MPC56xx / PowerPC table lookup examples?

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
Posts: 72
Joined: Sat Apr 25, 2020 6:09 am

MPC56xx / PowerPC table lookup examples?

Postby Gatecrasher » Fri Jan 14, 2022 8:29 am

Has anyone got disassembly examples for how an MPX56xx or other PowerPC variant does table lookups? I'm picking apart a chassis control module (MPC5644A) looking for the NPP exhaust valve controls. Now that I'm finally learning how Ghidra works, I'm making decent progress. Knowing a little bit about how GM does table and axis lookups would help a lot though. It doesn't look like GM uses headers or prefixes like the old Mitsubishi stuff I'm used to. That stuff seems so quaint by comparison.

User avatar
Posts: 2618
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: MPC56xx / PowerPC table lookup examples?

Postby Tazzi » Fri Jan 14, 2022 11:06 am

This would all depend on how the developer handles it?

Some GM modules have references to every table/option near the top of the operating system. This is easy to identify after having 1 or 2 items defines, since you can then search the absolute address of the defined value in memory and try identify it in the operating system area.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 72
Joined: Sat Apr 25, 2020 6:09 am

Re: MPC56xx / PowerPC table lookup examples?

Postby Gatecrasher » Sat Jan 15, 2022 12:40 am

Ok. I was hoping there was some sort of common-ish format to the calibration files that you could use to get some basic characteristics of the table and then work backwards from there.

This thing has a ton of code. It can perform a whole lot of functions in the trucks. Air suspension, trailer braking, etc. I'm kind of surprised they stuck it in cars where it's only doing exhaust flapper control. Seems way overkill.

Posts: 72
Joined: Sat Apr 25, 2020 6:09 am

Re: MPC56xx / PowerPC table lookup examples?

Postby Gatecrasher » Mon Jan 17, 2022 8:52 am

This is irritating. I don't think it's explicitly related to map lookups, but it's busting up my disassembly enough to hurt my search. Ghidra flags this as a bad instruction and halts disassembly. IDA doesn't know it either. It happens in quite a few places.

Code: Select all
                             LAB_0015fc90                                    XREF[1]:     0015fc78(j) 
        0015fc90 81 8e 31 ac     lwz        r12,DAT_000031ac(r14)
        0015fc94 3d 60 00 09     lis        r11,0x9
        0015fc98 81 6b 91 00     lwz        r11,-0x6f00(r11)=>DAT_00089100                   = 41800000h
        0015fc9c 10              ??         10h
        0015fc9d 8c              ??         8Ch
        0015fc9e 5a              ??         5Ah    Z
        0015fc9f cc              ??         CCh
        0015fca0 40              ??         40h    @
        0015fca1 85              ??         85h
        0015fca2 00              ??         00h
        0015fca3 18              ??         18h


The processor is an off the shelf NXP part, so I don't think it's some custom GM stuff. It might be related to cache instructions in later versions of this PPC core, but I can't find a clear answer on it. If anyone has seen this in other PPC based ECUs, please let me know.

User avatar
Posts: 2618
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: MPC56xx / PowerPC table lookup examples?

Postby Tazzi » Mon Jan 17, 2022 9:04 am

Likely a VLE instruction.

In MPC55xx and newer (Including MPC56xx), they brought in VLE instructions which can sometimes not be automatically picked up or identified.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 72
Joined: Sat Apr 25, 2020 6:09 am

Re: MPC56xx / PowerPC table lookup examples?

Postby Gatecrasher » Mon Jan 17, 2022 9:43 am

I may have fixed it.

You can change the processor language for an existing project. It's irreversible, so they recommend you back up your project file before you do it. I switched from "PPC big endian 32 bit" to "PPC big endian 64 bit VLE with 32 bit addressing". The code block disassembles now.

Code: Select all
                             LAB_0015fc90                                    XREF[1]:     0015fc78(j) 
        0015fc90 81 8e 31 ac     lwz        r12,DAT_000031ac(r14)
        0015fc94 3d 60 00 09     lis        r11,0x9
        0015fc98 81 6b 91 00     lwz        r11,-0x6f00(r11)=>DAT_00089100                   = 41800000h
        0015fc9c 10 8c 5a cc     efscmpgt   cr1,r12,r11
        0015fca0 40 85 00 18     ble        cr1,LAB_0015fcb8
        0015fca4 39 80 00 00     li         r12,0x0
        0015fca8 b1 8e 32 84     sth        r12,0x3284(r14)=>DAT_4000b274
        0015fcac 38 60 18 05     li         r3=>DAT_00001805,0x1805
        0015fcb0 48 00 4a b1     bl         FUN_00164760                                     undefined FUN_00164760()
        0015fcb4 48 00 00 38     b          LAB_0015fcec


EFSCMPGT is apparently Floating-Point Single-Precision Compare Greater Than.

User avatar
Posts: 2618
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: MPC56xx / PowerPC table lookup examples?

Postby Tazzi » Mon Jan 17, 2022 12:18 pm

haha!! VLE strikes again!!!

Came across the same issue when looking at the GM write kernels.

Hopefully that helps make a bit more sense.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Site Admin
User avatar
Posts: 6811
Joined: Sat Feb 28, 2009 8:34 pm

Re: MPC56xx / PowerPC table lookup examples?

Postby antus » Mon Jan 17, 2022 12:32 pm

Good to know, thanks for sharing Tazzi, not an obvious one to understand when you just see the disassembly fail.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 72
Joined: Sat Apr 25, 2020 6:09 am

Re: MPC56xx / PowerPC table lookup examples?

Postby Gatecrasher » Tue Jan 18, 2022 1:05 am

I think I found the master subroutine for the exhaust valve controls. It checks one byte in the calibration region for a 1 or 0, and if it find a 1, it starts down a tree of 103 additional subroutines. I don't know yet if that's just the NPP sound valves or if that includes the upstream AFM valves too. That seems like a whole lot of code for it to just be the NPP valves. I've barely scratched the surface yet.

I stumbled on something else interesting. It looks like some of the map values are 32 bit floating point values, and Ghidra shows them as percentages in the decompiler window. So that's handy. I've never seen that before. There's a ton of xxyy0000 values in the calibration region, and I was wondering what the hell they were. It looks like there might be some RPM values encoded the same way too.

Return to Engineering and Reverse Engineering

Who is online

Users browsing this forum: No registered users and 3 guests