P04 BIN Editing (disabling security)

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: P04 BIN Editing (disabling security)

Post by antus »

No, there isn't a way to do that other than disassembly and figuring it out. We do know from reverse engineering the P01 and P59 (our own work as well as the work of our predecessors) what family of chips are in there, but you need to get a handle on part of the code as a starting reference, then watch what it's doing and read data sheets to figure out the addresses. Then when you move to a similar PCM you can bring across what you learnt from the last one and start validating things; where the code looks the same but the addresses look different you can start figuring out where various registers and things have moved to. $F6xxxx vs $F7xxxx might work out to be generally true, but you can see that's not how it's designed. The various chips' address spaces just need to be clear of each other, not necessarily aligned within boundaries like that.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA

Re: P04 BIN Editing (disabling security)

Post by DWS »

I see, I expected the addresses would flip chip based on a bit or bits, but I haven't gotten into hardware quite that deep.

I'm brewing some ideas on how to identify the different settings, but testing it across PCM types doesn't work (P11 vs P05 vs P04); however, across 3 different P04 bins I've pulled it did find the value. It's also already known on all 3, so not exactly discovering anything new yet. Basically, the concept is that code is reused, so, ignoring memory addresses, a "map" could be made of a snippet of code that has the reference to a desired setting. I'm guessing something similar must already be in use, though, since Universal Patcher picked up the settings in all 3 bins even though all 3 store the values in different locations. I guess each PCM type is more or less its own set of code, and each change is where you get all the variations from. I'm told there's something like 300 OSs for the P04. Also, comparing the 4 P11s I have, they have a lot of reused code, so if I figure one out, the others should be similar, I'd think.

I have a couple more ideas in mind. I'll have to plug away at a known bin (like P04) and see if I can "discover" the tables, settings, etc. that are listed and try to figure out how they were determined to do the thing they are labelled as doing. Hopefully I'll make slow progress and build on the experience and info others have posted to discover something new for the community. I'm sure I have many hours of digging around looking at hex files and disassembled code to go before I'll break through on anything special (if I find anything).
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: P04 BIN Editing (disabling security)

Post by antus »

Yes, that's right. Often you might be able to find it from something like a DTC or an OBD message. Both of those pieces of code function pretty similarly across OSs, and once you find the code that's handling the OBD or looking up the DTC, you can then find the message mode number or DTC number reference, and that should be closely linked by code path to the piece of code you're looking for.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA

Re: P04 BIN Editing (disabling security)

Post by DWS »

Sounds like I'm in the right ballpark then.

Are there any reverse engineering tools made for PCMs yet, or is it all done manually/private code? I figured, bare minimum, the code to look up a table value should match for a given CPU type, so finding all tables should be possible, even ones that have little to no use in tuning.

For giggles I started up a new C# project to poke around a bit with these ideas, to make it a bit faster than manually searching and such. A "mask" is easier to build in code too.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: P04 BIN Editing (disabling security)

Post by antus »

Generally it's IDA Pro or Ghidra, though Ghidra doesn't support a couple of the instructions that are used in the PCM. Ghidra is free and has a decompiler, but it's not a very advanced decompiler, and while its output might be syntactically correct the code isn't necessarily that useful. IDA with 68K support is commercial. If you can get access to a copy of it then you can script something to pull addresses from an XDF and comment the code, similar to what NSFW has done here: https://github.com/LegacyNsfw/12593358
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA

Re: P04 BIN Editing (disabling security)

Post by DWS »

I see. I've been using Ghidra a bit for the "decompiled" code. I just looked at some of the table references, and so far every one of them goes to broken code. Maybe I should start out a little more generic, like discovering settings referenced in if statements first. My basic concept is a tool to list all of the memory addresses referenced in the bin. Maybe eventually it can evolve into some sort of "auto detect" type of program. I've been automating things for quite some time, so most of what I can do in a hex editor or Ghidra can generally be automated with a program. Might be wishful thinking, but you have to start somewhere =).
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
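The masked-snippet "map" idea DWS describes (find a known piece of code in one bin, wildcard the operand bytes, then search another bin for the same code and read off the address that build uses), written out as an added Python example; this is not code from the thread or from DWS's C# project. The two "bins" are constructed byte strings, and the 68K-style instruction layout and operand offsets are assumptions made for illustration.

```python
import re

def build_mask(snippet: bytes, wildcard_ranges):
    """Turn a code snippet into a mask: a list of byte values, with None at
    every position holding an address or other operand that is expected to
    differ between bins (the reused code stays, the addresses float)."""
    mask = list(snippet)
    for start, length in wildcard_ranges:
        for i in range(start, start + length):
            mask[i] = None
    return mask

def find_pattern(bin_data: bytes, mask):
    """Return every offset in bin_data where the masked snippet matches.
    Wildcards become '.', and a lookahead keeps overlapping hits."""
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in mask)
    return [m.start() for m in re.finditer(b"(?=" + body + b")", bin_data, re.DOTALL)]

def locate_setting(ref_bin, snip_off, snip_len, wildcards, op_off, op_len, target_bin):
    """Take a snippet known to reference a setting in ref_bin, mask out its
    operands, find the same code in target_bin, and read the address the
    target build uses at the operand position. Returns one address per hit."""
    mask = build_mask(ref_bin[snip_off:snip_off + snip_len], wildcards)
    return [int.from_bytes(target_bin[o + op_off:o + op_off + op_len], "big")
            for o in find_pattern(target_bin, mask)]

# Constructed sample bins (not real PCM dumps). The 14-byte sequence is laid
# out to resemble a 68K "move.b (abs.l),d0 / btst #0,d0 / beq.w": the same code
# in both builds, but the flag byte lives at $F71234 in one and $F65678 in the other.
REF_CODE = bytes.fromhex("1039 00f71234 0800 0000 6700 000a".replace(" ", ""))
TGT_CODE = bytes.fromhex("1039 00f65678 0800 0000 6700 0012".replace(" ", ""))
REF_BIN = b"\xff" * 16 + REF_CODE + b"\xff" * 16
TARGET_BIN = b"\x00" * 40 + TGT_CODE + b"\xff" * 10

# Operand layout assumed for the sample: 4-byte address at bytes 2..5, 2-byte
# branch displacement at bytes 12..13. Both are wildcarded; the opcodes are not.
WILDCARDS = [(2, 4), (12, 2)]

if __name__ == "__main__":
    hits = locate_setting(REF_BIN, 16, len(REF_CODE), WILDCARDS, 2, 4, TARGET_BIN)
    print([hex(a) for a in hits])  # ['0xf65678']
```

Matching on the opcode bytes only is what lets the same mask find the setting across builds that relocate it; a bin whose code differs (a different register, an extra instruction) simply yields no hit rather than a wrong address.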