MPC56xx / PowerPC table lookup examples?

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: MPC56xx / PowerPC table lookup examples?

Post by Tazzi »

If a custom kernel was made to read the flash and then write back to it, then it could be added to a flashing application.
Biggest part is making the kernel.

It's usually best to look at what the GM one does, then create from that. These usually have the complex needed parts done for you (unlock flash, erase etc.); the actual writing and reading memory is the easy part.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Post by Highlander »

Gatecrasher wrote:I may have fixed it.

You can change the processor language for an existing project. It's irreversible, so they recommend you back up your project file before you do it. I switched from "PPC big endian 32 bit" to "PPC big endian 64 bit VLE with 32 bit addressing". The code block disassembles now.

                             LAB_0015fc90                                    XREF[1]:     0015fc78(j)  
        0015fc90 81 8e 31 ac     lwz        r12,DAT_000031ac(r14)
        0015fc94 3d 60 00 09     lis        r11,0x9
        0015fc98 81 6b 91 00     lwz        r11,-0x6f00(r11)=>DAT_00089100                   = 41800000h
        0015fc9c 10 8c 5a cc     efscmpgt   cr1,r12,r11
        0015fca0 40 85 00 18     ble        cr1,LAB_0015fcb8
        0015fca4 39 80 00 00     li         r12,0x0
        0015fca8 b1 8e 32 84     sth        r12,0x3284(r14)=>DAT_4000b274
        0015fcac 38 60 18 05     li         r3=>DAT_00001805,0x1805
        0015fcb0 48 00 4a b1     bl         FUN_00164760                                     undefined FUN_00164760()
        0015fcb4 48 00 00 38     b          LAB_0015fcec
EFSCMPGT is apparently Floating-Point Single-Precision Compare Greater Than.
Are these: =>DAT_00089100 your annotations?
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Post by antus »

It looks to me like Ghidra's built-in default naming convention, e.g. for a function it's FUN_address and for a data address reference it's DAT_address, similar to IDA using subroutine SUB_address, and you have the option to rename them to something more meaningful as you figure it out.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
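
How the DAT_00089100 reference in the listing above falls out of the lis/lwz pair, as an added example that is not part of any post in this thread. The instruction bytes and the 41800000h constant are copied from the listing; the function names are made up for illustration.

```python
import struct

# Instruction bytes copied from the listing in the thread (big-endian PowerPC).
LIS_R11 = bytes.fromhex("3d600009")   # lis r11,0x9
LWZ_R11 = bytes.fromhex("816b9100")   # lwz r11,-0x6f00(r11)
CONST_AT_TARGET = 0x41800000          # value the listing shows at DAT_00089100


def sign16(value):
    """Sign-extend a 16-bit immediate field."""
    return value - 0x10000 if value & 0x8000 else value


def decode_dform(word_bytes):
    """Split a D-form instruction into (opcode, rD, rA, signed immediate)."""
    (word,) = struct.unpack(">I", word_bytes)
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, sign16(word & 0xFFFF)


def resolve_lis_lwz(lis_bytes, lwz_bytes):
    """Return the absolute address read by a lis/lwz pair."""
    op, rd, ra, imm = decode_dform(lis_bytes)
    if op != 15 or ra != 0:            # 'lis rD,imm' is 'addis rD,0,imm'
        raise ValueError("first instruction is not lis")
    high = (imm << 16) & 0xFFFFFFFF    # lis fills the upper 16 bits
    op2, _, ra2, disp = decode_dform(lwz_bytes)
    if op2 != 32 or ra2 != rd:         # lwz must index off the register lis set
        raise ValueError("second instruction is not lwz off the lis register")
    return (high + disp) & 0xFFFFFFFF  # negative displacement borrows from high


def as_float32(raw):
    """Interpret a 32-bit word as a big-endian IEEE-754 single."""
    return struct.unpack(">f", struct.pack(">I", raw))[0]


def default_data_label(address):
    """Format an address like the DAT_ labels in the listing."""
    return "DAT_%08x" % address


if __name__ == "__main__":
    addr = resolve_lis_lwz(LIS_R11, LWZ_R11)
    print(default_data_label(addr), as_float32(CONST_AT_TARGET))
```

The label is just the resolved address (0x90000 - 0x6f00), and the word stored there reads as 16.0 when treated as a single-precision float, which is the value efscmpgt compares r12 against.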
Tre-Cool
Posts: 265
Joined: Tue Oct 16, 2012 12:17 pm
cars: VY SS UTE, VX Drag Car
Location: Perth

Post by Tre-Cool »

Coz I'm kinda retarded at this sort of stuff, but can bumble/half-ass my way through. I'd like to do a similar thing for the T43 trans controller bin. I'm trying to find a limiter preventing the use of 6th gear past an input shaft speed of 3757rpm.

Anyone able to help out? I've got Ghidra installed but I'm lost from there.
Tre-Cool
Posts: 265
Joined: Tue Oct 16, 2012 12:17 pm
cars: VY SS UTE, VX Drag Car
Location: Perth

Post by Tre-Cool »

Tre-Cool wrote: Coz I'm kinda retarded at this sort of stuff, but can bumble/half-ass my way through. I'd like to do a similar thing for the T43 trans controller bin. I'm trying to find a limiter preventing the use of 6th gear past an input shaft speed of 3757rpm.

Anyone able to help out? I've got Ghidra installed but I'm lost from there.

I managed to find the limiter tables a few months ago. There is what I suspect is a high RPM that, when triggered, forces the downshift, then a lower re-engage RPM limiter. Similar to how the engine RPM limiter works in the E38.

I've now added a bunch of different OS locations to some EFILive cax files for them (RPM does vary calibration to calibration).

Worked it all out just by logging the trans and seeing what RPM the trans downshifted at, then went looking; surprisingly, it didn't take that long.

Then today checked that Ghidra showed the particular locations linked to function blocks.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Post by Gatecrasher »

That's cool. Nice job. :)