P04 Disassembly

[antus]

Downloads are open to guests too, you only need an account to post. It could be bots or any passers by searching for p04 bins on google as we rank quite highly. As well as lurkers who want to learn as you do but are not ready to contribute.

[kur4o]

Thanks, that might get me started. I will probably have 1000 more questions when I actually sit down and do it.

Do you have access to IDApro.

I already posted some diss already, you can use for reference, how code should look at the end.

[rjdrew1986]

Hi kur4o, where did you post the reference disassemblies?

[kur4o]

I can`t remember, so I will re post here.

[ProfessWRX]

I can`t remember, so I will re post here.

That helped. I'm getting mine cleaned up. Starting to look more like something that will one day be legible.

Anybody care to share more?

[TheHom]

I wanted to check-in and say that I am interested in this effort as I am trying to find more parameters for a few items in the P04 (want to properly set up an L67 for use with a manual transmission). I am completely new to this and just started in Ghidra, so I am not sure how much I will be able to contribute, but will make an effort to come up to speed and help where I can. It looks like your OS is a different 'MapNumber' than mine based on the Tiny Tuner database (89 vs 99), but I would imagine a lot can be translated between them.

When I followed the YouTube video, I got a lot a code that didn't disassemble in Ghidra - not sure how to address that. I did order a license for IDA Home for the 68K processor (looks like I need to wait until Monday to download) - hoping this can help with that.

My background is mechanical engineering.
 
I'll keep you posted as I get up and running. Would like to work with a group so we are not duplicating efforts.

[antus]

What paramaters are you searching for? Do any programs have them already? It may be possible to use another and flash it in to a P04, read it back and either you have the config item, or you can start looking at the code that accesses that calibration item?

[antus]

@ProsessWRX: NSFW used a list of CSV locations which was donated to generate this idc https://github.com/LegacyNsfw/12587603/ ... 03.csv.idc
You could build something similar to use the locations and descriptions from the tiny tuner database, or as that is the data source which universal pathcer uses you could load your bin in to that and generate an XDF to work from, or there may be other export options. Then you can run the IDC in ida to propagate that information through your database.

I also look a look, but my version of IDA updated the database which might cause you problems loading back in to your version, so just two things I noticed early:
vector 00000000 is the stack, and its FFB8000 so you can comment that
vector 00000004 is the boot address so you can comment that. That function loads a lot of data in to hardware registers to set up the platform for operation. This is the data we look in to in order to make the XML files for USBJTAG-NT to get the hardware in to a state that BDM can read and write flash.

From https://github.com/LegacyNsfw/PcmHacks/ ... Assembly.h
you can see watchdogs aka COP (computer operating properly) are:

Code: Select all

  .equ COP1,             0xFFFA27
  .equ COP2,             0xFFC006

Then you can also comment the DLC registers at 0xFFE800 and 0xFFE801
The later DLC uses more than 2 registers so the function can be a bit easier to read from the disassembly, but the early one packs more in to two registers, so you have to think a bit harder to understand the code from the datasheet. Once you've stared at it enough times it starts to become clear. I documented registers in the bottom of common-assembly.h (taken from the MC68hc58 datasheet) above so its easy to always have that information on hand while you are trying to understand the bitmasks to try and understand if you are looking at transmit or receive functions, and for by or packet.

[ProfessWRX]

@ProsessWRX: NSFW used a list of CSV locations which was donated to generate this idc https://github.com/LegacyNsfw/12587603/ ... 03.csv.idc
You could build something similar to use the locations and descriptions from the tiny tuner database, or as that is the data source which universal pathcer uses you could load your bin in to that and generate an XDF to work from, or there may be other export options. Then you can run the IDC in ida to propagate that information through your database.

I also look a look, but my version of IDA updated the database which might cause you problems loading back in to your version, so just two things I noticed early:
vector 00000000 is the stack, and its FFB8000 so you can comment that
vector 00000004 is the boot address so you can comment that. That function loads a lot of data in to hardware registers to set up the platform for operation. This is the data we look in to in order to make the XML files for USBJTAG-NT to get the hardware in to a state that BDM can read and write flash.

From https://github.com/LegacyNsfw/PcmHacks/ ... Assembly.h
you can see watchdogs aka COP (computer operating properly) are:

Code: Select all

  .equ COP1,             0xFFFA27
  .equ COP2,             0xFFC006

Then you can also comment the DLC registers at 0xFFE800 and 0xFFE801
The later DLC uses more than 2 registers so the function can be a bit easier to read from the disassembly, but the early one packs more in to two registers, so you have to think a bit harder to understand the code from the datasheet. Once you've stared at it enough times it starts to become clear. I documented registers in the bottom of common-assembly.h (taken from the MC68hc58 datasheet) above so its easy to always have that information on hand while you are trying to understand the bitmasks to try and understand if you are looking at transmit or receive functions, and for by or packet.

Thanks, Yeah I've been pulling tables and ram addresses off universalpatcher. I am still trying to clean up the code here and there. I don't know how to do it other than manually so that's what most of my time has been spent on so far.

I just 20 seconds ago finally got the instruction set for the 68330 so now I can possibly follow some code logic. I am facing a DAUNTING task of figuring out random bits and variables that I have no idea what they are and with my limited capacity never will. I'm not sure if I'll ever get this done. I'm wondering if there's a far more documented or commented bin file from early P04s that might offer more insight into all of this.

My "Progress" attached.

[antus]

There is not, this is hard stuff. A lot of the information that is known is pulled by using other tools and observing what changes, because the assembly code is very complicated and understanding all the logic is a difficult task. It is not impossible, but you would typically only do the RE you need to meet your objective and some of that might be educated guesswork based on what you already know about how it works, and maybe even with manual validation by patching the bin and observing the results. You probably wont find yourself ever doing the whole bin. Operating systems started getting too complicated to do that manually about this era. 32Kb bins were a big job. 128Kb bins are quite a stretch, 512kb+ is almost no chance.

Note that in ida you can turn on "auto comments" which will give every line a description of what the opcode does. That can be a nice way to get familiar with the instruction set, but after a while it's just clutter and gets in the way. Maybe its helpful, maybe its not.