P04 Disassembly

[ProfessWRX]

I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.

First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
In other cars I actually did this and made them "modes" IE performance mode, MPG mode, valet mode etc.

Anyway my question finally:

Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?



Repo for my work:
https://github.com/kerchakone/12588500

[antus]

Load the bin at 0000, ram at FF8000 for length 8000 (may not be 100% correct length, but its close).
Look at the source for the P04 kernel in PCMHammer for DLC and Watchdog registers.
Vectors are 32 bit from 0000 up to about 400, so convert them to DWORD and disassemble from the target addresses to hit most the code.
Sometimes a variable is loaded to a register from flash, then the register is jumped to, IDA cant follow these types of jumps so you need to resolve them manually, or write an IDC or Python script to do it.

A version of P04 kernel is here. Note that is not 100% and we'll be going with Gampys branch. They are nearly identical and we have both put a lot of work in to it. The addresses here are correct, so it is OK to use it as a reference. https://github.com/LegacyNsfw/PcmHacks/ ... 08/Kernels
Look at Kernel.S and Common-Assembly.h

You'll find some code uses FFFF8000 for ram, others use FF8000. These are functionally identical as its a 24 bit address space. It does make life a little harder in IDA as it doesn't know they're the same address. So, its important you do know.
Sometimes 16 bit addressing is used, so the opcode stores say 1234, and the processor sets all high bits as 1, so it disassembles as FFFF1234. But when a 32 bit value is used 00FF8000 is stored. That is how this comes about. You cant go 100% one way or the other, unfortunately, because its baked in to the code and the architecture.

[ProfessWRX]

Thanks, that might get me started. I will probably have 1000 more questions when I actually sit down and do it.

[antus]

Happy to help where I can. Probably the other REs lurking around here too.

I'd consider an early part of the job being to get what we know about the calibration in to IDA too. If you look at the definitions universal patcher is using (originally from tiny tuner), you can generate an idc that'll comment or name addresses through the calibration segment as to what they are. Then you'll be able to identify code purpose largely based on that, and by inspecting the code you'll be able to find things in ram, which will point you to other code, that is deeper in the OS.

[MudDuck514]

I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.

First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
In other cars I actually did this and made them "modes" IE performance mode, MPG mode, valet mode etc.

Anyway my question finally:

Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?

Are you going to use the L67 bin, or the Alero bin you posted in another thread?
I want to try using whichever one you try to use in Ghidra, so could you post the bin here?

Mike

[ProfessWRX]

I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.

First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
In other cars I actually did this and made them "modes" IE performance mode, MPG mode, valet mode etc.

Anyway my question finally:

Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?

Are you going to use the L67 bin, or the Alero bin you posted in another thread?
I want to try using whichever one you try to use in Ghidra, so could you post the bin here?

Mike

This is the one I'll be doing. This is my car's Stock bin. 04 Monte L67

[MudDuck514]

Thanks. I FINALLY managed to get Ghidra to work - NOW to figure out HOW to use it.
Anyone have any tips on using Ghidra?
Started rewatching the video on YouTube by TurboV6
https://www.youtube.com/watch?v=iU_yiOW99pI&t=1125s

Looks like others may be interested too since the file has been DL'd several time already!

Mike

[ProfessWRX]

Looks like others may be interested too since the file has been DL'd several time already!

Mike

18 times now. What are people wanting with that file and why so many people? I figured it was just the few guys collecting bins for posterity. Weird.

[MudDuck514]

20 times now. HOPEFULLY there are at least a FEW people wanting to contribute!
I am still trying to wrap my head around using Ghidra!

Mike

[Gampy]

Yes, some of us collect them, add them to our databases, as our relational tables grow, we become data wiser.

-Enjoy