Current Status on E38, E67, etc.. Hacking Toys

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
hjtrbo
Posts: 140
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by hjtrbo »

Hey kur4o, can I ask how you got your r13 value?
kur4o
Posts: 953
Joined: Sun Apr 10, 2016 9:20 pm

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by kur4o »

You can trace it in disassembly. r2 and r13 are set at initial boot, maybe at reset vector, or right after that.

The vectors are at the very start of bin file.
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by Meistro »

I am seeing life from my E67!!

MB: 5 ID: 0x2C5 Len: 6 Data: 0x12 2A 3 20 1F FF
MB: ??? ID: 0x1C1 Len: 4 Data: 0x12 2A 12 2A
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 D 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 0 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0x1A1 Len: 3 Data: 0x0 10 42
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 7 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 A 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0


Anyone recommend a program to decode this? I think my next step will be to try and request the VIN.
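A first triage step for a capture like this, as an added example (not a tool from the thread or from any named project): parse each line, group frames by CAN ID and mark which byte positions change between frames of the same ID. It knows nothing about GMLAN message meanings, only which bytes carry changing data; the log string is the frames from the post above, copied verbatim.

```python
import re
from collections import defaultdict

# Sample input: the frames from the post above, copied verbatim.
LOG = """\
MB: 5 ID: 0x2C5 Len: 6 Data: 0x12 2A 3 20 1F FF
MB: ??? ID: 0x1C1 Len: 4 Data: 0x12 2A 12 2A
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 D 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 0 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0x1A1 Len: 3 Data: 0x0 10 42
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 7 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 A 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
"""

# The sketch prints "0x" only on the first data byte and no zero padding,
# so every token is parsed as bare hex after stripping an optional prefix.
LINE_RE = re.compile(r"ID:\s*0x([0-9A-Fa-f]+)\s+Len:\s*(\d+)\s+Data:\s*(.*)$")

def parse_frame(line):
    """Return (can_id, payload bytes) for one log line, or None if it is not a frame."""
    m = LINE_RE.search(line)
    if not m:
        return None
    can_id, dlc = int(m.group(1), 16), int(m.group(2))
    data = [int(tok.lower().removeprefix("0x"), 16) for tok in m.group(3).split()]
    if len(data) != dlc:                      # truncated or garbled line
        raise ValueError(f"DLC {dlc} but {len(data)} bytes in: {line!r}")
    return can_id, bytes(data)

def summarize(log):
    """Group frames by ID; report count, DLC and the byte positions that change."""
    frames = defaultdict(list)
    for line in log.splitlines():
        parsed = parse_frame(line)
        if parsed:
            frames[parsed[0]].append(parsed[1])
    report = {}
    for can_id, payloads in frames.items():
        dlc = len(payloads[0])
        varying = [i for i in range(dlc) if len({p[i] for p in payloads}) > 1]
        report[can_id] = {"count": len(payloads), "dlc": dlc, "varying_bytes": varying}
    return report

if __name__ == "__main__":
    for can_id, info in sorted(summarize(LOG).items()):
        print(f"0x{can_id:03X} x{info['count']} dlc={info['dlc']} changing={info['varying_bytes']}")
```

On this capture only ID 0xC9 shows a changing byte (position 3), which is where a counter or a measured value would be worth watching once the VIN request works.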
kur4o
Posts: 953
Joined: Sun Apr 10, 2016 9:20 pm

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by kur4o »

viewtopic.php?f=42&t=7753

Check this if you have j2534 device on hand.

Idle traffic has meaning, but it is not that easy to decode. There is some data on github based on different manufacturers. It is still a project to be built into the patcher to decode those def files.
hjtrbo
Posts: 140
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by hjtrbo »

Kur4o, please educate me, I'm missing something. My binary has the following:

Code:

00010290 3d a0 00 40 lis r13,0x40 #load immediate shift left by 16 bits.

So I set r13 to 0x400000.
I'm scratching my head as you have a different value for r13 and I can't see it in the disassembly. If you could spare the time to walk me through it I'd be extremely grateful.
Gatecrasher
Posts: 273
Joined: Sat Apr 25, 2020 6:09 am

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by Gatecrasher »

hjtrbo wrote: Kur4o, please educate me, I'm missing something. My binary has the following:

Code:

00010290 3d a0 00 40 lis r13,0x40 #load immediate shift left by 16 bits.

So I set r13 to 0x400000.
I'm scratching my head as you have a different value for r13 and I can't see it in the disassembly. If you could spare the time to walk me through it I'd be extremely grateful.
It's different depending on your application. I was just looking at a T43 TCM dump with Tre-Cool, and that is also set to 0x400000. It sets the pointer to the top of the RAM area and loads data from RAM using negative offsets.

Code:

        00010268 3d a0 00 40     lis        r13,0x40
        0001026c 39 ad 00 00     addi       r13,r13,0x0
        00010270 3c 40 00 01     lis        r2,0x1
        00010274 38 42 80 00     subi       r2,r2,0x8000
I think R2 ends up being the pointer to the EEPROM area. 0x10000 - 0x8000 = 0x8000.
kur4o
Posts: 953
Joined: Sun Apr 10, 2016 9:20 pm

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by kur4o »

I will explain how this works.

The PPC CPU has trouble with 4-byte addressing modes, and some special techniques are needed to load a 4-byte address.

When you set a value in r13, say, you can use an offset based on that register to access memory. So you tell the CPU to add 7726 bytes to r13 to get the address. Loading a 4-byte address is always 2-3 commands, adding two 16-bit values, using some add and lis commands.

The lis command sets the upper 16-bit nibbles and then [add] adds the lower 16-bit nibble to get a 32-bit address.

Code:

loc_338:
oris      r1, r0, 0x40 # '@'
mr        r1, r1
addi      r1, r1, -0x10
oris      r2, r0, 0             # here r2 is set
mr        r2, r2
oris      r13, r0, 0x3F # '?'   # here r13 is set
ori       r13, r13, 0xE800
lis       r31, (dword_2FC100+0x10000)@h
oris      r11, r0, 0
ori       r11, r11, 0x297A
lwz       r11, 0(r11)
stw       r11, dword_2FC100@l(r31)
oris      r7, r0, 0
ori       r7, r7, 0x297E
lwz       r7, 0(r7)
stw       r7, dword_2FC104@l(r31)
oris      r9, r0, 0
ori       r9, r9, 0x2982
lwz       r9, 0(r9)
Usually at the very start of code.

There could be other registers set in subroutines during the code, and the disassembler needs to keep track of it and change the offset accordingly.

Usually r2 and r13 are set once, but later PCMs use r13-r18 set to different values.

Here is an example of how to get an address:

lis r27, (unk_3F9E48+0x10000)@h # unk_3F9E48 3F 60 [00 40]
addi r27, r27, -0x61B8 # unk_3F9E48 3B 7B [9E 48]

As you can see, the address is derived from 0040 and 9e48 added to the register, and there is a -$10000 offset added; that is based on signed vs unsigned values being used.
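To make the lis/addi and oris/ori mechanics from this post and from Gatecrasher's T43 snippet above concrete, here is an added example (not code from the thread): a minimal decoder for those four PowerPC D-form instructions that tracks register values the way a disassembler has to. The prologue words are the bytes hjtrbo and Gatecrasher posted; the oris/ori pair is encoded here from kur4o's listing, and r0 is assumed to hold 0 at that point.

```python
# Primary opcodes (top 6 bits of the 32-bit word) for the D-form instructions used.
ADDI, ADDIS, ORI, ORIS = 14, 15, 24, 25

def simm(imm16):
    """Sign-extend a 16-bit immediate; addi/addis immediates are signed."""
    return imm16 - 0x10000 if imm16 & 0x8000 else imm16

def step(regs, word):
    """Apply one instruction word to the register dict (other opcodes are ignored)."""
    op = word >> 26
    f1 = (word >> 21) & 0x1F      # rD for addi/addis, rS for ori/oris
    f2 = (word >> 16) & 0x1F      # rA
    imm = word & 0xFFFF
    if op in (ADDI, ADDIS):
        # rA == 0 means the literal value 0, which is what makes 'lis' (addis rD,0,imm) work.
        base = 0 if f2 == 0 else regs.get(f2, 0)
        delta = simm(imm) << 16 if op == ADDIS else simm(imm)
        regs[f1] = (base + delta) & 0xFFFFFFFF
    elif op in (ORI, ORIS):
        # ori/oris write rA from rS; here r0 is a real register (assumed 0 in kur4o's listing).
        src = regs.get(f1, 0)
        regs[f2] = src | ((imm << 16) if op == ORIS else imm)
    return regs

def run(words):
    """Return the register state after executing the words in order."""
    regs = {}
    for w in words:
        step(regs, w)
    return regs

def h_ha_l(addr):
    """Return (@h, @ha, @l as signed) for addr; @ha is @h bumped when @l is negative."""
    return addr >> 16, ((addr + 0x8000) >> 16) & 0xFFFF, simm(addr & 0xFFFF)

# Bytes from the prologue posted above: lis r13,0x40 / addi r13,r13,0 / lis r2,0x1 / subi r2,r2,0x8000
PROLOGUE = [0x3DA00040, 0x39AD0000, 0x3C400001, 0x38428000]
# lis r27,(unk_3F9E48+0x10000)@h / addi r27,r27,-0x61B8, bytes 3F 60 00 40 / 3B 7B 9E 48
R27_PAIR = [0x3F600040, 0x3B7B9E48]
# oris r13,r0,0x3F / ori r13,r13,0xE800, encodings constructed from kur4o's listing
R13_ORIS = [0x640D003F, 0x61ADE800]

if __name__ == "__main__":
    print({f"r{k}": hex(v) for k, v in run(PROLOGUE).items()})   # r13=0x400000, r2=0x8000
    print(hex(run(R27_PAIR)[27]), h_ha_l(0x3F9E48))               # 0x3f9e48 (0x3f, 0x40, -25016)
```

The -$10000 (the @ha versus @h difference) appears exactly when the low half would be negative as a signed 16-bit value, which is why Ghidra shows `subi r2,r2,0x8000` after `lis r2,0x1` for the value 0x8000.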
Meistro
Posts: 35
Joined: Fri Nov 03, 2023 7:42 am
cars: many

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by Meistro »

kur4o wrote: viewtopic.php?f=42&t=7753

Check this if you have j2534 device on hand.

Idle traffic has meaning, but it is not that easy to decode. There is some data on github based on different manufacturers. It is still a project to be built into the patcher to decode those def files.
I bought the OBDXPRO VX because it was recommended on this site. I'm still waiting for that j2534 DLL. That's mainly why I'm messing around with the Arduino.
hjtrbo
Posts: 140
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by hjtrbo »

Kur4o, your code snippet, is that from my binary? I cannot find it. I understand the address offsetting during runtime. Thank you.

Gatecrasher, that's what I've got too in my OS.

I'm sticking with r13 = 0x400000 and r2 = 0x8000.

In my OS the first 0x10283 bytes are data tables. Then the very first function is the following:

Code:

                            **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00010284()
                               assume r13 = 0x400000
             undefined         r3:1           <RETURN>
             undefined4        Stack[0x4]:4   local_res4                              XREF[2]:     0001028c(W), 
                                                                                                   000102cc(R)  
             undefined4        Stack[-0x8]:4  local_8                                 XREF[2]:     000102b4(W), 
                                                                                                   000102b8(R)  
             undefined4        Stack[-0x10]:4 local_10                                XREF[1]:     00010284(W)  
                             FUN_00010284                                    XREF[3]:     FUN_000102dc:000102f8(c), 
                                                                                          FUN_00010318:00010334(c), 
                                                                                          FUN_00010e2c:00010e48(c)  
        00010284 94 21 ff f0     stwu       r1,local_10(r1)
        00010288 7c 08 02 a6     mfspr      r0,LR
        0001028c 90 01 00 14     stw        r0,local_res4(r1)
        00010290 3d a0 00 40     lis        r13,0x40
        00010294 39 ad 00 00     addi       r13,r13,0x0
        00010298 3c 40 00 01     lis        r2,0x1
        0001029c 38 42 80 00     subi       r2,r2,0x8000
        000102a0 48 00 09 51     bl         FUN_00010bf0                                     undefined FUN_00010bf0()
        000102a4 48 00 08 ed     bl         FUN_00010b90                                     undefined FUN_00010b90()
        000102a8 3c 60 00 30     lis        r3,0x30
        000102ac 38 63 c0 00     subi       r3=>DAT_002fc000,r3,0x4000
        000102b0 81 63 01 40     lwz        r11,0x140(r3)=>DAT_002fc140
        000102b4 91 61 00 08     stw        r11,local_8(r1)
        000102b8 81 41 00 08     lwz        r10,local_8(r1)
        000102bc 55 4a 00 3c     rlwinm     r10,r10,0x0,0x0,0x1e
        000102c0 91 43 01 40     stw        r10,0x140(r3)=>DAT_002fc140
        000102c4 48 00 12 41     bl         FUN_00011504                                     undefined FUN_00011504()
        000102c8 48 00 14 0d     bl         FUN_000116d4                                     undefined FUN_000116d4()
        000102cc 80 01 00 14     lwz        r0,local_res4(r1)
        000102d0 7c 08 03 a6     mtspr      LR,r0
        000102d4 38 21 00 10     addi       r1,r1,0x10
        000102d8 4e 80 00 20     blr
I need to start a new thread so Meistro can continue without being bothered by T43 stuff...
hjtrbo
Posts: 140
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

Re: Current Status on E38, E67, etc.. Hacking Toys

Post by hjtrbo »

New thread started here for T43 disassembly. Sorry about the hijack Meistro!
viewtopic.php?f=26&t=8409