Bosch MED9.1.1

[lgtmelo]

looks ok so far?

[kur4o]

Some improvement I can suggest.

Turn off vle, I don`t think code use vle. VLE is compressed opcode, if not set correctly you get no results.

When all files are loaded, don`t select all and hit analyze.

Go to 0 and manually convert vectors to code using C button

usually vectors starts with 48 00 at 0 and at 400000

When you convert vectors goto->options->general->analysis-> In kernel options turn off coagulate data and mark make final analysis pass-> you can play with other options[usually all set is a good starting point]->reanalyze program->you press it several times to run multiple analysis.

[lgtmelo]

thanks! will do

[lgtmelo]

Some improvement I can suggest.

Turn off vle, I don`t think code use vle. VLE is compressed opcode, if not set correctly you get no results.

When all files are loaded, don`t select all and hit analyze.

Go to 0 and manually convert vectors to code using C button

usually vectors starts with 48 00 at 0 and at 400000

When you convert vectors goto->options->general->analysis-> In kernel options turn off coagulate data and mark make final analysis pass-> you can play with other options[usually all set is a good starting point]->reanalyze program->you press it several times to run multiple analysis.

like every byte that shows as 0x48? or just the one at literally 00000000?

a.png (15 KiB) Viewed 652 times

[lgtmelo]

and just double checking, thats the way you want right? asking because coagulate DATA was already off, but coagulate CODE was on.

a.png (4.22 KiB) Viewed 650 times

[kur4o]

Yes the ones that start with 48 is some vectors, usually there is 4 bytes vector 4 bytes not used.
Goto 400000 there is also some vectors that start with 48

All coagulate must be off for nicer disassembly.

[lgtmelo]

funny thing, noticed this:

seg000:000010E0 lis r13, 0x80

does this mean my r13 is actually 0x80 and not 0x7FFFF0 as i had set? or did i screw something up to make it show as 0x80?

[lgtmelo]

Yes the ones that start with 48 is some vectors, usually there is 4 bytes vector 4 bytes not used.
Goto 400000 there is also some vectors that start with 48

All coagulate must be off for nicer disassembly.

does this mean these 0x86 and 0xA6 should also be set as vectors (i.e. should i press C on them?)
and these 0x48 not followed by 4 bytes not used should be left alone?
***edit: nevermind i understood what you meant now!


HEY, THANK YOU SO MUCH <3

[antus]

Hit 'd' a couple of times on them to go from byte (dc.b - 1 byte value), to word (dc.b two byte value) to long (dc.l 4 byte value), do that on each one, so you end up with addresses as longs instead of bytes. Then go the address listed (g -> type address to goto) and hit c on the first byte to convert to code, and it should disassemble from there as far as it can for that vector entry point. You can also hit shift P on the first instruction at that address once its disassembled (or right click -> create function) to create a function on the address of the first byte. If the code is red it means its loose, not in a function. But of course it is a function but it wasnt able to identify it as such as you did the vector manually instead of with it following a jump or call, so when you create the function the code will turn black and it'll be listed on the list of functions on the left as sub_xxxxxx where sub means subroutine and xxxxxxx is the address, instead of loc_xxxxxxx which means its a location that is used somewhere.

[lgtmelo]

i did the long thing, but if i try to go to this address, it says it doesnt exist (Command "JumpAsk" failed).