P04 Disassembly
-
- Posts: 139
- Joined: Tue Oct 03, 2023 9:33 am
- cars: 04 Monte SSSC
04 Tahoe
92 Trans Am - Location: AZ USA
P04 Disassembly
I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.
First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
In other cars I actually did this and made them "modes", i.e. performance mode, MPG mode, valet mode etc.
Anyway my question finally:
Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?
Repo for my work:
https://github.com/kerchakone/12588500
Last edited by ProfessWRX on Tue Nov 28, 2023 8:12 am, edited 2 times in total.
- antus
- Site Admin
- Posts: 8262
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Re: P04 Disassembly
Load the bin at 0000, RAM at FF8000 for length 8000 (may not be 100% the correct length, but it's close).
Look at the source for the P04 kernel in PCMHammer for DLC and Watchdog registers.
Vectors are 32 bit from 0000 up to about 400, so convert them to DWORD and disassemble from the target addresses to hit most of the code.
Sometimes a variable is loaded to a register from flash, then the register is jumped to. IDA can't follow these types of jumps, so you need to resolve them manually, or write an IDC or Python script to do it.
A version of the P04 kernel is here. Note that it is not 100% and we'll be going with Gampy's branch. They are nearly identical and we have both put a lot of work into it. The addresses here are correct, so it is OK to use it as a reference. https://github.com/LegacyNsfw/PcmHacks/ ... 08/Kernels
Look at Kernel.S and Common-Assembly.h
You'll find some code uses FFFF8000 for RAM, others use FF8000. These are functionally identical as it's a 24 bit address space. It does make life a little harder in IDA as it doesn't know they're the same address. So, it's important you do know.
Sometimes 16 bit addressing is used, so the opcode stores say 1234, and the processor sets all high bits as 1, so it disassembles as FFFF1234. But when a 32 bit value is used 00FF8000 is stored. That is how this comes about. You can't go 100% one way or the other, unfortunately, because it's baked into the code and the architecture.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
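The vector-table walk and the address-normalisation point above, as an added worked example (my code, not antus's, and not from PCMHammer or the kernel sources). It assumes what the post states: big-endian 32-bit vectors from 0x000 to 0x400, flash loaded at 0x000000 and RAM at 0xFF8000 for 0x8000 bytes. It folds every address onto the 24-bit bus so FFFF8000, 00FF8000 and FF8000 compare equal, then emits an IDC script that types each used vector as a dword, names it and defines a function at the target. The image it runs on is constructed for the demo, not a real PCM dump.

```python
"""Added example, not code from the thread or from PCMHammer: read the
exception vector table of a P04-style flash dump and emit an IDC script
that IDA can run, folding every address onto the 24-bit bus first.

Assumptions of mine: big-endian 32-bit vectors from 0x000 to 0x400, flash
mapped at 0x000000, RAM at 0xFF8000 for 0x8000 bytes. The image built by
demo_image() is constructed for the demo and is not a real PCM dump.
"""
import struct

RAM_BASE = 0xFF8000
RAM_LEN = 0x8000
VECTOR_TABLE_END = 0x400


def sext16(word: int) -> int:
    """Sign-extend a 16-bit absolute-short operand the way the CPU does:
    0x8000 -> 0xFFFF8000 (RAM), 0x1234 -> 0x00001234 (flash)."""
    word &= 0xFFFF
    return word | 0xFFFF0000 if word & 0x8000 else word


def norm24(addr: int) -> int:
    """Fold any 32-bit spelling of an address onto the 24-bit bus:
    0xFFFF8000, 0x00FF8000 and 0xFF8000 are all the same RAM byte."""
    return addr & 0xFFFFFF


def region(addr: int, flash_len: int) -> str:
    """Classify a (possibly sign-extended) address as flash, ram or other."""
    a = norm24(addr)
    if a < flash_len:
        return "flash"
    if RAM_BASE <= a < RAM_BASE + RAM_LEN:
        return "ram"
    return "other"


def parse_vectors(image: bytes):
    """Return (vector_number, raw_value, normalised_target) for every slot
    that is neither 0x00000000 nor 0xFFFFFFFF (unused or erased)."""
    count = min(len(image), VECTOR_TABLE_END) // 4
    out = []
    for n, raw in enumerate(struct.unpack_from(f">{count}I", image, 0)):
        if raw in (0x00000000, 0xFFFFFFFF):
            continue
        out.append((n, raw, norm24(raw)))
    return out


def vectors_to_idc(image: bytes) -> str:
    """IDC that types each used slot as a dword, names it, and defines a
    function at the target. Vector 0 is the initial stack pointer, so it
    gets a comment rather than a function; targets outside flash are
    flagged for a manual look instead of being auto-analysed."""
    lines = ["#include <idc.idc>", "static main() {"]
    for n, raw, target in parse_vectors(image):
        slot = n * 4
        where = region(raw, len(image))
        lines.append(f"  create_dword(0x{slot:X});")
        if n == 0:
            lines.append(f'  set_cmt(0x{slot:X}, "initial SSP -> 0x{target:06X} ({where})", 0);')
        elif where != "flash":
            lines.append(f'  set_cmt(0x{slot:X}, "vector {n} -> 0x{target:06X} is in {where}, resolve manually", 0);')
        else:
            lines.append(f'  set_name(0x{slot:X}, "vec_{n:03d}", SN_CHECK);')
            lines.append(f"  add_func(0x{target:X}, BADADDR);")
    lines.append("}")
    return "\n".join(lines)


def demo_image() -> bytes:
    """Constructed 2 KiB stand-in (a real dump is 512 KiB): SSP in RAM
    written the sign-extended way, a reset PC and two more handlers."""
    img = bytearray(0x800)
    struct.pack_into(">I", img, 0x000, 0xFFFFA000)  # vector 0: initial SSP
    struct.pack_into(">I", img, 0x004, 0x00000400)  # vector 1: reset PC
    struct.pack_into(">I", img, 0x008, 0x00000500)  # vector 2: bus error
    struct.pack_into(">I", img, 0x0FC, 0x00000600)  # vector 63
    for ea in (0x400, 0x500, 0x600):
        img[ea:ea + 4] = b"\x4E\x71\x4E\x75"          # NOP; RTS
    return bytes(img)


if __name__ == "__main__":
    print(vectors_to_idc(demo_image()))
```

Run it against a real dump by replacing demo_image() with the file contents and piping the output to a .idc file, then File > Script file in IDA. The `where` check is the practical part: when a vector or pointer lands in the FF8000 window it is RAM, not code, and the 24-bit fold is what tells you that regardless of how the compiler spelled the address.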
-
- Posts: 139
- Joined: Tue Oct 03, 2023 9:33 am
- cars: 04 Monte SSSC
04 Tahoe
92 Trans Am - Location: AZ USA
Re: P04 Disassembly
Thanks, that might get me started. I will probably have 1000 more questions when I actually sit down and do it.
- antus
- Site Admin
- Posts: 8262
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Re: P04 Disassembly
Happy to help where I can. Probably the other REs lurking around here too.
I'd consider an early part of the job being to get what we know about the calibration into IDA too. If you look at the definitions Universal Patcher is using (originally from Tiny Tuner), you can generate an IDC that'll comment or name addresses through the calibration segment as to what they are. Then you'll be able to identify code purpose largely based on that, and by inspecting the code you'll be able to find things in RAM, which will point you to other code that is deeper in the OS.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
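The definitions-to-IDC step suggested above, as an added worked example (my code, not antus's, and not Universal Patcher's or Tiny Tuner's). The definition file format here is a constructed CSV stand-in, not either tool's real format, and the parameter names, addresses and sizes in it are made up for the demo. The generator validates each row against the 512 KiB image size, drops duplicate addresses, makes the labels legal IDA names, and emits create_*/make_array/set_name/set_cmt calls so the calibration segment is labelled before you start reading code.

```python
"""Added example, not code from the thread, Universal Patcher or Tiny Tuner:
turn a calibration definition list into an IDC script that names and
comments the calibration segment of a P04 bin.

The CSV layout below is my constructed stand-in for a definition file; the
rows in SAMPLE_DEFS are made up and do not describe a real P04 calibration.
"""
import csv
import io
import re

# Constructed sample: name,address,size_bytes,count,description
SAMPLE_DEFS = """\
name,address,size,count,description
Spark Advance Main,0x1A200,1,272,Base spark table vs RPM/MAP (17x16)
Rev Limiter,0x1B040,2,1,Fuel cut RPM
Shift Pattern Select,0x1B046,1,1,Normal/Performance shift pattern flag
Rev Limiter,0x1B040,2,1,Duplicate row that must not produce a second name
Bad Entry,0x90000,2,1,Outside a 512 KiB image
"""

FLASH_LEN = 0x80000                       # 512 KiB P04 image
CREATE = {1: "create_byte", 2: "create_word", 4: "create_dword"}


def idc_name(text: str) -> str:
    """Fold a human label into something IDA accepts as a name."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", text.strip())
    name = re.sub(r"_+", "_", name).strip("_")
    if not name or name[0].isdigit():
        name = "cal_" + name
    return name


def idc_str(text: str) -> str:
    """Quote a string for an IDC source file."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def load_defs(text: str, flash_len: int = FLASH_LEN):
    """Parse, validate and de-duplicate definitions.
    Returns (entries, rejected); rejected holds (label, reason) pairs."""
    entries, rejected = [], []
    seen_addr, seen_name = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        addr = int(row["address"], 0)
        size = int(row["size"])
        count = int(row["count"])
        if size not in CREATE:
            rejected.append((row["name"], f"unsupported element size {size}"))
            continue
        if addr + size * count > flash_len:
            rejected.append((row["name"], "outside flash image"))
            continue
        if addr in seen_addr:
            rejected.append((row["name"], "duplicate address"))
            continue
        name = idc_name(row["name"])
        if name in seen_name:              # same label at a second address
            name = f"{name}_{addr:X}"
        seen_addr.add(addr)
        seen_name.add(name)
        entries.append({"name": name, "addr": addr, "size": size,
                        "count": count, "desc": row["description"]})
    return entries, rejected


def defs_to_idc(text: str, flash_len: int = FLASH_LEN) -> str:
    """Emit IDC that types, sizes, names and comments every accepted entry."""
    entries, _ = load_defs(text, flash_len)
    lines = ["#include <idc.idc>", "static main() {"]
    for e in sorted(entries, key=lambda x: x["addr"]):
        ea = f"0x{e['addr']:X}"
        lines.append(f"  {CREATE[e['size']]}({ea});")
        if e["count"] > 1:
            lines.append(f"  make_array({ea}, {e['count']});")
        lines.append(f"  set_name({ea}, {idc_str(e['name'])}, SN_CHECK);")
        lines.append(f"  set_cmt({ea}, {idc_str(e['desc'])}, 0);")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    accepted, dropped = load_defs(SAMPLE_DEFS)
    for label, why in dropped:
        print(f"skipped {label!r}: {why}")
    print(defs_to_idc(SAMPLE_DEFS))
```

Point the loader at a real definition export (after adapting the column names), write the output to a .idc file and run it from File > Script file. Once the calibration segment carries names, every `lea`/`move` that references one of those addresses in the OS code tells you what that routine is working on, which is the foothold the post describes.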
-
- Posts: 397
- Joined: Wed Jul 05, 2017 8:30 am
- cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E - Location: North TX, USA
Re: P04 Disassembly
Are you going to use the L67 bin, or the Alero bin you posted in another thread?

ProfessWRX wrote:
> I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
> My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.
> First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
> In other cars I actually did this and made them "modes", i.e. performance mode, MPG mode, valet mode etc.
> Anyway my question finally:
> Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?

I want to try using whichever one you try to use in Ghidra, so could you post the bin here?
Mike
-
- Posts: 139
- Joined: Tue Oct 03, 2023 9:33 am
- cars: 04 Monte SSSC
04 Tahoe
92 Trans Am - Location: AZ USA
Re: P04 Disassembly
This is the one I'll be doing. This is my car's stock bin. 04 Monte L67.

MudDuck514 wrote:
> Are you going to use the L67 bin, or the Alero bin you posted in another thread?
>
> ProfessWRX wrote:
> > I'm going to be disassembling my P04 in IDA Pro here somewhat soon.
> > My plan is obviously to learn how the subroutines actually work so I can make educated tunes, but I also want to write a few custom subroutines to have fancy things added.
> > First job will be to use my steering wheel controls to turn on performance shift since it's not a 98-.
> > In other cars I actually did this and made them "modes", i.e. performance mode, MPG mode, valet mode etc.
> > Anyway my question finally:
> > Can anybody share the PCM breakdown so I can open the bin in IDA? Like processor options and addresses of RAM/ROM etc?
>
> I want to try using whichever one you try to use in Ghidra, so could you post the bin here?
> Mike
- Attachments: CarlSTOCK.bin (512 KiB), downloaded 240 times
-
- Posts: 397
- Joined: Wed Jul 05, 2017 8:30 am
- cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E - Location: North TX, USA
Re: P04 Disassembly
Thanks. I FINALLY managed to get Ghidra to work - NOW to figure out HOW to use it.
Anyone have any tips on using Ghidra?
Started rewatching the video on YouTube by TurboV6
https://www.youtube.com/watch?v=iU_yiOW99pI&t=1125s
Looks like others may be interested too since the file has been DL'd several times already!
Mike
-
- Posts: 139
- Joined: Tue Oct 03, 2023 9:33 am
- cars: 04 Monte SSSC
04 Tahoe
92 Trans Am - Location: AZ USA
Re: P04 Disassembly
18 times now. What are people wanting with that file and why so many people? I figured it was just the few guys collecting bins for posterity. Weird.

MudDuck514 wrote:
> Looks like others may be interested too since the file has been DL'd several times already!
> Mike
-
- Posts: 397
- Joined: Wed Jul 05, 2017 8:30 am
- cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E - Location: North TX, USA
Re: P04 Disassembly
20 times now. HOPEFULLY there are at least a FEW people wanting to contribute!
I am still trying to wrap my head around using Ghidra!
Mike
Re: P04 Disassembly
Yes, some of us collect them, add them to our databases, as our relational tables grow, we become data wiser.
-Enjoy
Intelligence is in the details!
It is easier not to learn bad habits than it is to break them!
If I was here to win a popularity contest, there would be no point, so I wouldn't be here!