Current Status on E38, E67, etc.. Hacking Toys
Re: Current Status on E38, E67, etc.. Hacking Toys
Hey kur4o, can I ask how you got your r13 value?
Re: Current Status on E38, E67, etc.. Hacking Toys
You can trace it in the disassembly. r2 and r13 are set at initial boot, maybe at the reset vector, or right after that.
The vectors are at the very start of the bin file.
Re: Current Status on E38, E67, etc.. Hacking Toys
I am seeing life from my E67!!
MB: 5 ID: 0x2C5 Len: 6 Data: 0x12 2A 3 20 1F FF
MB: ??? ID: 0x1C1 Len: 4 Data: 0x12 2A 12 2A
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 D 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 0 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0x1A1 Len: 3 Data: 0x0 10 42
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 7 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 A 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
Anyone recommend a program to decode this? I think my next step will be to try and request the VIN.
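As a starting point for decoding a capture like the one above, here is an added example (not from the original post or any tool named in the thread) that parses this logger's line format and reports, per arbitration ID, which payload byte positions change between frames. The sample log is the idle traffic quoted above, embedded verbatim; the logger prints `0x` only before the first byte and does not zero-pad, which the parser accounts for.

```python
import re
from collections import defaultdict

# Constructed sample: the idle-traffic lines posted above, pasted verbatim.
SAMPLE_LOG = """\
MB: 5 ID: 0x2C5 Len: 6 Data: 0x12 2A 3 20 1F FF
MB: ??? ID: 0x1C1 Len: 4 Data: 0x12 2A 12 2A
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 D 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 0 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0x1A1 Len: 3 Data: 0x0 10 42
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 7 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
MB: ??? ID: 0xC9 Len: 7 Data: 0x0 0 0 A 0 41 0
MB: ??? ID: 0x191 Len: 8 Data: 0x16 25 16 25 16 25 0 0
"""

LINE_RE = re.compile(r"ID:\s*0x([0-9A-Fa-f]+)\s+Len:\s*(\d+)\s+Data:\s*(.*)$")

def parse_frame(line):
    """Return (can_id, payload) for one logger line, or None if it does not parse.
    Every data token is read as hex after stripping an optional 0x prefix (the
    logger only prints 0x on the first byte); Len must match the byte count."""
    m = LINE_RE.search(line)
    if not m:
        return None
    can_id, length, toks = int(m.group(1), 16), int(m.group(2)), m.group(3).split()
    payload = bytes(int(t[2:] if t.lower().startswith("0x") else t, 16) for t in toks)
    if len(payload) != length:
        raise ValueError(f"Len {length} but {len(payload)} bytes in: {line!r}")
    return can_id, payload

def changing_bytes(log):
    """Group frames by arbitration ID and report, per ID, the byte positions whose
    value differs between frames, with the sorted set of values seen there."""
    by_id = defaultdict(list)
    for line in log.splitlines():
        frame = parse_frame(line)
        if frame:
            by_id[frame[0]].append(frame[1])
    report = {}
    for can_id, frames in by_id.items():
        n = min(len(f) for f in frames)  # guard against mixed lengths on one ID
        report[can_id] = {i: sorted({f[i] for f in frames})
                          for i in range(n)
                          if len({f[i] for f in frames}) > 1}
    return report
```

Constant positions (such as byte 5 of 0xC9, always 0x41) drop out of the report, leaving only the bytes worth correlating against engine state.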
Re: Current Status on E38, E67, etc.. Hacking Toys
viewtopic.php?f=42&t=7753
Check this if you have a J2534 device on hand.
Idle traffic has meaning but is not that easy to decode. There is some data on GitHub based on different manufacturers. It is still a project to be built into the patcher to decode those def files.
Re: Current Status on E38, E67, etc.. Hacking Toys
Kur4o, please educate me, I'm missing something. My binary has the following, so I set r13 to 0x400000:
00010290 3d a0 00 40 lis r13,0x40 #load immediate shift left by 16 bits.
I'm scratching my head as you have a different value for r13 and I can't see it in the disassembly. If you could spare the time to walk me through it I'd be extremely grateful.
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: Current Status on E38, E67, etc.. Hacking Toys
hjtrbo wrote:
Kur4o, please educate me, I'm missing something. My binary has the following, so I set r13 to 0x400000:
00010290 3d a0 00 40 lis r13,0x40 #load immediate shift left by 16 bits.
I'm scratching my head as you have a different value for r13 and I can't see it in the disassembly. If you could spare the time to walk me through it I'd be extremely grateful.

It's different depending on your application. I was just looking at a T43 TCM dump with Tre-Cool, and that is also set to 0x400000. It sets the pointer to the top of the RAM area and loads data from RAM using negative offsets.
00010268 3d a0 00 40 lis r13,0x40
0001026c 39 ad 00 00 addi r13,r13,0x0
00010270 3c 40 00 01 lis r2,0x1
00010274 38 42 80 00 subi r2,r2,0x8000
Re: Current Status on E38, E67, etc.. Hacking Toys
I will explain how this works.
The PPC CPU has trouble with 4-byte addressing modes, and some special techniques are needed to load a 4-byte address.
When you set a value in r13, say, you can use an offset based on that register to access memory. So you tell the CPU to add 7726 bytes to r13 to get the address. Loading a 4-byte address is always 2-3 instructions, adding two 16-bit values using some add and lis commands.
The lis command sets the upper 16-bit nibble and then [add] adds the lower 16-bit nibble to get a 32-bit address.
Usually at the very start of the code:
loc_338:
oris r1, r0, 0x40 # '@'
mr r1, r1
addi r1, r1, -0x10
oris r2, r0, 0 # here r2 is set
mr r2, r2
oris r13, r0, 0x3F # '?' here r13 is set
ori r13, r13, 0xE800
lis r31, (dword_2FC100+0x10000)@h
oris r11, r0, 0
ori r11, r11, 0x297A
lwz r11, 0(r11)
stw r11, dword_2FC100@l(r31)
oris r7, r0, 0
ori r7, r7, 0x297E
lwz r7, 0(r7)
stw r7, dword_2FC104@l(r31)
oris r9, r0, 0
ori r9, r9, 0x2982
lwz r9, 0(r9)
There could be other registers set in subroutines during the code, and the disassembler needs to keep track of that and change the offset accordingly.
Usually r2 and r13 are set once, but later PCMs use r13-r18 set to different values.
Here is an example of how to get an address:
lis r27, (unk_3F9E48+0x10000)@h # unk_3F9E48 3F 60 [00 40]
addi r27, r27, -0x61B8 # unk_3F9E48 3B 7B [9E 48]
As you can see, the address is derived from 0040 and 9E48 added to the register, and there is a -$10000 offset added; that is based on signed vs. unsigned values being used.
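To make the lis/addi and oris/ori mechanics concrete, here is an added example (my own code, not from kur4o's post or any disassembler) that decodes the raw PPC D-form instruction words from the listings in this thread, tracks the register values they build, and computes the @h/@l split for a target address, including the +0x10000 high-half adjustment that the signed addi immediate forces. The first six words are the bytes quoted above; the two oris/ori words were hand-assembled by me from kur4o's `oris r13, r0, 0x3F / ori r13, r13, 0xE800` pair and are an assumption.

```python
import struct

# Constructed samples. The first six words are copied from the T43 listing and
# the unk_3F9E48 example above; the last two were assembled by hand (assumed
# encoding) from kur4o's "oris r13, r0, 0x3F / ori r13, r13, 0xE800" pair.
T43_WORDS = bytes.fromhex(
    "3da00040"   # lis  r13,0x40
    "39ad0000"   # addi r13,r13,0x0
    "3c400001"   # lis  r2,0x1
    "38428000"   # subi r2,r2,0x8000  (addi with -0x8000)
    "3f600040"   # lis  r27,0x40
    "3b7b9e48"   # addi r27,r27,-0x61B8
)
ORIS_WORDS = bytes.fromhex("640d003f" "61ade800")  # oris r13,r0,0x3F ; ori r13,r13,0xE800

def sext16(v):
    """Sign-extend a 16-bit immediate the way addi/addis interpret it."""
    return v - 0x10000 if v & 0x8000 else v

def decode_dform(word):
    """Split a PPC D-form word into (opcode, first reg field, second reg field, imm16)."""
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF

def track_registers(code):
    """Walk addis/addi/oris/ori words and return the final value of every written register.
    addi/addis treat rA=0 as literal zero and sign-extend imm; ori/oris write rA from rS."""
    regs = {}
    for (word,) in struct.iter_unpack(">I", code):
        op, f1, f2, imm = decode_dform(word)
        if op in (14, 15):              # addi / addis (lis): rD = f1, rA = f2
            base = 0 if f2 == 0 else regs.get(f2, 0)
            shift = 16 if op == 15 else 0
            regs[f1] = (base + (sext16(imm) << shift)) & 0xFFFFFFFF
        elif op in (24, 25):            # ori / oris: rS = f1, rA (destination) = f2
            shift = 16 if op == 25 else 0
            regs[f2] = regs.get(f1, 0) | (imm << shift)
    return regs

def split_ha_lo(addr):
    """Return the (@h-adjusted, @l) halves a lis/addi pair needs to build addr.
    @l is signed, so the high half is bumped by one when bit 15 of addr is set."""
    lo = sext16(addr & 0xFFFF)
    return ((addr - lo) >> 16) & 0xFFFF, lo

if __name__ == "__main__":
    print({r: hex(v) for r, v in track_registers(T43_WORDS).items()})
    print({r: hex(v) for r, v in track_registers(ORIS_WORDS).items()})
    print(split_ha_lo(0x3F9E48))
```

Running it shows r13 = 0x400000, r2 = 0x8000 and r27 = 0x3F9E48 for the T43 words, and that 0x3F9E48 splits into (0x40, -0x61B8), which is exactly the `(unk_3F9E48+0x10000)@h` / `-0x61B8` pair in the listing.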
Re: Current Status on E38, E67, etc.. Hacking Toys
kur4o wrote:
viewtopic.php?f=42&t=7753
Check this if you have a J2534 device on hand.
Idle traffic has meaning but is not that easy to decode. There is some data on GitHub based on different manufacturers. It is still a project to be built into the patcher to decode those def files.

I bought the OBDXPRO VX because it was recommended on this site. I'm still waiting for that j2534 DLL. That's mainly why I'm messing around with the Arduino.
Re: Current Status on E38, E67, etc.. Hacking Toys
Kur4o, your code snippet, is that from my binary? I cannot find it. I understand the address offsetting during runtime. Thank you.
I need to start a new thread so Meistro can continue without being bothered by T43 stuff...
Gatecrasher, that's what I've got too in my OS.
I'm sticking with r13 = 0x400000 and r2 = 0x8000.
In my OS the first 0x10283 bytes are data tables. Then the very first function is the following:
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00010284()
assume r13 = 0x400000
undefined r3:1 <RETURN>
undefined4 Stack[0x4]:4 local_res4 XREF[2]: 0001028c(W),
000102cc(R)
undefined4 Stack[-0x8]:4 local_8 XREF[2]: 000102b4(W),
000102b8(R)
undefined4 Stack[-0x10]:4 local_10 XREF[1]: 00010284(W)
FUN_00010284 XREF[3]: FUN_000102dc:000102f8(c),
FUN_00010318:00010334(c),
FUN_00010e2c:00010e48(c)
00010284 94 21 ff f0 stwu r1,local_10(r1)
00010288 7c 08 02 a6 mfspr r0,LR
0001028c 90 01 00 14 stw r0,local_res4(r1)
00010290 3d a0 00 40 lis r13,0x40
00010294 39 ad 00 00 addi r13,r13,0x0
00010298 3c 40 00 01 lis r2,0x1
0001029c 38 42 80 00 subi r2,r2,0x8000
000102a0 48 00 09 51 bl FUN_00010bf0 undefined FUN_00010bf0()
000102a4 48 00 08 ed bl FUN_00010b90 undefined FUN_00010b90()
000102a8 3c 60 00 30 lis r3,0x30
000102ac 38 63 c0 00 subi r3=>DAT_002fc000,r3,0x4000
000102b0 81 63 01 40 lwz r11,0x140(r3)=>DAT_002fc140
000102b4 91 61 00 08 stw r11,local_8(r1)
000102b8 81 41 00 08 lwz r10,local_8(r1)
000102bc 55 4a 00 3c rlwinm r10,r10,0x0,0x0,0x1e
000102c0 91 43 01 40 stw r10,0x140(r3)=>DAT_002fc140
000102c4 48 00 12 41 bl FUN_00011504 undefined FUN_00011504()
000102c8 48 00 14 0d bl FUN_000116d4 undefined FUN_000116d4()
000102cc 80 01 00 14 lwz r0,local_res4(r1)
000102d0 7c 08 03 a6 mtspr LR,r0
000102d4 38 21 00 10 addi r1,r1,0x10
000102d8 4e 80 00 20 blr
Re: Current Status on E38, E67, etc.. Hacking Toys
New thread started here for T43 disassembly. Sorry about the hijack Meistro!
viewtopic.php?f=26&t=8409