http://forum.miata.net/vb/showthread.php?t=536601

Hey all!

About 5 years ago, there was a great thread on reverse engineering the NC ECU (http://forum.miata.net/vb/showthread.php?t=341366). In the spirit of that thread, I wanted to continue the discussion here for anyone remotely interested in the ecu’s inner workings. MX-Five (Clive) and Jim Boemler have done some solid work on this already, and I’m hoping we can rekindle further exploration. Please, no pissing matches between folks with regards to tunes and tuners… the end goal here is discovery, and sharing information. If any tuners have technical knowledge that doesn't compromise their tuning strategies, I’m sure you’d have a captive audience. All ears, or eyes, or whatever.. you know what I mean!  Anyway, to start things off I’ve consolidated some information on the tools needed for disassembling the ROM should anyone want to explore.

---

DOCUMENTATION

Renesas sh7058 manual
https://googledrive.com/host/0B3_pF8...sas_sh7058.pdf

Sega SH-4 manual (has C equivalents of the SH instruction set, kinda helpful)
https://googledrive.com/host/0B3_pF8...ZDQ/SHC_PM.pdf

---

TOOLS

KPIT Gnu Tools & Renesas High-Performance Embedded Workshop
http://www.kpitgnutools.com/index.php

A compiler/debugger/simulator that's extremely useful! Step thru code, access RAM, registers, i/o simulation (haven’t quite figured that out), etc. It requires registering a free account, and will take a day or so for confirmation granting access to downloads. Once confirmed, go to free downloads > all downloads.

Download the following and install.
HEW 4.08-ntc for KPIT GNU Tools with Simulators
GNUV850 v12.02 Windows Tool Chain

Setup
* run HEW
* from popup or file menu, select create a new project workspace
* give workspace/project a name
* set CPU family to 'SuperH RISC enginge’
* set toolchain to 'KPIT GNUSH [ELF]'
* leave project at default (C application)
* press ok 
* (new popup) leave toolchain version at default
* set CPU series to 'SH-2e'
* set CPU type to ‘SH7058F'
* press next
* (option setting popup) press next
* (library generator settings popup) select 'enable all', then press next
* (target system for debugging popup) select targets 'SH-2E' check box
* set target type to 'SH-2E' (should be default)
* press next
* select finish
* (summary popup) press ok, and the workspace will load
* select debug > debug settings
* set target to 'SH-2E Simulator'
* set debug format to ‘Binary'
* select browse, and then select your ROM file
* press ok to confirm
* press ok again to get out of debug settings popup
* (warning popup) select ‘YES’ to continue
* (peripheral function simulation popup), press ok
* look at the project browser pane to the left
* right-click your ROM, and select download
* go debug menu and select 'reset CPU'
* disassembly visible, and now you can step thru the code

One additional step I'm unsure if required for accessing RAM is going to setup > simulator > memory resource.. then setting up both Memory Map and Memory Resource according to Table 9.3 in the Renesas manual. One quirk, memory settings don't stick when reloading project.

IDA Pro - Probably reversings #1 tool (both legitimate and fringe)
https://www.hex-rays.com/index.shtml

Setup
* drag ROM into ida
* set processor type to Renesas SH4B
* check box to create RAM section
* set RAM start address to 0xffff0000
* set RAM size to FFFF
* press ok
* popup will ask chose device name, select SH7058
* press ‘G’ (goto) and enter 0000 (you are likely at the top anyway)
* press ‘D’ three times (you will see hex convert to long value.. for example, mine says "data.l unk_C0C”)
* double click that reference, or press ‘G’ and type it in (only the hex)
* press ‘C’ - you will see some disassembled code
* goto options > analysis > kernal options 1, then check the box 'final analysis pass' and press ok
* goto options > analysis, then press reanalyze program
* rom disassembled, now the hard part.. what does it all mean?

IDA Register Definitions for SH7055 / SH7058 by dshultz over at the romraider forum. 
https://raw.githubusercontent.com/ds...rc/IDA/sh3.cfg
Copy file to your IDA cfg directory, and replace sh3.cfg which should already exist. 
Interrupts will be labeled on reanalysis.

IDA Consonance Theme - Eye strain relief from the default color theme!
https://github.com/eugeneching/ida-consonance

Reverse Engineering the NC ECU (revisited) -- SH7508的更多相关文章

  1. Reverse Engineering Custom DataTypes -> GUID() in SQL Server to PostgreSQL

    原文 https://archive.sap.com/discussions/thread/3641585 First you reverse engineer from a script where ...

  2. reverse engineering in ax

    install Visio2010 Premium(UML model template). not work in Visio 2013 and other version.

  3. MyEclipse的Hibernate Reverse Engineering失败解决方法

    当使用MyEclipse的Hibernate逆向工程功能时,有时出现不成功的情况,点击finish按钮后对应的源文件目录没有生产相关对象,这时应该如何解决呢? 在国内的网站找了很久没找到,最后在国外的 ...

  4. MyEclipse Hibernate Reverse Engineering 找不到项目错误

    解决办法:在项目下找到.project文件,在最后的natures标签加入下面红色的一行代码. <natures>        <nature>com.genuitec.ec ...

  5. radare, the reverse engineering framework

    History The radare project [http://radare.org/] started in February of 2006 aiming to provide a free ...

  6. symfony2已有数据表导入实体时报错 Doctrine does not support reverse engineering from tables that don't have a primary key

    先在配置文件 app/config/config.yml中配置 schema_filter: /^(?!(tablename))/ 即可,或者在出现问题表都加上一个id 然后再使用命令 php app ...

  7. (转)EntityFrameword “Reverse Engineer Code First” 连接 MySql

    转自:http://stackoverflow.com/questions/19676624/error-trying-to-reverse-engineer-code-first-mysql-dat ...

  8. OtterCTF - Reverse - Msg Me This

    原文地址:Msg Me This 题目 Category: Reverse Engineering Points: 500 Solves: 15 Description: Rick created a ...

  9. 基于ARM处理器的反汇编器软件简单设计及实现

    写在前面 2012年写的毕业设计,仅供参考 反汇编的目的 缺乏某些必要的说明资料的情况下, 想获得某些软件系统的源代码.设计思想及理念, 以便复制, 改造.移植和发展: 从源码上对软件的可靠性和安全性 ...

随机推荐

  1. python网络编程-进程锁

    一:进程锁的作用 进程锁是防止多进程并发执行在屏幕打印的时候,其他进程也输出数据到屏幕,而出现混乱现象. 比如:进程池中很多进程会向同一个日志文件中打印日志 二:代码 # -*- coding:utf ...

  2. linux文件处理

    取中间的行数作为train.txt sed -n '1000000,170910580p' train.txt > trainv1.txt 取前面的行数作为dev.txt head -10000 ...

  3. InnoDB锁问题

    InnoDB锁问题 InnoDB与MyISAM的最大不同有两点:一是支持事务(TRANSACTION):二是采用了行级锁.行级锁与表级锁本来就有许多不同之处,另外,事务的引入也带来了一些新问题.下面我 ...

  4. sql server中分布式查询随笔(链接服务器(sp_addlinkedserver)和远程登录映射(sp_addlinkedsrvlogin)使用小总结)

    由于业务逻辑的多样性,经常得在sql server中查询不同数据库中数据,这就产生了分布式查询的需求 现我将开发中遇到的几种查询总结如下: 1.access版本 --建立连接服务器 EXEC sp_a ...

  5. 安装部署Apache Hadoop (完全分布式模式并且实现NameNode HA和ResourceManager HA)

    本节内容: 环境规划 配置集群各节点hosts文件 安装JDK1.7 安装依赖包ssh和rsync 各节点时间同步 安装Zookeeper集群 添加Hadoop运行用户 配置主节点登录自己和其他节点不 ...

  6. 最小圆覆盖 gym-102006 I

    #include<bits/stdc++.h> #define LL long long #define fi first #define se second #define mk mak ...

  7. Ionic入门七:ionic tab(选项卡)

    ionic tab(选项卡) 是水平排列的按钮或者链接,用以页面间导航的切换.它可以包含文字和图标的组合,是一种移动设备上流行的导航方法. 1.基本用法 以下选项卡容器使用了 tabs 类,每个选项卡 ...

  8. 2017-2018-1 20179202《Linux内核原理与分析》第十一周作业

    Metasploit实现木马生成.捆绑.免杀 1.预备知识 (1)Metasploit Metasploit是一款开源的安全漏洞检测工具,全称叫做The Metasploit Framework,简称 ...

  9. LINUX 下挂载 exfat 格式 u 盘或移动硬盘

    apt-get update apt-get install exfat-utils

  10. 不可不说的Java“锁”事

    前言 Java提供了种类丰富的锁,每种锁因其特性的不同,在适当的场景下能够展现出非常高的效率.本文旨在对锁相关源码(本文中的源码来自JDK 8).使用场景进行举例,为读者介绍主流锁的知识点,以及不同的 ...