Test binaries

Question

Test binaries

mumbel opened this issue 5 years ago · comments

Sorry to ping you guys, but you are the few that have some interest in this. Does anyone have sample binaries they would be willing to share, it would be appreciated (Feel free to msg my Reddit acct if you don't want file info here/public). Also didn't realize issues isn't default on, so if you had been wanting to make one .

Alexey Esaulenko · Answer 1 · Fri May 31 2019 21:59:29 GMT+0800 (China Standard Time)

for example, https://dropmefiles.com/ZwcKl (password '123')
automotive engine controller
TC1724

Frankracer · Answer 2 · Fri May 31 2019 23:31:40 GMT+0800 (China Standard Time)

I will look through my files later today.

Алексей · Answer 3 · Mon Jun 10 2019 04:41:10 GMT+0800 (China Standard Time)

Here is dump from automotive ECU with TC1762 - https://yadi.sk/d/LArGKvd8_m5rRQ

mumbel · Answer 4 · Mon Jun 10 2019 06:44:32 GMT+0800 (China Standard Time)

Thanks @Alexpux . The spec is not too different than the 172x, but added 49b687a for the TC176x

Алексей · Answer 5 · Mon Jun 10 2019 13:55:03 GMT+0800 (China Standard Time)

@mumbel thanks!
Maybe we can add more information about memory blocks and registers to specs, like in IDA Pro?
This is my config file for TC1762 in IDA - https://yadi.sk/d/6hCGC1_zmkHuxA

Also I think it will be good to automatically find and declare ABM (alternate boot mode) headers. From datasheed for TC1762:

Alternate boot mode (ABM): Start from internal PFLASH after CRC check is correctly executed; enter a serial bootstrap loader mode1) if CRC check fails. Defined in ABM header or D400 0000H

ABM header location:

Primary ABM Header
8001 FFE0H - 8001 FFFFH
A001 FFE0H - A001 FFFF

Secondary ABM Header
8003 FFE0H - 8003 FFFFH
A003 FFE0H - A003 FFFFH

ABH header structure

Address                      Value                                                 Function
XXXX XXE0H    32-bit start address                         Program/code start address
XXXX XXE4H    DEADBEEFH                                     Identifier string
XXXX XXE8H    32-bit address (checksum start)        32-bit aligned start address of memory range to be checked
XXXX XXECH    32-bit address(checksum end)          32-bit aligned end address (last word address) of memory range to be checked
XXXX XXF0H    32-bit CRC value CRC RANGE           Expected 32-bit CRC result for memory range to be checked
XXXX XXF4H    CRC RANGE inverted                         Inverted expected 32-bit CRC result for memory range to be checked
XXXX XXF8H    32-bit CRC value CRC HEAD              CRC result of current ABM header from offset (byte) address E0H to F7H
XXXX XXFCH    CRC HEAD  inverted                          Inverted CRC result of current ABM header from offset (byte) address E0H to F7

Alexey Esaulenko · Answer 6 · Mon Jun 10 2019 23:11:43 GMT+0800 (China Standard Time)

automatically find and declare ABM (alternate boot mode) headers

@Alexpux, i think that decompiler shouldn't do that. It is one of peripheral modules, not the core.

Also, i checked some binaries. In real applications present only one ABM header, and some data instead second.

mumbel · Answer 7 · Tue Jun 11 2019 07:34:02 GMT+0800 (China Standard Time)

@Alexpux fyi fd87eba have not yet looked into the header/struct question though

Алексей · Answer 8 · Wed Jun 12 2019 15:31:22 GMT+0800 (China Standard Time)

@mumbel sorry for later response. Thanks for your work! I will do more testing on my binaries

mumbel · Answer 9 · Sat Aug 03 2019 04:22:07 GMT+0800 (China Standard Time)

Just FYI, Tricore was merged into master today so I'll be deleting my branch. Can still use this repo's issues if something comes up. but probably makes more sense to move to NSA/Ghidra at this point. Thanks for all the samples and testing.