Test binaries

[mumbel]

@frankracer @bri3d @normmatt @bugasu

Sorry to ping you guys, but you are the few that have some interest in this. Does anyone have sample binaries they would be willing to share, it would be appreciated (Feel free to msg my Reddit acct if you don't want file info here/public). Also didn't realize issues isn't default on, so if you had been wanting to make one .

[esaulenka]

for example, https://dropmefiles.com/ZwcKl (password '123') automotive engine controller TC1724

[Frankracer]

I will look through my files later today.

[Alexpux]

Here is dump from automotive ECU with TC1762 - https://yadi.sk/d/LArGKvd8_m5rRQ

[mumbel]

Thanks @Alexpux . The spec is not too different than the 172x, but added https://github.com/mumbel/ghidra/commit/49b687adabfe6e919a26e8749088d94410ad2baa for the TC176x

[Alexpux]

@mumbel thanks! Maybe we can add more information about memory blocks and registers to specs, like in IDA Pro? This is my config file for TC1762 in IDA - https://yadi.sk/d/6hCGC1_zmkHuxA

Also I think it will be good to automatically find and declare ABM (alternate boot mode) headers. From datasheed for TC1762:

Alternate boot mode (ABM): Start from internal PFLASH after CRC check is correctly executed; enter a serial bootstrap loader mode1) if CRC check fails. Defined in ABM header or D400 0000H

ABM header location:

Primary ABM Header
8001 FFE0H - 8001 FFFFH
A001 FFE0H - A001 FFFF

Secondary ABM Header
8003 FFE0H - 8003 FFFFH
A003 FFE0H - A003 FFFFH

ABH header structure

Address                      Value                                                 Function
XXXX XXE0H    32-bit start address                         Program/code start address
XXXX XXE4H    DEADBEEFH                                     Identifier string
XXXX XXE8H    32-bit address (checksum start)        32-bit aligned start address of memory range to be checked
XXXX XXECH    32-bit address(checksum end)          32-bit aligned end address (last word address) of memory range to be checked
XXXX XXF0H    32-bit CRC value CRC RANGE           Expected 32-bit CRC result for memory range to be checked
XXXX XXF4H    CRC RANGE inverted                         Inverted expected 32-bit CRC result for memory range to be checked
XXXX XXF8H    32-bit CRC value CRC HEAD              CRC result of current ABM header from offset (byte) address E0H to F7H
XXXX XXFCH    CRC HEAD  inverted                          Inverted CRC result of current ABM header from offset (byte) address E0H to F7

[esaulenka]

automatically find and declare ABM (alternate boot mode) headers

@Alexpux, i think that decompiler shouldn't do that. It is one of peripheral modules, not the core.

Also, i checked some binaries. In real applications present only one ABM header, and some data instead second.

[mumbel]

@Alexpux fyi https://github.com/mumbel/ghidra/commit/fd87ebaa663de12c4dd3daaf38b8519dccc1a385 have not yet looked into the header/struct question though

[Alexpux]

@mumbel sorry for later response. Thanks for your work! I will do more testing on my binaries

[mumbel]

Just FYI, Tricore was merged into master today so I'll be deleting my branch. Can still use this repo's issues if something comes up. but probably makes more sense to move to NSA/Ghidra at this point. Thanks for all the samples and testing.