HOW TO DISASSEMBLE & REASSEMBLE EVO ECU CODE


Introduction
This is a summary of the steps and tools required to disassemble, reassemble, link, trim and
re-flash Evo code into your ROM. It was pulled together from many threads on the
www.evolutionm.net site, to make it easier to figure out how to do this for anyone who
wants to get into coding their own mods to the Mitsubishi ECUs. It is an open work in
progress, so feel free to make any corrections or additions as needed.

ECU Disassembly
This section explains how to disassemble an Evo ROM binary file, downloaded from your ECU
using EcuFlash, into a GNU assembly text file using a Windows PC. It assumes you know how
to dump your ROM to a hex file using EcuFlash.

1. Get a copy of IDA Pro 6.1 and the IDA Pro Book 2nd edition from the internetz.
Spend many days reading about how to install and use this powerful disassembly
tool.

2. Download a copy of the Hitachi Renesas SH-2 Software Manual to get familiar with
the assembly language used in the Evo ROMs.

3. Download a copy of the Hitachi Renesas SH7052F-Hardware Manual to get familiar
with the Evo 8 ECU.

4. Download a copy of the Hitachi Renesas SH7055SF-Hardware Manual for the Evo 9
ECU.

5. Open IDA Pro 6.1 and click Go! (Work on your own).


6. Use File > Open to select the ROM hex file you want to disassemble.

7. The Load a new file window will appear:

Change the processor type in the drop down list from "Intel 80x86 processors: metapc"
to "Renesas: SH4B" and press the Set button.


8. Click the Kernel Options 1 button.

Uncheck the "Create ascii string if data xref exists" and "Convert 32 bit instruction
operand to offset" options and then click OK.


9. Click the Kernel Options 2 button:

Uncheck the “Check for unicode strings” option and hit OK.

10. Click the Processor Options button.

Remove the check mark from “Convert immediate loads” and hit OK, then OK again.

11. A new window will appear called "Disassembly memory organization".

Check the "Create RAM section" option.

Change the RAM start address to 0xFFFF0000, set the RAM size to 0xFFFF and press OK.

12. Another window will appear (Choose the device name):

Check the Renesas SH7058 (SH4B) processor is selected and press OK to continue.


13. The disassembled hex file will be shown on your IDA pro window:

14. Use keyboard shortcut "G" to jump to the beginning of the code.
Press "G", insert 0000 and press OK.
***Now you are at the beginning of the code***

15. Press "D" three times to define the data at this address as a longword (dd); IDA will then show the value as a reference.

16. Double-click on the “unk_XXXX” reference to jump to the start of the main
routine.


17. Now you need to press keyboard "C" and wait. This will convert the code from
binary into assembly. It will change to something like this:

***This is actually Renesas SHASM assembly code and is no good for the GNU assembler
that we will use later to build the ROM after modification.

18. To fix this, select Options > General, and on the Analysis tab change the Target
assembler to “GNU Assembler” from the drop down list. Click the Reanalyze
program button, then hit OK.

19. Next run logic’s SH7052.idc script to fix the IDA file to a format that can be used to
produce an .ASM file that the KPIT GNU assembler can use.
Get the script from http://dev.logic.net/hg/esm/file/tip/evo/IDA/sh7052.idc and
save it to your ..\IDA PRO 61\idc folder.


20. Run the script in IDA using File > Script file, to select and run the SH7052.idc script
in the ..\IDA PRO 61\idc folder.

!!! Note !!!


The SH7052.idc script creates a RAM segment for a VIII ECU starting at 0xFFFF8000
with a size of 0x3000. IX ECUs start at 0xFFFF6000 with a size of 0x8000. It also
creates a third segment for the hardware registers, at 0xFFFFE400 with a length of
0x1460. (On the VIII ECU, it's FFFFE400 through FFFFF85F, while on the IX it's FFFFE400
through FFFFF83F; for simplicity, it defines it as the wider VIII range.) For details on
this segment and what addresses are tied to what registers, see Appendix A of either
the SH7052F manual (for VIII ECUs), or the SH7055S manual (for IX ECUs).

The reason it restricts the definition is because when IDA encounters a longword, it
tries to treat it as a reference to a memory address if it falls within one of the existing
segments. This helps to filter out obviously bogus references to things like
"0xFFFFFFFF" or "0xFFFF0000" as there are quite a few instances of the latter used as
bitmasks.

21. Export your ASM text file from IDA using File > Produce file > Create ASM file, and
save it to your favorite project folder.


ECU Assembly

This section describes how to build a ROM binary from a GNU format assembly text file.
1. Download the pcrel_filter.sh script from
http://dev.logic.net/hg/esm/file/tip/evo/IDA/pcrel_filter.sh
and save it to your project folder.

2. Download and install the Cygwin 64bit bash shell terminal for Windows using the
instructions at https://cygwin.com/install.html

3. Download and install the Renesas High-performance Embedded Workshop (HEW) v4
from https://www.renesas.com/en-us/products/software-tools/tools/ide/hew.html
This builds the environment needed for assembling and linking Renesas SuperH RISC
programs.

4. Download the KPIT GNU Toolchain v09.02 installer executable from the Renesas
GNU Tools website. The name of the installer executable has the form
"GNUSH<version>-ELF.exe", where <version> is the toolchain version. For example, if the
toolchain version is "v0902" then its installer will have the name
"GNUSHv0902-ELF.exe".

5. Run the KPIT GNU Toolchain installer and integrate it with HEW. Installation
instructions are in C:\Program Files (x86)\Renesas\Hew\Tools\KPIT
Cummins\GNUSH-ELF\v0902\Doc\GNUSH_UserManual.pdf

6. Prepare the ASM text file for the KPIT GNU assembler by running the pcrel_filter.sh
bash script on your assembly text file. This script corrects PC-Relative MOV
instructions to a format that is recognized by the KPIT GNU assembler.

a. Start a Cygwin64 bash shell by clicking on the Cygwin64 Terminal option on the
Start menu.


b. Change to the project directory containing your assembly text file and the
pcrel_filter.sh script.
Type cd <drive:/path to project directory> and hit enter.


c. The line above the $ prompt changes to show the relative path to the project
directory.

d. At the $ prompt, enter "sh pcrel_filter.sh (assembly_file_name).txt >
(assembly_file_name).asm" and hit Enter.

This bash shell script removes the PC relative references from the
(assembly_file_name).txt file, and pipes the output to
(assembly_file_name).asm.


e. Type exit and hit enter to quit the Cygwin64 terminal.

7. Start a DOS command prompt as administrator.


8. Change to the directory containing the KPIT GNU sh-elf-as.exe assembler.

9. Assemble the code by running this command:

sh-elf-as -o (rom_file_name).o (assembly_file_name).asm

This will create an output file named (rom_file_name).o.

10. Link the code by running:

sh-elf-ld -o (rom_file_name) (rom_file_name).o

This will create a linked output file named (rom_file_name).

11. Finally, you'll need to trim the header junk created by the GNU assembler and linker,
using a Cygwin64 Terminal command:

dd if=(rom_file_name) of=rom.hex bs=1 skip=132 count=262144

This will extract the ROM image into a hex file that you can flash to your ECU.
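As an added check (this script is not part of the guide or of logic's tools), the Python below reproduces the dd trim above and compares the rebuilt image with the original EcuFlash dump, so you can confirm that an unmodified disassembly reassembles byte-for-byte before building any mod on it. The skip and count values are the ones from the dd command; the file names on the command line are whatever you chose.

```python
"""Round-trip check for a rebuilt Evo ROM (added example, not part of the guide)."""
import sys

HEADER_SKIP = 132   # header bytes the guide's dd command skips (skip=132)
ROM_SIZE = 262144   # 256 KiB image the guide's dd command keeps (count=262144)


def extract_rom(linked: bytes, skip: int = HEADER_SKIP, count: int = ROM_SIZE) -> bytes:
    """Python equivalent of `dd bs=1 skip=<skip> count=<count>` on the sh-elf-ld output."""
    image = linked[skip:skip + count]
    if len(image) != count:
        raise ValueError(f"linked output too short: {len(image)} bytes, expected {count}")
    return image


def diff_runs(original: bytes, rebuilt: bytes) -> list:
    """List each contiguous run of differing bytes as (rom_offset, length)."""
    # The ROM starts at address 0 (the guide jumps to 0000 for the start of the
    # code), so a ROM offset is also the address IDA displays for it.
    if len(original) != len(rebuilt):
        raise ValueError(f"size mismatch: {len(original)} vs {len(rebuilt)} bytes")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, rebuilt)):
        if a != b and start is None:
            start = i                        # a new run of differences begins
        elif a == b and start is not None:
            runs.append((start, i - start))  # the run ended at the previous byte
            start = None
    if start is not None:
        runs.append((start, len(original) - start))
    return runs


def main(argv: list) -> int:
    if len(argv) != 3:
        print("usage: roundtrip_check.py <original_rom_dump> <sh-elf-ld_output>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        original = f.read()
    with open(argv[2], "rb") as f:
        rebuilt = extract_rom(f.read())
    runs = diff_runs(original, rebuilt)
    for off, n in runs:
        print(f"0x{off:06X}: {n} byte(s) differ")
    print("round trip OK" if not runs else f"{len(runs)} differing run(s)")
    return 0 if not runs else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the unmodified rebuild first; once it reports "round trip OK", any runs it lists for a modified build are exactly the bytes your mod changed, and anything else is a translation problem worth chasing before flashing.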
