http://forum.miata.net/vb/showthread.php?t=536601

Hey all!

About 5 years ago, there was a great thread on reverse engineering the NC ECU (http://forum.miata.net/vb/showthread.php?t=341366). In the spirit of that thread, I wanted to continue the discussion here for anyone remotely interested in the ECU's inner workings. MX-Five (Clive) and Jim Boemler have done some solid work on this already, and I'm hoping we can rekindle further exploration. Please, no pissing matches between folks with regards to tunes and tuners... the end goal here is discovery, and sharing information. If any tuners have technical knowledge that doesn't compromise their tuning strategies, I'm sure you'd have a captive audience. All ears, or eyes, or whatever... you know what I mean! Anyway, to start things off I've consolidated some information on the tools needed for disassembling the ROM should anyone want to explore.

---

DOCUMENTATION

Renesas sh7058 manual
https://googledrive.com/host/0B3_pF8...sas_sh7058.pdf

Sega SH-4 manual (has C equivalents of the SH instruction set, kinda helpful)
https://googledrive.com/host/0B3_pF8...ZDQ/SHC_PM.pdf

---

TOOLS

KPIT Gnu Tools & Renesas High-Performance Embedded Workshop
http://www.kpitgnutools.com/index.php

A compiler/debugger/simulator that's extremely useful! Step through code, access RAM and registers, I/O simulation (haven't quite figured that out), etc. It requires registering a free account, and it will take a day or so for confirmation granting access to downloads. Once confirmed, go to free downloads > all downloads.

Download the following and install.
HEW 4.08-ntc for KPIT GNU Tools with Simulators
GNUV850 v12.02 Windows Tool Chain

Setup
* run HEW
* from popup or file menu, select create a new project workspace
* give workspace/project a name
* set CPU family to 'SuperH RISC engine'
* set toolchain to 'KPIT GNUSH [ELF]'
* leave project at default (C application)
* press ok 
* (new popup) leave toolchain version at default
* set CPU series to 'SH-2e'
* set CPU type to 'SH7058F'
* press next
* (option setting popup) press next
* (library generator settings popup) select 'enable all', then press next
* (target system for debugging popup) select the 'SH-2E' target check box
* set target type to 'SH-2E' (should be default)
* press next
* select finish
* (summary popup) press ok, and the workspace will load
* select debug > debug settings
* set target to 'SH-2E Simulator'
* set debug format to 'Binary'
* select browse, and then select your ROM file
* press ok to confirm
* press ok again to get out of debug settings popup
* (warning popup) select 'YES' to continue
* (peripheral function simulation popup), press ok
* look at the project browser pane to the left
* right-click your ROM, and select download
* go debug menu and select 'reset CPU'
* disassembly visible, and now you can step thru the code

One additional step, which I'm unsure is required for accessing RAM, is going to setup > simulator > memory resource, then setting up both Memory Map and Memory Resource according to Table 9.3 in the Renesas manual. One quirk: memory settings don't stick when reloading the project.

IDA Pro - Probably reversing's #1 tool (both legitimate and fringe)
https://www.hex-rays.com/index.shtml

Setup
* drag ROM into ida
* set processor type to Renesas SH4B
* check box to create RAM section
* set RAM start address to 0xffff0000
* set RAM size to FFFF
* press ok
* a popup will ask you to choose a device name; select SH7058
* press 'G' (goto) and enter 0000 (you are likely at the top anyway)
* press 'D' three times (you will see the hex convert to a long value... for example, mine says "data.l unk_C0C")
* double-click that reference, or press 'G' and type it in (only the hex)
* press 'C' - you will see some disassembled code
* go to options > analysis > kernel options 1, then check the box 'final analysis pass' and press ok
* goto options > analysis, then press reanalyze program
* rom disassembled, now the hard part.. what does it all mean?

IDA Register Definitions for SH7055 / SH7058 by dshultz over at the romraider forum. 
https://raw.githubusercontent.com/ds...rc/IDA/sh3.cfg
Copy file to your IDA cfg directory, and replace sh3.cfg which should already exist. 
Interrupts will be labeled on reanalysis.
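The "data.l unk_C0C" seen in the IDA steps above is the SH-2 power-on reset vector, and the interrupt labels the cfg file adds come from the same table. The added script below (my own example, not from the thread or from dshultz's cfg) parses that vector table from a raw ROM image without IDA and sanity-checks each entry; the flash size (1 MB at address 0) and the RAM range (0xFFFF0000, size 0xFFFF, matching the IDA setup above) are assumptions, and the sample ROM is constructed, not a real dump.

```python
import struct

# Assumed address ranges, taken from the thread's IDA setup: SH7058 on-chip
# flash mapped at 0 (1 MB), RAM section at 0xFFFF0000 with size 0xFFFF.
ROM_BASE, ROM_SIZE = 0x00000000, 0x100000
RAM_BASE, RAM_SIZE = 0xFFFF0000, 0xFFFF
VECTOR_COUNT = 256  # SH-2 vector table: 256 big-endian 32-bit entries at ROM offset 0

# Fixed SH-2 vector assignments; 32-63 are TRAPA vectors, 64+ are peripheral interrupts.
VECTOR_NAMES = {0: "power_on_reset_pc", 1: "power_on_reset_sp",
                2: "manual_reset_pc", 3: "manual_reset_sp",
                4: "general_illegal_instruction", 6: "slot_illegal_instruction",
                9: "cpu_address_error", 10: "dmac_address_error",
                11: "nmi", 12: "user_break"}

def vector_name(n):
    if n in VECTOR_NAMES:
        return VECTOR_NAMES[n]
    return f"trapa_{n - 32}" if 32 <= n <= 63 else f"vector_{n}"

def reset_entry(rom):
    """Power-on reset (PC, SP); the PC is the 'data.l unk_C0C' the thread sees in IDA."""
    return struct.unpack(">II", rom[:8])

def parse_vector_table(rom):
    """Return {vector_no: (target, name)} for entries that pass sanity checks.
    SP entries (1 and 3) must point into on-chip RAM; every other entry is a PC
    and must be an even address inside flash. 0 and 0xFFFFFFFF (erased) are unused."""
    table = {}
    for n, target in enumerate(struct.unpack(">%dI" % VECTOR_COUNT, rom[:VECTOR_COUNT * 4])):
        if target in (0, 0xFFFFFFFF):
            continue
        if n in (1, 3):
            ok = RAM_BASE <= target < RAM_BASE + RAM_SIZE
        else:
            ok = ROM_BASE <= target < ROM_BASE + ROM_SIZE and target % 2 == 0
        if ok:
            table[n] = (target, vector_name(n))
    return table

def build_sample_rom():
    """Constructed 1 KB image (not a real ECU dump): erased flash plus a few vectors."""
    vectors = [0xFFFFFFFF] * VECTOR_COUNT
    vectors[0] = vectors[2] = 0x00000C0C   # reset PC, the value the thread saw in IDA
    vectors[1] = vectors[3] = 0xFFFFBFFC   # initial SP near the top of RAM
    vectors[4] = 0x00001000                # general illegal instruction handler
    vectors[11] = 0x00002000               # NMI handler
    vectors[32] = 0x00003001               # odd PC: invalid on SH, must be rejected
    vectors[64] = 0x00FFFFFE               # outside the 1 MB flash: rejected
    return struct.pack(">%dI" % VECTOR_COUNT, *vectors)
```

Run `parse_vector_table` on the first 1 KB of a real dump and the PC entries it keeps are the handler addresses worth visiting first in the disassembler.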

IDA Consonance Theme - Eye strain relief from the default color theme!
https://github.com/eugeneching/ida-consonance
