Friday, December 31, 2010

Some disassembly required

(Happy New Year's Eve!   Before I talk about reverse-engineering strategies, I thought I would explain to the uninitiated what a disassembler is, and recommend a good one.  If you already know what a disassembler is and have a favorite, you can skip this post.)

Once you've successfully read out the firmware image from your ECU, you still only have a bunch of bytes.  In order to make any sense out of it, you're going to have to change it into a more human-readable form:  assembly language.  You could try doing this manually, by looking up what instruction each byte corresponds to in the user manual for your ECU's microcontroller.  You could, but that would be crazy.  It would take forever.  The right way is to use a disassembler, which is a program that does this (and usually a lot more) for you.

When I started with the Honda CRX, I was lucky that its ECU used an 8051.  It's such a popular micro that there are free disassemblers available to download.  The Integra, however, uses a much less common chip from Oki Semiconductor (66207), so I wasn't able to disassemble it until someone else (another Honda ECU hacker, I assume) wrote a disassembler for it.  For the NB Miata, although I don't know the exact micro it's using, I at least know it's from the Motorola MC68HC16 family, and that's common enough that disassemblers exist for it.  There are certain registers (memory locations with special functions) that are specific to the particular variant found in the NB that the disassemblers don't know about, but for the most part the assembly code they generate is quite usable.

So earlier I mentioned that most disassemblers do more than just transform bytes into assembly language instructions.  What else do they do?  A lot!  Take IDA Pro, for example.  It is probably the best-known and best disassembler out there.  It's also freakin' expensive, so most of us can only afford the free version.  But even that is still really powerful.  For example, the assembly listing it generates is not just a text file: it groups code into functions and subroutines, and you can follow a jump or call by simply clicking on it.  It also compiles lists of all the functions, subroutines and variables it found, so as you figure out what each one is for, you can rename it to something more meaningful.  You can also tell it which parts of your firmware image are instructions and which parts are data tables (or blank), so it translates each part properly instead of trying to decode a lookup table as code.  The expensive version can also draw subroutines as flowcharts, which I'm sure makes untangling them even easier.  I wish they had a cheaper version that had some of the Pro features in it.  I would definitely consider buying it.  Still, anyone interested in reverse-engineering binary code (whether it's from an ECU, any other firmware or even PC programs) should at least check out the free version.  The Pro version supports many more processors than the free version, but sometimes people write processor modules for the free version that add support for other chips (including one that works for the Miata, fortunately!).
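As an added example (not code from the original post), here is a toy disassembler in Python for a small subset of the 8051, the micro the CRX ECU used.  It shows the mechanics behind the two paragraphs above: an opcode table standing in for the user manual, operand decoding including the branch-target arithmetic, a table of special-function-register names that you extend as you identify a variant's extra registers, and a list of byte ranges marked as data so the tool does not decode a lookup table as instructions.  The opcode subset and SFR names are the standard 8051 ones; the firmware image, the function names and the data-range convention are constructed for this example and are not from any real ECU.

```python
# Added example (not from the original post): a toy table-driven disassembler
# for a small subset of the 8051 instruction set. It does the three things the
# post describes: looks each opcode up in a table instead of the user manual,
# decodes the operand bytes that follow it, and lets you mark byte ranges as
# data tables so they are not mis-decoded as code. The opcode subset and SFR
# names are transcribed from the standard 8051; the firmware image at the
# bottom is constructed for the demo.

# opcode -> (mnemonic, operand template, total instruction length in bytes)
OPCODES = {
    0x00: ("NOP",   "",             1),
    0x02: ("LJMP",  "addr16",       3),
    0x12: ("LCALL", "addr16",       3),
    0x22: ("RET",   "",             1),
    0x24: ("ADD",   "A,#imm8",      2),
    0x60: ("JZ",    "rel",          2),
    0x70: ("JNZ",   "rel",          2),
    0x74: ("MOV",   "A,#imm8",      2),
    0x75: ("MOV",   "direct,#imm8", 3),
    0x80: ("SJMP",  "rel",          2),
    0x90: ("MOV",   "DPTR,#imm16",  3),
    0x93: ("MOVC",  "A,@A+DPTR",    1),
    0xA3: ("INC",   "DPTR",         1),
    0xE4: ("CLR",   "A",            1),
    0xE5: ("MOV",   "A,direct",     2),
    0xF5: ("MOV",   "direct,A",     2),
}
for n in range(8):  # register-indexed forms occupy eight consecutive opcodes
    OPCODES[0x78 + n] = ("MOV",  f"R{n},#imm8", 2)
    OPCODES[0xD8 + n] = ("DJNZ", f"R{n},rel",   2)

# Names for special-function registers. A standard 8051 map; extend it as you
# identify the extra peripheral registers of a particular ECU's variant.
SFR_NAMES = {0x80: "P0", 0x81: "SP", 0x82: "DPL", 0x83: "DPH", 0x90: "P1",
             0xA0: "P2", 0xB0: "P3", 0xD0: "PSW", 0xE0: "ACC", 0xF0: "B"}


def decode(image, pc, sfr_names=SFR_NAMES):
    """Decode one instruction at offset pc; return (length, assembly text)."""
    op = image[pc]
    entry = OPCODES.get(op)
    if entry is None or pc + entry[2] > len(image):
        return 1, f"DB 0x{op:02X}"      # unknown or truncated: emit the raw byte
    mnem, template, length = entry
    operands, i = [], pc + 1             # i walks the operand bytes in order
    for tok in (template.split(",") if template else []):
        if "addr16" in tok or "imm16" in tok:
            val = (image[i] << 8) | image[i + 1]    # 8051 16-bit fields are big-endian
            i += 2
            tok = tok.replace("addr16", f"0x{val:04X}").replace("imm16", f"0x{val:04X}")
        elif "imm8" in tok:
            tok = tok.replace("imm8", f"0x{image[i]:02X}")
            i += 1
        elif "direct" in tok:
            tok = tok.replace("direct", sfr_names.get(image[i], f"0x{image[i]:02X}"))
            i += 1
        elif tok == "rel":
            disp = image[i] - 256 if image[i] > 127 else image[i]   # signed 8-bit offset
            i += 1
            tok = f"0x{(pc + length + disp) & 0xFFFF:04X}"   # show the target, not the offset
        operands.append(tok)
    return length, f"{mnem} {','.join(operands)}".rstrip()


def disassemble(image, data_ranges=()):
    """Linear sweep from offset 0. data_ranges is a list of (start, end) offsets
    the analyst has marked as tables; those bytes are emitted as DB, not decoded."""
    listing, pc = [], 0
    while pc < len(image):
        region = next(((s, e) for s, e in data_ranges if s <= pc < e), None)
        if region is not None:
            end = min(region[1], len(image))
            listing.append((pc, "DB " + ",".join(f"0x{b:02X}" for b in image[pc:end])))
            pc = end
            continue
        length, text = decode(image, pc)
        listing.append((pc, text))
        pc += length
    return listing


# Constructed 24-byte "firmware": a loop that reads a lookup table through
# MOVC and writes the result to port 0, followed by the table itself at 0x0010.
FIRMWARE = bytes([
    0x74, 0x05,             # 0000  MOV A,#5
    0x90, 0x00, 0x10,       # 0002  MOV DPTR,#table
    0x93,                   # 0005  MOVC A,@A+DPTR
    0xF5, 0x80,             # 0006  MOV P0,A
    0x60, 0x03,             # 0008  JZ 000D
    0x02, 0x00, 0x00,       # 000A  LJMP 0000
    0x80, 0xFE,             # 000D  SJMP $  (spin forever)
    0x22,                   # 000F  RET
    0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,   # 0010  data table
])
TABLE = [(0x0010, 0x0018)]

if __name__ == "__main__":
    for label, ranges in (("naive sweep", ()), ("table marked as data", TABLE)):
        print(f"--- {label} ---")
        for addr, text in disassemble(FIRMWARE, ranges):
            print(f"{addr:04X}: {text}")
```

Run it and compare the two listings.  In the naive sweep the table bytes at 0x0010 come out as a phantom LCALL 0x3456 followed by a DJNZ back into the loop, which is exactly the kind of misleading code a disassembler produces until you tell it that region is data; the second listing emits the same bytes as a single DB line.  Note also that the direct address 0x80 prints as P0 only because it is in the name table, which is the same job you do by hand for the variant-specific registers a stock disassembler does not know.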
