
Disassemble IPC firmware with IDA-Pro

Disassemble the firmware using IDA-Pro.

All of the following explanations are based on firmware 7M2T-14C026-AG, which was used on a vFL Convers+.

Before you start, you should learn some facts about the MAC7116, the microcontroller used inside the Convers+.

According to the board layout, the MPU runs in "Normal Single Chip Mode", which matters for the mapping addresses of the internal resources and for the behaviour of the chip itself.

The firmware files from Ford (namely *.vbf files) only contain the main firmware part, without the primary bootloader and the reset vectors. To get a full image of everything, simply concatenate the parts into one file (except for the RAM segment, because IDA creates it on the fly and it is empty at boot anyway ;-).

Start address   Length          Contains
0x0000 0000     0x0000 0020     Reset vector table
0x0000 1000     0x0000 4000     Primary bootloader code (PBL)
0x0000 5000     0x00FB 0000     1 MB of main firmware code (from vbf file)
0x3000 0000     x3001F FFFF     2 MB of external Flash code (from vbf file)
0x4000 0000     0x0000 C000     48 KB internal SRAM of MAC7116

The reset vector table

This table consists of 8 DWORD entries which the CPU uses to jump to specific locations in the code, depending on the type of exception raised. The first vector is used on reset.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  EA 00 04 04 EA 00 14 BF EA 00 14 BF EA 00 14 BF  ê...ê..¿ê..¿ê..¿
00000010  EA 00 14 BF EA 00 14 BF EA 00 14 BF EA 00 14 BF  ê..¿ê..¿ê..¿ê..¿

The primary bootloader code

This one is hard to get, because it is not distributed in any way. Check whether you can download it somewhere. It is the key to a useful disassembly…

The main firmware code

To obtain the binary part of the firmware, load the VBF file into a hex editor like HxD and cut off the first bytes up to the last '}' of the readable text part, the 8 following bytes (header data) and the last two bytes (VBF checksum). Then save the result as *.bin, which you will load into IDA Pro.

This code plays no role in the disassembly, because it is only loaded into the SRAM of the MPU during an update in order to execute the update process.

Set Processor type: ARM Big-endian [ARMB]

Processor options ⇒ Edit ARM architecture options: ARMv4T

Load options:

Disassemble as 32-bit code when asked.

Now IDA tries to analyse the code, but mostly does not find any and therefore shows everything as 8-bit data (DCB):

Now put the cursor on the first line of data at 0x0000 and press C to convert it to code, and voilà, there it is right in front of you:

In the left panel you see that IDA, using its linear disassembly technique, was able to find most of the subfunctions. In the code window you find readable ARM7 instructions. The red arrows on the left show the call flow.

You can now follow the branches and try to understand what this is all about.

The next thing we should do is to find code accessing the memory-mapped I/O peripherals of the MAC7116 MCU and replace the raw addresses with names for a better understanding of the code. The datasheet is your friend: go and read it and look up their memory locations: MAC7100 Microcontroller Family Reference Manual

The first instructions of the "Reset Vector Table" are 8 branch instructions which are taken whenever the CPU raises an exception. The first one is the reset vector:

ROM:00000000                 B       loc_1018
ROM:00000004                 B       loc_5308
ROM:00000008                 B       loc_530C
ROM:0000000C                 B       loc_5310
ROM:00000010                 B       loc_5314
ROM:00000014                 B       loc_5318
ROM:00000018                 B       loc_531C
ROM:0000001C                 B       loc_5320

As you can see, it jumps to address 0x0000 1018, which lies in the primary bootloader code. The other branches head straight into the main firmware code segment, which is loaded from 0x0000 5000 onwards.

  • Last modified: Tue. 02.11.2021 14:33
  • by go4it