Hello,
I've looked around here and I can't find anything about how to create or edit XDF files. Does it require Ghidra or some other tool like IDA Pro . . . both of which I know very little about.
This request is mostly intellectual curiosity on my part to enable me to keep up with the sometimes very technical discussions. I'm also not asking for lessons . . . more a guided tutorial for self learning if such a thing exists.
Many thanks,
Rick
Tunerpro allows you to create and edit XDF files. I would recommend beginning with an existing file to see how the parameters are set up. Select an XDF, select a parameter or table in the LH parameter tree, then press F2 to see the edit screen.
Hello,
Yes, I have seen that capability in Tuner Pro. I just went back and finally found one that did not need a password to unlock it. Previously, I had looked through a dozen or more XDF files and all needed a password. Now that I finally found an XDF that can be opened, I can see that I need to be much more skilled at programming and that is going to a tougher deal to crack.
But I thank you for getting me this far.
Rick
You may not need to be skilled at programming, but you will need to find a reference that provides the needed information. Essentially you're just decoding a bunch of values. If you have a warehouse full of shelves you need to be able to determine what items are on each shelf. Shelf location, item name, item description, and quantity are all important. For the calibration you get hex location, item name, item description, and the value which is revealed through a formula.
There are two ways to interpret this question...
1) How does one add a parameter or table to an XDF? This is pretty straightforward if you're starting with an unlocked XDF. TunerPro has dialog boxes where you can enter the necessary information. Or you can do it by editing the XDF file with a text editor, if you're comfortable with XML.
2) How does one get the information needed to correctly add a useful parameter or table to an XDF? This is reverse engineering, and yes this is where tools like IDA Pro and Ghidra come in. You can do this without them, using a disassembler that just spits out chunks for assembly language when you give it a file and an address to start from, but interactive tools (IDA Pro, Ghidra) make the job far easier.
And even with those tools, reverse engineering is a lot of work.
If you are not currently using operating system 12212156 (for P01 PCMs), or 12587603 (for P59 PCMs), I suggest using HPT or EFILive to copy your tune over to one of those before you start. To the best of my knowledge those are available in variations that will work for any combination of auto/manual, DBW/DBC, etc. The community would be best off if everyone focused on those two operating systems rather than sprinkling effort randomly across dozens of others. The Subaru world was encumbered by having unique operating systems in every model and model-year, so after something useful is found in one model/year, it takes a long time (a lot of work) for the same thing to be figured out in every other model/year. It's a pain, but we have the opportunity to avoid that problem in the GM world.
Anyway...
IDA Pro is expensive because until recently it had no competitors. Ghidra just changed that for a lot of people, but not quite for us. The problem for us is that Ghidra doesn't yet support all of the instructions used by the CPU in our PCMs, and that creates some headaches. The missing instructions are for table lookups, which are used all over the place in PCM OS code - especially the code we care about - so it's a big problem. But it's solvable, and I'm sure it will be solved. And once that problem is solved, there will be no reason to buy IDA.
If you're working with an operating system that already has an XDF, that will give you a big head start. I've written a script that will convert an XDF into a script that can be loaded into IDA, and it will label the memory addresses for all of the parametes and tables in the XDF. Another script will label the addresses of the functions that handle OBD2 PID requests. I will make Ghidra versions of those scripts as soon as Ghidra supports those missing instructions.
So you'll start with a disassembled operating system where a bunch of data addresses are labeled, and a little bit of code is labeled. Then you have to figured out what the rest of the code is doing, so that you can find the data that it uses, figure out what that data is for, and then put the addresses of the data into an XDF, with a useful name and description. The information in the existing XDFs provides a big head start. For example if you want to investigate the fueling code, you can start by finding the fueling table, then ask IDA/Ghidra to find the code that uses that table, and in that code you'll see references to related tables and constants from the XDF, so that's where you start your investigation.
If you have experience writing software, you can pick this up pretty quickly. If you don't, this is something where learning-by-doing works just fine. Some of the folks who have made huge contributions to Subaru reverse engineering don't work in the software industry - they just got curious, got motivated, and got busy. Mostly this just takes perseverance.
The assembly language instruction set used in our PCMs is called CPU32, and 99% of CPU32 is just the Motorola 68000 (aka 68k) instruction set, and you can find tons of reference material for 68k online, in PDF and/or web pages because it was widely used in the 1990s - early Macs, the Sega Genesis game console, Commodore Amiga, etc. The CPU32 extensions are also out there, at least in PDF form. You can also buy it in book form, though I'm not sure that was a great investment as I tend to just use web pages most of the time.
A few years ago I might have dropped some plausibly deniable hints about IDA being available in hacked form through various shady channels, but at this point I think it makes more sense to wait for Ghidra to support the table-lookup instructions that we need.
Or if you want to jump head first into the very deep end of the pool, you might hunt down the tblu (table lookup) instruction documentation and figure out how to get Ghidra to support them. If you can figure that out, you're ready for anything. :)
Hello,
Now we are getting somewhere but after your explanation, I'm not certain that my two remaining brain cells are quite up to the task. I think I will continue to learn and maybe seek those Motorola 68000 documents that you mention. I won't be buying IDA Pro but I may look for Ghidra and play with it a little.
Its all interesting and I thank you very much for the detailed answer. If your info winds up not assisting me, maybe somebody else will make better use of it.
Rick
Posting Permissions
Reply With Quote
Bookmarks