Arguements

Author: Sluder

ClusterBins.py

@@ -7,6 +7,7 @@
 import pandas
 import operator
 import hashlib
+import argparse
 from collections import OrderedDict, Counter
 from sklearn.cluster import AgglomerativeClustering
 from itertools import count
@@ -51,33 +52,23 @@ def get_opcodes(self, should_hash=True):
             return hashlib.md5(opcodes.encode()).hexdigest()
         return opcodes
 
-    def n_grams(self, stop_addr=None, get_first_ops=True, n_grams=2):
+    def n_grams(self, stop_addr=None):
+        """
+        Creates list of opcodes for this blocks instructions
+        :param stop_addr: Address to stop grabbing opcodes
+        """
         opcodes = []
 
-        if stop_addr is None:
-            for instruction in self.instructions.values():
-                opcodes.append(instruction.opcode)
-        else:
-            if get_first_ops:
-                for address, instruction in self.instructions.items():
-                    if address == stop_addr:
-                        break
-                    opcodes.append(instruction.opcode)
-            else:
-                skip = False
-
-                for address, instruction in self.instructions.items():
-                    if address == stop_addr:
-                        skip = True
-                    elif skip:
-                        opcodes.append(instruction.opcode)
+        for address, instruction in self.instructions.items():
+            if stop_addr is not None and address == stop_addr:
+                break
+            opcodes.append(instruction.opcode)
 
         return opcodes
 
     def gen_features(self, inst, depth=1):
         """
         :param inst: Instruction instance to get features for
-        :param sensor_addr: Str of sensor address to find
         :param depth: Number of blocks to get features from before/after inst
         """
         features = {"pre":[], 'post':[]}
@@ -124,7 +115,7 @@ def _gen_following_grams(self, instruction_addr, depth=1):
         :param depth: Number of blocks to get features from before/after inst
         """
         ret = []
-        ret.extend(self.n_grams(instruction_addr, False))
+        ret.extend(self.n_grams(instruction_addr))
 
         if self.fail is not None:
             ret.extend(self.fail.n_grams())
@@ -384,7 +375,9 @@ def get_rvector_calls(self, r2):
 
         # Get 1000 instructions due to radare2 stopping too early with analysis
         # Fix was to use command 'afu' to resize function after finding main loop
-        instructions = json.loads(str(r2.cmd('pdj 1000'), 'ISO-8859-1'), strict=False, object_pairs_hook=OrderedDict)
+        instructions = json.loads(
+            str(r2.cmd('pdj 1000'), 'ISO-8859-1'), strict=False, object_pairs_hook=OrderedDict
+        )
         calls = []
         stores = 0
         watch = False
@@ -494,6 +487,7 @@ def match_functions(self, bins):
                     control_bin = bins[self.control.filename]
                     sensor_fcn.sensor = sensor
 
+                    # Get hashes of CFG if the functions file didnt have it
                     if sensor_fcn.base_addr in control_bin.functions.keys():
                         control_hashes = control_bin.functions[sensor_fcn.base_addr].hashes
                     else:
@@ -508,6 +502,7 @@ def match_functions(self, bins):
                     highest_jaccard = 0
                     chosen_fcn = None
 
+                    # Test all functions against the control function
                     for test_fcn in bin.functions.values():
                         value = jaccard_index(control_hashes, test_fcn.hashes)
 
@@ -522,9 +517,10 @@ def match_functions(self, bins):
 
         return matches
 
-    def match_sensors(self):
+    def match_sensors(self, should_simplify):
         """
-        Find corrosponding sensor addresses using the matched functions
+        Find corresponding sensor addresses using the matched functions
+        :param should_simplify: Whether results should only show found sensors
         """
         matches = {}
 
@@ -564,11 +560,13 @@ def match_sensors(self):
 
                         matches[filename][control_fcn.sensor][addr] = round(average, 2)
         self.sensor_matches = matches
-        self.cleanup_sensor_matches()
+
+        if should_simplify:
+            self.cleanup_sensor_matches()
 
     def cleanup_sensor_matches(self):
         """
-        Helper to simplify sensor matches json
+        Helper to simplify sensor matches JSON
         """
         for filename, sensor_matches in self.sensor_matches.items():
             for sensor, matches in sensor_matches.items():
@@ -662,6 +660,9 @@ def setup_r2(file_path):
     return r2
 
 def analyze_bins():
+    """
+    Create EcuFile instances for bins in the directory
+    """
     bins = {}
 
     for filename in os.listdir(BIN_DIR):
@@ -673,6 +674,7 @@ def analyze_bins():
 def build_clusters(bins):
     """
     Builds Cluster instances from grouped binaries
+    :param bins: List of EcuFile instances
     """
     clusters = []
 
@@ -757,6 +759,10 @@ def write_clusters(clusters):
         print("Write results to cluster_matches.json")
 
 if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Cluster M7700 binaries & find sensor addresses')
+    parser.add_argument('-s', action='store_true', help='simplify sensor findings output')
+    args = parser.parse_args()
+
     bins = analyze_bins()
 
     clusters = build_clusters(bins)
@@ -765,6 +771,6 @@ def write_clusters(clusters):
 
     for cluster in clusters:
         cluster.match_functions(bins)
-        cluster.match_sensors()
+        cluster.match_sensors(args.s)
 
     write_clusters(clusters)

cluster_matches.json

@@ -7,17 +7,17 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
-            "knock_correction": "0x1051"
+            "throttle_position": "0x1036",
+            "knock_correction": "0x1089"
         },
         "742521-1994-USDM-SVX-EG33.bin": {
             "batt_voltage": "0x10b4",
             "vehicle_speed": "0x1071",
             "engine_speed": "0x106f",
             "water_temp": "0x1185",
-            "ignition_timing": "0x11a7",
+            "ignition_timing": "0x11ac",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
+            "throttle_position": "0x1036",
             "knock_correction": "0x1071"
         },
         "722527-1993-USDM-SVX-EG33.bin": {
@@ -27,7 +27,7 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
+            "throttle_position": "0x1036",
             "knock_correction": "0x12a7"
         },
         "722515-1992-JDM-SVX-EG33.bin": {
@@ -37,8 +37,8 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x103a",
-            "throttle_position": "0x128c",
-            "knock_correction": "0x1051"
+            "throttle_position": "0x1036",
+            "knock_correction": "0x1089"
         },
         "722531-1996-UK-SVX-EG33.bin": {
             "batt_voltage": "0x1186",
@@ -47,7 +47,7 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
+            "throttle_position": "0x1036",
             "knock_correction": "0x1089"
         },
         "742541-1994-MidEast-SVX-EG33.bin": {
@@ -57,18 +57,18 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
+            "throttle_position": "0x1036",
             "knock_correction": "0x1134"
         },
         "722521-1991-USDM-SVX-EG33.bin": {
             "batt_voltage": "0x10b4",
             "vehicle_speed": "0x1071",
             "engine_speed": "0x106f",
             "water_temp": "0x1185",
-            "ignition_timing": "0x105b",
+            "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
-            "knock_correction": "0x1256"
+            "throttle_position": "0x1036",
+            "knock_correction": "0x105a"
         },
         "722525-1992-USDM-SVX-EG33.bin": {
             "batt_voltage": "0x102f",
@@ -77,7 +77,7 @@
             "water_temp": "0x1185",
             "ignition_timing": "0x10a2",
             "airflow": "0x1283",
-            "throttle_position": "0x128c",
+            "throttle_position": "0x1036",
             "knock_correction": "0x1237"
         }
     },
@@ -89,7 +89,7 @@
             "water_temp": "0x11a2",
             "ignition_timing": "0x109e",
             "airflow": "0x1307",
-            "throttle_position": "0x12c6",
+            "throttle_position": "0x133b",
             "knock_correction": "0x1328"
         },
         "744014-1995-JDM-Wrx-EJ20T.bin": {
@@ -99,7 +99,7 @@
             "water_temp": "0x11a2",
             "ignition_timing": "0x109e",
             "airflow": "0x1307",
-            "throttle_position": "0x12c6",
+            "throttle_position": "0x133b",
             "knock_correction": "0x1328"
         },
         "74401A-1995-JDM-WrxRA-EJ20T.bin": {
@@ -109,7 +109,7 @@
             "water_temp": "0x11a2",
             "ignition_timing": "0x109e",
             "airflow": "0x1307",
-            "throttle_position": "0x12c6",
+            "throttle_position": "0x133b",
             "knock_correction": "0x1328"
         },
         "744011-1994-JDM-Wrx-EJ20T.bin": {
@@ -119,20 +119,20 @@
             "water_temp": "0x11a2",
             "ignition_timing": "0x109e",
             "airflow": "0x11fd",
-            "throttle_position": "0x120a",
+            "throttle_position": "0x1073",
             "knock_correction": "0x1328"
         }
     },
     "Cluster 3": {
         "733257-1993-Canada-Legacy-EJ22.bin": {
-            "batt_voltage": "0x10b8",
+            "batt_voltage": "0x1072",
             "vehicle_speed": "0x1075",
             "engine_speed": "0x1073",
             "water_temp": "0x11a9",
             "ignition_timing": "0x109e",
             "airflow": "0x1307",
             "throttle_position": "0x1031",
-            "knock_correction": "0x1270"
+            "knock_correction": "0x127c"
         },
         "7232A5-1992-UK-Legacy-EJ22.bin": {
             "batt_voltage": "0x1170",
@@ -155,7 +155,7 @@
             "knock_correction": "0x1132"
         },
         "7237A5-1992-EDM-Legacy-EJ20.bin": {
-            "batt_voltage": "0x1170",
+            "batt_voltage": "0x11ce",
             "vehicle_speed": "0x1075",
             "engine_speed": "0x1073",
             "water_temp": "0x11b0",