Re: Learning to disassemble ROMs
Posted:
Wed Nov 18, 2009 5:57 am
by Rhinoman
The MM bit is set when the processor comes out of reset. If there is no need to map the control registers to the lower half of memory, then there is no need to write to that bit; the registers will be at FFF000h to FFFFFFh and you will be writing to FFF200h.
ZK is initialised at reset, so if you don't see any write to it then you need to take the value that is at 000000h.
Is this an ECU that has a separate memory device?
Re: Learning to disassemble ROMs
Posted:
Wed Nov 18, 2009 10:28 pm
by elevenpoint7five
Oh you lost me! Haha! I have NO background in programming or assembly language or processors. I've been basically self teaching for the past few weeks and I seem to have hit a roadblock. Here is the full code, maybe it will help:
Code:
ROM:00006906 ldab #0Fh
ROM:00006908 tbyk
ROM:0000690A ldy #0F200h
ROM:0000690E lde #34h
ROM:00006912 ste 30h, Y
ROM:00006916 lde #3Fh
ROM:0000691A ste 32h, Y
ROM:0000691E lde #3Fh
ROM:00006922 ste 34h, Y
ROM:00006926 lde #3Fh
ROM:0000692A ste 36h, Y
ROM:0000692E lde #3Fh
ROM:00006932 ste 38h, Y
ROM:00006936 lde #3Fh
ROM:0000693A ste 3Ah, Y
ROM:0000693E lde #3Fh
ROM:00006942 ste 3Ch, Y
ROM:00006946 lde #3Fh
ROM:0000694A ste 3Eh, Y
ROM:0000694E lde #3Fh
ROM:00006952 ste 40h, Y
ROM:00006956 lde #3Fh
ROM:0000695A ste 42h, Y
ROM:0000695E lde #3Fh
ROM:00006962 ste 44h, Y
ROM:00006966 lde #3Fh
ROM:0000696A ste 46h, Y
ROM:0000696E lde #3Fh
ROM:00006972 ste 48h, Y
ROM:00006976 lde #3Fh
ROM:0000697A ste 4Ah, Y
ROM:0000697E lde #3Fh
ROM:00006982 ste 4Ch, Y
ROM:00006986 lde #3Fh
ROM:0000698A ste 4Eh, Y
ROM:0000698E lde #3Fh
ROM:00006992 ste 50h, Y
ROM:00006996 lde #3Fh
ROM:0000699A ste 52h, Y
ROM:0000699E lde #3Fh
ROM:000069A2 ste 54h, Y
ROM:000069A6 lde #3Fh
ROM:000069AA ste 56h, Y
ROM:000069AE lde #3Bh
ROM:000069B2 ste 58h, Y
ROM:000069B6 lde #3Ah
ROM:000069BA ste 5Ah, Y
ROM:000069BE lde #39h
ROM:000069C2 ste 5Ch, Y
ROM:000069C6 lde #38h
ROM:000069CA ste 5Eh, Y
ROM:000069CE lde #37h
ROM:000069D2 ste 60h, Y
ROM:000069D6 lde #36h
ROM:000069DA ste 62h, Y
ROM:000069DE lde #35h
ROM:000069E2 ste 64h, Y
ROM:000069E6 lde #33h
ROM:000069EA ste 66h, Y
ROM:000069EE lde #32h
ROM:000069F2 ste 68h, Y
ROM:000069F6 lde #31h
ROM:000069FA ste 6Ah, Y
ROM:000069FE lde #30h
ROM:00006A02 ste 6Ch, Y
ROM:00006A06 lde #3
ROM:00006A0A ste 6Eh, Y
ROM:00006A0E lde #2
ROM:00006A12 ste 70h, Y
ROM:00006A16 lde #1
ROM:00006A1A ste 72h, Y
ROM:00006A1E lde #0
ROM:00006A22 ste 74h, Y
ROM:00006A26 lde #3Fh
ROM:00006A2A ste 76h, Y
ROM:00006A2E lde #3Fh
ROM:00006A32 ste 78h, Y
ROM:00006A36 lde #3Fh
ROM:00006A3A ste 7Ah, Y
ROM:00006A3E lde #3Fh
ROM:00006A42 ste 7Ch, Y
ROM:00006A46 lde #3Fh
ROM:00006A4A ste 7Eh, Y
ROM:00006A4E jsr sub_19D6
ROM:00006A52 jsr sub_68DE
ROM:00006A56 lde 816h, Z
ROM:00006A5A ste 17E8h, Z
ROM:00006A5E ldy #0B577h
ROM:00006A62 ldd 17E8h, Z
ROM:00006A66 jsr Read_Tables
ROM:00006A6A std 17EAh, Z
ROM:00006A6E brclr 0DCh, Z, #40h, loc_6A76
ROM:00006A72 ldd #0B000h
That is from beginning to end of that particular function. I understand what all of the opcodes do, it's the memory locations that are getting me.
Since this has been sort of a dead end for me, I decided to move on to some other stuff, and I hit another wall. I found the subroutine that is used to read the data tables, but I have NO idea how it works. It's a bunch of math it seems, but I'm not sure how it is deciding which table to go to (I think it has something to do with the pshm opcode) and how it stores the data for future use. Again with memory locations haha!
As far as I know, the ECU has no separate memory device.
Andy
Re: Learning to disassemble ROMs
Posted:
Thu Nov 19, 2009 10:18 am
by Rhinoman
You are right that this code is writing to a bunch of addresses. Unfortunately I don't know what module is located at FF200; it's possible that the code could be setting up a bunch of timers (TPU?) or it could just be initialising some memory.
Code:
; Let's call the most significant bit of the 24-bit address n
; instead of Y to avoid confusing it with the Y register
; the most significant nibble (msn) is n111 (the other three bits are always 1)
; if the M bit is the reset value '0' then n=0111 or 7h
ROM:00006906 ldab #0Fh ;B = 0Fh
ROM:00006908 tbyk ;YK = B = Fh
ROM:0000690A ldy #0F200h ;n,YK,Y = 7FF200
ROM:0000690E lde #34h ;e = 34h
ROM:00006912 ste 30h, Y ;write 34h to address 7FF230
ROM:00006916 lde #3Fh
ROM:0000691A ste 32h, Y ;write 3Fh to address 7FF232
ROM:0000691E lde #3Fh
ROM:00006922 ste 34h, Y ;write 3Fh to address 7FF234
ROM:00006926 lde #3Fh
ROM:0000692A ste 36h, Y ;and so on (initialising memory?)
ROM:0000692E lde #3Fh
ROM:00006932 ste 38h, Y
ROM:00006936 lde #3Fh
ROM:0000693A ste 3Ah, Y
ROM:0000693E lde #3Fh
ROM:00006942 ste 3Ch, Y
ROM:00006946 lde #3Fh
ROM:0000694A ste 3Eh, Y
ROM:0000694E lde #3Fh
ROM:00006952 ste 40h, Y
ROM:00006956 lde #3Fh
ROM:0000695A ste 42h, Y
ROM:0000695E lde #3Fh
ROM:00006962 ste 44h, Y
ROM:00006966 lde #3Fh
ROM:0000696A ste 46h, Y
ROM:0000696E lde #3Fh
ROM:00006972 ste 48h, Y
ROM:00006976 lde #3Fh
ROM:0000697A ste 4Ah, Y
ROM:0000697E lde #3Fh
ROM:00006982 ste 4Ch, Y
ROM:00006986 lde #3Fh
ROM:0000698A ste 4Eh, Y
ROM:0000698E lde #3Fh
ROM:00006992 ste 50h, Y
ROM:00006996 lde #3Fh
ROM:0000699A ste 52h, Y
ROM:0000699E lde #3Fh
ROM:000069A2 ste 54h, Y
ROM:000069A6 lde #3Fh
ROM:000069AA ste 56h, Y ;write 3Fh to address 0FF256
ROM:000069AE lde #3Bh
ROM:000069B2 ste 58h, Y ;write 3Bh to address 0FF258
ROM:000069B6 lde #3Ah
ROM:000069BA ste 5Ah, Y ;write 3Ah to address 0FF25A
ROM:000069BE lde #39h
ROM:000069C2 ste 5Ch, Y
ROM:000069C6 lde #38h
ROM:000069CA ste 5Eh, Y
ROM:000069CE lde #37h
ROM:000069D2 ste 60h, Y
ROM:000069D6 lde #36h
ROM:000069DA ste 62h, Y
ROM:000069DE lde #35h
ROM:000069E2 ste 64h, Y
ROM:000069E6 lde #33h
ROM:000069EA ste 66h, Y
ROM:000069EE lde #32h
ROM:000069F2 ste 68h, Y
ROM:000069F6 lde #31h
ROM:000069FA ste 6Ah, Y
ROM:000069FE lde #30h
ROM:00006A02 ste 6Ch, Y
ROM:00006A06 lde #3
ROM:00006A0A ste 6Eh, Y
ROM:00006A0E lde #2
ROM:00006A12 ste 70h, Y
ROM:00006A16 lde #1
ROM:00006A1A ste 72h, Y
ROM:00006A1E lde #0
ROM:00006A22 ste 74h, Y
ROM:00006A26 lde #3Fh
ROM:00006A2A ste 76h, Y
ROM:00006A2E lde #3Fh
ROM:00006A32 ste 78h, Y
ROM:00006A36 lde #3Fh
ROM:00006A3A ste 7Ah, Y
ROM:00006A3E lde #3Fh
ROM:00006A42 ste 7Ch, Y
ROM:00006A46 lde #3Fh
ROM:00006A4A ste 7Eh, Y
ROM:00006A4E jsr sub_19D6 ;what's this sub do?
ROM:00006A52 jsr sub_68DE ;what's this sub do?
ROM:00006A56 lde 816h, Z ;e = contents of (Z+816h)
ROM:00006A5A ste 17E8h, Z ;copy to (Z+17E8)
ROM:00006A5E ldy #0B577h ;Y=0B577
ROM:00006A62 ldd 17E8h, Z ;copy E to D
ROM:00006A66 jsr Read_Tables ;now read tables
ROM:00006A6A std 17EAh, Z ;value from table???
ROM:00006A6E brclr 0DCh, Z, #40h, loc_6A76 ;some sort of check
ROM:00006A72 ldd #0B000h
The last part sets up the table read: the value in Z+816 is stored in D and E, and Y is loaded with B577h (this may be the base address of the table). It looks like the value from the read_table routine is returned in D and is then stored at Z+17EA.
Re: Learning to disassemble ROMs
Posted:
Thu Nov 19, 2009 8:44 pm
by elevenpoint7five
Wow! You're smart!
Thank you so much for the notations, that helped a ton! Unfortunately I don't think that Y is the base address of the table, here is what is stored in that location:
Code:
ROM:0000B570 bcc loc_B58E
ROM:0000B572 brset 22h, Z, #80h, loc_B58E
ROM:0000B576 ldaa 0B3Bh, Z
ROM:0000B57A cmpa byte_29586
I really wish it was though! That would make everything so much easier!
Here are the other two subs that are referenced, and a few more that are referenced in those. Thanks for this!
Code:
ROM:000019D6 sub_19D6: ; CODE XREF: calls_62h+148p
ROM:000019D6 jsr sub_199A
ROM:000019DA jsr sub_19B0
ROM:000019DE clr 1775h, Z
ROM:000019E2 clr 1774h, Z
ROM:000019E6 ldab #0
ROM:000019E8 tbxk
ROM:000019EA ldx #16D2h
ROM:000019EE ldab 1774h, Z
ROM:000019F2 abx
ROM:000019F4 ldaa #7Ch
ROM:000019F6 ldab 0, X
ROM:000019F8 jsr sub_1D58
ROM:000019FC ldab #0Fh
ROM:000019FE tbyk
ROM:00001A00 ldy #0F200h
ROM:00001A04 bclrw 10h, Y, #2000h
ROM:00001A0A bsetw 0Eh, Y, #2000h
ROM:00001A10
ROM:00001A10 loc_1A10: ; CODE XREF: sub_19D6+5Cj
ROM:00001A10 ; sub_19D6+64j
ROM:00001A10 ldab #0Fh
ROM:00001A12 tbyk
ROM:00001A14 ldy #0F900h
ROM:00001A18 ldd 9Ah, Y
ROM:00001A1A
ROM:00001A1A loc_1A1A: ; CODE XREF: sub_19D6+4Ej
ROM:00001A1A lde 9Ah, Y
ROM:00001A1E sde
ROM:00001A20 cpe #0FAh
ROM:00001A24 bcs loc_1A1A
ROM:00001A26 jsr sub_4868
ROM:00001A2A jsr sub_1712
ROM:00001A2E tst 1774h, Z
ROM:00001A32 lbne loc_1A10
ROM:00001A36 tst 1775h, Z
ROM:00001A3A lbne loc_1A10
ROM:00001A3E rts
Code:
ROM:0000199A sub_199A: ; CODE XREF: sub_19D6p
ROM:0000199A ldab #0Fh
ROM:0000199C tbyk
ROM:0000199E ldy #0F200h
ROM:000019A2 bclrw 10h, Y, #8000h
ROM:000019A8 bsetw 0Ch, Y, #2000h
ROM:000019AE rts
ROM:000019AE ; End of function sub_199A
Code:
ROM:000019B0 sub_19B0: ; CODE XREF: sub_19B0+12j
ROM:000019B0 ; sub_19D6+4p
ROM:000019B0 ldab #0Fh
ROM:000019B2 tbyk
ROM:000019B4 ldy #0F200h
ROM:000019B8 lde 10h, Y
ROM:000019BC ande #8000h
ROM:000019C0 tste
ROM:000019C2 beq sub_19B0
ROM:000019C4 ldab #0Fh
ROM:000019C6 tbyk
ROM:000019C8 ldy #0F200h
ROM:000019CC ldd 1B0h, Y
ROM:000019D0 std 177Eh, Z
ROM:000019D4 rts
ROM:000019D4 ; End of function sub_19B0
Code:
ROM:00004868
ROM:00004868 sub_4868: ; CODE XREF: ROM:000009E6p
ROM:00004868 ; ROM:000009F2p ...
ROM:00004868 pshm D, E, X, Y, Z, K
ROM:0000486A brset 8A1h, Z, #20h, loc_4876
ROM:00004870 bset 8A1h, Z, #20h
ROM:00004874 bra loc_487A
ROM:00004876 ; ---------------------------------------------------------------------------
ROM:00004876
ROM:00004876 loc_4876: ; CODE XREF: sub_4868+2j
ROM:00004876 bclr 8A1h, Z, #20h
ROM:0000487A
ROM:0000487A loc_487A: ; CODE XREF: sub_4868+Cj
ROM:0000487A ldab #0Fh
ROM:0000487C tbyk
ROM:0000487E ldy #0FA00h
ROM:00004882 brset 8A1h, Z, #20h, loc_488E
ROM:00004888 bclr 31h, Y, #40h
ROM:0000488C bra loc_4892
ROM:0000488E ; ---------------------------------------------------------------------------
ROM:0000488E
ROM:0000488E loc_488E: ; CODE XREF: sub_4868+1Aj
ROM:0000488E bset 31h, Y, #40h
ROM:00004892
ROM:00004892 loc_4892: ; CODE XREF: sub_4868+24j
ROM:00004892 pulm K, Z, Y, X, E, D
ROM:00004894 rts
ROM:00004894 ; End of function sub_4868
Code:
ROM:00001712 sub_1712: ; CODE XREF: sub_1712+12j
ROM:00001712 ; sub_19D6+54p
ROM:00001712 ldab #0Fh
ROM:00001714 tbyk
ROM:00001716 ldy #0F200h
ROM:0000171A lde 10h, Y
ROM:0000171E ande #2000h
ROM:00001722 tste
ROM:00001724 beq sub_1712
ROM:00001726 ldab #0Fh
ROM:00001728 tbyk
ROM:0000172A ldy #0F200h
ROM:0000172E ldaa 1774h, Z
ROM:00001732 cmpa #0
ROM:00001734 bne loc_173E
ROM:00001736 ldd 1F4h, Y
ROM:0000173A std 1744h, Z
ROM:0000173E
ROM:0000173E loc_173E: ; CODE XREF: sub_1712+22j
ROM:0000173E ldaa 1774h, Z
ROM:00001742 cmpa #1
ROM:00001744 bne loc_174E
ROM:00001746 ldd 1F4h, Y
ROM:0000174A std 1746h, Z
ROM:0000174E
ROM:0000174E loc_174E: ; CODE XREF: sub_1712+32j
ROM:0000174E ldaa 1774h, Z
ROM:00001752 cmpa #0
ROM:00001754 bne loc_175E
ROM:00001756 ldd 1F2h, Y
ROM:0000175A std 174Ch, Z
ROM:0000175E
ROM:0000175E loc_175E: ; CODE XREF: sub_1712+42j
ROM:0000175E ldaa 1774h, Z
ROM:00001762 cmpa #1
ROM:00001764 bne loc_176E
ROM:00001766 ldd 1F2h, Y
ROM:0000176A std 174Eh, Z
ROM:0000176E
ROM:0000176E loc_176E: ; CODE XREF: sub_1712+52j
ROM:0000176E ldaa 1774h, Z
ROM:00001772 cmpa #2
ROM:00001774 bne loc_177E
ROM:00001776 ldd 1F2h, Y
ROM:0000177A std 1750h, Z
ROM:0000177E
ROM:0000177E loc_177E: ; CODE XREF: sub_1712+62j
ROM:0000177E ldaa 1774h, Z
ROM:00001782 cmpa #3
ROM:00001784 bne loc_178E
ROM:00001786 ldd 1F2h, Y
ROM:0000178A std 1752h, Z
ROM:0000178E
ROM:0000178E loc_178E: ; CODE XREF: sub_1712+72j
ROM:0000178E ldaa 1774h, Z
ROM:00001792 cmpa #0
ROM:00001794 bne loc_179E
ROM:00001796 ldd 1F0h, Y
ROM:0000179A std 1754h, Z
ROM:0000179E
ROM:0000179E loc_179E: ; CODE XREF: sub_1712+82j
ROM:0000179E ldaa 1774h, Z
ROM:000017A2 cmpa #1
ROM:000017A4 bne loc_17AE
ROM:000017A6 ldd 1F0h, Y
ROM:000017AA std 1756h, Z
ROM:000017AE
ROM:000017AE loc_17AE: ; CODE XREF: sub_1712+92j
ROM:000017AE ldaa 1774h, Z
ROM:000017B2 cmpa #2
ROM:000017B4 bne loc_17BE
ROM:000017B6 ldd 1F0h, Y
ROM:000017BA std 1758h, Z
ROM:000017BE
ROM:000017BE loc_17BE: ; CODE XREF: sub_1712+A2j
ROM:000017BE ldaa 1774h, Z
ROM:000017C2 cmpa #3
ROM:000017C4 bne loc_17CE
ROM:000017C6 ldd 1F0h, Y
ROM:000017CA std 175Ah, Z
ROM:000017CE
ROM:000017CE loc_17CE: ; CODE XREF: sub_1712+B2j
ROM:000017CE ldd 1EEh, Y
ROM:000017D2 std 175Ch, Z
ROM:000017D6 ldd 1ECh, Y
ROM:000017DA std 175Eh, Z
ROM:000017DE ldd 0EAh, Y
ROM:000017E0 std 1760h, Z
ROM:000017E4 ldd 1E8h, Y
ROM:000017E8 std 1762h, Z
ROM:000017EC ldd 1E6h, Y
ROM:000017F0 std 1764h, Z
ROM:000017F4 ldd 1E4h, Y
ROM:000017F8 std 1766h, Z
ROM:000017FC ldd 1E2h, Y
ROM:00001800 std 1768h, Z
ROM:00001804 ldd 1E0h, Y
ROM:00001808 std 176Ah, Z
ROM:0000180C ldd 1DEh, Y
ROM:00001810 std 176Ch, Z
ROM:00001814 ldd 1DCh, Y
ROM:00001818 std 176Eh, Z
ROM:0000181C ldd 1DAh, Y
ROM:00001820 std 1770h, Z
ROM:00001824 ldd 1D8h, Y
ROM:00001828 std 1772h, Z
ROM:0000182C ldaa 1775h, Z
ROM:00001830 cmpa #3
ROM:00001832 beq loc_183A
ROM:00001834 cmpa byte_2B571
ROM:00001838 bcs loc_1842
ROM:0000183A
ROM:0000183A loc_183A: ; CODE XREF: sub_1712+120j
ROM:0000183A ldd 1744h, Z
ROM:0000183E std 832h, Z
ROM:00001842
ROM:00001842 loc_1842: ; CODE XREF: sub_1712+126j
ROM:00001842 ldaa 1775h, Z
ROM:00001846 cmpa byte_2B571
ROM:0000184A bcs loc_1854
ROM:0000184C ldd 1746h, Z
ROM:00001850 std 810h, Z
ROM:00001854
ROM:00001854 loc_1854: ; CODE XREF: sub_1712+138j
ROM:00001854 ldaa 1775h, Z
ROM:00001858 cmpa byte_2B571
ROM:0000185C bcs loc_1866
ROM:0000185E ldd 174Ch, Z
ROM:00001862 std 826h, Z
ROM:00001866
ROM:00001866 loc_1866: ; CODE XREF: sub_1712+14Aj
ROM:00001866 ldaa 1775h, Z
ROM:0000186A cmpa byte_2B571
ROM:0000186E bcs loc_1878
ROM:00001870 ldd 174Eh, Z
ROM:00001874 std 82Ah, Z
ROM:00001878
ROM:00001878 loc_1878: ; CODE XREF: sub_1712+15Cj
ROM:00001878 ldaa 1775h, Z
ROM:0000187C cmpa #3
ROM:0000187E beq loc_1886
ROM:00001880 cmpa byte_2B571
ROM:00001884 bcs loc_188E
ROM:00001886
ROM:00001886 loc_1886: ; CODE XREF: sub_1712+16Cj
ROM:00001886 ldd 1750h, Z
ROM:0000188A std 830h, Z
ROM:0000188E
ROM:0000188E loc_188E: ; CODE XREF: sub_1712+172j
ROM:0000188E ldaa 1775h, Z
ROM:00001892 cmpa byte_2B571
ROM:00001896 bcs loc_18A0
ROM:00001898 ldd 1752h, Z
ROM:0000189C std 82Ch, Z
ROM:000018A0
ROM:000018A0 loc_18A0: ; CODE XREF: sub_1712+184j
ROM:000018A0 ldaa 1775h, Z
ROM:000018A4 cmpa byte_2B571
ROM:000018A8 bcs loc_18B2
ROM:000018AA ldd 1754h, Z
ROM:000018AE std 1780h, Z
ROM:000018B2
ROM:000018B2 loc_18B2: ; CODE XREF: sub_1712+196j
ROM:000018B2 ldaa 1775h, Z
ROM:000018B6 cmpa byte_2B571
ROM:000018BA bcs loc_18C4
ROM:000018BC ldd 1756h, Z
ROM:000018C0 std 816h, Z
ROM:000018C4
ROM:000018C4 loc_18C4: ; CODE XREF: sub_1712+1A8j
ROM:000018C4 ldaa 1775h, Z
ROM:000018C8 cmpa byte_2B571
ROM:000018CC bcs loc_18D6
ROM:000018CE ldd 1758h, Z
ROM:000018D2 std 818h, Z
ROM:000018D6
ROM:000018D6 loc_18D6: ; CODE XREF: sub_1712+1BAj
ROM:000018D6 ldaa 1775h, Z
ROM:000018DA cmpa byte_2B571
ROM:000018DE bcs loc_18E8
ROM:000018E0 ldd 175Ah, Z
ROM:000018E4 std 834h, Z
ROM:000018E8
ROM:000018E8 loc_18E8: ; CODE XREF: sub_1712+1CCj
ROM:000018E8 ldd 175Ch, Z
ROM:000018EC std 177Ch, Z
ROM:000018F0 ldd 175Eh, Z
ROM:000018F4 std 81Ch, Z
ROM:000018F8 ldd 1760h, Z
ROM:000018FC tsta
ROM:000018FE beq loc_1902
ROM:00001900 ldab #0FFh
ROM:00001902
ROM:00001902 loc_1902: ; CODE XREF: sub_1712+1ECj
ROM:00001902 stab 81Eh, Z
ROM:00001906 ldd 1762h, Z
ROM:0000190A std 814h, Z
ROM:0000190E ldd 1764h, Z
ROM:00001912 std 836h, Z
ROM:00001916 ldd 836h, Z
ROM:0000191A cpd 17A8h, Z
ROM:0000191E bls loc_1924
ROM:00001920 std 17A8h, Z
ROM:00001924
ROM:00001924 loc_1924: ; CODE XREF: sub_1712+20Cj
ROM:00001924 cpd 17AAh, Z
ROM:00001928 bcc loc_192E
ROM:0000192A std 17AAh, Z
ROM:0000192E
ROM:0000192E loc_192E: ; CODE XREF: sub_1712+216j
ROM:0000192E ldd 1766h, Z
ROM:00001932 std 812h, Z
ROM:00001936 ldd 1768h, Z
ROM:0000193A std 82Eh, Z
ROM:0000193E ldd 176Ah, Z
ROM:00001942 std 828h, Z
ROM:00001946 ldaa 1775h, Z
ROM:0000194A cmpa byte_2B571
ROM:0000194E bcs loc_1960
ROM:00001950 ldaa 1774h, Z
ROM:00001954 cmpa #1
ROM:00001956 bne loc_1960
ROM:00001958 ldd 828h, Z
ROM:0000195C std 1814h, Z
ROM:00001960
ROM:00001960 loc_1960: ; CODE XREF: sub_1712+23Cj
ROM:00001960 ; sub_1712+244j
ROM:00001960 ldd 176Ch, Z
ROM:00001964 std 177Ah, Z
ROM:00001968 ldd 176Eh, Z
ROM:0000196C std 88Ch, Z
ROM:00001970 ldd 1770h, Z
ROM:00001974 std 88Eh, Z
ROM:00001978 ldd 1772h, Z
ROM:0000197C std 820h, Z
ROM:00001980 jsr sub_16D6
ROM:00001984 ldab #0Fh
ROM:00001986 tbyk
ROM:00001988 ldy #0F200h
ROM:0000198C bclrw 10h, Y, #2000h
ROM:00001992 bsetw 0Eh, Y, #2000h
ROM:00001998 rts
ROM:00001998 ; End of function sub_1712
ROM:00001998
Code:
ROM:000068DE sub_68DE: ; CODE XREF: calls_62h+14Cp
ROM:000068DE lde 828h, Z
ROM:000068E2 ste 1962h, Z
ROM:000068E6 rts
ROM:000068E6 ; End of function sub_68DE
Would it help if you could see the Read_Tables sub too?
Andy
Re: Learning to disassemble ROMs
Posted:
Mon Nov 30, 2009 10:31 pm
by elevenpoint7five
For anyone reading that wants to learn how to find the SSM table, first you need to find the ECU ID. Best bet is to search for it in a hex editor (or the hex window in IDA). From there, you need to search for the address that the ECU ID was at; again, use a hex editor (or the hex window in IDA). The ECU ID I was working on was 3D04EA4605, and I found it at 0x2B163 through 0x2B167; it's 5 bytes long. I found it located at 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(67). The ECU ID is the 5th-9th byte of the table, so go back 5 to 0x2DD00 and that is the start of the SSM LUT. You should notice a pattern now, and it helps! You can either count down every 4 bytes to whatever address you're looking for (according to the ssm.pdf) or you can use merchgod's formula (SSM LUT Start + (0x4*parameter)) to get the address. You'll see that it has an address stored over 3 bytes and surrounded by 0's. If you're using IDA you'll want to search for the last 2 bytes of that address (exclude the beginning 2) and eventually you'll find where it is loaded and stored to a different location. That different location is the RAM address for whatever parameter you were looking at.
Hope this helps someone in the future!
Andy
Re: Learning to disassemble ROMs
Posted:
Mon Dec 28, 2009 2:01 am
by KanScooby
Andy, awesome work and many many thanks for sharing your progress. Learning the same here with IDA Pro and would sure like to join in the process. PM sent with my email as I would be very interested in the files you have so far. Working on the same Grp N ROM which I uploaded some time ago not knowing how far we could get into disassembling it.... really awesome work all of you.
Re: Learning to disassemble ROMs
Posted:
Sun Mar 07, 2010 2:55 am
by letsteyr
I found it located at 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(67)
I don't understand how you find that.
Re: Learning to disassemble ROMs
Posted:
Sun Apr 04, 2010 3:13 pm
by vaccine
In IDA search for a sequence of bytes (ALT+B).
Type in the ECU ID, i.e. 3D04EA4605.
This will return the memory address it was found beginning at, i.e. 02B167.
Again (ALT+B) and search for the address 02B167.
This returns 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(67).
SSM is 5 bytes back.
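Andy's Nov 30 post and the ALT+B walkthrough just above describe the same four steps: find the ECU ID bytes, find the 3-byte big-endian pointer to them, step back 5 bytes to the table start, then index the table at 4 bytes per parameter and look up the low word of the stored address in the code. The following is an added example, not code from the thread or from IDA, that runs those steps over a ROM image in Python. The image is constructed (0xFF-filled flash with the thread's ECU ID at 0x2B163 and the table at 0x2DD00); the RAM addresses in the other entries and the immediate placed at 0x1000 are made-up placeholders, and the 4-byte entry layout and 3-byte pointer width are assumed from the two posts.

```python
# Constructed sample ROM image (not a real dump): 0xFF-filled flash with the
# ECU ID quoted in the thread at 0x2B163 and the SSM lookup table at 0x2DD00.
# The RAM addresses in the other entries and the immediate at 0x1000 are
# made-up placeholders.
ECU_ID = bytes.fromhex("3D04EA4605")
ID_OFFSET = 0x2B163
LUT_OFFSET = 0x2DD00


def build_sample_rom():
    rom = bytearray(b"\xFF" * 0x2E000)
    rom[ID_OFFSET:ID_OFFSET + len(ECU_ID)] = ECU_ID
    # 4-byte entries: a 3-byte big-endian address with a leading zero byte.
    # Entry 1 points at the ECU ID; entries 8 and 0x0C hold placeholder RAM
    # addresses; the rest are left zero.
    entries = {1: ID_OFFSET, 0x08: 0xFFB120, 0x0C: 0xFFB1A4}
    for i in range(0x10):
        start = LUT_OFFSET + 4 * i
        rom[start:start + 4] = entries.get(i, 0).to_bytes(4, "big")
    # A constructed 'code' site that uses the low word of entry 8's address.
    rom[0x1000:0x1002] = (0xFFB120 & 0xFFFF).to_bytes(2, "big")
    return bytes(rom)


def find_all(rom, needle):
    """Every offset at which the byte string occurs (the hex-editor search)."""
    hits, start = [], 0
    while (i := rom.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def locate_ssm_lut(rom, ecu_id, id_slot=1, ptr_bytes=3):
    """Find the ECU ID, find the big-endian pointer to it, step back to the
    table start.  With the ID pointer in slot 1 its first byte sits at LUT+5,
    which is the 'go back 5' from the thread.  Every ID hit / pointer hit
    combination is kept as a candidate (filtered on the zero pad byte) so an
    ambiguous image is not silently resolved to one answer."""
    candidates = []
    for id_off in find_all(rom, ecu_id):
        ptr = id_off.to_bytes(ptr_bytes, "big")
        for ptr_off in find_all(rom, ptr):
            lut = ptr_off - (4 * id_slot + 1)
            if lut >= 0 and rom[lut + 4 * id_slot] == 0:
                candidates.append(lut)
    return candidates


def ssm_entry_offset(lut, param):
    """merchgod's formula as quoted in the thread: LUT start + 4*parameter."""
    return lut + 4 * param


def ram_address(rom, lut, param):
    """The 3-byte address stored in a parameter's entry (skip the pad byte)."""
    off = ssm_entry_offset(lut, param)
    return int.from_bytes(rom[off + 1:off + 4], "big")


def find_low_word_references(rom, addr):
    """The last step: search for the low 16 bits of the address.  Each hit is
    only a candidate load/store site (the table entry itself is one of them)
    and still has to be confirmed in the disassembly."""
    return find_all(rom, (addr & 0xFFFF).to_bytes(2, "big"))


if __name__ == "__main__":
    rom = build_sample_rom()
    lut = locate_ssm_lut(rom, ECU_ID)[0]
    print(f"SSM LUT at {lut:06X}")
    for param in (0x08, 0x0C):
        addr = ram_address(rom, lut, param)
        hits = [hex(h) for h in find_low_word_references(rom, addr)]
        print(f"param {param:02X}: entry {ssm_entry_offset(lut, param):06X} "
              f"-> RAM {addr:06X}, low-word hits {hits}")
```

On a real image the low-word search returns false positives, which is why locate_ssm_lut returns a list rather than a single offset and why the final step is left as a list of candidates to check by hand in the disassembler, just as the posts describe.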
Re: Learning to disassemble ROMs
Posted:
Sat Apr 10, 2010 12:03 pm
by letsteyr
Sorry, I had found the solution.
I didn't post before because I worked a lot on 32-bit ROMs like on my STI9 (A8DH200Z). I've disassembled all the code, found VBR, SSM, maps, Mappull, defs maps, main loops...
I've modified my ROM to be able to switch many maps (SP98 and E85).
I'm trying to do this stuff on 16-bit ROMs. Not so easy because IDA makes mistakes in disassembling (dead links between maps and code). Thanks
Re: Learning to disassemble ROMs
Posted:
Thu Apr 22, 2010 10:03 pm
by hmanxx
Do you mind describing the concept used for map switching?
I would like to do map switching to cater for Methanol /Normal Petrol usage.
MAF/ Timing /AFR tables switching required.
Re: Learning to disassemble ROMs
Posted:
Mon Apr 26, 2010 6:12 pm
by megalomaniac
Would you all be able to assist me with decoding the map locations for this attached rom?
It's a 2002 Subaru Outback H6-3.0 VDC. ECU ID is D6HE100B. I'm sure many others would need this as well, as this motor is begging to be tuned.
Much thanks,
Nick
Re: Learning to disassemble ROMs
Posted:
Sun May 02, 2010 12:31 pm
by letsteyr
The concept is based on RAM addresses you know very well.
For example, the status of the defogger corresponds to a bit (0 or 1) at one RAM address.
When you've identified the maps you want to switch, you have to follow the xrefs to jump back into the code. Sometimes, one map can be loaded at two different places. Very often, it's just once.
When I've identified the map "call", I replace it by loading a "jump" to a free place (where I'll code my switch).
Once the jump is ok, I make a test on the bit of my RAM switch. According to the result, I'll make it load 2 different map locations. In each case, I make it jump back to the initial code.
You have to write the map description (number of rows, cols, addresses, type of data, multiplier, offset) and the map itself (rows, cols, data).
I've tested my switches on the defogger. I'm trying to find another switch (AT/MT entry).
For the Outback, I'll have a look if I've got some free time. You need the map addresses (rows, data, cols)?
Re: Learning to disassemble ROMs
Posted:
Sun May 02, 2010 6:51 pm
by megalomaniac
Yes, if I have the map locations I can build the def for RomRaider. I have a BS in computer science, but I am having trouble with this ROM. I've tried disassembling with IDA Pro 5.5, but I think I am getting the entry points wrong?
Thanks for any help you can provide,
Nick
Re: Learning to disassemble ROMs
Posted:
Thu May 13, 2010 1:37 am
by letsteyr
I started disassembling your ROM. Found the maps. Got to define their function.
Re: Learning to disassemble ROMs
Posted:
Fri Jun 18, 2010 4:42 pm
by markdonrob
Hello guys, just seeking some info, and stumbled onto this very interesting thread... hope someone can help me. My friend has a JDM 2005 Forester (FBW throttle) 2000cc turbo, and has been having detonation issues with the lower octane fuel in Jamaica.
I've been trying to find out if this Tactrix flasher can work to access his ECU and allow him to read and adjust his fuel and timing maps to cure his issues.
What info would I need to verify that this unit could satisfy his tuner's needs? They have tried some RomRaider and EcuTek flashes, but apparently they can't read the programs being installed (maps being flashed are from a tuner in Australia), and none have worked so far.