IDA Pro EVO8 ROM

Postby Evo4Mad » Sun Jun 04, 2006 10:56 pm

Can someone please decompile the full Evo8 ROM code in IDA Pro or similar. I would like to decipher the OBDII protocol.

I am going to decompile it in IDA Pro or something. I've never used it before or know if it's suitable, it will take me 6 months, so if someone can work it out a little quicker, let me know :) cheers.

I have a decoded 1G DSM ROM to go from; it's similar but different in many aspects.. would really like an Evo7/8, or 9 one.

Here are the registers decompiled for the 1G DSM (has some mh6111 op code thingies), would like the Evo8 one.

Code:
Known Registers/Memory:

Stock logger -> I/O register lookup table

OBD Commands 0x00-0x3F map to the following registers...

d000: 02 03 06 07 16 2f 8a cb 44 ed 46 ee 40 41 42 e9
d010: d3 d4 cf ce d0 cd 49 d2 e8 e5 e4 40 e0 a1 e6 40
d020: dc dd f1 f3 fe fd 8b d7 d8 a7 a8 89 8d 8e a3 a4
d030: 4b 57 58 59 5a 5b 50 51 4e 4f cc 4c 4d 40 8e 01

The above are what get read when you send commands 0-0x3F to the
ECU from the logger. Additional commands are:

0xCA Clear Faults

0xF5 Canister purge
0xF6 Fuel pump
0xF7 Disable injector #6
0xF8 Disable injector #5
0xF9 Disable injector #4
0xFA Disable injector #3
0xFB Disable injector #2
0xFC Disable injector #1

For all other values sent to the logger, you get the value at that
address in the ECU map.

Potentially unused addresses.
0x54
0x60
0xa5
0xf7


Known, or sort-of known addresses.

0x00 ??? MSB, loaded with 0x7e16 @ ea30, zeroed at fae5
0x01 ??? LSB
0x02 Flags
bit 4 is the fuel pump relay
bit 5 is the A/C clutch, 0 = on...apparently all bits are active low?
0x03 Flags
DDR?
0x04 ??? MSB, loaded with value from 0x00,01 sometimes, zeroed sometimes
0x05 ??? LSB
0x06 Inputs
bit 1 is fuel cut, no run?
bit 2 is TDC
bit 3 is power steering
bit 4 is AC switch
bit 5 is the park/neutral (clutch) switch
bit 6 is car moving
bit 7 is idle switch
0x07 Used to find offset in timing table, resistor strappings used at 0xfb22
0x08 Flags
0x09 ??? MSB, value = 16?
0x0a ??? LSB, value = 16?
0x0b ??? MSB, uses flags from 0x8
0x0c ??? LSB, uses flags from 0x8
0x10 serial port rate control Note: serial port conforms to 6801 documentation
0x11 serial port control reg, read to clear
0x12 serial port receiver
0x13 serial port transmitter
0x16 Mechanical hardware output lines:
bit 5 is BCS line, controlled by duty cycle value at 0x181
bit 6-7 select current cylinder?
0x18 Interrupt pending?
bit 7, PACTL timer interrupt?
0x19 Used by TMO for A/C cutout
0x1a Flags
bit 6, interrupt pending?
0x1b ??? MSB, uses flags from 0x18
0x1c ??? LSB, uses flags from 0x18
0x1d MSB pulse accumulator (PACTL) This counts the number of MAF pulses since the last CAS signal.
0x1e LSB pulse accumulator (PACTL) This counts the number of MAF pulses since the last CAS signal.
0x1f ADC control; [bit 3 = start bit?, bit 2:0 = channel select ]
ADC channels:
0x0 coolant temp (-1.45x + 308)
0x1 air temp (-1.69x + 358F)
0x2 baro (0.00486xBar)
0x3 O2 sensor (0.0195x)
0x4 egr
0x5 batt voltage (0.0733xV)
0x6 instantaneous knock
0x7 tps (0-255)
0x20 ADC 1 data/voltage sensor
0x21 ADC 2 data/voltage sensor (unused)?
0x22 ADC 3 data/voltage sensor (unused)?
0x23 ADC 4 data/voltage sensor (unused)?
0x25 unused
0x28 unused
0x29 ??? MSB
0x2a ??? LSB
0x2b ??? MSB
0x2c ??? LSB
0x2d ??? MSB
0x2e ??? LSB
0x2f Electrical hardware output lines:
bit 0 is the purge canister solenoid? knock sensor counter reset?
bit 2 is boost gauge, PWM by value in 0x17f, w x/24th duty cycle at 33.3Hz
bit 3 is check engine light
0x30 unused
0x31 unused
0x32 ??? MSB
0x33 ??? LSB
0x34 unused
0x35 unused
0x36 unused
0x37 unused
0x38 unused
0x39 unused
0x3a unused
0x3b unused
0x3c unused
0x3d unused
0x3e unused
0x3f unused

*** Everything above here is an I/O register, below here is RAM ***

0x40 fuel trim low (0.78x)
0x41 fuel trim mid (0.78x)
0x42 fuel trim hi (0.78x)
0x43 fuel trim spillover/subtrim?
0x44 ??? MSB Init flags? ISC related?
0x45 ??? LSB Init flags?
0x46 ??? MSB Init flags?
0x47 ??? LSB Init flags?
0x48 something to do with ISC control
0x49 ISC steps
0x4a ISC related?
0x4b Flags, bit 7 = rebooting?
0x4c Stored faults low
0x4d Stored faults high
0x4e Active Faults low
0x4f Active Faults high
Bit  Code  Fault
 0    11   Oxygen sensor
 1    12   Intake air flow sensor
 2    13   Intake air temperature sensor
 3    14   Throttle position sensor
 4    15   ISC motor position sensor
 5    21   Engine coolant temperature sensor
 6    22   Engine speed sensor
 7    23   TDC sensor
 8    24   Vehicle speed sensor
 9    25   Barometric pressure sensor
10    31   Knock sensor
11    41   Injector circuit
12    42   Fuel pump relay
13    43   EGR
14    44   Ignition coil
15    36   Ignition circuit


0x50 used in logger table? Fault table related, CEL countdown?
0x51 used in logger table? Fault sensor related, CEL countdown?
0x52 Octane value
0x53 Flags? Bit 7 Set when load is greater than 0x49 at 0xdb78
If bit 7 is clear, knocksum is decremented every two loops.
Otherwise 0x8b is decremented every 120 loops through the main loop.
See 0xf927
0x54 *** Unused! ***
0x55 3 LSbs tell which gauge is selected, 2 MSbs are zeroed upon successful entry of security code
Bit 7 = Valet mode? Bit 6 = security off?
0x56 Flags
bits 0,1 index for 0xec0d
bit 7, check for lesser reqs?

Values below here get overwritten with every boot.

0x57 16 bit airflow from 0xDE divided by 4
0x58 used in logger table? TMO zeroed these out, MSB
0x59 used in logger table? TMO zeroed these out, LSB, sometimes table width
0x5a TMO uses this for something we store pulsewidth related info in, MSB, sometimes 0
0x5b Sometimes contains battery voltage - 0x80, but no less than 0, sometimes duplicates 0x5c
0x5c Air volume (per rev?) used for map lookup, MSB, or maybe rpm-500. X-coordinate
0x5d Air volume (per rev?) used for map lookup, LSB, or maybe load 0-170 scaled from 0xE3, Y-coordinate
0x5e ??? MSB
0x5f ??? LSB

0x60 *** Unused! ***

0x64 ??? MSB, raw crank timing?
0x65 ??? LSB
0x68 ??? MSB
0x69 ??? LSB
0x6a ??? MSB
0x6b ??? LSB
0x6e ??? MSB
0x6f ??? LSB
0x70 ??? MSB
0x71 ??? LSB
0x72 ??? MSB
0x73 ??? LSB
0x74 ??? MSB
0x75 ??? LSB
0x76 ??? MSB
0x77 ??? LSB
0x78 ??? MSB
0x79 ??? LSB

0x7b Flags for 0x19?

0x80 Raw crank timing?
0x81 Timing advance?
0x85 Flags
0x89 used in logger table?
0x8a Timing advance-10
0x8b Knock Sum
0x8c Countdown to decrement knock value, depends on 0x53, bit 7
0x8d Air velocity/rev, MSB, or $A0 * 8 during cranking or timing adjust, MSB - if $A2 bit 1 set the $8D:8E = 0xff * 8
0x8e Air velocity/rev, middle byte, or $A0 * 8 during cranking or timing adjust, LSB - if $A2 bit 1 set the $8D:8E = 0xff * 8
0x8f Air velocity/rev, LSB
0x90 16 bit count of airflow/rev (it is averaged into 0x8d for a smoother reading), MSB
0x91 16 bit count of airflow/rev (it is averaged into 0x8d for a smoother reading), LSB
0x92 previous scan air = $8D
0x93 previous scan air = $8E
0x94 Computed timing value from table, 0x07 used to find offset in table, MSB
0x95 Computed timing value from table, 0x07 used to find offset in table, LSB
0x96 used in case of pulse accum overflow, MSB or backup of 0xd?
0x97 used in case of pulse accum overflow, LSB or backup of 0xd?
0x98 used in case of pulse accum overflow, MSB old pulse accumulator (0x1d)
0x99 used in case of pulse accum overflow, LSB old pulse accumulator (0x1d)
0x9a maf ticks seen since last CAS? MSB delta 0x1d
0x9b maf ticks seen since last CAS? LSB delta 0x1d
0x9c is a cap on how many maf ticks can be seen per cylinder, MSB, max airflow per crank
0x9d is a cap on how many maf ticks can be seen per cylinder, LSB
0x9e Flags
bit 7 is 2x mode check of pulse accumulator?
0x9f Update Hz rolling average rate, for averaging in 0x90 to 0x8d
0xa0 Minimum airflow rate
0xa1 Accel enrichment
0xa2 Flags for broken things?: If bits 2-5 are set, don't fire injectors
bit 2 set $145:146 < 500 stock rev limit?
bit 3 engine over rev limit
bit 4 ?
bit 5 ?
0xa3 MSB fuel per air (air vol * fpa = p/w) inc density, desired afr, enrichment
0xa4 LSB fuel per air (air vol * fpa = p/w) inc density, desired afr, enrichment
0xa5 TMO stores pulsewidth related info here. Otherwise *** Unused ***
0xa6 Injector dead time /24us
0xa7 Injector PW (0.256xms, uS*16), MSB for TMO?
0xa8 Injector PW (0.256xms, uS*16), LSB for TMO?

0xa9 ??? MSB lo trim? deadtime?
0xaa ??? LSB lo trim?
0xab ??? MSB
0xac ??? LSB
0xad ??? MSB hi trim?
0xae ??? LSB hi trim?
0xaf ??? MSB
0xb0 ??? LSB

0xb2 Shift counter?
0xb5 Shift counter flags?
0xb6 TDC failure counter
0xb8 Shift counter?
0xb9 Flags?
0xba Injector disable mask
0xbb Byte counter/timer, increment every time in f840?
0xbc Byte counter/timer, wrap at 48 in f840?
0xbd Sensor counter, update on bit1
0xbe decrementing counter
0xbf ???, LSB?
0xc1 constantly decrementing counter, MAF counter
0xc2 ???, LSB?
0xc6 Speed sensor...checked before setting rev limit to 6k
0xc7 Old TPS value
0xc8 Delta TPS, ie change in throttle position

// note: the following 8 locations are loaded from the ADC
0xcb Coolant temp (-1.45x + 308)
0xcc Air temp (-1.69x + 358F)
0xcd Barometer (0.00486xBar)
0xce O2 sensor voltage
0xcf EGR temp *** good for analog input ***, connect pin 15 to center of 50k pot and ground one side pin
0xd0 Battery voltage (0.0733xV) (voltage / 18.7V)
0xd1 Knock sensor board raw
0xd2 TPS (0-255)
0xd3 Old coolant temp - compared to ECT and l014e is derived from it
0xd4 Old/Verified air temp, set to default if signal is bad
0xd5 Verified pressure, set to default if signal is bad
0xd6 Flags:
bit 0 set if ECTraw $CB > 236 or < 5, fault value = 30, bad ECT
bit 1 set if IATraw $CC > 234 or < 14, fault value = 123, bad IAT
bit 2 set if Barometerraw $CD > 228 or < 100, fault value = 205, bad BPS
bit 3 set if $121 = 0, if cranking or timing adjust $121 = 12, bad MAS
bit 4 ?
bit 5 knock sensor bad? Locks knocksum at 9 unless 0x53, bit 7 and $D8, bit 5 are off, which locks it to zero
bit 7 knock sensor bad
0xd7 Flags?
bit 6 checked at 0x07D1 (TMO)
0xd8 Flags:
bit 5 set if knock sensor OK
0xd9 Flags:
bit 0 clear if key in start position
bit 1 sensors enabled?
0xda RPM*1.024/4, MSB?
0xdb RPM*1.024/4, LSB?
0xdc RPM*1.024/8
0xdd RPM*1.024/31.25(32)
0xde Airflow per rev, MSB - $8D:8E * 24198 (25273 GVR4), then / 0x10000 (0x280 = fuel cut) scaled
0xdf Airflow per rev, LSB - $8D:8E * 24198 (25273 GVR4), then / 0x10000 (0x280 = fuel cut) scaled
0xe0 0xde:0xdf/2 = Airflow per rev/2 = air volume
0xe1 e0 x *(0x15f)/2 (linearized air temperature) This is the one the stock boost gauge uses
0xe2 e0 x *(0x15f) x *(0x160)/4 Airflow weighted for both temp and pressure = air mass/rev = true load
0xe3 e0 x *(0x160)/2 (linearized barometric pressure)
0xe4 MAF (6.29xHz)
0xe5 Flags:
bit 0,1 used as a two-bit integer to describe current fuel trim being used (0=low, 1=mid, 2=high)
bit 3 rpm > 1100 (or maybe speed < something...like maybe stopped?)
bit 4 I think this is actually the rpm < 1000, > 1100 comparison.
0xe6 Flags:
bit 0 set if timing adjust mode (timing terminal grounded)
bit 1 shadow 0xd6, bit 3
bit 4 set if engine cranking, trying to start
bit 5 is complement of 0xD8, bit 5, set if knock sensor is not OK
bit 7 set if in closed loop
0xe7 Flags to check rpms?
0xe8 used in logger table
bit 0 seems to control whether fuel trims are used, see map at 0xfbca
bit 1 also in closed loop, see next maps
bit 6 bit 7 has changed
bit 7 running rich
0xe9 O2 feedback trim
0xea something else related to O2 feedback trim
0xeb MSB value we looked up in 0xfc04
0xec LSB value we looked up in 0xfc04
0xed used in logger table?
0xee used in logger table?
0xf1 used in logger table?
0xf3 used in logger table? flags where bit 5 has something to do with idle?
0xf7 *** Unused! ***
0xf8 Flags
bit 1, overheating
0xf9 Flags
bit 4, something to do with rev limit?
bit 5, boost control solenoid
0xfa serial port control flags [0x80=new TX data,
0x40=new RX data,
0x02=heart beat (pulsed code) mode,
0x01=diagnostics (serial port) mode ]
0xfb solenoid enable mask
0xfd ISC related? Something to do with battery?
0xfe used in logger table?
0xff Airflow if MAF is broken? Injector duty cycle?
0xfd-ff Device ID? (stock GVR4:cbe022) (cali gvr4:cbe023) (phr 1g:cb16xx) (phr 2g:cb26xx) (phr MAP:cba1xx) (phr MAP/dual/EGR:cba2xx)

0x102 Old O2 fuel trim used and flag?
0x104 AE countdown?
0x10c Accel enrichment value
0x10d AE countdown?
0x10e Old tps, dup of 0xc7

0x114 MSB Injector fire time w/o dead time?
0x115 LSB Injector fire time w/o dead time?

0x120 Tells us if engine is running. If > 0, engine is running. Bit 6 = engine running Countdown that's incremented as engine turns.
0x121 Counter for airflow, is air flowing? MAF overflow countdown
0x122 Fuelcut counter. Holds 0x28 or ??? depending on contents of 0x57.
0x123 Timer for when to update fuel trim?
0x12d solenoid test timer
0x133 ???
0x134 counter for 0xe6?
0x137 Timer for re-evaluating closed loop status?
0x138 Overheat factor
0x145 RPM!!! MSB
0x146 RPM!!! LSB
0x147 Old Rpm, MSB
0x148 Old Rpm, LSB
0x14b $8D:8E * 8205 R, this is the R from PV=nRT the ideal gas law, V would be $8D:8E, MSB = air vol * 200d / crank ms = air velocity
0x14c $8D:8E * 8205 R, this is the R from PV=nRT the ideal gas law, V would be $8D:8E, LSB
0x14d Maximum 0xd8, delta TPS
0x14e 0xcb (ECT) checked and scaled for table lookups, or old ect
0x14f 0xcc (IAT) checked and scaled for table lookups, or old iat
0x151 (RPM/31.25)-16 capped @ 144, scaled for lookups, dup of 0x5c?, rpm-500, clamp 6500,4500
All interpolations done through 3 previous variables.
0x152 Barometer - 0x5d
0x153 MSB, 155:156 * 16 * *(0x4a, injector compensation value, 74 for 450s)
0x154 LSB for above
0x155 basic injector activation, MSB (0xF6BE lookup + 100)*(0xFB83 lookup) = weighted MAF lookup
0x156 basic injector activation, LSB
0x157 MAF weight
0x159 air/fuel ratio target
0x15a current O2 trim value
0x15b current fuel trim value
0x15c weight from coolant/airflow? Coolant cold enrichment
0x15d coolant timing retard
0x15e coolant timing retard update counter
0x15f 0x14f linearized, air density?
0x160 0xcd (barometric pressure) scaled * 0.625 (128th bar)
0x161 Basic Ignition Advance Angle, timing map lookup
0x165 Low battery alert
0x170 Octane retard
0x171 ECT timing correction
0x172 IAT timing correction
0x173 unused and left at 0x80? maybe would have been barometer timing correction?
0x176 Knock timer for updated timing? Octane counter, not auto incremented
0x17a Serial port receiver data
0x17b ???
0x17c ???
0x17f TMO: If security AND valet, 12. If not valet 0, else if not security 24, seems to be a write only reg
Non-TMO: Boostgauge value (0-24, 24=off, 0=on)
0x181 BCS PWM value (0-48 is 0-100% duty cycle)
0x182 BCS counter of some sort
0x183 BCS counter of some sort?
0x184 DA:DB * 16 during cranking or timing adjust, MSB, rpm rolling average * 4 when running?
0x185 DA:DB * 16 during cranking or timing adjust, LSB, rpm rolling average * 4 when running?
0x187 Expected airflow volume? Airflow at 100% VE?
0x189 Location used to store x or d for initialization purposes, then maybe moved into 0xb3,b4
0x18a
0x191 Used as counter
0x192 Contains -*(0x55) and then is incremented at times
0x193
0x194
0x1bf start of stack


OpCodes:

00 TEST
01 NOP
02 IDIV

02 ANDM (DIR) These are Mitsu "mystery" opcodes. These two look like they or-mask and
03 ORM (DIR) and-mask memory, like bset and bclr but with the bclr mask inverted.
02 FA FE ANDM *0xFA #$FE ; clr bit 1 *0xFA
03 FA 02 ORM *0xFA #$02 ; set bit 2 *0xFA

03 FDIV
04 LSRD
05 ASLD, LSLD
06 TAP
07 TPA
08 INX
18 08 INY
09 DEX
18 09 DEY
0A CLV
0B SEV
0C CLC
0D SEC
0E CLI
0F SEI
10 SBA
11 CBA

14 DIVD (DIR)
15 DIVD These are Mitsu "mystery" opcodes. (b = D/M, a = D%M)

12 BRSET (DIR)
13 BRCLR (DIR)
14 BSET (DIR)
15 BCLR (DIR)
16 TAB
17 TBA
19 DAA
1A 83 CPD
1A 93 CPD
1A B3 CPD
1A A3 CPD
1B ABA

1C CPD (IMM) These are Mitsu "mystery" opcodes and supersede the definitions below
1D CPD (DIR)
1E CPD (IND,X)
1F CPD (EXT)

1C BSET (IND,X)
1D BCLR (IND,X)
1E BRSET (IND,X)
1F BRCLR (IND,X)
18 1C BSET (IND,Y)
18 1D BCLR (IND,Y)
18 1E BRSET (IND,Y)
18 1F BRCLR (IND,Y)
3A ABX
18 3A ABY

20 BRA
21 BRN
22 BHI
23 BLS
24 BHS/BCC
25 BLO/BCS
26 BNE
27 BEQ
28 BVC
29 BVS
2A BPL
2B BMI
2C BGE
2D BLT
2E BGT
2F BLE
30 TSX
18 30 TSY
31 INS
32 PUL PULA
33 PUL PULB
34 DES
35 TXS
18 35 TYS
36 PSH PSHA
37 PSH PSHB
38 PUL PULX
18 38 PUL PULY
39 RTS
3B RTI
3C PSH PSHX
18 3C PSH PSHY
3D MUL
3E WAI
3F SWI
40 NEG NEGA
43 COM COMA
44 LSR LSRA
46 ROR RORA
47 ASR ASRA
48 ASL ASLA, LSL LSLA
49 ROL ROLA
4A DEC DECA
4C INC INCA
4D TST TSTA
4F CLR CLRA
50 NEG NEGB
53 COM COMB
54 LSR LSRB
56 ROR RORB
57 ASR ASRB
58 ASL ASLB, LSL LSLB
59 ROL ROLB
5A DEC DECB
5C INC INCB
5D TST TSTB
5F CLR CLRB
60 NEG
63 COM
64 LSR
66 ROR
67 ASR
68 ASL, LSL
69 ROL
6A DEC
6C INC
6D TST
6E JMP
6F CLR
18 60 NEG
18 63 COM
18 64 LSR
18 66 ROR
18 67 ASR
18 68 ASL, LSL
18 69 ROL
18 6A DEC
18 6C INC
18 6E JMP
18 6D TST
18 6F CLR
70 NEG
73 COM
74 LSR
76 ROR
77 ASR
78 ASL, LSL
79 ROL
7A DEC
7C INC
7D TST
7E JMP
7F CLR (EXT)
80 SUB SUBA (IMM)
81 CMP CMPA (IMM)
82 SBC SBCA (IMM)
83 SUB SUBD (IMM)
84 AND ANDA (IMM)
85 BIT BITA (IMM)
86 LDA LDAA (IMM)

87 BRSET (DIR) This is a Mitsu "mystery" opcode

88 EOR EORA (IMM)
89 ADC ADCA (IMM)
8A ORA ORAA (IMM)
8B ADD ADCA (IMM)
8C CPX (IMM)
18 8C CPY (IMM)
8D BSR
8E LDS (IMM)
8F XGDX

8F BRCLR (DIR) This is a Mitsu "mystery" opcode

18 8F XGDY
90 SUB SUBA (DIR)
91 CMP CMPA (DIR)
92 SBC SBCA (DIR)
93 SUB SUBD (DIR)
94 AND ANDA (DIR)
95 BIT BITA (DIR)
96 LDA LDAA (DIR)
97 STA STAA (DIR)
98 EOR EORA (DIR)
99 ADC ADCA (DIR)
9A ORA ORAA (DIR)
9B ADD ADCA (DIR)
9C CPX (DIR)
18 9C CPY (DIR)
9D JSR (DIR)
9E LDS (DIR)
9F STS (DIR)
A0 SUB SUBA (IND,X)
A1 CMP CMPA (IND,X)
A2 SBC SBCA (IND,X)
A3 SUB SUBD (IND,X)
A4 AND ANDA (IND,X)
A5 BIT BITA (IND,X)
A6 LDA LDAA (IND,X)
A7 STA STAA (IND,X)
A8 EOR EORA (IND,X)
A9 ADC ADCA (IND,X)
AA ORA ORAA (IND,X)
AB ADD ADCA (IND,X)
AC CPX (IND,X)
1A AC CPY (IND,X)
AD JSR (IND,X)
AE LDS (IND,X)
AF STS (IND,X)
18 A0 SUB SUBA (IND,Y)
18 A1 CMP CMPA (IND,Y)
18 A2 SBC SBCA (IND,Y)
18 A3 SUB SUBC (IND,Y)
18 A4 AND ANDA (IND,Y)
18 A5 BIT BITA (IND,Y)
18 A6 LDA LDAA (IND,Y)
18 A7 STA STAA (IND,Y)
18 A8 EOR EORA (IND,Y)
18 A9 ADC ADCA (IND,Y)
18 AA ORA ORAA (IND,Y)
18 AB ADD ADCA (IND,Y)
18 AC CPY (IND,Y)
18 AD JSR (IND,Y)
18 AE LDS (IND,Y)
18 AF STS (IND,Y)
B0 SUB SUBA (EXT)
B1 CMP CMPA (EXT)
B2 SBC SBCA (EXT)
B3 SUB SUBD (EXT)
B4 AND ANDA (EXT)
B5 BIT BITA (EXT)
B6 LDA LDAA (EXT)
B7 STA STAA (EXT)
B8 EOR EORA (EXT)
B9 ADC ADCA (EXT)
BA ORA ORAA (EXT)
BB ADD ADCA (EXT)
BC CPX (EXT)
18 BC CPY (EXT)
BD JSR (EXT)
BE LDS (EXT)
BF STS (EXT)
C0 SUB SUBB (IMM)
C1 CMP CMPB (IMM)
C2 SBC SBCB (IMM)
C3 ADDD (IMM)
C4 AND ANDB (IMM)
C5 BIT BITB (IMM)
C6 LDA LDAB (IMM)
C7 BRSET (IND,X) Mitsu
C8 EOR EORB (IMM)
C9 ADC ADCB (IMM)
CA ORA ORAB (IMM)
CB ADD ADCB (IMM)
CC LDD (IMM)
CD A3 CPD
CD AC CPX (IND,Y)
CE LDX (IMM)
18 CE LDY (IMM)
CF STOP
CF BRCLR (IND,X) Mitsu
D0 SUB SUBB (DIR)
D1 CMP CMPB (DIR)
D2 SBC SBCB (DIR)
D3 ADDD (DIR)
D4 AND ANDB (DIR)
D5 BIT BITB (DIR)
D6 LDA LDAB (DIR)
D7 STA STAB (DIR)
D8 EOR EORB (DIR)
D9 ADC ADCB (DIR)
DA ORA ORAB (DIR)
DB ADD ADCB (DIR)
DC LDD (DIR)
DD STD (DIR)
DE LDX (DIR)
18 DE LDY (DIR)
DF STX (DIR)
18 DF STY (DIR)
E0 SUB SUBB (IND,X)
E1 CMP CMPB (IND,X)
E2 SBC SBCB (IND,X)
E3 ADDD (IND,X)
E4 AND ANDB (IND,X)
E5 BIT BITB (IND,X)
E6 LDA LDAB (IND,X)
E7 STA STAB (IND,X)
E8 EOR EORB (IND,X)
E9 ADC ADCB (IND,X)
EA ORA ORAB (IND,X)
EB ADD ADCB (IND,X)
EC LDD (IND,X)
ED STD (IND,X)
EE LDX (IND,X)
CD EE LDX (IND,Y)
1A EE LDY, STY (IND,X)
EF STX (IND,X)
CD EF STX (IND,Y)
18 E0 SUB SUBB (IND,Y)
18 E1 CMP CMPB (IND,Y)
18 E2 SBC SBCB (IND,Y)
18 E3 ADDD (IND,Y)
18 E4 AND ANDB (IND,Y)
18 E5 BIT BITB (IND,Y)
18 E6 LDA LDAB (IND,Y)
18 E7 STA STAB (IND,Y)
18 E8 EOR EORB (IND,Y)
18 E9 ADC ADCB (IND,Y)
18 EA ORA ORAB (IND,Y)
18 EB ADD ADCB (IND,Y)
18 EC LDD (IND,Y)
18 ED STD (IND,Y)
18 EE LDY (IND,Y)
18 EF STY (IND,Y)
F0 SUB SUBB (EXT)
F1 CMP CMPB (EXT)
F2 SBC SBCB (EXT)
F3 ADDD (EXT)
F4 AND ANDB (EXT)
F5 BIT BITB (EXT)
F6 LDA LDAB (EXT)
F7 STA STAB (EXT)
F8 EOR EORB (EXT)
F9 ADC ADCB (EXT)
FA ORA ORAB (EXT)
FB ADD ADCB (EXT)
FC LDD (EXT)
FD STD (EXT)
FE LDX (EXT)
18 FE LDY (EXT)
FF STX (EXT)
18 FF STY (EXT)




and here are the mh6111 opcodes

00 TEST 1 * TEST OPERATION TEST MODE ONLY
01 NOP 1 2 NO OPERATION
02 AIM DIR 3 ? AND IN MEMORY
03 OIM DIR 3 ? OR IN MEMORY
04 LSRD 1 3 LOGICAL SHIFT RIGHT DOUBLE ACCUMULATOR
05 ASLD / LSLD 1 3 ARITHMETIC / LOGICAL SHIFT LEFT DOUBLE ACC
06 TAP 1 2 TRANSFER FROM ACC A TO CONDITION CODE REGISTER
07 TPA 1 2 TRANSFER FROM CONDITION CODE REGISTER TO ACC A
08 INX 1 3 INCREMENT INDEX REGISTER X
09 DEX 1 3 DECREMENT INDEX REGISTER X
0A CLV 1 2 CLEAR TWOS COMPLEMENT OVERFLOW BIT
0B SEV 1 2 SET TWOS COMPLEMENT OVERFLOW BIT
0C CLC 1 2 CLEAR CARRY
0D SEC 1 2 SET CARRY
0E CLI 1 2 CLEAR INTERRUPT MASK
0F SEI 1 2 SET INTERRUPT MASK

10 SBA 1 2 SUBTRACT ACCUMULATORS
11 CBA 1 2 COMPARE ACCUMULATORS
14 IDIV DIR 2 6 INTEGER DIVIDE
15 FDIV DIR 2 6 FRACTIONAL DIVIDE
16 TAB 1 2 TRANSFER ACCUMULATOR A TO ACCUMULATOR B
17 TBA 1 2 TRANSFER FROM ACCUMULATOR B TO ACCUMULATOR A
18 XGXY 1 4 EXCHANGE REGISTER X AND REGISTER Y
19 DAA 1 2 DECIMAL ADJUST ACCUMULATOR A
1A XGDX 1 EXCHANGE DOUBLE ACCUMULATOR AND INDEX REG X
1B ABA 1 2 ADD ACCUMULATOR B TO ACCUMULATOR A
1C CPD IMM 3 5 COMPARE DOUBLE ACCUMULATOR
1D CPD DIR 2 6 COMPARE DOUBLE ACCUMULATOR
1F CPD EXT 3 7 COMPARE DOUBLE ACCUMULATOR

20 BRA 2 3 BRANCH ALWAYS
21 BRN 2 3 BRANCH NEVER
22 BHI 2 3 BRANCH IF HIGHER
23 BLS 2 3 BRANCH IF LOWER OR SAME
24 BCC / BHS 2 3 BRANCH IF CARRY CLR / BRANCH IF HIGHER OR SAME
25 BCS / BLO 2 3 BRANCH IF CARRY SET / BRANCH IF LOWER
26 BNE 2 3 BRANCH IF NOT EQUAL TO ZERO
27 BEQ 2 3 BRANCH IF EQUAL
28 BVC 2 3 BRANCH IF OVERFLOW CLEAR
29 BVS 2 3 BRANCH IF OVERFLOW SET
2A BPL 2 3 BRANCH IF PLUS
2B BMI 2 3 BRANCH IF MINUS
2C BGE 2 3 BRANCH IF GREATER THAN OR EQUAL TO ZERO
2D BLT 2 3 BRANCH IF LESS THAN ZERO
2E BGT 2 3 BRANCH IF GREATER THAN ZERO
2F BLE 2 3 BRANCH IF LESS THAN OR EQUAL TO ZERO

30 TSX 1 3 TRANSFER FROM STACK POINTER TO INDEX REGISTER X
31 INS 1 3 INCREMENT STACK POINTER
32 PULA 1 4 PULL DATA FROM STACK
33 PULB 1 4 PULL DATA FROM STACK
34 DES 1 3 DECREMENT STACK POINTER
35 TXS 1 3 TRANSFER FROM INDEX REGISTER X TO STACK POINTER
36 PSHA 1 3 PUSH DATA ONTO STACK
37 PSHB 1 3 PUSH DATA ONTO STACK
38 PULX 1 5 PULL INDEX REGISTER X FROM STACK
39 RTS 1 5 RETURN FROM SUBROUTINE
3A ABX 1 3 ADD ACCUMULATOR B TO INDEX REGISTER X
3B RTI 1 12 RETURN FROM INTERRUPT
3C PSHX 1 4 PUSH INDEX REGISTER X ONTO STACK
3D MUL 1 10 MULTIPLY UNSIGNED
3E WAI 1 14 WAIT FOR INTERRUPT
3F SWI 1 14 SOFTWARE INTERRUPT

40 NEGA 1 2 NEGATE
43 COMA 1 2 COMPLEMENT
44 LSRA 1 2 LOGICAL SHIFT RIGHT
46 RORA 1 2 ROTATE RIGHT
47 ASRA 1 2 ARITHMETIC SHIFT RIGHT
48 ASLA / LSLA 1 2 ARITHMETIC / LOGICAL SHIFT LEFT
49 ROLA 1 2 ROTATE LEFT
4A DECA 1 2 DECREMENT
4C INCA 1 2 INCREMENT
4D TSTA 1 2 TEST
4F CLRA 1 2 CLEAR

50 NEGB 1 2 NEGATE
53 COMB 1 2 COMPLEMENT
54 LSRB 1 2 LOGICAL SHIFT RIGHT
56 RORB 1 2 ROTATE RIGHT
57 ASRB 1 2 ARITHMETIC SHIFT RIGHT
58 ASLB / LSLB 1 2 ARITHMETIC / LOGICAL SHIFT LEFT
59 ROLB 1 2 ROTATE LEFT
5A DECB 1 2 DECREMENT
5C INCB 1 2 INCREMENT
5D TSTB 1 2 TEST
5F CLRB 1 2 CLEAR

60 NEG IND,X 2 6 NEGATE
63 COM IND,X 2 6 COMPLEMENT
64 LSR IND,X 2 6 LOGICAL SHIFT RIGHT
66 ROR IND,X 2 6 ROTATE RIGHT
67 ASR IND,X 2 6 ARITHMETIC SHIFT RIGHT
68 ASL / LSL IND,X 2 6 ARITHMETIC / LOGICAL SHIFT LEFT
69 ROL IND,X 2 6 ROTATE LEFT
6A DEC IND,X 2 6 DECREMENT
6C INC IND,X 2 6 INCREMENT
6D TST IND,X 2 6 TEST
6E JMP IND,X 2 3 JUMP
6F CLR IND,X 2 6 CLEAR

70 NEG EXT 3 6 NEGATE
73 COM EXT 3 6 COMPLEMENT
74 LSR EXT 3 6 LOGICAL SHIFT RIGHT
76 ROR EXT 3 6 ROTATE RIGHT
77 ASR EXT 3 6 ARITHMETIC SHIFT RIGHT
78 ASL / LSL EXT 3 6 ARITHMETIC / LOGICAL SHIFT LEFT
79 ROL EXT 3 6 ROTATE LEFT
7A DEC EXT 3 6 DECREMENT
7C INC EXT 3 6 INCREMENT
7D TST EXT 3 6 TEST
7E JMP EXT 3 3 JUMP
7F CLR EXT 3 6 CLEAR

80 SUBA IMM 2 2 SUBTRACT
81 CMPA IMM 2 2 COMPARE
82 SBCA IMM 2 2 SUBTRACT WITH CARRY
83 SUBD IMM 3 4 SUBTRACT DOUBLE ACCUMULATOR
84 ANDA IMM 2 2 LOGICAL AND
85 BITA IMM 2 2 BIT TEST
86 LDAA IMM 2 2 LOAD ACCUMULATOR
87 BRSET DIR 4 BRANCH IF BIT(S) ARE SET
88 EORA IMM 2 2 EXCLUSIVE OR
89 ADCA IMM 2 2 ADD WITH CARRY
8A ORAA IMM 2 2 INCLUSIVE OR
8B ADDA IMM 2 2 ADD WITHOUT CARRY
8C CPX IMM 3 4 COMPARE INDEX REGISTER X
8D BSR 2 6 BRANCH TO SUBROUTINE
8E LDS IMM 3 3 LOAD STACK POINTER
8F BRCLR DIR 4 BRANCH IF BIT(S) ARE CLEAR

90 SUBA DIR 2 3 SUBTRACT
91 CMPA DIR 2 3 COMPARE
92 SBCA DIR 2 3 SUBTRACT WITH CARRY
93 SUBD DIR 2 5 SUBTRACT DOUBLE ACCUMULATOR
94 ANDA DIR 2 3 LOGICAL AND
95 BITA DIR 2 3 BIT TEST
96 LDAA DIR 2 3 LOAD ACCUMULATOR
97 STAA DIR 2 3 STORE ACCUMULATOR
98 EORA DIR 2 3 EXCLUSIVE OR
99 ADCA DIR 2 3 ADD WITH CARRY
9A ORAA DIR 2 3 INCLUSIVE OR
9B ADDA DIR 2 3 ADD WITHOUT CARRY
9C CPX DIR 2 5 COMPARE INDEX REGISTER X
9D JSR DIR 2 5 JUMP TO SUBROUTINE
9E LDS DIR 2 4 LOAD STACK POINTER
9F STS DIR 2 4 STORE STACK POINTER

A0 SUBA IND,X 2 4 SUBTRACT
A0 80 SUBA IND,Y 2 SUBTRACT
A1 CMPA IND,X 2 4 COMPARE
A1 80 CMPA IND,Y+ 2 COMPARE WITH/Y+
A2 SBCA IND,X 2 4 SUBTRACT WITH CARRY
A2 80 SBCA IND,Y 2 SUBTRACT WITH CARRY
A3 SUBD IND,X 2 6 SUBTRACT DOUBLE ACCUMULATOR
A3 80 SUBD IND,Y 2 6 SUBTRACT DOUBLE ACCUMULATOR
A4 ANDA IND,X 2 4 LOGICAL AND
A4 80 ANDA IND,Y 2 4 LOGICAL AND
A5 BITA IND,X 2 4 BIT TEST
A5 80 BITA IND,Y 2 4 BIT TEST
A6 LDAA IND,X 2 4 LOAD ACCUMULATOR
A6 80 LDAA IND,Y+ 2 LOAD ACCUMULATOR WITH/Y+
A7 STAA IND,X 2 4 STORE ACCUMULATOR
A7 80 STAA IND,Y 2 STORE ACCUMULATOR
A8 EORA IND,X 2 4 EXCLUSIVE OR
A8 80 EORA IND,Y 2 4 EXCLUSIVE OR
A9 ADCA IND,X 2 4 ADD WITH CARRY
A9 80 ADCA IND,Y 2 4 ADD WITH CARRY
AA ORAA IND,X 2 4 INCLUSIVE OR
AA 80 ORAA IND,Y 2 4 INCLUSIVE OR
AB ADDA IND,X 2 4 ADD WITHOUT CARRY
AB 80 ADDA IND,Y 2 4 ADD WITHOUT CARRY
AC CPX IND,X 2 6 COMPARE INDEX REGISTER X
AC 80 CPX IND,Y 2 6 COMPARE INDEX REGISTER X
AD JSR IND,X 2 6 JUMP TO SUBROUTINE
AD 80 JSR IND,Y 2 JUMP TO SUBROUTINE
AE LDS IND,X 2 5 LOAD STACK POINTER
AE 80 LDS IND,Y 2 5 LOAD STACK POINTER
AF STS IND,X 2 5 STORE STACK POINTER
AF 80 STS IND,Y 2 5 STORE STACK POINTER

B0 SUBA EXT 3 4 SUBTRACT
B1 CMPA EXT 3 4 COMPARE
B2 SBCA EXT 3 4 SUBTRACT WITH CARRY
B3 SUBD EXT 3 6 SUBTRACT DOUBLE ACCUMULATOR
B4 ANDA EXT 3 4 LOGICAL AND
B5 BITA EXT 3 4 BIT TEST
B6 LDAA EXT 3 4 LOAD ACCUMULATOR
B7 STAA EXT 3 4 STORE ACCUMULATOR
B8 EORA EXT 3 4 EXCLUSIVE OR
B9 ADCA EXT 3 4 ADD WITH CARRY
BA ORAA EXT 3 4 INCLUSIVE OR
BB ADDA EXT 3 4 ADD WITHOUT CARRY
BC CPX EXT 3 6 COMPARE INDEX REGISTER X
BD JSR EXT 3 6 JUMP TO SUBROUTINE
BE LDS EXT 3 5 LOAD STACK POINTER
BF STS EXT 3 5 STORE STACK POINTER

C0 SUBB IMM 2 2 SUBTRACT
C1 CMPB IMM 2 2 COMPARE
C2 SBCB IMM 2 2 SUBTRACT WITH CARRY
C3 ADDD IMM 3 4 ADD DOUBLE ACCUMULATOR
C4 ANDB IMM 2 2 LOGICAL AND
C5 BITB IMM 2 2 BIT TEST
C6 LDAB IMM 2 2 LOAD ACCUMULATOR
C8 EORB IMM 2 2 EXCLUSIVE OR
C9 ADCB IMM 2 2 ADD WITH CARRY
CA ORAB IMM 2 2 INCLUSIVE OR
CB ADDB IMM 2 2 ADD WITHOUT CARRY
CC LDD IMM 3 3 LOAD DOUBLE ACCUMULATOR

CD 08 INY 2 4 INCREMENT INDEX REGISTER Y
CD 09 DEY 2 4 DECREMENT INDEX REGISTER Y
CD 1A XGDY 2 EXCHANGE DOUBLE ACCUMULATOR AND INDEX REG Y
CD 3A ABY 2 ADD ACCUMULATOR B TO INDEX REG Y
CD 8C CMPY IMM, Y++ 4 CMPY INDEX REGISTER Y AND INCREMENT.
CD CE LDY IMM 4 4 LOAD INDEX REGISTER Y
CD DF STY DIR 3 5 STORE INDEX REGISTER Y
CD EE LDY IND,X 3 6 LOAD INDEX REGISTER Y

CE LDX IMM 3 3 LOAD INDEX REGISTER X
CF ***** 3 ?????



D0 SUBB DIR 2 3 SUBTRACT
D1 CMPB DIR 2 3 COMPARE
D2 SBCB DIR 2 3 SUBTRACT WITH CARRY
D3 ADDD DIR 2 5 ADD DOUBLE ACCUMULATOR
D4 ANDB DIR 2 3 LOGICAL AND
D5 BITB DIR 2 3 BIT TEST
D6 LDAB DIR 2 3 LOAD ACCUMULATOR
D7 STAB DIR 2 3 STORE ACCUMULATOR
D8 EORB DIR 2 3 EXCLUSIVE OR
D9 ADCB DIR 2 3 ADD WITH CARRY
DA ORAB DIR 2 3 INCLUSIVE OR
DB ADDB DIR 2 3 ADD WITHOUT CARRY
DC LDD DIR 2 4 LOAD DOUBLE ACCUMULATOR
DD STD DIR 2 4 STORE DOUBLE ACCUMULATOR
DE LDX DIR 2 4 LOAD INDEX REGISTER X
DF STX DIR 2 4 STORE INDEX REGISTER X

E0 SUBB IND,X 2 4 SUBTRACT
E0 80 SUBB IND,Y 2 4 SUBTRACT
E1 CMPB IND,X 2 4 COMPARE
E1 80 CMPB IND,Y 2 4 COMPARE
E2 SBCB IND,X 2 4 SUBTRACT WITH CARRY
E2 80 SBCB IND,Y 2 4 SUBTRACT WITH CARRY
E3 ADDD IND,X 2 6 ADD DOUBLE ACCUMULATOR
E3 80 ADDD IND,Y 2 6 ADD DOUBLE ACCUMULATOR
E4 ANDB IND,X 2 4 LOGICAL AND
E4 80 ANDB IND,Y 2 4 LOGICAL AND
E5 BITB IND,X 2 4 BIT TEST
E5 80 BITB IND,Y 2 4 BIT TEST
E6 LDAB IND,X 2 4 LOAD ACCUMULATOR
E6 80 LDAB IND,Y 2 4 LOAD ACCUMULATOR
E7 STAB IND,X 2 4 STORE ACCUMULATOR
E7 80 STAB IND,Y 2 4 STORE ACCUMULATOR
E8 EORB IND,X 2 4 EXCLUSIVE OR
E8 80 EORB IND,Y 2 4 EXCLUSIVE OR
E9 ADCB IND,X 2 4 ADD WITH CARRY
E9 80 ADCB IND,Y 2 4 ADD WITH CARRY
EA ORAB IND,X 2 4 INCLUSIVE OR
EA 80 ORAB IND,Y 2 4 INCLUSIVE OR
EB ADDB IND,X 2 4 ADD WITHOUT CARRY
EB 80 ADDB IND,Y 2 4 ADD WITHOUT CARRY
EC LDD IND,X 2 5 LOAD DOUBLE ACCUMULATOR
EC 80 LDD IND,Y 2 5 LOAD DOUBLE ACCUMULATOR
ED STD IND,X 2 5 STORE DOUBLE ACCUMULATOR
ED 80 STD IND,Y 2 5 STORE DOUBLE ACCUMULATOR
EE LDX IND,X 2 5 LOAD INDEX REGISTER X
EE 80 LDX IND,Y++ 2 5 LOAD INDEX REGISTER X WITH/Y++
EF STX IND,X 2 5 STORE INDEX REGISTER X
EF 80 STX IND,X 2 5 STORE INDEX REGISTER X

F0 SUBB EXT 3 4 SUBTRACT
F1 CMPB EXT 3 4 COMPARE
F2 SBCB EXT 3 4 SUBTRACT WITH CARRY
F3 ADDD EXT 3 6 ADD DOUBLE ACCUMULATOR
F4 ANDB EXT 3 4 LOGICAL AND
F5 BITB EXT 3 4 BIT TEST
F6 LDAB EXT 3 4 LOAD ACCUMULATOR
F7 STAB EXT 3 4 STORE ACCUMULATOR
F8 EORB EXT 3 4 EXCLUSIVE OR
F9 ADCB EXT 3 4 ADD WITH CARRY
FA ORAB EXT 3 4 INCLUSIVE OR
FB ADDB EXT 3 4 ADD WITHOUT CARRY
FC LDD EXT 3 5 LOAD DOUBLE ACCUMULATOR
FD STD EXT 3 5 STORE DOUBLE ACCUMULATOR
FE LDX EXT 3 5 LOAD INDEX REGISTER X
FF STX EXT 3 5 STORE INDEX REGISTER X
Evo4Mad
 
Posts: 332
Joined: Mon Jun 13, 2005 11:58 pm
Location: New Zealand
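The logger exchange the post above describes (a command byte in, a register byte out, with the 0xd000 lookup table, the action commands 0xCA/0xF5-0xFC, the sensor scalings and the fault-bit table), as an added worked decoder that is not part of the original post. The one-byte-in/one-byte-out framing, the assumption that the "low" fault byte carries bits 0-7, and every function name here are assumptions; the tables and multipliers are copied from the notes.

```python
"""Decoder for the 1G DSM stock-logger exchange sketched in the post above.
Copied from the notes: the 64-byte command table, the action commands, the
fault-bit table and the sensor scalings. Assumed: one command byte is answered
by one data byte, 'low' fault bytes carry bits 0-7, and all names below."""
from typing import Callable, Dict, List, Optional, Tuple

# Commands 0x00-0x3F index this table (ROM 0xd000-0xd03f in the notes);
# each entry is the I/O register or RAM address the ECU returns.
COMMAND_TABLE = bytes.fromhex(
    "02030607162f8acb44ed46ee404142e9"  # d000
    "d3d4cfced0cd49d2e8e5e440e0a1e640"  # d010
    "dcddf1f3fefd8bd7d8a7a8898d8ea3a4"  # d020
    "4b5758595a5b50514e4fcc4c4d408e01"  # d030
)

# Commands that trigger an action instead of a read.
ACTION_COMMANDS: Dict[int, str] = {
    0xCA: "clear faults", 0xF5: "canister purge", 0xF6: "fuel pump",
    0xF7: "disable injector #6", 0xF8: "disable injector #5",
    0xF9: "disable injector #4", 0xFA: "disable injector #3",
    0xFB: "disable injector #2", 0xFC: "disable injector #1",
}

# Raw byte -> engineering value, with the multipliers quoted in the notes.
SCALINGS: Dict[int, Tuple[str, str, Callable[[int], float]]] = {
    0x40: ("fuel trim low", "x0.78", lambda x: 0.78 * x),
    0x41: ("fuel trim mid", "x0.78", lambda x: 0.78 * x),
    0x42: ("fuel trim hi", "x0.78", lambda x: 0.78 * x),
    0xCB: ("coolant temp", "F", lambda x: -1.45 * x + 308),
    0xCC: ("air temp", "F", lambda x: -1.69 * x + 358),
    0xCD: ("barometer", "bar", lambda x: 0.00486 * x),
    0xCE: ("O2 sensor", "V", lambda x: 0.0195 * x),
    0xD0: ("battery", "V", lambda x: 0.0733 * x),
    0xE4: ("MAF", "Hz", lambda x: 6.29 * x),
}

# Bit n of the 16-bit fault word (0x4e/0x4f active, 0x4c/0x4d stored).
FAULT_CODES: List[Tuple[int, str]] = [
    (11, "Oxygen sensor"), (12, "Intake air flow sensor"),
    (13, "Intake air temperature sensor"), (14, "Throttle position sensor"),
    (15, "ISC motor position sensor"), (21, "Engine coolant temperature sensor"),
    (22, "Engine speed sensor"), (23, "TDC sensor"), (24, "Vehicle speed sensor"),
    (25, "Barometric pressure sensor"), (31, "Knock sensor"),
    (41, "Injector circuit"), (42, "Fuel pump relay"), (43, "EGR"),
    (44, "Ignition coil"), (36, "Ignition circuit"),
]

def target_address(cmd: int) -> Optional[int]:
    """Address the ECU reads for a command byte; None for an action command."""
    if not 0 <= cmd <= 0xFF:
        raise ValueError("command must be a single byte")
    if cmd in ACTION_COMMANDS:
        return None
    if cmd < len(COMMAND_TABLE):
        return COMMAND_TABLE[cmd]
    return cmd  # every other value is read as a direct address

def describe_command(cmd: int) -> str:
    addr = target_address(cmd)
    return ACTION_COMMANDS[cmd] if addr is None else f"read 0x{addr:02x}"

def decode_value(cmd: int, raw: int) -> Tuple[str, float, str]:
    """(label, scaled value, unit) for one command/response pair."""
    addr = target_address(cmd)
    if addr is None:
        return (ACTION_COMMANDS[cmd], float(raw), "ack")
    label, unit, fn = SCALINGS.get(addr, (f"addr 0x{addr:02x}", "raw", float))
    return (label, round(fn(raw), 3), unit)

def decode_faults(low: int, high: int) -> List[Tuple[int, str]]:
    """Expand a low/high fault byte pair into (code, description) pairs."""
    word = (high << 8) | low
    return [FAULT_CODES[b] for b in range(16) if (word >> b) & 1]

def decode_session(pairs: List[Tuple[int, int]]) -> Dict[str, object]:
    """Decode a captured list of (command, response) pairs."""
    readings: Dict[str, Tuple[float, str]] = {}
    regs: Dict[int, int] = {}
    for cmd, raw in pairs:
        addr = target_address(cmd)
        if addr is not None:
            regs[addr] = raw
        label, value, unit = decode_value(cmd, raw)
        readings[label] = (value, unit)
    out: Dict[str, object] = {"readings": readings}
    if 0x4E in regs and 0x4F in regs:  # both active-fault bytes were read
        out["active_faults"] = decode_faults(regs[0x4E], regs[0x4F])
    if 0x4C in regs and 0x4D in regs:
        out["stored_faults"] = decode_faults(regs[0x4C], regs[0x4D])
    return out

# Constructed capture: coolant, barometer, battery and both active-fault bytes.
SAMPLE_EXCHANGE = [(0x07, 0x64), (0x15, 0xA0), (0x14, 0xA8), (0x38, 0x01), (0x39, 0x80)]
```

Running `decode_session(SAMPLE_EXCHANGE)` yields the three scaled readings and active fault codes 11 and 36 for the constructed capture.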

Postby cboles » Mon Jun 05, 2006 1:15 pm

The "I" in IDA stands for interactive, so there is no simple way to disassemble the whole ROM accurately without manually cleaning it up - a lot. The datasheets for the SH7052 are on the site here or can be downloaded from the manufacturer.

Colby
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby Evo4Mad » Tue Jun 06, 2006 10:55 pm

Thanks Colby,

I'll take a look, at the datasheets..

Jason, do you have any decompilation info I can work with as a starting point? Thanks.

Postby Evo4Mad » Sat Jun 10, 2006 6:07 pm

You basically have to know about EFI ECU design to be able to disassemble it tho, all I see is numbers being shuffled around... hehe, I don't know the difference between a knock sensing code section and a fuel trim code section..

mind you someone has already documented the maps, so I could probably tell when a section of code references a particular map.

Postby Evo4Mad » Sat Jun 10, 2006 6:08 pm

I presume all the addressing is in 32-bit for these ROMs?

Postby Evo4Mad » Sat Jun 10, 2006 6:09 pm

Has anyone seen the OBD -> I/O register mapping table in these ROMs?

Postby MalibuJack » Sun Jun 11, 2006 4:51 am

Evo4Mad wrote: You basically have to know about EFI ECU design to be able to disassemble it tho, all I see is numbers being shuffled around... hehe, I don't know the difference between a knock sensing code section and a fuel trim code section..

mind you someone has already documented the maps, so I could probably tell when a section of code references a particular map.


That's basically the point I'm stuck at.. Though the data sheets did have some insight..
MalibuJack
 
Posts: 128
Joined: Tue Apr 25, 2006 12:10 pm
Location: Royse City, TX
