Here's a version of Colby's HC16 module built against the IDA Pro 4.8 SDK.
Installation instructions are the same as he posted at the top of this thread.
.... and now, on to debugging.
To find the entry point for your particular ROM, look at the first eight bytes of the file ROM.
0000: 0220
0002: 0220
0004: 08F6
0006: 0000
(above is from an A4SG900C)
This is the HC16 reset vector. The format of the reset vector is:
0000: xx ZK SK PK
0002: PC PC PC PC
0004: SP SP SP SP
0006: IZ IZ IZ IZ
So, to get the entry point, you really want (PK << 4) + PC... PK is the extension register for PC (i.e., it's the most significant nibble of the 5-nibble total counter).
So, in the above example, the PK nibble is 0, and the PC bytes are 0220. Therefore, the final destination of the reset vector is 00220.
After that, sit back and wait for the rest of the file to cascade apart.
All of the logic for actually running the ECU appears to be in the lower EEPROM segment (0x00000 - 0x1FFFF). Obviously, all of the variables live in the RAM segment (0x20000 - 0x27FFF).
There doesn't appear to be any executable code in the upper EEPROM segment (0x27FFF - 0x2FFFF)... just maps. I've successfully found the code in my A4SG900C that manages high/low detonation fuel map switching, which points quite obviously at the IAM in memory, and has divulged the location of the map threshold (0x2934D).
Something to keep in mind here is that all of the memory references (i.e., anything using effective addressing) use the K-register offsets. The result is that IDA, with Colby's module, currently generates some very confusing output.
For instance... the high/low det logic:
ROM:00011456 sub_11456: ; CODE XREF: sub_11400p
ROM:00011456 LDAA loc_124, Z
ROM:0001145A CMPA loc_934C+1
ROM:0001145E BCS loc_11496
...
ROM:0001148A LDY #9358h
ROM:00011496 loc_11496: ; CODE XREF: sub_11456+8j
...
ROM:000114C0 LDY #94CEh
Basically, this loads the IAM out of RAM (0x20124) into A, compares it against the low/high det threshold value (0x2934D). If the IAM is less than the threshold, branch to the code that ends with setting Y to point at the high det map (0x294CE). If it's greater than the threshold, do some stuff, then set Y to point at the low det map (0x29358).
Essentially, since IDA is only looking at the addresses in the instructions, and isn't tracking the value of XK, YK, and ZK extension registers, the addresses are all wonky. Doh!
Colby -- any idea on how we might address the issue?
/Andrew
(PS ... the pun above was inadvertent.)
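An added Python example (not from the post, and not part of Colby's module) that decodes the reset-vector layout described above and applies the K-register rule to the operands in the high/low det listing. ZK comes straight from the reset vector; the extension nibble of 2 used for the Y immediates and the extended CMPA operand is an assumption, chosen because it reproduces the addresses the post resolves them to.

```python
import struct
from typing import NamedTuple


def extend(k: int, addr16: int) -> int:
    """Form a 20-bit HC16 address: the 4-bit extension register supplies the
    top hex digit, the 16-bit operand in the instruction supplies the rest."""
    if not (0 <= k <= 0xF and 0 <= addr16 <= 0xFFFF):
        raise ValueError("k must be a nibble, addr16 a 16-bit value")
    return (k << 16) | addr16


class ResetVector(NamedTuple):
    zk: int
    sk: int
    pk: int
    entry: int  # 20-bit initial PC, i.e. where disassembly should start
    sp: int     # 20-bit initial stack pointer
    iz: int     # 20-bit initial Z index register


def parse_reset_vector(rom: bytes) -> ResetVector:
    """Decode the four big-endian words at offset 0: xx ZK SK PK, PC, SP, IZ."""
    if len(rom) < 8:
        raise ValueError("ROM image shorter than the 8-byte reset vector")
    w0, pc, sp, iz = struct.unpack(">4H", rom[:8])
    zk, sk, pk = (w0 >> 8) & 0xF, (w0 >> 4) & 0xF, w0 & 0xF
    return ResetVector(zk, sk, pk, extend(pk, pc), extend(sk, sp), extend(zk, iz))


# Constructed input: the four words the post quotes from an A4SG900C ROM.
A4SG900C_HEADER = bytes.fromhex("0220022008F60000")


def resolve_listing(vec: ResetVector, k: int = 2) -> dict:
    """Map the operands from the det-map listing to 20-bit addresses.
    ZK is taken from the reset vector. k=2 is an assumption for the Y
    immediates and the extended operand (set by code at runtime, not by
    the vector); it matches the addresses the post itself arrives at."""
    return {
        "LDAA loc_124,Z": extend(vec.zk, 0x0124),  # IAM in RAM
        "CMPA loc_934C+1": extend(k, 0x934D),      # det threshold
        "LDY #9358h": extend(k, 0x9358),           # low det map
        "LDY #94CEh": extend(k, 0x94CE),           # high det map
    }


if __name__ == "__main__":
    vec = parse_reset_vector(A4SG900C_HEADER)
    print(f"entry {vec.entry:05X} sp {vec.sp:05X} iz {vec.iz:05X}")
    for opnd, addr in resolve_listing(vec).items():
        print(f"{opnd:18s} -> {addr:05X}")
```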