SH7058 vs IDA


Postby LGT-3-6 » Sun May 28, 2006 11:34 am

I don't see an appropriate forum for this or the info, so I thought I'd start out with what I (think) have discovered so far, since some of it doesn't seem to be in the documentation. I have to look, of all places, in GNU packages for the vectors to be defined :/ Feel free to correct me!

SH7058 uses the SH2 instruction set which is backwards compatible with all the SuperH sets above it, SH3, etc. It appears to be big endian, at least NOPs appear after all branch instructions when disassembling this way, which you would expect.

The structure of the reset vector is as follows:

0x00: PC Power on
0x04: SP Power on
0x08: PC Reset
0x12: SP Reset

In our case both are the same, makes sense!

I get a bit of unfolding so far, however IDA stops after a short while... updates later..
LGT-3-6
 
Posts: 50
Joined: Fri Jun 03, 2005 1:12 pm

Postby JonnyM » Sun May 28, 2006 4:11 pm

You have to disassemble as SH-4B in IDA since SH-3 does not have floating point support. There's a bit of floating point libraries in the beginning of the ROM.
There are also a lot of NOPs, FFs or 00s being used to align subroutines on 4-byte boundaries.
JonnyM
 
Posts: 20
Joined: Mon May 30, 2005 9:23 pm

Postby LGT-3-6 » Sun May 28, 2006 5:14 pm

How far did you get it to disassemble? I still haven't found a master loop.
LGT-3-6
 
Posts: 50
Joined: Fri Jun 03, 2005 1:12 pm

Postby LGT-3-6 » Sun May 28, 2006 5:28 pm

Also SH-3 does have floating point, do you mean perhaps the library in IDA is broken?
LGT-3-6
 
Posts: 50
Joined: Fri Jun 03, 2005 1:12 pm

Postby JonnyM » Sun May 28, 2006 9:03 pm

The SH-3 family does not have an FPU!!
See:
http://www.renesas.com/fmwk.jsp?cnt=sh_ ... chitecture
(middle of the page)

The code starts at $0AAC, with 2 calls to hardware init routines and then a call to the application program main routine.
But the I in IDA stands for 'Interactive'; you can't expect just to push a button and get a complete disassembly. 8)
This is especially true for this type of CPU and its way of loading data from the literal areas following the routines.
There are also a lot of call tables in the data portion of the code, something that no disassembler can resolve automatically.
And finally, there is the Hitachi task-switching operating system using these call tables conditionally.

So get off your a..e and do some work now :lol:
JonnyM
 
Posts: 20
Joined: Mon May 30, 2005 9:23 pm

Postby LGT-3-6 » Sun May 28, 2006 9:31 pm

JonnyM wrote: The SH-3 family does not have an FPU!!
See:
http://www.renesas.com/fmwk.jsp?cnt=sh_ ... chitecture
(middle of the page)

The code starts at $0AAC, with 2 calls to hardware init routines and then a call to the application program main routine.
But the I in IDA stands for 'Interactive'; you can't expect just to push a button and get a complete disassembly. 8)
This is especially true for this type of CPU and its way of loading data from the literal areas following the routines.
There are also a lot of call tables in the data portion of the code, something that no disassembler can resolve automatically.
And finally, there is the Hitachi task-switching operating system using these call tables conditionally.

So get off your a..e and do some work now :lol:

Thanks for the info :)

but
"In addition, the SH-2E supports single-precision floating point calculations as well as entirely
PCAPI compatible emulation of double-precision floating point calculations. The SH-2E
instructions are a subset of the floating point calculations conforming to the IEEE754 standard."

and

"In addition, the SH-3E supports single-precision floating point calculations as well as entirely
PCAPI compatible emulation of double-precision floating point calculations. The SH-3E
instructions are a subset of the floating point calculations conforming to the IEEE754 standard."

Say the programmer's manuals.. :/
LGT-3-6
 
Posts: 50
Joined: Fri Jun 03, 2005 1:12 pm

Postby JonnyM » Sun May 28, 2006 10:17 pm

The only problem being that IDA does not have a processor module for the E (Extended) version of SH-3, and no module at all for SH-2.

So you must use SH-4 to get the FPU instructions disassembled.
SH-4 instructions are downward compatible with SH-2 and SH-3, so all other instructions will disassemble correctly as well.
JonnyM
 
Posts: 20
Joined: Mon May 30, 2005 9:23 pm

Postby ev8siv3 » Mon Jul 03, 2006 8:18 am

What entry point are you guys using for the SH4B?
ev8siv3
 
Posts: 159
Joined: Fri Mar 24, 2006 11:27 am

Postby cboles » Mon Jul 03, 2006 9:33 am

You need to look at the vector table to get the entry points.
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby ev8siv3 » Wed Jul 05, 2006 3:22 pm

Still no luck with entry points here, doesn't quite fall apart like the HC16.
ev8siv3
 
Posts: 159
Joined: Fri Mar 24, 2006 11:27 am

Postby cboles » Wed Jul 05, 2006 3:47 pm

Have you read the vector table info in the datasheets posted on this site?
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby ev8siv3 » Wed Jul 05, 2006 4:01 pm

cboles wrote: Have you read the vector table info in the datasheets posted on this site?


It states 000000-000039F
ev8siv3
 
Posts: 159
Joined: Fri Mar 24, 2006 11:27 am

Postby cboles » Wed Jul 05, 2006 4:19 pm

Take a look at section 6.1.3, Table 6.3:

Table 6.3 Exception Processing Vector Table

Exception Sources       Vector Numbers   Vector Table Address Offset
Power-on reset   PC     0                H'00000000–H'00000003
                 SP     1                H'00000004–H'00000007
Manual reset     PC     2                H'00000008–H'0000000B
                 SP     3                H'0000000C–H'0000000F
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby ev8siv3 » Thu Jul 06, 2006 12:14 pm

cboles wrote: Take a look at section 6.1.3, Table 6.3:

Table 6.3 Exception Processing Vector Table

Exception Sources       Vector Numbers   Vector Table Address Offset
Power-on reset   PC     0                H'00000000–H'00000003
                 SP     1                H'00000004–H'00000007
Manual reset     PC     2                H'00000008–H'0000000B
                 SP     3                H'0000000C–H'0000000F


PC 0  0000 08DC
SP 1  FFFF DFA0

PC 2  0000 08DC
SP 3  FFFF DFA0


I had previously gathered that much.

So from here I've gathered entry points of 0xF554, 0xF8A4, 0xFBD0, 0x10000, 0x103D4, 0x10AF4, 0x11060. These are for the 512k ROM.

Or simply put, mostly the bytes below:

D26E 420B 0009 D36E 430B 0009 D26D 420B

Thanks for the help again Colby! Anything else I'm missing?
ev8siv3
 
Posts: 159
Joined: Fri Mar 24, 2006 11:27 am
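
Added example, not part of the original posts: a Python sketch that reads the four reset vectors as laid out in Table 6.3 and resolves the PC-relative literal loads (`MOV.L @(disp,PC),Rn` followed by `JSR @Rn`) that JonnyM describes. It assumes the eight words quoted in the post above sit at the reset PC 0x08DC; the image, the literal-pool targets 0x1000/0x2000/0x3000 and all function names are constructed for illustration.

```python
import struct

def read_reset_vectors(rom):
    """Vectors 0-3 of Table 6.3: four big-endian 32-bit words at offset 0."""
    names = ("poweron_pc", "poweron_sp", "manual_pc", "manual_sp")
    return dict(zip(names, struct.unpack_from(">4I", rom, 0)))

def resolve_calls(rom, start, max_insns=16):
    """Pair MOV.L @(disp,PC),Rn with a following JSR @Rn.

    Returns (jsr_address, literal_address, call_target) tuples. Only these
    two opcodes and NOP are decoded; anything else ends the walk.
    """
    regs, calls = {}, []
    for addr in range(start, start + 2 * max_insns, 2):
        if addr + 2 > len(rom):
            break
        (op,) = struct.unpack_from(">H", rom, addr)
        if (op & 0xF000) == 0xD000:               # MOV.L @(disp,PC),Rn
            n, disp = (op >> 8) & 0xF, op & 0xFF
            lit = ((addr + 4) & ~3) + disp * 4    # PC is addr+4, longword-aligned
            if lit + 4 > len(rom):
                break
            regs[n] = (lit, struct.unpack_from(">I", rom, lit)[0])
        elif (op & 0xF0FF) == 0x400B:             # JSR @Rm, delay slot follows
            m = (op >> 8) & 0xF
            if m in regs:
                calls.append((addr, *regs[m]))
        elif op != 0x0009:                        # not NOP: stop
            break
    return calls

def build_sample():
    """Constructed image: vector values and code words from the post above,
    code placed at the reset PC (assumption), literal targets invented."""
    rom = bytearray(b"\xFF" * 0xAA4)
    struct.pack_into(">4I", rom, 0, 0x08DC, 0xFFFFDFA0, 0x08DC, 0xFFFFDFA0)
    rom[0x8DC:0x8EC] = bytes.fromhex("D26E420B0009D36E430B0009D26D420B")
    struct.pack_into(">3I", rom, 0xA98, 0x1000, 0x2000, 0x3000)
    return bytes(rom)

if __name__ == "__main__":
    rom = build_sample()
    vec = read_reset_vectors(rom)
    print({k: hex(v) for k, v in vec.items()})
    for jsr, lit, target in resolve_calls(rom, vec["poweron_pc"]):
        print(f"{jsr:#06x}: jsr via literal @ {lit:#06x} -> {target:#010x}")
```

On a real dump, the literal addresses returned here are the locations to mark as data so the disassembler does not run code analysis through the literal pool.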

Postby LogicGateX » Fri Jul 07, 2006 7:47 am

I am having the same problems. I thought IDA would have the SH7 disassembler in the SDK. I appreciate you guys posting your findings here to aid the process.
LogicGateX
 
Posts: 7
Joined: Tue Jun 27, 2006 12:55 pm
Location: Orlando, FL
