pgmfi.org

Hacking up Honda's ECU
PostPosted: Sat Dec 31, 2005 12:21 am 

Joined: Tue Jul 27, 2004 3:01 am
Posts: 2945
Location: Tampa bay, Florida
Trying to learn more about Asm and I wanted to clarify something for myself and maybe others...

In this example:
Code:
reset_send:     CLR    DP                      ; clear DP (working address) 
clear_send:     CLR    er0                     ; (working address buffer)
                CLR    er1                     ; (command, state)
                ;;CLR    er2                     ; word read buffer
                ;;CLR    er3
send_byte:      STB    A, STBUF                ; send to serial port

exit_int:       L      A, 0f2h                 ; original interrupt exit code
                ANDB   PSWH, #0feh             
                ST     A, IE
                RTI


When you jump to Reset_Send, does the processor execute that command and continue into Clear_Send, then Send_byte, then Exit_int, or does it complete the Clr DP command and then return back to the calling procedure?

Obviously, I know RTI is an exit routine..


PostPosted: Sat Dec 31, 2005 1:31 am 

Joined: Tue Jul 27, 2004 3:01 am
Posts: 2945
Location: Tampa bay, Florida
Poking around Stock P30_203 code, I found that the disassembler didn't touch this:
Code:
                DB  0E5h,0F4h,0D5h,01Ah,0B5h,004h,098h,002h ; 02B2               
                DB  001h,067h,000h,001h,0F5h,055h,0C5h,056h ; 02BA
                DB  00Bh,0CEh,00Ch,0C5h,006h,02Fh,0C5h,007h ; 02C2
                DB  015h,0CAh,004h,0C5h,007h,098h,002h,052h ; 02CA
                DB  0F2h,0D5h,051h,0E5h,0F2h,0A2h,008h,0B5h ; 02D2
                DB  01Ah,08Ah,002h ; 02DA


I figured out that it actually WAS code, and assume maybe it is unused, so it was treated as a table?

Here's what I figured out so far:

Code:
;               L       A, 0f4h                ; 02B2  DB  0E5h,0F4h 
;               ST      A, IE                  ; 02B4  DB  0D5h,01Ah
;               MOV     PSWH, #00102h          ; 02B6  DB  0B5h,004h,098h,002h,001h
;               L       A, #0100h              ; 02BB  DB  067h,000h,001h             Seems odd to do this before loading a byte from the Serial Buffer..?
;               LB      A, SRBUF               ; 02BE  DB  0F5h,055h
;               RB      SRSTAT.3               ; 02C0  DB  0C5h,056h,00Bh
;               JNE     Label_02d1             ; 02C3  DB  0CEh,00Ch                   Did I understand the Address Translation correctly??
;               MB      C, ACC.7               ; 02C5  DB  0C5h,006h,02Fh
;               CLRB    ACCH                   ; 02C7  DB  0C5h,007h,015h
;               JLT     Label_02d0             ; 02CA  DB  0CAh,004h                   Did I understand the Address Translation correctly??
;               MOVB    ACCH, #002h            ; 02CC  DB  0C5h,007h,098h,002h
;               MOV     DP, A                  ; 02D0  DB  052h
;               LB      A, [DP]                ; 02D1  DB  0F2h
;               STB     A, STBUF               ; 02D2  DB  0D5h,051h
;               L       A, 0f2h                ; 02D4  DB  0E5h,0F2h
;               RB      PSWH.0                 ; 02D6  DB  0A2h,008h
;                                              ; 02D8  DB  0B5h,01Ah,08Ah,002h
;


The last group, however, I couldn't figure out...

Code:
0B5h,01Ah,08Ah,002h


It looks like a CMP A, ?? but I wasn't sure... Any ideas? Is it incomplete because the last byte was overwritten by new, current code?:

Code:
int_timer_2_overflow: L       A, 0f4h                ; 02DD 1 ??? ??? E5F4


PostPosted: Sat Dec 31, 2005 1:38 am 

Joined: Tue Jul 27, 2004 3:01 am
Posts: 2945
Location: Tampa bay, Florida
Very similar code exists in P72_273 at 02CD... it also didn't disassemble with Andy's app.


PostPosted: Sat Dec 31, 2005 4:14 am 

Joined: Sun Oct 03, 2004 5:34 pm
Posts: 430
Location: San Jose, CA
First question: you got it right. Jumping to reset_send will cause DP, er0 and er1 to be cleared, etc. Jumping to clear_send will not clear DP, it will clear er0 and er1, etc.

Second question: It looks like the code that the disassembler did not touch is never referenced so there is no way that that code can be executed, unless there is a problem with the disassembler, and it is missing a reference.

It is possible that they tweaked the TxInt service routine in a way that shortened it, and they didn't want the rest of the code to move, so they put an "ORG 02f8h" assembler directive in front of the Timer 2 Overflow Interrupt Service Routine, which would prevent the rest of the code from changing but would leave a "hole" in the code. Depending on how the assembler build process works, there could have been any kind of junk left in the memory occupied by the hole, which would get put into the binary. Maybe there was a last-minute change, and they avoided a lot of testing and validation by minimizing the amount of code that changed.

My guess, anyway.


PostPosted: Fri Jan 06, 2006 5:49 pm 

Joined: Tue Jul 27, 2004 2:21 am
Posts: 268
Location: Milwaukee, WI
Yeah, the disassembler walks through the code looking for jumps and calls; it won't disassemble code that can't ever be run (although if the code uses an indirect jump via a jump table, which some compilers are smart enough to generate, it will miss those; however, I haven't seen any Honda code do that, so it wasn't an issue).

Most likely that routine is an abandoned vestige of some earlier code that just got left in without ever being used.

You don't have to disassemble it by hand, BTW. Just throw a fake J 02b2h instruction in anywhere and re-assemble and re-disassemble if you want to see it. Alternatively, you can paste the DB xxx code into a new .asm file and assemble/disassemble it (to do this you'll need to also recreate the interrupt vector table and locate the code somewhere >0038h, so the whole file could be something like: DW 0100h org 0100h DB 0E5h,0F4h,...)

Earlier versions of the disassembler also let you specify extra addresses to disassemble on the command line but the latest version uses those addresses to indicate bogus "table references" to ignore.


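The "walks through the code looking for jumps and calls" behaviour described above, as an added example that is not the disassembler discussed in this thread: a recursive-traversal walk over a constructed toy instruction set (not the OKI 66207 encoding of these ECUs), which also shows the fall-through semantics the first post asks about. Everything unreached ends up as DB rows, and adding an extra entry point reproduces the "fake J" trick.

```python
# Constructed toy ISA for illustration, NOT the OKI 66207 encoding of these ECUs:
# opcode -> (mnemonic, length, falls_through, has_16bit_target)
ISA = {0x10: ("L A,#imm", 2, True, False), 0x20: ("ST A,addr", 2, True, False),
       0x30: ("J addr", 3, False, True),   # unconditional jump: flow stops here
       0x40: ("JNE addr", 3, True, True),  # conditional: both paths reachable
       0x60: ("RTI", 1, False, False)}     # return: flow stops here

def vectors(image, count):
    """Entry points: little-endian words in the vector table at offset 0."""
    return [image[2 * i] | (image[2 * i + 1] << 8) for i in range(count)]

def covered_bytes(image, entries):
    """Recursive traversal: follow jumps from the entries, return bytes reached."""
    covered, work = set(), list(entries)
    while work:
        pc = work.pop()
        if (pc in covered or pc >= len(image) or image[pc] not in ISA
                or pc + ISA[image[pc]][1] > len(image)):
            continue                  # seen, out of range, undecodable, truncated
        _, length, falls, has_target = ISA[image[pc]]
        covered.update(range(pc, pc + length))
        if has_target:                # queue the jump target
            work.append(image[pc + 1] | (image[pc + 2] << 8))
        if falls:                     # queue the next instruction (fall-through)
            work.append(pc + length)
    return covered

def unreached_runs(image, covered, start=0):
    """(first, last) byte ranges the walk never touched: emitted as DB rows."""
    runs, first = [], None
    for addr in range(start, len(image) + 1):
        gap = addr < len(image) and addr not in covered
        if gap and first is None:
            first = addr
        elif not gap and first is not None:
            runs.append((first, addr - 1))
            first = None
    return runs

# Constructed 32-byte image: two vectors, 0xFF padding, a reset handler at 0010h,
# an orphan block at 0018h that nothing references, a timer handler at 001Dh.
IMAGE = bytes([0x10, 0x00, 0x1D, 0x00] + [0xFF] * 12 +
              [0x10, 0x05, 0x20, 0x30, 0x40, 0x10, 0x00, 0x60,  # 0010: L, ST, JNE 0010h, RTI
               0x10, 0x07, 0x20, 0x31, 0x60,                    # 0018: orphan L, ST, RTI
               0x20, 0x32, 0x60])                               # 001D: ST, RTI

def orphans(extra_entries=()):
    """Unreached runs past the padding; extra_entries mimics the 'fake J' trick."""
    entries = vectors(IMAGE, 2) + list(extra_entries)
    return unreached_runs(IMAGE, covered_bytes(IMAGE, entries), start=0x10)
```

`orphans()` reports the block at 0018h-001Ch as data, exactly the kind of DB run the thread is puzzling over; `orphans([0x18])` returns nothing because the forced entry makes the walk decode it.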
PostPosted: Wed Jan 11, 2006 5:15 pm 

Joined: Tue Jul 27, 2004 3:03 am
Posts: 1236
Location: Salem, OR
Could this "No Disassemble #5!" issue be why we're having trouble deciphering the P13/P0A/PT2 Fuel Vectoring?


PostPosted: Sun Feb 05, 2006 4:43 pm 

Joined: Tue Jul 27, 2004 2:21 am
Posts: 268
Location: Milwaukee, WI
I have no idea; I don't really keep up with the "scene". I just kinda check back in this forum to support people using my lousy hack job development tools.

But if you're seeing blocks of data that look like they should be code, don't be afraid to goof around with it (for instance by removing a jump or return above that block), reassemble and redisassemble.

