First: I hate to post about vaporware. But I'm doing it today because I think this is pretty neat. The code is all available under the asm662/experimental directory in CVS. It's written in Objective Caml, except for the Perl 66207.op -> opcode.ml converter.
Here's a glimpse of what I've been playing with lately:
<http://www.a1k0n.net/honda/p30cfg>
The .PNGs are control flow graphs of various entry points into the ROM. The control flow graphs for the INT1 and startup routines are way too complex to make a graph of with AT&T GraphViz (it runs my machine out of memory), so those have been omitted.
<http://a1k0n.net/honda/p30cfg/decomp_5063.txt> is a glimpse of the dataflow analysis program I've started on. I pre-set the local register base to 0x200, so r2 appears as RAM @0x202. Any references to data not already assigned to are assumed to be inputs to the procedure, and are tagged with ramw_in[addr] or ramb_in[addr]. Otherwise, ramb[addr] and ramw[addr] stand for RAM locations that have been assigned to, which it can do dataflow analysis on. So the next step is to implement liveness analysis and eliminate dead code, such as unused assignments to condition flags.
It does a limited amount of expression simplification, and seems to work well enough for now. I plan to have a full single-static-assignment form algorithm implemented soon which will hopefully be able to decompile the whole ROM into a C-like language.
In the meantime, if anyone has any requests for a dataflow analysis of a particular routine in a particular ROM, I will give it a shot.