Disassembly Rambling and Musings

Disassembly, Programming, Coding, Assembly, Binary information and all hacking discussions belong here.

Unread postby CausticUrbanCoast » Wed Sep 05, 2018 1:09 pm

Just familiar with embedded, not a tuner as I have not learned to recognize those software registers and tables yet.

For what it is worth, and because I am not sure where to put this, in case anyone is interested in what the rest of the first disassembly line from SAD likely is (this is from ICY1):
0000 0000: FF FA 21 3B 00 00 FF DF  00 FF D9 BE 00 E0 5D 00


As shown and known by SAD:
2000: ff                  nop                   
2001: fa                  di                     disable ints;
2002: 21,3b               sjmp  213f             goto 213f ;

2004: 00,00,ff,df,00,ff,d9,be ???
200c: 00,e0               ???   

200e: 5d,00               word     5d


Specifically how I read it is:
/** This part is well known **/
FF (MCU Core Command) FE (Disable Interrupts)      --- This is also a common embedded sequence mcu command notifier
20 (ShortJump - anded with 12bit 2s address) of 13F (location/destination)      2000&013F=213F interesting hybrid 12bit command-address method - External ram address, start of initialization sequence - common mcu
00 (skip/nop) 00 (skip/nop)


/** Seems to be a pair of macros, likely ISR **/
FF (MCU Command) DF (Jump if Z flag is set from the last operation)
00 (skip/nop)

FF (MCU Command) D9 (Jump if C flag is set and Z flag is clear from the last operation)
ELSE BE (ldbse) [BC command, register 02] (load A/D word - Accessed by byte, loads word)
00 (skip/nop)
E0 (-- and jump if not zero) 5D (Check Register A2 - djnz is 8bit 2s complement)
00 (skip/nop)


That last bit would be something like:

if status registers show NOT ((C=1) AND (!Z)) from the last operation
{read/load data from A/D registers - Load the new data}
Then
Decrement Register A2 (I am actually guessing this is a basic A/D polling timeout for slow sensor acquisition - common practice)


A note on the sjmp command 20-27 [and other hybrid commands]: without a bank switch or 16-bit need, this saves cycle time by not having to load the address and then jump, so we have 8 hardwired short-cycle commands. Old Intel/IBM method I had forgotten about.


Initial code is usually pretty important, and I like to know what it is doing. This same sequence also seems to appear at the beginning of most BINs I have looked at.

I do find it interesting that the upper 4 bits are being used for something else called Engineering Console and Calibration Console. Perhaps this has something to do with Ford's proprietary version of the CAN interface?
CausticUrbanCoast
General Poster
 
Posts: 15
Joined: Fri Aug 10, 2018 1:43 pm
Name: Nigel
Vehicle Information: 1997 F350 460 7.5L Manual with Holland Vialle LPi
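As an added example (not code from SAD and not the poster's), a small Python decoder that reproduces the first three SAD lines from the dump bytes. It assumes the 8061 shares the MCS-96-style SJMP encoding (opcodes 20-27 carry the top three bits of an 11-bit signed displacement, the next byte the low eight, added to the address after the instruction) and that file offset 0 maps to address 0x2000 as in the listing; it also shows why exactly eight such opcodes exist.

```python
"""Decode the first bytes of the ICY1 dump the way SAD prints them."""
from typing import List, Tuple

# Bytes copied from the post's hex dump (file offset 0 = address 0x2000 in
# the SAD listing). Constructed inline here so the script runs offline.
ICY1_HEAD = bytes.fromhex("FF FA 21 3B 00 00 FF DF")
BASE = 0x2000


def sign_extend(value: int, bits: int) -> int:
    """Interpret the low `bits` bits of `value` as a two's-complement number."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def sjmp_target(pc_next: int, opcode: int, disp_low: int) -> int:
    """Target of SJMP (assumed MCS-96 style): opcode bits 2..0 are disp[10:8],
    the following byte is disp[7:0], and the 11-bit signed displacement is
    added to the address of the *next* instruction, not to the bank base."""
    disp = sign_extend(((opcode & 0x07) << 8) | disp_low, 11)
    return (pc_next + disp) & 0xFFFF


def decode(code: bytes, base: int) -> List[Tuple[int, str]]:
    """Return (address, text) pairs for the opcodes we know; stop at the first
    unknown byte instead of guessing, just as SAD prints ??? there."""
    out: List[Tuple[int, str]] = []
    pc = base
    while pc - base < len(code):
        op = code[pc - base]
        if op == 0xFF:                      # single-byte nop
            out.append((pc, "nop"))
            pc += 1
        elif op == 0xFA:                    # di: disable interrupts
            out.append((pc, "di"))
            pc += 1
        elif 0x20 <= op <= 0x27 and pc - base + 1 < len(code):
            target = sjmp_target(pc + 2, op, code[pc - base + 1])
            out.append((pc, f"sjmp {target:04x}"))
            pc += 2
        else:
            break
    return out


if __name__ == "__main__":
    for addr, text in decode(ICY1_HEAD, BASE):
        print(f"{addr:04x}: {text}")
```

Running it prints the same nop / di / sjmp 213f that SAD shows for 2000-2003; the 2004 + 0x13B arithmetic is what turns "21 3B" into 213f, a forward jump here, with backward jumps handled by the sign extension.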

Re: Disassembly Rambling and Musings

Unread postby decipha » Wed Sep 05, 2018 1:16 pm

The engineering / calibration console was Ford's debug, testing and tuning hardware they used to develop the tunes. It basically held the calibration constants, and the pointers were directed to the console to snatch those calibration constants from an external source so it could be modified to dial in the tune. There were only rumored to be 170 or so of them ever created. I know there is one in England. I have no idea whatever happened to the others or if they even survived over the years. Regardless, the QH serves the same purpose in a much more manageable size.
decipha
Tooner
 
Posts: 15802
Joined: Mon Jul 15, 2013 5:29 pm
Location: New Orleans, LA
Name: Michael Ponthieux
Vehicle Information: Supercoupin' x10
90 (4x 5spds) - Dante, Ruby, Daja, Ava
91 4r70w - Skarlett
92 (2x) 5spd & auto - Bianqa, Andrea
93 auto - Danika
94 5spd Rionda
95 auto Aisha
Vehicle 2 Information: Others:
00 Lincoln LS - Luanda
98 Camaro SS - Bounquisha
02 Harley F-150 - Sasasha
03 Marauder - DyShyKy
00 Explorer 5L - Bernyce

Re: Disassembly Rambling and Musings

Unread postby CausticUrbanCoast » Wed Sep 05, 2018 6:49 pm

Interesting. I know that Ford has a tool similar to Nissan's Consult which gives access to restricted parts of the ECU and TCU. I wonder if it is the same system you mention.

Re: Disassembly Rambling and Musings

Unread postby decipha » Wed Sep 05, 2018 8:10 pm

No, that would be akin to the AICE chip on the Fords, which isn't exactly restricted, it's just inaccessible since it's not on the EEPROM; thus why Ford ECUs cannot be bricked, cuz unlike GM and the like they flash over hardware and not over software.

This is all EEC-V and OBDII port related; earlier ECUs such as the EEC-IV do not have an AICE chip or an OBDII port.
