EFIDynoTuning Forum

Thanks for the updated files.

You could try Ghidra for digging around exe and dll.
https://ghidra-sre.org/

Usb sniffer or packet capture would allow looking at usb traffic.

The QH gives access to all of the ECU, so what is to be gained from the diagnostic subset??

Rfe is an rbase, you can likely find the value it holds in your msg file or you could look in lst for where Rfe is loaded with a value.

Look at code preceding your pasted snippet for where r26 is loaded with a value. An rbase could be set over a range but the jump bit will foil the plan due to +8 vs +8+2.

The QH gives access to all of the ECU, so what is to be gained from the diagnostic subset??

I guess nothing really there. I was just thinking about the active commands section to activate outputs from tunerpro maybe for diagnostic purposes I guess. I think that the addressing may be in the vehicle build file possibly. Not sure. A lot of the xml files seem to point to a vbf file.

Look at code preceding your pasted snippet for where r26 is loaded with a value. An rbase could be set over a range but the jump bit will foil the plan due to +8 vs +8+2.

I will see what I can track down here. I do have Rfe defined in my lst file, not sure why SAD is not applying the value in this SUB. May be a bug I guess.

Looks like it loads word 12a7, which is also GR_DS_TV, should I be looking at this subroutine without the label on the 12a7 address and as a value instead?

Code: Select all

 Sxx92128_RZA082DA:
92128: f2                 pushp                  push(PSW);
92129: a1,a7,12,26        ldw   R26,12a7         TEMP1L = GR_DS_TV;
9212d: a1,2a,00,28        ldw   R28,2a           TEMP2L = 2a;
92131: 10,08              rombk 8
92133: ef,4f,b9           call  8da85            Sxx8DA85_RZA8E908 ();
92136: 11,3c              clrb  R3c              TMP5L = 0;
92138: 01,26              clrw  R26              TEMP1L = 0;
9213a: b3,01,21,01,30     ldb   R30,[R0+121]     TEMP6L = TP_REL_H;
9213f: b3,e4,10,31        ldb   R31,[Re4+10]     TEMP6H = VSBART_RT;
92143: 37,b0,18           jnb   B7,Rb0,9215e     if (FLG_SFT_IN = 1)  {
92146: b3,fd,80,10,46     ldb   R46,[Rfc+1080]   TMP0L = [16db2];
9214b: 30,46,04           jnb   B0,R46,92152     if (B0_TMP0L = 1)  {
9214e: b3,e4,32,30        ldb   R30,[Re4+32]     TEMP6L = [112b2]; }
92152: b3,fd,81,10,46     ldb   R46,[Rfc+1081]   TMP0L = [16db3];
92157: 30,46,04           jnb   B0,R46,9215e     if (B0_TMP0L = 1)  {
9215a: b3,e4,15,31        ldb   R31,[Re4+15]     TEMP6H = [11295]; } }
9215e: 39,2a,11           jb    B1,R2a,92172     if (B1_TEMP3L = 0)  {
92161: 3a,2a,10           jb    B2,R2a,92174     if (B2_TEMP3L = 1) goto 92174;
92164: 3b,2a,30           jb    B3,R2a,92197     if (B3_TEMP3L = 1) goto 92197;
92167: 3c,2a,02           jb    B4,R2a,9216c     if (B4_TEMP3L = 0)  {
9216a: 22,56              sjmp  923c2            goto 923c2; }

More like this? But instead of 12a7 add 8 to it to equal 12af?

Code: Select all

92197: 65,08,00,26        ad2w  R26,8            TEMP1L += 8;
9219b: 3d,ad,04           jb    B5,Rad,921a2     if (FLG_SFT_UP = 0)  {
9219e: 65,02,00,26        ad2w  R26,2            TEMP1L += 2; } } } }
921a2: 45,6e,92,26,32     ad3w  R32,R26,926e     TEMP7L = 12a7 + 926e;
921a7: 46,32,fe,36        ad3w  R36,Rfe,[R32]    TMP2L = 1723e + [TEMP7L];
921ab: b0,30,38           ldb   R38,R30          TMP3L = TEMP6L;
921ae: 91,10,a5           orb   Ra5,10           SIGNDY = 1;
921b1: ef,a9,26           call  9485d            SLU9485D_92C16_**YFn ();
921b4: c7,e4,2a,3c        stb   R3c,[Re4+2a]     TV_RAMP = TMP5L;

From your pasted example, it could be 12af or 12b1, depends on B5_Rad.

Add a couple lines to your comment file for the sum results of both.

Questioning your example, R26 is loaded with 0.

Code: Select all

92138: 01,26              clrw  R26              TEMP1L = 0;

In this case it's 8 or a.

Missed when it cleared the word value, sorry about that. So it should be 8 or a depending on the result in b5_Rad then? Just to clear it up. So then I would add 8 to 926e to equal 9276 or a to 926e to equal 124ee than add the RBase value of 1723e to either of those results to find what is loaded into Tmp2l?

like this?

Code: Select all

92197: 65,08,00,26        ad2w  R26,8            TEMP1L(0) += 8;     =8
9219b: 3d,ad,04           jb    B5,Rad,921a2     if (FLG_SFT_UP = 0)  {
9219e: 65,02,00,26        ad2w  R26,2            TEMP1L (0)+= 2; } } } }    =2
921a2: 45,6e,92,26,32     ad3w  R32,R26,926e     TEMP7L = 8 + 926e;  = s.0x09276   or   a + 926e  =  s.0x09280
921a7: 46,32,fe,36        ad3w  R36,Rfe,[R32]    TMP2L = 1723e + [TEMP7L];  s.0x09276 + 1723e = s.0x204b4  or  s.0x09280 + 1723e = s.0x204be

But I feel like that would be incorrect, because of the results? Because there is no s.0x204be? So what am I doing wrong? Sorry if these are stupid questions. Or maybe the RBase value in Rfe is not correct?

Two things appear to be tripping you up.
Address mode for line 921a7, what do you make of that?
Data bank, once memory expansion is enabled and the data bank is set, which commands automatically get data from which bank?

The address mode is indirect. But I need to read up on what that means in this case. Also need to read up on memory expansion a bit more.

Ok, read up, post back if it still doesn't make sense.

Did you get this?

Code: Select all

926e + 8 = [9276]

19276: c8,13              word  

1723e + 13c8 = 18606


926e + 2 = [9270]

19270: a4,13              word  

1723e + 13a4 = 185e2

Something like this could go in CMT

Code: Select all

92197 # 0x08
9219E # 0x02
921A2 # [19276] \s19276\n
921A2 # [19270] \s19270
921A7 # [18606] \s18606\n
921A7 # [185E2] \s185E2

EFIDynoTuning Forum

EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion

Re: EEC V file conversion