EEC V file conversion

All hardware related, disassembly / programming and code discussions belong here.
jsa
Posts: 325
Joined: 2021 Feb 16, 15:46
Location: Australia
Vehicle Information: 95 Escort RS Cosworth
2.0 YBP
CARD / QUIK / COSY / ANTI
GHAJ0
SMD-190 / SMD-490 EEC-IV

Binary Editor
ForDiag

Re: EEC V file conversion


tvrfan wrote: 2023 Dec 01, 15:16 and then jsa sent me THIS - and the air went blue (Do you say this in USA, or
is it more like "swears like a trooper?")

446a - - - - WHAT THE F**K is THAT ??!!!! AAARRGGGHHHH !!!!!!
My pleasure!

The waffle I have in LST.

Code:

   Sub444e_6Args_To_R1A:
444e: 2d,80               scall 41d0             Sub41D0_xArgs_To_R1A (
4450: 06                        #arg 1              6 );
4451: 71,fd,2c            an2b  R2c,fd           CxxxFlgClrSet = 0;                # B1 Clear 0
4454: 20,1e               sjmp  4474             goto 4474;

#
##################################################################################
# 

    # Call  from L2F0F                                                             Sub2ea1
    # Call  from L2F19                                                             Sub2ea1
    # Call  from L2F2B                                                             Sub2ea1
    # Call  from L2F54                                                             Sub2ea1
    # Call  from L3A59                                                             Sub39f4
    # Call  from L3A6A                                                             Sub39f4
    # Call  from L3A90                                                             Sub39f4
    # Call  from L3A99                                                             Sub39f4
   Sub4456_FltCdHndlr:
4456: f8                  clc                    CY = 0;                           # Return to Callers address
4457: 20,01               sjmp  445a             goto 445a;

#
##################################################################################
# Tests process values against limits. Set flags when outside limits.

    # Call  from L2ED6                                                             Sub2ea1
    # Call  from L2EDF                                                             Sub2ea1
    # Call  from L2EE8                                                             Sub2ea1
    # Call  from L2EF1                                                             Sub2ea1
    # Call  from L2F60                                                             Sub2ea1
    # Call  from L2F69                                                             Sub2ea1
    # Call  from L39D9                                                             Sub354c
    # Call  from L39E4                                                             Sub354c
   Sub4459_FltCdHndlr:
4459: f9                  stc                    CY = 1;                           # Return to Sub40FA_2Arg_R14_R17

    # Continue Carry Set 1
    # SJump from L4457 Carry Cleared 0                                             Sub4456_FltCdHndlr
445a: cc,18               pop   R18              R18 = pop();                      # Get callers next line from stack
445c: b2,19,1a            ldb   R1a,[R18++]      R1a = [R18++];                    # Get yArg1A from address++
445f: b2,19,1b            ldb   R1b,[R18++]      R1b = [R18++];                    # Get yArg1B from address++
4462: b2,19,1c            ldb   R1c,[R18++]      R1c = [R18++];                    # Get yArg1C from address++
4465: b2,19,1d            ldb   R1d,[R18++]      R1d = [R18++];                    # Get yArg1D from address++
4468: d3,05               jnc   446f             if (CY = 1)  {                    # L2F12 CY Clear 0 on entry L4456
    # Cont CY=1 Take
446a: c9,fa,40            push  40fa             push(Sub40FA_2Arg_R14_R17);       # Push Sub40FA_2Arg_R14_R17 return address to stack
446d: 20,02               sjmp  4471             goto 4471; }                      # goto L4471 CY=1 Sub4459_FltCdHndlr sequence


    # JNC   from L4468 CY = 0 Sub4456_FltCdHndlr sequence,                         Sub4459_FltCdHndlr
446f: c8,18               push  R18              push(R18);                        # Push caller's return address to stack

    # Cont  from L446F CY=0 Sub4456_FltCdHndlr sequence
    # SJump from L446D CY=1 Sub4459_FltCdHndlr sequence
4471: 91,02,2c            orb   R2c,2            CxxxFlgClrSet = 1;                # B1 Set 1

    # Cont  from L4471 CY=0 Sub4456_FltCdHndlr sequence
    # Cont  from L4471 CY=1 Sub4459_FltCdHndlr sequence
    # SJump from L4454 after Sub444e_6Args_To_R1A with CxxxFlgClrSet=1
4474: ad,1a,3e            ldzbw R3e,1a           wR3e = 1a;                        # wR3E immediate value for target address wArg1A
4477: 28,26               scall 449f             Sub449f_2yArgAddr_Decode ();
4479: ad,1c,3e            ldzbw R3e,1c           wR3e = 1c;                        # wR3E immediate value for target address wArg1C
447c: 28,21               scall 449f             Sub449f_2yArgAddr_Decode ();      #
447e: a2,1a,42            ldw   R42,[R1a]        R42 = [R1a];                      # x053C MAPTIM_Dt
4481: 8a,1c,42            cmpw  R42,[R1c]                                          # x053C [F138]
4484: d1,0b               jleu  4491             if (R42 > [R1c])  {               # Compares present value
                                                                                   # with limit value, order
                                                                                   # depends on arg order so
                                                                                   # sub can process Hi and Lo limits

    # Cont process value outside of limit, Set Fault Code
4486: 39,2c,0b            jb    B1,R2c,4494      if (CxxxFlgClrSet = 1) return;

    # Cont CxxxFlgClrSet=0 Sub444e_6Args_To_R1A Sequence
4489: a0,1e,1a            ldw   R1a,R1e          R1a = R1e;                        # wR1A=R1E Arg 5 & 6 Fault Code
448c: 91,02,2c            orb   R2c,2            CxxxFlgClrSet = 1;                # B1 Set 1
448f: 22,99               sjmp  472a             goto Sub472a_Str_Flt_Cd; }


    # JLEU  from L4484 process value within limits, No Fault Code                  Sub4459_FltCdHndlr
4491: 71,fd,2c            an2b  R2c,fd           CxxxFlgClrSet = 0; }              # B1 Clear 0

    # JB    from L4486 CxxxFlgClrSet=1 x Sequence                                  Sub4459_FltCdHndlr
4494: f0                  ret                    return;                           # Return to pushed Sub40FA_2Arg_R14_R17 CY=1 Sub4459 sequence
                                                                                   # Return to Caller for Sub444e_6Args_To_R1A
                                                                                   # Return to Caller for Sub4456_FltCdHndlr

The six arg byte case, three arg words.

Code:

4840: ef,0b,fc            call  444e             Sub444e_6Args_To_R1A (
4843: 32,00                     #arg 1              32,                            #  [15A] DSDRPM
4845: 5e,f0                     #arg 2              S.ISubND_400rpm,               # [DBB2]
4847: 12,04                     #arg 3              412 );                         # KOER Test idle RPM too high

The four arg byte case, two arg words.

Code:

2f0f: ef,44,15            call  4456             Sub4456_FltCdHndlr (
2f12: 3c,05                     #arg 1              MAPTIM_Dt,                     # [053C]
2f14: 38,f1                     #arg 2              S.VBPDL2_4320Tk );             # [DC8C]

Exploding Args, piste de résistance.

Code:

2ee8: ef,6e,15            call  4459             Sub4459_FltCdHndlr (
2eeb: 2c,f0                     #arg 1              S.ACTMIN_0.2V,                 # [DB80]
2eed: 0e,01                     #arg 2              iACT,                          # [010E]
2eef: 00                        #arg 3              C112FIL_iACT_VLo,              #  [17C] C112FIL_iACT_VLo
                                                                                   # [DCFE] S.C112LVL_200counts
                                                                                   # [DD4F] S.C112UP_50counts
                                                                                   # B0_758 KAM C Fault Code Flag
                                                                                   # 763 KAM C
2ef0: 00                        #arg 4              0 );                           # B0_1D4 RAM C Fault Code Flag

2ef1: ef,65,15            call  4459             Sub4459_FltCdHndlr (
2ef4: 0e,01                     #arg 1              iACT,                          # [010E]
2ef6: 2e,f0                     #arg 2              S.ACTMAX_4.675V,               # [DB82]
2ef8: 01                        #arg 3              C113FIL_iACT_VHi,              #  [17D] C113FIL_iACT_VHi
                                                                                   # [DCFF] S.C113LVL_200counts
                                                                                   # [DD50] S.C113UP_50counts
                                                                                   # B1_758 KAM C Fault Code Flag
                                                                                   # 764 KAM C
2ef9: 01                        #arg 4              1 );                           # B1_1D4 RAM C Fault Code Flag
Exploding args pretty much drove the last nail into SAD V4's coffin.
tvrfan
Posts: 88
Joined: 2023 Oct 22, 22:13
Location: New Zealand
Vehicle Information: Several Kit cars, Ford (Europe), EEC-IV, TVR Vixen, Tasmin (a.k.a Wedge),
Engine - Cologne 2.8 V6 (Europe) catch code 'AA'.

EEC_Disassembler https://github.com/tvrfan/EEC-IV-disassembler

Yes, I am looking at eqe3 errors now, along with other fails, to try to sort out what goes wrong. It probably affects other bins too.
I hope those are some good examples in previous posts of what can screw things up.

I know as a software developer that the code in those binaries is more or less 'normal' standard stuff, and there are always shortcuts available where useful, to save space and processing time. But decoding them correctly can be tough. The human brain always sees patterns easily but not programs (unless you've got a massive AI engine, and even then, they screw up too.)
jsa wrote: 2023 Dec 02, 21:09 Exploding args pretty much drove the last nail into SAD V4's coffin.
Yep, and I'm still trying to find a better solution.....
jsa

tvrfan wrote: 2023 Dec 03, 13:15 Yep, and I'm still trying to find a better solution.....
Thank you for the ongoing effort.
BOOSTEDEVERYTHING
Posts: 301
Joined: 2023 Sep 06, 13:11
Location: Charlotte NC , USA
Vehicle Information: 1999 Ford Ranger with 2000 Explorer v8 swap, FLN0
2003 Ford F150 Harley Davidson, Built 5.4L SOHC with 3.4L Whipple and Built 4R100

Yes, Thank you both for all the effort and help!!! I can not say enough how much of a help you all have been. Thank you so much!!!!

I have a stupid question..... I probably should have asked this a long time ago, What is PSW exactly? I thought it was just shorthand for push command but now I am not so sure, looking at the spreadsheet. Also, correct me if I am wrong, any time the code uses call or push or scall or pushw, it is loading a return address on the stack of the address where the actual command is located? Just to be sure I am looking at all of this correctly. Thanks. I have several sections where there are 5 arg lines under a subroutine in the eqe3 bin. Getting very confusing for me for sure, maybe wasn't the best bin to start with. LOL

Code:

099c1: ef,04,c2           call  05bc8            Sub_05bc8 (); } }
099c4: b3,01,9e,17,46     ldb   R46,[R0+179e]    TMP0L = OBDII_RESET;
099c9: 99,01,46           cmpb  R46,1            
099cc: df,5a              je    09a28            if (TMP0L != 1)  {
099ce: b3,d8,e4,46        ldb   R46,[Rd8+e4]     TMP0L = ER_STATUS;
099d2: 99,01,46           cmpb  R46,1            
099d5: df,51              je    09a28            if (TMP0L != 1)  {
099d7: 99,5f,46           cmpb  R46,5f           
099da: df,4c              je    09a28            if (TMP0L != 5f)  {
099dc: c4,25,24           stb   R24,R25          TEMP0H = TEMP0L;
099df: 10,08              rombk 8
099e1: ef,32,bf           call  85916            Sub_85916 (
099e4: 24,00                    #arg 1              TEMP0L,
099e6: 60,10                    #arg 2              1060,
099e8: 01                       #arg 3              1,
099e9: 80                       #arg 4              80,
099ea: 19                       #arg 5              19 );
099eb: 10,08              rombk 8
099ed: ef,26,bf           call  85916            Sub_85916 (
099f0: 24,00                    #arg 1              TEMP0L,
099f2: 60,10                    #arg 2              1060,
099f4: 04                       #arg 3              4,
099f5: 40                       #arg 4              40,
099f6: 1a                       #arg 5              1a );
099f7: 10,08              rombk 8
099f9: ef,1a,bf           call  85916            Sub_85916 (
099fc: 24,00                    #arg 1              TEMP0L,
099fe: 60,10                    #arg 2              1060,
09a00: 02                       #arg 3              2,
09a01: 20                       #arg 4              20,
09a02: 1b                       #arg 5              1b );
09a03: 10,08              rombk 8
09a05: ef,0e,bf           call  85916            Sub_85916 (
09a08: 24,00                    #arg 1              TEMP0L,
09a0a: 60,10                    #arg 2              1060,
09a0c: 08                       #arg 3              8,
09a0d: 10                       #arg 4              10,
09a0e: 1c                       #arg 5              1c );
You may want to ignore the labels, I am not sure they are correct as I am still trying to clean up my mess of a dir file. I will post an updated dir file as soon as I clean it up a little for review. I screwed up the order of several of the commands and put in some unnecessary stuff previously that I am still working on cleaning up.
BOOSTEDEVERYTHING

Actually, here it is for now, please ignore the mess, still working on correcting a bunch of things and verifying others.

I think I am going to start a spreadsheet for the subroutines for eqe3 and rzasa, may help me keep better track of where I have been and where to go.
Attachments
eqe3_ml2_8a1a_stock read burn1fnb.zip
Very messy dir file with many errors
BOOSTEDEVERYTHING

tvrfan wrote: 2023 Dec 01, 21:45 Nice idea, but SAD has to work out how many arg bytes there are, to avoid !INV and/or it going off into fantasy land, as args are often valid opcode numbers (but trash...). I did wonder if it was possible somehow to guess how many arg bytes...but can't think of any way that works.
An issue with v4, trying to sort this out..........

Code:

0e8dc: ef,6a,08           call  0f149            Sub_0f149 ();                # this should have 9 following bytes ......
0e8df: c8,09              push  R108             push(R108);
0e8e1: dc,09              jvt   0e8ec            if (OVT = 1) {
0e8e3: 90,0a,5b           orb   R5b,Ra           R5b |= IO_Status;
0e8e6: 08,80,ef           shrw  R1ee,R80         R1ee >>= R80;        # should be opcode ef ...call <something>
0e8e9: 66,06,ef           ad2w  R1ee,[R6]        R1ee += [IO_Timer]; }
0e8ec: 93,09,f3,f0,a3     orb   Ra3,[R8+f0f3]    Ra3 |= [INT_Mask+1f0f3];
0e8f1: 20,02              sjmp  0e8f5            goto 0e8f5;

0e8f3: 3e,a3,20           jb    B6,Ra3,0e916     if (B6_Ra3 = 1) 
0e8f6: 04                 !INV! 
0e8f7: 26,f2              sjmp  0e7eb            
This is what I get in that section of code when I use SAD Version 4.0.12 (12 Mar 2023).

Code:

0e8dc: ef,6a,08           call  0f149            Sub_0f149 (
0e8df: c8,09                    #arg 1              9c8,
0e8e1: dc,09                    #arg 2              9dc,
0e8e3: 90                       #arg 3              90,
0e8e4: 0a                       #arg 4              a,
0e8e5: 5b,08                    #arg 5              85b,
0e8e7: 80                       #arg 6              80 );
0e8e8: ef,66,06           call  0ef51            Sub_0ef51 ();
0e8eb: ef,93,09           call  0f281            Sub_0f281 ();
0e8ee: f3                 popp                   PSW = pop();
0e8ef: f0                 ret                    return;

   Sub_0e8f0:
0e8f0: a3,20,02,3e        ldw   R3e,[R20+2]      TMP6L = [STACK_POINTER+2];
0e8f4: a3,20,04,26        ldw   R26,[R20+4]      TEMP1L = [STACK_POINTER+4];
0e8f8: f2                 pushp                  push(PSW);
0e8f9: fa                 di                     interrupts OFF;
0e8fa: 18,02,3f           shrb  R3f,2            TMP6H >>= 2;
0e8fd: c4,11,3f           stb   R3f,R11          ROM_BANK_CTL = TMP6H;
tvrfan

Wow, well spotted - I didn't see that. I'll go back see if there are clues as to why that works but my current development version doesn't.

PSW = Processor Status Word. This contains flags and fields which are set at the end of the instruction (e.g. overflow, negative, zero ...) and is used for the conditional jumps, e.g. if (Rx > 0) goto 12345. It also contains some bank information on 8065 CPU, which is why you will also see PUSHP (pushes PSW onto stack) and POPP (replaces PSW with version at the stack pointer) in many places. PUSHW and POPW are the instructions used for calls and returns on stack. CALL does an implicit PUSH, and RET does an implicit POP.

Not all instructions set the PSW. The argument getters (previous posts) mess around with PSW via PUSHP and POPP to get the caller's bank.

Have a look at the Ford handbook, which is a mini version of the software manual on Open EEC in github (scanned as a set of pictures).
BOOSTEDEVERYTHING

tvrfan wrote: 2023 Dec 04, 13:30 Have a look at the Ford handbook, which is a mini version of the software manual on Open EEC in github (scanned as a set of pictures).
I did not know about this one, well, didn't know it was posted. I remember seeing a post from JSA about posting it up somewhere when he was done scanning it or something like that but the post never led to a document. It was very old. I will have to take a look and see if I can find it, maybe it will be easier to reference than the whole software manual.
tvrfan wrote: Wow, well spotted - I didn't see that. I'll go back see if there are clues as to why that works but my current development version doesn't.
Even a broken clock is correct 2 times a day!!! LOL, well, it may be something in my dir file that JSA added early on to define the sizes of the arg in the code? It was one of the first posts in this thread I believe. I'll look back and see if I can find it.
Thanks for the explanation on those. I looked through the SAD docs and the strategy docs and couldn't find anything on those instructions. It didn't even dawn on me that they were most likely in the software or hardware manuals. Duh!!! LOL
BOOSTEDEVERYTHING

jsa wrote: 2023 Sep 30, 02:54 As it happens this bin needs a DIR as SAD has failed to handle the arg count correctly.

If you look in your MSG you will find this;

Code:

Invalid opcode at 1e8f6 [5]
It's a double bug, the real address of the issue is at 0e8f6.

@TVRfan has been working on a future release of SAD that will overcome a number of issues around args.
In the meantime the user has to be able to recognise the issue/s and direct SAD to the correct solution.

Adding this command to the DIR will get the correct number of args.

Code:

args    0E8DF 0E8E8 :O 2 UW  :O 2 UY :UW :UY
I have just mimicked the arg size that SAD applied to the previous block of args. SAD does not always get that right either but I don't have time to check it right now.

Directive file
eqe3_ml2_8a1a_stock read burn1fnb_dir.zip

The bugs have been reported to TVRfan.
Yep, Here is the post when we were getting started, not sure if this does all the arg sizes or just the one at 0e8f6. Turns out this is also the error that WWHITE was talking about as well.
tvrfan

I think I've found and fixed the eqe3 problem. eqe3 now works in my development version.

I was saying earlier that there was a bin which had a flag in first byte/argument to get more bytes. I found an example in M0M2. It's not the one I remember, but it does show the type of code trick which is very hard to do in a 'static' way, forcing an emulate method. I can't think of any other way than emulating the actual code. I have a problem in M0M2 as SAD still gets incorrect number of bytes/arguments in another subroutine, so emulation is still not working perfectly.

Code:

    
   Sub_2c87:
2c87: cc,18               pop   R18              R18 = pop(); }
   Sub_2c89:
2c89: ae,19,14            ldzbw R14,[R18++]      wR14 = y[R18++];                  #get first argument/byte
2c8c: b1,01,17            ldb   R17,1            R17 = 1;
2c8f: 37,14,14            jnb   B7,R14,2ca6      if (B7_R14 = 1) {            # if top bit set get an extra byte
2c92: 71,7f,14            an2b  R14,7f           R14 &= 7f;                        # clear top bit flag                    
2c95: ae,19,34            ldzbw R34,[R18++]      wR34 = y[R18++];      #next byte
2c98: 41,07,00,34,1a      an3w  R1a,R34,7        R1a = R34 & 7;
2c9d: ad,01,16            ldzbw R16,1            wR16 = 1;
2ca0: 19,1a,16            shlb  R16,R1a          R16 <<= R1a;
2ca3: 08,03,34            shrw  R34,3            R34 >>= 3; }
2ca6: c8,18               push  R18              push(R18);        
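Added example (not SAD's code and not written by any poster in this thread): the getters listed above pop the caller's return address and read inline argument bytes through it, and the M0M2 routine reads a second byte only when bit 7 of the first is set, so the byte count can only be found by running the getter. This Python sketch emulates the listed instructions far enough to report how many inline bytes each call consumes and what ends up on the stack. Assumptions: registers are kept as independent named values (no byte/word overlap), instructions that never write the pointer register are skipped, and the M0M2 caller address 0x3000 and its argument bytes are constructed.

```python
import re
# Mnemonic columns copied from the SAD listings posted in this thread.
LISTING = """\
4456: f8                  clc
4457: 20,01               sjmp  445a
4459: f9                  stc
445a: cc,18               pop   R18
445c: b2,19,1a            ldb   R1a,[R18++]
445f: b2,19,1b            ldb   R1b,[R18++]
4462: b2,19,1c            ldb   R1c,[R18++]
4465: b2,19,1d            ldb   R1d,[R18++]
4468: d3,05               jnc   446f
446a: c9,fa,40            push  40fa
446d: 20,02               sjmp  4471
446f: c8,18               push  R18
2c87: cc,18               pop   R18
2c89: ae,19,14            ldzbw R14,[R18++]
2c8c: b1,01,17            ldb   R17,1
2c8f: 37,14,14            jnb   B7,R14,2ca6
2c92: 71,7f,14            an2b  R14,7f
2c95: ae,19,34            ldzbw R34,[R18++]
2c98: 41,07,00,34,1a      an3w  R1a,R34,7
2c9d: ad,01,16            ldzbw R16,1
2ca0: 19,1a,16            shlb  R16,R1a
2ca3: 08,03,34            shrw  R34,3
2ca6: c8,18               push  R18
"""
LINE = re.compile(r"^([0-9a-f]+): ([0-9a-f,]+) +(\w+) *(\S*)$", re.M)

def parse(text):
    """Listing text -> {address: (length in bytes, mnemonic, operands)}."""
    prog = {}
    for addr, raw, op, args in LINE.findall(text):
        prog[int(addr, 16)] = (raw.count(",") + 1, op, args.split(",") if args else [])
    return prog

PROG = parse(LISTING)

def count_inline_args(entry, ret_addr, rom):
    """Emulate a getter from `entry`; return (inline bytes consumed, stack)."""
    regs, stack, cy, ptr, pc = {}, [ret_addr], 0, None, entry
    while pc in PROG:
        size, op, a = PROG[pc]
        nxt = pc + size
        if op in ("clc", "stc"):
            cy = int(op == "stc")
        elif op == "pop":                       # caller's return address -> pointer
            ptr = a[0]
            regs[ptr] = stack.pop()
        elif op in ("ldb", "ldzbw") and a[1].endswith("++]"):
            src = a[1][1:-3]                    # "[R18++]" -> "R18"
            regs[a[0]] = rom[regs[src]]         # fetch one inline byte
            regs[src] += 1
        elif op == "an2b":
            regs[a[0]] &= int(a[1], 16)
        elif op == "jnb" and not regs[a[1]] >> int(a[0][1]) & 1:
            nxt = int(a[2], 16)                 # tested bit clear: branch taken
        elif op == "sjmp" or (op == "jnc" and not cy):
            nxt = int(a[0], 16)
        elif op == "push":
            stack.append(regs[a[0]] if a[0] in regs else int(a[0], 16))
            if a[0] == ptr:                     # adjusted return address restored
                break
        pc = nxt                                # anything else: skipped (see lead-in)
    return regs[ptr] - ret_addr, stack

if __name__ == "__main__":   # 0x3000 and the bytes placed there are constructed
    for first in (0x05, 0x85):
        print(count_inline_args(0x2c87, 0x3000, {0x3000: first, 0x3001: 0x11}))
```

Entering at 4459 instead of 4456 consumes the same four bytes but leaves 40fa on the stack rather than the caller's address, which is the case a fixed per-subroutine argument count cannot describe.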