RomRaider

Within IDApro

get correct sh3.cfg
download binary
add RAM segment
add SFR segment

Options\General\Analysis\Reanalyze program in order to link SFR names \ found RAM locations.

You may repeat this any time to link RAM\SFR locations when segments are redefined.

Stack pointer processing is according to C conventions in Denso code.
Return address ( and processor flags ) are saved and restore on enter\exit.
Moreover the link register R14 may be stacked if the subroutine calls another one.

I did this and it didn't name the SFR locations (such as ADDR0, ADDR1, etc). I'll try again and see if I can get it to work.


Good to know, I'll research that.

I see that, but they override one another in the snippet of code I posted. I just don't understand why.

I see that r14 is stacked in my example posted, I figured it was because the function used it.

This means save register X to the STACK (pointed to by r15) then decrement r15 by 4.
Check the SH-2E software manual for a proper understanding of the opcodes.

If you didn't save your work to an IDC file and reload the ROM from scratch as suggested, you can get the peripheral addresses to show by going to the IDA menu Options > General > Analysis. Click 'Processor specific analysis options', then click the 'Choose device' button. Of the processors listed click on SH7058 and click OK. Click OK again and then click the 'Reanalyze program' button. The peripherals should all now be referenced and mark in that new segment and in code.

Here's the result you should see.

Thank you very much, I'm new to this and want to keep learning, so I appreciate all the help.

I had previously looked for the software manual, but for some reason Renesas doesn't list it when you drill down to the SH7058 CPU, but lists it for the parent level SH7050 Series. Oh well, I have it now and I hope to not have to bother asking beginner questions.

The software manual has a much more in depth description of each instruction so that is great for me.

I'll attach a spreadsheet I made that lists the instructions in a table incase anyone else finds it useful. I needed a quick way to look up instructions and find out what they were doing and I found it nice to be able to filter the table.

Ok, I'm stumped once again and need help.

I'm trying to decipher how the raw MAF ADC gets converted into a voltage.

I believe that I found the MAF is connected to AN15.



My question is: Does the ram location 0xFFFF4042 contain the 10 bit value in the lower 10 bits or the upper 10 bits?

I suppose I could log that ram address and find out, but I'm not sure yet how to add a ram address to the list of logged parameters. Also my car is in the garage for the winter.

The 10 bit value is left justified in the word register (section 17.2.1 in the manual).
Lowest value is 0, the first increment will give you a value of: 0x40
The highest value is: 0xFFC0

Ok, that clears that up.

But I don't understand how it converts it to a 0 to 5 volt number.

What looks like is happening is it converts the 0x40 to 0xFFC0 number to a float, multiplies it by 0.000076293945, subtracts 0, divides by 255 and adds .5

by what I have read it should only multiply by 0.000076293945 to convert to a 0 to 5 range.

From the 10bit value to float VDC it would be a straight multiplication by 0.000076293945. You can see this in the sub that does the MAF scaling before it reads the table.

The float value may be converted to a word value for use elsewhere, such as reporting the value via the SSM query or on the CAN bus. At the receiver the conversion is reversed to get the VDC value.

Can someone point to a thread/post that explains the syntax of the logger.xml file? I would like to be able to know how to log the previously meantioned 0xFFFF4042 RAM address.

But I would like to learn how to do it on my own for other parameters.

Items below in italics are optional.

In the example above, an Extended parameter is defined with the ecuparm element name. The parameter element contains attributes, these are:

• id - this has to be unique (no duplicates) within the entire logger.xml file, if it is not the last id read will clobber any previously defined id
• name - this is the name you will see in the Logger listing. The * denotes this is an extended RAM parameter and not a standard SSM parameter. Sometimes the name ends with (1, 2 or 4-byte)* to indicate the precision of the parameter (4 byte is typically a float value)
• desc - this is a free text description of the parameter. It is visible when you hover the cursor over the entry in the Logger listing
• target - this indicates if the parameter is related to the ECU or TCU or both. 1 - ECU, 2 - TCU, 3 - both

Within the ecuparm element you need to enclose two more elements, ecu and conversions.
For each ecu element enter an attribute of id which is a comma separated list of the ECU IDs of the ROMs that the enclosing RAM address applies to.
Within the ecu address element you have to define the data length attribute which is the number of bytes to read starting at the RAM address. The length attribute is only needed if the data length is > 1. There is also an optional bit attribute used to mask a byte and log only one bit of the raw data. This is used for bit encoded on/off type switches.
The address element is the least significant 6 bytes of the RAM address.

The conversions element contains one or more conversion entries which tells the Logger how to represent the data in the Logger display and in log files. Each conversion element contains the following attributes:

• units - the units of measure of the data
• storagetype - this is the way the data is represented within the ECU. Possible storage types are: int8, int16, uint8, uint16, int32, float
• expr - this is the mathematical formula used to convert the raw data to a real number for the indicated units of measure. x represents the value the logger gets from the ECU.
• format - this is how the number is presented and how many decimal places will be displayed
• gauge_min - for the Logger Gauges tab this is the minimum value on the dial
• gauge_max - for the Logger Gauges tab this is the maximum value on the dial
• gauge_step - for the Logger Gauges tab this is the number of tick marks between min and max on the dial

If you modify the XML file I suggest using Notepad++ with the XML tools plugin. With that plugin you can use it to check the XML syntax for errors. And when you save the logger.dtd in the same directory as your modified logger.xml file you can use the XML plugin to check the validity of your changes against the DTD file. This ensures you don't pass XML elements and attributes to the Logger that it doesn't support and reports any duplicate entries you may have created on purpose or by accident.

Very good information.

That should be in a sticky somewhere on the forum.