SAK-C167CR-LM HA+ endianness

tretornesp · **Joined:** Thu Jul 01, 2021 8:49 am **Posts:** 1

Hello everyone.

This is my first post in the forum, so i hope i dont break any rules.

Im developing a dissasembler for the ms42 processor and i got to a dumb halt that some of you may be able to solve:

The thing is, the first 4 bytes of my .bin (full 512k read, ms42 C6) are:

Code:

0xFA 0x00 0x60 0x06

The thing is, 0xFA is the opcode for the JMPS instruction (unconditional jump relative to segment + addres). Which makes a lot of sense!

Well, the thing is: the bootloader starts with some yet unknown bytes from 0x00000 to 0x000226. Then it fills with 0xFF until 0x000660. If you check the first 4 bytes shown above, you can clearly see 0x0660 in little endian. But transposing also the first 2 bytes we get 0x00 0xFA, which is not the opcode for JMPS but ADD, which doesnt make too much sense for me.

So, my question is: Do you know what this first instruction should really translate to? I can go on with just one example, doesnt need to be the first but any instruction in assembler and its hex output.

Sorry for my bad english and i hope i have explained in clear enough terms my problem.

PS: The documentation about the CPU im following comes from:
https://www.infineon.com/dgdl/Infineon- ... 361fac649a
https://www.keil.com/dd/docs/datashts/i ... 166ism.pdf

PS2: The code of the project i will be uploading to github: https://github.com/TretornESP/decompile46 (dont expect much by now, i have just started today).

sda2 · **Posted:** Mon Jul 05, 2021 11:17 am

Hi!

The first instruction in C167 is always the jump to the reset handler.

Quote:

MEM_EXT_0:00000000 FA 00 60 06 jmps 0, RESET_handler ; Absolute Inter-Segment Jump

In this case the reset handler is located at 0x660:

Code:

MEM_EXT_0:00000660             ; ---------------------------------------------------------------------------
MEM_EXT_0:00000660
MEM_EXT_0:00000660             RESET_handler:                          ; CODE XREF: sub_0J
MEM_EXT_0:00000660 E6 08 00 F6                 mov     CP, #0F600h     ; Move Word
MEM_EXT_0:00000664 CC 00                       nop                     ; No Operation
MEM_EXT_0:00000666 E6 00 12 00                 mov     DPP0, #12h      ; Move Word
MEM_EXT_0:0000066A E6 01 14 00                 mov     DPP1, #14h      ; Move Word
MEM_EXT_0:0000066E E6 02 13 00                 mov     DPP2, #13h      ; Move Word
MEM_EXT_0:00000672 1A 89 E2 FF                 bfldh   SYSCON, #0FFh, #0E2h ; Bit Field High Byte
MEM_EXT_0:00000676 0A 89 87 06                 bfldl   SYSCON, #87h, #6 ; 'ç' ; Bit Field Low Byte
MEM_EXT_0:0000067A E6 0C 07 08                 mov     ADDRSEL1, #807h ; Move Word
MEM_EXT_0:0000067E E6 0D C1 00                 mov     ADDRSEL2, #0C1h ; '-' ; Move Word
MEM_EXT_0:00000682 E6 0E 00 01                 mov     ADDRSEL3, #100h ; Move Word
MEM_EXT_0:00000686 E6 0F F0 FF                 mov     ADDRSEL4, #0FFF0h ; Move Word

Check the ISM for how the code is interpreted and you will find out

Also, maybe you can check out the discord in my signature, we still need some people that go into disassembly

mattbarn · **Joined:** Wed Mar 05, 2014 1:47 pm **Posts:** 21

It's awesome to see someone interested in building software tools for these ECUs.

I just want to make a recommendation that instead of building your own disassembler, you could put that effort into building a Ghidra processor module for the processor instead. This has the advantage that when you are done, it doesn't just disassemble but it will decompile the code back to pseudo-C.

Someone has already started one here: https://github.com/esaulenka/Ghidra_C166 so in fact you could contribute to that instead of starting fresh.

Good luck with your project either way!

RomRaider

Forum rules

SAK-C167CR-LM HA+ endianness

Who is online