16 bit ecu disassembly

JSarv · **Joined:** Sat Mar 01, 2008 10:31 pm **Posts:** 696

Stack Pointer.

SK= Stack Address
SP= Pushed Value

Is there distinct addressing that the stack is located?

I've read enough about the stack pointer to make me sick and still need a "stack pointer for idiots" explanation if possible.

I understand the whole purpose/function behind it. I understand it grows in size as the rom follows through, but I don't understand what to look for to determine exactly what is/is not being pushed onto the stack.

I have about 30min of reading left in the CPU manual and have exhausted everything usefull about 16bit stacks on the net.

If anyone has an idiot version of the stack pointer (for me) please feel free to make me feel a bit smarter.

I do believe figuring out the stack will greatly increase my ability to understand ALOT of the logic. I see so many things I THINK is stack related but don't know what the hell to do with it

-Jerod

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

Just start in the routine in question and start with an arbitrary address and keep track of how the stack pointer changes. From the manual:

Quote:

Stack implementation in the CPU16 is from high to low memory. The stack grows
downward as it is filled. SK : SP are decremented each time data is pushed on the
stack, and incremented each time data is pulled from the stack.
SK : SP point to the next available stack address, rather than to the address of the latest
stack entry.

So, check each instruction to see if something is being pushed to the stack (or the SP is changed). For example, if there's a jump (jsr), look in the manual you will find:

Quote:

Push (PC)
(SK : SP) - $0002 SK : SP
Push (CCR)
(SK : SP) - $0002 SK : SP

elevenpoint7five · **Posted:** Fri Dec 18, 2009 8:49 am

I'm having a bit of trouble with something, and I am hoping that someone might be able to help. First I'll post some code, then I'll explain what I think it's doing, and hopefully someone can tell me what I am doing wrong

Code:

ROM:0000C80A                 ais     #-4
ROM:0000C80C                 pshm    Z
ROM:0000C80E                 tsz
ROM:0000C810                 brclr   byte_20B76, #40h, loc_C8B6
...................
ROM:0000C84E loc_C84E:                               
ROM:0000C84E                 ldd     #9A77h
ROM:0000C852                 std     4, Z
ROM:0000C854                 ldaa    #1
ROM:0000C856                 staa    3, Z
ROM:0000C858                 bra     loc_C89E

There is nothing that references the stack, Z or ZK between those two segments, but it is some lengthy code(checking what gear the car is in) so I won't post it all. Obviously Z is being changed here. From the manual I got that 1111 1111 1111 1111 1100 or 0xFFFFC is being transferred to the stack pointer(SK:SP) then SK:SP - 2 = 0xFFFFA --> SK:SP and Z is pushed to the stack. Next SK:SP + 2 = 0xFFFFA -->ZK:IZ but SK:SP remains at 0xFFFFA. So how do the addresses of 3, Z and 4, Z make any sense? If I am reading it right and doing the math correctly then the locations don't exist in this ROM, or in any 16bit ROM for that matter.

Thanks in advance for any light someone may be able to shed on this. I've been going over it for hours and just not grasping something.

Andy

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

tsz is the key instruction here

elevenpoint7five · **Posted:** Fri Dec 18, 2009 6:18 pm

merchgod wrote:

tsz is the key instruction here

I am assuming I am doing the tsz part wrong then?

Code:

Operation: (SK : SP) + $0002 Þ ZK : IZ
Description: Replaces the contents of the ZK field and index register Z with the
contents of the SK field and the stack pointer plus two. Contents of
SK and SP are not changed.

I just don't understand how...

Is ZK the only piece I should be looking at, so just the 4 bits of 1111 or 0xF?

Andy

elevenpoint7five · **Posted:** Sun Dec 20, 2009 7:20 pm

elevenpoint7five wrote:

I'm having a very hard time figuring out how the CEL table and logic works. I have seen the fix talked about with the "05 00 00" but with the Group-N ROM this doesn't seem to fix certain CEL's for people. I would really like to look into it more and learn how it all works.

I know the location of the table, but how is it referenced?
I am not sure on the logic, though, I have a few subroutines marked that I think it might possibly be.

If anyone could shed some light on this I'd greatly appreciate it!

Andy

I'm going to ask this one again because it's really frustrating me that I can't figure it out. Anyone?

Andy

elevenpoint7five · **Posted:** Tue Dec 29, 2009 9:21 pm

I'm pretty sure I've got the CEL stuff figured out, I do have a question about it though. In the LUT you will see an address followed by a few CEL codes followed by a bit. Where that address is, lets use 45 as an example, it will say 45 01 CD 01. Is it ALWAYS going to be 45, or will it be CD(or whatever is actually there) sometimes? I know this question sounds funny, but anyone that knows how the LUT works will understand...I hope

Andy

ckibue · **Posted:** Tue Jan 05, 2010 2:37 pm

elevenpoint7five wrote:

I found it located at 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(67).

Hope this helps someone in the future!

Andy

Thanks Andy, it sure does help, for the rom in question, I think 0x2DD07(67) should read 0x02DD07(63) :wink:

elevenpoint7five · **Posted:** Tue Jan 05, 2010 3:17 pm

ckibue wrote:

elevenpoint7five wrote:

I found it located at 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(67).

Hope this helps someone in the future!

Andy

Thanks Andy, it sure does help, for the rom in question, I think 0x2DD07(67) should read 0x02DD07(63) :wink:

You're right, thanks

The location is correct, the value I just typed wrong. I updated my post.

Andy

ckibue · **Posted:** Tue Jan 05, 2010 5:31 pm

elevenpoint7five wrote:

Got it! Man that is confusing!

The ecu ID I was working on was 3D04EA4605, and I found it at 0x2B163 through 0x2B167, it's 5 bytes long. I found it located at 0x2DD05(02) 0x2DD06(B1) and 0x2DD07(63). The ecu ID is the 5th-9th byte of the table, so go back 5 to 0x2DD00 and that is the start of the SSM LUT.
Andy

Might I be wrong to say that the ecu ID location addr (0x2B163) location(s) (0x2DD05 thru 0x2DD07) are the 5th - 7th bytes of the SSM LUT :?:

ckibue · **Posted:** Tue Jan 05, 2010 7:26 pm

In trying to test if I understand how to get through the ssm lut, i did a test with the grp n rom ecuid 3D04EA4605 whose initial byte I found located at addr 0x2B163. A search of 2B163 shows it at addr 0x2DD05 and going back 5 bytes prior to this gives the ssm lut start at 0x2DD00.
From ssm.pdf, taking coolant temp as an example, it's parameter index is 8 which when multiplied by 4 gives 32d which is 20h, adding this to the ssm lut start gives 0x2DD20. At addr 0x2DD20, I find 02 0C FE, and searching for the last two bytes 0CFE shows them referenced by the function sub_19A06.......

Am I anywhere near right before I completely loose myself????

elevenpoint7five · **Posted:** Tue Jan 05, 2010 7:31 pm

You are exactly right

0x20CFE is the SSM ECT, the "Current ECT" should be loaded to an accumulator just above the SSM ECT in the sub you mentioned. Then it does some converting and stores it as the SSM ECT.

Andy

ckibue · **Posted:** Tue Jan 05, 2010 7:37 pm

elevenpoint7five wrote:

You are exactly right

0x20CFE is the SSM ECT, the "Current ECT" should be loaded to an accumulator just above the SSM ECT in the sub you mentioned. Then it does some converting and stores it as the SSM ECT.

Andy

Cool, thanks Andy and all for guiding through the book cover, now I can turn to page 1

elevenpoint7five · **Posted:** Tue Jan 05, 2010 7:49 pm

Haha no problem! Any questions just ask man. Good luck!

Andy

ckibue · **Posted:** Mon Jan 11, 2010 8:33 am

elevenpoint7five wrote:

Haha no problem! Any questions just ask man. Good luck!

Andy

What would be the best approach to understand the underlaying logic? I started off from 0x220 which jumps me to 0x9AA. It seems here the Interrupt priority (IP) is set to the highest level of 7 and the CCR contents ANDed with FFFFh and a jump to 0x7144......

Is this the right path to go???? Pointers anyone.

RomRaider

16 bit ecu disassembly

Who is online