Title: Explanation of the JNB / jb command
Post by: JayTec on April 17, 2025, 02:05:13 AM

Hi guys. I'm just starting to reverse engineer the ME7.5 with a C167, which is very similar in design to the C166.

Now I've looked at the JNB command (Jump if Bit Not Set). I understand that 9A is logically the JNB command and, according to what I've learned so far, the address plus bitmask comes in the next 2 bytes. The last byte gives the jump ahead. Now I'd like to know how this address is calculated, because I can't just enter my address here, like b_kuppl FD4A bit 9. Can someone explain to me how I have to convert this address so that the JNB command understands what I want from it? Thanks in advance.

Sent from my M2007J3SG with Tapatalk

Title: Re: Explanation of the JNB / jb command
Post by: prj on April 17, 2025, 08:50:04 AM

https://www.keil.com/dd/docs/datashts/infineon/c166ism.pdf (https://www.keil.com/dd/docs/datashts/infineon/c166ism.pdf)
Page 133.

Title: Re: Explanation of the JNB / jb command
Post by: JayTec on April 17, 2025, 09:34:09 AM

Hi, thanks a lot for pointing me to the C167 datasheet – page 133 helped me understand how the JNB instruction works for regular bit-addressable RAM. The formula

(FDxx – FD00) * 16 + Bit

works fine when I'm accessing bits directly in the FDxx range. However, what I'm specifically trying to understand is the Bosch internal bit mapping used in ME7.x code. For example: according to the function matrix, b_kuppl is at FD4A, Bit 9 → bitmask 0x0200. But in actual Bosch ME7 code, the JNB instruction uses 25 13 → bit address 0x1325, not 0x04A9 as per the formula.

My question is: is there any known mapping table, method, tool, or script that systematically translates FDxx + bit into the Bosch-style JNB bit address (e.g. FD4A.9 → 0x1325)? I'm developing custom LC/NLS functions and need to generate the correct JNB opcodes, but right now I can only do it by comparing to disassembled dumps in Ghidra. Any pointers to a lookup table, a bit-mapping reference, or insight into how tools like ME7Sum or Setzi's disassembler resolve this would be greatly appreciated! Thanks!

Sent from my M2007J3SG with Tapatalk

Title: Re: Explanation of the JNB / jb command
Post by: prj on April 17, 2025, 09:53:30 AM

There is no "Bosch style" or whatever style.
This is a processor. Read the manual.

Title: Re: Explanation of the JNB / jb command
Post by: rogerius on April 17, 2025, 11:13:19 AM

Quote from JayTec: Hi, thanks a lot for pointing me to the C167 datasheet – page 133 helped me understand how the JNB instruction works for regular bit-addressable RAM. The formula (FDxx – FD00) * 16 + Bit works fine when I'm accessing bits directly in the FDxx range. However, what I'm specifically trying to understand is the Bosch internal bit mapping used in ME7.x code. For example: according to the function matrix, b_kuppl is at FD4A, Bit 9 → bitmask 0x0200. But in actual Bosch ME7 code, the JNB instruction uses 25 13 → bit address 0x1325, not 0x04A9 as per the formula. My question is: is there any known mapping table, method, tool, or script that systematically translates FDxx + bit into the Bosch-style JNB bit address (e.g. FD4A.9 → 0x1325)? I'm developing custom LC/NLS functions and need to generate the correct JNB opcodes, but right now I can only do it by comparing to disassembled dumps in Ghidra. Any pointers to a lookup table, a bit-mapping reference, or insight into how tools like ME7Sum or Setzi's disassembler resolve this would be greatly appreciated! Thanks!

@85F52A 9A 25 02 D0 jnb word_FD4A.B_kuppl, loc_85F532

translates as: at address 0x85F52A, the opcodes are 9A 25 02 D0 for the ASM: jnb word_FD4A.B_kuppl, loc_85F532
where:
jnb ---> 9A (see prj's attachment), hence 9A
word_FD4A ---> 4A:2 = 25 hex, hence 25
loc_85F532 - 85F52A = 8 (8 bytes => 8/4 = 2 words => 02 relative leap/jump), hence 02
B_kuppl is bit 13, mask 0x2000 ---> 13 dec = D hex, hence D; 0 always follows after the mask in hex, hence D0

Title: Re: Explanation of the JNB / jb command
Post by: fknbrkn on April 17, 2025, 12:12:01 PM

Quote: I'm developing custom LC/NLS functions

with pure hex?
Use the Keil uVision IDE for that.

Title: Re: Explanation of the JNB / jb command
Post by: JayTec on April 17, 2025, 01:51:22 PM

So you mean, if I write the function in an IDE like IDA, it sets the value I need for JNB itself? So I only need the internal RAM address FDXX plus the bitmask for it, and it sets the bit address itself?

Sent from my M2007J3SG with Tapatalk

Title: Re: Explanation of the JNB / jb command
Post by: prj on April 17, 2025, 04:30:36 PM

Quote from JayTec: So you mean, if I write the function in an IDE like IDA, it sets the value I need for JNB itself? So I only need the internal RAM address FDXX plus the bitmask for it, and it sets the bit address itself?

IDA is not an IDE. It is a disassembler. Keil is an IDE. And it has a C166 assembler. So of course you just write the mnemonic and the assembler assembles the hex.

Title: Re: Explanation of the JNB / jb command
Post by: rogerius on April 17, 2025, 09:32:07 PM

Quote from prj: IDA is not an IDE. It is a disassembler. Keil is an IDE. And it has a C166 assembler. So of course you just write the mnemonic and the assembler assembles the hex.

I am following this advice since I came across it: Real men write straight hex on c167 ;D

Title: Re: Explanation of the JNB / jb command
Post by: JayTec on April 18, 2025, 12:21:04 AM

Yes, that's my goal. To be honest, I actually prefer writing the whole thing in hex. What I'm ultimately interested in is knowing which values I need to specify for JNB, i.e. the bit address. I already have the address for B_kuppl in my case, for example FA4A bit 9. But I can't just write 9A 4AFA 00 here; I need a bit address for this... and how I can arrange it. That's what I'm interested in.

Sent from my M2007J3SG with Tapatalk

Title: Re: Explanation of the JNB / jb command
Post by: rogerius on April 18, 2025, 12:46:28 AM

Quote from JayTec: Yes, that's my goal. To be honest, I actually prefer writing the whole thing in hex. What I'm ultimately interested in is knowing which values I need to specify for JNB, i.e. the bit address. I already have the address for B_kuppl in my case, for example FA4A bit 9. But I can't just write 9A 4AFA 00 here; I need a bit address for this... and how I can arrange it. That's what I'm interested in.

9A 4A FA 00 is not at all correct.

The instruction manual that prj provided you must be read until understood. I tried to save you some time:
for jnb you write 9A
for FD4A (FA4A must be a typo) you ignore FD and write 4A:2 = 25 (hex obviously)
then you write the "jump" in "words": count bytes, divide by 4, write the hex value of the result
finally, write the mask followed by a zero: 9 0, hence 90
9A 25 xx 90 (xx is the relative jump number in words) vs 9A 4A FA 00, which is wrong

Edit: ^^^^ now, this is like spoon feeding and is not encouraged much on this forum; you need to put in a little effort yourself and much more help will follow. This is already explained by other people on this forum; maybe searching is not easy, so I thought I could save you the time. I concluded that 99% of any question one might have is already answered.

Title: Re: Explanation of the JNB / jb command
Post by: prj on April 18, 2025, 01:40:22 AM

Quote from JayTec: Yes, that's my goal. To be honest, I actually prefer writing the whole thing in hex. What I'm ultimately interested in is knowing which values I need to specify for JNB, i.e. the bit address. I already have the address for B_kuppl in my case, for example FA4A bit 9. But I can't just write 9A 4AFA 00 here; I need a bit address for this... and how I can arrange it. That's what I'm interested in.

And this is exactly the problem Keil uVision solves. For any serious amount of code, not using an assembler is dumb.

Title: Re: Re: Explanation of the JNB / jb command
Post by: JayTec on April 20, 2025, 01:38:23 AM

Quote from rogerius: 9A 4A FA 00 is not at all correct.

Okay, yes, and I think you've misunderstood me or I've worded it wrong. So what I understand now is that 9A is the command; FD is not written at all, it's irrelevant. That means I only need half of my ME7Info address, so 4A; this value is divided by 2 and I get 25. Then the jump size has to be defined. That's clear too. And right at the end, the calculated bit is simply written, so 90 for bit 9, 13 for bit 13, and so on. So in my case the command looks like this: 9A 25 ?? 90. Have I understood that correctly?

Quote from rogerius: The instruction manual that prj provided you must be read until understood. I tried to save you some time: for jnb you write 9A; for FD4A (FA4A must be a typo) you ignore FD and write 4A:2 = 25 (hex obviously); then you write the "jump" in "words": count bytes, divide by 4, write the hex value of the result; finally, write the mask followed by a zero: 9 0, hence 90. 9A 25 xx 90 (xx is the relative jump number in words) vs 9A 4A FA 00, which is wrong. Edit: ^^^^ now, this is like spoon feeding and is not encouraged much on this forum; you need to put in a little effort yourself and much more help will follow. This is already explained by other people on this forum; maybe searching is not easy, so I thought I could save you the time. I concluded that 99% of any question one might have is already answered.

Sent from my M2007J3SG with Tapatalk

Title: Re: Re: Explanation of the JNB / jb command
Post by: rogerius on April 20, 2025, 01:52:35 AM

Quote from JayTec: Okay, yes, and I think you've misunderstood me or I've worded it wrong. So what I understand now is that 9A is the command; FD is not written at all, it's irrelevant. That means I only need half of my ME7Info address, so 4A; this value is divided by 2 and I get 25. Then the jump size has to be defined. That's clear too. And right at the end, the calculated bit is simply written, so 90 for bit 9, 13 for bit 13, and so on. So in my case the command looks like this: 9A 25 ?? 90. Have I understood that correctly?

Yes (bit 13 is D, right? hex). For bit 9 it is 90, for bit 13 it is D0.

Have a look in your disassembly for a few cases of jnb (or jb) and observe the patterns. Consult the manual that prj attached.
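An added worked example, not code from this thread or from any of the tools named in it (Keil, ME7Sum, Setzi's disassembler, Ghidra): a small Python assembler/disassembler for the four C166/C167 bit-jump instructions (JB 8A, JNB 9A, JBC AA, JNBS BA), using the operand encoding from the instruction set manual prj linked. The bitoff byte is (FDxx - FD00)/2 for bit-addressable RAM and 80h + (FFxx - FF00)/2 for the bit-addressable SFRs; the displacement byte is a signed count of words measured from the instruction that follows the jump (IP + 4), so for the bytes rogerius quoted, 9A 25 02 D0 at 0x85F52A, the target is 0x85F52A + 4 + 2*2 = 0x85F532; the last byte carries the bit number in its upper nibble. The scan helper and the sample buffer (NOPs around that one instruction) are constructed for the example; ESFR bits reached through an EXTR prefix and the GPR bitoff range F0h..FFh are rejected rather than guessed.

```python
"""Assemble and disassemble C166/C167 bit-jump instructions (JB, JNB, JBC, JNBS).

Encoding, per the C166 instruction set manual:
    opcode  bitoff  rel  q0        e.g. 9A 25 02 D0 == JNB FD4A.13, +2 words

bitoff  00h..7Fh -> bit-addressable RAM FD00h..FDFEh, word = FD00h + 2*bitoff
        80h..EFh -> SFRs FF00h..FFDEh, word = FF00h + 2*(bitoff - 80h)
                    (ESFRs F100h..F1DEh under an EXTR prefix; not handled here)
        F0h..FFh -> GPRs R0..R15 of the current register bank (no fixed address)
rel     signed 8-bit displacement in words, counted from the next instruction (IP + 4)
q0      bit number 0..15 in the high nibble, low nibble zero
"""

OPCODES = {"JB": 0x8A, "JNB": 0x9A, "JBC": 0xAA, "JNBS": 0xBA}
MNEMONICS = {v: k for k, v in OPCODES.items()}


def bitoff(word_addr):
    """Map a word address in bit-addressable RAM or SFR space to its bitoff byte."""
    if word_addr & 1:
        raise ValueError(f"bit-addressable words are even: {word_addr:#06x}")
    if 0xFD00 <= word_addr <= 0xFDFE:
        return (word_addr - 0xFD00) // 2
    if 0xFF00 <= word_addr <= 0xFFDE:
        return 0x80 + (word_addr - 0xFF00) // 2
    raise ValueError(f"{word_addr:#06x} is not bit-addressable")


def bitoff_to_addr(bo):
    """Inverse of bitoff(); GPR bitoffs have no fixed address and are rejected."""
    if bo <= 0x7F:
        return 0xFD00 + 2 * bo
    if bo <= 0xEF:
        return 0xFF00 + 2 * (bo - 0x80)
    raise ValueError(f"bitoff {bo:#04x} selects a GPR (R{bo - 0xF0})")


def mask_to_bit(mask):
    """Function-matrix style bitmask (e.g. 0x2000) -> bit number (13)."""
    if mask == 0 or mask & (mask - 1) or mask > 0xFFFF:
        raise ValueError(f"mask must have exactly one bit set: {mask:#06x}")
    return mask.bit_length() - 1


def encode_bit_jump(mnemonic, word_addr, bit, insn_addr, target_addr):
    """Return the 4 bytes of `mnemonic word_addr.bit, target_addr` placed at insn_addr."""
    opcode = OPCODES[mnemonic.upper()]
    if not 0 <= bit <= 15:
        raise ValueError(f"bit number out of range: {bit}")
    delta = target_addr - (insn_addr + 4)   # displacement from the next instruction
    if delta & 1:
        raise ValueError("jump target must be word aligned")
    rel = delta // 2
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target_addr:#x} out of 8-bit range ({rel} words)")
    return bytes([opcode, bitoff(word_addr), rel & 0xFF, bit << 4])


def decode_bit_jump(code, insn_addr):
    """Decode 4 bytes at insn_addr -> (mnemonic, word_addr, bit, target_addr).

    Raises KeyError for a non-bit-jump opcode and ValueError for malformed operands.
    """
    if len(code) < 4:
        raise ValueError("need 4 bytes")
    op, qq, rr, q0 = code[:4]
    mnemonic = MNEMONICS[op]
    if q0 & 0x0F:
        raise ValueError("low nibble of the bit byte must be zero")
    rel = rr - 0x100 if rr & 0x80 else rr   # sign-extend the displacement
    return mnemonic, bitoff_to_addr(qq), q0 >> 4, insn_addr + 4 + 2 * rel


def find_bit_jumps(buf, base_addr, word_addr, bit):
    """Linear scan of a code dump for bit jumps that test word_addr.bit.

    Instructions are word aligned, so only even offsets are tried. Data tables
    can still produce false positives; confirm each hit in the disassembler.
    """
    hits = []
    for off in range(0, len(buf) - 3, 2):
        try:
            m, addr, b, target = decode_bit_jump(buf[off:off + 4], base_addr + off)
        except (KeyError, ValueError):
            continue
        if addr == word_addr and b == bit:
            hits.append((base_addr + off, m, target))
    return hits


# Constructed sample: NOPs (CC 00) around the instruction quoted in the thread at 0x85F52A.
SAMPLE_BASE = 0x85F500
SAMPLE = b"\xCC\x00" * 0x15 + bytes.fromhex("9A2502D0") + b"\xCC\x00" * 4

if __name__ == "__main__":
    print(encode_bit_jump("JNB", 0xFD4A, 13, 0x85F52A, 0x85F532).hex(" "))
    print(encode_bit_jump("JNB", 0xFD4A, mask_to_bit(0x0200), 0x85F52A, 0x85F532).hex(" "))
    for addr, m, target in find_bit_jumps(SAMPLE, SAMPLE_BASE, 0xFD4A, 13):
        print(f"{addr:#x}: {m} FD4A.13 -> {target:#x}")
```

The displacement is the part worth checking in your own dump: a jump of +2 words and a jump whose target lies 8 bytes past the instruction coincide here, but a backward jump, or one to an address that is not 8 bytes away, only encodes correctly when you subtract the address of the next instruction before dividing by two. The scanner is a quick way to pull every JB/JNB on a given flag out of a binary and compare the bytes against the disassembler before patching anything in by hand.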