Title: First disassemble - questions
Post by: masterj on November 19, 2012, 11:11:21 AM
Hello, fellow tuners,
i wanted to start this thread as a help for anyone who wants to start disassembling their bins and one place for all these questions one might have trying to do so.
So, first mini tutorial to get the proper idb file:
1) Get yourself a copy of IDA PRO (v6.1 or later)
2) Download your car flash file
3) Download cpu code (me7.5 cpu code is attached to this topic)
4) Use prj's autoit script from http://nefariousmotorsports.com/forum/index.php?topic=2431.0title= (http://nefariousmotorsports.com/forum/index.php?topic=2431.0title=) to help with the preparation (First time it asks for file use cpu.bin, second time - actual flash). If for some reason prj's script doesn't work, you can try my update (for me didn't work some of the alt+xxx commands so i've just recorded mouse clicks instead - loadbin.exe).
5) After script is finished (code is analyzed & cleanup performed) try to get similar flash file in OLS or other complete definition format and do whole procedure again
6) Now it gets tricky... that's when this topic comes in :)
6a) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27875#msg27875 (http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27875#msg27875)
6b) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27866#msg27866 (http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27866#msg27866)
6c) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27862#msg27862 (http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27862#msg27862)
Also I have uploaded disassembled 4B0906018DC_ME7.5_Bosch_362358_VW_B5.5_-_(Original)-v00.idb:
http://www.sendspace.com/file/zf40l0 (http://www.sendspace.com/file/zf40l0)
& 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb:
http://www.sendspace.com/file/9bqold (http://www.sendspace.com/file/9bqold)
& 4Z7907551R__ME7.1.1_Bosch__Audi_2.7T_-_(Original)-v00.idb:
http://www.sendspace.com/file/k59059 (http://www.sendspace.com/file/k59059)
if anyone needs them (definition files are here: http://nefariousmotorsports.com/forum/index.php?topic=2847.msg27312#msg27312 (http://nefariousmotorsports.com/forum/index.php?topic=2847.msg27312#msg27312)) :)
ADDED Q67121-C946.pdf (C167CR datasheet)
ADDED: c166ism.pdf (mostly C166 family instructions, very good resource!)
ATM this is all I have, just started to do the asm and those are my first idb files :))
Title: Re: First disassemble - questions
Post by: masterj on November 19, 2012, 11:17:26 AM
So i wanted to ask this first question:
When i look at the PROKONAL bits of known binary I see that IDA works in 16bit mode, because it shows only every second address (segment003) 18194, 18196, 18198... Is it possible to change some settings so I could see every single address in 8bit mode? 18194, 18195, 18196, 18197...
In 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb @ 18194 there's CDAGR map and @ 18196 CDATR. How can I see 18195 (CDAGRL)?
Also can someone post a basic routine on how to identify these PROKONAL maps in other files by using this file as a reference?
Title: Re: First disassemble - questions
Post by: phila_dot on November 19, 2012, 12:06:45 PM
Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.
The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as the are set, not bitwise but by hex value.
Title: Re: First disassemble - questions
Post by: masterj on November 19, 2012, 01:37:44 PM
Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.
The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as the are set, not bitwise but by hex value.
Thank you :) I'll try to analyze data now
Title: Re: First disassemble - questions
Post by: masterj on November 19, 2012, 02:14:56 PM
So to check if i understood stuff: in 0xxxHN i see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?
Not sure about:
181c3 (nsw01) & 181c4 (nsw02) because i don't see XREFs.
Also could you explain a little bit about why everytime i click on address value (for example 181C2 = 4) I get sent to seg003:0004?
I KNOW I KNOW I AM NOOB AT ASM
Title: Re: First disassemble - questions
Post by: phila_dot on November 19, 2012, 02:50:48 PM
So to check if i understood stuff: in 0xxxHN i see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?
Not sure about:
181c3 (nsw01) & 181c4 (nsw02) because i don't see XREFs.
Also could you explain a little bit about why everytime i click on address value (for example 181C2 = 4) I get sent to seg003:0004?
I KNOW I KNOW I AM NOOB AT ASM
Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered. IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.
Title: Re: First disassemble - questions
Post by: masterj on November 19, 2012, 03:04:57 PM
Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered.
IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.
I think I have all the code disassembled (used code analysis on whole segment003 - flash part). CPU took some sweet time going through every line of asm to show everything
Title: Re: First disassemble - questions
Post by: phila_dot on November 19, 2012, 04:18:32 PM
There are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develope a feel for how to find these.
If there is no reference direct or indirect, then obviously it isn't used.
I have only seen the PROKONAL codewords directly referenced.
Title: Re: First disassemble - questions
Post by: masterj on November 19, 2012, 04:35:20 PM
The are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develope a feel for how to find these.
Ok those prokonal maps in 181xx im pretty sure figured out :) easy when you can just jump to any ref :) now a little harder map is WESSOT...
Title: Re: First disassemble - questions
Post by: masterj on November 21, 2012, 03:57:11 PM
How do we find axis in disassemble? For example by looking at the winols hex dump I see some axis @ 181c7. But when i open dissasembled bin I see no xrefs or anything:
seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h ; @
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh ; _
his part supposed to be axis, but how do we look which maps access this axis? :o
Title: Re: First disassemble - questions
Post by: prj on November 21, 2012, 04:05:50 PM
Figure out what page it is.
After that 0xpage * 0x4000 you get a number which is segment start loc.
Subtract the number from the address you think the axis starts.
After that alt+b, swap high and low and search for the exact bytes.
Look up those locations, one of them will be what you are looking for (the map access).
You see, the map routines often take both the offset and the page number as arguments.
So there is no direct reference, as they are combined later, and IDA can not parse this.
Title: Re: First disassemble - questions
Post by: matchew on November 21, 2012, 07:49:45 PM
How do we find axis in disassemble? For example by looking at the winols hex dump I see some axis @ 181c7. But when i open dissasembled bin I see no xrefs or anything:
seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h ; @
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh ; _
his part supposed to be axis, but how do we look which maps access this axis? :o
You tried to disassemble the axis to a map? seriously what did you expect to find? What you are trying to learn here can not be picked up in a couple sessions of asking random questions.
Title: Re: First disassemble - questions
Post by: jooo on November 21, 2012, 08:01:47 PM
You tried to disassemble the axis to a map? seriously what did you expect to find? What you are trying to learn here can not be picked up in a couple sessions of asking random questions.
Well, If you think for one more sec you understand that he is questioning why there is no CODE xref on the first line where the axis begin. Which for a beginner might not be easy to understand. Though I agree with you that learning disassembly/reverseeng is not done in hours or weeks. It takes months or even years if you've not done coding in assembly before and has no sense of programming.
Title: Re: First disassemble - questions
Post by: Bische on November 21, 2012, 08:41:28 PM
As a total beginner to disassembly, reading machine code is a very steep stair to try to climb, no doubt. I have been trying to grasp some basics by reading the information on here over and over, now after a couple of weeks I think I have gotten as far as setting up my file correctly.
Alot of my questions were answered just by watching the script setting up the CPU ROM with the rest of the readout, I really want to thank prj for sharing his script as this has saved me alot of time. I attached a screenshot of where im at now.
Now im going to tattoo the C167 manual on the inside of my eyelids and start staring at the code, I really want to learn how to do this. I have started to look a little bit at trying to follow init -> KRKTE as of now.
Title: Re: First disassemble - questions
Post by: masterj on November 22, 2012, 10:36:27 AM
Thank you all for your comments:) I know that to learn asm is long process but i'm starting to get sense of this all, although only basic stuff, like to check if my map definition is correct or not by xrefing maps from similar known ols basically i understand that on the code part of asm they should be very similar in mnemonic instructions Like (known ols): seg003:748AA cmpb rl4, unk_81958A
seg003:748AE jmpr cc_C, loc_8748B6
seg003:748B0 movb rl5, #8
seg003:748B2 orb byte_A1E4, rl5
seg003:748B6
seg003:748B6 loc_8748B6: ; CODE XREF: sub_87422C+682�j
seg003:748B6 jnb word_FD72.11, loc_8748BC
seg003:748BA jmpr cc_UC, loc_8748D2 and (unknown bin) seg003:7350C cmpb rl4, byte_819596
seg003:73510 jmpr cc_C, loc_873518
seg003:73512 movb rl5, #8
seg003:73514 orb byte_A27C, rl5
seg003:73518
seg003:73518 loc_873518: ; CODE XREF: sub_872EAC+664�j
seg003:73518 jnb word_FD6E.7, loc_87351E
seg003:7351C jmpr cc_UC, loc_873534 Are similar to my eyes and I now think that map in second binary is correctly defined.. BTW: is there a way to search binary with mnemonic code sequences instead of hex and in selected area only (for example seg003:70000-seg003:80000)?
Title: Re: First disassemble - questions
Post by: phila_dot on November 22, 2012, 01:31:40 PM
How do we find axis in disassemble? For example by looking at the winols hex dump I see some axis @ 181c7. But when i open dissasembled bin I see no xrefs or anything:
seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h ; @
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh ; _
his part supposed to be axis, but how do we look which maps access this axis? :o
Alt + t -> 1C7h -> show all occurences
Title: Re: First disassemble - questions
Post by: phila_dot on November 22, 2012, 01:33:28 PM
As a total beginner to disassembly, reading machine code is a very steep stair to try to climb, no doubt. I have been trying to grasp some basics by reading the information on here over and over, now after a couple of weeks I think I have gotten as far as setting up my file correctly.
Alot of my questions were answered just by watching the script setting up the CPU ROM with the rest of the readout, I really want to thank prj for sharing his script as this has saved me alot of time. I attached a screenshot of where im at now.
Now im going to tattoo the C167 manual on the inside of my eyelids and start staring at the code, I really want to learn how to do this. I have started to look a little bit at trying to follow init -> KRKTE as of now.
Set your DPP's.
Title: Re: First disassemble - questions
Post by: masterj on November 22, 2012, 01:49:30 PM
Alt + t -> 1C7h -> show all occurences
ida doesn't find any occurences...
Title: Re: First disassemble - questions
Post by: phila_dot on November 22, 2012, 02:03:38 PM
ida doesn't find any occurences...
Look at the hex, is there an axis length defined before the axis? The lookup method will determine how the axis is referenced, if it's even used.
Title: Re: First disassemble - questions
Post by: masterj on November 22, 2012, 03:30:58 PM
Look at the hex, is there an axis length defined before the axis?
The lookup method will determine how the axis is referenced, if it's even used.
Yes, there's 0A -> 10
Title: Re: First disassemble - questions
Post by: phila_dot on November 22, 2012, 04:23:25 PM
Yes, there's 0A -> 10
X axis only? X and y axis? Does it preceed a map? Search as above for the first address.
Title: Re: First disassemble - questions
Post by: masterj on November 22, 2012, 05:52:23 PM
X axis only? X and y axis? Does it preceed a map?
Search as above for the first address.
Here's whole axis in asm (including the size in front): seg003:181C6 db 0Ah
seg003:181C6 ; End of function sub_8175B8
seg003:181C6
seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh The map does not precede after this axis. It goes like this: END OF PROKONAL MAPS > 0A 0A 17 29 40 54 6B 80 A3 CC FE > other axes without maps. It is one of those shared between different maps axes i think, like in the beginning area of flash 010000.
Title: Re: First disassemble - questions
Post by: matchew on November 22, 2012, 06:21:53 PM
Axis description is at 0x181C6 and is referenced at 0x9D628. This is only an axis for the table found at 0x19FE0.
Title: Re: First disassemble - questions
Post by: masterj on November 23, 2012, 01:49:21 AM
Axis description is at 0x181C6 and is referenced at 0x9D628. This is only an axis for the table found at 0x19FE0.
thank you, matchew. could you tell me steps (with this example) you did to find it? I mean I know that axis description is at 0x181C6, but how did you found out about reference to this axis?
Title: Re: First disassemble - questions
Post by: prj on November 23, 2012, 02:17:46 AM
Look at the code and you will have the answer. It's right there staring at you :)
Title: Re: First disassemble - questions
Post by: Bische on November 23, 2012, 10:57:53 AM
Set your DPP's.
Thanks /senseibow
Title: Re: First disassemble - questions
Post by: masterj on November 23, 2012, 12:22:11 PM
Look at the code and you will have the answer. It's right there staring at you :)
hehe :) Ok, so let's try this again: if I see no xref in ida, my very first step should be search for text with the last 3 digits from axis/"unknown" map address? For example at the moment I'm trying to check if i have correctly defined ZATMIKML, but this is first map that has no xref set by ida (both in known ols bin and also in my definition). This map is @ 1D748 in known ols. It is 16bit and size of 7x1 :) seg003:1D748 db 1Fh
seg003:1D749 db 5
seg003:1D74A db 50h ; P
seg003:1D74B db 6
seg003:1D74C db 89h ; ē
seg003:1D74D db 8
seg003:1D74E db 0CCh ; _
seg003:1D74F db 0Ch
seg003:1D750 db 3
seg003:1D751 db 17h
seg003:1D752 db 0ABh ; ½
seg003:1D753 db 2Ah ; *
seg003:1D754 db 33h ; 3
seg003:1D755 db 33h ; 3 So I'm thinking that first I should convert it to dw? This is what I get: seg003:1D748 dw 51Fh
seg003:1D74A dw 650h
seg003:1D74C dw 889h
seg003:1D74E dw 0CCCh
seg003:1D750 dw 1703h
seg003:1D752 dw 2AABh
seg003:1D754 dw 3333h Should I search alt+t > 748h?
Title: Re: First disassemble - questions
Post by: prj on November 23, 2012, 02:34:33 PM
No point to convert it.
You can take the page number where it occurs, subtract it from it (like I detailed before) and then search for the bytes that are left.
I would use alt+b, it's quicker.
This should yield the map access routine... I already told you everything in the first reply on how to find the map access. If you read this, then you will figure it out.
Title: Re: First disassemble - questions
Post by: masterj on November 23, 2012, 02:51:48 PM
No point to convert it.
You can take the page number where it occurs, subtract it from it (like I detailed before) and then search for the bytes that are left.
I would use alt+b, it's quicker.
This should yield the map access routine... I already told you everything in the first reply on how to find the map access. If you read this, then you will figure it out.
Thank you, then one last thing I want to ask today: how do you find out page number? ??? Is there somewhere post on nefmoto maybe on that subject?
Title: Re: First disassemble - questions
Post by: rajivc666 on November 23, 2012, 03:35:39 PM
Its unlikely you will find this map, it is one of those multiple maps which are conditionally accessed depending on RAM variables , You can get the location where this map is accessed using the axis of the map which will be shared by some other maps, why dont you choose some simpler maps to begin with like kfzw etc.
Edit: The above is valid only for the HN and not 4B0906018DC, in which it is quite straight forward.
Title: Re: First disassemble - questions
Post by: prj on November 24, 2012, 06:05:29 AM
Thank you, then one last thing I want to ask today: how do you find out page number? ??? Is there somewhere post on nefmoto maybe on that subject?
I recommend reading the C166 user's manual and how memory addressing works in the processor. It is explained very well there.
Title: Re: First disassemble - questions
Post by: masterj on November 24, 2012, 04:36:28 PM
OK some progress here... I've started to look for shared axis of these maps I've asked earlier (because it should be shared by them all). This helped me to find it: axis_addr -(1or2) - (206h * 4000h) = search text This is what I have found: seg003:352E8 mov r12, #2BDAh
seg003:352EC mov r13, #206h
seg003:352F0 mov r14, word_F9B6
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960
seg003:352FC calls 83h, sub_833B94
seg003:35300 extp #0E1h, #1 ; 'ß'
seg003:35304 mov word_384960, r4 Here's how I analyzed this so far: seg003:352E8 mov r12, #2BDAh Points to 1ABDA (axis description address, because 206h * 4000h + 2BDAh = 81ABDAh) seg003:352EC mov r13, #206h Just points us out to use 206h in equation seg003:352F0 mov r14, word_F9B6
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960
seg003:352FC calls 83h, sub_833B94
seg003:35300 extp #0E1h, #1 ; 'ß'
seg003:35304 mov word_384960, r4 Now these give me hard time... Please suggest me, if I need to further follow to 833B94 address to know which maps access this shared axis? what info r14 and r15 stores here? What does r4 store - maybe variable that comes out from this axis?
Title: Re: First disassemble - questions
Post by: rajivc666 on November 25, 2012, 11:00:02 AM
yes thats right , r4 contains the factor and the location with respect to axis.
EX . say rpm axis is 1000 1200 1600 2000 2500 for example , and the rpm is say 1850 for simplicity
( which is passed on by the code in this example if the axis is rpm related is mov r14,NMOT(f9b6).....)
so on return rh4 (or rl4 i dont remember offhand) will contain say 3 (or 2 if starting from zero , i dont remeber that aslo as I had reversed it long time bck) because 1850 comes between 3rd (1600) and 4th (2000) , and rl4 will contain a factor something like (1850-1600) / (1600-2000) . so this is stored into ram 348490 from r4. Similarly the other axis (say the load axis in case of kfzw map) will also be stored in some other ram area. So when its time to lookup the main map say kfzw these two variables are passed to the subroutine along with the start address of the map like kfzw and also the dimension of one of these axis like in kfzw the size of the load map (rl) is given. so say if the size of the map is say 10 X 16 . so subroutine knows one side of the map is 10 so using this and other varibles it can look up the table. This is done because similar axes are shared by many maps so the ecu doesnot have to find the axis every time.
Title: Re: First disassemble - questions
Post by: masterj on November 25, 2012, 04:31:00 PM
yes thats right , r4 contains the factor and the location with respect to axis.
EX . say rpm axis is 1000 1200 1600 2000 2500 for example , and the rpm is say 1850 for simplicity
( which is passed on by the code in this example if the axis is rpm related is mov r14,NMOT(f9b6).....)
so on return rh4 (or rl4 i dont remember offhand) will contain say 3 (or 2 if starting from zero , i dont remeber that aslo as I had reversed it long time bck) because 1850 comes between 3rd (1600) and 4th (2000) , and rl4 will contain a factor something like (1850-1600) / (1600-2000) . so this is stored into ram 348490 from r4. Similarly the other axis (say the load axis in case of kfzw map) will also be stored in some other ram area. So when its time to lookup the main map say kfzw these two variables are passed to the subroutine along with the start address of the map like kfzw and also the dimension of one of these axis like in kfzw the size of the load map (rl) is given. so say if the size of the map is say 10 X 16 . so subroutine knows one side of the map is 10 so using this and other varibles it can look up the table. This is done because similar axes are shared by many maps so the ecu doesnot have to find the axis every time.
Wow, a lot of info :) Thanks! So with this I have updated some comments on this block: seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
seg003:352EC mov r13, #206h ; use 206h in equation
seg003:352F0 mov r14, word_F9B6 ; type of axis variable?
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960
seg003:352FC calls 83h, sub_833B94
seg003:35300 extp #0E1h, #1 ; 'ß'
seg003:35304 mov word_384960, r4 ; location and factor of axis variable Now before going any further I have to ask you, how do you know what type of variable it is for example word_F9B6? Also If the RAM variable holds the offset and factor of current value of axis variable, then how can I know factor for example? By looking at the RAM address I see only: RAM:384960 word_384960: ds 2 Actual factor for this axis should be 0.100000 (decimal)...
Title: Re: First disassemble - questions
Post by: jooo on November 25, 2012, 05:36:16 PM
Also If the RAM variable holds the offset and factor of current value of axis variable, then how can I know factor for example? By looking at the RAM address I see only: RAM:384960 word_384960: ds 2 Actual factor for this axis should be 0.100000 (decimal)... How would you know what the ram adress contains without tracing code or logging it? I assume you didn't import a ram dump into IDA. edit: know what not know that
Title: Re: First disassemble - questions
Post by: masterj on November 25, 2012, 06:34:57 PM
Some progress on reversing subroutine that prepares axis value... seg003:33B94
seg003:33B94 sub_833B94: ; CODE XREF: sub_835114+1C8�P
seg003:33B94 ; sub_835114+1E8�P ...
seg003:33B94 extp r13, #1
seg003:33B96 mov r4, [r12+] ; axis first cell (+2 from r12) to r4
seg003:33B98 mov r1, r12 ; axis desc to r1
seg003:33B9A mov r2, r12 ; axis desc to r2
seg003:33B9C shr r15, #8 ; shift RAM val right by 8
seg003:33B9E shl r15, #1 ; shift RAM val left by 1
seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifter RAM val)
seg003:33BA2 extp r13, #1
seg003:33BA4 cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
seg003:33BA6 jmpr cc_C, loc_833BE8 Help needed to understand these: seg003:33B9C shr r15, #8 ; shift RAM val right by 8
seg003:33B9E shl r15, #1 ; shift RAM val left by 1
seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifter RAM val) Am I correct? Also I don't get the comparisson between r14 and [r1+]: seg003:33BA4 cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)??? BTW: r14 -> word_F9B6 (IRAM? What type of data this section holds?)
Title: Re: First disassemble - questions
Post by: jooo on November 25, 2012, 07:12:36 PM
Help needed to understand these: seg003:33B9C shr r15, #8 ; shift RAM val right by 8
seg003:33B9E shl r15, #1 ; shift RAM val left by 1
seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifter RAM val) shr #8 = divide by 256 (shr #1 =divide by 2 and shr #8 = divide by (2*2*2*2*2*2*2*2) shl #1 = multiply by 2 http://en.wikipedia.org/wiki/Bitwise_operation
Title: Re: First disassemble - questions
Post by: masterj on November 25, 2012, 07:21:10 PM
shr #8 = divide by 256 (shr #1 =divide by 2 and shr #8 = divide by (2*2*2*2*2*2*2*2)
shl #1 = multiply by 2
http://en.wikipedia.org/wiki/Bitwise_operation
Oh, Ok point taken. But why they use two instructions instead of one? Like shr #7 would be enough, no? ??? I'm still not understanding why do these operations on RAM value that holds the axis variable offset... Updated info: sub_833B94:
extp r13, #1
mov r4, [r12+] ; axis first cell (+2 from r12) to r4
mov r1, r12 ; axis desc to r1
mov r2, r12 ; axis desc to r2
shr r15, #8 ; divide RAM val by 256 (2^8)
shl r15, #1 ; multiply RAM val by 2 (2^1)
add r1, r15 ; set offset of current variable value??? (axis desc addr + divided/multiplied RAM val)
extp r13, #1
cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
Title: Re: First disassemble - questions
Post by: jooo on November 25, 2012, 07:43:45 PM
...
edit: faulty remark. was too tired
Title: Re: First disassemble - questions
Post by: locon on November 26, 2012, 08:24:48 AM
Like shr #7 would be enough, no? ???
With shr #8 get high byte of the word (ex. offset). With shl #1 get the offset value (in words) on the axis. To "C" are two different instructions and the compiler translate them in two instructions.
Title: Re: First disassemble - questions
Post by: masterj on November 26, 2012, 08:45:35 AM
With shr #8 get high byte of the word (ex. offset). With shl #1 get the offset value (in words) on the axis. To "C" are two different instructions and the compiler translate them in two instructions.
so it basically takes byte from r15 and converts res back to word? that would finally make sense
Title: Re: First disassemble - questions
Post by: masterj on November 26, 2012, 04:27:14 PM
So progress again: sub_833B94:
extp r13, #1
mov r4, [r12+] ; axis first cell (+2 from r12) to r4
mov r1, r12 ; axis desc to r1
mov r2, r12 ; axis desc to r2
shr r15, #8 ; get high byte of r15 (offset)
shl r15, #1 ; convert r15 to word (16bit)
add r1, r15 ; set current axis cell
extp r13, #1
cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE Basically I understand everything up to the cmp point, where r14 is compared to [r1+]. r14 holds word_F9B6. word_F9B6 is set in IRAM segment. What kind of data it actually holds? I understand is that r14 is compared to (data inside word_F9B6 + 2). Am I correct? Any ideas on what type of data is in IRAM?
Title: Re: First disassemble - questions
Post by: rajivc666 on November 26, 2012, 08:58:54 PM
So progress again: sub_833B94:
extp r13, #1
mov r4, [r12+] ; transfer memory location r12(size of axis) to r4 then increase r12 by 2
mov r1, r12 ; transfer to r1 the memory address of the first data location in axis
mov r2, r12 ; transfer to r2 the memory address of the first data location in axis
shr r15, #8 ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
shl r15, #1 ; double the location info since the datais word type and not byte(16 bit)
add r1, r15 ;after this r1 holds memory address of lower of the axis value which was used to interpolate last time.
extp r13, #1
cmp r14, [r1+] ;This comparison is done so that in the subsequent instructions it is checked if the current value of word_F9B6 is more or less than the extreme values of the axis , if more then rh4 will contain relative location of the higest value of axis and rl4 will be zero and exit subroutine and if less than the least value of axis then in this subroutine zero is assigned to r4 or (in other words the least value of axis will be taken) and exit subroutine
jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 11:01:03 AM
So progress again: sub_833B94:
extp r13, #1
mov r4, [r12+] ; transfer memory location r12(size of axis) to r4 then increase r12 by 2
mov r1, r12 ; transfer to r1 the memory address of the first data location in axis
mov r2, r12 ; transfer to r2 the memory address of the first data location in axis
shr r15, #8 ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
shl r15, #1 ; double the location info since the datais word type and not byte(16 bit)
add r1, r15 ;after this r1 holds memory address of lower of the axis value which was used to interpolate last time.
extp r13, #1
cmp r14, [r1+] ;This comparison is done so that in the subsequent instructions it is checked if the current value of word_F9B6 is more or less than the extreme values of the axis , if more then rh4 will contain relative location of the higest value of axis and rl4 will be zero and exit subroutine and if less than the least value of axis then in this subroutine zero is assigned to r4 or (in other words the least value of axis will be taken) and exit subroutine
jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
Thank you, so jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE checks for set carrier bit (which is set when [r1+] < r14) and by that jumps to 833BE8, else just goes to the next line, right? Hm... So this sub will not help me to find which maps shares this specific axis? :o Because All I see here is that this sub prepares data by limiting current axis value, there is no ref to maps at all....
Title: Re: First disassemble - questions
Post by: rajivc666 on November 27, 2012, 11:06:07 AM
N0. If thats what you want then just press "x" after clicking on word_384960.
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 11:25:55 AM
N0. If thats what you want then just press "x" after clicking on word_384960.
oh man, so i was trying so hard to do wrong thing :) well, any thing I have learned is always useful. So now when I see xrefs to this word, I have tried to open few locations and basically it always goes like this: word is moved to r14 and after that always there's subroutine called. Is every single subroutine linked to different map addresses that uses axis from word?
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 11:26:44 AM
call sub_833B94 is a function call.
r15 is a function call parameter.
i.e.
function(.., blah, ...) in assembly
is
mov r15, blah
call function
here, function() is a map lookup, and r15 is loaded with the map address before calling the function.
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 11:28:10 AM
The problem here is that you don't really understand how a compiler works (yet)
i.e. how does a compiler convert a function call and a function implementation into assembly.
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 11:42:50 AM
The problem here is that you don't really understand how a compiler works (yet)
i.e. how does a compiler convert a function call and a function implementation into assembly.
I'm trying my best to understand this... Ok, so rxx are input variables to functions (that are called subroutines in asm). Now, I have calculated axis address that is set as r12 input variable (axis size addr - 206h * 4000h) of lookup function. My next step is to xref variable in r15 and find every function that uses this variable in its input, right? And one of those functions should be the one that outputs map address based on axis addres (using word_384960 for example)? P.S> by xrefing word_384960 I have found 3 other functions that are using same variable as input: sub_8343D2:
mov r3, r14
movbz r2, rh3
add r12, r2
extp r13, #1
movb rl4, [r12+]
movbs r4, rl4
shl r14, #8
shr r14, #1
jmpr cc_Z, locret_8343F6 sub_834370:
mov r3, r14
movbz r2, rh3
add r12, r2
extp r13, #1
movb rl4, [r12+]
movbz r4, rl4
shl r14, #8
shr r14, #1 sub_8343F8:
mov r3, r14
movbz r2, rh3
shl r2, #1
add r12, r2
extp r13, #1
mov r4, [r12+]
shl r14, #8
jmpr cc_Z, locret_834428
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 12:18:33 PM
You've got the right idea about function calls now.
However, I don't think there is a generalized function that outputs a map address based on an axis address, since there is no constant want to determine map address based on only the axis address.
You'll have to be more specific about what you are looking for (I couldn't really tell from the rest of your posts in the thread)
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 12:42:34 PM
You've got the right idea about function calls now.
However, I don't think there is a generalized function that outputs a map address based on an axis address, since there is no constant want to determine map address based on only the axis address.
You'll have to be more specific about what you are looking for (I couldn't really tell from the rest of your posts in the thread)
Could you give me example of workflow how can I find map(s) that share known axis? For example I see axis start in my bin (4xxxxxxxDC) @ 1ABDC. Axis size is defined @ 1ABDA (it is 16bit data so we have to get back by word). I do the 81ABDAh - 206h * 4000h and find 2BDAh. I searched for 2BDAh and found seg003:352E8 mov r12, #2BDAh This is input to lookup function.... seg003:352E0 extp #0E1h, #1 ; 'ß'
seg003:352E4 mov word_38495E, r4
seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
seg003:352EC mov r13, #206h ; use 206h in equation
seg003:352F0 mov r14, word_F9B6 ; type of axis variable
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960 ; x this input variable to find all functions that uses this variable
seg003:352FC calls 83h, sub_833B94
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 01:08:37 PM
Unfortunately, I'm a noob at disassembly. I'll shut up here and let people who know wtf they're doing answer.
However, if it was ME7.1, i'd just look at an existing map pack and search, and I wouldn't have to do any of that... I'm assuming that isn't an option in this case? Or maybe this is just an exercise for learning..
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 01:13:09 PM
Unfortunately, I'm a noob at disassembly. I'll shut up here and let people who know wtf they're doing answer.
However, if it was ME7.1, i'd just look at an existing map pack and search, and I wouldn't have to do any of that... I'm assuming that isn't an option in this case? Or maybe this is just an exercise for learning..
This is learning exercise + some things that aren't that easy to track via winols... for example if I ever need to change axis values I need to be 100% sure on what maps it will have effects and also I want to be 100% before I'm doing any map edits... So far I can verify my definitions for one byte maps by comparing known ols file and looking at the xref data. But I need to learn how to connect axis with map(s) and vise versa to be able to check defined one dimensional and two dimensional maps...
Title: Re: First disassemble - questions
Post by: phila_dot on November 27, 2012, 02:07:04 PM
The axis will be described differently depending on the lookup method, so there isn't one set way to xref them.
Find the axis in IDA and depending on how it is described will determine how you can xref it.
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 02:17:22 PM
The axis will be described differently depending on the lookup method, so there isn't one set way to xref them.
Find the axis in IDA and depending on how it is described will determine how you can xref it.
How to find out how axis is DESCRIBED? :o Here's axis in IDA: seg003:1ABDA dw 7 seg003:1ABDC dw 78h seg003:1ABDE dw 0C8h seg003:1ABE0 dw 1F4h seg003:1ABE2 dw 3E8h seg003:1ABE4 dw 5DCh seg003:1ABE6 dw 0BB8h seg003:1ABE8 dw 1194h
Title: Re: First disassemble - questions
Post by: matchew on November 27, 2012, 02:53:05 PM
How to find out how axis is DESCRIBED?
A reference line drawn on a graph from which you can measure from and find values.
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 04:35:49 PM
Holly cracks! I finally understand how to connect axis to map! For example I see axis start in my bin (4xxxxxxxDC) @ 1ABDC. Axis size is defined @ 1ABDA (it is 16bit data so we have to get back by word). I do the 81ABDAh - 206h * 4000h and find 2BDAh. I searched for 2BDAh and found seg003:352E8 mov r12, #2BDAh This is input to lookup function.... seg003:352E0 extp #0E1h, #1 ; 'ß'
seg003:352E4 mov word_38495E, r4
seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
seg003:352EC mov r13, #206h ; use 206h in equation
seg003:352F0 mov r14, word_F9B6 ; type of axis variable
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960 ; x this input variable to find all functions that uses this variable
seg003:352FC calls 83h, sub_833B94 Now I xref data that is in r15 and find a lot of locations. Next step is to check each and look at the r12 and r13. For example one instance: seg003:4F36A mov r12, #3B72h
seg003:4F36E mov r13, #206h
seg003:4F372 extp #0E1h, #1 ; 'ß'
seg003:4F376 mov r14, word_384960
seg003:4F37A calls 83h, sub_8343F8 r12 holds the map address and r13 holds the multiplier for 4000h, so to reverse it we go like this: 3B72h + 206h * 4000h = 81BB72So one of the maps is @ 1BB72!!! Also, what I do now is rename the first function to something like MAP_LOCATOR_SUB_833B94 to easily see it next time i look for axis :)
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 04:56:03 PM
So final result of my search is this:
Axis @ 1ABDC is shared by:
1BB72
1BB2C
1BB56
1BB3A
1BB64
1BB48
1BB80
1BB1E
1843D
1844E
18455
18444
A lot of maps, huh? :)
Now I need help in getting the factor and offset for axis... how to look for them? Any ideas?
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 05:32:56 PM
3B72h + 206h * 4000h = 81BB72
Btw you should get used to writing that like so: (206h << 14) | 3b72h
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 05:36:27 PM
Now other thing I have noticed is for axes that have data xref. For example TVUB. Axis is here: seg003:13EB0 unk_813EB0: db 5 ; DATA XREF: sub_865E8C+58�r
seg003:13EB1 db 71h ; q
seg003:13EB2 db 8Eh
seg003:13EB3 db 0AAh ; ¬
seg003:13EB3 ; END OF FUNCTION CHUNK FOR sub_813CE2
seg003:13EB4 db 0C7h ; Ū
seg003:13EB5 db 0E3h ; Ń As you can see axis size is defined @ 13EB0 and it has direct xref which makes it extra easy :) All we have to do is double click the sub_865E8C+58�r. seg003:65EDC extp #0E1h, #1 ; 'ß'
seg003:65EE0 mov word_384A92, r4
seg003:65EE4 movbz r12, unk_813EB0
seg003:65EE8 mov r13, #3EB1h
seg003:65EEC mov r14, #3EB6h
seg003:65EF0 movbz r15, byte_38099C
seg003:65EF4 calls 0, sub_7B42 Now we look for r14, which holds address to the map (r13 I think holds first cell of axis, dunno why it is needed) :) One more thing: multiplier for 4000h can be 204h or 205h or 206h or 207h... 204h -> addr: 10000 : 14000 205h -> addr: 14000 : 18000 206h -> addr: 18000 : 1C000 207h -> addr: 1C000 : 20000 and so on....
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 05:42:38 PM
Now we look for r14, which holds address to the map (r13 I think holds first cell of axis, dunno why it is needed) :)
How else would the map lookup function know where the axis is?
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 05:49:34 PM
How else would the map lookup function know where the axis is?
ah well maybe you're right... I think i need to learn one more thing: all these subs can operate only on input rxx variables? there are no "global" variables in asm like in higher programming languages?
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 06:02:04 PM
Just attached to this topic c166ism.pdf - very good resource on instructions of assembly!
Title: Re: First disassemble - questions
Post by: masterj on November 27, 2012, 06:12:22 PM
Ok, I'm stuck on trying to get the factor and offset of axis values (that we put into winols to properly display numbers)... Let's take TVUB again: seg003:65EDC extp #0E1h, #1 ; 'ß'
seg003:65EE0 mov word_384A92, r4
seg003:65EE4 movbz r12, unk_813EB0
seg003:65EE8 mov r13, #3EB1h
seg003:65EEC mov r14, #3EB6h
seg003:65EF0 movbz r15, byte_38099C
seg003:65EF4 calls 0, sub_7B42
Axis offset: 0r4? r15? orther r? or should I just dive into sub_7B42 to look for it? How to get these numbers?
Title: Re: First disassemble - questions
Post by: nyet on November 27, 2012, 08:34:53 PM
ah well maybe you're right...
I think i need to learn one more thing: all these subs can operate only on input rxx variables? there are no "global" variables in asm like in higher programming languages?
Again, you should review what a compiler does :) For example, the c compiler/linker: Global variables (including static "globals") are placed in either the BSS or DATA section during the link stage, and a symbol is generated for each global variable. All references to that global variable are replaced by a reference to that memory location. When the program is first run, the BSS section is zeroed out (for globals that are initialized to zero). Initialized globals are in the DATA section. When the program is run, the DATA section is memcpy'd from the INITDATA subsection (typcally located in the read only TEXT section) Local variables are generally located in the stack. When a function is called, stack area is reserved for all local variables, and they are either initialized to zero or their "initial" value by direct asm instructions. Parameters are generally passed in registers (as you discovered) If there are too many parameters to pass by registers, typically the compiler will put them on the stack. Finally, if the function being called uses registers that it knows are in use by the caller, it typically saves those registers on the stack, does its thing with them, then restores those values from the stack before returning. BTW, those ME7 variables we log? They are ALL globals. They all exist in memory. If they were in registers we couldn't log them.
Title: Re: First disassemble - questions
Post by: masterj on November 28, 2012, 05:51:15 AM
Again, you should review what a compiler does :)
For example, the c compiler/linker:
Global variables (including static "globals") are placed in either the BSS or DATA section during the link stage, and a symbol is generated for each global variable.
All references to that global variable are replaced by a reference to that memory location.
When the program is first run, the BSS section is zeroed out (for globals that are initialized to zero). Initialized globals are in the DATA section. When the program is run, the DATA section is memcpy'd from the INITDATA subsection (typcally located in the read only TEXT section)
Local variables are generally located in the stack. When a function is called, stack area is reserved for all local variables, and they are either initialized to zero or their "initial" value by direct asm instructions.
Parameters are generally passed in registers (as you discovered)
If there are too many parameters to pass by registers, typically the compiler will put them on the stack.
Finally, if the function being called uses registers that it knows are in use by the caller, it typically saves those registers on the stack, does its thing with them, then restores those values from the stack before returning.
BTW, those ME7 variables we log? They are ALL globals. They all exist in memory. If they were in registers we couldn't log them.
Thanks for the info :)
Title: Re: First disassemble - questions
Post by: masterj on November 28, 2012, 08:15:25 AM
Added 4Z7907551R__ME7.1.1_Bosch__Audi_2.7T_-_(Original)-v00.idb
Need info on this specific file KFFWL_0_A map (@19093)... Since there is no XREF I've tried usual approach: 819093h - 206h * 4000h = 1093h and search for it. No results found whatsoever. What should be my next step here to find axes connected to this map? :)
Title: Re: First disassemble - questions
Post by: phila_dot on November 28, 2012, 08:52:59 AM
Added 4Z7907551R__ME7.1.1_Bosch__Audi_2.7T_-_(Original)-v00.idb
Need info on this specific file KFFWL_0_A map (@19093)... Since there is no XREF I've tried usual approach: 819093h - 206h * 4000h = 1093h and search for it. No results found whatsoever. What should be my next step here to find axes connected to this map? :)
You can try searching 093h. Is there anything unique around the map reference in the FR that you could reference? Is the map preceeded by the axis? Look in the data section for a direct reference to the axis or axis size maybe. Have you looked at the C167 user manual? Lots of good info there.
Title: Re: First disassemble - questions
Post by: matchew on November 28, 2012, 09:09:21 AM
There is no direct call for this map in code.
Title: Re: First disassemble - questions
Post by: rajivc666 on November 28, 2012, 09:19:17 AM
Ya these are one of those maps which are referenced to with register offsets. You can search for the axis of the map and if you are lucky you will find the map :)
Title: Re: First disassemble - questions
Post by: masterj on November 28, 2012, 06:51:03 PM
Ya these are one of those maps which are referenced to with register offsets. You can search for the axis of the map and if you are lucky you will find the map :)
What procedure do you normally go through to accomplish this task on these types of maps? Could you write for this specific file and this specific map, what would you do?
Title: Re: First disassemble - questions
Post by: phila_dot on November 28, 2012, 07:09:33 PM
What procedure do you normally go through to accomplish this task on these types of maps? Could you write for this specific file and this specific map, what would you do?
This map is referenced by a pointer. If you find the Stutzstellen then you can xref them to the map reference. If you search 093h like I stated earlier than you should find that hex directly referenced in the data section.
Title: Re: First disassemble - questions
Post by: masterj on November 28, 2012, 08:05:49 PM
This map is referenced by a pointer.
If you find the Stutzstellen then you can xref them to the map reference.
If you search 093h like I stated earlier than you should find that hex directly referenced in the data section.
Thanks, Philla_dot, can you elaborate on what is Stutzstellen? And how to find it?
Title: Re: First disassemble - questions
Post by: matchew on November 28, 2012, 08:10:24 PM
Thanks, Philla_dot, can you elaborate on what is Stutzstellen? And how to find it?
Google translate ::) how much bigger of a spoon do you need?
Title: Re: First disassemble - questions
Post by: masterj on December 03, 2012, 08:07:21 PM
Can someone tell me address of CLRSKA in 4.....DC bin? :o I've tried comparing XREFS with OLS I have but was unable to find similar subroutine...
Also, how do you search regex in multiline?
for example: mov(.)+\n(.)+add?
Title: Re: First disassemble - questions
Post by: masterj on December 11, 2012, 08:18:24 PM
Hi, fellow nefmotoers! Is there on nefmoto definition file for ME7.5 binary that has defined ESKONF bytes ? I mean full definition like: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV
4. BKV NC AAV MIL
5. NC NC EKP SLP
6. ULT EAGR SLV NWS I have found ESKONF on my file (4B...DC) @ 10D34, but without example file I can't compare bytes to know their order (IIRC Phila_dot said that it is different on each binary). I suspect that first 4 bytes are actually these: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV but the other bytes doesn't look like they're same as in FR
Title: Re: First disassemble - questions
Post by: phila_dot on December 12, 2012, 04:16:47 PM
The bit pairs are laid out the same in all of the 2.7t S4 binaries that I have looked at.
The other files that I have looked at are definitely not.
I have concluded that ESKONF in the S4 files is actually 13 bytes starting at 10C75.
Title: Re: First disassemble - questions
Post by: masterj on December 14, 2012, 02:19:03 AM
The bit pairs are laid out the same in all of the 2.7t S4 binaries that I have looked at.
The other files that I have looked at are definitely not.
I have concluded that ESKONF in the S4 files is actually 13 bytes starting at 10C75.
Are you sure about 10C75? :O I have S4 file (8D0907551G 360855) and it is fully defined. @ 10C75 it is GAFGRO map... Anyway, in my file where I think ESKONF is: 10D34: AA FF 00 30 FF F8 30 but just after this there's: 10D3B: AA FF 00 30 3F F8 30 . Both portions of hex looks like ESKONF, no? :o And If it is normally bigger that FR 7 bytes, then in my file it should be 14bytes... OR maybe there are two ESKONF versions? like ESKONF_0_A & ESKONF_1_A both in 7byte sizes?
Title: Re: First disassemble - questions
Post by: phila_dot on December 14, 2012, 06:15:47 AM
Are you sure about 10C75? :O I have S4 file (8D0907551G 360855) and it is fully defined. @ 10C75 it is GAFGRO map... Anyway, in my file where I think ESKONF is: 10D34: AA FF 00 30 FF F8 30 but just after this there's: 10D3B: AA FF 00 30 3F F8 30 . Both portions of hex looks like ESKONF, no? :o And If it is normally bigger that FR 7 bytes, then in my file it should be 14bytes... OR maybe there are two ESKONF versions? like ESKONF_0_A & ESKONF_1_A both in 7byte sizes? Ok...I wrote that post like an idiot. They are laid out the same, not all at the same location. M box is 10C75. What do you see in IDA? The AA FF's in yours are likely ZUE and EV.
Title: Re: First disassemble - questions
Post by: masterj on December 18, 2012, 06:13:30 PM
Ok...I wrote that post like an idiot. They are laid out the same, not all at the same location. M box is 10C75.
What do you see in IDA?
The AA FF's in yours are likely ZUE and EV.
Hi, philla! Yes I think that AA FF are first two bytes as in FR, but what about the other ones? Here's all I see in IDA: seg003:10D34 db 0AAh ; ¬
seg003:10D35 db 0FFh
seg003:10D36 db 0
seg003:10D37 db 30h ; 0
seg003:10D38 db 0FFh
seg003:10D39 db 0F8h ; °
seg003:10D3A db 30h ; 0
seg003:10D3B db 0AAh ; ¬
seg003:10D3C db 0FFh
seg003:10D3D db 0
seg003:10D3E db 30h ; 0
seg003:10D3F db 3Fh ; ?
seg003:10D40 db 0F8h ; °
seg003:10D41 db 30h ; 0 No direct references and also no indirect references with the method I know (810D35h - 204h * 4000h). Searched for D35h in text mode and no results either.... Please advise... Thanks
Title: Re: First disassemble - questions
Post by: Bische on February 07, 2013, 04:28:30 AM
Just wanted to take 10min to make a reply here and thank everyone for the info, I have begun to invest time in IDA pro now and I have now aquired enough understanding to find desired RAM variables for logging. :)
The more I stare at the code the better "feel" I get, also gaining alot of speed at the same time. I found the graph view really good also for getting a better/faster understanding of code flow. I have also bought the IDA pro unofficial guide book by Chris Eagle.
Here is a screenshot of my disassembly virgin taken, rkukg_w :)
Title: Re: First disassemble - questions
Post by: masterj on February 11, 2013, 11:31:43 AM
Peeps, I started getting B1S1 malfunction dtc... Can someone tell me which functions is responsible for this? Also readiness is not passed for oxygen sensors and evap. Any ideas? Oxygen sensor is brand new
Title: Re: First disassemble - questions
Post by: ddillenger on February 11, 2013, 11:34:57 AM
(kind of unrelated)
How are you checking readiness? It's been my experience that vcds reports PASSED for unsupported monitors. I've verified this with several scanners.
(end of OT)
Title: Re: First disassemble - questions
Post by: phila_dot on February 11, 2013, 12:17:40 PM
(kind of unrelated)
How are you checking readiness? It's been my experience that vcds reports PASSED for unsupported monitors. I've verified this with several scanners.
(end of OT)
Ready bit is automatically set for unsupported functions. You have to check evsup1 for supported/unsupported.
Title: Re: First disassemble - questions
Post by: catbed on February 11, 2013, 03:13:37 PM
Hi, fellow nefmotoers! Is there on nefmoto definition file for ME7.5 binary that has defined ESKONF bytes ? I mean full definition like: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV
4. BKV NC AAV MIL
5. NC NC EKP SLP
6. ULT EAGR SLV NWS I have found ESKONF on my file (4B...DC) @ 10D34, but without example file I can't compare bytes to know their order (IIRC Phila_dot said that it is different on each binary). I suspect that first 4 bytes are actually these: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV but the other bytes doesn't look like they're same as in FR My 018CH file follows the FR for bit pair locations, just not the same factory values. I know this because I have an OTS 630 bin with SLS and SLV changed in ESKONF. The bit pairs changed match the FR diagrams.
Title: Re: First disassemble - questions
Post by: catbed on February 11, 2013, 03:15:46 PM
Peeps, I started getting B1S1 malfunction dtc... Can someone tell me which functions is responsible for this? Also readiness is not passed for oxygen sensors and evap. Any ideas? Oxygen sensor is brand new
I also have this B1S1 Malfunction. I reverted ESKONF to before I removed post-cat o2 but the B1S1 malfunction DTC is still there. Sorry I am not much help with disassembly, baby steps lol.
Title: Re: First disassemble - questions
Post by: fever on March 15, 2013, 06:19:01 AM
Hi ! maybe someone could explain this a little please.
I am looking at AL/NLS posted on this forum and can't figure out something.
There is for example.
seg018:E808 exts #81h, #1 ; 'ь'
seg018:E80C mov r9, 7E00h ; 817E00h
(817E00h-7E00h)/4000h=204h
Why we set exts to #81h ? (so calculation will be 81h*10000h instead of 4000h)
How to calculate address right in this situation.
Many thanks!
Title: Re: First disassemble - questions
Post by: fever on March 18, 2013, 04:51:13 AM
Think i got it. Page and segment.
But why used exts vs extp?
Title: Re: First disassemble - questions
Post by: phila_dot on March 18, 2013, 05:11:06 AM
Just a different way to do it.
Doesn't make a difference, one way or the other.
Title: Re: First disassemble - questions
Post by: fever on March 18, 2013, 06:17:27 AM
Just a different way to do it.
Doesn't make a difference, one way or the other.
As i thought, thank you for clarify. =)
Title: Re: First disassemble - questions
Post by: Bische on March 26, 2013, 11:45:21 AM
I am defining the 8E0909518AK binary currently and got stuck on TEMIN/VA. I did load it up for disassembly to find the adresses and found something I would like to verify, here is the call for TEMIN/VA as it usually looks:
(http://img842.imageshack.us/img842/6/temin.jpg)
Here is it in the 518AK, TEMINVA lookup is a RAM location and TEMINVA is determined in another routine:
(http://img40.imageshack.us/img40/8143/temin2.jpg)
So according to my understanding, TEMINVA is a KL instead of a single and has tmot as axis?
Here is how I defined it:
(http://img822.imageshack.us/img822/484/temin3.jpg)
Here is a link to the .idb if anyone want to take a look: http://www.sendspace.com/file/fui178 (http://www.sendspace.com/file/fui178)
Title: Re: First disassemble - questions
Post by: jooo on March 29, 2013, 03:53:40 PM
How are input/outputs on 2nd C167 addressed? I need to find such code to identify a map.
Title: Re: First disassemble - questions
Post by: masterj on March 30, 2013, 02:56:50 AM
Can someone tell me how do you find out factor and offset of maps? Also need some info on workflow when address is not direct but through registers. Currentyl trying to find CWDMFAB map and in all bin files it was xrefed directly. Well my lucky bin was a little bit different and instead of direct xref I had to use regex to find reference to map. First I'll show usual bin: seg003:8C742 loc_88C742: ; CODE XREF: sub_88C672+52�j
seg003:8C742 mov r12, #1D8Dh
seg003:8C746 mov r13, #206h
seg003:8C74A movbz r14, byte_380A46
seg003:8C74E calls 82h, sub_825C30
seg003:8C752 extp #0E1h, #1 ; 'ß'
seg003:8C756 movb byte_3848DD, rl4
seg003:8C75A movb [r0], unk_81150D ;<--- CWDMFAB
seg003:8C75E mov r4, [r0]
seg003:8C760 bmov word_FD8C.6, r4.0
seg003:8C764 bmov word_FD8C.7, r4.1
seg003:8C768 bmov word_FD8C.8, r4.2
seg003:8C76C bmov word_FD8C.9, r4.3
seg003:8C770 bmov word_FD8C.10, r4.4
seg003:8C774 bmov word_FD8C.11, r4.5
seg003:8C778 bmov word_FD8C.12, r4.6
seg003:8C77C bmov word_FD8C.13, r4.7
seg003:8C780 add r0, #2
seg003:8C782 mov r8, [r0+]
seg003:8C784 mov r9, [r0+]
Now in my bin I found it like this: seg003:8AEF0 loc_88AEF0: ; CODE XREF: sub_88AE20+52�j
seg003:8AEF0 mov r12, #1FDEh
seg003:8AEF4 mov r13, #206h
seg003:8AEF8 movbz r14, tmot
seg003:8AEFC calls 83h, sub_833D44
seg003:8AF00 extp #0E1h, #1 ; 'ß'
seg003:8AF04 movb byte_3848D7, rl4
seg003:8AF08 movbz r4, byte_FA12
seg003:8AF0C movb rl5, [r4+63B8h] ; <--- [FA12 + 63B8h]
seg003:8AF10 movb [r0], rl5
seg003:8AF12 mov r4, [r0]
seg003:8AF14 bmov word_FD88.11, r4.0
seg003:8AF18 bmov word_FD88.12, r4.1
seg003:8AF1C bmov word_FD88.13, r4.2
seg003:8AF20 bmov word_FD88.14, r4.3
seg003:8AF24 bmov word_FD88.15, r4.4
seg003:8AF28 bmov word_FD8A.0, r4.5
seg003:8AF2C bmov word_FD8A.1, r4.6
seg003:8AF30 bmov word_FD8A.2, r4.7
seg003:8AF34 add r0, #2
seg003:8AF36 mov r8, [r0+]
seg003:8AF38 mov r9, [r0+]
seg003:8AF3A rets Next thing I did was xrefing byte_FA12 and looking for write. Found one @ 9F742: seg003:9F6D6 sub_89F6D6: ; CODE XREF: sub_89F514+1C�P
seg003:9F6D6 mov [-r0], r9
seg003:9F6D8 mov [-r0], r6
seg003:9F6DA mov r9, r12
seg003:9F6DC mov r6, r9
seg003:9F6DE shl r6, #2
seg003:9F6E0 add r6, r9
seg003:9F6E2 shl r6, #1
seg003:9F6E4 extp #20Ah, #2
seg003:9F6E8 movb rl4, [r6+5A8h]
seg003:9F6EC nop
seg003:9F6EE movb byte_FA0E, rl4
seg003:9F6F2 extp #20Ah, #2
seg003:9F6F6 movb rl5, [r6+5A9h]
seg003:9F6FA nop
seg003:9F6FC movb byte_FA10, rl5
seg003:9F700 extp #20Ah, #2
seg003:9F704 movb rl3, [r6+5AAh]
seg003:9F708 nop
seg003:9F70A movb byte_FA0F, rl3
seg003:9F70E extp #20Ah, #2
seg003:9F712 movb rl2, [r6+5ABh]
seg003:9F716 nop
seg003:9F718 movb byte_FA0C, rl2
seg003:9F71C extp #20Ah, #2
seg003:9F720 movb rl1, [r6+5ACh]
seg003:9F724 nop
seg003:9F726 movb byte_FA0D, rl1
seg003:9F72A extp #20Ah, #2
seg003:9F72E movb rl4, [r6+5ADh]
seg003:9F732 nop
seg003:9F734 movb byte_FA11, rl4
seg003:9F738 extp #20Ah, #2
seg003:9F73C movb rl4, [r6+5AEh]
seg003:9F740 nop
seg003:9F742 movb byte_FA12, rl4; <-- found write! Great. More redirections...
seg003:9F746 calls 89h, sub_89F5E4
seg003:9F74A calls 89h, sub_89F5F4
seg003:9F74E calls 89h, sub_89F604
seg003:9F752 calls 89h, sub_89F612
seg003:9F756 calls 89h, sub_89F622
seg003:9F75A calls 89h, sub_89F632
seg003:9F75E calls 89h, sub_89F642
seg003:9F762 calls 89h, sub_89F652
seg003:9F766 calls 89h, sub_89F662
seg003:9F76A calls 89h, sub_89F670
seg003:9F76E calls 89h, sub_89F680
seg003:9F772 calls 89h, sub_89F690
seg003:9F776 calls 89h, sub_89F6A0
seg003:9F77A calls 89h, sub_89F6B0
seg003:9F77E mov r6, [r0+]
seg003:9F780 mov r9, [r0+]
seg003:9F782 rets Next thing was to notice how rl4 is set (lower byte of word @ r4, because of l right?) seg003:9F738 extp #20Ah, #2
seg003:9F73C movb rl4, [r6+5AEh] Now we go few lines up and see how r6 is set: seg003:9F6DA mov r9, r12
seg003:9F6DC mov r6, r9
seg003:9F6DE shl r6, #2
seg003:9F6E0 add r6, r9
seg003:9F6E2 shl r6, #1 Now here I do not understand why it is shifting values here... Can someone explain shl operation? For now I xref this subroutine (because r12 is from outside). seg003:9F526 extp #0E1h, #1 ; 'ß'
seg003:9F52A mov word_384C78, r8
seg003:9F52E mov r12, r9
seg003:9F530 calls 89h, sub_89F6D6
seg003:9F534 mov r4, #1
seg003:9F536 jmpr cc_UC, loc_89F542; <-- call to our subroutine Basically r12 = r9. So next step is to turn graphical representation and find out that r9 is constant of 0. WTF? seg003:9F514 mov [-r0], r9
seg003:9F516 mov [-r0], r8
seg003:9F518 mov r8, r12
seg003:9F51A mov r9, #0 <--- WTF? Can someone explain where is my mistake?
Title: Re: First disassemble - questions
Post by: masterj on March 30, 2013, 12:05:44 PM
Thanks, phila_dot, for helping me out with this issue. It looks like I just had to use default 204h (204 * 4000) = 810000
10000 + 63B8 = 163B8
Voila.
Although, I'm still not sure why we ignore offset stored in FA12...
Title: Re: First disassemble - questions
Post by: Axis on April 09, 2013, 12:18:35 PM
How are input/outputs on 2nd C167 addressed? I need to find such code to identify a map.
Anyone care to help?
Title: Re: First disassemble - questions
Post by: MIL_on on January 23, 2014, 08:09:50 AM
Hi, i am also busy, disassembling a file for the first time. prj mentioned once " [...] ps_w gets converted to rl_w [...]". This happens in bgsrm-brl. While looking at it i always asked what happens to psagr_w in the files without external recirculation (attachment 1). So i picked this "little" function to be the first i wanted to follow in IDA. I think i've set everything correct while loading. After re-naming rl_w, ps_w and ml_w i tried to go backwards through searching all occurences of rl_w (attachment2). i thought the beste idea is to look through the only function which mov to rl_w instead "away" from it. sub_86138E:
seg003:0006138E movb rl4, #85h ; 'à'
seg003:00061392 movb rl, rl4
seg003:00061396 mov r4, #10AAh
seg003:0006139A mov rl_w, r4
seg003:0006139E mov r5, #10AAh
seg003:000613A2 mov word_381D8A, r5
seg003:000613A6 mov r2, #10AAh
seg003:000613AA extp #0E1h, #1 ; 'ß'
seg003:000613AE mov word_384A54, r2
seg003:000613B2 mov r3, #654Ch
seg003:000613B6 mov word_381D86, r3
seg003:000613BA mov r1, #543Dh
seg003:000613BE extp #0E1h, #1 ; 'ß'
seg003:000613C2 mov word_384A4A, r1
seg003:000613C6 mov r2, #543Dh
seg003:000613CA mov word_381D94, r2
seg003:000613CE mov r2, #800h
seg003:000613D2 extp #0E1h, #1 ; 'ß'
seg003:000613D6 mov word_384A4C, r2
seg003:000613DA rets
seg003:000613DA ; End of function sub_86138E
no xrefs found here. am i reading correct, that the value from #10AAh is loaded into r4 and from there into the RAM? by searching backwards for 10AAh or to look at location 150AA (using the equation: 205h*4000h+10AA = 8150AA) i found nothing that looked right :(. So how else can the subroutines be called? So, any hints for a beginner in assembler?
Title: Re: First disassemble - questions
Post by: terminator on January 28, 2014, 03:17:32 PM
solved
Title: Re: First disassemble - questions
Post by: dream3R on January 29, 2014, 05:47:03 AM
I'll try and answer some of the questions here, but I do find them hard to follow (English maybe).
Anyway, the only way I can see to calculate the factor and offset is by using mx=y+b equation for calculating engineering units? Anyone care to chime in?
Title: Re: First disassemble - questions
Post by: dream3R on January 29, 2014, 06:03:05 AM
Anyone care to help?
Inputs as in analogue or digital pins?
GGHFM: ; CODE XREF: INTERRUPT+40�P
seg017:628C push PSW
seg017:628E atomic #3
seg017:6290 or PSW, #0F000h
seg017:6294 nop
seg017:6296 mov r14, maf_reading4
seg017:629A mov r12, maf_reading3
seg017:629E mov r13, maf_reading2
seg017:62A2 mov maf_reading4, ZEROS
seg017:62A6 mov maf_reading2, ZEROS
seg017:62AA mov maf_reading3, ZEROS
seg017:62AE pop PSW
seg017:62B0 jb b_ehfm.1, loc_762BE
seg017:62B4 mov r12, maf_reading1
seg017:62B8 bset b_ehfm.1
seg017:62BA jmpa cc_UC, loc_762CE ; average
seg017:62BE ; ---------------------------------------------------------------------------
seg017:62BE
seg017:62BE loc_762BE: ; CODE XREF: GGHFM+24�j
seg017:62BE mov MDH, r12
seg017:62C2 mov MDL, r13
seg017:62C6 divl r14
seg017:62C8 mov r14, MDL
seg017:62CC mov r12, r14
seg017:62CE
seg017:62CE loc_762CE: ; CODE XREF: GGHFM+2E�j
seg017:62CE mov mlhfmm_w, r12 ; average
seg017:62D2 mov mshfmm_w, r12
seg017:62D6 mov r13, fkhfm
seg017:62DA mov r14, r12
seg017:62DC mov r12, #0
seg017:62DE mov r15, r14
seg017:62E0 jmpr cc_NN, loc_762E4
seg017:62E2 neg r15
seg017:62E4
seg017:62E4 loc_762E4: ; CODE XREF: GGHFM+54�j
seg017:62E4 mulu r15, r13
seg017:62E6 mov r15, MDH
seg017:62EA mov r12, r15
seg017:62EC and r15, #0C000h
seg017:62F0 jmpr cc_Z, loc_76302
seg017:62F2 mov r15, r14
seg017:62F4 jmpr cc_N, loc_762FC
seg017:62F6 mov r12, #7FFFh
seg017:62FA jmpr cc_UC, loc_76312
seg017:62FC ; ---------------------------------------------------------------------------
seg017:62FC
seg017:62FC loc_762FC: ; CODE XREF: GGHFM+68�j
seg017:62FC mov r12, #8000h
seg017:6300 jmpr cc_UC, loc_76312
seg017:6302 ; ---------------------------------------------------------------------------
seg017:6302
seg017:6302 loc_76302: ; CODE XREF: GGHFM+64�j
seg017:6302 shl r12, #1
seg017:6304 mov r15, MDL
seg017:6308 bmov r12.0, r15.15
seg017:630C mov r15, r14
seg017:630E jmpr cc_NN, loc_76312
seg017:6310 neg r12
seg017:6312
seg017:6312 loc_76312: ; CODE XREF: GGHFM+6E�j
seg017:6312 ; GGHFM+74�j ...
seg017:6312 mov r13, r12
seg017:6314 mov mshfm1_w, r12
seg017:6318 cmp r12, #0
seg017:631A jmpr cc_SGT, loc_76322
seg017:631C mov mshfm_w, ZEROS
seg017:6320 jmpr cc_UC, loc_76326
seg017:6322 ; ---------------------------------------------------------------------------
seg017:6322
seg017:6322 loc_76322: ; CODE XREF: GGHFM+8E�j
seg017:6322 mov mshfm_w, r12
seg017:6326
seg017:6326 loc_76326: ; CODE XREF: GGHFM+94�j
seg017:6326 cmp r12, MLMIN
seg017:632A jmpr cc_SGE, loc_76336
seg017:632C mov r12, MLMIN
seg017:6330 mov mshfms_w, r12
seg017:6334 rets
Above is my analysis of GGHFM where is calulates MAF reading from voltage, it might give some insight. I believe maf_readingx is voltage readings directly from the maf, read from the ECU pins. I can't find that code just now but unless I remember wrong that is what I saw. Here is another bit of code where the CPU pin ad6 is being read directly in-to the variable uulsuv_w, which iirc is the wideband O2 on my caR. AD6 is actually a RAM cell in this example. seg013:FF3E READ_CPU_PINS_sub_3FF3E: ; CODE XREF: READ_ADC+8�P
seg013:FF3E ; ONE_MS_INTERRUPT_READ_SENSORS+1E�P
seg013:FF3E mov r4, f_ad7
seg013:FF42 and r4, #3FFh
seg013:FF46 mov word_30094E, r4
seg013:FF4A mov r5, f_ad6
seg013:FF4E and r5, #3FFh
seg013:FF52 mov uulsuv_w, r5
seg013:FF56 rets
Title: Re: First disassemble - questions
Post by: terminator on January 29, 2014, 11:26:09 AM
The thread like a monolog now. People are only asking.
Title: Re: First disassemble - questions
Post by: TijnCU on December 19, 2016, 02:54:28 AM
How are input/outputs on 2nd C167 addressed? I need to find such code to identify a map.
I found inputs as ram and outputs as P#.# Could be the inputs come from a P#.# as well, but havent looked for further xrefs.
Title: Re: First disassemble - questions
Post by: elRey on February 19, 2017, 06:43:12 PM
Hello all, I'd like to multiply a word and a byte, specifically out put of KFLDRAPP and vstfva and cap at 100%. For testing I can use ldtvmd_word and vstfva and monitor the results before I decide to use it. I want vstfva byte to represent a 0% - 100% not 0% - 200%. So, if ldtvmd = 40% (i believe x66h) and vstfva = x80h (50% on a 0-100 scale), the result should be 20% (x33h). This will replace the addition of vsldtv_byte to output KFLDRAPP. I typically look for near exact examples of what I want to do and copy/paste/modify for what I need. However, I'm having a hard time finding an close example of to byte mulu where I can clearly understand the assign of MDH and MDL afterward. I'm confused with pulling out byte for the word results of the mulu. First part: mov r4, ldtvmd_word_382484
movbz r5, vstfva_ch03_byte_380AE4
mulu r5, r4
Problem I see here is the movbz of vstfva. If vstfva = xFFh, then movbz would make it xFF00h (99.61%) and not xFFFFh (100%). Or is this something I shouldn't worry about (close enough)? 2nd part: cmp MDH, #0FFh
jmpr cc_ULE, loc_84D8CA
mov MDH, #0FFh
Not sure this does what I think it does. I want to quickly check if it it should be (capped at) 100%. 3rd part: mov r5, word_FE0E
shr r5, #7
movb factored_ldtvmd_byte_380D86, rl5
I'm confused about this also. How do I get the word result into a byte? Thanks, Rey edit: just found this example: mov r4, #8Ch ; <- will use ldtvmd_word_382484 here
movbz r5, byte_38092F ; <- will use vstfva_ch03_byte_380AE4 here
mulu r5, r4
jmpr cc_V, loc_844DA2 ; <- checking Overflow
mov r2, word_FE0E
jmpr cc_UC, loc_844DA6
loc_844DA2:
mov r2, #0FFFFh ; <- FFFF is Overflow
loc_844DA6:
shr r2, #7
movb byte_383100, rl2
Title: Re: First disassemble - questions
Post by: nubcake on April 04, 2017, 10:30:58 AM
Once again a late reply from me, but, eh - better late, than never? See below. First part: mov r4, ldtvmd_word_382484
movbz r5, vstfva_ch03_byte_380AE4
mulu r5, r4
Problem I see here is the movbz of vstfva. If vstfva = xFFh, then movbz would make it xFF00h (99.61%) and not xFFFFh (100%). Or is this something I shouldn't worry about (close enough)? "movbz" extends the MSB, not LSB. Meaning "mobvz" to the word register will produce "00FFh" value or "FFh" in "rl x" and "00h" in "rh x". 2nd part: cmp MDH, #0FFh
jmpr cc_ULE, loc_84D8CA
mov MDH, #0FFh
Not sure this does what I think it does. I want to quickly check if it it should be (capped at) 100%. Just the check of result size, I believe. If multiplication got over 6 hex digits (if it makes sense). 3rd part: mov r5, word_FE0E
shr r5, #7
movb factored_ldtvmd_byte_380D86, rl5
I'm confused about this also. How do I get the word result into a byte? No way without losing accuracy, obviously. :) And that's what this snippet does: MDL to r5, divide r5 by 128 (shift right 7 times = divide by 2^7), moves the result into 380D86. Why the last bit is ignored - I dunno. Might be one of the initial values was signed and sign is irrelevant.
|