NefMoto

Technical => Reverse Engineering => Topic started by: vesko_hard on September 24, 2013, 01:15:20 AM



Title: C167 questions
Post by: vesko_hard on September 24, 2013, 01:15:20 AM
Hi ECU gurus :)

I have a problem with disassembling one unit. It is not an ECU, it's a navigation unit, but the CPU is a SAK C167 without internal flash.

It has two 29F400 flashes; all pins are in parallel, only the chip selects go to different lines of the CPU. The BOTTOM flash CS goes to P6.0/CS0 and the TOP flash goes to P6.3/CS3. The external RAM CS is connected to pin P6.1/CS1.
I need to know the proper address of the flash to load in IDA.

Here is the listing of the top flash when I load it at address 0x0000:
Code:

ROM:00000000                 jmps    0, loc_1000
.
.
.
ROM:00001000 loc_1000:                               ; CODE XREF: ROM:00000000J
ROM:00001000                 cmp     ZEROS, #1
ROM:00001004                 jmpr    cc_NZ, loc_100A
ROM:00001006                 diswdt
ROM:0000100A
ROM:0000100A loc_100A:                               ; CODE XREF: ROM:00001004j
ROM:0000100A                 mov     WDTCON, #1
ROM:0000100E                 srvwdt
ROM:00001012                 cmp     ZEROS, #0
ROM:00001016                 jmpr    cc_Z, loc_1026
ROM:00001018                 bfldh   SYSCON, #0FBh, #9 ; 'v'
ROM:0000101C                 movb    P4, #0
ROM:00001020                 movb    DP4, #0FFh
ROM:00001024                 jmpr    cc_UC, loc_102A
ROM:00001026 ; ---------------------------------------------------------------------------
ROM:00001026
ROM:00001026 loc_1026:                               ; CODE XREF: ROM:00001016j
ROM:00001026                 bfldh   SYSCON, #0FBh, #1 ; 'v'
ROM:0000102A
ROM:0000102A loc_102A:                               ; CODE XREF: ROM:00001024j
ROM:0000102A                 bfldl   SYSCON, #3Fh, #80h ; '?'
ROM:0000102E                 bfldl   BUSCON0, #0FFh, #0ADh
ROM:00001032                 bfldh   BUSCON0, #0FFh, #4
ROM:00001036                 mov     ADDRSEL1, #1008h
ROM:0000103A                 bfldl   BUSCON1, #0FFh, #8Dh
ROM:0000103E                 bfldh   BUSCON1, #0FFh, #4
ROM:00001042                 mov     ADDRSEL2, #2007h
ROM:00001046                 bfldl   BUSCON2, #0FFh, #0A7h
ROM:0000104A                 bfldh   BUSCON2, #0FFh, #14h
ROM:0000104E                 mov     ADDRSEL3, #807h
ROM:00001052                 bfldl   BUSCON3, #0FFh, #8Dh
ROM:00001056                 bfldh   BUSCON3, #0FFh, #4
ROM:0000105A                 mov     ADDRSEL4, #3100h
ROM:0000105E                 bfldl   BUSCON4, #0FFh, #1
ROM:00001062                 bfldh   BUSCON4, #0FFh, #4
ROM:00001066                 extr    #1
ROM:00001068                 mov     EXICON, #3C00h
ROM:0000106C                 mov     CC14IC, #7Fh ; ''
ROM:00001070                 mov     CC13IC, #7Eh ; '~'
ROM:00001074                 einit




I try to decode the ADDRSELx registers:

mov     ADDRSEL1, #1008h
Range Start Address: 0x00200000
Resulting Window Size: 1 MByte
mov     ADDRSEL2, #2007h
Range Start Address: 0x00400000
Resulting Window Size: 512 KByte
mov     ADDRSEL3, #807h
Range Start Address: 0x00100000
Resulting Window Size: 512 KByte
mov     ADDRSEL4, #3100h
Range Start Address: 0x00620000
Resulting Window Size: 4 KByte

Is that correct?

Thanks in advance.
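
An added example, not part of the original post: a small decoder for the four ADDRSELx values in the listing above. It assumes the C167 ADDRSELx layout in which bits 15..4 (RGSAD) supply address lines A23..A12 and bits 3..0 (RGSZ) select a window of 4 KByte << RGSZ; the function and table names are made up for this example.

```python
# Added example, not code from the thread.
# Assumed ADDRSELx layout: bits 15..4 = RGSAD (address lines A23..A12),
# bits 3..0 = RGSZ, window size = 4 KByte << RGSZ, RGSZ 0xC..0xF reserved.

def decode_addrsel(value):
    """Return (start_address, size_in_bytes) for a 16-bit ADDRSELx value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("ADDRSELx is a 16-bit register")
    rgsz = value & 0xF
    if rgsz > 0xB:
        raise ValueError("reserved RGSZ encoding: 0x%X" % rgsz)
    size = 0x1000 << rgsz
    start = (value & 0xFFF0) << 8       # RGSAD lands on A23..A12
    start &= ~(size - 1)                # a window starts on a multiple of its size
    return start, size

# Register values copied from the listing. CS1 and CS3 wiring is from the post;
# what sits on CS2 and CS4 is not stated there.
LISTING = [
    ("ADDRSEL1", 0x1008, "CS1: external RAM"),
    ("ADDRSEL2", 0x2007, "CS2: not described in the post"),
    ("ADDRSEL3", 0x0807, "CS3: top flash"),
    ("ADDRSEL4", 0x3100, "CS4: not described in the post"),
]

def window_table(regs=LISTING):
    """Decode every register into (name, first, last, size_kib, note)."""
    rows = []
    for name, value, note in regs:
        start, size = decode_addrsel(value)
        rows.append((name, start, start + size - 1, size // 1024, note))
    return rows

if __name__ == "__main__":
    for name, first, last, kib, note in window_table():
        print("%s  0x%06X-0x%06X  %5d KByte  %s" % (name, first, last, kib, note))
```

Any address that falls outside all four windows is served by BUSCON0 and CS0, where the post says the bottom flash is connected.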


Title: Re: C167 questions
Post by: ykchong4 on September 28, 2013, 08:37:20 AM
Hope someone can reply to your question, I also want this answer too.