NefMoto

I'm adding code to an me7 ecu but cannot get my jmps or calls to work. I think I've completely missed something and hope that someone can help.

Example:        A list of calls and in one of the sub routines I've made a succesful local jmps but the long jmps or calls to another segment makes the ecu hang.

loc_800xxx:
      CALLS   80h, loc_802000
      CALLS   81h, loc_812000
      CALLS   82h, loc_821000
      CALLS   80h, loc_807000 (this routine is where I changes seen below)
      CALLS   83h, loc_838000
      
=======================================================
sub_807000:
807000      jmps    80h, loc_807008      (this jmps within the sub works well)
807004      nop
807006      nop
807008      mov      word_3810xx, r5
80700c      ...

=======================================================
sub_807000:
807000      JMPS   87h, loc_87e000   (this jmps with a jmps to return to 807004 does not work and seems to hang ecu)
807004      mov      word_3810xx, r5
807006      add      ...
807008      mov      .....
80700c      ....

87e000:
         NOP
         NOP
         JMPS   80h, loc_807004


=======================================================
sub_807000:
807000      CALLS   87h, loc_87e000   (this CALLS with a RETS to return to 807004 does not work and seems to hang ecu)
807004      mov      word_3810xx, r5
807006      add      ...
807008      mov      .....
80700c      ....

87e000:
         NOP
         NOP
         RETS

Is there anyone with enough C16x knowledge here? Problem with DPP due to probably beeing inside an interrupt or trap?

edit: I edited a couple of digit errors above in OP but nothing significant to the problem explained.

Sre you sure 87e000 doesn't get called outside of 807000 (in main loop) thus causing an infinite loop?

finally someone who has something to say

If I understand your concern correctly this is my answer to that:
87e000 is a new routine made by me, it was empty space FF before

It may have been empty space, but it could have been included in the main loop. doubtful, but best to confirm. you can do that by reverting your first jmps to NOT jmp to 87e000 and replace jmp in new func with setting a varible u can log to see if ur new func is being called/ran without u jmping to it.

Well 87e000 is part of ~8kb of empty space filled with FF . I don't really understand what you mean with jmps from main loop to this empty area?
I'm well aware of the the method of writing to a ram variable and log, preferably with an add to be able to log how often it is running. I'm using a Roadrunner emulator in the ecu, it's really easy to try different things.

calls #87h, #0E000h

( DA8700E0 )

do not use jmps to call your routine from main loop

It is not in main loop but rather an interrupt subroutine. CALLS/RETS or JMPS/JMPS both give same result.

calls 87h, #e000h  (loc_87e000 is the IDA label with offset), DA8700E0 is the hex like you say

well
whats the original string you replaced by call?
i think there is something else. im using a few calls to a new routines in my file without any issue. but ive placed it to the 8Bh seg

One move and one add, third is replaced with a MOV mem, ZEROES .
Unfortunately there is no clue in that either since the local  JMPS 80h, loc_807008 works well. (within same segment and also within same subroutine in example1 above)

I've done more testing now and I think it might be a bug in TunerPro or worst case the Roadrunner Emulator causing my problem.
I will do some more testing and report what I find out.

After todays testing I'm convinced that there is a problem with TunerPro or the Roadrunner emulator at word 0x7dffe and word 0x7e000.
The ecu seems to hang while executing code at those two words, download from emulator to binary file shows correct information.
I've not tried moates tool to download binary yet. If that also show correct binary information it would indicate a problem with the Roadrunner, if not there is an upload/download problem with TunerPro.
Could anyone else with a Roadrunner try to execute something at 7dffe or 7e002? Prj?

Red code does not work. Green code works fine.

==============================
calls   87h, sub_87dffe

...

sub_87dffe:
0x87dffe   rets
==============================
calls   87h, sub_87e000

...

sub_87e000:
0x87e000   rets
==============================
calls   87h, sub_87dff8

...

sub_87dff8:
0x87dff8   nop
0x87dffa   nop
0x87dffc   nop
0x87dffe   nop
0x87e000   nop
0x87e002   nop
0x87e004   nop
0x87e006   rets
==============================



==============================
calls   87h, sub_87dffc

...

sub_87dffc:
0x87dffc   rets
==============================
calls   87h, sub_87e002

...

sub_87e002:
0x87e002   rets
==============================

From what I can tell after testing to download emulator memory with emutility the contents of emulator is correct, but the emulator does not like to execute at those words.
I cannot find anything in C167 errata documents indicating that the problem is within CPU. I will need to contact Moates and check with them.
It would still be interessting if someone with a Roadrunner could try to put some code at the mentioned 2 words and see how their ECU reacts.

Don't have time to test, too much work atm. If you don't solve it, bug me in 2 weeks.