Pages: [1] 2
Author Topic: ME7.5 Launch Control On 4B0906018CH_360854  (Read 10401 times)
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« on: May 23, 2018, 08:06:21 PM »

Trying to make revisions.  New to assembly.  Trying to write ROM 0x817E0A to RAM 0xFA40.

Ive gotten
F3 F9 0A 7E F7 F9 40 FA DB 00

or

movb rh4, 0x817E0A
movb 0xFA40, rh4
rest

Also looking for an idea for a place to look to make insertion point.  Am I on the right track?
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #1 on: May 24, 2018, 01:09:57 PM »

ok.  So the issue i keep snagging myself on is in bit referencing.  At 0x8A3AE0, I want to do a simple jb  0xFA40, jump x words.  I cant seem to get the command to move outside of the FDxx Ram Locations.  Right now I have 8A 20 50 00 or jb 0xFD40, jump 5 words.  i have a feeling that this has to do with a ext command, but am not sure how to write the jump from the offset within 0xFDxx to be in 0xFAxx.  Could someone help me figure out which ext command will shift me down?
Logged
woj
Hero Member
*****

Karma: +41/-3
Offline Offline

Posts: 500


« Reply #2 on: May 24, 2018, 01:55:39 PM »

http://nefariousmotorsports.com/forum/index.php?topic=14265.msg115230#msg115230

You said you would read that. There IIRC you will find all you need about bit-addressable memory ranges, etc. But, to answer your question, the jb* instructions work only with a narrow range of addresses, not ext-s will do anything about that.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #3 on: May 24, 2018, 02:17:26 PM »

I'm reading it and rereading it and trying to understand it.  Im crossreferencing different areas of code.  Its helped with a lot of things.  I get a lot of the architecture and I understand how the directions are working.  Every item I see I reread that page and then tinker.  Jb and jbc seem to be the biggest one in the working with bits, most everything else is words and bytes.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #4 on: May 24, 2018, 02:22:06 PM »

So if I want to use RAM location bits as switches to enable and disable features I just need to keep it all in the 0xFDxx range?
Logged
gt-innovation
Sr. Member
****

Karma: +60/-89
Offline Offline

Posts: 442


« Reply #5 on: May 24, 2018, 02:43:42 PM »

So if I want to use RAM location bits as switches to enable and disable features I just need to keep it all in the 0xFDxx range?

No and the only thing you need to do to understand is to look at the original code.When you ask such questions i can only understand that you did not look at your own binary file enough or you did not define it.

Simple Ram locations that you can work with 0x38xxxx - 0xfdXX

To hook up (hijack) (redirect to your function) your routine you will need to think how fast you need it to run... 1ms 10ms 100ms.

find the tables with the call functions with 1-10-100 ms raster and hijack a function that is not so vital(at least that is my approach) .

Before you do all this things though, sit down and analyze some of the main functions of your sw and you will start to understand more and more.
Logged
woj
Hero Member
*****

Karma: +41/-3
Offline Offline

Posts: 500


« Reply #6 on: May 25, 2018, 12:20:14 AM »

You can bit address everything, just not everything directly. Typically, you copy the variable to a register and bit address the register. You can also bit mask a register and do jumps based on the contents of the flags in PSW, compilers typically produce code like this, probably not most optimal.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #7 on: May 25, 2018, 09:45:49 AM »

That was exactly what I needed.  Moved the RAM to the register, used jbc to reference register.  Now I can set bits in another register and then write it to the RAM.  Thank you so much.

Right now I'm not working on highjacking any function.  With my limited experience I'm trying to give myself proof of concept.  I'm just doing a ROM to RAM bit transfer.  Then using that RAM as a switch in the routine.  (I think I can just read this from ROM now)  I'm setting my routine to output another RAM value.  I'm going to be able to log that and confirm everything is working as it should and then start hijacking routines.
« Last Edit: May 25, 2018, 09:51:24 AM by Cadensdad14 » Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #8 on: May 28, 2018, 04:43:46 AM »

Been making great progress since seeing that last post.  Can't thank you enough for the help.  Just have one question.

I want to set a bit in a byte and move it back to ram.  What I've done write now is use words instead.

Mov r4, ZEROS
bset r4.1
Mov RAM location, r4

I just don't see a way to do bset rl4.1
Does bset always write to the low byte or the high byte?

If I could do that I could replace a lot of mov with Movb.  Also, am I really gaining anything?  By working in bytes instead of words do I just reduce ram usage or do I speed functionality?
Logged
woj
Hero Member
*****

Karma: +41/-3
Offline Offline

Posts: 500


« Reply #9 on: May 28, 2018, 05:28:52 AM »

All basic instructions are constant time as far as overall performance is concerned, this does not apply to (long) multiplication / division and such. So, one typically optimises for number of instructions / instruction length (to optimise fetch / space in flash).

I would advise care with byte instructions, one gets into a habit of having uneven addresses (like $FD03), but then missing on b part of the instruction doing "mov r4, mem" and depending on how clever your compiler / assembler is (or your brain when you do things by hand) you will end up in a trap interrupt and likely bricked ECU in effect.

Back to your concrete question, up to r6 you can access the whole word in the register with rX, or single bytes with rlX / rhX, but it is still the same register. So, if your RAM location is a byte, then:

mov r4, ZEROS
bset r4.1
movb RAM, rl4

(sets bit 1 in byte RAM). Equivalently (byte RAM will have bit 1 set):

mov r4, ZEROS
bset r4.9
movb RAM, rh4

And even:

movb rl4, #2
orb RAM, rl4

And while we are at it, "mov r4, ZEROS" is four bytes operation, while "mov r4, #0" is two Wink

I can go on like this forever, I suggest, again, to read the ST10 programming document (again).
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #10 on: May 28, 2018, 06:03:28 AM »

Ive been reading it.  I remember reading about the cycles for multiplication and division.  I've been doing everything by looking at how the function works in other areas and redoing it.  Ive been using that information to edit the hex with a thorough reread each time for the instruction and then reload the file in the disassembled.

On further inspection I do have
Mov r5, #0
But got it E6 F5 00 00

So your saying I could do
Mov r5, #0
Through E0 05
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #11 on: May 28, 2018, 06:13:02 AM »

Another entry level question, but just checking.  Do I have to reload data to a register every time I want to use it?  At the beginning of my routine I have a min and max temperature check. 

Extp #0e1h, #1
Movb rl4, tmotlin
Exts #81h, #1
Movb rh4, max_temp
Cmpb rl4, rh4
Jmpr cc_c, cw_reset
Exts #81h, #1
Movb rh4, min_temp
Cmpb rl4, rh4
Jmpr cc_nc, cw_reset

Do I need to reload tmotlin before running another cmpb?
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #12 on: May 30, 2018, 03:46:20 PM »

I have what I want put together for my ram locations.  In trying to understand the Multimaps so I can make sense out of map switching routines.  I want to set it up where if 0xFA40 cc_nz I get an alternate map for lamfa, kfzw, and kfzw2.  Can I get any help?
Logged
woj
Hero Member
*****

Karma: +41/-3
Offline Offline

Posts: 500


« Reply #13 on: May 31, 2018, 02:29:53 AM »

First, $FA40 sounds suspiciously like the register area for one of the interrupts, I'd strongly suggest to verify that it is not used (just disassembly with IDA and direct reference use checking might not be sufficient, as these are typically referenced by pointer not value). In general it is a much better idea to place your things in the external RAM.

Then I suggest to some simpler code modification exercise first. You should get to a point with ST10 assembly and code analysis where solving the problem of multi maps comes to your head naturally. If you need (serious) help, the likely hood of messing this up (even with help) is very high.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #14 on: May 31, 2018, 03:01:31 AM »

I understand.  Illl get that moved.  I put it there when I was struggling with the jb referencing.

I figure this is going the entail a level of trial and error, which is fine as the car is not a daily and I can boot mode flash.

It seems like there's a 16 bit offset constant thats modified.  If I stare at this long enough ill figure it out.
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.02 seconds with 16 queries. (Pretty URLs adds 0s, 0q)