Hi guys. I'm just starting reverse engineering the ME7.5 with a C167, which is very similar in design to the C166.

Now I've looked at the jnb command Jump if Bit Not Set. I understand that 9a is logically the jnb command and according to what I've learned so far, the address plus bitmask comes in the next 2 bytes. The last byte shows the jump ahead.
Now I'd like to know how this address is calculated because I can't just enter my address here, like b_kuppl FD4a bit 9.

 Can someone explain to me how I have to run this address around so that the jnb command understands what I want from it?

I thank you in advance

Gesendet von meinem M2007J3SG mit Tapatalk

Hi, thanks a lot for pointing me to the C167 datasheet – page 133 helped me understand how the JNB instruction works for regular bit-addressable RAM. The formula
(FDxx – FD00) * 16 + Bit works fine when I'm accessing bits directly in the FDxx range.

However, what I'm specifically trying to understand is the Bosch internal bit mapping used in ME7.x code. For example:

According to the function matrix, b_kuppl is at FD4A, Bit 9 → bitmask 0x0200

But in actual Bosch ME7 code, the JNB instruction uses 25 13 → bit address 0x1325, not 0x04A9 as per the formula


My question is: Is there any known mapping table, method, tool, or script
that systematically translates FDxx + bit into the Bosch-style JNB bit address (e.g. FD4A.9 → 0x1325)?

I'm developing custom LC/NLS functions and need to generate the correct JNB opcodes, but right now I can only do it by comparing to disassembled dumps in Ghidra.

Any pointers to:

a lookup table

a bit-mapping reference

or insight into how tools like ME7Sum or Setzi's disassembler resolve this
would be greatly appreciated!


Thanks!

Gesendet von meinem M2007J3SG mit Tapatalk

Example:
@85F52A 9A 25 02 D0       jnb     word_FD4A.B_kuppl, loc_85F532

translates as:
at address 0x85F52A,opcodes are 9A 25 02 D0     for ASM :   jnb     word_FD4A.B_kuppl, loc_85F532

where:
jnb ---> 9A (see prj's attachment),   hence 9A
word_FD4A ---> 4A:2=25 hex, hence   25
loc_85F532 - 85F2A = 8 (8bytes=> 8/4=2 words =>02 relative leap/jump, hence 02
B_kuppl is Bit13, mask 0x2000 ---> 13dec=Dhex, hence D
0 folows always after mask in hex, hence D0

So, you mean, if I write the function in an IDE like IDA, does it set the value I need for jnb itself? So, I only need the internal RAM address FD XX + the bitmask for it? And it sets the bit address itself?

Gesendet von meinem M2007J3SG mit Tapatalk

I am following this advice since I came across it:

9A 4A FA 00 is not at all correct.
The Instructions Manual that prj provided you, must be read until understood.
I tried to save you some time:
for jnb you write 9A
for FD4A (FA4A must be a typo) you ignore FD and write 4A:2= 25 (hex obviously)
then you write the "jump"in "words": count bytes, divide by 4, write the hex value of the result
finally, write the mask followed by a zero: 9 0 , hence 90
9A 25 xx 90 (xx is the relative jump number in words)
vs
9A 4A FA 00 which is wrong

Edit:
^^^^ now, this is like spoon feeding and is not encouraged much on this forum, you need to put in a little effort yourself and much more help will follow
This is already explained by other people on this forum, maybe searching is not easy, so I thought I could save you the time. I concluded that 99% of any question one might have, is already answered.

Okay, yes, and I think you've misunderstood me or I've worded it wrong. So what I understand now is that 9A, the command I FD, is not written at all, it's irrelevant. That means I only need half of my Me7info address, so 4A, this value is divided by 2 and I get 25. Then the jump size has to be defined. That's clear too. And right at the end, the calculated bit is simply written, so 90 for bit 9, 13 for bit 13 and so on. So in my case the command looks like this: 9A 25 ?? 90. Have I understood that correctly?

Gesendet von meinem M2007J3SG mit Tapatalk