Pages: 1 2 [3] 4 5 ... 7
Author Topic: First disassemble - questions  (Read 81405 times)
prj
Hero Member
« Reply #30 on: November 24, 2012, 06:05:29 AM »

Thank you, then one last thing I want to ask today: how do you find out the page number? Is there a post on nefmoto about that subject somewhere?

I recommend reading the C166 user's manual and how memory addressing works in the processor.
It is explained very well there.
masterj
Hero Member
« Reply #31 on: November 24, 2012, 04:36:28 PM »

OK, some progress here... I've started to look for the shared axis of the maps I asked about earlier (because it should be shared by them all). This helped me to find it: axis_addr - (1 or 2) - (206h * 4000h) = search text

This is what I have found:
Code:
seg003:352E8                 mov     r12, #2BDAh
seg003:352EC                 mov     r13, #206h
seg003:352F0                 mov     r14, word_F9B6
seg003:352F4                 extp    #0E1h, #1 ; 'ß'
seg003:352F8                 mov     r15, word_384960
seg003:352FC                 calls   83h, sub_833B94
seg003:35300                 extp    #0E1h, #1 ; 'ß'
seg003:35304                 mov     word_384960, r4

Here's how I analyzed this so far:
Code:
seg003:352E8                 mov     r12, #2BDAh
Points to 1ABDA (axis description address, because 206h * 4000h + 2BDAh = 81ABDAh)

Code:
seg003:352EC                 mov     r13, #206h
Just tells us to use 206h in the equation

Code:
seg003:352F0                 mov     r14, word_F9B6
seg003:352F4                 extp    #0E1h, #1 ; 'ß'
seg003:352F8                 mov     r15, word_384960
seg003:352FC                 calls   83h, sub_833B94
seg003:35300                 extp    #0E1h, #1 ; 'ß'
seg003:35304                 mov     word_384960, r4
Now these give me a hard time... Please suggest: do I need to follow the 833B94 address further to know which maps access this shared axis? What info do r14 and r15 store here? What does r4 store - maybe the variable that comes out of this axis?

rajivc666
Full Member
« Reply #32 on: November 25, 2012, 11:00:02 AM »

Yes, that's right, r4 contains the factor and the location with respect to the axis.

EX. say the rpm axis is 1000 1200 1600 2000 2500 for example, and the rpm is say 1850 for simplicity (which is passed on by the code in this example, if the axis is rpm related, with mov r14, NMOT(f9b6).....).

So on return rh4 (or rl4, I don't remember offhand) will contain say 3 (or 2 if starting from zero, I don't remember that also as I had reversed it a long time back) because 1850 comes between the 3rd (1600) and 4th (2000), and rl4 will contain a factor something like (1850-1600) / (1600-2000). So this is stored into RAM 348490 from r4. Similarly the other axis (say the load axis in the case of the kfzw map) will also be stored in some other RAM area.

So when it's time to look up the main map, say kfzw, these two variables are passed to the subroutine along with the start address of the map like kfzw, and also the dimension of one of these axes; like in kfzw the size of the load axis (rl) is given. So say the size of the map is 10 X 16. So the subroutine knows one side of the map is 10, so using this and the other variables it can look up the table. This is done because similar axes are shared by many maps, so the ECU does not have to find the axis every time.
masterj
Hero Member
« Reply #33 on: November 25, 2012, 04:31:00 PM »

Yes, that's right, r4 contains the factor and the location with respect to the axis.

EX. say the rpm axis is 1000 1200 1600 2000 2500 for example, and the rpm is say 1850 for simplicity (which is passed on by the code in this example, if the axis is rpm related, with mov r14, NMOT(f9b6).....).

So on return rh4 (or rl4, I don't remember offhand) will contain say 3 (or 2 if starting from zero, I don't remember that also as I had reversed it a long time back) because 1850 comes between the 3rd (1600) and 4th (2000), and rl4 will contain a factor something like (1850-1600) / (1600-2000). So this is stored into RAM 348490 from r4. Similarly the other axis (say the load axis in the case of the kfzw map) will also be stored in some other RAM area.

So when it's time to look up the main map, say kfzw, these two variables are passed to the subroutine along with the start address of the map like kfzw, and also the dimension of one of these axes; like in kfzw the size of the load axis (rl) is given. So say the size of the map is 10 X 16. So the subroutine knows one side of the map is 10, so using this and the other variables it can look up the table. This is done because similar axes are shared by many maps, so the ECU does not have to find the axis every time.

Wow, a lot of info. Thanks!

So with this I have updated some comments on this block:
Code:
seg003:352E8                 mov     r12, #2BDAh     ; axis 1ABDA
seg003:352EC                 mov     r13, #206h      ; use 206h in equation
seg003:352F0                 mov     r14, word_F9B6  ; type of axis variable?
seg003:352F4                 extp    #0E1h, #1 ; 'ß'
seg003:352F8                 mov     r15, word_384960
seg003:352FC                 calls   83h, sub_833B94
seg003:35300                 extp    #0E1h, #1 ; 'ß'
seg003:35304                 mov     word_384960, r4 ; location and factor of axis variable

Now before going any further I have to ask you: how do you know what type of variable it is, for example word_F9B6? Also, if the RAM variable holds the offset and factor of the current value of the axis variable, then how can I know the factor, for example? By looking at the RAM address I see only:
Code:
RAM:384960 word_384960:    ds 2

The actual factor for this axis should be 0.100000 (decimal)...

jooo
Jr. Member
« Reply #34 on: November 25, 2012, 05:36:16 PM »

Also, if the RAM variable holds the offset and factor of the current value of the axis variable, then how can I know the factor, for example? By looking at the RAM address I see only:
Code:
RAM:384960 word_384960:    ds 2

The actual factor for this axis should be 0.100000 (decimal)...
How would you know what the RAM address contains without tracing code or logging it? I assume you didn't import a RAM dump into IDA.

edit: know what not know that
« Last Edit: November 25, 2012, 06:30:40 PM by jooo »
masterj
Hero Member
« Reply #35 on: November 25, 2012, 06:34:57 PM »

Some progress on reversing the subroutine that prepares the axis value...
Code:
seg003:33B94
seg003:33B94 sub_833B94:                             ; CODE XREF: sub_835114+1C8P
seg003:33B94                                         ; sub_835114+1E8P ...
seg003:33B94                 extp    r13, #1
seg003:33B96                 mov     r4, [r12+]      ; axis first cell (+2 from r12) to r4
seg003:33B98                 mov     r1, r12         ; axis desc to r1
seg003:33B9A                 mov     r2, r12         ; axis desc to r2
seg003:33B9C                 shr     r15, #8         ; shift RAM val right by 8
seg003:33B9E                 shl     r15, #1         ; shift RAM val left by 1
seg003:33BA0                 add     r1, r15         ; set offset of current variable value??? (desc addr + shifter RAM val)
seg003:33BA2                 extp    r13, #1
seg003:33BA4                 cmp     r14, [r1+]      ; it compares current axis cell to axis variable type (r14)???
seg003:33BA6                 jmpr    cc_C, loc_833BE8

Help needed to understand these:
Code:
seg003:33B9C                 shr     r15, #8         ; shift RAM val right by 8
seg003:33B9E                 shl     r15, #1         ; shift RAM val left by 1
seg003:33BA0                 add     r1, r15         ; set offset of current variable value??? (desc addr + shifter RAM val)

Am I correct?

Also I don't get the comparison between r14 and [r1+]:
Code:
seg003:33BA4                 cmp     r14, [r1+]      ; it compares current axis cell to axis variable type (r14)???

BTW: r14 -> word_F9B6 (IRAM? What type of data does this section hold?)
« Last Edit: November 25, 2012, 06:52:27 PM by masterj »

jooo
Jr. Member
« Reply #36 on: November 25, 2012, 07:12:36 PM »

Help needed to understand these:
Code:
seg003:33B9C                 shr     r15, #8         ; shift RAM val right by 8
seg003:33B9E                 shl     r15, #1         ; shift RAM val left by 1
seg003:33BA0                 add     r1, r15         ; set offset of current variable value??? (desc addr + shifter RAM val)
shr #8 = divide by 256 (shr #1 = divide by 2 and shr #8 = divide by 2*2*2*2*2*2*2*2)
shl #1 = multiply by 2
http://en.wikipedia.org/wiki/Bitwise_operation
masterj
Hero Member
« Reply #37 on: November 25, 2012, 07:21:10 PM »

shr #8 = divide by 256 (shr #1 = divide by 2 and shr #8 = divide by 2*2*2*2*2*2*2*2)
shl #1 = multiply by 2
http://en.wikipedia.org/wiki/Bitwise_operation

Oh, OK, point taken. But why do they use two instructions instead of one?
Like shr #7 would be enough, no?

I'm still not understanding why these operations are done on the RAM value that holds the axis variable offset...

Updated info:
Code:
sub_833B94:
extp    r13, #1
mov     r4, [r12+]      ; axis first cell (+2 from r12) to r4
mov     r1, r12         ; axis desc to r1
mov     r2, r12         ; axis desc to r2
shr     r15, #8         ; divide RAM val by 256 (2^8)
shl     r15, #1         ; multiply RAM val by 2 (2^1)
add     r1, r15         ; set offset of current variable value??? (axis desc addr + divided/multiplied RAM val)
extp    r13, #1
cmp     r14, [r1+]      ; it compares current axis cell to axis variable type (r14)???
jmpr    cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
« Last Edit: November 25, 2012, 07:36:45 PM by masterj »

jooo
Jr. Member
« Reply #38 on: November 25, 2012, 07:43:45 PM »

...

edit: faulty remark. Was too tired.
« Last Edit: November 26, 2012, 06:16:42 PM by jooo »
locon
Newbie
« Reply #39 on: November 26, 2012, 08:24:48 AM »

Like shr #7 would be enough, no?
With shr #8 you get the high byte of the word (e.g. the offset). With shl #1 you get the offset value (in words) on the axis. In "C" these are two different operations and the compiler translates them into two instructions.
masterj
Hero Member
« Reply #40 on: November 26, 2012, 08:45:35 AM »

With shr #8 you get the high byte of the word (e.g. the offset). With shl #1 you get the offset value (in words) on the axis. In "C" these are two different operations and the compiler translates them into two instructions.

So it basically takes a byte from r15 and converts the result back to a word? That would finally make sense.
« Last Edit: November 26, 2012, 08:48:06 AM by masterj »

masterj
Hero Member
« Reply #41 on: November 26, 2012, 04:27:14 PM »

So progress again:
Code:
sub_833B94:
extp    r13, #1
mov     r4, [r12+]      ; axis first cell (+2 from r12) to r4
mov     r1, r12         ; axis desc to r1
mov     r2, r12         ; axis desc to r2
shr     r15, #8         ; get high byte of r15 (offset)
shl     r15, #1         ; convert r15 to word (16bit)
add     r1, r15         ; set current axis cell
extp    r13, #1
cmp     r14, [r1+]      ; it compares current axis cell to axis variable type (r14)???
jmpr    cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE

Basically I understand everything up to the cmp point, where r14 is compared to [r1+]. r14 holds word_F9B6. word_F9B6 is set in the IRAM segment. What kind of data does it actually hold?

What I understand is that r14 is compared to (data inside word_F9B6 + 2). Am I correct? Any ideas on what type of data is in IRAM?

rajivc666
Full Member
« Reply #42 on: November 26, 2012, 08:58:54 PM »

So progress again:
Code:
sub_833B94:
extp    r13, #1
mov     r4, [r12+]      ; transfer memory location r12 (size of axis) to r4, then increase r12 by 2
mov     r1, r12         ; transfer to r1 the memory address of the first data location in the axis
mov     r2, r12         ; transfer to r2 the memory address of the first data location in the axis
shr     r15, #8         ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
shl     r15, #1         ; double the location info since the data is word type (16 bit) and not byte
add     r1, r15         ; after this r1 holds the memory address of the lower of the two axis values which were used to interpolate last time
extp    r13, #1
cmp     r14, [r1+]      ; This comparison is done so that in the subsequent instructions it is checked
                        ; if the current value of word_F9B6 is more or less than the extreme values of
                        ; the axis. If more, then rh4 will contain the relative location of the highest
                        ; value of the axis and rl4 will be zero, and exit the subroutine; and if less
                        ; than the least value of the axis then in this subroutine zero is assigned to
                        ; r4 (in other words the least value of the axis will be taken) and exit the subroutine
jmpr    cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
« Last Edit: November 27, 2012, 02:13:06 AM by rajivc666 »
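A worked model of the axis search described in Reply #32 and Reply #42, written as an added C example that is not code from the thread or from the ECU firmware: the axis stores its cell count first, the search starts from the index cached in the high byte of the previous result (the shr #8 / shl #1 step), clamps at both ends of the axis, and returns index and interpolation factor packed into one word the way r4 is described. The 0..255 factor scaling, the constructed axis and row values, and the consumer function are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed axis in the layout the thread describes: cell count first,
   then ascending 16-bit breakpoints (rajivc666's example rpm axis). */
static const uint16_t rpm_axis[] = { 5, 1000, 1200, 1600, 2000, 2500 };
/* Constructed 1-D table, one value per breakpoint (stands in for a map row). */
static const uint16_t ign_row[] = { 10, 12, 15, 20, 22 };

/* Search the axis for x and return index and factor packed like r4:
   high byte = index of the lower breakpoint, low byte = interpolation
   factor. The scaling (x - lo) * 256 / (hi - lo) is an assumption.
   prev is the cached result (word_384960): its high byte is the starting
   index, which is what shr #8 / shl #1 extract in sub_833B94. */
uint16_t axis_lookup(const uint16_t *axis, uint16_t x, uint16_t prev)
{
    size_t n = axis[0];
    const uint16_t *pts = axis + 1;           /* r12 after mov r4, [r12+] */

    if (x <= pts[0])                          /* below the axis: r4 = 0 */
        return 0;
    if (x >= pts[n - 1])                      /* above: rh4 = last index, rl4 = 0 */
        return (uint16_t)((n - 1) << 8);

    size_t i = prev >> 8;                     /* cached lower index */
    if (i > n - 2)
        i = n - 2;
    while (i > 0 && x < pts[i])               /* walk down if x moved below */
        i--;
    while (i < n - 2 && x >= pts[i + 1])      /* walk up if x moved above */
        i++;

    uint32_t frac = ((uint32_t)(x - pts[i]) << 8) / (pts[i + 1] - pts[i]);
    if (frac > 255)
        frac = 255;
    return (uint16_t)((i << 8) | frac);
}

/* Consumer side: interpolate a row of values from the packed word, the
   way the map lookup is described to reuse the cached axis result. */
uint16_t interp_row(const uint16_t *vals, uint16_t packed)
{
    size_t i = packed >> 8;
    int32_t f = packed & 0xFF;
    if (f == 0)                               /* exact hit or clamped end */
        return vals[i];
    return (uint16_t)(vals[i] + ((int32_t)vals[i + 1] - vals[i]) * f / 256);
}
```

For rpm 1850 the function returns 0x02A0: index 2 (the 1600 cell, counting from zero) and factor 160/256, matching the position rajivc666 describes.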
masterj
Hero Member
« Reply #43 on: November 27, 2012, 11:01:03 AM »

So progress again:
Code:
sub_833B94:
extp    r13, #1
mov     r4, [r12+]      ; transfer memory location r12 (size of axis) to r4, then increase r12 by 2
mov     r1, r12         ; transfer to r1 the memory address of the first data location in the axis
mov     r2, r12         ; transfer to r2 the memory address of the first data location in the axis
shr     r15, #8         ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
shl     r15, #1         ; double the location info since the data is word type (16 bit) and not byte
add     r1, r15         ; after this r1 holds the memory address of the lower of the two axis values which were used to interpolate last time
extp    r13, #1
cmp     r14, [r1+]      ; This comparison is done so that in the subsequent instructions it is checked
                        ; if the current value of word_F9B6 is more or less than the extreme values of
                        ; the axis. If more, then rh4 will contain the relative location of the highest
                        ; value of the axis and rl4 will be zero, and exit the subroutine; and if less
                        ; than the least value of the axis then in this subroutine zero is assigned to
                        ; r4 (in other words the least value of the axis will be taken) and exit the subroutine
jmpr    cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE

Thank you, so
Code:
jmpr    cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
checks for a set carry bit (which is set when [r1+] < r14) and on that jumps to 833BE8, else just goes on to the next line, right? Hm... So this sub will not help me find which maps share this specific axis? Because all I see here is that this sub prepares data by limiting the current axis value; there is no ref to maps at all....

rajivc666
Full Member
« Reply #44 on: November 27, 2012, 11:06:07 AM »

No. If that's what you want then just press "x" after clicking on word_384960.