prj
« Reply #30 on: November 24, 2012, 06:05:29 AM »
> Thank you, then one last thing I want to ask today: how do you find out the page number? Is there a post somewhere on nefmoto, maybe, on that subject?

I recommend reading the C166 user's manual and how memory addressing works in the processor. It is explained very well there.
masterj
« Reply #31 on: November 24, 2012, 04:36:28 PM »
OK, some progress here... I've started to look for the shared axis of the maps I asked about earlier (because it should be shared by them all). This helped me to find it:

    axis_addr - (1 or 2) - (206h * 4000h) = search text

This is what I have found:

    seg003:352E8 mov r12, #2BDAh
    seg003:352EC mov r13, #206h
    seg003:352F0 mov r14, word_F9B6
    seg003:352F4 extp #0E1h, #1 ; 'ß'
    seg003:352F8 mov r15, word_384960
    seg003:352FC calls 83h, sub_833B94
    seg003:35300 extp #0E1h, #1 ; 'ß'
    seg003:35304 mov word_384960, r4

Here's how I analyzed this so far:

    seg003:352E8 mov r12, #2BDAh

Points to 1ABDA (axis description address, because 206h * 4000h + 2BDAh = 81ABDAh).

    seg003:352EC mov r13, #206h

Just tells us to use 206h in the equation.

    seg003:352F0 mov r14, word_F9B6
    seg003:352F4 extp #0E1h, #1 ; 'ß'
    seg003:352F8 mov r15, word_384960
    seg003:352FC calls 83h, sub_833B94
    seg003:35300 extp #0E1h, #1 ; 'ß'
    seg003:35304 mov word_384960, r4

Now these give me a hard time... Please suggest whether I need to follow further into the 833B94 address to know which maps access this shared axis. What info do r14 and r15 store here? What does r4 store? Maybe the variable that comes out of this axis?
rajivc666
Full Member
« Reply #32 on: November 25, 2012, 11:00:02 AM »
Yes, that's right, r4 contains the factor and the location with respect to the axis. Ex.: say the rpm axis is 1000 1200 1600 2000 2500, and the rpm is, say, 1850 for simplicity (which is passed on by the code; in this example, if the axis is rpm related, it is mov r14, NMOT (f9b6)...), so on return rh4 (or rl4, I don't remember offhand) will contain, say, 3 (or 2 if starting from zero; I don't remember that either, as I reversed it a long time back) because 1850 comes between the 3rd (1600) and 4th (2000), and rl4 will contain a factor something like (1850-1600) / (1600-2000). So this is stored into RAM 348490 from r4. Similarly the other axis (say the load axis in the case of the kfzw map) will also be stored in some other RAM area. So when it's time to look up the main map, say kfzw, these two variables are passed to the subroutine along with the start address of the map, like kfzw, and also the dimension of one of these axes; in kfzw the size of the load map (rl) is given. So say the size of the map is 10 x 16. The subroutine knows one side of the map is 10, so using this and the other variables it can look up the table. This is done because similar axes are shared by many maps, so the ECU does not have to find the axis every time.
masterj
« Reply #33 on: November 25, 2012, 04:31:00 PM »
> Yes, that's right, r4 contains the factor and the location with respect to the axis. Ex.: say the rpm axis is 1000 1200 1600 2000 2500, and the rpm is, say, 1850 for simplicity (which is passed on by the code; in this example, if the axis is rpm related, it is mov r14, NMOT (f9b6)...), so on return rh4 (or rl4, I don't remember offhand) will contain, say, 3 (or 2 if starting from zero; I don't remember that either, as I reversed it a long time back) because 1850 comes between the 3rd (1600) and 4th (2000), and rl4 will contain a factor something like (1850-1600) / (1600-2000). So this is stored into RAM 348490 from r4. Similarly the other axis (say the load axis in the case of the kfzw map) will also be stored in some other RAM area. So when it's time to look up the main map, say kfzw, these two variables are passed to the subroutine along with the start address of the map, like kfzw, and also the dimension of one of these axes; in kfzw the size of the load map (rl) is given. So say the size of the map is 10 x 16. The subroutine knows one side of the map is 10, so using this and the other variables it can look up the table. This is done because similar axes are shared by many maps, so the ECU does not have to find the axis every time.

Wow, a lot of info, thanks! So with this I have updated some comments on this block:

    seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
    seg003:352EC mov r13, #206h ; use 206h in equation
    seg003:352F0 mov r14, word_F9B6 ; type of axis variable?
    seg003:352F4 extp #0E1h, #1 ; 'ß'
    seg003:352F8 mov r15, word_384960
    seg003:352FC calls 83h, sub_833B94
    seg003:35300 extp #0E1h, #1 ; 'ß'
    seg003:35304 mov word_384960, r4 ; location and factor of axis variable

Now before going any further I have to ask you: how do you know what type of variable it is, for example word_F9B6? Also, if the RAM variable holds the offset and factor of the current value of the axis variable, then how can I know the factor, for example? By looking at the RAM address I see only:

    RAM:384960 word_384960: ds 2

The actual factor for this axis should be 0.100000 (decimal)...
jooo
Jr. Member
« Reply #34 on: November 25, 2012, 05:36:16 PM »
> Also, if the RAM variable holds the offset and factor of the current value of the axis variable, then how can I know the factor, for example? By looking at the RAM address I see only:
> RAM:384960 word_384960: ds 2
> The actual factor for this axis should be 0.100000 (decimal)...

How would you know what the RAM address contains without tracing code or logging it? I assume you didn't import a RAM dump into IDA.

edit: know what not know that
« Last Edit: November 25, 2012, 06:30:40 PM by jooo »
masterj
« Reply #35 on: November 25, 2012, 06:34:57 PM »
Some progress on reversing the subroutine that prepares the axis value...

    seg003:33B94
    seg003:33B94 sub_833B94: ; CODE XREF: sub_835114+1C8P
    seg003:33B94 ; sub_835114+1E8P ...
    seg003:33B94 extp r13, #1
    seg003:33B96 mov r4, [r12+] ; axis first cell (+2 from r12) to r4
    seg003:33B98 mov r1, r12 ; axis desc to r1
    seg003:33B9A mov r2, r12 ; axis desc to r2
    seg003:33B9C shr r15, #8 ; shift RAM val right by 8
    seg003:33B9E shl r15, #1 ; shift RAM val left by 1
    seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifted RAM val)
    seg003:33BA2 extp r13, #1
    seg003:33BA4 cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
    seg003:33BA6 jmpr cc_C, loc_833BE8

Help needed to understand these:

    seg003:33B9C shr r15, #8 ; shift RAM val right by 8
    seg003:33B9E shl r15, #1 ; shift RAM val left by 1
    seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifted RAM val)

Am I correct? Also I don't get the comparison between r14 and [r1+]:

    seg003:33BA4 cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???

BTW: r14 -> word_F9B6 (IRAM? What type of data does this section hold?)
« Last Edit: November 25, 2012, 06:52:27 PM by masterj »
jooo
Jr. Member
« Reply #36 on: November 25, 2012, 07:12:36 PM »
> Help needed to understand these:
> seg003:33B9C shr r15, #8 ; shift RAM val right by 8
> seg003:33B9E shl r15, #1 ; shift RAM val left by 1
> seg003:33BA0 add r1, r15 ; set offset of current variable value??? (desc addr + shifted RAM val)

shr #8 = divide by 256 (shr #1 = divide by 2, and shr #8 = divide by (2*2*2*2*2*2*2*2)); shl #1 = multiply by 2. http://en.wikipedia.org/wiki/Bitwise_operation
masterj
« Reply #37 on: November 25, 2012, 07:21:10 PM »
Oh, OK, point taken. But why do they use two instructions instead of one? Like shr #7 would be enough, no? I'm still not understanding why these operations are done on the RAM value that holds the axis variable offset... Updated info:

    sub_833B94:
    extp r13, #1
    mov r4, [r12+] ; axis first cell (+2 from r12) to r4
    mov r1, r12 ; axis desc to r1
    mov r2, r12 ; axis desc to r2
    shr r15, #8 ; divide RAM val by 256 (2^8)
    shl r15, #1 ; multiply RAM val by 2 (2^1)
    add r1, r15 ; set offset of current variable value??? (axis desc addr + divided/multiplied RAM val)
    extp r13, #1
    cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
    jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
« Last Edit: November 25, 2012, 07:36:45 PM by masterj »
jooo
Jr. Member
« Reply #38 on: November 25, 2012, 07:43:45 PM »
...
edit: faulty remark. was too tired
« Last Edit: November 26, 2012, 06:16:42 PM by jooo »
locon
Newbie
« Reply #39 on: November 26, 2012, 08:24:48 AM »
> Like shr #7 would be enough, no?

With shr #8 you get the high byte of the word (e.g. the offset). With shl #1 you get the offset value (in words) on the axis. In "C" these are two different instructions, and the compiler translates them into two instructions.
masterj
« Reply #40 on: November 26, 2012, 08:45:35 AM »
> With shr #8 you get the high byte of the word (e.g. the offset). With shl #1 you get the offset value (in words) on the axis. In "C" these are two different instructions, and the compiler translates them into two instructions.

So it basically takes a byte from r15 and converts the result back to a word? That would finally make sense.
« Last Edit: November 26, 2012, 08:48:06 AM by masterj »
masterj
« Reply #41 on: November 26, 2012, 04:27:14 PM »
So, progress again:

    sub_833B94:
    extp r13, #1
    mov r4, [r12+] ; axis first cell (+2 from r12) to r4
    mov r1, r12 ; axis desc to r1
    mov r2, r12 ; axis desc to r2
    shr r15, #8 ; get high byte of r15 (offset)
    shl r15, #1 ; convert r15 to word (16bit)
    add r1, r15 ; set current axis cell
    extp r13, #1
    cmp r14, [r1+] ; it compares current axis cell to axis variable type (r14)???
    jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE

Basically I understand everything up to the cmp point, where r14 is compared to [r1+]. r14 holds word_F9B6. word_F9B6 is set in the IRAM segment. What kind of data does it actually hold? What I understand is that r14 is compared to (data inside word_F9B6 + 2). Am I correct? Any ideas on what type of data is in IRAM?
rajivc666
Full Member
« Reply #42 on: November 26, 2012, 08:58:54 PM »
> So, progress again:

    sub_833B94:
    extp r13, #1
    mov r4, [r12+] ; transfer memory location r12 (size of axis) to r4, then increase r12 by 2
    mov r1, r12 ; transfer to r1 the memory address of the first data location in the axis
    mov r2, r12 ; transfer to r2 the memory address of the first data location in the axis
    shr r15, #8 ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
    shl r15, #1 ; double the location info since the data is word type (16 bit) and not byte
    add r1, r15 ; after this r1 holds the memory address of the lower of the axis values which was used to interpolate last time
    extp r13, #1
    cmp r14, [r1+] ; this comparison is done so that in the subsequent instructions it is checked whether the current value
                   ; of word_F9B6 is more or less than the extreme values of the axis: if more, then rh4 will contain the
                   ; relative location of the highest value of the axis and rl4 will be zero, and exit the subroutine; if less
                   ; than the least value of the axis, then in this subroutine zero is assigned to r4 (in other words the least
                   ; value of the axis will be taken) and exit the subroutine
    jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE
« Last Edit: November 27, 2012, 02:13:06 AM by rajivc666 »
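To make the two pieces rajivc666 describes concrete, the axis search of Reply #42 (index of the lower breakpoint in the high byte, interpolation factor in the low byte, clamped at both ends, starting from the previously stored position) and the shared-axis map lookup of Reply #32 (two packed results plus the length of one side of the map), here is an added C example. It is not code from the thread, from IDA or from the ECU firmware: the function names, the 0..255 scaling of the factor, the "first cell is the count" axis layout and the row-major map layout are assumptions drawn from the posts above, and the sample axes and map values are constructed. It also carries the two small computations discussed earlier, the extp page address (206h * 4000h + 2BDAh) and the shr #8 / shl #1 pair.

```c
#include <stdint.h>
#include <stdio.h>

/* Packed axis result as the thread describes r4 / word_384960:
 * high byte = index of the lower breakpoint, low byte = interpolation
 * factor. Scaling the factor to 0..255 is an assumption for this example. */
#define AXIS_IDX(w)  ((uint16_t)((w) >> 8))
#define AXIS_FRAC(w) ((uint16_t)((w) & 0xFF))

/* C166 extended-page address: page number * 4000h plus the 14-bit offset.
 * Thread example: page 206h, offset 2BDAh -> 81ABDAh. */
static uint32_t extp_addr(uint16_t page, uint16_t offset)
{
    return ((uint32_t)page << 14) + (offset & 0x3FFFu);
}

/* Mirrors the "shr r15, #8 / shl r15, #1" pair: take the high byte of the
 * packed word (the last index) and turn it into a byte offset into axis
 * data made of 16-bit cells. */
static uint16_t axis_byte_offset(uint16_t packed)
{
    return (uint16_t)(AXIS_IDX(packed) << 1);
}

/* Axis layout as read by "mov r4, [r12+]": cell 0 is the count, then the
 * ascending breakpoints. Hypothetical C counterpart of sub_833B94: find
 * where `value` falls, starting from the previously stored index, and clamp
 * at both extremes (last index with factor 0 above the top, index 0 with
 * factor 0 below the bottom). */
static uint16_t axis_lookup(const uint16_t *axis, uint16_t value, uint16_t prev)
{
    uint16_t count = axis[0];
    const uint16_t *pts = axis + 1;
    uint16_t idx;
    uint32_t frac;

    if (count < 2)
        return 0;
    if (value < pts[0])
        return 0;                               /* below the lowest breakpoint */
    if (value >= pts[count - 1])
        return (uint16_t)((count - 1) << 8);    /* at or above the highest one */

    /* Start from the last position; the stored index may be stale. */
    idx = AXIS_IDX(prev);
    if (idx > count - 2)
        idx = (uint16_t)(count - 2);
    while (idx > 0 && value < pts[idx])
        idx--;
    while (value >= pts[idx + 1])
        idx++;

    /* Interpolation factor between pts[idx] and pts[idx+1], 0..255. */
    frac = (uint32_t)(value - pts[idx]) * 256u / (uint32_t)(pts[idx + 1] - pts[idx]);
    return (uint16_t)((idx << 8) | (frac & 0xFFu));
}

/* Linear interpolation with an 8-bit factor (0..255 ~ 0..1). */
static uint16_t lerp8(uint16_t a, uint16_t b, uint16_t frac)
{
    return (uint16_t)(a + ((int32_t)b - (int32_t)a) * (int32_t)frac / 256);
}

/* 2-D map lookup from two packed axis results. As in Reply #32 the caller
 * passes the map start and the length of one side (cols) so row-major cells
 * can be addressed; rows only clamps the neighbour index at the top edge,
 * where the packed factor is already 0. */
static uint16_t map_lookup(const uint16_t *map, uint16_t rows, uint16_t cols,
                           uint16_t row_pk, uint16_t col_pk)
{
    uint16_t r = AXIS_IDX(row_pk), c = AXIS_IDX(col_pk);
    uint16_t r1 = (uint16_t)(r + 1 < rows ? r + 1 : r);
    uint16_t c1 = (uint16_t)(c + 1 < cols ? c + 1 : c);
    uint16_t lo = lerp8(map[r * cols + c],  map[r * cols + c1],  AXIS_FRAC(col_pk));
    uint16_t hi = lerp8(map[r1 * cols + c], map[r1 * cols + c1], AXIS_FRAC(col_pk));
    return lerp8(lo, hi, AXIS_FRAC(row_pk));
}

/* Constructed sample data: the rpm axis quoted in Reply #32, a made-up load
 * axis and a 3x5 map in row-major order (rows = load, cols = rpm). */
static const uint16_t RPM_AXIS[]  = { 5, 1000, 1200, 1600, 2000, 2500 };
static const uint16_t LOAD_AXIS[] = { 3, 20, 50, 80 };
static const uint16_t MAP_3X5[] = {
    10, 12, 14, 16, 18,
    20, 22, 24, 26, 28,
    30, 32, 34, 36, 38,
};

int main(void)
{
    uint16_t rpm_pk  = axis_lookup(RPM_AXIS, 1850, 0);
    uint16_t load_pk = axis_lookup(LOAD_AXIS, 65, 0);
    printf("axis desc at %06lX\n", (unsigned long)extp_addr(0x206, 0x2BDA));
    printf("rpm 1850 -> idx %u, factor %u/256, byte offset %u\n",
           AXIS_IDX(rpm_pk), AXIS_FRAC(rpm_pk), axis_byte_offset(rpm_pk));
    printf("map value at (load 65, rpm 1850) = %u\n",
           map_lookup(MAP_3X5, 3, 5, load_pk, rpm_pk));
    return 0;
}
```

With the quoted axis, 1850 rpm lands in cell 2 (1600..2000, counting from zero) with a factor of 160/256 = 0.625, and a stale stored index (for instance the top cell from a previous call) is walked back down rather than trusted, which is the case the cmp/jmpr pair at the start of sub_833B94 handles.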
masterj
« Reply #43 on: November 27, 2012, 11:01:03 AM »
> So, progress again:
>
>     sub_833B94:
>     extp r13, #1
>     mov r4, [r12+] ; transfer memory location r12 (size of axis) to r4, then increase r12 by 2
>     mov r1, r12 ; transfer to r1 the memory address of the first data location in the axis
>     mov r2, r12 ; transfer to r2 the memory address of the first data location in the axis
>     shr r15, #8 ; this instruction has the same effect as mov rl15,rh15 (rh15 holds the relative location) and mov rh15,00
>     shl r15, #1 ; double the location info since the data is word type (16 bit) and not byte
>     add r1, r15 ; after this r1 holds the memory address of the lower of the axis values which was used to interpolate last time
>     extp r13, #1
>     cmp r14, [r1+] ; this comparison is done so that in the subsequent instructions it is checked whether the current value
>                    ; of word_F9B6 is more or less than the extreme values of the axis: if more, then rh4 will contain the
>                    ; relative location of the highest value of the axis and rl4 will be zero, and exit the subroutine; if less
>                    ; than the least value of the axis, then in this subroutine zero is assigned to r4 (in other words the least
>                    ; value of the axis will be taken) and exit the subroutine
>     jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE

Thank you, so

    jmpr cc_C, loc_833BE8 ; r14 > [r1+] ==> TRUE

checks for a set carry bit (which is set when [r1+] < r14) and by that jumps to 833BE8, else it just goes to the next line, right? Hm... So this sub will not help me to find which maps share this specific axis? Because all I see here is that this sub prepares data by limiting the current axis value; there is no ref to maps at all....
rajivc666
Full Member
« Reply #44 on: November 27, 2012, 11:06:07 AM »
No. If that's what you want, then just press "x" after clicking on word_384960.