Write new code?

Reply Subscribe

Thread Tools

Search this Thread

May 19, 2009, 11:32 PM

#46

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

obviously choose an address that isn't DIRECTLY referenced.

but then you also have to choose an address that isn't inside a range...

0xffff8400 is a good start, john is using 0xffff8480+, so maybe look at 0xffff8500...

Reply Like

May 19, 2009, 11:33 PM

#47

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

half light, as in flashing on/off REALLY quick?

you are probably missing the main counting loop at the top (0->255)

Reply Like

May 19, 2009, 11:44 PM

#48

acamus

Evolved Member

Join Date: Mar 2008

Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Posts: 730

Likes: 0

Received 2 Likes on 2 Posts

Code:

sub_35500
00035500                 sts.l   pr, @-r15
00035502                 mov.l   r0, @-r15
00035504                 mov.l   r1, @-r15
00035506                 mov.l   r2, @-r15
00035508                 mov.l   @(h'80,pc), r1 ; FFFF8500
0003550A                 mov.b   @r1, r0
0003550C                 add     #1, r0
0003550E                 and     #h'FF, r0
00035510                 mov.b   r0, @r1
00035512                 mov.l   @(h'7C,pc), r1 ; FFFF8501
00035514                 mov.w   @r1, r0
00035516                 mov.w   @(h'88,pc), r2 ;h'15E
00035518                 cmp/hi  r2, r0
0003551A                 bf      35520
0003551C                 mov     #0, r0
0003551E                 mov.w   r0, @r1
00035520                 mov.l   @(h'70,pc), r0 ;  mut_9a
00035522                 mov.w   @r0, r0
00035524                 mov.l   @(h'70,pc), r1 ; FFFF8502
00035526                 mov.w   r0, @r1
00035528                 mov.w   @(h'70,pc), r0 ;  1
0003552A                 tst     r0, r0
0003552C                 bt      35548
0003552E                 mov.w   @(h'6C,pc), r0 ;  1
00035530                 mov.l   @(h'50,pc), r1 ; mut_26
00035532                 mov.w   @r1, r1
00035534                 cmp/hs  r0, r1
00035536                 bf      35548
00035538                 mov.w   @(h'64,pc), r0 ; h'140
0003553A                 mov.l   @(h'4C,pc), r1 ; load_2b
0003553C                 mov.w   @r1, r1
0003553E                 cmp/hs  r0, r1
00035540                 bf      35548
00035542                 mov.l   @(h'4C,pc), r1 ; FFFF8501
00035544                 mov.w   @(h'5A,pc), r0 ; h'15E
00035546                 mov.w   r0, @r1
00035548                 mov.l   @(h'44,pc), r1 ; FFFF8501
0003554A                 mov.w   @r1, r0
0003554C                 tst     r0, r0
0003554E                 bt      35554
00035550                 add     #-1, r0
00035552                 mov.w   r0, @r1
00035554                 tst     r0, r0
00035556                 bt      3556C
00035558                 mov.l   @(h'30,pc), r0 ; FFFF8500
0003555A                 mov.b   @r0, r0
0003555C                 shlr2   r0
0003555E                 shlr2   r0
00035560                 tst     #1, r0
00035562                 bf      3556C
00035564                 mov.l   @(h'30,pc), r1 ; FFFF8502
00035566                 mov.w   @r1, r0
00035568                 xor     #8, r0
0003556A                 mov.w   r0, @r1
0003556C                 mov.l   @r15+, r2
0003556E                 mov.l   @r15+, r1
00035570                 mov.l   @r15+, r0
00035572                 mov.l   @(h'C,pc), r0 ; sub A98A
00035574                 jsr     @r0 ; sub_A98A
00035576                 nop
00035578                 lds.l   @r15+, pr
0003557A                 rts
0003557C                 nop

Maybe I do not understand how it shall work but with engine off (not started) it shall not be lit according to code. Yes exactly rapid on/offs. So I have picked exactly the addresses you have suggested

Last edited by acamus; Nov 4, 2009 at 10:31 PM.

Reply Like

May 19, 2009, 11:49 PM

#49

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

check out 0x35512...

you are loading an odd offset into r1, then doing a mov.w from it. so you are getting an alignment problem..

fix that up first

Reply Like

May 19, 2009, 11:55 PM

#50

acamus

Evolved Member

Join Date: Mar 2008

Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Posts: 730

Likes: 0

Received 2 Likes on 2 Posts

Oh, right, obvious bugs are always overlooked.

Thank you, you certainly deserve your GURU status

Reply Like

May 20, 2009, 11:26 PM

#51

acamus

Evolved Member

Join Date: Mar 2008

Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Posts: 730

Likes: 0

Received 2 Likes on 2 Posts

Quote:

Originally Posted by tephra

check out 0x35512...

you are loading an odd offset into r1, then doing a mov.w from it. so you are getting an alignment problem..

fix that up first

Dave I believe you are wrong here, the line @35512 is pretty legitimate according to manual:

MOV.W @(disp,PC),Rn
1001nnnndddddddd
(disp × 2 + PC) → Sign extension → Rn

so displacement (disp) can be odd...., this must be something else...

you can search h'7c in your rom and will find many mov commands.

Reply Like

May 20, 2009, 11:29 PM

#52

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

its the mov.w @r1, r0 that im worried about.

its legal syntax, but i am pretty sure you will find that you are actually getting 0xffff8500 and 01, not 01 and 02 as you think.

it still needs to be word aligned...

Reply Like

May 21, 2009, 12:57 AM

#53

acamus

Evolved Member

Join Date: Mar 2008

Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Posts: 730

Likes: 0

Received 2 Likes on 2 Posts

I understand now the mistake, I am trying to use variables of byte size for word assignments

. Thank you again.

Reply Like

May 21, 2009, 01:52 AM

#54

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

my mistake for not highlighting it properly!

Reply Like

May 21, 2009, 11:12 PM

#55

dude

Evolved Member

iTrader: (12)

Join Date: Dec 2003

Location: Farmington, NM

Posts: 591

Likes: 0

Received 0 Likes on 0 Posts

Quote:

Originally Posted by tephra

rte or rts?

NOP after jsr

Wow! What Rosetta Stone CD do I need to understand this language? I'm an Engineer and I don't understand any of this, though granted I only took VB and C++ and didn't enjoy either.

Keep up the good work guys, the more fellas we have attacking our ECU disasm, the more awesome our tuning platform becomes!

And Tephra, we need to get you another EVO!

Reply Like

May 21, 2009, 11:13 PM

#56

tephra

EvoM Guru

iTrader: (6)

Join Date: Feb 2007

Location: Melbourne, Australia

Posts: 9,486

Likes: 1

Received 66 Likes on 42 Posts

hehe.

hightlight my sig

hidden secrets :P (or just bad colouring on my behalf :P)

Reply Like

Mar 6, 2017, 12:09 PM

#57

sowne

Newbie

Join Date: Nov 2012

Location: tbilisi, georgia

Posts: 20

Likes: 1

Received 0 Likes on 0 Posts

stupid question here, how realistic is it to disassemble rom without IDA? any free alternatives?

Reply Like

Mar 6, 2017, 12:20 PM

#58

logic

Evolved Member

iTrader: (2)

Join Date: Apr 2003

Location: Berkeley, CA

Posts: 1,022

Likes: 0

Received 6 Likes on 5 Posts

Wow, old thread.

I wrote an SH2 disassembler in Python years ago, if it helps: https://github.com/logic/sh2dis

No support, and you're definitely on your own for working with the resulting output.