Write new code?
#1
Evolving Member
Thread Starter
iTrader: (4)
Join Date: Apr 2008
Location: Germany
Posts: 186
Hi,
My changes on the ECU were just small. I compiled them by myself with the controller manual, writing bits on paper. It was just a few bytes.
But how can I write larger sections of code and compile it, e.g. complete new subroutines? Is there an assembler tool out there?
For Windows, but if Linux is needed, I will figure it out.
thx Jan
#4
Evolved Member
iTrader: (2)
This is pretty Linux-specific (although it should work for Windows guys with Cygwin), but I slapped together a quick script (see pcrel_filter.sh on the wiki page) that can usually convert IDA's output into something that "just compiles" with the GNU assembler. On the wiki page, I've got a couple of suggestions for streamlining the hex->IDA->assembly->hex process a bit.
That being said, I don't do this stuff on a regular basis like mrfred and tephra, so consider that a starting point. Updates to that wiki page are very welcome if you have any workflow suggestions!
(Edit: whoops, I didn't see that acamus had already linked to my old thread on getting started with this stuff. I'll hush up now. )
#5
I use KPIT Cummins binutils to produce a hex file. I have a batch file I run that assembles and links to produce the hex file. Then I use a hex editor to copy and paste the code. Then I reload the altered ROM into IDA to check for problems before testing on the car or in Lauterbach simsh. Renesas also have a simulator you can download if you register, but it isn't like IDA in terms of the disassembly. However, you can make a panel of switches and LEDs on the screen that can reflect memory contents as you run the simulated code. Not tried this though.
#6
Evolving Member
iTrader: (7)
I use the KPIT stuff too. It's great and free. You just have to rip some assembler-related header info and end-of-file info to get the ROM the right size, with a hex editor. I'm a little lazy, but you may be able to disable that stuff with the switches, not sure.
I use IDA to export the ASM code in GNU SH mode after having created my markers or disassembled what I need. Then I use Notepad or any text editor to add in my code/mods/etc. I think KPIT now supports SHASM, but not sure.
It's good to explore the ROM with all the information that's available to "find your way around." I am looking for a good simulator; I will have time to think about it for a while in a month or so, heh.
lol, it becomes second nature after a few times, like tephra said.
Always check your work in IDA or whatever. You will find errors/misalignments/etc. due to overlooking, as I have many times in the beginning.
Most of all, have fun.
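The "copy and paste with a hex editor" step in the two posts above is where a misplaced or oversized blob silently corrupts the ROM, and the "rip the header info to get the ROM the right size" remark is the same problem from the other side. The following is an added example, not code from the thread or from the KPIT tools: it takes the raw bytes of the assembled routine (the form you would get from the binutils `objcopy -O binary` step, assumed here rather than taken from the posts), refuses to write them anywhere that is not erased filler, keeps the image size unchanged, and reports exactly which byte ranges changed so the result can be compared before reloading into IDA. The sample ROM, the blob and the 0xFF filler value are constructed for the example.

```python
"""Added example (not from the thread): splice an assembled blob into a ROM image
with the checks you would otherwise do by eye in a hex editor."""

FILL = 0xFF  # assumption for this example: unused flash reads back as 0xFF


def splice(rom: bytes, blob: bytes, offset: int, fill: int = FILL) -> bytes:
    """Return a copy of rom with blob written at offset.

    Refuses if the blob is misaligned, runs past the end of the image, or would
    overwrite bytes that are not filler, so the image keeps its size and no
    existing code is clobbered silently.
    """
    if offset % 2:
        raise ValueError("SH instructions must start on an even address")
    end = offset + len(blob)
    if end > len(rom):
        raise ValueError(f"blob ends at 0x{end:X}, past the ROM end 0x{len(rom):X}")
    if any(b != fill for b in rom[offset:end]):
        raise ValueError(f"0x{offset:X}-0x{end:X} is not all 0x{fill:02X}; refusing to overwrite")
    out = bytearray(rom)
    out[offset:end] = blob
    return bytes(out)


def changed_ranges(old: bytes, new: bytes) -> list:
    """[(start, end), ...] of byte ranges that differ between two images of equal size."""
    if len(old) != len(new):
        raise ValueError("image size changed; look for assembler header/trailer bytes")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(old)))
    return ranges


# Constructed sample image: 0x100 bytes of "existing code" (SH nop = 0x0009,
# big-endian) followed by 0x100 bytes of erased flash.
ROM = b"\x00\x09" * 0x80 + bytes([FILL]) * 0x100
# Constructed blob: nop / rts / nop as a raw binary dump would hold them.
BLOB = b"\x00\x09\x00\x0b\x00\x09"


def demo() -> list:
    """Splice BLOB into the free area and return the byte ranges that changed."""
    patched = splice(ROM, BLOB, 0x100)
    return changed_ranges(ROM, patched)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the single range covering the six patched bytes; pointing `splice` at offset 0x10 (live code) or at 0x1FE (past the end) raises instead of producing a plausible-looking but broken image.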
#8
Evolved Member
iTrader: (2)
My biggest complaint (that I brought up at the end of that other thread) is that I've never been able to get gas to deal properly with the PC-relative references that IDA spits out in its gas-compatible mode; it either gets the offset length wrong by one or two bytes, or just chokes entirely thinking the offset is too far (which is just a symptom of the offset being wrong). I'm convinced gas is tracking the program counter correctly (as evidenced by the non-relative form generating the correct code), but it's getting the offset wrong when dealing with pc-relative addresses.
Arguably, instead of outputting pc-relative references (with labels in the comments), IDA should probably just output label-based address references directly. It's just more sane to work with; relative references all have to be changed as soon as you change the code. And those comments IDA sprinkles everywhere are obsolete almost immediately upon being written to disk.
That silly little awk script I whipped up to filter out pcrel addressing works (and does some necessary other stuff as well), but I'd love to figure out what the real problem is. I'm obviously missing something.
(evoredy: I've never spent any time with getting gas to recognize shasm-formatted code; any pointers to concrete information on that would be greatly appreciated.)
#9
I have recently combined my four assembly files into one. The code is too big to put all the variables in one place, so I've split them. Maybe with some elegant section naming I could avoid the _ and __ in front of duplicate labels, but it works like this and is easier to put together. Apart from a few nops to stop the DMA being killed and the vectors being set, this is my entire code that runs three interrupt vectors, intercepting MUT E0, E1 or E2 from the serial port interrupt and feeding them to my routines, or else returning to the usual serial port interrupt. There is also a DMA end interrupt serviced here, and a transmit end. Plus my own logic/variables to keep track of the sequence for my new protocols: an initial DMA transfer of a long address and a word length, followed by the receive or transmit DMA sequences for map data or logging the MUT table. Does quite a bit in not too much code. The main bugs I had to kill were keeping track of when I'd moved variables between versions. Enjoy or weep as per your preference ...
I also show the code as hex in Ecuflash.
Code:
/* RXI0: serial receive interrupt. A received MUT request E0..E2 (with the
   enabling flags set) starts a DMA read of the 6-byte header (long address +
   word length); anything else falls through to the stock receive handler. */
RXI0:
    add #-4, r15
    sts.l pr, @-r15
    mov.l r14, @-r15
    mov r15, r14
    sts.l macl, @-r15
    sts.l mach, @-r15
    mov.l r10, @-r15
    mov.l r11, @-r15
    mov.l r12, @-r15
    mov.l r13, @-r15
    mov.l r3, @-r15
    mov.l r4, @-r15
    mov.l r5, @-r15
    mov.l r6, @-r15
    mov.l r7, @-r15
    mov.l r0, @-r15
    mov.l (int_disable),r10
    jsr @r10
    nop
    mov.l (RDR0),r10
    mov.b @r10,r10
    extu.b r10,r10
    mov.w (E0),r3
    cmp/hs r3,r10
    bf exitformut
    mov.w (E2),r3
    cmp/hi r3,r10
    bt exitformut
    mov.l (bit7allowslogging), r0
    mov.w @r0, r0
    tst #0x80, r0
    bt exitformut
    mov.l (mutorobd), r0
    mov.w @r0, r0
    tst #0x80, r0
    bt exitformut
    mov.l (receive_transmit_status_bits), r0
    mov.w @r0, r0
    tst #0x80, r0
    bf exitformut
/* brE012: remember which request this is, stop DMA channel 3 (clear the low
   two bits of CHCR3) and re-arm it to receive 6 bytes from RDR0 into DMAread */
brE012:
    mov.l (DMAOPFLAG2),r11
    mov.l r10,@r11
    mov #0,r0
    mov.l (counter1),r10
    mov.w r0,@r10
    mov #0xfffffffc,r0
    mov.l (CHCR3),r10
    mov.l @r10,r10
    and r0,r10
    mov.l (CHCR3),r11
    mov.l r10,@r11
    mov.l (RDR0),r0
    mov.l (SAR3),r11
    mov.l r0,@r11
    mov.l (DMAread),r0
    mov.l (DAR3),r11
    mov.l r0,@r11
    mov #6,r0
    mov.l (DMATCR3),r11
    mov.l r0,@r11
    mov #0x37,r0
    mov.l (DMAOPFLAG),r10
    mov.l r0,@r10
    mov.l (SSR0),r10
    mov.b @r10,r0
    and #0x87,r0
    mov.b r0,@r10
    mov.l (DMA3CONFIGread),r0
    mov.l (CHCR3),r10
    mov.l r0,@r10
    mov.l (int_enable),r10
    jsr @r10
    nop
    bra exit
    nop
/* not one of ours: hand the byte to the ROM's normal receive routine */
exitformut:
    mov.l (int_enable),r10
    jsr @r10
    nop
    mov.l (serialreceivewithoutdma),r10
    jsr @r10
    nop
exit:
    mov.l @r15+, r0
    mov.l @r15+, r7
    mov.l @r15+, r6
    mov.l @r15+, r5
    mov.l @r15+, r4
    mov.l @r15+, r3
    mov.l @r15+, r13
    mov.l @r15+, r12
    mov.l @r15+, r11
    mov.l @r15+, r10
    lds.l @r15+, mach
    lds.l @r15+, macl
    mov.l @r15+, r14
    lds.l @r15+, pr
    add #4, r15
    rte
    nop
    .align 2
int_disable: .long 0x400
int_enable: .long 0x41e
serialreceivewithoutdma: .long 0xe32a /*TO BE CHANGED FOR EACH ROM*/
bit7allowslogging: .long 0xffff6fea /*TO BE CHANGED FOR EACH ROM*/
mutorobd: .long 0xffff6fb2 /*TO BE CHANGED FOR EACH ROM*/
receive_transmit_status_bits: .long 0xffff6fe6 /*TO BE CHANGED FOR EACH ROM*/
counter1: .long 0xffff7054 /*TO BE CHANGED FOR EACH ROM*/
SAR3: .long 0xffffecf0
DAR3: .long 0xffffecf4
DMATCR3: .long 0xffffecf8
CHCR3: .long 0xffffecfc
DMA3CONFIGread: .long 0x20105
SSR0: .long 0xfffff004
RDR0: .long 0xfffff005
DMAOPFLAG: .long 0xffff8480
DMAOPFLAG2: .long 0xffff8484
DMAread: .long 0xffff8488
E0: .word 0xE0
E2: .word 0xE2
/*--------------------------------*/
/* DMAEND: DMA end interrupt. Stops channel 3, then dispatches on DMAOPFLAG2:
   1 = a transmit just finished (brwrite), E0/E1/E2 = the header has arrived,
   so set up the map transmit (E0 indirect, E1 direct) or receive (E2) transfer
   using DMAaddress/DMAlength; anything else falls into the TEIE cleanup. */
    .align 4
DMAEND:
    sts.l pr,@-r15
    mov.l r0,@-r15
    mov.l r10,@-r15
    mov.l (_int_disable),r10
    jsr @r10
    nop
    mov #0xfffffffc,r0
    mov.l (_CHCR3),r10
    mov.l @r10,r10
    and r10,r0
    mov.l (_CHCR3),r10
    mov.l r0,@r10
    mov.l (_DMAOPFLAG2),r0
    mov.l @r0,r0
    mov #1,r10
    cmp/eq r10,r0
    bt brwrite
    nop
    mov.w (_E0),r10
    cmp/eq r10,r0
    bt brE0
    nop
    mov.w (_E1),r10
    cmp/eq r10,r0
    bt brE1
    nop
    mov.w (_E2),r10
    cmp/eq r10,r0
    bt brE2
    nop
    bra TEIEinvade
    nop
brwrite:
    mov.l (_SSR0),r10
    mov.b @r10,r0
    tst #4,r0
    bf TEIEinvade
    nop
    mov.w (_SCR0_CLRTIE_SETTEIE),r0
    mov.l (_SCR0),r10
    mov.b r0,@r10
    mov.l (_int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
brE0:
    mov #1,r0
    mov.l (_DMAOPFLAG2),r10
    mov.l r0,@r10
    mov.l (_DMAaddress),r0
    mov.l @r0,r0
    mov.l (_SAR3),r10
    mov.l r0,@r10
    mov.l (_TDR0),r0
    mov.l (_DAR3),r10
    mov.l r0,@r10
    mov.l (_DMAlength),r0
    mov.w @r0,r0
    mov.l (_DMATCR3),r10
    mov.l r0,@r10
    mov #0x37,r0
    mov.l (_DMAOPFLAG),r10
    mov.l r0,@r10
    mov.w (_SCR0_CLRRE_SETTIE),r0
    mov.l (_SCR0),r10
    mov.b r0,@r10
    mov.l (_DMA3CONFIGwriteindirect),r0
    mov.l (_CHCR3),r10
    mov.l r0,@r10
    mov.l (_int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
brE1:
    mov #1,r0
    mov.l (_DMAOPFLAG2),r10
    mov.l r0,@r10
    mov.l (_DMAaddress),r0
    mov.l @r0,r0
    mov.l (_SAR3),r10
    mov.l r0,@r10
    mov.l (_TDR0),r0
    mov.l (_DAR3),r10
    mov.l r0,@r10
    mov.l (_DMAlength),r0
    mov.w @r0,r0
    mov.l (_DMATCR3),r10
    mov.l r0,@r10
    mov #0x37,r0
    mov.l (_DMAOPFLAG),r10
    mov.l r0,@r10
    mov.w (_SCR0_CLRRE_SETTIE),r0
    mov.l (_SCR0),r10
    mov.b r0,@r10
    mov.l (_DMA3CONFIGwritedirect),r0
    mov.l (_CHCR3),r10
    mov.l r0,@r10
    mov.l (_int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
brE2:
    mov #2,r0
    mov.l (_DMAOPFLAG2),r10
    mov.l r0,@r10
    mov.l (_RDR0),r0
    mov.l (_SAR3),r10
    mov.l r0,@r10
    mov.l (_DMAaddress),r0
    mov.l @r0,r0
    mov.l (_DAR3),r10
    mov.l r0,@r10
    mov.l (_DMAlength),r0
    mov.w @r0,r0
    mov.l (_DMATCR3),r10
    mov.l r0,@r10
    mov #0x37,r0
    mov.l (_DMAOPFLAG),r10
    mov.l r0,@r10
    mov.l (_SSR0),r10
    mov.b @r10,r0
    and #0x87,r0
    mov.b r0,@r10
    mov.l (_DMA3CONFIGread),r0
    mov.l (_CHCR3),r10
    mov.l r0,@r10
    mov.l r0,@r10
    mov.l (_int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
/* TEIE: transmit end interrupt. Clears DMAOPFLAG, puts SCR0 back to receive
   mode and clears the SSR0 status bits. DMAEND jumps in at TEIEinvade. */
    .align 4
TEIE:
    sts.l pr,@-r15
    mov.l r0,@-r15
    mov.l r10,@-r15
    mov.l (_int_disable),r10
    jsr @r10
    nop
TEIEinvade:
    mov #0,r0
    mov.l (_DMAOPFLAG),r10
    mov.l r0,@r10
    mov.w (_SCR0_SETRE_CLRTEIE),r0
    mov.l (_SCR0),r10
    mov.b r0,@r10
    mov.l (_SSR0),r10
    mov.b @r10,r0
    and #0x87,r0
    mov.b r0,@r10
    mov.l (_int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
    .align 2
_SAR3: .long 0xffffecf0
_DAR3: .long 0xffffecf4
_DMATCR3: .long 0xffffecf8
_CHCR3: .long 0xffffecfc
_SCR0: .long 0xfffff002
_TDR0: .long 0xfffff003
_SSR0: .long 0xfffff004
_RDR0: .long 0xfffff005
_DMA3CONFIGwriteindirect: .long 0x10011005
_DMA3CONFIGwritedirect: .long 0x11005
_DMA3CONFIGread: .long 0x20105
_DMAOPFLAG: .long 0xffff8480
_DMAOPFLAG2: .long 0xffff8484
_DMAaddress: .long 0xffff8488
_DMAlength: .long 0xffff848c
_int_disable: .long 0x400
_int_enable: .long 0x41e
_E0: .word 0xE0
_E1: .word 0xE1
_E2: .word 0xE2
_SCR0_CLRTIE_SETTEIE: .word 0x24
_SCR0_SETRE_CLRTEIE: .word 0x70
_SCR0_CLRRE_SETTIE: .word 0xa0
/*--------------------------------*/
/* COPY: unless DEADloc already holds DEADval, copy LENGTH bytes from ROM to
   RAM. Then, if bit 7 of bit7allowslogging is clear, stop DMA channel 3 and
   clear DMAOPFLAG. Finally jump to the address in tephra. */
    .align 4
COPY:
    sts.l pr,@-r15
    mov.l r0,@-r15
    mov.l r1,@-r15
    mov.l r2,@-r15
    mov.l r10,@-r15
    mov.l r11,@-r15
    mov.w (DEADval),r0
    mov.l (DEADloc),r1
    mov.w @r1,r1
    cmp/eq r1,r0
    bt TIMEOUT
    nop
    mov.l (ROM),r10
    mov.l (RAM),r11
    mov.l (LENGTH),r1
    mov #0,r0
loop:
    mov.l @(r0,r10),r2
    mov.l r2,@(r0,r11)
    add #4,r0
    cmp/hs r1,r0
    bf loop
    nop
TIMEOUT:
    mov.l (__int_disable),r10
    jsr @r10
    nop
    mov.l (__bit7allowslogging),r10
    mov.w @r10,r0
    tst #0x80,r0
    bf __exit
    nop
    mov #0xfffffffc,r0
    mov.l (__CHCR3),r10
    mov.l @r10,r10
    and r10,r0
    mov.l (__CHCR3),r10
    mov.l r0,@r10
    mov #0,r0
    mov.l (__DMAOPFLAG),r10
    mov.l r0,@r10
__exit:
    mov.l (__int_enable),r10
    jsr @r10
    nop
    mov.l @r15+,r11
    mov.l @r15+,r10
    mov.l @r15+,r2
    mov.l @r15+,r1
    mov.l @r15+,r0
    lds.l @r15+,pr
    mov.l (tephra),r10
    jmp @r10
    nop
    .align 2
DEADloc: .long 0xffff841c
__CHCR3: .long 0xffffecfc
__DMAOPFLAG: .long 0xffff8480
__bit7allowslogging: /*CHANGE FOR EACH ROM*/ .long 0xffff6fea
__int_disable: .long 0x400
__int_enable: .long 0x41e
tephra: /*CHANGE FOR 256K ECUS*/ .long 0x48000
ROM: .long 0x37b00
RAM: .long 0xFFFF8500
LENGTH: .long 0x800
DEADval: .word 0xDEAD
Last edited by jcsbanks; Mar 13, 2009 at 01:58 PM.
#11
Evolving Member
Thread Starter
I downloaded the KPIT stuff, but I am totally lost.
It's so different from any other coding I have done before.
Can someone describe the steps (not in detail, but what tools to use) to get from the IDA disassembly to a new hex file?
#14
Evolving Member
Thread Starter
I still don't understand it, but when thinking about it, two problems came across my mind:
1.) When you write new assembler code, do you have to write the whole relative addressing stuff by yourself? Do I have to count everything relative to the program counter?
e.g. mov.l @(8,pc), r0 ! [000197AC] = sub_1A29A
For the @(8,pc), is there a mechanism to automate it?
2.) What tool do I use (gnu-as or KPIT) to assemble from source code to the bin file? I can't even find the program. The next problem is how to use it; I think I can figure that out.
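The "@(8,pc)" question above and the pcrel_filter/awk discussion in posts #4 and #8 are the same issue: a hand-counted PC-relative displacement is only valid until the code moves, so the usual fix is to replace it with a label and let the assembler recompute the displacement on every build. The following is an added example in Python, not the thread's pcrel_filter.sh and not code from any of the posters, showing how such a filter can be written. It relies on two assumptions about IDA's GNU-syntax output, both visible in the line quoted above: the bracketed address in the `! [000197AC] = sub_1A29A` comment is the address of the literal-pool word (not of `sub_1A29A`, which is that word's contents), and IDA's automatic names carry the address (`off_197AC`, `dword_197AC`, `sub_1A29A`, ...), which is how the filter finds the label to reference. A second function cross-checks the printed displacement against the SH-2 manual's rule (base is the instruction address plus 4, rounded down to a longword for `mov.l`), taking the displacement IDA prints as a byte count; that convention is an assumption and is only used for the check, not for the rewrite. The sample listing is constructed around the quoted line.

```python
"""Added example (not from the thread): turn IDA's PC-relative literal loads into
label references so the GNU assembler recomputes the displacement itself."""
import re

# Shape of IDA's GNU-syntax output as quoted in the post:
#   mov.l @(8,pc), r0 ! [000197AC] = sub_1A29A
# [000197AC] is the literal-pool word being loaded; "= sub_1A29A" is its contents.
PCREL_RE = re.compile(
    r"^(?P<indent>\s*)mov\.(?P<size>[wl])\s+@\(\s*(?P<disp>-?(?:0x[0-9A-Fa-f]+|\d+))\s*,\s*pc\s*\)"
    r"\s*,\s*(?P<reg>r\d+)\s*!\s*\[(?P<target>[0-9A-Fa-f]+)\]\s*=\s*(?P<label>\w+)\s*$"
)
# IDA's auto-generated names carry the address (assumption: default naming conventions).
ADDR_LABEL_RE = re.compile(
    r"^(?P<label>(?:sub|loc|off|dword|word|byte|unk)_(?P<addr>[0-9A-Fa-f]+)):"
)


def pcrel_target(insn_addr: int, disp: int, size: str) -> int:
    """Effective address of mov.w/mov.l @(disp,pc),Rn per the SH-2 manual:
    instruction address + 4, rounded down to a longword for mov.l, plus the
    byte displacement (assumed to be what IDA prints)."""
    base = insn_addr + 4
    if size == "l":
        base &= ~3
    return base + disp


def literal_labels(text: str) -> dict:
    """Map address -> IDA label for every address-named label in the listing."""
    labels = {}
    for line in text.splitlines():
        m = ADDR_LABEL_RE.match(line)
        if m:
            labels[int(m["addr"], 16)] = m["label"]
    return labels


def rewrite_line(line: str, labels: dict) -> str:
    """mov.l @(disp,pc), Rn ! [addr] = x  ->  mov.l <label at addr>, Rn.
    Lines that do not match, or whose literal has no label, are returned unchanged."""
    m = PCREL_RE.match(line)
    if not m:
        return line
    label = labels.get(int(m["target"], 16))
    if label is None:
        return line  # literal not named in this listing: leave for manual fix-up
    return f"{m['indent']}mov.{m['size']} {label}, {m['reg']}"


def filter_listing(text: str) -> str:
    """Two passes: collect labels, then rewrite every PC-relative load."""
    labels = literal_labels(text)
    return "\n".join(rewrite_line(line, labels) for line in text.splitlines())


def check_line(insn_addr: int, line: str):
    """True/False if the printed displacement agrees with the [addr] comment,
    None for lines that are not PC-relative loads."""
    m = PCREL_RE.match(line)
    if not m:
        return None
    return pcrel_target(insn_addr, int(m["disp"], 0), m["size"]) == int(m["target"], 16)


# Constructed listing fragment in the same style; sub_197A0 is assumed to start at
# 0x197A0, so the literal after five 2-byte instructions and .align 2 sits at 0x197AC.
SAMPLE = """\
sub_197A0:
    mov.l @(8,pc), r0 ! [000197AC] = sub_1A29A
    jsr @r0
    nop
    rts
    nop
    .align 2
off_197AC: .long sub_1A29A
"""

if __name__ == "__main__":
    print(filter_listing(SAMPLE))
```

After filtering, the load reads `mov.l off_197AC, r0`, which gas encodes as the same PC-relative instruction but with a displacement it computes at assembly time, so inserting code before it no longer breaks the reference. The literal must still end up within reach of the instruction (255 longwords for `mov.l`), which is why IDA keeps the pool right after the routine; `check_line` is useful when gas reports a displacement that does not match what IDA printed, as described in post #8.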