EECTuning.org

So reverse scan is different to stepping back through the code? Yeah in my head anyway. I originally kept a 'pile' of previous opcodes for conditional jumps, and stepped back through them, but now I've changed the code so that it can simply feed in ANY (valid) opcode start address and get it decode...

OK, sorry about further delay, I ran into a tricky bug... Anyway, I've now got SAD v4 to work correctly for variable arguments, and it also is able to size and decode those arguments. (decode is where the argument has a value like 0xd040 which equates to address [0xfa] + 40 ). I've found FOUR versio...

Ah Yes, a good reminder.

I couldn't get that to work either !!

In the end I added a special extra emulate pass/block, flagged/created from the push, which executes before the 'final' return (this is where the args are)
so that gets more args if required.

and it seems to work !!

More - Problem with loops was for tabs and funcs (2D and 1D lookups). SAD did originally rescan those blocks to get the parameters (address and size) out (from the call tree), but that caused loops when trying to link it with emulate (complicated by the fact that the function lookup code has JUMPS i...

the code now has 2 distinct 'phases'. It scans the binary as a 'tree' (i.e. jumps and calls create a new 'branch' as a block to be scanned), but keeps a fake stack of 'callers' up to date. and if it finds a POP or LDX [STACK+n] command, it flags that scan branch as an argument getter, and then flags...

Update after being far too long getting next version ready, here's my announcement Where I am up to - I have FINALLY got a method which seems to work for all my 'test binaries' collection, including variable argument decodes. The variable arg analysis proved HUGELY harder than I expected, and I agai...

Ah right - sorry. My 'standard' stuff' was the HEGOs and emission stuff, base sensors, basically what's on all engines. I don't know if VVT sensor replaces the 'standard' cam sensor or not, I think probably not as it's a 'cyl 1' marker Yes ?? I really DO mean Lotus. The Evora uses the 2GR-FE engine ...

Right - Yep, some complex addressing there indeed ............

OK. I never expected more than one offset (or special attribute etc.) per argument, so it was coded that way.

Hmmm..... I need to see if I can work out what it's doing.
have you cracked it ?? Any help appreciated !

Andy.

No.

It seems a bit weird to me, in fact. Where is the code ? I'll have a look.

Andy.

Just spotted this.......... NB. 1. whether or not the I/O is direct or via a bus, the EEC still has to receive/generate it, so all those events still have to happen in the code. 2. CAN bus as I understand was its own acronym Cheap, Adequate, Nasty, and was really because it's now cheaper to have a c...

It's a catch-22, like much of the internet. me - I don't have a fixed IP on my account, and don't use a VPN for this site. As default, I use Firefox with NoScript to switch off most/all of the JavaScript to stop ads,popups,trackers, which it does well, but it does stop some things working on many si...

On reading this thread, an idea occurs to me... If you have an engine that can climb up the revs really fast (as you stated), then could it also be that the 'rolling average' calculations need to change? have you already thought of that ? Why - On the A9L bins, (GUFB) the rolling average calcs actua...

From me, the SAD author... I had to come up with some kind of default name, so I chose Bx_Ry, meaning "Bit x of Register y". In a typical binary there are many,many 'flag' states (i.e. ON or OFF), used for all sorts of things, and the CPU has the opcodes JB JNB (jump if bit set/not set) to support f...

In that case I hereby claim ALL THE KUDOS for writing good clean 'C' code, which isn't easy !!! (Joking !! - - for some weird reason, smilies don't seem to work for me in this BB. Linux/Firefox issue ? Hmmm....No, smilies not disabled.) Seriously, I'm truly glad it DID compile and run, as it does he...

Another just in case - please don't think I'm 'knocking' anything there - I just want to help stop any misunderstandings and confusion. It's already hard enough to look at low level machine code, especially some of the multibank tricks. (ooh - an unintended pun there...) I'm lucky as I've done this ...

Just a note here - I had a look too, some of those docs are now superceded, and the bank swop one (written by me) is WRONG at the detail level (but the analysis of how the code works is still correct). This was before I saw the Ford Handbook, which gives the true answer. For Techies/Advanced/IT geek...

Guys, Just for completeness, it's worth a quick review of the PSW on 8065 CPUs and bank operation. Whilst the 8065 PSW lower byte contains the various status flags for conditional jumps (zero, negative, etc), the upper byte contains current program bank (which I take to mean 'code bank'), the curren...

John, Just discovered a bug in the way code blocks are queued for scanning, which may also explain some of the undecoded sections in CARD. Effectively this bug means some block scan combos are lost entirely. Found it when working on the multibank argument emulate/decode. So I'll fix that first and r...

Thanks John, Methods 1) already thought about possible endless loop, so emulation has an 'opcodes executed' maximum, currently at 1000 (may change this) 2) Interesting idea. I admit I had not thought that way at all. I already have a 'called by' chain, which is necessary for subroutines (and argumen...

<code snipped> Load a word, push it later and return is a common theme for overlooked code. Maybe scan any for code any time a load push return sequence is encountered. Yes, A9L does that, and I've been stuck on how to handle it properly. The problem is that a register is loaded with an address in ...

Thanks. I have mentioned previously how all the blocks of code are overlooked and how fixing one detail snowballed a pile of code. I will try to find it. The start of many structues are found. Good that it finds the start points at least !! I have been playing with the idea of some kind of 'data pa...

John, I found the bug with the 4456 and 4459 args. I think that's all working right now. Here is a new listing in case it's any use to you. Code should be right (I hope!), but data isn't ! I see there are still some blocks which look like code but are not decoded, along with some obvious all-data st...

Thanks John, that's fantastic - will check out your issues spotted. Possibly some new code trick I didn't see. Often, one example of a faulty args decode, will apply to all those subr calls, so improvement can be quite large from one fix. I hope. I see that some of the 4459 calls show 6 args correct...

Jsa - John, VARIABLE ARGS !!!!! I think I may finally have cracked a method to get the arguments working, with a part-scan, part emulate approach, which is a 'merge and modify' of a couple of previous attempts. I have attached a CARD listing done with NO COMMANDS by current development SAD, so it's ...

Taking a break from m0m2 since it's useable, so I'm focused on some SD tunes that I've cloned. One in particular is 8SD, which doesn't seem to follow conventional wisdom with Rbases. Certain subroutines have their own offsets defined which makes for a hell of a time disassembling them. Does SAD hav...

'Console present' Yes - quite a few bins have that style of check where 0xd00 (or similar addresses) appear to be a console status flag, and there are various other 'set' addresses around for plug in or special function chips/peripherals. But like the cal console (0xd000 or d006 or d009 or e000 or ....

No, I designed the 'signature' routine after the unix regular expression (= RE), up to a point, but even that isn't flexible enough. If you've never used this, the RE is embedded in a wide range of unix/linux edit and search applications, and although a more complex RE looks like gobbledegook, the s...

While testing, I ran into a problem with vects (not same as reported by jsa, but still....) and I discovered yet more CRAZY stuff. first - I changed vector list detection in 3.08 as it wasn't working with later binaries - so I changed the 'signature' options for a 'detect' type (when SAD arrives at ...

The post was about a cold turkey 1st run of SAD against a bin, yeah understood 2nd step of creating a dir with args set would improve 3.08 results for the changes you describe. Pondering Bank8, have any been sighted that; * Don't start with FF FA * Don't have Checksum at 0x200A Is more required tha...

motorhead1991 wrote: ↑

Wed May 15, 2019 3:53 pm

It was this command:

Code: Select all

bank 0 0 dfff

It complained of a fill address out of bounds despite removing the "fill" commands from the dir file.

Ahhh. OK, could be a screw up in the command parser then....
Thanks.