This is where the BIN Hackers and definition junkies discuss the inner workings of the EEC code and hardware. General tuning questions do not go here. Only technical/hardware-specific/code questions and discussions belong here.
Moderators: cgrey8, EDS50, Jon 94GT, 2Shaker
- Posts: 178
- Joined: Tue May 24, 2011 8:33 pm
- Location: Vandenberg AFB, CA
ironmanisanemic wrote:So i believe i have found all of the references given so far. mpaton, can you please check my work? i have attached my Dir file.
That's a great effort. I think you've got almost all of them.
But have a look at addresses
and see what you think.
You haven't been careless here, it's something that can happen that we have to watch out for.
See if you can work out what it is and let us know.
Now I need to work out the next things I want to see in a dir file
jsa, you're off the hook for the word size 1D lookups, ironman's got them all.
So next, it should be understanding interpolation math and code, and then we can look at a 2D table example, with some Ford ROM and RAM addressing conventions,
I tried to be through, i guess i still missed a few.
I went through the ones you listed and added them to my DIR file. NOW it should complete up to this point. I forgot to re run the searches after i got the first round of them. i did that on most of them but i must have still missed a few. i forgot that as i cleaned up the data that some new values under address values i was searching for would appear. so completing a string of values and going back and rechecking my work more thoroughly would have been beneficial.
I attached my newest iteration of the dir file.
- (803 Bytes) Downloaded 167 times
1989 Ford Bronco:
-393W, Edelbrock Performer RPM heads, ProComp Upper and lower intake, Custom Comp Hyd Roller cam, 10:1 compression, 30lb injectors, 75mm TB, Pro-M 80mm MAF, equal length short tube headers, 2.5 inch y pipe merged into single 3 inch with hooker aerochamber muffler and no cat, QH w/ BE and EA running U4P0, AOD
1995 Ford Mustang GT
-Bone stock minus the QH. 5 Speed. T4M0
- Tuning Addict
- Posts: 524
- Joined: Sat Nov 23, 2013 7:28 pm
- Location: 'straya
so people didn't have to go and read the 1989 or 1991 documentation.
What are they, where are they, can you link them please or give ISBN or full names please ?
95 Escort RS Cosworth - GHAJ0 / ANTI on a COSY box code
Moates QH & BE
- Gear Head
- Posts: 31
- Joined: Tue May 18, 2010 2:02 am
Well sorry to necropost but I'm getting into EEC hacking and I find this thread very helpful and interesting. Did ironmanisanemic just give up after all that work? Granted this exercise was a really big ask for someone with no embedded systems experience, but some good progress was being made!
tvrfan wrote: ↑
Fri Oct 16, 2015 9:37 pm
Hmm..... or another teaser perhaps..... what does THIS code actually do ?
Code: Select all
cc,38 pop R38 R38 = pop();
b2,3b,3c ldb R3c,[R38++] R3c = [R38++];
b2,3b,3d ldb R3d,[R38++] R3d = [R38++];
c8,38 push R38 push(R38);
Thank you for posting this. It's clear to me that this snippet of code is loading a word of what you all call an "inline parameter" into r3c:r3d and fixing up the return address on the call stack to skip over the inline data.
After the call the stack contains the return address which actually points to the first byte of inline data. That address is popped into r38 which is then used to indirectly load the next two bytes of program memory into the registers. R38 now points to the next instruction after the inline data and this address is pushed back onto the call stack so the ret at the end of the function will set the program counter to the correct value.
I see that the code and data directives in the dir file are being used like the "view as code" / "view as data (db/dw/etc)" in IDA. Once one has located a function with inline parameters and determined the number of parameters, you have to iterate over each occurrence in the BL listing, add directives, and disassemble again to find the next. This is quite tedious so I'm assuming mpaton added his own directives and enhanced the BL disassembler to automate this process once such functions have been located.
This is really great stuff! Any way to get this discussion rolling again?
1994 Mustang GT, 351w (377 stroker), TFS heads, hydraulic roller lifters, 1.7 roller rockers, explorer intake, T4M0, Quarterhorse, SLC-DIY wideband AFR meter
last I knew ida didn't handle 806x too well
but getting back to it, in most advanced disassemblers you can specify that a specific routine is grabbing inline parameters thus anytime that address is called, the following xxx bytes are omitted as code
Who is online
Users browsing this forum: No registered users and 1 guest