OzFalcon
Regular
Posts: 81
Joined: Sat Aug 23, 2014 8:50 am

first steps - Disassembly - walkthrough

Post by OzFalcon » Fri Feb 18, 2022 9:12 am

hi guys,

this topic is about me as a beginner trying to sort out a partially correct definition file..
i will be using the SAD (Semi Automatic Disassembler for Ford EEC-IV and V binaries) from here --->
https://github.com/tvrfan/EEC-IV-disass ... 407_16.exe

the bin is from a 1999 Au1.5 Ford falcon (Australian) 6cyl it is WANA catch code.
I pulled the bin myself using Quarterhorse (QH) and TunerProRT (TPRT), so it is a 256K file.
a WANA bin was also available from Ti, but it has 14 bytes difference right near the end of the file.. the ti having all FF in those 14 bytes and mine have something else.. not sure why the difference but i am ignoring it for now and using my bin not theirs..

the def i am using to begin with is one from TiPerformance .. ---> https://www.tiperformance.com.au/Defini ... XL1_v4.xdf

OK,
lets start..

first problem upon opening up the bin and def in TPRT is that i can see obvious errors in some of the tables..
starting from the top :



adaptive fuel (12x9) - has all cells filled with 255 -- is this data valid - -doubtful.. col/row labelling seems right

Fuel Base Table -- values are all over the place -- table is obviously not aligned properly, starting address is wrong.. col/row labeling wrong

Fuel startup table -- values all over the place --- col/row labels missing/wrong

MFA fuel multiplier table --- values wrong -- cols labelled correct, rows labelled wrong

spark table borderline knock -- values wrong -- col/row labels seem correct

spark table borderline knock MPG -- values wrong -- col/row labels seem correct

from previous experience i know what roughly these tables should look like and i am able to mostly correct them manually by just looking in the bins using other good bins and defs from ti as a guide, but this is still not always working..

anyway I am confident that i have the spark and fuel tables correct.. with my corrected def . . "N9XL1N6_v8 Corrected for WANA.xdf"

i would like to use the disassemblers and see what they can do..


so then i tried to use https://github.com/tvrfan/EEC-IV-disassembler and the guide on decipha's site http://www.efidynotuning.com/dis.htm

but it all went wrong when it got to the _msg.txt - Messages with no real explanation of what was going on or why..

then i went to the SAD806x disassembler https://github.com/OpenEEC-Project/SAD806x and read the SAD806x.pdf ..

but again it went wrong when the first thing i read is :
"Installation:
SAD806x can be installed everywhere on a Microsoft Windows system, using Framework 2.0
at least. Following files should be present in its folder to permit it to work properly:
- SAD806x.exe : the executable file.
- NCalc.dll : Mathematical Expressions Evaluator for .NET
(https://github.com/sheetsync/NCalc)
- System.Windows.Forms.DataVisualization.dll : Microsoft Charting for .NET "

well Ncalc.dll wasnt available on that link, and where do you get System.Windows.Forms.DataVisualization.dll , maybe i have it already but couldnt find it on my system..

anyway ...
i went ahead and ran the SAD_407_16.EXE

AND well well well ... it didnt find any of the tables that i was sure i had found.. it did find 43 tables (supposedly)..

but it didnt locate :
fuel base
fuel stabilized
fuel startup
MFA fuel multiplier
spark mbt
spark mbt mpg
spark bdln knock
spark bdln knock mpg
volumetric eff

and these were the ones i thought i had right..

SO OK.. where to now?
what is the next step?
what did it get right?

(see following post for all the files i used)
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse

from Vic, Australia

Post by OzFalcon » Fri Feb 18, 2022 9:14 am

i have no idea where the files i attached are..
i will try to attach them here
Attachments:
N9XL1N6_v8 Corrected for WANA.xdf (112.15 KiB)
WANA_msg.txt (79.32 KiB)
WANA_lst.txt (1.43 MiB)
WANA.bin (256 KiB)

Post by OzFalcon » Fri Feb 18, 2022 9:38 am

I now just ran the SAD806x.exe..

1st thing was an error but it did run -- the error was "calibration elements conflict : 1 5a58 vs 5a59".. what does this mean.. can it be ignored?

aside from that, it gave the same results as SAD_407_16.exe..

43 tables found... but none of the ones i expected or needed..

was hoping it would confirm that my table xdf was correct.. either it didnt find them or i was wrong in my address... i m 95% confident that i have those tables right..

one thing to answer for my previous questions is that SAD806x installs those Ncalc.dll and the other files.. so that is that answered

jsa
Tuning Addict
Posts: 1201
Joined: Sat Nov 23, 2013 7:28 pm
Location: 'straya

Post by jsa » Fri Feb 18, 2022 7:19 pm

OzFalcon wrote: Fri Feb 18, 2022 9:12 am
> the bin is from a 1999 Au1.5 Ford falcon (Australian) 6cyl it is WANA catch code.
> I pulled the bin myself using Quarterhorse (QH) and TunerProRT (TPRT), so it is a 256K file.
> a WANA bin was also available from Ti, but it has 14 bytes difference right near the end of the file.. the ti having all FF in those 14 bytes and mine have something else.. not sure why the difference but i am ignoring it for now and using my bin not theirs..

Use the BIN you pulled from your car to tune with.

> first problem upon opening up the bin and def in TPRT is that i can see obvious errors in some of the tables..
> starting from the top :

Yep, still errors in the ACT Transfer function address, in the Corrected v8 xdf you posted above.
Note the input range from maximum to minimum.

Code: Select all

#                                       Volts         F*
   F.?703A_ECT?/ACT_Transfer:
124b6: ff,ff,00,ec        func          5.12 ,       -40    
124ba: c0,ff,00,ec        func          5.11 ,       -40    
124be: 80,f7,00,f5        func          4.95 ,       -22    
124c2: 48,f0,00,fe        func          4.81 ,        -4    
124c6: 00,e7,00,07        func          4.62 ,        14    
124ca: f3,da,00,10        func          4.38 ,        32    
124ce: b3,cb,00,19        func          4.07 ,        50    
124d2: cd,b6,00,22        func          3.66 ,        68    
124d6: e6,a0,00,2b        func          3.22 ,        86    
124da: 0d,89,00,34        func          2.74 ,       104    
124de: 33,73,00,3d        func          2.3  ,       122    
124e2: 26,60,00,46        func          1.92 ,       140    
124e6: 40,4d,00,4f        func          1.54 ,       158    
124ea: 8d,3e,00,58        func          1.25 ,       176    
124ee: 80,31,00,61        func          0.99 ,       194    
124f2: da,26,00,6a        func          0.78 ,       212    
124f6: 80,1d,00,73        func          0.59 ,       230    
124fa: 00,14,00,7c        func          0.4  ,       248    
124fe: 00,00,00,7f        func          0    ,       254    

> anyway I am confident that i have the spark and fuel tables correct.. with my corrected def . . "N9XL1N6_v8 Corrected for WANA.xdf"

So define them in WANNA_DIR.txt

> anyway ...
> i went ahead and ran the SAD_407_16.EXE
>
> AND well well well ... it didnt find any of the tables that i was sure i had found.. it did find 43 tables (supposedly)..
>
> but it didnt locate :
> fuel base
> fuel stabilized
> fuel startup
> ....
>
> and these were the ones i thought i had right..
> SO OK.. where to now?

If you are sure you are right, DIRect SAD to do what you want.
SAD's golden rule; The user is always right.

I took your WANNA.bin from above and created a WANNA_DIR.txt file in the same folder as the bin.
These DIR commands were written using the info in your V8 XDF from above.
Copy and paste the following to your DIR;

Code: Select all

fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer"      :UW V12800 :SW V128 P5  # From OzFalcon V8 xdf

tab 136B8 13723 "T.FN1360_FuelStabilisedTbl"     :O12 UY V8.7432 P1      # From OzFalcon V8 xdf
tab 13724 1377D "T.FN1362_FuelBaseTbl"           :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
tab 1377E 137CD "T.FN1361_FuelStartupTbl"        :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
Go ahead and add in all the other parameters you think you have right. Post it up here for review.

You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
Copy and paste the following to your CMT;

Code: Select all


124B5 \n\n# \t40Volts \t54F*

EDIT; Fixed copy & paste error
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
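
An added example, not part of jsa's post or of SAD: a Python check that a candidate function address lines up, using the bytes from the listing above and the `:UW V12800 :SW V128` scaling from the `fun` command. It assumes the shape jsa points at, with inputs running from the type's maximum (0xffff) down to its minimum (0); the helper names are hypothetical.

```python
import struct

# Bytes copied from the F.?703A_ECT?/ACT_Transfer listing in the post above.
START = 0x124B6
DUMP = bytes.fromhex(
    "ffff00ec c0ff00ec 80f700f5 48f000fe 00e70007 f3da0010 b3cb0019 "
    "cdb60022 e6a0002b 0d890034 3373003d 26600046 404d004f 8d3e0058 "
    "80310061 da26006a 801d0073 0014007c 0000007f"
)


def decode_rows(data, in_div=12800, out_div=128):
    """Split data into 4-byte rows: unsigned word in, signed word out.

    Both words are little-endian; the divisors are the V values from
    the fun command (:UW V12800 :SW V128).
    """
    rows = []
    for off in range(0, len(data) - 3, 4):
        raw_in, raw_out = struct.unpack_from("<Hh", data, off)
        rows.append((raw_in, raw_out, raw_in / in_div, raw_out / out_div))
    return rows


def shape_errors(rows):
    """Return the reasons these rows do not look like a UW-input function."""
    if not rows:
        return ["no rows"]
    errors = []
    if rows[0][0] != 0xFFFF:
        errors.append("first input 0x%04x is not the maximum 0xffff" % rows[0][0])
    if rows[-1][0] != 0:
        errors.append("last input 0x%04x is not the minimum 0" % rows[-1][0])
    for index, (prev, cur) in enumerate(zip(rows, rows[1:]), 1):
        if cur[0] >= prev[0]:
            errors.append("input does not fall at row %d" % index)
            break
    return errors


def end_address(start, rows):
    """Last byte of the function, as used for the end field of a fun command."""
    return start + 4 * len(rows) - 1


if __name__ == "__main__":
    rows = decode_rows(DUMP)
    for i, (_, _, volts, deg_f) in enumerate(rows):
        print("%05x: %5.2f V  %5.0f F" % (START + 4 * i, volts, deg_f))
    print("aligned:", shape_errors(rows) or "ok",
          "end %05X" % end_address(START, rows))
    # Same bytes read from one byte further on, as a wrong def address would.
    print("shifted by 1:", shape_errors(decode_rows(DUMP[1:])))
```

A start address that is off by even one byte fails the first check, which is a quick way to test an XDF address before trusting the table it shows.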

Post by OzFalcon » Sun Feb 20, 2022 2:09 am

ok so i made a WANA_dir.txt file

put this in it, which i took from the WANA_msg.txt file outputted by SAD406
(yes i am still using SAD406 because it gave the correct tables addresses that i found manually..)

rbase 62 680
rbase 64 780
rbase 66 880
rbase 68 980
rbase 6a a80
rbase 6c b80
rbase 6e d94
rbase 70 1080
rbase 72 1180
rbase f0 12060 # cmd
rbase f2 126bc # cmd
rbase f4 134fa # cmd
rbase f6 14832 # cmd
rbase f8 1502c # cmd
rbase fa 1577e # cmd
rbase fc 15bbe # cmd
rbase fe 17c8a # cmd

I then re-ran SAD406...

the results are exactly the same.. my first WANA_lst file is the same as this one run with the dir file.
how was this dir file and the rbase command supposed to help? what am i missing/ not understanding?

Q.. are these rbase values permanent (RAM??) addresses stored in the chips onboard memory..
are they the "payload" addresses for things like KAMRF and LAMBSE and RPM etc etc?

if so wouldnt it be better to label them something helpful so u can see them in the lst file output?

Q. what is the SYM command used for and can i use that at this point..

attached is the 2nd WANA_lst.txt file i ran after making the dir file and running it through SAD406..
Attachments:
WANA_dir.txt (350 Bytes)
WANA_lst.txt (1.69 MiB)

Post by jsa » Sun Feb 20, 2022 3:06 am

OzFalcon wrote: Sun Feb 20, 2022 2:09 am
> ok so i made a WANA_dir.txt file
>
> put this in it, which i took from the WANA_msg.txt
>
> the results are exactly the same.. my first WANA_lst file is the same as this one run with the dir file.
> how was this dir file and the rbase command supposed to help? what am i missing/ not understanding?

Msg contains a list of commands that SAD found automatically plus those from the DIR.
It also contains warnings and errors if there are any.

As you copied over from MSG without change, nothing is going to change in LST.

SAD used to do very little without a DIR, but now it gets a lot right automatically and a little wrong. 4.06 gets more wrong than 40716.

DIR is for the user to DIRect SAD where needed. Rbase was not needed in DIR as it happened automatically as seen in MSG.

Have you read SAD help?
https://github.com/tvrfan/EEC-IV-disass ... aster/Docs
https://github.com/tvrfan/EEC-IV-disass ... rsions.txt

> Q.. are these rbase values permanent (RAM??) addresses stored in the chips onboard memory..
> are they the "payload" addresses for things like KAMRF and LAMBSE and RPM etc etc?

Rbases are values used by certain addressing modes as a base to offset from.

Read about it in this reference manual.
https://github.com/OpenEEC-Project/Usef ... Manual.pdf

Payloads are all the parameters that are logged. KAMRF and LAMBSE and RPM are 3 examples.

> if so wouldnt it be better to label them something helpful so u can see them in the lst file output?
>
> Q. what is the SYM command used for and can i use that at this point..

Yes you can use sym to name them.

Read the SAD help file.

Do the stuff in my previous post.

Post by jsa » Sun Feb 20, 2022 3:17 am

Rbase in action

Code: Select all

rbase 62 680

021d9: a3,62,ce,38        ldw   R38,[R62+ce]     R38 = [64e];

Post by OzFalcon » Sun Feb 20, 2022 6:55 am

jsa wrote: Fri Feb 18, 2022 7:19 pm
> These DIR commands were written using the info in your V8 XDF from above.
> Copy and paste the following to your DIR;
>
> Code: Select all
>
> fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer"      :UW V12800 :SW V128 P5  # From OzFalcon V8 xdf
>
> tab 136B8 13723 "T.FN1360_FuelStabilisedTbl"     :O12 UY V8.7432 P1      # From OzFalcon V8 xdf
> tab 13724 1377D "T.FN1362_FuelBaseTbl"           :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
> tab 1377E 137CD "T.FN1361_FuelStartupTbl"        :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
>
> Go ahead and add in all the other parameters you think you have right. Post it up here for review.
>
> You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
> Copy and paste the following to your DIR;
>
> Code: Select all
>
> 124B5 \n\n# \t40Volts \t54F*

ok so added all the tables and functions that i thought were right..

i also cleaned up the def file so that has changed, i deleted a lot of the tables and functions that werent right..

there are also some scalars that i would like to add to the dir file but what do u refer to them as

"124B5 \n\n# \t40Volts \t54F*" ... i have no idea what that is.. i put it in the dir file as you said... couldnt see anything in the lst that was different as a result..

also i noticed u used fun and tab instead of func and table... i used func because that was what the lst file called it, but used tab for the tables (i got lazy and gave up shortening them.. (((OK - i ran the test and you must call it fun and tab else it doesnt work))) leaving this here for anyone else in the future trying to do this..

also is it fine to use spaces when naming the tables for SAD? (((OK - i ran a test and you must NOT use spaces else it doesnt work))) leaving this here for anyone else in the future trying to do this..

i also didnt provide the divisions for the functions (V12800 :SW V128 P5) and that last bit on each table (the V8.7432 P1 that u had -- i couldnt see where it came from so i left it off) plus it was a lot of effort to go back and forward looking at the defs... besides it doesnt help much at the moment

here is the dir file i made
and here is the updated def
Attachments:
WANA_dir.txt (1.99 KiB)
N9XL1N6_v11 Corrected for WANA.xdf (55.81 KiB)

Post by OzFalcon » Sun Feb 20, 2022 8:54 am

ok so after spending a couple of hours looking at and scrolling through the new lst files generated using my new dir file it seems i am going in circles..

at this stage it is probably pretty clear that i have absolutely no idea what i am doing..
i am so off the path that i dont even know what i am trying to do anymore..

the only thing i have actually achieved is the cleaning up of the def file by looking at other working defs and finding the same byte patterns in my bins (which i then update the def with)..

the disassemblers havent shown me anything and all the posts i read confuse me.. all the guides ive read are for very experienced programmers and it all just goes from 0-100 in the blink of an eye..

i started out wanting to be able to read things like KAM and LAMBSE as the QH is supposed to be good for that ... well all ive used it for is reading a bin and making basic changes .. to get data all i knew was that i needed patch code and an ADX.. just even finding out what those were was a major effort..

i then went looking at the disassemblers because that is what i "thought" you were supposed to use to find the hidden addresses of the payload data (am i even referring to this correctly??).. i then thought oh, the disassemblers can find tables and functions.. oh that would be handy i thought because my tables and functions were a mess... well it didnt help me find any... the opposite -- i found the tables for it -- im telling it where the tables are... what is even the point...
well it seems it can and cant .. it can find them but given there is literally hundreds of functions and tables it doesnt help much at all.. and then it misses the MAJOR and most important tables u need -- the spark and fuel tables!!

sorry to sound ungrateful, i certainly am not, i do appreciate the time spent helping... just the past 3/4 days efforts are making me feel stupid..

Post by jsa » Sun Feb 20, 2022 9:01 pm

OzFalcon wrote: Sun Feb 20, 2022 6:55 am
> jsa wrote: Fri Feb 18, 2022 7:19 pm
> > These DIR commands were written using the info in your V8 XDF from above.
> > Copy and paste the following to your DIR;
> >
> > Code: Select all
> >
> > fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer"      :UW V12800 :SW V128 P5  # From OzFalcon V8 xdf
> >
> > tab 136B8 13723 "T.FN1360_FuelStabilisedTbl"     :O12 UY V8.7432 P1      # From OzFalcon V8 xdf
> > tab 13724 1377D "T.FN1362_FuelBaseTbl"           :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
> > tab 1377E 137CD "T.FN1361_FuelStartupTbl"        :O10 UY V8.7432 P1      # From OzFalcon V8 xdf
> >
> > Go ahead and add in all the other parameters you think you have right. Post it up here for review.
> >
> > You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
> > Copy and paste the following to your CMT;
> >
> > Code: Select all
> >
> > 124B5 \n\n# \t40Volts \t54F*

Sorry, Copy and Paste, failed to edit error on my part. It has to go in the CMT file only.
Attachments:
WANA_CMT.txt (32 Bytes)

Post by jsa » Sun Feb 20, 2022 11:24 pm

OzFalcon wrote: Sun Feb 20, 2022 6:55 am
> ok so added all the tables and functions that i thought were right..

Ok, so I ran your DIR and looked at MSG. You can't have repeats. Keep the DIR entries in a logical, sequential and tidy order, otherwise we'll get nowhere. No Mess

I'll post an amended DIR below.

Code: Select all

## fun 12122 1212b "VE_Multiplier_for_ACT"  : SY :UY 
 Warning - Duplicate Command
 Warning - Symname replaces previous "VE_Multiplier_for_ACT"

## fun    12562 12579  "possible_MAP_Transfer_Function"   : UW  : UW 
 Warning - Duplicate Command
 Warning - Symname replaces previous "possible_MAP_Transfer_Function"

## fun    125a6 125d5  "Table_Scaler_for_Abs_Exhaust_Pressure"   : UW  : UW 
 Warning - Duplicate Command
 Warning - Symname replaces previous "Tbl_Sclr_for_Abs_Exhst_Press"

## fun    125d6 125f1  "Table_Scaler_for_RPM"   : UW  : UW 
 Warning - Duplicate Command
 Warning - Symname replaces previous "Table_Scaler_for_RPM"

## fun    1261a 12635 "Table_Scaler_for_MAP"         :UW :UW
 Warning - Duplicate Command
 Warning - Symname replaces previous "Table_Scaler_for_MAP"

> i also cleaned up the def file so that has changed, i deleted a lot of the tables and functions that werent right..

Ok, not looked at it, spent available time on DIR.

> there are also some scalars that i would like to add to the dir file but what do u refer to them as

That would depend on what they are. Post some details.

> also i noticed u used fun and tab instead of func and table... i used func because that was what the lst file called it, but used tab for the tables (i got lazy and gave up shortening them..

Three letter commands are in the SAD help file I linked above. Try using 4.07.16 instead of 4.06. Let me know how you get on.

> also is it fine to use spaces when naming the tables for SAD?

Nope, follow the examples in the help file linked above.

> i also didnt provide the divisions for the functions (V12800 :SW V128 P5) and that last bit on each table (the V8.7432 P1 that u had -- i couldnt see where it came from so i left it off) plus it was a lot of effort to go back and forward looking at the defs... besides it doesnt help much at the moment

128/14.64=8.7432
[Image: 84732.PNG]
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
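
An added example, not part of SAD or of jsa's post: a Python pre-check for a DIR file that reports the repeats MSG warns about above, names containing spaces, overlapping ranges, and ranges that do not hold a whole number of rows. It assumes `UY`/`SY` are one-byte and `UW`/`SW` two-byte entries and that `O<n>` is a table's column count, which is consistent with the address ranges quoted in this thread; the sample DIR is constructed from those lines with faults added, and the function names are hypothetical.

```python
import re

# Assumed entry sizes in bytes (consistent with the ranges in this thread).
ELEM_BYTES = {"UY": 1, "SY": 1, "UW": 2, "SW": 2}
ENTRY = re.compile(
    r'^(fun|tab)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"(.*)$', re.I)

# Constructed sample: the first four lines appear in the thread, line 5 is a
# repeat, line 6 has a space in its name and ends one byte short.
SAMPLE_DIR = '''\
fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer"  :UW V12800 :SW V128 P5
tab 136B8 13723 "T.FN1360_FuelStabilisedTbl" :O12 UY V8.7432 P1
tab 13724 1377D "T.FN1362_FuelBaseTbl"       :O10 UY V8.7432 P1
fun 125d6 125f1 "Table_Scaler_for_RPM"       :UW :UW
fun 125d6 125f1 "Table_Scaler_for_RPM"       :UW :UW   # repeat
tab 1377E 137CC "Fuel Startup Tbl"           :O10 UY   # constructed faults
'''


def row_bytes(kind, opts):
    """Bytes per row implied by the options, or None if it cannot be told."""
    tokens = [t for group in opts.split(":") for t in group.split()]
    sizes = [ELEM_BYTES[t.upper()] for t in tokens if t.upper() in ELEM_BYTES]
    if kind == "fun":
        # One input entry plus one output entry per row.
        return sum(sizes) if len(sizes) == 2 else None
    cols = [int(t[1:]) for t in tokens if re.fullmatch(r"[Oo]\d+", t)]
    return cols[0] * sizes[0] if cols and sizes else None


def lint(text):
    """Return (line number, code, detail) findings for fun/tab commands."""
    findings, seen, spans = [], {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        kind, name = m[1].lower(), m[4]
        start, end = int(m[2], 16), int(m[3], 16)
        if (kind, start) in seen:
            findings.append((n, "duplicate",
                             "same start as line %d" % seen[(kind, start)]))
            continue
        seen[(kind, start)] = n
        if re.search(r"\s", name):
            findings.append((n, "space-in-name", name))
        per_row = row_bytes(kind, m[5])
        if per_row and (end - start + 1) % per_row:
            findings.append((n, "partial-row", "%d bytes, %d per row"
                             % (end - start + 1, per_row)))
        spans.append((start, end, n))
    spans.sort()
    for (_, end1, n1), (start2, _, n2) in zip(spans, spans[1:]):
        if start2 <= end1:
            findings.append((n2, "overlap", "overlaps line %d" % n1))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in lint(SAMPLE_DIR):
        print("line %d: %s (%s)" % (line_no, code, detail))
```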

Post by jsa » Sun Feb 20, 2022 11:45 pm

OzFalcon wrote: Sun Feb 20, 2022 8:54 am
> ok so after spending a couple of hours looking at and scrolling through the new lst files generated using my new dir file it seems i am going in circles..
>
> at this stage it is probably pretty clear that i have absolutely no idea what i am doing..
> i am so off the path that i dont even know what i am trying to do anymore..

There is a plan. You have tables and functions and you know what they are for. You can use that info to discover stuff, like payloads. Examples to follow.

You keep saying 4.06 is better at finding stuff, great, get the DIR setup so 4.07.16 finds the same stuff. You need to be using 4.07.16.

> the only thing i have actually achieved is the cleaning up of the def file by looking at other working defs and finding the same byte patterns in my bins (which i then update the def with)..

Good, that is progress also.

> the disassemblers havent shown me anything and all the posts i read confuse me..

The disassemblers have turned hexadecimal into something we can comprehend.

> i started out wanting to be able to read things like KAM and LAMBSE as the QH is supposed to be good for that ... well all ive used it for is reading a bin and making basic changes .. to get data all i knew was that i needed patch code and an ADX.. just even finding out what those were was a major effort..

You need the addresses of the payloads you want to log.
You need a place for the patchcode to go in the binary.

> i then went looking at the disassemblers because that is what i "thought" you were supposed to use to find the hidden addresses of the payload data (am i even referring to this correctly??).. i then thought oh, the disassemblers can find tables and functions.. oh that would be handy i thought because my tables and functions were a mess... well it didnt help me find any... the opposite -- i found the tables for it -- im telling it where the tables are... what is even the point...

There is no magic wand, just time and effort to find what you need in the LST.
You can compare your disassembly subroutines to the strategy books available on github to see what the parameters are.
You can compare your disassembly subroutines to other strategy disassembly subroutines available on github to see what the parameters are.

> sorry to sound ungrateful, i certainly am not, i do appreciate the time spent helping... just the past 3/4 days efforts are making me feel stupid..

Chin up, you're trying to jump to the good stuff without reading and understanding the available literature first.

Post by jsa » Mon Feb 21, 2022 12:07 am

So, having run the updated DIR, search LST for LU_

A table we know about can be found, along with the lookup.
Having read and understood the software manual linked above, you will follow this code to the subroutine @ 8453C.
You will see;
Arg 1 is the location of the function
Arg 2 is the input value to lookup
R40 has the output value from the lookup
0x108CE is the address where the output value is stored

Code: Select all

84fe8: ef,51,f5           call  8453c            UUWFuncLU_8453c (
84feb: 76,05                    #arg 1              Table_Scaler_for_RPM,
84fed: 10,06                    #arg 2              610 );
84fef: c3,66,4e,40        stw   R40,[R66+4e]     [108ce] = R40;
If your naming is correct then 0x00610 contains RPM and 0x108CE contains the table scaler.
You have a payload for RPM.

Two entries get added to the DIR.

Code: Select all

SYM   610 "RPM"                             #UW # L84FED


SYM 108CE "RPM_Sclr"                        #UW # L84FEF
Run the updated DIR.
Search LST for RPM
As above, you now know func_1450e uses RPM

Code: Select all

86874: ef,c5,dc           call  8453c            UUWFuncLU_8453c (
86877: 14,50                    #arg 1              Func_1450e,
86879: 10,06                    #arg 2              RPM );
Another entry gets added to DIR.
The function output is unknown at this point.

Code: Select all

fun 1450E 1452D "F.1450E_RPM_???"                :UW :UW                 #
You can search LST for RPM_Sclr and find;

Code: Select all

86f05: a3,66,4e,38        ldw   R38,[R66+4e]     R38 = RPM_Sclr;
86f09: a3,66,50,3a        ldw   R3a,[R66+50]     R3a = [108d0];
86f0d: ad,0a,3c           ldzbw R3c,a            wR3c = a;
86f10: 45,de,12,f4,40     ad3w  R40,Rf4,12de     R40 = Table_147d8;
You can make a table entry in DIR. Hint a is 10.

You can search for all LU_ in LST and add more entries to DIR.

Updated DIR here
WANA_dir.txt (2.25 KiB)
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
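
The operand arithmetic behind jsa's "Rbase in action" post and the LU_ walkthrough above, as an added Python example (not SAD's code): it resolves rbase-relative operands from the listing bytes using the rbase list posted in this thread. The short-indexed offset byte is signed, which is why [R62+ce] is 0x64e rather than 0x74e; only the three opcodes shown in the listings are handled, and the function names are hypothetical.

```python
# rbase lines copied from the WANA_dir.txt list posted earlier in the thread.
RBASE_LINES = """\
rbase 62 680
rbase 64 780
rbase 66 880
rbase 68 980
rbase 6a a80
rbase 6c b80
rbase 6e d94
rbase 70 1080
rbase 72 1180
rbase f0 12060 # cmd
rbase f2 126bc # cmd
rbase f4 134fa # cmd
rbase f6 14832 # cmd
rbase f8 1502c # cmd
rbase fa 1577e # cmd
rbase fc 15bbe # cmd
rbase fe 17c8a # cmd
"""


def parse_rbase(text):
    """Map register number -> constant base address from rbase lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0].lower() == "rbase":
            table[int(fields[1], 16)] = int(fields[2], 16)
    return table


def signed8(value):
    """Interpret one byte as a two's-complement offset."""
    return value - 0x100 if value & 0x80 else value


def resolve(insn, rbase):
    """Return the address an instruction refers to, or None.

    insn is the comma-separated byte string from the listing. None means
    the register involved is not an rbase, so nothing is known statically.
    """
    b = bytes.fromhex(insn.replace(",", ""))
    op = b[0]
    if op in (0xA3, 0xC3):      # ldw / stw indexed: base reg, offset, reg
        if b[1] & 1:
            raise ValueError("long-indexed form is not handled here")
        base = rbase.get(b[1])
        return None if base is None else base + signed8(b[2])
    if op == 0x45:              # ad3w immediate: imm16 (LE), source, dest
        base = rbase.get(b[3])
        if base is None:
            return None
        return base + int.from_bytes(b[1:3], "little")
    raise ValueError("opcode %02x is not handled here" % op)


if __name__ == "__main__":
    rb = parse_rbase(RBASE_LINES)
    # Instruction bytes copied from jsa's listings. The later listing prints
    # the two R66 operands with a leading bank digit (108ce, 108d0).
    for insn in ("a3,62,ce,38", "c3,66,4e,40", "a3,66,50,3a",
                 "45,de,12,f4,40"):
        print("%-16s -> %x" % (insn, resolve(insn, rb)))
```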

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Post by jamie from oz » Fri Sep 23, 2022 7:55 am

how do you put the rpm [610] into a payload to log ?
as it is above the hidden ram how do we make the QH read it?

cmd hex string example from an ADX .
0x51 0x54 0x01 0x01 0x1F 0x1F 0x02 0x01 0x16 0x16 0x02 0x01 0x14 0x26 0x01 0x01 0xC0 0x79
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

Post by jsa » Fri Sep 23, 2022 2:09 pm

I don't use TP, in any case patchcode is not required.

This is GUFB payloads in BE. Row 17 is RPM for word size data.
Address would become 0x0610
[Image: Screenshot_20220924-065758_WPS Office.jpg]

tvrfan
Tuning Addict
Posts: 581
Joined: Sat May 14, 2011 11:41 pm
Location: New Zealand

Post by tvrfan » Fri Sep 23, 2022 3:24 pm

A couple of general notes in case they help everybody -

SAD is still a work in progress, and still being worked on (I am trying, but other stuff keeps getting in the way).
I designed it to be happy to run with NO _dir file. The base idea is you should get a mostly correct disassembly (the code anyway) and then use extra .dir commands to 'home in' and correct things (and set names). So unless you know that your bin matches exactly with one of the same strategy (which is unlikely), try not using a dir for the first run. And don't think SAD is always right....

For most code, SAD does a 'static' analysis.

First job is to identify the bank starts in the bin file. I had a method that works really well, until FM20M06 bin came along.
FM20M06 bin doesn't work because Ford broke its own coding rules for interrupts..... AARRGGGHHH!!!! I haven't sorted out how to get around this yet...

Second (biggest) job. Start at the very first jump (= bank 8 0x2000) run down the code and track all the jumps and calls as new places to start a scan. It continues until all the jumps and calls have been scanned. But this already needs some extra bits, as many subroutines are called from a 'master task list' of addresses, which use a PUSH(address), ... RET; to call each one.

Third job. Use a 'fingerprint' type match to find the main lookup routines (table and function), and then track back to find the addresses fed in to those subroutines to try to find the data structures. This is good in theory, but there are things that don't work. For example some of the later bins use a lookup list (one seems to even have a combo of table-func, table-func, table-func, in sets) and this is not handled properly.

There's other things too, but these are main jobs.

Some stuff is still TOUGH to sort out. Subroutines with arguments (=parameters) is an example, as some handle variable number of arguments, and the only way to sort this out is to do a local emulation of the code. Some bins (e.g. CARD) actually do a PUSH(address) to effectively insert an extra bit of code to be run. It's a total pain in the A*S, frankly. So from above, some subroutine calls are then marked as 'must emulate this bit' and done over.

SAD still misses some code after all the above, because of the use of code 'tricks'. These are not bad programming or anything, but can ruin my nice flow model of the code, and so SAD will miss a block now and then. Sometimes I reckon code shows a 'patch', a jump which looks to be inserted to jump over some code, that code is never called, so never disassembled...

YES there ARE both tables and functions which are DUMMY. It's NOT unusual to see a table with all zeroes or all 0xff, and functions with one 0xff and all zeroes. Either they aren't used in this strategy, or aren't used in this particular model/engine/trans(/country?) combination, but kept there for a 'marker' ?. I don't know why exactly.

And, now and again, some binary appears which has something different somewhere, and messes everything up (e.g. FM20M06) and I have to come up with a new fix ....

Yes, I am still looking at better ways to identify everything. I do have a 'scan_gaps' type pass in latest 'stable' release, but it also produces false data matches.... so I took it away in latest development versions....

Working on next major version now, but somehow it's been a year gone by....
Perhaps one of the alternate tools may prove to be better. I can handle that !
I don't know sometimes... perhaps there's a better way lurking out there ...
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Sat Sep 24, 2022 4:38 am

jsa wrote: Fri Sep 23, 2022 2:09 pm I don't use TP, in any case patchcode is not required.

This is GUFB payloads in BE. Row 17 is RPM for word size data.
Address would become 0x0610
Thanks jsa, I get it now and can probably make my file in BE also.

tvrfan and jsa, I find your work on SAD amazing and it's great that you are so willing to help.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jsa
Tuning Addict
Posts: 1201
Joined: Sat Nov 23, 2013 7:28 pm
Location: 'straya

Re: first steps - Disassembly - walkthrough

Post by jsa » Sat Sep 24, 2022 5:24 am

Cool and thanks.
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Sun Jan 15, 2023 3:19 pm

Was just looking through the WANA disassembly and want to confirm the checksum location and start/end points, as I can't seem to find the data in the code.
I think checksum is 0x1200a
is start 0x02000 and end 0x0ffff for bank 0 ??
is start 0x12000 and end 0x1ffff for bank 1 ??


Code: Select all

########################################################################
# Bank 1  file offset 12000-1ffff, (12000 - 1ffff)
########################################################################



12000: 27,fe              sjmp  12000            goto 12000;

12002: 0c,20              ???   

12004: 8e                 byte     8e
12005: 22                 byte     22
12006: ff                 byte     ff
12007: ff                 byte     ff
12008: ff                 byte     ff

12009: ff                 ???   

1200a: 59,46              word   4659
1200c: ff,ff              word   ffff
1200e: ff,ff              word   ffff

12010: 60,84              vect  18460            I1_HSO_0
12012: 65,84              vect  18465            I1_HSO_1
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Sun Jan 15, 2023 3:24 pm

and bank 8
check sum at 0x8200a
start 0x2000 and end at 0x0e000 ??

Code: Select all

########################################################################
# Bank 8  file offset 22000-2ffff, (82000 - 8ffff)
########################################################################



82000: ff                 nop                    
82001: fa                 di                     disable intps;
82002: e7,da,05           jump  825df            goto 825df;

82005: ff,ff,df,00,ff     ???   

8200a: de,c0              word   c0de
8200c: 00,e0              word   e000
8200e: 5d,00              word     5d

82010: 72,20              vect  82072            I8_HSO_0
82012: 75,20              vect  82075            I8_HSO_1
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

tvrfan
Tuning Addict
Posts: 581
Joined: Sat May 14, 2011 11:41 pm
Location: New Zealand

Re: first steps - Disassembly - walkthrough

Post by tvrfan » Sun Jan 15, 2023 9:09 pm

Jamie,

I ran your bin with SAD 4.0.6 (latest stable on SAD GIT website). This got quite a lot of data by the looks of it. Data is all in bank 1.
Those bank directives have the first two values as file offsets, so that if SAD gets the order or bank number wrong, the user can edit them to specify exactly what they/you want. Normally just leave them as comment.

A quick look at the listing seems pretty good, bank 9 is empty, code in banks 0 and 8 and data in bank 1. Looks like one of the common layouts. Interrupt handlers seem to line up, so chances are this is the right order.
8200a is checksum 'correction' value, so the checksum subroutine returns zero. Checksum subroutine is at 04511 I think. This looks like there is only ONE grand checksum value, as banks are added together?

The 8200c probably is end of ROM, but this is used to tell cal console (or other Ford plugin tools) where it can map a virtual memory block, and 8200e is nearly always 5d and has something to do with those tools too, but I can't remember exactly, it's something to do with I/O timer.

Hope that helps !
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Mon Jan 16, 2023 3:24 am

Thanks.
Just wasn't sure and wanted to check.

I use both 406 and 7###

Thank you very much.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jsa
Tuning Addict
Posts: 1201
Joined: Sat Nov 23, 2013 7:28 pm
Location: 'straya

Re: first steps - Disassembly - walkthrough

Post by jsa » Mon Jan 16, 2023 11:32 pm

jamie from oz wrote: Sun Jan 15, 2023 3:19 pm Was just looking through the WANA disassembly and want to confirm the checksum location and start/end points, as I can't seem to find the data in the code.
I think checksum is 0x1200a
is start 0x02000 and end 0x0ffff for bank 0 ??
is start 0x12000 and end 0x1ffff for bank 1 ??
Search for 2000 in the _LST to find candidates for the CheckSum Sub. Look for the Sub that compares Sum to Zero, and calls a fault code sub if not zero.

In the code below you can see where the start address is loaded prior to looping through each bank.
In the code below the CheckSum word end address for each bank is the value that exits the loop.

This CheckSum Sub is summing all banks together, so a single word in the CheckSum address ranges could be used for the correction of a change in any bank.

BE definitions have the end address as the high byte of the last word, so ending with FF, not FE.

Code: Select all

   Sub04511_CheckSum:
04511: 01,44              clrw  R44              R44 = 0;
04513: a1,00,20,42        ldw   R42,2000         R42 = 2000;                       # Bank 8 Checksum Start Address

     # JNC   Loop from L04523 for address 82000-8FFFC                              
04517: b1,ff,05           ldb   R5,ff            WDG_Timer = ff;
0451a: 10,08              rombk 8
0451c: 66,43,44           ad2w  R44,[R42++]      R44 += [R42++];
0451f: 89,fe,ff,42        cmpw  R42,fffe                                           # Bank 8 Checksum End Address
04523: d3,f2              jnc   04517            if (R42 < fffe) goto 04517;

     # Cont  from L04523 for address 8FFFE                                         
04525: 10,08              rombk 8
04527: 66,42,44           ad2w  R44,[R42]        R44 += [R42];                     # Sum Word 8FFFE
0452a: a1,00,20,42        ldw   R42,2000         R42 = 2000;                       # Bank 1 Checksum Start Address

     # JLEU   Loop from L04538 for address 12000-19FFE                             
0452e: b1,ff,05           ldb   R5,ff            WDG_Timer = ff;
04531: 66,43,44           ad2w  R44,[R42++]      R44 += [R42++];
04534: 89,fe,9f,42        cmpw  R42,9ffe                                           # Bank 1 Checksum End Address
04538: d1,f4              jleu  0452e            if (R42 <= 9ffe) goto 0452e;

     # Cont  from L04538 for address 1A000                                         
0453a: a1,00,20,42        ldw   R42,2000         R42 = 2000;                       # Bank 0 Checksum Start Address

     # JNC   Loop from L0454A for address 02000-0FFFC                              
0453e: b1,ff,05           ldb   R5,ff            WDG_Timer = ff;
04541: 10,00              rombk 0
04543: 66,43,44           ad2w  R44,[R42++]      R44 += [R42++];
04546: 89,fe,ff,42        cmpw  R42,fffe                                           # Bank 0 Checksum End Address
0454a: d3,f2              jnc   0453e            if (R42 < fffe) goto 0453e;

     # Cont  from L0454A for address 0FFFE                                         
0454c: 10,00              rombk 0
0454e: 66,42,44           ad2w  R44,[R42]        R44 += [R42];                     # Sum Word 0FFFE
04551: a1,00,20,42        ldw   R42,2000         R42 = 2000;                       # Bank 9 Checksum Start Address

     # JNC   Loop from L04561 for address 92000-9FEFC                              
04555: b1,ff,05           ldb   R5,ff            WDG_Timer = ff;
04558: 10,09              rombk 9
0455a: 66,43,44           ad2w  R44,[R42++]      R44 += [R42++];
0455d: 89,fe,fe,42        cmpw  R42,fefe                                           # Bank 9 Checksum End Address
04561: d3,f2              jnc   04555            if (R42 < fefe) goto 04555;

     # Cont  from L04561 for address 9FEFE                                         
04563: 10,09              rombk 9
04565: 66,42,44           ad2w  R44,[R42]        R44 += [R42];                     # Sum Word 9FEFE
04568: 88,00,44           cmpw  R44,R0           
0456b: df,05              je    04572            if (R44 != 0)  {

     # Cont  from L0456B Incorrect Checksum                                        
0456d: ef,90,0d           call  05300            Sub_05300 (
04570: 34,05                    #arg 1              534 ); }

     # JE    from L0456B correct Checksum = 0                                      
04572: f0                 ret                    return;

Search for ROM_TO and FIXSUM in the strategy documents. Their addresses are 0x200A and 0x2004 respectively.
But then Ford don't seem to read their own documents, WANA Bank 8 has code at 0x8004.

You could choose an address in fill for BE's ChecksumStore or ROM_TO.

Code: Select all

02004: ff,ff,ff,ff,ff,ff  ???   
0200a: ff,ff              word   ffff


12004: 8e                 byte     8e
12005: 22                 byte     22
12006: ff                 byte     ff
12007: ff                 byte     ff
12008: ff                 byte     ff
12009: ff                 byte     ff
1200a: 59,46              word   4659


   Sub82000_Boot:
82000: ff                 nop                    
82001: fa                 di                     interrupts OFF;
82002: e7,da,05           jump  825df            goto Sub825DF_Startup;
82005: ff,ff,df,00,ff     ???   
8200a: de,c0              word   c0de


92004: ff,ff,ff,ff,ff,ff  ???   
9200a: ff,ff              word   ffff
Last edited by jsa on Sat Jan 21, 2023 3:21 pm, edited 1 time in total.
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Tue Jan 17, 2023 3:23 am

Thanks for the guidance.

This is what I have put into the xls.

Code: Select all

Parameter	Value			
ChecksumStart0	2000			
ChecksumEdn0	FFFF			
ChecksumStart1	2000			
ChecksumEdn1	9FFF			
ChecksumStart8	2000			
ChecksumEdn8	FFFF			
ChecksumStart9	2000			
ChecksumEdn9	FEFF			
ChecksumStore	CHKSUM			( use 8200A)
Target_AFR	14.64			
BankCount	4			
PCMType	EEC_216K			
LTMTB1	0704			
LTMTB2	075A			
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Tue Jan 17, 2023 3:35 am

Not sure if there is a BE read of the WANA.bin,
so that 8200a is at 0x2800a in the bin I attached.
Attachment: BE_WANA.BIN (216 KiB)
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Fri Jan 20, 2023 7:42 pm

jsa wrote: Mon Jan 16, 2023 11:32 pm

This CheckSum Sub is summing all banks together, so a single word in the CheckSum address ranges could be used for the correction of a change in any bank.
When I set ROM_TO 0x1200a or any of the other possible checksum addresses it makes them 00 00 (previously was 59 46) without changing anything in the WANA.bin file, just hitting save..

I tried ROM_TO at an area of fill 0x18700 and it went from FF FF to 00 00 also in the bin file.

?? I was going to set 0x120BE from 01 to 00 to turn off smartshield then flash it back but not sure if this will need checksum changed ???
or can I change the value at 0x1200a from 59 46 to 58 46 to correct checksum or change in fill at 0x18700 from FF to FE ??


Jamie.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

tvrfan
Tuning Addict
Posts: 581
Joined: Sat May 14, 2011 11:41 pm
Location: New Zealand

Re: first steps - Disassembly - walkthrough

Post by tvrfan » Fri Jan 20, 2023 10:04 pm

Jamie, John,

It looks to me that the checksum routine has the start and end addresses set directly in the code itself.

I have never used BE, but in case you want to drop the checksum entirely, the simplest fix is probably to overwrite addresses 0456d to 04570 with 0xff (= NOP). That way the error routine is never called. That assumes you have a modifiable copy of the ROM of course.
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler

jamie from oz
Regular
Posts: 143
Joined: Wed Oct 06, 2021 5:10 am

Re: first steps - Disassembly - walkthrough

Post by jamie from oz » Sat Jan 21, 2023 2:32 am

Thank you for that suggestion.

BE_WANA.

Code: Select all

04563: 10,09              rombk 9
04565: 66,42,44           ad2w  R44,[R42]        R44 += [R42];
04568: 88,00,44           cmpw  R44,R0           
0456b: df,05              je    04572            if (R44 != 0)  {
0456d: ef,90,0d           call  05300            Sub_05300 (
04570: 34,05                    #arg 1              534 ); }
04572: f0                 ret                    return;

BE_WANA_SMT_LOK_OFF run through SAD.

Code: Select all

04565: 66,42,44           ad2w  R44,[R42]        R44 += [R42];
04568: 88,00,44           cmpw  R44,R0           
0456b: df,05              je    04572            if (R44 != 0)  {
0456d: ff                 nop                    
0456e: ff                 nop                    
0456f: ff                 nop                    
04570: ff                 nop                    
04571: ff                 nop                     }
04572: f0                 ret                    return;
I might set BE ROM_TO 0x18700 that is in filler so BE thinks it's doing something and doesn't freak out.
Will flash it to a spare WANA EEC-V and see if it will run.

Thank you.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)

jsa
Tuning Addict
Posts: 1201
Joined: Sat Nov 23, 2013 7:28 pm
Location: 'straya

Re: first steps - Disassembly - walkthrough

Post by jsa » Sat Jan 21, 2023 7:19 am

jamie from oz wrote: Tue Jan 17, 2023 3:23 am Thanks for the guidance.

This is what I have put into the xls.

Code: Select all

Parameter	Value			
ChecksumStart0	2000			
ChecksumEdn0	FFFF			
ChecksumStart1	2000			
ChecksumEdn1	9FFF			
ChecksumStart8	2000			
ChecksumEdn8	FFFF			
ChecksumStart9	2000			
ChecksumEdn9	FEFF			
ChecksumStore	CHKSUM			( use 8200A)
Target_AFR	14.64			
BankCount	4			
PCMType	EEC_216K			
LTMTB1	0704			
LTMTB2	075A			
EDIT: see sailorbob's reply below.
This looks OK (NOT), with the proviso that you have a scalar for CHKSUM with address to suit the bin.

jamie from oz wrote: Fri Jan 20, 2023 7:42 pm When I set ROM_TO 0x1200a or any of the other possible checksum addresses it makes them 00 00 (previously was 59 46) without changing anything in the WANA.bin file, just hitting save..

Is ChecksumStore set to ROM_TO?

jamie from oz wrote: I tried ROM_TO at an area of fill 0x18700 and it went from FF FF to 00 00 also in the bin file.

Is ChecksumStore set to ROM_TO?

jamie from oz wrote: ?? I was going to set 0x120BE from 01 to 00 to turn off smartshield then flash it back but not sure if this will need checksum changed ???
or can I change the value at 0x1200a from 59 46 to 58 46 to correct checksum or change in fill at 0x18700 from FF to FE ??
Jamie.

Yes it will need a checksum adjustment.
An adjustment for the decrease from 01 to 00 would require an increase elsewhere.
IIRC it may not be as simple as adjusting an address of your choosing due to the impact of sum without carry, but give it a try and see what you get.
You can also use your hex editor to calculate the 16bit little endian no carry checksum of the edited BIN and change the bin as necessary to get zero.

tvrfan wrote: Fri Jan 20, 2023 10:04 pm Jamie, John,

It looks to me that the checksum routine has the start and end addresses set directly in the code itself.

I have never used BE, but in case you want to drop the checksum entirely, the simplest fix is probably to overwrite addresses 0456d to 04570 with 0xff (= NOP). That way the error routine is never called. That assumes you have a modifiable copy of the ROM of course.
Yes the addresses are immediate values.

0xF0, Return, at address 0x04511 would bypass the whole checksum, with the same risk of not catching any ROM check sum issue.

All that said, I have seen some unexpected checksum behaviour with older versions of BE when using ChecksumStore set to something other than ROM_TO at 0x200A.
Last edited by jsa on Sat Jan 21, 2023 2:56 pm, edited 1 time in total.
Cheers

John

95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
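
The summing done by the Sub04511_CheckSum listing earlier in the thread, and the "16bit little endian no carry" check mentioned in the reply above, as an added example that is not code from the thread, SAD or BE. The names `RANGES`, `rom_sum`, `fixup_value` and the per-bank dictionary indexed by CPU address are assumptions of this sketch, and the image it checks is constructed, not the WANA bin.

```python
import struct

# Inclusive first/last word addresses summed in each bank, read from the
# immediate values in the Sub04511_CheckSum listing (banks 8, 1, 0, 9).
RANGES = {8: (0x2000, 0xFFFE), 1: (0x2000, 0x9FFE),
          0: (0x2000, 0xFFFE), 9: (0x2000, 0xFEFE)}

def read_word(data, addr):
    """Little-endian 16-bit word at a CPU address within one bank."""
    return struct.unpack_from("<H", data, addr)[0]

def write_word(data, addr, value):
    struct.pack_into("<H", data, addr, value & 0xFFFF)

def rom_sum(banks):
    """16-bit sum, carry discarded, over every summed word of every bank.

    `banks` maps bank number -> 64 KiB buffer indexed by CPU address
    (assumption: the caller has already split the dump into banks).
    The routine in the listing treats a result of 0 as a good ROM.
    """
    total = 0
    for bank, (first, last) in RANGES.items():
        count = (last - first) // 2 + 1
        words = struct.unpack_from("<%dH" % count, banks[bank], first)
        total = (total + sum(words)) & 0xFFFF
    return total

def fixup_value(banks, bank, addr):
    """Value the word at `addr` must hold for rom_sum() to return 0."""
    first, last = RANGES[bank]
    if addr % 2 or not first <= addr <= last:
        raise ValueError("fix-up word must be word-aligned and inside a summed range")
    return (read_word(banks[bank], addr) - rom_sum(banks)) & 0xFFFF

def make_constructed_banks():
    """Constructed test image: 0xFF fill, one calibration byte, balanced sum."""
    banks = {b: bytearray(b"\xff" * 0x10000) for b in RANGES}
    banks[1][0x3000] = 0x01                      # constructed calibration byte
    write_word(banks[1], 0x200A, fixup_value(banks, 1, 0x200A))
    return banks

if __name__ == "__main__":
    banks = make_constructed_banks()
    print("sum before edit: %04x" % rom_sum(banks))
    banks[1][0x3000] = 0x00                      # low byte of a summed word drops by 1
    print("sum after edit:  %04x" % rom_sum(banks))
    new = fixup_value(banks, 1, 0x200A)
    write_word(banks[1], 0x200A, new)
    print("fix-up word %04x, sum now %04x" % (new, rom_sum(banks)))
```

Running `rom_sum` on a dump before flashing gives the same pass/fail answer the ECU routine computes, provided the dump has been split into banks with the file offsets that apply to that particular read.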

sailorbob
BIN Hacker
Posts: 1760
Joined: Tue Jul 12, 2005 6:10 am

Re: first steps - Disassembly - walkthrough

Post by sailorbob » Sat Jan 21, 2023 10:57 am

BE probably is not calculating the checksum because you have 'ChecksumEdn' instead of 'ChecksumEnd' in your definition.

The ROM_TO value is at 0x12004.

You also need to have the 'EEC' parameter in the 'Confg' worksheet set to 'True'.
