first steps - Disassembly - walkthrough
hi guys,
this topic is about me as a beginner trying to sort out a partially correct definition file..
i will be using the SAD (Semi Automatic Disassembler for Ford EEC-IV and V binaries) from here --->
https://github.com/tvrfan/EEC-IV-disass ... 407_16.exe
the bin is from a 1999 Au1.5 Ford falcon (australian) 6cyl it is WANA catch code.
I pulled the bin myself using quarterhorse (QH) and TunerProRT (TPRT), so it is a 256K file.
a WANA bin was also available from Ti, but it has 14 bytes difference right near the end of the file.. the ti having all FF in those 14 bytes and mine have something else.. not sure why the difference but i am ignoring it for now and using my bin not theirs..
the def i am using to begin with is one from TiPerformance .. ---> https://www.tiperformance.com.au/Defini ... XL1_v4.xdf
OK,
lets start..
first problem upon opening up the bin and def in TPRT is that i can see obvious errors in some of the tables..
starting from the top :
adaptive fuel (12x9) - has all cells filled with 255 -- is this data valid - -doubtful.. col/row labelling seems right
Fuel Base Table -- values are all over the place -- table is obviously not aligned properly, starting address is wrong.. col/row labeling wrong
Fuel startup table -- values all over the place --- col/row labels missing/wrong
MFA fuel multiplier table --- values wrong -- cols labelled correct, rows labelled wrong
spark table borderline knock -- values wrong -- col/row labels seem correct
spark table borderline knock MPG -- values wrong -- col/row labels seem correct
from previous experience i know what roughly these tables should look like and i am able to mostly correct them manually by just looking in the bins using other good bins and defs from ti as a guide, but this is still not always working..
anyway I am confident that i have the spark and fuel tables correct.. with my corrected def . . "N9XL1N6_v8 Corrected for WANA.xdf"
i would like to use the disassemblers and see what they can do..
so then i tried to use https://github.com/tvrfan/EEC-IV-disassembler and the guide on decipha's site http://www.efidynotuning.com/dis.htm
but it all went wrong when it got to the _msg.txt - Messages with no real explanation of what was going on or why..
then i went to the SAD806x disassembler https://github.com/OpenEEC-Project/SAD806x and read the SAD806x.pdf ..
but again it went wrong when the first thing i read is :
"Installation:
SAD806x can be installed everywhere on a Microsoft Windows system, using Framework 2.0
at least. Following files should be present in its folder to permit it to work properly:
- SAD806x.exe : the executable file.
- NCalc.dll : Mathematical Expressions Evaluator for .NET
(https://github.com/sheetsync/NCalc)
- System.Windows.Forms.DataVisualization.dll : Microsoft Charting for .NET "
well Ncalc.dll wasnt available on that link, and where do you get System.Windows.Forms.DataVisualization.dll , maybe i have it already but couldnt find it on my system..
anyway ...
i went ahead and ran the SAD_407_16.EXE
AND well well well ... it didnt find any of the tables that i was sure i had found.. it did find 43 tables (supposedly)..
but it didnt locate :
fuel base
fuel stabilized
fuel startup
MFA fuel multiplier
spark mbt
spark mbt mpg
spark bdln knock
spark bdln knock mpg
volumetric eff
and these were the ones i thought i had right..
SO OK.. where to now?
what is the next step?
what did it get right?
(see following post for all the files i used)
Last edited by OzFalcon on Fri Feb 18, 2022 9:44 am, edited 3 times in total.
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
i have no idea where the files i attached are..
i will try to attach them here
Attachments:
- N9XL1N6_v8 Corrected for WANA.xdf (112.15 KiB)
- WANA_msg.txt (79.32 KiB)
- WANA_lst.txt (1.43 MiB)
- WANA.bin (256 KiB)
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
I now just ran the SAD806x.exe..
1st thing was an error but it did run -- the error was "calibration elements conflict : 1 5a58 vs 5a59".. what does this mean.. can it be ignored?
aside from that, it gave the same results as SAD_407_16.exe..
43 tables found... but none of the ones i expected or needed..
was hoping it would confirm that my table xdf was correct.. either it didnt find them or i was wrong in my address... i m 95% confident that i have those tables right..
one thing to answer for my previous questions is that SAD806x installs those Ncalc.dll and the other files.. so that is that answered
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
OzFalcon wrote: ↑Fri Feb 18, 2022 9:12 am
> the bin is from a 1999 Au1.5 Ford falcon (australian) 6cyl it is WANA catch code.
> I pulled the bin myself using quarterhorse (QH) and TunerProRT (TPRT), so it is a 256K file.
> a WANA bin was also available from Ti, but it has 14 bytes difference right near the end of the file.. the ti having all FF in those 14 bytes and mine have something else.. not sure why the difference but i am ignoring it for now and using my bin not theirs..
Use the BIN you pulled from your car to tune with.
OzFalcon wrote:
> first problem upon opening up the bin and def in TPRT is that i can see obvious errors in some of the tables..
> starting from the top :
Yep, still errors in the ACT Transfer function address, in the Corrected v8 xdf you posted above.
Note the input range from maximum to minimum.
Code:
# Volts F*
F.?703A_ECT?/ACT_Transfer:
124b6: ff,ff,00,ec func 5.12 , -40
124ba: c0,ff,00,ec func 5.11 , -40
124be: 80,f7,00,f5 func 4.95 , -22
124c2: 48,f0,00,fe func 4.81 , -4
124c6: 00,e7,00,07 func 4.62 , 14
124ca: f3,da,00,10 func 4.38 , 32
124ce: b3,cb,00,19 func 4.07 , 50
124d2: cd,b6,00,22 func 3.66 , 68
124d6: e6,a0,00,2b func 3.22 , 86
124da: 0d,89,00,34 func 2.74 , 104
124de: 33,73,00,3d func 2.3 , 122
124e2: 26,60,00,46 func 1.92 , 140
124e6: 40,4d,00,4f func 1.54 , 158
124ea: 8d,3e,00,58 func 1.25 , 176
124ee: 80,31,00,61 func 0.99 , 194
124f2: da,26,00,6a func 0.78 , 212
124f6: 80,1d,00,73 func 0.59 , 230
124fa: 00,14,00,7c func 0.4 , 248
124fe: 00,00,00,7f func 0 , 254
OzFalcon wrote:
> anyway I am confident that i have the spark and fuel tables correct.. with my corrected def . . "N9XL1N6_v8 Corrected for WANA.xdf"
So define them in WANNA_DIR.txt
OzFalcon wrote:
> anyway ...
> i went ahead and ran the SAD_407_16.EXE
> AND well well well ... it didnt find any of the tables that i was sure i had found.. it did find 43 tables (supposedly)..
> but it didnt locate :
> fuel base
> fuel stabilized
> fuel startup
> ....
> and these were the ones i thought i had right..
> SO OK.. where to now?
If you are sure you are right, DIRect SAD to do what you want.
SAD's golden rule; The user is always right.
I took your WANNA.bin from above and created a WANNA_DIR.txt file in the same folder as the bin.
These DIR commands were written using the info in your V8 XDF from above.
Copy and paste the following to your DIR;
Code:
fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer" :UW V12800 :SW V128 P5 # From OzFalcon V8 xdf
tab 136B8 13723 "T.FN1360_FuelStabilisedTbl" :O12 UY V8.7432 P1 # From OzFalcon V8 xdf
tab 13724 1377D "T.FN1362_FuelBaseTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf
tab 1377E 137CD "T.FN1361_FuelStartupTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf
You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
Copy and paste the following to your CMT;
Code:
124B5 \n\n# \t40Volts \t54F*
Last edited by jsa on Sun Feb 20, 2022 2:14 pm, edited 1 time in total.
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
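A worked decoder for the `fun` line jsa posted, added here as an example (my own code, not SAD's and not anything posted in this thread). It reads the 4-byte rows at 124B6 exactly as the LST excerpt lists them, applies the `:UW V12800 :SW V128` scaling, and checks that the input column runs steadily from maximum to minimum, which is the quickest way to tell a correctly placed function from one whose start address is off by a byte or two. The type codes and the V divisor follow the directive syntax used in the thread; the token parsing and the monotonic-input check are my assumptions, not SAD's own rules.

```python
"""Decode a SAD 'fun' directive over raw EEC-V binary bytes and sanity-check it.

Added example, my own code, not part of this thread or of the SAD project.
It reproduces the numbers SAD prints for jsa's line
    fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer" :UW V12800 :SW V128 P5
by reading each 4-byte row as (input word, output word), little-endian,
and dividing by the V scaling. The type codes UW/SW/UY/SY and the V divisor
are taken from the directive syntax used in the thread; how the tokens are
parsed below is my assumption, not SAD's parser. The bytes are the ones
listed in jsa's LST excerpt.
"""
import re
import struct

# 19 rows x 4 bytes at 0x124B6, copied from the LST excerpt in the thread.
ACT_FUNC_BASE = 0x124B6
ACT_FUNC_BYTES = bytes.fromhex(
    "ffff00ec" "c0ff00ec" "80f700f5" "48f000fe" "00e70007"
    "f3da0010" "b3cb0019" "cdb60022" "e6a0002b" "0d890034"
    "3373003d" "26600046" "404d004f" "8d3e0058" "80310061"
    "da26006a" "801d0073" "0014007c" "0000007f"
)
ACT_DIRECTIVE = ('fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer" '
                 ':UW V12800 :SW V128 P5 # From OzFalcon V8 xdf')

# SAD element type -> struct code (8061/8065 words are little-endian)
TYPE_CODE = {"UW": "H", "SW": "h", "UY": "B", "SY": "b"}

FUN_RE = re.compile(r'^\s*fun\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"(.*)$', re.I)
COL_RE = re.compile(r':\s*([US][WY])(?:\s+V([0-9.]+))?', re.I)


def parse_fun_directive(line):
    """Return (start, end, name, [(type, divisor), ...]); '#' starts a comment."""
    m = FUN_RE.match(line.split("#", 1)[0])
    if not m:
        raise ValueError("not a fun directive: " + line)
    cols = [(t.upper(), float(v) if v else 1.0) for t, v in COL_RE.findall(m.group(4))]
    if not cols:
        raise ValueError("fun directive has no column types")
    return int(m.group(1), 16), int(m.group(2), 16), m.group(3), cols


def decode_fun(line, image, image_base):
    """Decode the rows the directive covers; `image` starts at address `image_base`."""
    start, end, _name, cols = parse_fun_directive(line)
    row_fmt = "<" + "".join(TYPE_CODE[t] for t, _ in cols)
    row_size = struct.calcsize(row_fmt)
    span = end - start + 1                     # SAD's end address is inclusive
    if span % row_size:
        raise ValueError(f"{span} bytes is not a whole number of {row_size}-byte rows")
    off = start - image_base
    if off < 0 or off + span > len(image):
        raise ValueError("directive range lies outside the supplied bytes")
    rows = []
    for i in range(span // row_size):
        raw = struct.unpack_from(row_fmt, image, off + i * row_size)
        rows.append(tuple(v / d for v, (_, d) in zip(raw, cols)))
    return rows


def inputs_monotonic(rows):
    """A function's input column must run steadily one way (max to min here);
    a start address that is off by a byte or two breaks that, so this is a
    cheap alignment check (my heuristic, not a SAD rule)."""
    xs = [r[0] for r in rows]
    pairs = list(zip(xs, xs[1:]))
    return all(a >= b for a, b in pairs) or all(a <= b for a, b in pairs)


if __name__ == "__main__":
    rows = decode_fun(ACT_DIRECTIVE, ACT_FUNC_BYTES, ACT_FUNC_BASE)
    for volts, degf in rows:
        print(f"{volts:5.2f} V -> {degf:6.1f} F")
    print("aligned:", inputs_monotonic(rows))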
Re: first steps - Disassembly - walkthrough
ok so i made a WANA_dir.txt file
put this in it, which i took from the WANA_msg.txt file outputed by SAD406
(yes i am still using SAD406 because it gave the correct tables addresses that i found manually..)
rbase 62 680
rbase 64 780
rbase 66 880
rbase 68 980
rbase 6a a80
rbase 6c b80
rbase 6e d94
rbase 70 1080
rbase 72 1180
rbase f0 12060 # cmd
rbase f2 126bc # cmd
rbase f4 134fa # cmd
rbase f6 14832 # cmd
rbase f8 1502c # cmd
rbase fa 1577e # cmd
rbase fc 15bbe # cmd
rbase fe 17c8a # cmd
I then re-ran SAD406...
the results are exactly the same.. my first WANA_lst file is the same as this one run with the dir file.
how was this dir file and the rbase command supposed to help? what am i missing/ not understanding?
Q.. are these rbase values permanent (RAM??) addresses stored in the chips onboard memory..
are they the "payload" addresses for things like KAMRF and LAMBSE and RPM etc etc?
if so wouldnt it be better to label them something helpful so u can see them in the lst file output?
Q. what is the SYM command used for and can i use that at this point..
attached is the 2nd WANA_lst.txt file i ran after making the dir file and running it through SAD406..
put this in it, which i took from the WANA_msg.txt file outputed by SAD406
(yes i am still using SAD406 because it gave the correct tables addresses that i found manually..)
rbase 62 680
rbase 64 780
rbase 66 880
rbase 68 980
rbase 6a a80
rbase 6c b80
rbase 6e d94
rbase 70 1080
rbase 72 1180
rbase f0 12060 # cmd
rbase f2 126bc # cmd
rbase f4 134fa # cmd
rbase f6 14832 # cmd
rbase f8 1502c # cmd
rbase fa 1577e # cmd
rbase fc 15bbe # cmd
rbase fe 17c8a # cmd
I then re-ran SAD406...
the results are exactly the same.. my first WANA_lst file is the same as this one run with the dir file.
how was this dir file and the rbase command supposed to help? what am i missing/ not understanding?
Q.. are these rbase values permanent (RAM??) addresses stored in the chips onboard memory..
are they the "payload" addresses for things like KAMRF and LAMBSE and RPM etc etc?
if so wouldnt it be better to label them something helpful so u can see them in the lst file output?
Q. what is the SYM command used for and can i use that at this point..
attached is the 2nd WANA_lst.txt file i ran after making the dir file and running it through SAD406..
- Attachments
-
- WANA_dir.txt
- (350 Bytes) Downloaded 367 times
-
- WANA_lst.txt
- (1.69 MiB) Downloaded 390 times
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
Msg contains a list of commands that SAD found automatically plus those from the DIR.OzFalcon wrote: ↑Sun Feb 20, 2022 2:09 am ok so i made a WANA_dir.txt file
put this in it, which i took from the WANA_msg.txt
the results are exactly the same.. my first WANA_lst file is the same as this one run with the dir file.
how was this dir file and the rbase command supposed to help? what am i missing/ not understanding?
It also contains warnings and errors if there are any.
As you copied over from MSG without change, nothing is going to change in LST.
SAD used to do very little without a DIR, but now it gets a lot right automatically and a little wrong. 4.06 gets more wrong than 40716.
DIR is for the user to DIRect SAD where needed. Rbase was not needed in DIR as it happened automatically as seen in MSG.
Have you read SAD help?
https://github.com/tvrfan/EEC-IV-disass ... aster/Docs
https://github.com/tvrfan/EEC-IV-disass ... rsions.txt
Rbases are values used by certain addressing modes as a base to offset from.Q.. are these rbase values permanent (RAM??) addresses stored in the chips onboard memory..
are they the "payload" addresses for things like KAMRF and LAMBSE and RPM etc etc?
Read about it in this reference manual.
https://github.com/OpenEEC-Project/Usef ... Manual.pdf
Payloads are all the parameters that are logged. KAMRF and LAMBSE and RPM are 3 examples.
Yes you can use sym to name them.if so wouldnt it be better to label them something helpful so u can see them in the lst file output?
Q. what is the SYM command used for and can i use that at this point..
Read the SAD help file.
Do the stuff in my previous post.
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
Rbase in action
Code: Select all
rbase 62 680
021d9: a3,62,ce,38 ldw R38,[R62+ce] R38 = [64e];
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
ok so added all the tables and functions that i thought were right..jsa wrote: ↑Fri Feb 18, 2022 7:19 pm
These DIR commands were written using the info in your V8 XDF from above.
Copy and paste the following to your DIR;Go ahead and add in all the other parameters you think you have right. Post it up here for review.Code: Select all
fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer" :UW V12800 :SW V128 P5 # From OzFalcon V8 xdf tab 136B8 13723 "T.FN1360_FuelStabilisedTbl" :O12 UY V8.7432 P1 # From OzFalcon V8 xdf tab 13724 1377D "T.FN1362_FuelBaseTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf tab 1377E 137CD "T.FN1361_FuelStartupTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf
You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
Copy and paste the following to your DIR;Code: Select all
124B5 \n\n# \t40Volts \t54F*
i also cleaned up the def file so that has changed, i deleted a lot of the tables and functions that werent right..
there are also some scalars that i would like to add to to the dir file but what do u refer to them as
"124B5 \n\n# \t40Volts \t54F*" ... i have no idea what that is.. i put it in the dir file as you said... couldnt see anything in the lst that was different as a result..
also i noticed u used fun and tab instead of func and table... i used func because that was what the lst file called it, but used tab for the tables (i got lazy and gave up shortening them.. (((OK - i ran the test and you must call it fun and tab else it doesnt work))) leaving this here for anyone else in the future trying to do this..
also is it fine to use spaces when nameing the tables for SAD? (((OK - i ran a test and you must NOT use spaces else it doesnt work))) leaving this here for anyone else in the future trying to do this..
i also didnt provide the divisions for the functions (V12800 :SW V128 P5) and that last bit on each table (the V8.7432 P1 that u had -- i couldnt see where it came from so i left it off) plus it was a lot of effort to go back and forward looking at the defs... besides it doesnt help much at the moment
here is the dir file i made
and here is the updated def
- Attachments
-
- WANA_dir.txt
- (1.99 KiB) Downloaded 401 times
-
- N9XL1N6_v11 Corrected for WANA.xdf
- (55.81 KiB) Downloaded 392 times
Last edited by OzFalcon on Sun Feb 20, 2022 9:51 am, edited 3 times in total.
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
ok so after spending a couple of hours looking at and scrolling through the new lst files generated using my new dir file it seems i am going in circles..
at this stage it is probably pretty clear that i have absolutely no idea what i am doing..
i am so off the path that i dont even know what i am trying to do anymore..
the only thing i have actually acheived is the cleaning up of the def file by looking at other working defs and finding the same byte patterns in my bins (which i then update the def with)..
the disassemblers havent shown me anything and all the posts i read confuse me.. all the guides ive read are for very experienced programmers and it all just goes from 0-100 in the blink of an eye..
i started out wanting to be able to read things like KAM and LAMBSE as the QH is supposed to be good for that ... well all ive used it for is reading a bin and making basic changes .. to get data all i knew was that i needed patch code and an ADX.. just even finding out what those were was a major effort..
i then went looking at the disassemblers because that is what i "thought" you were supposed to use to find the hidden addresses of the payload data (am i even refering to this correctly??).. i then thought oh, the disassemblers can find tables and functions.. oh that would be handy i thought because my tables and functions were a mess... well it didnt help me find any... the opposite -- i found the tables for it -- im telling it where the tables are... what is even the point...
well it seems it can and cant .. it can find them but given there is literally hundreds of functions and tables it doesnt help much at all.. and then it misses the MAJOR and most important tables u need -- the spark and fuel tables!!
sorry to sound ungrateful, i certainly am not, i do appreciate the time spent helping... just the past 3/4 days efforts are making me feel stupid..
at this stage it is probably pretty clear that i have absolutely no idea what i am doing..
i am so off the path that i dont even know what i am trying to do anymore..
the only thing i have actually acheived is the cleaning up of the def file by looking at other working defs and finding the same byte patterns in my bins (which i then update the def with)..
the disassemblers havent shown me anything and all the posts i read confuse me.. all the guides ive read are for very experienced programmers and it all just goes from 0-100 in the blink of an eye..
i started out wanting to be able to read things like KAM and LAMBSE as the QH is supposed to be good for that ... well all ive used it for is reading a bin and making basic changes .. to get data all i knew was that i needed patch code and an ADX.. just even finding out what those were was a major effort..
i then went looking at the disassemblers because that is what i "thought" you were supposed to use to find the hidden addresses of the payload data (am i even refering to this correctly??).. i then thought oh, the disassemblers can find tables and functions.. oh that would be handy i thought because my tables and functions were a mess... well it didnt help me find any... the opposite -- i found the tables for it -- im telling it where the tables are... what is even the point...
well it seems it can and cant .. it can find them but given there is literally hundreds of functions and tables it doesnt help much at all.. and then it misses the MAJOR and most important tables u need -- the spark and fuel tables!!
sorry to sound ungrateful, i certainly am not, i do appreciate the time spent helping... just the past 3/4 days efforts are making me feel stupid..
Primary car : 1999 Falcon AU 1.5 australian 6cyl
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
ECU : EEC-V
WANA / 9XL1N6
EDIS with Speed Density
Using TunerPro / Quarterhorse
from Vic, Australia
Re: first steps - Disassembly - walkthrough
Sorry, Copy and Paste, failed to edit error on my part. It has to go in the CMT file only.OzFalcon wrote: ↑Sun Feb 20, 2022 6:55 amjsa wrote: ↑Fri Feb 18, 2022 7:19 pm
These DIR commands were written using the info in your V8 XDF from above.
Copy and paste the following to your DIR;Go ahead and add in all the other parameters you think you have right. Post it up here for review.Code: Select all
fun 124B6 12501 "F.?703A_ECT?/ACT_Transfer" :UW V12800 :SW V128 P5 # From OzFalcon V8 xdf tab 136B8 13723 "T.FN1360_FuelStabilisedTbl" :O12 UY V8.7432 P1 # From OzFalcon V8 xdf tab 13724 1377D "T.FN1362_FuelBaseTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf tab 1377E 137CD "T.FN1361_FuelStartupTbl" :O10 UY V8.7432 P1 # From OzFalcon V8 xdf
You can create a comments file as well. I created a WANNA_CMT.txt file in the same folder as the bin.
Copy and paste the following to your CMT;Code: Select all
124B5 \n\n# \t40Volts \t54F*
- Attachments
-
- WANA_CMT.txt
- (32 Bytes) Downloaded 382 times
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
Ok, so I run your DIR and looked at MSG. You can't have repeats. Keep the DIR entries in a logical, sequential and tidy order, otherwise we'll get nowhere. No Mess
I'll post an ammeded DIR below.
Code: Select all
## fun 12122 1212b "VE_Multiplier_for_ACT" : SY :UY
Warning - Duplicate Command
Warning - Symname replaces previous "VE_Multiplier_for_ACT"
## fun 12562 12579 "possible_MAP_Transfer_Function" : UW : UW
Warning - Duplicate Command
Warning - Symname replaces previous "possible_MAP_Transfer_Function"
## fun 125a6 125d5 "Table_Scaler_for_Abs_Exhaust_Pressure" : UW : UW
Warning - Duplicate Command
Warning - Symname replaces previous "Tbl_Sclr_for_Abs_Exhst_Press"
## fun 125d6 125f1 "Table_Scaler_for_RPM" : UW : UW
Warning - Duplicate Command
Warning - Symname replaces previous "Table_Scaler_for_RPM"
## fun 1261a 12635 "Table_Scaler_for_MAP" :UW :UW
Warning - Duplicate Command
Warning - Symname replaces previous "Table_Scaler_for_MAP"
Ok, not looked at it, spent available time on DIR.i also cleaned up the def file so that has changed, i deleted a lot of the tables and functions that werent right..
That would depend on what they are. Post some details.there are also some scalars that i would like to add to to the dir file but what do u refer to them as
Three letter commands are in the SAD help file I linked above. Try using 4.07.16 instead of 4.06. Let me know how you get on.also i noticed u used fun and tab instead of func and table... i used func because that was what the lst file called it, but used tab for the tables (i got lazy and gave up shortening them..
Nope, follow the examples in the help file linked above.also is it fine to use spaces when nameing the tables for SAD?
128/14.64=8.7432i also didnt provide the divisions for the functions (V12800 :SW V128 P5) and that last bit on each table (the V8.7432 P1 that u had -- i couldnt see where it came from so i left it off) plus it was a lot of effort to go back and forward looking at the defs... besides it doesnt help much at the moment
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
There is a plan. You have tables and functions and you know what they are for. You can use that info to discover stuff, like payloads. Examples to follow.OzFalcon wrote: ↑Sun Feb 20, 2022 8:54 am ok so after spending a couple of hours looking at and scrolling through the new lst files generated using my new dir file it seems i am going in circles..
at this stage it is probably pretty clear that i have absolutely no idea what i am doing..
i am so off the path that i dont even know what i am trying to do anymore..
You keep saying 4.06 is better at finding stuff, great, get the DIR setup so 4.07.16 finds the same stuff. You need to be using 4.07.16.
Good, that is progress also.the only thing i have actually acheived is the cleaning up of the def file by looking at other working defs and finding the same byte patterns in my bins (which i then update the def with)..
The disassemblers have turned hexadecimal into something we can comprehend.the disassemblers havent shown me anything and all the posts i read confuse me..
You need the addresses of the payloads you want to log.i started out wanting to be able to read things like KAM and LAMBSE as the QH is supposed to be good for that ... well all ive used it for is reading a bin and making basic changes .. to get data all i knew was that i needed patch code and an ADX.. just even finding out what those were was a major effort..
You need a place for the patchcode to go in the binary.
There is no magic wand, just time and effort to find what you need in the LST.i then went looking at the disassemblers because that is what i "thought" you were supposed to use to find the hidden addresses of the payload data (am i even refering to this correctly??).. i then thought oh, the disassemblers can find tables and functions.. oh that would be handy i thought because my tables and functions were a mess... well it didnt help me find any... the opposite -- i found the tables for it -- im telling it where the tables are... what is even the point...
You can compare your disassembly subroutines to the strategy books available on github to see what the parameters are.
You can compare your disassembly subroutines to other strategy disassembly subroutines available on github to see what the parameters are.
Chin up, you're trying to jump to the good stuff without reading and understanding the available literature first.sorry to sound ungrateful, i certainly am not, i do appreciate the time spent helping... just the past 3/4 days efforts are making me feel stupid..
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
So, having run the updated DIR, search LST for LU_
A table we know about can be found, along with the lookup.
Having read and understood the software manual linked above, you will follow this code to the subroutine @ 8453C.
You will see;
Arg 1 is the location of the function
Arg 2 is the input value to lookup
R40 has the output value from the lookup
0x108CE is the address where the output value is stored
Code:
84fe8: ef,51,f5 call 8453c UUWFuncLU_8453c (
84feb: 76,05 #arg 1 Table_Scaler_for_RPM,
84fed: 10,06 #arg 2 610 );
84fef: c3,66,4e,40 stw R40,[R66+4e] [108ce] = R40;
If your naming is correct then 0x00610 contains RPM and 0x108CE contains the table scaler.
You have a payload for RPM.
Two entries get added to the DIR.
Code:
SYM 610 "RPM" #UW # L84FED
SYM 108CE "RPM_Sclr" #UW # L84FEF
Run the updated DIR.
Search LST for RPM
As above, you now know func_1450e uses RPM
Code:
86874: ef,c5,dc call 8453c UUWFuncLU_8453c (
86877: 14,50 #arg 1 Func_1450e,
86879: 10,06 #arg 2 RPM );
Another entry gets added to DIR.
The function output is unknown at this point.
Code:
fun 1450E 1452D "F.1450E_RPM_???" :UW :UW #
You can search LST for RPM_Sclr and find;
Code:
86f05: a3,66,4e,38 ldw R38,[R66+4e] R38 = RPM_Sclr;
86f09: a3,66,50,3a ldw R3a,[R66+50] R3a = [108d0];
86f0d: ad,0a,3c ldzbw R3c,a wR3c = a;
86f10: 45,de,12,f4,40 ad3w R40,Rf4,12de R40 = Table_147d8;
You can make a table entry in DIR. Hint a is 10.
You can search for all LU_ in LST and add more entries to DIR.
Updated DIR here
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
how do you put the rpm [610] into a payload to log ?
as it is above the hidden ram how do we make the QH read it?
cmd hex string example from an ADX.
0x51 0x54 0x01 0x01 0x1F 0x1F 0x02 0x01 0x16 0x16 0x02 0x01 0x14 0x26 0x01 0x01 0xC0 0x79
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
I don't use TP, in any case patchcode is not required.
This is GUFB payloads in BE. Row 17 is RPM for word size data.
Address would become 0x0610
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
A couple of general notes in case they help everybody -
SAD is still a work in progress, and still being worked on (I am trying, but other stuff keeps getting in the way).
I designed it to be happy to run with NO _dir file. The base idea is you should get a mostly correct disassembly (the code anyway) and then use extra .dir commands to 'home in' and correct things (and set names). So unless you know that your bin matches exactly with one of the same strategy (which is unlikely), try not using a dir for the first run. And don't think SAD is always right....
For most code, SAD does a 'static' analysis.
First job is to identify the bank starts in the bin file. I had a method that works really well, until FM20M06 bin came along.
FM20M06 bin doesn't work because Ford broke its own coding rules for interrupts..... AARRGGGHHH!!!! I haven't sorted out how to get around this yet...
Second (biggest) job. Start at the very first jump (= bank 8 0x2000) run down the code and track all the jumps and calls as new places to start a scan. It continues until all the jumps and calls have been scanned. But this already needs some extra bits, as many subroutines are called from a 'master task list' of addresses, which use a PUSH(address), ... RET; to call each one.
Third job. Use a 'fingerprint' type match to find the main lookup routines (table and function), and then track back to find the addresses fed in to those subroutines to try to find the data structures. This is good in theory, but there are things that don't work. For example some of the later bins use a lookup list (one seems to even have a combo of table-func, table-func, table-func, in sets) and this is not handled properly.
There are other things too, but these are the main jobs.
Some stuff is still TOUGH to sort out. Subroutines with arguments (=parameters) are an example, as some handle a variable number of arguments, and the only way to sort this out is to do a local emulation of the code. Some bins (e.g. CARD) actually do a PUSH(address) to effectively insert an extra bit of code to be run. It's a total pain in the A*S, frankly. So from above, some subroutine calls are then marked as 'must emulate this bit' and done over.
SAD still misses some code after all the above, because of the use of code 'tricks'. These are not bad programming or anything, but can ruin my nice flow model of the code, and so SAD will miss a block now and then. Sometimes I reckon code shows a 'patch', a jump which looks to be inserted to jump over some code, that code is never called, so never disassembled...
YES there ARE both tables and functions which are DUMMY. it's NOT unusual to see a table with all zeroes or all 0xff, and functions with one 0xff and all zeroes. Either they aren't used in this strategy, or aren't used in this particular model/engine/trans(/country?) combination, but kept there for a 'marker' ?. I don't know why exactly.
And, now and again, some binary appears which has something different somewhere, and messes everything up (e.g. FM20M06) and I have to come up with a new fix ....
Yes, I am still looking at better ways to identify everything. I do have a 'scan_gaps' type pass in latest 'stable' release, but it also produces false data matches.... so I took it away in latest development versions....
Working on next major version now, but somehow it's been a year gone by....
Perhaps one of the alternate tools may prove to be better. I can handle that !
I don't know sometimes... perhaps there's a better way lurking out there ...
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler
Re: first steps - Disassembly - walkthrough
Thanks jsa, I get it now and can probably make my file in BE also.
tvrfan and jsa, I find your work on SAD amazing and it's great that you are so willing to help.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
Cool and thanks.
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
Was just looking through the WANA disassembly and want to confirm the checksum location and start/end points as I can't seem to find the data in the code.
i think checksum is 0x1200a
is start 0x02000 and end 0x0ffff for bank 0 ??
is start 0x12000 and end 0x1ffff for bank 1 ??
Code:
########################################################################
# Bank 1 file offset 12000-1ffff, (12000 - 1ffff)
########################################################################
12000: 27,fe sjmp 12000 goto 12000;
12002: 0c,20 ???
12004: 8e byte 8e
12005: 22 byte 22
12006: ff byte ff
12007: ff byte ff
12008: ff byte ff
12009: ff ???
1200a: 59,46 word 4659
1200c: ff,ff word ffff
1200e: ff,ff word ffff
12010: 60,84 vect 18460 I1_HSO_0
12012: 65,84 vect 18465 I1_HSO_1
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
and bank 8
check sum at 0x8200a
start 0x2000 and end at 0x0e000 ??
Code:
########################################################################
# Bank 8 file offset 22000-2ffff, (82000 - 8ffff)
########################################################################
82000: ff nop
82001: fa di disable intps;
82002: e7,da,05 jump 825df goto 825df;
82005: ff,ff,df,00,ff ???
8200a: de,c0 word c0de
8200c: 00,e0 word e000
8200e: 5d,00 word 5d
82010: 72,20 vect 82072 I8_HSO_0
82012: 75,20 vect 82075 I8_HSO_1
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
Jamie,
I ran your bin with SAD 4.0.6 (latest stable on SAD GIT website). This got quite a lot of data by the looks of it. Data is all in bank 1.
Those bank directives have the first two values as file offsets, so that if SAD gets the order or bank number wrong, the user can edit them to specify exactly what they/you want. Normally just leave them as comment.
A quick look at the listing seems pretty good, bank 9 is empty, code in banks 0 and 8 and data in bank 1. Looks like one of the common layouts. Interrupt handlers seem to line up, so chances are this is the right order.
8200a is checksum 'correction' value, so the checksum subroutine returns zero. Checksum subroutine is at 04511 I think. This looks like there is only ONE grand checksum value, as banks are added together?
The 8200c probably is end of ROM, but this is used to tell cal console (or other Ford plugin tools) where it can map a virtual memory block, and 8200e is nearly always 5d and has something to do with those tools too, but I can't remember exactly , it's something to do with I/O timer.
Hope that helps !
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler
Re: first steps - Disassembly - walkthrough
Thanks.
Just wasn't sure and wanted to check.
I use both 406 and 7###
Thank you very much.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
Search for 2000 in the _LST to find candidates for the CheckSum Sub. Look for the Sub that compares Sum to Zero, and calls a fault code sub if not zero.
jamie from oz wrote: ↑Sun Jan 15, 2023 3:19 pm Was just looking through the WANA disassembly and want to confirm the checksum location and start/end points as I can't seem to find the data in the code.
i think checksum is 0x1200a
is start 0x02000 and end 0x0ffff for bank 0 ??
is start 0x12000 and end 0x1ffff for bank 1 ??
In the code below you can see where the start address is loaded prior to looping through each bank.
In the code below the CheckSum word end address for each bank is the value that exits the loop.
This CheckSum Sub is summing all banks together, so a single word in the CheckSum address ranges could be used for the correction of a change in any bank.
BE definitions have the end address as the high byte of the last word, so ending with FF, not FE.
Code:
Sub04511_CheckSum:
04511: 01,44 clrw R44 R44 = 0;
04513: a1,00,20,42 ldw R42,2000 R42 = 2000; # Bank 8 Checksum Start Address
# JNC Loop from L04523 for address 82000-8FFFC
04517: b1,ff,05 ldb R5,ff WDG_Timer = ff;
0451a: 10,08 rombk 8
0451c: 66,43,44 ad2w R44,[R42++] R44 += [R42++];
0451f: 89,fe,ff,42 cmpw R42,fffe # Bank 8 Checksum End Address
04523: d3,f2 jnc 04517 if (R42 < fffe) goto 04517;
# Cont from L04523 for address 8FFFE
04525: 10,08 rombk 8
04527: 66,42,44 ad2w R44,[R42] R44 += [R42]; # Sum Word 8FFFE
0452a: a1,00,20,42 ldw R42,2000 R42 = 2000; # Bank 1 Checksum Start Address
# JLEU Loop from L04538 for address 12000-19FFE
0452e: b1,ff,05 ldb R5,ff WDG_Timer = ff;
04531: 66,43,44 ad2w R44,[R42++] R44 += [R42++];
04534: 89,fe,9f,42 cmpw R42,9ffe # Bank 1 Checksum End Address
04538: d1,f4 jleu 0452e if (R42 <= 9ffe) goto 0452e;
# Cont from L04538 for address 1A000
0453a: a1,00,20,42 ldw R42,2000 R42 = 2000; # Bank 0 Checksum Start Address
# JNC Loop from L0454A for address 02000-0FFFC
0453e: b1,ff,05 ldb R5,ff WDG_Timer = ff;
04541: 10,00 rombk 0
04543: 66,43,44 ad2w R44,[R42++] R44 += [R42++];
04546: 89,fe,ff,42 cmpw R42,fffe # Bank 0 Checksum End Address
0454a: d3,f2 jnc 0453e if (R42 < fffe) goto 0453e;
# Cont from L0454A for address 0FFFE
0454c: 10,00 rombk 0
0454e: 66,42,44 ad2w R44,[R42] R44 += [R42]; # Sum Word 0FFFE
04551: a1,00,20,42 ldw R42,2000 R42 = 2000; # Bank 9 Checksum Start Address
# JNC Loop from L04561 for address 92000-9FEFC
04555: b1,ff,05 ldb R5,ff WDG_Timer = ff;
04558: 10,09 rombk 9
0455a: 66,43,44 ad2w R44,[R42++] R44 += [R42++];
0455d: 89,fe,fe,42 cmpw R42,fefe # Bank 9 Checksum End Address
04561: d3,f2 jnc 04555 if (R42 < fefe) goto 04555;
# Cont from L04561 for address 9FEFE
04563: 10,09 rombk 9
04565: 66,42,44 ad2w R44,[R42] R44 += [R42]; # Sum Word 9FEFE
04568: 88,00,44 cmpw R44,R0
0456b: df,05 je 04572 if (R44 != 0) {
# Cont from L0456B Incorrect Checksum
0456d: ef,90,0d call 05300 Sub_05300 (
04570: 34,05 #arg 1 534 ); }
# JE from L0456B correct Checksum = 0
04572: f0 ret return;
Search for ROM_TO and FIXSUM in the strategy documents. Their addresses are 0x200A and 0x2004 respectively.
But then Ford don't seem to read their own documents, WANA Bank 8 has code at 0x8004.
You could choose an address in fill for BE's ChecksumStore or ROM_TO.
Code:
02004: ff,ff,ff,ff,ff,ff ???
0200a: ff,ff word ffff
12004: 8e byte 8e
12005: 22 byte 22
12006: ff byte ff
12007: ff byte ff
12008: ff byte ff
12009: ff byte ff
1200a: 59,46 word 4659
Sub82000_Boot:
82000: ff nop
82001: fa di interrupts OFF;
82002: e7,da,05 jump 825df goto Sub825DF_Startup;
82005: ff,ff,df,00,ff ???
8200a: de,c0 word c0de
92004: ff,ff,ff,ff,ff,ff ???
9200a: ff,ff word ffff
Last edited by jsa on Sat Jan 21, 2023 3:21 pm, edited 1 time in total.
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
Re: first steps - Disassembly - walkthrough
Thanks for the guidance .
This is what i have put into the xls.
Code:
Parameter Value
ChecksumStart0 2000
ChecksumEdn0 FFFF
ChecksumStart1 2000
ChecksumEdn1 9FFF
ChecksumStart8 2000
ChecksumEdn8 FFFF
ChecksumStart9 2000
ChecksumEdn9 FEFF
ChecksumStore CHKSUM ( use 8200A)
Target_AFR 14.64
BankCount 4
PCMType EEC_216K
LTMTB1 0704
LTMTB2 075A
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
not sure if there is a BE read of the WANA.bin
so that 8200a is at 0x2800a in the bin i attached.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
When I set ROM_TO 0x1200a or any of the other possible checksum addresses it makes them 00 00 (previously was 59 46) without changing anything in the WANA.bin file, just hitting save..
I tried ROM_TO at an area of fill 0x18700 and it went from FF FF to 00 00 also in the bin file.
?? I was going to set 0x120BE from 01 to 00 to turn off smartshield then flash it back, but not sure if this will need the checksum changed ???
or can i change the value at 0x1200a from 59 46 to 58 46 to correct the checksum, or change in fill at 0x18700 from FF to FE ??
Jamie.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
Jamie, John,
It looks to me that the checksum routine has the start and end addresses set directly in the code itself.
I have never used BE, but in case you want to drop the checksum entirely, the simplest fix is probably to overwrite addresses 0456d to 04570 with 0xff (= NOP). That way the error routine is never called. That assumes you have a modifiable copy of the ROM of course.
TVR, kit cars, classic cars. Ex IT geek, development and databases.
https://github.com/tvrfan/EEC-IV-disassembler
Re: first steps - Disassembly - walkthrough
Thank you for that suggestion.
BE_WANA.
Code:
04563: 10,09 rombk 9
04565: 66,42,44 ad2w R44,[R42] R44 += [R42];
04568: 88,00,44 cmpw R44,R0
0456b: df,05 je 04572 if (R44 != 0) {
0456d: ef,90,0d call 05300 Sub_05300 (
04570: 34,05 #arg 1 534 ); }
04572: f0 ret return;
BE_WANA_SMT_LOK_OFF run through SAD.
Code:
04565: 66,42,44 ad2w R44,[R42] R44 += [R42];
04568: 88,00,44 cmpw R44,R0
0456b: df,05 je 04572 if (R44 != 0) {
0456d: ff nop
0456e: ff nop
0456f: ff nop
04570: ff nop
04571: ff nop }
04572: f0 ret return;
I might set BE ROM_TO 0x18700, that is in filler, so BE thinks it's doing something and doesn't freak out.
Will flash it to a spare WANA eec-v and see if it will run.
Thank you.
Falcon XH xr6 i6 4.0L ute1995.
Falcon XH v8 5.0L ute 1996 / NVMG84 and 6DGD.bin using sailor bob Def/cry ( ho engine185kw)
Falcon AU2 v8 5.0L ute 2000 / NGVB5 and Y3EE / WALG (factory GT40P heads and intake 200kw )
Falcon EL v8 5.0L with 6cyl SD EEC-V HWAD and 6dbd ETV-513 (JSA'S help with 6dbd_56k_x bin and 6dbd_56k_x Xls)
Re: first steps - Disassembly - walkthrough
EDIT: see sailorbob's reply below.
jamie from oz wrote: ↑Tue Jan 17, 2023 3:23 am Thanks for the guidance.
This is what i have put into the xls.
Code:
Parameter Value
ChecksumStart0 2000
ChecksumEdn0 FFFF
ChecksumStart1 2000
ChecksumEdn1 9FFF
ChecksumStart8 2000
ChecksumEdn8 FFFF
ChecksumStart9 2000
ChecksumEdn9 FEFF
ChecksumStore CHKSUM ( use 8200A)
Target_AFR 14.64
BankCount 4
PCMType EEC_216K
LTMTB1 0704
LTMTB2 075A
This looks OK (NOT), with the proviso that you have a scalar for CHKSUM with address to suit the bin.
Is ChecksumStore set to ROM_TO?
jamie from oz wrote: ↑Fri Jan 20, 2023 7:42 pm When I set ROM_TO 0x1200a or any of the other possible checksum addresses it makes them 00 00 (previously was 59 46) without changing anything in the WANA.bin file, just hitting save..
Is ChecksumStore set to ROM_TO?
I tried ROM_TO at an area of fill 0x18700 and it went from FF FF to 00 00 also in the bin file.
Yes it will need a checksum adjustment.
?? I was going to set 0x120BE from 01 to 00 to turn off smartshield then flash it back, but not sure if this will need the checksum changed ???
or can i change the value at 0x1200a from 59 46 to 58 46 to correct the checksum, or change in fill at 0x18700 from FF to FE ??
Jamie.
An adjustment for the decrease from 01 to 00 would require in an increase elsewhere.
IIRC it may not be as simple as adjusting an address of your choosing due to the impact of sum without carry, but give it a try and see what you get.
You can also use your hex editor to calculate the 16bit little endian no carry checksum of the edited BIN and change the bin as necessary to get zero.
Yes the addresses are immediate values.
tvrfan wrote: ↑Fri Jan 20, 2023 10:04 pm Jamie, John,
It looks to me that the checksum routine has the start and end addresses set directly in the code itself.
I have never used BE, but in case you want to drop the checksum entirely, the simplest fix is probably to overwrite addresses 0456d to 04570 with 0xff (= NOP). That way the error routine is never called. That assumes you have a modifiable copy of the ROM of course.
0xF0, Return, at address 0x04511 would bypass the whole checksum, with the same risk of not catching any ROM check sum issue.
All that said, I have seen some unexpected checksum behaviour with older versions of BE when using ChecksumStore set to something other than ROM_TO at 0x200A.
Last edited by jsa on Sat Jan 21, 2023 2:56 pm, edited 1 time in total.
Cheers
John
95 Escort RS Cosworth - CARD QUIK COSY ANTI / GHAJ0
Moates QH & BE
ForDiag
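The summation in jsa's Sub04511_CheckSum listing and the hex-editor check jsa describes above ("calculate the 16bit little endian no carry checksum of the edited BIN and change the bin as necessary to get zero"), put into a script as an added example rather than code from the thread, SAD or BE. It sums little-endian words without carry over the four bank ranges read from the listing, works out the correction word that brings the total back to zero, and shows why the 01 -> 00 edit at an even address moves the sum by one while the same edit at an odd address moves it by 0x100. The bank-to-file-offset mapping (banks 0, 1, 8, 9 at 0x00000, 0x10000, 0x20000, 0x30000 of a 256K dump, BANK_BASE below) is an assumption taken from the two "file offset" comments in the listings, and the image in demo() is constructed, not a real WANA dump.

```python
"""16-bit no-carry checksum of an EEC-V image, summed the way the WANA listing's
Sub04511_CheckSum does it.

Added example (not code from the thread, SAD or BE). Bank ranges come from the
listing; the bank base offsets are an ASSUMPTION for a 256K dump laid out as
banks 0, 1, 8, 9, consistent with the 'file offset' comments in the listings.
Check them against your own dump before trusting a result.
"""
import struct

MASK = 0xFFFF

# (bank, first word address, last word address) summed in the listing's order:
# bank 8 2000-FFFE, bank 1 2000-9FFE, bank 0 2000-FFFE, bank 9 2000-FEFE.
WANA_RANGES = [
    (8, 0x2000, 0xFFFE),
    (1, 0x2000, 0x9FFE),
    (0, 0x2000, 0xFFFE),
    (9, 0x2000, 0xFEFE),
]

# ASSUMPTION: file offset of each bank's address 0x0000 in a 256K dump.
BANK_BASE = {0: 0x00000, 1: 0x10000, 8: 0x20000, 9: 0x30000}


def file_offset(bank: int, addr: int) -> int:
    """Bank-relative address -> file offset, e.g. bank 8 0x200A -> 0x2200A."""
    return BANK_BASE[bank] + addr


def checksum(image: bytes, ranges=WANA_RANGES) -> int:
    """Sum every little-endian word in the given ranges, discarding carries,
    exactly as the ad2w/cmpw loops in the listing do. Zero means 'passes'."""
    total = 0
    for bank, start, end in ranges:
        for addr in range(start, end + 1, 2):
            (word,) = struct.unpack_from("<H", image, file_offset(bank, addr))
            total = (total + word) & MASK
    return total


def correction_for_zero(image: bytes, bank: int, addr: int) -> int:
    """Value the word at (bank, addr) must hold so checksum() returns 0.
    The word must itself lie inside one of the summed ranges."""
    (current,) = struct.unpack_from("<H", image, file_offset(bank, addr))
    return (current - checksum(image)) & MASK


def patch_word(image: bytearray, bank: int, addr: int, value: int) -> None:
    """Write a little-endian word at a bank address."""
    struct.pack_into("<H", image, file_offset(bank, addr), value & MASK)


def byte_edit_delta(addr: int, old: int, new: int) -> int:
    """How much the sum moves when one byte changes: an even address is the low
    byte of its word (weight 1), an odd address the high byte (weight 0x100).
    This is the 'sum without carry' effect jsa mentions."""
    weight = 1 if addr % 2 == 0 else 0x100
    return ((new - old) * weight) & MASK


def demo() -> dict:
    """Walk through the thread's scenario on a constructed image."""
    image = bytearray(b"\xff" * 0x40000)          # constructed 256K image, erased flash
    flag = (1, 0x20BE)                            # bank 1 0x20BE = file 0x120BE
    store = (1, 0x200A)                           # bank 1 0x200A = file 0x1200A
    image[file_offset(*flag)] = 0x01              # constructed 'flag on' byte
    fix = correction_for_zero(image, *store)
    patch_word(image, *store, fix)
    ok_before = checksum(image) == 0
    image[file_offset(*flag)] = 0x00              # the 01 -> 00 edit from the thread
    after_edit = checksum(image)                  # 0xFFFF: sum dropped by one
    new_fix = correction_for_zero(image, *store)  # so the store word must go UP by one
    patch_word(image, *store, new_fix)
    return {
        "ok_before": ok_before,
        "after_edit": after_edit,
        "fix": fix,
        "new_fix": new_fix,
        "ok_after": checksum(image) == 0,
    }


if __name__ == "__main__":
    r = demo()
    print(f"store word {r['fix']:04x} -> {r['new_fix']:04x}, passes again: {r['ok_after']}")
```

To check a real dump, read it into a bytearray, confirm BANK_BASE against the bank comments in your own _LST, and call checksum() before and after an edit; a result of zero is what the subroutine's cmpw R44,R0 test wants to see.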
Re: first steps - Disassembly - walkthrough
BE probably is not calculating the checksum because you have 'ChecksumEdn' instead of 'ChecksumEnd' in your definition.
The ROM_TO value is at 0x12004.
You also need to have the 'EEC' parameter in the 'Confg' worksheet set to 'True'.