SAD 806x Disassembler

Posted: Mon Nov 20, 2017 12:56 pm
by Pym
As promised, I will quickly provide you with the first release of this disassembler, with its really original name SAD 806x, for Ford EEC IV & EEC V, 8061 & 8065.
It took me a bit more time than expected to make it work properly on 8061 & 8065 early ROMs and on Visteon ROMs, which I had never tried before.
8061 early ROMs have many specificities.
8065 early ROMs use a strange Bank 1, and I am currently trying to make their word tables work.
I am not talking about the GUI; it took me more time.

Many things will not be present in the first release:
the ability to add your own signatures (personally, I use 3 different methods to identify routines; I will have to combine them and find a way to create a simple setup for them),
and the automatic structure discovery; it will take me time to create something strong.

Do not expect the best disassembled code; this was not my goal, other people know this subject better.
My goal was to be able to quickly disassemble a binary, all binaries in fact, to read their data, not their code.

I will ask you some questions, to achieve the job, but for now, I continue on it.

Re: SAD 806x Disassembler

Posted: Mon Nov 20, 2017 1:05 pm
by decipha
Cool, I'll give it a go when you release it.

Re: SAD 806x Disassembler

Posted: Mon Nov 20, 2017 1:10 pm
by motorhead1991
I'd be happy to put it up in the github organization for ya :D. Unless you want privileges there.

Re: SAD 806x Disassembler

Posted: Mon Nov 20, 2017 1:28 pm
by jsa
Good stuff Pym.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 2:42 am
by Pym
It is now time to discover issues on this disassembler, in its second version.

Keep the binaries that fail or are not recognized somewhere, to be able to handle them later on.
Feel free to ask questions; as there is no user guide for now, it should be the only way to proceed.

I'll let you play with it; my questions will come after that, because I know many things are still to be done.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 2:45 am
by decipha
I'm bouta check it out soon as I get home.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 3:11 am
by decipha
That's titties, I like it.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 4:35 am
by jsa
Pym,

SAD806x looks very good. You have moved the community forward.

Well Done, and thank you.

I will spend some more time with it, to understand it.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 3:39 pm
by jsa
Hello Pym,

My first request is minor. I'm continuing to look at the core stuff.

Can the text output file name be saved in the s6x file, so that the text file is tied to a binary file?

Example:
Disassemble ANTI.bin, choose to output text, default name of ANTI.txt until I choose some other name, say ANTI_Name I Choose.txt, and save s6x.
Then open another bin.
Say I disassemble ZX3.bin and output a text file; SAD806x wants to save to ANTI_Name I Choose.txt. I'd like it to save to the default ZX3.txt unless I choose a name.
Now reopen ANTI.bin, then output a text file. I would like SAD806x to default to the last ANTI_Name I Choose.txt.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 4:23 pm
by jsa
Here is a code portion for the Engineering Console Present routine typical of many bins.

Note Line BCF1 & BCF4 versus line BCA8
Could its result along with its Label be displayed as a result on line BCF4?
Could Line BCA8 be resolved to Vectors?
Code:
8 bca8: 00,c0,00,10,00,10,00,c2                       Unknown Operation/Structure
8 bcb0: 00,12,00,12                                   Unknown Operation/Structure


8 bcb4: 06,d0                d006  Bank 8 Vector       
8 bcb6: 06,c0                c006  Bank 8 Vector       
8 bcb8: 06,e0                e006  Bank 8 Vector       
8 bcba: 09,d0                d009  Bank 8 Vector       
8 bcbc: 09,c0                c009  Bank 8 Vector       
8 bcbe: 09,e0                e009  Bank 8 Vector       
8 bcc0: fa,a3                a3fa  Bank 8 Vector      Sub0305


Sub0341:
8 bcc1: a3,01,00,0d,14       ldw   R14,[d00]          R14 = CC_PRESENT;   
8 bcc6: 99,2a,15             cmpb  R15,2a                                 
8 bcc9: d7,3b                jne   bd06               if (R15 != 2a) goto bd06;
8 bccb: 3c,24,1e             jb    B4,R24,bcec        if (B4_R24) goto Sub0342;
8 bcce: 38,0a,1b             jb    B0,R0a,bcec        if (B0_HSO_OVF) goto Sub0342;
8 bcd1: 47,01,0e,20,06,7c    ad3w  R7c,R06,[200e]     [R7c] = IO_TIMER + [200e];
8 bcd7: d7,02                jne   bcdb               if (IO_TIMER != [200e]) goto bcdb;
8 bcd9: 07,7c                incw  R7c                [R7c]++;             
8 bcdb: a0,7c,0e             ldw   R0e,R7c            HSO_TIME = [R7c];   
8 bcde: b1,0f,0d             ldb   R0d,f              HSO_CMD = f;         
8 bce1: c9,ec,bc             push  bcec               push(Sub0342);       
8 bce4: ad,04,30             ldzbw R30,4              R30 = (uns)4;       
8 bce7: cb,31,b4,bc          push  [R30+bcb4]         push([R30+bcb4]);   
8 bceb: f0                   ret                      return;             

Sub0342:
8 bcec: a3,01,80,0c,14       ldw   R14,[c80]          R14 = [c80];         
8 bcf1: ad,04,30             ldzbw R30,4              R30 = (uns)4;       
8 bcf4: a3,31,a8,bc,42       ldw   R42,[R30+bca8]     R42 = [R30+bca8];   
8 bcf9: c6,42,00             stb   [R42],0            [R42] = 0;           
8 bcfc: 36,14,07             jnb   B6,R14,bd06        if (!B6_R14) goto bd06;
8 bcff: a3,31,ae,bc,14       ldw   R14,[R30+bcae]     R14 = [R30+bcae];   
8 bd04: 20,04                sjmp  bd0a               goto bd0a;           


Rbase Vector repeat at BCA8
Code:
8 2022: 00,c0                c000  Rbase              Rf0
.
.
8 bca8: 00,c0,00,10,00,10,00,c2                       Unknown Operation/Structure

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 4:47 pm
by Pym
I see what you mean, but to do it, I think it is better to store it on a history-like principle.
When working on different binaries based on the same strategy you will work with only one S6x file, but you should have different outputs.
I note this update for the next version.

Just a tip: when saving S6x after disassembly, it saves the automatically detected registers, which is an issue; it should not.
The result, really visible on Visteon binaries, is that it will process translations for all available registers (which have not been modified).
For 400 registers, disassembly time is doubled; yes, it is searching for them in all operations and all parameters, for nothing in this case.
To obtain a normal duration for disassembly, just skip all registers and unskip only the reworked ones.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 5:03 pm
by jsa
Pym wrote:I see what you mean, but to do it, I think it is better to store it on a history-like principle.
When working on different binaries based on the same strategy you will work with only one S6x file, but you should have different outputs.
I note this update for the next version.


Hmm, yes, the one strategy multiple binaries conundrum. I do not see how to save to a Strategy_Name_I_choose.s6x. Always seems to save to Name_of_Bin.s6x.

With a 1_Strategy_All_Bins.s6x, multiple text file entries could be the solution.
GHAJ0 > CARD > CARD_Some_Name.txt
GHAJ0 > ANTI > ANTI_Some_Name.txt

Pym wrote:For 400 registers, disassembly time is doubled; yes, it is searching for them in all operations and all parameters, for nothing in this case.

Ahh, thanks, noticed an increase from 1 sec to 3 secs.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 5:27 pm
by jsa
Part of the second vector list in GHAJ0/ANTI, and typical of many others:

Code:
8 21e6: c0,bc                bcc0  Bank 8 Vector       


I'm leaning toward SAD's disassembly...

SAD806x disassembly
Code:
8 bcc0: fa,a3                a3fa  Bank 8 Vector      Sub0305

Sub0341:
8 bcc1: a3,01,00,0d,14       ldw   R14,[d00]          R14 = CC_PRESENT;   


SAD disassembly
Code:
21e6: c0,bc             vect  bcc0,          Sub2
.
.
  Sub2:
bcc0: fa                di                   disable ints;
  Sub52:
bcc1: a3,01,00,0d,14    ldw   R14,[d00]      R14 = CC_PRESENT;

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 5:43 pm
by jsa
In the Tree View pane, left side of SAD806x, what is the Registers branch intended to convey?

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 6:05 pm
by jsa
Also GHAJ0 / ANTI with similar in other strategy bins.

Code:
  Sub56:
8ac4: a1,80,01,6a       ldw   R6a,180        R6a = 180;                     # Called from L208B
8ac8: a1,80,02,6c       ldw   R6c,280        R6c = 280;
8acc: a1,80,03,6e       ldw   R6e,380        R6e = 380;
8ad0: a1,80,04,70       ldw   R70,480        R70 = 480;
8ad4: a1,80,05,72       ldw   R72,580        R72 = 580;
8ad8: a1,40,07,40       ldw   R40,740        R40 = 740;
8adc: 65,80,00,40       ad2w  R40,80         R40 += 80;
8ae0: a0,40,74          ldw   R74,R40        R74 = R40;


Gives
Code:
R6A R6B Rbase/Vector Address 0x0180 as a word
R6C R6D Rbase/Vector Address 0x0280 as a word
R6E R6F Rbase/Vector Address 0x0380 as a word
R70 R71 Rbase/Vector Address 0x0480 as a word
R72 R73 Rbase/Vector Address 0x0580 as a word
R74 R75 Rbase/Vector Address 0x07C0 as a word


I have picked up on certain registers being compared many times but only written once.
R76 is an example. For some reason, R77 is in the Tree View Registers Branch of SAD806x?

SAD806x
Code:
Sub0043:
8 2cfc: 45,ff,00,fe,76       ad3w  R76,Rfe,ff         R76 = Sc0599; 


SAD
Code:
  Sub105:
2cfc: 45,ff,00,fe,76    ad3w  R76,Rfe,ff     R76 = dc53;


My thoughts
Code:
R76 R77 Rbase/Vector Address 0xDC53 as a word. ad3w R76=DC53

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 6:13 pm
by jsa
Another minor feature request, the called/jumped from address next to or near the subroutine is handy in the output file.

I realise it could get messy when called/jumped from multiple places. Maybe a line/s directly below the SubName and before code line/s.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 6:21 pm
by Pym
I am not sure I properly understand the first part, but what I call additional vectors (Bank X Vector)
are essentially identified by something like
R30 = (uns)4;
push([R30+bcb4]);
With this start source address and the number, I suppose I have a list of vectors, and with additional conditions the result is often good. But normally we should have a loop.
Clearly a3fa is not a vector address, but the others have to be ignored too; I have seen them in many binaries. I do not know what they mean exactly, but they are not vectors.
bca8 is, for me, not related to the first Rbase.

Real vector bcc0 is detected too, at 21e6, but it is in conflict with the other detection, and the good one is ignored.

Additional vector addresses are stored like structures, and in fact they should be analysed in the same way, from A to Z.
I still have this hard part to do.

I will continue to answer tomorrow.

Re: SAD 806x Disassembler

Posted: Thu Nov 23, 2017 7:31 pm
by jsa
Pym wrote:I am not sure I properly understand the first part, but what I call additional vectors (Bank X Vector)
are essentially identified by something like
R30 = (uns)4;
push([R30+bcb4]);


I stand to be corrected, however I think that resolves to
push 4+BCB4=[BCB8]=E006
So the preceding code checks that [D00]=0x2A and that the IO / Timer conditions are met, then places E006 on the stack, displacing the calling routine's stack address.
The following F0 return takes E006 from the stack as the next routine to run.

Apparently the address range E000 on up is reserved for the engineering console.
So the engineering console is plugged to the J3 port much like a chip and runs code from E006 doing what ever the engineers see fit.

A subject for another thread, it presents another way to trigger a logging patch.

Pym wrote:With this start source address and the number, I suppose I have a list of vectors, and with additional conditions the result is often good. But normally we should have a loop.


Does SAD806x look at the opcode / address mode to conclude what is likely a vector or signed?

Pym wrote:Clearly a3fa is not a vector address, but the others have to be ignored too; I have seen them in many binaries. I do not know what they mean exactly, but they are not vectors.
bca8 is, for me, not related to the first Rbase.


I am not certain about the purpose of BCA8 either, but the opcode / address mode makes me think it resolves to a vector.

Pym wrote:Real vector bcc0 is detected too, at 21e6, but it is in conflict with the other detection, and the good one is ignored.

Additional vector addresses are stored like structures, and in fact they should be analysed in the same way, from A to Z.
I still have this hard part to do.

I will continue to answer tomorrow.


All good, SAD806x is a fine base to build on with understanding.

Have a good night. Sorry, I've bombarded you with a pile of posts.
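As an added example (Python written for this thread, not SAD806x's own code), the helpers below recompute the targets quoted in this post and the one it answers: the push [R30+bcb4] lookup that yields E006, the a3fa false vector at bcc0, and the relative jne, jb, djnz, sjmp and call displacements (including the call d006 seen later in the thread). The byte values are the ones in the listings above; the only assumption is the 8096-family displacement encoding (8-bit for conditional jumps and djnz, 11-bit for sjmp, 16-bit for call), which every listed target is consistent with.

```python
# Added example, not SAD806x code: how the operands discussed in this thread
# resolve on the 8061/8065. Byte values are copied from the listings above;
# the displacement encodings are the 8096-family ones (an assumption that
# every target quoted in the thread agrees with).

def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement number."""
    mask = 1 << (bits - 1)
    return (value & (mask - 1)) - (value & mask)

def read_word(rom, rom_base, addr):
    """Little-endian 16-bit word at addr; rom is a bytes image starting at rom_base."""
    i = addr - rom_base
    return rom[i] | (rom[i + 1] << 8)

def cond_branch_target(insn_addr, insn_len, disp):
    """jne/jc/jb/jnb/djnz: target = next instruction + signed 8-bit displacement."""
    return (insn_addr + insn_len + sign_extend(disp, 8)) & 0xFFFF

def sjmp_target(insn_addr, opcode, disp):
    """sjmp (opcodes 20..27): 11-bit displacement, high 3 bits in the opcode."""
    full = ((opcode & 0x07) << 8) | disp
    return (insn_addr + 2 + sign_extend(full, 11)) & 0xFFFF

def call_target(insn_addr, lo, hi):
    """ef call: target = next instruction + 16-bit displacement (low byte first)."""
    return (insn_addr + 3 + (lo | (hi << 8))) & 0xFFFF

def push_indexed(rom, rom_base, table_addr, index_reg_value):
    """push [R30+table]: the word pushed (and then used as the return address
    by the ret that follows) is read from table_addr + R30."""
    return read_word(rom, rom_base, table_addr + index_reg_value)

# Bytes bcb4..bcc1 from the ANTI listing in this thread: six "Bank 8 Vector"
# words followed by the first two bytes of Sub0341 (fa a3), which were also
# reported as a vector.
ANTI_BCB4 = bytes([0x06, 0xd0, 0x06, 0xc0, 0x06, 0xe0,
                   0x09, 0xd0, 0x09, 0xc0, 0x09, 0xe0,
                   0xfa, 0xa3])

def resolve_thread_examples():
    """Recompute the targets the posts above quote, so they can be checked."""
    return {
        # Sub0341: R30 = (uns)4; push [R30+bcb4]; ret -> execution continues at e006
        "push_e006": push_indexed(ANTI_BCB4, 0xbcb4, 0xbcb4, 4),
        # the word at bcc0 is code (di; ldw ...), so read as a vector it gives a3fa
        "false_vector_bcc0": push_indexed(ANTI_BCB4, 0xbcb4, 0xbcb4, 12),
        "jne_bcc9": cond_branch_target(0xbcc9, 2, 0x3b),   # d7,3b       -> bd06
        "jb_bccb": cond_branch_target(0xbccb, 3, 0x1e),    # 3c,24,1e    -> bcec
        "djnz_41bb": cond_branch_target(0x41bb, 3, 0xf7),  # e0,34,f7    -> 41b5 (backwards)
        "sjmp_4079": sjmp_target(0x4079, 0x20, 0x7f),      # 20,7f       -> 40fa
        "call_2062": call_target(0x2062, 0xa1, 0xaf),      # ef,a1,af    -> d006
        "call_4191": call_target(0x4191, 0x72, 0x8e),      # ef,72,8e    -> d006
    }
```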

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 1:24 am
by jsa
I tried to add an element for a function with word values.

The function starts at C020 with FF FF, and I got an address already used message.

I was unable to delete Rf0+20 from the scalars branch of the tree.

Code:
8 c020: ff                Rf0+20 Sc0015       byte        ff                 255


8 c021: ff,87,0b,00,50,87,0b,00               Unknown Calibration

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 2:02 am
by Pym
jsa wrote:In the Tree View pane, left side of SAD806x, what is the Registers branch intended to convey?

Now I can continue ...

On ANTI (R6a to R74), like on other late 8061 and on 8065, I identify a routine that I call the Init routine, and I call these registers RConst in the code.
They are essentially used as shortcuts to address registers with big addresses. I could output them somewhere, but normally they do not appear in translated operations.
And the routine is easy to find in the tree (Calibration Init - CalInit).

To talk about the Registers part of the tree: at the beginning, I was not supposed to identify them automatically (this explains the issue when saving S6x).
But when it came to table scalers, it was necessary to store registers for linking objects, and I found it was dumb not to output this interesting information.
So, the registers that are automatically detected are only related to tables and functions, which should cover 90% of the interesting registers.
Effectively, I can now add another detection when they are related to scalars.

To come back to this engineering console, which I did not know about, it explains many things.
So d006, d009, ... are really vectors, but when related to a routine using [d00], we are not talking about ROM addresses.
It explains the use of d006(); which I had never understood. I will add this to the identification.
Any idea on the meaning of the [C80] address?

jsa wrote:Does SAD806x look at the opcode / address mode to conclude what is likely a vector or signed?

For vectors, it looks at the push operation and the previous ones, and checks that the resulting address is not in conflict with other elements.
For scalars, it looks at the opcode to detect type and sign.

For bca8+4 (=> 1000) or bcae+4 (C200), finally it is related to Rbase, but not in its classical definition; this code is clearer:
Code:
8 4195: a3,01,80,0c,32       ldw   R32,[c80]          R32 = [c80];         
8 419a: 36,32,06             jnb   B6,R32,41a3        if (!B6_R32) goto 41a3;
8 419d: a1,00,c2,30          ldw   R30,c200           R30 = c200;          // Same value that for ANTI but directly in code here, not in a structure
8 41a1: 20,09                sjmp  41ac               goto 41ac;           

8 41a3: c7,01,00,c0,00       stb   [c000],0           [c000] = 0;         
8 41a8: a1,22,20,30          ldw   R30,2022           R30 = 2022;          // First RBase rom address
8 41ac: a1,7c,00,32          ldw   R32,7c             R32 = 7c;                // First Rbase Code
8 41b0: b3,01,20,20,34       ldb   R34,[2020]         R34 = [2020];       // Levels number
8 41b5: a2,31,36             ldw   R36,[R30++]        R36 = [R30++];       
8 41b8: c2,33,36             stw   [R32++],R36        [R32++] = R36;       
8 41bb: e0,34,f7             djnz  R34,41b5           R34--; if (R34 !=  0) goto 41b5;

We can see 2 modes of execution (based on B6_[c80]):
the most important for me, the understandable and usable one, loads Rbases from the RBase ROM addresses ([2022] to [2030]) when !B6_[c80],
and the other one loads Rbases from [C200] to [C208]; the engineering console?
I hope it is the engineering console, because ANTI is using calibration elements at C200 and after.
On my side I am using patches on CXXX addresses.

On 8065 I do not see the same thing; I have a double loop on Rbases (one from startup and one from a vector), but Rbases always load normal ROM addresses.
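As an added example (Python written for this thread, not SAD806x's own code), the following emulates the Rbase loading loop quoted above, with both execution modes selected by bit 6 of [c80], and then resolves register-relative operands the way SAD806x prints them: a signed byte offset added to the register's word, which is what makes Rf0+20 land at c020, and ANTI's ldb R42,[R6e+a8] read [328] with R6e = 380 from the CalInit routine. The memory contents are constructed; the start register 7c, the addresses 2020, 2022, c000, c200 and the [c80] test are taken from the listing.

```python
# Added example, not SAD806x code: emulation of the Rbase-loading loop at
# 4195..41be (0FAB, quoted above) and of the register-relative operands it
# makes possible. The memory image is constructed; only the addresses in the
# listing (2020, 2022, c000, c200, bit 6 of [c80], start register 7c) are from it.

def sign8(b):
    """Signed 8-bit offset of an indexed operand such as [R6e+a8]."""
    return b - 0x100 if b & 0x80 else b

class Image:
    """Flat 64 KiB ROM/RAM image for the emulation (constructed contents)."""
    def __init__(self):
        self.mem = bytearray(0x10000)

    def put_words(self, addr, words):
        """Store little-endian words starting at addr."""
        for w in words:
            self.mem[addr] = w & 0xff
            self.mem[addr + 1] = (w >> 8) & 0xff
            addr += 2

    def word(self, addr):
        return self.mem[addr] | (self.mem[addr + 1] << 8)

def load_rbases(img):
    """Emulate 4195..41be: pick the source table from bit 6 of [c80], then copy
    [2020] words from that table into consecutive word registers from R7c."""
    regs = {}
    if img.mem[0xc80] & 0x40:        # jnb B6,R32,41a3 not taken
        src = 0xc200                 # ldw R30,c200
    else:
        img.mem[0xc000] = 0          # stb [c000],0
        src = 0x2022                 # ldw R30,2022
    dst = 0x7c                       # ldw R32,7c
    count = img.mem[0x2020]          # ldb R34,[2020]
    # djnz decrements before it tests, so the body runs at least once and a
    # count of 0 wraps to 256 iterations (the failure mode of a bad [2020]).
    for _ in range(count or 256):
        regs[dst] = img.word(src)    # ldw R36,[R30++] ; stw [R32++],R36
        src += 2
        dst += 2
    return regs

def resolve_indexed(regs, reg, offset_byte):
    """[Rxx+off] as SAD806x prints it: the register's word plus a signed byte offset."""
    return (regs[reg] + sign8(offset_byte)) & 0xffff

def demo():
    """Run the loop once per mode on a constructed image and return both register sets."""
    img = Image()
    img.mem[0x2020] = 3                                  # constructed: 3 Rbase levels
    img.put_words(0x2022, [0xc000, 0xc200, 0xc400])      # constructed ROM Rbase table
    img.put_words(0xc200, [0xd000, 0xd200, 0xd400])      # constructed console-side table
    normal = load_rbases(img)                            # [c80] still 0 -> ROM table
    img.mem[0xc80] = 0x40                                # console has set bit 6 of [c80]
    console = load_rbases(img)
    return normal, console
```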

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 2:21 am
by Pym
jsa wrote:I tried to add an element for a function with word values.
The function starts at C020 with FF FF, and I got an address already used message.
I was unable to delete Rf0+20 from the scalars branch of the tree.
Code:
8 c020: ff                Rf0+20 Sc0015       byte        ff                 255
8 c021: ff,87,0b,00,50,87,0b,00               Unknown Calibration


Yes, you cannot remove elements generated automatically, which is normal after disassembly.
If you skip the scalar and create a function, it will not work either, because it checks the existing address without taking the skip flag into account.
If you create the function before disassembling (without having the Scalar in the list), I have tested it, it crashes; this is an issue.
I cannot allow the possibility of creating duplicated addresses, but I should offer the option to overwrite the existing element, instead of showing a duplicate message.

Still a lot to do.

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 3:33 am
by jsa
Pym wrote:Now I can continue ...

Thanks, time zones are fun!
My head is ready to shutdown for the day LOL.

Pym wrote:On ANTI (R6a to R74), like on other late 8061 and on 8065, I identify a routine that I call the Init routine, and I call these registers RConst in the code.
They are essentially used as shortcuts to address registers with big addresses. I could output them somewhere, but normally they do not appear in translated operations.
And the routine is easy to find in the tree (Calibration Init - CalInit).


Ok, I see Calibration Init. It would be nice to see the R and its value in the tree somewhere.

Pym wrote:To come back to this engineering console, which I did not know about, it explains many things.
So d006, d009, ... are really vectors, but when related to a routine using [d00], we are not talking about ROM addresses.
It explains the use of d006(); which I had never understood. I will add this to the identification.
Any idea on the meaning of the [C80] address?


Yeah, it is a big jigsaw puzzle, with pieces of information scattered all over the place. It takes time to piece it together.

I believe D006 and D009 to be single byte scalars. EDIT: Ignore: See post, down 7, for OFAB

[C80] has me baffled. I do not see it elsewhere in ANTI or a couple other similar bins.
Incidentally R14=[C80] is overwritten by logging patch code, at the moment, in the definition.

Pym wrote:For bca8+4 (=> 1000) or bcae+4 (C200), finally it is related to Rbase, but not in its classical definition; this code is clearer:
Code:
8 4195: a3,01,80,0c,32       ldw   R32,[c80]          R32 = [c80];         
8 419a: 36,32,06             jnb   B6,R32,41a3        if (!B6_R32) goto 41a3;
8 419d: a1,00,c2,30          ldw   R30,c200           R30 = c200;          // Same value that for ANTI but directly in code here, not in a structure
8 41a1: 20,09                sjmp  41ac               goto 41ac;           

8 41a3: c7,01,00,c0,00       stb   [c000],0           [c000] = 0;         
8 41a8: a1,22,20,30          ldw   R30,2022           R30 = 2022;          // First RBase rom address
8 41ac: a1,7c,00,32          ldw   R32,7c             R32 = 7c;                // First Rbase Code
8 41b0: b3,01,20,20,34       ldb   R34,[2020]         R34 = [2020];       // Levels number
8 41b5: a2,31,36             ldw   R36,[R30++]        R36 = [R30++];       
8 41b8: c2,33,36             stw   [R32++],R36        [R32++] = R36;       
8 41bb: e0,34,f7             djnz  R34,41b5           R34--; if (R34 !=  0) goto 41b5;

We can see 2 modes of execution (based on B6_[c80]):

This code is not ANTI, what bin is it?

Pym wrote:the most important for me, the understandable and usable one, loads Rbases from the RBase ROM addresses ([2022] to [2030]) when !B6_[c80],
and the other one loads Rbases from [C200] to [C208]; the engineering console?
I hope it is the engineering console, because ANTI is using calibration elements at C200 and after.
On my side I am using patches on CXXX addresses.


C200 to C208 contains single byte scalars. EDIT: Ignore: See post, down 7, for OFAB

Pym wrote:On 8065 I do not see the same thing; I have a double loop on Rbases (one from startup and one from a vector), but Rbases always load normal ROM addresses.


Decipha knows EEC-V. I have had very little to do with them.

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 4:02 am
by Pym
jsa wrote:This code is not ANTI, what bin is it?

It's coming from the 0FAB bin and is globally the same for all 88-91 euro EEC IV.

jsa wrote:
Pym wrote:the most important for me, the understandable and usable one, loads Rbases from the RBase ROM addresses ([2022] to [2030]) when !B6_[c80],
and the other one loads Rbases from [C200] to [C208]; the engineering console?
I hope it is the engineering console, because ANTI is using calibration elements at C200 and after.
On my side I am using patches on CXXX addresses.


C200 to C208 contains single byte scalars.

But not in this case; the routine is using [d00] and [c80], so the conclusion is that the addresses are not the ones from ROM, but from J3 or something else.
Even if ANTI stores calibration elements from c000 to de14, this is not the case for previous EEC-IV, often storing these elements starting at 2400,
but it is "always" the same code using this c200.

I will try to quickly provide a corrected version for conflicts between S6x declared elements and automatically detected elements.
I know it is called SAD806x, but at the start it was created on a 100% automatic principle; the S6x "directive" definition was created later, at the beginning for labels and comments.
So S6x declared objects are really processed at the end of the disassembly. For example, when importing a SAD directive file, vectors are purely ignored, because the tool should be able to detect them alone.
I have to manage S6x declared objects earlier in the disassembly, and as a result it could get better performance.

You are talking about time zones? I should be 300 or 400 km away from you.

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 4:55 am
by jsa
Brisbane, Australia, 8.54pm. You in Europe, France or Belgium maybe ?

I will look at a couple other bin tomorrow.

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 5:46 am
by Pym
jsa wrote:Brisbane, Australia, 8.54pm. You in Europe, France or Belgium maybe ?

In France, so it is much more than this distance ... I have always thought you were in the UK, probably because of the Escort ;)

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 8:29 am
by Pym
jsa wrote:Another minor feature request, the called/jumped from address next to or near the subroutine is handy in the output file.
I realise it could get messy when called/jumped from multiple places. Maybe a line/s directly below the SubName and before code line/s.

Could you please provide an example ? Thanks

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 1:19 pm
by Pym
I have just uploaded a new version, essentially to give flexibility when wanting to override a detected item with a specified one,
for example, to permit overriding a detected scalar with a function, like a MAF transfer ;)
I do not understand why I had not thought it could need to be done, probably because I was hoping to detect everything ...
The issue with Registers vs performance is corrected, and the same for vectors on ANTI (it was finally a mistake in the code; the detection principle is good enough and stays as is).
And other things, but you do not need to know.

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 1:39 pm
by jsa
Jump, push and call examples, again pieces of ANTI code.

Most jumps are relatively local, so see the from addresses added to the end of the relevant lines for jumps within a Subroutine:
Code:
Sub0007:
8 22fb: b3,6e,a8,42          ldb   R42,[R6e+a8]       R42 = [328];         
8 22ff: 9b,f8,48,42          cmpb  R42,[Rf8+48]                           
8 2303: db,05                jc    230a               if ((uns) R42 >= [Sc0404]) goto 230a;
8 2305: 91,10,4b             orrb  R4b,10             R4b |= 10;           
8 2308: 20,09                sjmp  2313               goto 2313;           

8 230a: 9b,f8,47,42          cmpb  R42,[Rf8+47]                           
8 230e: d3,03                jnc   2313               if ((uns) R42 < [Sc0403]) goto 2313;
8 2310: 71,ef,4b             an2b  R4b,ef             R4b &= ef;           
8 2313: a3,6e,9c,42          ldw   R42,[R6e+9c]       R42 = [[31c]]             from 2308;
8 2317: 8b,f8,4c,42          cmpw  R42,[Rf8+4c]                           
8 231b: d3,05                jnc   2322               if ((uns) R42 < [Sc0406]) goto 2322;
8 231d: 91,08,4b             orrb  R4b,8              R4b |= 8;           
8 2320: 20,09                sjmp  232b               goto 232b;               

8 2322: 8b,f8,4a,42          cmpw  R42,[Rf8+4a]                           
8 2326: db,03                jc    232b               if ((uns) R42 >= [Sc0405]) goto 232b;
8 2328: 71,f7,4b             an2b  R4b,f7             R4b &= f7;           
8 232b: 3f,ce,0b             jb    B7,Rce,2339        if (B7_Rce)      from 2320 goto 2339;
8 232e: 34,4b,08             jnb   B4,R4b,2339        if (!B4_R4b)               goto 2339;
8 2331: 33,4b,05             jnb   B3,R4b,2339        if (!B3_R4b)               goto 2339;
8 2334: 91,20,4b             orrb  R4b,20             R4b |= 20;           
8 2337: 20,03                sjmp  233c               goto 233c;           

8 2339: 71,df,4b             an2b  R4b,df             R4b &= df;      from 232b 232e 2331;   
8 233c: 3a,da,10             jb    B2,Rda,234f        if (B2_Rda)     from 233c goto 234f;
8 233f: 3d,4b,0d             jb    B5,R4b,234f        if (B5_R4b)               goto 234f;
8 2342: fa                   di                       disable ints;       
8 2343: 36,4b,06             jnb   B6,R4b,234c        if (!B6_R4b) goto 234c;
8 2346: 71,bf,4b             an2b  R4b,bf             R4b &= bf;           
8 2349: 91,80,4b             orrb  R4b,80             R4b |= 80;           
8 234c: fb                   ei                       enable ints               from 2343;         
8 234d: f8                   clc                      CY = 0;             
8 234e: f0                   ret                      return;             


Calls tend to be from other Subs, so an extra line for a sub to sub call.
Code:
Sub0048:
Call    8 3980 Sub0047    8 3987 Sub0047    8 3991 Sub0047    8 3998 Sub0047

8 39f4: b3,6c,91,18          ldb   R18,[R6c+91]       R18 = [211];         


A possible (would need to follow all code branches to confirm) Push example
and Sjump from other Subs to Sub0057
Code:
Sub0052:
.
.
8 4079: 20,7f                sjmp  40fa               goto Sub0057;       
.
.
.
Sub0057:
Jump   8 4079 Sub0052
Push   8 446a Sub0075

8 40fa: ae,19,14             ldzbw R14,[R18++]        R14 = (uns)[R18++]; 


Sub0075:
.
.
8 446a: c9,fa,40             push  40fa               push(Sub0057);       
       


Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 1:47 pm
by jsa
Pym wrote:In France, so it is much more than this distance ... I have always thought you were in UK, probably because of the Escort ;)


Yeah, not many Cossies down under.

Pym wrote:I have just uploaded a new version
.
.
.
And other things, but you do not need to know


Thanks I'll give it a whirl.
What I don't know don't hurt ;)

Re: SAD 806x Disassembler

Posted: Fri Nov 24, 2017 4:57 pm
by jsa
Pym wrote:
jsa wrote:This code is not ANTI, what bin is it?

It's coming from the 0FAB bin and is globally the same for all 88-91 euro EEC IV.


Ok. I follow now.

First some more info for you. Apparently there was a Calibration Console as well using D000 to DFFF.
GHAJ0/ANTI's console routines are laid out similar to the USA GUFB and CBAZA strategies. I think for year-of-release reasons, not geographical. OFAB's console routine layout looks like earlier USA bins like LA3 and PK.

Looking at OFAB code;

This, for me, is the "Engineering Console" routine to target for a logging patch code,
because it has the IO and timing checks.
Code:
Sub0002:
8 2032: ef,36,27             call  476b               Sub0036();           
8 2035: 38,0a,fd             jb    B0,R0a,2035        if (B0_HSO_OVF) goto 2035;
8 2038: b0,0b,d0             ldb   Rd0,R0b            Rd0 = HSI_SAMP;     
8 203b: b0,d1,0c             ldb   R0c,Rd1            HSI_MASK = Rd1;     
8 203e: b1,2b,08             ldb   R08,2b             INT_MASK = 2b;       
8 2041: c3,01,00,02,06       stw   [200],R06          [200] = IO_TIMER;   
8 2046: a3,01,00,0d,30       ldw   R30,[d00]          R30 = CC_PRESENT;   
8 204b: 99,2a,30             cmpb  R30,2a                                 
8 204e: d7,17                jne   2067               if (R30 != 2a) goto 2067;
8 2050: 45,20,03,06,9e       ad3w  R9e,R06,320        R9e = IO_TIMER + 320;
8 2055: a0,9e,0e             ldw   R0e,R9e            HSO_TIME = R9e;     
8 2058: b1,0f,0d             ldb   R0d,f              HSO_CMD = f;         
8 205b: 91,10,ed             orrb  Red,10             Red |= 10;           
8 205e: 17,05                incb  R05                WD_TIMER++;         
8 2060: 17,05                incb  R05                WD_TIMER++;         
8 2062: ef,a1,af             call  d006               d006();             
8 2065: 20,0b                sjmp  2072               goto 2072;           


This one, the subject of your previous post.
I have commented, at the end of code, how I think it works.
Code:
Sub0021:
8 417c: fb                   ei                       enable ints;         
8 417d: a3,01,00,0d,32       ldw   R32,[d00]          R32 = CC_PRESENT;               
8 4182: 99,2a,32             cmpb  R32,2a                                             # [RD00]=0x2A=Console Present
8 4185: d7,38                jne   41bf               if (R32 != 2a) goto 41bf;       # Console Not Present goto 41bf
8 4187: a3,01,30,c0,30       ldw   R30,[c030]         R30 = [ECn8007];                # Console c030 must contain a RAM address
8 418c: fa                   di                       disable ints;       
8 418d: ff                   ff                                           
8 418e: 91,10,ed             orrb  Red,10             Red |= 10;                      # Red Bit 4 set to 1
8 4191: ef,72,8e             call  d006               d006(); Call                    # Immediate 4194+8e72=d006
                                                                                      # 0xd006 Must be address of subroutine served by console
8 4194: fb                   ei                       enable ints;         
8 4195: a3,01,80,0c,32       ldw   R32,[c80]          R32 = [c80];                    # c80 must be bit bits see 8 419a
                                                                                      # Possibly c80 written by console Sub0xd006?
                                                                                      # 8 2f78 not looking relevant
8 419a: 36,32,06             jnb   B6,R32,41a3        if (!B6_R32) goto 41a3;         # B6 of [c80] clear 0 so goto 41a3
                                                                                      # Default [c80] at startup likely to be 0x00
                                                                                      # So unless console sets [c80]
                                                                                      # normal Rbases are loaded.
                                                                                      # Console sets [c80] then
                                                                                      # console Rbases are loaded
8 419d: a1,00,c2,30          ldw   R30,c200           R30 = c200;         
8 41a1: 20,09                sjmp  41ac               goto 41ac;           

8 41a3: c7,01,00,c0,00       stb   [c000],0           [c000] = 0;         
8 41a8: a1,22,20,30          ldw   R30,2022           R30 = 2022;         
8 41ac: a1,7c,00,32          ldw   R32,7c             R32 = 7c;           
8 41b0: b3,01,20,20,34       ldb   R34,[2020]         R34 = [2020];       
8 41b5: a2,31,36             ldw   R36,[R30++]        R36 = [R30++];       
8 41b8: c2,33,36             stw   [R32++],R36        [R32++] = R36;       
8 41bb: e0,34,f7             djnz  R34,41b5           R34--; if (R34 !=  0) goto 41b5;
8 41be: f0                   ret                      return;             

8 41bf: 91,10,ed             orrb  Red,10             Red |= 10;            From 4185;# Console Not Present



Code:
8 4205: a3,01,00,0d,32       ldw   R32,[d00]          R32 = CC_PRESENT;   
8 420a: 99,2a,32             cmpb  R32,2a                                 
8 420d: d7,99                jne   41a8               if (R32 != 2a) goto 41a8;


With mysterious console Subroutine D009
Code:
8 45fe: 71,ef,ed             an2b  Red,ef             Red &= ef;           
8 4601: a3,01,00,0d,54       ldw   R54,[d00]          R54 = CC_PRESENT;   
8 4606: 99,2a,54             cmpb  R54,2a                                 
8 4609: d7,f1                jne   45fc               if (R54 != 2a) goto 45fc;
8 460b: f3                   popp                     pop(PSW);           
8 460c: e7,fa,89             jump  d009               goto d009;           


Pym wrote:The most important for me, the understandable and usable one, to load Rbases from RBase rom addresses ([2022] to [2030]) when !B6_[c80]


As noted with code above, my best guess, [C80] has not been set by the console, so the routine proceeds with normal Rbase loading.
For d006() and d009() it is Call _Immediate_ address mode, so I think D006 is the address of a subroutine served by a Console.
Not a [Vector] stored in d006 or d009.

Pym wrote:But not in this case, routine is using [d00] and [c80], as conclusion addresses are not the ones from ROM, but from J3 or something else.
Even if ANTI stores calibration elements from c000 to de14, this is not the case for previous EEC-IV, often storing this element starting at 2400.
but this is "always" the same code using this c200.


I think eventually Ford ran out of space and had to use higher addresses for calibration elements. CBAZA has calibration elements up in the Dxxx range. So purely on an age basis a layout change was made using console space for normal code.
So the console routines would overwrite some normal calibration elements, once the console takes over, and the console code managed that somehow. Who knows, maybe the "Calibration Console" became redundant and only the "Engineering" remained as a tool.

From a disassembly perspective, the normal calibration elements must take precedence over Console Routine elements, as a console must be present and other conditions met before console elements are served in place of normal.

Pym wrote:I will try to provide quickly a corrected version for conflicts between S6x declared elements and automatically detected elements,

V1.1 does the trick, thank you.

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 12:41 am
by Pym
Thank you for the information, this is what I was supposing.
The best thing I can do is to detect the routine using [d00] and [c80], to prefix related addresses with "CC_", to flag related vectors in the same way,
and not to manage them at all when creating scalars.
I will have a look at the technical documentation to find additional information.

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 1:07 am
by Pym
On the same topic, information on the Calibration Console, related to EEC IV 2nd generation.
I can see a reference to EEC IV 8065 Pilot; have you ever heard about it?

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 1:34 am
by jsa
Oh, yes, been a while, I knew I read about the console address ranges somewhere. Maybe also in the eectech document.
The document ties in nicely with the code, so that makes things clear.

Saw some pics of a console on ebay a long time ago.

I asked sailorbob about the eec-v pilot some time ago, and he had never seen one in the wild.

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 3:12 am
by Pym
EEC Technical notes 1998 describes 2 tools:
Engineering Console : a lab instrument for real-time program debug and monitor of the EEC-IV system
and
Calibration Console : a portable unit for vehicle use to permit field display
and modification of program memory

with dedicated and separated memory addresses:
Calibration Console : Registers between [c00] and [fff], memory between [c000] and [dfff]
Engineering Console : Registers between [1000] and [1fff], memory between [e000] and [ffff]

It becomes clearer; we had not talked about these addresses in code, [1e00] and [1ff2], but now I know how to manage them.

Same principle, they will have a prefix EC or CC based on their range, based on the routine using related registers addresses.
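As an added example, not part of this thread or of SAD 806x, the Python below models the Rbase-loading routine jsa walked through above (Sub0021, 417d to 41be) together with the console address ranges just listed, so the effect of [d00] and bit 6 of [c80] on which table gets copied can be checked against a constructed memory image. It assumes the console-not-present branch ends in the ROM path, as the GUFB/A9L listing does at 84ba; all memory contents and table words are constructed, and the helper names are mine.

```python
# Added example, not from the thread or SAD 806x; memory contents are constructed.

CC_PRESENT_ADDR = 0xD00    # [d00] == 0x2a: Calibration Console present
CC_FLAGS_ADDR = 0xC80      # [c80] bit 6 set: console has supplied its Rbases
RBASE_COUNT_ADDR = 0x2020  # [2020]: number of Rbase words to copy
ROM_RBASE_TABLE = 0x2022   # normal Rbase words in ROM
CC_RBASE_TABLE = 0xC200    # console RAM copy of the Rbase words
RBASE_REG_FILE = 0x7C      # first register the words are copied into

def console_prefix(addr):
    """CC/EC prefix per the 1998 EEC Technical Notes ranges, else None."""
    if 0xC00 <= addr <= 0xFFF or 0xC000 <= addr <= 0xDFFF:
        return "CC"
    if 0x1000 <= addr <= 0x1FFF or 0xE000 <= addr <= 0xFFFF:
        return "EC"
    return None

def load_rbases(mem):
    """Emulate 417d..41be on mem (dict addr -> byte); returns (table, {reg: word})."""
    def rd_w(a):                              # ldw: 16-bit little-endian read
        return mem.get(a, 0) | (mem.get(a + 1, 0) << 8)
    # 4182 cmpb R32,2a tests the low byte of [d00]; 419a jnb B6,R32 tests bit 6 of [c80]
    if mem.get(CC_PRESENT_ADDR, 0) == 0x2A and mem.get(CC_FLAGS_ADDR, 0) & 0x40:
        table = CC_RBASE_TABLE                # 419d: ldw R30,c200
    else:
        mem[0xC000] = 0                       # 41a3: stb [c000],0 (assumed also reached
        table = ROM_RBASE_TABLE               # 41a8 with no console, as GUFB 84ba->84e8)
    src, dst = table, RBASE_REG_FILE          # 41ac: ldw R32,7c
    count = mem.get(RBASE_COUNT_ADDR, 0) or 256   # 41b0 ldb R34,[2020]; djnz on 0 wraps
    regs = {}
    for _ in range(count):                    # 41b5..41bb copy loop
        regs[dst] = rd_w(src)                 # ldw R36,[R30++] ; stw [R32++],R36
        src, dst = src + 2, dst + 2
    return table, regs

def make_mem(console_present, console_rbases):
    mem = {RBASE_COUNT_ADDR: 3}               # constructed: three words in each table
    for base, words in ((ROM_RBASE_TABLE, (0x1234, 0x5678, 0x9ABC)),
                        (CC_RBASE_TABLE, (0x0A00, 0x0B00, 0x0C00))):
        for i, w in enumerate(words):
            mem[base + 2 * i], mem[base + 2 * i + 1] = w & 0xFF, w >> 8
    if console_present:
        mem[CC_PRESENT_ADDR] = 0x2A
    if console_rbases:
        mem[CC_FLAGS_ADDR] = 0x40
    return mem

if __name__ == "__main__":
    for present, supplied in ((False, False), (True, False), (True, True)):
        print(present, supplied, load_rbases(make_mem(present, supplied)))
```

Only the console-present-and-[c80]-bit-6 case copies from the CC range (c200); the other two cases clear [c000] and copy the ROM table at 2022.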

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 8:43 pm
by jsa
Pym wrote:EEC Technical notes 1998 describes 2 tools:
.
.
Calibration Console : a portable unit for vehicle use to permit field display
and modification of program memory


With the introduction of FDS2000 and WDS, you can imagine the calibration console would become redundant.

Pym wrote: we had not talked about these addresses in code, [1e00] and [1ff2], but now I know how to manage them.

Same principle, they will have a prefix EC or CC based on their range, based on the routine using related registers addresses.


Indeed.

Be aware more recent bins, including GHAJ0/ANTI, use [1f1c].

Here is GUFB/A9L which has a bit of both.
Code:
Sub0258:
8 84b2: a3,01,00,0d,14       ldw   R14,[d00]          R14 = CC_PRESENT;   
8 84b7: 99,2a,15             cmpb  R15,2a                                 
8 84ba: d7,2c                jne   84e8               if (R15 != 2a) goto 84e8;
8 84bc: 3c,24,1b             jb    B4,R24,84da        if (B4_R24) goto 84da;
8 84bf: 38,0a,18             jb    B0,R0a,84da        if (B0_HSO_OVF) goto 84da;
8 84c2: 47,01,0e,20,06,80    ad3w  R80,R06,[200e]     R80 = IO_TIMER + [200e];
8 84c8: d7,02                jne   84cc               if (IO_TIMER != [200e]) goto 84cc;
8 84ca: 07,80                incw  R80                R80++;               
8 84cc: c3,01,1a,c1,80       stw   [c11a],R80         [c11a] = R80;       
8 84d1: a0,80,0e             ldw   R0e,R80            HSO_TIME = R80;     
8 84d4: b1,0f,0d             ldb   R0d,f              HSO_CMD = f;         
8 84d7: ef,2c,4b             call  d006               d006();             
8 84da: a3,01,80,0c,14       ldw   R14,[c80]          R14 = [c80];         
8 84df: 36,14,06             jnb   B6,R14,84e8        if (!B6_R14) goto 84e8;
8 84e2: a1,00,c2,14          ldw   R14,c200           R14 = c200;         
8 84e6: 20,09                sjmp  84f1               goto 84f1;           

8 84e8: c7,01,00,c0,00       stb   [c000],0           [c000] = 0;         
8 84ed: a1,22,20,14          ldw   R14,2022           R14 = 2022;         
8 84f1: 3c,24,01             jb    B4,R24,84f5        if (B4_R24) goto 84f5;
8 84f4: fb                   ei                       enable ints;         
8 84f5: a1,f0,00,18          ldw   R18,f0             R18 = f0;           
8 84f9: b3,01,20,20,1a       ldb   R1a,[2020]         R1a = [2020];       
8 84fe: a2,15,1c             ldw   R1c,[R14++]        R1c = [R14++];       
8 8501: c2,19,1c             stw   [R18++],R1c        [R18++] = R1c;       
8 8504: e0,1a,f7             djnz  R1a,84fe           R1a--; if (R1a !=  0) goto 84fe;
8 8507: 3c,24,22             jb    B4,R24,852c        if (B4_R24) goto Sub0259;
8 850a: a3,01,f2,1f,42       ldw   R42,[1ff2]         R42 = [1ff2];       
8 850f: 89,1c,1f,42          cmpw  R42,1f1c                               
8 8513: d7,17                jne   852c               if (R42 != 1f1c) goto Sub0259;
8 8515: a1,a5,a5,42          ldw   R42,a5a5           R42 = a5a5;         
8 8519: c3,01,f6,1f,42       stw   [1ff6],R42         [1ff6] = R42;       
8 851e: 8b,01,f6,1f,42       cmpw  R42,[1ff6]                             
8 8523: d7,07                jne   852c               if (R42 != [1ff6]) goto Sub0259;
8 8525: c9,2c,85             push  852c               push(Sub0259);       
8 8528: cb,01,f2,1f          push  [1ff2]             push([1ff2]);       

Re: SAD 806x Disassembler

Posted: Sat Nov 25, 2017 8:57 pm
by jsa
What are the input conditions for multibanks with regard to size and order?

4TAD causes crash. See attached pic. BIN also attached.
Open 4TAD
Save s6x
Select Disassemble
SAD806x exits
SAD806xcrash.png

Re: SAD 806x Disassembler Feature Request

Posted: Sat Nov 25, 2017 9:37 pm
by jsa
Another feature request to consider.

Add a menu item under Output to open the output text file with the chosen Windows default text editor.

Re: SAD 806x Disassembler

Posted: Sun Nov 26, 2017 2:55 am
by Pym
jsa wrote:What are the input conditions for multibanks with regard to size and order?

4TAD causes crash. See attached pic. BIN also attached.
Open 4TAD
Save s6x
Select Disassemble
SAD806x exits
SAD806xcrash.png


The Disassembly menu should not be active when the binary file is not recognized; it seems that when you save the S6x, it activates the menu, which is an issue.
The binary is recognized as a single bank 8065, but I have not managed this for 8065, it is the first time I see one.
Do you know the year of the related car? Was it really an EEC V?

jsa wrote:Another feature request to consider.
Add a menu item under Output to open the output text file with the chosen Windows default text editor.

Double click on the name of the text file in the menu, it will do what you are expecting.
Some other things like this have to be known.
- VID Block information, when available, is accessible when clicking on the top status box.
- Corrected checksum, when checksum is calculated as invalid, is accessible when clicking on the bottom status box.

Re: SAD 806x Disassembler

Posted: Sun Nov 26, 2017 3:19 am
by jsa
SAD reports as EEC-V.

Supposedly 88kb.
viewtopic.php?f=99&t=2084&p=26528&hilit=4tad#p26528

I will PM Ranga83. 96 Falcon according to his profile.

Ah, hence the unusual way the file name appears in the menu.

Re: SAD 806x Disassembler

Posted: Sun Nov 26, 2017 3:41 am
by Pym
jsa wrote:SAD reports as EEC-V.

Supposedly 88kb.
http://www.efidynotuning.com/forum/view ... tad#p26528

I will PM Ranga83. 96 Falcon according to his profile.

Ah, hence the unusual way the file name appears in the menu.

Interrupt vectors say it is an 8065, but if you look at the code, it is clearly not; it is a late 8061.
Probably this EEC IV 8065 pilot we were talking about, able to manage 8065 external chips and labelled EEC V.
I will do something to manage it.