Mapping code vs. data areas

Use a commented disassembly to help navigate the new binary

At this point we have an initial symbol file (ECU.sym) and need to start looking at a reference disassembly to guide us. Luckily we have the famous E391/E392 disassembly by Christian/christi999@hotmail.com to use as an example!

Remember our symbol file so far

ECU.sym

org 8000
data	8000		epromStart
org	ceff
code	ceff		codeStart
data	cf02		empty2
data	d000		obdTable
code	d03e		reset
code	d052		ecuInit
data  E0DB    moredata
org	ffe0
vector	ffe0		intVector

Getting back to our partial disassembly, let's take a look where we hit the data area earlier and see if we can sort things out a little, as there is still a bunch of code to be uncovered.

...
E0CD 7E E5 F2    L4345               jmp     $e5f2
E0D0 86 86                           ldaa    #$86
E0D2 C6 8A                           ldab    #$8a
E0D4 97 ED                           staa    $ed
E0D6 97 EF                           staa    $ef
E0D8 D7 EE                           stab    $ee
E0DA 39                              rts     
E0DB 02 00 40 00 moredata            .byte   $02, $00, $40, $00
E0DF 80 00 00 01                     .byte   $80, $00, $00, $01
...

Since the addresses are shifted around we can't just go to the same line in the commented E391/E392 listing. Instead we can poke around a bit. Lets use the last operation before RTS and see if we can find anything familiar. Copy the bytes D7 EE from line E0D8 and do a text search in the commented listing. Only one match! What great luck.

standard_E931.lst

...
6475   E51C             #endif
6476   E51C             
6477   E51C 97 ED       L1448       staa    iscY0                                                 
6478   E51E 97 EF                   staa    iscY2                                                 
6479   E520 D7 EE                   stab    iscY1                                                 
6480   E522 39                      rts                                                          
6481   E523             
6482   E523             
6483   E523             
6484   E523             ;******************************************************************
6485   E523             ;
6486   E523             ;
6487   E523             ; Sensor check related table, 
6488   E523             ; correspond one for one to table at t_snsrChk
6489   E523             ; Each entry is the bit to set/reset in the faulth:faultl 
6490   E523             ; for the corresponding sensor
6491   E523             ;
6492   E523             ;
6493   E523             ;******************************************************************
6494   E523 02 00 40 00 t_snsrChkBit  .word   $0200, $4000, $8000, $0001    
6494   E527 80 00 00 01 
6495   E52B 00 08 00 10               .word   $0008, $0010, $0040, $2000    
6495   E52F 00 40 20 00 
6496   E533 00 04 04 00               .word   $0004, $0400, $0800, $0002    
6496   E537 08 00 00 02
...

Look at that! On line E520 we have the match, and around it all the bytes match up! First lets change the place holder label moredata to the actual table name. In our symbol file we change data E0DB moredata to:

ECU.sym

data  E0DB    t_snsrChkBit

Re-run the disassembler and it is labeled properly! If we look in the commented listing file, we see there are two more small data tables before returning to code. Match the bytes from the commented listing file. Update the symbol file as necessary, add the following lines:

ECU.sym

data  E11B    t_obdActMask
data  E121    t_obdInjMask

Result:

...
E0CD 7E E5 F2    L4345               jmp     $e5f2
E0D0 86 86                           ldaa    #$86
E0D2 C6 8A                           ldab    #$8a
E0D4 97 ED                           staa    $ed
E0D6 97 EF                           staa    $ef
E0D8 D7 EE                           stab    $ee
E0DA 39                              rts     
E0DB 02 00 40 00 t_snsrChkBit        .byte   $02, $00, $40, $00
E0DF 80 00 00 01                     .byte   $80, $00, $00, $01
E0E3 00 08 00 10                     .byte   $00, $08, $00, $10
E0E7 00 40 20 00                     .byte   $00, $40, $20, $00
E0EB 00 04 04 00                     .byte   $00, $04, $04, $00
E0EF 08 00 00 02                     .byte   $08, $00, $00, $02
E0F3 11 12 13 14                     .byte   $11, $12, $13, $14
E0F7 15 21 22 23                     .byte   $15, $21, $22, $23
E0FB 24 25 31 41                     .byte   $24, $25, $31, $41
E0FF 42 43 44 00                     .byte   $42, $43, $44, $00
E103 E3 2F E3 44                     .byte   $e3, $2f, $e3, $44
E107 E3 51 E3 68                     .byte   $e3, $51, $e3, $68
E10B E3 8F E3 AF                     .byte   $e3, $8f, $e3, $af
E10F E3 BF E3 EE                     .byte   $e3, $bf, $e3, $ee
E113 E3 D1 E3 D7                     .byte   $e3, $d1, $e3, $d7
E117 E3 DD E4 2C                     .byte   $e3, $dd, $e4, $2c
E11B 20 10 08 04 t_obdActMask        .byte   $20, $10, $08, $04
E11F 01 02                           .byte   $01, $02
E121 FB FD F7 FE t_obdInjMask        .byte   $fb, $fd, $f7, $fe
E125 B6 01 35 8B                     .byte   $b6, $01, $35, $8b
E129 01 24 19 02                     .byte   $01, $24, $19, $02
...

Getting back to code

Since we know where t_obdInjMask ends we can resume code disassembly after it. Add to the symbol file:

ECU.sym

code  E125    somecode

Running it again we get a bunch of new code! However we have landed on another invalid OP code. After some more byte sleuthing we find another small data area t_errCodeShift followed immediately by L_heartBeat. Update the symbol file accordingly:

ECU.sym

data  E286    t_errCodeShift
code  E28E    L_heartBeat

Rinse and repeat a final time

ECU.sym

data  F3C5    t_something

Finally the disassembler ends with the vector table and we should have all the code and data areas mapped!