Mapping code vs. data areas
Use a commented disassembly to help navigate the new binary
At this point we have an initial symbol file (ECU.sym) and need to start looking at a reference disassembly to guide us. Luckily we have the famous E391/E392 disassembly by Christian/christi999@hotmail.com to use as an example!
org 8000
data 8000 epromStart
org ceff
code ceff codeStart
data cf02 empty2
data d000 obdTable
code d03e reset
code d052 ecuInit
data E0DB moredata
org ffe0
vector ffe0 intVectorGetting back to our partial disassembly, let's take a look where we hit the data area earlier and see if we can sort things out a little, as there is still a bunch of code to be uncovered.
...
E0CD 7E E5 F2 L4345 jmp $e5f2
E0D0 86 86 ldaa #$86
E0D2 C6 8A ldab #$8a
E0D4 97 ED staa $ed
E0D6 97 EF staa $ef
E0D8 D7 EE stab $ee
E0DA 39 rts
E0DB 02 00 40 00 moredata .byte $02, $00, $40, $00
E0DF 80 00 00 01 .byte $80, $00, $00, $01
...Since the addresses are shifted around we can't just go to the same line in the commented E391/E392 listing. Instead we can poke around a bit. Lets use the last operation before RTS and see if we can find anything familiar. Copy the bytes D7 EE from line E0D8 and do a text search in the commented listing. Only one match! What great luck.
...
6475 E51C #endif
6476 E51C
6477 E51C 97 ED L1448 staa iscY0
6478 E51E 97 EF staa iscY2
6479 E520 D7 EE stab iscY1
6480 E522 39 rts
6481 E523
6482 E523
6483 E523
6484 E523 ;******************************************************************
6485 E523 ;
6486 E523 ;
6487 E523 ; Sensor check related table,
6488 E523 ; correspond one for one to table at t_snsrChk
6489 E523 ; Each entry is the bit to set/reset in the faulth:faultl
6490 E523 ; for the corresponding sensor
6491 E523 ;
6492 E523 ;
6493 E523 ;******************************************************************
6494 E523 02 00 40 00 t_snsrChkBit .word $0200, $4000, $8000, $0001
6494 E527 80 00 00 01
6495 E52B 00 08 00 10 .word $0008, $0010, $0040, $2000
6495 E52F 00 40 20 00
6496 E533 00 04 04 00 .word $0004, $0400, $0800, $0002
6496 E537 08 00 00 02
...Look at that! On line E520 we have the match, and around it all the bytes match up! First lets change the place holder label moredata to the actual table name. In our symbol file we change data E0DB moredata to:
data E0DB t_snsrChkBitRe-run the disassembler and it is labeled properly! If we look in the commented listing file, we see there are two more small data tables before returning to code. Match the bytes from the commented listing file. Update the symbol file as necessary, add the following lines:
data E11B t_obdActMask
data E121 t_obdInjMaskResult:
...
E0CD 7E E5 F2 L4345 jmp $e5f2
E0D0 86 86 ldaa #$86
E0D2 C6 8A ldab #$8a
E0D4 97 ED staa $ed
E0D6 97 EF staa $ef
E0D8 D7 EE stab $ee
E0DA 39 rts
E0DB 02 00 40 00 t_snsrChkBit .byte $02, $00, $40, $00
E0DF 80 00 00 01 .byte $80, $00, $00, $01
E0E3 00 08 00 10 .byte $00, $08, $00, $10
E0E7 00 40 20 00 .byte $00, $40, $20, $00
E0EB 00 04 04 00 .byte $00, $04, $04, $00
E0EF 08 00 00 02 .byte $08, $00, $00, $02
E0F3 11 12 13 14 .byte $11, $12, $13, $14
E0F7 15 21 22 23 .byte $15, $21, $22, $23
E0FB 24 25 31 41 .byte $24, $25, $31, $41
E0FF 42 43 44 00 .byte $42, $43, $44, $00
E103 E3 2F E3 44 .byte $e3, $2f, $e3, $44
E107 E3 51 E3 68 .byte $e3, $51, $e3, $68
E10B E3 8F E3 AF .byte $e3, $8f, $e3, $af
E10F E3 BF E3 EE .byte $e3, $bf, $e3, $ee
E113 E3 D1 E3 D7 .byte $e3, $d1, $e3, $d7
E117 E3 DD E4 2C .byte $e3, $dd, $e4, $2c
E11B 20 10 08 04 t_obdActMask .byte $20, $10, $08, $04
E11F 01 02 .byte $01, $02
E121 FB FD F7 FE t_obdInjMask .byte $fb, $fd, $f7, $fe
E125 B6 01 35 8B .byte $b6, $01, $35, $8b
E129 01 24 19 02 .byte $01, $24, $19, $02
...Getting back to code
Since we know where t_obdInjMask ends we can resume code disassembly after it. Add to the symbol file:
code E125 somecodeRunning it again we get a bunch of new code! However we have landed on another invalid OP code. After some more byte sleuthing we find another small data area t_errCodeShift followed immediately by L_heartBeat. Update the symbol file accordingly:
data E286 t_errCodeShift
code E28E L_heartBeatRinse and repeat a final time
data F3C5 t_somethingFinally the disassembler ends with the vector table and we should have all the code and data areas mapped!
Last updated
Was this helpful?