DSM-ECU
  • Welcome
  • Resources
  • Disassembly from scratch
    • Things you need
    • Starting disassembly of a new binary
    • Mapping code vs. data areas
    • Assembly
    • Registers
    • Routine labels - easy mode
    • RAM/Variables
    • The "fun" part
  • Disassembly with Ghidra
    • Add TMP76C75T to Ghidra
    • Easy mode
    • SLEIGH Hints
  • Chips
    • IC MH6111 (TMP76C75T)
    • TMP76C75T Engineering Sample
    • IC MH6311F (TMP76C55T)
    • IC E303 (M60011)
    • IC E310 (M59107)
    • IC E315 (M65013L)
    • IC E320 (M65025)
    • 27C256
  • Hybrid boards
    • E528A
    • E518A
    • E527/E538
    • MA7815(B)
    • M67805 (Knock)
  • MC6801 vs. TMP76C75T
    • xDIV
  • Jellybean
    • Resistors
    • Driver Transistors
    • Power Transistors
  • MH6211 Differences
    • Vector Tables
Powered by GitBook
On this page
  • Initial symbol file
  • Vector Table

Was this helpful?

  1. Disassembly from scratch

Starting disassembly of a new binary

Building a symbol file for an unknown binary

Initial symbol file

Using known fixed addresses in most (era appropriate) Mitsubishi ECU code, we can get started. Create a symbol file (ECU.sym as an example here) and add the following lines:

ECU.sym
org 8000
data	8000		epromStart
org	ceff
code	ceff		codeStart
data	cf02		empty2
data	d000		obdTable
code	d03e		reset
code	d052		ecuInit

Once you have that ready, test it out:

$ ./7675Disassm -l -r ECU.bin ECU.sym

At this point only a partial disassembly will be produced. It will probably halt on a line like this:

...
E0F2 02 11 12                        andm    $11, #$12
E0F5                                 0x13    
10000                                  .end

On line E0F5 there is a 13h (0x13) which means the byte it was decoding is an invalid OP code. This means that it is probably in a data area. Looking at the code further shows a number of TEST and NOP operations, which again is a sure sign of being in a data area:

...
E0DA 39                              rts     
E0DB 02 00 40                        andm    $00, #$40
E0DE 00                              test    
E0DF 80 00                           suba    #$00
E0E1 00                              test    
E0E2 01                              nop     
E0E3 00                              test    
E0E4 08                              inx     
E0E5 00                              test    
E0E6 10                              sba     
E0E7 00                              test    
E0E8 40                              nega    
E0E9 20 00                           bra     L4346
E0EB 00          L4346               test    
E0EC 04                              lsrd    
E0ED 04                              lsrd    
E0EE 00                              test    
E0EF 08                              inx     
E0F0 00                              test    
E0F1 00                              test    
E0F2 02 11 12                        andm    $11, #$12
E0F5                                 0x13   
...

Spotting a RTS just before tests and NOPs start showing up looks like valid code, so we tell the disassembler to start a data area just after it. Add the following to the symbol file:

ECU.sym
data  E0DB    moredata

At this point we should be getting most, if not all of the binary out, mostly as if it were data. Don't panic, we still have some known fixed addresses to help sort things out.

Vector Table

Add the following to the symbol file:

ECU.sym
org	ffe0
vector	ffe0		intVector

At this point the disassembler should run through the entire binary, ending with a vector table.

PreviousThings you needNextMapping code vs. data areas

Last updated 3 years ago

Was this helpful?