Reverse Engineering Information
Jump to navigation
Jump to search
Purpose of this section
Helpful links
Quick Reference
Memory address lookup
Registers a0, a1, a8, and a9 are used as offsets when the code needs to reference different memory locations. There's a table in the ECU that sets up those offsets at boot:
0000:808835CC movh.a a0, #0xD002 0000:808835D0 lea a0, [a0]-0x8000 0000:808835D4 movh.a a1, #0xA081 0000:808835D8 lea a1, [a1]-0x8000 0000:808835DC movh.a a8, #0x8005 0000:808835E0 lea a8, [a8]-0x7800 0000:808835E4 movh.a a9, #0xD001 0000:808835E8 lea a9, [a9]-0x4000
What that means, is that at any point in the code, these registers always have the following values:
a0: 0xD0018000 a1: 0xA0808000 a8: 0x80048800 a9: 0xD000C000
18.10:
a0: 0xD0018000 a1: 0x80828000 a8: 0x80028800 a9: 0xD000C000
A quick example of how this is implemented in code:
8019044a c9 00 de c9 ld.h d0,[a0]-0x60e2
This takes the value of a0 (0xD0018000), subtracts 0x60e2 (=0xD0011F1E), and pulls the value of that memory address into d0. In the case of one common software version, that's:
/begin MEASUREMENT tia_cha_up
"Air Temperature upstream the Charger"
SWORD
_CNV_A_R_CHRG_LINEA_171_CM
1
100.
-48.
335.994140625
DISPLAY_IDENTIFIER TIA_CHA_UP
ECU_ADDRESS 0xd0011f1e
FORMAT "%7.3"
/begin IF_DATA ETK
KP_BLOB
0xd0011f1e
INTERN
2
RASTER 30
/end IF_DATA
/end MEASUREMENT
Table address lookup
Table lookup in the calibration isn't as straightforward. Occasionally you'll see reference in code to something like "0x8083DF8C". 0x8------- is the same as 0xA-------. So "0x8083DF8C" in the ASM is actually reference to 0xA083DF8C
