Reverse Engineering Information
Contents
Purpose of this section
Helpful links
https://www.infineon.com/dgdl/TriCore_EABI_v2_3.pdf?fileId=db3a304412b407950112b40f8d7a142b
Quick Reference
Memory address lookup
Registers a0, a1, a8, and a9 are used as offsets when the code needs to reference different memory locations. There's a table in the ECU that sets up those offsets at boot:
0000:808835CC movh.a a0, #0xD002 0000:808835D0 lea a0, [a0]-0x8000 0000:808835D4 movh.a a1, #0xA081 0000:808835D8 lea a1, [a1]-0x8000 0000:808835DC movh.a a8, #0x8005 0000:808835E0 lea a8, [a8]-0x7800 0000:808835E4 movh.a a9, #0xD001 0000:808835E8 lea a9, [a9]-0x4000
What that means, is that at any point in the code, these registers always have the following values:
a0: 0xD0018000 a1: 0xA0808000 a8: 0x80048800 a9: 0xD000C000
18.10:
a0: 0xD0018000 a1: 0x80828000 a8: 0x80028800 a9: 0xD000C000
A quick example of how this is implemented in code:
8019044a c9 00 de c9 ld.h d0,[a0]-0x60e2
This takes the value of a0 (0xD0018000), subtracts 0x60e2 (=0xD0011F1E), and pulls the value of that memory address into d0. In the case of one common software version, that's:
/begin MEASUREMENT tia_cha_up
"Air Temperature upstream the Charger"
SWORD
_CNV_A_R_CHRG_LINEA_171_CM
1
100.
-48.
335.994140625
DISPLAY_IDENTIFIER TIA_CHA_UP
ECU_ADDRESS 0xd0011f1e
FORMAT "%7.3"
/begin IF_DATA ETK
KP_BLOB
0xd0011f1e
INTERN
2
RASTER 30
/end IF_DATA
/end MEASUREMENT
Table address lookup
Table lookup in the calibration isn't as straightforward. Occasionally you'll see reference in code to something like "0x8083DF8C". 0x8------- is the same as 0xA-------. So "0x8083DF8C" in the ASM is actually reference to 0xA083DF8C
