Reverse Engineering Information

From Simos Wiki
Revision as of 02:06, 4 December 2020 by Joedubs (talk | contribs) (→‎Quick Reference)

Purpose of this section

Helpful links

https://www.infineon.com/dgdl/tc_v131_instructionset_v138.pdf?fileId=db3a304412b407950112b409b6dd0352

https://www.infineon.com/dgdl/Infineon-SAK-TC1796-256F150E%20BE-DS-v01_00-EN.pdf?fileId=5546d46249a28d750149a34e1f28045d

https://www.infineon.com/dgdl/TriCore_EABI_v2_3.pdf?fileId=db3a304412b407950112b40f8d7a142b

Quick Reference

Memory address lookup

Registers a0, a1, a8, and a9 hold fixed base addresses that the code offsets from when it needs to reference different memory locations. A short sequence in the ECU sets them up at boot:

0000:808835CC                movh.a         a0, #0xD002
0000:808835D0                lea            a0, [a0]-0x8000
0000:808835D4                movh.a         a1, #0xA081
0000:808835D8                lea            a1, [a1]-0x8000
0000:808835DC                movh.a         a8, #0x8005
0000:808835E0                lea            a8, [a8]-0x7800
0000:808835E4                movh.a         a9, #0xD001
0000:808835E8                lea            a9, [a9]-0x4000

This means that at any point in the code, these registers always have the following values:

a0:  0xD0018000
a1:  0xA0808000
a8:  0x80048800
a9:  0xD000C000

A quick example of how this is implemented in code:

8019044a c9 00 de c9     ld.h       d0,[a0]-0x60e2

This takes the value of a0 (0xD0018000), subtracts 0x60e2 to get 0xD0011F1E, and loads the halfword at that memory address into d0. In the A2L for one common software version, that address is:

      /begin MEASUREMENT tia_cha_up
         "Air Temperature upstream the Charger"
         SWORD
         _CNV_A_R_CHRG_LINEA_171_CM
         1
         100.
         -48.
         335.994140625
         DISPLAY_IDENTIFIER TIA_CHA_UP
         ECU_ADDRESS 0xd0011f1e
         FORMAT "%7.3"
         /begin IF_DATA ETK
            KP_BLOB
            0xd0011f1e
            INTERN
            2
            RASTER 30
         /end IF_DATA
      /end MEASUREMENT

Table address lookup

Table lookup in the calibration isn't as straightforward. Occasionally you'll see a reference in code to something like "0x8083DF8C". 0x8------- is the same as 0xA-------, so "0x8083DF8C" in the ASM is actually a reference to 0xA083DF8C.
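
Both lookups above can be scripted. The following is an added example, not code from the wiki or from any ECU tooling: it recomputes the four base registers from the boot listing, resolves a register-relative operand to an absolute address, matches it against an A2L MEASUREMENT block, and applies the 0x8 to 0xA rewrite. The function names and the trimmed A2L fragment are assumptions made for illustration.

```python
import re

# Boot-time setup from the listing above: (register, movh.a immediate, lea displacement)
BOOT_SETUP = [("a0", 0xD002, -0x8000), ("a1", 0xA081, -0x8000),
              ("a8", 0x8005, -0x7800), ("a9", 0xD001, -0x4000)]

# A2L fragment trimmed from the MEASUREMENT block quoted above
SAMPLE_A2L = """
/begin MEASUREMENT tia_cha_up
   "Air Temperature upstream the Charger"
   SWORD
   ECU_ADDRESS 0xd0011f1e
/end MEASUREMENT
"""

OPERAND = re.compile(r"\[(a\d+)\]\s*([+-])\s*0x([0-9a-fA-F]+)")

def global_bases(setup=BOOT_SETUP):
    """movh.a loads imm16 into the upper halfword; lea adds the signed displacement."""
    return {reg: ((hi << 16) + disp) & 0xFFFFFFFF for reg, hi, disp in setup}

def resolve_operand(text, bases):
    """Turn an operand such as '[a0]-0x60e2' into an absolute address."""
    m = OPERAND.search(text)
    if m is None or m.group(1) not in bases:
        raise ValueError(f"not a global-register-relative operand: {text!r}")
    disp = int(m.group(3), 16)
    return (bases[m.group(1)] + (-disp if m.group(2) == "-" else disp)) & 0xFFFFFFFF

def calibration_alias(addr):
    """Rewrite a 0x8------- address as the 0xA------- address the page says is the same."""
    return (addr & 0x0FFFFFFF) | 0xA0000000 if addr >> 28 == 0x8 else addr

def a2l_names_at(a2l_text, addr):
    """Names of MEASUREMENT blocks whose ECU_ADDRESS equals addr."""
    blocks = re.finditer(r"/begin MEASUREMENT\s+(\S+)(.*?)/end MEASUREMENT", a2l_text, re.S)
    hits = []
    for name, body in (b.groups() for b in blocks):
        ea = re.search(r"ECU_ADDRESS\s+(0x[0-9a-fA-F]+)", body)
        if ea and int(ea.group(1), 16) == addr:
            hits.append(name)
    return hits

if __name__ == "__main__":
    bases = global_bases()
    addr = resolve_operand("ld.h d0,[a0]-0x60e2", bases)
    print(hex(addr), a2l_names_at(SAMPLE_A2L, addr))
    print(hex(calibration_alias(0x8083DF8C)))
```

Operands that use a register other than a0, a1, a8, or a9 raise ValueError, since their base is not fixed at boot and cannot be resolved statically this way.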