Post by dino2gnt on Jan 30, 2022 3:27:41 GMT
Sorry. I keep confusing myself trying to wrap my head around 20 bit addressing for the CPU16 vs 24 bit addressing for the bus.
Post by dino2gnt on Jan 30, 2022 5:29:09 GMT
I think I figured it out. When requesting a memory read of a register address, the ECU will respond with the content of the register, but nothing else. So for example if I request a dump starting at 0xFF820 going until 0xFFFFF, I get the 32 bytes of the control register, but nothing past that, and I have to reset the ECU to get the BDM going again. This is probably a quirk of the BDM I am using.
Post by dino2gnt on Jan 30, 2022 6:00:17 GMT
Piton
Junior Member
Posts: 94
Post by Piton on Jan 30, 2022 11:58:53 GMT
Great job! Looks like the bootloader is present at 0xFE0000 or 0x7E0000. Please try to read this area separately.
Konstantin.
Post by Piton on Jan 30, 2022 13:58:00 GMT
Hi dino2gnt !
It turns out the following:
Location ROM Base address 0xFE0000
Initial ZK = 0x0, SK = 0xF, PK = 0xE
Initial PC = 0x0004 => 0xE0004 (PK=0xE)
Initial SP = 0xFD4E => 0xFFD4E (SK=0xF)
Initial IZ = 0x0000 => 0x00000 (ZK=0x0)
It is necessary to read the ROM area when +20 V is applied.
Konstantin.
Post by dino2gnt on Jan 30, 2022 15:31:27 GMT
> Great job! Looks like the bootloader is present at 0xFE0000 or 0x7E0000. Please try to read this area separately.
> Konstantin.

I got the same result. To make sure I understand:
ROMBAH = 00FE
ROMBAL = 0000
In the high word, we only care about the first 8 bits, thus: 11111110
In the low word, it's all zeros, thus: 0000000000000000
Giving us a 24-bit address 111111100000000000000000 or 0xFE0000, which should map to a 20-bit address in CPU-space of .. something? 0xE0000? 0xFE000?
Post by dino2gnt on Jan 30, 2022 15:35:09 GMT
> Hi dino2gnt !
> It turns out the following:
> Location ROM Base address 0xFE0000
> Initial ZK = 0x0, SK = 0xF, PK = 0xE
> Initial PC = 0x0004 => 0xE0004 (PK=0xE)
> Initial SP = 0xFD4E => 0xFFD4E (SK=0xF)
> Initial IZ = 0x0000 => 0x00000 (ZK=0x0)

These are the ROM bootstrap words at $FF830 to $FF836, correct?
Post by Piton on Jan 30, 2022 15:42:33 GMT
> > Hi dino2gnt !
> > It turns out the following:
> > Location ROM Base address 0xFE0000
> > Initial ZK = 0x0, SK = 0xF, PK = 0xE
> > Initial PC = 0x0004 => 0xE0004 (PK=0xE)
> > Initial SP = 0xFD4E => 0xFFD4E (SK=0xF)
> > Initial IZ = 0x0000 => 0x00000 (ZK=0x0)
>
> These are the ROM bootstrap words at $FF830 to $FF836, correct?

Yes, you think right.
Post by Piton on Jan 30, 2022 15:44:40 GMT
> > Great job! Looks like the bootloader is present at 0xFE0000 or 0x7E0000. Please try to read this area separately.
> > Konstantin.
>
> I got the same result. To make sure I understand:
> ROMBAH = 00FE
> ROMBAL = 0000
> In the high word, we only care about the first 8 bits, thus: 11111110
> In the low word, it's all zeros, thus: 0000000000000000
> Giving us a 24-bit address 111111100000000000000000 or 0xFE0000, which should map to a 20-bit address in CPU-space of .. something? 0xE0000? 0xFE000?

0xE0000, when +20 V is applied.
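A worked version of the address arithmetic in this exchange (ROMBAH/ROMBAL to a 24-bit base and its 20-bit CPU16 view, plus the decoding of the $FF830 bootstrap words into PC/SP/IZ from Konstantin's post), as an added Python example that is not code from the thread or from either poster. It assumes the layouts named in the comments: ROMBAH[7:0] carries ADDR[23:16] and ROMBAL carries ADDR[15:0]; bootstrap word 0 packs ZK/SK/PK into bits 11:0 in the CPU16 reset-vector format; and the bus drives ADDR[23:20] to follow ADDR19, which is what makes the 20-bit 0xE0000 appear as 0xFE0000 on the 24-bit bus. The 8-byte dump is constructed to match the values quoted above, not read from a real ECU.

```python
# Added example (not from the thread): decode the MC68HC16Z3 MRM base-address
# registers and ROM bootstrap words, and reconcile 20-bit CPU16 addresses with
# 24-bit bus addresses. Register/word layouts are assumptions stated below.

CPU_ADDR_MASK = 0xFFFFF      # CPU16 forms 20-bit addresses (16-bit register + 4-bit K extension)
BUS_ADDR_MASK = 0xFFFFFF     # the external bus carries 24 address bits
ROM_SIZE = 8 * 1024          # 8-Kbyte ROM bootstrap, as stated in the thread


def rom_base(rombah, rombal):
    """Return (bus_addr_24bit, cpu_addr_20bit) from the MRM base-address registers.

    Assumption: ROMBAH[7:0] holds ADDR[23:16] and ROMBAL holds ADDR[15:0], which is
    how the thread's example (ROMBAH = 0x00FE, ROMBAL = 0x0000) is put together.
    """
    bus = ((rombah & 0xFF) << 16) | (rombal & 0xFFFF)
    return bus, bus & CPU_ADDR_MASK


def bus_address(cpu_addr):
    """Expand a 20-bit CPU16 address to the 24-bit address seen on the bus.

    Assumption: ADDR[23:20] follow ADDR19, so a CPU address with bit 19 set
    (0xE0000) appears on the bus as 0xFE0000, and one with bit 19 clear
    appears unchanged.
    """
    cpu_addr &= CPU_ADDR_MASK
    return cpu_addr | 0xF00000 if cpu_addr & (1 << 19) else cpu_addr


def bus_address_is_consistent(bus_addr):
    """True if a 24-bit bus address obeys the ADDR19 replication rule above.

    0xFE0000 passes; 0x7E0000 does not, because bits 23:20 (0x7) disagree with bit 19 (1).
    """
    bus_addr &= BUS_ADDR_MASK
    return bus_address(bus_addr & CPU_ADDR_MASK) == bus_addr


def parse_bootstrap_words(dump):
    """Split 8 big-endian bytes (a read of $FF830..$FF837) into four 16-bit words."""
    if len(dump) < 8:
        raise ValueError("need 8 bytes of bootstrap words")
    return [int.from_bytes(dump[i:i + 2], "big") for i in range(0, 8, 2)]


def decode_bootstrap_words(words):
    """Build the initial 20-bit PC, SP and IZ from the four ROM bootstrap words.

    Assumed layout (CPU16 reset-vector format): word 0 carries ZK in bits 11:8,
    SK in bits 7:4 and PK in bits 3:0; words 1..3 are the 16-bit PC, SP and IZ,
    each extended with its K nibble to form the 20-bit address.
    """
    w0, pc16, sp16, iz16 = words
    zk, sk, pk = (w0 >> 8) & 0xF, (w0 >> 4) & 0xF, w0 & 0xF
    return {
        "ZK": zk, "SK": sk, "PK": pk,
        "PC": (pk << 16) | (pc16 & 0xFFFF),
        "SP": (sk << 16) | (sp16 & 0xFFFF),
        "IZ": (zk << 16) | (iz16 & 0xFFFF),
    }


def pc_in_rom(pc, cpu_base, size=ROM_SIZE):
    """Sanity check: the reset PC should land inside the mapped ROM window."""
    return cpu_base <= pc < cpu_base + size


# Constructed sample: the 8 bytes at $FF830 that would encode the values quoted in
# the thread (ZK=0, SK=F, PK=E, PC=0x0004, SP=0xFD4E, IZ=0x0000) under the assumed layout.
SAMPLE_BOOTSTRAP = bytes([0x00, 0xFE, 0x00, 0x04, 0xFD, 0x4E, 0x00, 0x00])


if __name__ == "__main__":
    bus, cpu = rom_base(0x00FE, 0x0000)
    print(f"ROM base: bus 0x{bus:06X} -> CPU 0x{cpu:05X}")
    for a in (0xFE0000, 0x7E0000):
        print(f"0x{a:06X} consistent with ADDR19 rule: {bus_address_is_consistent(a)}")
    regs = decode_bootstrap_words(parse_bootstrap_words(SAMPLE_BOOTSTRAP))
    print("PC=0x{PC:05X} SP=0x{SP:05X} IZ=0x{IZ:05X}".format(**regs))
    print("PC inside ROM window:", pc_in_rom(regs["PC"], cpu))
```

The `bus_address_is_consistent` check is the useful part when two candidate bases are on the table: under the ADDR19 rule only 0xFE0000 can be the bus image of CPU address 0xE0000, while 0x7E0000 cannot be reached from any 20-bit CPU address, so it is not a separate place to look.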
Post by dino2gnt on Jan 30, 2022 15:46:24 GMT
I was already chasing it down.
Here's something fun and interesting.
Attachment: 0xE0000.bin (126.75 KB)
Post by Piton on Jan 30, 2022 16:11:22 GMT
Will Chrysler lawyers come to us? The ECU is based on the MC68HC16Z3 chip, with an 8-Kbyte ROM bootstrap. It looks like the bootloader is in the MASKED ROM MODULE.

> MASKED ROM MODULE
> The masked ROM module (MRM) is only available with the MC68HC16Z2 and the MC68HC16Z3. The MRM can be configured to support system bootstrap during reset.
Post by dino2gnt on Jan 30, 2022 16:17:50 GMT
Post by Piton on Jan 30, 2022 16:25:30 GMT
The weekend was not in vain. Thank you very much.
Post by dino2gnt on Jan 30, 2022 16:33:13 GMT
> The weekend was not in vain. Thank you very much.

Thank you for looking at it; your disassembly tools are better and your disassembly experience is far greater than mine. I'm mostly using a hex editor and a copy of DDS XTOOLS, and I have no idea how to annotate the disassembled code or separate code and data while using it.
I only ask that we continue to share knowledge and collaborate, hopefully towards a goal of understanding the reflash procedure and eventually making these ECUs trivially re-flashable.
Post by Piton on Jan 30, 2022 16:52:04 GMT
> > The weekend was not in vain. Thank you very much.
>
> Thank you for looking at it; your disassembly tools are better and your disassembly experience is far greater than mine. I'm mostly using a hex editor and a copy of DDS XTOOLS, and I have no idea how to annotate the disassembled code or separate code and data while using it.
> I only ask that we continue to share knowledge and collaborate, hopefully towards a goal of understanding the reflash procedure and eventually making these ECUs trivially re-flashable.

Promise. For me, this is not a business, but a hobby. I sent you a private message; did you read it?