Post by dino2gnt on Jan 30, 2022 16:53:34 GMT
I sent you a private message, did you read it? Yessir! I replied, did you get it?
Post by Piton on Jan 30, 2022 20:30:43 GMT
It turned out that in bootloader mode the stack is placed in the QSM module's buffer memory, which is 80 bytes in size.
Post by Piton on Jan 31, 2022 0:50:06 GMT
Bootstrap disassembly (IDA)
ROM:E0000 ;
ROM:E0000 ; Input MD5 : B427ED3EAFCBAFC41B487A036B3F2740
ROM:E0000 ; Input CRC32 : 7E22EBAF
ROM:E0000
ROM:E0000 ; File Name : D:\Jeep\WJ_JEEP\Ida\0xE0000.bin
ROM:E0000 ; Format : Binary file
ROM:E0000 ; Base Address: 0000h Range: E0000h - E2000h Loaded length: 00002000h
ROM:E0000
ROM:E0000 ; Processor : 6816 [MC68HC16Z]
ROM:E0000 ; Target assembler: CA6816
ROM:E0000
ROM:E0000 include "adc.s"
ROM:E0000 include "gpt.s"
ROM:E0000 include "sim.s"
ROM:E0000 include "stbram.s"
ROM:E0000 include "qsm.s"
ROM:E0000
ROM:E0000
ROM:E0000 ; ===========================================================================
ROM:E0000
ROM:E0000 ; Segment type: Pure code
ROM:E0000 ROM: section
ROM:E0000 ; assume EK = 0
ROM:E0000 ; assume XK = 0
ROM:E0000 ; assume YK = 0
ROM:E0000 ; assume ZK = 0
ROM:E0000 ; Four bytes at the very start of the ROM, left undecoded by IDA. Code
ROM:E0000 ; proper begins at Begin_BootStrap (E0004). The same 37h 80h .. 0C6h
ROM:E0000 ; pattern recurs at E01FE (with 0FEh as the third byte).
ROM:E0000 ; NOTE(review): 37h is the CPU16 page-3 opcode prefix and 37h 80h encodes
ROM:E0000 ; LBRA; if these bytes are an undecoded branch rather than data, decode
ROM:E0000 ; them in IDA and check where they land before relying on E0004 as entry.
ROM:E0000 dc.b 37h ; 7
ROM:E0001 dc.b 80h ; (80h)
ROM:E0002 dc.b 0
ROM:E0003 dc.b 0C6h ; (0C6h)
ROM:E0004
ROM:E0004 ; =============== S U B R O U T I N E =======================================
ROM:E0004
ROM:E0004
ROM:E0004 ; Begin_BootStrap — bootstrap entry (per IDA). Samples port E bit 4 and
ROM:E0004 ; selects Mode1 (SCI serial download, falls through to MAIN) when the pin
ROM:E0004 ; reads 1, or Mode2 (QSPI handshake / external EEPROM) when it reads 0.
ROM:E0004 ; Bank registers: EK = 0Fh so the absolute addresses below reach the
ROM:E0004 ; on-chip module block; XK = YK = 0. Does not return (ends in lbra MAIN).
ROM:E0004 Begin_BootStrap:
ROM:E0004 ldab #0Fh
ROM:E0006 tbek ; EK = 0Fh
ROM:E0008 ; assume EK = 0Fh
ROM:E0008 ldab PEPAR ; B = PEPAR, restored after the pin is sampled
ROM:E000C bclr DDRE, #10h ; port E bit 4 as input
ROM:E0010 bclr PEPAR, #10h ; port E bit 4 as discrete I/O while sampling
ROM:E0014 nop ; settle before reading the pin
ROM:E0016 nop
ROM:E0018 nop
ROM:E001A nop
ROM:E001C ldaa PORTE
ROM:E0020 stab PEPAR ; restore PEPAR
ROM:E0024 bita #10h ; Test pin Mode (port E bit 4)
ROM:E0026 lbeq Mode2 ; goto Mode2 when the pin reads 0
ROM:E0026 ;
ROM:E0026 ; Mode1
ROM:E002A clrb
ROM:E002C tbxk ; XK = 0
ROM:E002E tbyk ; YK = 0
ROM:E0030 ldd MCR
ROM:E0034 std MCR ; SIM MCR written back unchanged; intent not shown here
ROM:E0038 bset MRMCR, #8 ; set bit MRMCR ASPC Program access only
ROM:E003C clr PFPAR ; port F as discrete I/O
ROM:E0040 clrw CSORBT
ROM:E0044 ldaa #7Fh
ROM:E0046 staa SYNCR ; Set reg SYNCR
ROM:E0046 ; W=0
ROM:E0046 ; X=1 (Prescaler)
ROM:E0046 ; Y[5:0]=0x3F (Counter)
ROM:E004A
ROM:E004A Wait_EDIV: ; CODE XREF: Begin_BootStrap+52j
ROM:E004A ; Services the software watchdog (55h/0AAh to SWSR) while polling bit 3 of
ROM:E004A ; 0FA05h, the SYNCR low byte (SLOCK on the 68HC16 SIM) — i.e. waits for
ROM:E004A ; the PLL to lock. The label name says EDIV; the bit tested is SLOCK.
ROM:E004A ldaa #55h
ROM:E004C staa SWSR
ROM:E0050 ldaa #0AAh
ROM:E0052 staa SWSR ; Break WatchDog
ROM:E0056 brclr 0FA05h, #8, Wait_EDIV
ROM:E005C clrw RAMBAH
ROM:E0060 clrw RAMBAL
ROM:E0064 clr RAMMCR ; set RAM BASE 0x00000
ROM:E0068 ldd #1
ROM:E006C std SCCR0 ; Max Speed (baud divisor 1; re-derived from line timing in MAIN)
ROM:E0070 ldd #1101b ; Enable RX & TX, Send Break
ROM:E0074 std SCCR1
ROM:E0078 lbra MAIN ; continue at the shared SCI download loop
ROM:E0078 ; End of function Begin_BootStrap
ROM:E0078
ROM:E007C ; ---------------------------------------------------------------------------
ROM:E007C ; START OF FUNCTION CHUNK FOR Mode2
ROM:E007C
ROM:E007C ; MAIN — SCI download loop shared by Mode1 (from Begin_BootStrap) and
ROM:E007C ; Mode2 (after its QSPI handshake). IDA files it as a chunk of Mode2.
ROM:E007C ; Sequence: auto-baud from the interval between two received bytes,
ROM:E007C ; re-initialise the stack, send 06h, run the Seed challenge/response
ROM:E007C ; (which only returns on a correct key), then serve 'L' (load) and
ROM:E007C ; 'G' (go) commands. Every received byte is echoed back.
ROM:E007C MAIN: ; CODE XREF: Begin_BootStrap+74j
ROM:E007C ; Mode2+186j
ROM:E007C ldd #55AAh ; A/B = the two watchdog service bytes
ROM:E0080
ROM:E0080 wait_rx1: ; CODE XREF: Mode2-178j
ROM:E0080 staa SWSR
ROM:E0084 ldz TCNT ; Save to reg Z (timer at arrival of 1st byte)
ROM:E0088 stab SWSR ; Break WatchDog
ROM:E008C brclr 0FC0Dh, #40h, wait_rx1 ; Check flag RDRF (SCI Status Register)
ROM:E0092 ldaa 0FC0Fh ; get char (SCDR low byte; value itself is discarded)
ROM:E0096 bclr 0FC0Bh, #1 ; Stop SBK (Send Break )
ROM:E009A ldd #55AAh
ROM:E009E
ROM:E009E wait_rx2: ; CODE XREF: Mode2-15Aj
ROM:E009E staa SWSR
ROM:E00A2 lde TCNT ; Save to reg E (timer at arrival of 2nd byte)
ROM:E00A6 stab SWSR
ROM:E00AA brclr SCSR_L, #40h, wait_rx2 ;
ROM:E00AA ; Math speed: SCCR0 = (TCNT2 - TCNT1) / 64, rounded by the last shifted-out bit
ROM:E00B0 ldaa 0FC0Fh ; get char
ROM:E00B4 xgdz ; D = TCNT1
ROM:E00B6 sde ; E = TCNT2 - TCNT1
ROM:E00B8 lsre
ROM:E00BA lsre
ROM:E00BC lsre
ROM:E00BE lsre
ROM:E00C0 lsre
ROM:E00C2 lsre
ROM:E00C4 adce #0 ; add carry Flag
ROM:E00C8 ste SCCR0 ; Set Baud
ROM:E00CC ldab #0Fh
ROM:E00CE tbek
ROM:E00D0 tbsk ; SK = 0Fh
ROM:E00D2 clrb
ROM:E00D4 tbxk
ROM:E00D6 tbyk
ROM:E00D8 lds #0FD4Eh ; Reinit Stack (0FD4Eh in bank 0Fh; per the thread this is QSM buffer RAM)
ROM:E00DC bclr SPCR1, #80h ; SPE=0 Disable
ROM:E00E0 ldaa #6 ; out char 0x06
ROM:E00E2 lbsr Tx_Char
ROM:E00E6 jsr Seed ; Seed: blocks until the challenge/response succeeds
ROM:E00EA
ROM:E00EA Main_Loop: ; CODE XREF: Mode2-CEj
ROM:E00EA ; Mode2-AAj
ROM:E00EA ; Command bytes: 4Ch 'L' = load, 47h 'G' = run; anything else -> Error.
ROM:E00EA lbsr Rx_Char
ROM:E00EE cmpa #4Ch ; Cmd_Load ?
ROM:E00F0 lbne Case_0x47 ; no,check cmd run
ROM:E00F0 ; else
ROM:E00F0 ; load size & data
ROM:E00F0 ; 'L' <start_hi> <start_lo> <end_hi> <end_lo> <data...>
ROM:E00F0 ; Only the high bytes pass through Check_Size; nothing checks end >= start.
ROM:E00F4 lbsr Tx_Char
ROM:E00F8 bsr Rx_Char
ROM:E00FA lbsr Check_Size ; Check max (high byte of start)
ROM:E00FE bcs Error
ROM:E0100 lbsr Tx_Char
ROM:E0104 tab
ROM:E0106 bsr Rx_Char
ROM:E0108 bsr Tx_Char
ROM:E010A xgab
ROM:E010C xgdx ; X = start address (bank XK = 0)
ROM:E010E bsr Rx_Char
ROM:E0110 bsr Check_Size ; Check max (high byte of end)
ROM:E0112 bcs Error
ROM:E0114 bsr Tx_Char
ROM:E0116 tab
ROM:E0118 bsr Rx_Char
ROM:E011A bsr Tx_Char
ROM:E011C xgab
ROM:E011E xgdy ; Y = end address (inclusive)
ROM:E0120
ROM:E0120 Loop_Rx: ; CODE XREF: Mode2-D0j
ROM:E0120 ; Store one byte at [X], echo the value read back from memory, X++,
ROM:E0120 ; repeat while (Y - X) >= 0.
ROM:E0120 bsr Rx_Char
ROM:E0122 staa 0, X
ROM:E0124 ldaa 0, X ; echo what was actually written, not what was received
ROM:E0126 bsr Tx_Char
ROM:E0128 aix #1
ROM:E012A txz
ROM:E012C xgdz ; D = X
ROM:E012E tyz
ROM:E0130 xgez ; E = Y
ROM:E0132 sde ; E = Y - X
ROM:E0134 bpl Loop_Rx
ROM:E0136 lbra Main_Loop
ROM:E013A ; ---------------------------------------------------------------------------
ROM:E013A
ROM:E013A Case_0x47: ; CODE XREF: Mode2-114j
ROM:E013A ; 'G' <addr_hi> <addr_lo>: high byte through Check_Size, then jmp to X.
ROM:E013A cmpa #47h ; Cmd_RUN
ROM:E013C bne Error
ROM:E013E bsr Tx_Char
ROM:E0140 bsr Rx_Char
ROM:E0142 bsr Check_Size
ROM:E0144 bcs Error
ROM:E0146 bsr Tx_Char
ROM:E0148 tab
ROM:E014A bsr Rx_Char
ROM:E014C bsr Tx_Char
ROM:E014E xgab
ROM:E0150 xgdx ; X = target address
ROM:E0152 jmp 0, X ; transfer control; no return path into this loop
ROM:E0156 ; ---------------------------------------------------------------------------
ROM:E0156
ROM:E0156 Error: ; CODE XREF: Mode2-106j
ROM:E0156 ; Mode2-F2j ...
ROM:E0156 ; Replies with the one's complement of the offending byte and resumes.
ROM:E0156 coma
ROM:E0158 bsr Tx_Char
ROM:E015A lbra Main_Loop
ROM:E015A ; END OF FUNCTION CHUNK FOR Mode2
ROM:E015E
ROM:E015E ; =============== S U B R O U T I N E =======================================
ROM:E015E
ROM:E015E
ROM:E015E ; Rx_Char — blocking receive of one SCI byte.
ROM:E015E ; Out:   A = received byte (SCDR low byte at 0FC0Fh).
ROM:E015E ; Services the software watchdog on every poll of RDRF (bit 6 of the
ROM:E015E ; SCSR low byte), so it waits indefinitely. Clobbers: A, CCR.
ROM:E015E Rx_Char: ; CODE XREF: Mode2:Main_Loopp
ROM:E015E ; Mode2-10Cp ...
ROM:E015E ldaa #55h
ROM:E0160 staa SWSR
ROM:E0164 ldaa #0AAh
ROM:E0166 staa SWSR
ROM:E016A brclr SCSR_L, #40h, Rx_Char ; Check flag RDRF
ROM:E0170 ldaa 0FC0Fh
ROM:E0174 rts
ROM:E0174 ; End of function Rx_Char
ROM:E0174
ROM:E0176
ROM:E0176 ; =============== S U B R O U T I N E =======================================
ROM:E0176
ROM:E0176
ROM:E0176 ; Tx_Char — blocking transmit of one SCI byte.
ROM:E0176 ; In:    A = byte to send (written to SCDR low byte at 0FC0Fh).
ROM:E0176 ; Spins on bit 0 of SCSR (high byte; TDRE) without servicing the
ROM:E0176 ; watchdog. Clobbers: CCR only.
ROM:E0176 Tx_Char: ; CODE XREF: Mode2-122p
ROM:E0176 ; Mode2-110p ...
ROM:E0176 brclr SCSR, #1, Tx_Char
ROM:E017C staa 0FC0Fh
ROM:E0180 rts
ROM:E0180 ; End of function Tx_Char
ROM:E0180
ROM:E0182
ROM:E0182 ; =============== S U B R O U T I N E =======================================
ROM:E0182
ROM:E0182
ROM:E0182 ; Check_Size — range-check an address high byte before it is used as a
ROM:E0182 ; download or run address in MAIN.
ROM:E0182 ; In:    A = address high byte.
ROM:E0182 ; Out:   C = 0 accepted, C = 1 rejected.
ROM:E0182 ; Accepts A <= 07h unconditionally; additionally accepts A <= 0Fh unless
ROM:E0182 ; the byte at 0FA02h (SIM register block) reads 83h. Clobbers: B, CCR.
ROM:E0182 Check_Size: ; CODE XREF: Mode2-10Ap
ROM:E0182 ; Mode2-F4p ...
ROM:E0182 cmpa #7
ROM:E0184 bls Check_Ok ; unsigned A <= 7
ROM:E0186 ldab 0FA02h
ROM:E018A cmpb #83h
ROM:E018C beq Check_Err
ROM:E018E cmpa #0Fh
ROM:E0190 bls Check_Ok ; unsigned A <= 0Fh
ROM:E0192
ROM:E0192 Check_Err: ; CODE XREF: Check_Size+Aj
ROM:E0192 orp #100h ; set C
ROM:E0196 bra break
ROM:E0198 ; ---------------------------------------------------------------------------
ROM:E0198
ROM:E0198 Check_Ok: ; CODE XREF: Check_Size+2j
ROM:E0198 ; Check_Size+Ej
ROM:E0198 andp #0FEFFh ; clear C
ROM:E019C
ROM:E019C break: ; CODE XREF: Check_Size+14j
ROM:E019C rts
ROM:E019C ; End of function Check_Size
ROM:E019C
ROM:E019C ; ---------------------------------------------------------------------------
ROM:E019E ; Unused gap between Check_Size and Mode2: 0FFh filler from E019E, then the
ROM:E019E ; bytes 37h 80h 0FEh 0C6h at E01FE..E0203 — the same pattern as at E0000
ROM:E019E ; except for the third byte. NOTE(review): 37h 80h is the CPU16 LBRA
ROM:E019E ; encoding; confirm in IDA whether this is data or an undecoded branch.
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
ROM:E019E dc.b 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 37h
ROM:E019E dc.b 80h, 0FEh, 0C6h
ROM:E0204
ROM:E0204 ; =============== S U B R O U T I N E =======================================
ROM:E0204
ROM:E0204 ; Attributes: noreturn
ROM:E0204
ROM:E0204 ; Mode2 — entered from Begin_BootStrap when port E bit 4 reads 0.
ROM:E0204 ; Samples PORTF bit 6:
ROM:E0204 ;   set   -> Goto_Ext_EEPROM: program CS10 and jmp 10000h ("Mode3").
ROM:E0204 ;   clear -> QSPI handshake: two QSPI transfers (command bytes 1Eh then
ROM:E0204 ;            1Dh), each followed by a check that the byte at 0FD01h
ROM:E0204 ;            (QSM receive RAM) equals 71h (8Fh + B must wrap to 0);
ROM:E0204 ;            any mismatch restarts Mode2 from the top. On success the
ROM:E0204 ;            SCI is enabled and control continues at MAIN (chunk at E007C).
ROM:E0204 ; Never returns (IDA: noreturn). Makes no subroutine calls, so the stack
ROM:E0204 ; is untouched until MAIN re-initialises it.
ROM:E0204 Mode2: ; CODE XREF: Begin_BootStrap+22j
ROM:E0204 ; Mode2+E8j ...
ROM:E0204
ROM:E0204 ; FUNCTION CHUNK AT ROM:E007C SIZE 000000E2 BYTES
ROM:E0204
ROM:E0204 ldab #0Fh
ROM:E0206 tbek ; EK = 0Fh
ROM:E0208 clrb
ROM:E020A tbxk ; XK = 0
ROM:E020C tbyk ; YK = 0
ROM:E020E clr PFPAR ; port F as discrete I/O
ROM:E0212 ldab PORTF
ROM:E0216 bitb #40h ; Test pin MODE (port F bit 6)
ROM:E0218 lbne Goto_Ext_EEPROM ; goto Mode3
ROM:E0218 ;
ROM:E0218 ; else
ROM:E0218 ;
ROM:E0218 ; SPI mode
ROM:E021C ldd MCR
ROM:E0220 std MCR ; SIM MCR written back unchanged (mirrors Begin_BootStrap)
ROM:E0224 bset 0F820h, #8 ; same bit as "bset MRMCR, #8" in Mode1, address given numerically
ROM:E0228 clrw CSORBT
ROM:E022C ldaa #7Fh
ROM:E022E staa SYNCR ; same SYNCR setting as Mode1
ROM:E0232 ldd PACTL
ROM:E0236 ord #4000h
ROM:E023A std PACTL ; PACTL |= 4000h (pulse accumulator control)
ROM:E023E
ROM:E023E lp1: ; CODE XREF: Mode2+46j
ROM:E023E ; Watchdog service + wait for bit 3 of the SYNCR low byte (PLL lock), as in Wait_EDIV.
ROM:E023E ldaa #55h
ROM:E0240 staa SWSR
ROM:E0244 ldaa #0AAh
ROM:E0246 staa SWSR
ROM:E024A brclr 0FA05h, #8, lp1
ROM:E0250 clrw RAMBAH
ROM:E0254 clrw RAMBAL
ROM:E0258 clr RAMMCR ; RAM base = 0x00000
ROM:E025C clr SPCR3
ROM:E0260 ldd #8108h
ROM:E0264 std SPCR0 ; QSPI control 0
ROM:E0268 ldd #404h
ROM:E026C std SPCR1 ; QSPI control 1, SPE still clear
ROM:E0270 ldaa #7Ch
ROM:E0272 staa QPDR ; QSPI port data
ROM:E0276 ldaa #7Eh
ROM:E0278 staa QDDR ; QSPI port direction
ROM:E027C ldaa #7Fh
ROM:E027E staa QPAR ; QSPI pin assignment
ROM:E0282
ROM:E0282 loc_E0282: ; CODE XREF: Mode2+82j
ROM:E0282 ; Wait until the pulse accumulator has counted something (PACNT != 0).
ROM:E0282 ldaa PACNT
ROM:E0286 beq loc_E0282
ROM:E0288 ldaa #55h
ROM:E028A staa SWSR
ROM:E028E ldaa #0AAh
ROM:E0290 staa SWSR
ROM:E0294 ldab #8Fh
ROM:E0296 clra
ROM:E0298 std TRAN_RAM ; transmit word 008Fh
ROM:E029C clre
ROM:E029E ste SPCR2 ; SPCR2 = 0
ROM:E02A2 ldaa #1Eh
ROM:E02A4 staa COMD_RAM ; command byte 1Eh for the first transfer
ROM:E02A8 lde #8404h
ROM:E02AC ste SPCR1 ; SPCR1 = 8404h: SPE set -> start transfer
ROM:E02B0
ROM:E02B0 loc_E02B0: ; CODE XREF: Mode2+B0j
ROM:E02B0 ; Wait for SPSR bit 7 (bpl loops while it is clear), then clear SPSR.
ROM:E02B0 ldaa SPSR
ROM:E02B4 bpl loc_E02B0
ROM:E02B6 clra
ROM:E02B8 staa SPSR
ROM:E02BC
ROM:E02BC loc_E02BC: ; CODE XREF: Mode2+BEj
ROM:E02BC ; Wait for port F bit 5 to go low.
ROM:E02BC ldaa PORTF
ROM:E02C0 bita #20h
ROM:E02C2 bne loc_E02BC
ROM:E02C4 clrw TRAN_RAM ; transmit word 0000h
ROM:E02C8 ste SPCR1 ; E still 8404h -> second transfer
ROM:E02CC
ROM:E02CC loc_E02CC: ; CODE XREF: Mode2+CCj
ROM:E02CC ldaa SPSR
ROM:E02D0 bpl loc_E02CC
ROM:E02D2 clra
ROM:E02D4 staa SPSR
ROM:E02D8
ROM:E02D8 loc_E02D8: ; CODE XREF: Mode2+DAj
ROM:E02D8 ldaa PORTF
ROM:E02DC bita #20h
ROM:E02DE bne loc_E02D8
ROM:E02E0 clr PACNT
ROM:E02E4 ldab 0FD01h ; received byte (QSM receive RAM)
ROM:E02E8 ldaa #8Fh
ROM:E02EA aba ; A = 8Fh + B; zero only when B == 71h
ROM:E02EC lbne Mode2 ; mismatch -> restart the whole sequence
ROM:E02F0 ldaa #55h
ROM:E02F2 staa SWSR
ROM:E02F6 ldaa #0AAh
ROM:E02F8 staa SWSR
ROM:E02FC ldab #8Fh
ROM:E02FE clra
ROM:E0300 std TRAN_RAM ; second exchange, identical except for the command byte
ROM:E0304 clre
ROM:E0306 ste SPCR2
ROM:E030A ldaa #1Dh
ROM:E030C staa COMD_RAM ; command byte 1Dh
ROM:E0310 lde #8404h
ROM:E0314 ste SPCR1
ROM:E0318
ROM:E0318 loc_E0318: ; CODE XREF: Mode2+118j
ROM:E0318 ldaa SPSR
ROM:E031C bpl loc_E0318
ROM:E031E clra
ROM:E0320 staa SPSR
ROM:E0324
ROM:E0324 loc_E0324: ; CODE XREF: Mode2+126j
ROM:E0324 ldaa PORTF
ROM:E0328 bita #20h
ROM:E032A bne loc_E0324
ROM:E032C clrw TRAN_RAM
ROM:E0330 ste SPCR1
ROM:E0334
ROM:E0334 loc_E0334: ; CODE XREF: Mode2+134j
ROM:E0334 ldaa SPSR
ROM:E0338 bpl loc_E0334
ROM:E033A clra
ROM:E033C staa SPSR
ROM:E0340
ROM:E0340 loc_E0340: ; CODE XREF: Mode2+142j
ROM:E0340 ldaa PORTF
ROM:E0344 bita #20h
ROM:E0346 bne loc_E0340
ROM:E0348 ldab 0FD01h
ROM:E034C ldaa #8Fh
ROM:E034E aba ; again: received byte must be 71h
ROM:E0350 lbne Mode2 ; Loop Mode2
ROM:E0354 ldd #1
ROM:E0358 std SCCR0 ; SCI baud divisor 1, as in Mode1
ROM:E035C ldd #0Dh
ROM:E0360 std SCCR1 ; 1101b: same TE/RE/SBK setting as Mode1
ROM:E0364
ROM:E0364 loc_E0364: ; CODE XREF: Mode2+172j
ROM:E0364 ; Watchdog service + wait for port F bit 6 to go high.
ROM:E0364 ldaa #55h
ROM:E0366 staa SWSR
ROM:E036A ldaa #0AAh
ROM:E036C staa SWSR
ROM:E0370 ldab PORTF
ROM:E0374 bitb #40h
ROM:E0376 beq loc_E0364
ROM:E0378 ldd #75h
ROM:E037C
ROM:E037C delay: ; CODE XREF: Mode2+17Cj
ROM:E037C ; 75h-iteration busy delay.
ROM:E037C subd #1
ROM:E0380 bne delay
ROM:E0382 ldd SCSR ; status then data read, results discarded
ROM:E0386 ldd SCDR ; (presumably to clear pending receiver flags — confirm)
ROM:E038A lbra MAIN
ROM:E038E ; ---------------------------------------------------------------------------
ROM:E038E
ROM:E038E Goto_Ext_EEPROM: ; CODE XREF: Mode2+14j
ROM:E038E ; CSOR10 = 6870h, CSBAR10 = 0005h (base 0, block-size code 5), then jump to
ROM:E038E ; 10000h in the external device. No return.
ROM:E038E ldd #6870h ; Start external EEPROM
ROM:E0392 std CSOR10
ROM:E0396 ldd #5
ROM:E039A std CSBAR10
ROM:E039E jmp 10000h
ROM:E039E ; End of function Mode2
ROM:E039E
ROM:E039E ; ---------------------------------------------------------------------------
ROM:E03A2 ; ASCII text "Copyright 1994 Unique Systems Design, Inc." (no terminator
ROM:E03A2 ; shown; not referenced by any code in this listing).
ROM:E03A2 dc.b 43h ; C
ROM:E03A3 dc.b 6Fh ; o
ROM:E03A4 dc.b 70h ; p
ROM:E03A5 dc.b 79h ; y
ROM:E03A6 dc.b 72h ; r
ROM:E03A7 dc.b 69h ; i
ROM:E03A8 dc.b 67h ; g
ROM:E03A9 dc.b 68h ; h
ROM:E03AA dc.b 74h ; t
ROM:E03AB dc.b 20h
ROM:E03AC dc.b 31h ; 1
ROM:E03AD dc.b 39h ; 9
ROM:E03AE dc.b 39h ; 9
ROM:E03AF dc.b 34h ; 4
ROM:E03B0 dc.b 20h
ROM:E03B1 dc.b 55h ; U
ROM:E03B2 dc.b 6Eh ; n
ROM:E03B3 dc.b 69h ; i
ROM:E03B4 dc.b 71h ; q
ROM:E03B5 dc.b 75h ; u
ROM:E03B6 dc.b 65h ; e
ROM:E03B7 dc.b 20h
ROM:E03B8 dc.b 53h ; S
ROM:E03B9 dc.b 79h ; y
ROM:E03BA dc.b 73h ; s
ROM:E03BB dc.b 74h ; t
ROM:E03BC dc.b 65h ; e
ROM:E03BD dc.b 6Dh ; m
ROM:E03BE dc.b 73h ; s
ROM:E03BF dc.b 20h
ROM:E03C0 dc.b 44h ; D
ROM:E03C1 dc.b 65h ; e
ROM:E03C2 dc.b 73h ; s
ROM:E03C3 dc.b 69h ; i
ROM:E03C4 dc.b 67h ; g
ROM:E03C5 dc.b 6Eh ; n
ROM:E03C6 dc.b 2Ch ; ,
ROM:E03C7 dc.b 20h
ROM:E03C8 dc.b 49h ; I
ROM:E03C9 dc.b 6Eh ; n
ROM:E03CA dc.b 63h ; c
ROM:E03CB dc.b 2Eh ; .
ROM:E03CC
ROM:E03CC ; =============== S U B R O U T I N E =======================================
ROM:E03CC
ROM:E03CC
ROM:E03CC ; Seed — security gate run once from MAIN before any load/run command.
ROM:E03CC ; Request frames are read by sub_E049C (E = command word, D = data word,
ROM:E03CC ; C set = frame rejected). Protocol:
ROM:E03CC ;   27C1h              -> send a fresh seed (sub_E041E) and wait for the next frame
ROM:E03CC ;   27C2h after a seed -> sub_E0592 compares D with the expected key;
ROM:E03CC ;                         match -> acknowledge (sub_E0434) and return;
ROM:E03CC ;                         mismatch -> error 35h (sub_E0440), back to waiting
ROM:E03CC ;   27C2h, no seed yet -> error 0C0h (sub_E0440)
ROM:E03CC ; The only path to rts is via loc_E0406 after a matching key, so the caller
ROM:E03CC ; is blocked here until then. Saves/restores X, Y and the K registers;
ROM:E03CC ; leaves EK = YK = 0Fh.
ROM:E03CC Seed: ; CODE XREF: Mode2-11Ep
ROM:E03CC pshm X, Y, K
ROM:E03CE ldab #0Fh
ROM:E03D0 tbek
ROM:E03D2 tbyk
ROM:E03D4 ; assume YK = 0Fh
ROM:E03D4
ROM:E03D4 loop: ; CODE XREF: Seed+Cj
ROM:E03D4 ; Seed+18j ...
ROM:E03D4 jsr sub_E049C ; get request
ROM:E03D8 bcs loop ; rejected frame: ignore
ROM:E03DA cpe #27C1h ; "get seed" ?
ROM:E03DE beq loc_E03EE
ROM:E03E0 cpe #27C2h ; "key" without an outstanding seed ?
ROM:E03E4 bne loop
ROM:E03E6 ldaa #0C0h
ROM:E03E8 jsr sub_E0440 ; error 0C0h
ROM:E03EC bra loop
ROM:E03EE ; ---------------------------------------------------------------------------
ROM:E03EE
ROM:E03EE loc_E03EE: ; CODE XREF: Seed+12j
ROM:E03EE ; Seed+36j
ROM:E03EE jsr sub_E041E ; Out Seed
ROM:E03F2 jsr sub_E049C ; get the response frame
ROM:E03F6 bcs loop ; rejected frame: start over (seed must be requested again)
ROM:E03F8 cpe #27C2h
ROM:E03FC beq loc_E0406
ROM:E03FE cpe #27C1h
ROM:E0402 beq loc_E03EE ; another "get seed": issue a new seed
ROM:E0404 bra loop
ROM:E0406 ; ---------------------------------------------------------------------------
ROM:E0406
ROM:E0406 loc_E0406: ; CODE XREF: Seed+30j
ROM:E0406 jsr sub_E0592 ; D = received key; C set on mismatch
ROM:E040A bcs loc_E0412
ROM:E040C jsr sub_E0434 ; acknowledge
ROM:E0410 bra loc_E041A
ROM:E0412 ; ---------------------------------------------------------------------------
ROM:E0412
ROM:E0412 loc_E0412: ; CODE XREF: Seed+3Ej
ROM:E0412 ldaa #35h
ROM:E0414 jsr sub_E0440 ; error 35h
ROM:E0418 bra loop
ROM:E041A ; ---------------------------------------------------------------------------
ROM:E041A
ROM:E041A loc_E041A: ; CODE XREF: Seed+44j
ROM:E041A pulm K, Y, X
ROM:E041C rts
ROM:E041C ; End of function Seed
ROM:E041C
ROM:E041E
ROM:E041E ; =============== S U B R O U T I N E =======================================
ROM:E041E
ROM:E041E
ROM:E041E ; sub_E041E — send the seed. Samples TCNT (retrying while it reads 0),
ROM:E041E ; stores it at 0FD03h for sub_E0592 to check against later, and sends the
ROM:E041E ; 7-byte frame 26 D0 67 C1 <seed_hi> <seed_lo> <cs> via sub_E044E.
ROM:E041E ; Clobbers: B, E, Y (plus whatever sub_E044E clobbers).
ROM:E041E sub_E041E: ; CODE XREF: Seed:loc_E03EEp
ROM:E041E ; sub_E041E+4j
ROM:E041E ldy TCNT
ROM:E0422 beq sub_E041E ; never use a zero seed
ROM:E0424 sty 0FD03h ; remember the seed
ROM:E0428 lde #67C1h ; command word
ROM:E042C ldab #7 ; frame length incl. checksum
ROM:E042E jsr sub_E044E
ROM:E0432 rts
ROM:E0432 ; End of function sub_E041E
ROM:E0432
ROM:E0434
ROM:E0434 ; =============== S U B R O U T I N E =======================================
ROM:E0434
ROM:E0434
ROM:E0434 ; sub_E0434 — send the "unlocked" acknowledgement: the 5-byte frame
ROM:E0434 ; 26 D0 67 C2 <cs> via sub_E044E (Y is whatever the caller left in it,
ROM:E0434 ; but with length 5 it is not transmitted). Clobbers: B, E.
ROM:E0434 sub_E0434: ; CODE XREF: Seed+40p
ROM:E0434 lde #67C2h
ROM:E0438 ldab #5
ROM:E043A jsr sub_E044E
ROM:E043E rts
ROM:E043E ; End of function sub_E0434
ROM:E043E
ROM:E0440
ROM:E0440 ; =============== S U B R O U T I N E =======================================
ROM:E0440
ROM:E0440
ROM:E0440 ; sub_E0440 — send an error frame.
ROM:E0440 ; In:    A = error code (0C0h or 35h from Seed).
ROM:E0440 ; xgdy moves D into Y so A becomes the high byte of the data word; with
ROM:E0440 ; length 6 the frame is 26 D0 7F 27 <A> <cs>. Clobbers: B, D, E, Y.
ROM:E0440 sub_E0440: ; CODE XREF: Seed+1Cp
ROM:E0440 ; Seed+48p
ROM:E0440 xgdy ; rE->rY
ROM:E0442 lde #7F27h
ROM:E0446 ldab #6 ; Size
ROM:E0448 jsr sub_E044E
ROM:E044C rts
ROM:E044C ; End of function sub_E0440
ROM:E044C
ROM:E044E
ROM:E044E ; =============== S U B R O U T I N E =======================================
ROM:E044E
ROM:E044E
ROM:E044E ; sub_E044E — build a response frame in the scratch buffer at 0FD08h and
ROM:E044E ; transmit it with Out_buf.
ROM:E044E ; In:    B = total frame length incl. checksum (callers use 5, 6, 7),
ROM:E044E ;        E = command word, Y = data word.
ROM:E044E ; Buffer: 0FD08h 26h D0h | 0FD0Ah E | 0FD0Ch Y | checksum at 0FD08h + B - 1.
ROM:E044E ; The checksum is Math_CS over the first B-1 bytes; Math_CS leaves Y
ROM:E044E ; pointing at the slot right after them, which is where it is stored.
ROM:E044E ; Clobbers: A, B, D, Y.
ROM:E044E sub_E044E: ; CODE XREF: sub_E041E+10p
ROM:E044E ; sub_E0434+6p ...
ROM:E044E stab 0FD07h ; length
ROM:E0452 ste 0FD0Ah ; command word
ROM:E0456 sty 0FD0Ch ; data word
ROM:E045A ldd #26D0h
ROM:E045E std 0FD08h ;
ROM:E045E ; Math CS
ROM:E0462 ldy #0FD08h ; Pointer
ROM:E0466 ldab 0FD07h ; Size
ROM:E046A decb ; sum length-1 bytes
ROM:E046C jsr Math_CS
ROM:E0470 stab 0, Y ; Save CS
ROM:E0472 ldy #0FD08h ; Pnt
ROM:E0476 ldab 0FD07h ; Size
ROM:E047A jsr Out_buf ; rB Size
ROM:E047A ; rY Pointer
ROM:E047E rts
ROM:E047E ; End of function sub_E044E
ROM:E047E
ROM:E0480
ROM:E0480 ; =============== S U B R O U T I N E =======================================
ROM:E0480
ROM:E0480 ; rB Size
ROM:E0480 ; rY Pointer
ROM:E0480
ROM:E0480 ; Out_buf — transmit B bytes from [Y] with a timed pause between bytes.
ROM:E0480 ; In:    B = byte count (>= 1), Y = pointer.
ROM:E0480 ; After every byte but the last, arms the OC2 delay (sub_E0518 with
ROM:E0480 ; A = 16h) and spins on sub_E053C until it reports C set, then sends the
ROM:E0480 ; next byte. Clobbers: A, B, Y.
ROM:E0480 Out_buf: ; CODE XREF: sub_E044E+2Cp
ROM:E0480 ; Out_buf+18j
ROM:E0480 ldaa 0, Y
ROM:E0482 jsr Tx_Char
ROM:E0486 decb
ROM:E0488 beq exit ; last byte sent
ROM:E048A aiy #1
ROM:E048C ldaa #16h ; delay code for sub_E0518
ROM:E048E jsr sub_E0518
ROM:E0492
ROM:E0492 loc_E0492: ; CODE XREF: Out_buf+16j
ROM:E0492 jsr sub_E053C
ROM:E0496 bcc loc_E0492 ; C clear = delay still running
ROM:E0498 bra Out_buf ; rB Size
ROM:E0498 ; rY Pointer
ROM:E049A ; ---------------------------------------------------------------------------
ROM:E049A
ROM:E049A exit: ; CODE XREF: Out_buf+8j
ROM:E049A rts
ROM:E049A ; End of function Out_buf
ROM:E049A
ROM:E049C
ROM:E049C ; =============== S U B R O U T I N E =======================================
ROM:E049C
ROM:E049C
ROM:E049C ; sub_E049C — receive and validate one request frame (sub_E04B0) and
ROM:E049C ; unpack it for Seed.
ROM:E049C ; Out:   C = 1 if the frame was rejected (E/D undefined);
ROM:E049C ;        C = 0 with E = frame bytes 2-3 (command word, from 0FD14h) and
ROM:E049C ;        D = frame bytes 4-5 (data word, from 0FD16h).
ROM:E049C sub_E049C: ; CODE XREF: Seed:loopp
ROM:E049C ; Seed+26p
ROM:E049C jsr sub_E04B0
ROM:E04A0 bcs exit
ROM:E04A2 lde 0FD14h
ROM:E04A6 ldd 0FD16h
ROM:E04AA andp #0FEFFh ; clear C
ROM:E04AE
ROM:E04AE exit: ; CODE XREF: sub_E049C+4j
ROM:E04AE rts
ROM:E04AE ; End of function sub_E049C
ROM:E04AE
ROM:E04B0
ROM:E04B0 ; =============== S U B R O U T I N E =======================================
ROM:E04B0
ROM:E04B0
ROM:E04B0 ; sub_E04B0 — read one frame into 0FD12h.. (sub_E04DC) and validate it.
ROM:E04B0 ; Stores the byte count at 0FD10h. Rejects (C set) when: the reader
ROM:E04B0 ; overflowed, the count is < 5, the last byte differs from Math_CS over the
ROM:E04B0 ; preceding bytes, or the first two bytes are not 24 D0. On success C is
ROM:E04B0 ; clear (left by the equal cpd). Clobbers: B, D, E, Y.
ROM:E04B0 sub_E04B0: ; CODE XREF: sub_E049Cp
ROM:E04B0 jsr sub_E04DC ; Read 8 byte
ROM:E04B4 ste 0FD10h ; byte count
ROM:E04B8 bcs locret_E04DA ; reader error: C already set
ROM:E04BA cpe #5
ROM:E04BE bcs loc_E04D6 ; fewer than 5 bytes
ROM:E04C0 xgde ; B = count (Y still = 0FD12h)
ROM:E04C2 decb ; checksum covers count-1 bytes
ROM:E04C4 jsr Math_CS
ROM:E04C8 cmpb 0, Y ; Y now points at the received checksum byte
ROM:E04CA bne loc_E04D6
ROM:E04CC ldd 0FD12h
ROM:E04D0 cpd #24D0h ; header check
ROM:E04D4 beq locret_E04DA ; equal -> C clear
ROM:E04D6
ROM:E04D6 loc_E04D6: ; CODE XREF: sub_E04B0+Ej
ROM:E04D6 ; sub_E04B0+1Aj
ROM:E04D6 orp #100h ; set C
ROM:E04DA
ROM:E04DA locret_E04DA: ; CODE XREF: sub_E04B0+8j
ROM:E04DA ; sub_E04B0+24j
ROM:E04DA rts
ROM:E04DA ; End of function sub_E04B0
ROM:E04DA
ROM:E04DC
ROM:E04DC ; =============== S U B R O U T I N E =======================================
ROM:E04DC
ROM:E04DC
ROM:E04DC ; sub_E04DC — receive one frame into 0FD12h.., using an inter-byte
ROM:E04DC ; timeout as the frame delimiter.
ROM:E04DC ; The first byte is awaited with Rx_Char, i.e. without any time limit.
ROM:E04DC ; For each further byte the OC2 delay is re-armed (sub_E0518, A = 16h)
ROM:E04DC ; and RDRF (bit 6 of 0FC0Dh) is polled until a byte arrives or sub_E053C
ROM:E04DC ; reports expiry (C set), which ends the frame normally.
ROM:E04DC ; Out:   E = byte count; C = 0 on a timeout-delimited frame,
ROM:E04DC ;        C = 1 if a 9th byte arrives (8-byte buffer limit). Clobbers: A, Y.
ROM:E04DC sub_E04DC: ; CODE XREF: sub_E04B0p
ROM:E04DC ldy #0FD12h
ROM:E04E0 lde #0
ROM:E04E4 jsr Rx_Char ; blocks indefinitely for the first byte
ROM:E04E8 staa E, Y
ROM:E04EA adde #1
ROM:E04EC
ROM:E04EC repeat: ; CODE XREF: sub_E04DC+28j
ROM:E04EC ldaa #16h
ROM:E04EE jsr sub_E0518 ; arm inter-byte timeout
ROM:E04F2
ROM:E04F2 loc_E04F2: ; CODE XREF: sub_E04DC+34j
ROM:E04F2 brclr 0FC0Dh, #40h, loc_E050C ; no byte yet -> check the timer
ROM:E04F8 ldaa 0FC0Fh
ROM:E04FC staa E, Y
ROM:E04FE adde #1
ROM:E0500 cpe #8
ROM:E0504 bls repeat ; up to 8 bytes stored
ROM:E0506 orp #100h ; overflow: set C
ROM:E050A bra break
ROM:E050C ; ---------------------------------------------------------------------------
ROM:E050C
ROM:E050C loc_E050C: ; CODE XREF: sub_E04DC:loc_E04F2j
ROM:E050C jsr sub_E053C
ROM:E0510 bcc loc_E04F2 ; still within the inter-byte window
ROM:E0512 andp #0FEFFh ; window expired: frame complete, clear C
ROM:E0516
ROM:E0516 break: ; CODE XREF: sub_E04DC+2Eh
ROM:E0516 rts
ROM:E0516 ; End of function sub_E04DC
ROM:E0516
ROM:E0518
ROM:E0518 ; =============== S U B R O U T I N E =======================================
ROM:E0518
ROM:E0518
ROM:E0518 ; sub_E0518 — arm the OC2 output-compare delay used by Out_buf and sub_E04DC.
ROM:E0518 ; In:    A = delay code. A >> 4 is stored at REC_RAM as a repeat count for
ROM:E0518 ;        sub_E053C; (A & 0Fh) << 12 + TCNT is stored at 0FD01h and loaded
ROM:E0518 ;        into TOC2 by sub_E0574. With A = 16h: count 1, first match after
ROM:E0518 ;        6000h timer ticks.
ROM:E0518 ; Preserves D (pshm/pulm). Clobbers: CCR.
ROM:E0518 sub_E0518: ; CODE XREF: Out_buf+Ep
ROM:E0518 ; sub_E04DC+12p
ROM:E0518 pshm D
ROM:E051A clrb ; D = A:00
ROM:E051C lsrd
ROM:E051E lsrd
ROM:E0520 lsrd
ROM:E0522 lsrd ; A = code >> 4, B = (code & 0Fh) << 4
ROM:E0524 staa REC_RAM ; repeat count
ROM:E0528 tba
ROM:E052A clrb ; D = (code & 0Fh) << 12
ROM:E052C addd TCNT
ROM:E0530 std 0FD01h ; compare value, reused by sub_E053C
ROM:E0534 jsr sub_E0574
ROM:E0538 pulm D
ROM:E053A rts
ROM:E053A ; End of function sub_E0518
ROM:E053A
ROM:E053C
ROM:E053C ; =============== S U B R O U T I N E =======================================
ROM:E053C
ROM:E053C
ROM:E053C ; sub_E053C — poll the OC2 delay armed by sub_E0518. Services the
ROM:E053C ; watchdog on every call, then:
ROM:E053C ;   OC2F (TFLG1 bit 4) clear        -> C = 0 (still waiting)
ROM:E053C ;   OC2F set and REC_RAM == 0       -> C = 1 (delay expired)
ROM:E053C ;   OC2F set and REC_RAM > 0        -> REC_RAM--, TOC2 reloaded with the
ROM:E053C ;      same value from 0FD01h (so the next match is one full timer period
ROM:E053C ;      later), C = 0
ROM:E053C ; Preserves D across the reload. Clobbers: A, CCR.
ROM:E053C sub_E053C: ; CODE XREF: Out_buf:loc_E0492p
ROM:E053C ; sub_E04DC:loc_E050Cp
ROM:E053C ldaa #55h
ROM:E053E staa SWSR
ROM:E0542 ldaa #0AAh
ROM:E0544 staa SWSR
ROM:E0548 ldaa TFLG1
ROM:E054C anda #10h ; OC2F
ROM:E054E beq loc_E0568
ROM:E0550 ldaa REC_RAM
ROM:E0554 beq loc_E056E ; Set C
ROM:E0556 deca
ROM:E0558 staa REC_RAM
ROM:E055C pshm D
ROM:E055E ldd 0FD01h
ROM:E0562 jsr sub_E0574 ; re-arm with the saved compare value
ROM:E0566 pulm D
ROM:E0568
ROM:E0568 loc_E0568: ; CODE XREF: sub_E053C+12j
ROM:E0568 andp #0FEFFh ; clear C
ROM:E056C bra locret_E0572
ROM:E056E ; ---------------------------------------------------------------------------
ROM:E056E
ROM:E056E loc_E056E: ; CODE XREF: sub_E053C+18j
ROM:E056E orp #100h ; Set C
ROM:E0572
ROM:E0572 locret_E0572: ; CODE XREF: sub_E053C+30j
ROM:E0572 rts
ROM:E0572 ; End of function sub_E053C
ROM:E0572
ROM:E0574
ROM:E0574 ; =============== S U B R O U T I N E =======================================
ROM:E0574
ROM:E0574
ROM:E0574 ; sub_E0574 — load TOC2 with D and acknowledge OC2F by writing TFLG1
ROM:E0574 ; back with bit 4 cleared (GPT flags clear on a zero write). Clobbers: A, CCR.
ROM:E0574 sub_E0574: ; CODE XREF: sub_E0518+1Cp
ROM:E0574 ; sub_E053C+26p
ROM:E0574 std TOC2
ROM:E0578 ldaa TFLG1
ROM:E057C anda #0EFh ; clear OC2F only
ROM:E057E staa TFLG1
ROM:E0582 rts
ROM:E0582 ; End of function sub_E0574
ROM:E0582
ROM:E0584
ROM:E0584 ; =============== S U B R O U T I N E =======================================
ROM:E0584
ROM:E0584
ROM:E0584 ; Math_CS — 8-bit additive checksum.
ROM:E0584 ; In:    B = byte count (must be >= 1; B = 0 wraps through 256 iterations),
ROM:E0584 ;        Y = pointer.
ROM:E0584 ; Out:   B = sum mod 256; Y advanced past the summed bytes (callers rely
ROM:E0584 ;        on Y then pointing at the checksum slot). Clobbers: A, CCR.
ROM:E0584 Math_CS: ; CODE XREF: sub_E044E+1Ep
ROM:E0584 ; sub_E04B0+14p
ROM:E0584 clra
ROM:E0586
ROM:E0586 lpcs: ; CODE XREF: Math_CS+8j
ROM:E0586 adda 0, Y
ROM:E0588 aiy #1
ROM:E058A decb
ROM:E058C bne lpcs
ROM:E058E tab
ROM:E0590 rts
ROM:E0590 ; End of function Math_CS
ROM:E0590
ROM:E0592
ROM:E0592 ; =============== S U B R O U T I N E =======================================
ROM:E0592
ROM:E0592
ROM:E0592 ; sub_E0592 — verify a received key against the stored seed.
ROM:E0592 ; In:    D = received key (saved at 0FD05h); seed = word at 0FD03h
ROM:E0592 ;        (TCNT sample stored by sub_E041E).
ROM:E0592 ; expected = ror16(((seed + 247Ch) | 5), n) | 247Ch with n = low nibble of
ROM:E0592 ; (seed + 247Ch) | 5. Each step clears C before rord and, when the bit
ROM:E0592 ; that fell out was 1, ORs 8000h back in — a plain 16-bit rotate right.
ROM:E0592 ; Out:   C = 0 if expected == key, C = 1 otherwise. Clobbers: D, E, CCR.
ROM:E0592 sub_E0592: ; CODE XREF: Seed:loc_E0406p
ROM:E0592 std 0FD05h ; received key
ROM:E0596 ldd 0FD03h ; seed
ROM:E059A addd #247Ch
ROM:E059E ord #5
ROM:E05A2 tde
ROM:E05A4 ande #0Fh ; E = rotate count
ROM:E05A8
ROM:E05A8 loc_E05A8: ; CODE XREF: sub_E0592+26j
ROM:E05A8 ; sub_E0592+2Cj
ROM:E05A8 cpe #0
ROM:E05AC beq loc_E05C0
ROM:E05AE sube #1
ROM:E05B2 andp #0FEFFh ; C = 0 so rord brings a 0 into bit 15
ROM:E05B6 rord
ROM:E05B8 bcc loc_E05A8
ROM:E05BA ord #8000h ; bit that fell out was 1: put it at bit 15
ROM:E05BE bra loc_E05A8
ROM:E05C0 ; ---------------------------------------------------------------------------
ROM:E05C0
ROM:E05C0 loc_E05C0: ; CODE XREF: sub_E0592+1Aj
ROM:E05C0 ord #247Ch
ROM:E05C4 cpd 0FD05h
ROM:E05C8 beq locret_E05CE ; match: C clear from the equal compare
ROM:E05CA orp #100h ; mismatch: set C
ROM:E05CE
ROM:E05CE locret_E05CE: ; CODE XREF: sub_E0592+36j
ROM:E05CE rts
ROM:E05CE ; End of function sub_E0592
ROM:E05CE
ROM:E05CE ; ---------------------------------------------------------------------------
ROM:E05D0 ; 48 bytes of 0FFh filler between sub_E0592 and Stop (E05D0..E05FF).
ROM:E05D0 dc.b 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh
ROM:E05D0 dc.b 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh
ROM:E05D0 dc.b 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh
ROM:E0600
ROM:E0600 ; =============== S U B R O U T I N E =======================================
ROM:E0600
ROM:E0600
ROM:E0600 ; Stop — halt loop (branches to itself forever). The only reference IDA
ROM:E0600 ; found is its own branch.
ROM:E0600 Stop: ; CODE XREF: Stopj
ROM:E0600 bra Stop
ROM:E0600 ; End of function Stop
ROM:E0600
Attachments:0xE0000.i64 (160.35 KB)
Post by admin on Jan 31, 2022 12:58:34 GMT
Great work dino2gnt and Piton ! sub_E0592 contains the seed algorithm which encodes the saved timer counter value. It's similar to the algorithm used in normal mode but twisted here and there. In short: - a constant value (0x247C) is added to the saved timer counter value, - the result is ORed with 5, - the rotate count is derived from the lower 4 bits of that result, - the bits are rotated right once per loop iteration, - finally the same constant value (0x247C) is ORed with the last result. During the loop the carry bit in the CCR register is always cleared before the rotate, and if it would have been set, it is ORed back in at the top of the word. The 3 examples in the re-programming thread can be reproduced with the above method. I added a security seed calculator to the CCD/SCI scanner GUI. public const ushort PCMUnlockKeyBootloader = 0x247C;
[...]
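/// <summary>
/// Solves the bootstrap-mode seed typed into the seed text box and prints the
/// 7-byte key frame. Expected input: 7 hex bytes 24 D0 27 C1 seed_hi seed_lo cs,
/// where cs is the 8-bit sum of the first six bytes (same checksum rule as the ROM).
/// </summary>
private void BootloaderModeSeedSolveButton_Click(object sender, EventArgs e)
{
    byte[] bytes = Util.HexStringToByte(BootloaderModeSeedMessageTextBox.Text);

    // The fixed-offset reads below need at least 7 bytes; guard against short input.
    if (bytes == null || bytes.Length < 7)
    {
        BootloaderModeSeedSolutionTextBox.Text = "invalid length";
        return;
    }

    byte checksum = (byte)(bytes[0] + bytes[1] + bytes[2] + bytes[3] + bytes[4] + bytes[5]);
    if (checksum == bytes[6]) // checksum ok
    {
        ushort seed = (ushort)((bytes[4] << 8) | bytes[5]);
        // Mirrors sub_E0592 in the bootstrap ROM: add the constant, OR 5,
        // rotate right by the low nibble, OR the constant again.
        ushort buff = (ushort)((seed + PCMUnlockKeyBootloader) | 5);
        byte rotatecount = (byte)(buff & 0x0F);
        buff = RotateRightBits(buff, rotatecount);
        ushort solution = (ushort)(buff | PCMUnlockKeyBootloader);
        byte solutionHB = (byte)(solution >> 8);
        byte solutionLB = (byte)(solution);
        // Reply frame header is 24 D0 27 C2; its checksum covers header + key.
        byte solutionChecksum = (byte)(0x24 + 0xD0 + 0x27 + 0xC2 + solutionHB + solutionLB);
        byte[] solutionArray = { 0x24, 0xD0, 0x27, 0xC2, solutionHB, solutionLB, solutionChecksum };
        BootloaderModeSeedSolutionTextBox.Text = Util.ByteToHexString(solutionArray, 0, solutionArray.Length);
    }
    else // checksum error
    {
        BootloaderModeSeedSolutionTextBox.Text = "checksum error";
    }
}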
/// <summary>
/// Rotates a 16-bit value right by n bit positions (intended for n in 0..15;
/// n = 0 returns the input unchanged).
/// </summary>
private ushort RotateRightBits(ushort input, ushort n)
{
    int width = sizeof(ushort) * 8;
    int shiftedDown = input >> n;
    int wrappedUp = input << (width - n);
    return (ushort)(shiftedDown | wrappedUp);
}
Edit: renaming bootloader to bootstrap...
Post by Piton on Jan 31, 2022 15:20:56 GMT
Great work dino2gnt and Piton ! I added a security seed calculator to the CCD/SCI scanner GUI. This is good, but has no practical meaning (only to test the algorithm). The reception waiting time is very short. It is better to store the code directly in the scanner. My code.
/* Math_Seed: reference implementation of the bootstrap seed -> key step
 * (sub_E0592 in the ROM listing above).
 * input:   the 16-bit seed word sent by the bootstrap (a TCNT sample).
 * returns: the key word the bootstrap expects back.
 * The loop is a plain 16-bit rotate right by (seed & 0xF) positions. */
uint16_t Math_Seed(uint16_t input) {
    uint16_t seed = (input+0x247c) | 5;
    int i= seed & 0xF;                         /* rotate count from the low nibble */
    while(i--)
        if(seed & 1) seed=(seed>>1) | 0x8000;  /* bit that falls out re-enters at bit 15 */
        else seed>>=1;
    return (seed | 0x247c);
}
Post by dino2gnt on Jan 31, 2022 15:27:37 GMT
The reception waiting time is very short. How long is the time window to respond to the challenge? What happens when the time window expires? My understanding of HC16 assembly is still not good, but I am learning.
Post by admin on Jan 31, 2022 15:32:41 GMT
This is good, but has no practical meaning (only to test the algorithm). The reception waiting time is very short. It is better to store the code directly in the scanner. My code. uint16_t Math_Seed(uint16_t input) { uint16_t seed = (input+0x247c) | 5; int i= seed & 0xF; while(i--) if(seed & 1) seed=(seed>>1) | 0x8000; else seed>>=1; return (seed | 0x247c); } Agreed. It's just for giggles. How short a waiting time are we talking about? On a different subject, do you know where the flash checksum is stored and how it is calculated? I don't know if there's more to it than just summing all the bytes. We have tried patching the SCI ID 26 READ ROM command in the flash file to read the full 256kB instead of 128kB by changing a single FE value to FC. We re-calculated the checksum, which the DRB3 accepted before re-programming. The patched function then worked flawlessly, but a checksum DTC was set.
Post by Piton on Jan 31, 2022 15:58:07 GMT
The reception waiting time is very short. How long is the time window to respond to the challenge? What happens when the time window expires? My understanding of HC16 assembly is still not good, but I am learning. The timeout condition is met at ROM:E03F6 bcs Loop_Unloc. Don't rush, I'll tell you; I haven't counted the time window yet.
ROM:E03CC ; Unloc_ECU — the security gate called from MAIN (E00E6) before any
ROM:E03CC ; load/run command is accepted. GetRequst returns E = command word,
ROM:E03CC ; D = data word, or C set when the frame was rejected.
ROM:E03CC ;   27C1h              -> Out_Seed, then wait for the next frame
ROM:E03CC ;   27C2h after a seed -> Check_Seed on D; pass -> Out_Ok and return,
ROM:E03CC ;                         fail -> Out_Error 35h, back to Loop_Unloc
ROM:E03CC ;   27C2h, no seed yet -> Out_Error 0C0h
ROM:E03CC ; `return` is reachable only through Check, so the caller blocks here
ROM:E03CC ; until a correct key arrives. Saves/restores X, Y, K; EK = YK = 0Fh.
ROM:E03CC Unloc_ECU: ; CODE XREF: ROM:E00E6p
ROM:E03CC pshm X, Y, K
ROM:E03CE ldab #0Fh
ROM:E03D0 tbek
ROM:E03D2 tbyk
ROM:E03D4 ; assume YK = 0Fh
ROM:E03D4
ROM:E03D4 Loop_Unloc: ; CODE XREF: Unloc_ECU+Cj
ROM:E03D4 ; Unloc_ECU+18j ...
ROM:E03D4 jsr GetRequst
ROM:E03D8 bcs Loop_Unloc ; rejected frame: ignore
ROM:E03DA cpe #27C1h ; Cmd Get Seed ?
ROM:E03DE beq Get_Seed
ROM:E03E0 cpe #27C2h ; key offered before any seed ?
ROM:E03E4 bne Loop_Unloc
ROM:E03E6 ldaa #0C0h
ROM:E03E8 jsr Out_Error
ROM:E03EC bra Loop_Unloc
ROM:E03EE ; ---------------------------------------------------------------------------
ROM:E03EE
ROM:E03EE Get_Seed: ; CODE XREF: Unloc_ECU+12j
ROM:E03EE ; Unloc_ECU+36j
ROM:E03EE jsr Out_Seed ; Out Seed
ROM:E03F2 jsr GetRequst
ROM:E03F6 bcs Loop_Unloc ; Time Out (C set = frame rejected by GetRequst; the
ROM:E03F6 ; first byte of a frame is awaited without limit if GetRequst is the
ROM:E03F6 ; same routine as sub_E049C at this address — confirm)
ROM:E03F8 cpe #27C2h
ROM:E03FC beq Check
ROM:E03FE cpe #27C1h
ROM:E0402 beq Get_Seed ; another request: issue a new seed
ROM:E0404 bra Loop_Unloc
ROM:E0406 ; ---------------------------------------------------------------------------
ROM:E0406
ROM:E0406 Check: ; CODE XREF: Unloc_ECU+30j
ROM:E0406 jsr Check_Seed ; D = received key; C set on mismatch
ROM:E040A bcs Error_Seed
ROM:E040C jsr Out_Ok
ROM:E0410 bra return
ROM:E0412 ; ---------------------------------------------------------------------------
ROM:E0412
ROM:E0412 Error_Seed: ; CODE XREF: Unloc_ECU+3Ej
ROM:E0412 ldaa #35h
ROM:E0414 jsr Out_Error
ROM:E0418 bra Loop_Unloc
ROM:E041A ; ---------------------------------------------------------------------------
ROM:E041A
ROM:E041A return: ; CODE XREF: Unloc_ECU+44j
ROM:E041A pulm K, Y, X
ROM:E041C rts
ROM:E041C ; End of function Unloc_ECU
ROM:E041C
ROM:E041E
Post by Piton on Jan 31, 2022 16:41:29 GMT
I know. First, the checksum is present in the part number (). for example 56044563AI, where 63 is the checksum. [56][04][45][63][41][69] This is a general rule at Chrysler. By code ROM:1490C MATH_CS_ROM: ; CODE XREF: sub_3B280:TEST_CS_ROMp
ROM:1490C ; MATH_CS_ROM (label on the preceding line) — sums every byte of the
ROM:1490C ; flash image, 256 bytes per watchdog service, and compares the 8-bit
ROM:1490C ; result with byte 3 of the part-number record. Pages 0..2 are summed
ROM:1490C ; in full, page 3 up to END_ROM. Sets or clears the CS_ROM error bit at
ROM:1490C ; 0B02h,Z accordingly; aborts without verdict if the port F bit tested
ROM:1490C ; at 7A19h,Z is set. Clobbers: A, B, E, X, Y, XK, YK.
ROM:1490C clrd ; A = running checksum, B = 0
ROM:1490E tbxk
ROM:14910 ; assume XK = 0
ROM:14910 ldx #0 ; Start Addr = 0x00000
ROM:14914
ROM:14914 NextArray: ; CODE XREF: MATH_CS_ROM+4Aj
ROM:14914 ; MATH_CS_ROM+52j
ROM:14914 lde #10h ; 16 groups of 16 bytes per pass
ROM:14918
ROM:14918 cs_256_byte: ; CODE XREF: MATH_CS_ROM+32j
ROM:14918 adda 0, X
ROM:1491A adda 1, X
ROM:1491C adda 2, X
ROM:1491E adda 3, X
ROM:14920 adda 4, X
ROM:14922 adda 5, X
ROM:14924 adda 6, X
ROM:14926 adda 7, X
ROM:14928 adda 8, X
ROM:1492A adda 9, X
ROM:1492C adda 0Ah, X
ROM:1492E adda 0Bh, X
ROM:14930 adda 0Ch, X
ROM:14932 adda 0Dh, X
ROM:14934 adda 0Eh, X
ROM:14936 adda 0Fh, X ; Size Array 16 byte
ROM:14938 aix #10h ; Next Pointer + Size Array (carries into XK at 64K boundaries)
ROM:1493A sube #1
ROM:1493E bne cs_256_byte ; Repeat math cs array 16*16 => 256 byte
ROM:1493E ; ;
ROM:14940 ldab #55h ; clear WD
ROM:14942 stab SWSR, Z
ROM:14946 ldab #0AAh
ROM:14948 stab SWSR, Z ;
ROM:14948 ; ;
ROM:1494C brset 7A19h, Z, #4, _break ; Break if check Port F Data Register 0 (PORTF0)
ROM:14952 txkb ; B = current page (XK)
ROM:14954 cmpb #3 ; Check Page_N (page Size = 0x10000 byte)
ROM:14956 bcs NextArray ; Page < 3
ROM:14958 bhi _CheckCS ; Page > 3
ROM:1495A cpx #END_ROM ; Check remainder page 3 (END Rom addr = 0x3bb90)
ROM:1495E bcs NextArray
ROM:14960
ROM:14960 _CheckCS: ; CODE XREF: MATH_CS_ROM+4Cj
ROM:14960 ldab Page_0
ROM:14964 tbyk ; CS constant to Page ROM
ROM:14966 ; assume YK = 0
ROM:14966 ldy pPartNumber ; Set pointer YI to PN
ROM:1496A cmpa 3, Y ; compare Index=3 (4th byte of the part-number record)
ROM:1496C beq NotErrorCS
ROM:1496E bset 0B02h, Z, #40h ; >>>>>>>>>>>>>>> SET ERROR CS_ROM
ROM:14972 bra _break
ROM:14974 ; ---------------------------------------------------------------------------
ROM:14974
ROM:14974 NotErrorCS: ; CODE XREF: MATH_CS_ROM+60j
ROM:14974 bset 0B02h, Z, #20h ; >>>>>>>>>>>>>> Clear ERROR CS_ROM
ROM:14978
ROM:14978 _break: ; CODE XREF: MATH_CS_ROM+40j
ROM:14978 ; MATH_CS_ROM+66j
ROM:14978 rts
ROM:14978 ; End of function MATH_CS_ROM Highlight, double pointer ROM:14960 _CheckCS: ; CODE XREF: MATH_CS_ROM+4Cj ROM:14960 ldab Page_0 ROM:14964 tbyk ; CS constant to Page ROM ROM:14966 ; assume YK = 0 ROM:14966 ldy pPartNumber ; Set pointer YI to PN ROM:1496A cmpa 3, Y ; compare Index=3 ROM:1496C beq NotErrorCS
Post by Piton on Jan 31, 2022 17:11:23 GMT
Man, you are legend, thank you! Will investigate. You better add spoilers for the forum. You have to enter it manually.
Post by admin on Jan 31, 2022 20:07:40 GMT
You better add spoilers for the forum. You have to enter it manually. Added a spoiler plugin. The new button pops up a window to enter plain text. Best I can do right now.
Post by admin on Feb 1, 2022 8:46:23 GMT
Is there a standard practice to re-calculate the part number so that the checksum byte adds up to the right amount, or you have to cycle through different variations until it is just right?
Post by Piton on Feb 1, 2022 12:39:37 GMT
Out of the 256 KB, one byte is used for checksum correction. Moreover, the checksum byte cannot be greater than 99.
Post by admin on Feb 1, 2022 12:49:11 GMT
Thanks for the pointers! There was 1 mystery byte near the part number changing between almost identical flash files. So that's for correction.