Post by admin on Feb 19, 2022 18:08:23 GMT
Thank you Piton, it's much appreciated! Sorry for padding the binary file's beginning, I don't know how to set ROM offset in IDA properly. I tried this but it doesn't work:
Post by dino2gnt on Feb 19, 2022 18:20:23 GMT
> My small contribution with my comments [Attachment Deleted] [Attachment Deleted]

This is super helpful, I've been working on the 04_PgmSGS function, this clarifies some addressing for me!
Post by admin on Feb 19, 2022 18:35:37 GMT
> This is super helpful, I've been working on the 04_PgmSGS function, this clarifies some addressing for me!

Have you checked the padded folder? I had that worker function reversed already.
Post by dino2gnt on Feb 19, 2022 18:41:46 GMT
> This is super helpful, I've been working on the 04_PgmSGS function, this clarifies some addressing for me! Have you checked the padded folder? I had that worker function reversed already.

I learn by doing. I understand them better when I walk through the disassembly myself, I have actually been _avoiding_ looking at your disassembly.
Post by admin on Feb 19, 2022 18:44:36 GMT
My apologies, have at it!
Piton
Junior Member
Posts: 94
Post by Piton on Feb 19, 2022 19:14:16 GMT
> My small contribution with my comments [Attachment Deleted] [Attachment Deleted]

> This is super helpful, I've been working on the 04_PgmSGS function, this clarifies some addressing for me!

My comments:

ROM:0200 ; Flash programmer function
ROM:0200
ROM:0200 LdPGmSGS:
ROM:0200 ldab #0 ; load B with value
ROM:0202 tbyk ; YK = B = 0
ROM:0204 ldy #680h ; load Y with value
ROM:0204 ; this is where the flash block is first saved
ROM:0208
ROM:0208 main_loop: ; CODE XREF: LdPGmSGS+56j
ROM:0208 jsr READ_DATA ; read block data to write
ROM:020C bcs break ; branch to exit if error read block data
ROM:020E ldd #50h ; cmd Clear Status
ROM:0212 std E, X ; Set CMD
ROM:0214
ROM:0214 WriteFlash: ; CODE XREF: LdPGmSGS+54j
ROM:0214 ldd E, Y ; Check data to write
ROM:0216 cpd #0FFFFh ; if data to write 0xFFFF
ROM:021A beq skip_write ; skip write
ROM:021C ldd #40h ; Cmd Word program
ROM:0220 std E, X ; Set Cmd
ROM:0222 ldd E, Y ; load Data to write
ROM:0224 std E, X ; Write New Data
ROM:0226
ROM:0226 Check_Ready: ; CODE XREF: LdPGmSGS+32j
ROM:0226 ldd #70h ; Cmd read Status Register
ROM:022A std E, X ; Set CMD
ROM:022C ldd E, X ; Read rStatus
ROM:022E andd #80h ; check bit Ready
ROM:0232 beq Check_Ready ; wait fReady
ROM:0234 ldd E, X ; Check
ROM:0236 andd #78h ; other errors
ROM:023A bne Error ; branch if others error
ROM:023C
ROM:023C skip_write: ; CODE XREF: LdPGmSGS+1Aj
ROM:023C ldd #0FFh ; Cmd read Array
ROM:0240 std E, X ; Set cmd
ROM:0242 ldd E, X ; Check data current
ROM:0244 subd E, Y ; and write
ROM:0246 bne Error ; branch if not compare
ROM:0248 ldd E, X ; else echo out data EEPROM
ROM:024A jsr ECHO_FLASH_BYTE ; echo 2 bytes of flash content
ROM:024E adde #2 ; Next pointer to write data
ROM:0250 cpe blksize ; compare E to block size
ROM:0254 blt WriteFlash ; repeat if not end
ROM:0256 bra main_loop ; branch load and write new data
ROM:0258 ; ---------------------------------------------------------------------------
ROM:0258
ROM:0258 Error: ; CODE XREF: LdPGmSGS+3Aj
ROM:0258 ; LdPGmSGS+46j
ROM:0258 ldd #0FFFFh ; load D with value (problematic areas are overwritten with FF)
ROM:025C std E, X ; store D to flash memory at X + value
ROM:025E ldab #1 ; load B with value (error writing flash)
ROM:0260 jsr SCI_TX ; write SCI byte from B
ROM:0264
ROM:0264 break: ; CODE XREF: LdPGmSGS+Cj
ROM:0264 rts ; return from subroutine
ROM:0264 ; End of function LdPGmSGS
Post by admin on Feb 19, 2022 19:22:32 GMT
I got some of this wrong, thank you for clarifying it! The command bus definitions table is really helpful. I have to make a habit of checking out datasheets...
So by erasing the flash all values become FF and that's why FFFF words are skipped.
Post by Piton on Feb 19, 2022 19:32:29 GMT
> I got some of this wrong, thank you for clarifying it! The command bus definitions table is really helpful. I have to make a habit of checking out datasheets... So by erasing the flash all values become FF and that's why FFFF words are skipped.

Yes, but below is the check:

ROM:0242 ldd E, X ; Check data current
ROM:0244 subd E, Y ; and write

Kill a programmer for this code:

ROM:0226 Check_Ready: ; CODE XREF: LdPGmSGS+32j
ROM:0226 ldd #70h ; Cmd read Status Register
ROM:022A std E, X ; Set CMD
ROM:022C ldd E, X ; Read rStatus
ROM:022E andd #80h ; check bit Ready
ROM:0232 beq Check_Ready ; wait fReady

Eternal cycle.
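Added example (my own code, not code from this thread, the bootloader or the ECU): a C model of the WriteFlash / Check_Ready / skip_write sequence in the LdPGmSGS listing, run against a constructed stand-in for the memory-mapped flash. The command values (0x50 clear status, 0x40 word program, 0x70 read status, 0xFF read array), the ready bit 0x80 and the error mask 0x78 are taken from the listing's comments; the simulated part, its fault-injection flags, the 0x10 program-fail bit and the max_polls limit are assumptions, and a real part's datasheet defines the actual status bits. The bounded poll is what turns the eternal Check_Ready cycle into a reportable timeout, and the read-back compare is the check that catches a skipped 0xFFFF word over a location that was never erased.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Command and status values as commented in the LdPGmSGS listing. */
#define CMD_CLEAR_STATUS 0x50
#define CMD_WORD_PROGRAM 0x40
#define CMD_READ_STATUS  0x70
#define CMD_READ_ARRAY   0xFF
#define STATUS_READY     0x80   /* "andd #80h ; check bit Ready" */
#define STATUS_ERR_MASK  0x78   /* "andd #78h ; other errors" */
#define STATUS_PGM_FAIL  0x10   /* assumed: one of the bits inside STATUS_ERR_MASK */

#define SIM_WORDS 64

/* Constructed stand-in for the flash, not a model of any real part. */
struct sim_flash {
    uint16_t array[SIM_WORDS];
    uint8_t  status;
    bool     expect_data;  /* a word-program command was just issued */
    bool     status_mode;  /* reads return the status register, not the array */
    bool     stuck;        /* fault injection: ready bit never returns after a program */
    bool     silent;       /* fault injection: a failed program sets no error bit */
};

static void sim_init(struct sim_flash *f, bool stuck, bool silent) {
    memset(f, 0, sizeof *f);
    memset(f->array, 0xFF, sizeof f->array);  /* erased flash reads 0xFFFF everywhere */
    f->status = STATUS_READY;
    f->stuck = stuck;
    f->silent = silent;
}

/* "std E,X": a write into the flash address space, either a command or program data. */
static void sim_write(struct sim_flash *f, size_t idx, uint16_t val) {
    if (f->expect_data) {
        f->expect_data = false;
        f->array[idx] &= val;                   /* programming can only clear bits */
        if (!f->silent && f->array[idx] != val) f->status |= STATUS_PGM_FAIL;
        if (f->stuck) f->status &= (uint8_t)~STATUS_READY;
        return;
    }
    switch (val & 0xFF) {
    case CMD_CLEAR_STATUS: f->status &= (uint8_t)~STATUS_ERR_MASK; break;
    case CMD_WORD_PROGRAM: f->expect_data = true; break;
    case CMD_READ_STATUS:  f->status_mode = true; break;
    case CMD_READ_ARRAY:   f->status_mode = false; break;
    default: break;
    }
}

/* "ldd E,X": a read from the flash address space. */
static uint16_t sim_read(const struct sim_flash *f, size_t idx) {
    return f->status_mode ? f->status : f->array[idx];
}

enum pgm_result { PGM_OK, PGM_TIMEOUT, PGM_STATUS_ERROR, PGM_VERIFY_FAILED };

/* Same sequence as WriteFlash / Check_Ready / skip_write for one block of nwords
 * words starting at word offset 0, except that the ready poll gives up after
 * max_polls iterations. max_polls == 0 keeps the listing's unbounded wait.
 * *failed_idx receives the index of the word being processed when a failure
 * is reported. */
static enum pgm_result program_block(struct sim_flash *f, const uint16_t *data, size_t nwords,
                                     uint32_t max_polls, size_t *failed_idx) {
    sim_write(f, 0, CMD_CLEAR_STATUS);                  /* ldd #50h / std E,X */
    for (size_t i = 0; i < nwords; i++) {               /* E steps by 2 up to blksize */
        if (failed_idx) *failed_idx = i;
        if (data[i] != 0xFFFF) {                        /* cpd #0FFFFh / beq skip_write */
            sim_write(f, i, CMD_WORD_PROGRAM);          /* ldd #40h / std E,X */
            sim_write(f, i, data[i]);                   /* ldd E,Y / std E,X */
            for (uint32_t polls = 0;; polls++) {        /* Check_Ready */
                sim_write(f, i, CMD_READ_STATUS);
                if (sim_read(f, i) & STATUS_READY) break;
                if (max_polls && polls + 1 >= max_polls) return PGM_TIMEOUT;
            }
            if (sim_read(f, i) & STATUS_ERR_MASK) return PGM_STATUS_ERROR;   /* bne Error */
        }
        sim_write(f, i, CMD_READ_ARRAY);                /* skip_write: ldd #0FFh / std E,X */
        if (sim_read(f, i) != data[i]) return PGM_VERIFY_FAILED;              /* subd E,Y / bne Error */
    }
    return PGM_OK;
}
```

With max_polls set to 0 the function behaves like the listing: against the stuck device it never returns, which is the eternal cycle pointed out above. With a limit it reports PGM_TIMEOUT and the caller can send an error byte, retry the block or abort cleanly instead of hanging with the part half-programmed.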
Post by admin on Feb 19, 2022 19:35:10 GMT
Piton dino2gnt, what are your thoughts on interrupted re-flashing procedures? Say the OBD2 plug gets accidentally disconnected halfway through. The controller is now bricked but it's not completely lost, right? The bootstrap mechanism still works, it is not erased. So in theory re-flashing can be restarted no matter what?
Post by Piton on Feb 19, 2022 19:43:46 GMT
> Piton dino2gnt, what are your thoughts on interrupted re-flashing procedures? Say the OBD2 plug gets accidentally disconnected halfway through. The controller is now bricked but it's not completely lost, right? The bootstrap mechanism still works, it is not erased. So in theory re-flashing can be restarted no matter what?

Best case scenario: "The bootstrap mechanism still works, it is not erased." There may be problems with the memory chip.
Post by dino2gnt on Feb 19, 2022 21:08:50 GMT
The bootstrap code is in the masked rom and isn't writable. Even if you trash the code in the flash chip, you'd still be able to get into bootstrap, load a bootloader, and upload new code to the flash. It's pretty un-brick-able.
Post by Piton on Feb 23, 2022 13:41:04 GMT
Post by dino2gnt on Feb 23, 2022 14:22:20 GMT
I'm compiling an 01_LdBoot with an additional function to dump the content of the flash via command. I have a working proof of concept now, but I'm wondering if it would be better to replicate the SCI Command 26 functionality in the bootloader to dump the full 256K, or follow some other format? Since there is already Cmd26 compatibility in the CCDSCIScanner GUI, I figure that will be the path of least resistance, but I'm curious to know your thoughts.
Post by admin on Feb 23, 2022 14:47:31 GMT
Thank you Konstantin for your valuable insights!
Dino, definitely go for it! Your method is way faster than the SCI Command 26 headache. At 62500 baud you can dump the flash memory pretty quickly in large blocks (16-128 bytes). With SCI ID 26 at 7812.5 baud a bunch of bytes are ignored (echo), out of 9 bytes only 1 goes to the binary file (response). And some controllers block the request after 128 kB. Offset check has not been updated with flash memory size increase. I'm wondering if it's on purpose.
Let's figure out a message format that the scanner and GUI can understand in high-speed mode and I'll update the scanner firmware / GUI. The transmitted blocks from the bootloader need to have some kind of header (sync byte + size). The current F0...FD check as first byte needs to disappear, that's for sure.
Post by dino2gnt on Feb 23, 2022 14:54:25 GMT
PoC function is really simple:
ROM:030A ; =============== S U B R O U T I N E =======================================
ROM:030A
ROM:030A
ROM:030A sub_30A: ; CODE XREF: sub_206-F4p
ROM:030A ldab #4
ROM:030C tbxk
ROM:030E ldx #0
ROM:0312
ROM:0312 loc_312: ; CODE XREF: sub_30A+14j
ROM:0312 ldab 0, X
ROM:0314 jsr sub_188
ROM:0318 aix #1
ROM:031A txkb
ROM:031C cmpb #8
ROM:031E bne loc_312
ROM:0320 rts

XK:IX = 0x40000 which is the start of flash as the bootloader configures it
Stop echoing bytes at 0x80000 (256K)

It starts and I can execute it, but of course it just spews data until it stops and is completely unintelligible.
Need an actual format.
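Added example (my own code, not code from this thread, from 01_LdBoot or from CCDSCIScanner): one candidate framing for the high-speed dump, with the bootloader-side encoder and a resynchronising parser for the scanner/GUI side. The layout (0x55 sync byte, 16-bit length, 24-bit flash address, 8-bit checksum) and the 128-byte cap are assumptions chosen to match the header (sync byte + size) and the 16-128 byte blocks discussed above; the test stream is constructed. The parser does not care what the first payload byte is, so the F0...FD first-byte check goes away, and it rejects implausible lengths so a corrupted length byte cannot make the receiver wait forever for a frame that never completes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Assumed frame layout (a proposal, not the thread's final format):
 *   SYNC | LEN(2, big-endian, payload bytes) | ADDR(3, big-endian) | payload | CHK
 * CHK is chosen so that the 8-bit sum of every byte after SYNC comes out to zero. */
#define SYNC_BYTE   0x55
#define HDR_LEN     6
#define MAX_PAYLOAD 128   /* upper end of the 16-128 byte blocks mentioned above */

struct frame { uint32_t addr; const uint8_t *payload; size_t len; };

/* Bootloader side: wrap one flash block. Returns bytes written, 0 if it does not fit. */
static size_t frame_encode(uint8_t *out, size_t cap, uint32_t addr,
                           const uint8_t *payload, size_t len) {
    if (len == 0 || len > MAX_PAYLOAD || cap < HDR_LEN + len + 1) return 0;
    out[0] = SYNC_BYTE;
    out[1] = (uint8_t)(len >> 8);   out[2] = (uint8_t)len;
    out[3] = (uint8_t)(addr >> 16); out[4] = (uint8_t)(addr >> 8); out[5] = (uint8_t)addr;
    memcpy(out + HDR_LEN, payload, len);
    uint8_t sum = 0;
    for (size_t i = 1; i < HDR_LEN + len; i++) sum += out[i];
    out[HDR_LEN + len] = (uint8_t)(0u - sum);
    return HDR_LEN + len + 1;
}

/* Scanner/GUI side: try to take one frame from the front of buf.
 * Returns the number of bytes to consume: a whole frame when *ok is set, 1 to skip a
 * byte that cannot start a valid frame (so the parser resynchronises on the next SYNC),
 * or 0 when the buffer holds an incomplete frame and more input is needed. */
static size_t frame_parse(const uint8_t *buf, size_t n, struct frame *out, bool *ok) {
    *ok = false;
    if (n == 0) return 0;
    if (buf[0] != SYNC_BYTE) return 1;
    if (n < HDR_LEN) return 0;
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len == 0 || len > MAX_PAYLOAD) return 1;   /* implausible length: treat SYNC as noise */
    size_t total = HDR_LEN + len + 1;
    if (n < total) return 0;
    uint8_t sum = 0;
    for (size_t i = 1; i < total; i++) sum += buf[i];
    if (sum != 0) return 1;                         /* corrupted: drop this SYNC and rescan */
    out->addr = ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 8) | buf[5];
    out->payload = buf + HDR_LEN;
    out->len = len;
    *ok = true;
    return total;
}

/* Reassemble a captured byte stream into an image that starts at flash address base.
 * Frames outside the image window are ignored. Returns the number of good frames. */
static size_t dump_reassemble(const uint8_t *stream, size_t n,
                              uint8_t *image, size_t image_size, uint32_t base) {
    size_t pos = 0, good = 0;
    while (pos < n) {
        struct frame fr;
        bool ok;
        size_t used = frame_parse(stream + pos, n - pos, &fr, &ok);
        if (used == 0) break;                       /* truncated tail: wait for more bytes */
        if (ok && fr.addr >= base && fr.addr - base + fr.len <= image_size) {
            memcpy(image + (fr.addr - base), fr.payload, fr.len);
            good++;
        }
        pos += used;
    }
    return good;
}
```

Carrying the address in every frame is what makes the dump restartable: if the link drops, the GUI keeps the blocks it already has and only the missing address ranges need to be requested again, and a repeated or out-of-order block simply lands in the right place.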