|
Post by admin on Feb 23, 2022 15:14:56 GMT
Excuse my ignorance but how come flash starts at 0x40000? In normal mode SCI ID 26 is serviced like this:
ROM:35E3A ; =============== S U B R O U T I N E ======================================= ROM:35E3A ROM:35E3A ; SCI ID 26 READ ROM ROM:35E3A ; ------------------ ROM:35E3A ; TX: 26 XX YY ZZ ROM:35E3A ; RX: 26 XX YY ZZ MM ROM:35E3A ; ROM:35E3A ; XX YY ZZ: ROM offset ROM:35E3A ; MM: ROM value at given offset ROM:35E3A ; ROM:35E3A ; SCI ID 26 READ RAM ROM:35E3A ; ------------------ ROM:35E3A ; TX: 26 0F XX YY ROM:35E3A ; RX: 26 0F XX YY NN ROM:35E3A ; ROM:35E3A ; XX YY: RAM offset (8000 - 97FF) ROM:35E3A ; NN: RAM value at given offset ROM:35E3A ; ROM:35E3A ; This might not work for all ROM:35E3A ; SBEC3 computers. ROM:35E3A ROM:35E3A ReadROMRAM: ; CODE XREF: SCI_ID_JUMP+58j ROM:35E3A clr SCI_RX_ID, Z ROM:35E3E ldab SCI_RX_03, Z ROM:35E42 cmpb #0Fh ; read RAM instead of ROM (0F 80 00 - 0F 97 FF) ROM:35E44 beq loc_35E4A ROM:35E46 bitb #0FEh ; ---128k read bug, should be FC--- ROM:35E48 bne locret_35E5A ROM:35E4A ROM:35E4A loc_35E4A: ; CODE XREF: ReadROMRAM+Aj ROM:35E4A tbxk ROM:35E4C ldd SCI_RX_01, Z ROM:35E50 xgab ROM:35E52 xgdx ROM:35E54 ldaa 0, X ROM:35E56 jmp SCI_WRITE ; write SCI byte from A ROM:35E5A ; --------------------------------------------------------------------------- ROM:35E5A ROM:35E5A locret_35E5A: ; CODE XREF: ReadROMRAM+Ej ROM:35E5A rts ROM:35E5A ; End of function ReadROMRAM Here XK:IX ranges between 0x00000 - 0x03FFFF and in a special case 0x0F8000 - 0x0F97FF to read RAM. Also just found out yesterday that at 0x0FF700 and above you can read some register values, ADC GPT SIM SRAM QSM. Is memory mapping different when the bootloader is running?
|
|
|
Post by dino2gnt on Feb 23, 2022 15:29:53 GMT
Is memory mapping different when the bootloader is running? Yes:
In the bootloader:
ROM:01E0 ldd #11001111b ROM:01E4 std 7A44h, Z ; configure CSPAR0 ROM:01E4 ; CSBTPA = 11 ROM:01E4 ; CS0PA = 11 (16bit port) ROM:01E4 ; CS1PA = 00 (output) ROM:01E4 ; CS2PA = 11 (16bit port) ROM:01E8 ldd #10000000101b ROM:01EC std 7A48h, Z ; configure CSBARBT ROM:01EC ; BLKSZ = 101 = 256Kb ROM:01EC ; ADDR = 0x40000 ROM:01F0 std 7A4Ch, Z ; configure CSBAR0 ROM:01F0 ; BLKSZ = 101 = 256Kb ROM:01F0 ; ADDR = 0x40000
We mount the flash chip to 0x40000 with a block size of 256KB, and talk to it in 16bit words.
|
|
|
Post by admin on Feb 23, 2022 15:32:25 GMT
All clear now, thank you! Feeling less noob than yesterday!
|
|
|
Post by dino2gnt on Feb 23, 2022 18:56:57 GMT
At 62500 baud you can dump the flash memory pretty quickly in large blocks (16-128 bytes).
When I say "replicate command 26" i mean more along the lines of: command byte0 (arbitrary in this example)
bank byte1 addrH byte2 addrL byte3 read and echo starting byte1:byte2:byte3 until... 16 bytes? 32 bytes? More? Should I make it variable length, in a 5th byte, 1-256 ?
If it's variable length, should we specify a series of characters as terminator ? 0x2BA115 ?
I think the bootstrap code allows for a bootloader up to 1023 bytes long, so I have a little room to work with. Even more so if I strip out the worker function handling code and make this purely a "do stuff we want" bootloader.
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Feb 23, 2022 19:06:52 GMT
When I say "replicate command 26" i mean more along the lines of: command byte0 (arbitrary in this example)
bank byte1 addrH byte2 addrL byte3 read and echo starting byte1:byte2:byte3 until... 16 bytes? 32 bytes? More? Should I make it variable length, in a 5th byte, 1-256 ?
If it's variable length, should we specify a series of characters as terminator ? 0x2BA115 ? I think the bootstrap code allows for a bootloader up to 1023 bytes long, so I have a little room to work with. Even more so if I strip out the worker function handling code and make this purely a "do stuff we want" bootloader.
Imho: Make it variable length, in 4th and 5th bytes, 1-65535, not terminator. My principle is less code in the ECU, more PC.
|
|
|
Post by admin on Feb 23, 2022 19:35:30 GMT
Right! I see now what you meant and agree with Konstantin. Command byte could be the same as in normal mode.
Example:
TX: 26 AA BB CC DD EE CS RX: 26 AA BB CC DD EE XX YY ZZ CS
26: read memory AA: bank BB: addrH CC: addrL DD: read length H EE: read length L CS: checksum
XX YY ZZ: series of bytes returned The CCD/SCI scanner has a 256 bytes SCI-bus buffer, so we are talking about at least 128 byte transfers in one go. Involving checksum calculation is highly recommended at packets this size.
A single-use bootloader is a good idea! Do you code the instructions manually or do you have a software for that?
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Feb 23, 2022 19:47:55 GMT
|
|
|
Post by dino2gnt on Feb 23, 2022 19:51:03 GMT
Do you code the instructions manually or do you have a software for that?
I have an HC16 compiler, but I'm just writing in vim. Instructions go together like Lego, but addressing for branches and jumps is hard. I make changes, compile, disassemble and verify, correct, and repeat until the disassembly looks right.
At one point yesterday I had written a source file that would compile into an identical binary of the bootloader, but I didn't think to save a copy before I started changing things.
|
|
|
Post by admin on Feb 23, 2022 20:24:55 GMT
Thanks both of you! Dino, do you mind sharing that source code? I'm wondering how you managed to do it.
|
|
|
Post by dino2gnt on Feb 23, 2022 20:30:57 GMT
Shared it on github, check your email for invite.
Here's what I hammered together so far for "command 0x45"
do_command45: ldab #46h ; complete respnse will be like: ; 0x46 0x00 0xFF 0xFF for request ; 0x45 0x00 0xFF 0xFF and should return (in this example) 65535 bytes jsr TX_byte ; send 0x46 as 0x45 acknowledge jsr RX_byte ; addb #4 ; Flash starts at 0x40000 tbxk ; Byte 0 is bank jsr TX_byte ; echo back bank byte0 jsr RX_byte ; This will be IX high byte tba clrb xgdx ; A is the high byte of D -> to IX tab jsr TX_byte ; echo addr byte jsr RX_byte ; read payload-size byte0 stab Word_0x01B7 ; store it jsr TX_byte ; echo it jsr RX_byte ; read payload-size byte1 stab Word_0x01B7+1 ; store it jsr TX_byte ; echo payload-size byte1 Rd_xmit: ldab 0,X jsr TX_byte ; Echo it ldd $190h jsr Delay ; it probably does this for a reason :) aix #1 decw Word_0x01B7 ; decrement the stored payload-size bne Rd_xmit ; if not zero loop rts
Not compile tested or sanity checked, from my fingers to your forum.
|
|
|
Post by admin on Feb 23, 2022 20:44:25 GMT
Got it, thank you! Is there a particular reason why the flash memory is mapped to 0x40000 instead of 0x0?
|
|
|
Post by dino2gnt on Feb 23, 2022 20:54:29 GMT
Got it, thank you! Is there a particular reason why the flash memory is mapped to 0x40000 instead of 0x0? I haven't looked too closely at the control registers while in bootstrap (aside from the MRMCR) to tell you exactly how memory is configured, but I assume this is because 0x00000 is the default location from which the MCU will boot (except in bootstrap, when it's burned-in to boot from 0xE0000), and 0x00000 to 0x003FF needs to be RAM during bootstrap, because we write the bootloader and worker functions there when we're running in bootstrap mode. Code reuse probably has a lot to do with it, too, some of this software was probably originally written for the HC11 or HC12 and ported to the HC16 in '96.
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Feb 23, 2022 20:58:41 GMT
Shared it on github, check your email for invite. Here's what I hammered together so far for "command 0x45"
do_command45: ldab #46h ; complete respnse will be like: ; 0x46 0x00 0xFF 0xFF for request ; 0x45 0x00 0xFF 0xFF and should return (in this example) 65535 bytes jsr TX_byte ; send 0x46 as 0x45 acknowledge jsr RX_byte ; addb #4 ; Flash starts at 0x40000 tbxk ; Byte 0 is bank jsr TX_byte ; echo back bank byte0 jsr RX_byte ; This will be IX high byte tba clrb xgdx ; A is the high byte of D -> to IX tab jsr TX_byte ; echo addr byte jsr RX_byte ; read payload-size byte0 stab Word_0x01B7 ; store it jsr TX_byte ; echo it jsr RX_byte ; read payload-size byte1 stab Word_0x01B7+1 ; store it jsr TX_byte ; echo payload-size byte1 Rd_xmit: ldab 0,X jsr TX_byte ; Echo it ldd $190h jsr Delay ; it probably does this for a reason :) aix #1 decw Word_0x01B7 ; decrement the stored payload-size bne Rd_xmit ; if not zero loop rts
Not compile tested or sanity checked, from my fingers to your forum.
I wouldn't do it. addb #4 ; Flash starts at 0x40000 The host program must be responsible for the page.
|
|
|
Post by dino2gnt on Feb 23, 2022 21:04:16 GMT
Shared it on github, check your email for invite. Here's what I hammered together so far for "command 0x45"
do_command45: ldab #46h ; complete respnse will be like: ; 0x46 0x00 0xFF 0xFF for request ; 0x45 0x00 0xFF 0xFF and should return (in this example) 65535 bytes jsr TX_byte ; send 0x46 as 0x45 acknowledge jsr RX_byte ; addb #4 ; Flash starts at 0x40000 tbxk ; Byte 0 is bank jsr TX_byte ; echo back bank byte0 jsr RX_byte ; This will be IX high byte tba clrb xgdx ; A is the high byte of D -> to IX tab jsr TX_byte ; echo addr byte jsr RX_byte ; read payload-size byte0 stab Word_0x01B7 ; store it jsr TX_byte ; echo it jsr RX_byte ; read payload-size byte1 stab Word_0x01B7+1 ; store it jsr TX_byte ; echo payload-size byte1 Rd_xmit: ldab 0,X jsr TX_byte ; Echo it ldd $190h jsr Delay ; it probably does this for a reason :) aix #1 decw Word_0x01B7 ; decrement the stored payload-size bne Rd_xmit ; if not zero loop rts
Not compile tested or sanity checked, from my fingers to your forum.
I wouldn't do it. addb #4 ; Flash starts at 0x40000 The host program must be responsible for the page.
It's not set in stone, but there's precedent for this in the existing bootloader:
ROM:02B2 ROM:02B2 read_offset_bytes: ; CODE XREF: get_command+Aj ROM:02B2 ; get_command+Ej ROM:02B2 ldab #31h ROM:02B4 jsr TX_Byte ; Send 0x31 ROM:02B8 jsr RX_Byte ; Read a byte ROM:02BC tba ; Hold the original byte in A ROM:02BE addb #4 ; Add 4 to the byte we received ROM:02C0 tbxk ; XK is now Byte+4 - this is the bank/page we're writing? ROM:02C2 tab ; Move byte in A back to B ROM:02C4 jsr TX_Byte ; Echo the byte back ROM:02C8 jsr RX_Byte ; read a new byte ROM:02CC stab addr_word ; Store byte to 0x030A It was largely a copy and paste
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Feb 23, 2022 21:12:54 GMT
They stepped on their own balls.;-) Read page 0 must be passed minus 4.
|
|