MPC56xx / PowerPC table lookup examples?

[Tazzi]

If a custom kernel was made to read the flash and then write back to it, then it could be added to a flashing application.
Biggest part is making the kernel.

Its usually best to look at what the GM one does, then create from that. These usually have the complex needed parts done for you (unlock flash, erase ect), the actual writing and reading memory is the easy part.

[Highlander]

I may have fixed it.

You can change the processor language for an existing project. It's irreversible, so they recommend you back up your project file before you do it. I switched from "PPC big endian 32 bit" to "PPC big endian 64 bit VLE with 32 bit addressing". The code block disassembles now.

Code: Select all

                             LAB_0015fc90                                    XREF[1]:     0015fc78(j)  
        0015fc90 81 8e 31 ac     lwz        r12,DAT_000031ac(r14)
        0015fc94 3d 60 00 09     lis        r11,0x9
        0015fc98 81 6b 91 00     lwz        r11,-0x6f00(r11)[b][u]=>DAT_00089100[/u][/b]                   = 41800000h
        0015fc9c 10 8c 5a cc     efscmpgt   cr1,r12,r11
        0015fca0 40 85 00 18     ble        cr1,LAB_0015fcb8
        0015fca4 39 80 00 00     li         r12,0x0
        0015fca8 b1 8e 32 84     sth        r12,0x3284(r14[b][i][u])=>DAT_4000b274[/u][/i][/b]
        0015fcac 38 60 18 05     li         r3=>DAT_00001805,0x1805
        0015fcb0 48 00 4a b1     bl         FUN_00164760                                     undefined FUN_00164760()
        0015fcb4 48 00 00 38     b          LAB_0015fcec

EFSCMPGT is apparently Floating-Point Single-Precision Compare Greater Than.

Are these: =>DAT_00089100 your annotations?

[antus]

It looks to me like Ghidras built in default naming convention, eg for a function its FUN_address and for a data address reference its DAT_address, similar to IDA using subroutine SUB_address, and you have the option to rename them to something more meaningful as you figure it out.

[Tre-Cool]

coz im kinda retarded at this sort of stuff, but can bumble/half ass my way through. I'd like to do a similar thing for the T43 trans controller bin. I'm trying to find a limiter preventing the use of 6th gear past an input shaft speed of 3757rpm.

Anyone able help out? ive got ghidra installed but lost from there

[Tre-Cool]

coz im kinda retarded at this sort of stuff, but can bumble/half ass my way through. I'd like to do a similar thing for the T43 trans controller bin. I'm trying to find a limiter preventing the use of 6th gear past an input shaft speed of 3757rpm.

Anyone able help out? ive got ghidra installed but lost from there

I managed to find the limiter tables a few months ago. There is what i suspect a High RPM that when triggered forces the downshift, then a lower re-engage rpm limiter. Similar to how engine rpm limiter works in the E38.

I've now added a bunch of different os locations to some efilive cax files for them (rpm does vary calibration to calibration).

Worked it all out just by logging the trans & seeing what rpm the trans downshifted at, then went looking, surprisingly didn't take that long.

Then today checked that ghidra showed the particular locations linked to function blocks.

[Gatecrasher]

That's cool. Nice job.