PCM Hammer P12 development

[antus]

try this payload

Code: Select all

start:
wait01:
    bsr.w   ResetWatchdog
    bsr.w   WasteTime
    jmp.s   wait01
    
WasteTime:
    nop
    nop
    nop
    nop
    rts

ResetWatchdog:
    move.b  #0x55, (0xFFFA55).l			| Reset COP1
    move.b  #0xAA, (0xFFFA55).l
    bclr    #7,	(0xFFFA21).l			| Reset COP2
    bset    #7,	(0xFFFA21).l		
    rts	

.end

[Tazzi]

Antus, is that code not assuming FA21 already has bit 7 enabled? Might be better using the eori.b command instead.

[antus]

Thats what I use in my other kernels for ls1-flash free, cut down so its just the delay and watchdog code, updated to the addresses to what should suit here. I think getting rid of compiler weirdness from c and using bare bones known good asm was worth a try.

[Gampy]

12587603 has bclr/bset, FFFF0000 disassembly is bset/bclr.

Have not ripped the bin posted by darkman5001 apart yet ... However if someone that has, searches for $AAAA and finds,

Code: Select all

    move.w  #$AAAA,(a4)
    move.w  #$5555,(a5)
    move.w  #$A0A0,(a4)

Just below that a little should be the COPs.
What it looks like In 12587603,

Code: Select all

    move.b  #$55,($FFFFFA27).w ; 'U' ; COPA
    move.b  #$AA,($FFFFFA27).w ; COPA
    bclr    #7,($FFFFD006).w ; COPB
    bset    #7,($FFFFD006).w ; COPB

What order is it ... bset/bclr or bclr/bset.

I'll take odds 10 to 1 on a beer that it dies, just like the simplest C with COPs.

What is expected, how will we (or the tester) know what's happened ... It does not complete, therefor there is no completion ack sent.
Wouldn't it be better to have a loop that lives longer then the COP timeout, but not to long, then exit, thus returning an ack, thus we know the scratch is working.

[Gampy]

And to advance my ASM skills, does this do that ??
Edit; I'm no math genius, is 1000 enough to out live the COP timeout ... Now that I think about it, it probably should be like 3000 (>2500) ??

Code: Select all

start:
    clr.w   %d0
wait01:
    bsr.w   ResetWatchdog
    bsr.w   WasteTime
    addq.w  #1, %d0
    cmpi.w  #1000, %d0
    beq.w   Exit1
    jmp.s   wait01
   
WasteTime:
    nop
    nop
    nop
    nop
    rts

ResetWatchdog:
    move.b  #0x55, (0xFFFA55).l         | Reset COP1
    move.b  #0xAA, (0xFFFA55).l
    bclr    #7,   (0xFFFA21).l         | Reset COP2
    bset    #7,   (0xFFFA21).l      
    rts   

Exit1:

.end

WatchDog-SimpleLoop-FF2000.bin

(68 Bytes) Downloaded 290 times

It's back ... I do not know for sure how to just end the routine/program and return to the caller!
I don't want to reset, I don't want to rts, I have no way to test ATM ... working on that ASAP!

I took it down posted it back, it's not going to do harm, just educate!

[darkman5001]

Has anyone been able to decompile the bin of the flash chip that I uploaded?

[Gampy]

I have not tried yet, been a rough morning ...

Try the two posted bin files.

[ironduke]

Has anyone been able to decompile the bin of the flash chip that I uploaded?

I took a quick peek of the one antus fixed..
Something seems off to me..
The OS looks ok but the OS has the other segments addresses right in the beginning.. The ones I read do not match up. Secondly if you take the vin that's there and go to tis2web and pull up the calibration info the cal id's aren't there anywhere never mind at the beginning of the segment location that the OS pints to for that segment like they usually are..

Gotta say, I don't do much work on the older, pretty much just E38 and E92 but I do see similarities across ecu's including the OS "header" having addresses forthe rest of the segments.. Those addresses in your bin make sense, just the data at the locations don't..

Please whomever feel free to correct me if I am incorrect, this is just my thoughts.. I am sure I am using the wrong terminology, spelling, and thought process, lol..

[turbo_v6]

I'm attempting to disassemble the one antus posted. It seems like it worked, but it is very different from the P01/P59 OS's that I've disassembled.

There seem to be a lot of NOP's throughout.

I'll look a little more but I haven't found what Gampy was looking for, but I found this that looks similar:

Code: Select all

move.b  #$55,(byte_FFFA55).w
move.b  #$AA,(byte_FFFA55).w
eori.b  #$80,(byte_FFFA21).w

Not sure exactly what else I should be looking for, but I can keep looking if that's not right.

[Gampy]

I ain't no genius at this disassembly stuff ... I'm stumbling like an old man!
Seems y'all got me beat ...

Using CPU32, based 0x0/1m, what RAM base/size ??

I did repost my hack of Antus's assembly, it can't hurt, only educate ...