060A Disassembly

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
MidnightTuning
Posts: 7
Joined: Mon Mar 11, 2024 10:18 am
cars: 2003 L36 + Bolt-ons Acclaim Wagon (L67 Top Swap to be installed)
2002 Xr6 Tickford S3 with all factory enhancements + Turbocharger

060A Disassembly

Post by MidnightTuning »

Hey All,

I've just come off about 4 months' worth of Decompiling Binaries for the J3 Chips and AU falcon EECs (I'll put my GitHub link for my entire repository of files in the Ford section soon). I've had a major blast with all that and it's resulted in me being able to turbocharge my AU on nothing but the factory engine management and a Moats QH, live datalogging and Realtime tuning included.

Anyhow. I wanted to move onto my Commodore Project as I have a cammed (Stg 2 Mace Turbo Grind) and ported L36 with L67 top (Plus other bolt on stuff too) ready to drop in and wanted to run the VY flash PCM, but as I've read here for years that is apparently going to be an issue, specifically with CYLAIR, MAF and RPM Limiter limitations with the Flash PCM. Notably, The1's Binary patches do not carry over to the vy flash PCM at all as he had issues with it based on what I have read here long before I decided to make an account here.

As a last ditch before throwing in the towel and just getting an L67 pcm, pinning my loom and installing an NVRAM I wanted to at least try to look through the binary myself, but I cannot for the life of me make Ghidra play along (I am fairly new to it) :comp:

All of my attempts so far have been basically trash, with only a few functions being identified, provided they were even correct at all. It certainly is not as forgiving as SAD806x or EEC-IV disassembler.

Could anyone offer me some much-needed input on this, or should I really just throw in the towel and take the road most traveled? I really don't want to give up on my flash PCM if I can avoid it. I don't mind putting in some work on the flash PCM, if only I could just even decompile the thing first.

Cheers
Rob
Remember, Computers only ever do what they're told. Unless they're broken :(

Ford Falcon EEC Github Repo (Intech 6cyl XDFs, etc): https://github.com/Airbornofficial8/Ope ... EC-Project
My Site (Midnight Tuning Merch, Services, etc): midnightuning.shop
antus
Site Admin
Posts: 8253
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: 060A Disassembly

Post by antus »

Not sure what Ghidra is like for the 68hc11 cpu as it didn't exist (or should I say its existence was not publicly known and it was not publicly available until after the Snowden leaks in 2013 when it was decided to open source it). But if you can get it, IDA Pro works well, else there is dhc11, which was developed in Australia by TechEdge for Australian ECMs and PCMs https://www.techedge.com.au/utils/dhc11.htm (dos, free), or in America Tuner Cat made their own disassembler which should also work well and has a 30 day trial. http://www.tunercat.com/disasm_desc/disasm_desc.html

Note that the challenge for disassembly of the 128k bins is the bank switching, which the disassemblers can't follow. Essentially you have 0-32kb mapped to 0-32kb address space full time with calibration and common code, then you get 32-64kb mapped in the high half of the address space for engine processing, or 92-128kb mapped to 32-64kb for transmission.

When I did it, I found it was best to make an image of each state and disassemble them separately. Then at least the memory addressing is correct for both, but the disassembler is not aware of the bank switching so it gets harder.

My early work on this is posted here: viewtopic.php?t=237
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
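The "one image per bank state" step described in the post above, as an added example (not antus's code or anything from the linked projects). The common and engine offsets follow the post; the transmission bank is taken as the last 32 KB of the file, which is an assumption to confirm against your own bin, and all function names are hypothetical.

```python
"""Build one flat 64 KB image per bank state from a bank-switched 128 KB bin."""

KB = 1024
WINDOW = 32 * KB            # size of the common area and of each banked window

# File offsets of each 32 KB region. Common and engine follow the post; the
# transmission offset is an ASSUMPTION (last 32 KB of the file).
COMMON_OFFSET = 0
BANK_OFFSETS = {"engine": 32 * KB, "trans": 96 * KB}


def build_bank_images(rom: bytes, bank_offsets=BANK_OFFSETS) -> dict:
    """Return {bank_name: 64 KB image} whose offsets equal CPU addresses."""
    if len(rom) != 128 * KB:
        raise ValueError(f"expected a 128 KB bin, got {len(rom)} bytes")
    common = rom[COMMON_OFFSET:COMMON_OFFSET + WINDOW]
    images = {}
    for name, off in bank_offsets.items():
        if off % WINDOW or off + WINDOW > len(rom):
            raise ValueError(f"bank {name!r}: bad offset {off:#x}")
        # Low half 0x0000-0x7FFF is always the common area; the high half
        # 0x8000-0xFFFF is whichever bank is switched in.
        images[name] = common + rom[off:off + WINDOW]
    return images


def cpu_to_file_offset(bank: str, addr: int, bank_offsets=BANK_OFFSETS) -> int:
    """Map a CPU address from one bank's disassembly back to the bin offset."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("68HC11 addresses are 16-bit")
    if addr < WINDOW:
        return COMMON_OFFSET + addr
    return bank_offsets[bank] + (addr - WINDOW)


def reset_vector(image: bytes) -> int:
    """Big-endian reset vector at 0xFFFE; a quick sanity check on each image."""
    return int.from_bytes(image[0xFFFE:0x10000], "big")


if __name__ == "__main__":
    # Constructed stand-in for a real bin: each 32 KB region filled with its index.
    rom = b"".join(bytes([i]) * WINDOW for i in range(4))
    for name, img in build_bank_images(rom).items():
        print(name, len(img), hex(reset_vector(img)))
```

Each image can then be loaded at base address 0 in the disassembler, and `cpu_to_file_offset` turns an address found in either listing back into the offset to edit in the original bin.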

Re: 060A Disassembly

Post by MidnightTuning »

Wow antus thank you for that reply. That's everything I wanted to hear!

In my case I was running Ghidra with a publicly available 3rd party cpu definition which supposedly did have support for the HC11 family of chips and it was working to some extent, just not a usable extent. Though that dhc11 tool you linked looks a bit more suited for purpose.

I'll have to check out your L67 disassembly too. That looks great and should be a good starting point I can use for the Flash PCM.

Thanks for all your input - Rob!

Re: 060A Disassembly

Post by antus »

Is your aim to get to the point to reassemble a new OS? That was the aim on the above, and after creating the above I started trying to export the databases, and write scripts to have a common section and one for each bank. So both bins were assemblable and building from the same common code, and different high bank code. But it quickly became a huge time sink, and it became clear that the benefits did not outweigh the time cost to do it. So instead we ended up using the disassembly work to understand the code, but patched the factory bins with jumps to jump out to unused space and implement additional logic there, without reassembling the bin. This sidesteps the whole bank switching problem quite effectively. Out of interest I've also looked at custom operating system patches from the commercial companies for later generation PCMs and I've found they've taken the same approach. Patch, not rebuild. So by all means disassemble and learn, but if you aim to rebuild, consider the above.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
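The "patch, not rebuild" approach from the post above, as an added example working on a flat 64 KB bank image (not code from antus, the1 or any commercial patch). The 0xFF fill for unused space, the function names and the sample routine are assumptions; the opcodes are standard 68HC11.

```python
"""Jump-out patch on a flat 64 KB bank image (68HC11 opcodes)."""

JMP_EXT = 0x7E      # JMP, extended addressing: opcode + 16-bit big-endian target
NOP = 0x01          # pads the remainder of the overwritten instructions
ERASED = 0xFF       # ASSUMPTION: unused flash is left erased (0xFF)
VECTORS = 0xFFC0    # interrupt vector table starts here; never place a stub in it


def jmp(target: int) -> bytes:
    return bytes([JMP_EXT]) + target.to_bytes(2, "big")


def find_free_space(image: bytes, size: int, start: int = 0, end: int = VECTORS) -> int:
    """First address in [start, end) holding `size` erased bytes, or -1 if none."""
    return image.find(bytes([ERASED]) * size, start, end)


def apply_hook(image: bytes, hook_addr: int, displaced_len: int, new_logic: bytes):
    """Replace `displaced_len` bytes at hook_addr with a JMP to a stub in free space.

    displaced_len must cover whole instructions (read it off the disassembly) and
    those instructions must not be PC-relative branches, because they are replayed
    at a different address inside the stub before it jumps back.
    """
    if displaced_len < 3:
        raise ValueError("need at least 3 bytes to hold JMP ext")
    displaced = image[hook_addr:hook_addr + displaced_len]
    stub = new_logic + displaced + jmp(hook_addr + displaced_len)
    stub_addr = find_free_space(image, len(stub))
    if stub_addr < 0:
        raise ValueError("no erased run large enough for the stub")
    out = bytearray(image)
    out[hook_addr:hook_addr + displaced_len] = jmp(stub_addr) + bytes([NOP]) * (displaced_len - 3)
    out[stub_addr:stub_addr + len(stub)] = stub
    return bytes(out), stub_addr


def demo():
    """Constructed image: a 6-byte routine at 0x9000 and an erased run at 0xA000."""
    image = bytearray(0x10000)
    image[0x9000:0x9006] = bytes.fromhex("8610b7010039")  # LDAA #$10 / STAA $0100 / RTS
    image[0xA000:0xA040] = bytes([ERASED]) * 0x40
    # Two NOPs stand in for the additional logic a real patch would carry.
    return apply_hook(bytes(image), 0x9000, 5, bytes([NOP, NOP]))


if __name__ == "__main__":
    patched, stub_addr = demo()
    print(hex(stub_addr), patched[0x9000:0x9006].hex(), patched[stub_addr:stub_addr + 10].hex())
```

Because the hook and the stub live in the same image, nothing has to be relocated or reassembled; passing `start`/`end` to `find_free_space` restricts the stub to a region that is mapped whenever the hooked code runs.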

Re: 060A Disassembly

Post by MidnightTuning »

antus wrote: Tue Mar 12, 2024 4:32 pm
> Is your aim to get to the point to reassemble a new OS? That was the aim on the above, and after creating the above I started trying to export the databases, and write scripts to have a common section and one for each bank. So both bins were assemblable and building from the same common code, and different high bank code. But it quickly became a huge time sink, and it became clear that the benefits did not outweigh the time cost to do it. So instead we ended up using the disassembly work to understand the code, but patched the factory bins with jumps to jump out to unused space and implement additional logic there, without reassembling the bin. This sidesteps the whole bank switching problem quite effectively. Out of interest I've also looked at custom operating system patches from the commercial companies for later generation PCMs and I've found they've taken the same approach. Patch, not rebuild. So by all means disassemble and learn, but if you aim to rebuild, consider the above.

Hey Antus. No, in my case a full reassembly capable decomp is not my goal like in your project, end game for me would be like you say, a simple patch to achieve my goals. My goal currently / initially was just disassembly to reverse engineer out the configurable scalars, tables and functions (at least initially). Exactly as I did for the F#rds. My skill level currently is most certainly not up to the task of the level of work that you have done for your L67 decomp project, so it's still very much a future thought at this stage, or I could even just go grab a L67 PCM and do it the tried and true way.

In saying that, I have already had some strong success porting settings from the $58 (I think?? Otherwise, I mean the VS V6 N/A Binary) XDF to the 060A XDF. As I had seen from my limited playing in the past the Holden code and especially configuration areas of the binaries are very modular in a way (Chunk of code and config for just the transmission for example, another for engine, etc.).

So far my Frankenstein XDF has been a great success with many tables and scalars being very easy to port over to 060A. I'll post it up here once it's a bit more finished and tested. Until then it's already been good fun so far.

Re: 060A Disassembly

Post by antus »

If you haven't looked at the1's enhanced for VX or VY flash, have a look there first. The scalars and many things are defined and there is a spreadsheet to make it much easier to apply changes to them. The MAF tables are extended to add some more headroom, but like you noted the cylair max is not increased for the flash pcms. You could probably compare several of the enhanced bins back to stock to figure out how the cylair was increased on the other operating systems, then you could try and port the same approach to VX or VY V6.

It may be worth reaching out to the1 as well, he may be willing to share some work with you. I understand the cylair limit was in beta at some stage, but the downloads page doesn't list it as a feature. I am not sure if the code is there and the lack of a mention of it is a mistake, or if it was never released. It could be working, just that nobody came along with enough boost to be able to test it.

Re: 060A Disassembly

Post by MidnightTuning »

antus wrote: Wed Mar 13, 2024 12:12 am
> If you haven't looked at the1's enhanced for VX or VY flash, have a look there first. The scalars and many things are defined and there is a spreadsheet to make it much easier to apply changes to them. The MAF tables are extended to add some more headroom, but like you noted the cylair max is not increased for the flash pcms. You could probably compare several of the enhanced bins back to stock to figure out how the cylair was increased on the other operating systems, then you could try and port the same approach to VX or VY V6.
>
> It may be worth reaching out to the1 as well, he may be willing to share some work with you. I understand the cylair limit was in beta at some stage, but the downloads page doesn't list it as a feature. I am not sure if the code is there and the lack of a mention of it is a mistake, or if it was never released. It could be working, just that nobody came along with enough boost to be able to test it.

Hey Antus, I did check out the1's enhanced mod some time back (It was the first tuning project I did on my commodore after buying one of Tazzi's cables from his site) and my car already runs the VY flash enhanced binary. The only gain out of it according to the1 is the extended MAF limits (16khz or so freq max and 510g/s extended flow limit). But otherwise, there are no additional benefits on the flash PCMs, at least in the version that can be freely downloaded like you say (That beta sounds interesting though). Don't get me wrong, it's already one major hurdle out of the way just with a simple bin flash through OSE, but there is still the annoyance of only being able to tune up to 750 cylair on the main tables. I'll try sending the1 a PM to see what his take on potentially extending that cylair limit is, or if he perhaps still has that beta version. To be honest it is my only other major limitation in the way of running this flash PCM with my L67 build, everything else I can live with.

Many thanks for all your input on this mate! - Hopefully the1 can come through for me, or it might be time to skill up further and see if I can't patch it myself.

Re: 060A Disassembly

Post by antus »

Yeah do reach out. I have a backup of it here, but it's not my code to share and he'll have the full story about where it got to.

Re: 060A Disassembly

Post by MidnightTuning »

antus wrote: Wed Mar 13, 2024 5:03 pm
> Yeah do reach out. I have a backup of it here, but it's not my code to share and he'll have the full story about where it got to.

Checked in with him and he said he had nothing like that for the flash based stuff. Assuming that means it just wasn't ever available for the flash based vy's, or I'm just not worthy of finding out :lol:

Thanks for the help though antus anyway. I'm sure I'll find a way around it eventually or just get myself an L67 PCM

Re: 060A Disassembly

Post by antus »

Note that L67 means stock ecotec VT commodore, auto or manual. So they're not hard or expensive to find. The difference is only in the code, which you can easily swap in. The annoying part is updating the loom to suit.