MonoMotronic MA3.0

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
Post Reply
WinWoj
Posts: 5
Joined: Tue Feb 28, 2012 6:10 am

MonoMotronic MA3.0

Post by WinWoj »

Hi Friends.

Few time ago I decided to learn assembly, but ECU hack passion was stronger, so I started disassembly ECU. First on table was Audi A8 D2 MMI Control Head unit, but was too hard for me, so I looked for something easier in my garage and found some little MonoJetronics from VAG and PSA. VAG Ecu seems to have internal PROM in MCU, so I leave it for future, and started disassembling ECU from Peugeot 205 (1,1i 8V) and Citroen AX (1,4i 8V) because 00000 offset in EPROM wasn't empty.

Please correct me, if possible in below first lines... I want to learn 8051 Assembly and also stategies and function this small ECU's.
All done by hand, becouse I can't understand IDA PRO output at this time...


ADD------HEX---------OPCODE------------PC-------SP-----------Description
--------+------------+------------------+---------+-----------+-----------------------------------------
0000-----02 02 5C-----LJMP 025C---------000-------07----------Jump to address 025C
025C-----75 90 FF-----MOV P1, #FF-------25C-------07----------Set all P1 bits to state 1
025F-----C2 B5--------CLR P3.5-----------25F-------07----------Set P3.5 to state 0
0261-----75 81 2F-----MOV SP, #2F-------261-------2F----------Move 2F to Stack Pointer SP
0264-----90 62 00-----MOV DPTR, 6200----264-------2F----------Move 6200 to Data Pointer
0267-----E0-----------MOVX A, @DPTR----267-------2F----------Move byte from external RAM to ACC from
-----------------------------------------------------------------address in DPTR
0268-----75 D0 00-----MOV PSW, #00-----268-------2F----------Move to PSW state 0 to all bits (Carry = 0)
026B-----78 64--------MOV R0, #64-------26B-------2F----------Move to R0 value 64H
026D-----79 7F--------MOV R1, #7F-------26D-------2F----------Move to R1 value 7F
026F-----E4-----------CLR A --------------26F-------2F----------Set state 0 to ACC
0270-----F7-----------MOV @R1, A--------270-------2F----------Set to address placed in R1 value from ACC
0271-----19-----------DEC R1-------------271-------2F----------Decrement R1
0272-----B9 01 FB-----CJNE R1, #01, FBH--272-------2F----------Compare R1 with value 01,
-|----------------------------------------------------------------and if R1=1 then go to address 275 [PC=PC+3]
-|----------------------------------------------------------------if R1!=1 then go to address 370 [PC=PC+3+FB]
-|-275---B2 B5--------CPL P3.5------------275-------2F----------Complementary bit P3.5
-|-277---E0-----------MOVX A, @DPTR-----277-------2F----------Move byte from external RAM to ACC
-|----------------------------------------------------------------from address in DPTR
-|-278---24 81--------ADD A, #81H--------278--------2F----------Add value 81h to ACC
-|-27A---40 02--------JC 02H--------------27A-------2F----------Jump if Carry is not set (C=0) go to address 27C
-|----------------------------------------------------------------if Carry is set (C=1) go to address 27E
-|-27C---D8 EF--------DJNZ R0, EF---------27C-------2F----------Decrement R0 and if R0=0 go to address 27E
-|----------------------------------------------------------------if R0!=0 go to address 36D [PC=PC+02+EF]
-|-27E---90 60 00-----MOV DPTR, 6000-----27E-------2F----------Move 6200 to Data Pointer
-|-281---E0-----------MOVX A, @DPTR-----281-------2F----------Move byte from external RAM to ACC from
-|----------------------------------------------------------------address in DPTR
-|-282---75 A0 BF-----MOV P2, #BF--------282-------2F----------Set P2 bits to state: 10111111
-|-285---D2 3B--------SETB 3B-------------285-------2F----------Set bit in IRAM area in address 3B to state 1
-|-287---78 55--------MOV R0, #55---------287------2F-----------Move to R0 value 55H
-|-289---74 55--------MOV A, #55----------289------2F-----------Move to ACC value 55H
-|-28B---F2-----------MOVX @R0, A--------28B------2F-----------Write to external RAM byte with value stored
-|-----------------------------------------------------------------in ACC to address stored in R0.
-|-28C---E4-----------CLR A---------------28C-------2F-----------Set state 0 to ACC
-|-28D---E2-----------MOVX A, @R0-------28D-------2F-----------Move byte from external RAM, at address stored
-|-----------------------------------------------------------------in R0 to ACC.
-|-28E---64 55--------XRL A, #55----------28E-------2F-----------Logical XOR (add modulo 2) ACC and 55h
-|-290---70 1F--------JNZ 1F--------------290-------2F-----------Jump to 01F if ACC!=0, if ACC=0 jump to 292
-|-292---74 AA--------MOV A, #AA---------292-------2F-----------Move to ACC value AAh
-|-294---F2-----------MOVX @R0, A--------294-------2F-----------Write to external RAM byte with value stored
-|-----------------------------------------------------------------in ACC to address stored in R0.
Attachments
02-27c256-0280000724.rar
(8.01 KiB) Downloaded 372 times
Last edited by WinWoj on Wed May 16, 2018 10:12 pm, edited 1 time in total.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: MonoJetronic MA3.0

Post by antus »

Good work! From the message body it looks about right. Ida will save you a lot of time though. Hit options and set opcode bytes to 6 or so, so you can see the hex as well as the decompiled code too. And you can also turn on auto comments to get it to add comments similar to your annotation above.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
WinWoj
Posts: 5
Joined: Tue Feb 28, 2012 6:10 am

Re: MonoJetronic MA3.0

Post by WinWoj »

Thanks, soon I going to post 1st part od schematic of this ECU, becouse some of MCU's pin are operated in this first lines. I worry, that manually work will kill my curent excitation, so I will play with Ida again.

Little EDIT: line with opcode 70 xx----JNZ xxx---- has another description, it means that jump if no zero is not for xx, but for PC+02+xx :-) Best regards!
Post Reply