pcmhacking.net

gmtech825 wrote:

ironduke wrote:So is this possible some sort of scaler that was mentioned earlier??

Btw, loving this discussion, showing me how much I am lacking... lol..

yeah exactly. I found one value that looks very interesting. It is 0x0A in the calibration, then is multiplied by 0x14, then divided by 0x14...so essentially it is still 0x0A = 10.

that value (10) gets moved to a ram location, then compared to see if it is <= to another ram value which is incremented by 1 (engine run timer maybe) and seems to trace back to my original function that checks the remote start enable byte.

it requires way more investigation...or maybe I'll change that value and see what happens when I finally get some time.

ironduke wrote:
I'll probably have a little time this weekend, I didn't end up with a brick yet so I'll volunteer to try 01 if you can tell me which one to try? or where? or which calibration, lol...

Tazzi wrote:gmtech825, what processor are you selecting in Ghidra? When I tried using one of the RSIC options (For fujitsu), it wasnt disassembling nicely. Well that was on irondukes file he uploaded with all cals implemented.

void UndefinedFunction_000c49be(void)

{
  int in_r13;
  
                    /* WARNING: Could not recover jumptable at 0x000c49c6. Too many branches */
                    /* WARNING: Treating indirect jump as call */
  (*(code *)(&switchD_000c49c6::switchdataD_000fa390)[in_r13])();
  return;
}

Tazzi wrote:Ill need to read the opcode definitions to understand better.

But it looks like it loads the value FA390 into r12, shifts r13 left by 2 (we do not know the value of r13) then loads data from address (r13+r12) into r12
Then it jumps to the address saved at location r12.

Its a bit of a roundabout way of doing it all. Im pretty sure the '@' sign is being used as a pointer. Meaning you need to look at the address that is saved in that register.