
Thread: Code: Learning Disassembly Assembly

  1. #1
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477

    Code: Learning Disassembly Assembly

    From 1project2many:

    EagleMark's post below made me realize it would be a good idea to have a place for code questions. Anything goes, so to speak, as long as it's code related. Assembly, Modula, C++, Motorola, Intel, Whatever.

    ------------------------------------------------

    $4F XDF Fuel VE table goes to 5200 RPM, but the assembly only goes to 4800? Someone started at 400 RPM instead of 0 RPM.

    Odd? Have you ever seen how much Air management code is in a $6E assembly? And I can't find a way to turn it off? In $42 it's just a temp on and timer...

    Since I'm starting to understand loops and subroutines how about a lesson on the commands? I just grabbed this piece and BOLD, Italic and UNDERLINED some examples.

    Code:
                     ;--------------------
                    ; LK UP  ACCEL ENRICH 
                    ; vs Diff TPS 
                    ; ** PUMP SHOT **
                    ;--------------------
    D775:            LDAA    #255
    D777:  LD777     LDX     #$D312         ; ACCEL ENRICH vs Diff TPS TBL
                                            ; Contrib vs Diff TPS TBL
    D77A:            JSR     LFAD7          ; 2D LK UP 
     ;                                                            
    D77D:            LDAB    L00DF
    D77F:            ORAB    #$10           ; BIT 4
    D781:            BRA     LD786
     ;                                                            
    D783:  LD783     CLRA    
    D784:            ANDB    #$EF       ; 0111 1111
    D786:  LD786     STAB    L00DF
    D788:            STAA    L0058      ; BPW, MSB
    D78A:            STAA    L009A
    D78C:            CLRA    
    D78D:            LDAB    L00DF
    D78F:            BITB    #4         ; BIT 2
    D791:            BEQ     LD796
     ;                                                            
    D793:            LDAA    LD28F      ; 183 Usec, BPW ADDER TO BPW WHILE 
                                        ; IAC IS OPENING
                                        ; VAL MSEC = 16.384 
                                        
    D796:  LD796     ADDA    L0058      ; BPW, MSB
    D798:            BCS     LD79E
                                        ; ... else                               
    D79A:            ADDA    L0059      ; BPW, LSB
    D79C:            BCC     LD7A0
                                        ; ... else    
    D79E:  LD79E     LDAA    #255       ; MAX LMT
    D7A0:  LD7A0     BEQ     LD7BE
     ;                                                            
    D7A2:            LDAB    L0098
    D7A4:            MUL     
    D7A5:            LSRD               ; DIV BY 8
    D7A6:            LSRD    
    D7A7:            LSRD    
    D7A8:            ADDD    L0096
    D7AA:            STD     L0096
    D7AC:            LDAB    L0006
    D7AE:            LDAA    L000D
    D7B0:            BITA    #$40       ; BIT 6
    D7B2:            BNE     LD7B6
                                        ; ...... else                         
    D7B4:            ORAB    #8
    D7B6:  LD7B6     ORAA    #$C0       ; 1100 0000
    D7B8:            ORAB    #1         ; BIT 0
    D7BA:            STAB    L0006
    D7BC:            BRA     LD7C2
                                                                
    D7BE:  LD7BE     LDAA    L000D
    D7C0:            ANDA    #$BF       ; 1011 1111
    D7C2:  LD7C2     STAA    L000D
    D7C4:            LDAB    L0072
    D7C6:            BITB    #2         ; BIT 1
    D7C8:            BEQ     LD7DD
    Last edited by 1project2many; 02-10-2013 at 05:50 AM.

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  2. #2
    Fuel Injected! jim_in_dorris's Avatar
    Join Date
    Dec 2011
    Posts
    803
    I'm not sure if I see it correctly myself, but it looks like this is highlighted. If I may.

    LDAA #255
    D777: LD777 LDX #$D312 ; ACCEL ENRICH vs Diff TPS TBL
    ; Contrib vs Diff TPS TBL
    D77A: JSR LFAD7
    ; 2D LK UP ;
    D77D: LDAB L00DF


    LDAA and LDAB are Load Accumulators A and B.
    LDX is Load index register X.
    and JSR is Jump to subroutine.

    What that piece of code is doing is loading accumulator A with $FF(256), loading the index register X with the address of the routine it wants (ACCEL ENRICH vs Diff TPS TBL) then jumping to that subroutine to do a lookup. On return it then loads the B accumulator with the contents of $DF which is a status flag most likely. I'm not looking at the hac of whatever piece of code that came from, but I feel confident that is what is happening.
    Square body stepsides forever!!!

  3. #3
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,853

    Code Questions

    Mark, working with assembly is kind of like working with a young child. You have to spell out every instruction to get a job done. To the processor, memory locations are mainly for storage. The accumulators are used for doing math operations or a few other larger instructions. If memory is like a storage shelf, then the accumulators are the workbench. Load accumulator means "get this thing from storage and put it on the bench." The instruction by itself doesn't do much. It's the steps that follow it that really do work. In the code section above D77D loads Accumulator B with a value from memory location 00DF. The next line is where something is done... in this case one of the bits is "set" or forced to be "1". Follow the BRA (branch) to the address it specifies and you'll see that the value from Accumulator B is then moved back to location 00DF with a "STAB" (STore Accumulator B) instruction.
    Last edited by 1project2many; 02-10-2013 at 05:49 AM.

  4. #4
    Fuel Injected! gregs78cam's Avatar
    Join Date
    May 2011
    Location
    N. Idaho
    Posts
    767
    Quote Originally Posted by 1project2many
    .....the accumulators are the workbench.
    HAHAHAHAHA, story of my life.
    1978 Camaro Type LT, 383, Dual TBI, '7427, 4L80E
    1981 Camaro Z-28 Clone, T-Tops, 350/TH350
    1981 Camaro Berlinetta, V-6, 3spd
    1974 Chevy/GMC Truck, '90 TBI 350, '7427, TH350, NP203, 6" lift, 35s

  5. #5
    Fuel Injected! jim_in_dorris's Avatar
    Join Date
    Dec 2011
    Posts
    803
    1project2many that's a nice analogy. I'll have to remember it. Unfortunately, I don't get to tutor many people in assembly anymore, everybody wants to learn an object oriented programming language.
    Square body stepsides forever!!!

  6. #6
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    I'll bet you could have a full class here!

    Although I understood Jim, the analogy given by 1project2many made me look at it differently, both accomplish the same thing. It's taken a long time to go through ASM files to be able and add parameters (storage shelf) to the XDF files. But after that it's taken a while to find them and what they are doing with them (moved to accumulator). Then jumps to subroutines which could be a lookup? Stabbed in place as a value that is used... in general.

    I've got more from your guys' 2 posts than hours of searching and reading for what/why how...

    Please go on, there's a lot more commands there, some may be coming together. I'll take a guess ADDA is add A? ANDA is and A? CLRA is clear A? LSRD Load Sub Routine? BEQ? BNA?

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  7. #7
    Fuel Injected! jim_in_dorris's Avatar
    Join Date
    Dec 2011
    Posts
    803
    A really big help might be to download the microsoft pink book for the 68hc11 microcontrollers. The book has a section with all the instructions and their variations.

    http://www.technologicalarts.com/myfiles/links.html

    you want the reference manual. it's the 3rd link down and is a pdf.

    It is loads of help. if you want, we can actually start using this page to walk thru sections of code, it's also good for me to practice a skill I don't get to use except here.

    One big problem I have is using the editor on this page and formatting code, I guess I will have to edit it in HTML to get it to look right. Using the scroll box like you did is an excellent way to insert code, but when you want to comment on what is happening, you probably need to do it in this editor, hence the HTML.
    Last edited by jim_in_dorris; 02-10-2013 at 10:22 PM.
    Square body stepsides forever!!!

  8. #8
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    If you click reply and then advanced there is a [Code] [HTML] and other options instead of just the [quote] available in Quick reply.

    You can paste in code and then comment.

    I'll take a look at those links. Learning way around them helps, but most everything we need is already done and available. Need to get a 0411 LS ASM...

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  9. #9
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,853
    Jim,
    I had a huge problem with OO programming. Having taught myself basic, cobol, and the smallest amount of TI's assembly in the days when arcade games were new and security wasn't much more than a two letter password, I just couldn't grasp that object oriented programming isn't about the language. It's about organizing and structuring the resulting code. To make matters worse, I was learning OO along with C++ which really made it tough for me to recognize the difference. C and C++ are so closely related after all that solutions always seemed to present themselves to me long before I'd worked my way around to the OO lesson being presented. It took a year or so after the last class for me to catch on. Overall it can be a much better way to structure large programs but for ones it always feels like an unnecessary level of complexity.

    Mark, the Motorola "Pink Book" (the cover of a real copy is pink) contains all the rules for HC11 assembly code. It's dry reading. Trying to read it and memorize the contents takes a much different mind than my own. What I found effective was to grab a chunk of code and a disassembly that was already partly commented and see about matching up the instructions, comments, and the code. There's an index for "instruction set details" that is going to be your favorite place to hang out. Every instruction is there along with all relevant information for that instruction. Get used to using search in your pdf reading software. You'll need it frequently.

    Before talking about what the actual instructions are, it's probably helpful to give you some expectations as to what you'll see when working out a disassembly. System control programs are really about making decisions then acting on them. This process is very easy to see at the assembly language level because there just aren't many other options. Using the instructions above it doesn't take long to find a great example of this.

    Code:
    D7AE:            LDAA    L000D
    D7B0:            BITA    #$40       ; BIT 6
    D7B2:            BNE     LD7B6
                                        ; ...... else                         
    D7B4:            ORAB    #8
    These four lines make a decision and act on it.
    Code:
    Load the value from memory location 000D.
    Check to see if bit 6 is a "one"
    Run the code starting at D7B6 if it's not, 
    or set bit 3 in the data stored in accumulator B if it is.
    These patterns of "get, check, do" occur over and over and they are how the ecm reacts to sensor input. If you're going through a disassembly these tests are what you're looking for. Sometimes they're short and sweet like above. Sometimes you'll read many, many lines of code before you can see the complete test. But these are what the code is all about.

    Now for the actual question:
    Quote Originally Posted by EagleMark
    Please go on, there's a lot more commands there, some may be coming together. I'll take a guess ADDA is add A? ANDA is and A? CLRA is clear A? LSRD Load Sub Routine? BEQ? BNA?
    ADD, AND, CLR, and LSR are all ways for the processor to manipulate data. ADD sums two numbers and CLR replaces a number with zeros. AND and LSR are logical operations. LSR is a logical shift right. If you have a byte that looks like this: 11100111 , performing an LSR would turn it into 01110011. Imagine zeros moving in from the left and pushing everything else to the right. AND can be tricky. It's a way to set or clear bits in a byte using a comparison. AND will compare two binary numbers and put the results in a specific location. If a bit is one in both numbers, it will remain one. If a bit is zero in either number it will be set to zero in the result.

    BEQ and BNE are decisions. They can result in branches in the code. "If this is true, start running code at a new location." BEQ is Branch if EQual. In its purest form it's found after a CMP instruction although there are plenty of ways to use it without a CMP (such as after BITA). BNE is just the opposite. Branch if not equal.

    The conditional branch instructions like above can be the most complex to get a handle on. There are a lot of rules to understand. For example, I could add 1 and -1, follow them with a BEQ, and the code would branch. You'll see conditional branches used in strange ways and there's usually a darn good reason if you can get to it.
    Last edited by 1project2many; 02-11-2013 at 06:56 AM.
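    The "get, check, do" snippet, the LSR byte example and the 1 + (-1) BEQ case from the post above, stepped through in a small Python model of the HC11 flags. This is an added example, not code from the thread or from any ECM; the memory contents it uses are constructed sample values, and only accumulators A/B and the N/Z/V/C condition codes are modelled.

```python
# Added example, not code from the thread: a tiny Python model of the 68HC11
# instructions 1project2many explains above, enough to step the "get, check,
# do" snippet at D7AE-D7B4, the LSR byte example and the 1 + (-1) BEQ case.
# Memory contents are constructed sample values, not real ECM data.

class HC11:
    """Accumulators A and B plus the N/Z/V/C condition codes that branches test."""

    def __init__(self, mem=None):
        self.a = 0
        self.b = 0
        self.mem = dict(mem or {})   # address -> byte (constructed)
        self.cc = {"N": 0, "Z": 0, "V": 0, "C": 0}

    def _nzv(self, value):
        # Loads, ORs and BIT set N and Z from the result and clear V; C is untouched.
        self.cc["N"] = (value >> 7) & 1
        self.cc["Z"] = int(value == 0)
        self.cc["V"] = 0
        return value

    def ldaa(self, addr):            # "get": storage shelf -> workbench
        self.a = self._nzv(self.mem[addr] & 0xFF)
    def bita(self, mask):            # "check": AND for the flags only, A unchanged
        self._nzv(self.a & mask)
    def orab(self, mask):            # "do": force bits of B to one
        self.b = self._nzv(self.b | mask)

    def lsra(self):
        # Logical shift right: bit 0 drops into C, a zero enters from the left.
        self.cc["C"] = self.a & 1
        self.a >>= 1
        self.cc["N"] = 0
        self.cc["Z"] = int(self.a == 0)
        self.cc["V"] = self.cc["N"] ^ self.cc["C"]

    def adda_imm(self, imm):
        # 8-bit add: C is the carry out of bit 7, V is signed overflow.
        total = self.a + imm
        result = total & 0xFF
        self.cc["C"] = total >> 8
        self.cc["V"] = int(((self.a ^ result) & (imm ^ result) & 0x80) != 0)
        self.a = result
        self.cc["N"] = (result >> 7) & 1
        self.cc["Z"] = int(result == 0)

    # Decisions: True means the branch would be taken.
    def beq(self): return self.cc["Z"] == 1
    def bne(self): return self.cc["Z"] == 0
    def bcs(self): return self.cc["C"] == 1   # same opcode as BLO

def get_check_do(flag_byte, b_before):
    """D7AE-D7B4: load L000D, test bit 6, set bit 3 of B only when it is clear."""
    cpu = HC11({0x000D: flag_byte})
    cpu.b = b_before
    cpu.ldaa(0x000D)      # D7AE  LDAA  L000D
    cpu.bita(0x40)        # D7B0  BITA  #$40   ; BIT 6
    if cpu.bne():         # D7B2  BNE   LD7B6  ; bit 6 set: skip the ORAB
        return cpu.b
    cpu.orab(0x08)        # D7B4  ORAB  #8     ; ...... else set bit 3
    return cpu.b

def lsr_example(byte=0b11100111):
    """One LSR on the post's example byte; returns (new A, carry bit)."""
    cpu = HC11()
    cpu.a = byte
    cpu.lsra()
    return cpu.a, cpu.cc["C"]

def add_one_and_minus_one():
    """ADDA #1 then $FF (-1 in two's complement) leaves zero, so BEQ is taken."""
    cpu = HC11()
    cpu.a = 0x01
    cpu.adda_imm(0xFF)
    return cpu.a, cpu.beq(), cpu.bcs()
```

    Note that the add also sets the carry bit, so a BCS placed after the same ADDA would be taken too; that is why a branch seen right after arithmetic has to be read together with the flags that arithmetic produces.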

  10. #10
    Super Moderator
    Join Date
    Mar 2011
    Location
    Camden, MI
    Age
    35
    Posts
    3,026
    now that it's been mentioned... i actually chopped off everything before and after the instruction set and made a new PDF out of it...

    might be useful. i generally only have to look at it when BCC or BCS instructions come up... they have corresponding BLO and i think BHS "alternatives", it's sometimes easier to think about when a compare is done in terms of "lower" or "higher/same" instead of "did the carry bit get set"?

    sometimes, you'll see a load, immediately followed by a BCS/BCC, which confused me for a long time.... i wasn't sure how the carry bit could ever get set from simply loading an accumulator... turns out, when loading an accumulator, the carry bit can be set based on the most significant bit of the byte loaded.... it's normally used to simplify the code a little bit to prevent an unnecessary compare being done when you have 2's complement values (i think that's the only time i see it).
    1995 Chevrolet Monte Carlo LS 3100 + 4T60E


  11. #11
    Fuel Injected! jim_in_dorris's Avatar
    Join Date
    Dec 2011
    Posts
    803
    1project2many, you actually sound like you would make a good teacher, your explanations are clear and concise. I understand your problem with oop's. I actually learned IBM360 assembly first, then moved to 6502 assembly and a few others including Z80 and early motorola chips while learning pascal, basic, fortran, and some military specific languages. My first exposure to object oriented languages was ADA when I was working on the space shuttle as a programmer. Talk about not getting it. LOL.

    Robert, I wish I had that pdf before i printed out the entire pink book and stuck it in a binder. Good idea.

    I think that one of the biggest problems with trying to duplicate disassembly in an ASM file is the addressing modes, and how to force them. When I went thru the $42 code (ASDU and ASDX with hiway cruise and ECS test disabled) in Dec., forcing a particular addressing mode to make certain that the ASM file matched the BIN was about 1/2 of the work of getting the ASM file correct.
    Square body stepsides forever!!!

  12. #12
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    Force them? 1project2many said this was like children, instruct them?

    Wow 2 different teachers!

    When I first started looking at ASM files all I was interested in was the memory locations so I could add things to XDF. (Correct, memory?) Then it started sinking in that memory was not always the answer because of accumulators... but really the workbench was where I needed to be... just a few hours after a couple posts from you guys and it's all making sense (although got very complicated).

    I don't want to slow you guys down... but... is there a point I have to start trying to use a disassembler and assembler again? First shots were horrible... and what to use? I've read about a lot of programs, some won't even run in windows. Why does no one recommend TunerCat disassembler? Seems to be designed for these?

    When I learned HTML/CGI etc needed for websites I did it the old fashioned way, typing code in notepad. WYSIWYG made things go faster years later but many times I could type in the code I wanted faster than finding the right button. Glad I actually learned it and not how to use a software program.

    Making cars run better is my interest, I'm more interested in data coming out of car, back to this, I need to know why and how? I've attempted this a few times before and backed away because of the learning curve and time. But it keeps coming back as software just does not have all parameters and sometimes I need to know how they work. $42 started like any other mask, just the basics, now it has more parameters than LT1 $EE, Vortec 96, 97 98-00. Heck it's got stuff I'd like to use in my LS 0411 PCM that has not been included in expensive tuning software! Without an ASM, I can't add things! So I'm back here again, always seemed to get away from this because of available ASM files and learning enough how to find and add what I need.

    Back to Vortec for instance, everyone said it can't be tuned right? Well I found dimented247 98 vortec ASM and guess what? All the missing parameters are there! No one's ever put them into a mask. This is my real goal! Masks!

    Direction/suggestions?

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  13. #13
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,853
    "Who is that masked man??"

    There are only a few reasons to grab the disassembler. 1) You can't find an existing disassembly. 2) You want the experience. 3) You want to make a disassembly that can be reassembled later. Most people will never need to get to the point where they're trying to reassemble code but you won't need to ask if you get there.

    Adding items to an XDF is easy of course. Naming them correctly is tougher and getting a correct description of what they do takes even more time. Often you'll need to be able to step through the lines of code to see just what a value is for. An "upper closed loop tps limit" could be used several different ways and without reading the code you're not going to know which is correct. Sounds like you've run into this already.

    Jim's talking about trying to reassemble code from a disassembly. The ASM file is what's used as a template for the assembler. Addressing modes refer to how the processor gets data from memory. If you don't get the right mode the processor looks in the wrong place.

    I'm not sure why no one recommends the TC disassembler. I don't because I think there are more powerful tools. I like the old Dewtronics tool that I've posted here (code seeking disassembler). It's easy to use and was employed by a well known player on the market for a while. IDA Pro is good in a different way. It can format code, mark jumps and branches for easy tracing later, and does a decent job with labels. It's also expensive.

    Jim, thanks. We've had a lot of newbies here in the shop and because I work for a company that handles special needs children I frequently have a "work study" kid here as well. If I can't teach them what needs to be done, I end up doing twice as much work myself. So I use my experiences with good teachers from my past in order to do what I do. Plus, there's the magic of proofreading and editing here. ;)

    What are you using for an assembler? Does it have operands to force addressing modes? Will it adhere to your commands?
    Last edited by 1project2many; 02-11-2013 at 09:25 PM.

  14. #14
    Super Moderator
    Join Date
    Mar 2011
    Location
    Camden, MI
    Age
    35
    Posts
    3,026
    FWIW: i don't use an assembler... i disassemble a LOT of stuff though.

    the tunercat disassembler..... i've only ever had bad results with. i might not be setting it up correctly, but i seem to remember it liking to turn everything in the BIN into an instruction.... no calibration left.

    IDA..... sweet zombie jesus does it make things 10,000X easier than the simple "pass, pass, pass, spit out ASM file" disassemblers... there's nothing wrong with those, but IDA allows for you to look at so much more information at once, it's easier to "link" things together. i generally don't use a "template" in IDA since it definitely doesn't work well with the P4s, works with the P6 units since they are full-fledged 68HC11F1, not the P4 where it's an offshoot of another variant.
    1995 Chevrolet Monte Carlo LS 3100 + 4T60E


  15. #15
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    It's a little late to start doing OBDI as most are done. $EE was left in the dust with the Vortec, but they are newer P6 correct?

    Right now I am OBDII software poor so I don't see getting IDA.. Ha! For websites I still use a 2004 copy of Dreamweaver, but I can type whatever it can't... and about same year Adobe Photoshop which has always been more than I need for websites. They both still work in Windows 7.

    LS 0411 is what's needed right now and the 2002 OS 12212156 would cover any conversion and can be flashed into any 0411 PCM, seems to be where future is right now. It would cover the next 10 years... then I don't think there will be a standard cure all replacement?

    Quote Originally Posted by 1project2many
    Adding items to an XDF is easy of course. Naming them correctly is tougher and getting a correct description of what they do takes even more time. Often you'll need to be able to step through the lines of code to see just what a value is for. An "upper closed loop tps limit" could be used several different ways and without reading the code you're not going to know which is correct. Sounds like you've run into this already.
    I've got several years into $42, adding, fixing, tweaking and correcting. It's amazing that anyone could have got a motor running right let alone tweaked to efficiency with what I started with!

    Been adding descriptions and notes to parameters after double checking ASM and field test on vehicles, been well worth it as it has transferred over to everything else. Even now working on $0D I go back to my notes in $42 for descriptions, check ASM, check vehicle and add them. I've been on the edge of releasing my personal $42 for months. Jim's new ASM stopped me and I found more stuff wrong, then added the ESC and HiWay Lean Cruise patch stuff correctly. It's really a history lesson and tuners guide now!

    The closest thing I have ever seen that is complete would be $0D stuff, even then not much for tips or tuner instructions, let alone all the tricks of TunerPro installed... BTW I just fixed all the history tables in $0D and added some data tracing, simplified the categories, added new item lists to adx to see usable info instead of all info, all info item lists are still there... I'll bet I have 20 hours into it!

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-
