CONTENTS of 8051_dis.zip file
********************************************
wagn_ecm.dis - commented disassembly of E side PCM code
wagn_tcm.dis - commented disassembly of T side PCM code
8051_e, 8051_t - control files for DHC11 disassembler, contain mem labels & vector tables
8051_ecm.txt,8051_tcm.txt - comments stripped from commented .dis file, to paste into next disassembly
wagn000.bin,6spdz004.bin - bin files
wagn_t.bin,6spd_t.bin - t side bin files
wagn_e.bin,6spd_e.bin - e side bin files
comment.exe - dos qb program to paste comments into disassembler output
dcomment.exe - dos qb program to strip all comments out of a commented disassembly
split.exe - dos qb program to split an .lt1 or .bin file into the t & e side images
8051.bat - batch file to split a .lt1 & .bin, disassemble & comment both sides
8051_e.bat - batch file to disassemble & comment e sides for 6spd & wagn bins
8051_t.bat - batch file to disassemble & comment t sides for 6spd & wagn bins
dc_wagn.bat - batch file to strip comments out of e & t sides of wagn disassembly
E_out.txt,T_out.txt - disassembler output messages
notes.txt - this file

080200
in a tc .bin file, the t is the first half $00000 to $0ffff
the e is the second half $10000 to $1ffff
the lt1_edit .lt1 file is the opposite

083100
just call the two halves E and T, they may not be just engine and trans only

091600
Looking at Z004.bin file
Delco copyright at 2000 & 12000
text with programming error messages for
'time' side from 3c8b to 3f0f
'event' side from 12fe0 to 13266
in a .bin file, T is first half, E is second half.
split z004 into z004_e.bin & z004_t.bin
tried out dhc11 on E side, see 8051_e, &.bat files
made two passes

091700
revised second pass, started adding vectors from hc11 information

091800
should set org to $2000, heard that was true somewhere... how to check?
adding load 2000 to config file, get same number of entry points found, this may be good,
means disassem is not getting lost up where it shouldn't be going anyway.
what memory locations are located from 0-2000 in each half of the .bin file,
could find out by logging comms from pcmread during a download, or ask lt1_edit list

093000
added all vectors from virtual micro design's HC11 documentation (had started 091700) and reran pass2

093100
disassembled t side same as e side.
load at 2000 does make a difference,

with load 2000
Indexed Call/Jump at $4F83, may require a vector table.
Entry point $0D24 outside ROM image (ref. from PC = $8924).
Indexed Call/Jump at $B987, may require a vector table.
Indexed Call/Jump at $BF35, may require a vector table.
Indexed Call/Jump at $D326, may require a vector table.
Pass 1 found 488 new entry points.
Entry point $0CBA outside ROM image (ref. from PC = $3B3C).
Indexed Call/Jump at $3C13, may require a vector table.
Pass 2 found 213 new entry points.
Pass 3 found 0 new entry points.
Total of 3 iteration(s) to find all code.
** Cannot find local label target LB74F, at PC $B74F

without load 2000
Indexed Call/Jump at $4F83, may require a vector table.
Indexed Call/Jump at $B987, may require a vector table.
Indexed Call/Jump at $BF35, may require a vector table.
Indexed Call/Jump at $D326, may require a vector table.
Pass 1 found 489 new entry points.
*** Decode error (-1) at PC = $0E09.
Pass 2 found -489 new entry points.
Total of 2 iteration(s) to find all code.
** Cannot find local label target LB74F, at PC $B74F
** Cannot find local label target LEDB9, at PC $EDB0

what do these mean?
Entry point $0CBA outside ROM image (ref. from PC = $3B3C).
--means what it says: 0cba is outside of $2000-$ffff being disassembled

100700
chopped first 8k (up to $1fff) off t side. first 8k is memory?
dh's files just have $2000 - $ffff.
8051_t2.bin works same, still have to use load 2000 command, I think.
just use whole file

100800
figured out how to set up vector tables
see 8051_t, 8051_e control files
added t side mem labels from dh's t_map.doc
t side handles aldl communication using the sci,
e & t side communicate with each other via the spi. otherwise running independently?

102000
let's try to find these....
Fuel Cutoff is enabled at 1350 RPM, and will stay in effect down to 900 RPM.
rpm/25 1350=$36 900=$24
rpm/12.5 1350=$6c 900=$48
Fuel Cutoff Max KPA to enable is 23 Kpa, Max Kpa to remain in shutoff is 27 Kpa.
23 kpa-10.4/.369? = $22 27 kpa = $2d
Min 18 MPH for fuel Cutoff. = $12

*******************************************
* DECELL FUEL C/O PARAMS
*******************************************
L85E1: FCB 56 ; IF RPM > 1400, ENABLE C/O (upper hyst)
L85E2: FCB 44 ; IF RPM > 1100 STAY IN C/O, (low hyst)
L85E3: FCB 20 ; IF Kpa < 20, ENABLE C/O (low hyst)
L85E4: FCB 28 ; IF Kpa < 28, STAY IN C/O (upper Hyst)
L85E5: FCB 4 ; 50 RPM MAX INCR TO REMAIN IN C/O, (12.5 INTERVAL)
L85E6: FCB 7 ; 87.5 RPM FOR STALL SAVER
L85E7: FCB 80 ; 0.25 SEC C/O REQUISITE TIME FOR ENABLE
L85E8: FCB 0 ; DEG C FOR DISABLE OF C/O
L85E9: FCB 15 ; 15 MPH MIN SPD FOR C/O
L85EA: FCB 0 ; %TPS C/O STALL SV'R
L85EB: FCB 30 ; 0.38 SEC STALL SV'R TPS FOLLOW TIME
L85EC: FDB 128 ; DECEL FUEL C/O STALL SVR

can't find a set of these bytes right by each other..in t or e side, should be in t side I guess.

found IAC something calibration, maybe, woohoo! on t side (thanks to dave's mem labels of course!)
these 3 spots read it, and put into memory
4365 B6 28 15 ldaA L2815
4368 B7 18 26 staA l_1826_ISMNPKA
483B B6 28 15 ldaA b_2815_IacMinPosStallSaver?
483E B7 18 26 staA l_1826_ISMNPKA
82AC B6 28 15 ldaA b_2815_IacMinPosStallSaver?
82AF B7 18 26 staA l_1826_ISMNPKA
bytes
2815 1 b_2815_IacMinPosStallSaver? keep-alive IAC min motor pos, stall saver?

REMEMBER!!!! Different Mnemonics for DHC11, from P Gargano's information
The following mnemonics are different to those as specified by Motorola.
DHC11's Mnemonics             Motorola's   Function Performed
call                          JSR          Call
callr                         BSR          Call Relative (short call)
cmpD, cmpX cmpY               CP?          Compare (16 bit register)
decX, decY, decS              DE?          Decrement (16 bit register)
di                            SEI          Disable Interrupts
ei                            CLI          Enable Interrupts
incX, incY, incS              IN?          Increment (16 bit register)
jr                            BRA          Jump Relative (short jump)
push, pushB, pushX, pushY     PSH?         Push on to stack
popA, popB, popX, popY        PUL?         Pop off stack
ret                           RTS          Return (from subroutine)
reti                          RTI          Return From Interrupt
xorA, xorB                    EOR?         eXclusive Or

102200
labeling convention for masks, b3 means mask bit #3, or 8 mask
I get confused with the 1,2,4,8,10,20,40,80 mask convention.

01xx01
02xx01
found some subroutines on t side that are straight out of anht_hac.
table lookup, lag filter
from this, started labeling additional variables & cal tables
boy I have a headache.

021801
found tcc slip contingency cals for min max slip.
made winbin .ecu file for t side (winbin does only one checksum for you) with these values
later when I changed the fluid in the wagon, I see that I have a non-pwm tcc,
so this item wouldn't do anything for me. Should have known, pwm tcc wasn't used until 95.

022001
compared 94 wagon & 95 Z 6spd bins. only one difference in code section, except a different lookup address.
ie: it's only all the cals that are different, all code works the same,
it's just the different switch byte settings.

030701
comment 'utility' now runs from command line, from disassembler batch file
and does both wagon & 6spd bins just for fun.
It works with 3 parameters, like this.....
comment input_uncommented_disassembly.xyz comment_file.xyz output_commented_disassembly.xyz
the comment_file.xyz has to have
A: addresses that match the input disassembly
B: addresses in order
C: two semicolons in front of a comment line that you want to go after an address
D: one semicolon in front of a comment that you want to go on an address line.
only the text after the semicolon will be pasted in.
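
A sketch of the merge that rules A-D describe, added here as an example (Python, not the QuickBASIC comment.exe from the zip). The record layout, the function names and the sample comment file are assumptions; addresses from the comment file that never appear in the listing are returned in a list instead of ending the merge.

```python
import re

ADDR = re.compile(r"^([0-9A-Fa-f]{4})\b")   # assumed: lines start with a 4-digit hex address

def parse_comments(text):
    """Map address -> [inline comment, [';;' block lines]] (assumed record layout)."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):                  # rule C: goes after the address line
            if current is not None:
                records[current][1].append(line)
            continue
        m = ADDR.match(line)
        if m:                                      # rule D: text after the first ';'
            current = m.group(1).upper()
            inline = line.split(";", 1)[1].strip() if ";" in line else ""
            records.setdefault(current, [inline, []])
    return records

def merge(listing, comment_text):
    """Return (commented listing, addresses from the comment file that never matched)."""
    records, seen, out = parse_comments(comment_text), set(), []
    for raw in listing.splitlines():
        m = ADDR.match(raw.strip())
        key = m.group(1).upper() if m else None
        if key in records and key not in seen:     # comment the first line at an address
            seen.add(key)
            inline, block = records[key]
            code = raw.split(";", 1)[0].rstrip()
            out.append(f"{code:<44} ; {inline}" if inline else raw)
            out.extend(block)
        else:
            out.append(raw)
    return "\n".join(out), [a for a in records if a not in seen]

# Constructed sample: listing lines taken from these notes, comment file made up for the demo.
LISTING = """\
4365 B6 28 15    ldaA L2815
4368 B7 18 26    staA l_1826_ISMNPKA
B060 14 C4 08    bset l_00c4_tcc_flgs, #%00001000
"""
COMMENTS = """\
0289 ; ram variable that has since been renamed in the control file
4365 ; read IAC min position cal
B060 ; Brake ON, TCC Off
;; to disable brake on contingency, change bset to bclr
"""
MERGED, UNMATCHED = merge(LISTING, COMMENTS)

if __name__ == "__main__":
    print(MERGED)
    print("unmatched:", UNMATCHED)
```
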
After running the disassembler, edit the output and add comments.
As you do sections of code, copy the commented parts into the comment_file.

set up e side batch file.
found two little cals for vats, maybe min max freq that pcm is looking for from vats key module?
different values for Z & wagon. have to look at other bins to see if it's always different,
or just different for non-vats vehicle(cop wagon)

031001
IDEA! - maybe this ($0cba) is where the code jumps to, to run from memory after code for
doing the aldl communication during reprogramming has been copied there. Look into this sometime....
what do these mean?
Entry point $0CBA outside ROM image (ref. from PC = $3B3C).
--means what it says: 0cba is outside of $2000-$ffff being disassembled

032401
picked out bits to disable some tcc unlock conditions: min tps, brake on,
the others are all there to be worked out also.
found IAC follower steps vs. mph table that I've wanted for so long.

made a qb program to split an .lt1 or .bin into the e & t sides, although can't get it to work
with command line arguments!!
8051.bat file runs split.exe to split a file and then runs it thru the disassembler.
run the batch file, which calls split.exe (which prompts for the bin file to split)
and sends the split bin to the disassembler & comments the output for both e & t sides.
the bin to be split must be a 4 character filename, .lt1 or .bin is fine.
like wagn.bin or 6spd.lt1.

made a qb program to dcomment a commented .dis file, extracting all comments to a file
named 8051_ecm.txt or 8051_tcm.txt, depending if e or t side file was given to it.
now don't have to hand copy comments out to the comment file.
use caution to keep backup copies of the comment file, in case the comments don't get put back
correctly & then dcomment is run, overwriting the good comment file with mostly nothing.
The comment.exe program fails if it doesn't find a memory label, like when a comment has been added
for a ram address like L0289, and then I label that ram address as l_0289_gee_Im_tired,
comment.exe can't find L0289 and doesn't add any comments to any later addresses.

032701
cm_0_t vs cm12_t
2c50 was changed, don't see immediately what it is.....
2018,2021c2018,2021
< 2C4E L2C4E: dw $1450, $00FF, $342F
< 2C54 bt6_DetentUpDownMPH:
< 2C54 dw $2D55, $9320, $518B, $2D55, $9320
< 2C5E dw $518B, $7D7B, $807D, $7B80
---
> 2C4E L2C4E: dw $1450, $00FF, $3433
> 2C54 bt6_DetentUpDownMPH:
> 2C54 dw $315D, $A023, $5898, $315D, $A023
> 2C5E dw $5898, $7D7B, $807D, $7B80
2030,2032c2030,2032
< 2C9A fill $1C, 17
< 2CAB fill $00, 34
< 2CCD fill $1A, 17
---
> 2C9A fill $1E, 17
> 2CAB fill $00, 34
> 2CCD fill $1C, 17
and shift map changes, probably perf shift tables

032801
cm_0_e vs cm12_e
no changes to anything that's not already known

040401
labeling convention for variables being passed between the e & t sides on the spi
tes - to e side(in t side), fes - from e side(in t side)
tts - to t side(in e side), fts - from t side(in e side)
working on spi communication between e & t sides.
t side is labeled/commented, now need to do eside & pair up tside tes & fes addresses(to & from eside)
with tts & fts on eside
later will need to follow addresses to see if they meet up with something labeled,
some go directly to aldl datastream addrs, so they are easy & already labeled

041001
eside spi is commented enough to match up e & t side addresses.
labeled these on the eside, by tracing where things come from on the tside,
eventually they meet up with addresses that are labeled from the aldl documents
label 01d0 l_01d0_fts_RBLM*RCORRCL*2
label 01d1 l_01d1_fts_LBLM*LCORRCL*2
label 01d3 l_01d3_fts_ADMAP
label 01d9 l_01d9_CoolTmp_fltrd_$f0

041701
commented many/most lkup2d_nooff_16spc sections on eside. eside doesn't usually call as a subroutine.
MAP & Coolant temp variables labeled

042101
from what I read in the gmecm archives, the hc11f1 used here has a 12MHz crystal, and
the pr01 bits are set in tside to give the timer rate at 16 * the E rate. 5.333 micro sec for timer rate.
I may easily be incorrect on this.....
reread old gmecm archives, realized/reminded that similar variables with different
scaling/filtering would usually be next to each other....
labeled a couple more coolant temp & rpm variables with different scaling.

042201
labeled a couple more O2 volts filtered variables, TPS and Baro/Map variables

042401
think I have labeled correctly the eside rpm variables. neat, there is a 3 rpm/bit variable
and found lagfilter sub

042501
labeled a couple filtered variables on e side, there are only 3 or so that use that lagfilter sub
aagggghhh, d*mn crack in csh is letting in those lousy signals again.....
oh, wait, that's the smoke alarm going off........

042801
on tside, labeled more variables, found section for tps defaulting (I think),
found more tcc contingency calibration variables

042901
B060 14 C4 08 bset l_00c4_tcc_flgs, #%00001000 ; Brake ON, TCC Off
;; to disable brake on contingency, change bset to bclr
;; 14 10100 to 15 10101, use switch b060 addr, mask 1, checked disables contingency
we'll see if this works.... nope, still unlocks with brk on....

050401
looked at spi code between e & t side. labeled known multiplexed data sent tts,
based on labels known on tside (pulsewidth,maf). Positive that it is figured out right,
because bit pattern $2000-$2003 lines up, went to label it on t side,
but already known via aldl datastream.

050601
tside has lag filter, 2d lkup, 8x16 mult, 3d lkup subroutines in SAME order as anht_hac.
also has similar 16x16 mult subroutine
eside has same 8x16 sub, and inline version of it that doesn't bother preserving X each time,
and variations of 3dlkup & 16x16 mult
both sides use variations of anht's 16x16 subroutine

051401
worked out DFCO parameters, the desire that started it all, finally I can sleep...%^) ,
most spark tables (there are EGR, & warmup spark tables) and how spark works,
some injector bpw things labeled.
labeled a number of important newly found variables on eside; tpsldt, map