Disassembling an obd1 bin

[32v_dohc]

To disassemble a hc11 bin file you must first get a disassembler.

There are two kinds you can get. The first is a straight disassembler. This kind looks at the next byte determines the op code; writes the op code and cursory bytes, and then goes to the next byte. This type of diassembler is not worried about the program only the next byte. It will diassembler anything but it may look like total nonsense. Tunercat is an example of this type of disassembler.

The second type of disassembler is code seeking. It follows the code through the bin and disassembles the program that will be run. This type of disassembler will error if it gets an illegal op code mostly because it gets confused. Examples of these are the Dewtronics Disassembler and DHC11.

Personally I use DHC11. It has a few issues but for the most part it works as it should.

Code seeking disassemblers require control files. A control file is a text file that tells the disassembler what to do. In its simpliest form the control file is just an input and output statement. It may look like this:

; This control file is called tpi
;
input 8d_1.bin ;this is the binary input file
output 8d_1.DIS ;this is the disassembly source/listing file

The attached file 8d_1 dis was created with this file.

If you look at the very end of the file 8d_1.dis you find the following:

F171 fill $00, 3709
FFEE db $88, $CD, $60, $00, $B2, $04, $E3, $F5, $60, $00
FFF8 db $B0, $00, $B0, $00, $B0, $00
FFFE LFFFE: dw LB000

This can be rearranged to look like this:

F171 fill $00, 3709
FFEE dw $88CD
$6000
$B204
$E3F5
$6000
FFF8 dw $B000
$B000
$B000
FFFE LFFFE: dw LB000

We can tell from this that there are no more than 9 reset vectors. If we run the program with 9 vectors we will find that it does not disassemble correctly. Next we run it with 8. It will disassemble correctly with 8. The new cotrol file will look like this:

; This control file is called tpi
;
input 8d_1.bin ;this is the binary input file
output 8d_2.DIS ;this is the disassembly source/listing file
vectors $fff0 8 hc11vec hc11vector

The attached file 8d_2 dis was created with this file.

At this point we find that the disassembler is telling us that it found an indexed call at $B6BB. Going to $B6BB we find:

LB6B0 ldaB L0000
andB #%00001111
ldX #$B6D8
lslB
aBX
ldX 0, X
call 0, X
bclr L0039, #%00000100
LB6C0 ei

From this piece of code we can see that L0000 (a RAM value) is loaded. Then it is trimmed to be 0-15. Next we load X (our pointer) with the table location (LB6D8). Then we convert B (our 0 - 15 counter) to 0-15 words (double bytes). Next we choose the vector by adding 0-15 words to the pointer. Finally we load the vector from the table and call the subroutine (minor vector).

If we look at the table location we find:

LB6D3 ldX #$01C2
jr LB6C8
;
;
db $CE, $64, $CE, $C5, $D1, $29, $D2, $78, $D1, $69
db $D2, $85, $E4, $C0, $D5, $14, $D5, $64, $D5, $CE
db $D6, $C9, $D8, $1A, $D8, $85, $DA, $04, $DE, $51
db $E1, $CE, $39
;
LB6F9 ldaA L0038
andA #%00000100

This area can be rearranged to look like this:

dw $CE64
$CEC5
$D129
$D278
$D169
dw $D285
$E4C0
$D514
$D564
$D5CE
dw $D6C9
$D81A
$D885
$DA04
$DE51
dw $E1CE
db $39

This area contains 16 vectors that correspond with the minor loops of the program. The bin is disassembled again using this control file:

; This control file is called tpi
;
input 8d_1.bin ;this is the binary input file
output 8d_1.DIS ;this is the disassembly source/listing file
vectors $fff0 8 hc11vec hc11vector
vectors $b6d8 16 minorloop minorloop

The attached file 8d_3 dis was created with this file.

At this point we have all of the code disassembled. I will post more as I get a bit more time.

HTH

John

[Keith@HPTuners]

This is some very good info.

I'm going to move it to the OBD-I Flash file hacking though. Seems a little more programming based rather than hardware based yea?

I'll IM ya... again.

[32v_dohc]

Sorry so long....

Ok. So now you have taken your bin and completely disassembled it going through all of the non-disassembled parts and checking that each is cal and not code. What you end up with now that you have a completed disassembly is still far from telling you much about where the fuel and spark tables you want to change are. The next thing you need to do is start the process of assigning names to the various RAM values that are used to index the various tables, and derive the various outputs.

The easiest way to start this process is by using the ALDL data stream parameters. Basically you want to find where and more importantly what locations are accessed to provide information to the scantool. By finding the location accessed to export the RPM value for instance you can find where the code goes to find RPM.

Finding this information is not as difficult as it sounds. For the P4 processor we are currently working with we know that the following locations are reserved:

$4007 Transmit status register
$4008 Receive status register
$4009 Receive data register
$400A Transmit data register

For the HC11 the SCI regesters are defined in the Pink Book.

Searching through our code for 4009 (receive data) we find:

LEA25: ldaB L4008
ldaA L4009
ldX L014C
clr L019E
bitB #%00001110
bne LEAAD
tAB
addB L014B
staB L014B
ldaB L014A
bne LEA5F
ldX #$8882
LEA44 cmpA 2, X
beq LEA4E
ldX 0, X
bne LEA44
jr LEAAD
;
LEA4E cmpA #$F4
bne LEA55
bset L0038, #%00100000
LEA55 stX L014C
ldaA #$25
staA L4007
jr LEAA2
;
LEA5F decB
bne LEA6B
subA #$55
bcs LEAAD
staA L019D
jr LEAA2
;
LEA6B decB
cmpB L019D
bcc LEAA8
tstB
bne LEA9D
brclr L0038, #%00100000, LEA9D
ldX #$8978
cmpA #$0A
bhi LEAAD
beq LEA98
cmpA #$07
bhi LEAAD
beq LEA94
cmpA #$04
bhi LEAAD
pushB
tAB
lslB
aBX
popB
ldX 0, X
jr LEA9A

Here we are receiving data. Once we get past comparing to $F4 for device ID and subtracting $55 for message length then you should notice that we are being referred to a table of locations which starts at L8978by the following:

ldX #$8978

Looking at L8978 we find:

db $01, $4E, $01, $4E, $00, $00, $F4, $80, $80, $01
db $4E, $01, $4E, $88, $BB, $88, $C4, $89, $4B, $89
db $54, $89, $5D, $89, $66, $89, $6F
L8986: dw $FFFF
L8988: fill $00, 9848

The part we need to look at is better shown by:

L8978 dw $88BB; MODE 0
$88C4; MODE 1
$894B; MODE 2
$8954; MODE 3
$895D; MODE 4
$8966; MODE 7
$896F; MODE 10

[32v_dohc]

Looking at L88C4 we find(I already counted to the correct place and formated the data):

L88C4 db $F4
db $80
db $40
dw $014E
dw $014E
dw $8000
dw $8001
dw $0004
dw $0005
dw $0006
dw $0007
dw $0008
dw $005F
dw $0060
dw $0094
dw $0058
dw $30B3
dw $30B4
dw $0081
dw $0003
dw $0140
dw $008E
dw $00FC
dw $00E8
dw $00E0
dw $00DF
dw $00EB
dw $002B
dw $0095
dw $0112
dw $0075
dw $0030
dw $0033
dw $0002
dw $013C
dw $0123
dw $0125
dw $0041
dw $0103
dw $0104
dw $0043
dw $002D
dw $01BD
dw $3128
dw $3129
dw $30BD
dw $30BE
dw $00C1
dw $00C4
dw $30E4
dw $30E5
dw $30F3
dw $30F4
dw $3130
dw $3131
dw $0134
dw $3019
dw $301A
dw $0038
dw $004A
dw $0031
dw $0037
dw $0001
dw $004B
dw $003E
dw $003F
dw $003C
dw $0047


This data corresponds with the 64 byte aldl data stream. If you have this for your application then it is as easy saying Prom ID MSB is the first byte of the data stream so that must be located at L8000.

[32v_dohc]

I am including the data stream which I copied from ECMGUY's 8D hack:

L88C4: FDB $0000 ; NXT MSG ENTRY ADDER
;
FCB $F4 ; DEVICE ID
;
FCB $80 ; MEM FLAG, OUTPUT IS ROM TBL
FCB 64 ; NUM BYTE TO OUTPUT
;
FDB $014E ; ADDR OF OUTPUT BUFFER
FDB $014E ; ADDR OF INPUT BUFFER
;----------------------------
FDB $8000 ; 1 PROM ID MSB
FDB $8001 ; 2 PROM ID LSB
;----------------------------
FDB $0004 ; 3 MAL FUNCT WD 1
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0005 ; 4 MAL FUNCT WD 2
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0006 ; 5 MAL FUNCT WD 3
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0007 ; 6 MAL FUNCT WD 4
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0008 ; 7 MAL FUNCT WD 5
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $005F ; 8. COOLANT TEMP, (DEG C +40) * (256/192)
;
;----------------------------
FDB $0060 ; 9. TEMP, (DEG C +40) * (256/192)
;
;----------------------------
FDB $0094 ; 10. A/D TPS
;
;----------------------------
FDB $0058 ; 11. RPM, RPM/25
;
;----------------------------
FDB $30B3 ; 12. NEW REF PER + $3000, (65536 * 15)/RPM
FDB $30B4 ; 13. NEW REF PER + $3001, (65536 * 15)/RPM
;
;----------------------------
FDB $0081 ; 14. MPH
;
;----------------------------
FDB $0003 ; 15. FUEL/AIR MODE WD 1
;
;----------------------------
FDB $0140 ; 16. TRANS RATIO
;
;----------------------------
FDB $008E ; 17. FILTERED o2 A/D VAL
;
;----------------------------
FDB $00FC ; 18. ALDL CNT'R
;
;----------------------------
FDB $00E8 ; 19. COR RCL
;
;----------------------------
FDB $00E0 ; 20. BLM VALUE
;
;----------------------------
FDB $00DF ; 21. BLM CELL NUMBER
;
;----------------------------
FDB $00EB ; 22. INT
;
;----------------------------
FDB $002B ; 23. CURRENT IAC
;
;----------------------------
FDB $0095 ; 24. TPS, %TPS * 2.56
;
;----------------------------
FDB $0112 ; 25. RPM/12.5
;
;----------------------------
FDB $0075 ; 26. MAP A/D VALUE
;
;----------------------------
FDB $0030 ; 27. SC1 SDI
;
;----------------------------
FDB $0033 ; 28. FMD SDI
;----------------------------
FDB $0002 ; 29. Non Vol MW1
;
;----------------------------
FDB $013C ; 30. MAT A/D
;
;----------------------------
FDB $0123 ; 31. EGR D.C.
;----------------------------
FDB $0125 ; 32. PURGE D.C.
;
;----------------------------
FDB $0041 ; 33. DIAG MW2
;
;----------------------------
FDB $0103 ; 34. BATTERY A/D VALUE
;
;----------------------------
FDB $0104 ; 35. PUMP VDC
;
;----------------------------
FDB $0043 ; 36. DIAG MW4
;
;----------------------------
FDB $002D ; 37. CURRENT IAC
;
;----------------------------
FDB $01BD ; 38. OIL A/D VALUE
;
;----------------------------
FDB $3128 ; 39. SA (256/90)
FDB $3129 ; 40. SA
;
;----------------------------
FDB $30BD ; 41. SA + REF
FDB $30BE ; 42. SA + REF
;
;----------------------------
FDB $00C1 ; 43. OLD PA3 CNT
FDB $00C4 ; 44. KNK RETARD (256/90)
;----------------------------
FDB $30E4 ; 45. INJ, Msec * 65.536
FDB $30E5 ; 46. INJ, Msec * 65.536
;
;----------------------------
FDB $30F3 ; 47. AFR, MSB, (445 = 14.7)
FDB $30F4 ; 48. AFR, LSB
;
;----------------------------
FDB $3130 ; 49. IP FUEL, Msec * 0.256
FDB $3131 ; 50. IP FUEL, Msec * 0.256
;
;----------------------------
FDB $0134 ; 51. ACUM DIST
;
;----------------------------
FDB $3019 ; 52. TIME, SECONDS, MSB
FDB $301A ; 53. TIME, SECONDS, LSB
;
;----------------------------
FDB $0038 ; 54. MW 2
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $004A ; 55. TCC MW
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0031 ; 56. FMD BYTE 1
;
; b7, 1, A/C CLUTCH 0FF
; b6, 1, HEAD PRESS HI
; b5
; b4
;
; b3, 1, PWR STEER SW, (CRAMP)
; b2
; b1, 1 = IN 3rd or 4th GR
; b0, 1 = Pk/Neut, 0 = Over Drive
;----------------------------
FDB $0037 ; 57. MW 1
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $0001 ; 58. NON VOL MW
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
;
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $004B ; 59. CARS MW
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $003E ; 60. CLC MW
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $003F ; 61. AIR MW
;
; b7, 1
; b6, 1
; b5, 1
; b4, 1
; b3, 1
; b2, 1
; b1, 1
; b0, 1
;----------------------------
FDB $003C ; 62. LCC PWM
;
;----------------------------
FDB $0047 ; 63. FUEL/AIR MODE WD 1
;
;----------------------------
;--------------------------------------------


HTH

John

[RoboGeek]

coupla questions..

how would you seperate the code from the cal? since some code looks an awful lot like a 2d table? I assume there is no easy way? Or is every ldx a table?

and how do you access the ALDL datastream? with what program I should say?

[32v_dohc]

how would you seperate the code from the cal? since some code looks an awful lot like a 2d table? I assume there is no easy way? Or is every ldx a table?

Code can only be accessed by vector interupt or by calling a subroutine. LDX can be used to call code by writing something similiar to:

LDX #$ DDDD
some intructions
CALL 0,X

This would allow you to load a vector table location (the minor loop table is a good example) pull a subroutine location from the table and then execute that subroutine.

For tables LDX will usaully be followed (or preceded) by LDA that loads the variable by which the table will be looked up. After that the program will jump to a subroutine that does the following (or something like it)

inc x ; set to first location
LDB $10 ; sixteen sections of table
mul ; d = a * b
; where a is number of increments and b is the
; remainder
push B ; save remainder
tab ;
abx ; add increments to location
ldd 0,x ; get d from location true value will be
; between a and b
sba ; find difference between values
pop b ; get remainder from stack
mul ; scale difference for remainder
ldb 0,x ; get leading edge of area interpolated from
aba ; add scaled difference to leading edge
; this gives the correct interpolated 2d value
; in A
rts

Once you find this type of routine then every time it is referenced you should find at least 1 table that it interpolates from. You can use what you beleive to be tables to indentify the interpolation routines. Then you can use the interpolation routines to identify tables.

and how do you access the ALDL datastream? with what program I should say?

Any scantool will access the data stream. In fact if the aldl protocol is not published then you may want to start with a known scantool to tell you what is in the data stream. Then you can take a program like craig moates' software or gcars and modify it to allow you to see only the bytes with no math performed. Then with the engine off make a change to tps or map voltage and identify which byte changes. Go through each parameter the scantool had data for and identify the byte of the stream. Once you have derived the stream you can plug those names into you disassembly.

HTH

John

[RoboGeek]

if you look at my electronics posts I have a few circuits that will modify MAP or TPS. Those should work wonders.
I have a datalogger but its for 160 baud but I have the source code so I should be able to change it if needed.

problem I have is i get PIDs instead of data with the programs I have.. I need to get some of my old stuff out and see if it works different

[Diesell]

Wow, I think thats some really good info. ??? Robo, sorry I haven't wrote to you in a bit. All of these codes, they are obviously for the 68hc11... right. If I print these codes out for my buddy, do you think he can make his adjustments by looking at them?? Would those codes help him be able to ulter my codes when he gets to them???? Please get back to me....

[email protected]

[RoboGeek]

nope, that wont help your bud... the theory will but the numbers are not for your car. Finding a table, then figuring out its purpose is the main challenge. The 3D tables are easiest to find, then the 2D, and the rest get alot harder.

Does your friend have a bin file for your car? If so.. I'll trade a cookie for it! ;D

[Diesell]

Actually, I went to a jumk yard and asked them if they had a ecu for the exact yaer and they wanted 125 Canadian for it, and I don't even know if it works.... should I just get a reman. or can I still use that used one even if it doesn't work??? Do you think it is possible to extract the codes from an ecu that may not work??? ???

[RoboGeek]

if the flash is ok, yes.. talk em down to $50..lol

the flash chip is what holds the info.. the rest is a/d converters, drivers, regulators, interface crap and the CPU

[grudges]

Has anyone made changes to this code to actually add tables to it??? resolution or the such??? Im searching for a code change for the LT1 pcm to handle boost... I know it has been done for the ls1 i believe...