
Thread: Structure of the code and disassembly

  1. #1

    Structure of the code and disassembly

    Hi guys,

    Been a bit busy lately but thought i'd share some info in regards to the code structure.

    Boot Block: $0 - $4000
    - This is the only code that needs to be present to boot the PCM into a state that allows basic communications with the PCM. The rest of the PCM can be corrupted or deleted and you will still have a functioning PCM if this code is intact.
    - this block contains the boot code and most of the CPU and hardware setup routines.
    - the RESET vector (0x04) usually points to $440, so starting disassembly from there is a good thing
    - You will also notice towards the end of the initialisation routines a jump to an indexed routine (usually $2xxxx something); this is the beginning

    The rest of the Operating System code is in the $20000-$7FFFF space and most of it is code, with a few tables in there and IndexedJumpVectorTables as well near the end.

    MAIN LOOPS
    There are a number of main loops in the code but there are 7 that are of real importance during normal operation. There are a few ways to find them, but if you look around the $2xxxx area you will find something that looks like this:

    Code:
    seg1b:0002A2A2 MAIN_LOOP_Setup:            ; CODE XREF: LOOP_A+1A8p
    seg1b:0002A2A2         movem.l d0-d1/a0-a1/a4,-(sp)
    seg1b:0002A2A6         move.l #$FFC872,-(sp)
    seg1b:0002A2AC         moveq  #$64,d1 ; 'd'
    seg1b:0002A2AE         movea.l #MLOOP7loc,a1
    seg1b:0002A2B4         move.l #$150,d0
    seg1b:0002A2BA         movea.l #$FF95C6,a4
    seg1b:0002A2C0         movea.l a4,a0
    seg1b:0002A2C2         jsr   sub_28696
    seg1b:0002A2C8         moveq  #$50,d0 ; 'P'
    seg1b:0002A2CA         movea.l #$FF9560,a1
    seg1b:0002A2D0         movea.l a4,a0
    seg1b:0002A2D2         jsr   sub_286FC
    seg1b:0002A2D8         move.l #$FFC71C,-(sp)
    seg1b:0002A2DE         moveq  #$5A,d1 ; 'Z'
    seg1b:0002A2E0         movea.l #MLOOP6loc,a1
    seg1b:0002A2E6         move.l #$156,d0
    seg1b:0002A2EC         movea.l #$FF95B6,a4
    seg1b:0002A2F2         movea.l a4,a0
    seg1b:0002A2F4         jsr   sub_28696
    seg1b:0002A2FA         moveq  #$10,d0
    seg1b:0002A2FC         movea.l #$FF955A,a1
    seg1b:0002A302         movea.l a4,a0
    seg1b:0002A304         jsr   sub_286FC
    seg1b:0002A30A         move.l #$FFC45A,-(sp)
    seg1b:0002A310         moveq  #$50,d1 ; 'P'
    seg1b:0002A312         movea.l #MLOOP5loc,a1
    seg1b:0002A318         move.l #$166,d0
    seg1b:0002A31E         movea.l #$FF95A6,a4
    seg1b:0002A324         movea.l a4,a0
    seg1b:0002A326         jsr   sub_28696
    seg1b:0002A32C         moveq  #8,d0
    seg1b:0002A32E         movea.l #$FF9554,a1
    seg1b:0002A334         movea.l a4,a0
    seg1b:0002A336         jsr   sub_286FC
    seg1b:0002A33C         move.l #$FFC5C0,-(sp)
    seg1b:0002A342         moveq  #$46,d1 ; 'F'
    seg1b:0002A344         movea.l #MLOOP4loc,a1
    seg1b:0002A34A         move.l #$15C,d0
    seg1b:0002A350         movea.l #$FF9596,a4
    seg1b:0002A356         movea.l a4,a0
    seg1b:0002A358         jsr   sub_28696
    seg1b:0002A35E         moveq  #4,d0
    seg1b:0002A360         movea.l #$FF954E,a1
    seg1b:0002A366         movea.l a4,a0
    seg1b:0002A368         jsr   sub_286FC
    seg1b:0002A36E         move.l #$FFC136,-(sp)
    seg1b:0002A374         moveq  #$3C,d1 ; '<'
    seg1b:0002A376         movea.l #MLOOP3loc,a1
    seg1b:0002A37C         move.l #$1AC,d0
    seg1b:0002A382         movea.l #$FF9586,a4
    seg1b:0002A388         movea.l a4,a0
    seg1b:0002A38A         jsr   sub_28696
    seg1b:0002A390         moveq  #2,d0
    seg1b:0002A392         movea.l #$FF9548,a1
    seg1b:0002A398         movea.l a4,a0
    seg1b:0002A39A         jsr   sub_286FC
    seg1b:0002A3A0         move.l #$FFC2E2,-(sp)
    seg1b:0002A3A6         moveq  #$32,d1 ; '2'
    seg1b:0002A3A8         movea.l #MLOOP2loc,a1
    seg1b:0002A3AE         move.l #$178,d0
    seg1b:0002A3B4         movea.l #$FF9576,a4
    seg1b:0002A3BA         movea.l a4,a0
    seg1b:0002A3BC         jsr   sub_28696
    seg1b:0002A3C2         moveq  #1,d0
    seg1b:0002A3C4         movea.l #$FF9542,a1
    seg1b:0002A3CA         movea.l a4,a0
    seg1b:0002A3CC         jsr   sub_286FC
    seg1b:0002A3D2         clr.l  (dword_FFFF953C).w
    seg1b:0002A3D6         clr.w  (word_FFFF9540).w
    seg1b:0002A3DA         move.l #$FFC9C2,-(sp)
    seg1b:0002A3E0         moveq  #$A,d1
    seg1b:0002A3E2         movea.l #MLOOP1loc,a1
    seg1b:0002A3E8         move.l #$136,d0
    seg1b:0002A3EE         movea.l #$FF9566,a4
    seg1b:0002A3F4         movea.l a4,a0
    seg1b:0002A3F6         jsr   sub_28696
    seg1b:0002A3FC         movea.l a4,a0
    seg1b:0002A3FE         jsr   sub_2874A
    seg1b:0002A404         movem.l (sp)+,d0-d1/a0-a1/a4
    seg1b:0002A408         rts   
    seg1b:0002A408 ; End of function MAIN_LOOP_Setup
    this indexes routines that look like this and contain the subroutine addresses for the actual mainloops. Like this (note this is usually directly above the main loop setup routine):

    Code:
    seg1b:0002A1DE ; =============== S U B R O U T I N E =======================================
    seg1b:0002A1DE 
    seg1b:0002A1DE 
    seg1b:0002A1DE MLOOP1loc:               ; DATA XREF: MAIN_LOOP_Setup+140o
    seg1b:0002A1DE         move  sr,-(sp)
    seg1b:0002A1E0         andi  #$F8FF,sr
    seg1b:0002A1E4         move.l a0,-(sp)
    seg1b:0002A1E6 
    seg1b:0002A1E6 loc_2A1E6:               ; CODE XREF: MLOOP1loc+1Aj
    seg1b:0002A1E6         movea.l #$FF953C,a0
    seg1b:0002A1EC         jsr   sub_28782
    seg1b:0002A1F2         jsr   MAIN_LOOP_1
    seg1b:0002A1F8         bra.s  loc_2A1E6
    seg1b:0002A1F8 ; End of function MLOOP1loc
    seg1b:0002A1F8 
    seg1b:0002A1FA 
    seg1b:0002A1FA ; =============== S U B R O U T I N E =======================================
    seg1b:0002A1FA 
    seg1b:0002A1FA 
    seg1b:0002A1FA MLOOP2loc:               ; DATA XREF: MAIN_LOOP_Setup+106o
    seg1b:0002A1FA         move  sr,-(sp)
    seg1b:0002A1FC         andi  #$F8FF,sr
    seg1b:0002A200         move.l a0,-(sp)
    seg1b:0002A202 
    seg1b:0002A202 loc_2A202:               ; CODE XREF: MLOOP2loc+1Aj
    seg1b:0002A202         movea.l #$FF9542,a0
    seg1b:0002A208         jsr   sub_28782
    seg1b:0002A20E         jsr   MAIN_LOOP_2
    seg1b:0002A214         bra.s  loc_2A202
    seg1b:0002A214 ; End of function MLOOP2loc
    seg1b:0002A214 
    seg1b:0002A216 
    
    etc...
    From there you can disassemble the main loops, since they are probably not at this stage. The main loops are long and do many things... but at least now you'll have most of the important code disassembled. I number the Main Loops 1-7 from top to bottom.

    Here's a high level of the main things in each loop:

    MainLoop1
    - reads most of the inputs such as IGNV, MAP, TPS etc.
    - calculates the RPM
    - Calculates the Airflow (MAF or VE)
    - Knock Retard and Burst Knock calcs
    - Spark Advance routines and corrections
    - Injector calcs (BPW, Offsets etc.)
    - AFR (or Fuel/Air) calcs
    - Knock Sensor stuff

    MainLoop2
    - some security stuff (lots of cool stuff about flash chip in here)
    - Fuel Cutoff
    - Inj PW calc
    - trans stuff
    - RAM/ROM memory checking (check sum algo in here)

    MainLoop3
    - more input reads
    - O2 calcs
    - engine run state calc
    - torque management
    - closed loop checks
    - BLM cell, LTFTs, STFT's
    - Cruise control
    - AC calcs
    - system checks
    - Idle calcs

    MainLoop4
    - gear calcs
    - trans stuff

    MainLoop5
    - more input reads
    - PE mode calc
    - trans checks
    - abuse mode
    - VATS
    - FANS
    - Fuel Pump

    MainLoop6
    - lots of checks
    - misfire
    - message servicing
    - Fuel Status calcs
    - Knock Learn
    - Idle stuff
    - AC checks
    - Clutch Switch checks
    - RAM/ROM checks (again)
    - CKP checks

    MainLoop7
    - more reads
    - Over Temp stuff (including COT, ECTover etc...)
    - lots of checks
    - CAT overtemp

    There's more detail, but when i get some more time maybe.

    Hope that's useful to someone anyway


    I count sheep in hex...
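As an added example (not code from the post above or from any PCM tool), the script below automates the two things the post does by hand: it reads the 68k reset vectors and sanity-checks the PC against the $0-$4000 boot block, pattern-scans a raw image for the 34-byte registration idiom that MAIN_LOOP_Setup repeats once per main loop (move.l #x,-(sp) / moveq #n,d1 / movea.l #MLOOPnloc,a1 / move.l #x,d0 / movea.l #x,a4 / movea.l a4,a0 / jsr sub_28696), and then follows each MLOOPnloc stub to the last jsr before its bra.s, which is the real MAIN_LOOP_n body. The opcode encodings are standard 68000. The sample image is constructed inline and is not a real dump: it reuses the addresses and operands that appear in the listing (MLOOP1loc $2A1DE, MLOOP2loc $2A1FA, the registration sites $2A3A0 and $2A3DA, sub_28696, sub_28782, the $FF95xx/$FFCxxx RAM values), while the MAIN_LOOP_1/MAIN_LOOP_2 body addresses, the initial SSP and the field names (stack, prio, tcb) are my assumptions. It also assumes a flat dump mapped at address 0, so file offset equals CPU address as in the listing.

```python
"""Added example: find the main-loop (task) registration table in a raw 68k PCM
image by opcode pattern, and resolve each MLOOPnloc stub to its MAIN_LOOP_n body."""
import struct

# Standard 68000 opcode words (big-endian) for the idioms in the listing.
MOVE_L_IMM_PREDEC_SP = 0x2F3C   # move.l #imm32,-(sp)
MOVEQ_D1             = 0x72     # moveq #imm8,d1   (high byte; low byte is imm8)
MOVEA_L_IMM_A1       = 0x227C   # movea.l #imm32,a1
MOVE_L_IMM_D0        = 0x203C   # move.l #imm32,d0
MOVEA_L_IMM_A4       = 0x287C   # movea.l #imm32,a4
MOVEA_L_A4_A0        = 0x204C   # movea.l a4,a0
JSR_ABS_L            = 0x4EB9   # jsr abs.l
BRA_S                = 0x60     # bra.s disp8      (high byte)
RTS                  = 0x4E75
BOOT_BLOCK_END       = 0x4000   # per the post: boot block is $0-$4000

def u16(img, off): return struct.unpack_from(">H", img, off)[0]
def u32(img, off): return struct.unpack_from(">I", img, off)[0]

def reset_vectors(img):
    """68k vector table: initial SSP at offset 0, initial PC at offset 4."""
    return u32(img, 0), u32(img, 4)

def check_reset_vector(img):
    """A usable dump has an even PC vector inside the boot block (the post says
    it usually points to $440); anything else means a bad or partial image."""
    _, pc = reset_vectors(img)
    return pc % 2 == 0 and pc < BOOT_BLOCK_END

def find_task_registrations(img):
    """Scan for the 34-byte idiom repeated once per main loop in MAIN_LOOP_Setup.
    Hits come back in image order (the listing registers loop 7 first, loop 1 last).
    Field names are my reading of the arguments (assumption), not names from the ROM."""
    hits, off = [], 0
    while off <= len(img) - 34:
        if (u16(img, off) == MOVE_L_IMM_PREDEC_SP and img[off + 6] == MOVEQ_D1
                and u16(img, off + 8) == MOVEA_L_IMM_A1
                and u16(img, off + 14) == MOVE_L_IMM_D0
                and u16(img, off + 20) == MOVEA_L_IMM_A4
                and u16(img, off + 26) == MOVEA_L_A4_A0
                and u16(img, off + 28) == JSR_ABS_L):
            hits.append({"at": off, "stack": u32(img, off + 2), "prio": img[off + 7],
                         "entry": u32(img, off + 10), "size": u32(img, off + 16),
                         "tcb": u32(img, off + 22), "setup": u32(img, off + 30)})
            off += 34
        else:
            off += 2                      # 68k code is word aligned
    return hits

# Instruction lengths for the only opcodes the MLOOPnloc stubs use.
STUB_INSN_LEN = {0x40E7: 2,       # move sr,-(sp)
                 0x027C: 4,       # andi #imm16,sr
                 0x2F08: 2,       # move.l a0,-(sp)
                 0x207C: 6,       # movea.l #imm32,a0
                 JSR_ABS_L: 6}

def resolve_main_loop(img, entry, max_bytes=64):
    """Walk an MLOOPnloc stub from its entry: the last `jsr abs.l` before the
    backward `bra.s` is the real MAIN_LOOP_n body. Any opcode outside the stub
    idiom aborts with None rather than guessing."""
    off, last_jsr = entry, None
    while off + 2 <= len(img) and off < entry + max_bytes:
        w = u16(img, off)
        if (w >> 8) == BRA_S:
            return last_jsr
        if w == JSR_ABS_L:
            last_jsr = u32(img, off + 2)
        n = STUB_INSN_LEN.get(w)
        if n is None:
            return None
        off += n
    return None

# --- Constructed sample image (not a real dump) -------------------------------
# Listing addresses reused: MLOOP1loc $2A1DE, MLOOP2loc $2A1FA, registration
# sites $2A3A0/$2A3DA, sub_28696, sub_28782, rts at $2A408 and the RAM operands.
# MAIN_LOOP_1/2 body addresses and the initial SSP are hypothetical.
SUB_28696, SUB_28782 = 0x28696, 0x28782
MAIN_LOOP_1, MAIN_LOOP_2 = 0x2B000, 0x2B400     # hypothetical

def asm_registration(stack, prio, entry, size, tcb, setup=SUB_28696):
    return (struct.pack(">HI", MOVE_L_IMM_PREDEC_SP, stack) + bytes([MOVEQ_D1, prio])
            + struct.pack(">HI", MOVEA_L_IMM_A1, entry) + struct.pack(">HI", MOVE_L_IMM_D0, size)
            + struct.pack(">HI", MOVEA_L_IMM_A4, tcb) + struct.pack(">H", MOVEA_L_A4_A0)
            + struct.pack(">HI", JSR_ABS_L, setup))

def asm_stub(ctx, helper, body):
    """Encode the MLOOPnloc idiom; bra.s displacement is relative to the bra's pc+2."""
    code = (struct.pack(">H", 0x40E7) + struct.pack(">HH", 0x027C, 0xF8FF)
            + struct.pack(">H", 0x2F08) + struct.pack(">HI", 0x207C, ctx)
            + struct.pack(">HI", JSR_ABS_L, helper) + struct.pack(">HI", JSR_ABS_L, body))
    return code + bytes([BRA_S, (8 - (len(code) + 2)) & 0xFF])   # back to the movea.l

def build_sample_image():
    img = bytearray(0x80000)                                  # 512 KB flash
    struct.pack_into(">II", img, 0, 0x00FFD000, 0x440)        # SSP (hypothetical), PC
    img[0x2A1DE:0x2A1DE + 28] = asm_stub(0xFF953C, SUB_28782, MAIN_LOOP_1)
    img[0x2A1FA:0x2A1FA + 28] = asm_stub(0xFF9542, SUB_28782, MAIN_LOOP_2)
    img[0x2A3A0:0x2A3A0 + 34] = asm_registration(0xFFC2E2, 0x32, 0x2A1FA, 0x178, 0xFF9576)
    img[0x2A3DA:0x2A3DA + 34] = asm_registration(0xFFC9C2, 0x0A, 0x2A1DE, 0x136, 0xFF9566)
    struct.pack_into(">H", img, 0x2A408, RTS)
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("reset vector ok:", check_reset_vector(image))
    for r in find_task_registrations(image):
        body = resolve_main_loop(image, r["entry"])
        print("reg @%05X entry=%05X prio=%d stack=%06X -> body %s"
              % (r["at"], r["entry"], r["prio"], r["stack"], hex(body) if body else "?"))
```

On a real 512 KB dump, point build_sample_image's caller at the file instead (open(path, "rb").read()) and the scan finds all seven registrations; if it returns fewer, the routine has been reordered or the image is from a different OS and the idiom needs re-checking in the disassembler. The stub walker deliberately refuses anything outside the five opcodes seen in the listing, so a None result marks an entry worth looking at by hand rather than a silently wrong address.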

  2. #2

    Re: Structure of the code and disassembly

    How are loops related to the tables we are trying to change? Is it really important to know this or just know where the tables are?

  3. #3

    Re: Structure of the code and disassembly

    It's almost impossible to find and understand the meaning, conversion factors, axis variables of tables, constants etc. without disassembling the code and understanding it.
    I count sheep in hex...

  4. #4

    Re: Structure of the code and disassembly

    I know conversion factors from other sources etc etc etc... but it all looks greek to me right now.. any way to understand that code a bit better?

    I know where almost all tables are, conversion factors and everything needed, yet I did that using hex workshop...


  5. #5

    Re: Structure of the code and disassembly

    Quote Originally Posted by The_Highlander
    I know where almost all tables are, conversion factors and everything needed, yet I did that using hex workshop...
    So can you tell me where the Lean Cruise AFR table is?
    I count sheep in hex...

  6. #6

    Re: Structure of the code and disassembly

    I wasn't aware it was a table. I always thought it was a constant... If you mean the stoich AFR which the computer tries to achieve in part throttle?

    the 14.737 AFR? right?

  7. #7

    Re: Structure of the code and disassembly

    Quote Originally Posted by The_Highlander
    I wasn't aware it was a table. I always thought it was a constant... If you mean the stoich AFR which the computer tries to achieve in part throttle?

    the 14.737 AFR? right?
    No.
    I count sheep in hex...

  8. #8

    Re: Structure of the code and disassembly

    I'll look into it.... When I have it I will post here...

  9. #9

    Re: Structure of the code and disassembly

    Is it a 1 cell table???

  10. #10

    Re: Structure of the code and disassembly

    nah, it's okay. I know where the table is. It's a 3d table vs RPM vs CylAir

    I'm just interested to know how you can find the tables using hex workshop and not disassembling the code. It's hard enough understanding things even with a disassembly

    Cheers.

    I count sheep in hex...

  11. #11

    Re: Structure of the code and disassembly



    Maybe I have that table with a different name?

    I did start looking....

    I have over 70 tables from looking at the hex code.. which wasn't easy...

    for which cars is this?

  12. #12
    Senior Tuner
    Join Date
    May 2003
    Location
    Santa Clarita, Ca
    Posts
    962

    Re: Structure of the code and disassembly

    Quote Originally Posted by The_Highlander
    I wasn't aware it was a table. I always thought it was a constant... If you mean the stoich AFR which the computer tries to achieve in part throttle?

    the 14.737 AFR? right?
    Starting with late 03 models the base 14.7 AFR is now a 2d lookup table, not a constant. GM has not implemented it yet so it will always pull the first value.

    There are also two identical open loop afr tables. So changes must be made equally to both or else you will wind up with the difference of those two tables used as a % multiplier against stoich.


    I'm also really curious how you can find a table using only Hex Workshop. There are tables and then there are indexes. Both are considered arrays. Not to mention how do you know if it is a byte table or word table?

    Super_Sport_x2


  13. #13

    Re: Structure of the code and disassembly

    So in case anybody is wondering what the multiple fuel tables are for, it's the variable fuel option for the 5.3L engines.

    The tables are referenced to either a petroleum or alcohol based fuel. If both are present a composition ratio detector tells the VCM what's in the tank.

    So look for the factory 90lb/hr injectors on these motors. I bet those will become popular.


    Super_Sport_x2