[Diy_efi] Re: Motronic checksum
henrik_j at bigfoot.com
Tue Jun 15 20:58:17 GMT 2004
======= At 2004-06-11, 19:29:00 you wrote: =======
>Which motronic are you reversing? I was looking into versions 1.3 and 2.5.
>Can you send me the bin?
I'm looking at ML4.1. Several binaries are available in the Yahoo Group for Alfa 75.
>A saw a message on this forum, where a guy compared stock and aftermarket
>performance motronic bins. There were only two locations different in data
>area (rev limiter and something he couldn't identify), and last two bytes.
>I've also seen a few chips that had only a couple of bytes different, and
>of course the last two bytes.. That's why I made a conclusion that checksum
>is stored in last two bytes.
Perhaps it is on that version, I just mentioned that on some Motronics it isn't. But that doesn't necessarily mean that the entire PROM is included in calculation of that particular checksum. There may be separate checksums for different parts of the PROM for instance.
>As far as disassembler is concerned, I was wondering if there is an
>'intelligent' one, that can distinguish between code and data. I have a
>disassembler for 68HC11, that works flawlessly when it comes to recognition
>of code/data (that's easy because vector addresses are known from bin
>file). As for motronic, I couldn't really tell where the code 'starts'. I
>expected to find a LJMPs and beginning of the file that would point to
>code, but that was not the case. How come??
I use D52, http://www.8052.com/users/disasm/
It works pretty well, but you may still have to help it a bit. Haven't tried the latest version yet though.
>I am sure my boxes have a 8051 derivative CPU, since WinOLS software
>recognized the bins and stated the processor is 8051.
What I was hinting at was that perhaps it is some enhanced version, perhaps even with an enhanced instruction set, in which case the output from a disassembler may look pretty weird. I'm pretty sure both of the systems you work on use the 80C515.
>At which address the EPROM file starts, is it 0, or not?
Some systems have part of the code in an internal PROM in the CPU which may mess things up a bit. I think at least the 1.3 does. I finally found the old message I was looking for, it could perhaps help you:
>Can you point out the code that is making the checksum calculation, so I
>can try to identify it in my EPROMs?
Don't know how I could do that, but all access to the EPROM must be done through the "movx a, at dptr" instruction. This means that most likely the DPTR register is at some time set up to point at the beginning of the EPROM, probably using the "mov dptr,#Xnnnn" instruction. All access to data tables are done in the same way so this instruction is used quite often, but since data tables are often placed towards the end of the PROM the set up for checksum calculation should be easy to identify.
diy_efi mailing list
diy_efi at diy-efi.org
More information about the Diy_efi