For those of you not familiar with reading assembly code in general, or the 6816 processor used by the ECU in particular, I thought I would share some of the basics on reading the code that may help you get started.
First, it is pretty obvious from all the redundant and wasteful code that the software was originally written in a higher-level language and compiled down. On the other hand, the way it compiles means that it always does the same thing the same way.
Memory Mapping: The CPU can map the ROM, RAM, etc. to any addresses it likes. The ECU is mapped as follows.
Flash Bank 2 is ROM at 0000:0000 to 0000:7FFF. This is where the operational software or code is located.
Flash Bank 1 is ROM at 0000:8000 to 0000:FFFF. This is where the map data is located.
RAM is 4096 bytes at 000E:0000 to 000E:0FFF. This is the system RAM and stack memory area.
CPU hardware I/O registers are at FFFF:0000 to FFFF:FFFF. This area is used to access the various hardware modules like the CTM, ADC, SICA etc.
Indexed Addressing: Almost all the memory locations are accessed through the index registers X, Y, and Z. In other words, to access a memory location you must first point a register at the memory.
The Z register is always used for RAM. The extended Z register is always set to 0E, making Z = 000E:0000. When accessing a RAM location the compiler always uses a Z offset. For example, to load the data at RAM location 000E:0060 into accumulator A you will see
ldaa 60h, Z
The effective address is 60h + 000E:0000
The Y register is almost always used to access I/O memory. BTW, the 0F extended address mirrors to FFFF, so setting the Y extended register to 0F sets the effective Y to FFFF:0000.
For example, if the compiler needs to access the Port A I/O port data register located at FFFF:FA0A, the compiler would write the following code:
ldab #0Fh
tbyk ;sets extended Y to 0F, Y=FFFF:0000
ldy #0FA00h ;set Y to FA00, Y = FFFF:FA00
ldd 0Ah, Y ;load accumulator D with Y + 0Ah, Y=FFFF:FA0A
So if you wanted to find what code turns coil 1 on and off, which is driven by CPU pin 5, you would first look up pin 5 in the data sheet and see it is CTM10A. Looking up CTM10A, you find its data register address is FFFF:F952. But to find it in the code you would search for the value 52h, not F952 or FFFFF952.
Once you find all the occurrences of 52h, pick out the ones written as 52h, Y and then check back up the code to make sure the last load of Y was F900.
The X register is often used for accessing MAP data. Its extended address is usually 00, setting X to 0000:0000. Any time you see X pointing above 8000h it is usually pointing at map data. Example:
ldab #0
tbxk ;set extended X to 00, X=0000:0000
ldx #8026h ;set X = 8026, X=0000:8026
ldaa 0,X ;load accumulator A with map data from address 0000:8026
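The bank-register and indexed-operand rules above are mechanical enough to script. As an added example (my own code, not from the original post or the ECU firmware), this Python tracker follows ldab/tbxk/tbyk/tbzk and ldx/ldy/ldz immediates through a listing and resolves every "offset, X/Y/Z" operand to a full address in the memory map above. The listing it runs on is constructed from the post's own examples; the mnemonics, operand syntax and starting bank values (X bank 00, Z = 000E:0000, Y unknown until loaded) are taken from the post.

```python
import re
# Memory map from the post: (bank, first offset, last offset, name). Bank is the
# 4-bit extension register value; the post writes bank 0E as 000E and 0F as FFFF.
REGIONS = [(0x0, 0x0000, 0x7FFF, "code ROM (Flash Bank 2)"),
           (0x0, 0x8000, 0xFFFF, "map ROM (Flash Bank 1)"),
           (0xE, 0x0000, 0x0FFF, "RAM"),
           (0xF, 0x0000, 0xFFFF, "CPU I/O registers")]
INDEXED = re.compile(r"^(\S+)\s*,\s*([XYZ])$", re.I)  # "60h, Z", "0Ah, Y", "0,X"

def parse_num(tok):  # assembler literal: trailing 'h' = hex (0FA00h), else decimal
    tok = tok.strip()
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)

def region_of(ea):
    bank, off = ea >> 16, ea & 0xFFFF
    return next((nm for b, lo, hi, nm in REGIONS if b == bank and lo <= off <= hi), "unmapped")

def fmt(ea):  # bank:offset in the post's notation, bank 0F shown as FFFF
    if ea is None:
        return "?"
    return ("FFFF" if ea >> 16 == 0xF else f"{ea >> 16:04X}") + f":{ea & 0xFFFF:04X}"

def trace(lines):
    """Track B, X/Y/Z and their bank (K) registers through a listing and return
    (line_no, mnemonic, effective address or None, region) for each indexed operand."""
    st = {"B": None, "X": None, "XK": 0x0, "Y": None, "YK": None, "Z": 0, "ZK": 0xE}
    hits = []
    for n, raw in enumerate(lines, 1):
        parts = raw.split(";")[0].split(None, 1)  # strip comment, split mnemonic/operand
        if not parts:
            continue
        op, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if op == "ldab" and arg.startswith("#"):
            st["B"] = parse_num(arg[1:])
        elif op in ("tbxk", "tbyk", "tbzk"):  # transfer low nibble of B into the bank register
            st[op[2].upper() + "K"] = None if st["B"] is None else st["B"] & 0xF
        elif op in ("ldx", "ldy", "ldz") and arg.startswith("#"):
            st[op[2].upper()] = parse_num(arg[1:])
        elif (m := INDEXED.match(arg)):
            off, reg = parse_num(m.group(1)), m.group(2).upper()
            base, bank = st[reg], st[reg + "K"]
            ea = None if base is None or bank is None else (bank << 16) | ((base + off) & 0xFFFF)
            hits.append((n, op, ea, "unresolved (register not set)" if ea is None else region_of(ea)))
    return hits

# Constructed listing built from the post's own examples (not real ECU code).
SAMPLE = ["ldaa 10h, Y   ; Y not loaded yet -> cannot be resolved",
          "ldab #0Fh", "tbyk", "ldy #0F900h  ; Y = FFFF:F900, the CTM block",
          "ldd 52h, Y    ; CTM10A data register FFFF:F952",
          "ldaa 60h, Z   ; RAM 000E:0060",
          "ldab #0", "tbxk", "ldx #8026h", "ldaa 0,X   ; map data 0000:8026"]
if __name__ == "__main__":
    for n, op, ea, region in trace(SAMPLE):
        print(f"line {n:2}: {op:4} -> {fmt(ea)}  {region}")
```

Run on a real disassembly, the hits whose region is "CPU I/O registers" and whose offset is F952 are exactly the "52h, Y" accesses the post tells you to look for, while a "52h, Y" after a different ldy is filtered out automatically.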
Hope that helps a little. I'll post more later. Don't want to make the post too big.