Post Info TOPIC: Disassembling the TL1000S


Veteran Member

Status: Offline
Posts: 74
Date:
Disassembling the TL1000S




-- Edited by ffaspector on Saturday 17th of October 2009 11:45:53 AM

__________________
pad


Member

Status: Offline
Posts: 12
Date:

Looks like some useful code offset from the start of the file is 0x3000.
I'm not much good at this Motorola stuff either.

There's around 16k of code there so it may be the whole thing.
We need to take a look at the hardware to see what the CSBOOT and BERR pins are doing on reset.
That should tell us if the cpu is running with internal rom or booting to the external eprom.

I'm guessing that since the ecu probably started its design around 1995, mask rom was too expensive for the size of the production runs.
FlashRam was quite new and a little dodgy.
Suzuki/Denso would have taken the nice safe path and used an external eprom for all the code and data.

Looks like you're doing some good work on the R.
Now that it's getting into winter here I should be able to spend more time on it.



-- Edited by pad at 12:20, 2008-04-11

__________________


Guru

Status: Offline
Posts: 963
Date:

I took a look at the one you posted, 32920-02F41.bin....

The first thing I noticed is there are obviously maps in there below 0x3000. Above that it really looks like code. There are no reset vectors at the top of the rom so either there is code in the cpu or it's not 68hc16. There does appear to be code though.

So I checked the end of the rom and found what looked like a bunch of 16-bit vectors, meaning it has 64K addressable space. By process of elimination the 68hc11 worked good. BTW the vectors are all between 8000 and FFFF so you need to load the rom with an 8000 offset.

In IDA select a new bin, type embedded,

Processor Selection select motorola series 6811

Memory organization:
create ram section
start 0000
size 8000

create rom section
start 8000
size 8000

input file
loading address 8000
loading offset 000000
loading size 8000

go back and make sure ram size is still 8000

hit OK

Select 68HC11E1

hit ok and you're good to go. It should start auto disassembling; if not, go to address B47D and hit 'C'





__________________


Guru

Status: Offline
Posts: 963
Date:

CrankPeriod variable is at 0x00DB

RPM * 5.12 variable is at 0x0060

The period values for the rev limiters start at 0xA71D (rom 271D + 0x8000 offset)

1500 = 10,000
1470 = 10,200
1364 = 11,000
1340 = 11,195



__________________
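
The check described in the two posts above (16-bit vectors at the end of the ROM all landing in 8000-FFFF, hence the 0x8000 load offset, and rom 271D mapping to A71D), written out as an added example that is not part of the original thread. The 21-entry table size is the 68HC11 E-series layout and is an assumption; the image is constructed, and putting B47D in the last (reset) slot is for illustration only.

```python
import struct

VECTOR_COUNT = 21  # assumption: 68HC11 E-series table, 0xFFD6..0xFFFF, reset last

def read_vectors(image, count=VECTOR_COUNT):
    """Return the last `count` big-endian 16-bit words of a ROM image."""
    return list(struct.unpack(">%dH" % count, image[-2 * count:]))

def check_load_base(image, count=VECTOR_COUNT):
    """Return the load base if every vector points inside the mapped image.

    Assumes the image ends at 0xFFFF. A vector outside the window suggests
    the wrong CPU family or an image not mapped at the top of memory.
    """
    base = 0x10000 - len(image)
    if base < 0:
        raise ValueError("image larger than a 64K address space")
    bad = [hex(v) for v in read_vectors(image, count) if not base <= v <= 0xFFFF]
    if bad:
        raise ValueError("vectors outside 0x%04X-0xFFFF: %s" % (base, bad))
    return base

def file_to_cpu(offset, base):
    """File offset -> CPU address (0x271D -> 0xA71D at base 0x8000)."""
    return base + offset

def cpu_to_file(addr, base):
    """CPU address -> file offset; rejects addresses outside the ROM."""
    if not base <= addr <= 0xFFFF:
        raise ValueError("0x%04X is not inside the ROM" % addr)
    return addr - base

def build_sample_image(size=0x8000):
    """Constructed 32 KiB image (not the real 32920-02F41.bin)."""
    image = bytearray(b"\xFF" * size)
    vectors = [0x8000 + 0x40 * i for i in range(VECTOR_COUNT - 1)] + [0xB47D]
    image[-2 * VECTOR_COUNT:] = struct.pack(">%dH" % VECTOR_COUNT, *vectors)
    return bytes(image)

if __name__ == "__main__":
    rom = build_sample_image()
    base = check_load_base(rom)
    print("load base 0x%04X, last vector 0x%04X" % (base, read_vectors(rom)[-1]))
    print("file 0x271D -> cpu 0x%04X" % file_to_cpu(0x271D, base))
```

To run it on a real dump, read the file as bytes and pass it to `check_load_base` in place of the constructed image.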


Veteran Member

Status: Offline
Posts: 74
Date:



-- Edited by ffaspector on Saturday 17th of October 2009 11:45:05 AM

__________________


Newbie

Status: Offline
Posts: 3
Date:

Continuing an old thread here.
I doubt it's an HC11 as I cannot find any 84 pin packages for that processor. At least not from FreeScale...

__________________


Newbie

Status: Offline
Posts: 3
Date:

Might just have to take that back now.

There is a flavour named MC68HC11K, with several sub types, that were shipped in a PLCC84 package.

Need to start reading about these now that I have a pin layout to understand the connections to it.

__________________