I made a poor assumption about mode 6, that it had different operating 'messages' kind of like mode 1. It made me totally ignore the fact that the addresses are right in front of me, and it only does one thing: 'write and execute'.
I also can only assume that it's 'execute only' because I can write a jump instruction to memory and it works, but if I write something that doesn't jump, the ECM locks up. I bet this is because control flow simply tries to go through memory from its new entry point and goes haywire....
Anyway, write and execute:
Code:
[addr] [length] 0x06 [low addr] [high addr] [data ...] [cksum]
There is no separate 'data length' specifier like you'd expect; I can only assume that the mode 6 sub uses the standard msg length header byte to figure out how long the payload is.
So perhaps to actually write arbitrary RAM with mode 6, you'd have to write some code that stores your values and then jumps back to the main event loop, and write that to an unused portion of RAM somewhere.
Now, how is the (relatively large) flash routine loaded in multiple messages and then executed when complete?
It took me a few minutes to understand, but it makes sense.
It's written to memory backwards, starting at the top, with a small prefix of code that seems like it jumps back to the mode 6 code, or some such thing. Each following payload is offset to write over the previous one's loader prefix. This loader is as follows:
Code:
86 aa 36 18 30 86 06 c6 01 fe ff bc ad 00 32 39
It continues to load the routine into early RAM until it reaches 0x00, where no loader is placed in memory, and the entire payload can be executed starting at 0x0000. So that's how you load a large routine.
So using that loading knowledge, I pieced together the code binary for each side by yanking it right out of the datastream.
I really want to disassemble it and see how it works.
T-side:
Code:
20 49 20 47 00 00 00 00 00 00 00 00 00 00 00 00 20 00 ff ff 7e 01 2c 7e 01 93 7e 01 a9 7e 01 b2 7e 01 bb 7e 01 be 7e 01 e0 7e 01 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8e 00 4a 0f b6 18 01 8a 80 b7 18 01 b6 18 00 84 7f b7 18 00 b6 18 03 84 bf b7 18 03 b6 10 09 8a 01 b7 10 09 b6 10 08 84 fd b7 10 08 b6 10 03 8a 08 b7 10 03 bd 01 a9 3c 30 13 32 01 07 cc 06 01 ed 00 20 08 14 32 01 cc 06 aa ed 00 c6 02 bd 01 2c 38 ce 10 00 86 04 a7 2d ec 2e 4f 97 2e 1c 2d 02 8d 52 81 f4 26 eb 8d 4c 80 56 25 e5 97 31 8d 44 81 05 27 2e 81 06 26 d9 8d 3a 97 2c 7a 00 31 8d 33 97 2d 7a 00 31 18 de 2c 8d 29 18 a7 00 18 08 7a 00 31 26 f4 8d 1d 5d 26 b7 18 de 2c 18 ad 00 20 af 8d 10 3c 30 cc 05 aa ed 00 c6 02 bd 01 2c 38 7e 00 9d 18 3c 18 ce 05 75 7f 00 2f 7a 00 2f 26 04 18 09 27 07 bd 01 93 1f 2e 0e 05 38 38 7e 00 9d 1f 2e 20 e7 a6 2f 16 db 2e d7 2e 18 38 39 36 18 3c 3c 18 38 ce 10 00 86 08 a7 2d 37 c6 0b 5a 26 fd 33 b6 18 03 8a 40 b7 18 03 b6 18 02 8a 40 b7 18 02 4f 97 2e 86 f4 8d 2e 17 8b 55 8d 29 18 a6 00 8d 24 18 08 5a 26 f6 96 2e 40 8d 1a 1f 2e 40 fc b6 18 03 84 bf b7 18 03 37 c6 0b 5a 26 fd 33 1d 2d 08 18 38 32 39 bd 01 93 1f 2e 80 f9 a7 2f 9b 2e 97 2e 39 37 c6 55 f7 10 3a 53 f7 10 3a c6 50 f7 18 06 c6 a0 f7 18 06 33 39 3c ce 10 02 1d 00 08 38 39 3c ce 10 02 1c 00 08 38 39 36 20 03 36 86 0a 37 4d 27 0b c6 4b bd 01 93 5a 26 fa 4a 26 f5 33 32 39 37 fc 10 0e fd 10 16 33 7f 10 22 20 07 b6 10 23 84 80 27 05 86 80 b7 10 23 39
E-side:
Code:
20 3c 20 47 00 00 00 00 00 00 00 00 00 00 00 00 20 00 ff ff 7e 01 24 7e 01 8b 7e 01 a1 7e 01 aa 7e 01 b3 7e 01 b6 7e 01 d8 7e 01 cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f b6 18 02 84 fc b7 18 02 86 49 97 01 8e 00 4a 0f b6 18 01 8a 7f b7 18 01 b6 18 03 84 fb b7 18 03 b6 10 09 8a 01 b7 10 09 b6 10 08 84 fd b7 10 08 b6 10 03 8a 08 b7 10 03 bd 01 a1 3c 30 13 32 01 07 cc 06 01 ed 00 20 08 14 32 01 cc 06 aa ed 00 c6 02 bd 01 24 38 ce 10 00 86 04 a7 2d ec 2e 4f 97 2e 1c 2d 02 8d 52 81 e4 26 eb 8d 4c 80 56 25 e5 97 31 8d 44 81 05 27 2e 81 06 26 d9 8d 3a 97 2c 7a 00 31 8d 33 97 2d 7a 00 31 18 de 2c 8d 29 18 a7 00 18 08 7a 00 31 26 f4 8d 1d 5d 26 b7 18 de 2c 18 ad 00 20 af 8d 10 3c 30 cc 05 aa ed 00 c6 02 bd 01 24 38 7e 00 95 18 3c 18 ce 05 75 7f 00 2f 7a 00 2f 26 04 18 09 27 07 bd 01 8b 1f 2e 0e 05 38 38 7e 00 95 1f 2e 20 e7 a6 2f 16 db 2e d7 2e 18 38 39 36 18 3c 3c 18 38 ce 10 00 86 08 a7 2d 37 c6 0b 5a 26 fd 33 b6 18 03 8a 04 b7 18 03 b6 18 02 8a 04 b7 18 02 4f 97 2e 86 e4 8d 2e 17 8b 55 8d 29 18 a6 00 8d 24 18 08 5a 26 f6 96 2e 40 8d 1a 1f 2e 40 fc b6 18 03 84 fb b7 18 03 37 c6 0b 5a 26 fd 33 1d 2d 08 18 38 32 39 bd 01 8b 1f 2e 80 f9 a7 2f 9b 2e 97 2e 39 37 c6 55 f7 10 3a 53 f7 10 3a c6 50 f7 18 06 c6 a0 f7 18 06 33 39 3c ce 10 02 1d 00 08 38 39 3c ce 10 02 1c 00 08 38 39 36 20 03 36 86 0a 37 4d 27 0b c6 4b bd 01 8b 5a 26 fa 4a 26 f5 33 32 39 37 fc 10 0e fd 10 16 33 7f 10 22 20 07 b6 10 23 84 80 27 05 86 80 b7 10 23 39
So how does it work? I haven't disassembled it yet, but I have confirmed the following...
Another mode 6 request will write a payload to memory at 0x0300 (well past the range of the existing code):
Code:
[addr] [len] 06 BD 02 1A [low_addr] [high_addr] [n_bytes] [payload ...] [cksum]
I think 0xBD is 'jump to subroutine'. So after placing the data there, it calls what I can only presume is the flash sub, which comes back and writes that data before exiting. That way it can drop its data payload without executing it.
To read flash memory:
Code:
[addr] [len] 06 02 00 20 0B [low_addr] [high_addr] [cksum]
Reply is
Code:
[addr] [len] 06 AA ?? ?? [payload ...] ?? (CKSUM)
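The write-and-execute frame layout and the backward loading scheme described in the post, as an added example that is not part of the original post or the ECM firmware. The frame layout, the 16-byte loader prefix and the top-down write order come from the post; the length-byte encoding (0x52 plus the byte count after it) and the checksum (two's complement of the 8-bit sum) are assumptions, as is the sample routine, which is constructed filler rather than a real flash routine. The simulator models the post's observation that a chunk not starting with the loader locks the ECM up by raising an exception.

```python
"""Mode 6 'write and execute' frames and the backward loader scheme.

Added example, not code from the original post or the ECM.
From the post: frame layout [addr] [length] 0x06 [low addr] [high addr]
[data ...] [cksum], the 16-byte loader prefix, and the top-down write order.
Assumed (not stated on the page): the length byte is 0x52 plus the number of
bytes that follow it (checksum included), and the checksum is the two's
complement of the 8-bit sum of all preceding bytes.
"""

MODE_WRITE_EXEC = 0x06
LENGTH_OFFSET = 0x52                      # assumed ALDL length encoding
# loader prefix quoted in the post; assumed to return to the mode 6 handler
LOADER = bytes.fromhex("86 aa 36 18 30 86 06 c6 01 fe ff bc ad 00 32 39")


def checksum(frame: bytes) -> int:
    """Assumed: two's complement of the byte sum, so a full frame sums to 0 mod 256."""
    return (-sum(frame)) & 0xFF


def build_mode6(device_id: int, target: int, data: bytes) -> bytes:
    """Build one write-and-execute frame placing `data` at RAM address `target`."""
    if not 0 <= target <= 0xFFFF:
        raise ValueError("target must be a 16-bit address")
    body = bytes([MODE_WRITE_EXEC, target & 0xFF, target >> 8]) + data
    length = LENGTH_OFFSET + len(body) + 1   # +1 for the checksum byte
    if length > 0xFF:
        raise ValueError("data too long for one frame")
    frame = bytes([device_id, length]) + body
    return frame + bytes([checksum(frame)])


def parse_mode6(frame: bytes):
    """Validate a frame and return (device_id, target, data); raise on any mismatch."""
    if len(frame) < 6:
        raise ValueError("frame too short")
    if sum(frame) & 0xFF:
        raise ValueError("checksum mismatch")
    if frame[1] - LENGTH_OFFSET != len(frame) - 2:
        raise ValueError("length byte does not match frame size")
    if frame[2] != MODE_WRITE_EXEC:
        raise ValueError("not a mode 6 frame")
    return frame[0], frame[3] | (frame[4] << 8), frame[5:-1]


def split_for_loading(routine: bytes, max_data: int):
    """Split `routine` into (target, data) writes, highest addresses first.

    Every write except the last begins with LOADER, so executing it only returns
    to the handler; the next, lower write overwrites that loader with the real
    bytes. The last write starts at 0x0000 with no loader, so executing it runs
    the whole routine.
    """
    if max_data <= len(LOADER):
        raise ValueError("max_data must be larger than the loader")
    writes = []
    end = len(routine)
    while end > max_data:
        start = end - max_data
        writes.append((start, LOADER + routine[start + len(LOADER):end]))
        end = start + len(LOADER)         # next write must cover this loader
    writes.append((0, routine[:end]))
    return writes


def routine_frames(device_id: int, routine: bytes, max_data: int):
    """Frames to send, in order, to load and finally execute `routine`."""
    return [build_mode6(device_id, t, d) for t, d in split_for_loading(routine, max_data)]


def simulate_ecm(frames, ram_size: int = 0x400) -> bytes:
    """Model the ECM side: apply each write, then 'execute' at its target.

    Mirrors the post: if the code at the entry point does not jump straight
    back to the handler, the ECM locks up. Here that is an exception, except
    for the final write at 0x0000, which is the real entry point.
    """
    ram = bytearray(ram_size)
    for frame in frames:
        _, target, data = parse_mode6(frame)
        ram[target:target + len(data)] = data
        if target != 0 and ram[target:target + len(LOADER)] != LOADER:
            raise RuntimeError(f"ECM lockup: no loader at 0x{target:04x}")
    return bytes(ram)


# constructed sample routine (200 filler bytes), not a real flash routine
SAMPLE_ROUTINE = bytes((i * 37 + 11) & 0xFF for i in range(200))

if __name__ == "__main__":
    frames = routine_frames(0xF4, SAMPLE_ROUTINE, max_data=64)
    for f in frames:
        print(f.hex(" "))
    ram = simulate_ecm(frames)
    print("loaded ok:", ram[:len(SAMPLE_ROUTINE)] == SAMPLE_ROUTINE)
```

With a 64-byte data budget the 200-byte sample becomes four writes at 0x0088, 0x0058, 0x0028 and 0x0000; each of the first three starts with the loader, and each lower write covers the loader left by the one above it, which is the overlap the post describes.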