Another hex dump interpretation

[log1call]

Ok, Sunday afternoon.
I followed through your process and  interperated that the trouble codes that are recorded in 4042 are
Maf     04   9dc4
Temp   01   9df7
O2      20    9e98
Knock  02   9fbd
Inj      40   9fcc
ISC     08   a547
Purge  80   a4c1

So I read sub 9dc4 and it seemed to be comparing a reading with various samples and deciding whether to use it or reevalaluate it again and, at the same time, set a counter to the maf code as in your earlier examples. I added notes as I went through it. I was wondering Phil... you say that a bcc means branch if less than, in the instructions it says branch if it is a 0, can you verify which is more correct or is it instance specific, ie sometimes a comparison is either a 0 or a 1.... or is it always 0 or 1 in programming?

009DC4    AE7C40        ldx     0x407c                          ; Call target from 9CF3
009DC7    EC808C        cpx     0x8c80 ;compare 407c with 8c80
009DCA    9026          bcc     0x9df2 ;branch if less, load 41af to memory
009DCC    EC828C        cpx     0x8c82 ;compare 407c with 8c82
009DCF    B021          bcs     0x9df2 ;branch if 1
009DD1    AE2D40        ldx     0x402d ;load 402d
009DD4    EC848C        cpx     0x8c84 ;compare with 8c84
009DD7    B005          bcs     0x9dde ;Clear maf code if 1
009DD9    EC868C        cpx     0x8c86 ;compare to 8c86
009DDC    B010          bcs     0x9dee ;clear maf code if 1
009DDE    A2AF41        ldx     #0x41af ; load to x register                       ; Branch target from 9DD7
009DE1    20DFA3        jsr     0xa3df ; Add 1 to counter at X
009DE4    CD888C        cmp     al, 0x8c88
009DE7    9004          bcc     0x9ded compare and exit if less
009DE9    0C424004      seb     #0x04, 0x4042 ;set maf code
009DED    60            rts                                     ; Branch target from 9DE7

009DEE    1C424004      clb     #0x04, 0x4042                   ; Branch target from 9DDC
009DF2    9CAF4100      ldm     #0x00, 0x41af                   ; Branch target from 9DCA, Branch target from 9DCF
009DF6    60            rts     

Eventually I decided I was side-tracked... again... and so I went to see what stored what at 407c which led me to sub ea43. Then i remembered you had already found 407c to be a rev count, which set me thinking that perhaps the comparison earlier was to see that when we had revs we had a sensible reading off the MAF and that the actual maf reading was at 41af. When I looked at what read to or from 41af though I found there was nothing doing a store at that address, the only reference is the sub 9dc4 ant there is no reference to the A/D chip which I was looking for. All my searches seem to lead me back to sub 9dc4. The only address in there that seems to be likely is 41af so I will log that tomorrow and see if it gives any readings that seem right. If it does prove to be correct does that mean that the MAF reads straight from memory with no stored record? 

All in all, I am more confused now, than I was when I staggered in from the hot midday sun three hours ago!
  I will keep you posted. Brett.

[mrdjc]

Brett,

Its relieving to see I'm not the only one struggling to come to terms with it all!

BCC is Branch if Carry Flag Clear (I.e. 0)
There is also a BCS which is Branch if Carry Flag Set (I.e. 1)

So when it does a CPX (ComPare with X)
Like you know, it checks the value of the address, In this case 407C with 8C80.
If the value at 407C is higher or equal than the value at 8C80 the result is "0", and the code branches to 9DF2 using BCC.
If the value is lower, the result is "1", which there is no line of code to deal with just yet, so it moves on to the next line of code.

It compares it again this time to 8C82, again if the value of 407C is higher or equal than the value at 8C82 the result is "0" If the value is lower, the result is "1".
If the value at 407C is lower than the value at 8C82 the result is "1", and the code branches to 9DF2 using BCS. If it is higher or equal it moves onto the next line of code.

So that means if the value of 407C is higher than the upper limit at 8C80 or less than the lower limit at 8C82 it branches to 9DF2. Otherwise, the code moves on to the next line, in this case: LDX 402D


You are definitely in the right file as you have the lines of code that set and clear the error code.
I would trace 402D and have a look in there, if your already certain 407C is rev counter.
If you also go over to my thread and take a look with regards to your problem with 41AF, it might help a bit. We found no STX for my CO Resistor error code, and it was loading direct values rather than addresses. Phil has (attempted) to explain why its like that, and I've had another go and found a parameter. Sometimes I think its better to just accept the way it is and work with it rather than trying to understand it all!

Cheers,
Daniel.

[b3lha]

Ok, Sunday afternoon.
I followed through your process and  interperated that the trouble codes that are recorded in 4042 are
Maf     04   9dc4
Temp   01   9df7
O2      20    9e98
Knock  02   9fbd
Inj      40   9fcc
ISC     08   a547
Purge  80   a4c1

Good.

So I read sub 9dc4 and it seemed to be comparing a reading with various samples and deciding whether to use it or reevalaluate it again and, at the same time, set a counter to the maf code as in your earlier examples. I added notes as I went through it. I was wondering Phil... you say that a bcc means branch if less than, in the instructions it says branch if it is a 0, can you verify which is more correct or is it instance specific, ie sometimes a comparison is either a 0 or a 1.... or is it always 0 or 1 in programming?

Daniel is correct in what he says. Let me explain it a little more.
The CPU has a register of flags that it uses to pass information from one instruction to the next. Each of these flags can be 0 or 1. Two of the most important ones are the "Carry flag" and the "Zero flag". The compare instruction sets or clears the Zero and Carry flags according to the result of the comparison.

For example: In the comparison: CPX 0x8C80

If X = the contents of address 0x8C80: The Zero flag gets set to 1. The Carry flag gets set to 1.
If X > the contents of address 0x8C80: The Zero flag gets set to 0. The Carry flag gets set to 1.
If X < the contents of address 0x8C80: The Zero flag gets set to 0. The Carry flag gets set to 0.

Now we have the branch instructions:
BEQ means Branch if EQual: Branch if the Zero flag is 1: Branch if X is equal to the value in Memory.

BNE means Branch if Not Equal: Branch if the Zero flag is 0. Branch if X is not equal to the value in Memory.

BCC means Branch if Carry Clear: Branch if the Carry flag is 0. Branch if X is less than the value in memory.

BCS means Branch if Carry Set: Branch if the Carry flag is 1. Branch if X is greater than or equal to the value in Memory.

009DC4    AE7C40        ldx     0x407c                          ; Call target from 9CF3
009DC7    EC808C        cpx     0x8c80 ;compare 407c with 8c80
009DCA    9026          bcc     0x9df2 ;branch if less, load 41af to memory
009DCC    EC828C        cpx     0x8c82 ;compare 407c with 8c82
009DCF    B021          bcs     0x9df2 ;branch if 1
009DD1    AE2D40        ldx     0x402d ;load 402d
009DD4    EC848C        cpx     0x8c84 ;compare with 8c84
009DD7    B005          bcs     0x9dde ;Clear maf code if 1
009DD9    EC868C        cpx     0x8c86 ;compare to 8c86
009DDC    B010          bcs     0x9dee ;clear maf code if 1
009DDE    A2AF41        ldx     #0x41af ; load to x register                       ; Branch target from 9DD7
009DE1    20DFA3        jsr     0xa3df ; Add 1 to counter at X
009DE4    CD888C        cmp     al, 0x8c88
009DE7    9004          bcc     0x9ded compare and exit if less
009DE9    0C424004      seb     #0x04, 0x4042 ;set maf code
009DED    60            rts                                     ; Branch target from 9DE7

009DEE    1C424004      clb     #0x04, 0x4042                   ; Branch target from 9DDC
009DF2    9CAF4100      ldm     #0x00, 0x41af                   ; Branch target from 9DCA, Branch target from 9DCF
009DF6    60            rts     

Eventually I decided I was side-tracked... again... and so I went to see what stored what at 407c which led me to sub ea43. Then i remembered you had already found 407c to be a rev count, which set me thinking that perhaps the comparison earlier was to see that when we had revs we had a sensible reading off the MAF and that the actual maf reading was at 41af. When I looked at what read to or from 41af though I found there was nothing doing a store at that address, the only reference is the sub 9dc4 ant there is no reference to the A/D chip which I was looking for. All my searches seem to lead me back to sub 9dc4. The only address in there that seems to be likely is 41af so I will log that tomorrow and see if it gives any readings that seem right. If it does prove to be correct does that mean that the MAF reads straight from memory with no stored record? 

All in all, I am more confused now, than I was when I staggered in from the hot midday sun three hours ago!
  I will keep you posted. Brett.

You are on the right track. 407C is a rev count and the program is checking whether the revs are within a certain range before it checks the MAF reading. You can tell that this is a precondition and not the actual test because if the value is outside the limit, the subroutine exits without setting or clearing the error flag, or incrementing the error counter. ie. It didn't perform the test so it doesn't mark it as pass or fail.

I think you got confused by the LDM #0x00,0x41AF. That means load the value 00 to memory address 0x41AF. If you look further up at 9DDE, you can see that 41AF is the MAF error counter. So this instruction is zeroing the error counter.

As Daniel said, after checking the rpm precondition, the subroutine proceeds to load 402D and compare it against limits. That is the one you want to trace.