Gauge sweep

Disassemble Convers+ firmware 7M2T-14C026-AG using IDA Pro

Re: Mk4 convers gauge sweep

Post by Go4IT »

So, let's go for the first sub and see what it does. This is its call graph:
[Attachment: callgraph_dspi.png]
I analyzed it to be an SPI sending function. Its purpose is to send a byte (up to 16 bits), passed in R0 when the function is called, to the SPI slave specified in the upper bits of R0 (PCS...) and to wait until it receives an answer. For this, it tries 1000 times to get an answer before it gives up.

; R0 = Data to be sent to SPI slave(s)
;      Bits 0-15 = DATA
;      Bits 16-23 = PCS0-PCS7 (Chip-Selects of slaves)
; Returns answer received from SPI slave in R0

dspiA_send                              ; CODE XREF: sub_198A2+20↑p
                                        ; sub_198A2+28↑p ...
                PUSH    {R4,LR}
                LDR     R1, =0xFC000000
                MOVS    R2, #0xB4000
                ADDS    R1, R1, R2      ; 0xFC0B 4000 = Base address of DSPI_A
                                        ; See datasheet 22-453 (PDF-page 519)
                LDR     R2, [R1]        ; load current status of DSPI configuration register "DSPIA_MCR"
                MOVS    R3, #0b10000000000
                ORRS    R2, R3
                STR     R2, [R1]        ; Clear RX FIFO Buffer (set Bit 10 to 1)
                LDR     R2, [R1]
                MOVS    R3, #1
                BICS    R2, R3
                STR     R2, [R1]        ; Clear HALT (Bit 0) in DSPIA_MCR so transfers can run
                LSLS    R2, R3, #31     ; R2 = 0b10000000 00000000 00000000 00000000
                ADDS    R0, R0, R2      ; Adds R2 value to R0 (parameter from call of this sub)
                                        ; Bit 31 = 1 = Keep peripheral chip select signals asserted between transfers
                STR     R0, [R1,#0x34]  ; Push data in R0 into TX FIFO

dspiA_wait_txFifo_empty                 ; CODE XREF: dspiA_send+28↓j
                LDR     R0, [R1,#0x2C]  ; Read back DSPI status register at 0xFC0B 402C (PDF-page 528)
                LSLS    R0, R0, #16
                LSRS    R0, R0, #28     ; Masks TXCTR into lowest Bits of R0 (value is 0 if all bytes of TX FIFO are sent)
                BNE     dspiA_wait_txFifo_empty ; Loop until TXCTR is 0 (TX FIFO empty)
                LDR     R2, =0x40003EC4 ; Used by DSPI_A transfer
                MOVS    R0, #1000       ; set "i" = 1000
                STR     R0, [R2]        ; Store "i" in RAM at 0x40003EC4
                B       wait_until_answer

wait_loop                               ; CODE XREF: dspiA_send+44↓j
                SUBS    R0, #1
                STR     R0, [R2]        ; Decrement "i"

wait_until_answer                       ; CODE XREF: dspiA_send+32↑j
                LDR     R0, [R1,#0x2C]
                LSLS    R0, R0, #24
                LSRS    R0, R0, #28     ; Masks RXCTR register
                BNE     read_answer     ; Load value of DSPI POP RX FIFO Register into R4
                LDR     R0, [R2]        ; Used by DSPI_A transfer
                CMP     R0, #0
                BNE     wait_loop       ; Loop until variable at 0x40003EC4 is 0

read_answer                             ; CODE XREF: dspiA_send+3E↑j
                LDR     R4, [R1,#0x38]  ; Load the next value from the RX FIFO Register into R4
                MOVS    R0, #10
                BL      sub_7206        ; delay by 10 units
                LSLS    R0, R4, #16     ; Masks RX data Bits
                POP     {R4}
                POP     {R3}
                LSRS    R0, R0, #16
                BX      R3              ; return from sub to caller, leaving R0 with the last byte received by SPI
; End of function dspiA_send
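A C rendering of the listing above, added here as an example and not part of the original post or the firmware. The `reg_read`/`reg_write` hooks, the `sim_*` device model and the `timed_out` output are assumptions made so the control flow can run on a host; they show that the TX wait has no timeout and that the RX FIFO is popped even when the 1000-try wait expires.

```c
#include <stdint.h>
#include <stdio.h>

/* Register offsets used in the listing (base 0xFC0B4000 on the real part). */
enum { MCR = 0x00, SR = 0x2C, PUSHR = 0x34, POPR = 0x38 };

/* Constructed host-side stand-in for DSPI_A; not real hardware behaviour. */
static uint32_t sim_mcr, sim_last_tx, sim_rx_word;
static int sim_slave_answers, sim_txctr, sim_rxctr;

static uint32_t reg_read(uint32_t off) {
    if (off == MCR) return sim_mcr;
    if (off == POPR) { if (sim_rxctr) sim_rxctr--; return sim_rx_word; }
    if (off != SR) return 0;
    uint32_t sr = ((uint32_t)sim_txctr << 12) | ((uint32_t)sim_rxctr << 4);
    if (sim_txctr) { sim_txctr--; sim_rxctr = sim_slave_answers; }
    return sr;
}

static void reg_write(uint32_t off, uint32_t v) {
    if (off == MCR) { sim_mcr = v; if (v & (1u << 10)) sim_rxctr = 0; }
    if (off == PUSHR) { sim_last_tx = v; sim_txctr = 1; }
}

/* C rendering of dspiA_send. timed_out is an added output (hypothetical);
   the firmware routine returns only the 16-bit value in R0. */
static uint16_t dspiA_send(uint32_t r0, int *timed_out) {
    reg_write(MCR, reg_read(MCR) | (1u << 10));  /* ORRS: clear RX FIFO */
    reg_write(MCR, reg_read(MCR) & ~1u);         /* BICS: clear bit 0 of MCR */
    reg_write(PUSHR, r0 + (1u << 31));           /* ADDS bit 31, push to TX FIFO */
    while ((reg_read(SR) >> 12) & 0xF) { }       /* wait TXCTR == 0: no timeout */
    uint32_t i = 1000;                           /* counter kept at 0x40003EC4 */
    while (((reg_read(SR) >> 4) & 0xF) == 0 && i != 0)
        i--;                                     /* wait_loop / wait_until_answer */
    *timed_out = (((reg_read(SR) >> 4) & 0xF) == 0);
    return (uint16_t)reg_read(POPR);             /* read_answer: runs on timeout too */
}

int main(void) {
    int t;
    sim_rx_word = 0x1234ABCD;                    /* constructed sample reply */
    sim_slave_answers = 1;
    unsigned r = dspiA_send(0x00010055, &t);
    printf("answering slave: 0x%04X timed_out=%d\n", r, t);
    sim_slave_answers = 0;
    r = dspiA_send(0x00010055, &t);
    printf("silent slave:    0x%04X timed_out=%d\n", r, t);
    return 0;
}
```

With the silent slave the routine still returns a 16-bit value, so a caller of the original function cannot tell a stale word from a real answer.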