
Problem with jmps/calls to other segment

Hello

I'm reverse engineering a car ECU and patching/adding code but cannot get my jmps or calls to work. I think I've completely missed something and hope that someone can help.

Thank you for any help!

Example:
A list of calls, and in one of the subroutines I can make a successful local JMPS (example 1), but
the long JMPS (example 2) or CALLS (example 3) to another segment makes the ECU crash or at least misbehave.
I need to JMPS away from the subroutine to add code and then return to the original subroutine.
The code (a mov to an external RAM address) that is removed to make room for the JMPS/CALLS will be put at the end of my far-away code before the return, or in some cases I can simply remove it.
I've made similar patches in other parts of the program with 100% function, but those might not have been in an interrupt subroutine.

loc_800xxx: (probably an interrupt subroutine)
. CALLS 80h, loc_802000
. CALLS 81h, loc_812000
. CALLS 82h, loc_821000
. CALLS 80h, loc_807000 (this calls my example)
. CALLS 83h, loc_838000
. RETS

=======================================================
example 1
---------
sub_807000:
807000 jmps 80h, loc_807008 (this jmps within the subroutine works well)
807004 nop
807006 nop
807008 mov word_381010, r5
80700c ...

=======================================================
example2
--------
sub_807000:
807000 JMPS 87h, loc_87e000 (this JMPS, with a JMPS back to 807004, does not work and seems to hang the ECU)
807004 mov word_381010, r5
807006 ....
807008 ....
80700c ....

87e000:
. NOP
. NOP
. JMPS 80h, loc_807004

=======================================================
example3
--------
sub_807000:
807000 CALLS 87h, loc_87e000 (this CALLS, with a RETS back to 807004, does not work and seems to hang the ECU)
807004 mov word_381010, r5
807006 ....
807008 ....
80700c ....

87e000:
. NOP
. NOP
. RETS
