Disassembly

As mentioned earlier, "disassembly" is the term for the process of converting the raw numeric representation of a program back into a human-readable form. To the Aprilia ECU, executing the following string of hexadecimal numbers as a sequence of instructions makes perfect sense:

964984288120262BDCD81AB39A77240B1AB39A7924081407802003

The computer decodes that sequence of numbers into a series of machine instructions, which it dutifully performs. A disassembler is a program that decodes the same sequence of instructions back into its equivalent human-readable form. If that same sequence of hexadecimal data is fed into a disassembler program, you get the following:

LC2D9: ldaA L0049
       andA #%00101000
       cmpA #$20
       bne @4
       ldD L00D8
       cmpD L9A77
       bcc @0
       cmpD L9A79
       bcc @1
       bset L0007, #%10000000
       jr @1

Non-programmers will argue that the term "human-readable" might be stretching it a bit when looking at the disassembled output of the original sequence. Don't feel bad, though: the code shown above is pretty meaningless even to hardened assembly language programmers. Nonetheless, disassembly is the first step in the process of turning the code snippet above into something meaningful. That's because you can go to the processor data sheet and look up what all those instructions like cmpA or ldD do. But doing that only explains what the processor will be doing. It does not explain why the processor should execute that sequence of instructions. What was going on in the head of the person who wrote that sequence? What is that sequence of instructions supposed to be doing? Answering those questions involves annotating the code with what you think is happening. Only then does the overall functional picture start to appear.

Getting Started

If you want to get hardcore and decode your own EPROM, a disassembler program is required for your PC. If you want to skip all that, I have a disassembled version of the stock USA Tuono 549USA EPROM that you can download below.

The choice of disassembler is completely dependent on the type of processor in the ECU. As mentioned in the components section, the processor in the Aprilia ECU is a Motorola MC68HC11G. In raw instruction set terms, the difference between a 68HC11G and any of the other 68HC11 variants is immaterial. If you Google for a "Motorola 68HC11 disassembler", you will find a bunch out there.

The one I used is called DHC11. It uses a "control file" to describe the name of the file where the input comes from and where the output goes. The DHC11 control file also allows you to specify known entry points so that the disassembler can tell the difference between instructions and data. The control file I wrote for disassembling the Aprilia 549US code can be downloaded here. It is pretty generic, but it does define names for all of the interrupt vectors supported by the 68HC11G.

Once you have some EPROM data, the DHC11 disassembler, and the control file loaded on your machine, you are ready to disassemble the code:

~/temp: dhc11.exe control
DHC11 - 68HC11 Disassembler v1.1 (c) Copyright 2000 Tech Edge Pty. Ltd.

Input file: 549us.bin
Input file 549us.bin has 32768 bytes ($8000).
Output file: 549.dis
Code resides from $8000 to $FFFF ($8000 bytes).
** Symbol "tbl1__13" is already Install at $C7CA ("tbl1__15" requested)
** Symbol "reset" is already Install at $C131 ("POR_00" requested)
** Symbol "reset" is already Install at $C131 ("CMF_00" requested)
** Symbol "reset" is already Install at $C131 ("COP_00" requested)
** Symbol "reset" is already Install at $C131 ("ILLEGAL_OP_00" requested)
** Symbol "reset" is already Install at $C131 ("SWI_00" requested)
** Symbol "reset" is already Install at $C131 ("XIRQ_00" requested)
** Symbol "reset" is already Install at $C131 ("IRQ_00" requested)
** Symbol "reset" is already Install at $C131 ("RTII_00" requested)
** Symbol "IC1F_ISR" is already Install at $F2B9 ("IC1F_00" requested)
** Symbol "IC2F_ISR" is already Install at $E545 ("IC2F_00" requested)
** Symbol "reset" is already Install at $C131 ("IC3F_00" requested)
** Symbol "OC1F_ISR" is already Install at $F227 ("OC1F_00" requested)
** Symbol "OC2F_ISR" is already Install at $F270 ("OC2F_00" requested)
** Symbol "reset" is already Install at $C131 ("OC3F_00" requested)
** Symbol "reset" is already Install at $C131 ("OC4F_00" requested)
** Symbol "reset" is already Install at $C131 ("OC5F_00" requested)
** Symbol "reset" is already Install at $C131 ("_00" requested)
** Symbol "reset" is already Install at $C131 ("_01" requested)
** Symbol "reset" is already Install at $C131 ("_02" requested)
** Symbol "reset" is already Install at $C131 ("_03" requested)
** Symbol "reset" is already Install at $C131 ("_04" requested)
** Symbol "reset" is already Install at $C131 ("_05" requested)
** Symbol "reset" is already Install at $C131 ("_06" requested)
** Symbol "reset" is already Install at $C131 ("_07" requested)
** Symbol "reset" is already Install at $C131 ("_08" requested)
** Symbol "reset" is already Install at $C131 ("_09" requested)
** Symbol "reset" is already Install at $C131 ("_10" requested)
** Symbol "reset" is already Install at $C131 ("_11" requested)
** Symbol "reset" is already Install at $C131 ("_12" requested)
** Symbol "reset" is already Install at $C131 ("_13" requested)
** Symbol "reset" is already Install at $C131 ("_14" requested)
** Symbol "reset" is already Install at $C131 ("_15" requested)
Indexed Call/Jump at $C49F, may require a vector table.
Indexed Call/Jump at $C565, may require a vector table.
Indexed Call/Jump at $C5AD, may require a vector table.
Indexed Call/Jump at $C5BC, may require a vector table.
Pass 1 found 1549 new entry points.
Entry point $5000 outside ROM image (ref. from PC = $C00A).
Pass 2 found 22 new entry points.
Pass 3 found 0 new entry points.
Total of 3 iteration(s) to find all code.
~/temp:

At this point, you now have a file on your machine called "549.DIS", and your journey really begins.

To save you some time, I have the 549.DIS file for you to download here. Feel free to look at 549.DIS using any kind of text editor - it's just a text file. In fact, open your 549.DIS text file and search for the text "LC2D9:". You will find the snippet of code I listed as an example at the top of this page.
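As an added example (not code from this page, and not DHC11 itself), here is a toy 68HC11 decoder in Python that covers the two things described on this page: decoding raw bytes into mnemonics, which reproduces the snippet at LC2D9 from the hex string at the top of the page, and following control flow from known entry points in passes until no new ones turn up, which is what the "Pass N found X new entry points" and "outside ROM image" lines in the DHC11 run above are reporting. The opcode table is a small subset of the MC68HC11 instruction set from the data sheet; the 64-byte ROM image, its $C000 base address and its single entry point are constructed for the demo; and the decoder prints absolute branch targets with standard Motorola mnemonics instead of DHC11's "@n" local labels.

```python
"""Toy 68HC11 disassembler: opcode decoding plus DHC11-style entry-point passes.
Added example, not code from the page and not DHC11. The opcode table is a small
subset of the MC68HC11 instruction set, enough for the snippet at $C2D9."""
from dataclasses import dataclass
from typing import Optional

# opcode -> (mnemonic, addressing mode); the mode fixes the operand length
OPCODES = {
    0x01: ("nop", "inh"), 0x39: ("rts", "inh"), 0x20: ("bra", "rel"),
    0x24: ("bcc", "rel"), 0x25: ("bcs", "rel"), 0x26: ("bne", "rel"),
    0x27: ("beq", "rel"), 0x81: ("cmpa", "imm8"), 0x84: ("anda", "imm8"),
    0x86: ("ldaa", "imm8"), 0x96: ("ldaa", "dir"), 0x97: ("staa", "dir"),
    0xB6: ("ldaa", "ext"), 0xDC: ("ldd", "dir"), 0xDD: ("std", "dir"),
    0xFC: ("ldd", "ext"), 0x14: ("bset", "dir_mask"), 0x15: ("bclr", "dir_mask"),
    0x7E: ("jmp", "ext"), 0xBD: ("jsr", "ext"),
}
PAGE2 = {0x83: ("cpd", "imm16"), 0x93: ("cpd", "dir"), 0xB3: ("cpd", "ext")}  # after $1A prefix
OPERAND_LEN = {"inh": 0, "rel": 1, "imm8": 1, "dir": 1, "ext": 2, "imm16": 2, "dir_mask": 2}
FLOW_END = {"rts", "jmp", "bra"}  # execution never falls through these


@dataclass
class Insn:
    addr: int
    length: int
    text: str
    target: Optional[int] = None  # branch/jsr/jmp destination, if any


def decode(rom, base, pc):
    """Decode one instruction at address pc (rom[0] lives at address base)."""
    i = pc - base
    op, prefix = rom[i], 1
    if op == 0x1A and rom[i + 1:i + 2] and rom[i + 1] in PAGE2:
        mnem, mode = PAGE2[rom[i + 1]]
        i, prefix = i + 1, 2
    elif op in OPCODES:
        mnem, mode = OPCODES[op]
    else:  # not a known opcode: emit as a data byte (the code-vs-data problem)
        return Insn(pc, 1, f"fcb ${op:02X}")
    ops = rom[i + 1:i + 1 + OPERAND_LEN[mode]]
    if len(ops) < OPERAND_LEN[mode]:  # operand would run past the end of the image
        return Insn(pc, 1, f"fcb ${op:02X}")
    length = prefix + len(ops)
    nxt = pc + length
    if mode == "inh":
        return Insn(pc, length, mnem)
    if mode == "rel":  # signed 8-bit offset, relative to the next instruction
        off = ops[0] - 0x100 if ops[0] >= 0x80 else ops[0]
        return Insn(pc, length, f"{mnem} ${nxt + off:04X}", nxt + off)
    if mode == "dir_mask":  # bset/bclr: direct-page address, then bit mask
        return Insn(pc, length, f"{mnem} ${ops[0]:02X},#${ops[1]:02X}")
    val = int.from_bytes(ops, "big")
    pound = "#" if mode.startswith("imm") else ""
    tgt = val if mnem in ("jmp", "jsr") else None
    return Insn(pc, length, f"{mnem} {pound}${val:0{2 * len(ops)}X}", tgt)


def disassemble_linear(rom, base):
    """Straight-line decode of a byte string, as for the snippet shown at LC2D9."""
    out, pc = [], base
    while pc < base + len(rom):
        out.append(decode(rom, base, pc))
        pc += out[-1].length
    return out


def find_code(rom, base, entry_points):
    """Follow control flow from known entry points (the interrupt vectors in a real
    image). Returns reachable code {addr: Insn}, new entry points found per pass
    (DHC11's 'Pass N found X'), and targets outside the image ('outside ROM image')."""
    end, known, code, passes, outside = base + len(rom), set(entry_points), {}, [], set()
    pending = list(entry_points)
    while pending:
        new = set()
        for pc in pending:
            while base <= pc < end and pc not in code:
                insn = code[pc] = decode(rom, base, pc)
                t = insn.target
                if t is not None and t not in known and t not in code:
                    (new if base <= t < end else outside).add(t)
                if insn.text.split()[0] in FLOW_END:
                    break
                pc += insn.length
        known |= new
        passes.append(len(new))
        pending = sorted(new)
    return code, passes, outside


def listing(insns, rom, base):
    """Render address, raw bytes and mnemonic, the way a .DIS listing does."""
    return [f"{x.addr:04X}  {rom[x.addr - base:x.addr - base + x.length].hex(' ').upper():<12} {x.text}"
            for x in insns]


# The 27 bytes the page shows at LC2D9 (copied from the page).
SNIPPET = bytes.fromhex("964984288120262BDCD81AB39A77240B1AB39A7924081407802003")
# Constructed 64-byte image at $C000: code at $C000 jumps to $C010, which calls the
# page snippet placed at $C020; the zero bytes are never-executed data.
ROM = (bytes.fromhex("7EC010") + bytes(13)                                 # $C000: jmp $C010
       + bytes.fromhex("8601" "9749" "BDC020" "20FE") + bytes(7)           # $C010: ldaa/staa/jsr/bra
       + SNIPPET + bytes.fromhex("39") + bytes(2) + bytes.fromhex("39") + bytes(1))

if __name__ == "__main__":
    print("\n".join(listing(disassemble_linear(SNIPPET, 0xC2D9), SNIPPET, 0xC2D9)))
    code, passes, outside = find_code(ROM, 0xC000, [0xC000])
    print(*(f"Pass {n} found {k} new entry points." for n, k in enumerate(passes, 1)), sep="\n")
```

Running it prints the eleven instructions of the snippet with their addresses and raw bytes, then four passes over the constructed image (1, 1, 2 and 0 new entry points), with the snippet's bne target landing outside the 64-byte image the same way DHC11 reported $5000. The byte-for-byte padding at $C003 is never decoded because no control flow reaches it, which is exactly the distinction the control file's entry points let DHC11 make on the real EPROM.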