Manuel sent me this PM, and rather than respond in private I thought I would discuss it in public so others can benefit. We have covered some of the 'dirty tricks' used by Toyota to save memory, and this is another example (see post 66 where we discuss a similar scheme)
Basically, the instruction "brn 0D26Dh" is a glorified 2 byte no-operation. It does nothing since brn is "branch never" and so the relative address following is ignored.
That means you can put anything in the last byte and it will always just be skipped over. Now, suppose that you purposely have a test somewhere in the code that branches to the second byte of the brn instruction. This is normally considered illegal, and disassemblers will flag it as an error as IDA does, but it is perfectly okay to do this if you are doing it on purpose to save space. In this case, the BLE instruction at address 201 does exactly that It looks illegal, but is in fact 100% intended. Thus, it will use, in this case, 67h (the offset to address D26Dh) as the instruction opcode, which is
SET c
This saves space because they don't need to add a branch after the "clr c" code to steer around it, since it blasts thru the brn as a NOP, saving one byte of code space. Yeah, one lousy byte, but they only had 12kB to work with, so it matters. I think this philosophy has it roots in even earlier ECU processors having as little as 2kB of ROM.
Note that the DOUT register is typically used to drive injectors and ignition. That fragment code looks familiar, and I think it is part of the ignition computation.
auto351 said:
just working on the I/O mapping but had a quick look at the code again and I found a problem with the disassemble flow
the BRN is a branch never but IDA puts a red line to the address which follow the instruction,
this cause code to show up in the data area
the delow data should ends at D281 but finished at D,26B, becuse of the BRN
here is the call and below that is the calling code
ROM1FB shl d
ROM1FC shl d
ROM1FD sub a, #06h
ROM1FF cmp a, $0C7h
ROM201 ble 0D205h
ROM203 clrc
ROM204 brn 0D26Dh ; CODE XREF: ROM201j
ROM206 ret
ROM206 ; ---------------------------------------------------------------------------
ROM207 .db 60h ; `
ROM208 .db 22h ; "
ROM209 .db 70h ; p
ROM20A .db 26h ; &
ROM20B .db 80h ; Ç
ROM
rem RAM data loaded when batt lost?
ROM263 .dw 9500h
ROM265 .dw 9680h
ROM267 .dw 9700h
ROM269 .dw 9855h
ROM26B .dw 9955h
ROM26D ; ---------------------------------------------------------------------------
ROM26D
ROM26D loc_D26D: ; CODE XREF: ROM204j
ROM26D st d, $55h
ROM26F ld s, $55h
ROM271 cmp x, $55h
ROM273 cmp y, $00h ; Port A i/o config
ROM275 cmp x, #608Dh
ROM278 ld y, $9Eh
ROM27A nop
ROM27B ld y, $00h ; Port A i/o config
ROM27D ld d, #5587h
ROM280 st d, x + 00h
ROM282 nop
ROM283 shl d
ROM284 shl $01h ; Port B i/o config
ROM286 dec x + 01h
ROM288 nmi
