Old 02-04-2005, 09:58   #1 (permalink)
charlielao
Profile Logo Patch selectable Help


@Rc-flitzer and other Masters:
Will you kindly explain some questions please?
From disassembling Profile Logo Patch:
27D690: D7 40 36 00 : extp #36h, #1
27D694: F2 FC 6C 09 : mov r12, mem_96C
27D698: 9A FC 0C 40 : jnb r12.4, loc_27D6B4
above are for the selectable part. How about these parts below?
27D69C: E0 04 : mov r4, #0 <= what is r4 and #0?
27D69E: DA A4 66 98 : calls 0A4h, loc_A49866 <=what's in this location(A49866)?
27D6A2: 06 F4 20 02 : add r4, #220h <= drawn from the fw image 220hex
27D6A6: F0 E4 : mov r14, r4 <= what is r14 and r4?
27D6A8: E6 FC 30 00 : mov r12, #30h <= for the x position
27D6AC: E6 FD 43 00 : mov r13, #43h <= for the y position
27D6B0: DA C1 EC 22 : calls 0C1h, loc_C122EC <= calls on C122EC for the main screen graphics
27D6B4: DB 00 : loc_27D6B4:
27D6B4: DB 00 : rets
  Reply With Quote
Old 02-04-2005, 13:47   #2 (permalink)
lalo.lerry
First of all, let me complete your patch disasm:

...
above are for the selectable part. How about these parts below?
27D69C: E0 04 : mov r4, #0 ;store word 0 in r4 (needed to set 0 the rh4)
27D69E: DA A4 66 98 : calls 0A4h, loc_A49866 ; getProfile (): it gets temporary profile in use in rl4: 0-7 =profile 1-8
27D6A2: 06 F4 20 02 : add r4, #220h ;add 220 to r4= get profile in use picture ID
27D6A6: F0 E4 : mov r14, r4
27D6A8: E6 FC 30 00 : mov r12, #30h <= for the x position
27D6AC: E6 FD 43 00 : mov r13, #43h <= for the y position
27D6B0: DA C1 EC 22 : calls 0C1h, loc_C122EC ;drowPITPicture () : it draws the ID picture specified by r14 at r12(=x) and r13(=y) position
27D6B4: DB 00 : loc_27D6B4:
27D6B4: DB 00 : rets

Is it clearer now?

Then... have you understood what r0-r15 are?
They are called General Purpose Registers (or GPRs) and are used to store variable word data inside a routine.
The first 0-7 registers are byte addressable and can be addressed by their low or high byte.
There are also other registers in use, called Special Function Registers (or SFRs).

Calls and their register answers can be tested with the Debugger, which also lets you look at RAM locations.
Calls must have their registers set correctly before calling them, to obtain the right effect.

Bye

Lalo

Last edited by lalo.lerry; 02-04-2005 at 21:16.
  Reply With Quote
Old 02-05-2005, 01:00   #3 (permalink)
charlielao
@lalo:
some more questions
r0-r7 are byte addressable <= what does this mean?
Hi byte and low byte <= what does this mean?
How about r8-r15? How will I know which Rw to use?
  Reply With Quote
Old 02-05-2005, 02:33   #4 (permalink)
lalo.lerry
@charlie:
Bit/byte addressable means that you can point to a specific bit/byte with the right asm commands (for example, extp, jb, jnbc, movb, cmpb ...)

1 word = 2 bytes = 4 nibbles = 16 bits... right?
High byte and low byte are what the 2 bytes that make a word are called.
r0-r7 can also be used with only one byte of their word (rh0, rl0, rh1, rl1, ... rh7, rl7),
while r8-r15 have to be used entirely, the whole word.

Which registers to use... look at how they are used in the original fw.
E.g.: r12 is very often used to specify a function in a call, r4 is very often used to store state functions, r9:r8 and r15:r14 are used to carry Page:Offsets...

But you can use any of them (except r0), if you have previously saved it.
  Reply With Quote
Old 02-05-2005, 05:58   #5 (permalink)
charlielao
@lalo:
Thank you for your answers. Sorry for all the questions. I tried to read your explanation in another forum but it is in German. The online translation is not very good. Here are more questions:
27D690: D7 40 36 00 : extp #36h, #1 <= EXTP is a condition to do the routine of the patch? where did we get #36h and #1?
27D69C: E0 04 : mov r4, #0 ;store word 0 in r4 (needed to set 0 the rh4)
<= why do we need to set the r4 High byte to 0?
27D69E: DA A4 66 98 : calls 0A4h, loc_A49866 ; getProfile (): it gets temporary profile in use in rl4: 0-7 =profile 1-8
<= how do we know that getProfile is loc A49866? ex. where do i look to get loc of games/the maze/level?
27D6A6: F0 E4 : mov r14, r4 <= store r4 word to r14 so we can put a x and y position to r14 and draw it on the mainscreen?
  Reply With Quote
Old 02-07-2005, 00:12   #6 (permalink)
lalo.lerry
@charlie:
Quote:
27D690: D7 40 36 00 : extp #36h, #1 <= EXTP is a condition to do the routine of the patch? where did we get #36h and #1?
Not exactly, my friend.

command EXTP= Begin EXTended Page Sequence

Theoretically:
Quote from the C166 Instruction Set Manual, pg. 78 (I strongly recommend reading it)
Quote:
... Overrides the standard DPP addressing scheme of the long and
indirect addressing modes for a specified number of instructions.
During their execution both standard/PEC interrupts and class A
hardware traps are locked. The EXTP instruction becomes
immediately active such that no additional NOPs are required.
For any long (‘mem’) or indirect ([…]) address in the EXTP
instruction sequence, the 10-bit page number (address bits A23 -
A14) is not determined by the contents of a DPP register but by the
value of op1 itself. The 14-bit page offset (address bits A13 - A0)
is derived from the long or indirect address as usual. The value of
op2 defines the length of the effected instruction sequence. ...
Practically:
extp is a command that makes the Instruction Pointer jump to a specific location, do its instruction (read/write a byte/word), and come back to the current routine.
Which location is specified by operand 1 for Page, and by the following instructions for Offset.
Operand 2 specifies how many instructions are to be executed at the extended page.

Now look back to the patch:
27D690: D7 40 36 00 : extp #36h, #1
27D694: F2 FC 6C 09 : mov r12, mem_96C

This means:
for the next instruction, jump for the next 1 instruction to 36:096C and store its word value in r12.
RAM location 36:096C (=0D896C in Seg:Offset writing) is the word where NAM settings are stored.
So at the end of it you will have NAM settings in r12.

Answering your question:
36=page of RAM NAM word (chosen by patch creator=RizaPN)
1=only one following instruction is affected.



Quote:
27D69C: E0 04 : mov r4, #0 ;store word 0 in r4 (needed to set 0 the rh4)
<= why do we need to set the r4 High byte to 0?
27D69E: DA A4 66 98 : calls 0A4h, loc_A49866 ; getProfile (): it gets temporary profile in use in rl4: 0-7 =profile 1-8
After you have called A49866, you have the profile number in return in rl4.
Meaning, only the low byte of word r4 stores the number of the temporarily used profile.
The high byte is unaffected by this command, so rh4 will have an unknown value.
But in the following part of the routine you have to add this word in r4 to a #data16 (220hex), and you need the value in word r4 to be only the right rl4 value.
So you can previously set the entire r4 word to 0, as RC-Flitzer did.

Quote:
27D69E: DA A4 66 98 : calls 0A4h, loc_A49866 ; getProfile (): it gets temporary profile in use in rl4: 0-7 =profle 1-8
<= how do we know that getProfile is loc A49866? ex. where do i look to get loc of games/the maze/level?
3 possibilities:
-studying, testing and understanding fw routines
-studying and understanding other patches
-other patchmasters' databases

Quote:
27D6A6: F0 E4 : mov r14, r4 <= store r4 word to r14 so we can put a x and y position to r14 and draw it on the mainscreen?
No, x and y positions are stored in r12 and r13 respectively.

The motivation is in the call C122EC ;drowPITPicture ()
Let's look at how it must be called correctly:

in r12 must be stored x pos
in r13 must be stored y pos
in r14 must be stored picture ID
call C122EC ;drowPITPicture ()

So, that mov r4,r14 is needed to set the wanted picture ID in r14 before the draw call


I'VE FINISHED THE LESSON!
So, it's hard to get started with fw patching, isn't it?
GO AHEAD!
Bye

Lalo



BTW:
Quote:
I tried to read your explanation in another forum but it is in German.
Where? I don't remember having written about this on any other forum except my Italian one and this one.

Last edited by lalo.lerry; 02-07-2005 at 00:26.
  Reply With Quote
Old 02-07-2005, 00:51   #7 (permalink)
charlielao
@lalo:
hehe sorry, it was rc-flitzer who wrote the German instructions but you posted the webpages
Thank you for your time Professor. I will try to understand more of the C166 programming. It IS VERY HARD to start understanding fw programming. But i will surely ask for more questions

Last edited by charlielao; 02-07-2005 at 01:07.
  Reply With Quote
Old 02-07-2005, 10:04   #8 (permalink)
charlielao
@Prof Lalo:
I read the C166 inst manual but couldn't understand some of it. I had to work "hands on". Please see if I understood this correctly (from free SMS indicator of MSP):

40CDC0: D7 40 0E 00 : extp #0Eh, #1
40CDC4: F2 FC 42 3A : mov r12, mem_3BA42 <= jump to RAM loc 000E:3A42 (Offset=383A42?) and store word value to r12
using Hexit i did this: 0E * 4000 = 38
and 3BA42 % 4000 = 3A42 (correct?)
40CDC8: 9A FC 30 E0 : jnb r12.14, loc_40CE2C <= if bit is clear then go to loc40CE2C, ELSE next line
r12.14 means function 14?
40CDCC: 88 70 : mov [-r0], r7 <= this i dont know
40CDCE: 88 80 : mov [-r0], r8 <= this i dont know
40CDD0: E6 F8 1E 02 : mov r8, #21Eh <= r8 equals picID #21Eh
40CDD4: D7 40 0D 00 : extp #0Dh, #1
40CDD8: F2 FC D8 29 : mov r12, mem_29D8 <= jump to RAM loc 0D:29D8 (Offset=3429D8?) and store word value in r12
40CDDC: 3D 05 : jmpr cc_NZ, loc_40CDE8 <= if ??? is not Zero jump to loc 40CDE8, ELSE go to next line. (what is ???)
40CDDE: D7 40 0D 00 : extp #0Dh, #1
40CDE2: F2 FC D4 29 : mov r12, mem_29D4 <= jump to RAM loc 0D:29D4 (Offset=3429D4?) and store word value in r12
40CDE6: 0D 02 : jmpr cc_UC, loc_40CDEC <= Unconditional. Just go to loc 40CDEC?
;------------------------------------------------------------
40CDE8: E6 F8 1F 02 : loc_40CDE8:
40CDE8: E6 F8 1F 02 : mov r8, #21Fh <= r8 picID #21Fh
40CDEC: E6 FE 01 02 : loc_40CDEC:
40CDEC: E6 FE 01 02 : mov r14, #201h <= r14 picID #201h
40CDF0: F6 FC 0E FE : mov mem_FE0E, r12 <= store r12 value to mem_FE0E RAM loc 0D:FE0E?
Is mem_FE0E the RAM loc of free sms on sim location?
40CDF4: E0 A7 : mov r7, #0Ah <= where did #0Ah come from?
40CDF6: 5B 77 : divu r7 <= use div to make r7 mem_xxxx word so we can store next line?
40CDF8: F2 F7 0C FE : mov r7, mem_FE0C <= r7 equals mem_FE0E
40CDFC: 02 FE 0E FE : add r14, mem_FE0E <= add mem_FE0E to picID in r14?
40CE00: E6 FC 51 00 : mov r12, #51h <= xpos
40CE04: E0 9D : mov r13, #9 <= ypos
40CE06: 88 D0 : mov [-r0], r13 <= this i dont know
40CE08: DA C1 EC 22 : calls 0C1h, loc_C122EC <= calls C122EC to draw pic
40CE0C: E6 FE 01 02 : mov r14, #201h <= r14 equals picID #201h
40CE10: 00 E7 : add r14, r7 <= add r7 to r14
40CE12: E6 FC 57 00 : mov r12, #57h <= xpos
40CE16: A8 D0 : mov r13, [r0] <= this i dont know
40CE18: DA C1 EC 22 : calls 0C1h, loc_C122EC
40CE1C: F0 E8 : mov r14, r8 <= r14 becomes picID #21Fh
40CE1E: E6 FC 5D 00 : mov r12, #5Dh <= xpos
40CE22: 98 D0 : mov r13, [r0+] <= this i dont know
40CE24: DA C1 EC 22 : calls 0C1h, loc_C122EC <= like 40CE08
40CE28: 98 80 : mov r8, [r0+] <= this i dont know
40CE2A: 98 70 : mov r7, [r0+] <= this i dont know
40CE2C: DB 00 : rets
;------------------------------------------------------------
  Reply With Quote
Old 02-07-2005, 22:45   #9 (permalink)
lalo.lerry
@Scholar Charlie:

Quite right... you have already made great improvements.
Let me sign only your misunderstandings:

40CDC0: D7 40 0E 00 : extp #0Eh, #1
40CDC4: F2 FC 42 3A : mov r12, mem_3BA42 <= jump to RAM loc 000E:3A42 (Offset=383A42?) and store word value to r12
using Hexit i did this: 0E * 4000 = 38
and 3BA42 % 4000 = 3A42 (correct?)
Not completely. Segment:Offset=(Page*4000)+Offset
In this case:
000E:3A42 = 3BA42 (=unread SMS RAM location)
You have misunderstood mem_3BA42, this is already in Seg:Off notation
To convert between the two addressing methods use AlexSid's calc166 (or similar, e.g. Smelter's integrated one)
BTW, I suggest using the latest release of SFE (v2.39); it writes it in both notations

40CDC8: 9A FC 30 E0 : jnb r12.14, loc_40CE2C <= if bit is clear then go to loc40CE2C, ELSE next line
r12.14 means function 14?
Not completely right:
this instruction says: "if bit 14 of the word in r12 is not set, jump 3 words ahead (to loc_40CE2C), ELSE do the following line"

40CDCC: 88 70 : mov [-r0], r7 <= this i dont know
40CDCE: 88 80 : mov [-r0], r8 <= this i dont know
Store words r7 and r8 to r0 (system stack). Just a way to save a register value.
This is done because these registers will be used in the patch, and so their values will vary - but these values are needed for the rest of the fw routine; if they are changed, the phone crashes. To prevent it, just save them at the beginning of the patch and restore them at the end of it.

40CDD0: E6 F8 1E 02 : mov r8, #21Eh <= r8 equals picID #21Eh
No, just store value #21E in r8

40CDD4: D7 40 0D 00 : extp #0Dh, #1
40CDD8: F2 FC D8 29 : mov r12, mem_29D8 <= jump to RAM loc 0D:29D8 (Offset=3429D8?) and store word value in r12
40CDDC: 3D 05 : jmpr cc_NZ, loc_40CDE8 <= if ??? is not Zero jump to loc 40CDE8, ELSE go to next line. (what is ???)
if previously used register (r12) is NOT ZERO, jump 5 words ahead
He just decided to save a word of command.
In some cases, like this one, you don't need to specify the compare operands.

40CDE6: 0D 02 : jmpr cc_UC, loc_40CDEC <= Unconditional. Just go to loc 40CDEC?
Yes

40CDF0: F6 FC 0E FE : mov mem_FE0E, r12 <= store r12 value to mem_FE0E RAM loc 0D:FE0E?
Is mem_FE0E the RAM loc of free sms on sim location?
40CDF4: E0 A7 : mov r7, #0Ah <= where did #0Ah come from?
40CDF6: 5B 77 : divu r7 <= use div to make r7 mem_xxxx word so we can store next line?
40CDF8: F2 F7 0C FE : mov r7, mem_FE0C <= r7 equals mem_FE0E
Ehehehe.. no, my dear scholar:
MDH and MDL are SFRs (special function registers) used to make multiplication or division (see C166 ism)
FE0E=MDL register
FE0C=MDH register
so, the sense of this part is:

r12 : 10dec , and store its rest(=only the decimals) in r7


40CE06: 88 D0 : mov [-r0], r13 <= this is dont know = save register value

40CE16: A8 D0 : mov r13, [r0] <= this i dont know = restore register value

40CE28: 98 80 : mov r8, [r0+] <= this i dont know = restore previously saved register value
40CE2A: 98 70 : mov r7, [r0+] <= this i dont know = restore previously saved register value

END OF LESSON 4!
  Reply With Quote
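Added example, not part of the original thread or of any tool named in it: a small Python helper that decodes the `extp` + `mov` pairs quoted in posts #6, #8 and #9 and applies the (Page*4000h)+Offset rule to get the linear RAM address. The instruction encodings in the comments are assumptions taken from the byte listings above and the C166 instruction format; all function names are made up for this illustration.

```python
# Added illustration (not from the thread): resolve the RAM address touched by
# an EXTP-prefixed MOV, using the byte sequences quoted in the posts above.
# Encodings assumed: EXTP #pag,#irang = D7 4x pp 0p; MOV reg,mem = F2 Fn lo hi;
# MOV mem,reg = F6 Fn lo hi (Fn = GPR rn).

PAGE_BITS = 14                      # a C166 data page is 4000h bytes


def page_to_linear(page: int, offset: int) -> int:
    """Page:Offset -> linear address, i.e. (Page * 4000h) + Offset."""
    if not 0 <= page < 0x400:
        raise ValueError("page number must fit in 10 bits")
    return (page << PAGE_BITS) | (offset & 0x3FFF)


def linear_to_page(addr: int) -> tuple:
    """Linear address -> (page, 14-bit offset)."""
    return addr >> PAGE_BITS, addr & 0x3FFF


def decode_extp(code: bytes) -> tuple:
    """Return (page, count) for an 'extp #pag, #irang' instruction."""
    if len(code) < 4 or code[0] != 0xD7 or (code[1] & 0xCF) != 0x40:
        raise ValueError("not an EXTP #pag, #irang encoding")
    count = ((code[1] >> 4) & 0x03) + 1          # 1..4 following instructions
    page = code[2] | ((code[3] & 0x03) << 8)     # 10-bit page number
    return page, count


def decode_mov_mem(code: bytes) -> tuple:
    """Return (direction, register, mem16) for F2/F6 MOV with a GPR operand."""
    if len(code) < 4 or code[0] not in (0xF2, 0xF6) or code[1] < 0xF0:
        raise ValueError("not a MOV between a GPR and a mem operand")
    direction = "load" if code[0] == 0xF2 else "store"
    return direction, f"r{code[1] & 0x0F}", code[2] | (code[3] << 8)


def resolve(code: bytes) -> dict:
    """Decode 'extp' + the MOV it covers and compute the effective address."""
    page, count = decode_extp(code[:4])
    direction, reg, mem16 = decode_mov_mem(code[4:8])
    # Under EXTP the page comes from op1; only bits 13-0 of mem are used.
    return {"reg": reg, "dir": direction, "page": page, "count": count,
            "offset": mem16 & 0x3FFF, "linear": page_to_linear(page, mem16)}


# Byte sequences copied from the listings in the thread.
SAMPLES = {
    "27D690": bytes.fromhex("D7403600F2FC6C09"),
    "40CDC0": bytes.fromhex("D7400E00F2FC423A"),
    "40CDD4": bytes.fromhex("D7400D00F2FCD829"),
}

if __name__ == "__main__":
    for where, raw in SAMPLES.items():
        r = resolve(raw)
        print(f"{where}: {r['dir']} {r['reg']} <-> "
              f"{r['page']:02X}:{r['offset']:04X} = {r['linear']:06X}")
```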
Old 02-08-2005, 03:12   #10 (permalink)
charlielao
@Prof Lalo:

40CDCC: 88 70 : mov [-r0], r7
40CDCE: 88 80 : mov [-r0], r8
Store r7 and r8 to system stack r0 because the fw will use this the whole
time the patch is set to on? What will happen if we just use r7 and r8 and not save its value to r0?

40CDF4: E0 A7 : mov r7, #0Ah <= where did #0Ah come from?

r12 : 10dec , and store it's rest(=only the decimals) in r7
Why did he have to do this part of the routine? What is its connection
to the other parts of the patch?

40CE06: 88 D0 : mov [-r0], r13 <= store ypos value (#9) to r0 pre-decremented by 2 to move the integer 2 spaces to the left?
40CE10: 00 E7 : add r14, r7 <= add r7 to show the number of free sms?
40CE16: A8 D0 : mov r13, [r0] <= ypos=r0 because previous r13 value was stored in r0 already?
40CE22: 98 D0 : mov r13, [r0+] <= ypos=r0 post-incremented by 2 to move the next number indicator 2 spaces to the right?

On another topic:
I downloaded IDA Pro but dont know how to use the Display Graph of each routine.
I think i can learn more if i can see the graph of where each line of a patch goes.

In APPv3 Profile 1, if i store mem_3CA42 to r12, then the functions 1-16
will be r12.0,r12.1,to r12.15?
What mnemonic is used to set/clear a flag?

Last edited by charlielao; 02-08-2005 at 09:44.
  Reply With Quote
Old 02-08-2005, 15:50   #11 (permalink)
lalo.lerry
- deleted because double posted -
  Reply With Quote
Old 02-08-2005, 15:52   #12 (permalink)
lalo.lerry
@Little Charlie:

40CDCC: 88 70 : mov [-r0], r7
40CDCE: 88 80 : mov [-r0], r8
Store r7 and r8 to system stack r0 because the fw will use this the whole
time the patch is set to on? What will happen if we just use r7 and r8 and not save its value to r0?
Already answered!
I don't know which values are stored in r7 and r8 in this case (-certainly important values for the next routines- usually in r8:r7 there is Page:Offset for the RAM display buffer, but SL45 doesn't use the same registers as S45i), but these values are changed in the patch routine.
At the end, if these values aren't corrected by restoring them, the PHONE CRASHES (or at least has strange behaviours).
Try it if you don't believe me!!!
BTW, this trick to save-restore registers at the beginning/end of routines is CONSTANTLY USED in the original fw.


40CDF4: E0 A7 : mov r7, #0Ah <= where did #0Ah come from?

r12 : 10dec , and store it's rest(=only the decimals) in r7
Why did he have to do this part of the routine? What is its connection
to the other parts of the patch?

Well, I'm not RC-Flitzer, I haven't tried this patch, nor seen any patch explanation.
But I think it is only to delete the drawing of the leading 0
Anyway, better ask him...


40CE06: 88 D0 : mov [-r0], r13 <= store ypos value (#9) to r0 pre-decremented by 2 to move the integer 2 spaces to the left?
40CE10: 00 E7 : add r14, r7 <= add r7 to show the number of free sms?
40CE16: A8 D0 : mov r13, [r0] <= ypos=r0 because previous r13 value was stored in r0 already?
40CE22: 98 D0 : mov r13, [r0+] <= ypos=r0 post-incremented by 2 to move the next number indicator 2 spaces to the right?
Yes

On another topic:
I downloaded IDA Pro but dont know how to use the Display Graph of each routine.
I think i can learn more if i can see the graph of where each line of a patch goes.
I never used this feature.
For me the display graph is too messy, not useful.
But this is only IMHO.


In APPv3 Profile 1, if i store mem_3CA42 to r12, then the functions 1-16
will be r12.0,r12.1,to r12.15?
What mnemonic is used to set/clear a flag?
YES!
mem is:
bset to set a specific bit in a register word
bclr to clear it

END OF 5TH LESSON!
Bye

Lalo
  Reply With Quote
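Added example, not part of the original thread or the patch author's code: a Python model of the routine at 40CDCC-40CE2A from post #8, showing the `[-r0]` / `[r0]` / `[r0+]` save-restore pattern and the `divu` through MDL/MDH discussed in posts #9 and #12. Assumptions: the two RAM words are plain inputs named only by their address, `mov` sets the zero flag that `jmpr cc_NZ` tests, and the draw call at C122EC is modeled as overwriting r12-r14 so the effect of reloading r13 from the stack is visible.

```python
# Added illustration: register/stack model of the listing in post #8.
# The draw call is a stand-in that records its arguments; values are constructed.

class Cpu:
    def __init__(self, sp=0x1000):
        self.r = [0] * 16            # r0..r15; r0 is the stack pointer here
        self.r[0] = sp
        self.stack = {}              # sparse word memory for the stack
        self.mdl = self.mdh = 0      # SFRs at FE0E (MDL) and FE0C (MDH)

    def push(self, n):               # mov [-r0], rN : r0 -= 2, then store
        self.r[0] = (self.r[0] - 2) & 0xFFFF
        self.stack[self.r[0]] = self.r[n]

    def peek(self, n):               # mov rN, [r0]  : load, r0 unchanged
        self.r[n] = self.stack[self.r[0]]

    def pop(self, n):                # mov rN, [r0+] : load, then r0 += 2
        self.r[n] = self.stack[self.r[0]]
        self.r[0] = (self.r[0] + 2) & 0xFFFF

    def divu(self, n):               # divu rN : MDL = MDL / rN, MDH = MDL mod rN
        self.mdl, self.mdh = divmod(self.mdl, self.r[n])


def sms_indicator(word_29d8, word_29d4, r7_in=0x1111, r8_in=0x2222):
    """Run the routine; return (list of (x, y, picture_id) draws, final Cpu)."""
    cpu, draws = Cpu(), []
    cpu.r[7], cpu.r[8] = r7_in, r8_in          # caller's values (constructed)

    def draw():                                # calls 0C1h, loc_C122EC
        draws.append((cpu.r[12], cpu.r[13], cpu.r[14]))
        cpu.r[12] = cpu.r[13] = cpu.r[14] = 0xDEAD   # assumed clobbered

    cpu.push(7); cpu.push(8)                   # 40CDCC, 40CDCE: save r7, r8
    cpu.r[8] = 0x21E                           # 40CDD0
    cpu.r[12] = word_29d8                      # 40CDD4: extp #0Dh + mov r12, mem_29D8
    if cpu.r[12] != 0:                         # 40CDDC: jmpr cc_NZ
        cpu.r[8] = 0x21F                       # 40CDE8
    else:
        cpu.r[12] = word_29d4                  # 40CDDE: extp #0Dh + mov r12, mem_29D4
    cpu.r[14] = 0x201                          # 40CDEC
    cpu.mdl = cpu.r[12]                        # 40CDF0: mov mem_FE0E, r12
    cpu.r[7] = 0x0A                            # 40CDF4
    cpu.divu(7)                                # 40CDF6: quotient -> MDL, rest -> MDH
    cpu.r[7] = cpu.mdh                         # 40CDF8: mov r7, mem_FE0C
    cpu.r[14] = (cpu.r[14] + cpu.mdl) & 0xFFFF # 40CDFC: add r14, mem_FE0E
    cpu.r[12], cpu.r[13] = 0x51, 9             # 40CE00, 40CE04
    cpu.push(13)                               # 40CE06: keep y across the calls
    draw()                                     # 40CE08
    cpu.r[14] = 0x201 + cpu.r[7]               # 40CE0C, 40CE10
    cpu.r[12] = 0x57; cpu.peek(13)             # 40CE12, 40CE16
    draw()                                     # 40CE18
    cpu.r[14] = cpu.r[8]                       # 40CE1C
    cpu.r[12] = 0x5D; cpu.pop(13)              # 40CE1E, 40CE22
    draw()                                     # 40CE24
    cpu.pop(8); cpu.pop(7)                     # 40CE28, 40CE2A: restore r8, r7
    return draws, cpu


if __name__ == "__main__":
    for x, y, pic in sms_indicator(0, 23)[0]:
        print(f"draw pic {pic:03X}h at x={x:02X}h y={y}")
```

Removing the two `push`/`pop` pairs for r7 and r8 in this model leaves the caller's values replaced by 21Eh/21Fh and the division rest, which is the corruption post #12 warns about.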
Old 02-09-2005, 00:44   #13 (permalink)
charlielao
@Professor Lalo:
Thank you for the answers. I'll try to read it later to understand it more
Quote:
Try it if you don't believe me!!!
Yes sir I believe you. I just wanted to ask out loud what i was thinking
I'll edit this post again later to add MORE questions. Thank you again. Have a good night's sleep Professor.
  Reply With Quote
Old 02-09-2005, 01:04   #14 (permalink)
lalo.lerry
Go ahead my little schoolboy...
  Reply With Quote
Old 02-09-2005, 03:52   #15 (permalink)
charlielao
@Professor Lalo:
Using sfe inline assembler, how do i enter this: mov r12, mem_3BA42
I tried typing: sfe a "mov r12, mem_3BA42" but it says illegal operation.
and also sfe a "jnb r9.7, loc_12345"

Is this correct? (Adapted from A_Alex patch Auto Profile Swapping. Please excuse me for using our patch sir A_Alex.)
88 C0 : mov [-r0], r12
88 D0 : mov [-r0], r13
88 90 : mov [-r0], r9
D7 40 0E 00 : extp #0Eh, #1
F2 F9 42 3A : mov r9, mem_3A42
?? ?? ?? ?? : jnb r9.7, loc_xxxxx
D7 40 36 00 : extp #36h, #1
?? ?? ?? ?? : mov r12, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2
F2 FD DE 25 : mov r13, mem_25DE ;0D:25DE= RAM time hours
46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00
?? ?? : jmpr cc_C, loc_xxxxx ;if hour < or = 17:00 jump to loc_xxxxx (i dont know how to type this in sfe assembler)
2F 00 : bset r12.2 <= to set flag of APP Profile2 Function 3
98 90 : mov r9, [r0+] ; this is located at loc_xxxxx
98 D0 : mov r13, [r0+]
98 C0 : mov r12, [r0+]
CB 00 : ret

I applied trustkill's moving and changing operator name location which is this:
18E692: 09 f8; y-pos of operator name string (normal mode)
If i use Winhex, 18E692: F8 and 18E672: F8. But if i use sfe disasm this comes up:
18E690: 01 00 : addb rl0, rl0
18E694: 00 00 : add r0, r0
18E696: 00 00 : add r0, r0
How come 18E692 isnt shown?

There are some patches i didnt use on my sl45, but i want to disassemble them. How can i do that without having to patch them on my phone?

I saw this on S45 patches. Can you do it for sl45v56 Professor?
HFI. 12AM-PM Hours Format in Idle screen

Last edited by charlielao; 02-09-2005 at 08:37.
  Reply With Quote