GSM-Forum (https://forum.gsmhosting.com/vbb/)
-   x4x, x5x Flashpatching (https://forum.gsmhosting.com/vbb/f341/)
-   -   Some RAM questions (https://forum.gsmhosting.com/vbb/f341/some-ram-questions-202559/)

charlielao 04-25-2005 01:36

Some RAM questions
 
@Masters and other patchers:
I tried experimenting on ACID's Siemens Debugger and found this:
0dfa06 to 0dfa09 <- 4 digit batt voltage
0dfa0b to 0dfa0f <- 4 digit and : sign of current time
The batt voltage and current time are shown in the right column of the debugger. How come the RAM used by Master Riza for batt voltage is 000E:39E2?
And how do I use the RAM locations I found?

lalo.lerry 04-25-2005 13:26

@Student Charlie:
RAM values can be found and understood:
- by fw routine studies, e.g. a RAM location is called/modified in a known routine (better way)
- by random RAM exploration

Anyway, going on with your RAM studies you will see the same RAM values are often repeated more than once in RAM, usually at close offsets (as you found out for Battery Voltage).
Usually they are identical at that moment but may not be the same in all situations, as they are controlled by different routines.
You can guess which to use only by deep understanding of the underlying routines or by a lot of testing.

How to use a RAM location?
I've already told you, just look here

charlielao 04-26-2005 03:22

Hello Prof,
If time is 12:12
0dfa0b shows 1
0dfa0c shows 2
0dfa0d shows :
0dfa0e shows 1
0dfa0f shows 2 in the right hand portion of the debugger. When I use the Monitor button, it displays the current time (same as that shown in my phone).
If I use 37h:3A0B (0dfa0b <- correct?)
extp #37h,#1 / mov r12, 3A0Bh: what will be the value of r12? Will it be 1? And some of the patches use this: mov r12,37h / mov r13,3A0Bh. What will happen to the values of r12 and r13?

lalo.lerry 04-26-2005 03:51

Hello Student,

if i use 37h:3A0B (0dfa0b <-correct?) yes

extp#37h,#1 mov r12, 3A0Bh what will be the value of r12? will it be 1? yes!

and some of the patches use this: mov r12,37h mov r13,3A0Bh what will happen to the values of r12 and r13?
If you have copied it right, r12 will hold the hex value 37 and r13 the value 3A0B.

But I think you have miscopied; a very commonly used piece of code is:

extp#37h,#2 ;op1=2=extp for next 2 instructions
mov r12, 3A0Bh ;word value present in 37:3A0B stored in r12
mov r13, 3A0Dh ;word value present in 37:3A0D stored in r13

NOTE: op1 can be a value between 1 and 4

Clear?

charlielao 04-26-2005 04:05

extp#37h,#1 mov r12, 3A0Bh what will be the value of r12? will it be 1? yes!
The value will be 1 (which is on the right column of debugger) or will it be the hex value on the left side column of the debugger?
From Menu Button Text patch:
27E97A: E6 FC 06 3A : mov r12, #3A06h
27E97E: E6 FD 37 00 : mov r13, #37h
This is what I was asking about, Prof. Isn't 37h:3A06h a RAM location? So r12 and r13 were assigned their corresponding values above. What happens to their values?
op1 can be 1 to 4
So this means we can use extp #37h, #4, which corresponds to using it 4 times?

lalo.lerry 04-28-2005 02:23

Hello Student,
here I am again!

extp#37h,#1 mov r12, 3A0Bh what will be the value of r12? will it be 1? yes!
The value will be 1 (which is on the right column of debugger) or will it be the hex value on the left side column of the debugger?


Sorry, I answered you in too much of a hurry.
Of course the value is the one on the left side of the debugger, so it's 31h.
The right side is only the conversion of the left-side values into ASCII characters, if a corresponding character is possible.
It's just a help, as in hex editors.


From Menu Button Text patch:
27E97A: E6 FC 06 3A : mov r12, #3A06h
27E97E: E6 FD 37 00 : mov r13, #37h
This is what I was asking about, Prof. Isn't 37h:3A06h a RAM location? So r12 and r13 were assigned their corresponding values above. What happens to their values?

I've looked quickly into the MTB patch, so I can tell you that 37:3A06 is a RAM location chosen by Riza to store the MTB time buffer.
r12 and r13 are set before a call; see the called routine to understand how they are used.

op1 can be 1 to 4
So this means we can use extp #37h, #4, which corresponds to using it 4 times?

Yes, the following 4 instructions are in the extp page.
BTW, if you want to set an extp page for more than 4 instructions, or for instructions that are not in a row, you can set DPP0 (a special function register) to that extp page.
Bye

Lalo
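The page:offset arithmetic behind the addresses traded in this thread (37h:3A0Bh showing up in the debugger as 0DFA0Bh, 0D:25DE as 365DE) and the extp/DPP0 behaviour Lalo describes, as an added Python model; it is not code from the thread, and the DPP register values it starts from are constructed.

```python
# Added model of C166 data addressing (not code from the forum thread).
# A 16-bit operand address carries a 14-bit offset inside a 16 KB page;
# the page comes from a pending "extp #page, #n" override or, when none
# is active, from the DPP register picked by the operand's top two bits.
PAGE_BITS = 14
OFFSET_MASK = (1 << PAGE_BITS) - 1      # 0x3FFF

def linear(page: int, offset: int) -> int:
    """page:offset -> 24-bit linear address, e.g. 37h:3A0Bh -> 0DFA0Bh."""
    return (page << PAGE_BITS) | (offset & OFFSET_MASK)

def split(addr: int) -> tuple:
    """Inverse of linear(): 365DEh -> (0Dh, 25DEh)."""
    return addr >> PAGE_BITS, addr & OFFSET_MASK

class AddrResolver:
    """Tracks DPP0..DPP3 and an extp override that lasts 1..4 instructions."""
    def __init__(self, dpp):
        self.dpp = list(dpp)            # constructed DPP0..DPP3 page numbers
        self.extp_page = None
        self.extp_left = 0

    def extp(self, page: int, n: int) -> None:
        if not 1 <= n <= 4:             # the "op1 can be 1 to 4" rule
            raise ValueError("extp count must be 1..4")
        self.extp_page, self.extp_left = page, n

    def resolve(self, operand16: int) -> int:
        """Linear address the next data access to operand16 hits."""
        if self.extp_left:
            page = self.extp_page
            self.extp_left -= 1
        else:
            page = self.dpp[operand16 >> PAGE_BITS]
        return linear(page, operand16)

def trace_thread_snippet() -> list:
    """extp #37h,#2 / mov r12,3A0Bh / mov r13,3A0Dh, then a third access
    outside the override, then the same access after DPP0 is set to 37h."""
    r = AddrResolver(dpp=[0x00, 0x01, 0x02, 0x03])   # constructed reset state
    r.extp(0x37, 2)
    hits = [r.resolve(0x3A0B), r.resolve(0x3A0D)]    # both land in page 37h
    hits.append(r.resolve(0x3A0F))                   # override expired: DPP0
    r.dpp[0] = 0x37                                  # Lalo's DPP0 alternative
    hits.append(r.resolve(0x3A0F))
    return hits
```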

charlielao 04-28-2005 05:32

Hello Prof:
If I use 37:3A0F, which contains the minutes (ones) of the current time, can I use it as a jumper to execute a command after 5 minutes (for example) like this:
extp #37h,#1 / mov r12,3a0fh / add r12,#5 / jmpr cc_NC, go to command

lalo.lerry 04-28-2005 14:56

hello Student,
No, the routine cannot be so simple to obtain what you want.
2 problems in your routine:

1. It checks a RAM location related to a patch (MTB). So it will not work if that patch is not installed.
In fw there are plenty of RAM time locations.
E.g. use the one used in Hourly Beep.

2. In r12 there is a variable number that is updated every few seconds (or each minute), depending on which routine you insert it in. So the conditional code will never be satisfied.
Use a different routine, e.g. the Hourly Beep one.

3. IMHO, to insert a delay it's better to use the original fw built-in delay () routines... they work perfectly and save a lot of bytes.


BTW, why do you always try to develop such difficult patches, even if you are still a young patching student?
I myself didn't start with these (middle) difficult ones... they are for intermediate level patching students!


Bye :)

prof

charlielao 04-29-2005 00:53

Hi Prof:
So Hourly Beep has a better RAM loc?
3. IMHO, to insert a delay it's better to use the original fw built-in delay () routines... they work perfectly and save a lot of bytes.
Do you know these routines?
BTW, why do you always try to develop such difficult patches, even if you are still a young patching student?
Hehehe because the easier patches have already been done Prof :)

lalo.lerry 04-29-2005 01:30

hello Stu:

So Hourly Beep has a better RAM loc?
Yes, this one, 0D:25DE, as the RAM hours location.
So, if RAM locations are used in a similar way as in my S45i (as very often), there should also be these locations in that area:

0D:25DA = 365DA :seconds (only when inserted)
0D:25DC = 365DC :minutes
0D:25DE = 365DE :hours
0D:25E0 = 365E0 :day
0D:25E2 = 365E2 :month
0D:25E4 = 365E4 :year

Please check them, because I cannot, not having an SL45.

Do you know these routines?
I know them in S45i, and searched for one of them in SL45 for you.
Should be:

mov r13, #Off
mov r14, #Seg ;where r14:r13= Seg:Off is call to be executed after delay
mov [-r0], r14
mov [-r0], r13
mov r12, #Off
mov r13, #Page ;where r13:r12= Page:Off of RAM timer location (just choose a free RAM area)
mov r14, #n ;where n is time in ms/0,25
mov r15, #0
calls C1CA86 ;delay1 ()
add r0, #4


Enjoy it

prof

charlielao 04-29-2005 02:01

Thanks for the quick answer, Prof. I'll be studying it first, then post many many more stupid questions for you hehehe. Now I'm redoing the Blank Screen when key locked by Master, because if there is an unread SMS, after some time the screen goes back to blank.

mov r13, #Off
mov r14, #Seg ;where r14:r13= Seg:Off is call to be executed after delay
mov [-r0], r14
mov [-r0], r13
<- why make r13 and r14 0 again?
mov r12, #Off
mov r13, #Page ;where r13:r12= Page:Off of RAM timer location (just choose a free RAM area) <- ill use debugger and find RAM loc with FFFFFFFF... ?
mov r14, #n ;where n is time in ms/0,25
mov r15, #0 <- where did r15 come from and why move #0 into it?
calls C1CA86 ;delay1 ()
add r0, #4 <- what is r0 and why add #4?

lalo.lerry 04-30-2005 01:37

hello Student,
here are your answers:


mov r13, #Off
mov r14, #Seg ;where r14:r13= Seg:Off is call to be executed after delay
mov [-r0], r14
mov [-r0], r13 <- why make r13 and r14 0 again?

To store Seg:Offset in the system stack.
I think it is due to how the fw-hw machine interaction works.
Anyway, this routine is used plenty of times in exactly this way.


mov r12, #Off
mov r13, #Page ;where r13:r12= Page:Off of RAM timer location (just choose a free RAM area) <- ill use debugger and find RAM loc with FFFFFFFF... ?

Free RAM areas can be found by searching for FFFFF (usually related to EEPROM RAM areas) or 00000 (normal RAM areas).
Be careful, because some RAM areas may seem to be free, but only because they are not used when you are looking at them at that specific moment.
I suggest you use a RAM location close to one used by other patchmasters; it should be already well tested and bug-free.
BTW, usually a patchmaster tends to always use the same RAM area for his patches, just as a patchmaster has his "own" area in fw to store patch routines.


mov r14, #n ;where n is time in ms/0,25
mov r15, #0 <- where did r15 come from and why move #0 into it?

r15 is just set so before the delay call; search in the call to understand why.
Anyway, very often r15 is set to 0.
Sometimes r15 is used to store the time if the time value is greater than FFFF and cannot be saved in only one register, but I haven't checked if this is the right case.


calls C1CA86 ;delay1 ()
add r0, #4 <- what is r0 and why add #4?

r0 is used for the system stack; you have to add 4 (=2 words) because you have stored r13 and r14 without resuming them.
Many "function" subroutines add something to the system stack as their last command; just explore original fw routines.

bye

Lalo

charlielao 04-30-2005 02:15

Prof:
I got this from your Hourly Beep v1:
27DC72: D7 40 11 00 : extp #11h, #1
27DC76: F7 F8 40 38 : movb 47840h, rl4 ; (0011:3840)
What RAM loc is it pointing to?

lalo.lerry 04-30-2005 04:59

Who remembers it, my friend... who remembers?!
(I'll check out ASAP)

charlielao 04-30-2005 08:31

Hi Prof, here is another out of the blue question:
Master Riza explained this from his CDR patch:
From CDR.asm (Call Detail Record) source:
mov r8, #200h+'R' <- R(eceived)
- put "received sms" flag in the register R8
mov r12, #315h
- set R12 with value hexa 315
mov r5, #32h
- and R5 with 32h
R5:R12 is prepared to store the pointer to incoming SMS sender number (32h:0315h).
extp r5, #1
- work in page values stored in register R5 (32h)
movb rl4, 2F0h
- get the byte value of RAM 32h:02F0h and store it in the RL4. 32h:02f0 for incoming SMS is storing the SMS type, including normal or delivery status SMS. I don't know about another values meaning ...
andb rl4, #40h
jmpr cc_Z, sdr_001
- make some test. if (RL4 and 40h==0) goto sdr_001
mov r8, #200h+'D'
add r12, #1
- if the result of test is not zero (RL4 and 40h != 0), then set the flag with 'D' (Delivery status SMS), and change the incoming SMS sender number pointer to 32h:0316h ...

I used debugger and got these while there is new incoming sms:
09196262888:<-sender number
0C8300: 01 03 01 07 91 36 19 08 00 30 17 00 14 04 0C 00
0C8310: 00 00 01 14 04 0C 91 36 19 69 62 82 88 00 00 50
0C8320: 40 03 20 01 95 00 01 41 10 2E 07 C5 68 3A D8 4C
0C8330: 97 7D D7 E5 A0 71 5D 2E 2F BB E9 20 71 98 1D 76

The numbers are shown in red, but they are alternated in the RAM.
I tried using Master's CDR EP 44e6fc: E6FE2600 for incoming SMS, but if I receive an incoming SMS, my phone shuts down :(
This is a simple patch test I made that causes it:
44e6fc: E6FE2600 DABA77BB
1ABB77: FFFF 8880
1ABB79: FFFFFFFF D7403200 ; extp #32h, #1
1ABB7D: FFFFFFFF F2F81B03 ; mov r8, 31bh
1ABB81: FFFFFFFF 46F85200 ; cmp r8, #82
1ABB85: FFFF 3D04 ; jmpr cc_NZ, 11
1ABB87: FFFFFFFF E6FC3a00 ; mov r12, #3a
1ABB8B: FFFFFFFF DAC3B600 ; calls 0C3h, loc_C300B6 (play tone)
1ABB8F: FFFFFFFF D7403200 ; extp #32h, #1
1ABB93: FFFFFFFF F6F81B03 ; mov 31bh, r8
1ABB97: FFFFFFFF E6FE2600
1ABB9B: FFFF 9880
1ABB9D: FFFF DB00
What's wrong, Prof?
I also saw that the RAM loc (000C:326C) you used in Blacklist is the same loc used when there is an incoming SMS for Postcode data. I tried using it in the above patch but it doesn't play the tone, though my phone didn't shut off. How come we have to use the low byte in the RAM loc above to compare the Postcode data? Why can't we use the whole word?
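Reading the sender number out of the RAM dump in the post above, from the 32h:0315h pointer that Riza's explanation names, as an added Python example (not code from the thread or from the CDR patch). It assumes the field follows the GSM 03.40 originating-address layout (digit count, type-of-address byte, then nibble-swapped BCD digits), which is what makes the digits look alternated in RAM; the dump bytes are the ones the post shows.

```python
# Added example (not from the forum post): pull the incoming-SMS sender
# number out of the RAM dump charlielao posted, starting at the pointer
# 32h:0315h that Riza's CDR patch loads into r5:r12.  The field is read
# as a GSM 03.40 originating address (assumption the dump agrees with):
# digit count, type-of-address byte, then nibble-swapped BCD digits.
DUMP_BASE = 0x0C8300
# Bytes exactly as shown in the post (four rows of 16).
DUMP = bytes.fromhex(
    "01 03 01 07 91 36 19 08 00 30 17 00 14 04 0C 00 "
    "00 00 01 14 04 0C 91 36 19 69 62 82 88 00 00 50 "
    "40 03 20 01 95 00 01 41 10 2E 07 C5 68 3A D8 4C "
    "97 7D D7 E5 A0 71 5D 2E 2F BB E9 20 71 98 1D 76 "
)

def linear(page: int, offset: int) -> int:
    """C166 page:offset -> linear address (16 KB pages)."""
    return (page << 14) | (offset & 0x3FFF)

def bcd_digits(raw: bytes, ndigits: int) -> str:
    """Decode semi-octet BCD, low nibble first: bytes 36 19 -> '6391'."""
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:ndigits])        # drop the F filler on odd lengths

def sender_address(dump: bytes, base: int, page: int, offset: int) -> tuple:
    """Return (type_of_address, number) for the field at page:offset."""
    pos = linear(page, offset) - base
    ndigits = dump[pos]                     # 0x0C = 12 digits in the dump
    toa = dump[pos + 1]                     # 0x91 = international, ISDN plan
    nbytes = (ndigits + 1) // 2
    number = bcd_digits(dump[pos + 2:pos + 2 + nbytes], ndigits)
    if (toa & 0x70) == 0x10:                # international type of number
        number = "+" + number
    return toa, number

# The delivery-status variant in Riza's code uses the pointer 32h:0316h.
def delivery_status_address(dump: bytes, base: int) -> tuple:
    return sender_address(dump, base, 0x32, 0x316)
```

The decoded value +639196262888 is the international form of the sender 09196262888 the post quotes, with the national leading 0 replaced by country code 63.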

