I will attempt to update this thread with information as it becomes available. Consider this a Work in Progress.

Entry Points

In order to dissasemble a ROM you must find an "entry point." An entry point is a portion of code that is generally followed by Program Execution Code. Knowing these locations allows the Interactive Dissasembler to derive logic and references for you. It's something that can be simple to understand, however is not for the general user.

Processor Notes

Subaru HC16 - MY01-MY05 192k using Motorola HC16

0000: 0220 -> unused/ZK/SK/PK initial values
0002: 0220 -> reset vector (PC, PK+PC)
0004: 08F6 -> stack pointer (SP, SK+SP)
0006: 0000 -> page pointer (IZ, ZK+IZ)

0000: xx ZK SK PK
0002: PC PC PC PC
0004: SP SP SP SP
0006: IZ IZ IZ IZ

Subaru SH7058 - MY04 STi 512k using Hitachi SH4B

Power-on reset
PC 0 H'00000000–H'00000003
SP 1 H'00000004–H'00000007

Manual reset
PC 2 H'00000008–H'0000000B
SP 3 H'0000000C–H'0000000F


So from here I've gathered entry points of 0xF554, 0xF8A4, 0xFBD0, 0x10000, 0x103D4, 0x10AF4, 0x11060 by locating the byte sequences below:

D26E 420B 0009 D36E 430B 0009 D26D 420B


Known Entry Points

Subaru HC16 - 0x220, 0x8F6, 0x240, 0x252, 0x264

Subaru SH7058 (512k) - 0xF554, 0xF8A4, 0xFBD0, 0x10000, 0x103D4, 0x10AF4, 0x11060.

I know it will be a long shot, but would you be able to explain sorta what this all means..

Screen caps might help a learner like me

Can you get the freeware version of IDA to do this or do you have to have IDA Pro (which is $500, right)?

Any update on this?

I understand that you were searching for op-codes, but how did you come up with those specific offsets to open the whole ROM? I have searched for op-codes before to open up the ROM and it always takes forever to hit 'c' on each one, but following your method it took all of 5 seconds. I'm starting to get a decent grasp on the 04 STi but I really need to figure out the rest of them as well so that I can start working on the 2010 stuff. Thanks!

Andy