SVX Network Forums Live Chat! SVX or Subaru Links Old Lockers Photo Post How-To Documents Message Archive SVX Shop Search |
IRC users: |
#961
|
||||
|
||||
Re: Memory dump of ECU
Sorry. I'm an idiot. Here you go.
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#962
|
|||
|
|||
Re: Memory dump of ECU
Nice.
Now I am slightly stuck with these eor commands. I've looked it up in the software manual, but the explanation doesn't make it any clearer for me. May as well make sure about the sbc also. 00E22D A422 ldy dp + 0x22 ; Read from A/D successive approximation register 00E22F 98 tya 00E230 38 sec 00E231 EDD411 sbc ax, 0x11d4 00E234 B004 bcs 0xe23a 00E236 49FFFF eor ax, #0xffff So here the tps value from the A/D converter is loaded to index register y. It is then transferred to register a. The carry flag is set (C=1). The value stored at 11d4 is subtracted from register a. If the result is greater than or equal to zero the program branches to e23a. I know this much. With the carry flag set does it also subtract 1 from register a (ie. A=A-(0x11d4 +1))? What does the eor compare? We have the value in register a and the hex value ffff, but what about them? There doesn't seem to be enough values to do anything with. It looks like the majority of the eors use #0xff or #0xffff. I don't know what the significance of this is. Right now it is just an observation. |
#963
|
||||
|
||||
Re: Memory dump of ECU
Quote:
On this type of processor, you have to set the carry flag before a subtraction in order to get the right answer. If you look through the code you'll see an SEC before every SBC. I can't explain it very well, but the reason is that the subtract instruction is designed so that when you are subtracting 16bit numbers, you can do it in 2 chunks of 8 bits at a time. The carry flag stores the sign of the result of each subtraction and it gets fed into the next stage of the subtraction. There's an example of this at EC68 where it subtracts a 16 bit value at 1098(and 1099) from a 16 bit value at 1096 (and 1097). But It's not really important to understand how that mechanism works, as long as you can recognise when you see it. EOR, also known as XOR, is a boolean "exclusive-or" operation. It means either/or but not both. If you want to XOR two 8 bit numbers, you line them up on top of each other and calculate each column separately. The result is 1 if the bits are different and 0 if they are the same. 11000011 10101110 --------- 01101101 An XOR by FF, in the case of a byte, or FFFF in the case of a word, is the same as a NOT operation. Every zero will be changed to a 1 and every one will be changed to a zero. This piece of code here: Code:
00E236 49FFFF eor ax, #0xffff 00E239 3A inc ax For example: 11111011 is -5. If you XOR by FF (11111111) you get 00000100 which is +4. Add 1 and you get +5. So the code is saying, do the subtraction, and if the result is negative, convert it to positive. If the result is positive then it jumps over that bit of code and continues with the positive value. I hope that makes sense.
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#964
|
|||
|
|||
Re: Memory dump of ECU
That makes perfect sense. Sorry to bombard you with these big chunks of code, but I think they can be summed up easily and I want to verify I have the fine details correct as it seems a little strange.
Quote:
I am doubting my understanding of the carry flag here. I would assume that the program would want the bigger change, but the way I read it if the second read/compare is greater than or equal to the first the program skips over the command to transfer the contents of y (second read/compare) to x and stores the tps value corresponding the first (and smaller change) tps value. [QUOTE= 00E253 2C2610101E bbs #0x10, 0x1026, 0xe276 ; Errorflags 1 ; TPS Error [/QUOTE] I will take the easy route here and I will say that the program has detected a fault with the tps and the bit corresponding to a tps error has been set. Quote:
bit 01 of 1025 is set and the program branches to e28c where e28c-e292 is executed 11 times total(104e-1044). During this loop the default value (in this example) that has been loaded into A is stored 11 times somewhere (dp + 0x00 + ix). I am pretty sure that the 104e-1044 makes up the ix portion of the equation, so is it just 104e-1044 that the value is written to? Quote:
Store the value in A at 1285. Store the value in A at 4018. Return. |
#965
|
|||
|
|||
Re: Memory dump of ECU
That code came out pretty hard to read. I meant to mention that bit 01 at 1025. It seems like some sort of indicator that a default value has been loaded, but I don't see anywhere else in the program where that bit is specifically looked at. Main things making me scratch my head are the dp + 0x00 + ix and if i interpreted the carry flag correctly.
|
#966
|
||||
|
||||
Re: Memory dump of ECU
I don't really understand how the A/D converter works, except that it somehow converts an input voltage to a binary number. If you want to know, read chapter 9 of the 7733 User Manual on the Renesas site. It's not exactly the same CPU as ours, but it is similar.
Code:
http://documentation.renesas.com/eng/products/mpumcu/e7733um.pdf Quote:
It looks to me as though bit #20 of 101e indicates whether the history buffer has been initialised. If the history buffer has not been initialised, then it is filled with the TPS value, or a default value if the TPS error flag is set. I think you are right that bit #01 of 1025 indicates whether the value is real or default. If the buffer has already been initialised, then the code at E2C6 shifts it along one byte and then the new value is inserted at 1044. Phil. Edit: I forgot to mention, the value of dp is always 0 on this system, so you can ignore it. "sta al, dp + 0x00 + ix" just means " store AL at address 0+X"
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II Last edited by b3lha; 12-26-2009 at 04:08 PM. |
#967
|
|||
|
|||
Re: Memory dump of ECU
Thanks Phil
Great info as usual. I didn't realize that the comparison thing that was going on there was part of the A/D logic(?). I guess in retrospect it doesn't matter how it chooses the value that the program uses. What is important is how the value(s) it does choose interact with the rest of the program. I need to try to stay focused on that. Just from what I have had a good look at so far I can see I should be able to find more things to label, like 1243 and 12c8 seem to hold either default values or (TPS Volts) dependent on certain conditions. I think I have a long road ahead of me breaking down each function into simple if/else statements then trying to pull it all together and make like a flow chart describing the program. About these little Indians: Quote:
Quote:
|
#968
|
||||
|
||||
Re: Memory dump of ECU
Quote:
8665 is 000A At some point you'll discover a nasty little trick in the code where they write a 16 bit value to an address and then never use it. Sometimes, they just read the high byte from (address+1) and use that instead of the whole 16 bits. There's also some 24-bit numbers. Again, these are stored low byte first, high byte last.
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#969
|
|||
|
|||
Re: Memory dump of ECU
Sweet. I have run into something like what you are talking about here:
Quote:
|
#970
|
||||
|
||||
Re: Memory dump of ECU
Phil, et al,
This thread has definitely been interesting reading Any thoughts on the end result of all this hard work? Is it realistic to think that it will be the ability to reprogram (flash) our stock ECU like the WRX/STi folks can? -Bill
__________________
Retired NASA Rocket Scientist Most famous NASA "Child" - OSIRIS-REx delivered samples from asteroid BENNU to Earth in Sept. 2023 Center Network Member #989 '92 Fully caged, 5 speed, waiting for its fully built EG33 '92 "Test Mule", 4:44 Auto, JDM 4:44 Rear Diff with Mech LSD, Tuned headers, Full one-off suspension '92(?) Laguna, 6 spd and other stuff (still at OT's place) My Locker |
#971
|
|||
|
|||
Re: Memory dump of ECU
AFAIK you cannot "flash" these ECUs like the OBD2 ECUs. You can build a board and burn chips as Phil describes on his site. Most of the useful parameters are documented and can easily be changed and burnt to a new chip. I am trying to analyze the code using the information others have already found as a starting point. I hope to understand some of the finer points of the program.
|
#972
|
||||
|
||||
Re: Memory dump of ECU
Quote:
It is definitely realistic. We are actually really close to that point right now. We have a well-tested memory adapter design. We know where to find the fuel and timing maps and approximately how they work. All that's really needed is for somebody with tuning skills to fiddle with those maps and log the results and prove that they do work the way we think they do. So many people have contributed to this thread and I'm amazed at the amount of good stuff has come out of it, directly or indirectly: * An interface cable for connecting a PC to the car. * Software that can display and log the ECU and TCU data. * The locations of the parameters in the ECU and TCU. * The TCU pin A4 power mode mod for USDM cars. * The TCU software power mode mod for Euro/Aussie cars. * A collection of ROM versions from different years and markets. * A document showing the tuning differences between markets. * A method for chipping the TCU. * A daughterboard to adapt the ECU for modern eeproms. * Decoding the TCU shift and torque converter maps * Decoding some of the ECU maps and finally, on a personal note, * I got a full time job cracking ECUs. That's just off the top of my head. There's probably a load of other stuff I can remember right now. And it doesn't include stuff outside the SVX world. I regularly get emails from people thanking me for information they've taken from my website and used for their own projects. I'm particularly pleased that we cracked the TCU. I think we were the first people ever to crack the subaru TCU. In fact I've never heard of any car club cracking a TCU before. I just wish I had more time to devote to it. I now have a two year old daughter and a 2 month old son, that I didn't have when I started this thread.
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#973
|
||||
|
||||
Re: Memory dump of ECU
Yeah, don't get me wrong. You can't "flash" these ECUs. They are too old. Flash chips were not available when these units were designed. To modify the ECU, you modify the rom file, burn it into two chips, plug them into the adapter and then plug the adapter into the ECU.
It's not hard to do, but it's not quite as easy as just hooking up a cable like the WRX guys do. In some ways it's better. The flashable ECUs can only be flashed a certain number of times and then they die and they're expensive to replace. With ours, you can replace the chips as often as you like. (I suspect the OBD2 SVX ECU may be flashable, but I've never seen one and I don't know for sure one way or the other).
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#974
|
||||
|
||||
Re: Memory dump of ECU
Quote:
The Z flag gets set if zero is loaded to bl. I think this code wants to end up with a number between 00 and FF in AL. If BL is not zero (ie. the result of the calculation is >= hex 100) then it sets AL to the maximum value of FF.
__________________
Subaru ECU and TCU Website 1992 Alcyone SVX Version L 1992 Alcyone SVX Version L 1994 Alcyone SVX S40-II 2004 Subaru Legacy 2.5 SE Sports Tourer 1996 Subaru Legacy 2.2 GX Wagon 1988 Subaru Justy J12 SL-II |
#975
|
||||
|
||||
Re: Memory dump of ECU
Quote:
-Bill Phil, Can't thank you enough for all the work you've done to date! -Bill
__________________
Retired NASA Rocket Scientist Most famous NASA "Child" - OSIRIS-REx delivered samples from asteroid BENNU to Earth in Sept. 2023 Center Network Member #989 '92 Fully caged, 5 speed, waiting for its fully built EG33 '92 "Test Mule", 4:44 Auto, JDM 4:44 Rear Diff with Mech LSD, Tuned headers, Full one-off suspension '92(?) Laguna, 6 spd and other stuff (still at OT's place) My Locker Last edited by SVXRide; 12-27-2009 at 09:07 PM. |
Thread Tools | |
Display Modes | |
|
|