Write new code?
#31
Evolving Member
Thread Starter
iTrader: (4)
Join Date: Apr 2008
Location: Germany
Posts: 186
Likes: 0
Received 0 Likes
on
0 Posts
So I started writing my own code. It's the first asm code I ever wrote, so don't expect much.
What it should do:
1.) Replace the EGR function call with my new function.
2.) Set the EGR_Dutycycle to 0 or 128, depending on RPM.
e.g. under 4500 rpm -> egr_dc 0; over 4500 rpm -> egr_dc 128 (switch point editable by ecuflash)
3.) Be able to switch back to the OEM EGR code by one setting via ecuflash (cyclone_switch)
It compiles fine without errors.
Only problem: 'mov #0x80, r12' is shown in IDA Pro as 'mov #unk_FFFFFF80, r12'.
I can't test it, because the car isn't running.
Can someone look over the code and see if there are any errors?
I will test it myself as soon as possible.
Code:
Cyclone:
    sts.l pr,@-r15
    mov.l r0,@-r15
    mov.l r10,@-r15
    mov.l r12,@-r15
    mov.l r13,@-r15
    mov.l (cyclone_switch), r10
    mov.b @r10, r10
    tst r10, r10
    bt no_cyclone
start:
    mov.l (rpm_switch_point), r13
    mov.w @r13, r13
    mov.l (RPM_VAR), r10
    mov.w @r10, r10
    cmp/hi r13, r10
    bt egr_low
    mov #0x80, r12
    bsr update_dc
egr_low:
    mov #0, r12
update_dc:
    mov.l (EGR_DC_VAR), r13
    mov.w r12, @r13
    bsr exit
no_cyclone:
    mov.l (old_func), r10
    jsr @r10
exit:
    mov.l @r15+,r13
    mov.l @r15+,r12
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
cyclone_switch:   .long 0x0000102E ! ROM address of the new switch; add 0x01 to 0x102E to enable
old_func:         .long 0x0001B6DC ! ROM address of the original EGR function
RPM_VAR:          .long 0xFFFF8845 ! RAM address for RPM
EGR_DC_VAR:       .long 0xFFFF8B72 ! RAM address for EGR duty cycle
rpm_switch_point: .long 0x0003AC00 ! ROM address of the switch point RPM
Last edited by Deepnine; May 7, 2009 at 11:44 PM.
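The 'mov #unk_FFFFFF80, r12' display in the post above follows from the SH encoding: `mov #imm, Rn` carries an 8-bit immediate that the CPU sign-extends to 32 bits, so its range is -128..127. The following is an added example, not code from the thread; it models three SH-2 instructions in Python to follow that value through the 16-bit store, and using `extu.b` to zero-extend is one option assumed here for illustration.

```python
# Added example: a small model of three SH-2 instructions. Not from the thread.
EGR_DC_VAR = 0xFFFF8B72      # RAM address quoted in the post

# Hand-encoded opcodes (SuperH encodings shown on the right).
MOV_80_R12 = 0xEC80          # mov    #0x80, r12   1110nnnn iiiiiiii
EXTU_B_R12 = 0x6CCC          # extu.b r12, r12     0110nnnn mmmm1100
MOVW_R12_R13 = 0x2DC1        # mov.w  r12, @r13    0010nnnn mmmm0001


def sext8(value):
    """Sign-extend an 8-bit immediate to 32 bits, as `mov #imm, Rn` does."""
    return (value | 0xFFFFFF00) if value & 0x80 else value


def run(opcodes, regs):
    """Execute 16-bit opcodes; return (registers, byte-addressed memory)."""
    r, mem = dict(regs), {}
    for op in opcodes:
        n, m = (op >> 8) & 0xF, (op >> 4) & 0xF
        if op >> 12 == 0xE:                 # mov #imm8, Rn
            r[n] = sext8(op & 0xFF)
        elif op & 0xF00F == 0x600C:         # extu.b Rm, Rn (zero-extend byte)
            r[n] = r[m] & 0xFF
        elif op & 0xF00F == 0x2001:         # mov.w Rm, @Rn (low 16 bits)
            word = r[m] & 0xFFFF
            mem[r[n]] = word >> 8           # big-endian byte order
            mem[r[n] + 1] = word & 0xFF
        else:
            raise ValueError(f"opcode {op:#06x} not modelled")
    return r, mem


def stored_word(opcodes):
    """Run opcodes with r13 = EGR_DC_VAR and return the 16-bit word written."""
    _, mem = run(opcodes, {13: EGR_DC_VAR})
    return (mem[EGR_DC_VAR] << 8) | mem[EGR_DC_VAR + 1]


if __name__ == "__main__":
    print(hex(run([MOV_80_R12], {})[0][12]))                      # register
    print(hex(stored_word([MOV_80_R12, MOVW_R12_R13])))           # as posted
    print(hex(stored_word([MOV_80_R12, EXTU_B_R12, MOVW_R12_R13])))
```
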
#33
Evolved Member
iTrader: (2)
I'm guessing you're planning to control the butterflies on a cyclone intake manifold with this, going off the address names?
Have you thought about keying the opening point off of MAP or airflow rather than RPM? It seems to me that you might get more appropriate results by opening based on the amount of air entering the engine rather than the speed the pistons are moving, but I admit I haven't spent too much time pondering it yet (my 2g with a cyclone needs quite a bit more work before it'll be running again).
(For people who don't know: a "cyclone intake" is a 1g-style DSM intake manifold that has dual runners, one of which is controlled by butterflies driven by a vacuum actuator; think wastegates, and you have an idea. It's a similar thing to Subaru's TGV. In cars that came with it as an OEM piece, there's a solenoid very similar to the EGR solenoid that controls actuation.)
#34
Evolving Member
Thread Starter
Yes, it's a JDM cyclone.
I have done a lot of research about this piece, and on every car with such a thing it's based on RPM. But I will try different options when it's working with RPM (and when the car is ready).
I'm also thinking about a smooth map for opening slowly, but that needs testing with the car.
I will find the best way of making power.
@tephra
Thanks, I will try it.
#35
Evolving Member
Thread Starter
New problem!
I compiled the code above.
Extracted it from the ELF file.
Then I added the code at 0x2F500 of my ROM.
Replaced the OEM EGR function call with 0x2F500.
But my ECU stops working after flashing.
I wrote a small function with only the function call of the OEM EGR function. Still no luck.
Is there something to be careful of when adding new code? Maybe some alignments?
Can you describe your process of adding a new function to me?
Thx, Jan
Last edited by Deepnine; May 13, 2009 at 06:45 PM.
#41
Evolving Member
Thread Starter
I don't know what I'm doing wrong.
Here are the steps I do:
1.) Write my custom code:
New subroutine with a call to another OEM subroutine. That's simple and it should work.
Code:
    sts.l pr,@-r15
    mov.l r0,@-r15
    mov.l r10,@-r15
    mov.l r12,@-r15
    mov.l r13,@-r15
    mov.l (old_func), r10
    jsr @r10
    mov.l @r15+,r13
    mov.l @r15+,r12
    mov.l @r15+,r10
    mov.l @r15+,r0
    lds.l @r15+,pr
    rte
    nop
    .align 4
old_func: .long 0x0001B6DC ! ROM address of the original EGR function
2.)
> sh-elf-as -o rom.o file.asm
> sh-elf-ld -o file.bin file.o
No errors appear, just a warning about entry symbol start
3.) Open hex editor with 90550001 ROM. Locate the address of the routine call of the function I like to replace (0x0001B6DC).
Change the 0x0001B6DC to 0x0002F500
4.) Open my new code bin file with hex editor. Locate code at 0x80, copy and paste it into my 90550001 file at 2F500. I checked that the ROM file is still the correct size.
5.) Upload it to the ECU.
-> No logging. If I turn off the ignition, the MPI relay immediately shuts off. Normally it takes some seconds.
Now the question: do you see any errors I made?
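The hex-editor steps 3 and 4 of the post above, scripted with the checks a manual paste skips; this is an added example, not code from the thread. It assumes a big-endian ROM image, unused flash reading as 0xFF, and a hypothetical `link_addr` parameter for the address the blob was linked at; the ROM and blob are constructed stand-ins. The alignment check matters because SH `mov.l @(disp,PC)` addresses its literal from the PC rounded down to a multiple of 4.

```python
import struct

OLD_FUNC = 0x0001B6DC   # from the post: OEM EGR routine address
PATCH_AT = 0x0002F500   # from the post: where the new code is pasted


def constructed_rom(size=0x40000, ptr_at=0x1A000):
    """Constructed stand-in ROM: erased flash holding one pointer to OLD_FUNC."""
    rom = bytearray(b"\xff" * size)
    rom[ptr_at:ptr_at + 4] = struct.pack(">I", OLD_FUNC)
    return bytes(rom)


# Constructed blob (not the poster's routine): rts, nop, one 4-byte literal.
BLOB = bytes.fromhex("000b0009") + struct.pack(">I", OLD_FUNC)


def apply_patch(rom, blob, patch_at=PATCH_AT, link_addr=0):
    """Return (patched_rom, pointer_offset); raise ValueError if a check fails."""
    if (patch_at - link_addr) % 4:
        raise ValueError("paste address and link address differ mod 4; "
                         "PC-relative mov.l would fetch the wrong literal")
    if len(blob) % 2:
        raise ValueError("blob length is odd; SH instructions are 16-bit")
    region = rom[patch_at:patch_at + len(blob)]
    if len(region) != len(blob) or region.count(0xFF) != len(region):
        raise ValueError("target region is outside the ROM or not blank")
    needle = struct.pack(">I", OLD_FUNC)
    hits = [i for i in range(0, len(rom) - 3, 4) if rom[i:i + 4] == needle]
    if len(hits) != 1:
        raise ValueError(f"expected one aligned pointer, found {len(hits)}")
    out = bytearray(rom)
    out[patch_at:patch_at + len(blob)] = blob            # step 4: paste code
    out[hits[0]:hits[0] + 4] = struct.pack(">I", patch_at)  # step 3: repoint
    if len(out) != len(rom):
        raise ValueError("ROM size changed")
    return bytes(out), hits[0]


if __name__ == "__main__":
    patched, where = apply_patch(constructed_rom(), BLOB)
    print(f"pointer at {where:#x} now {patched[where:where + 4].hex()}")
```
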
#43
Evolving Member
Thread Starter
Thank you very much!
I was sure my code was perfect and the error is somewhere else.
I still can't remember the new commands; I was working with for, switch, if, else, return and while for 15 years. It's more difficult to understand all that binary stuff. I never thought about some silly bits before.
Keep waiting for the next stupid thing from me.
Last edited by Deepnine; May 13, 2009 at 10:11 PM.
#45
Evolved Member
Join Date: Mar 2008
Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude
Posts: 730
Likes: 0
Received 2 Likes
on
2 Posts
Tephra, how do you choose free RAM addresses?
I mean, can anything that is not referenced by code be used?
I have tried to port your Knock CEL thingy into my ROM, and I am getting a half-lit CEL with the engine not even started. So my assumption is that it is overwritten somewhere and it flip-flops on and off. Any hint appreciated.