ECU disassembling?

Mar 30, 2008 | 01:55 AM | #1 | JoeBee (Thread Starter)

Hello to all.

Currently I'm disassembling my EVO VII ROM.

Can any of the cracks give me a tip on which routine or interrupt vector is used when the ignition goes on?

When the ignition is off, has somebody found out what the ECU/processor is doing? Is there something like an idle queue?

How did you check ignition on/off in your ROM patches?

Another one: How did you check that the engine is running? RPM variable?

And a third: How did you check a time? For example, pressing the ICS button for more than 2 sec?

Or are all these secrets?

By the way:
Meanwhile I have completely understood the fuel table lookup with all the interpolation.
If there is a need to add more rows/lines, it is possible.

Greetings
Joe
Mar 30, 2008 | 04:56 AM | #2 | jcsbanks
I've mainly looked at the IO stuff as that has been my interest. However, it looks like there is a main loop that is called off the reset vectors, and some of the other stuff is called off timer interrupts IIRC.

I don't test for ignition on/off as my patches have been set up from MUT or serial receive interrupts and then run through serial or DMA interrupts.

Tephra calls his routine off the main loop replacing the call to the CEL routines, which he then calls after his patch has run. I also run off the same hook to test for a serial timeout to allow me to reset the DMA.

Tephra has done work on time, and basically seems to count the number of calls to his routine through the main loop which seems to be about 100Hz.

Do you have a plan to patch something that depends on whether the engine is running? I'll try to make suggestions of how I would approach it if you like.
Mar 30, 2008 | 05:31 AM | #3 | tephra
Originally Posted by JoeBee
> Hello to all.
>
> Currently I'm disassembling my EVO VII ROM.
>
> Can any of the cracks give me a tip on which routine or interrupt vector is used when the ignition goes on?
>
> When the ignition is off, has somebody found out what the ECU/processor is doing? Is there something like an idle queue?
>
> How did you check ignition on/off in your ROM patches?

The ECU is unpowered when the IGN is off, so therefore if the code is running then the IGN is ON.

> Another one: How did you check that the engine is running? RPM variable?

Yup, RPM > 0 = engine running, basic but works OK.

> And a third: How did you check a time? For example, pressing the ICS button for more than 2 sec?

ECU seems to loop 102ish times a second, so I just use that as my scaling for timing values in EcuFlash.

> Or are all these secrets?

Yes I am very secretive about my mods! Next time post this in the disassembly thread that is floating around - maybe a MOD will merge??

> By the way:
> Meanwhile I have completely understood the fuel table lookup with all the interpolation.
> If there is a need to add more rows/lines, it is possible.

Yes, however you will need to transpose the tables to a free ROM location as adding rows/columns will inevitably increase the size of the table. This is pretty time consuming so most people just rescale the current axes to give different resolution!

HTH's
D.
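The loop-count timing and the RPM > 0 test described in the post above can be modelled off-target as follows. This is an added example, not tephra's patch code; the `hold_timer_t` state, the function names, the 2-second threshold and the 16-bit RPM parameter are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* From the post above: the hook runs once per main-loop pass, roughly 102
 * passes per second. It is a scaling factor, not a calibrated clock. */
#define LOOP_HZ 102u

typedef struct {            /* hypothetical state block for the hook */
    uint16_t held;          /* consecutive passes with the button down */
    bool     fired;         /* long press already reported for this hold */
} hold_timer_t;

/* Milliseconds to loop passes, rounded up so a hold is never cut short. */
static uint16_t ms_to_ticks(uint32_t ms) {
    uint32_t t = (ms * LOOP_HZ + 999u) / 1000u;
    return t > UINT16_MAX ? UINT16_MAX : (uint16_t)t;
}

/* Call once per pass. Returns true exactly once per hold, on the pass where
 * the button has been down for `threshold` passes while RPM > 0 (the
 * thread's "engine running" test). */
static bool hold_timer_poll(hold_timer_t *s, bool pressed, uint16_t rpm,
                            uint16_t threshold) {
    if (!pressed || rpm == 0) {         /* released or engine stopped: rearm */
        s->held = 0; s->fired = false;
        return false;
    }
    if (s->held < UINT16_MAX) s->held++;  /* saturate instead of wrapping */
    if (s->fired || s->held < threshold)
        return false;
    s->fired = true;
    return true;
}

/* Off-target harness: count events over `passes` passes of constant input. */
static int simulate(hold_timer_t *s, int passes, bool pressed, uint16_t rpm,
                    uint16_t threshold) {
    int events = 0;
    while (passes-- > 0)
        events += hold_timer_poll(s, pressed, rpm, threshold);
    return events;
}

int main(void) {
    hold_timer_t s = {0, false};
    printf("%d\n", simulate(&s, 300, true, 800, ms_to_ticks(2000)));
    return 0;
}
```

Because the count follows the loop rate, any change in main-loop execution time shifts the real duration of the hold by the same proportion.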
Mar 30, 2008 | 06:24 AM | #4 | jcsbanks
The ECU still has some power when the ignition is off because it holds its RAM contents, yet loses them when the middle plug is removed. Do you think/know it goes into a sleep mode, Dave?
Mar 30, 2008 | 06:36 AM | #5 | tephra
Sorry ^ correcto.

Um, I presume that the 5V which connects to one of the pins takes it out of "suspend" mode.

I take it you have the SH705x manuals? There is a section on suspend mode.
Mar 30, 2008 | 06:48 AM | #6 | jcsbanks
It is big and complex.

I just had the silly idea that I might think about how to write changes back to flash, but reading the chapter on the flash programming scared me silly. The timers section is frightful too.
Mar 30, 2008 | 09:40 AM | #7 | JoeBee (Thread Starter)
Thank you, guys.
OK, power-down means the execution stops. So no detection is necessary.
This 100Hz timing is a good way. Thanks for that.

Where is this disassembly thread? I missed a lot of stuff while doing my Cisco CCNP.
Sometimes it is too hard for me to read these threads with 30 and more pages.

I say "secrets" because I have not found source code.
Mar 30, 2008 | 10:05 AM | #8 | JoeBee (Thread Starter)
Code:
ROM:000099A4 POR_Reset:                              ; CODE XREF: ROM:000099D2j
ROM:000099A4                                         ; DATA XREF: ROM:off_0o ...
ROM:000099A4                 mov.l   @(h'14,pc), r15 ; [000099BC] = RAM_Stackpointe
ROM:000099A6                 mov.l   @(h'18,pc), r0 ; [000099C0] = RAM_IRQ_Mem
ROM:000099A8                 mov.l   @(h'18,pc), r1 ; [000099C4] = RAM_IRQ_Mem
ROM:000099AA                 mov.l   r1, @r0
ROM:000099AC                 mov     #0, r0
ROM:000099AE                 ldc     r0, vbr
ROM:000099B0                 ldc     r0, gbr
ROM:000099B2                 mov.l   @(h'14,pc), r0 ; [000099C8] = Main_Loop_Start
ROM:000099B4                 jsr     @r0 ; Main_Loop_Start
ROM:000099B6                 nop
ROM:000099B8                 bra     loc_99CC
ROM:000099BA                 nop
ROM:000099BA ; ---------------------------------------------------------------------------
ROM:000099BC off_99BC:       .data.l RAM_Stackpointe ; DATA XREF: ROM:POR_Resetr
ROM:000099C0 off_99C0:       .data.l RAM_IRQ_Mem     ; DATA XREF: ROM:000099A6r
ROM:000099C4 off_99C4:       .data.l RAM_IRQ_Mem     ; DATA XREF: ROM:000099A8r
ROM:000099C8 off_99C8:       .data.l Main_Loop_Start ; DATA XREF: ROM:000099B2r
ROM:000099CC ; ---------------------------------------------------------------------------
ROM:000099CC

I think the main loop begins here at "Main_Loop_Start", right?
Where do you place your vars in RAM?
Have you tried/used the part behind "RAM_IRQ_Mem" (FFFF9BA0 for my ROM)?
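The literal-pool addresses in the listing's comments (for example [000099C8] for the load at 000099B2) follow from the SH-2 `MOV.L @(disp,PC),Rn` encoding, which this added example decodes to recover the `jsr @r0` target of the reset stub. It is not code from the thread: the opcode bytes are hand-assembled from the listing's mnemonics, and the stack and `Main_Loop_Start` values are placeholders.

```c
#include <stdint.h>
#include <stdio.h>

#define STUB_BASE 0x000099A4u  /* POR_Reset address in the listing */
/* Constructed sample: opcodes hand-assembled from the listing's mnemonics.
 * Literals are placeholders except RAM_IRQ_Mem (FFFF9BA0, from the post). */
static const uint8_t stub[] = {
    0xDF,0x05, 0xD0,0x06, 0xD1,0x06, 0x20,0x12, 0xE0,0x00, 0x40,0x2E,
    0x40,0x1E, 0xD0,0x05, 0x40,0x0B, 0x00,0x09, 0xA0,0x08, 0x00,0x09,
    0xFF,0xFF,0x00,0x00,  /* 99BC: stack top (placeholder)       */
    0xFF,0xFF,0x9B,0xA0,  /* 99C0: RAM_IRQ_Mem                   */
    0xFF,0xFF,0x9B,0xA0,  /* 99C4: RAM_IRQ_Mem                   */
    0x00,0x01,0x23,0x40,  /* 99C8: Main_Loop_Start (placeholder) */
};

static uint32_t be32(const uint8_t *p) {  /* SH-2 is big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* MOV.L @(disp,PC),Rn is 1101 nnnn dddddddd; the literal sits at
 * ((addr + 4) & ~3) + disp * 4. Returns 1 if `op` is that instruction. */
static int movl_pc_literal(uint32_t addr, uint16_t op,
                           unsigned *rn, uint32_t *lit) {
    if ((op & 0xF000u) != 0xD000u) return 0;
    *rn = (op >> 8) & 0xFu;
    *lit = ((addr + 4u) & ~3u) + (uint32_t)(op & 0xFFu) * 4u;
    return 1;
}

/* Return the literal most recently loaded into R0 when the first JSR @R0
 * (0x400B) is reached, or 0 if none resolves inside the image. */
static uint32_t jsr_r0_target(const uint8_t *img, size_t len, uint32_t base) {
    uint32_t target = 0, lit;
    unsigned rn;
    for (size_t off = 0; off + 2 <= len; off += 2) {
        uint16_t op = (uint16_t)((img[off] << 8) | img[off + 1]);
        if (op == 0x400Bu) return target;
        if (movl_pc_literal(base + (uint32_t)off, op, &rn, &lit) && rn == 0)
            target = (lit >= base && lit - base + 4 <= len)
                         ? be32(img + (lit - base)) : 0;
    }
    return 0;
}

int main(void) {
    printf("%08X\n", (unsigned)jsr_r0_target(stub, sizeof stub, STUB_BASE));
    return 0;
}
```

The scan is a heuristic: it tracks only PC-relative loads into R0 and ignores other writes to that register.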
Mar 30, 2008 | 11:01 AM | #9 | jcsbanks
1. Yes
2. FFFF8400 seems to be available on most/all ECUs for variables. Tephra is using that bit; I will probably use FFFF8480.
3. The stack moves downwards, leave "enough" space for it. I've not measured its size.
Apr 5, 2008 | 06:56 AM | #10 | JoeBee (Thread Starter)
Another one:
Can anybody give me a tip on which port/pin/variable is used for the ICS switch auto position?
Apr 5, 2008 | 07:25 AM | #11 | jcsbanks
http://www.aktivematrix.com/forum/vi...tercooler+port
Apr 5, 2008 | 08:14 AM | #12 | JoeBee (Thread Starter)
I already read this thread (and posted in it), but there is no information about the switch "auto" position.
This morning I logged all the processor ports that were possible through MUT, but no bit change occurred. I have found the change at PJDR bit 0 for the LED.

Now I am a little bit confused, because tephra is using it in his patches.

Where is this bit? (LOL, the search for ONE bit in a world of terabytes)

Last edited by JoeBee; Apr 5, 2008 at 08:16 AM.
Apr 5, 2008 | 08:34 AM | #13 | jcsbanks
IIRC, I probed all the ports and found nothing to show auto position, only the state of the spray or the light.

Ask tephra for a disasm of his V5 patch and it will show how he handles restoring the status.
Apr 5, 2008 | 09:24 AM | #14 | Jack_of_Trades
Originally Posted by tephra
> Yes, however you will need to transpose the tables to a free ROM location as adding rows/columns will inevitably increase the size of the table. This is pretty time consuming so most people just rescale the current axes to give different resolution!

I personally would LOVE to have a larger, more detailed fuel/timing map arrangement. This is the #1 argument any tuning shop will give you regarding an upgrade to a stand-alone. I hate plateau'ing large load areas with just one value and then have it JUMP to another plateau'd cell with a much higher/lower value. We'd be able to tune more accurately before the onset of knock, which translates to more reliable, consistent and powerful runs.
Apr 5, 2008 | 01:14 PM | #15 | nothere
Originally Posted by Jack_of_Trades
> I personally would LOVE to have a larger, more detailed fuel/timing map arrangement. This is the #1 argument any tuning shop will give you regarding an upgrade to a stand-alone. I hate plateau'ing large load areas with just one value and then have it JUMP to another plateau'd cell with a much higher/lower value. We'd be able to tune more accurately before the onset of knock, which translates to more reliable, consistent and powerful runs.

The huge maps are pretty, but the (aftermarket) computer only acknowledges a few cells on the way up the pull.