Calibration Id

Reply Subscribe

Thread Tools

Search this Thread

Dec 8, 2008 | 05:25 AM

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Calibration Id

I have been deciphering OBD routines and found CalibrationID, its universal at F6A.
Maybe some of you with OBD test machines can tell what bits are what number.

Last edited by acamus; Dec 8, 2008 at 06:02 AM.

Dec 8, 2008 | 08:19 AM

JohnBradley

Evolved Member

iTrader: (30)

Joined: Jan 2004

Posts: 11,406

Likes: 78

From: Northwest

Acamus, how many bits?

Dec 8, 2008 | 09:54 AM

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

88590015 example

00000F6A .data.l h'80413465
00000F6E .data.l h'80413465
00000F72 .data.l h'80413465
00000F76 .data.l h'80413465
00000F7A .data.l h'80413465
00000F7E .data.l h'80413465
00000F82 .data.l h'80413465
00000F86 .data.l h'80413465

Last edited by acamus; Nov 4, 2009 at 10:48 PM.

Dec 9, 2008 | 03:17 AM

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Quote:

Originally Posted by JohnBradley

Acamus, how many bits?

first byte - OBD reply
binary(hex) - hex

10000000 (h'80) - 31383630
10010000 (h'90) - 38363331
00010000 (h'10) - 4D42XXYY
00100000 (h'20) - 4D44XXYY
00110000 (h'30) - 4D52XXYY
01100000 (h'60) - 4D4EXXYY

where
XX = 2nd byte (upper nibble) + h'30
YY = 2nd byte (lower nibble) + h'30

Last edited by acamus; Dec 9, 2008 at 03:31 AM.

Dec 9, 2008 | 06:53 AM

MalibuJack

EvoM Guru

iTrader: (5)

Joined: Feb 2003

Posts: 10,572

Likes: 14

From: Royse City, TX

Its the ECUID, This address is common to all mitsubishi roms, altering the data in this location (the first 4 bytes, as it repeats portions several times) alters the ECUID and would confuse the Mitsubishi MUT Tool. This address is frequently manipulated by some tuners to "obfuscate" roms to prevent normal users from easily using them with ECUFlash. (tuners should take note that it can also confuse the MUT tool into overwriting someones rom with what it thinks is an update for the wrong car/year)

Dec 9, 2008 | 07:01 AM

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Quote:

Originally Posted by MalibuJack

Ecu Type Id is at F8A if I am not mistaken

i am speaking about F6A

88590015:
F8A: .data.w h'E4C7

This is also shown in EvoScan.

Last edited by acamus; Nov 4, 2009 at 10:48 PM.

Dec 9, 2008 | 07:13 AM

logic

Evolved Member

iTrader: (2)

Joined: Apr 2003

Posts: 1,022

Likes: 7

From: Berkeley, CA

Jack, I think you're referring to the series at 0xF44 (first word) and 0xF54 (second word), no?

Interestingly, 96530006 has this series:

Code:

                .org 0xF6A
unk_F6A:        .long 0x80412176
                .long 0x80FFFFFF
                .long 0x80FFFFFF
                .long 0x80FFFFFF
                .long 0x80FFFFFF
                .long 0x80FFFFFF
                .long 0x80FFFFFF
                .long 0x80FFFFFF

Similar first longword, but the rest is odd. Meanwhile, 96940011 looks more normal:

Code:

                .org 0xF6A
unk_F6A:        .long 0x80413118
                .long 0x80413119
                .long 0x80413118
                .long 0x80413118
                .long 0x80413118
                .long 0x80413118
                .long 0x80413118
                .long 0x80413119

This pattern is similar to others on 96940011 (which, I suspect, should actually be called 96930011); the first and third longwords are off by one compared to the rest, just like most of the other F44 and up 8-word sequences in this ROM.

Trending Topics

Headgasket to use for high boost applicaton

7

198
Tephra / Spark cut patch not working

4

296
2026: What Did You Do To Your Evo Today?

8k

1.1M
Evolution IX - NA Production Numbers (updated)

175

99.9k
Help identify this odd oem wing

2

169

Dec 9, 2008 | 07:22 AM

logic

Evolved Member

iTrader: (2)

Joined: Apr 2003

Posts: 1,022

Likes: 7

From: Berkeley, CA

Another interesting observation that came up while doing some disassembly; am I the only one who started seeing similarities between core ROM functionality and the descriptions of Renesas' Ho7000 operating system?

Links:

(Sorry for the random off-topic blurb, just thought those manuals were an interesting read.)

Dec 9, 2008 | 10:02 PM

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Quote:

Originally Posted by MalibuJack

MalibuJack, the initialization sequence is

h'FE - immobilizer
h'FF - init code
h'FE - immobilizer
h'FF - init code
h'FD - immo status
h'FD - immo status
h'FD - immo status

Until immo is confirmed to be valid / is configured in periphery bits, h'FE and h'FF returns F8A

The F6A is used with requests 0xEC,0xED,0xEE,0xEF
you can retrieve words of F6A with these requests.

Value of 0xEC request is then used also with OBD Mode 09, PID 04 request.

Am I overseeing something?

Dec 11, 2008 | 10:01 AM

#10

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

bump 4 MalibuJack & JohnBradley

Dec 11, 2008 | 12:19 PM

#11

MalibuJack

EvoM Guru

iTrader: (5)

Joined: Feb 2003

Posts: 10,572

Likes: 14

From: Royse City, TX

It makes perfect sense that the MUT Init returns that info, the MUT tool relies on that information to determine which rompacks and patches to load.

Duhh, I had a brain fart earlier about the code, haven't looked at any of this stuff in several months. I haven't gone deep enough into any of the disassembly to offer much more though.

Dec 11, 2008 | 12:21 PM

#12

jcsbanks

Evolved Member

Joined: May 2006

Posts: 2,399

Likes: 6

From: UK

To log MUT though you don't actually need all this init stuff even if the MUT tool does it for its own purposes, just an 1800ms break signal and then wait about 250ms (ie 5 baud 0x00).

Apr 16, 2010 | 08:45 AM

#13

acamus

Thread Starter

Evolved Member

Joined: Mar 2008

Posts: 730

Likes: 3

From: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude

Recently I have found the values return Case ID (like 1860A118 or MN132874)
I will work out the scaling later.

Apr 16, 2010 | 11:14 AM

#14

sba

Evolving Member

Joined: Nov 2007

Posts: 153

Likes: 2

From: East Europe

Nice findings!

Quote:

Originally Posted by acamus

Recently I have found the values return Case ID (like 1860A118 or MN132874)
I will work out the scaling later.

Apr 16, 2010 | 05:47 PM

#15

Ceddy

Evolving Member

Joined: Apr 2008

Posts: 265

Likes: 1

From: Reading, PA

Quote:

Originally Posted by acamus

Recently I have found the values return Case ID (like 1860A118 or MN132874)
I will work out the scaling later.

Now that you pointed it out, its obvious.

Have you worked out the scaling for letters?
The few roms I've looked at have 0x20 as first letter, and the Case Id is "MD"

Reply Share

First
Prev
1 / 2
Next
Last