FreeFuel ECU patch - a flex fuel implementation to Evo ECU
#378
EvoM Guru
iTrader: (4)
I spent some quality time with IDA Pro over the past few weekends. Need to justify my IDA license renewal cost for the year somehow.
First and foremost: Huge thanks to ast for generously posting his well-documented source code and notes.
Second: I just barely started disassembling the Evo ECU last week, so consider everything here to be very preliminary until I can get a better grasp of what's going on in the ECU. There's a lot of assembly to sift through.
ast documented the addresses of the patched table lookup calls in his 96530706 ROM in the Address_map.TXT file included with his source code. I matched those patch points to the following locations in my 88592715 ROM. These patch points require some double-checking from someone with a more complete disassembly.
Tephra V7 Table Addresses. These are easily translated from the corresponding .XMLs:
Other memory locations:
The following constants and tables from the Flex Fuel patch need to be relocated elsewhere in the 8859 ROM:
Likewise, the following RAM variables need to be relocated to an unused portion of the 8859 RAM segment:
I can't actually run E85 in my current autocross class, so I don't yet expect to take this much farther. However, hopefully my notes can be helpful to someone with a more complete disassembly who is already tooled up to generate ECU patches. I would love to have this as an option in the future.
First and foremost: Huge thanks to ast for generously posting his well-documented source code and notes.
Second: I just barely started disassembling the Evo ECU last week, so consider everything here to be very preliminary until I can get a better grasp of what's going on in the ECU. There's a lot of assembly to sift through.
ast documented the addresses of the patched table lookup calls in his 96530706 ROM in the Address_map.TXT file included with his source code. I matched those patch points to the following locations in my 88592715 ROM. These patch points require some double-checking from someone with a more complete disassembly.
Code:
Routine 9653 8859 --------- ------- ------- Fuel 0x1489A 0x17D6E Ignition 0x182C0 0x1BBD2 Primer 0x16C36 0x1A280 BWGDC 0x3f20E 0x5120E BDEL 0x3F150 0x51150
Code:
Tables 9653 8859 --------------------- ------- ------- GAS_BDEL_TB_ADDR: .long 0x399C2 0x4b9c2 ! TephraMod V7 BDEL map ETH_BDEL_TB_ADDR: .long 0x381C2 0x4a1c2 ! TephraMod V7 ALT BDEL map GAS_BWGDC_TB_ADDR: .long 0x39942 0x4b942 ! TephraMod V7 BWGDC map ETH_BWGDC_TB_ADDR: .long 0x38142 0x4a142 ! TephraMod V7 ALT BWGDC map GAS_INJ_SCALING_ADDR: .long 0x1506 0x1106 ! Tephra V7 Inj Scaling ETH_INJ_SCALING_ADDR: .long 0x37B40 0x49B40 ! Tephra V7 ALT inj scaling GAS_FUEL_TB_ADDR: .long 0x38742 0x4a742 ! Tephra V7 HI Fuel map ETH_FUEL_TB_ADDR: .long 0x37B42 0x49b42 ! Tephra V7 ALT FUEL map GAS_IGN_TB_ADDR: .long 0x38D42 0x4ad42 ! Tephra V7 HI IGN map ETH_IGN_TB_ADDR: .long 0x37E42 0x49e42 ! Tephra V7 ALT IGN map GAS_PRIMER_TB_ADDR: .long 0x58C8 0x52aa ! Tephra V7 HI IGN map ETH_PRIMER_TB_ADDR: .long 0x38244 0x4a244 ! Tephra V7 ALT IGN map
Code:
Variables 9653 8859 ------------------------ ---------- ---------- TEPHRA_BDEL_PTR_ADDR: .long 0xFFFF8430 0xFFFF8430 ! tephra pointer for active BDEL table, used if boost interpolation is disabled TEPHRA_BWGDC_PTR_ADDR: .long 0xFFFF842C 0xFFFF842C ! tephra pointer for active BWGDC table, used if boost interpolation is disabled FF_SENSOR_ADC_ADDR: .long 0xFFFF8950 0xFFFF6B0C ???? ! address of the ADC input LOAD_ADDR: .long 0xFFFF897A 0xFFFF6B36 ???? ! ECULoad (8-bit) RPM_ADDR: .long 0xFFFF896C 0xFFFF6B28 ! RPM (8-bit)
Code:
FF_FORCE_ADDR: .long 0x2E00 FF_FORCE_VALUE_ADDR: .long 0x2E02 FF_SAFETY_ADDR: .long 0x2E04 FF_SAFETY_LL_ADDR: .long 0x2E06 FF_SAFETY_HL_ADDR: .long 0x2E08 FF_UPDATE_MAX_LOAD_ADDR: .long 0x2E0A FF_UPDATE_MAX_RPM_ADDR: .long 0x2E0C FF_BOOST_INTPOL_ENA_ADDR: .long 0x2E0E AX_FF_SENSOR_FUEL_ADDR: .long 0x2E20 ! FF sensor scale axis for fuel (2 items) AX_FF_SENSOR_IGN_ADDR: .long 0x2E40 ! FF sensor scale axis for IGN (4 items) FF_FUEL_INTPOL_TB_ADDR: .long 0x2E60 ! fuel interpolation table (2 items) FF_IGN_INTPOL_TB_ADDR: .long 0x2E72 ! IGN interpolation table (4 items) FF_INJECTOR_CORR_TB_ADDR: .long 0x2E84 ! Injector correction table to handle possible unlinearity AX_FF_ETHANOL_CONTENT_ADDR: .long 0x2E96 ! Ethanol content scale axis for injector correction table
Code:
FF_SENSOR_FILT_ADDR: .long 0xFFFF94C0 ! updated if under max load or force on FF_INJ_SCALING_ADDR: .long 0xFFFF94C2 TLR_FF_FUEL_INTPOL_ADDR: .long 0xFFFF94C4 TLR_FF_IGN_INTPOL_ADDR: .long 0xFFFF94C6 TLR_FF_GAS_FUEL_ADDR: .long 0xFFFF94C8 TLR_FF_ETH_FUEL_ADDR: .long 0xFFFF94CA FF_FUEL_RES_DBG: .long 0xFFFF94CC TLR_FF_GAS_IGN: .long 0xFFFF94CE TLR_FF_ETH_IGN: .long 0xFFFF94D0 FF_IGN_RES_DBG: .long 0xFFFF94D2 TLR_FF_GAS_PRIMER: .long 0xFFFF94D4 TLR_FF_ETH_PRIMER: .long 0xFFFF94D6 FF_PRIMER_RES_DBG: .long 0xFFFF94D8 TLR_FF_INJECTOR_CORR_ADDR: .long 0xFFFF94E0 TLR_FF_GAS_BWGDC: .long 0xFFFF94E2 TLR_FF_ETH_BWGDC: .long 0xFFFF94E4 FF_BWGDC_RES_DBG: .long 0xFFFF94E6 TLR_FF_GAS_BDEL: .long 0xFFFF94E8 TLR_FF_ETH_BDEL: .long 0xFFFF94EA FF_BDEL_RES_DBG: .long 0xFFFF94EC
The following 2 users liked this post by Construct:
3SgteGuru (Feb 8, 2017),
dr_latino999 (Nov 17, 2016)
#380
Newbie
I have been looking into converting to the 3 plug Evo VIII ECU.
I'd need to make an adaptor loom, because the car is a 1995 Lancer GSR (Similar to Evo III). I've got it running on a VII ECU currently, but looks like flex fuel aint gonna be a thing on that ECU.
I can make my own adaptor loom, and source an VIII ECU, might be the easier option.
Is there an actual guide on how to set this all up, or do I have to read all 26 pages
I'd need to make an adaptor loom, because the car is a 1995 Lancer GSR (Similar to Evo III). I've got it running on a VII ECU currently, but looks like flex fuel aint gonna be a thing on that ECU.
I can make my own adaptor loom, and source an VIII ECU, might be the easier option.
Is there an actual guide on how to set this all up, or do I have to read all 26 pages
Last edited by 3VOLUTIONIST; Nov 18, 2016 at 05:57 PM.
#381
Evolving Member
iTrader: (12)
Tephra V7 Table Addresses. These are easily translated from the corresponding .XMLs:
Code:
Tables 9653 8859 --------------------- ------- ------- GAS_BDEL_TB_ADDR: .long 0x399C2 0x4b9c2 ! TephraMod V7 BDEL map ETH_BDEL_TB_ADDR: .long 0x381C2 0x4a1c2 ! TephraMod V7 ALT BDEL map GAS_BWGDC_TB_ADDR: .long 0x39942 0x4b942 ! TephraMod V7 BWGDC map ETH_BWGDC_TB_ADDR: .long 0x38142 0x4a142 ! TephraMod V7 ALT BWGDC map GAS_INJ_SCALING_ADDR: .long 0x1506 0x1106 ! Tephra V7 Inj Scaling ETH_INJ_SCALING_ADDR: .long 0x37B40 0x49B40 ! Tephra V7 ALT inj scaling GAS_FUEL_TB_ADDR: .long 0x38742 0x4a742 ! Tephra V7 HI Fuel map ETH_FUEL_TB_ADDR: .long 0x37B42 0x49b42 ! Tephra V7 ALT FUEL map GAS_IGN_TB_ADDR: .long 0x38D42 0x4ad42 ! Tephra V7 HI IGN map ETH_IGN_TB_ADDR: .long 0x37E42 0x49e42 ! Tephra V7 ALT IGN map GAS_PRIMER_TB_ADDR: .long 0x58C8 0x52aa ! Tephra V7 HI IGN map ETH_PRIMER_TB_ADDR: .long 0x38244 0x4a244 ! Tephra V7 ALT IGN map
All your table addresses ending in 2 end in the XML's as d. Is there any particular reason that I'm missing for this to happen, or should I drink more coffee?
#382
EvoM Guru
iTrader: (4)
The XML address is the beginning of the actual table data. The above addresses are the beginning of the table header in the ROM. EcuFlash only cares about the actual table data, but the table lookup routines in the ROM need to work with the extra values in the table headers.
#383
Evolving Member
iTrader: (12)
The XML address is the beginning of the actual table data. The above addresses are the beginning of the table header in the ROM. EcuFlash only cares about the actual table data, but the table lookup routines in the ROM need to work with the extra values in the table headers.
#384
Evolved Member
iTrader: (2)
I have been looking into converting to the 3 plug Evo VIII ECU.
I'd need to make an adaptor loom, because the car is a 1995 Lancer GSR (Similar to Evo III). I've got it running on a VII ECU currently, but looks like flex fuel aint gonna be a thing on that ECU.
I can make my own adaptor loom, and source an VIII ECU, might be the easier option.
Is there an actual guide on how to set this all up, or do I have to read all 26 pages
I'd need to make an adaptor loom, because the car is a 1995 Lancer GSR (Similar to Evo III). I've got it running on a VII ECU currently, but looks like flex fuel aint gonna be a thing on that ECU.
I can make my own adaptor loom, and source an VIII ECU, might be the easier option.
Is there an actual guide on how to set this all up, or do I have to read all 26 pages
#387
Evolved Member
iTrader: (3)
I spent some quality time with IDA Pro over the past few weekends. Need to justify my IDA license renewal cost for the year somehow.
First and foremost: Huge thanks to ast for generously posting his well-documented source code and notes.
Second: I just barely started disassembling the Evo ECU last week, so consider everything here to be very preliminary until I can get a better grasp of what's going on in the ECU. There's a lot of assembly to sift through.
ast documented the addresses of the patched table lookup calls in his 96530706 ROM in the Address_map.TXT file included with his source code. I matched those patch points to the following locations in my 88592715 ROM. These patch points require some double-checking from someone with a more complete disassembly.
Tephra V7 Table Addresses. These are easily translated from the corresponding .XMLs:
Other memory locations:
The following constants and tables from the Flex Fuel patch need to be relocated elsewhere in the 8859 ROM:
Likewise, the following RAM variables need to be relocated to an unused portion of the 8859 RAM segment:
I can't actually run E85 in my current autocross class, so I don't yet expect to take this much farther. However, hopefully my notes can be helpful to someone with a more complete disassembly who is already tooled up to generate ECU patches. I would love to have this as an option in the future.
First and foremost: Huge thanks to ast for generously posting his well-documented source code and notes.
Second: I just barely started disassembling the Evo ECU last week, so consider everything here to be very preliminary until I can get a better grasp of what's going on in the ECU. There's a lot of assembly to sift through.
ast documented the addresses of the patched table lookup calls in his 96530706 ROM in the Address_map.TXT file included with his source code. I matched those patch points to the following locations in my 88592715 ROM. These patch points require some double-checking from someone with a more complete disassembly.
Code:
Routine 9653 8859 --------- ------- ------- Fuel 0x1489A 0x17D6E Ignition 0x182C0 0x1BBD2 Primer 0x16C36 0x1A280 BWGDC 0x3f20E 0x5120E BDEL 0x3F150 0x51150
Code:
Tables 9653 8859 --------------------- ------- ------- GAS_BDEL_TB_ADDR: .long 0x399C2 0x4b9c2 ! TephraMod V7 BDEL map ETH_BDEL_TB_ADDR: .long 0x381C2 0x4a1c2 ! TephraMod V7 ALT BDEL map GAS_BWGDC_TB_ADDR: .long 0x39942 0x4b942 ! TephraMod V7 BWGDC map ETH_BWGDC_TB_ADDR: .long 0x38142 0x4a142 ! TephraMod V7 ALT BWGDC map GAS_INJ_SCALING_ADDR: .long 0x1506 0x1106 ! Tephra V7 Inj Scaling ETH_INJ_SCALING_ADDR: .long 0x37B40 0x49B40 ! Tephra V7 ALT inj scaling GAS_FUEL_TB_ADDR: .long 0x38742 0x4a742 ! Tephra V7 HI Fuel map ETH_FUEL_TB_ADDR: .long 0x37B42 0x49b42 ! Tephra V7 ALT FUEL map GAS_IGN_TB_ADDR: .long 0x38D42 0x4ad42 ! Tephra V7 HI IGN map ETH_IGN_TB_ADDR: .long 0x37E42 0x49e42 ! Tephra V7 ALT IGN map GAS_PRIMER_TB_ADDR: .long 0x58C8 0x52aa ! Tephra V7 HI IGN map ETH_PRIMER_TB_ADDR: .long 0x38244 0x4a244 ! Tephra V7 ALT IGN map
Code:
Variables 9653 8859 ------------------------ ---------- ---------- TEPHRA_BDEL_PTR_ADDR: .long 0xFFFF8430 0xFFFF8430 ! tephra pointer for active BDEL table, used if boost interpolation is disabled TEPHRA_BWGDC_PTR_ADDR: .long 0xFFFF842C 0xFFFF842C ! tephra pointer for active BWGDC table, used if boost interpolation is disabled FF_SENSOR_ADC_ADDR: .long 0xFFFF8950 0xFFFF6B0C ???? ! address of the ADC input LOAD_ADDR: .long 0xFFFF897A 0xFFFF6B36 ???? ! ECULoad (8-bit) RPM_ADDR: .long 0xFFFF896C 0xFFFF6B28 ! RPM (8-bit)
Code:
FF_FORCE_ADDR: .long 0x2E00 FF_FORCE_VALUE_ADDR: .long 0x2E02 FF_SAFETY_ADDR: .long 0x2E04 FF_SAFETY_LL_ADDR: .long 0x2E06 FF_SAFETY_HL_ADDR: .long 0x2E08 FF_UPDATE_MAX_LOAD_ADDR: .long 0x2E0A FF_UPDATE_MAX_RPM_ADDR: .long 0x2E0C FF_BOOST_INTPOL_ENA_ADDR: .long 0x2E0E AX_FF_SENSOR_FUEL_ADDR: .long 0x2E20 ! FF sensor scale axis for fuel (2 items) AX_FF_SENSOR_IGN_ADDR: .long 0x2E40 ! FF sensor scale axis for IGN (4 items) FF_FUEL_INTPOL_TB_ADDR: .long 0x2E60 ! fuel interpolation table (2 items) FF_IGN_INTPOL_TB_ADDR: .long 0x2E72 ! IGN interpolation table (4 items) FF_INJECTOR_CORR_TB_ADDR: .long 0x2E84 ! Injector correction table to handle possible unlinearity AX_FF_ETHANOL_CONTENT_ADDR: .long 0x2E96 ! Ethanol content scale axis for injector correction table
Code:
FF_SENSOR_FILT_ADDR: .long 0xFFFF94C0 ! updated if under max load or force on FF_INJ_SCALING_ADDR: .long 0xFFFF94C2 TLR_FF_FUEL_INTPOL_ADDR: .long 0xFFFF94C4 TLR_FF_IGN_INTPOL_ADDR: .long 0xFFFF94C6 TLR_FF_GAS_FUEL_ADDR: .long 0xFFFF94C8 TLR_FF_ETH_FUEL_ADDR: .long 0xFFFF94CA FF_FUEL_RES_DBG: .long 0xFFFF94CC TLR_FF_GAS_IGN: .long 0xFFFF94CE TLR_FF_ETH_IGN: .long 0xFFFF94D0 FF_IGN_RES_DBG: .long 0xFFFF94D2 TLR_FF_GAS_PRIMER: .long 0xFFFF94D4 TLR_FF_ETH_PRIMER: .long 0xFFFF94D6 FF_PRIMER_RES_DBG: .long 0xFFFF94D8 TLR_FF_INJECTOR_CORR_ADDR: .long 0xFFFF94E0 TLR_FF_GAS_BWGDC: .long 0xFFFF94E2 TLR_FF_ETH_BWGDC: .long 0xFFFF94E4 FF_BWGDC_RES_DBG: .long 0xFFFF94E6 TLR_FF_GAS_BDEL: .long 0xFFFF94E8 TLR_FF_ETH_BDEL: .long 0xFFFF94EA FF_BDEL_RES_DBG: .long 0xFFFF94EC
The data ive been looking for
Can't wait for this to be finished. Im fuel swapping right now. Anything i can do to help Let me know, I have access to a dyno and im not completely illiterate when it comes to assembly. (i understand like 2% of it)