Ok! Thanks! my rom is 96530006! (Evo VIII)

 

OK, I *think* I found the table that mrfred refers to as the rear 02 sim hook for the 96940011 ROM. Now, I have the task of figuring out the rest.



Eric

 

Is there any hope of simulating the voltage for the heater circuit in the rom?

 

The ECU expects the rear O2 signal to be somewhat like an attenuated version of the front O2 signal. What I've done is divide the front O2 signal by four, and then to bring the midpoint of the reduced front O2 signal back up, I added it to the load160 divided by eight. So:

sim rearO2 = frontO2/4 + load160/8

I then insert the simulated value in place of the real value just after the real value is read by the ECU. Works great and code size is nice and small.

 

Probably, but need to find the time. I just got my TBE installed and am tuning mode for a little while. And I need to get my darned LC-1 installed so I can tune properly. After that, I'll have time again before I embark on installing all the flex fuel components. :-)

 

Thanks for the explanation. I'm just about to follow your new code, looking at the 88590015 ROM in IDA Pro. I'm going to attempt to patch the 96940011, if I think I know what I am doing. I'll probably post up some screenshots here for you to take a look at to see if I am on the right track or not.


Eric

 

Also, to expand upon this a little more, the FSM states the following for the cat to pass the efficiency test:

The heated oxygen sensor (rear) signal frequency
divided by heated oxygen sensor (front)
signal frequency = 0.15 or more.

I'm not sure how the frequency relates to voltage, but if they are proportional, basically this is saying that the rear O2 voltage needs to always be greater than .15 (assuming that 1V is the max for our narrband sensors).

Using your equation even at the low end of the front O2 voltage, like .1, and a load of about 30 should still should satisfy what the ECU is looking for:

.1/4 +30/8 = 3.775

So, it looks like you did good. But, thinking about this a little more, wouldn't it simply be easier to have it read a variable that held a value like .5 or something like that, rather than having to have it lookup the front O2 sensor value and the load160 value? Just asking questions...you know more about disassembly than me, since I know next to nothing.

BTW, here is the page from the SM:



Eric

 

Key things you'll need to work out:

- Find front O2 main (ADC) RAM variable
- Find load160 RAM variable
- Find rear O2 main (ADC) RAM variable
- Find an unused ADC poll routine. This is where I hook into the ROM. Could be challenging to find this.

I saw your second message about using a constant. Tried that. Doesn't work. :-) If you look at some of the other rear O2 CEL codes, you'll see that a code is generated when the rear O2 signal is static for some period of time. Found that out after the trying a constant didn't work. I believe that there is also another code that is generated if the rear O2 signal doesn't go to zero (or nearly zero) during decel. Lots of hoops to jump through. That's why I was very happy to find a relatively simple solution.

 

OK, figured you did it that way for a good reason...just trying to learn more for myself.

Thanks for the pointers above. I think I found the same routine in my ROM that you used in your ROM, so I think I can take it from here...*maybe*. I might throw some questions at you here and there.

One thing I found though...Tephra is right. There is almost no free space in the 96940011 ROM to add new code. But, your code is pretty small, so it shouldn't be a problem.


Eric

 

Cleaned up the simulation code. Now four lines shorter.

 

mrfred,

Quick question for you before I go ahead and post up my IDA Pro screenshots for this patch for 96940011 ROM. I think I followed everything that you have done for your ROM and have found the correct variables from my ROM.

My question is for your ROM, what is variable FFFF6A74?

I see that you used the following variables and from looking at the mut table and requests, this is what I can tell:

FFFF 6A64 request 13 (front O2)
FFFF 6B36 request 1C (load160)
FFFF 6A68 request 3C (rear O2)
FFFF 6A74 request 5C (???????)



Thanks,
Eric

 

Looks like you've got the RAM addresses worked out. Check out my revised code. FFFF6A74 is no longer called. That was actually a bit of legacy code that I forgot to remove after I got everything working. Remember when looking up the RAM addresses at those MUT requests that the RAM address listed is just the low byte. I'm sure you know that, but just want to be sure.

Next two steps:
1) Find a section of used ROM space where you can insert the sim subroutine

2) Find a redundant ADC lookup. In the Evo 9 ROM code, ADC channel 8 is looked up twice. Only one of the lookups is used. For the Evo 9 ROM, the second one is unused. This is where it could take you a while. I suggest using my ADC notes as a guide:

https://www.evolutionm.net/forums/sh...d.php?t=314779

If a few of the ADC channels in your ROM are used for the same things as in my ROM, then you should be safe to use ADC 08-2.

 

Where is your revised code? I used this extra address in adding my new code, except using the address for my ROM, as I didn't know it wasn't in your revised code. As far as the RAM addresses at the MUT requests, yes I figured out that they are simply the low byte, since the MUT table is showing a value one higher than those address values.


This is where I will most likely need your help, as I really don't understand this part. What I did here was looked at the code in your ROM and location that you hooked in. I found that exact same code in my ROM and used the same location to hook in. I don't know if that is right or not, but I in the next post, I will post up screenshots for you to look at to see if it makes sense. Believe me when I say I know pretty much nothing about disassembly, so I'm pretty much taking shots in the dark. I'm hoping after you look at my next post, you can nudge me in the right direction or just let me know that I am completely lost.


Thanks,
Eric

 

mrfred,

OK, as promised, here is what I have for my ROM, 96940011. Here are some screenshots comparing your ROM, before and after, and my ROM, before and after. Let me know if this looks like it is correct or what I would have to do to tell if it is correct. I read what you wrote above, but once you got into the ADC lookups, I'm lost at that point.

OK, here is a screenshot of the changes you made to your ROM. I'm sure you are very familiar with this, but for reference and comparison to my ROM. The screenshot shows the 'sim hook' location in the original ROM, the patched code, and the new subroutine:



Next, here is a screenshot showing my ROM (96940011) showing what I think is the same code reference as you used for your sim hook. Again, the first code is the stock ROM, then the patched code, then the new subroutine.



Here are the MUT tables, just to show that I am using the same addresses (the low byte) as you have used in your subroutine.




So, does it look like I am doing this right? I'm guessing that the location that I am using for the sim hook needs to be verified if it is a redundant ADC lookup? I think that is where I'm not sure what to do.

Anyway, thanks for helping and let me know where I should go from here or if this looks right, as far as you can tell.


Thanks,
Eric

 

Revised code is in my post where I first showed the code.