Deciphering the ECU - LotusTalk - The Lotus Cars Community
post #1 of 65 (permalink) Old 06-16-2006, 07:30 PM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
Deciphering the ECU

Attached is a Motorola Hex File. It contains the Code that runs the ECU for the 05 Elise. I know there are quite a few Computer experts out there so how about us getting a group together to decipher the ECU.

The first items on the agenda should be:
1) Identify what the Maps are
2) Identify how the ECU learns and adapts

I am also going to attach some links to demo software that can be used to find the Maps and be used to decode the hex file.

IDA Pro demo http://www.datarescue.com/
WinOLS demo http://www.evc.de/en/download/default.asp
Attached Files
File Type: zip ECU Code.zip (803.1 KB, 289 views)

Last edited by scottyb; 06-16-2006 at 08:01 PM.
scottyb is offline  
 
post #2 of 65 (permalink) Old 06-16-2006, 07:34 PM
Registered User
 
Beanie's Avatar
 
Join Date: Oct 2004
Location: Jacksonville, FL
Posts: 2,925
It is a Motorola _______?

It is all about "Other".
Beanie is offline  
post #3 of 65 (permalink) Old 06-16-2006, 07:38 PM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
Quote:
Originally Posted by Beanie
It is a Motorola _______?
Our Processor for 05 ECU is Motorola 68376BGVFT25.

Most programs will show the series as Motorola 68330 series processor.
scottyb is offline  
 
post #4 of 65 (permalink) Old 06-16-2006, 08:00 PM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
According to WinOLS:

Map 1 appears to be between addresses 73642 to 73C96

Map 2 appears to be between 86251 and 86A94

Map 3 between 0A4215 and 0A5052

Map 4 starts around 0C52EA

Map 5 between 0EG23C and 0E66B0

These may or may not be the actual addresses.
scottyb is offline  
post #5 of 65 (permalink) Old 06-16-2006, 09:03 PM
Registered User
 
raygr's Avatar
 
Join Date: Oct 2005
Location: Seattle Area
Posts: 371
Scottyb, I see your profile says you are a pediatric dentist. So, by what means and skills did you come up with this stuff?

Good job!

Ray in Washington State - 07 Exige S
raygr is offline  
post #6 of 65 (permalink) Old 06-17-2006, 04:57 AM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
Quote:
Originally Posted by raygr
Scottyb, I see your profile says you are a pediatric dentist. So, by what means and skills did you come up with this stuff?
Past Life
scottyb is offline  
post #7 of 65 (permalink) Old 06-19-2006, 09:22 PM
Registered User
 
APOGEE's Avatar
 
Join Date: Aug 2004
Location: Newport Beach Ca
Posts: 859
Talking ecu

Quote:
Originally Posted by Stan
Time will tell...the boxes will be figured out.
****, did you say ? Don.

"I always tell my students to follow their bliss - where the deep sense of being is from, and where your body and soul want to go." Joseph Campbell

Last edited by APOGEE; 06-19-2006 at 10:27 PM. Reason: too much beer
APOGEE is offline  
post #8 of 65 (permalink) Old 06-20-2006, 01:19 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
can register config starts at 142F6:

Code:
|  S U B	R O U T	I N E 

| Attributes: bp-based frame

sub_000142F6:				| CODE XREF: sub_0002868E+196p
		link	a6, #0
		ori.w	#0x200,	(CANCONFIG_0xFFF080).l

loc_00014302:				| CODE XREF: sub_000142F6+14j
		btst	#1, (CANCONFIG_0xFFF080).l
		bne.s	loc_00014302

		ori.w	#0x1000, (CANCONFIG_0xFFF080).l

loc_00014314:				| CODE XREF: sub_000142F6+2Cj
		move.w	(CANCONFIG_0xFFF080).l,	d0
		andi.w	#0x900,	d0
		cmpi.w	#0x900,	d0
		bne.s	loc_00014314

		move.b	#-0x40,	(CANCTRL0_0xFFF086).l
		move.b	#3, (CANCTRL1_0xFFF087).l
		move.b	#0xA, (CANCTRL2_0xFFF089).l
		move.b	#1, (PRESDIV_0xFFF088).l
		clr.w	(CAN0_STAT_0xFFF100).l
		clr.w	(CAN0IDH_0xFFF102).l
		clr.w	(CAN0IDL_0xFFF104).l
		ori.w	#0x80, (CAN0_STAT_0xFFF100).l |	''
		clr.w	(unk_00FFF110).l
		clr.w	(unk_00FFF112).l
		clr.w	(unk_00FFF114).l
		ori.w	#0x80, (unk_00FFF110).l	| ''
		clr.w	(unk_00FFF120).l
		clr.w	(unk_00FFF122).l
		clr.w	(unk_00FFF124).l
		ori.w	#0x80, (unk_00FFF120).l	| ''
		clr.w	(unk_00FFF130).l
		clr.w	(unk_00FFF132).l
		clr.w	(unk_00FFF134).l
		ori.w	#0x80, (unk_00FFF130).l	| ''
		clr.w	(unk_00FFF140).l
		clr.w	(unk_00FFF142).l
		clr.w	(unk_00FFF144).l
		ori.w	#0x80, (unk_00FFF140).l	| ''
		clr.w	(unk_00FFF150).l
		clr.w	(unk_00FFF152).l
		clr.w	(unk_00FFF154).l
		ori.w	#0x80, (unk_00FFF150).l	| ''
		clr.w	(unk_00FFF160).l
		clr.w	(unk_00FFF162).l
		clr.w	(unk_00FFF164).l
		ori.w	#0x80, (unk_00FFF160).l	| ''
		clr.w	(unk_00FFF170).l
		clr.w	(unk_00FFF172).l
		clr.w	(unk_00FFF174).l
		ori.w	#0x80, (unk_00FFF170).l	| ''
		clr.w	(unk_00FFF180).l
		clr.w	(unk_00FFF182).l
		clr.w	(unk_00FFF184).l
		ori.w	#0x80, (unk_00FFF180).l	| ''
		clr.w	(unk_00FFF190).l
		clr.w	(unk_00FFF192).l
		clr.w	(unk_00FFF194).l
		ori.w	#0x80, (unk_00FFF190).l	| ''
		clr.w	(unk_00FFF1A0).l
		clr.w	(unk_00FFF1A2).l
		clr.w	(unk_00FFF1A4).l
		ori.w	#0x80, (unk_00FFF1A0).l	| ''
		clr.w	(unk_00FFF1B0).l
		clr.w	(unk_00FFF1B2).l
		clr.w	(unk_00FFF1B4).l
		ori.w	#0x80, (unk_00FFF1B0).l	| ''
		clr.w	(unk_00FFF1C0).l
		clr.w	(unk_00FFF1C2).l
		clr.w	(unk_00FFF1C4).l
		ori.w	#0x80, (unk_00FFF1C0).l	| ''
		clr.w	(unk_00FFF1D0).l
		move.w	#0x2000, (unk_00FFF1D2).l
		clr.w	(unk_00FFF1D4).l
		ori.w	#0x40, (unk_00FFF1D0).l	| '@'
		clr.w	(unk_00FFF1E0).l
		move.w	#0x1000, (unk_00FFF1E2).l
		clr.w	(unk_00FFF1E4).l
		ori.w	#0x40, (unk_00FFF1E0).l	| '@'
		clr.w	(unk_00FFF1F0).l
		move.w	#0xA00,	(unk_00FFF1F2).l
		clr.w	(unk_00FFF1F4).l
		ori.w	#0x40, (unk_00FFF1F0).l	| '@'
		move.w	#-0xF1,	(unk_00FFF090).l
		move.w	#-2, (unk_00FFF092).l
		move.w	#-0x11,	(unk_00FFF094).l
		move.w	#-2, (unk_00FFF096).l
		move.w	#-0xF1,	(unk_00FFF098).l
		move.w	#-2, (unk_00FFF09A).l
		andi.w	#-8, (unk_00FFF0A0).l
		ori.w	#0xE, (CANCONFIG_0xFFF080).l
		move.w	#0x360,	(unk_00FFF084).l
		move.w	#-0x1FF1, (unk_00FFF0A2).l
		andi.w	#-0x1001, (CANCONFIG_0xFFF080).l
		unlk	a6
		rts	

| End of function sub_000142F6

can registers are FFF080-FFF0FF
can buffers are FFF100-FFF1FF
rob13572468 is offline  
post #9 of 65 (permalink) Old 06-20-2006, 01:34 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
here is my version of the same routine.
vbulletin stinks for formatting!

Code:
SetupCAN:                               
                link    a6,#0
                ori.w   #$200,(CANMCR).l ; TouCAN Module Configuration Register

loc_14282:                              
                btst    #1,(CANMCR).l   ; TouCAN Module Configuration Register
                bne.s   loc_14282
                ori.w   #$1000,(CANMCR).l ; TouCAN Module Configuration Register

loc_14294:                              
                move.w  (CANMCR).l,d0   ; TouCAN Module Configuration Register
                andi.w  #$900,d0
                cmpi.w  #$900,d0
                bne.s   loc_14294
                move.b  #$C0,(CANCTRL0).l ; Control Register 0 (CANCTRL0)
                move.b  #3,(CANCTRL1).l ; Control Register 1 (CANCTRL1)
                move.b  #$A,(CANCTRL2).l
                move.b  #1,(PRESDIV).l  ; Prescaler Divider Register
                clr.w   (CONSTAT).l     ; Control / Status CAN Message
                                        ; 15:8 Time Stamp
                                        ; 7:4 Code
                                        ; 3:0 Length
                                        ;
                clr.w   (ID_HIGH).l     ; ID High CAN
                                        ; 28:18 ID
                                        ; RTR
                                        ; 0
                                        ; 0
                                        ; 0
                                        ; 0
                                        ;
                clr.w   (ID_LOW).l      ; ID Low CAN
                                        ; 16 bit time stamp
                ori.w   #$80,(CONSTAT).l ;  ; Control / Status CAN Message
                                        ; 15:8 Time Stamp
                                        ; 7:4 Code
                                        ; 3:0 Length
                                        ;
                clr.w   (CANMSGBUF1).l
                clr.w   (CANMSGBUF1A).l
                clr.w   (CAMMSGBUF1c).l
                ori.w   #$80,(CANMSGBUF1).l ; 
                clr.w   (CANMSGBUF2).l
                clr.w   (CANMSGBUF2a).l
                clr.w   (CANMSGBUF2b).l
                ori.w   #$80,(CANMSGBUF2).l ; 
                clr.w   (CANMSGBUF3).l
                clr.w   (CANMSGBUF3a).l
                clr.w   (unk_FFF134).l
                ori.w   #$80,(CANMSGBUF3).l ; 
                clr.w   (CANMSGBUF4).l
                clr.w   (CAMMSGBUF4b).l
                clr.w   (CANMSGBUF4a).l
                ori.w   #$80,(CANMSGBUF4).l ; 
                clr.w   (CANMSGBUF5).l
                clr.w   (CANMSGBUF5a).l
                clr.w   (unk_FFF154).l
                ori.w   #$80,(CANMSGBUF5).l ; 
                clr.w   (CANMSGBUF6).l
                clr.w   (CANMSGBUF6a).l
                clr.w   (CANMSGBUF6b).l
                ori.w   #$80,(CANMSGBUF6).l ; 
                clr.w   (CANMSGBUF7).l
                clr.w   (CANMSGBUF7a).l
                clr.w   (CANMSGBUF7b).l
                ori.w   #$80,(CANMSGBUF7).l ; 
                clr.w   (CANMSGBUF8).l
                clr.w   (CANMSGBUF8a).l
                clr.w   (CANMSGBUF8b).l
                ori.w   #$80,(CANMSGBUF8).l ; 
                clr.w   (CANMSGBUF9).l
                clr.w   (CANMSGBUF9a).l
                clr.w   (CANMSGBUF9b).l
                ori.w   #$80,(CANMSGBUF9).l ; 
                clr.w   (CANMSGBUF10).l
                clr.w   (CANMSGBUF10a).l
                clr.w   (CANMSGBUF10b).l
                ori.w   #$80,(CANMSGBUF10).l ; 
                clr.w   (CANMSGBUF11).l
                clr.w   (CANMSGBUF11b).l
                clr.w   (CANMSGBUF11c).l
                ori.w   #$80,(CANMSGBUF11).l ; 
                clr.w   (CANMSGBUF12).l
                clr.w   (CANMSGBUF12b).l
                clr.w   (CANMSGBUF12c).l
                ori.w   #$80,(CANMSGBUF12).l ; 
                clr.w   (CANMSGBUF13).l
                move.w  #$2000,(CANMSGBUF13b).l
                clr.w   (CANMSGBUF13c).l
                ori.w   #$40,(CANMSGBUF13).l ; 
                clr.w   (CANMSGBUF14).l
                move.w  #$1000,(CANMSGBUF14b).l
                clr.w   (CANMSGBUF14c).l
                ori.w   #$40,(CANMSGBUF14).l ; 
                clr.w   (CANMSGBUF15).l
                move.w  #$A00,(CANMSGBUF15b).l
                clr.w   (CANMSGBUF15c).l ; msg buff
                ori.w   #$40,(CANMSGBUF15).l ; 
                move.w  #$FF0F,(RXGMSKHI).l ; Receive Global Mask High
                move.w  #$FFFE,(RXGMSKLO).l ; Receive Global Mask Low
                move.w  #$FFEF,(RX14MSKHI).l
                move.w  #$FFFE,(RX14MSKLO).l
                move.w  #$FF0F,(RX15MSKHI).l
                move.w  #$FFFE,(RX15MSKLO).l
                andi.w  #$FFF8,(ESTAT).l ; Error and Status Register
                ori.w   #$E,(CANMCR).l  ; TouCAN Module Configuration Register
                move.w  #$360,(CANICR).l ; TouCAN Interrupt Register
                move.w  #$E00F,(IMASK).l ; IMASK contains two 8-bit fields, IMASKH and IMASKL. IMASK can be accessed with
                                        ; a 16-bit read or write, and IMASKH and IMASKL can be accessed with byte reads or
                                        ; writes.
                                        ; IMASK contains one interrupt mask bit per buffer. It allows the CPU32 to designate
                                        ; which buffers will generate interrupts after successful transmission/reception. Setting
                                        ; a bit in IMASK enables interrupt requests for the corresponding message buffer.
                andi.w  #$EFFF,(CANMCR).l ; TouCAN Module Configuration Register
                unlk    a6
                rts
; End of function SetupCAN

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!

Last edited by charliex; 06-20-2006 at 01:40 PM.
charliex is offline  
post #10 of 65 (permalink) Old 06-25-2006, 10:51 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
here is my version of the same routine.
vbulletin stinks for formatting!
i know... and ive never been too enthusiastic with the way ida formats the disassemblies but its still a great app for this kind of work.

anyway here is the subroutine for the 0400 frame that sends data to the cluster for anyone who wants to start working on modifying the data that goes out:

Code:
000154A2 |  S U B R O U T I N E 
000154A2 
000154A2 							| Attributes: bp-based frame
000154A2 
000154A2 sendCANframe400:                       		| CODE XREF: sub_0001AC0E+198p
000154A2 
000154A2 arg_0           =  8
000154A2 
000154A2                 link    a6, #-0xC
000154A6                 movem.l a2-a3, (sp)
000154AA                 movea.l arg_0(a6), a3
000154AE                 movea.l #0xFFF146, a2   		| a2=ptr=data byte 0
000154B4                 move.w  #0x88, (unk_00FFF140).l | '' 	| set buffer to hold
000154BC                 move.w  #-0x8000, (unk_00FFF142).l 	| set can frame ID to 0400
000154C4                 move.w  (a3), (a2)+     		| data byte 0,1 speed
000154C6                 move.w  2(a3), (a2)+    		| data byte 2,3 tach rpm
000154CA                 move.b  4(a3), (a2)+    		| data byte 4 fuel
000154CE                 move.b  5(a3), (a2)+    		| data byte 5 temp
000154D2                 move.b  6(a3), (a2)+    		| data byte 6 MIL
000154D6                 move.b  7(a3), (a2)     		| data byte 7  ???
000154DA                 move.w  #0xC8, (unk_00FFF140).l | '+' 	| send can frame
000154E2                 movem.l (sp), a2-a3
000154E6                 unlk    a6
000154E8                 rts     
000154E8 
000154E8 							| End of function sendCANframe400
000154E8

on another note, if anyone has their ecu out and opened, it would be quite helpful if they could take a couple of high res pics of the board so that the circuit paths can be traced from the microcontroller to the various peripherals. this will allow a peripheral register map to be built that will tell what registers correspond to physical outputs on the ecu. pics should be high enough resolution to discern the individual traces on the board.
rob13572468 is offline  
post #11 of 65 (permalink) Old 06-25-2006, 11:04 AM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Here is mine from the newer firmware, its at 0x15422

this routine just writes out what its told, it doesn't build the message

Code:
Write2CAN:                              ; CODE XREF: sub_1AB8E+198p
msg             =  8
                link    a6,#-$C
                movem.l a2-a3,(sp)
                movea.l msg(a6),a3
                movea.l #CANMSGBUF4e,a2
                move.w  #$88,(CANMSGBUF4).l ; ''
                move.w  #$8000,(CAMMSGBUF4b).l
                move.w  (a3),(a2)+
                move.w  2(a3),(a2)+
                move.b  4(a3),(a2)+
                move.b  5(a3),(a2)+
                move.b  6(a3),(a2)+
                move.b  7(a3),(a2)
                move.w  #200,(CANMSGBUF4).l
                movem.l (sp),a2-a3
                unlk    a6
                rts
; End of function Write2CAN

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
post #12 of 65 (permalink) Old 06-25-2006, 11:57 AM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
Quote:
Originally Posted by rob13572468
on another note, if anyone has their ecu out and opened, it would be quite helpful if they could take a couple of high res pics of the board so that the circuit paths can be traced from the microcontroller to the various peripherals. this will allow a peripheral register map to be built that will tell what registers correspond to physical outputs on the ecu. pics should be high enough resolution to discern the individual traces on the board.
Here you go Rob. I have higher res if you need.
Attached Images
   
scottyb is offline  
post #13 of 65 (permalink) Old 06-25-2006, 12:54 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
Here is mine from the newer firmware, its at 0x15422

this routine just writes out what its told, it doesn't build the message

Code:
Write2CAN:                              ; CODE XREF: sub_1AB8E+198p
msg             =  8
                link    a6,#-$C
                movem.l a2-a3,(sp)
                movea.l msg(a6),a3
                movea.l #CANMSGBUF4e,a2
                move.w  #$88,(CANMSGBUF4).l ; ''
                move.w  #$8000,(CAMMSGBUF4b).l
                move.w  (a3),(a2)+
                move.w  2(a3),(a2)+
                move.b  4(a3),(a2)+
                move.b  5(a3),(a2)+
                move.b  6(a3),(a2)+
                move.b  7(a3),(a2)
                move.w  #200,(CANMSGBUF4).l
                movem.l (sp),a2-a3
                unlk    a6
                rts
; End of function Write2CAN
its a little bit more specific: while the routine moves data from the array pointed by a3, this routine only sends out 0400 frames; you can see this when you look at the move.w #$8000,(CAMMSGBUF4b).l instruction... if you bit shift the 8000 over 5 bits to remove the rtr and reserved bits you get 0400.

at any rate one can patch the routine just before the transmit bits are set to do whatever is desired; a good example would be to do the speed correction that i believe groundloop talked about but instead of building a device that sits on the bus it can be done with a few lines of code.
rob13572468 is offline  
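Added example (not from any poster in this thread): a Python decoder for the TouCAN message-buffer words that appear in the listings above, covering the CODE/LENGTH nibbles, the shift-by-5 ID_HIGH decoding rob13572468 describes, and the 0400 payload layout from his comments. The big-endian 16-bit reading of speed and tach, the function and field names, and the sample buffer bytes are assumptions constructed for illustration; all values are raw and unscaled.

```python
import struct
from dataclasses import dataclass

# CODE nibble values that appear in the listings above (ori.w #$40, #$80;
# move.w #$88 "hold", #$C8 "send"). Other codes are reported as "other".
MB_CODE_NAMES = {
    0x4: "RX empty (armed for receive)",
    0x8: "TX inactive (hold)",
    0xC: "TX send",
}

# ID_HIGH words written to buffers 13-15 in the setup routine quoted above.
SETUP_ID_HIGH = {13: 0x2000, 14: 0x1000, 15: 0x0A00}

# Constructed sample: a 16-byte image of buffer 4 as the send routine leaves it
# (control/status $00C8, ID_HIGH $8000, ID_LOW 0, 8 data bytes, 2 unused bytes).
SAMPLE_BUFFER_4 = bytes.fromhex("00C8 8000 0000 003C 0BB8 80 5A 00 00 0000")


@dataclass
class MessageBuffer:
    timestamp: int  # control/status bits 15:8
    code: int       # control/status bits 7:4
    length: int     # control/status bits 3:0
    can_id: int     # 11-bit standard identifier
    rtr: bool       # remote transmission request bit
    data: bytes     # payload, truncated to `length`

    @property
    def code_name(self) -> str:
        return MB_CODE_NAMES.get(self.code, "other (0x%X)" % self.code)


def decode_id_high(word: int):
    """Split an ID_HIGH word into (11-bit ID, RTR): ID in bits 15:5, RTR in bit 4."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("ID_HIGH is a 16-bit word")
    return (word >> 5) & 0x7FF, bool(word & 0x10)


def decode_message_buffer(raw: bytes) -> MessageBuffer:
    """Decode one 16-byte buffer image, big-endian as the CPU32 stores it."""
    if len(raw) != 16:
        raise ValueError("a message buffer is 16 bytes, got %d" % len(raw))
    constat, id_high, _id_low = struct.unpack(">HHH", raw[:6])
    length = constat & 0x0F
    if length > 8:
        raise ValueError("length field %d exceeds 8 data bytes" % length)
    can_id, rtr = decode_id_high(id_high)
    return MessageBuffer(constat >> 8, (constat >> 4) & 0x0F, length,
                         can_id, rtr, raw[6:6 + length])


def decode_frame_400(data: bytes) -> dict:
    """Split the 8 data bytes using the byte positions annotated in the thread."""
    if len(data) != 8:
        raise ValueError("the 0400 frame carries 8 data bytes, got %d" % len(data))
    speed, tach, fuel, temp, mil, unknown = struct.unpack(">HHBBBB", data)
    return {"speed_raw": speed, "tach_raw": tach, "fuel_raw": fuel,
            "temp_raw": temp, "mil_raw": mil, "byte7_unknown": unknown}


def setup_receive_ids() -> dict:
    """CAN IDs that buffers 13-15 are armed for, derived from SETUP_ID_HIGH."""
    return {buf: decode_id_high(word)[0] for buf, word in SETUP_ID_HIGH.items()}


if __name__ == "__main__":
    mb = decode_message_buffer(SAMPLE_BUFFER_4)
    print("buffer 4: id=0x%03X code=%s len=%d" % (mb.can_id, mb.code_name, mb.length))
    print(decode_frame_400(mb.data))
    for buf, can_id in setup_receive_ids().items():
        print("buffer %d receives id 0x%03X" % (buf, can_id))
```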
post #14 of 65 (permalink) Old 06-25-2006, 01:07 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by rob13572468
its a little bit more specific: while the routine moves data from the array pointed by a3, this routine only sends out 0400 frames; you can see this when you look at the move.w #$8000,(CAMMSGBUF4b).l instruction... if you bit shift the 8000 over 5 bits to remove the rtr and reserved bits you get 0400.

at any rate one can patch the routine just before the transmit bits are set to do whatever is desired; a good example would be to do the speed correction that i believe groundloop talked about but instead of building a device that sits on the bus it can be done with a few lines of code.
Right, it's called via an exception, but the routine itself is basically just copying the prebuilt 'string' to the CAN controller and embedding the ID, the working out of the data that's actually sent is elsewhere, the routine by itself isn't terribly useful.

in the later version of the firmware you want 0x1AB8E, in yours i believe it'll be around 100bytes or so within that.

Code:
ROM:0001AC32                          CalcFuelTank:                           ; CODE XREF: HandleCANCluster+9Cj
ROM:0001AC32 7000                                     moveq   #0,d0           ; Move Quick
ROM:0001AC34 1004                                     move.b  d4,d0           ; Move Data from Source to Destination
ROM:0001AC36 7200                                     moveq   #0,d1           ; Move Quick
ROM:0001AC38 1203                                     move.b  d3,d1           ; Move Data from Source to Destination
ROM:0001AC3A 9041                                     sub.w   d1,d0           ; Subtract
ROM:0001AC3C 7200                                     moveq   #0,d1           ; Move Quick
ROM:0001AC3E 1215                                     move.b  (a5),d1         ; Move Data from Source to Destination
ROM:0001AC40 7C00                                     moveq   #0,d6           ; Move Quick
ROM:0001AC42 1C03                                     move.b  d3,d6           ; Move Data from Source to Destination
ROM:0001AC44 9246                                     sub.w   d6,d1           ; Subtract
ROM:0001AC46 3C01                                     move.w  d1,d6           ; Move Data from Source to Destination
ROM:0001AC48 E149                                     lsl.w   #8,d1           ; Logical Shift Left
ROM:0001AC4A 9246                                     sub.w   d6,d1           ; Subtract
ROM:0001AC4C 4841                                     swap    d1              ; Swap Register Halves
ROM:0001AC4E 4241                                     clr.w   d1              ; Clear an Operand
ROM:0001AC50 4841                                     swap    d1              ; Swap Register Halves
ROM:0001AC52 82C0                                     divu.w  d0,d1           ; Unsigned Divide
ROM:0001AC54 1681                                     move.b  d1,(a3)         ; Move Data from Source to Destination
this is part of that routine, calculating the fuel tank amount. Just after that is the speed, but it either uses the value that's precalculated in the main ecu loop, or pulls from a separate table, I'd insert the code jump into that routine and apply the correction factor there, if memory serves it's off by around 10%?

more useful would be to know what the correction factor needed to be, it'd be easy to add the code for it then, if its not linear we can precalculate the table and do a tblu for the corrected value, cutting down the code needed.

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
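Added example (not code from the thread): a Python re-statement of the CalcFuelTank fragment above that keeps the 16-bit word arithmetic of each instruction, so out-of-range inputs wrap the way the listing would. Reading d3 and d4 as lower and upper calibration bounds and the byte at (a5) as the raw sender reading is an assumption; the function and parameter names are invented for illustration, and any range check the firmware performs before this fragment is not visible in the listing.

```python
WORD = 0xFFFF


def calc_fuel_tank(d3: int, d4: int, a5_byte: int) -> int:
    """Return the byte the fragment stores to (a3)."""
    for name, value in (("d3", d3), ("d4", d4), ("a5_byte", a5_byte)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} is loaded with move.b, so it must fit in a byte")

    d0 = (d4 - d3) & WORD        # moveq #0 / move.b d4,d0 / sub.w d1,d0
    d1 = (a5_byte - d3) & WORD   # moveq #0 / move.b (a5),d1 / sub.w d6,d1
    d6 = d1                      # move.w d1,d6
    d1 = (d1 << 8) & WORD        # lsl.w #8,d1
    d1 = (d1 - d6) & WORD        # sub.w d6,d1 -> d1 * 255 modulo 2**16
    # swap / clr.w / swap zeroes the upper word, so divu.w sees a 16-bit dividend.
    if d0 == 0:
        # On the CPU32 a zero divisor raises the divide-by-zero exception.
        raise ZeroDivisionError("divu.w with d0 == 0")
    quotient = d1 // d0          # divu.w d0,d1 (quotient lands in the low word)
    return quotient & 0xFF       # move.b d1,(a3)


def ideal_scale(lo: int, hi: int, raw: int) -> int:
    """The same scaling done in unbounded integers and clamped to 0..255."""
    return max(0, min(255, (raw - lo) * 255 // (hi - lo)))


def compare(lo: int, hi: int, readings):
    """List (raw, emulated, ideal) so wrap-around cases stand out."""
    return [(raw, calc_fuel_tank(lo, hi, raw), ideal_scale(lo, hi, raw))
            for raw in readings]


if __name__ == "__main__":
    # Constructed calibration bounds and readings, not values from the ECU.
    for raw, emulated, ideal in compare(20, 220, [10, 20, 120, 220, 250]):
        flag = "" if emulated == ideal else "  <- differs outside lo..hi"
        print(f"raw={raw:3d} emulated={emulated:3d} ideal={ideal:3d}{flag}")
```

Inside the lo..hi range the fragment is a plain 0..255 rescale; outside it the word-sized subtract and the byte-sized store produce wrapped values, which is worth keeping in mind when reading the code around the fragment.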
post #15 of 65 (permalink) Old 06-25-2006, 01:14 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by scottyb
Here you go Rob. I have higher res if you need.
if you could go higher it would be really helpful; ideally it would be nice to have direct top down shots with the part numbers on the chips visible; also a shot of the bottom of the board is needed. this will allow mapping from the connector pins to (for instance) the driver transistors to the ecu peripheral pins. then the disassembly can be annotated to show which port registers and thus which routines control what functions (e.g. changing the cam switchover, etc.)

depending on your camera resolution, you might need to take 4 individual shots of the board surface to get the necessary detail.
rob13572468 is offline  
post #16 of 65 (permalink) Old 06-25-2006, 01:54 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
Right, it's called via an exception, but the routine itself is basically just copying the prebuilt 'string' to the CAN controller and embedding the ID, the working out of the data that's actually sent is elsewhere, the routine by itself isn't terribly useful.

in the later version of the firmware you want 0x1AB8E, in yours i believe it'll be around 100bytes or so within that.

Code:
ROM:0001AC32                          CalcFuelTank:                           ; CODE XREF: HandleCANCluster+9Cj
ROM:0001AC32 7000                                     moveq   #0,d0           ; Move Quick
ROM:0001AC34 1004                                     move.b  d4,d0           ; Move Data from Source to Destination
ROM:0001AC36 7200                                     moveq   #0,d1           ; Move Quick
ROM:0001AC38 1203                                     move.b  d3,d1           ; Move Data from Source to Destination
ROM:0001AC3A 9041                                     sub.w   d1,d0           ; Subtract
ROM:0001AC3C 7200                                     moveq   #0,d1           ; Move Quick
ROM:0001AC3E 1215                                     move.b  (a5),d1         ; Move Data from Source to Destination
ROM:0001AC40 7C00                                     moveq   #0,d6           ; Move Quick
ROM:0001AC42 1C03                                     move.b  d3,d6           ; Move Data from Source to Destination
ROM:0001AC44 9246                                     sub.w   d6,d1           ; Subtract
ROM:0001AC46 3C01                                     move.w  d1,d6           ; Move Data from Source to Destination
ROM:0001AC48 E149                                     lsl.w   #8,d1           ; Logical Shift Left
ROM:0001AC4A 9246                                     sub.w   d6,d1           ; Subtract
ROM:0001AC4C 4841                                     swap    d1              ; Swap Register Halves
ROM:0001AC4E 4241                                     clr.w   d1              ; Clear an Operand
ROM:0001AC50 4841                                     swap    d1              ; Swap Register Halves
ROM:0001AC52 82C0                                     divu.w  d0,d1           ; Unsigned Divide
ROM:0001AC54 1681                                     move.b  d1,(a3)         ; Move Data from Source to Destination
this is part of that routine, calculating the fuel tank amount. Just after that is the speed, but it either uses the value that's precalculated in the main ecu loop, or pulls from a separate table, I'd insert the code jump into that routine and apply the correction factor there, if memory serves it's off by around 10%?

more useful would be to know what the correction factor needed to be, it'd be easy to add the code for it then, if its not linear we can precalculate the table and do a tblu for the corrected value, cutting down the code needed.
nice job finding the setup routines... i hadnt even looked at those yet. i get the feeling its just going to be the three of us; hopefully a few more will pop in to help out.
rob13572468 is offline  
post #17 of 65 (permalink) Old 06-25-2006, 02:07 PM
Registered User
 
nvrblu's Avatar
 
Join Date: Jan 2006
Location: Mesa, AZ
Posts: 3,393
Quote:
Originally Posted by scottyb
Our Processor for 05 ECU is Motorola 68376BGVFT25.

Most programs will show the series as Motorola 68330 series processor.
Motorola spun-off its semiconductor business as a new company about 2 years ago -- Freescale Semiconductor, Inc. That's my employer. I spent some time in the past year transferring ROM processing software from an external contractor back into the company. We used to do a lot of mask programmed parts a long time ago. The ROM processing software is primarily used for field programmable parts now.

Cool to see Freescale parts used in my car
nvrblu is offline  
post #18 of 65 (permalink) Old 06-25-2006, 02:07 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
I hit the maximum post length

this is the bootstrap code.

Code:
bootstrap:                              ; CODE XREF: ROM:0000052Ej
                                        ; DATA XREF: ROM:off_4o
                movea.l #TOPRAM,sp      ; stack ptr
                movea.l #TOPRAM,a0      ; stack ptr
                move    a0,usp          ; Move Data from Source to Destination
                movea.l #0,a0           ; Move Address
                movec   a0,vbr          ; Move Control Register
                move.w  #$FF,(RAMBAH).l ; ram base address register high
                move.w  #$E000,(RAMBAL).l ; ram base address register low
                move.w  (RAMMCR).l,d0   ; RAMMCR - RAM Module Configuration Register
                bclr    #$F,d0          ; Test a Bit and Clear
                bclr    #8,d0           ; Test a Bit and Clear
                bset    #9,d0           ; Test a Bit and Set
                bset    #$B,d0          ; Test a Bit and Set
                move.w  d0,(RAMMCR).l   ; RAMMCR - RAM Module Configuration Register
                move.w  #$FFD0,(TRAMBAR).l ; TRAMBAR - TPURAM Base Address and Status Register $YFFB04
                                        ; Bit:   15 14 13 12 11 10  9  8  7  6  5  4 | 3 2 1 | 0
                                        ; Field: ADDR23 .. ADDR12                    | 0 0 0 | RAMDS
                                        ; RESET: 0000000000000000
                                        ; ADDR[23:11] - TPURAM Array Base Address
                                        ; These bits specify ADDR[23:12] of the base address of the TPURAM array when
                                        ; enabled. The 3.5-Kbyte array resides at the lower end of the 4-Kbyte page into which
                                        ; it is mapped.
                                        ; RAMDS - RAM Array Disable
                                        ; 0 = RAM array is enabled.
                                        ; 1 = RAM array is disabled.
                                        ; RAMDS indicates whether the TPURAM is active or disabled. The array is disabled at
                                        ; reset. Writing a valid base address into TRAMBAR clears the RAMDS bit and enables
                                        ; the array.
                                        ;
                move.w  (SIMMCR).l,d0   ; sim module configuration register
                bclr    #$D,d0          ; Test a Bit and Clear
                move.w  d0,(SIMMCR).l   ; sim module configuration register
                move.w  (SYNCR).l,d0    ; clock synthesizer control
                andi.w  #$7F,d0         ; AND Immediate
                ori.w   #$D300,d0       ; Inclusive-OR
                move.w  d0,(SYNCR).l    ; clock synthesizer control
                movea.l #0,a6           ; Move Address
                jsr     (CheckforColdBootAndSetup).l ; This routine determines if the ECU has cold booted, or reset from a software watchdog.
                                        ; if so it will either just jump straight to RAM and execute that code, or it'll copy up the new routines and the learn tables etc.
                                        ;
                move.l  #0,-(sp)        ; shouldn't get to here
                move.l  #0,-(sp)        ; Move Data from Source to Destination
infiniteLoop1:                          ; CODE XREF: ROM:0000048Aj
                nop                     ; No Operation
                bra.s   infiniteLoop1   ; Branch Always

; =============== S U B R O U T I N E =======================================
; this is an odd routine, it loads up looking to copy, but never does
; then clears 4 bytes at 0x80000
;
; doesn't call watchdog in copy
; clear is short
clearWorkRam4:                          ; CODE XREF: Set_CS_OptionsEtc+10Ep
                movem.l a0-a1,-(sp)     ; Move Multiple Registers
                movea.l #workram,a0     ; target
                movea.l #byte_3F40,a1   ; source
                bra.s   skipstart       ; Always equal
; ---------------------------------------------------------------------------
innercopy:                              ; CODE XREF: clearWorkRam4+1Aj
                move.b  (a1)+,(a0)+     ; Move Data from Source to Destination
skipstart:                              ; CODE XREF: clearWorkRam4+10j
                cmpa.l  #byte_3F40,a1   ; Always equal
                bcs.s   innercopy       ; Branch if Carry Set
                move.l  #dword_80004,d0 ; end segment
                movea.l #workram,a0     ; start (target)
                sub.l   a0,d0           ; calculate length
                bra.s   skipstart1      ; handle big loops
; ---------------------------------------------------------------------------
outerclear:                             ; CODE XREF: clearWorkRam4+36j
                swap    d0              ; Swap Register Halves
inncerclear:                            ; CODE XREF: clearWorkRam4:skipstart1j
                clr.b   (a0)+           ; clear one byte of memory at a0
skipstart1:                             ; CODE XREF: clearWorkRam4+2Aj
                dbf     d0,inncerclear  ; handle big loops
                swap    d0              ; Swap Register Halves
                dbf     d0,outerclear   ; If False Decrement and Branch
                movem.l (sp)+,a0-a1     ; Move Multiple Registers
                rts                     ; Return from Subroutine
; End of function clearWorkRam4
; ---------------------------------------------------------------------------
nullexcpt:                              ; DATA XREF: ROM:off_24o
                bgnd                    ; Enter Background Mode
                rte                     ; Return from Exception
; ---------------------------------------------------------------------------
nullexcpt1:                             ; DATA XREF: ROM:off_8o ROM:off_Co ...
                bgnd                    ; Enter Background Mode
                rte                     ; Return from Exception
; ---------------------------------------------------------------------------
nullexcept2:                            ; Enter Background Mode
                bgnd
                rte                     ; Return from Exception

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
post #19 of 65 (permalink) Old 06-25-2006, 02:08 PM
OSX Black hat
 
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
part 2
Code:
---------------------------------------------------------------------------
rebootException:                        ; Move Multiple Registers
                movem.l d0,-(sp)
                move.w  $A(sp),d0       ; Move Data from Source to Destination
                move.w  d0,(word_83F00).l ; Move Data from Source to Destination
                move.l  $C(sp),(off_83F08).l ; Move Data from Source to Destination
                move.w  4(sp),(word_83F02).l ; Move Data from Source to Destination
                move.l  6(sp),(word_83F04).l ; Move Data from Source to Destination
                move.w  $12(sp),(word_83F0C).l ; Move Data from Source to Destination
                andi.l  #$FFF,d0        ; AND Immediate
                lsr.w   #2,d0           ; Logical Shift Right
                cmpi.b  #2,d0           ; Compare Immediate
                beq.s   loc_526         ; Branch if Equal
                cmpi.b  #3,d0           ; Compare Immediate
                beq.s   loc_526         ; Branch if Equal
                cmpi.b  #$E,d0          ; Compare Immediate
                beq.s   loc_526         ; Branch if Equal
                movem.l (sp)+,d0        ; Move Multiple Registers
                rte                     ; Return from Exception
; ---------------------------------------------------------------------------
loc_526:                                ; CODE XREF: ROM:00000512j
                                        ; ROM:00000518j ...
                movem.l (sp)+,d0        ; Move Multiple Registers
                ori     #$700,sr        ; Inclusive-OR
                bra.w   bootstrap       ; Branch Always
 
; =============== S U B R O U T I N E =======================================
; this routine tells the hardware watchdog that everything is OK and the CPU hasn't locked or crashed
;
; Reset software watchdog
; Attributes: bp-based frame
IAmAlive:                               ; CODE XREF: memcpy_withwatchdog:inncercpyp
                                        ; DATA XREF: Set_CS_OptionsEtc+6o ...
                link    a6,#0           ; Link and Allocate
                move.b  #$55,(SWSR).l   ; watchdog software service register
                                        ; SWSR - Software Watchdog Service Register $YFFA27
                                        ; bits 15-8: NOT USED
                                        ; bits 7-0:  0 0 0 0 0 0 0 0   (register shown with read value)
                                        ; RESET:     0 0 0 0 0 0 0 0
                                        ; To reset the software watchdog:
                                        ; 1. Write $55 to SWSR.
                                        ; 2. Write $AA to SWSR.
                                        ; Both writes must occur in the order specified before the software watchdog times out,
                                        ; but any number of instructions can occur between the two writes.
                move.b  #$AA,(SWSR).l   ; watchdog software service register
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine
; End of function IAmAlive
 
; =============== S U B R O U T I N E =======================================
; setup chip
; copy 3f40 to 80000 or just clear 80004
; handle chip base selects etc.
; Attributes: bp-based frame
Set_CS_OptionsEtc:                      ; CODE XREF: CheckforColdBootAndSetup+14p
                link    a6,#-4          ; Link and Allocate
                move.l  a2,(sp)         ; Move Data from Source to Destination
                lea     (IAmAlive).l,a2 ; this routine tells the hardware watchdog that everything is OK and the CPU hasn't locked or crashed
                                        ;
                                        ; Reset software watchdog
                move.w  #$AF,(CSPAR0).l ; '' ; chip select pin assignment register 0
                move.w  #1,(CSPAR1).l   ; chip select pin assignment register 1
                move.b  #$10,(PORTC).l  ; port c data register
                move.b  #0,(PEPAR).l    ; port e pin assignment register
                move.b  #0,(DDRE).l     ; port e data direction register
                move.b  #0,(PFPAR).l    ; port f pin assignment register
                move.b  #5,(DDRF).l     ; port f data direction register
                move.b  #0,(PORTF).l    ; port f data register
                                        ; PORTF is an internal data latch that can be accessed at two locations. It can be read
                                        ; or written at any time. If a port F I/O pin is configured as an output, the corresponding
                                        ; bit value is driven out on the pin. When a pin is configured as an output, a read of
                                        ; PORTF returns the latched bit value; when a pin is configured as an input, a read
                                        ; returns the pin logic level.
                move.w  #5,(CSBARBT).l  ; D.2.18 Chip-Select Base Address Register Boot ROM
                                        ; CSBARBT - Chip-Select Base Address Register Boot ROM $YFFA48
                                        ; bits 15-3: ADDR[23:11]
                                        ; bits 2-0:  BLKSZ[2:0]
                                        ; RESET:     0000 0000 0000 0111
                move.w  #$6BB0,(CSORBT).l ; CSBOOT option register
                                        ; CSORBT - Chip-Select Option Register Boot ROM $YFFA4A
                                        ; bit 15: MODE, bits 14-13: BYTE[1:0], bits 12-11: R/W[1:0], bit 10: STRB,
                                        ; bits 9-6: DSACK[3:0], bits 5-4: SPACE[1:0], bits 3-1: IPL[2:0], bit 0: AVEC
                                        ; RESET:  0111 1011 0111 0000
                move.w  #5,(CSBAR0).l   ; chip select 0 base address register
                move.w  #$1030,(CSOR0).l ; chip select 0 option register
                move.w  #$806,(CSBAR1).l ; chip select 1 base address register
                move.w  #$7030,(CSOR1).l ; chip select 1 option register
loc_5C6:                                ; chip select 2 base address register
                move.w  #$806,(CSBAR2).l
                move.w  #$6830,(CSOR2).l ; chip select 2 option register
                move.w  #$FFF8,(CSBAR3).l ; setup all the base registers to FFF800
                move.w  #0,(CSOR3).l    ; chip select 3 option register
                move.w  #$FFF8,(CSBAR4).l ; chip select 4 base address register
                move.w  #0,(CSOR4).l    ; chip select 4 option register
                move.w  #$FFF8,(CSBAR5).l ; chip select 5 base address register
                move.w  #0,(CSOR5).l    ; chip select 5 option register
                move.w  #$FFF8,(CSBAR6).l ; chip select 6 base address register
                move.w  #0,(CSOR6).l    ; chip select 6 option register
                move.w  #$FFF8,(CSBAR7).l ; chip select 7 base address register
                move.w  #0,(CSOR7).l    ; chip select 7 option register
                move.w  #$FFF8,(CSBAR8).l ; chip select 8 base address register
                move.w  #0,(CSOR8).l    ; chip select 8 option register
                move.w  #$FFF8,(CSBAR9).l ; chip select 9 base address register
loc_63E:                                ; chip select 9 option register
                move.w  #0,(CSOR9).l
                move.w  #$FFF8,(CSBAR10).l ; chip select 10 base address register
                move.w  #$7881,(CSOR10).l ; chip select 10 option register
                jsr     (a2)            ; call i'm alive
                jsr     (clearWorkRam4).l ; this is an odd routine, it loads up looking to copy, but never does
                                        ; then clears 4 bytes at 0x80000
                                        ;
                                        ; doesn't call watchdog in copy
                                        ; clear is short
                jsr     (a2)            ; call I Am Alive
                jsr     (setupQSMIntVecLevel).l ; Setup QILR, QIVR,QMCR,SCCR1,SCSR
                jsr     (a2)            ; call i am alive
                movea.l (sp),a2         ; Move Address
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine
; End of function Set_CS_OptionsEtc
 
; =============== S U B R O U T I N E =======================================
; copy from src to dest and poll watchdog after every byte copied
; Attributes: bp-based frame
memcpy_withwatchdog:                    ; CODE XREF: CheckforColdBootAndSetup+30p
dest            =  8
src             =  $C
length          =  $10
                link    a6,#-8          ; Link and Allocate
                movem.l a2-a3,(sp)      ; Move Multiple Registers
                movea.l dest(a6),a2     ; Move Address
                movea.l src(a6),a3      ; Move Address
                bra.s   skipstart       ; Branch Always
; ---------------------------------------------------------------------------
inncercpy:                              ; CODE XREF: memcpy_withwatchdog+22j
                bsr.w   IAmAlive        ; this routine tells the hardware watchdog that everything is OK and the CPU hasn't locked or crashed
                                        ;
                                        ; Reset software watchdog
                move.b  (a3)+,(a2)+     ; Move Data from Source to Destination
skipstart:                              ; CODE XREF: memcpy_withwatchdog+10j
                move.l  length(a6),d0   ; Move Data from Source to Destination
                subq.l  #1,length(a6)   ; Subtract Quick
                tst.l   d0              ; Test an Operand
                bne.s   inncercpy       ; Branch if Not Equal
                movem.l (sp),a2-a3      ; Move Multiple Registers
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine
; End of function memcpy_withwatchdog
 
; =============== S U B R O U T I N E =======================================
; This routine determines if the ECU has cold booted, or reset from a software watchdog.
; if so it will either just jump straight to RAM and execute that code, or it'll copy up the new routines and the learn tables etc.
;
; Attributes: bp-based frame
CheckforColdBootAndSetup:               ; CODE XREF: ROM:00000476p
; FUNCTION CHUNK AT ROM:000006E0 SIZE 00000002 BYTES
; FUNCTION CHUNK AT ROM:00008400 SIZE 00000090 BYTES
; FUNCTION CHUNK AT ROM:00084000 SIZE 0000076C BYTES
                link    a6,#-8          ; Link and Allocate
                lea     (IAmAlive).l,a2 ; this routine tells the hardware watchdog that everything is OK and the CPU hasn't locked or crashed
                                        ;
                                        ; Reset software watchdog
                btst    #1,(PORTF).l    ; port f data register (this is a latch)
                                        ; cold/warm boot test
                                        ;
                bne.s   AlreadySetupJustGO ; skip to here to bypass all the setup code, data is already in RAM
                                        ; call watchdog
                                        ;
                                        ;
                bsr.w   Set_CS_OptionsEtc ; setup chip
                                        ; copy 3f40 to 80000 or just clear 80004
                                        ; handle chip base selects etc.
                jsr     (a2)            ; call i'm alive
                jsr     (a2)            ; call i'm alive
                move.l  #loc_374A,d0    ; Move Data from Source to Destination
                move.l  d0,(sp)         ; Move Data from Source to Destination
                pea     (ECUMain2).l    ; load up the base program
                pea     (targmem84K).l  ; where to copy it to in RAM
                bsr.s   memcpy_withwatchdog ; copy from src to dest and poll watchdog after every byte copied
                addq.l  #8,sp           ; Add Quick
                jsr     (a2)            ; call i'm alive
                jmp     targmem84K      ; "T420F01  05-04-2004 11:26       "
; ---------------------------------------------------------------------------
                bra.s   infiniteLoop    ; if it somehow got here, it'd jump to an infinite loop in cupertino
; ---------------------------------------------------------------------------
AlreadySetupJustGO:                     ; CODE XREF: CheckforColdBootAndSetup+12j
                jsr     (a2)            ; skip to here to bypass all the setup code, data is already in RAM
                                        ; call watchdog
                                        ;
                                        ;
                jmp     loc_8400        ; Jump to the code that was just copied from main2
                                        ; or code already existing
; End of function CheckforColdBootAndSetup

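The CSBARn/CSORn constants written by Set_CS_OptionsEtc in the listing above decode into external address windows; the C program below is an added example, not part of the original post or of the ECU code, that performs that decoding. The BLKSZ size table and the BYTE and R/W field meanings are assumptions taken from the MC68336/376 SIM register description and should be checked against the manual; `cs_decode`, `cs_lookup` and the struct names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* BLKSZ[2:0] -> block size in bytes. Assumption: MC68336/376 SIM encoding
 * (2K, 8K, 16K, 64K, 128K, 256K, 512K, 1M); verify against the manual. */
static const uint32_t BLKSZ_BYTES[8] = {
    0x000800, 0x002000, 0x004000, 0x010000,
    0x020000, 0x040000, 0x080000, 0x100000
};

/* Assumed meanings of R/W[1:0] (CSOR bits 12-11). */
static const char *const RW_NAME[4] = {
    "reserved", "read-only", "write-only", "read/write"
};

typedef struct {
    uint32_t base;      /* first address the chip select responds to */
    uint32_t size;      /* window length in bytes */
    unsigned byte_sel;  /* BYTE[1:0] (CSOR bits 14-13); 0 = disabled */
    unsigned rw;        /* R/W[1:0] */
    int      enabled;
} cs_window;

cs_window cs_decode(uint16_t csbar, uint16_t csor)
{
    cs_window w;
    w.size = BLKSZ_BYTES[csbar & 0x7u];
    /* CSBAR bits 15-3 hold ADDR[23:11]; shifting left by 8 puts them back on
     * address lines 23-11. Lines below the block size are not compared. */
    w.base = ((uint32_t)(csbar & 0xFFF8u) << 8) & ~(w.size - 1u);
    w.byte_sel = (csor >> 13) & 0x3u;
    w.rw = (csor >> 11) & 0x3u;
    w.enabled = (w.byte_sel != 0);
    return w;
}

/* Register values copied from the Set_CS_OptionsEtc listing. */
static const struct { const char *name; uint16_t csbar, csor; } CS_WRITES[] = {
    { "CSBOOT", 0x0005, 0x6BB0 }, { "CS0",  0x0005, 0x1030 },
    { "CS1",    0x0806, 0x7030 }, { "CS2",  0x0806, 0x6830 },
    { "CS3",    0xFFF8, 0x0000 }, { "CS4",  0xFFF8, 0x0000 },
    { "CS5",    0xFFF8, 0x0000 }, { "CS6",  0xFFF8, 0x0000 },
    { "CS7",    0xFFF8, 0x0000 }, { "CS8",  0xFFF8, 0x0000 },
    { "CS9",    0xFFF8, 0x0000 }, { "CS10", 0xFFF8, 0x7881 },
};
#define CS_COUNT ((int)(sizeof CS_WRITES / sizeof CS_WRITES[0]))

/* Index of the first enabled chip select whose window contains addr, or -1.
 * On-chip modules (internal RAM, TPURAM, registers) are not chip selects and
 * are therefore not reported here. */
int cs_lookup(uint32_t addr)
{
    for (int i = 0; i < CS_COUNT; i++) {
        cs_window w = cs_decode(CS_WRITES[i].csbar, CS_WRITES[i].csor);
        if (w.enabled && addr >= w.base && addr - w.base < w.size)
            return i;
    }
    return -1;
}

int main(void)
{
    for (int i = 0; i < CS_COUNT; i++) {
        cs_window w = cs_decode(CS_WRITES[i].csbar, CS_WRITES[i].csor);
        if (!w.enabled) {
            printf("%-6s disabled (BYTE=00)\n", CS_WRITES[i].name);
            continue;
        }
        printf("%-6s $%06lX-$%06lX  %s\n", CS_WRITES[i].name,
               (unsigned long)w.base,
               (unsigned long)(w.base + w.size - 1u),
               RW_NAME[w.rw]);
    }
    return 0;
}
```

Under these assumptions CS1 and CS2 decode to the same 512 KB window starting at $080000, one write-only and one read-only, which contains the $80000 work RAM address that clearWorkRam4 clears.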
post #20 of 65 (permalink) Old 06-25-2006, 02:09 PM
OSX Black hat
 
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Part III

Code:
setupQSMIntVecLevel:                    ; CODE XREF: Set_CS_OptionsEtc+116p
                                        ; sub_8854A+116p
                link    a6,#0           ; Link and Allocate
                move.b  #%1010101,(QILR).l ; qsm interrupt level register
                move.b  #%1000000,(QIVR).l ; qsm interrupt vector register
                move.w  #%10000001,(QMCR).l ; use full 32-bit address for sign extended addresses

loc_6FE:                                ; sci control register 0
                move.w  #%1000001,(SCCR0).l

loc_706:                                ; sc control 1 register
                ori.w   #4,(SCCR1).l
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine

; End of function setupQSMIntVecLevel


; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

sub_712:                                ; CODE XREF: ROM:000007A6p

arg_0           =  8
arg_4           =  $C

                link    a6,#-$16        ; Link and Allocate
                movem.l d2-d3/a2-a3,(sp) ; Move Multiple Registers
                movea.l arg_0(a6),a2    ; Move Address
                lea     (IAmAlive).l,a3 ; this routine tells the hardware watchdog that everything is OK and the CPU hasn't locked or crashed
                                        ;
                                        ; Reset software watchdog
                andi.w  #$FFFB,(SCCR1).l ; sc control 1 register
                btst    #6,((SCSR+1)).l ; sci status register
                beq.s   loc_73C         ; Branch if Equal

                move.w  (SCDR).l,d3     ; sci data register

loc_73C:                                ; CODE XREF: sub_712+22j
                move.w  #8,(SCCR1).l    ; sc control 1 register
                moveq   #0,d2           ; Move Quick
                bra.s   loc_74A         ; Branch Always

; ---------------------------------------------------------------------------

loc_748:                                ; CODE XREF: sub_712+40j
                jsr     (a3)            ; imAlive
                                        ;


loc_74A:                                ; CODE XREF: sub_712+34j sub_712+54j
                btst    #0,(SCSR).l     ; sci status register
                beq.s   loc_748         ; imAlive
                                        ;

                moveq   #0,d0           ; Move Quick
                move.b  (a2)+,d0        ; Move Data from Source to Destination
                move.w  d0,(SCDR).l     ; sci data register
                addq.l  #1,d2           ; Add Quick
                move.l  arg_4(a6),d0    ; Move Data from Source to Destination
                cmp.l   d2,d0           ; Compare
                bne.s   loc_74A         ; Branch if Not Equal

                bra.s   loc_76C         ; Branch Always

; ---------------------------------------------------------------------------

loc_76A:                                ; CODE XREF: sub_712+62j
                jsr     (a3)            ; I'm Alive


loc_76C:                                ; CODE XREF: sub_712+56j
                btst    #7,(SCSR+1).l   ; sci status register
                beq.s   loc_76A         ; I'm Alive

                andi.w  #$FFF7,(SCCR1).l ; sc control 1 register
                ori.w   #4,(SCCR1).l    ; sc control 1 register
                movem.l (sp),d2-d3/a2-a3 ; Move Multiple Registers
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine

; End of function sub_712

; ---------------------------------------------------------------------------
                link    a6,#-8          ; Link and Allocate
                move.l  a2,4(sp)        ; Move Data from Source to Destination
                movea.l 8(a6),a2        ; Move Address
                bra.s   loc_7AC         ; Branch Always

; ---------------------------------------------------------------------------

loc_79C:                                ; CODE XREF: ROM:000007AEj
                moveq   #1,d0           ; Move Quick
                move.l  d0,(sp)         ; Move Data from Source to Destination
                move.l  a2,d0           ; Move Data from Source to Destination
                addq.l  #1,a2           ; Add Quick
                move.l  d0,-(sp)        ; Move Data from Source to Destination
                bsr.w   sub_712         ; Branch to Subroutine

                addq.l  #4,sp           ; Add Quick

loc_7AC:                                ; CODE XREF: ROM:0000079Aj
                tst.b   (a2)            ; Test an Operand
                bne.s   loc_79C         ; Branch if Not Equal

                movea.l 4(sp),a2        ; Move Address
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine


; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

sub_7B8:                                ; CODE XREF: ROM:loc_7E0p
                link    a6,#0           ; Link and Allocate
                btst    #6,(SCSR+1).l   ; sci status register
                beq.s   loc_7CA         ; Branch if Equal

                moveq   #1,d0           ; Move Quick
                bra.s   loc_7CE         ; Branch Always

; ---------------------------------------------------------------------------

loc_7CA:                                ; CODE XREF: sub_7B8+Cj
                moveq   #0,d0           ; Move Quick
                nop                     ; No Operation

loc_7CE:                                ; CODE XREF: sub_7B8+10j
                unlk    a6              ; Unlink

locret_7D0:                             ; Return from Subroutine
                rts

; End of function sub_7B8

; ---------------------------------------------------------------------------
                link    a6,#-6          ; Link and Allocate
                move.l  d2,(sp)         ; Move Data from Source to Destination
                ori.w   #4,(SCCR1).l    ; sc control 1 register

loc_7E0:                                ; CODE XREF: ROM:000007E4j
                bsr.s   sub_7B8         ; Branch to Subroutine

                tst.l   d0              ; Test an Operand
                beq.s   loc_7E0         ; Branch if Equal

                move.w  (SCDR).l,d2     ; sci data register
                moveq   #0,d0           ; Move Quick
                move.b  d2,d0           ; Move Data from Source to Destination
                move.l  (sp),d2         ; Move Data from Source to Destination
                unlk    a6              ; Unlink
                rts                     ; Return from Subroutine

; ---------------------------------------------------------------------------

ECUMain2:                               ; CODE XREF: ROM:00000924j
                                        ; DATA XREF: CheckforColdBootAndSetup+24o
                movea.l #TOPRAM,sp      ; stack ptr

loc_7FC:                                ; stack ptr
                movea.l #TOPRAM,a0
                move    a0,usp          ; Move Data from Source to Destination
                movea.l #word_84132,a0  ; VBR base
                movec   a0,vbr          ; Move Control Register
                move.w  #$FF,(RAMBAH).l ; ram base address register high
                move.w  #$E000,(RAMBAL).l ; ram base address register low
                                        ; set to 0xFFE000
                                        ;
                                        ;
                                        ;
                                        ;
                move.w  (RAMMCR).l,d0   ; rammcr
                                        ;
                bclr    #$F,d0          ; Test a Bit and Clear
                bclr    #8,d0           ; Test a Bit and Clear
                bset    #9,d0           ; Test a Bit and Set
                bset    #$B,d0          ; Test a Bit and Set
                move.w  d0,(RAMMCR).l   ; RAMMCR - RAM Module Configuration Register
                move.w  #$FFD0,(TRAMBAR).l ; TRAMBAR - TPURAM Base Address and Status Register $YFFB04
                                        ; bits 15-4: ADDR[23:12]
                                        ; bits 3-1:  0
                                        ; bit 0:     RAMDS
                                        ; RESET:     0000 0000 0000 0000
                                        ; ADDR[23:11] - TPURAM Array Base Address
                                        ; These bits specify ADDR[23:12] of the base address of the TPURAM array when
                                        ; enabled. The 3.5-Kbyte array resides at the lower end of the 4-Kbyte page into which
                                        ; it is mapped.
                                        ; RAMDS - RAM Array Disable
                                        ; 0 = RAM array is enabled.
                                        ; 1 = RAM array is disabled.
                                        ; RAMDS indicates whether the TPURAM is active or disabled. The array is disabled at
                                        ; reset. Writing a valid base address into TRAMBAR clears the RAMDS bit and enables
                                        ; the array.
                                        ;
                move.w  (SIMMCR).l,d0   ; sim module configuration register
                bclr    #$D,d0          ; Test a Bit and Clear
                move.w  d0,(SIMMCR).l   ; sim module configuration register
                move.w  (SYNCR).l,d0    ; clock synthesizer control
                andi.w  #%1111111,d0    ; AND Immediate
                ori.w   #%1101001100000000,d0 ; Inclusive-OR
                move.w  d0,(SYNCR).l    ; clock synthesizer control
                movea.l #0,a6           ; Move Address
                jsr     $84A54          ; jump to (0xA54+0x7F6) or 0x124A ecumain_0

                move.l  #0,-(sp)        ; Move Data from Source to Destination

loc_878:                                ; Move Data from Source to Destination
                move.l  #0,-(sp)

infiniteLoop_:                          ; CODE XREF: ROM:00000880j
                nop                     ; No Operation
                bra.s   infiniteLoop_   ; Branch Always

; ---------------------------------------------------------------------------
corrected a couple of incorrect labels.


Last edited by charliex; 07-09-2006 at 02:59 PM.