Deciphering the ECU - Page 2 - LotusTalk - The Lotus Cars Community
Reply
 
LinkBack Thread Tools Display Modes
post #21 of 65 (permalink) Old 06-25-2006, 02:09 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by nvrblu
Motorola spun-off its semiconductor business as a new company about 2 years ago -- Freescale Semiconductor, Inc. That's my employer. I spent some time in the past year transferring ROM processing software from an external contractor back into the company. We used to do a lot of mask programmed parts a long time ago. The ROM processing software is primarily used for field programmable parts now.

Cool to see Freescale parts used in my car
you're my new best friend

though i don't think i can ever drop the habit of using motorola instead of freescale.


Randy, is there any way we can have the code/php window wider ? so that it doesn't max out so quickly. (Thanks!)

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!

Last edited by charliex; 06-25-2006 at 02:22 PM.
charliex is offline  
Sponsored Links
Advertisement
 
post #22 of 65 (permalink) Old 06-25-2006, 02:22 PM
Forum Founder
 
Randy Chase's Avatar
 
Join Date: Apr 2002
Location: Tail of the Dragon
Posts: 29,083
Garage
Quote:
Originally Posted by charliex
Randy, is there any way we can have the code/php window wider ? so that it doesn't max out so quickly.

I have some options for code window width and length. I tweaked length a bit longer. Width was set a 640px and I have now set it to AUTO, but I can also set another fixed pixel size if that makes more sense.

#somethingwickedthiswaycomes... the new Origin Noble M and the Origin 7

Zenos E10S for Sale! www.zenosforsale.com

There are some very shady dealers in the Lotus business.

2005 Lotus Elise, 1993 MR2, 1995 MR2, 125cc Shifter Kart, Toniq (in build), 2018 Origin 7 (waiting), 2018 Origin Noble M (waiting)
Randy Chase is offline  
post #23 of 65 (permalink) Old 06-25-2006, 02:25 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by Randy Chase
I have some options for code window width and length. I tweaked length a bit longer. Width was set a 640px and I have now set it to AUTO, but I can also set another fixed pixel size if that makes more sense.
auto should be fine, then the little monitor people can be ok, i usually have my code set for 79 fixedsys but i had issues with that on vbulletin..

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
 
post #24 of 65 (permalink) Old 06-25-2006, 09:16 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
nice job on the bootstrap, charliex... its good to see someone else who can work fluently at the assembly level... its starting to become a lost art in the industry, even among embedded programmers.
rob13572468 is offline  
post #25 of 65 (permalink) Old 07-13-2006, 10:07 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
anyone feel like relashing

ok i had some time this weekend so i finally got around to reversing some more of the code. specifically i found the routines that allow reading and writing to the ECU over CAN.

this will allow *anyone* to read and write to their ECU. all that is needed is a laptop and a serial to CAN or USB to CAN adapter that can do 1Mb/s. the 2534 passthrough stuff is not necessary.



the can frames that do the reading/writing are 05X frames and there are a number of different versions that allow reading/writing a byte, word, or dword as well as some that allow 256 byte read/writes. the format for the frames are as follows:

Code:
CMD	ID	LEN	DATA					RESULT
--------------------------------------------------------------------------------------------------
SEND	050	04	AA BB CC DD				read dword at AABBCCDD
RCV	7A0	04	EE FF GG HH
(outputs value at AABBCCDD)

SEND	051	04	AA BB CC DD				reads word at AABBCCDD
RCV	7A0	02	WW WW


SEND	051	06	II AA BB CC DD 01			send 0A +1 byte
RCV	JJJ	02	0A NN
(JJJ=II*8 + 1) NN= byte at AABBCCDD

SEND	051	06	II AA BB CC DD 02			send 0A +2 byte
RCV	JJJ	03	0A N1 N2
(JJJ=II*8 + 1) NN= byte at AABBCCDD

SEND	051	06	II AA BB CC DD 04			send 0A +4 byte
RCV	JJJ	05	0A N1 N2 N3 N4
(JJJ=II*8 + 1) NN= byte at AABBCCDD



SEND	052	04	AA BB CC DD				return 1 byte from addr
RCV	7A0	01	XX   (xx= byte at addr AABBCCDD)

SEND	052	07	II AA BB CC DD 00 LL			return 1-8 bytes from addr
RCV	JJJ	08	NN NN NN NN NN NN NN NN
( JJJ=(II*8)+2  NN= LL bytes starting at addr AABBCCDD)

SEND	053	05	AA BB CC DD LL				return 01-FF bytes from addr
RCV	7A0	LL	NN NN NN NN NN NN NN NN
(NN=LL bytes (1-8) starting at addr AABBCCDD)

SEND	053	04	AA BB CC DD				store address, return 0002EDEC
RCV	7A0	04	EC ED 02 00
(stores AABBCCDD at 801CC and outputs the above frame)

SEND	053	01	NN					return 0002EDEC with NN-->TR ID
RCV	JJJ	06	A0 00 02 ED EC 00
(JJJ=NN*8 + 3)

SEND	054	08	AA BB CC DD EE FF GG HH			write dword to addr
(writes EEFFGGHH to addr AABBCCDD)

SEND	055	06	AA BB CC DD EE FF			write word to addr
(writes EEFF to addr AABBCCDD)

SEND	056	05	AA BB CC DD EE				write byte to addr
(writes EE to addr AABBCCDD)

SEND	057	LL	NN NN NN NN NN NN NN NN			write LL bytes to addr ptr
(writes LL bytes to address contained at ptr 801D0[global dest addr ptr],
 increments 801D0 by LL, subtracts LL from 801D8[global write counter max val=FF] )

SEND	057	05	AA BB CC DD LL				setup a 01-FF byte write
(stores address [AABBCCDD] to 801D0, stores total # of bytes [LL] to write to 801D8
the ecu tends to reply using ID 7A0 mainly but also builds special frame id's based on input values that you can send. for example if you want to read a 32 bit dword from location 00000400 you would send the following frame:

Code:
ID:050	LEN:04	DATA:00 00 04 00
and the ECU will return:

Code:
ID:7A0	LEN:04	DATA:2E 7C 00 FF
its also worth noting that these routines are not encrypted at all. they allow direct manipulation of all code/data in memory. this also allows them to be used to build a debugger module to get real time readings as the ECU and even the car is running as well as be able to write bootloader code to RAM to do all sorts of interesting things.

the next step is to write some code to access the flash write routines. if anyone can get the high-res pics( of both front and back) that i asked about it will be very helpful.
rob13572468 is offline  
post #26 of 65 (permalink) Old 07-13-2006, 10:11 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
here is the disassembled and commented code for these routines:

Code:
| ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ S U B	R O U T	I N E ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

| Attributes: bp-based frame

rcvCAN05XsndCANXXX:
		link	a6, #-0x32
		movem.l	d0-d4/a0-a5, (sp)
		lea	(unk_00080E8E).l, a2
		lea	(dword_00080E8A).l, a3
		lea	(unk_000801D4).l, a4
		lea	(CAN_timer_stored).l, a5
		btst	#4, (byte_00FFF1F1).l	       | check if buffer has message
		beq.s	loc_00014D2A		       | if yes	then jump down


loc_00014D20:					       | CODE XREF: rcvCAN05XsndCANXXX+32j
		btst	#4, (byte_00FFF1F1).l	       | chk again if buffer is	ready
		bne.s	loc_00014D20


loc_00014D2A:					       | CODE XREF: rcvCAN05XsndCANXXX+28j
		move.w	(CAN_F_STAT).l,	d0
		andi.w	#0x60, d0 | '`'                | mask off status bits
		cmpi.w	#0x60, d0 | '`'                | chk for buffer overrun
		bne.s	chkframe050		       | continue if OK


saveTimerAndRtn7:
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe050:					       | CODE XREF: rcvCAN05XsndCANXXX+42j
		btst	#5, (byte_00FFF1F1).l
		beq.w	clrCAN_F_IntAndReturn

		move.l	#0xFFF1F6, (a3)
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x50, d0 | 'P'                | chk if frame=050
		bne.s	chkframe051		       | if not	then jump down


CANreadDword:					       | get can stat
		move.w	(CAN_F_STAT).l,	d0
		andi.w	#0xF, d0		       | mask off length
		cmpi.w	#4, d0			       | chk if	length =4
		bne.s	saveTimerAndRtn6	       | if not	then return

		movea.l	(a3), a0		       | a0=FFF1F6
		move.l	(a0), (read_addr).l	       | save first 4 data bytes at 801CC
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set CAN buffer to empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | put timer in do
		move.w	d0, (a5)		       | and save
		move.l	#0xFFF106, (a2)		       | (a2)=FFF106
		move.w	#0x88, (CAN0_STAT_0xFFF100).l |	'ˆ' | set CAN to hold
		move.w	#-0xC00, (CAN0IDH_0xFFF102).l  | set CANID to 7A0
		movea.l	(read_addr).l, a0	       | get the 4 sent	bytes
		movea.l	(a2), a1		       | a1=FFF106
		move.l	(a0), (a1)		       | get dword pointed to by address
		move.w	#0xC4, (CAN0_STAT_0xFFF100).l |	'Ä' | set transmit 4 bytes
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn6:				       | CODE XREF: rcvCAN05XsndCANXXX+86j
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | save CAN timer
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe051:					       | CODE XREF: rcvCAN05XsndCANXXX+76j
		move.w	(CAN_F_ID).l, d0	       | get frame ID
		lsr.w	#5, d0			       | mask id#
		cmpi.w	#0x51, d0 | 'Q'                | chk if frame ID=051
		bne.w	chkFrame052		       | if not	jump down

		move.w	(CAN_F_STAT).l,	d0	       | get stat
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#4, d0			       | chk if	len=4
		bne.s	CANsnd_0A_RR		       | if not	then jump down

		movea.l	(a3), a0		       | ao=FFF1F6
		move.l	(a0), (read_addr).l
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		move.l	#0xFFF106, (a2)
		move.w	#0x88, (CAN0_STAT_0xFFF100).l |	'ˆ'
		move.w	#-0xC00, (CAN0IDH_0xFFF102).l
		movea.l	(read_addr).l, a0
		movea.l	(a2), a1
		move.w	(a0), (a1)
		move.w	#0xC2, (CAN0_STAT_0xFFF100).l |	'Â' | transmit WW WW
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANsnd_0A_RR:					       | CODE XREF: rcvCAN05XsndCANXXX+FEj
		move.w	(CAN_F_STAT).l,	d0	       | get stat
		andi.w	#0xF, d0		       | mask len
		cmpi.w	#6, d0			       | chk if	len=6
		bne.w	saveTimerAndRtn5	       | if not	then save timer	and ret

		moveq	#0, d3			       | d3=00
		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#1, (a3)		       | inc ptr
		move.b	(a0), d3		       | d3= byte 0
		movea.l	(a3), a0		       | a0=FFF1F7
		addq.l	#1, (a3)		       | inc ptr
		move.b	(a0), (byte_00080F12).l
		movea.l	(a3), a0
		addq.l	#1, (a3)		       | inc ptr
		move.b	(a0), (unk_00080F13).l
		movea.l	(a3), a0
		addq.l	#1, (a3)		       | inc ptr
		move.b	(a0), (byte_00080F14).l
		movea.l	(a3), a0
		addq.l	#1, (a3)		       | inc ptr
		move.b	(a0), (byte_00080F15).l
		movea.l	(a3), a0
		move.b	(a0), d4
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		move.l	(byte_00080F12).l, (a4)
		cmpi.b	#1, d4
		bne.s	CANread2bytes

		move.l	#0xFFF116, (a2)
		move.w	#0x88, (CAN1_STAT).l | 'ˆ'
		move.w	d3, d0
		lsl.w	#8, d0
		ori.w	#0x20, d0 | ' '
		move.w	d0, (CAN_1_ID).l
		movea.l	(a2), a0		       | inc ptr
		addq.l	#1, (a2)		       | inc ptr
		move.b	#0xA, (a0)
		movea.l	(a4), a0
		movea.l	(a2), a1
		move.b	(a0), (a1)
		move.w	#0xC2, (CAN1_STAT).l | 'Â'     | transmit 0A RR
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANread2bytes:					       | CODE XREF: rcvCAN05XsndCANXXX+1A4j
		cmpi.b	#2, d4
		bne.s	CANread4bytes

		move.l	#0xFFF116, (a2)
		move.w	#0x88, (CAN1_STAT).l | 'ˆ'
		move.w	d3, d0
		lsl.w	#8, d0
		ori.w	#0x20, d0 | ' '
		move.w	d0, (CAN_1_ID).l
		movea.l	(a2), a0
		addq.l	#1, (a2)		       | inc ptr
		move.b	#0xA, (a0)
		movea.l	(a4), a0
		addq.l	#1, (a4)		       | inc ptr
		movea.l	(a2), a1
		addq.l	#1, (a2)		       | inc ptr
		move.b	(a0), (a1)
		movea.l	(a4), a0
		movea.l	(a2), a1
		move.b	(a0), (a1)
		move.w	#0xC3, (CAN1_STAT).l | 'Ã'     | transmit 0A R1 R2
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANread4bytes:					       | CODE XREF: rcvCAN05XsndCANXXX+1E0j
		cmpi.b	#4, d4
		bne.w	clrCAN_F_IntAndReturn

		move.l	#0xFFF116, (a2)
		move.w	#0x88, (CAN1_STAT).l | 'ˆ'
		move.w	d3, d0
		lsl.w	#8, d0
		ori.w	#0x20, d0 | ' '
		move.w	d0, (CAN_1_ID).l
		movea.l	(a2), a0
		addq.l	#1, (a2)		       | inc ptr
		move.b	#0xA, (a0)
		movea.l	(a4), a0
		addq.l	#1, (a4)
		movea.l	(a2), a1
		addq.l	#1, (a2)
		move.b	(a0), (a1)
		movea.l	(a4), a0
		addq.l	#1, (a4)
		movea.l	(a2), a1
		addq.l	#1, (a2)
		move.b	(a0), (a1)
		movea.l	(a4), a0
		addq.l	#1, (a4)
		movea.l	(a2), a1
		addq.l	#1, (a2)
		move.b	(a0), (a1)
		movea.l	(a4), a0
		movea.l	(a2), a1
		move.b	(a0), (a1)
		move.w	#0xC5, (CAN1_STAT).l | 'Å'     | transmit 0A R1 R2 R3 R4
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn5:				       | CODE XREF: rcvCAN05XsndCANXXX+152j
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkFrame052:					       | CODE XREF: rcvCAN05XsndCANXXX+ECj
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x52, d0 | 'R'
		bne.w	chkframe053


CANreadMEM_1byte:				       | this routine sends the	value of the byte 
		move.w	(CAN_F_STAT).l,	d0	       | at addr made of bytes 0-3
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#4, d0			       | chk if	len=4
		bne.s	CANreadMEM_Xbytes	       | if not	then jump down

		movea.l	(a3), a0		       | a0=FFF1F6
		move.l	(a0), (read_addr).l	       | put byte 0-3 at 801CC
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer to empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | store timer
		move.w	d0, (a5)		       | in (a5)
		move.l	#0xFFF106, (a2)		       | (a2)=FFF106
		move.w	#0x88, (CAN0_STAT_0xFFF100).l |	'ˆ' | set buffer to hold
		move.w	#-0xC00, (CAN0IDH_0xFFF102).l  | set ID=7A0
		movea.l	(read_addr).l, a0	       | a0=bytes 0-3
		movea.l	(a2), a1		       | a1=FFF106
		move.b	(a0), (a1)		       | put value of byte at addr into	CAN buffer
		move.w	#0xC1, (CAN0_STAT_0xFFF100).l |	'Á' | send CAN message 1 byte
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANreadMEM_Xbytes:				       | CODE XREF: rcvCAN05XsndCANXXX+2B0j
		move.w	(CAN_F_STAT).l,	d0
		andi.w	#0xF, d0		       | mask len and chk
		cmpi.w	#7, d0			       | continue if 7
		bne.w	saveTimerAndRtn4	       | return	if not

		moveq	#0, d3
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), d3		       | d3=byte 0
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), (byte_00080F12).l	       | 80F12=byte 1
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), (unk_00080F13).l	       | 80F13=byte 2
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), (byte_00080F14).l	       | 80F14=byte 3
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), (byte_00080F15).l	       | 80F15=byte 4
		moveq	#0, d2
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), d2		       | byte 5	is discarded
		moveq	#0, d2
		movea.l	(a3), a0
		addq.l	#1, (a3)
		move.b	(a0), d2		       | d2=byte 6
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)		       | save can timer
		move.l	(byte_00080F12).l, (a4)
		move.l	#0xFFF116, (a2)		       | (a2)=FFF116
		move.w	#0x88, (CAN1_STAT).l | 'ˆ'
		move.w	d3, d0			       | d0=byte 0
		lsl.w	#8, d0			       | d0=(byte 0 * 100)
		ori.w	#0x40, d0 | '@'                | d0=(byte0*100)+40
		move.w	d0, (CAN_1_ID).l	       | CANID=d0
						       | (actual ID=[byte0*8]+2	range 2-7FA)
		cmpi.w	#8, d2			       | chk if	d2=8
		bls.s	loc_00015088		       | if less then jump down

		move.w	#8, d2
		bra.s	loc_00015088		       | else make sure	d2=8 max

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_0001507C:					       | CODE XREF: rcvCAN05XsndCANXXX+394j
		movea.l	(a4), a0		       | a0=data bytes 1-4 as ptr
		addq.l	#1, (a4)		       | inc ptr
		movea.l	(a2), a1		       | a1=FFF116-FFF11D
		addq.l	#1, (a2)		       | inc ptr
		move.b	(a0), (a1)		       | get byte from addr and	put in CAN buffer
		subq.w	#1, d2			       | dec counter do	0-8 bytes

loc_00015088:					       | CODE XREF: rcvCAN05XsndCANXXX+37Ej
						       | rcvCAN05XsndCANXXX+384j
		tst.w	d2			       | chk d2
		bne.s	loc_0001507C		       | iloop until d2==00

		move.w	#0xC8, (CAN1_STAT).l | 'È'     | transmit 8 bytes
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn4:				       | CODE XREF: rcvCAN05XsndCANXXX+304j
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
rob13572468 is offline  
post #27 of 65 (permalink) Old 07-13-2006, 10:12 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
part 2

Code:
chkframe053:					       | CODE XREF: rcvCAN05XsndCANXXX+29Ej
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x53, d0 | 'S'
		bne.w	chkframe054

		move.w	(CAN_F_STAT).l,	d0	       | get stat byte
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#5, d0			       | chk if	len = 5
		bne.w	CANstoreAddrRtn0002EDEC	       | if not	then jump down


CANrtn01toFFbytes:				       | set global counter to 00
		clr.w	(global_write_ctr).l
		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#4, (a3)		       | ptr=ptr+4
		move.l	(a0), (read_addr).l	       | put bytes 0-3 at 801CC
		moveq	#0, d0			       | d0=00
		movea.l	(a3), a0		       | a0=FFF1FA
		move.b	(a0), d0		       | put byte 4 into d0
		move.w	d0, (word_000801DA).l	       | put byte 4 into 801DA
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | store timer
		move.w	d0, (a5)
		move.l	#0xFFF106, (a2)		       | (a2)=FFF106
		move.w	#0x88, (CAN0_STAT_0xFFF100).l |	'ˆ' | set can to hold
		move.w	#-0xC00, (CAN0IDH_0xFFF102).l  | set CANID=7A0
		cmpi.w	#8, (word_000801DA).l	       | chk if	801DA=8
		bls.s	loc_0001514A		       | if less then jump down

		move.w	#8, d2			       | else set counter to 8
		bra.s	loc_00015134		       | and jump down

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_00015120:					       | CODE XREF: rcvCAN05XsndCANXXX+440j
		movea.l	(read_addr).l, a0	       | a0=bytes 0-3 (addr ptr)
		addq.l	#1, (read_addr).l	       | inc ptr
		movea.l	(a2), a1		       | a1=data buffer
		addq.l	#1, (a2)		       | inc ptr
		move.b	(a0), (a1)		       | put 8 bytes from addr into can	buffer
		subq.w	#1, d2			       | dec counter

loc_00015134:					       | CODE XREF: rcvCAN05XsndCANXXX+428j
		tst.w	d2			       | chk if	counter=00
		bne.s	loc_00015120		       | if not	00 then	loop back

		move.w	#0xC8, (CAN0_STAT_0xFFF100).l |	'È' | else transmit message 8 bytes
		subq.w	#8, (word_000801DA).l	       | subtract 8 from global	read counter
		bra.w	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_0001514A:					       | CODE XREF: rcvCAN05XsndCANXXX+422j
		move.w	(word_000801DA).l, d2	       | d2=counter
		bra.s	loc_00015166

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_00015152:					       | CODE XREF: rcvCAN05XsndCANXXX+472j
		movea.l	(read_addr).l, a0	       | a0=address
		addq.l	#1, (read_addr).l	       | increment ptr
		movea.l	(a2), a1		       | a1=data buffer
		addq.l	#1, (a2)		       | inc ptr
		move.b	(a0), (a1)		       | put xx	bytes from address to can buffer
		subq.w	#1, d2			       | decrement counter

loc_00015166:					       | CODE XREF: rcvCAN05XsndCANXXX+45Aj
		tst.w	d2			       | chk if	counter=00
		bne.s	loc_00015152		       | if not	then loop back

		move.w	(word_000801DA).l, d0	       | put global counter into d0
		addi.w	#0xC0, d0 | 'À'                | build status byte
		move.w	d0, (CAN0_STAT_0xFFF100).l     | set transmit X	bytes
		clr.w	(word_000801DA).l	       | and clear global counter
		bra.w	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANstoreAddrRtn0002EDEC:			       | CODE XREF: rcvCAN05XsndCANXXX+3D4j
		move.w	(CAN_F_STAT).l,	d0	       | get stat byte
		andi.w	#0xF, d0		       | mask len
		cmpi.w	#4, d0			       | check if len=4
		bne.s	CANrtn0002EDEC		       | if not	4 then jump down

		movea.l	(a3), a0		       | a0=FFF1F6
		move.l	(a0), (read_addr).l	       | put bytes 0-3 at 801CC
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | save timer
		move.w	d0, (a5)
		move.l	#0xFFF106, (a2)		       | a2=can	buffer
		move.w	#0x88, (CAN0_STAT_0xFFF100).l |	'ˆ' | set hold transmission
		move.w	#-0xC00, (CAN0IDH_0xFFF102).l  | set CANID=7A0
		movea.l	(a2), a0		       | a0=FFF106 can buffer
		move.l	#off_0002EDEC, (a0)	       | put 00	02 ED EC into CAN buffer
		move.w	#0xC4, (CAN0_STAT_0xFFF100).l |	'Ä' | transmit 4 bytes
		bra.w	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANrtn0002EDEC:					       | CODE XREF: rcvCAN05XsndCANXXX+49Cj
		move.w	(CAN_F_STAT).l,	d0	       | get stat
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#1, d0			       | check if len=1
		bne.s	saveTimerAndRtn3	       | if not	then return

		moveq	#0, d3			       | d3=00
		movea.l	(a3), a0		       | a0=FFF1F6
		move.b	(a0), d3		       | d3= byte 0
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | store timer
		move.w	d0, (a5)
		move.l	#0xFFF116, (a2)		       | (a2)=FFF116
		move.w	#0x88, (CAN1_STAT).l | 'ˆ'     | set hold transmission
		move.w	d3, d0			       | d0=byte 0
		lsl.w	#8, d0			       | d0= (byte0 * 100)
		ori.w	#0x60, d0 | '`'                | d0=(byte0 *100) +60
		move.w	d0, (CAN_1_ID).l	       | CANID=d0
						       | actual	ID=(byte0*8)+3
		move.l	#off_0002EDEC, (a4)	       | (a4)=0002EDEC
		movea.l	(a2), a0		       | a0=FFF116
		addq.l	#1, (a2)		       | inc ptr
		move.b	#0xA, (a0)		       | transmit data byte 0= A0
		move.l	(a4), d0		       | d0=0002EDEC
		moveq	#0x18, d1		       | d1=18
		lsr.l	d1, d0			       | d0=00
		movea.l	(a2), a0		       | a0=FFF117
		addq.l	#1, (a2)		       | inc ptr
		move.b	d0, (a0)		       | byte 1=00
		move.l	(a4), d0		       | d0=0002EDEC
		moveq	#0x10, d1		       | d1=10
		lsr.l	d1, d0			       | d0=02
		movea.l	(a2), a0		       | a0=FFF118
		addq.l	#1, (a2)		       | inc ptr
		move.b	d0, (a0)		       | byte2=02
		move.l	(a4), d0		       | d0=0002EDEC
		lsr.l	#8, d0			       | d0=02ED
		movea.l	(a2), a0		       | a0=FFF119
		addq.l	#1, (a2)		       | inc ptr
		move.b	d0, (a0)		       | byte3=ED
		move.l	(a4), d0		       | d0=0002EDEC
		movea.l	(a2), a0		       | a0=FFF11A
		addq.l	#1, (a2)		       | inc ptr
		move.b	d0, (a0)		       | byte4=EC
		movea.l	(a2), a0		       | a0=FFF11B
		addq.l	#1, (a2)		       | inc ptr
		clr.b	(a0)			       | byte5=00
		move.w	#0xC6, (CAN1_STAT).l | 'Æ'     | transmit A0 00 02 ED EC 00
		bra.w	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn3:				       | CODE XREF: rcvCAN05XsndCANXXX+4EEj
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe054:					       | CODE XREF: rcvCAN05XsndCANXXX+3C2j
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x54, d0 | 'T'
		bne.s	chkframe055


CANwriteDword:					       | this routine writes bytes 4-7 into 
		move.w	(CAN_F_STAT).l,	d0	       | addr contained	at bytes 0-3
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#8, d0			       | check if len=8
		bne.s	saveTimerAndRtn2	       | if not	then return

		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#4, (a3)		       | ptr=ptr+4
		move.l	(a0), (dest_address).l	       | store first 4 bytes at	801D0
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | store can timer
		move.w	d0, (a5)		       | into a5
		move.l	#0xFFF106, (a2)		       | this doesnt do	anything
		movea.l	(a3), a0		       | a0=FFF1FA
		movea.l	(dest_address).l, a1	       | a1=first 4 bytes
		move.l	(a0), (a1)		       | write second 4	bytes to addr
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn2:				       | CODE XREF: rcvCAN05XsndCANXXX+59Cj
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe055:					       | CODE XREF: rcvCAN05XsndCANXXX+58Cj
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x55, d0 | 'U'
		bne.s	chkframe056


CANwriteWord:
		move.w	(CAN_F_STAT).l,	d0
		andi.w	#0xF, d0		       | mask len
		cmpi.w	#6, d0			       | check if len=6
		bne.s	saveTimerAndRtn1	       | if not	then return

		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#4, (a3)		       | ptr=ptr+4
		move.l	(a0), (dest_address).l	       | put data bytes	0-3 into 801D0
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | save CAN timer
		move.w	d0, (a5)
		movea.l	(a3), a0		       | a0=FFF1FA
		movea.l	(dest_address).l, a1	       | a1=bytes 0-3
		move.w	(a0), (a1)		       | write bytes 4,5 to addr (bytes	0-3)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn1:				       | CODE XREF: rcvCAN05XsndCANXXX+5FCj
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe056:					       | CODE XREF: rcvCAN05XsndCANXXX+5ECj
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x56, d0 | 'V'
		bne.s	chkframe057


CANwriteByte:
		move.w	(CAN_F_STAT).l,	d0
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#5, d0			       | chk if	len=5
		bne.s	saveTimerAndRtn8	       | if not	5 then return

		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#4, (a3)		       | ptr=ptr+4
		move.l	(a0), (dest_address).l	       | put bytes 0-3 into addr 801D0
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | save timer
		move.w	d0, (a5)
		movea.l	(a3), a0		       | a0=FFF1FA
		movea.l	(dest_address).l, a1	       | A1=bytes 0-3 (addr ptr)
		move.b	(a0), (a1)		       | write byte 4 at addr (bytes 0-3)
		bra.w	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn8:				       | CODE XREF: rcvCAN05XsndCANXXX+656j
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.w	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

chkframe057:					       | CODE XREF: rcvCAN05XsndCANXXX+646j
		move.w	(CAN_F_ID).l, d0
		lsr.w	#5, d0
		cmpi.w	#0x57, d0 | 'W'
		bne.w	saveTimerAndRtn11


CANwrite00toFFbytes:				       | check value at	801D8
		tst.w	(global_write_ctr).l
		beq.s	CANwriteSetupParams	       | if 0000 then jump down

		move.w	(CAN_F_STAT).l,	d2	       | get status byte
		andi.w	#0xF, d2		       | mask off len
		bra.s	loc_000153C8		       | jump down

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANwriteXXbytes:				       | CODE XREF: rcvCAN05XsndCANXXX+6D4j
		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#1, (a3)		       | inc ptr
		movea.l	(dest_address).l, a1	       | a1=address
		addq.l	#1, (dest_address).l	       | increment addr	ptr
		move.b	(a0), (a1)		       | write data byte 0-7 to	address
		subq.w	#1, d2			       | decrement data	byte counter
		subq.w	#1, (global_write_ctr).l       | decrement overall write counter

loc_000153C8:					       | CODE XREF: rcvCAN05XsndCANXXX+6B6j
		tst.w	d2			       | chk if	length=00
		bne.s	CANwriteXXbytes		       | if not	00 then	jump back and continue


saveTimerAndRtn9:
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.s	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CANwriteSetupParams:				       | CODE XREF: rcvCAN05XsndCANXXX+6AAj
		move.w	(CAN_F_STAT).l,	d0	       | get stat byte
		andi.w	#0xF, d0		       | mask off len
		cmpi.w	#5, d0			       | check if len=5
		bne.s	saveTimerAndRtn10	       | if not	then return

		movea.l	(a3), a0		       | a0=FFF1F6
		addq.l	#4, (a3)		       | ptr=ptr+4
		move.l	(a0), (dest_address).l	       | set bytes 0-3 as dest addr
		moveq	#0, d0			       | d0=0000
		movea.l	(a3), a0		       | a0=FFF1FA
		move.b	(a0), d0		       | set byte 4 as d0
		move.w	d0, (global_write_ctr).l       | set byte 4 as overall counter
		move.w	#0x40, (CAN_F_STAT).l |	'@'    | set buffer empty
		move.w	(CANTIMER_0xFFF08A).l, d0      | save timer
		move.w	d0, (a5)
		bra.s	clrCAN_F_IntAndReturn	       | and return

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn10:				       | CODE XREF: rcvCAN05XsndCANXXX+6F6j
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)
		bra.s	clrCAN_F_IntAndReturn

| ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

saveTimerAndRtn11:				       | CODE XREF: rcvCAN05XsndCANXXX+6A0j
		move.w	#0x40, (CAN_F_STAT).l |	'@'
		move.w	(CANTIMER_0xFFF08A).l, d0
		move.w	d0, (a5)

clrCAN_F_IntAndReturn:				       | CODE XREF: rcvCAN05XsndCANXXX+54j
						       | rcvCAN05XsndCANXXX+60j ...
		andi.w	#0x7FFF, (CANIFLAG).l
		movem.l	(sp), d0-d4/a0-a5
		unlk	a6
		rte	

| End of function rcvCAN05XsndCANXXX
rob13572468 is offline  
post #28 of 65 (permalink) Old 07-13-2006, 10:13 AM
Evl
Registered User
 
Evl's Avatar
 
Join Date: Jan 2004
Location: Jacksonville, FL
Posts: 1,721
Quote:
Originally Posted by rob13572468
the next step is to write some code to access the flash write routines. if anyone can get the high-res pics( of both front and back) that i asked about it will be very helpful.
Cool!!

I take it that w/o flash write, nothing is saved after power off, so we can't use this to add T/C or anything else fun yet?
Evl is offline  
post #29 of 65 (permalink) Old 07-13-2006, 10:14 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
some more examples:

Code:
Message Sent: 050  04  00  00  04  00  00  00  00  00   Rtn Code: 0
6:19:43 PM    7A0h  4          2E  7C  00  FF    
Message Sent: 050  04  00  00  04  04  00  00  00  00   Rtn Code: 0
6:19:48 PM    7A0h  4          E8  00  20  7C    
Message Sent: 050  04  00  00  04  08  00  00  00  00   Rtn Code: 0
6:19:55 PM    7A0h  4          00  FF  E8  00    
Message Sent: 050  04  00  00  04  0C  00  00  00  00   Rtn Code: 0
6:20:00 PM    7A0h  4          4E  60  20  7C    
Message Sent: 050  04  00  00  04  10  00  00  00  00   Rtn Code: 0
6:20:13 PM    7A0h  4          00  00  00  00    
Message Sent: 050  04  00  00  04  14  00  00  00  00   Rtn Code: 0
6:20:37 PM    7A0h  4          4E  7B  88  01    
Message Sent: 050  04  00  00  04  18  00  00  00  00   Rtn Code: 0
6:20:43 PM    7A0h  4          33  FC  00  FF    
Message Sent: 050  04  00  00  04  1C  00  00  00  00   Rtn Code: 0
6:20:47 PM    7A0h  4          00  FF  FB  44    
Message Sent: 050  04  00  00  04  20  00  00  00  00   Rtn Code: 0
6:20:51 PM    7A0h  4          33  FC  E0  00
and some other neat stuff:
Attached Images
 
rob13572468 is offline  
post #30 of 65 (permalink) Old 07-13-2006, 10:24 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by Evl
Cool!!

I take it that w/o flash write, nothing is saved after power off, so we can't use this to add T/C or anything else fun yet?
actually you can load test code to ram and run it and even link it to the operating system. this gives the added advantage of being able to test things with a safety net. if you upload buggy code accidentally and write it to flash this way you run the chance of having your ecu not start up at all which would then require physically opening the unit and flashing the chip directly. by loading to ram you simply key off and on and you are back to factory code.

at any rate, the flash routines are very simple to reverse... once we have good photos it will be no problem.
rob13572468 is offline  
post #31 of 65 (permalink) Old 07-13-2006, 10:31 AM Thread Starter
Registered User
 
Join Date: Dec 2004
Posts: 3,826
Quote:
Originally Posted by rob13572468
at any rate, the flash routines are very simple to reverse... once we have good photos it will be no problem.
I will snap some more pictures tonight. Just send PM me the email address you want it sent to.
scottyb is offline  
post #32 of 65 (permalink) Old 07-13-2006, 10:34 AM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
nice going rob. i'm going to try that on the 06, i have a feeling we'll be unlucky and it'll be different, the cluster CAN output is significantly different from the 05, maybe they'll have kept the same format.

damn i wish i had that benched ECU 05 now

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
post #33 of 65 (permalink) Old 07-13-2006, 10:35 AM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
the flash routines are the amd 29f400BBs, aaaa/4444/8080/aaaa/5555 etc

how are you transferring control to your uploaded code, the only way i could think of that is to patch one of the existing in ram routines, or can you send a goto command ? since the vectors are in flash.

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
post #34 of 65 (permalink) Old 07-13-2006, 10:44 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
the flash routines are the amd 29f400BBs, aaaa/4444/8080/aaaa/5555 etc

how are you transferring control to your uploaded code, the only way i could think of that is to patch one of the existing in ram routines, or can you send a goto command ? since the vectors are in flash.
cool thanks... what we need now are the wiring from the ecu to the flash chip. that is the reason for the high-res pics ive been asking about unless someone has the schematics for our ecu...

transferring control is still easy. since there isnt a command that takes a vector and jumps to the routine the its simply a matter of writing the code to ram and then overwriting the stack so that the ram return vector from the can routine itself now points to the ram code instead. the code then runs as soon as the can routine returns
rob13572468 is offline  
post #35 of 65 (permalink) Old 07-13-2006, 10:48 AM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
nice going rob. i'm going to try that on the 06, i have a feeling we'll be unlucky and it'll be different, the cluster CAN output is significantly different from the 05, maybe they'll have kept the same format.

damn i wish i had that benched ECU 05 now

charliex, can you post the o6 ecu can routines. the 05 can routines are 142F6 to 154EA. i dont know if the 06 are spread around more or are just offset like much of the code.
rob13572468 is offline  
post #36 of 65 (permalink) Old 07-13-2006, 10:59 AM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by rob13572468
cool thanks... what we need now are the wiring from the ecu to the flash chip. that is the reason for the high-res pics ive been asking about unless someone has the schematics for our ecu...

transferring control is still easy. since there isnt a command that takes a vector and jumps to the routine the its simply a matter of writing the code to ram and then overwriting the stack so that the ram return vector from the can routine itself now points to the ram code instead. the code then runs as soon as the can routine returns
yeah so basically patch the code, its easier than doing a fake stack return, since theres a small risk of overrunning and they do some odd stack handling, instead of pushing items, sometimes they just store it directly. , you can just patch the main loop instead. or do a stub function, thats what i do for my speedo fix code.

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
post #37 of 65 (permalink) Old 07-13-2006, 11:08 AM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by rob13572468
charliex, can you post the o6 ecu can routines. the 05 can routines are 142F6 to 154EA. i dont know if the 06 are spread around more or are just offset like much of the code.
i haven't downloaded the 06 code yet, its a powerpc and the ecu is tamperproof (in that you can't take it apart with damaging the case )


i found the can routines by following the user interrupt vectors.

here are a few pictures i took of randys ecu,they're mainly for chip id though not circuit tracing.

http://www.moremonkey.com/images/ecu/index.htm

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!

Last edited by charliex; 07-13-2006 at 11:29 AM.
charliex is offline  
post #38 of 65 (permalink) Old 07-13-2006, 12:17 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
yeah so basically patch the code, its easier than doing a fake stack return, since theres a small risk of overrunning and they do some odd stack handling, instead of pushing items, sometimes they just store it directly. , you can just patch the main loop instead. or do a stub function, thats what i do for my speedo fix code.
good point, plus isnt the vector table copied into ram as well so we could patch one of those too...
rob13572468 is offline  
post #39 of 65 (permalink) Old 07-13-2006, 12:27 PM
Registered User
 
rob13572468's Avatar
 
Join Date: Feb 2005
Location: chicago
Posts: 1,122
Quote:
Originally Posted by charliex
i haven't downloaded the 06 code yet, its a powerpc and the ecu is tamperproof (in that you can't take it apart with damaging the case )


i found the can routines by following the user interrupt vectors.

here are a few pictures i took of randys ecu,they're mainly for chip id though not circuit tracing.

http://www.moremonkey.com/images/ecu/index.htm
oh, that might explain why the 06 ecu will not do the data dump as well... they might have removed these routines altogether. it will be interesting to see what happens when you try the read frames on an '06.

nice pics as well... they seem to be showing enough of the circuit traces to do the trick...
rob13572468 is offline  
post #40 of 65 (permalink) Old 07-13-2006, 12:30 PM
OSX Black hat
 
charliex's Avatar
 
Join Date: Feb 2005
Location: Las Vegas , NV
Posts: 10,000
Quote:
Originally Posted by rob13572468
good point, plus isnt the vector table copied into ram as well so we could patch one of those too...
yes and no, the vbr is set to a ram location, however on a reset it'd be cleared, so if you reset it , the vbr would be 0 and call the rom routine, or youd have to patch one of the interrupt routines and call them, which is a lot harder than just patching the main loop to call our code.

Black Exige S / Elan M100. Don't run a smaller pulley without an upgraded fuel pump! http://www.goth.am ecu stuff.. New reflash box coming soon!
charliex is offline  
Sponsored Links
Advertisement
 
Reply

  LotusTalk - The Lotus Cars Community > Lotus Discussions > Powertrain (Engine, Transmission, etc)

Quick Reply
Message:
Options

Register Now



In order to be able to post messages on the LotusTalk - The Lotus Cars Community forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Password
Please enter a password for your user account. Note that passwords are case-sensitive.

Password:


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:
OR

Log-in











Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page
Display Modes
Linear Mode Linear Mode



Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

 
For the best viewing experience please update your browser to Google Chrome