Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 26, 2022 22:01:25 GMT
It looks like the bootloader is in the MASKED ROM MODULE. MASKED ROM MODULE The masked ROM module (MRM) is only available with the MC68HC16Z2 and the MC68HC16Z3. The MRM can be configured to support system bootstrap during reset.
|
|
|
Post by dino2gnt on Jan 26, 2022 22:14:06 GMT
It looks like the bootloader is in the MASKED ROM MODULE. MASKED ROM MODULE The masked ROM module (MRM) is only available with the MC68HC16Z2 and the MC68HC16Z3. The MRM can be configured to support system bootstrap during reset.
It may be. If it's not the MRM, it's in some other MCU memory location that's mapped to $000000.
I'm planning to dust off my BDM interface tonight, I'll share what I learn.
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 27, 2022 21:19:53 GMT
It may be. If it's not the MRM, it's in some other MCU memory location that's mapped to $000000.
I'm planning to dust off my BDM interface tonight, I'll share what I learn.
If possible, try to read the entire address space of the processor. First of all, the space of control registers from address 0xFFF000 to the end is interesting.
|
|
|
Post by dino2gnt on Jan 27, 2022 21:44:18 GMT
If possible, try to read the entire address space of the processor. That's the plan. I was hoping to find vias in the board or test pads connected to any of the pins I need for the BDM, but I spent hours probing this board last night and wasn't able to locate any. Reluctant to attempt to solder directly to the MCU pins, but its looking like I may have no alternative. There's even a bare 10-pin header on the board that _looks_ like it would be for a BDM, but it's not connected to anything I need
|
|
|
Post by dino2gnt on Jan 29, 2022 4:56:20 GMT
Good thing the limit for attachments is 1MB.
Binary output from the BDM interface. This was booted with +20V applied to SCI RX, then removed.
Booted normally, I am able to access 0x00000 to 0x3FFFF, which just gives me the 256KB running code.
Curiously, booted with +20V applied and left connected, I am able to dump exactly 4096 bytes. I have attached that as well.
I have not yet inspected any of these beyond a quick once through with a hex editor.
Attachments:bootstrap1.bin (1 MB)
bsdump.bin (4 KB)
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 29, 2022 13:48:07 GMT
Curiously, booted with +20V applied and left connected, I am able to dump exactly 4096 bytes. I have attached that as well. It looks like a hard reset is working, it's the same Watchdog. Attachments seem to be true, only I do not see the values of internal registers.
|
|
|
Post by admin on Jan 29, 2022 14:37:43 GMT
Chiming in with observations.
bsdump.bin is the SBEC3 RAM dump. Normally SCI 26 0F 80 00 - 26 0F 97 FF reads the same offsets, though not all firmware allows hijacking the read ROM command like this. And it reads a total of 6 kB of RAM which has repeated parts at the end. The VIN read from EEPROM is stored at 0x00000951. So it's safe to say that RAM is 4 kB.
bootstrap1.bin has the full 256k flash at the beginning and some additional functions at the end, probably boot related. To be analyzed later!
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 29, 2022 15:48:27 GMT
bootstrap1.bin has the full 256k flash at the beginning and some additional functions at the end, probably boot related. To be analyzed later! Not quite so, for example, the memory area from the address 0xF0000 completely matches the memory area 0x00000. (bootstrap1.bin) When reading with BDM, area 0xF0000 must contain internal registers. For example, a memory dump with the same processor obtained using BDM, from Mazda Demio: ICE B5-223119 / DW5W 303745
|
|
|
Post by dino2gnt on Jan 29, 2022 18:24:15 GMT
More than happy to pull any other memory addresses you can think of while I have this jigged up and working. Now's the time, the connections are directly to the MCU pins and are quite delicate, I'm not sure I can move it around without breaking them.
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 29, 2022 18:50:14 GMT
First try to read the memory area from 0xF8000-0xFFFFF via BDM. Without supply +20 volts.
|
|
|
Post by dino2gnt on Jan 29, 2022 20:28:04 GMT
It read to 0xF97FF (if I'm reading it right) and the ECU doesn't respond further.
Tried starting at FA000, FB000, FC000, FD000, FE000, and FF000. No response, have to reset the ECU to knock the BDM loose.
Attachments:0xf8000-0xfffff.bin (998 KB)
|
|
|
Post by dino2gnt on Jan 29, 2022 20:36:11 GMT
bsdump.bin is the SBEC3 RAM dump. Interesting that it was mapped to 0x00000 when I read it...
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 29, 2022 20:50:20 GMT
Please try the range from $FFF000 to $FFFFFF.- Where $Y can be F or 7. Attachments:
|
|
|
Post by dino2gnt on Jan 29, 2022 21:03:20 GMT
Please try the range from $FFF000 to $FFFFFF.- Not possible for that to exist in the CPU's 20-bit address space AFAIK.
|
|
Piton
Junior Member
Posts: 94
|
Post by Piton on Jan 29, 2022 21:15:41 GMT
I know.
|
|