Piton
Junior Member
Posts: 94
Post by Piton on Feb 1, 2022 13:12:33 GMT
Thanks for the pointers! There was 1 mystery byte near the part number changing between almost identical flash files. So that's for correction. The devil's always in the details.
Post by Piton on Mar 15, 2022 19:10:46 GMT
Read PN. My comment on the LdPNRtn_p utility:
1) Read Addr PAGE (fixed addr 0x0201)
2) Read pointer Addr DATA (fixed addr 0x0202)
3) Return 20 bytes.
Chrysler's general rule, and not just for ECU. Applies to automatic transmission control modules.
ROM:021E EPROM_RD:                ; CODE XREF: LdPNRtn:RD_EPROMp
ROM:021E                 tykb
ROM:0220                 tba
ROM:0222                 txkb
ROM:0224                 pshm    D, X
ROM:0226                 ldab    #4
ROM:0228                 tbyk
ROM:022A                                         ; assume YK = 4
ROM:022A                 ldy     #200h           ; offset 0x200 (total YK:IY = 0x40200)
ROM:022E                 ldaa    1, Y            ; Get page addr (offset 0x40201)
ROM:0230                 cmpa    #4              ; Check Page
ROM:0232                 bhi     error           ; Error if page >= 4
ROM:0234                 aba
ROM:0236                 tab
ROM:0238                 tbxk
ROM:023A                 ldx     2, Y            ; Get pointer to data PN
ROM:023C                 lde     #14h            ; Size read (20 bytes)
ROM:0240                 jsr     ReadBlock       ; Out data (size rE)
ROM:0244                 bra     EndRead
ROM:0246 ; ---------------------------------------------------------------------------
ROM:0246
ROM:0246 error:                    ; CODE XREF: EPROM_RD+14j
ROM:0246                 jsr     Out_20_FF       ; Out 20 bytes value 0xFF
ROM:024A
ROM:024A EndRead:                  ; CODE XREF: EPROM_RD+26j
ROM:024A                 pulm    X, D
ROM:024C                 tbxk
ROM:024E                 tab
ROM:0250                 tbyk
ROM:0252                                         ; assume YK = 0
ROM:0252                 rts
ROM:0252 ; End of function EPROM_RD
ROM:0252
ROM:0254
ROM:0254 ; =============== S U B R O U T I N E =======================================
ROM:0254
ROM:0254 ; Out 20 bytes value 0xFF
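Added example, not from the thread: a Python re-implementation of the page/pointer lookup the EPROM_RD listing above performs, run against a constructed flash image. It assumes that file offset N of the dump corresponds to MCU address 0x40000 + N (so the fixed page byte at 0x0201 is what the code reads at 0x40201); the helper names and the sample image are mine.

```python
# Added example (not from the thread): emulate EPROM_RD's page/pointer lookup.
# Assumption: image byte at file offset N sits at MCU address 0x40000 + N.

FLASH_BASE = 0x40000     # ldab #4 / tbyk: bank YK = 4
PAGE_OFFSET = 0x0201     # ldaa 1,Y  with Y = 0x200
PTR_OFFSET = 0x0202      # ldx 2,Y   (16-bit big-endian pointer)
PN_LEN = 0x14            # lde #14h  : 20 bytes are returned


def read_part_number(image: bytes) -> bytes:
    """Mimic EPROM_RD: return 20 bytes of part number, or 20 x 0xFF on error."""
    page = image[PAGE_OFFSET]
    # cmpa #4 / bhi error: unsigned "higher than", so page values 0..4 pass
    if page > 4:
        return bytes([0xFF] * PN_LEN)          # Out_20_FF
    bank = 4 + page                            # aba / tab / tbxk: XK = 4 + page
    ptr = int.from_bytes(image[PTR_OFFSET:PTR_OFFSET + 2], "big")
    addr = (bank << 16) | ptr                  # XK:IX -> 20-bit MCU address
    start = addr - FLASH_BASE                  # back to file offset (assumption)
    return bytes(image[start:start + PN_LEN])


def build_image(page: int, ptr: int, pn: bytes, size: int = 0x20000) -> bytearray:
    """Constructed flash image with page byte, pointer and PN where EPROM_RD looks."""
    img = bytearray(b"\xFF" * size)
    img[PAGE_OFFSET] = page
    img[PTR_OFFSET:PTR_OFFSET + 2] = ptr.to_bytes(2, "big")
    dest = (((4 + page) << 16) | ptr) - FLASH_BASE
    img[dest:dest + PN_LEN] = pn.ljust(PN_LEN, b" ")
    return img


if __name__ == "__main__":
    # Layout Piton reports for the TCM: page 0, pointer 0x0302
    sample = build_image(0, 0x0302, b"05019701AC")
    print(read_part_number(sample))
```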
Post by Piton on Mar 15, 2022 19:55:39 GMT
TCM PN 05019701AC page 0 addr 0x0302
Post by darkcorp on Mar 17, 2022 10:08:43 GMT
Awesome!
Post by dino2gnt on Apr 3, 2022 16:45:59 GMT
SCI Command 14. Are the functions / data in numerical order?
I've got:
ROM:357E8 DiagDataRequest14:       ; CODE XREF: ROM:35010j
ROM:357E8                 clr     SCI_RX_ID, Z
ROM:357EC                 ldab    unk_92F, Z
ROM:357F0                 beq     locret_3584A
ROM:357F2                 cmpb    #10h
ROM:357F4                 beq     loc_35808
ROM:357F6                 bclr    unk_C30, Z, #2
ROM:357FA                 cmpb    #40h
ROM:357FC                 bcs     loc_35802
ROM:357FE                 cmpb    #4Ch
ROM:35800                 bcs     loc_3584C
ROM:35802 <...>
ROM:3584C ; ---------------------------------------------------------------------------
ROM:3584C
ROM:3584C loc_3584C:               ; CODE XREF: ROM:35800j
ROM:3584C                 subb    #40h
ROM:3584E                 aslb
ROM:35850                 bcs     locret_3584A
ROM:35852                 aslb
ROM:35854                 bcs     locret_3584A
ROM:35856                 cmpb    #30h
ROM:35858                 bcc     locret_3584A
ROM:3585A                 clra
ROM:3585C                 xgdx
ROM:3585E ----->>>        jmp     509Ch, X        ; This is 0x3509C
Which jumps to:
ROM:3509C SCI_14_DATA_FUNCTIONS:   ; DATA XREF: ROM:3585Eo
ROM:3509C                 jmp     loc_35862
ROM:350A0 ; ---------------------------------------------------------------------------
ROM:350A0                 jmp     loc_3587C
ROM:350A4 ; ---------------------------------------------------------------------------
ROM:350A4                 jmp     loc_35882
ROM:350A8 ; ---------------------------------------------------------------------------
ROM:350A8                 jmp     loc_358AC
ROM:350AC ; ---------------------------------------------------------------------------
ROM:350AC                 jmp     loc_358AE
ROM:350B0 ; ---------------------------------------------------------------------------
ROM:350B0                 jmp     loc_358B0
ROM:350B4 ; ---------------------------------------------------------------------------
ROM:350B4                 jmp     loc_358B6
ROM:350B8 ; ---------------------------------------------------------------------------
ROM:350B8                 jmp     loc_358D0
ROM:350BC ; ---------------------------------------------------------------------------
ROM:350BC                 jmp     loc_35888
ROM:350C0 ; ---------------------------------------------------------------------------
ROM:350C0                 jmp     loc_358D6
ROM:350C4 ; ---------------------------------------------------------------------------
ROM:350C4                 jmp     loc_3588E
ROM:350C8 ; ---------------------------------------------------------------------------
ROM:350C8                 jmp     loc_35894
ROM:350CC ; ---------------------------------------------------------------------------
Each jump reads from a memory address or an ADC, e.g.
ROM:35862 loc_35862:               ; CODE XREF: ROM:SCI_14_DATA_FUNCTIONSj
ROM:35862                 orp     #0E0h
ROM:35866                 clra
ROM:35868                 staa    ADCTL1
ROM:3586C
ROM:3586C loc_3586C:               ; CODE XREF: ROM:35870j
ROM:3586C                 lde     ADCSTAT
ROM:35870                 bpl     loc_3586C
ROM:35872                 ldaa    ADC_RJURR0
ROM:35876                 andp    #0FF1Fh
ROM:3587A                 bra     WRITE_SCIDR
How can I determine which SCI 14 subcommand equates to each jump?
I'm trying to identify which sensors are on which ADC channels.
Post by admin on Apr 3, 2022 17:13:41 GMT
Follow the calculations before the jump. B is loaded with the parameter followed by $14.
This particular jump table works for parameters greater than or equal to $40 and less than $4C.
ROM:3584C loc_3584C:               ; CODE XREF: ROM:35800j
ROM:3584C                 subb    #40h
ROM:3584E                 aslb
ROM:35850                 bcs     locret_3584A
ROM:35852                 aslb
ROM:35854                 bcs     locret_3584A
ROM:35856                 cmpb    #30h
ROM:35858                 bcc     locret_3584A
ROM:3585A                 clra
ROM:3585C                 xgdx
ROM:3585E ----->>>        jmp     509Ch, X        ; This is 0x3509C
Example:
TX: 14 40    40 - 40 = 00    00 << 2 = 00    jmp 3509C, X + 00
TX: 14 41    41 - 40 = 01    01 << 2 = 04    jmp 3509C, X + 04
This range seems to be in numerical ascending order.
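Added example, not from the thread: a Python emulation of the index calculation admin walks through above (subb/aslb/aslb/cmpb/xgdx, then jmp 509Ch,X), using the twelve jump-table targets listed in dino2gnt's post. It also enumerates every parameter byte the range checks accept, which is the general case of the two TX lines shown; the function names are mine.

```python
# Added example (not from the thread): emulate the SCI command 14 dispatch at
# loc_3584C. Addresses and jump targets are the ones quoted in the thread.

JUMP_TABLE_BASE = 0x3509C  # SCI_14_DATA_FUNCTIONS, one 4-byte "jmp" per slot

# Targets of the slots at 0x3509C, 0x350A0, ..., 0x350C8, in table order.
JUMP_TARGETS = [
    0x35862, 0x3587C, 0x35882, 0x358AC, 0x358AE, 0x358B0,
    0x358B6, 0x358D0, 0x35888, 0x358D6, 0x3588E, 0x35894,
]


def cmd14_dispatch(param: int):
    """Return (slot_address, handler_address) for a command 14 parameter byte,
    or None when the firmware's checks branch to locret_3584A instead."""
    b = param & 0xFF
    # subb #40h: 8-bit subtract, wraps on borrow (0x3F becomes 0xFF)
    b = (b - 0x40) & 0xFF
    # aslb / bcs (twice): a 1 shifted out of bit 7 sets carry -> reject
    for _ in range(2):
        if b & 0x80:
            return None
        b = (b << 1) & 0xFF
    # cmpb #30h / bcc: carry clear means b >= 0x30 -> reject
    if b >= 0x30:
        return None
    # clra / xgdx: D = 0x00:b becomes index register X
    x = b
    slot = JUMP_TABLE_BASE + x            # jmp 509Ch, X  (bank 3 -> 0x3509C)
    return slot, JUMP_TARGETS[x // 4]


def valid_cmd14_params():
    """Every parameter byte the checks above accept, in ascending order."""
    return [p for p in range(256) if cmd14_dispatch(p) is not None]


if __name__ == "__main__":
    for p in (0x40, 0x41, 0x42, 0x4B, 0x4C):
        print(f"TX: 14 {p:02X} -> {cmd14_dispatch(p)}")
```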
Post by dino2gnt on Apr 4, 2022 2:37:07 GMT
Do you have a list of all the Command 14 parameters? DRBReader only shows 42, 46, 48. I have a disassembly from piton that includes the rest, but is there a definitive source for that info I can reference? I don't want to make assumptions and have them turn out to be incorrect, especially because the code is different between the disassembly I'm using as a reference and the code I'm exploring.
Post by admin on Apr 4, 2022 6:28:52 GMT
Post by dino2gnt on Apr 4, 2022 13:55:02 GMT
This is why I'm confused about the definitions. We have
ROM:35882 ; ---------------------------------------------------------------------------
ROM:35882
ROM:35882 cmd14_0x42:              ; CODE XREF: ROM:350A4j
ROM:35882                 ldab    O2S_11, Z
ROM:35886                 bra     loc_35898
ROM:35888 ; ---------------------------------------------------------------------------
ROM:35888
ROM:35888 cmd14_0x48:              ; CODE XREF: ROM:350BCj
ROM:35888                 ldab    O2S_21, Z
ROM:3588C                 bra     loc_35898
ROM:3588E ; ---------------------------------------------------------------------------
ROM:3588E
ROM:3588E cmd14_0x4a:              ; CODE XREF: ROM:350C4j
ROM:3588E                 ldab    O2S_12, Z
ROM:35892                 bra     loc_35898
ROM:35894 ; ---------------------------------------------------------------------------
ROM:35894
ROM:35894 cmd14_0x4b:              ; CODE XREF: ROM:350C8j
ROM:35894                 ldab    O2S_22, Z
ROM:35898
ROM:35898 loc_35898:               ; CODE XREF: ROM:35886j
ROM:35898                                         ; ROM:3588Cj ...
ROM:35898                 ldaa    #0FFh
ROM:3589A                 cmpb    MAX_O2          ; 0x1E
ROM:3589E                 bhi     loc_358A8
ROM:358A0                 cmpb    MIN_O2          ; 0x12
ROM:358A4                 bhi     loc_358AA
ROM:358A6                 anda    #0A0h
ROM:358A8
ROM:358A8 loc_358A8:               ; CODE XREF: ROM:3589Ej
ROM:358A8                 anda    #0B1h
ROM:358AA
ROM:358AA loc_358AA:               ; CODE XREF: ROM:358A4j
ROM:358AA                 bra     WRITE_SCIDR
ROM:358AC ; ---------------------------------------------------------------------------
Makes sense, right? O2 sensor voltages from their memory locations.
And 14-40, which should be the MAP sensor, we read raw right off the ADC channel and return it:
ROM:35862 ; ---------------------------------------------------------------------------
ROM:35862
ROM:35862 cmd14_0x40:              ; CODE XREF: ROM:SCI_14_DATA_FUNCTIONSj
ROM:35862                 orp     #0E0h
ROM:35866                 clra
ROM:35868                 staa    ADCTL1
ROM:3586C
ROM:3586C loc_3586C:               ; CODE XREF: ROM:35870j
ROM:3586C                 lde     ADCSTAT
ROM:35870                 bpl     loc_3586C
ROM:35872                 ldaa    ADC_RJURR0
ROM:35876                 andp    #0FF1Fh
ROM:3587A                 bra     WRITE_SCIDR
But elsewhere in the code, looking at ADC reads, I see...
ROM:A6C0 loc_A6C0:                ; CODE XREF: ROM:A566j
ROM:A6C0                                         ; ROM:A57Ej ...
ROM:A6C0                 brclr   ADCSTAT, #80h, loc_A6C0
ROM:A6C6                 brset   unk_75E, Z, #2, loc_A6DE
ROM:A6CC                 ldab    ADC_RJURR0
ROM:A6D0                 stab    O2S_11, Z
ROM:A6D4                 ldab    ADC_RJURR1
ROM:A6D8                 stab    O2S_21, Z
ROM:A6DC                 bra     loc_A6FE
...the same memory address being updated by a read from ADC0. So is this MAP, or is it O2 Bank 1 Sensor 1 voltage?
Dino
Post by admin on Apr 4, 2022 14:20:27 GMT
It's all good, both code snippets are correct. ADCTL1 is set up differently when doing multi-channel ADC reading and when reading an individual ADC channel.
When the code does multiple readings in every loop:
ROM:A50C loc_A50C:                ; CODE XREF: sub_A4E6:loc_A4F8j
ROM:A50C                 ldaa    #24h
ROM:A50E
ROM:A50E loc_A50E:                ; CODE XREF: sub_A4E6+24j
ROM:A50E                 staa    ADCTL1
When reading MAP sensor on request:
ROM:35866                 clra
ROM:35868                 staa    ADCTL1
Post by dino2gnt on Apr 4, 2022 15:38:18 GMT
Okay, I think I superficially understand how this works, but reading the docs I can't quite wrap my head around it. I'll have to study this a while.
Thanks Daniel!
Post by Piton on Apr 4, 2022 15:47:23 GMT
ADC ONE. staa ADCTL1: Channel Selection (selects the HARDWARE pin for the ADC).
[CD:CA] 4 bits -> 16 channels.
Bits in this field select input channel or channels for A/D conversion. Conversion mode determines which channel or channels are selected for conversion and which result registers are used to store conversion results. Tables D-29 and D-30 contain a summary of the effects of ADCTL1 bits and fields.
Post by ayashiko on Oct 18, 2023 16:29:45 GMT
Attachment: 56041606AG.bin (256 KB)
Hello guys, I can't figure out how to properly load a file into IDA. JTEC 56041606AG: how do I define the registers correctly? I want to understand how to disable catalyst control errors.
Post by admin on Oct 20, 2023 9:23:36 GMT
1. Load a new binary file.
2. Select the "Motorola MC68HC16" processor (double click) and click OK.
3. Leave the memory organization settings as they are and click OK.
4. "IDA cannot identify entry point automatically": click OK.
The proper way to label registers and RAM offsets is to use Enumerations. Navigate to the "Enums" tab, hit the "Insert" key, name it "HC16REG_enum", select hexadecimal, click OK. Then put the cursor within the new enum and hit "N" to create new members. I attached the HC16 MCU register offsets. The rest of the RAM offsets are largely unknown, but Piton once shared his "56044563AI.i64" disassembly with lots of JTEC discoveries; do you have it? Do the same with a new enum "RAM_enum", where you put the names of variables stored in RAM. Now when you analyze the disassembled code you will come across expressions like this:
ldaa 0F5h, Z
Put the cursor somewhere within "0F5h" and hit the "M" key to bring up the enums. When there is a record with value 0xF5 it will allow renaming 0F5h to your custom name:
ldaa RAM_asdasd, Z
MCU registers are typically in the "7700h, Z" range. The rest point to RAM. Once you rename some stuff you can see all references to the name by hitting the "X" key. It makes searching easier. I don't know where to find the catalyst settings, though.
Attachments: hc16def.inc (6.95 KB)
Post by Piton on Oct 20, 2023 15:57:07 GMT
A man from a car service center. He writes about the "HP tuner" program, asking what bytes to change in the firmware to disable the catalyst.