Type: Posts; User: kur4o
I will have some time soon, and might do some disassembly for previous years. What needs to be done? Porting some switches from later bins to earlier should be pretty straightforward, when we have...
Something I have been waiting for a long time. Definitely will build a test rig and get the opportunity of blackbox logging.
Some help on the setup will be highly appreciated. I am in no hurry, a...
Speaking of blackbox logging and passive dumps of mode1 msg0 message, I just got that brilliant idea to use the built in mode7 schedule of dumping data on the bus. There are 16 slots that can dump...
I think some key-on sniff log will help much more. The key is calculated in the main code of pcm, but the ccm comm code is good covered that is hard to get any idea what it does.
I can try to...
I think ccm is just echoing the seed and not converting it to key for the pcm.
Maybe something in the ccm says theft is not good echo the seed, and pcm can't figure it and keeps polling ccm for...
Steveo can you run some pcm patch.
1b8e5
[26 0e] --> 01 01
I still suspect some theft loop. The ccm is not unlocked at just echo the key instead of calculating a key from pcm seed.
The...
Some initial theory how it works.
Pcm responds for 2 seconds with 0000 at reset. Maybe some time for initialization.
Ccm sends seed to pcm.
Pcm process seed and convert to key. Respond with...
I suspect theft communication is critical and before it got initialized ccm won't go over normal communication mode and will loop the pcm till handshake is good. Also at reset or ign on if modules are...
1983 seems related with vats communication between pcm and ccm.
0000 means theft not completed, and some initial timer expired.
FFFF means theft completed pcm unlocked
random data means there is...
THE ALDL COMM
RESERVED:F345 fcb $40 ; @ ; ALDL INSTUMENT PANEL 2 Y
RESERVED:F346 fcb $41 ; A
RESERVED:F347 fcb $80 ; À...
I looked at the ee code and when vin is updated, it is written straight with no eeprom registers involved. Might be unlocked on default.
And then updated in a loop with no delays or whatever....
Great work so far.
Adding tables to eeprom will be a matter of just changing table lookup address. so it will be a permanent setting. One drawback will be that writing bin will not update the...
Realtime tuning through eeprom tables is very good idea, but I doubt we can write there while engine is running.
We can write some unique identifier on each flash to manage version of bins. I will...
ffb0 = 7e f4 26 [jump to loc_f426]
Now I figured why it didn't work.
You need to execute here at ffb0. I was loading ffb0 as an index and the jump was to 7ef4 instead of loading f426 and jump...
I can get rpo codes from vin stored in the file, so it won't be an issue if there is a need to see the options.
Test 2
ldy 18 ce XXXX
ldab c6 YY
ldx off_ffb0 fe ff b0 update fix
jsr 0,x ad 00 fix
rtn 39
XXXX start address of read
some food for testing
Send in mode 6 download and execute.
ldaa #YY 86 YY
staa byte_fc 97 fc
ldy xxxx 18 ce XX XX
ldx off_ffb0 fe ff b0 update fix
jsr 0,x ...
I will make some test headers lately for experimentation. The way I see it custom mode 6 with jump to vector subroutine will read the bin in large chunks. It might be read fully without some data...
PPROG is cleared to zero at reset, and that's it. Only one subroutine uses it and it is triggered by oci1 at some timer interval.
I can confirm that the vector is there and is the same. It jumps to mode6 response that is not referenced in the main code.
In the response it will be [f1] [56+length of message] [06]. [0,y loop] I...
Some more food for the obscene scene.
from ee code
From ccm
When eeprom is copied to 7000 area it is also copied after that at 6xxx area. It is there where pcm add stuff and maybe later write to eeprom from there. & 7000 might be some area that survive more...
Don't take the addresses too much, since they might be valid only for 95 ccms. The 94 code is a little bit different and some of the data might be located at other places. There is also different...
Found some other stuff. Byte_70CA bit $01 if it is set you can enter m5 without pin set.
Stock is FE, I guess if changed to FF, you will enter m5.
Too bad at one point there is a check a 607c...
It is not that straightforward as writing to ram than it looks. There are some registers that need to be set, and the timing is critical.
We can borrow some code from ee, where it updates the...