
Thread: Corvette CCM Reverse Engineering Anyone?

  1. #166
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    i wrote this sub as a better way of accomplishing a series of single byte modifications to the EEPROM with minimal aldl overhead

    after this sub is in ram each instruction from flashhack need only contain: JMP subroutine_address value address

    it adheres to the standards of the datasheet - erase, delay 10 ms, write, delay 10 ms, compare, and loops if the write is incorrect

    i wrote it to be relocatable with no extended addressing except for the static upload addresses (first few lines) so should work for EE, the CCM, or any 68hcwhatever with onboard eeprom.

    .. it's also only 43 bytes so can be easily uploaded in a single mode 6 command

    Code:
            ; LOAD CONFIG:
    3C      ; PSHX  - save existing X register
    B6 $value_storage_loc ; LDAA xxxx - load value to program into A
    FE $address_storage_loc ; LDX xxxx - load eeprom offset to program into X
    
            ; ERASE:
    C6 16   ; LDAB 0x16 - program mode ELAT/BYTE/ERASE
    8D 0A   ; BSR +10  - call program subroutine
    
            ; PROGRAM:
    C6 02   ; LDAB 0x02 - program mode ELAT
    8D 06   ; BSR +6  - call program subroutine
    
            ; VERIFY:
    A1 00   ; CMPA,X - compare A (value) with memory at X (destination)
    26 F4   ; BNE -12 (to ERASE) if compare fails.
    
            ; COMPLETE:
    38      ; PULX  - restore X register
    39      ; RTS return
            
            ; PROGRAM (start subroutine)
    F7 103B ; STAB 0x103B  - set eeprom control register from B
    A7 00   ; STAA,x  - store A (value) at X (location) (write byte)
    CA 01   ; ORAB 0x01 - set EPGM (bit 0) in B
    F7 103B ; STAB 0x103B  - set eeprom control register from B
    
            ; DELAY
    3C      ; PSHX - save X register
    CE 0D06 ; LDX 0xD06 - loop total exec time approx 10ms @ 2mhz clock (6 cycles in loop)
    09      ; DEX  - x--
    26 FD   ; BNE -3 > 0
    38      ; PULX  - restore X register
            ; COMPLETE
    7F 103B ; CLR eeprom control register
    
    39      ; RTS return
            ; PROGRAM (end subroutine)
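
    An added example (not steveo's or flashhack's code) that lays the 43 bytes out in order and resolves each BSR/BNE displacement to a label, a quick check for a hand-assembled relocatable routine before it is uploaded. The storage addresses 0x0050/0x0051 and the label SPIN are assumptions for illustration; the PROGRAM pass uses the 0x02 operand named in its comment and the final CLR targets 0x103B.

```python
# Added example: resolve the relative branches in the 43-byte routine.
# VALUE_LOC and ADDR_LOC are hypothetical upload addresses, not from the post.
VALUE_LOC, ADDR_LOC, PPROG = 0x0050, 0x0051, 0x103B

def w(addr):
    """Split a 16-bit address into big-endian bytes."""
    return [addr >> 8, addr & 0xFF]

# (label or None, instruction bytes), in the order listed in the post
ROUTINE = [
    ("LOAD",    [0x3C]),                 # PSHX
    (None,      [0xB6] + w(VALUE_LOC)),  # LDAA value
    (None,      [0xFE] + w(ADDR_LOC)),   # LDX  eeprom address
    ("ERASE",   [0xC6, 0x16]),           # LDAB BYTE|ERASE|ELAT
    (None,      [0x8D, 0x0A]),           # BSR
    (None,      [0xC6, 0x02]),           # LDAB ELAT
    (None,      [0x8D, 0x06]),           # BSR
    ("VERIFY",  [0xA1, 0x00]),           # CMPA 0,X
    (None,      [0x26, 0xF4]),           # BNE
    (None,      [0x38]), (None, [0x39]), # PULX, RTS
    ("PROGRAM", [0xF7] + w(PPROG)),      # STAB PPROG
    (None,      [0xA7, 0x00]),           # STAA 0,X
    (None,      [0xCA, 0x01]),           # ORAB #1
    (None,      [0xF7] + w(PPROG)),      # STAB PPROG
    (None,      [0x3C]),                 # PSHX
    (None,      [0xCE, 0x0D, 0x06]),     # LDX #$0D06
    ("SPIN",    [0x09]),                 # DEX
    (None,      [0x26, 0xFD]),           # BNE
    (None,      [0x38]),                 # PULX
    (None,      [0x7F] + w(PPROG)),      # CLR PPROG
    (None,      [0x39]),                 # RTS
]

def resolve():
    """Return (total length, [(branch offset, target label)])."""
    labels, branches, pc = {}, [], 0
    for label, code in ROUTINE:
        if label:
            labels[pc] = label
        if code[0] in (0x8D, 0x26):                 # BSR / BNE, 8-bit relative
            disp = code[1] - 256 if code[1] > 127 else code[1]
            branches.append((pc, pc + 2 + disp))
        pc += len(code)
    return pc, [(at, labels.get(tgt, hex(tgt))) for at, tgt in branches]

def delay_ms(count=0x0D06, cycles_per_pass=6, e_clock_hz=2_000_000):
    """Delay loop duration: DEX (3 cycles) + BNE (3 cycles) per pass."""
    return count * cycles_per_pass * 1000 / e_clock_hz
```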

  2. #167
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    i don't suppose anyone knows if the CCM has a COP watchdog enabled...? i guess i'll try to steal its config register once it's here. i forget what EE's COP config is set to too. don't want that really simple 10ms delay loop causing a reset.

  3. #168
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    Quote Originally Posted by kur4o View Post
    Test 2

    ldy 18 ce XXXX
    ldab c6 YY
    ldx off_ffb0 fe ff b0 update fix

    jsr 0,x ad 00 fix
    rtn 39

    XXXX start address of read
    YY length

    I am sure this one will work. Then we can work out how to make an echo message of the upload.

    If you want mode 6 response with aa

    18 ce f4 9d c6 01 fe ff b0 ad 00 39
    kur4o i'm trying to figure out how this works so i can use it, can you help ?

    LDX loc_FFB0 ... the rom contains 0x7EF0 there, and then we jump there, but 0x7EF0 contains gibberish

    maybe i'm missing something

  4. #169
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    ffb0 = 7e f4 26 [jump to loc_f426]

    Now I figured why it didn't work.
    You need to execute here at ffb0. I was loading ffb0 as an index and the jump was to 7ef4 instead of loading f426 and jumping there.

    Current code may work if you change ffb0 with ffb1, or change it and make it execute at ffb0.

    You can try changing fe ff b0 to
    1. CE FF B0
    or
    2. FE FF B1
    Last edited by kur4o; 10-17-2021 at 11:03 AM.
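
    The LDX addressing-mode mix-up described in the post above, traced with a tiny opcode interpreter as an added example (not code from the thread). It assumes the payload is uploaded at a hypothetical RAM address 0x0100 and knows only the three ROM bytes quoted for ffb0.

```python
# Added example: trace where the upload's JSR 0,X lands for each LDX encoding.
ROM = {0xFFB0: 0x7E, 0xFFB1: 0xF4, 0xFFB2: 0x26}   # bytes quoted in post #169
LOAD_AT = 0x0100                                    # hypothetical RAM upload address

def landing(payload):
    """Run the payload until control leaves known memory; return (X, final PC)."""
    mem = dict(ROM)
    mem.update({LOAD_AT + i: b for i, b in enumerate(payload)})
    rd16 = lambda a: (mem[a] << 8) | mem[a + 1]
    pc, x = LOAD_AT, 0
    while pc in mem:
        op = mem[pc]
        if op == 0x18 and mem[pc + 1] == 0xCE:   # LDY #imm16 (Y not needed here)
            pc += 4
        elif op == 0xC6:                          # LDAB #imm8 (length byte)
            pc += 2
        elif op == 0xFE:                          # LDX ext: X = word stored AT operand
            x, pc = rd16(rd16(pc + 1)), pc + 3
        elif op == 0xCE:                          # LDX #imm: X = the operand itself
            x, pc = rd16(pc + 1), pc + 3
        elif op == 0xAD:                          # JSR off,X
            pc = (x + mem[pc + 1]) & 0xFFFF
        elif op == 0x7E:                          # JMP ext
            pc = rd16(pc + 1)
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {pc:04X}")
    return x, pc

BASE = "18 ce f4 9d c6 01 {} ad 00 39"            # payload from the quoted post

def variant(ldx):
    """Build the payload with a given 3-byte LDX encoding."""
    return bytes.fromhex(BASE.format(ldx))
```

    `landing(variant("fe ff b0"))` ends at 0x7EF4 (the opcode byte read as part of a pointer), while both suggested replacements end at 0xF426.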

  5. #170
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    makes sense thanks.

    i disassembled that aldl message routine too, i had overlooked it before

    im going to run some experiments writing the onboard eeprom on EE, wish me luck.

    if successful we could relocate some tables there for "quick tuning" that would be safer/faster

    my idea is to just write both eeproms as part of the regular flash procedure

    might also be possible to bake this code into EE itself so we can update eeprom values over aldl for some true realtime tuning (since we cant run mode 6 with engine running) but not sure if anyone would be interested in that.

  6. #171
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Realtime tuning through eeprom tables is a very good idea, but I doubt we can write there while engine is running.
    We can write some unique identifier on each flash to manage version of bins. I will think more about it how we can use it.

    I already did some patches that will allocate some tables to ram, main ones are ve and maf, but there is a lack of good interface to update it. It will be awesome if you make some better interface. Now you need to select single cell in a row/column and put a value.

  7. #172
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    im thinking updating it while running will work in theory but some trickery might be necessary

    if that doesn't work we can certainly have a good method for very quickly updating some relocated tables with zero risk without engine running. and those changes will be persistent

  8. #173
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    well, a bit of discovering my own bugs and i got this working really well on EE, and so it should only need a slight tweak to work with the CCM.

    still need to fully implement it so it reads/compares the bin, but it's really cool to be able to program stuff to the onboard eeprom of the ECM

    i think once we find a use case for it, WAY more cool than fixing a CCM, so this research has had a really positive side effect

    proof of concept:

    Code:
    DEBUG::Sending raw command: DEVICE=F4 COMMAND=2 DATA=0E90
    Got reply to command: DEVICE=F4 COMMAND=2 DATA=BEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEF

  9. #174
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Great work so far.

    Adding tables to eeprom will be a matter of just changing table lookup address. so it will be a permanent setting. One drawback will be that writing bin will not update the table only eeprom write will do it. Anyway some good interface will be needed for the table update.

  10. #175
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    Quote Originally Posted by kur4o View Post
    One drawback will be that writing bin will not update the table only eeprom write will do it. Anyway some good interface will be needed for the table update.
    that shouldn't be hard
    flashhack should only write what you change

  11. #176
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by steveo View Post
    makes sense thanks.

    i disassembled that aldl message routine too, i had overlooked it before
    Does this mean you know what the missing parts of the $41 message represent? Specifically what each of the bits in the two status bit bytes are referring to, and what the last several bytes represent? I assume the last several bytes have something to do with the automatic transmission since they're missing on $DA2 and don't appear to do anything on manual $EE cars.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  12. #177
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    52
    Posts
    883
    Really cool ideas.

    Quote Originally Posted by steveo View Post
    im thinking updating it while running will work in theory but some trickery might be necessary
    I like your thinking and don't intend to rain on your parade, but...

    Just "riffing", here are a few pitfalls I think you might run into in practice:

    1) When the PPROG register is not cleared i.e. during erase / programming, the datasheet seems to indicate the eeprom cannot be read just like ROM. What will happen? Test it and find out?

    2) Bad things could happen if during an erase + write procedure the PCM needs to read something from a cell of a relocated table for instance like spark advance, and does so immediately after an erase, but before the subsequent program (eeprom contains #$FF). Switching off the table relocation temporarily would remedy this and pitfall #1.

    3) I know almost nothing about how the two $EE programs work, but to draw a parallel to my diy-ltcc firmware I'm almost certain bad things would happen if you blocked the main loop for 10 ms (a write or erase cycle) while the engine was running. You'd need access to a timer / counter here to prevent holding up time-sensitive processing (aka starvation).

    All in all though, still not a bad idea in theory. I don't know what tables could functionally be relocated to eeprom, but tuning tables like VE and spark this way would certainly reduce the need for slower and slightly more hazardous flash erase + programming cycles. I use the qualifier "slightly" because it seems flashhack is nearly bullet and idiot proof.

    Edit: After some more tuning oriented thought, there are probably a half to nearly a dozen different constants that would be incredibly useful to have control over and would likely be extremely benign if fed transiently anomalous data. Injector flow constant, cylinder volume, prime pulsewidth multiplier, probably four or five I haven't thought about in two years. If easily relocated, those would be very useful for injector swaps and extreme VE / displacement changes.

  13. #178
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    i don't think we have to worry about anything reading from the eeprom while we are writing it, the big concern is interrupting things by 10 or 20 ms for sure. that delay probably needs to be reconciled and it might not be worth the effort. it could be done though. i do wonder what actually happens if you try to read while elat is set. i will experiment.
    i think just being able to tune things on the eeprom would be cool enough. we could be doing spark table updates in a few seconds.

  14. #179
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    Quote Originally Posted by NomakeWan View Post
    Does this mean you know what the missing parts of the $41 message represent? Specifically what each of the bits in the two status bit bytes are referring to, and what the last several bytes represent? I assume the last several bytes have something to do with the automatic transmission since they're missing on $DA2 and don't appear to do anything on manual $EE cars.
    no idea on the message contents. i bet kur4o knows where to find them in ee though. he knows the comms area pretty well.

  15. #180
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    does anyone have any arguments about bit level programming a probably flotox style eeprom

    for example we have FF and program it to AA, obviously okay, but how about an AA to a 00?

    my tests say okay but my hunch says "uncharted"

    im a bit more familiar with block flash rather than this old single byte stuff.
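
    An added example, not from the thread, for the skip-the-erase question: it assumes the usual EEPROM model in which erase sets a byte to 0xFF and a program pass can only clear bits, and plans the minimum passes per byte at 10 ms each. `plan_byte`, `apply` and `plan_table` are hypothetical helper names.

```python
# Added example: plan byte updates for an EEPROM whose cells erase to 0xFF
# and whose program pass can only clear bits (assumed model, see lead-in).
ERASED = 0xFF
STEP_MS = 10   # delay after each erase or program pass, as in post #166

def plan_byte(old, new):
    """Return the passes needed to turn `old` into `new`."""
    if old == new:
        return []                      # nothing to write
    if old & new == new:               # new only clears bits that are still 1
        return ["program"]
    return ["erase", "program"]        # some bit must go 0 -> 1

def apply(old, new, passes):
    """Simulate the cell: erase sets all bits, program ANDs the new value in."""
    cell = old
    for p in passes:
        cell = ERASED if p == "erase" else cell & new
    return cell

def plan_table(current, wanted):
    """Plan an update of a whole table; return (per-byte plan, total ms)."""
    plan, total = [], 0
    for offset, (old, new) in enumerate(zip(current, wanted)):
        passes = plan_byte(old, new)
        assert apply(old, new, passes) == new   # mirrors the routine's verify step
        if passes:
            plan.append((offset, passes))
            total += STEP_MS * len(passes)
    return plan, total
```

    Forcing a program-only pass where a bit must return to 1 leaves `old & new` in the cell (`apply(0xAA, 0x55, ["program"])` gives 0x00), which is the case the erase step and verify loop guard against.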
