Hi,
I have completed my look through the '96-7 Tside FLASH programming code & commented the operation. The comments are best efforts only, I hope they are of use to you.
Big thanks to kur4o for his help with the tricky bits.
-Tom
Hi,
I have completed my look through the '96-7 Tside FLASH programming code & commented the operation. The comments are best efforts only, I hope they are of use to you.
Big thanks to kur4o for his help with the tricky bits.
-Tom
Hi,
I have completed my look through the '96-7 Eside FLASH programming code & commented the operation. The comments are best efforts only, I hope they are of use to you. It is interesting to look at the Programming Exec which has a mode (upload $35) that is new to me. I am thinking to write code for the upload section, but first I am planning to test my theory on an easy way to unbrick.
I am posting the Tside again, this time with a correction where code was cut out.
-Tom
Nice work on the comments, much better to understand and complete.
Mode 35 is a built in mode for reading bin over odb2 port. Some of the earlier obd2 pcms have that built in the code, but later it got removed.
I need some confirmation....
Message format over aldl is [DEVICE ID] [LENGTH] [MODE] [MESSAGE …] [CHECKSUM]
for mode $06 and message $55, does this mean command in progress, not completed yet?
THX -Tom
yep, or in other words just to tell the tester 'wait until next message'
in practice, the only code that seems to use it is the erase routine (being the only code that could potentially run long enough to need it)
Some small progress to tell you about...
This morning I was able to download all the flash routines while in bootstrap mode. UnBrick is not yet alive, but showing signs of life. So far, just the ESide... still waiting for parts from china to get to the TSide, w a i t i n g & w a i t i n g
-Tom
Question regarding mode 6, I happened on an unusual fail. I wanted to execute code without download. That is, a transfer of 0 data, execute at the location. Please confirm if you agree or don't...
Consider a download & execute message of $F4 $57 $06 $00 $00 $AE
$F4 passes the test for valid device
$58 passes the length test (>$56)
$06 mode 6
$00 address h
$00 address l
$AE checksum
The routine assumes the download isn't 0 and writes the checksum as if it were data. Then decrements the count which will underflow. The next 256 characters sent will over-write. The 257th byte it gets will be interpreted as checksum and will likely fail and return to the main loop IF it has not been overwritten. Also possible that the 256 writes disturb ram used by this code and crash.
I think: All code that permits download should also include a test for this and prevent it.
Do I have this right?
-Tom
Bookmarks