Sure. What's a "clean dump," though? How is a clean dump different from the dumps of my 94 and 95 I already made? I want to make sure I get you guys what you need.Originally Posted by steveo
Sure. What's a "clean dump," though? How is a clean dump different from the dumps of my 94 and 95 I already made? I want to make sure I get you guys what you need.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
Test 2
ldy 18 ce XXXX
ldab c6 YY
ldx off_ffb0 fe ff b0 update fix
jsr 0,x ad 00 fix
rtn 39
XXXX start address of read
YY length
I am sure this one will work. Than we can work out how to make an echo message of the upload.
If you want mode 6 response with aa
18 ce f4 9d c6 01 fe ff b0 ad 00 39
Sorry. Again, please verify what I sent is what was intended.
Also, it has occurred to me I probably haven't uploaded a "clean" read either, but I'm getting an imagemagik runtime error when I try uploading. Will try to upload to my wp site later.Code:TX+F15605B4 RX+F15705AA09 TX+F16406600018CEF49DC601FEFFB0AD003974 RX+NO REPLY
Nevermind, I guess the upload worked regardless.
Last edited by spfautsch; 10-02-2021 at 02:23 AM.
kur4o i'm trying to figure out how this works so i can use it, can you help ?
LDX loc_FFB0 ... the rom contains 0x7EF0 there, and then we jump there, but 0x7EF0 contains gibberish
maybe i'm missing something
ffb0 = 7e f4 26 [jump to loc_f426]
Now I figured why it didn`t worked.
You need to execute here at ffbo. I was loading ffbo as an index and the jump was to 7ef4 instead of loading f426 and jump there.
Current code may work if you change ffb0 with ffb1, or change it and make it execute at ffb0.
You can try changing fe ff b0 to
1. CE FF B0
or
2. FE FF B1
Last edited by kur4o; 10-17-2021 at 11:03 AM.
makes sense thanks.
i disassembled that aldl message routine too, i had overlooked it before
im going to run some experiments writing the onboard eeprom on EE, wish me luck.
if successful we could relocate some tables there for "quick tuning" that would be safer/faster
my idea is to just write both eeproms as part of the regular flash procedure
might also be possible to bake this code into EE itself so we can update eeprom values over aldl for some true realtime tuning (since we cant run mode 6 with engine running) but not sure if anyone would be interested in that.
Realtime tuning through eeprom tables is very good idea, but I doubt we can write there while engine is running.
We can write some unique identifier on each flash to manage version of bins. I will think more about it how we can use it.
I already did some patches that will alocate some tables to ram, main ones are ve and maf, but there is a lack of good interface to update it. It will be awesome if you make some better interface. Now you need to select single cell in a row/column and put a value.
im thinking updating it while running will work im theory but some trickery might be necessary
if that doesn't work we can certainly have a good method for very quickly updating some relocated tables with zero risk without engine running. and those changes will be persistent
Does this mean you know what the missing parts of the $41 message represent? Specifically what each of the bits in the two status bit bytes are referring to, and what the last several bytes represent? I assume the last several bytes have something to do with the automatic transmission since they're missing on $DA2 and don't appear to do anything on manual $EE cars.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
no idea on the message contents. i bet kur4o knows where to find them in ee though. he knows the comms area pretty well.
yeah, those
i don't have them, can you remind me where you posted them ?
steveo it's over in the flashhack thread [link].
I'm at the office today so won't be able to test anything until this evening.
I didn't mean to make it sound like I was checking out on the project. I do intend to build an .xdf for these. From what I've been able to gather, the 94-96 models are interchangeable. I might try buying a used one for a 90-91 and 92-93 just to verify the location of the reman pin.
I also intend to figure out the vats authentication so the key code can be read on the test bench. I suspect the unit wants to see the key in pin go off at the same time the two ign inputs go high before it checks the adc count. I just haven't taken the time to locate some dpdt switches and make some additional test leads.
I think I need to give some thought to whether to disclose the location or not. Frankly, it's pretty obvious and I'd hate to be the guy that started an avalanche of stupid. On the other hand I think as long as we omit the odometer from the .xdf that should raise the difficulty level enough to keep things sane. People should have to do some work if they want to enjoy the free stuff. What do you guys think?
I will make a suggestion on the write / erase routines steveo. There's so little that needs to be written and the eeprom block is so small, I'd suggest reading the whole thing to memory and diffing with the .bin, then only erasing / writing the necessary bytes. I know it complicates things, but I don't think we want to overwrite the erase counter on a used unit. Just my $0.02.
Edit: after thinking a bit more, it may make sense to only write $b600-$b66c (odometer), $b67f-$b6ca (oil life, vats, option bytes, lockout bit) and the VIN at $b7ef until we know more about what the 33 bytes at $b6cb are.
Last edited by spfautsch; 10-01-2021 at 11:40 PM.
NomakeWan maybe you have some idea on this. I started working on an .xdf and noticed that based on the location in the datastream definition, the C68 option is not set in any of these bins. That's when it occurred to me that these units have a dedicated input for rear defog request. Is it possible this option became irrelevant after 91 or 93?
The rear defog request hasn't changed between any of the years; it works the same way from 1990 all the way to 1996, and it works the same way regardless of C60 or C68.
My suggestion to you is to change the bit you think is C68, then check the idle datastream for $10 broadcast messages. That should be the only functional difference between a car with C60 and a car with C68 as far as the CCM is concerned. Now, if GM were really cheeky, then it wouldn't actually matter at all since there's no response to the $10 broadcast, but we'll see. I'm going to assume that all four BINs we have (my 94, my 95, your 95, your reman) all had C68. It was the most common RPO. So if we assume that, then it's safe to assume that whatever the HVAC bit is set to is the correct setting for C68, and so the opposite bit must be C60.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
Any idea if the C68 programmer responds to anything? I seem to recall you telling me it wasn't attached to the aldl, but my 95 fsm show pins 9 & 10 connecting to the bus.
I'll try to do some experimenting later today or tomorrow. My plan today is pulling both of the climate control pieces out to replace the caps and bulbs. I'd like to go out and put some miles on the CCM just for fun, but it's raining so I might as well get this done.
Here's a "clean" dump of the reman ccm. Well, sort of clean - I forgot to erase the doodles I wrote to the unused FF bytes.
Posting Permissions
Reply With Quote
Bookmarks