Post Info TOPIC: Basics of reading ECU code


Guru

Status: Offline
Posts: 963
Date:
Basics of reading ECU code


For those of you not familiar with reading assembly code in general or the 6816 processor used by the ECU in particular, I thought I would share some of the basics on reading the code that may help you get started.

First it is pretty obvious from all the redundant and wasteful code that the software was originally written and compiled from a higher level language. On the other hand the way it compiles means that it always does the same thing the same way.

Memory Mapping:
The CPU can map the ROM, RAM, etc to any addresses it likes. The ECU is mapped as follows.

Flash Bank 2 is ROM at 0000:0000 to 0000:7FFF.  This is where the operational software or code is located.
Flash Bank 1 is ROM at 0000:8000 to 0000:FFFF. This is where the map data is located.
RAM is 4096 bytes at 000E:0000 to 000E:0FFF. This is system RAM and stack memory area.
CPU hardware I/O registers are FFFF:0000 to FFFF:FFFF. This area is used to access the various hardware modules like CTM, ADC, SICA etc.

Indexed Addressing:
Almost all the memory locations are accessed through the index registers X, Y, and Z. In other words to access a memory location you must first point a register to the memory.

The Z register is always used for RAM. The extended Z register is always set to 0E making Z = 000E:0000. When accessing a RAM location the compiler always uses the Z offset. For example to load the data at RAM location 000E:0060 into accumulator A you will see

ldaa    60h, Z

The effective address is 60h + 000E:0000

The Y register is almost always used to access I/O memory. BTW the 0F extended address mirrors to FFFF so setting the Y extended register to 0F sets the effective Y to FFFF:0000

For example if the compiler needs to access the PortA I/O port data register located at FFFF:FA0A the compiler would write the following code

ldab    #0Fh
tbyk                ;sets extended Y to 0F, Y=FFFF:0000
ldy     #0FA00h     ;set Y to FA00, Y = FFFF:FA00
ldd     0Ah, Y      ;load accumulator D from Y + 0Ah, effective address FFFF:FA0A

So if you wanted to find what code turned on and off coil 1 which is driven by cpu pin 5 you would first look up pin 5 in the data sheet and see it is CTM10A. Looking up CTM10A you find its data register address is FFFF:F952. But to find it in the code you would search for value 52h, not F952 or FFFFF952.

Once you find all the occurrences of 52h, find the 52h, Y and then check up the code to make sure the last load Y was F900.

The X register is many times used for accessing MAP data. Its extended address is usually 00 setting X to 0000:0000. Anytime you see X pointing above 8000h it is usually pointing at map data.  Example

ldab    #0
tbxk                ;set extended X to 00, X=0000:0000
ldx     #8026h      ;set X= 8026, X=0000:8026
ldaa    0, X        ;load accumulator A with map data from address 0000:8026

Hope that helps a little. I'll post more later. Don't want to make the post too big.




__________________


Veteran Member

Status: Offline
Posts: 74
Date:



-- Edited by ffaspector on Saturday 17th of October 2009 11:11:03 AM

__________________
pad


Member

Status: Offline
Posts: 12
Date:

Any tips on the ADC?
I'm looking at AN5/PADA5, the gear position input, and need a hand
getting started with understanding how the ADC unit works.

Thanks



__________________


Guru

Status: Offline
Posts: 963
Date:

There is not a lot you need to know. What you're looking for is any read of the LJURR5 (left justified, unsigned results register for ADC5). It is a 16 bit number that represents a voltage between 0 and 5 volts. (LJURR5 / 65536) * 5 would equal the input voltage.

I'm not sure what version you're looking at but in the 32920-02FA0 ECU code there is only one line at 0x00001470 where that register is read.
It is saved to RAM location 0x210 which is saved to RAM location 0x5F as an 8 bit value.

At 0x000028FE in the code the gear value at 0x5F is compared to some map values and, depending on which ones it is between, sets a bit flag in RAM byte 0x10.

So for gear voltage Gv

Gv > 4.84V  then 0x10, bit0 set
4.84V > Gv > 4.51V  then 0x10 bit6 set
4.51V > Gv > 4.00V  then 0x10 bit5 set
4.00V > Gv > 3.32V  then 0x10 bit4 set
3.32V > Gv > 2.62V  then 0x10 bit3 set
2.26V > Gv > 2.01V  then 0x10 bit2 set
2.01V > Gv > 0.86V  then 0x10 bit1 set
Gv < 0.86 then 0x10 bit 6 set


In all the other versions of Denso software I've seen bit0 is neutral, bit1 gear 1, etc.

You can see an example of loading different map pointers depending on the value of 0x10 at 0x000033A2

__________________


Veteran Member

Status: Offline
Posts: 74
Date:



-- Edited by ffaspector on Saturday 17th of October 2009 11:10:52 AM

__________________


Guru

Status: Offline
Posts: 963
Date:

Well the PB0 should be easy to find. Just search the MC68HC16R1UM.pdf for PB0 and start checking the found items from the bottom of the list up.

BTW PB is at address FFA0B. (pg 314)

Remember however that the software will load the Y extended register with 0x0F, then load Y with FA00 and then actually access the port as 0B, Y. If you search for FA0B you won't find it in the code.

Also input ports like PB are debounced and then saved in a RAM address. The ram address is then tested exclusively for map select, starter button, clutch etc.

For the -02FA0 version at least, it looks like ram location E000E is the debounced portB address. So to find where the clutch PB0 is tested in the code search for

0Eh, Z, #1




__________________
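The search procedure from the first post (find `52h, Y`, then confirm the last load of Y) and from the PB0 reply above, as an added example that is not part of the thread or any poster's code: a Python pass over a disassembly listing that tracks the last `tbxk`/`tbyk`/`tbzk` and `ldx`/`ldy`/`ldz` immediates and resolves each indexed operand to its 20-bit address. The listing is constructed, the function names are hypothetical, and it assumes straight-line code with the Z extension fixed at 0E as the first post states.

```python
import re

# Constructed listing in the thread's disassembly syntax (not from a real ROM).
SAMPLE = """\
ldab    #0Fh
tbyk
ldy     #0F900h
ldd     52h, Y
ldy     #0FA00h
ldaa    0Bh, Y
ldaa    52h, Z
ldab    #0
tbxk
ldx     #8026h
ldaa    0, X
"""

def num(tok):  # '#0F900h' and '52h' are hex (trailing h), '0' is decimal
    tok = tok.lstrip("#")
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok)

def resolve(listing, z_bank=0x0E):
    """Return (line_no, text, 20-bit address) for every 'offset, X|Y|Z' operand."""
    bank = {"X": 0, "Y": 0, "Z": z_bank}  # assumption: ZK is 0E, per the post
    base = {"X": 0, "Y": 0, "Z": 0}
    b_acc, hits = 0, []
    for n, line in enumerate(listing.splitlines(), 1):
        # Drop the ';' comment, then split mnemonic from operands (pad if none).
        parts = (line.split(";")[0].split(None, 1) + ["", ""])[:2]
        op, args = parts[0].lower(), parts[1].strip()
        if op == "ldab" and args.startswith("#"):
            b_acc = num(args)                      # value a later tb?k will copy
        elif op in ("tbxk", "tbyk", "tbzk"):
            bank[op[2].upper()] = b_acc & 0xF      # extension register is 4 bits
        elif op in ("ldx", "ldy", "ldz") and args.startswith("#"):
            base[op[2].upper()] = num(args) & 0xFFFF
        else:
            m = re.search(r"(\w+)\s*,\s*([XYZ])\b", args)
            if m:                                  # linear scan: branches ignored
                reg = m.group(2)
                ea = ((bank[reg] << 16) | base[reg]) + num(m.group(1))
                hits.append((n, f"{op} {args}", ea & 0xFFFFF))
    return hits

def find_accesses(listing, target):
    """Line numbers whose indexed operand resolves to the target address."""
    return [n for n, _, ea in resolve(listing) if ea == target]

print([f"{n}:{ea:05X}" for n, _, ea in resolve(SAMPLE)])
```

Searching the sample for 0xFF952 (CTM10A) returns only the `52h, Y` line; the `52h, Z` line resolves to RAM at 0xE0052 and is rejected, which is the manual check the first post describes.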


Veteran Member

Status: Offline
Posts: 74
Date:



-- Edited by ffaspector on Saturday 17th of October 2009 11:10:33 AM

__________________


Member

Status: Offline
Posts: 12
Date:

Hi PROs,

do you have a starting point for the TLS ECU too?
Do you guys know which type of 68HC11 the TLS ECU has in fact?
(I read that it might be a 68HC11K type, but which exactly ?)

Thanks in advance !!!

Balze

__________________