patch method demo
05-21-2002 | 09:56 AM
#1
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
patch method demo
Note: the patches listed in this thread only work with the early '8746 $61 mask. These are the rev_limit and the forced knock patches.
The patches work with the ANLU and ANTT BCCs. And probably others in that series.
The patches do not work with the AX series of BINs. This includes AXKT, AXKS, AXKU, and AXKW. And proabably others.
This purpose of this post is to demonstrate an easy method
of creating, applying and releasing code patches. The tools
used are in the attached zip file. The author of the S19_PAT
utility has released that tool into the public domain.
The AS11 assembler is a freebie from Motorola.
For this demonstration a patch will be created to change the
TBI '8746 ECM speed limiter into an RPM limiter (rev-limiter).
According to the hac of the 1228746 code the speed limiter
is located within the EPROM. This allows it to be changed
easily. Hac may be found at:
http://www.diy-efi.org/gmecm/ecm_info/1228746/8746.dsm
Here are the two speed limit parameters. For the patch
they will become RPM limits. (Note that the restore/kill
labels are reversed).
LD261: FCB 255 ; min mph threshold to restore fuel
LD262: FCB 255 ; max mph threshold to kill fuel
This is the original code:
In order to change this routine to a rev-limiter one
instruction is required to be changed. The compare
of the MPH threshold to the MPH variable at the LD6F3
label.
This needs to be changed so that the threshold is
compared to the RPM variable instead. Change this:
LD6F3: CMPB L0030 ; mph / 1, filtered
To this:
LD6F3: CMPB $1B ; rpm / 25
This is so the assembler knows to use RAM variable
location $1B. Could also define L001B, the above is
just easier.
The two data locations get changed as such:
Note that the RPM threshold is divided by 25 and placed
into the data area. Also note that the maximum RPM
is 6375. If a rev-limit higher then 6375 is desired a
different method is required.
The actual patch looks like this:
The 'OPT l' tells the assembler to create a listing. The
'ORG $D261' tells the assembler the address of the code.
The command line to assemble is:
AS11 REV.ASM
The listing will be output to the screen. The key is another
file is created: an S19 file. This file: REV.S19, contains
the patch information. The S19_PAT utility reads this S19
file and applies the code changes to the BIN file.
To apply the patch use this command line:
S19_PAT REV.S19 0xD000 file.bin
The '0xD000' is the EPROM start address once it is in the ECM.
For a TPI SD system ('730), this value would be 0x8000
(And no, don't apply this patch to a TPI SD system!).
The 'file.bin' is the EPROM image (bin file) that is going to
be patched. This should be a copy of your latest cal.
Once the patch is applied recalculate and update the checksum.
Burn a new EPROM and test it out. You may want to set the
limits to a lower value such as 2400 RPM. You can then test the
patch in the security of your own driveway.
If you want to change the rev-limit settings any bin editor
may be used. Pull up the speed limit locations, divide the
desired RPM by 25 and use that as the mph limit.
Files included in the attached zip:
AS11.EXE assembler
S19_PAT.EXE patch utility
REV.ASM source for rev limiter patch
REV.S19 s19 file of rev limiter patch
REV.TXT contents of this post
In order to distribute a patch include the source code and the
S19 file. Also include a text file with a description of the
patch and what it does.
RBob.
The patches work with the ANLU and ANTT BCCs. And probably others in that series.
The patches do not work with the AX series of BINs. This includes AXKT, AXKS, AXKU, and AXKW. And proabably others.
This purpose of this post is to demonstrate an easy method
of creating, applying and releasing code patches. The tools
used are in the attached zip file. The author of the S19_PAT
utility has released that tool into the public domain.
The AS11 assembler is a freebie from Motorola.
For this demonstration a patch will be created to change the
TBI '8746 ECM speed limiter into an RPM limiter (rev-limiter).
According to the hac of the 1228746 code the speed limiter
is located within the EPROM. This allows it to be changed
easily. Hac may be found at:
http://www.diy-efi.org/gmecm/ecm_info/1228746/8746.dsm
Here are the two speed limit parameters. For the patch
they will become RPM limits. (Note that the restore/kill
labels are reversed).
LD261: FCB 255 ; min mph threshold to restore fuel
LD262: FCB 255 ; max mph threshold to kill fuel
This is the original code:
Code:
;
; Check for high speed fuel shutoff
;
LDAB LD261 ; 255 mph
LDAA L000F ; status word
BITA #$01 ; fuel kill bit, 1 == in kill
BEQ LD6F3 ; bra if b0 == 0
;
DEC L000F ; set b0 to 0
LDAB LD262 ; 255 mph
;
LD6F3: CMPB L0030 ; mph / 1, filtered
BHI LD6FD ; bra if thres > current mph, all OK
INC L000F ; set b0 of L000F to 1
JMP LD874 ; kill engine
LD6FD: instruction is required to be changed. The compare
of the MPH threshold to the MPH variable at the LD6F3
label.
This needs to be changed so that the threshold is
compared to the RPM variable instead. Change this:
LD6F3: CMPB L0030 ; mph / 1, filtered
To this:
LD6F3: CMPB $1B ; rpm / 25
This is so the assembler knows to use RAM variable
location $1B. Could also define L001B, the above is
just easier.
The two data locations get changed as such:
Code:
LD261: FCB 240 ; 6000 rpm, min rpm to kill fuel LD262: FCB 236 ; 5900 rpm, max rpm to restore fuel
into the data area. Also note that the maximum RPM
is 6375. If a rev-limit higher then 6375 is desired a
different method is required.
The actual patch looks like this:
Code:
; ----------------------
OPT l
ORG $D261
LD261: FCB 240 ; 6000 rpm, rpm / 25 to kill fuel
LD262: FCB 236 ; 5900 rpm, rpm / 25 to resume fuel
;
; Check for high speed fuel shutoff
;
ORG $D6F3
CMPB $1B ; rpm / 25 variable
; ---------------------- 'ORG $D261' tells the assembler the address of the code.
The command line to assemble is:
AS11 REV.ASM
The listing will be output to the screen. The key is another
file is created: an S19 file. This file: REV.S19, contains
the patch information. The S19_PAT utility reads this S19
file and applies the code changes to the BIN file.
To apply the patch use this command line:
S19_PAT REV.S19 0xD000 file.bin
The '0xD000' is the EPROM start address once it is in the ECM.
For a TPI SD system ('730), this value would be 0x8000
(And no, don't apply this patch to a TPI SD system!).
The 'file.bin' is the EPROM image (bin file) that is going to
be patched. This should be a copy of your latest cal.
Once the patch is applied recalculate and update the checksum.
Burn a new EPROM and test it out. You may want to set the
limits to a lower value such as 2400 RPM. You can then test the
patch in the security of your own driveway.
If you want to change the rev-limit settings any bin editor
may be used. Pull up the speed limit locations, divide the
desired RPM by 25 and use that as the mph limit.
Files included in the attached zip:
AS11.EXE assembler
S19_PAT.EXE patch utility
REV.ASM source for rev limiter patch
REV.S19 s19 file of rev limiter patch
REV.TXT contents of this post
In order to distribute a patch include the source code and the
S19 file. Also include a text file with a description of the
patch and what it does.
RBob.
Last edited by RBob; 07-01-2006 at 10:56 AM.
05-23-2002 | 12:14 PM
#4
Member
Joined: Jun 2000
Posts: 164
Likes: 0
From: Lake Havasu City, AZ
This cant be what it looks like can it? Is this a tool for changing the source code for the ecm? All we need now is some people who know how to write some new code and then its patches for everyone. Wohoo! I cant wait for the day we can download a patch to fix the 255g/s limit on maf cars and other cool fixes.
05-23-2002 | 01:27 PM
#5
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Yes, that is exactly what it is: a tool for applying patches
to bin files. Easy to use too.
For one of my vehicles I've created a patch file. Instead of
modifying the bin or the source I have a assembly file that
contains the desired changes. Edit it, assemble it, apply it
to the stock bin, recalc the cksum and burn.
I just created the rev-limit patch to help with the demo.
Also seemed to be a useful change.
RBob.
to bin files. Easy to use too.
For one of my vehicles I've created a patch file. Instead of
modifying the bin or the source I have a assembly file that
contains the desired changes. Edit it, assemble it, apply it
to the stock bin, recalc the cksum and burn.
I just created the rev-limit patch to help with the demo.
Also seemed to be a useful change.
RBob.
05-23-2002 | 01:35 PM
#6
TGO Supporter
Joined: Jul 2000
Posts: 812
Likes: 1
Engine: 5.7L V8
Transmission: 700R4
Wow! Cool. I haven't had time to test it, but I'm sure I'll use it in the future. Have you mentioned this to the GMECM list? I haven't seen it in the emails.
Hehe, yeah, who wants a speed limiter. 
Originally posted by RBob
I just created the rev-limit patch to help with the demo.
Also seemed to be a useful change.
I just created the rev-limit patch to help with the demo.
Also seemed to be a useful change.
05-23-2002 | 02:09 PM
#7
Senior Member
Joined: May 2001
Posts: 502
Likes: 0
From: Hollywood, FL
Car: 78 Regal
Engine: 82 FBod LG4 305, 730 ECM
Transmission: M20
Axle/Gears: 4.10
Bob, I have a question for you if you don't mind answering. In the original code it is told to look at a value that is a number in dec which relates directly to mph. In the patch the rpm is looked up and then divided by 25. I can see that in plain writing but how in hex does the ecm know? Or more clearly, how does the instruction in the assembly turn into the hex code?
Trending Topics
05-23-2002 | 07:39 PM
#9
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Bob, I have a question for you if you
don't mind answering. In the original code it
is told to look at a value that is a number in dec
which relates directly to mph. In the patch the
rpm is looked up and then divided by 25. I can see
that in plain writing but how in hex does the
ecm know? Or more clearly, how does the
instruction in the assembly turn into the hex
code?
don't mind answering. In the original code it
is told to look at a value that is a number in dec
which relates directly to mph. In the patch the
rpm is looked up and then divided by 25. I can see
that in plain writing but how in hex does the
ecm know? Or more clearly, how does the
instruction in the assembly turn into the hex
code?
capable of various math functions. For example
both of these instructions produce the same
result:
LDAA #$80 ; load reg A
LDAA #128 ; load reg A
The '#' tells the assembler that it is an
immediate value (load that value). The "$"
tells the assembler that that value is in hex.
Otherwise it is decimal (as in the second line).
With $80 the same value as 128, reg A ends up
with the same value in it ($80 == 128).
Back to the demo patch, these two macros also
do the same thing:
FCB 236 ; 5900 RPM
FCB 5900/25 ; 5900 RPM
Can also be used in an instruction:
LDAA 236 ;
LDAA 5900/25 ;
Both times the end result is the value 236
decimal. Which the assembler will convert to $EC
and plug that into the bin. Note the listing:
E:\EFI\moto>as11 tst.asm
0001 OPT l
0002
0003 d000 ORG $D000
0004
0005
0006 d000 ec FCB 236
0007 d001 ec FCB 5900/25
0008
0009 d002 86 ec LDAA #236
0010 d004 86 ec LDAA #5900/25
0011
Number of errors 0
E:\EFI\moto>
The 'ec' in the above listing is the hex
equivilent(sp?) of 236.
RBob.
P.S. Can't seem to get the spacing correct. If
you can change the font to a fixed wisth it
will be easier to look at the lines of code.
05-23-2002 | 08:06 PM
#10
Senior Member
Joined: May 2001
Posts: 502
Likes: 0
From: Hollywood, FL
Car: 78 Regal
Engine: 82 FBod LG4 305, 730 ECM
Transmission: M20
Axle/Gears: 4.10
Sorry Bob, my bad. What I was asking was how the assembler was going to make 5900 into 236 when the value was 5900. I didn't look at L0001B which states rpm/25. I thought L0001B was rpm/1. Which brings us to something you said about a max rpm of 6375 (255*25). If we wanted to go higher, how would that be achieved? You said a different method could be used.
05-23-2002 | 08:37 PM
#11
Supreme Member
Joined: Jun 2000
Posts: 1,612
Likes: 0
From: the garage
Car: 84 SVO
Engine: Volvo headed 2.3T
Transmission: WCT5
Axle/Gears: 8.8" 3.73
thanks for the definitions/explainations, I am just starting to look into the code side of things and am not upto speed on all the lingo..been too long since I wrote in hex..like on a Apple 2C..
05-23-2002 | 09:01 PM
#12
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Originally posted by hectorsn
Sorry Bob, my bad. What I was asking was how the assembler was going to make 5900 into 236 when the value was 5900. I didn't look at L0001B which states rpm/25. I thought L0001B was rpm/1. Which brings us to something you said about a max rpm of 6375 (255*25). If we wanted to go higher, how would that be achieved? You said a different method could be used.
Sorry Bob, my bad. What I was asking was how the assembler was going to make 5900 into 236 when the value was 5900. I didn't look at L0001B which states rpm/25. I thought L0001B was rpm/1. Which brings us to something you said about a max rpm of 6375 (255*25). If we wanted to go higher, how would that be achieved? You said a different method could be used.
variable that contains the amount of time between
DRP's. Using this variable RPM may be measured
into the 9K RPM range (w/reasonable accuracy).
Due to the use of 16 bit (2 byte) instructions
it would not fit within the same code space as
the example given.
RBob.
05-23-2002 | 09:05 PM
#13
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Originally posted by SATURN5
thanks for the definitions/explainations, I am just starting to look into the code side of things and am not upto speed on all the lingo..been too long since I wrote in hex..like on a Apple 2C..
thanks for the definitions/explainations, I am just starting to look into the code side of things and am not upto speed on all the lingo..been too long since I wrote in hex..like on a Apple 2C..
will help immensely. The most important item is
to understand how u-procs operate. Then it is
a matter of understanding the particular op-codes
for the u-proc in use.
DEC systems had op-codes that would auto-decrement
and auto-increment an index register. No-can-do
on the C3/P4 ECM u-procs.
RBob.
05-23-2002 | 10:47 PM
#14
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
WOW, finally some more insite on this board.
I know Grumpy isn't taking any internships but what about you Rob? I hope to see you guys this weekend.
I'll reply more to this post but I've got work in the morning and saving up for a 6 speed swap isn't cheap
.
I know Grumpy isn't taking any internships but what about you Rob? I hope to see you guys this weekend.
I'll reply more to this post but I've got work in the morning and saving up for a 6 speed swap isn't cheap
.
05-24-2002 | 08:09 PM
#15
Member
Joined: Apr 2001
Posts: 171
Likes: 0
Originally posted by RBob
P.S. Can't seem to get the spacing correct. If
you can change the font to a fixed wisth it
will be easier to look at the lines of code.
P.S. Can't seem to get the spacing correct. If
you can change the font to a fixed wisth it
will be easier to look at the lines of code.
(code) Enter text or paste text here (/code)
Change the "(" and ")" to "[" and "]"
It will look like this:
Code:
E:\EFI\moto>as11 tst.asm 0001 OPT l 0002 0003 d000 ORG $D000 0004 0005 0006 d000 ec FCB 236 0007 d001 ec FCB 5900/25 0008 0009 d002 86 ec LDAA #236 0010 d004 86 ec LDAA #5900/25 0011 Number of errors 0 E:\EFI\moto> The 'ec' in the above listing is the hex equivilent(sp?) of 236. Note: This was posted by RBob
-Matt-
05-26-2002 | 01:12 PM
#16
Senior Member
Joined: May 2001
Posts: 502
Likes: 0
From: Hollywood, FL
Car: 78 Regal
Engine: 82 FBod LG4 305, 730 ECM
Transmission: M20
Axle/Gears: 4.10
OK, so I've been looking at the ANHT hac and it shows a rev limiter in the code. Problem is it shows a higher fuel return than a fuel cutoff in the stock bin. I tried looking through the hac but could only find one entry for fuel cutoff and it is this:
; FUEL CUT OFF
;
LDX #$83F4 ; MPH FOR FUEL CUT OFF
LDAA L0081 ; FILT MPH
;
BRCLR L0046,#$40,LE93B ; BR IF NOT b6, o2 RICH
; ... else
LDX #$83F7 ; MPH FOR FUEL BACK ON
;
LE93B: BCLR L0046,#$40 ; CLR b6, o2 RICH
;
CMPA 0,X ; MPH GT THRESH
BHI LE949 ; BR IF YES
; ... else
LDD L00B3 ; CURRENT MNR LOOP DRP PERIOD
CPD 1,X ; RPM GT THRESH
BCC LE953 ; BR IF NOT
; .... else
LE949: BSET L0046,#$40 ; SET b6, o2 RICH
;
;------------------------
; ZERO BPW IF VATS FAIL
; ZERO BPW IF IGN OFF
; ZERO BPW IF DECEL C/O
;-----------------------
Now, the only thing I see there pertaining to rpm doesn't make sense to me, not that I understand code but it doens't go in tune with the mph limiter. Is this the RAM DRP variable you referred to? Funny thing is that it shows a double byte value (I don't know if that means it's 16 bit) at the parameter value:
;---------------------------------------
; FUEL CUT OFF/ON PARAMS
;---------------------------------------
L83F4: FCB 255 ; 255 MPH FUEL CUT OFF
L83F5: FDB 0098 ; 9080 RPM FUEL CUT OFF
;
L83F7: FCB 254 ; 254 MPH FUEL RETURN
L83F9: FDB 0103 ; 9544 RPM FUEL RETURN
Isn't that what FDB means? It's not really 16 bit but does use two byte words? Does the rpm limiter work in the 8D as is? Sorry if this has been covered before.
Oh, and where can I find the addresses like L0081? Are this RAM values? Is there a listing of these somewhere?
; FUEL CUT OFF
;
LDX #$83F4 ; MPH FOR FUEL CUT OFF
LDAA L0081 ; FILT MPH
;
BRCLR L0046,#$40,LE93B ; BR IF NOT b6, o2 RICH
; ... else
LDX #$83F7 ; MPH FOR FUEL BACK ON
;
LE93B: BCLR L0046,#$40 ; CLR b6, o2 RICH
;
CMPA 0,X ; MPH GT THRESH
BHI LE949 ; BR IF YES
; ... else
LDD L00B3 ; CURRENT MNR LOOP DRP PERIOD
CPD 1,X ; RPM GT THRESH
BCC LE953 ; BR IF NOT
; .... else
LE949: BSET L0046,#$40 ; SET b6, o2 RICH
;
;------------------------
; ZERO BPW IF VATS FAIL
; ZERO BPW IF IGN OFF
; ZERO BPW IF DECEL C/O
;-----------------------
Now, the only thing I see there pertaining to rpm doesn't make sense to me, not that I understand code but it doens't go in tune with the mph limiter. Is this the RAM DRP variable you referred to? Funny thing is that it shows a double byte value (I don't know if that means it's 16 bit) at the parameter value:
;---------------------------------------
; FUEL CUT OFF/ON PARAMS
;---------------------------------------
L83F4: FCB 255 ; 255 MPH FUEL CUT OFF
L83F5: FDB 0098 ; 9080 RPM FUEL CUT OFF
;
L83F7: FCB 254 ; 254 MPH FUEL RETURN
L83F9: FDB 0103 ; 9544 RPM FUEL RETURN
Isn't that what FDB means? It's not really 16 bit but does use two byte words? Does the rpm limiter work in the 8D as is? Sorry if this has been covered before.
Oh, and where can I find the addresses like L0081? Are this RAM values? Is there a listing of these somewhere?
Last edited by hectorsn; 05-26-2002 at 01:15 PM.
05-27-2002 | 08:26 AM
#17
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
The DRP value is the number of 15.26 usec counts
between each plug firing. Hence it is the inverse
of the RPM.
The equation:
N = (65536 * 120) / (rpm * #cyl's)
It is a 16 bit value using 2 bytes (8 bits to a
byte). Note the code (cut from above).
(thank you Matt for the proper spacing).
The FDB is a double byte storage macro. The LDD
is a load double (both regs A & B are used). The
CPD is a compare with a double value.
Right off the storage requirements of the RPM
values is double over the original example. Yes,
the rev-limiter works in $8D.
The RAM locations need to be searched out in the
code hac. Need to look for STAA, STAB, STD
instructions to the location of interest and
see what is being placed there.
Oh, I think that one question you have is the use
of the X reg as an index. The X register is loaded
with the address of a parameter (not the
parameter value). It is then used to index to the
parameter of choice.
The above shows that. The 0,X and 1,X has the
0 & 1 being an offset from the address in X.
(Add X & the offset together for the end address).
RBob.
between each plug firing. Hence it is the inverse
of the RPM.
The equation:
N = (65536 * 120) / (rpm * #cyl's)
It is a 16 bit value using 2 bytes (8 bits to a
byte). Note the code (cut from above).
Code:
L83F5: FDB 0098 ; 9080 RPM FUEL CUT OFF
LDD L00B3 ; CURRENT MNR LOOP DRP PERIOD
CPD 1,X ; RPM GT THRESH The FDB is a double byte storage macro. The LDD
is a load double (both regs A & B are used). The
CPD is a compare with a double value.
Right off the storage requirements of the RPM
values is double over the original example. Yes,
the rev-limiter works in $8D.
The RAM locations need to be searched out in the
code hac. Need to look for STAA, STAB, STD
instructions to the location of interest and
see what is being placed there.
Oh, I think that one question you have is the use
of the X reg as an index. The X register is loaded
with the address of a parameter (not the
parameter value). It is then used to index to the
parameter of choice.
Code:
CMPA 0,X ; MPH GT THRESH
CPD 1,X ; RPM GT THRESH 0 & 1 being an offset from the address in X.
(Add X & the offset together for the end address).
RBob.
05-28-2002 | 02:15 AM
#19
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
Originally posted by Glenn91L98GTA
I am going to make this post "sticky" and eventually get around to "merging" it with a few of the other Source Code posts.
I am going to make this post "sticky" and eventually get around to "merging" it with a few of the other Source Code posts.
I've just noticed that there are a LOT of basic tuning questions mixed with a sprinkle of advanced stuff. As more and more people get into the source code, it's going to be an even larger gap between the average tuner and the guys that write their own code!, just a thought. Besides, I wouldn't spend any less time on a general tuning board than I would the advanced section only because there is probably not going to be as many advanced questions to scan through.
BTW, this source code doesn't look so bad now that I've actually sat down and read it a few hundred times
05-30-2002 | 10:56 PM
#20
Supreme Member
Joined: Jun 2000
Posts: 7,554
Likes: 1
From: In reality
Car: An Ol Buick
Engine: Vsick
Transmission: Janis Tranny Yank Converter
Originally posted by JPrevost
Good idea. This post REALLY helped spark more interest. BTW, this source code doesn't look so bad now that I've actually sat down and read it a few hundred times
Good idea. This post REALLY helped spark more interest. BTW, this source code doesn't look so bad now that I've actually sat down and read it a few hundred times
The GN has a bunch of new code, some code deleted, and some ignored now. It's like driving a 5 Spd now. No 3rd gear TCC stuff, it all off of the 4th gear switch. There is a TPS and coolant temp part to it.
Finally I have my MAT timing table all filled in, just can't wait to verify that.
So far I'd bet the ecm bench has saved over 50 hours of test driving the car. being able to verify things on the bench first is just necessary.
While the stock code is neat, it's just a beginning.
05-30-2002 | 11:29 PM
#21
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
My near future goals are to expand the VE table to a higher rpm for ****s and giggles, remove the adder table and EGR code, use the ecm to control the fan (off after a certain vehicle speed), and see what I can do with the VATS frequency info. Might be cool to have the rev limiter and speed limiter on a key that doesn't have the correct resistance. There is also the a/c input line that I have ideas about. Maybe something to do with car stereo being on = raise idle speed and nothing more.
I like the stock code but there is a lot of it that I don't need. There is also lots that I don't understand yet and so I don't want to even try to start from scratch like you are with your GN. I only have money for x amount of headache pills and I don't want to have to resort to alcohol.
Which Bob was it that I was talking to that had updated the 8746 hack? He had round glasses and seemed very genuine about helping me out with going through and fixing some of TunerCat's mistakes. He had modified the 7747 code for an application where he removed the adder table and just had one large VE table.
Bruce, I think I left my notbook at your place on Saturday. It's blue cover and has an expensive pen with my name carved on the side which is clipped onto the sprial bindings. If you find it please let me know so I can stop sweating over it. It's got a bunch of my brainstorming ideas, the cover is plastic, not standard cardboard, thanks.
I like the stock code but there is a lot of it that I don't need. There is also lots that I don't understand yet and so I don't want to even try to start from scratch like you are with your GN. I only have money for x amount of headache pills and I don't want to have to resort to alcohol
.Which Bob was it that I was talking to that had updated the 8746 hack? He had round glasses and seemed very genuine about helping me out with going through and fixing some of TunerCat's mistakes. He had modified the 7747 code for an application where he removed the adder table and just had one large VE table.
Bruce, I think I left my notbook at your place on Saturday. It's blue cover and has an expensive pen with my name carved on the side which is clipped onto the sprial bindings. If you find it please let me know so I can stop sweating over it. It's got a bunch of my brainstorming ideas, the cover is plastic, not standard cardboard, thanks.
05-31-2002 | 11:14 AM
#22
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Originally posted by JPrevost
Which Bob was it that I was talking to that had updated the 8746 hack? He had round glasses and seemed very genuine about helping me out with going through and fixing some of TunerCat's mistakes. He had modified the 7747 code for an application where he removed the adder table and just had one large VE table.
Which Bob was it that I was talking to that had updated the 8746 hack? He had round glasses and seemed very genuine about helping me out with going through and fixing some of TunerCat's mistakes. He had modified the 7747 code for an application where he removed the adder table and just had one large VE table.
RBob.
05-31-2002 | 02:46 PM
#23
Supreme Member
Joined: Jun 2000
Posts: 7,554
Likes: 1
From: In reality
Car: An Ol Buick
Engine: Vsick
Transmission: Janis Tranny Yank Converter
Originally posted by JPrevost
Bruce, I think I left my notbook at your place on Saturday. It's blue cover and has an expensive pen with my name carved on the side which is clipped onto the sprial bindings. If you find it please let me know so I can stop sweating over it. It's got a bunch of my brainstorming ideas, the cover is plastic, not standard cardboard, thanks.
Bruce, I think I left my notbook at your place on Saturday. It's blue cover and has an expensive pen with my name carved on the side which is clipped onto the sprial bindings. If you find it please let me know so I can stop sweating over it. It's got a bunch of my brainstorming ideas, the cover is plastic, not standard cardboard, thanks.
Ya there's a Blue notebook here, no appraisal on the pen.
Send me your addy.
06-05-2002 | 12:12 AM
#24
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
I'm looking to get rid of the second VE adder table and just have a larger main table that goes up to the 6400. It would just make things a little easier to look at if anything. Understandable that it won't make any difference in driving (since not much time is spent above 3200 cruising with a light pedal), but I just would like to have only 1 main table to play with. I don't have EGR so all that code can get trashed.
I also want to trash the air diverter code and use that output for a fan relay that has a speed threashold along with the "normal" temp on/off.
Lastly, I would like to know the basic steps of just removing code. For example, the cranking AFR vs startup coolant temp table. Scrap it, it seems to always like the values between 6.5 and 8 no matter what the temp. How does one go about removing that specific code?
I'd also like to know what assembler you guys are using, I remember Grumpy talking about it but I don't remember seeing an agreement. Pablo and I are helping each other better understand the 8746 code. Hopefully these darn puzzle pieces start to fall together and make more sence. Oh yeah, and where is the code that does the arithmatic? All I see is stuff like LDAA and LDAB (registers), BSA, and a bunch of other terms followed by a location. I understand what some of them do but I haven't been able to figure out how to "track" stuff like final pulse width. Timing on the other hand looks like it's not as complicated. AAHHHHH headache!!!! Help a guy out, sorry for all the questions and yes, I'm sure a lot of it is in the archives but could you give me a time period. 140mb of text is a LOT of reading material to just read through. Besides, this is sticky, rehashing old topics is common proceedure.
I also want to trash the air diverter code and use that output for a fan relay that has a speed threashold along with the "normal" temp on/off.
Lastly, I would like to know the basic steps of just removing code. For example, the cranking AFR vs startup coolant temp table. Scrap it, it seems to always like the values between 6.5 and 8 no matter what the temp. How does one go about removing that specific code?
I'd also like to know what assembler you guys are using, I remember Grumpy talking about it but I don't remember seeing an agreement. Pablo and I are helping each other better understand the 8746 code. Hopefully these darn puzzle pieces start to fall together and make more sence. Oh yeah, and where is the code that does the arithmatic? All I see is stuff like LDAA and LDAB (registers), BSA, and a bunch of other terms followed by a location. I understand what some of them do but I haven't been able to figure out how to "track" stuff like final pulse width. Timing on the other hand looks like it's not as complicated. AAHHHHH headache!!!! Help a guy out, sorry for all the questions and yes, I'm sure a lot of it is in the archives but could you give me a time period. 140mb of text is a LOT of reading material to just read through. Besides, this is sticky
, rehashing old topics is common proceedure.
06-05-2002 | 11:11 AM
#25
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
I'll answer a question at a reply.
I use two assemblers, AS11 and Dunfield's ASM11. The AS11
assembler is free and limited in its capability. It is good for
patch files and testing op-code and such.
The Dunfield XTools package is a purchased product ($50US). I
use it to assemble entire bins. It includes cross assemblers
for a bunch of different u-procs along with disassemblers.
see: www.dunfield.com
For beginners I highly recommend the patch method using the
AS11 assembler. It eliminates a lot of frustration in getting
an entire source to assemble into a usable bin. Not only that,
I still use a patch file for one of my vehicles.
Remember that both the '8746 & '7747 ECM have 2/3rd's of
the code in ROM. Unless converted to ROMless (tm by Grumpy)
you cannot change the code in ROM.
The area from $D000 through $DFFF is in EPROM. From $E000
through $FFFF is in ROM.
RBob.
I use two assemblers, AS11 and Dunfield's ASM11. The AS11
assembler is free and limited in its capability. It is good for
patch files and testing op-code and such.
The Dunfield XTools package is a purchased product ($50US). I
use it to assemble entire bins. It includes cross assemblers
for a bunch of different u-procs along with disassemblers.
see: www.dunfield.com
For beginners I highly recommend the patch method using the
AS11 assembler. It eliminates a lot of frustration in getting
an entire source to assemble into a usable bin. Not only that,
I still use a patch file for one of my vehicles.
Remember that both the '8746 & '7747 ECM have 2/3rd's of
the code in ROM. Unless converted to ROMless (tm by Grumpy)
you cannot change the code in ROM.
The area from $D000 through $DFFF is in EPROM. From $E000
through $FFFF is in ROM.
RBob.
06-05-2002 | 01:57 PM
#26
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
I understand the ROM and how all the actual code is stored on it while the eprom seems to only have stored values (FCB and FDB). The rom has all the EQU, load, store, and actual calculations in it. Wouldn't the only "correct" way to start programming in assembly be to remove the rom and replace it with an eprom or eeprom?
Where is the rom in the ecm? It looks like it's below the daughter board on the injector driver side of the mother board, but looks like there are 2.
Thanks for the advice on the assembler. Now if only there was a more complete description on the commands and what they do. Because I still don't see in the code, anywhere, that actually does any adding, subtracting, dividing (of FDB/16 bit), etc. I can only see the B__ commands which are branch for conditions and jump too commands. Then I understand the LDAA/LDAB, and STAA/STAB but everything else seems to be confusing me. Can somebody post a link to where ALL the code is described?
Where is the rom in the ecm? It looks like it's below the daughter board on the injector driver side of the mother board, but looks like there are 2.
Thanks for the advice on the assembler. Now if only there was a more complete description on the commands and what they do. Because I still don't see in the code, anywhere, that actually does any adding, subtracting, dividing (of FDB/16 bit), etc. I can only see the B__ commands which are branch for conditions and jump too commands. Then I understand the LDAA/LDAB, and STAA/STAB but everything else seems to be confusing me. Can somebody post a link to where ALL the code is described?
06-05-2002 | 02:09 PM
#27
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Math. This is accomplished using several methods. There are
the add/subtract (ADDx/SUBx), decrement/increment (DECx/INCx),
multiply (MUL), and shift (LSLx/LSRx) instructions.
There are also subroutines for operation with 16 bit values. This
is used in the BPW calculations:
This routine is called from several points in the program. Note the
JSR (jump and set return) to LFC05. The routine at LFC05 multiplies
the value in reg A (8 bit) by the value pointed to in reg X (16 bit), then
divides the result by 256. The result is left in regs A & B as a
16 bit value. As such the BPW is calculated as a 16 bit value.
The BPW at the injector is calculated as the number of 15.26usec
counts. If the BPW value is 1370, the BPW will be:
1370 * 15.26usec = 20906usec or 20.9msec
A common instruction will be the LSLA, logical shift left A. It has
the effect of multipling the the value in reg A by 2. Doubling it.
Two in a row is a multiply by 4:
LSLA ; A *= 2
LSLA ; A *= 2
This is used as it is faster then using the MUL instruction. The above
two LSLA will be 4 clock cycles while the MUL is 10. The MUL
instruction also requires the use of reg B. It is reg A * reg B with
the result in A & B (16 bits).
Note that the combined A & B regs are referred to as the D register.
LDD #1370
This will load the combined registers A & B with the value 1370.
RBob.
the add/subtract (ADDx/SUBx), decrement/increment (DECx/INCx),
multiply (MUL), and shift (LSLx/LSRx) instructions.
There are also subroutines for operation with 16 bit values. This
is used in the BPW calculations:
Code:
;----------------------------------------------- ; ; Subroutine to add to BPW ; ;----------------------------------------------- LD729: CE 00 AA LDX #$00AA ; point to sync bpw LD72C: BD FC 05 JSR LFC05 ; AB = (A x *X) / 256 LD72F: DD AA STD L00AA ; sync bpw LD731: 39 RTS ;
JSR (jump and set return) to LFC05. The routine at LFC05 multiplies
the value in reg A (8 bit) by the value pointed to in reg X (16 bit), then
divides the result by 256. The result is left in regs A & B as a
16 bit value. As such the BPW is calculated as a 16 bit value.
The BPW at the injector is calculated as the number of 15.26usec
counts. If the BPW value is 1370, the BPW will be:
1370 * 15.26usec = 20906usec or 20.9msec
A common instruction will be the LSLA, logical shift left A. It has
the effect of multipling the the value in reg A by 2. Doubling it.
Two in a row is a multiply by 4:
LSLA ; A *= 2
LSLA ; A *= 2
This is used as it is faster then using the MUL instruction. The above
two LSLA will be 4 clock cycles while the MUL is 10. The MUL
instruction also requires the use of reg B. It is reg A * reg B with
the result in A & B (16 bits).
Note that the combined A & B regs are referred to as the D register.
LDD #1370
This will load the combined registers A & B with the value 1370.
RBob.
Last edited by RBob; 06-05-2002 at 03:27 PM.
06-05-2002 | 02:14 PM
#28
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
The ROM should not be removed. Doing so will remove I/O, RAM
and other functionality. The ROM can be disabled. Grounding
the ROMENB line will turn off the ROM.
You need to get the Motorola 68HC11 reference manual. It is
on their site {someplace}. I have a link for it and will post it
later.
Once you have that manual print out the instruction set from
the appendix and throw the rest away. Note that the C3 ECMs
do not support all of the instructions found in the ref manual.
RBob.
and other functionality. The ROM can be disabled. Grounding
the ROMENB line will turn off the ROM.
You need to get the Motorola 68HC11 reference manual. It is
on their site {someplace}. I have a link for it and will post it
later.
Once you have that manual print out the instruction set from
the appendix and throw the rest away. Note that the C3 ECMs
do not support all of the instructions found in the ref manual.
RBob.
06-05-2002 | 03:25 PM
#29
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Link to reference manual:
http://e-www.motorola.com/brdata/PDF.../M68HC11RM.pdf
Note that it is ~6MB.
RBob.
http://e-www.motorola.com/brdata/PDF.../M68HC11RM.pdf
Note that it is ~6MB.
RBob.
06-13-2002 | 08:04 PM
#31
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
Okay, now that finals are done you'll be hearing a lot from me. I think I understand it now. I had to look at the actual LFC05 location in the hack to understand what you were saying.
So the run down of this subroutine would be; Store A into location L0049. Load reg X from acu A and B, Multiply by shift left of acu B (not sure what this shift does but I think there is an output of C that is either a 0 or a 1) then ADCA...I'm lost.
STAA loads the acu A with value at location L004A. LDAA loads acu A multiplied by acu B which happens to be at location L0049 and the output is stored into acu A at L0049, acu is cleared, not sure why this has to be a command but maybe it's necissary because of the command ADDD. Then returns to the code where it was called from.
I'm lost on what ADDD is and I have no idea what C or D is, it's hard enough understanding A and B along with X and Y. From the M68HC11MR file, ADDD is Operation: ACCD <- (ACCD) + (M : M + 1)
Description: Adds the contents of M concatenated with M + 1 to the contents of ACCD
and places the result in ACCD. Accumulator A corresponds to the
high-order half of the 16-bit double accumulator D.
If somebody would mind telling me what M is, I'd appreciate it. I know I'm all wrong with some of this logic but it's the best I can muster for right now. I should probably take a CIS class here at OSU next quarter. From what my roommate says, they use an emulator and program source code for the same motorola processor
Code:
;*================================================== ;* ;* 8 x 16 Multiply Routine ;* ;* AB = (A * *X) / 256 ;* ;* Enter With: ;* ;* A = op1 ;* X = address of op2 ;* ;* Exit With: ;* ;* AB = result ;* ;*================================================== LFC05: 97 49 STAA L0049 ; LFC07: E6 01 LDAB 1,X ; LFC09: 3D MUL ; LFC0A: 58 LSLB ; LFC0B: 89 00 ADCA #0 ; ; LFC0D: 97 4A STAA L004A ; LFC0F: A6 00 LDAA 0,X ; LFC11: D6 49 LDAB L0049 ; LFC13: 3D MUL ; LFC14: 97 49 STAA L0049 ; LFC16: 4F CLRA ; LFC17: D3 49 ADDD L0049 ; LFC19: 39 RTS ;
STAA loads the acu A with value at location L004A. LDAA loads acu A multiplied by acu B which happens to be at location L0049 and the output is stored into acu A at L0049, acu is cleared, not sure why this has to be a command but maybe it's necissary because of the command ADDD. Then returns to the code where it was called from.
I'm lost on what ADDD is and I have no idea what C or D is, it's hard enough understanding A and B along with X and Y. From the M68HC11MR file, ADDD is Operation: ACCD <- (ACCD) + (M : M + 1)
Description: Adds the contents of M concatenated with M + 1 to the contents of ACCD
and places the result in ACCD. Accumulator A corresponds to the
high-order half of the 16-bit double accumulator D.
If somebody would mind telling me what M is, I'd appreciate it. I know I'm all wrong with some of this logic but it's the best I can muster for right now. I should probably take a CIS class here at OSU next quarter. From what my roommate says, they use an emulator and program source code for the same motorola processor
06-13-2002 | 10:12 PM
#32
Senior Member
Joined: May 2001
Posts: 502
Likes: 0
From: Hollywood, FL
Car: 78 Regal
Engine: 82 FBod LG4 305, 730 ECM
Transmission: M20
Axle/Gears: 4.10
M is the hex location or address. M+1 is a 16 bit address and that's why it needs the D accumulator, which is a 16 bit acc to hold the value, which is actually just acca and accb. STAA means to store acca, and in this case with location (M) L0049. LDAB means to load accb with.... I have no idea what 1,x means. I think it means L0049 which is just above it. Which I guess means you are mult L0049 with L0049. I'll let Bob explain it since he actually knows what he's talking about. I'm just picking things up as days go by.
06-14-2002 | 10:54 AM
#33
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Before entering this routine the A reg is loaded with an 8 bit value. The X register
is loaded with the address of the 16 bit value. The 8 bit value is multiplied by the 16
bit value, divided by 256 and saved in the D reg (A&B).
It is important to understand that the X reg is pointing to the 16 bit value. It does
not contain the value itself, only the address of the value. (16 bits is 2 bytes).
D = (op1 * op2) / 256
An easy way to understand all of this is by running some numbers through it. Lets try
multiplying the values 112 by 1321. Convert to hex first: $70 and $529. If the routine
works the answer should be: $242, or 578 decimal. EQ: (112 * 1321) / 256 = 577.93 = $0242
Upon entry reg A = $70 and reg X points to $0529:
RBob.
is loaded with the address of the 16 bit value. The 8 bit value is multiplied by the 16
bit value, divided by 256 and saved in the D reg (A&B).
It is important to understand that the X reg is pointing to the 16 bit value. It does
not contain the value itself, only the address of the value. (16 bits is 2 bytes).
D = (op1 * op2) / 256
Code:
;*================================================== ;* ;* 8 x 16 Multiply Routine ;* ;* AB = (A * *X) / 256 ;* ;* Enter With: ;* ;* A = op1 ;* X = address of op2 ;* ;* Exit With: ;* ;* AB = result ;* ;*================================================== LFC05: 97 49 STAA L0049 ; save op1 in RAM ; LFC07: E6 01 LDAB 1,X ; Load the LSB of the 16 bit value (op2) ; into reg B. This is an indexed instruction. ; X being the pointer and the 1 an additional ; address offset to the 16 bit value. This ; only loads the right most byte of op2! ; LFC09: 3D MUL ; Multiply reg A by reg B, result in D (A&B) ; The routine is only going to use the upper or MSB of the NUL result. IOW only reg A. For ; greater accuracy reg A is going to be rounded up. LFC0A: 58 LSLB ; Shift left reg B once. This puts b7 of reg B ; into the carry flag. ; LFC0B: 89 00 ADCA #0 ; Now add the carry flag to reg A. Reg A is now ; rounded up. If reg B b7 was zero, no change is ; made to reg A. If reg B b7 was a one, then reg ; A has been incremented by one. ; LFC0D: 97 4A STAA L004A ; Save reg A in RAM location L004A. This forms ; the LSB of this routines result. ; LFC0F: A6 00 LDAA 0,X ; Load the MSB of the 16 bit value (op2) ; into reg A. Notice the index offset of 0. ; LFC11: D6 49 LDAB L0049 ; Load reg B with the original op1 value ; LFC13: 3D MUL ; multiply reg A by reg B, result in D (A&B) ; ; Note that address LFC0D (above) the result was stored in RAM location L004A. That and RAM ; location L0049 form a 16 bit value. LFC14: 97 49 STAA L0049 ; Save the MSB of the MUL result in RAM L0049 ; LFC16: 4F CLRA ; Clear reg A (make it zero) ; LFC17: D3 49 ADDD L0049 ; Add the 16 bit value from RAM L0049 & L004A ; into reg D (A & B). This is basically adding ; the LSB of the MUL result into the final result. ; LFC19: 39 RTS ; and done
An easy way to understand all of this is by running some numbers through it. Lets try
multiplying the values 112 by 1321. Convert to hex first: $70 and $529. If the routine
works the answer should be: $242, or 578 decimal. EQ: (112 * 1321) / 256 = 577.93 = $0242
Upon entry reg A = $70 and reg X points to $0529:
Code:
LFC05: 97 49 STAA L0049 ; L0049 = $70 ; LFC07: E6 01 LDAB 1,X ; B = $29 (only the LSB of $529!) ; LFC09: 3D MUL ; D = $70 * $29 = $11F0 (A = $11, B = $F0) LFC0A: 58 LSLB ; C flag = 1, since B = $F0 and b7 = 1 ; LFC0B: 89 00 ADCA #0 ; A = $12 ; LFC0D: 97 4A STAA L004A ; L004A = $12 ; LFC0F: A6 00 LDAA 0,X ; A = $05 (the MSB of $529) ; LFC11: D6 49 LDAB L0049 ; B = $70 (the original op1) ; LFC13: 3D MUL ; D = $05 * $70 = $230 (A = $02, B = $30) ; LFC14: 97 49 STAA L0049 ; L0049 = $02 ; LFC16: 4F CLRA ; A = 0 ; ; Now: A = 0, B = $30. L0049 = $02, L004A = $12 ; LFC17: D3 49 ADDD L0049 ; D = D + L0049, L004A = $0030 + $0212 = $242 (!!!!!) ; LFC19: 39 RTS ; and done
RBob.
09-05-2002 | 07:23 AM
#34
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Another patch for the '8746. This one too is being released in the patch format as shown in the first post of this thread. The most difficult part of developing this patch was finding a good location within the code for it. It replaces code that would never be used other then by GM.
The purpose of this patch is to eliminate the forced knock malfunction diagnostic test. The patch sets the status such that the ECM believes that the test has already been run successfully. Due to this there are no side effects.
The reason to eliminate the forced knock test is two fold. First is to prevent the forcing of detonation by the ECM. Second is in the case of a modified engine that will not detonate with this test. It prevents the DTC 43 from being set along with the subsequent loss of power.
By using this patch (as opposed to turning off the code 43 diagnostics), is that the run-away knock test is still executed. So, if a DTC 43 does show up it is due to run-away knock.
To apply the patch use the s19_pat utility from first post of thread. Update the checksum and go.
RBob.
Note that this patch only works on the early '8746 $61 mask code. Such as ANLU & ANTT. It does not work on the AX series such as AXKT, AXKW, and AXKU.
The purpose of this patch is to eliminate the forced knock malfunction diagnostic test. The patch sets the status such that the ECM believes that the test has already been run successfully. Due to this there are no side effects.
The reason to eliminate the forced knock test is two fold. First is to prevent the forcing of detonation by the ECM. Second is in the case of a modified engine that will not detonate with this test. It prevents the DTC 43 from being set along with the subsequent loss of power.
By using this patch (as opposed to turning off the code 43 diagnostics), is that the run-away knock test is still executed. So, if a DTC 43 does show up it is due to run-away knock.
To apply the patch use the s19_pat utility from first post of thread. Update the checksum and go.
RBob.
Note that this patch only works on the early '8746 $61 mask code. Such as ANLU & ANTT. It does not work on the AX series such as AXKT, AXKW, and AXKU.
Last edited by RBob; 07-01-2006 at 10:59 AM.
02-03-2003 | 03:55 PM
#35
Supreme Member
Joined: Jan 2003
Posts: 1,931
Likes: 1
From: Ontario, Canada
Car: 1989 IROC-Z
Engine: 5.7L EFI LTR setup
Transmission: T-5 World Class
Alright where the heck did you guys g oto school !?!?!?!!
All this computer lingo is WAY TO mUCH above me to learn .........
zTZ^(%$ ^%$)%*^ < --------- makes absolutly no sense to me so ........ what are my alternatives ..... keep in mind I need a custom prom for sure ....... no flameing here , just an honest Q
All this computer lingo is WAY TO mUCH above me to learn .........
zTZ^(%$ ^%$)%*^ < --------- makes absolutly no sense to me so ........ what are my alternatives ..... keep in mind I need a custom prom for sure ....... no flameing here , just an honest Q
02-03-2003 | 05:04 PM
#36
Senior Member
Joined: Oct 1999
Posts: 6,621
Likes: 2
Car: 91 Red Sled
Axle/Gears: 10bolt Richmond 3.73 Torsen
lol, you think this is where to start? bad idea, very bad idea.
This board is just like a university, there are lots of levels, some intro, some practical, others more of a doctorate. This is one of those high level classes. Pay no attention to these posts, it isn't something you need to get your car running well, it's for doing geeky things like adding a rev limiter or a shift light, or fan control to an ecm that doesn't normally control the fan.
It's rather simple, you get the burner which reads and writes to the eprom/eeprom/flash proms, sometimes if you're using the stock chips you need to get a UV light eraser. That way you can rewrite, but flash proms don't require an eraser, you can just flash over a new program and be ready in seconds. Obviously you've got a PC else you won't be reading this post. Use the winbin software to edit your binary files (images of your eprom calibration), save it with the same program, then burn it to a chip and go test it out. There is seriously nothing more too it except simple read the directions. There are LOTS of options to go about doing your own eproms. Some are exotic and not needed for the average Joe. A good example are the flash prom adaptors that Craig Moate's sells on his site. You don't need to have 8+ different calibrations ready at a switch, this is just an extra tuning tool used by guys like me that can't get enough of this higher level learning.
Oh, and since you asked, it's Ohio State University. Read the tuning papers over at www.diy-efi.org . They're for the 7747 but the idea is similar. Also, I highly recommend you either have a laptop or access to one. This way you can run either winaldl or Craig's software (depending on your ecm) to verify good changes. The cables aren't hard to build but if it seems too much there are guys that'll make the cables for you for a VERY reasonable cost. Just think about all the money you're saving since you're not spending in on the actual tuning software (winbin is freeware, forgot to mention).
Depending on your ecm you might want to consider TunerCat at www.tunercat.com , he's got great software that's idiot proof and more supported ecm's.
This board is just like a university, there are lots of levels, some intro, some practical, others more of a doctorate. This is one of those high level classes. Pay no attention to these posts, it isn't something you need to get your car running well, it's for doing geeky things like adding a rev limiter or a shift light, or fan control to an ecm that doesn't normally control the fan.
It's rather simple, you get the burner which reads and writes to the eprom/eeprom/flash proms, sometimes if you're using the stock chips you need to get a UV light eraser. That way you can rewrite, but flash proms don't require an eraser, you can just flash over a new program and be ready in seconds. Obviously you've got a PC else you won't be reading this post. Use the winbin software to edit your binary files (images of your eprom calibration), save it with the same program, then burn it to a chip and go test it out. There is seriously nothing more too it except simple read the directions. There are LOTS of options to go about doing your own eproms. Some are exotic and not needed for the average Joe. A good example are the flash prom adaptors that Craig Moate's sells on his site. You don't need to have 8+ different calibrations ready at a switch, this is just an extra tuning tool used by guys like me that can't get enough of this higher level learning.
Oh, and since you asked, it's Ohio State University. Read the tuning papers over at www.diy-efi.org . They're for the 7747 but the idea is similar. Also, I highly recommend you either have a laptop or access to one. This way you can run either winaldl or Craig's software (depending on your ecm) to verify good changes. The cables aren't hard to build but if it seems too much there are guys that'll make the cables for you for a VERY reasonable cost. Just think about all the money you're saving since you're not spending in on the actual tuning software (winbin is freeware, forgot to mention).
Depending on your ecm you might want to consider TunerCat at www.tunercat.com , he's got great software that's idiot proof and more supported ecm's.
06-20-2003 | 03:26 PM
#37
Moderator
Joined: Feb 2000
Posts: 7,015
Likes: 1
From: Schererville , IN
Car: 91 GTA, 91 Formula, 89 TTA
Engine: all 225+ RWHP
Transmission: all OD
Axle/Gears: Always the good ones
Been tinkering(very unsuccessfully) to rework some code and attempt a patch or 2. Im extremely clueless and make a giant mess of it when i get the urge to dabble... Im trying to do it using the PPII program and no having any luck......Can someone throw out a beginner help in plain jane english language on what code language i need to use and how exactly i pick the determined point etc and what i need to do to save it correctly?
thanks
Jeremy
thanks
Jeremy
06-20-2003 | 03:26 PM
#38
Moderator
Joined: Feb 2000
Posts: 7,015
Likes: 1
From: Schererville , IN
Car: 91 GTA, 91 Formula, 89 TTA
Engine: all 225+ RWHP
Transmission: all OD
Axle/Gears: Always the good ones
Been tinkering(very unsuccessfully) to rework some code and attempt a patch or 2. Im extremely clueless and make a giant mess of it when i get the urge to dabble... Im trying to do it using the PPII program and no having any luck......Can someone throw out a beginner help in plain jane english language on what code language i need to use and how exactly i pick the determined point etc and what i need to do to save it correctly?
thanks
Jeremy
thanks
Jeremy
06-21-2003 | 08:11 AM
#39
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Originally posted by 3.8TransAM
Been tinkering(very unsuccessfully) to rework some code and attempt a patch or 2. Im extremely clueless and make a giant mess of it when i get the urge to dabble... Im trying to do it using the PPII program and no having any luck......Can someone throw out a beginner help in plain jane english language on what code language i need to use and how exactly i pick the determined point etc and what i need to do to save it correctly?
thanks
Jeremy
Been tinkering(very unsuccessfully) to rework some code and attempt a patch or 2. Im extremely clueless and make a giant mess of it when i get the urge to dabble... Im trying to do it using the PPII program and no having any luck......Can someone throw out a beginner help in plain jane english language on what code language i need to use and how exactly i pick the determined point etc and what i need to do to save it correctly?
thanks
Jeremy
When using a hex editor to patch the code the location to patch is offset by the physical addressing of the hardware (the ECM). Looking at a hack you will notice that the code/data in the EPROM starts at address $8000 (for some, $C000 or $D000 for others, it varies). But, the EPROM starts at address $0. The offset ($8000, or $C000) needs to be subtracted from the physical address to get the EPROM address. So if you see soemthing like this:
Code:
LFC05: 97 49 STAA L0049 ; save op1 in RAM
Now the offset will vary, so be sure to get the correct offset address first.
I've never used a PP so I can't help there. The Hex Workshop is another utility that some people use. Of course don't forget to update the checksum once the patch has been implimented.
RBob.
06-22-2003 | 10:54 PM
#40
Moderator
Joined: Feb 2000
Posts: 7,015
Likes: 1
From: Schererville , IN
Car: 91 GTA, 91 Formula, 89 TTA
Engine: all 225+ RWHP
Transmission: all OD
Axle/Gears: Always the good ones
appreciate it rbob, this is going to take me awhile . your post did manage to get the litebulb dimmly glowing, think i at least see why i had such issues trying to identify where to make the actual change to edit the code.
2 more engine swaps and i can finally sit down and start plugging away in the code editing world. Trying to collect the basics so i can at least walk into not looking like a deer in headlites :-)
appreciated
Jeremy
2 more engine swaps and i can finally sit down and start plugging away in the code editing world. Trying to collect the basics so i can at least walk into not looking like a deer in headlites :-)
appreciated
Jeremy
02-09-2006 | 11:35 AM
#41
Supreme Member
iTrader: (1)
Joined: Apr 2004
Posts: 3,178
Likes: 3
From: Browns Town
Car: 86 Monte SS (730,$8D,G3,AP,4K,S_V4)
Engine: 406 Hyd Roller 236/242
Transmission: 700R4 HomeBrew, 2.4K stall
Axle/Gears: 3:73 Posi, 7.5 Soon to break
Back from the archives
When configuring for a Patch update,
How would I specify a new variable assignment in the memory section?
I need to ensure an EQU is assigned to a couple new entrys.
Without the EQU definition, I am not sure they can be directly addressed without error. Code does not assemble if I do not specify them.
These are some parameters for my code:
And a few others, but I'll handle those once I see the examples.
TIA
How would I specify a new variable assignment in the memory section?
I need to ensure an EQU is assigned to a couple new entrys.
Without the EQU definition, I am not sure they can be directly addressed without error. Code does not assemble if I do not specify them.
These are some parameters for my code:
Code:
Used L0056, b6 for "last Pass" KS failure indication ; MUST ADD "EQU" IN MEMORY SECTION of CODE (L0056 EQU $0056) ; Uses L0055 as Dwell Timer ; MUST ADD "EQU" IN MEMORY SECTION of CODE (L0055 EQU $0055) ; Uses L8990 as dwell Timer default time ; MUST ADD "ITEM" IN CALIBRATION SECTION of CODE (L8990 FCB $20)
TIA
02-09-2006 | 11:52 AM
#42
Supreme Member
iTrader: (2)
Joined: Jan 2002
Posts: 9,962
Likes: 3
From: Moorestown, NJ
Car: 88 Camaro SC
Engine: SFI'd 350
Transmission: TKO 500
Axle/Gears: 9-bolt w/ 3.23's
What you have posted in quotes looks like your answer
its simply
L0100 EQU $0100
or
LVARIABLE EQU $0100
or what have you. The assembler will simply put whatever number you have set the variable EQUal to into the compiled machine code. For example LVARIABLE will be treated as 0x0100 whenever it is encountered by the assemblerin your code. Just place them at the beginning of the patch.
its simply
L0100 EQU $0100
or
LVARIABLE EQU $0100
or what have you. The assembler will simply put whatever number you have set the variable EQUal to into the compiled machine code. For example LVARIABLE will be treated as 0x0100 whenever it is encountered by the assemblerin your code. Just place them at the beginning of the patch.
02-09-2006 | 08:25 PM
#44
Supreme Member
iTrader: (1)
Joined: Apr 2004
Posts: 3,178
Likes: 3
From: Browns Town
Car: 86 Monte SS (730,$8D,G3,AP,4K,S_V4)
Engine: 406 Hyd Roller 236/242
Transmission: 700R4 HomeBrew, 2.4K stall
Axle/Gears: 3:73 Posi, 7.5 Soon to break
OK, got the code to assemble to an S19 but the offset of 0x8000 gives me an error when running the S19_Pat.
"S19 address is less than the offset"
Which would be correct because I am specifying a memory location, before the $8000 cal section.
Tryed putting individual "ORG"s before each of the equ statements to locate them and then ran with 0x000 offset.
The bin patches everything at $0000.
Obviously, I'm doing something wrong.
Any ideas?, Or am I stuck ?
"S19 address is less than the offset"
Which would be correct because I am specifying a memory location, before the $8000 cal section.
Code:
L003A EQU $003A L003C EQU $003C L0055 EQU $0055 L0056 EQU $0056 L3FCC EQU $3FCC ORG $898E L898E FCB $50 ORG $8990 L8990 FCB $20 ORG $8992 L8992 FDB $00, $66 ; ; -------- COMMENT OUT THE FOLLOWING LINE ; LD125: stx L3FCC ; ; --------------------------------------------------------- ; ORG $D125 LD125: nop ; ORG 0x9000 KL_IN: NOP ; START OF ROUTINE LDAA L898E ; Check If "ByPass" is Enabled BITA #$01 ; If Not Set (b0) BNE *KLIGHT ; No Check Performed, ; else... KS_CHK: BRSET L003C,#$20,*KFAIL ........Lots more
The bin patches everything at $0000.
Obviously, I'm doing something wrong.
Any ideas?, Or am I stuck ?
02-10-2006 | 12:32 AM
#45
Supreme Member
Joined: Sep 2003
Posts: 1,409
Likes: 1
From: Texas
Are you doing this for the sim?
I ran into a similar problem and ended up switching to AS6811 to do it.
AS6811 shouldn't choke on the new ram location when doing a patch.
AS11 will choke IIRC.
ASHC11 will work too.
Have a look at my RPM patch code I did about a year ago.
If your HD didn't eat the zip.
Don't forget to use the * for addresses less than $100.
I ran into a similar problem and ended up switching to AS6811 to do it.
AS6811 shouldn't choke on the new ram location when doing a patch.
AS11 will choke IIRC.
ASHC11 will work too.
Have a look at my RPM patch code I did about a year ago.
If your HD didn't eat the zip.
Don't forget to use the * for addresses less than $100.
02-10-2006 | 11:24 AM
#46
Thread Starter
Moderator
iTrader: (1)
Joined: Mar 2002
Posts: 18,432
Likes: 227
From: Chasing Electrons
Car: check
Engine: check
Transmission: check
Originally posted by JP86SS
Tryed putting individual "ORG"s before each of the equ statements to locate them and then ran with 0x000 offset.
The bin patches everything at $0000.
Obviously, I'm doing something wrong.
Any ideas?, Or am I stuck ?
Tryed putting individual "ORG"s before each of the equ statements to locate them and then ran with 0x000 offset.
The bin patches everything at $0000.
Obviously, I'm doing something wrong.
Any ideas?, Or am I stuck ?
. Check the 0x in front of the 9000, needs to be $. I assembled what you posted with the as11 Motorola assembler and it looks OK. Some undefined branches but that is expected. Note the 'opt l' to provide a listing.RBob.
Code:
0001 opt l 0002 0003 003a L003A EQU $003A 0004 003c L003C EQU $003C 0005 0055 L0055 EQU $0055 0006 0056 L0056 EQU $0056 0007 3fcc L3FCC EQU $3FCC 0008 0009 898e ORG $898E 0010 0011 898e 50 L898E FCB $50 0012 0013 8990 ORG $8990 0014 0015 8990 20 L8990 FCB $20 0016 0017 8992 ORG $8992 0018 0019 8992 00 00 00 66 L8992 FDB $00, $66 0020 0021 ; 0022 ; -------- COMMENT OUT THE FOLLOWING LINE 0023 ; LD125: stx L3FCC ; 0024 ; --------------------------------------------------------- 0025 ; 0026 0027 d125 ORG $D125 0028 0029 d125 01 LD125: nop ; 0030 0031 9000 ORG $9000 0032 0033 9000 01 KL_IN: NOP ; START OF ROUTINE 0034 9001 b6 89 8e LDAA L898E ; Check If "ByPass" is Enabled 0035 9004 85 01 BITA #$01 ; If Not Set (b0) 36: symbol Undefined on pass 2 36: Branch out of Range 0036 9006 26 fe BNE KLIGHT ; No Check Performed, 0037 ; else... 38: Branch out of Range 0038 9008 1e 3c 20 fc KS_CHK: BRSET L003C,#$20,KFAIL ; ........Lots more 0039 0040 ;-------------------------------------------------------------------------------- 0041 0042 0043 0044 0045 Number of errors 3
Last edited by RBob; 02-10-2006 at 11:43 AM.
02-10-2006 | 11:27 AM
#47
Supreme Member
iTrader: (1)
Joined: Apr 2004
Posts: 3,178
Likes: 3
From: Browns Town
Car: 86 Monte SS (730,$8D,G3,AP,4K,S_V4)
Engine: 406 Hyd Roller 236/242
Transmission: 700R4 HomeBrew, 2.4K stall
Axle/Gears: 3:73 Posi, 7.5 Soon to break
Originally posted by Z69
Are you doing this for the sim?
Don't forget to use the * for addresses less than $100.
Are you doing this for the sim?
Don't forget to use the * for addresses less than $100.
Used both assemblers and they both require the "EQU" s to be there or they choke. No S19 can be generated correctly.
Both assemble fine with them in there, just the PAT.exe can't deal with the memory locations.
I did look at that one last night but I didn't see any memory locations (might have missed it) everything I saw used existing location. Will look again tonight.
Thanks,
02-12-2006 | 04:21 PM
#49
Okay, new question... I have the code I need.
I picked the memory location as above...
An ALDL address that was pointing to a redundant TPS A/D raw count will be changed to this stack value. (Who needs TPS% AND TPS raw?) Now, changing that address using the patch method is simple enough. BUT, when you have new code like above, that you need to add to the program loop....
How do you do it? I'm guessing I have to disassemble the whole binary, stick that in the main loop, and assemble it. I HOPE that's not the case, because I have had extreme difficulty just disassembling the stupid binary.
edit: The disassembly shows subroutines at the bottom, followed by a few dozen lines of
I assume this just means "woohoo! free space!". But then the question remains, which line(s) do I change to call the new sub I create here?
Code:
ldaa #0x00 ;select channel 00 jsr LF642 ;DO MUX READ staa L01DE ;store value in stack
An ALDL address that was pointing to a redundant TPS A/D raw count will be changed to this stack value. (Who needs TPS% AND TPS raw?) Now, changing that address using the patch method is simple enough. BUT, when you have new code like above, that you need to add to the program loop....
How do you do it? I'm guessing I have to disassemble the whole binary, stick that in the main loop, and assemble it. I HOPE that's not the case, because I have had extreme difficulty just disassembling the stupid binary.
edit: The disassembly shows subroutines at the bottom, followed by a few dozen lines of
Code:
FDCC .byte 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 FDD4 .byte 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 FDDC .byte 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
Last edited by ryan.h; 02-12-2006 at 04:55 PM.
02-12-2006 | 06:35 PM
#50
Supreme Member
Joined: Sep 2003
Posts: 1,409
Likes: 1
From: Texas
You figure out where you want the calc to be run in loop time. Then you find a JSR cmd.
Then you change the address of that JSR to your new code.
Execute your code.
Add the the cmd's necessary to fix the jsr you altered.
RTS to original code.
Instead of jumping to A routine.
You jump to B routine instead. And make sure to add the A routine stuff needed into the B routine at the end.
Do a compare of aujp and the Davis WB aujp bin.
Disassemble the Davis WB aujp bin or work through it in a hex editor.
You'll see what I mean.
Then you change the address of that JSR to your new code.
Execute your code.
Add the the cmd's necessary to fix the jsr you altered.
RTS to original code.
Instead of jumping to A routine.
You jump to B routine instead. And make sure to add the A routine stuff needed into the B routine at the end.
Do a compare of aujp and the Davis WB aujp bin.
Disassemble the Davis WB aujp bin or work through it in a hex editor.
You'll see what I mean.