RomRaider

Open Source ECU Tools
All times are UTC - 5 hours [ DST ]




 Post subject: CEL routines in 32bit ECU explained
PostPosted: Sun Mar 16, 2008 3:02 pm 
RomRaider Donator

Joined: Sun Apr 09, 2006 12:05 pm
Posts: 866
Location: Indianapolis, IN
Thought this would be helpful. All of the 32bit ROMs I've looked at have the same structure used for popping CELs. It is very useful to track down what other memory addresses are. I'm using the SH-2 7055f, 2004 USDM Subaru WRX STI, CALID A2ZJ710J (3rd revision) ROM as an example.

Particularly, you can look for all the calls to the main CEL trigger routine. It is called with a value stored and passed using r4. This value is the index value for a particular CEL. For instance, if MAF voltage is out of range too high, an error byte is set in memory. Later, the program looks at this error byte and calls the CEL routine with r4 = the index value for the CEL (in this case, index value #6). The index value is used to both check the master on/off CEL switch table (the place where we use Openecu to turn CELs on and off, a simple 0x0 or 0x1) and another master table (to where the index value is multiplied and added to get to the proper offset because the definitions are not 1 byte long like the master on/off table).

The best thing about this is that if you know how this works, and have the extended Subaru tech Diagnostic Code manual you can find the code that handles a given CEL for a given input pin (like MAP, MAF, TGV sensors, etc) to locate the memory address used to store the data.

Here's an example showing some of the MAF overvolt/undervolt CEL stuff.

The master on/off table. This is what is changed (usually) when you turn CELs on and off with a checkbox in Enginuity:
Image


Here's the general area where further CEL evaluation information is located. I do not know what all this information does, but I do know the data at per offset + 0x8 is the CEL number. See above P0103 has 0x0103 at 0x45D48 + 0x8. 0x45D48 is found by base address + the index value discussed above, to which is multiplied and added to get to 0x45D48. There is one direct addressing you can see, but this is separate. For what I'm covering in this post, 0x45D38 is only addressed relatively so you can't see exactly how it is being addressed here.
Image


Here's the subroutine to pull the raw digital/analog converted value (stored as word 16bit, but DA is only 10bit precise, FYI) for the MAF. Notice the value being set if it is either over or under voltage values. It is compared while still in integer 16bit form and sets a #1 or #2 for the two error states.
Image
(note: later ROMs convert the A/D value to floating point grams/sec in a different subroutine as the error state is set to #0 #1 or #2, but I do not want to digress here, either way they both look at the same memory address to get the raw MAF input pin A/D value 16bit)

Elsewhere, the error state memory address is read. In this case, if it is #1, overvolt, it calls the CEL evaluation subroutine to actually trigger the CEL. r4 is set to #6, the index value for P0103, then is called. Notice back up in the first screenshot I commented 0x45C30 + 0x6 as the P0103 switch.
Image

Here is the master switch table actually being used and checked before the subroutine decides to evaluate and pop the CEL:
Image
Notice the cel_mastersw table (from first screenshot) is being pulled referenced by the index value for the CEL we are trying to pop. If that cel_mastersw indexed byte is set to 0, the whole subroutine bombs out. Thus the CEL cannot be triggered here. That's why it is just a simple checkbox to turn on/off CELs in the 32bit ECU. Digressing a bit, remember this doesn't mean you've "fixed" the problem, just caused the CEL to be skipped over.

I.e. turning off P0420 (rear O2 sensor, catalyst efficiency) may turn off the CEL, but that doesn't mean the rear O2 sensor is still not used to determine fueling in some circumstances. I.e.#2, if you turned off the tumble generator stuck open CEL but you still had TGVs, if they really were stuck open you'd not get a CEL and could have problems with the car running right. This isn't new information, but worth mentioning in this context.

All these tables, data groups, and subroutines are almost exactly the same in all the Subaru 32bit ECUs I've looked at. Obviously all the offsets are different, but the structure is the same. Happy hunting.


Last edited by Freon on Tue Aug 16, 2011 1:31 pm, edited 1 time in total.

 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Sun Mar 16, 2008 3:24 pm 
Administrator

Joined: Wed Mar 29, 2006 10:38 pm
Posts: 5340
Nice write-up Freon.

The one thing I did was write a simple app given the switch offset and first pcode offset (always P0335) and generate the switch offset for each CEL. That way, I could check all references to the CEL routine and quickly determine which code it pertained to. Example below is an 06 WRX.

Quote:
A8DH200X

0x0 P0335_CRANKSHAFTPOS.SENSORAMALFUNCTION
0x1 P0336_CRANKSHAFTPOS.SENSORARANGEPERF
0x2 P0341_CAMSHAFTPOS.SENSORARANGEPERF - DISABLED
0x3 P0340_CAMSHAFTPOS.SENSORAMALFUNCTION - DISABLED
0x4 P0604_CONTROLMODULERAMERROR
0x5 P0102_MAFSENSORLOWINPUT
0x6 P0103_MAFSENSORHIGHINPUT
0x7 P0500_VEHICLESPEEDSENSORA - DISABLED
0x8 P0327_KNOCKSENSOR1LOWINPUT
0x9 P0328_KNOCKSENSOR1HIGHINPUT
0xA P0122_TPSALOWINPUT
0xB P0123_TPSAHIGHINPUT
0xC P0121_TPSRANGEPERF - DISABLED
0xD P0117_COOLANTTEMPSENSORLOWINPUT
0xE P0118_COOLANTTEMPSENSORHIGHINPUT
0xF P0464_FUELLEVELSENSORINTERMITTENT
0x10 P0125_INSUFFICIENTCOOLANTTEMP(FUELING)
0x11 P0462_FUELLEVELSENSORLOWINPUT
0x12 P0463_FUELLEVELSENSORHIGHINPUT
0x13 P0461_FUELLEVELSENSORRANGEPERF
0x14 P0350_IGNITIONCOILPRIMARYSECONDARY - DISABLED
0x15 P1518_STARTERSWITCHLOWINPUT
0x16 P0512_STARTERREQUESTCIRCUIT
0x17 P0452_EVAPPRESSURESENSORLOWINPUT
0x18 P0453_EVAPPRESSURESENSORHIGHINPUT
0x19 P0451_EVAPPRESSURESENSORRANGEPERF
0x1A P0851_NEUTRALSWITCHINPUTLOW
0x1B P0182_FUELTEMPSENSORALOWINPUT
0x1C P0183_FUELTEMPSENSORAHIGHINPUT
0x1D P0181_FUELTEMPSENSORARANGEPERF
0x1E P0852_NEUTRALSWITCHINPUTHIGH
0x1F P0508_IDLECONTROLCIRCUITLOW - DISABLED
0x20 P0509_IDLECONTROLCIRCUITHIGH - DISABLED
0x21 P0506_IDLECONTROLRPMLOWERTHANEXPECTED
0x22 P0507_IDLECONTROLRPMHIGHTHANEXPECTED
0x23 P0691_RADIATORFANCIRCUITLOW
0x24 P0692_RADIATORFANCIRCUITHIGH
0x25 P0483_RADIATORFANRATIONALITYCHECK
0x26 P0864_TCMCOMMUNICATIONRANGEPERF - DISABLED
0x27 P0365_CAMSHAFTPOS.SENSORBBANK1 - DISABLED
0x28 P0390_CAMSHAFTPOS.SENSORBBANK2 - DISABLED
0x29 P0011_CAMSHAFTPOS.-TIMINGOVER-ADVANCED1
0x2A P0021_CAMSHAFTPOS.-TIMINGOVER-ADVANCED2
0x2B P1400_FUELTANKPRESSURESOL.LOW
0x2C P1420_FUELTANKPRESSURESOL.HIGHINPUT
0x2D P0458_EVAPPURGEVALVECIRCUITLOW
0x2E P0459_EVAPPURGEVALVECIRCUITHIGH
0x2F P0865_TCMCOMMUNICATIONCIRCUITLOW - DISABLED
0x30 P0866_TCMCOMMUNICATIONCIRCUITHIGH - DISABLED
0x31 P1443_VENTCONTROLSOLENOIDFUNCTIONPROBLEM
0x32 P0447_EVAPVENTCONTROLCIRCUITOPEN
0x33 P0448_EVAPVENTCONTROLCIRCUITSHORTED
0x34 P0133_FRONTO2SENSORSLOWRESPONSE
0x35 P0139_REARO2SENSORSLOWRESPONSE
0x36 P1152_FRONTO2SENSORRANGEPERFLOWB1S1
0x37 P1153_FRONTO2SENSORRANGEPERFHIGHB1S1
0x38 P0420_CATEFFICIENCYBELOWTHRESHOLD
0x39 P0442_EVAPLEAKDETECTED(SMALL)
0x3A P0456_EVAPLEAKDETECTED(VERYSMALL)
0x3B P0171_SYSTEMTOOLEAN
0x3C P0172_SYSTEMTOORICH
0x3D P0301_MISFIRECYLINDER1
0x3E P0302_MISFIRECYLINDER2
0x3F P0303_MISFIRECYLINDER3
0x40 P0304_MISFIRECYLINDER4
0x41 P1301_MISFIRE(HIGHTEMPEXHAUSTGAS) - DISABLED
0x42 P0457_EVAPLEAKDETECTED(FUELCAP)
0x43 P0000_PASSCODE(NODTCDETECTED)
0x44 P0000_PASSCODE(NODTCDETECTED)
0x45 P0137_REARO2SENSORLOWVOLTAGE
0x46 P0131_FRONTO2SENSORLOWINPUT
0x47 P0132_FRONTO2SENSORHIGHINPUT
0x48 P0138_REARO2SENSORHIGHVOLTAGE
0x49 P0112_IATSENSORLOWINPUT
0x4A P0113_IATSENSORHIGHINPUT
0x4B P0111_IATSENSORRANGEPERF
0x4C P0038_REARO2SENSORHIGHINPUT
0x4D P0032_FRONTO2SENSORHIGHINPUT
0x4E P0037_REARO2SENSORLOWINPUT
0x4F P0031_FRONTO2SENSORLOWINPUT
0x50 P0107_MAPSENSORLOWINPUT
0x51 P0108_MAPSENSORHIGHINPUT
0x52 P0128_THERMOSTATMALFUNCTION
0x53 P1491_PCV(BLOWBY)FUNCTIONPROBLEM
0x54 P1560_BACK-UPVOLTAGEMALFUNCTION
0x55 P0562_SYSTEMVOLTAGELOW - DISABLED
0x56 P0563_SYSTEMVOLTAGEHIGH - DISABLED
0x57 P0245_WASTEGATESOLENOIDALOW
0x58 P0246_WASTEGATESOLENOIDAHIGH
0x59 P0244_WASTEGATESOLENOIDARANGEPERF
0x5A P0261_FUELINJECTOR#1CIRCUITLOW - DISABLED
0x5B P0264_FUELINJECTOR#2CIRCUITLOW - DISABLED
0x5C P0267_FUELINJECTOR#3CIRCUITLOW - DISABLED
0x5D P0270_FUELINJECTOR#4CIRCUITLOW - DISABLED
0x5E P0545_EGTSENSORCIRCUITLOW - DISABLED
0x5F P0546_EGTSENSORCIRCUITHIGH - DISABLED
0x60 P1312_EGTSENSORMALFUNCTION - DISABLED
0x61 P1544_EGTTOOHIGH - DISABLED
0x62 P0502_VEHICLESPEEDSENSORLOWINPUT
0x63 P0230_FUELPUMPPRIMARYCIRCUIT
0x64 P0068_MAPSENSORRANGEPERF
0x65 P0519_IDLECONTROLMALFUNCTION(FAIL-SAFE)
0x66 P0101_MAFSENSORRANGEPERF
0x67 P0134_FRONTO2SENSORNOACTIVITY
0x68 P0030_FRONTO2SENSORRANGEPERF
0x69 P0503_VEHICLESPEEDSENSORINTERMITTENT
0x6A P2109_TPSAMINIMUMSTOPPERF
0x6B P0222_TPSBLOWINPUT
0x6C P0223_TPSBHIGHINPUT
0x6D P1160_ABNORMALRETURNSPRING
0x6E P2102_THROTTLEACTUATORCIRCUITLOW
0x6F P2103_THROTTLEACTUATORCIRCUITHIGH
0x70 P2101_THROTTLEACTUATORCIRCUITRANGEPERF
0x71 P2096_POSTCATALYSTTOOLEANB1
0x72 P0638_THROTTLEACTUATORRANGEPERF
0x73 P0607_CONTROLMODULEPERFORMANCE
0x74 P2138_TPSDEVOLTAGE
0x75 P2127_TPSECIRCUITLOWINPUT
0x76 P2128_TPSECIRCUITHIGHINPUT
0x77 P2122_TPSDCIRCUITLOWINPUT
0x78 P2123_TPSDCIRCUITHIGHINPUT
0x79 P2135_TPSABVOLTAGE
0x7A P2097_POSTCATALYSTTOORICHB1
0x7B P0600_SERIALCOMMUNICATIONLINK
0x7C P0390_CAMSHAFTPOS.SENSORBBANK2 - DISABLED
0x7D P0365_CAMSHAFTPOS.SENSORBBANK1 - DISABLED
0x7E P0345_CAMSHAFTPOS.SENSORABANK2
0x7F P0340_CAMSHAFTPOS.SENSORAMALFUNCTION
0x80 P0605_CONTROLMODULEROMERROR
0x81 P2095_OCVSOLENOIDB2CIRCUITSHORT - DISABLED
0x82 P2094_OCVSOLENOIDB2CIRCUITOPEN - DISABLED
0x83 P2091_OCVSOLENOIDB1CIRCUITSHORT - DISABLED
0x84 P2090_OCVSOLENOIDB1CIRCUITOPEN - DISABLED
0x85 P2093_OCVSOLENOIDA2CIRCUITSHORT
0x86 P2092_OCVSOLENOIDA2CIRCUITOPEN
0x87 P2089_OCVSOLENOIDA1CIRCUITSHORT
0x88 P2088_OCVSOLENOIDA1CIRCUITOPEN
0x89 P0700_TRANSMISSIONCONTROLSYSTEM
0x8A P2504_CHARGINGSYSTEMVOLTAGEHIGH - DISABLED
0x8B P2503_CHARGINGSYSTEMVOLTAGELOW - DISABLED
0x8C P2004_TGV-INTAKEMANIFOLDRUNNER1STUCKOPEN
0x8D P2006_TGV-INTAKEMANIFOLDRUNNER1STUCKCLOSED
0x8E P2005_TGV-INTAKEMANIFOLDRUNNER2STUCKOPEN
0x8F P2007_TGV-INTAKEMANIFOLDRUNNER2STUCKCLOSED
0x90 P2227_BARO.PRESSURECIRCUITRANGEPERF
0x91 P0126_INSUFFICIENTCOOLANTTEMP(OPERATION)
0x92 P2229_BARO.PRESSURECIRCUITHIGHINPUT
0x93 P2228_BARO.PRESSURECIRCUITLOWINPUT
0x94 P2016_TGV-INTAKEMANIFOLDRUNNER1POS.SENSORLOW
0x95 P2017_TGV-INTAKEMANIFOLDRUNNER1POS.SENSORHIGH
0x96 P2021_TGV-INTAKEMANIFOLDRUNNER2POS.SENSORLOW
0x97 P2022_TGV-INTAKEMANIFOLDRUNNER2POS.SENSORHIGH
0x98 P2009_TGV-INTAKEMANIFOLDRUNNER1CIRCUITLOW
0x99 P2012_TGV-INTAKEMANIFOLDRUNNER2CIRCUITLOW
0x9A P2008_TGV-INTAKEMANIFOLDRUNNER1CIRCUITOPEN
0x9B P2011_TGV-INTAKEMANIFOLDRUNNER2CIRCUITOPEN
0x9C P2444_SECONDARYAIRPUMP1STUCKONB1
0x9D P0411_SECONDARYAIRPUMPINCORRECTFLOW
0x9E P0410_SECONDARYAIRPUMPSYSTEM
0x9F P2431_SECONDARYAIRPUMPCIRCUITRANGEPERF
0xA0 P2433_SECONDARYAIRPUMPCIRCUITHIGH
0xA1 P2432_SECONDARYAIRPUMPCIRCUITLOW
0xA2 P0413_SECONDARYAIRPUMPAOPEN
0xA3 P0418_SECONDARYAIRPUMPRELAYA
0xA4 P0140_REARO2SENSORNOACTIVITY
0xA5 P0414_SECONDARYAIRPUMPASHORTED
0xA6 P1418_FUELLEVELSENSORSIGNALHIGH
0xA7 P0018_CRANKSHAFTCAMSHAFTCORRELATION2A
0xA8 P0016_CRANKSHAFTCAMSHAFTCORRELATION1A
0xA9 P1410_FUELTANKPRESSURESYSTEMMALFUNCTION
0xAA P2443_SECONDARYAIRPUMP2STUCKCLOSED
0xAB P2442_SECONDARYAIRPUMPVALVE2STUCKOPEN
0xAC P2441_SECONDARYAIRPUMPVALVE1STUCKCLOSED
0xAD P2440_SECONDARYAIRPUMPVALVE1STUCKOPEN
0xAE P0417_SECONDARYAIRPUMPBSHORTED
0xAF P0416_SECONDARYAIRPUMPBOPEN


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Sun Mar 23, 2008 9:14 pm 
Experienced

Joined: Wed Jul 26, 2006 3:19 pm
Posts: 650
Location: Connecticut, USA
So, while browsing in the trouble code handler, anyone spot where the MIL is manipulated? It seems like there should be 4 states for the MIL:
Off
On (steady)
On (flashing to indicate misfire)
On (rapid flashing to indicate test mode connectors are joined)

Also, the ECU is required to turn on the MIL for a few seconds when the engine is started to demonstrate that the MIL works.


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Sun Mar 23, 2008 10:32 pm 
Experienced

Joined: Tue Aug 15, 2006 7:40 pm
Posts: 170
Location: Calgary
Are you trying to figure out how to flash the cel to indicate knock? That would be a great addition.

Jeff

_________________
'04 WRX, v7 EJ207, VF30
"Genius has its limits, but stupidity is boundless"


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Apr 22, 2008 12:40 am 
Newbie

Joined: Wed Aug 23, 2006 7:22 am
Posts: 71
Location: Sydney, Australia
Great write up m8!

Where do u guys find the time to do this..

Thanks again Freon!

_________________
Post added by using recycled electrons


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Aug 19, 2008 12:59 pm 
Experienced

Joined: Tue Feb 12, 2008 11:00 pm
Posts: 153
I've managed to find all the cel tables and what looks like 2 cel evaluation routines in my A8DH200X. Both check the same bits for a ready state, and are referenced (with #6 in r4) by what looks like a slightly different maf error checking subroutine.

I'm trying to clear this all up to track down the maf_flow routine, but I can't seem to grasp the referencing to the maf scaling table.

In the A2ZJ710J, it points to 0x55945

Ecu defs give the following for A2ZJ710J:
Code:
<table name="MAF Sensor Scaling" storageaddress="0x618C8">
  <table type="Y Axis" storageaddress="0x617F0" />
</table>


I'm not sure what's going on here so I've hit a bit of a wall here. I'm looking into the pull_2d routine to make sense of it but so far I've had no luck.

Any help would be greatly appreciated.

_________________
06 Wrx Wagon 2.3 longrod in the works


Last edited by fujiillin on Tue Aug 19, 2008 3:27 pm, edited 1 time in total.

 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Aug 19, 2008 1:14 pm 
Administrator

Joined: Wed Mar 29, 2006 10:38 pm
Posts: 5340
fujiillin wrote:
In the A2ZJ710J, it points to 0x55945 which holds longword h'360000

Ecu defs give the following for A2ZJ710J:
Code:
<table name="MAF Sensor Scaling" storageaddress="0x618C8">
  <table type="Y Axis" storageaddress="0x617F0" />
</table>


Since there is no address 360000, I figured it might be indirectly addressed using the word at 0x55945 (h'36), but there is no reference at 0x618C8 - 0x36 or 0x617F0 - 0x36, so I've hit a bit of a wall here.

Any help would be greatly appreciated.

Actually, 0x5594C would be the map offset look-up table with, for a 2d table, the first word being the table size (0x0036 = 54d), the second word being the data type (0x0 = undefined - determined by function, 0x0400 = 8-bit, 0x0800 = 16-bit), the offsets follow doublewords (row, data) and then multiplier/additive (none in this case, so start of next table).
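
The 2D descriptor layout described in the reply above, decoded as an added example (not code from the thread or from RomRaider). The sample bytes are constructed from values quoted in the thread (size 0x0036, type 0x0, the A2ZJ710J axis and data addresses); the function names and the big-endian packing of the fields are assumptions of this example. It also shows why the first four bytes read as the longword h'360000: they are the size word followed by the type word.

```python
import struct

# Data-type words named in the reply above; anything else is reported raw.
DATA_TYPES = {0x0000: "undefined (determined by function)",
              0x0400: "8-bit", 0x0800: "16-bit"}

def parse_2d_descriptor(rom, offset):
    """Decode the fixed 12 bytes of a 2D map descriptor (big-endian SH-2).

    The optional multiplier/additive that may follow is not decoded, because
    the thread does not say how it is encoded.
    """
    if offset < 0 or offset + 12 > len(rom):
        raise ValueError("descriptor runs past the end of the image")
    size, dtype, axis_addr, data_addr = struct.unpack_from(">HHII", rom, offset)
    for name, addr in (("axis", axis_addr), ("data", data_addr)):
        if addr >= len(rom):
            raise ValueError(f"{name} pointer 0x{addr:X} is outside the image")
    return {
        "size": size,
        "data_type": DATA_TYPES.get(dtype, f"unknown 0x{dtype:04X}"),
        "axis_addr": axis_addr,
        "data_addr": data_addr,
        # The same four bytes read as one longword: size word, then type word.
        "as_longword": struct.unpack_from(">I", rom, offset)[0],
    }

def axis_entry_width(desc):
    """Bytes per axis entry, assuming the data block directly follows the axis."""
    span = desc["data_addr"] - desc["axis_addr"]
    if desc["size"] == 0 or span <= 0 or span % desc["size"]:
        return None
    return span // desc["size"]

def build_descriptor_sample():
    """Constructed image (all zeros) holding one descriptor at 0x5594C."""
    rom = bytearray(0x62000)
    struct.pack_into(">HHII", rom, 0x5594C, 0x0036, 0x0000, 0x617F0, 0x618C8)
    return bytes(rom)

if __name__ == "__main__":
    desc = parse_2d_descriptor(build_descriptor_sample(), 0x5594C)
    print(f"size={desc['size']} type={desc['data_type']} "
          f"axis=0x{desc['axis_addr']:X} data=0x{desc['data_addr']:X} "
          f"longword=0x{desc['as_longword']:X} "
          f"axis entry width={axis_entry_width(desc)} bytes")
```
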


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Aug 19, 2008 3:43 pm 
Experienced

Joined: Tue Feb 12, 2008 11:00 pm
Posts: 153
Thanks, just noticed the pull2d routine parsing through there.

Also just found the table addy in the lookup.

On the subject of lookup tables, I compiled some stuff in HEW and it keeps giving me a table def with blank addresses for axes and data, is this acceptable if the axes and data are immediately after the definition?

Thanks!

_________________
06 Wrx Wagon 2.3 longrod in the works


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Thu Aug 21, 2008 9:38 pm 
RomRaider Donator

Joined: Sun Apr 09, 2006 12:05 pm
Posts: 866
Location: Indianapolis, IN
If you're interested in seeing working table references and data builds, the SD code has it. I am only using the command line assembler and writing straight assembly, though. Not sure if you're trying to write C.


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Aug 26, 2008 5:05 pm 
Experienced

Joined: Tue Feb 12, 2008 11:00 pm
Posts: 153
I've been using the library wizard, and putting *.asm in the preprocessed assemblies folder and compiling with the GUI. I'll have to read into the command line assembler. The code always reads good in IDA, but it always has a 'header' full of garbage.

I figured it out though, of course it's not going to give me a direct address when it doesn't know where I'm putting the code :P

_________________
06 Wrx Wagon 2.3 longrod in the works


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Aug 26, 2008 7:39 pm 
RomRaider Donator

Joined: Sun Apr 09, 2006 12:05 pm
Posts: 866
Location: Indianapolis, IN
Yeah I have to manually paste the code in with a hex editor and make sure the references are ok. Relative addressing is ok, but the map def has to be fixed. And calls to MAF are manually changed to jump to the location where I put my code.


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Tue Jan 04, 2011 6:33 am 
Offline
Moderator

Joined: Wed Nov 22, 2006 10:23 pm
Posts: 2306
Stickyfied.

_________________
2005 Legacy GT w/ ATP 3076, IWG, MBC, BCS, LC, FFS, OMG
Please don't send me tuning questions via PM - use the forums instead. Thanks!


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Wed Feb 02, 2011 8:34 am 
Experienced

Joined: Sat May 31, 2008 10:14 pm
Posts: 125
Location: Quebec
Anyone found anything on that??

evo guys have flashing MIL on knock event... we should be able to :)

Mart

Jon [in CT] wrote:
So, while browsing in the trouble code handler, anyone spot where the MIL is manipulated? It seems like there should be 4 states for the MIL:
Off
On (steady)
On (flashing to indicate misfire)
On (rapid flashing to indicate test mode connectors are joined)

Also, the ECU is required to turn on the MIL for a few seconds when the engine is started to demonstrate that the MIL works.


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Wed Aug 10, 2011 6:30 pm 
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 4467
Location: Canada eh!
How I locate the DTC tables.
  1. Perform a byte search for the sequence 0335.
  2. If you get more than one result review each result until you find a byte sequence of 03 35 01 with a large section of 01 and 00 bytes about a page above (PageUp).
  3. Four bytes before the sequence of 03 35 01 is the beginning of the CEL Routines.
  4. The beginning of the 01 and 00 bytes sequences is the target for the P0335 DTC. This is the area that the ecu_defs.xml file points to for enabling/disabling DTCs.
  5. The first byte can be marked as the CEL Switch table and it will continue down to the CEL Routines.
  6. With these two locations identified, run the IDA script to mark and dump the DTC definitions.

Script: MakeCELPointers.idc
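
The search steps above as an added Python example (this is not the MakeCELPointers.idc script and not RomRaider code). It goes one step further and reads the located switch bytes, the same master on/off bytes the first post describes being checked before a CEL is triggered. The image is constructed, and `WINDOW`, `MIN_RUN` and the function names are assumptions of this example.

```python
import re

MARKER = bytes.fromhex("033501")  # step 2: P0335 code bytes followed by 01
WINDOW = 0x400   # assumed: how far above the hit to look ("about a page")
MIN_RUN = 0x40   # assumed: smallest 00/01 run accepted as a switch table

def find_dtc_tables(rom):
    """Return (switch_table_start, cel_records_start) for each plausible hit."""
    found = []
    hit = rom.find(MARKER)
    while hit != -1:
        records_start = hit - 4                       # step 3
        if records_start >= 0:
            lo = max(0, records_start - WINDOW)
            runs = list(re.finditer(rb"[\x00\x01]+", rom[lo:records_start]))
            if runs:
                best = max(runs, key=lambda m: m.end() - m.start())
                if best.end() - best.start() >= MIN_RUN:
                    found.append((lo + best.start(), records_start))  # step 4
        hit = rom.find(MARKER, hit + 1)               # step 2: review every hit
    return found

def disabled_indexes(rom, switch_start, count):
    """Indexes whose master switch byte is 0, i.e. CELs that are skipped."""
    return [i for i in range(count) if rom[switch_start + i] == 0]

def build_sample_rom():
    """Constructed image, not a real ROM: one table layout plus two decoys."""
    rom = bytearray(b"\xff" * 0x2000)
    rom[0x100:0x103] = bytes.fromhex("033502")  # decoy: 03 35 not followed by 01
    rom[0x300:0x303] = MARKER                   # decoy: no 00/01 run above it
    switches = bytearray(b"\x01" * 0xB0)        # 0xB0 entries, as in the A8DH200X list
    for idx in (0x2, 0x3, 0x7):                 # first three DISABLED entries there
        switches[idx] = 0
    rom[0x1000:0x10B0] = switches
    rom[0x10C0:0x10C4] = b"\xa5" * 4            # placeholder bytes before the code
    rom[0x10C4:0x10C7] = MARKER
    return bytes(rom)

if __name__ == "__main__":
    rom = build_sample_rom()
    for sw, rec in find_dtc_tables(rom):
        off = [hex(i) for i in disabled_indexes(rom, sw, 0xB0)]
        print(f"switch table 0x{sw:X}, CEL records 0x{rec:X}, disabled: {off}")
```

The longest-run heuristic can pick up zero padding instead of the switch table, so confirm each candidate against the disassembly before trusting the offsets.
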


 Post subject: Re: CEL routines in 32bit ECU explained
PostPosted: Thu Aug 11, 2011 1:21 am 
Moderator

Joined: Wed Nov 22, 2006 10:23 pm
Posts: 2306
Cool, I look forward to checking that out.

_________________
2005 Legacy GT w/ ATP 3076, IWG, MBC, BCS, LC, FFS, OMG
Please don't send me tuning questions via PM - use the forums instead. Thanks!

