RomRaider

Open Source ECU Tools

All times are UTC - 5 hours [ DST ]





 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 2:39 am
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
Found the MAF Voltage RAM address (same for A00C and A01G ROMs)

Code:
paramname = MAF_V
paramid = 0xFFF842AC
databits = 16
scalingrpn = x,0.000076293945,*


Steep learning curve into reverse engineering code when coming from scratch. Headache is starting to ease...
Many thanks to NSFW, dschultz, and td-d for their HEW and IDA contributions on this site.
Work here is on the A00C ROM though my car runs the A01G ROM.

As above, I was interested in getting the MAF_Voltage RAM address. The MAF scaling table is referenced directly at 10E00, but there are no direct references to either 10E00 or D0560 otherwise:

Code:
ROM:00010DF8 off_10DF8:      .data.l stru_D0530      ; DATA XREF: sub_2B14A:loc_2B17E
ROM:00010DFC                 .data.l stru_D0524
ROM:00010E00 off_10E00:      .data.l MAF_Scaling     ;(stru_D0560)   

ROM:000D0530 stru_D0530:     Table_type <h'1E, 0, 0> ; DATA XREF: ROM:off_10DF8
ROM:000D0534                 .data.l h'11FA4C
ROM:000D0538                 .data.l h'11FAC4
ROM:000D053C stru_D053C:     Table_type <h'1F, 0, 0> ; DATA XREF: ROM:00010E04
ROM:000D0540                 .data.l h'11FB3C
ROM:000D0544                 .data.l h'11FBB8
ROM:000D0548 stru_D0548:     Table_type <3, 0, 0>    ; DATA XREF: ROM:00010E08
ROM:000D054C                 .data.l dword_11FC34
ROM:000D0550                 .data.l dword_11FC40
ROM:000D0554 stru_D0554:     Table_type <h'11, 0, 0> ; DATA XREF: sub_4A43C+4C
ROM:000D0554                                         ; ROM:off_4A5C0
ROM:000D0558                 .data.l h'11FC4C
ROM:000D055C                 .data.l h'11FC90
ROM:000D0560 MAF_Scaling:    Table_type <h'36, 0, 0> ; DATA XREF: ROM:off_10E00
ROM:000D0560                                         ; table descriptor: elements 36 (54)
ROM:000D0564                 .data.l MAF_V
ROM:000D0568                 .data.l MAF_G_S


The key was going up to 10DF8 which is referenced in loc_2B17E of sub_2B14A:

Code:
ROM:0002B14A sub_2B14A:                              ; CODE XREF: sub_2B056+28
ROM:0002B14A                 sts.l   pr, @-r15       
ROM:0002B14C                 fldi0   fr4           
ROM:0002B14E                 extu.w  r5, r2         
ROM:0002B150                 lds     r2, fpul       
ROM:0002B152                 float   fpul, fr0     
ROM:0002B154                 mova    h'2B214, r0   
ROM:0002B156                 fmov.s  @r0, fr8       
ROM:0002B158                 fmac    fr0, fr8, fr4
ROM:0002B15A                 extu.b  r4, r4          ; r4 must equal 05 to pull MAF table
ROM:0002B15C                 mov     #h'C, r0        ; r0=0C
ROM:0002B15E                 mulr    r0, r4          ; r4=60
ROM:0002B160                 mov     r4, r0          ; r0=60
ROM:0002B162                 mov.l   #word_10D0C, r4 ; r4=10D0C
ROM:0002B164                 mov     r4, r2          ; r2=10D0C
ROM:0002B166                 add     #6, r2          ; r2=10D12
ROM:0002B168                 mov.b   @(r0,r2), r6    ; r6=@(r0+10D12)=@10D72=02
ROM:0002B16A                 add     #5, r4          ; r4=10D11
ROM:0002B16C                 mov.b   @(r0,r4), r2    ; r2=@(r0+10D11)=@10D71=01
ROM:0002B16E                 extu.b  r2, r0          ;
ROM:0002B170                 cmp/eq  #1, r0          ; r0=01
ROM:0002B172                 bt/s    loc_2B17E     
ROM:0002B174                 extu.b  r6, r6         
ROM:0002B174
ROM:0002B176                 cmp/eq  #2, r0         
ROM:0002B178                 bt      loc_2B190     
ROM:0002B178
ROM:0002B17A                 bra     loc_2B1A6     
ROM:0002B17C                 nop                     
ROM:0002B17C
ROM:0002B17E loc_2B17E:                              ; CODE XREF: sub_2B14A+28
ROM:0002B17E                 mov.l   #off_10DF8, r2
ROM:0002B180                 shll2   r6              ; r6=02 SHLL -> r6=08
ROM:0002B182                 mov     r6, r0          ; r0=08
ROM:0002B184                 mov.l   @(r0,r2), r4    ; r4=@(8+10DF8)=@10E00=D0560
ROM:0002B186                 movi20  #Pull2D, r2   
ROM:0002B18A                 jsr/n   @r2 ; Pull2D 
ROM:0002B18A
ROM:0002B18C                 bra     loc_2B1A8     
ROM:0002B18E                 fmov    fr0, fr9       


10DF8 is loaded into register r2 then data from the location @(r0+10DF8)=@10E00 is passed to the Pull2D function. We want r0 to equal 08, thus r6 passed onto sub_217E must equal 02 for the MAF scaling table to be pulled, and r0 at 2B170 must equal 01 for loc_2B17E to be accessed.
Following code back, loc_2B17E is ultimately called, amongst other things, by sub_2AF98. This subroutine runs with a counter in r13 from r13=00 to r13=0E. Tracing multiple indirect references, the MAF scaling table is pulled in loc_2B17E when r13=08.

Going back to the front end of sub_2AF98 and running with r13=08:

sub_12FCC is called with r4=@(60+10D0C)=@10D6C=0005

Code:
sub_12FCC:                              ; CODE XREF: sub_2A822+18
ROM:00012FCC                                         
ROM:00012FCC                 sts.l   pr, @-r15       
ROM:00012FCE                 add     #-4, r15       
ROM:00012FD0                 mov.w   r4, @r15        ; @r15=0005
ROM:00012FD2                 movu.b  @(0,r15), r0    ; r0=00 first byte @r15
ROM:00012FD6                 tst     r0, r0          ; T
ROM:00012FD8                 bt      loc_12FE6     
ROM:00012FD8
ROM:00012FDA                 cmp/eq  #1, r0       
ROM:00012FDC                 bt      loc_12FF2     
ROM:00012FDC
ROM:00012FDE                 cmp/eq  #2, r0         
ROM:00012FE0                 bt      loc_12FFE     
ROM:00012FE0
ROM:00012FE2                 bra     loc_1300A   
ROM:00012FE4                 nop               
ROM:00012FE4
ROM:00012FE6 ; ---------------------------------------------------------------------------
ROM:00012FE6
ROM:00012FE6 loc_12FE6:                              ; CODE XREF: sub_12FCC+C
ROM:00012FE6                 mov.b   @(1,r15), r0    ; r0=05 second byte @r15
ROM:00012FE8                 mov.l   #sub_129C4, r1 
ROM:00012FEA                 jsr     @r1 ; sub_129C4
ROM:00012FEC                 mov     r0, r4          ; r4=05
ROM:00012FEC
ROM:00012FEE                 bra     loc_1300C     
ROM:00012FF0                 mov     r0, r2         
ROM:00012FF0
ROM:00012FF2 ; ---------------------------------------------------------------------------
ROM:00012FF2
ROM:00012FF2 loc_12FF2:                              ; CODE XREF: sub_12FCC+10
ROM:00012FF2                 movu.b  @(1,r15), r0   
ROM:00012FF6                 mov.l   #h'FFF848FE, r5
ROM:00012FF8                 shll    r0             
ROM:00012FFA                 bra     loc_1300C       
ROM:00012FFC                 mov.w   @(r0,r5), r2   
ROM:00012FFC
ROM:00012FFE ; ---------------------------------------------------------------------------
ROM:00012FFE
ROM:00012FFE loc_12FFE:                              ; CODE XREF: sub_12FCC+14
ROM:00012FFE                 movu.b  @(1,r15), r0   
ROM:00013002                 mov.l   #h'FFF8490E, r6
ROM:00013004                 shll    r0             
ROM:00013006                 bra     loc_1300C     
ROM:00013008                 mov.w   @(r0,r6), r2   
ROM:00013008
ROM:0001300A ; ---------------------------------------------------------------------------
ROM:0001300A
ROM:0001300A loc_1300A:                              ; CODE XREF: sub_12FCC+16
ROM:0001300A                 mov     #0, r2         
ROM:0001300A
ROM:0001300C
ROM:0001300C loc_1300C:                              ; CODE XREF: sub_12FCC+22
ROM:0001300C                 add     #4, r15         
ROM:0001300E                 lds.l   @r15+, pr       
ROM:00013010                 rtv/n   r2              ; Return r0 in r2


sub_129C4 is called with r4=05

Code:
ROM:000129C4 sub_129C4:                              ; CODE XREF:sub_12FCC+1E
ROM:000129C4                 extu.b  r4, r0          ; r0=05
ROM:000129C6                 add     #1, r0          ; r0=06
ROM:000129C8                 movi20  #h'FFF842A0, r5 ; r5=FFF842A0
ROM:000129CC                 shll    r0              ; r0=0C
ROM:000129CE                 rts                     
ROM:000129D0                 mov.w   @(r0,r5), r0    ; r0=@(0C+FFF842A0)=@FFF842AC


The 16-bit value @FFF842AC gets scaled by multiplying by 0.000076293945 before ending up at loc_2B17E where the MAF scaling table is called.

I suspect that there is quite a lot of useful data to be gained by picking the main sub_2AF98 routine apart running from r13=00 to 0E.


Last edited by ztan on Wed Jan 15, 2014 10:45 pm, edited 1 time in total.
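Added example (not part of ztan's post or the RomRaider code base): a short Python script that replays the two index calculations traced above (sub_129C4 and loc_2B17E) and applies the posted RPN scaling to a raw sample. The factor 0.000076293945 is 5/65536, so the 16-bit A/D count maps onto 0-5 V; the raw values fed in are constructed.

```python
# Constructed from the parameter definition posted above.
PARAM_DEF = """paramname = MAF_V
paramid = 0xFFF842AC
databits = 16
scalingrpn = x,0.000076293945,*
"""

def parse_param(text):
    """Parse 'key = value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def eval_rpn(expr, x):
    """Evaluate a comma-separated RPN expression with the raw value bound to x."""
    ops = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
           "*": lambda a, b: a * b, "/": lambda a, b: a / b}
    stack = []
    for tok in expr.split(","):
        tok = tok.strip()
        if tok == "x":
            stack.append(float(x))
        elif tok in ops:
            b, a = stack.pop(), stack.pop()   # IndexError on malformed input
            stack.append(ops[tok](a, b))
        else:
            stack.append(float(tok))
    if len(stack) != 1:
        raise ValueError("malformed RPN expression: %r" % expr)
    return stack[0]

def maf_voltage(raw16, param=PARAM_DEF):
    """Scale a raw 16-bit MAF_V sample to volts; 0x0000..0xFFFF -> 0..5 V."""
    p = parse_param(param)
    bits = int(p["databits"])
    if not 0 <= raw16 < (1 << bits):
        raise ValueError("raw value does not fit in %d bits" % bits)
    return eval_rpn(p["scalingrpn"], raw16)

def sensor_ram_address(r4, base=0xFFF842A0):
    """sub_129C4: extu.b r4; add 1; shll; mov.w @(r0,r5) with r5 = FFF842A0."""
    return base + (((r4 & 0xFF) + 1) << 1)

def scaling_table_pointer(r6, table=0x10DF8):
    """loc_2B17E: shll2 r6; mov.l @(r0,r2) with r2 = off_10DF8 -> 0x10E00 for r6=2."""
    return table + ((r6 & 0xFF) << 2)
```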

 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 2:48 am
Moderator

Joined: Thu May 20, 2010 4:01 am
Posts: 3095
Location: Johannesburg, South Africa
Nicely done, Ztan! I thought it was an array / table of various sensor inputs - never had the patience to trawl through all the bloody indirect referencing ;)

These roms are absolutely full of indirect referencing, much more so than the older ones - makes finding parameters a real pain.

_________________
He who dies with the most gadgets wins.

Please do not PM me - use the email option.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 10:56 am
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
ztan wrote:
Can anyone show me where the MAF voltage to g/s conversion happens or where the A/D sensor lookup routine sits?

I've updated the sh3.cfg file with the SH72531 registers, you might want to grab it and then re-select your Device in IDA options and re-analyze.



PS: I'm working on updates to the RomRaider Logger to allow it to log via CAN OBD mode 01 initially. If anyone wishes to test it, as I don't have a CAN vehicle let me know.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 1:16 pm
Experienced

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
dschultz wrote:
PS: I'm working on updates to the RomRaider Logger to allow it to log via CAN OBD mode 01 initially. If anyone wishes to test it, as I don't have a CAN vehicle let me know.


Diesel E5 ECU got a "only CAN diagnosis".
If E4 Diesel communicates via CAN to OBD-II, I don't know, but for testing, I got both ECUs :D

So give me a shot...

_________________
performance based on engineering..


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 2:23 pm
Senior Member

Joined: Mon Jan 19, 2009 2:31 pm
Posts: 1589
Location: Moscow, Russia
Jochen_145 wrote:
If E4 Diesel communicates via CAN to OBD-II, I don't know, but for testing, I got both ECUs :D

So give me a shot...


I should say that Hitachi MY07+ supports just CAN OBDII. I have not tested Denso.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 13, 2014 6:53 pm
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
dschultz wrote:
ztan wrote:
Can anyone show me where the MAF voltage to g/s conversion happens or where the A/D sensor lookup routine sits?

I've updated the sh3.cfg file with the SH72531 registers, you might want to grab it and then re-select your Device in IDA options and re-analyze.



PS: I'm working on updates to the RomRaider Logger to allow it to log via CAN OBD mode 01 initially. If anyone wishes to test it, as I don't have a CAN vehicle let me know.


Thanks. Will do and see how much of an indirect snarl getting sensor data off the ADC registers turns out to be.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Tue Jan 14, 2014 5:42 pm
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
ztan wrote:
Thanks. Will do and see how much of an indirect snarl getting sensor data off the ADC registers turns out to be.
I looked briefly and can see the routine that reads the ADC to RAM, but I haven't found the target in RAM the routine is indirectly writing to. Most likely the target address is loaded from some lookup table in another routine or derived from a bit-shifted register plus other funky obscure calculations.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Fri Jan 17, 2014 1:10 am
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
A Logger teaser... (very, very alpha though)
viewtopic.php?t=10284


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Fri Jan 17, 2014 2:31 am
RomRaider Donator

Joined: Wed May 22, 2013 4:29 am
Posts: 10
dschultz wrote:
A Logger teaser... (very, very alpha though)
viewtopic.php?t=10284


For what it's worth, I have been logging with the Tactrix and it works well. I'm just amazed at how fast it polls compared to Torque and bluetooth. I'm also amazed at how fast the files grow. Thanks to all of you who have made this work!


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Fri Jan 17, 2014 3:13 am
Moderator

Joined: Thu May 20, 2010 4:01 am
Posts: 3095
Location: Johannesburg, South Africa
Awesome work, Dale. Too bad I don't have a BRZ to test drive it ;)

_________________
He who dies with the most gadgets wins.

Please do not PM me - use the email option.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Fri Jan 17, 2014 11:16 am
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
td-d wrote:
Awesome work, Dale. Too bad I don't have a BRZ to test drive it ;)

With OBD query mode 1 you should be able to log from any vehicle that supports OBD on CAN. So go ahead and try it on your non-BRZ vehicle and let me know what bugs you find.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 20, 2014 8:29 pm
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
jsimon7777 wrote:
dschultz wrote:
A Logger teaser... (very, very alpha though)
viewtopic.php?t=10284


For what it's worth, I have been logging with the Tactrix and it works well. I'm just amazed at how fast it polls compared to Torque and bluetooth. I'm also amazed at how fast the files grow. Thanks to all of you who have made this work!

If you have a chance to try it, it would still be worth it to me. Thanks.


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 27, 2014 9:40 pm
Newbie

Joined: Wed Sep 04, 2013 12:49 am
Posts: 14
Can someone please point in the right direction here?

I recently purchased a CANBUS analyzer. I'm trying to log the RPM value at the highest frequency possible off of the CANBUS, so the message ID is not going to be the same as the PID for the OBD mode. Does anyone know if there is a resource for the high-speed message IDs yet for this car?


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Mon Jan 27, 2014 9:54 pm
Newbie

Joined: Wed Sep 04, 2013 12:49 am
Posts: 14
ztan wrote:
Lots of potential being seen:

ECU 0x07E8

CAN-ID 0x01
01 Calculated load
04 05 MAF
0B 0C Engine speed
0D Vehicle speed
32 Oil Temp

CAN-ID 0x03
07 Ignition advance

CAN-ID 0x37
09 0A FLKC
0B 0C FBKC

CAN-ID 0x41
06 07 Accel position

VSC module 0x07B8

CAN-ID 0x05
0B 0C Real engine torque

CAN-ID 0x47
01 Lateral G
02 Front/Rear G
03 Yaw rate
04 05 Steering wheel angle

Is it possible to get standalone engine + VSC logging with the OP2.0?


All of these values are being read at a slow refresh rate, correct, because you're still in OBD Mode 1? Is it possible to read at a higher frequency?


 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
Posted: Tue Jan 28, 2014 11:40 am
RomRaider Developer

Joined: Wed May 20, 2009 9:49 pm
Posts: 6617
Location: Canada eh!
CANbus messaging is typically sent at set intervals which are not user defined.

