Page 14 of 34 FirstFirst ... 491011121314151617181924 ... LastLast
Results 196 to 210 of 509

Thread: 1997 F-Body ECM

  1. #196
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Nice progress. Can you look at the end of injection target and how it is used by the tpu. The math here is some what guessed it will be nice to get a confirmation how to convert the eoit target to degrees.

    14d6 is modified before and after the EOIT target is updated in the tpu.?/some timer maybe. it is missing on the 94-95 code.
    These are the other tpu addresses, there are 4 of them. Could be for some individual eoit targets by cylinders.
    Code:
    loc_5F28:
    std     byte_EA
    lsrd
    lsrd
    lsrd
    lsrd
    adcb    #0
    adca    #0
    pshb
    tab
    clra
    std     word_141C
    std     word_141E
    pulb
    std     word_143C
    std     word_143E
    The value of EOIT target is 00-6f, First digit could be low res pulses from TDC, and the second digit could be some % between low res pulse. 0-f=15 90*/15=6* accuracy.
    It is only speculations but it is also the most logic one.

  2. #197
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by Tom H View Post
    I wrote a simple test that writes a table of values to $1400 and $14B2. I believe $1400 to be injection pulse width and $14B2 to be injector offset. While monitoring the injection signal, I changed both PW and Offset. I looks like the two are added and the pulse width is the sum of both. Next is to measure pulse width vs EClock.
    I posted quickly and missed important detail perhaps obvious (?)
    $1400 is one of eight pulse width channels, there is one for each injector. $1400, $1402, $1404, $1406, $1408, $140A, $140C, $140E are the addresses used to set pulse width. The GM design assumes that all the injectors are powered with the same voltage (I am sure that is valid). The 2port RAM at $14B2 is added to each of the pulse widths to adjust for the delay between when the TPU fires the injector and when fuel starts to flow.

    I will be on the outlook for a similar register with a multiplication factor that might be built in to handle fuel pressure variations. This is not in the system design but might be built in as a contingency.

    Wonder if anyone can name all (most) of the 2port RAM addresses GM uses to set pulse width in the various modes. Since I can't get at the internal code to figure this out, all I can do is to work through more and more assembly code.
    -Tom

  3. #198
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    Can you look at the end of injection target and how it is used by the tpu. The math here is some what guessed it will be nice to get a confirmation how to convert the eoit target to degrees.

    14d6 is modified before and after the EOIT target is updated in the tpu.?/some timer maybe. it is missing on the 94-95 code.
    These are the other tpu addresses, there are 4 of them. Could be for some individual eoit targets by cylinders.


    The value of EOIT target is 00-6f, First digit could be low res pulses from TDC, and the second digit could be some % between low res pulse. 0-f=15 90*/15=6* accuracy.
    It is only speculations but it is also the most logic one.
    EOIT is next up. What can you tell me about locations $1580,2,4,6,8,A,C,E? I believe they are involved with EOIT.

    -Tom

  4. #199
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    What can you tell me about locations $1580,2,4,6,8,A,C,E? I believe they are involved with EOIT.
    Not much. They seem related to the injectors BPW tpu values for the 8th cylinders. They are only cleared by eside. which means they can be some timers related to bpw. On 94-95 code there is some extra code which is runned only 8 low opti pulses. Seems to be in pair with 1400-140e. when one of this is set the corresponding 1580-e is cleared. That is done 1 time for each cylinder at startup. It could be related with some batch firing.

  5. #200
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    Can you look at the end of injection target and how it is used by the tpu. The math here is some what guessed it will be nice to get a confirmation how to convert the eoit target to degrees.

    14d6 is modified before and after the EOIT target is updated in the tpu.?/some timer maybe. it is missing on the 94-95 code.
    These are the other tpu addresses, there are 4 of them. Could be for some individual eoit targets by cylinders.


    The value of EOIT target is 00-6f, First digit could be low res pulses from TDC, and the second digit could be some % between low res pulse. 0-f=15 90*/15=6* accuracy.
    It is only speculations but it is also the most logic one.
    I re-wrote my test tool to give easier access to TPU. I am looking at this now. Do you have a notion how the TPU enters batch fire mode? If no, are the details of what conditions cause the PCM to enter batch fire?


    -Tom

  6. #201
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    It is not clear if the Pcm have a batch fire mode. It is only a guess. One guy measured that the first 2 pulses at starting, the injectors are fired at the same time and that is all I know. I suspect that when the high res signal is lost the pcm can command batch fire mode.
    Code:
    ldab    #$E
    ldaa    #$10
    std     word_1496
    ldaa    word_15CA
    ldd     word_15CA
    std     word_1598
    These are somehow changed on high res error. The error sets byte_1 $20.

    I have a plan to patch the eside to store some tpu data to ram and than read that values on the engine running. Do you need something specific to be checked.

  7. #202
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    I have a plan to patch the eside to store some tpu data to ram and than read that values on the engine running. Do you need something specific to be checked.
    Hi,
    You probably already know but...

    The sequence for reading a word from TPU is to read the high order followed by reading the word. It is important that this sequence not be interrupted or invalid data will result. I made a code error and did not disable interrupts across the sequence. The result was that from time to time data was invalid. You will need to disable interrupts, do an 8b read and then a 16b read then enable interrupts again. There is some suggestion that some locations will need a small (2 cycle) delay between the 8b and 16b reads. A NOP will take care of that if it is necessary.

    The GM test setup is not known to me other than pieces of code that still reside in the production code. This code is enabled only when the test set is detected. They had code there for monitoring the TPU (at least in '97). Here is a snip of that code. It references a location in the calibration where the address of the target TPU location is.

    Code:
    * CALIBRATION $3B85 IS SET TO POINT AT A TPU 
    * LOCATION TO BE MONITORED. DEFAULT $0000
    409C  FE 3B 85        LDX    $3B85        ; CALIBRATION: $0000
    409F  0F              SEI            ; 
    
    40A0  A6 00           LDAA   $00,X        ; 
    40A2  01              NOP            ; 
    40A3  EC 00           LDD    $00,X        ; 
    40A5  FD 04 4D        STD    $044D        ; 
    
    40A8  0E              CLI            ;
    This code is never executed in normal operation. Hope this is of use.

    -Tom

  8. #203
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    EOIT is next up. What can you tell me about locations $1580,2,4,6,8,A,C,E? I believe they are involved with EOIT.

    They seem related to the injectors BPW tpu values for the 8th cylinders.
    They are only cleared by eside. which means they can be some timers related to bpw.
    On 94-95 code there is some extra code which is runned only 8 low opti pulses.
    Seems to be in pair with 1400-140e. when one of this is set the corresponding 1580-e is cleared.
    That is done 1 time for each cylinder at startup. It could be related with some batch firing.
    I had a look at the $1580 - E register set this morning. They do correspond with the $1400 - E set. My test wrote various values into the $1400s and when I read back $1580s the values match 1:1 for each of the eight registers. Plan to look at how adjustments to the pulse width affect the 1580s. For example Injector Offset.
    My working assumption is that the 1580 set controls the pulse width and when the 1400 set is changed some sort of smoothing / filtering takes place such that the change isn't a step function. Almost need to design a whole test just to check how this works. There is just so little ram to work with down low.

    -Tom

  9. #204
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    $400-7ff is ram and $800-dff is some code. I have seen this unreferenced code in all kind of other pcm and it doesn`t seem to do anything unless it is runned by some processor inside the main or by the tpu. If that is a pointer to the code start it makes sense. You can always expand the ram to the flash but having a reflash by bootstrap will be too much work I guess. I can rip some of the code gm uses to reflash the chip, especially the erase and write portions.

    My next to do is to get some running values of the inj pairs and see how they correlate. It could be some timer that gets updated. Smoothing is too much work for the TPU, usually it is done by eside. If it is indeed a smoothing there will be some scalar for it, that will define the rate. I wish you could rip the full code from the tpu and we can figure the instruction code. It will save us tons of a guess work.

  10. #205
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    I wish you could rip the full code from the tpu and we can figure the instruction code. It will save us tons of a guess work.
    Agree, but not having any spec for the chip it is hard to see how to read the content. As a recap... Thinking so far is that the microcode I see loaded is just an addendum to the hard coded that the '95s use. The registers at $16F0, C and E are involved with the loading of this code and I think this is understood to a good degree. It is possible that the hard coded program is also used in a specific mode to load the addendum. My only hope to read back the store is that there is another mode that dumps the store to the two ported ram in the $14/15xx range.

    If we can't read the store and unless you see a better way, an iterative approach of speculate:test:confirm is all that we can do (?)

    -Tom

  11. #206
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    I wish you could rip the full code from the tpu and we can figure the instruction code. It will save us tons of a guess work.
    Last ditch effort re readback of internal rom. Looking at the published TPU documentation I read the following:

    Code:
    4.6.1 Test Configuration Register
    The TPU module has one test register to configure and control the module for test purposes. This
    register resides in supervisor data space. Access to this register is also qualified by the MCU
    being in test mode. When read from supervisor data space in nontest mode, the test register reads
    as $0000. In addition to using this register for testing the TPU, a test submodule, described in the
    MC68332 user’s manual (document number MC68332UM/AD (formerly MC68332 SIM User’s
    Manual)) is extensively used in testing the TPU module.
    I notice that the entire $17xx reads back as $0000. Now I wonder if this is a designated "supervisor " area. I have no clue how to enter supervisor or test mode, although they probably exist for development. Can't spend more time on this, just spinning wheels. Plan to continue to find out about TPU from it's reaction to stim.

    -Tom

  12. #207
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Code:
    RESERVED:A4B3                 ldaa    #$40 ; '@'
    RESERVED:A4B5                 clrb
    RESERVED:A4B6                 std     word_16FE
    RESERVED:A4B9                 nop
    RESERVED:A4BA                 nop
    RESERVED:A4BB                 nop
    RESERVED:A4BC                 clra
    RESERVED:A4BD                 ldab    #3
    RESERVED:A4BF                 std     word_16F0
    RESERVED:A4C2                 ldx     #$A87A
    RESERVED:A4C5                 ldy     #$1400
    RESERVED:A4C9
    RESERVED:A4C9 loc_A4C9:                               ; CODE XREF: _TPU_scalar_resetsub_A4A4+46j
    RESERVED:A4C9                 ldd     0,x
    RESERVED:A4CB                 std     word_16E0
    RESERVED:A4CE                 ldd     2,x
    RESERVED:A4D0                 std     word_16E2
    RESERVED:A4D3                 ldd     4,x
    RESERVED:A4D5                 std     word_16E4
    RESERVED:A4D8                 ldd     6,x
    RESERVED:A4DA                 std     word_16E6
    RESERVED:A4DD                 sty     0,y
    RESERVED:A4E0                 iny
    RESERVED:A4E2                 iny
    RESERVED:A4E4                 ldab    #8
    RESERVED:A4E6                 abx
    RESERVED:A4E7                 cpx     #$B07A
    RESERVED:A4EA                 bcs     loc_A4C9
    RESERVED:A4EC                 ldd     #0
    RESERVED:A4EF                 std     word_16F0
    Looking again at this code, It is the missing puzzle. I somehow under looked what it does.
    Lets make a new brief analysis.
    clra
    ldab #$44 ; 'D'
    std word_16FC

    This is some form of soft reset. A pause is made after that, so that suggest that some time is needed for the TPU to finish the initiated task.

    Than we have
    ldaa #$40 ; '@'
    clrb
    std word_16FE
    Some form of interrupt disable.

    nop
    nop
    nop

    small pause
    clra
    ldab #3
    std word_16F0

    The most important register. Some sort of switch that enables TPU config. Unlocking some config???

    That part is really interesting


    loc_A4C9:
    ldd 0,x
    std word_16E0
    ldd 2,x
    std word_16E2
    ldd 4,x
    std word_16E4
    ldd 6,x
    std word_16E6
    sty 0,y
    iny
    iny
    ldab #8
    abx
    cpx #$B07A
    bcs loc_A4C9


    We have $800 bytes that are stored to buffer[16e0-16e8] in 8bytes a cycle,
    each cycle 8 bytes are written to the same buffer[16e0-16e8]. What is the purpose of it. The TPU reads the buffer each cycle and copies it to another location.
    The most interesting part is that each cycle a word from 1400-1600 range is read and stored at the same location. For example the first cycle the eside reads the value of 1400 and than stores it again at 1400, 2nd cycle at 1402, 3rd cycle at 1404, and so on until the end of 1600 is reached.
    The real reason for this sequence is hardly imaginable. Could this be some pointer for the TPU to store the buffer at specific location. 2 dword long.


    When the $800 bytes are transferred to tpu the
    ldd #0
    std word_16F0
    register is cleared. exiting setup mode.


    Can we assume there is a backdoor for debugging. Bootstrap the tpu if it even exist might be the only option.

    When you are doing the tpu testing, does the tpu gets initialized by the routine at A4A4.

    I can`t think of any other unintrusive ways of hacking the chip.


    Make a list of the more important registers and start setting them on a sequence base and check the 1700- range for any available data.

  13. #208
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    Looking again at this code, It is the missing puzzle. I somehow under looked what it does.
    Hi,

    Post 120: http://www.gearhead-efi.com/Fuel-Inj...ll=1#post79688
    from this thread details some of what you have found. If you could send along the content of the $800 bytes, I will see if they are the same between years. The fact that the '95 contains this code is a game changer. It re-opens the possibility that the $800 bytes are the whole microcode. If true, there is analysis I was well into before the suggestion that the $800 were just addendum came up. Once I get a look that effort can be re-started.

    This is the best hope for understanding the TPU yet. Onward&upward.

    -Tom
    Last edited by Tom H; 02-28-2020 at 02:52 PM.

  14. #209
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi,

    I wonder if someone could give me information about XDF files. I would like details of the format used in these files. Best would be a specification, but a web page or thread URL would work as well.

    Thanks,
    Tom

  15. #210
    Fuel Injected!
    Join Date
    Nov 2017
    Location
    Californiacation
    Age
    57
    Posts
    811
    I have only used TunerPro a couple of times out of pure curiousity. I just noticed this thread, not sure it will help but here's a link anyway. http://www.gearhead-efi.com/Fuel-Inj...0500#post80500
    -Carl

Similar Threads

  1. 94-95 LT1 $EE Y-body vs. F/B-body PCM differences
    By johnny_b in forum GM EFI Systems
    Replies: 5
    Last Post: 01-15-2023, 02:41 PM
  2. Tuner Pro XDF 1999-2000 F Body + Y Body
    By john h in forum OBDII Tuning
    Replies: 33
    Last Post: 02-02-2020, 11:12 PM
  3. Replies: 31
    Last Post: 09-20-2018, 06:00 AM
  4. F-body engine install to B-body
    By serge_an in forum GM EFI Systems
    Replies: 4
    Last Post: 09-22-2016, 02:51 PM
  5. 95 F-body Fuel Pump with 95 B-Body Engine/Tank
    By EPS3 in forum GM EFI Systems
    Replies: 7
    Last Post: 09-19-2016, 02:40 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •