
Thread: OBD2 LT1 XDF $EE EEX creation

  1. #121
    Fuel Injected!
    Join Date
    Nov 2017
    Location
    Californiacation
    Age
    57
    Posts
    817
    Quote Originally Posted by In-Tech View Post
    Yes please, Steveo, if you can whip me/us up a quick test version we might have an answer shortly before I head to the shop today or I will do some testing when I get home, I only have a '96 here to test on though.



    There was a reason I was asking someone to test the pin for flashing CEL and it wasn't for checking codes
    Yes, Steveo, it runs fine on my Win7 machine.

    There is a procedure that I am playing with on the '96 here and it shows promise. I'll see if I can track down a 94/95 pcm today to test/blow up.
    -Carl

  2. #122
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by steveo View Post
    - set the SCI baud rate with a byte of 1s or 0s. FF=low baud 00=high baud (should be 8192 with this processor, right?)
    Looked it up for you... With our crystal frequency the two speeds are 1,890 and 12,288. As I previously mentioned, my serial cable does not work at 12,288.

    User sends $FF and IF received correctly, baud rate is 12,288.
    User sends $FF at slower rate, the start bit will be much wider and FF will not be received, probably a $07 or $0F. In this case code changes baud to 1890.

    User sends $00 or break and it jumps to EEPROM and runs whatever is there.

    -Tom

  3. #123
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi,
    Yesterday I wrote some code that dumps out the content of flash in bootstrap mode. To do this, it was necessary to remove both bootstrap ROM and EEPROM from the memory map. This done, the routine works and is able to dump the entire content.

    Should we want to include this in other software, the output format may need to be changed. I will rely on you to tell me the format that should be returned. For now, this is what I used:

    [DEVICE]
    $F4
    [LENGTH]
    $D7
    [MODE]
    $06
    [MESSAGE …]
    $AA

    Followed by $80 hex bytes

    [CHECKSUM]
    $xx

    Code for this is below. It is downloaded into the PRU at $1810 and executed there. Since it is a reply to download and execute, the reply is mode $06. I was not sure if the reply should start with $AA or $55 because there are a total of 448 replies.

    Also, I have found the enable signal for the flash VPP generator. The actual regulator is on the Eside. There is a control on the Tside and perhaps (?) there could be one on the Eside. I will do a bit of investigation today and see what I can find. Please let me know if you have changes to suggest to the format of the replies. Code is below.

    -Tom

    Code:
            ORG    $0000            ; SET ORIGIN
    
            DB    $F4            ; TARGET DEVICE
            DB    $81            ; LENGTH
            DB    $06            ; UPLOAD AND EXECUTE PROGRAM SEGMENT
            DB    $18            ; ADDRESS H
            DB    $10            ; ADDRESS L
    
            LDY    #$2000            ; INITIAL LOCATION LESS $80
    
    NEXT_BLOCK    LDX    #$1F7E            ; BUFFER
    
            LDD    #$06AA            ; MODE:MESSAGE BYTE 1
            STD    $00,X            ; A-OK
    
            LDAB    #$80            ; SET THE BYTE COUNT
    
            CPY    #$0000            ; TEST FOR COMPLETE
            BEQ    COMPLETE        ;
    
    
    XFER_LOOP    LDAA    $00,Y            ; READ FLASH
            STAA    $02,X            ; SAVE TO BUFFER
    
            INY                ; INCREMENT SOURCE
            INX                ; INCREMENT DESTINATION
    
            DECB                ; DECREMENT COUNT
            BNE    XFER_LOOP        ; LOOP TILL ZERO
    
            LDX    #$1F7E            ; BUFFER HEAD
    
            LDAB    #$82            ; MESSAGE CONTENT LENGTH
            JSR    $0008            ; D_SEND_ALDL
    
            BRA    NEXT_BLOCK        ; 
    
    COMPLETE    RTS                ; 
    
            DB    $CD            ; CHECKSUM
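
Added example (not from the thread and not Tom's code): a host-side check for the dump replies described in post #123, which splits a capture into $85-byte frames, validates each one and reassembles the $2000-$FFFF image. It assumes the replies arrive back to back with nothing else on the line, that LENGTH is $55 plus the number of bytes between LENGTH and CHECKSUM (which gives the $D7 quoted above), and that the checksum makes the whole frame sum to zero modulo 256; all function names are hypothetical.

```python
# Added example; the framing rules are assumptions stated in the lead-in.
DEVICE, MODE, MARKER = 0xF4, 0x06, 0xAA   # values from the post
BLOCK = 0x80                              # data bytes per reply
FLASH_START, FLASH_END = 0x2000, 0x10000  # region the dump routine walks
EXPECTED_BLOCKS = (FLASH_END - FLASH_START) // BLOCK   # 448 replies
LENGTH = 0x55 + 2 + BLOCK                 # assumed offset-$55 length: $D7
FRAME_SIZE = 2 + 2 + BLOCK + 1            # device, length, content, checksum


def checksum(data: bytes) -> int:
    """Assumed convention: the byte that makes the frame sum to 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_reply(block: bytes) -> bytes:
    """Constructed test helper: frame one $80-byte block as a reply."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly $80 bytes")
    body = bytes([DEVICE, LENGTH, MODE, MARKER]) + block
    return body + bytes([checksum(body)])


def parse_replies(stream: bytes) -> list:
    """Split a captured byte stream into validated $80-byte data blocks."""
    blocks = []
    for n, off in enumerate(range(0, len(stream), FRAME_SIZE)):
        frame = stream[off:off + FRAME_SIZE]
        if len(frame) < FRAME_SIZE:
            raise ValueError(f"reply {n}: truncated ({len(frame)} bytes)")
        if tuple(frame[:4]) != (DEVICE, LENGTH, MODE, MARKER):
            raise ValueError(f"reply {n}: bad header {frame[:4].hex()}")
        if sum(frame) & 0xFF:
            raise ValueError(f"reply {n}: checksum mismatch")
        blocks.append(frame[4:-1])
    return blocks


def reassemble(stream: bytes) -> bytes:
    """Return the $2000-$FFFF image, refusing short or long captures."""
    blocks = parse_replies(stream)
    # Replies carry no address, so a dropped reply is only visible as a count.
    if len(blocks) != EXPECTED_BLOCKS:
        raise ValueError(f"expected {EXPECTED_BLOCKS} replies, got {len(blocks)}")
    return b"".join(blocks)


def address_of(image_offset: int) -> int:
    """Map an offset in the reassembled image back to a PCM address."""
    return FLASH_START + image_offset
```

Because these replies carry no address, a lost reply can be detected by the count but not located; a flipped byte inside a reply is caught by that reply's checksum.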

  4. #124
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    The read format being used

    f4 5c 06 02 00 20 0b 20 00 fd

    f4 d9 06 aa 20 00 ?\... .?.???.??.
    00 f7 3d ff 14 00 00 20 00 ff 00 40 40 40 40 40 .?=?... .?.@@@@@
    40 40 40 40 40 40 40 40 40 40 40 02 02 50 f2 50 @@@@@@@@@@@..P?P
    40 c5 50 60 20 50 ba fe fe fe fe 80 80 08 88 05 @?P` P???????.Ђ.
    0b 60 05 10 00 00 00 00 11 44 44 44 44 44 44 44 .`.......DDDDDDD
    44 44 39 33 2e 25 1f 1c 17 17 44 44 44 44 44 44 DD93.%....DDDDDD
    44 44 44 39 33 2e 28 22 1c 17 17 44 44 44 44 44 DDD93.("...DDDDD
    44 44 4a 47 39 33 2e 28 22 1c 1c 1c 47 50 50 50 DDJG93.("...GPPP
    50 50 50 50 44 3f 3f 39 33 28 22 1c 1c 47 50 5b PPPPD??93("..GP[
    2e
    request
    f4 5c 06 [02 00] [20 0b] [20 00] [xx]

    [02 00]=load address
    [20 0b]=code bra to
    [20 00]=start address of data to be read
    [xx]=chks


    response
    f4 d9 06 aa [20 00] [data ....] [chks]

    [2000] is the memory offset the data is being read.

  5. #125
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    The read format being used
    Thank you. Is the device $F4 for both T & E sides?

    -Tom

  6. #126
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    It is f4=tside and e4=eside.

  7. #127
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    I have had a look into the issue of lighting up VPP from the ESide. Not sure why it is so complex but I will explain what I see and request a little help...

    On the Eside, the small 8pin soic between the cpu and the heat spreader is the VPP regulator. Output is pin 1. VPP is connected to both flash. It runs between boards on pin 13 of the ribbon.

    Tside PRU port A bit 7 enables the regulator through a Rube Goldberg circuit, that is to say: it connects to some unidentified Philips chip marked 16127472 on pin 8. The Philips chip outputs an OR function of that input and the one from the ESide that connects on pin 9. The connection to pin 9 crosses the ribbon on pin 15 of the cable and is sourced by Eside PRU Port A bit 7. The Philips chip outputs the ORed enable on pin 10, this is a high going enable. The enable again crosses on the ribbon cable on pin 20. Now back on the Eside ribbon pin 20 drives the base of two NPN transistors, one of which enables the 12V VPP regulator.

    I believe when the two boards are properly connected by a ribbon (mine are not at the moment) both sides can enable VPP.

    The explanation above is almost too muddled to post, so here is my ask: I can't test this until my connector parts arrive. Could someone try enabling VPP from the Eside? All it would take is a write to location 1800 and 1801 with bit 7 high.
    If this works out we can move to integrate UnBrick.

    -Tom

  8. #128
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    It looks like it will work in case the hardware links are there.

    On both 94-95 and 96-97 pcms the vpp enable bit is at tside $1800 bit $80.
    I checked the eside diss and 1800 $80 is not used anywhere in the code. So it is very likely that it will work. Do you think eside can sense vpp voltage?

    1801 $80 is set high so it is useless to test.

    Steveo should be able to make a quick code upload to eside with part of the vpp routine and modify the tside vpp to read the voltage after that to confirm.

    I will also be able to test it but I have no idea when that can happen.

    Edit:

    I looked at some of the flash code and it looks like that the short_vpp is actually a read only vpp voltage routine. It can be used to read the vpp with it from tside.
    Last edited by kur4o; 06-02-2020 at 01:14 AM.

  9. #129
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    It looks like it will work in case the hardware links are there.
    I think it is the way I stated in the rambling explanation BUT not 100% sure because my TSide is not connected or powered. I need to get this back working.

    Quote Originally Posted by kur4o View Post
    On both 94-95 and 96-97 pcms the vpp enable bit is at tside $1800 bit $80,
    I checked the eside diss and 1800 $80 is not used anywhere in the code. So it is very likely that it will work.
    All depends on the function of the Philips mystery chip

    Quote Originally Posted by kur4o View Post
    Do you think eside can sense vpp voltage?
    Yes. Although different a/d converters are used. I have re-written the routine, it works.

    Quote Originally Posted by kur4o View Post
    1801 $80 is set high so it is useless to test.
    It needs to be high to drive the output. In my case I am not running with GM code so none of the defaults are taken care of unless I do.

    Quote Originally Posted by kur4o View Post
    Steveo should be able to make a quick code upload to eside with part of the vpp routine and modify the tside vpp to read the voltage after that to confirm.

    I will also be able to test it but I have no idea when that can happen.
    Great. If you or Steveo would like my code for turn on from ESide, just ask

    Quote Originally Posted by kur4o View Post
    Edit:
    I looked at some of the flash code and it looks like that the short_vpp is actually a read only vpp voltage routine. It can be used to read the vpp with it from tside.
    For me, if the code in a PCM is trashed, best to work with one processor at a time. That way you don't rely on something that isn't solid.

  10. #130
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    Quote Originally Posted by Tom H View Post
    Yes. Although different a/d converters are used. I have re-written the routine, it works.
    Can you post the code, I will try to adapt it for 94-95 eside.

    I need mostly the port G config and the AD lookup for ign voltage and vpp voltage.

  11. #131
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    Can you post the code, I will try to adapt it for 94-95 eside.

    I need mostly the port G config and the AD lookup for ign voltage and vpp voltage.
    Code you need is below, I included both turn on and off. Port G is a factor on the Tside but not here. Analog goes straight to the processor inputs. Let me know if there is anything else that can help.

    -Tom



    Code:
    *************************************************
    * APPLY VPP 12 VOLT: VPPH
    *************************************************
    SET_VPPH	LDAA	#$00			; START A/D CONVERTER CH0
    		STAA	CPU_ADCTL		; 
    		ASLD				; TIME DELAY TO A/D COMPLETE
    		MUL				; 
    		MUL				; 
    		MUL				; 
    		LDAA	CPU_ADR1		; ESIDE PCM IGNITION VOLTAGE
    
    		STAA	@IGN_VOLTAGE		; IGNITION VOLTAGE FOR REPLY
    
    		CMPA	#$66			; 10.2 VOLTS
    		BCS	VPPH_ERR_IVOOR		; IGNITION UNDER VOLTAGE
    
    		CMPA	#$A1			; 16.1 VOLTS
    		BLS	VPPH_IVIR		; IGNITION VOLTAGE IN RANGE
    
    VPPH_ERR_IVOOR	LDD	#$0602			; MODE 6 MESSAGE: IGNITION VOLTAGE OUT OF RANGE
    		BRA	VPPH_SEND_MSG		; SEND MESSAGE
    
    VPPH_IVIR	LDAA	PRU_PA			; PRU PORT A
    		ORAA	#$80			; TURN ON VPP
    		STAA	PRU_PA			; UPDATE AND WAIT FOR VPP TO SETTLE
    
    		JSR	@D_RESET_COP		; RESET COP TIMERS
    		JSR	@D_D10MS_DELAY		; 10MS DELAY
    		JSR	@D_RESET_COP		; RESET COP TIMERS
    		JSR	@D_D10MS_DELAY		; 10MS DELAY
    
    		LDAA	#$01			; START A/D CONVERTER CH1
    		STAA	CPU_ADCTL		; 
    		ASLD				; TIME DELAY TO A/D COMPLETE
    		MUL				; 
    		MUL				; 
    		MUL				; 
    		LDAA	CPU_ADR1		; READ VPP VOLTAGE
    
    		STAA	@VPP_VOLTAGE		; VPP VOLTAGE FOR REPLY
    
    		CMPA	#$BC			; 10.5 VOLTS
    		BCS	VPPH_ERR_PVOOR		; VPP UNDER VOLTAGE
    
    		CMPA	#$E9			; 13.0 VOLTS
    		BLS	VPPH_PVIR		; VPP IN RANGE
    
    VPPH_ERR_PVOOR	LDAA	PRU_PA			; VPP UNDER/OVER VOLTAGE
    		ANDA	#$7F			; TURN OFF VPP
    		STAA	PRU_PA			; UPDATE
    
    		LDD	#$0603			; MODE 6 MESSAGE: VPP 12V OUT OF RANGE
    		BRA	VPPH_SEND_MSG		; SEND MESSAGE
    
    VPPH_PVIR	LDD	#$06AA			; MODE 6 MESSAGE: APPLY VPP 12V SUCCESS
    
    VPPH_SEND_MSG	PSHX				; MAKE ROOM FOR MESSAGE CONTENT ON STACK
    		PSHX				; 
    
    		TSX				; MESSAGE POINTER TO IX
    
    		STD	$00,X			; SET MESSAGE CONTENT
    		LDAA	@IGN_VOLTAGE		; 
    		LDAB	@VPP_VOLTAGE		; 
    		STD	$02,X			; 
    
    
    		LDAB	#$04			; MESSAGE PAYLOAD 4 BYTES
    		JSR	@D_SEND_ALDL		; SEND MESSAGE
    
    		PULX				; RESTORE STACK POSITION
    		PULX				; 
    
    		RTS				; DONE
    
    
    
    
    *************************************************
    * REMOVE VPP 12 VOLT: VPPL
    *************************************************
    SET_VPPL	LDAA	PRU_PA			; PRU PORT A
    		ANDA	#$7F			; TURN OFF VPP
    		STAA	PRU_PA			; UPDATE
    
    		LDAA	#$00			; START A/D CONVERTER CH0
    		STAA	CPU_ADCTL		; 
    		ASLD				; TIME DELAY TO A/D COMPLETE
    		MUL				; 
    		MUL				; 
    		MUL				; 
    		LDAA	CPU_ADR1		; ESIDE PCM IGNITION VOLTAGE
    
    		STAA	@IGN_VOLTAGE		; IGNITION VOLTAGE FOR REPLY
    
    		LDAA	#$C8			; WAIT LOOP 200MS
    		JSR	N_X_1MS_DELAY		; 
    
    		LDAA	#$01			; START A/D CONVERTER CH1
    		STAA	CPU_ADCTL		; 
    		ASLD				; TIME DELAY TO A/D COMPLETE
    		MUL				; 
    		MUL				; 
    		MUL				; 
    		LDAA	CPU_ADR1		; READ VPP VOLTAGE
    
    		STAA	@VPP_VOLTAGE		; VPP VOLTAGE FOR REPLY
    
    		CMPA	#$5A			; 9 VOLTS
    		BLS	VPPL_PVIR		; VPP IN RANGE
    
    		LDD	#$0604			; MODE 6 MESSAGE: VPP OPERATIONAL OUT OF RANGE
    		BRA	VPPL_SEND_MSG		; VPP OUT OF RANGE
    
    VPPL_PVIR	LDD	#$06AA			; MODE 6 MESSAGE: REMOVE VPP 12V SUCCESS
    
    VPPL_SEND_MSG	PSHX				; MAKE ROOM FOR MESSAGE CONTENT ON STACK
    		PSHX				; 
    
    		TSX				; MESSAGE POINTER TO IX
    
    		STD	$00,X			; SET MESSAGE CONTENT
    		LDAA	@IGN_VOLTAGE		; 
    		LDAB	@VPP_VOLTAGE		; 
    		STD	$02,X			; SET MESSAGE CONTENT
    
    
    		LDAB	#$04			; MESSAGE PAYLOAD 4 BYTES
    		JSR	@D_SEND_ALDL		; SEND MESSAGE
    
    		PULX				; RESTORE STACK POSITION
    		PULX				; 
    
    		RTS				; DONE

  12. #132
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote Originally Posted by kur4o View Post
    The read format being used

    request
    f4 5c 06 [02 00] [20 0b] [20 00] [xx]

    [02 00]=load address
    [20 0b]=code bra to
    [20 00]=start address of data to be read
    [xx]=chks


    response
    f4 d9 06 aa [20 00] [data ....] [chks]

    [2000] is the memory offset the data is being read.
    It will be hard for me to get to that format. My loader takes: [DEVICE ID] [LENGTH] [MODE] [MESSAGE …] [CHECKSUM]

    In the case of mode $06 (that is all I look for/process) the first two bytes of [Message ...] are taken to be the load address and the execute address. I think the loader plus the support for re-flash take up almost the whole internal ram. Perhaps we could use a reply with message starting with $55 to show more messages will follow. Last to have $AA. My intent here is to dump the whole flash to enable someone to see if it is corrupt. Another thought is to just dump the binary with an appended checksum thus bypassing all the GM format. Thoughts? I have about 16 bytes that remain before I need to start removing stuff.
    -Tom

  13. #133
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    That is great. I feel confident it will work at the end.

    The channel 0 matches the ign lookup on eside and channel 1 is stored once but never used, so it is likely the vpp circuit there.

    I will mod the tside vpp to work at eside and will give it a try later.

  14. #134
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    Quote Originally Posted by Tom H View Post
    It will be hard for me to get to that format. My loader takes: [DEVICE ID] [LENGTH] [MODE] [MESSAGE …] [CHECKSUM]

    In the case of mode $06 (that is all I look for/process) the first two bytes of [Message ...] are taken to be the load address and the execute address. I think the loader plus the support for re-flash take up almost the whole internal ram. Perhaps we could use a reply with message starting with $55 to show more messages will follow. Last to have $AA. My intent here is to dump the whole flash to enable someone to see if it is corrupt. Another thought is to just dump the binary with an appended checksum thus bypassing all the GM format. Thoughts? I have about 16 bytes that remain before I need to start removing stuff.
    -Tom

    If there is no space just use what is possible. In the end it will be much easier to add different reading format on the app side than mod the pcm side to cover the existing one.

  15. #135
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,475
    Here is modded vpp for eside. Someone willing to upload to eside and report results.
    Attached Files
