Thread: OBD2 LT1 XDF $EE EEX creation

  1. #16
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote: Originally Posted by kur4o
    I did it on 94-95 code but I am sure they use the same code. On 96-97 there might be a slight difference, but when you get there I will give you a good start.
    Chip enable must be set high with vpp to enable most of the functions.
    Hi Kur4o,

    I am 95% through with the TSide schematic. This was a very difficult task... There are just a few chips that I am unable to identify. Two chips from Philips Semi. I believe one is some sort of amplifier and the other may be sample/hold/comparator. To finish work, I need to hook up a sound source and try to characterize the knock filter/ amp/ comparator. All this while simulating a running engine. This will take a while and I need a break SO...

    I re-wrote my disassembler and it is ready to work through your code. It will be interesting to see the GM code for programming
    -Tom

  2. #17
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi Steveo, Rocko
    For those with bricked PCMs...

    Before you remove the flash from the board, I think that there is a better way to refresh the module IF you are willing to wait a bit. Here is why:

    -Removing the FLASH chip opens the conformal coating of the board. Without this waterproof layer, condensation will result in intermittent problems/crashes.
    -Sockets (if used) are often not reliable in vibration

    Should you agree with that, all the signals needed to program the flash are available at the tester connector. This connector is unpopulated on my board and I have already used it to force my code into RAM & run test routines. I believe the same thing can be done with a programming routine. I cannot promise to work on this straight away, but it is something I plan to work through. The routine for the internal boot loader is published in the ref manual and works well for me. Although the later boards communicate with the outside world using class II, the regular serial NRZ can still be used with the boot loader to solve any loss of flash code that has happened.

    just an idea...

    -Tom

  3. #18
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Quote: Originally Posted by Tom H
    Hi Kur4o,

    I am 95% through with the TSide schematic. This was a very difficult task... There are just a few chips that I am unable to identify. Two chips from Philips Semi. I believe one is some sort of amplifier and the other may be sample/hold/comparator. To finish work, I need to hook up a sound source and try to characterize the knock filter/ amp/ comparator. All this while simulating a running engine. This will take a while and I need a break SO...

    I re-wrote my disassembler and it is ready to work through your code. It will be interesting to see the GM code for programming
    -Tom
    Here is for the 94-95 pcm. All labelled and commented so you can go through it really fast. I am sure the write and erase part will be almost identical in 96-97 pcm.

    I plan to make a diss of that too to compare the difference.
    Attached Files

  4. #19
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi kur4o,

    Quickest of looks --> great work. One question, is the code loaded into RAM $18xx-$1Fxx? Is this GM code? What was the process provided to GM techs? Is this code downloaded from the tester or hidden away somewhere in FLASH? Just trying to get my bearings on this.

  5. #20
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    On 94-95 in the expanded area there is no code from factory, I offset it there for a nicer look. Main loop is loaded at the 0-200 area and all the other routines are loaded at 200 start address one by one and overwritten. The data message buffer is at 300. It is sent by the tool. Nothing is in the PCM code, all sent by the tester.

    On 96-97 there is a more complex comm loop and the upload buffer is in 1800-on area, since the length of the message is like $400-$800 bytes. And that SPI relaying to eside.

  6. #21
    LT1 specialist steveo
    Join Date
    Aug 2013
    Posts
    4,007
    we have often suspected this is possible

    would love for someone to try or get more details/theories on how

    Quote: Originally Posted by Tom H
    Hi Steveo, Rocko
    For those with bricked PCMs...

    Before you remove the flash from the board, I think that there is a better way to refresh the module IF you are willing to wait a bit. Here is why:

    -Removing the FLASH chip opens the conformal coating of the board. Without this waterproof layer, condensation will result in intermittent problems/crashes.
    -Sockets (if used) are often not reliable in vibration

    Should you agree with that, all the signals needed to program the flash are available at the tester connector. This connector is unpopulated on my board and I have already used it to force my code into RAM & run test routines. I believe the same thing can be done with a programming routine. I cannot promise to work on this straight away, but it is something I plan to work through. The routine for the internal boot loader is published in the ref manual and works well for me. Although the later boards communicate with the outside world using class II, the regular serial NRZ can still be used with the boot loader to solve any loss of flash code that has happened.

    just an idea...

    -Tom

  7. #22
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Here are the 96-97 ones disassembled and offset. Not too commented but labelled for easy identification. Code is very similar to 94-95 with some extra crap added.
    Attached Files

  8. #23
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote: Originally Posted by kur4o
    Here are the 96-97 ones disassembled and offset. Not too commented but labelled for easy identification. Code is very similar to 94-95 with some extra crap added.
    Hi,

    Would it be possible to get the binary for the flash routines?

    -Tom

  9. #24
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Sure, here it is.
    Attached Files

  10. #25
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Quote: Originally Posted by Tom H
    Hi,

    Would it be possible to get the binary for the flash routines?

    -Tom
    Ooops, now understanding the files included ARE the binaries. I will comment the code and post... -Tom

  11. #26
    Fuel Injected!
    Join Date
    Sep 2012
    Location
    Huntsville, AL
    Posts
    237
    Well I got through another 40 parameters. I haven't dug into the disassemblies yet, just using BeyondCompare on the BIN files to do pattern matching between the files. There are definitely a few strange moves where the data will be bit for bit and then all of a sudden ONE value will change. Once I start looking at the disassemblies I'm sure it'll fill in the gaps.

  12. #27
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi,

    Started looking at the FLASH code. It is just what would be expected (for once). I am slowly working through some of the routines. I began with the '95 code because it is based on ALDL. For those with bricked modules who would like to revive them using bootstrap, these are the routines you will need.

    A quick update on some of what I am looking at: I have found a number of sent messages and a sequence for receive. Do we know all the messages for modes 5 & 6 of aldl?

    I have gone through the checksum section and found a message: 06 AA <checksum> . I believe length is inserted and the message becomes a mode 6 with content of AA <checksum> . Sound right??

    Here is that section of code:

    Code:
    *************************************************
    * CHECKSUM
    *************************************************
    1C2E  FE 1C 7A       	LDX	$1C7A		; CHECKSUM RANGE END ADDRESS
    1C31  FF 1C 7C       	STX	$1C7C		; COPY END ADDRESS
    
    1C34  FE 1C 78       	LDX	$1C78		; CHECKSUM RANGE START ADDRESS
    
    1C37  CC 00 00       	LDD	#$0000		; INITIAL VALUE OF SUM IS ZERO
    
    1C3A  18 CE 05 DC    	LDY	#$05DC		; WATCHDOG REFRESH COUNT:1500
    1C3E  09             	DEX			; START -1
    
    1C3F  08             	INX			; NEXT BYTE
    
    1C40  EB 00          	ADDB	$00,X		; KEEP SUM IN ACCD
    1C42  89 00          	ADCA	#$00		; ADJUST FOR CARRY OUT OF LS
    
    1C44  18 09          	DEY			; DECREMENT WATCHDOG REFRESH COUNTER
    1C46  26 06          	BNE	$1C4E		; COUNTER NOT EXPIRED
    
    1C48  9D 17          	JSR	@$17		; RESET WATCHDOG TIMERS
    1C4A  18 CE 05 DC    	LDY	#$05DC		; WATCHDOG REFRESH COUNT:1500
    
    1C4E  BC 1C 7C       	CPX	$1C7C		; LAST BYTE OF CHECKSUM
    1C51  26 EC          	BNE	$1C3F		; LOOP THROUGH BLOCK
    
    1C53  3C             	PSHX			; DECREMENT STACK 4 PLACES
    1C54  3C             	PSHX			; 
    
    1C55  30             	TSX			; INDEX TO STACK
    1C56  ED 02          	STD	$02,X		; OVERWRITE WITH MESSAGE MODE
    1C58  CC 06 AA       	LDD	#$06AA		; MODE 6 MESSAGE: UPLOAD,EXECUTE PROGRAM
    1C5B  ED 00          	STD	$00,X		; 
    1C5D  C6 04          	LDAB	#$04		; MESSAGE CONTENT, 4 BYTES: CHECKSUM
    1C5F  9D 14          	JSR	@$14		; SEND CHECKSUM MESSAGE
    
    1C61  38             	PULX			; RESTORE STACK POSITION
    1C62  38             	PULX			; 
    
    1C63  39             	RTS			; DONE
    
    1C64  00 00             			;
    
    
    
    *************************************************
    * DO NOT REFERENCE $1C75: LIKELY CRASH SITE
    *************************************************
    1C75  BD 1C 2E       	JSR	$1C2E		; NOT REFERENCED
    
    1C78  0000					; CHECKSUM RANGE START
    1C7A  0000					; CHECKSUM RANGE END
    1C7C  0000					; WORKING CHECKSUM RANGE END
    
    * NEXT BYTE IS INTERESTING IN THAT IT IS NOT
    * REFERENCED BY CODE. I BELIEVE THAT THIS IS 
    * A MISPLACED INSTRUCTION "RTS" THAT IS INTENDED
    * TO BE PAIRED WITH THE CODE AT $1C75. IN ANY
    * CASE IT IS UNUSED AND AS LONG AS $1C75 IS 
    * NEVER REFERENCED, IT WILL NOT CAUSE HARM.
    * IF $1C75 IS REFERENCED, THE CPU WILL INTERPRET
    * THE RANGE START/END AS CODE AND CRASH.
    1C7E  39					; NOT REFERENCED
    -Tom

  13. #28
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    06 aa is the positive response when upload is good, it can be followed with some data like 2 byte checksum or chipid.

    It is some standard frame response.

    1C75 BD 1C 2E JSR $1C2E ; NOT REFERENCED

    1C78 0000 ; CHECKSUM RANGE START
    1C7A 0000 ; CHECKSUM RANGE END
    1C7C 0000 ; WORKING CHECKSUM RANGE END
    This is the header that is uploaded via mode5 request for a checksum range.
    And you are right, it is 7e not bd. This was the initial version that crashes but wasn't fixed in the disassembly.
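
Added example, not part of either post above and not GM or forum code: a Python model of the checksum loop in post #27 and of the 06 AA <checksum> payload described in posts #27 and #28, for checking a reply on the host against a reference image. It assumes a full 64 KiB memory image and models only the 4 bytes passed to the send routine at $14; the function names, the helper load_at and the sample bytes are constructed, and the serial framing and watchdog calls are not modelled.

```python
"""Host-side model of the checksum routine at $1C2E (added example)."""

ADDR_SPACE = 0x10000  # 68HC11 16-bit address space


def pcm_checksum(mem: bytes, start: int, end: int) -> int:
    """16-bit additive sum of mem[start..end], end address included."""
    if len(mem) != ADDR_SPACE:
        raise ValueError("mem must model the full 64 KiB address space")
    if not (0 <= start < ADDR_SPACE and 0 <= end < ADDR_SPACE):
        raise ValueError("start and end must be 16-bit addresses")
    d, x = 0, start
    while True:
        d = (d + mem[x]) & 0xFFFF   # ADDB $00,X / ADCA #$00: carry into A, D wraps
        if x == end:                # CPX $1C7C / BNE $1C3F: exit only on equality
            return d
        x = (x + 1) & 0xFFFF        # INX: wraps past $FFFF when start > end


def reply_payload(checksum: int) -> bytes:
    """The 4 bytes the routine builds on the stack: 06 AA, then D high/low."""
    return b"\x06\xaa" + checksum.to_bytes(2, "big")


def verify_reply(payload: bytes, reference: bytes, start: int, end: int) -> bool:
    """Compare a received 06 AA <checksum> payload with a local reference image."""
    if len(payload) != 4 or payload[:2] != b"\x06\xaa":
        return False
    return int.from_bytes(payload[2:], "big") == pcm_checksum(reference, start, end)


def load_at(addr: int, data: bytes) -> bytes:
    """Hypothetical helper: place data at addr in a zero-filled 64 KiB image."""
    mem = bytearray(ADDR_SPACE)
    mem[addr:addr + len(data)] = data
    return bytes(mem)


# Constructed sample bytes, not taken from any PCM image.
START, END = 0x8000, 0x8004
GOOD = load_at(START, bytes([0xFF, 0xFF, 0x12, 0x34, 0x80]))
SWAPPED = load_at(START, bytes([0xFF, 0xFF, 0x34, 0x12, 0x80]))  # two bytes transposed
FLIPPED = load_at(START, bytes([0xFF, 0xFF, 0x12, 0x35, 0x80]))  # one bit changed

if __name__ == "__main__":
    reply = reply_payload(pcm_checksum(GOOD, START, END))
    print(reply.hex(" "))
    for name, image in (("good", GOOD), ("swapped", SWAPPED), ("flipped", FLIPPED)):
        print(name, verify_reply(reply, image, START, END))
```

The sum catches the single-bit change but not the transposed pair, so a matching 06 AA reply shows the block was not corrupted in transfer, not that the image is the intended one. Where that distinction matters, compare a read-back image byte for byte on the host.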

  14. #29
    Fuel Injected!
    Join Date
    Sep 2012
    Location
    Huntsville, AL
    Posts
    237
    I took a step back and realized there's still hundreds of parameters left. I started writing a script that takes in the '95 XDF, loads in all the scalars, tables and flags, then loads up the BeyondCompare output and steps through for matches. I'll include enough logic to handle little differences like individual cylinder fuel trims, which appear to be different from '95 to '96. Unless this is a waste of time...

  15. #30
    LT1 specialist steveo
    Join Date
    Aug 2013
    Posts
    4,007
    i'd be doing some disassembly at this point.. you have a lot of input now to label some things, and track those back to identify the code responsible for them. there are lots of things you won't be able to find the way you're going at it. for example where's the switch to disable the crank sensor? that one is pretty important for 96-97 cars with huge cams.
