Quote Originally Posted by RobertISaar View Post
up to 1FFF is RAM and "RAM"... I want to say a few auxiliary chips are addressed in that range in addition to some of the internal functions of the 6811F1 itself.

what you see in a pulled BIN in the earliest sections of RAM is likely whatever the flash tool has uploaded to the PCM as a download routine, that's why it looks like code.
you hit the nail on the head; i just wasn't seeing it.

so it seems like since all the bins on the internets are pulled using tunercat's winflash tool; and they have data in all of those sections; although an $EE bin file itself could be all 0x00 in that area....this also means theoretically that most bins on the internet have tunercat's bin read program still stuck in their first bytes, but with any volatile memory in a different state. i have compared most of my bins and found they're mostly identical in that area.

i find it suprising none of the programmers of these tools just 0x00 those areas? since lt1edit's read bins have identical code as bins from tunercat's tools, i can only assume that download routine was taken directly from a gm tool and probably is not original code.

so, all the flash read/write code is stored on the TECH tool and sent to the ecm with mode 6 then executed. i really need to get the entire flash routine now and pick it apart a bit.

one thing that bugs me is what's with the string tables in the data section of all EE bin files? i can theorize that the tech tool reads those just for convenience during flashes so it has the messages to display; but it still seems im missing something.

the F1 does have some onboard EEPROM, exact address is code dependant, but I would expect to see it in the E00 range.
yep! 0x0E00 seems to be the onboard memory, there's the vin number there on t-side.. e-side has one too but it's all 0xFF. 256 bytes i assume? this may be a cool spot to store stuff that's saved between flashes, or for a quick flash of some kind; perhaps store a table there to be reflashed in short without having to reflash the entire bin; as i'm sure this can be programmed independantly in the same way that vin changing tools work. i think i remember kur4o mentioning this before too.

I guess 12v is applied via a relay and is commanded from main processor.
I check board schematics and on the two flash chips this pin is connected to same locations and points to pin 1 on m36av chip on eside.
That is why there is some relay engaged in the code and points to 1803 and 1806 addresses.
I am still digging in the board so expect more updates.
awesome! is the relay perhaps for erase?

im going to get the whole flash routine and start to disassemble it.