Looked it up for you... With our crystal frequency the two speeds are 1,890 and 12,288. As I previously mentioned, my serial cable does not work at 12,288.
User sends $FF and IF received correctly, baud rate is 12,288.
User sends $FF at slower rate, the start bit will be much wider and FF will not be received, probably a $07 or $0F. In this case code changes baud to 1890
User sends $00 or break and it jumps to EEPROM and runs whatever is there.
-Tom
Hi,
Yesterday I wrote some code that dumps out the content of flash in bootstrap mode. To do this, it was necessary to remove both bootstrap ROM and EEPROM from the memory map. This done, the routine works and is able to dump the entire content.
Should we want to include this in other software, the output format may need to be changed. I will rely on you to tell me the format that should be returned. For now, this is what I used:
[DEVICE]
$F4
[LENGTH]
$D7
[MODE]
$06
[MESSAGE …]
$AA
Followed by $80 hex bytes
[CHECKSUM]
$xx
Code for this is below. It is downloaded into the PRU at $1810 and executed there. Since it is a reply to download and execute, the reply is mode $06. I was not sure if the reply should start with $AA or $55 because there are a total of 448 replies.
Also, I have found the enable signal for the flash VPP generator. The actual regulator is on the Eside. There is a control on the Tside and perhaps (?) there could be one on the Eside. I will do a bit of investigation today and see what I can find. Please let me know if you have changes to suggest to the format of the replies. Code is below.
-Tom
Code:ORG $0000 ; SET ORIGIN DB $F4 ; TARGET DEVICE DB $81 ; LENGTH DB $06 ; UPLOAD AND EXECUTE PROGRAM SEGMENT DB $18 ; ADDRESS H DB $10 ; ADDRESS L LDY #$2000 ; INITIAL LOCATION LESS $80 NEXT_BLOCK LDX #$1F7E ; BUFFER LDD #$06AA ; MODE:MESSAGE BYTE 1 STD $00,X ; A-OK LDAB #$80 ; SET THE BYTE COUNT CPY #$0000 ; TEST FOR COMPLETE BEQ COMPLETE ; XFER_LOOP LDAA $00,Y ; READ FLASH STAA $02,X ; SAVE TO BUFFER INY ; INCREMENT SOURCE INX ; INCREMENT DESTINATION DECB ; DECREMENT COUNT BNE XFER_LOOP ; LOOP TILL ZERO LDX #$1F7E ; BUFFER HEAD LDAB #$82 ; MESSAGE CONTENT LENGTH JSR $0008 ; D_SEND_ALDL BRA NEXT_BLOCK ; COMPLETE RTS ; DB $CD ; CHECKSUM
The read format being used
requestf4 5c 06 02 00 20 0b 20 00 fd
f4 d9 06 aa 20 00 ?\... .?.???.??.
00 f7 3d ff 14 00 00 20 00 ff 00 40 40 40 40 40 .?=?... .?.@@@@@
40 40 40 40 40 40 40 40 40 40 40 02 02 50 f2 50 @@@@@@@@@@@..P?P
40 c5 50 60 20 50 ba fe fe fe fe 80 80 08 88 05 @?P` P???????.Ђ.
0b 60 05 10 00 00 00 00 11 44 44 44 44 44 44 44 .`.......DDDDDDD
44 44 39 33 2e 25 1f 1c 17 17 44 44 44 44 44 44 DD93.%....DDDDDD
44 44 44 39 33 2e 28 22 1c 17 17 44 44 44 44 44 DDD93.("...DDDDD
44 44 4a 47 39 33 2e 28 22 1c 1c 1c 47 50 50 50 DDJG93.("...GPPP
50 50 50 50 44 3f 3f 39 33 28 22 1c 1c 47 50 5b PPPPD??93("..GP[
2e
f4 5c 06 [02 00] [20 0b] [20 00] [xx]
[02 00]=load address
[20 0b]=code bra to
[20 00]=start address of data to be read
[xx]=chks
response
f4 d9 06 aa [20 00] [data ....] [chks]
[2000] is the memory offset the data is being read.
It is f4=tside and e4=eside.
I have had a look into the issue of lighting up VPP from the ESide. Not sure why it is so complex but I will explain what I see and request a little help...
On the Eside, the small 8pin soic between the cpu and the heat spreader is the VPP regulator. Output is pin 1. VPP is connected to both flash. It runs between boards on pin 13 of the ribbon.
Tside PRU port A bit 7 enables the regulator through a Rube Goldberg circuit that is to say: it connects to some un-identified philips chip marked 16127472 on pin 8. The philips chip outputs an OR function of that input and the one from the ESide that connects on pin 9. The connection to pin 9 crosses the ribbon on pin 15 of the cable and is sourced by Eside PRU Port A bit 7. The philips chip outputs the ORed enable on pin 10, this is a high going enable. The enable again crosses on the ribbon cable on pin 20. Now back on the Eside ribbon pin 20 drives the base of two NPN transistors, one of which enables the 12V VPP regulator.
I believe when the two boards are properly connected by a ribbon (mine are not at the moment) both sides can enable VPP.
The explanation above is almost too muddled to post, so here is my ask: I can't test this until my connector parts arrive. Could someone try enabling VPP from the Eside? All it would take is a write to location 1800 and 1801 with bit 7 high.
If this works out we can move to integrate UnBrick.
-Tom
It looks like it will work in case the hardware links are there.
On both 94-95 and 96-97 pcms the vpp enable bit is at tside $1800 bit $80,
I checked the eside diss and 1800 $80 is not used anywhere in the code. So it is very likely that it will work. Do you think eside can sense vpp voltage.
1801 $80 is set high so it is useless to test.
Steveo should be able to make a quick code upload to eside with part of the vpp routine and modify the tside vpp to read the voltage after that to confirm.
I will also be able to test it but it have no idea when that can happen.
Edit:
I looked at some of the flash code and it looks like that the short_vpp is actually a read only vpp voltage routine. It can be used to read the vpp with it form tside.
Last edited by kur4o; 06-02-2020 at 01:14 AM.
I think it is the way I stated in the rambling explanation BUT not 100% sure because my TSide is not connected or powered. I need to get this back working.
All depends on the function of the Philips mystery chip
Yes. Although different a/d converters are used. I have re-written the routine, it works.
It needs to be high to drive the output. In my case I am not running with GM code so none of the defaults are taken care of unless I do.
Great. If you or Steveo would like my code for turn on from ESide, just ask
[/QUOTE]
Edit:
I looked at some of the flash code and it looks like that the short_vpp is actually a read only vpp voltage routine. It can be used to read the vpp with it form tside.
[/QUOTE]
For me, if the code in a PCM is trashed, best to work with one processor at a time. That way you don't rely on something that isn't solid.
Can you post the code, I will try to adapt it for 94-95 eside.Yes. Although different a/d converters are used. I have re-written the routine, it works.
I need mostly the port G config and the AD lookup for ign voltage and vpp voltage.
Code you need is below, I included both turn on and off. Port G is a factor on the Tside but not here. Analog goes straight to the processor inputs. Let me know if there is anything else that can help.
-Tom
Code:************************************************* * APPLY VPP 12 VOLT: VPPH ************************************************* SET_VPPH LDAA #$00 ; START A/D CONVERTER CH0 STAA CPU_ADCTL ; ASLD ; TIME DELAY TO A/D COMPLETE MUL ; MUL ; MUL ; LDAA CPU_ADR1 ; ESIDE PCM IGNITION VOLTAGE STAA @IGN_VOLTAGE ; IGNITION VOLTAGE FOR REPLY CMPA #$66 ; 10.2 VOLTS BCS VPPH_ERR_IVOOR ; IGNITION UNDER VOLTAGE CMPA #$A1 ; 16.1 VOLTS BLS VPPH_IVIR ; IGNITION VOLTAGE IN RANGE VPPH_ERR_IVOOR LDD #$0602 ; MODE 6 MESSAGE: IGNITION VOLTAGE OUT OF RANGE BRA VPPH_SEND_MSG ; SEND MESSAGE VPPH_IVIR LDAA PRU_PA ; PRU PORT A ORAA #$80 ; TURN ON VPP STAA PRU_PA ; UPDATE AND WAIT FOR VPP TO SETTLE JSR @D_RESET_COP ; RESET COP TIMERS JSR @D_D10MS_DELAY ; 10MS DELAY JSR @D_RESET_COP ; RESET COP TIMERS JSR @D_D10MS_DELAY ; 10MS DELAY LDAA #$01 ; START A/D CONVERTER CH1 STAA CPU_ADCTL ; ASLD ; TIME DELAY TO A/D COMPLETE MUL ; MUL ; MUL ; LDAA CPU_ADR1 ; READ VPP VOLTAGE STAA @VPP_VOLTAGE ; VPP VOLTAGE FOR REPLY CMPA #$BC ; 10.5 VOLTS BCS VPPH_ERR_PVOOR ; VPP UNDER VOLTAGE CMPA #$E9 ; 13.0 VOLTS BLS VPPH_PVIR ; VPP IN RANGE VPPH_ERR_PVOOR LDAA PRU_PA ; VPP UNDER/OVER VOLTAGE ANDA #$7F ; TURN OFF VPP STAA PRU_PA ; UPDATE LDD #$0603 ; MODE 6 MESSAGE: VPP 12V OUT OF RANGE BRA VPPH_SEND_MSG ; SEND MESSAGE VPPH_PVIR LDD #$06AA ; MODE 6 MESSAGE: APPLY VPP 12V SUCCESS VPPH_SEND_MSG PSHX ; MAKE ROOM FOR MESSAGE CONTENT ON STACK PSHX ; TSX ; MESSAGE POINTER TO IX STD $00,X ; SET MESSAGE CONTENT LDAA @IGN_VOLTAGE ; LDAB @VPP_VOLTAGE ; STD $02,X ; LDAB #$04 ; MESSAGE PAYLOAD 4 BYTES JSR @D_SEND_ALDL ; SEND MESSAGE PULX ; RESTORE STACK POSITION PULX ; RTS ; DONE ************************************************* * REMOVE VPP 12 VOLT: VPPL ************************************************* SET_VPPL LDAA PRU_PA ; PRU PORT A ANDA #$7F ; TURN OFF VPP STAA PRU_PA ; UPDATE LDAA #$00 ; START A/D CONVERTER CH0 STAA CPU_ADCTL ; ASLD ; TIME DELAY TO A/D COMPLETE MUL ; MUL ; MUL ; LDAA CPU_ADR1 ; ESIDE PCM IGNITION VOLTAGE STAA @IGN_VOLTAGE ; IGNITION VOLTAGE FOR REPLY LDAA #$C8 ; WAIT LOOP 200MS JSR N_X_1MS_DELAY ; LDAA #$01 ; START A/D CONVERTER CH1 STAA CPU_ADCTL ; ASLD ; TIME DELAY TO A/D COMPLETE MUL ; MUL ; MUL ; LDAA CPU_ADR1 ; READ VPP VOLTAGE STAA @VPP_VOLTAGE ; VPP VOLTAGE FOR REPLY CMPA #$5A ; 9 VOLTS BLS VPPL_PVIR ; VPP IN RANGE LDD #$0604 ; MODE 6 MESSAGE: VPP OPERATIONAL OUT OF RANGE BRA VPPL_SEND_MSG ; VPP OUT OF RANGE VPPL_PVIR LDD #$06AA ; MODE 6 MESSAGE: REMOVE VPP 12V SUCCESS VPPL_SEND_MSG PSHX ; MAKE ROOM FOR MESSAGE CONTENT ON STACK PSHX ; TSX ; MESSAGE POINTER TO IX STD $00,X ; SET MESSAGE CONTENT LDAA @IGN_VOLTAGE ; LDAB @VPP_VOLTAGE ; STD $02,X ; SET MESSAGE CONTENT LDAB #$04 ; MESSAGE PAYLOAD 4 BYTES JSR @D_SEND_ALDL ; SEND MESSAGE PULX ; RESTORE STACK POSITION PULX ; RTS ; DONE
It will be hard for me to get to that format. My loader takes: [DEVICE ID] [LENGTH] [MODE] [MESSAGE …] [CHECKSUM]
In the case of mode $06 (that is all I look for/process) the first two bytes of [Message ...] are taken to be the load address and the execute address. I think the loader plus the support for re-flash take up almost the whole internal ram. Perhaps we could use a reply with message starting with $55 to show more messages will follow. Last to have $AA. My intent here is to dump the whole flash to enable someone to see if it is corrupt. Another thought is to just dump the binary with an appended checksum thus bypassing all the GM format. Thoughts? I have about 16 bytes that remain before I need to start removing stuff.
-Tom
That is great. I feel confident it will work at the end.
The channel 0 matches the ign lookup on eside and channel 1 is stored once but never used, so it is likely the vpp circuit there.
I will mod the tside vpp to work at eside and will give it a try later.
Here is modded vpp for eside. Someone willing to upload to eside and report results.
Bookmarks