Evo Live Map 88590015 Download Ready
Dec 16, 2007, 11:54 PM
#16
Evolved Member
Dec 17, 2007, 07:25 AM
#19
Evolved Member
Thread Starter
I've done a fair bit of work with 94170008 in the past - I sent a ROM with modified comms to MalibuJack and he tested it working to read and write RAM. I would need to update the protocol in it and then apply the map switching to finish it. But I'm waiting for feedback on this one first otherwise I'll get very confused.
Dec 21, 2007, 09:14 AM
#24
Evolved Member
Thread Starter
I don't think anyone must have tried it yet.
I know it works as it is very well tested on my UK/JDM IX, the testing I need is to make sure I've transferred all the work across correctly to the US IX.
I know it works as it is very well tested on my UK/JDM IX, the testing I need is to make sure I've transferred all the work across correctly to the US IX.
Dec 21, 2007, 10:50 AM
#26
Evolved Member
I think there's only a few of us using the Evo 7 ECU, I think GTOdesign was the the most knowledgeable. I have been trying to get a handle on the disassembly require, and though I can do a few simple things, it will be ages before I can get up to speed. If anyone feels like doing the development work, I'd be happy to test it out for them.
MB
MB
Dec 21, 2007, 10:56 AM
#27
Yeh I know the evo7 ecu isn't the most popular, as most development is the 8 and 9 ecu's.
However the 7 ecu and 8 260 ecu (relabled 7 ecu) is becoming popular amoungst the evo 4/5/6 owners now.
So it would be nice if these patch's were able to be implemented into the 7 ecu's.
Tephra applied his V2 patch for me, and i've sent him a PM to see if he is able to apply the new V4 patch when he gets a chance.
Although he prob won't want to do much atm due to what happened earlier today
However the 7 ecu and 8 260 ecu (relabled 7 ecu) is becoming popular amoungst the evo 4/5/6 owners now.
So it would be nice if these patch's were able to be implemented into the 7 ecu's.
Tephra applied his V2 patch for me, and i've sent him a PM to see if he is able to apply the new V4 patch when he gets a chance.
Although he prob won't want to do much atm due to what happened earlier today
Dec 21, 2007, 01:39 PM
#28
Evolved Member
Thread Starter
Guide for the disassemblers/assemblers to the changes in 88590015:
82f4 Hi Oct Fuel map vector 1 - points to RAM fuel map
8474, 8694, 86b4 Hi Oct Timing map vector 1 (all 3 maps) - points to RAM ign map
1229d Switching variable routine - this removes unnecessary code and replaces it with a routine that checks our own map switch variable and imposes it on the ECU's original version. Without this code the ECU would just overwrite our changes and not allow map switching.
25192 MUT jump out - this hook in the MUT code...
49000 Jump out routine - ... checks for and processes our E0-E3 requests, jumps back in in 3 difference places depending on what we are processing.
82f4 Hi Oct Fuel map vector 1 - points to RAM fuel map
8474, 8694, 86b4 Hi Oct Timing map vector 1 (all 3 maps) - points to RAM ign map
1229d Switching variable routine - this removes unnecessary code and replaces it with a routine that checks our own map switch variable and imposes it on the ECU's original version. Without this code the ECU would just overwrite our changes and not allow map switching.
25192 MUT jump out - this hook in the MUT code...
49000 Jump out routine - ... checks for and processes our E0-E3 requests, jumps back in in 3 difference places depending on what we are processing.
Dec 21, 2007, 01:46 PM
#29
Evolved Member
Thread Starter
Here is the code that goes at 49000:
Code:
extu.w r1,r1 mov.l (flag),r10 mov.w @r10,r0 extu.w r0,r0 cmp/eq #1,r0 bt flag1 nop cmp/eq #2,r0 bt flag2 nop bra avoid nop flag1: mov.l (storeadrlong),r11 mov #4,r2 mov.l (counter),r10 mov.w @r10,r0 extu.w r0,r0 mov r0,r8 mov.b r1,@(r0,r11) add #1,r0 cmp/eq r2,r0 bf skip1 nop mov #0,r0 mov.l (flag),r11 mov.w r0,@r11 skip1: mov.w r0,@r10 bra brret nop flag2: mov.l (storeadrlong),r11 mov.l @r11,r11 mov.b r1,@r11 mov r1,r8 mov.l (storeadrlong),r10 mov.l @r10,r0 add #1,r0 mov.l r0,@r10 mov #0,r0 mov.l (flag),r11 mov.w r0,@r11 bra brret nop avoid: mov.w (E0),r2 cmp/eq r2,r1 bt brE0 nop mov.w (E1),r2 cmp/eq r2,r1 bt brE1 nop mov.w (E2),r2 cmp/eq r2,r1 bt brE2 nop mov.w (E3),r2 cmp/eq r2,r1 bt brE3 nop mov.w (BF),r2 cmp/hi r2,r1 bt brBF nop shll2 r1 mov.l (retMUT),r10 jmp @r10 nop brE0: mov #1,r0 bra flagcounterset nop brE1: mov.l (storeadrlong),r0 mov.l @r0,r0 mov.b @r0,r8 extu.b r8,r8 mov.l (storeadrlong),r10 mov.l @r10,r0 add #1,r0 mov.l r0,@r10 bra brret nop brE2: mov #2,r0 bra flagcounterset nop brE3: mov.l (ROMhioctfuel),r10 mov.l (RAMhioctfuel),r11 mov #0,r0 mov.w (Lengthhioctfuel),r8 bsr bre3loop nop mov.l (ROMhioctign2),r10 mov.l (RAMhioctign2),r11 mov #0,r0 mov.w (Lengthhioctign2),r8 bsr bre3loop nop bra brret nop bre3loop: mov.w @(r0,r10),r2 mov.w r2,@(r0,r11) add #2,r0 cmp/eq r8,r0 bf bre3loop nop rts nop flagcounterset: mov.l (flag),r10 mov.w r0,@r10 mov #0,r0 mov.l (counter),r10 mov.w r0,@r10 mov r1,r8 bra brret nop brBF: mov.l (retgtBF),r10 jmp @r10 nop brret: mov.l (retret),r10 jmp @r10 nop .align 4 retMUT: .long 0x2519c retgtBF: .long 0x251a8 retret: .long 0x2567a flag: .long 0xFFFF8100 counter: .long 0xFFFF8102 storeadrlong: .long 0xFFFF8104 mapselect: .long 0xFFFF810A ROMhioctfuel: .long 0x00002dB2 RAMhioctfuel: .long 0xFFFF81B2 ROMhioctign2: .long 0x00005518 RAMhioctign2: .long 0xFFFF8318 Lengthhioctfuel: .word 0x138 Lengthhioctign2: .word 0x1b0 E0: .word 0xE0 E1: .word 0xE1 E2: .word 0xE2 E3: .word 0xE3 BF: .word 0xBF
Dec 21, 2007, 01:54 PM
#30
Evolved Member
Thread Starter
Explanation of the variables:
retMUT - return back to normal MUT processing routine
retgtBF - return to MUT processing if request ID is > 0xBF
retret - return after our MUT custom routines
flag - flag to marshall the multibyte requests into addresses
counter - counter for above
storeadrlong - where we store our addresses that we've read by MUT
mapselect - our variable to map switch
ROMhioctfuel - address of ROM hi oct fuel
RAMhioctfuel - address of RAM hi oct fuel
ROMhioctign2 - address of ROM hi oct ign 2
RAMhioctign2 - address of RAM hi oct ign 2
Lengthhioctfuel - length of the fuel map to be copied
Lengthhioctign2 - ditto hi oct ign 2
Note that the addresses that go in the logger for mapselect and the RAM maps are different because of byte vs word and the headers for the maps.
E0 aa bb cc dd - define 4 byte (long) address to work on with E1 or E2
E1 - read address defined by E0, then autoincrement it, so repeated E1 will read a block
E2 xx - write xx to address defined by E0, also incremented
E3 - copy ROM maps to RAM (must be done before map set 1 can be selected because the map switching routine checks for valid header info on the RAM fuel map).
Questions welcomed.
retMUT - return back to normal MUT processing routine
retgtBF - return to MUT processing if request ID is > 0xBF
retret - return after our MUT custom routines
flag - flag to marshall the multibyte requests into addresses
counter - counter for above
storeadrlong - where we store our addresses that we've read by MUT
mapselect - our variable to map switch
ROMhioctfuel - address of ROM hi oct fuel
RAMhioctfuel - address of RAM hi oct fuel
ROMhioctign2 - address of ROM hi oct ign 2
RAMhioctign2 - address of RAM hi oct ign 2
Lengthhioctfuel - length of the fuel map to be copied
Lengthhioctign2 - ditto hi oct ign 2
Note that the addresses that go in the logger for mapselect and the RAM maps are different because of byte vs word and the headers for the maps.
E0 aa bb cc dd - define 4 byte (long) address to work on with E1 or E2
E1 - read address defined by E0, then autoincrement it, so repeated E1 will read a block
E2 xx - write xx to address defined by E0, also incremented
E3 - copy ROM maps to RAM (must be done before map set 1 can be selected because the map switching routine checks for valid header info on the RAM fuel map).
Questions welcomed.