how-to: airflow rate in gm/s or lb/min and mpg
#16
Evolved Member
iTrader: (2)
mrfred,
I just started looking at this today to port it over to 96940011, but I think your original post is missing all of the values to put in to the patch tables??
EDIT: I just noticed you provided a download link for a patched ROM.
Eric
I just started looking at this today to port it over to 96940011, but I think your original post is missing all of the values to put in to the patch tables??
EDIT: I just noticed you provided a download link for a patched ROM.
Eric
Last edited by l2r99gst; Oct 19, 2008 at 09:30 AM.
#17
This patch is going to be more of a challenge for you to port because I am storing adjustable data in the "table" section of the ROM, so you'll need to identify some free space there (only a few lines of free space are needed there). The source code is attached to this message. It should be helpful for porting the patch. Look at the v4t source code. It would probably be good to run IDA on the patched ROM I posted as well. Let me know if you have questions.
#18
Evolved Member
iTrader: (2)
I do have one quick question from your source code. You have the following:
When I look at an original ROM at 1780C, the hex is pointing to sub 18290, not 26760 as you have in these notes. Was this a typo or am I missing something here?
As far as I can tell (I may need your help on this), the equivalent place in the 96940011 ROM is at hex address 17A68.
I think I have the rest and ready to port over. Here are my notes so far for comparing your ROM to my 96940011 ROM:
Code:
table data 96268 1780C 0002 data 0004 4 data airflowrate subroutine addr 96270 1780E 6760 data 7E80 32384 data "
As far as I can tell (I may need your help on this), the equivalent place in the 96940011 ROM is at hex address 17A68.
I think I have the rest and ready to port over. Here are my notes so far for comparing your ROM to my 96940011 ROM:
Code:
88590015 96940011 blank location to turn patch on off - early in ROM 873e 7410 0x80 for airflow rate - same early blank space 8744 7416 place in ROM to hook to patch 1780C 17A68? Patch - Part 1 (open space at end of ROM) 47E80 3FDA0 Patch - Part 2 (open space at end of ROM) 47ED0 3FDF0
#19
I do have one quick question from your source code. You have the following:
When I look at an original ROM at 1780C, the hex is pointing to sub 18290, not 26760 as you have in these notes. Was this a typo or am I missing something here?
Code:
table data 96268 1780C 0002 data 0004 4 data airflowrate subroutine addr 96270 1780E 6760 data 7E80 32384 data "
I think I have the rest and ready to port over. Here are my notes so far for comparing your ROM to my 96940011 ROM:
Code:
88590015 96940011 blank location to turn patch on off - early in ROM 873e 7410 0x80 for airflow rate - same early blank space 8744 7416 place in ROM to hook to patch 1780C 17A68? Patch - Part 1 (open space at end of ROM) 47E80 3FDA0 Patch - Part 2 (open space at end of ROM) 47ED0 3FDF0
#20
Evolved Member
iTrader: (2)
In your ROM, the subroutine that we are dealing with is 18290 and in my ROM it is 15414, as you stated. The subroutine that has the branch to this subroutine in your ROM starts at 17EE8 and in my ROM it is 149EC. The line that you used to call your subroutine is line 1780C, where in IDA it shows:
off_1780C: .data.l sub_18290
If I look at the hex view, instead of IDA view, I can see the 18290 in the actual hex, which is what you are changing in the ROM to reference your new subroutine. The problem that I am having is that I don't see this particular line in my ROM. My ROM only has the 'bsr_15414' in the IDA view, with no hex view with 15414, so I don't know how to change this branch to my new location for the new subroutine.
I can do it for the next subroutine 15456, but this isn't the one that you are using in your ROM.
Does this make sense or am I just a noob?
Thanks,
Eric
#21
Yep, I overlooked that issue. I'll need to set you up with a slightly different hook. It won't affect the airflow rate subroutine though, so if you still have anything to do there, you can keep at it. I'll try to set you up with the revised hook tomorrow evening.
#25
l2r99gst,
Here is the hook for your ROM.
The definition for the ECUFlash xml file:
----------
<table name="Airflow Rate Patch Hook" category="Airflow Rate Meas" address="14A04" type="3D" level="1" scaling="Hex16">
<table name="Code" type="Static X Axis" elements="1">
<data>Hex16</data>
</table>
<table name="Address" type="Static Y Axis" elements="10">
<data>14A04</data>
<data>14A06</data>
<data>14A08</data>
<data>14A0A</data>
<data>14A0C</data>
<data>14A0E</data>
<data>14A10</data>
<data>14A12</data>
<data>14A14</data>
<data>14A16</data>
</table>
</table>
--------
Hook code for the ROM:
--------
D003
400B
0009
D44E
B523
0009
A002
0009
0003
FDA0
-------
Here is the hook for your ROM.
The definition for the ECUFlash xml file:
----------
<table name="Airflow Rate Patch Hook" category="Airflow Rate Meas" address="14A04" type="3D" level="1" scaling="Hex16">
<table name="Code" type="Static X Axis" elements="1">
<data>Hex16</data>
</table>
<table name="Address" type="Static Y Axis" elements="10">
<data>14A04</data>
<data>14A06</data>
<data>14A08</data>
<data>14A0A</data>
<data>14A0C</data>
<data>14A0E</data>
<data>14A10</data>
<data>14A12</data>
<data>14A14</data>
<data>14A16</data>
</table>
</table>
--------
Hook code for the ROM:
--------
D003
400B
0009
D44E
B523
0009
A002
0009
0003
FDA0
-------
#27
Evolved Member
iTrader: (2)
EDIT: Edited 10/23 after a few corrections that were needed after working with mrfred. I had to use different RAM variable addresses in a couple places. So, this should be OK to go as it is here now. I will hopefully test this weekend of coming week for the final OK.
ECUFlash 96940011.xml additions:
ROM changes in ECUFlash:
Pre-patch
Post-patch
Below are the changes in text if you can't read the values in the screenshots.
Airflow Rate Calc On/Off
1
MUT46 (Read 2-byte airflow rate high byte)
8ae0
MUT47 (Read 2-byte airflow rate low byte)
8ae1
MUT48 (Read 1-byte airflow rate)
8ae3
0x80 for Airflow Rate
128
Airflow Rate Patch Hook
D003
400B
0009
D44E
B523
0009
A002
0009
0003
FDA0
Airflow Rate Patch Part 1
4F22
2FE6
6EF3
DD1D
6DD1
DA1B
2AD1
DA11
6AA0
2AA8
891A
DA10
6AA1
DB10
6BB1
2BAE
041A
D50F
6551
254E
041A
D50E
6551
DA0E
4A0B
0009
6403
DA0D
4A0B
0009
DA0C
2A01
4009
4009
4009
4001
DA0A
2A01
6EF6
4F26
Airflow Rate Patch Part 2
000B
0009
0000
7410
FFFF
8ACE
FFFF
8ACC
FFFF
89F6
FFFF
8AC4
0000
0780
0000
086A
FFFF
8AE0
FFFF
8AE2
FFFF
8B02
0000
7414
ECUFlash 96940011.xml additions:
Code:
<table name="Airflow Rate Calc On/Off" category="Airflow Rate Meas" address="7410" type="1D" level="1" scaling="uint8"/> <table name="MUT46 (Read 2-byte airflow rate high byte)" category="Airflow Rate Meas" address="3f42e" type="1D" level="1" scaling="Hex16"/> <table name="MUT47 (Read 2-byte airflow rate low byte)" category="Airflow Rate Meas" address="3f432" type="1D" level="1" scaling="Hex16"/> <table name="MUT48 (Read 1-byte airflow rate)" category="Airflow Rate Meas" address="3f436" type="1D" level="1" scaling="Hex16"/> <table name="0x80 for Airflow Rate" category="Airflow Rate Meas" address="7414" type="1D" level="1" scaling="uint16"/> <table name="Airflow Rate Patch Hook" category="Airflow Rate Meas" address="14A04" type="3D" level="1" scaling="Hex16"> <table name="Code" type="Static X Axis" elements="1"> <data>Hex16</data> </table> <table name="Address" type="Static Y Axis" elements="10"> <data>14A04</data> <data>14A06</data> <data>14A08</data> <data>14A0A</data> <data>14A0C</data> <data>14A0E</data> <data>14A10</data> <data>14A12</data> <data>14A14</data> <data>14A16</data> </table> </table> <table name="Airflow Rate Patch Part 1" category="Airflow Rate Meas" address="3fda0" type="3D" level="1" scaling="Hex16"> <table name="Code" type="Static X Axis" elements="1" scaling="Hex16"> <data>Hex16</data> </table> <table name="Address" type="Static Y Axis" elements="40"> <data>3FDA0</data> <data>3FDA2</data> <data>3FDA4</data> <data>3FDA6</data> <data>3FDA8</data> <data>3FDAA</data> <data>3FDAC</data> <data>3FDAE</data> <data>3FDB0</data> <data>3FDB2</data> <data>3FDB4</data> <data>3FDB6</data> <data>3FDB8</data> <data>3FDBA</data> <data>3FDBC</data> <data>3FDBE</data> <data>3FDC0</data> <data>3FDC2</data> <data>3FDC4</data> <data>3FDC6</data> <data>3FDC8</data> <data>3FDCA</data> <data>3FDCC</data> <data>3FDCE</data> <data>3FDD0</data> <data>3FDD2</data> <data>3FDD4</data> <data>3FDD6</data> <data>3FDD8</data> <data>3FDDA</data> <data>3FDDC</data> <data>3FDDE</data> <data>3FDE0</data> <data>3FDE2</data> <data>3FDE4</data> <data>3FDE6</data> <data>3FDE8</data> <data>3FDEA</data> <data>3FDEC</data> <data>3FDEE</data> </table> </table> <table name="Airflow Rate Patch Part 2" category="Airflow Rate Meas" address="3fdf0" type="3D" level="1" scaling="Hex16"> <table name="Code" type="Static X Axis" elements="1"> <data>Hex16</data> </table> <table name="Address" type="Static Y Axis" elements="24"> <data>3FDF0</data> <data>3FDF2</data> <data>3FDF4</data> <data>3FDF6</data> <data>3FDF8</data> <data>3FDFA</data> <data>3FDFC</data> <data>3FDFE</data> <data>3FE00</data> <data>3FE02</data> <data>3FE04</data> <data>3FE06</data> <data>3FE08</data> <data>3FE0A</data> <data>3FE0C</data> <data>3FE0E</data> <data>3FE00</data> <data>3FE02</data> <data>3FE04</data> <data>3FE06</data> <data>3FE08</data> <data>3FE0A</data> <data>3FE0C</data> <data>3FE0E</data> </table> </table>
Pre-patch
Post-patch
Below are the changes in text if you can't read the values in the screenshots.
Airflow Rate Calc On/Off
1
MUT46 (Read 2-byte airflow rate high byte)
8ae0
MUT47 (Read 2-byte airflow rate low byte)
8ae1
MUT48 (Read 1-byte airflow rate)
8ae3
0x80 for Airflow Rate
128
Airflow Rate Patch Hook
D003
400B
0009
D44E
B523
0009
A002
0009
0003
FDA0
Airflow Rate Patch Part 1
4F22
2FE6
6EF3
DD1D
6DD1
DA1B
2AD1
DA11
6AA0
2AA8
891A
DA10
6AA1
DB10
6BB1
2BAE
041A
D50F
6551
254E
041A
D50E
6551
DA0E
4A0B
0009
6403
DA0D
4A0B
0009
DA0C
2A01
4009
4009
4009
4001
DA0A
2A01
6EF6
4F26
Airflow Rate Patch Part 2
000B
0009
0000
7410
FFFF
8ACE
FFFF
8ACC
FFFF
89F6
FFFF
8AC4
0000
0780
0000
086A
FFFF
8AE0
FFFF
8AE2
FFFF
8B02
0000
7414
Last edited by l2r99gst; Oct 23, 2008 at 03:52 PM.
#29
Change the address for "0x80 for Airflow Rate Patch" from 0x7416 to 0x7414. You'll need to do it in the ECUFlash entry and also in the code (last line of the code). After that, apply the patch to a ROM, and send it to me. I'll PM you with my email address in a few minutes.