MUT Commands Known?
#16
Evolving Member
Thread Starter
Has anyone found the 5 deg Timing Adjustment yet?
On my 95 ECU there was a Timing Adjust terminal you would ground.
I connected a switch to it and had a sort of Anti-Lag Button. I could get a couple extra psi with a 2-step.
It might be possible to easily code an Anti-Lag setup by taking over the Timing Adjust routine, change 5 degree to -10 and have the clutch switch turn it on.
On my 95 ECU there was a Timing Adjust terminal you would ground.
I connected a switch to it and had a sort of Anti-Lag Button. I could get a couple extra psi with a 2-step.
It might be possible to easily code an Anti-Lag setup by taking over the Timing Adjust routine, change 5 degree to -10 and have the clutch switch turn it on.
#17
IDC command to create Actuator structure:
using Alt+Q one can get
Now the mask is applied at word values by index_of_actuator_word:
corresponding code is
I would like to spread the disassembly effort, so anyone who can read this can help out
So knowing all this MUT_D8 should check if CEL bulb is OK.
Code:
auto id; id = AddStrucEx(-1,"Actuator",0); id = GetStrucIdByName("Actuator"); AddStrucMember(id,"index_of_actuator_word", 0X0, 0x000400, -1, 1); AddStrucMember(id,"reserved", 0X1, 0x000400, -1, 1); AddStrucMember(id,"bit_mask", 0X2, 0x10000400, -1, 2); return id;
Code:
00009C3C 01 FF 04 00 Command_MUT_C0:Actuator <1, h'FF, h'400> ; DATA XREF: PROCESS_MUT_REQUEST:off_253D8o 00009C40 01 FF 02 00 Command_MUT_C1:Actuator <1, h'FF, h'200> 00009C44 01 FF 00 00 Command_MUT_C2:Actuator <1, h'FF, 0> 00009C48 01 FF 00 00 Command_MUT_C3:Actuator <1, h'FF, 0> 00009C4C 01 FF 00 00 Command_MUT_C4:Actuator <1, h'FF, 0> 00009C50 01 FF 00 10 Command_MUT_C5:Actuator <1, h'FF, h'10> 00009C54 01 FF 00 00 Command_MUT_C6:Actuator <1, h'FF, 0> 00009C58 01 FF 00 04 Command_MUT_C7:Actuator <1, h'FF, 4> 00009C5C 01 FF 00 02 Command_MUT_C8:Actuator <1, h'FF, 2> 00009C60 01 FF 00 01 Command_MUT_C9:Actuator <1, h'FF, 1> 00009C64 00 FF 00 00 Command_MUT_CA:Actuator <0, h'FF, 0> 00009C68 01 FF 00 80 Command_MUT_CB:Actuator <1, h'FF, h'80> 00009C6C 00 FF 20 00 Command_MUT_CC:Actuator <0, h'FF, h'2000> 00009C70 00 FF 10 00 Command_MUT_CD:Actuator <0, h'FF, h'1000> 00009C74 00 FF 08 00 Command_MUT_CE:Actuator <0, h'FF, h'800> 00009C78 00 FF 04 00 Command_MUT_CF:Actuator <0, h'FF, h'400> 00009C7C 00 FF 02 00 Command_MUT_D0:Actuator <0, h'FF, h'200> 00009C80 00 FF 01 00 Command_MUT_D1:Actuator <0, h'FF, h'100> 00009C84 00 FF 00 82 Command_MUT_D2:Actuator <0, h'FF, h'82> 00009C88 00 FF 00 40 Command_MUT_D3:Actuator <0, h'FF, h'40> 00009C8C 00 FF 00 20 Command_MUT_D4:Actuator <0, h'FF, h'20> 00009C90 00 FF 00 10 Command_MUT_D5:Actuator <0, h'FF, h'10> 00009C94 00 FF 00 08 Command_MUT_D6:Actuator <0, h'FF, 8> 00009C98 00 FF 00 04 Command_MUT_D7:Actuator <0, h'FF, 4> 00009C9C 00 FF 00 02 Command_MUT_D8:Actuator <0, h'FF, 2>
Code:
RAM:FFFF6FE0 ?? ?? MUT_Command_Actuator_0:.res.b 2 ; DATA XREF: ROM:off_128F4o RAM:FFFF6FE2 ?? ?? MUT_Command_Actuator_1:.res.b 2 ; DATA XREF: ROM:off_128FCo
Code:
ROM:000252DE loc_252DE: ; CODE XREF: sub_2515C+17Cj ROM:000252DE 6A 13 mov r1, r10 ; Move Data ROM:000252E0 9B 70 mov.w @(h'E0,pc), r11 ; [000253C4] = h'C0 ; Move Immediate Word Data ROM:000252E2 3A B8 sub r11, r10 ; Subtract Binary ROM:000252E4 4A 08 shll2 r10 ; Shift Logical Left 2 ROM:000252E6 DB 3C mov.l @(h'F0,pc), r11 ; [000253D8] = Command_MUT_C0 ; Move Immediate Long Data ROM:000252E8 3B AC add r10, r11 ; Add binary ROM:000252EA 85 B1 mov.w @(2,r11), r0 ; Move Structure Word Data ROM:000252EC 61 03 mov r0, r1 ; Move Data ROM:000252EE DB 3A mov.l @(h'E8,pc), r11 ; [000253D8] = Command_MUT_C0 ; Move Immediate Long Data ROM:000252F0 6C 03 mov r0, r12 ; Move Data ROM:000252F2 60 A3 mov r10, r0 ; Move Data ROM:000252F4 02 BC mov.b @(r0,r11), r2 ; Move Byte Data ROM:000252F6 62 2C extu.b r2, r2 ; Extend as Unsigned (Byte) ROM:000252F8 6C CD extu.w r12, r12 ; Extend as Unsigned (Word) ROM:000252FA 2C C8 tst r12, r12 ; Test Logical ROM:000252FC 8B 01 bf loc_25302 ; Branch if False ROM:000252FE A1 3D bra loc_2557C ; Branch ROM:00025300 00 09 nop ; No Operation ROM:00025302 loc_25302: ; CODE XREF: sub_2515C+1A0j ROM:00025302 62 2D extu.w r2, r2 ; Extend as Unsigned (Word) ROM:00025304 42 00 shll r2 ; Shift Logical Left ROM:00025306 D0 38 mov.l @(h'E0,pc), r0 ; [000253E8] = MUT_Command_Actuator_0 ; Move Immediate Long Data ROM:00025308 0A 2D mov.w @(r0,r2), r10 ; Move Word Data ROM:0002530A 2A 1B or r1, r10 ; OR Logical ROM:0002530C 02 A5 mov.w r10, @(r0,r2) ; Move Word Data
So knowing all this MUT_D8 should check if CEL bulb is OK.
#18
Evolved Member
Join Date: Mar 2008
Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude
Posts: 730
Likes: 0
Received 3 Likes
on
2 Posts
I know you are after VR-4,below the actuators in H8 based ECU also (23810003_EM2428_99_Galant_VR4).
Thank you for the correction, updated the above post. If you follow where the MUT_Command_Actuator_0 & 0x02 is checked, you will find MUT_9A & 0x80, but Bez has found that MUT_9A & 0x8 = CEL, so I have overlooked the 0 at the end. Sorry for the confusion.
Thank you for the correction, updated the above post. If you follow where the MUT_Command_Actuator_0 & 0x02 is checked, you will find MUT_9A & 0x80, but Bez has found that MUT_9A & 0x8 = CEL, so I have overlooked the 0 at the end. Sorry for the confusion.
Code:
00012DE4 Actuator <1, 0xFF, 0> 00012DE8 Actuator <1, 0xFF, 0> 00012DEC Actuator <1, 0xFF, 0> 00012DF0 Actuator <1, 0xFF, 0> 00012DF4 Actuator <1, 0xFF, 0> 00012DF8 Actuator <1, 0xFF, 0x10> 00012DFC Actuator <1, 0xFF, 8> 00012E00 Actuator <1, 0xFF, 4> 00012E04 Actuator <1, 0xFF, 2> 00012E08 Actuator <1, 0xFF, 1> 00012E0C Actuator <0, 0xFF, 0> 00012E10 Actuator <0, 0xFF, 0> 00012E14 Actuator <0, 0xFF, 0x2000> 00012E18 Actuator <0, 0xFF, 0x1000> 00012E1C Actuator <0, 0xFF, 0x800> 00012E20 Actuator <0, 0xFF, 0x400> 00012E24 Actuator <0, 0xFF, 0x200> 00012E28 Actuator <0, 0xFF, 0x100> 00012E2C Actuator <0, 0xFF, 0x82> 00012E30 Actuator <0, 0xFF, 0x40> 00012E34 Actuator <0, 0xFF, 0x20> 00012E38 Actuator <0, 0xFF, 0x10> 00012E3C Actuator <0, 0xFF, 8> 00012E40 Actuator <0, 0xFF, 4> 00012E44 Actuator <0, 0xFF, 2>
Last edited by acamus; Nov 4, 2009 at 10:00 PM.
#19
Evolved Member
Join Date: Mar 2008
Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude
Posts: 730
Likes: 0
Received 3 Likes
on
2 Posts
Below are some that i have tested on my bench today:
CD, CE fan (hi/lo)
D5 - EGR
D7 - Purge
D8 - Fuel pump
So we have found two new. Hamish do you want to join - only two of your actuators are now missing....
Last edited by acamus; Oct 5, 2009 at 09:49 PM.
#20
Evolving Member
Thread Starter
Acamus the code you posted above for the H8, is it like a jump table?
The MUT command are in sequential order and the data is addresses to the MUT Command routines?
Sorry, I don't understand whats going on there. Could you explain.
All the H8s I have looked at have a Case statement:
If 0xCA Then
Else If 0xCB Then
Else If 0xCB Then
etc...
(Sorry if my Pseudo Code is bad)
I'll try to test C3 for 5 Deg BTDC, tomorrow when I have some daylight.
Thanks much for finding the other Commands.
The MUT command are in sequential order and the data is addresses to the MUT Command routines?
Sorry, I don't understand whats going on there. Could you explain.
All the H8s I have looked at have a Case statement:
If 0xCA Then
Else If 0xCB Then
Else If 0xCB Then
etc...
(Sorry if my Pseudo Code is bad)
I'll try to test C3 for 5 Deg BTDC, tomorrow when I have some daylight.
Thanks much for finding the other Commands.
#21
Evolved Member
Join Date: Mar 2008
Location: Lattitude 48.38°, Longitude 17.58°, Altitude 146m = Slovakia, for common dude
Posts: 730
Likes: 0
Received 3 Likes
on
2 Posts
It is a table of bits corresponding to actuator commands.
e.g. when D8 is received the last actuator structure from the table is taken, i.e.
Command_MUT_D8:Actuator <0, h'FF, 2>
now the index_of_actuator_word is 0 so bitmask 0x2 is applied on MUT_Command_Actuator_0 i.e.
or MUT_Command_Actuator_0, 0x02 (or r1, r10)
if you search occurrences of where MUT_Command_Actuator_0 & 0x02 is checked you will find actual places where the command is executed.
I hope I have expressed it understandably.
e.g. when D8 is received the last actuator structure from the table is taken, i.e.
Command_MUT_D8:Actuator <0, h'FF, 2>
now the index_of_actuator_word is 0 so bitmask 0x2 is applied on MUT_Command_Actuator_0 i.e.
or MUT_Command_Actuator_0, 0x02 (or r1, r10)
if you search occurrences of where MUT_Command_Actuator_0 & 0x02 is checked you will find actual places where the command is executed.
I hope I have expressed it understandably.
Last edited by acamus; Aug 12, 2009 at 02:44 AM.
#22
Evolving Member
Thread Starter
Thanks,
I think the previous Case routine I mentioned earlier is for MUT over OBD2.
My H8 has 3 protocols: MUT, OBD2, and MUT over OBD2.
This is from my 20550011 98 GST Eclipse ROM.
The first entry is Command C0 and the last is D8.
The first byte determines which Actuator to write to, my case 0=F620 and 1=F622.
And the last two bytes are the bit mask for that command.
Correct??
Thanks very much for finding this, I would never have found it on my own.
I think the previous Case routine I mentioned earlier is for MUT over OBD2.
My H8 has 3 protocols: MUT, OBD2, and MUT over OBD2.
Code:
seg000:3BC8 01 FF 00 00 ActuatorBitMsk: .long 0x1FF0000
seg000:3BCC 01 FF 00 00 .long 0x1FF0000
seg000:3BD0 01 FF 00 00 .long 0x1FF0000
seg000:3BD4 01 FF 00 00 .long 0x1FF0000
seg000:3BD8 01 FF 00 00 .long 0x1FF0000
seg000:3BDC 01 FF 00 10 .long 0x1FF0010
seg000:3BE0 01 FF 00 00 .long 0x1FF0000
seg000:3BE4 01 FF 00 04 .long 0x1FF0004
seg000:3BE8 01 FF 00 02 .long 0x1FF0002
seg000:3BEC 01 FF 00 01 .long 0x1FF0001
seg000:3BF0 00 FF 00 00 .long 0xFF0000
seg000:3BF4 00 FF 00 00 .long 0xFF0000
seg000:3BF8 00 FF 20 00 .long 0xFF2000
seg000:3BFC 00 FF 10 00 .long 0xFF1000
seg000:3C00 00 FF 08 00 .long 0xFF0800
seg000:3C04 00 FF 04 00 .long 0xFF0400
seg000:3C08 00 FF 02 00 .long 0xFF0200
seg000:3C0C 00 FF 01 00 .long 0xFF0100
seg000:3C10 00 FF 00 82 .long 0xFF0082
seg000:3C14 00 FF 00 40 .long 0xFF0040
seg000:3C18 00 FF 00 20 .long 0xFF0020
seg000:3C1C 00 FF 00 10 .long 0xFF0010
seg000:3C20 00 FF 00 08 .long 0xFF0008
seg000:3C24 00 FF 00 04 .long 0xFF0004
seg000:3C28 00 FF 00 02 .long 0xFF0002
The first entry is Command C0 and the last is D8.
The first byte determines which Actuator to write to, my case 0=F620 and 1=F622.
And the last two bytes are the bit mask for that command.
Correct??
Thanks very much for finding this, I would never have found it on my own.
#24
Evolved Member
iTrader: (2)
I didn't see an update to this posted anywhere, but here's what I worked out today:
C3 - SAS (for BISS adjustment)
D9 - Fix timing to 5 degrees BTDC
I've started a list collecting what we have here in this thread over on the wiki, in case anyone else has additional commands to share, or wants to expand/correct the existing definitions.
C3 - SAS (for BISS adjustment)
D9 - Fix timing to 5 degrees BTDC
I've started a list collecting what we have here in this thread over on the wiki, in case anyone else has additional commands to share, or wants to expand/correct the existing definitions.
#25
Evolving Member
Thread Starter
In my H8 DSM ecu and cars without ETACS:
FE: Returns High Byte of Logger ID [EB]40
FF: Returns Low Byte of Logger ID EB[40]
Newer Cars with ETACS:
Return the Immobilizer and Init Codes, if ETACS is validated.
Otherwise it returns the Logger ID.
(I think. I thought a saw some old screen shots of EvoScan that had the Evo ecu displaying the Logger ID, and thats what I got from Acamus's post.)
The Calibration ID seems to return ID flipped around, maybe someone can confirm this.
EC: Cal ID Byte 3
ED: Cal ID Byte 2
EE: Cal ID Byte 1
EF: Cal ID Byte 0
F3: clears the Actuator BitFlags, think this is sent after Actuator commands to put things back to normal. Should be confirmed by someone in case I'm mistaken.
CA & CB: Test two words, but Returns FF no matter what.
C4 & C6: Does a Logical OR to OBD_Faults, but only under some conditions. Not sure what they are doing yet.
F7: Returns FF.
F8: Might reset the 5-baud Init. Like "End Transmission" it resets the comms and you have to resend the Init. But I could be way off on this one.
Any of the commands that return FF, might do something in other ecus.
Edit:
Logic, did you confirm D9 works for Timing Adjustment? I tried to trace it out quick, but it got passed between four BitFlag Words before I got lost.
FE: Returns High Byte of Logger ID [EB]40
FF: Returns Low Byte of Logger ID EB[40]
Newer Cars with ETACS:
Return the Immobilizer and Init Codes, if ETACS is validated.
Otherwise it returns the Logger ID.
(I think. I thought a saw some old screen shots of EvoScan that had the Evo ecu displaying the Logger ID, and thats what I got from Acamus's post.)
The Calibration ID seems to return ID flipped around, maybe someone can confirm this.
EC: Cal ID Byte 3
ED: Cal ID Byte 2
EE: Cal ID Byte 1
EF: Cal ID Byte 0
F3: clears the Actuator BitFlags, think this is sent after Actuator commands to put things back to normal. Should be confirmed by someone in case I'm mistaken.
CA & CB: Test two words, but Returns FF no matter what.
C4 & C6: Does a Logical OR to OBD_Faults, but only under some conditions. Not sure what they are doing yet.
F7: Returns FF.
F8: Might reset the 5-baud Init. Like "End Transmission" it resets the comms and you have to resend the Init. But I could be way off on this one.
Any of the commands that return FF, might do something in other ecus.
Edit:
Logic, did you confirm D9 works for Timing Adjustment? I tried to trace it out quick, but it got passed between four BitFlag Words before I got lost.
Last edited by Ceddy; Oct 5, 2009 at 07:39 PM.
#26
Evolved Member
iTrader: (2)
Actually, your summary jives pretty well with what I'd observed on the SH ECUs.
CA and CB are basically no-ops.
EC through EF address the cal ID.
I didn't dig too far through FE and FF although I ended up getting back EB40 when testing manually with EvoScan.
F3 is a nice find, if it works; my way of "fixing" things has generally been to disconnect; things appear to go back to normal after MUT comms complete.
CA and CB are basically no-ops.
EC through EF address the cal ID.
I didn't dig too far through FE and FF although I ended up getting back EB40 when testing manually with EvoScan.
F3 is a nice find, if it works; my way of "fixing" things has generally been to disconnect; things appear to go back to normal after MUT comms complete.
#30
Evolved Member
iTrader: (2)
The live-mapping stuff can do that, actually, if you really want it. I've been meaning to suggest to Eric or ziad that a button for "zap fuel trims" be added.
(What I'd really like to see added would be a new MUT command that does nothing but zero RAM and force a reboot.)
(What I'd really like to see added would be a new MUT command that does nothing but zero RAM and force a reboot.)