Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

And I still didn't find much information...
My ECU has the following chips unerased: d0361me, A82C250.
The last one is a CAN controller, but my car doesn't have CAN communication (it is MY2002).

Also, how can I identify where maps are read? Do you have an example code sequence from another ECU?
For example I have a map at 0x39D38. I've searched for references to it: "39D38", "41D38", "D38", "3DD38" and all other combinations between 39D38 and 2, 8, 16, 32, 64 K offset (less and more).

Also, I found this in the place where you pointed me:
ROM:0000FCF6 sub_FCF6:
ROM:0000FCF6 nop
ROM:0000FCF8 movea.l #$FF88C0,a0
ROM:0000FCFE move.l #$756A0,4(a0)
ROM:0000FD06 move.l #$756AA,8(a0)
ROM:0000FD0E move.l #$756B4,$C(a0)
ROM:0000FD16 move.l #$756BE,$10(a0)
ROM:0000FD1E move.l #$756C8,$14(a0)
ROM:0000FD26 move.l #$756D2,$18(a0)
ROM:0000FD2E move.l #$756DC,$1C(a0)
ROM:0000FD36 move.l #$756E6,$20(a0)
ROM:0000FD3E move.l #$756F0,$24(a0)
ROM:0000FD46 move.l #$756FA,$28(a0)
ROM:0000FD4E move.l #$75704,$2C(a0)
ROM:0000FD56 move.l #$7570E,$30(a0)
ROM:0000FD5E move.l #$75718,$34(a0)
ROM:0000FD66 move.l #$75722,$38(a0)
ROM:0000FD6E move.l #$7572C,$3C(a0)
ROM:0000FD76 move.l #$75736,$40(a0)
ROM:0000FD7E move.l #$75740,$44(a0)
ROM:0000FD86 move.l #$7574A,$48(a0)
ROM:0000FD8E move.l #$75754,$4C(a0)
ROM:0000FD96 move.l #$7575E,$50(a0)
ROM:0000FD9E move.l #$75768,$54(a0)
ROM:0000FDA6 move.l #$75772,$58(a0)
ROM:0000FDAE move.l #$7577C,$5C(a0)
ROM:0000FDB6 move.l #$75786,$60(a0)
ROM:0000FDBE move.l #$75790,$64(a0)
ROM:0000FDC6 move.l #$7579A,$68(a0)
ROM:0000FDCE move.l #$757A4,$6C(a0)
ROM:0000FDD6 move.l #$757AE,$70(a0)
ROM:0000FDDE move.l #$757B8,$74(a0)
ROM:0000FDE6 move.l #$757C2,$78(a0)
ROM:0000FDEE move.l #$757CC,$7C(a0)
ROM:0000FDF6 move.l #$757D6,$80(a0)
ROM:0000FDFE move.l #$757E0,$84(a0)
ROM:0000FE06 move.l #$757EA,$88(a0)
ROM:0000FE0E move.l #$757F4,$8C(a0)
ROM:0000FE16 move.l #$757FE,$90(a0)
ROM:0000FE1E move.l #$75808,$94(a0)
ROM:0000FE26 move.l #$75812,$98(a0)
ROM:0000FE2E move.l #$7581C,$9C(a0)
ROM:0000FE36 move.l #$75826,$A0(a0)
ROM:0000FE3E move.l #$75830,$A4(a0)
ROM:0000FE46 move.l #$7583A,$A8(a0)
ROM:0000FE4E move.l #$75844,$AC(a0)
ROM:0000FE56 move.l #$7584E,$B0(a0)
ROM:0000FE5E move.l #$75858,$B4(a0)
ROM:0000FE66 move.l #$75862,$B8(a0)
ROM:0000FE6E move.l #$7586C,$BC(a0)
ROM:0000FE76 move.l #$75876,$C0(a0)
ROM:0000FE7E move.l #$75880,$C4(a0)
ROM:0000FE86 move.l #$7588A,$C8(a0)
ROM:0000FE8E move.l #$75894,$CC(a0)
ROM:0000FE96 move.l #$7589E,$D0(a0)
ROM:0000FE9E move.l #$758A8,$D4(a0)
ROM:0000FEA6 move.l #$758B2,$D8(a0)
ROM:0000FEAE move.l #$758BC,$DC(a0)
ROM:0000FEB6 move.l #$758C6,$E0(a0)
ROM:0000FEBE move.l #$758D0,$E4(a0)
ROM:0000FEC6 move.l #$758DA,$E8(a0)
ROM:0000FECE move.l #$758E4,$EC(a0)
ROM:0000FED6 move.l #$758EE,$F0(a0)
ROM:0000FEDE move.l #$758F8,$F4(a0)
ROM:0000FEE6 move.l #$75902,$F8(a0)
ROM:0000FEEE move.l #$7590C,$FC(a0)
ROM:0000FEF6 move.l #$75916,$100(a0)
ROM:0000FEFE move.l #$75920,$104(a0)
ROM:0000FF06 move.l #$7592A,$108(a0)
ROM:0000FF0E move.l #$75934,$10C(a0)
ROM:0000FF16 move.l #$7593E,$110(a0)
ROM:0000FF1E move.l #$75948,$114(a0)
ROM:0000FF26 move.l #$75952,$118(a0)
ROM:0000FF2E move.l #$7595C,$11C(a0)
ROM:0000FF36 move.l #$75966,$120(a0)
ROM:0000FF3E move.l #$75970,$124(a0)
ROM:0000FF46 move.l #$7597A,$128(a0)
ROM:0000FF4E move.l #$75984,$12C(a0)
ROM:0000FF56 move.l #$7598E,$130(a0)
ROM:0000FF5E move.l #$75998,$134(a0)
ROM:0000FF66 move.l #$759A2,$138(a0)
ROM:0000FF6E move.l #$759AC,$13C(a0)
ROM:0000FF76 move.l #$759B6,$140(a0)
ROM:0000FF7E move.l #$759C0,$144(a0)
ROM:0000FF86 move.l #$759CA,$148(a0)
ROM:0000FF8E move.l #$759D4,$14C(a0)
ROM:0000FF96 move.l #$759DE,$150(a0)
ROM:0000FF9E move.l #$759E8,$154(a0)
ROM:0000FFA6 move.l #$759F2,$158(a0)
ROM:0000FFAE move.l #$759FC,$15C(a0)
ROM:0000FFB6 move.l #$75A06,$160(a0)
ROM:0000FFBE move.l #$75A10,$164(a0)
ROM:0000FFC6 move.l #$75A1A,$168(a0)
ROM:0000FFCE move.l #$75A24,$16C(a0)
ROM:0000FFD6 move.l #$75A2E,$170(a0)
ROM:0000FFDE move.l #$75A38,$174(a0)
ROM:0000FFE6 move.l #$75A42,$178(a0)
ROM:0000FFEE move.l #$75A4C,$17C(a0)
ROM:0000FFF6 move.l #$75A56,$180(a0)
ROM:0000FFFE move.l #$75A60,$184(a0)
ROM:00010006 move.l #$75A6A,$188(a0)
ROM:0001000E move.l #$75A74,$18C(a0)
ROM:00010016 move.l #$75A7E,$190(a0)
ROM:0001001E move.l #$75A88,$194(a0)
ROM:00010026 move.l #$75A92,$198(a0)
ROM:0001002E move.l #$75A9C,$19C(a0)
ROM:00010036 move.l #$75AA6,$1A0(a0)
ROM:0001003E move.l #$75AB0,$1A4(a0)
ROM:00010046 move.l #$75ABA,$1A8(a0)
ROM:0001004E move.l #$75AC4,$1AC(a0)
ROM:00010056 move.l #$75ACE,$1B0(a0)
ROM:0001005E move.l #$75AD8,$1B4(a0)
ROM:00010066 move.l #$75AE2,$1B8(a0)
ROM:0001006E move.l #$75AEC,$1BC(a0)
ROM:00010076 move.l #$75AF6,$1C0(a0)
ROM:0001007E move.l #$75B00,$1C4(a0)
ROM:00010086 move.l #$75B0A,$1C8(a0)
ROM:0001008E move.l #$75B14,$1CC(a0)
ROM:00010096 move.l #$75B1E,$1D0(a0)
ROM:0001009E move.l #$75B28,$1D4(a0)
ROM:000100A6 move.l #$75B32,$204(a0)
ROM:000100AE move.l #$75B3C,$208(a0)
ROM:000100B6 move.l #$75B46,$1D8(a0)
ROM:000100BE move.l #$75B50,$1DC(a0)
ROM:000100C6 move.l #$75B5A,$1E0(a0)
ROM:000100CE move.l #$75B64,$1E4(a0)
ROM:000100D6 move.l #$75B6E,$1E8(a0)
ROM:000100DE move.l #$75B78,$1EC(a0)
ROM:000100E6 move.l #$75B82,$1F0(a0)
ROM:000100EE move.l #$75B8C,$1F4(a0)
ROM:000100F6 move.l #$75B96,$1F8(a0)
ROM:000100FE move.l #$75BA0,$1FC(a0)
ROM:00010106 move.l #$75BAA,$200(a0)
ROM:0001010E rts
It seems that somehow the addresses are offset by 256K.
For example 75BAA - 40000 gives 35BAA. One of the DTC definitions is there. And it seems that all of those are DTC definitions offset by 40000.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

Sorry, I can't be much help here. I'd suggest turning on opcode display: options->general->disassembly->number of opcode bytes, and set it to 8. Sometimes having the raw data visible can help. From what you say this might point to the load address of the bin being 0x40000.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

It seems that all addresses starting with $7 point to 0x3xxxx. All those values point to the DTC table if you subtract 0x40000. Other ones point to some rpm axis, but nothing points to a map. Just one points to the EGR map start.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

After a few days of brainstorming I've figured out how it actually addresses maps.
References are to signature bytes (Map Address - (X axis length + Y axis length) * 2 - 0x2 + 0x40000). For example the N75 map is located at 0x3D8B0. The map is 21x26 in size, so 21 + 26 * 2 in hex means 5E. 0x3D8B0 - 0x5E - 0x2 + 0x40000 = 0x7D850

Now all the software has more logic than ever. I need to figure out where the registers are set and how the ECU pins connect to the software.

Thank you antus for the precious information given.
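
The 0x40000 pointer offset and the signature-byte formula from the posts above, as an added example that is not part of the original posts: it computes the pointer the code would use for a map and searches a bin for that value as a big-endian 32-bit immediate on a word boundary, which is how the `move.l #$...` instructions in the listing store it. The function names and the sample ROM bytes are constructed for illustration.

```python
import struct

# Offset observed in the thread between pointers in the code and file offsets.
LOAD_OFFSET = 0x40000


def file_offset(pointer):
    """Convert a pointer seen in the disassembly to an offset in the bin file."""
    if pointer < LOAD_OFFSET:
        raise ValueError("pointer 0x%X is below the 0x%X offset" % (pointer, LOAD_OFFSET))
    return pointer - LOAD_OFFSET


def map_reference(map_addr, x_len, y_len):
    """Pointer the code references for a map, per the formula in the post:
    map address - (X axis length + Y axis length) * 2 - 0x2 + 0x40000."""
    return map_addr - (x_len + y_len) * 2 - 0x2 + LOAD_OFFSET


def find_references(rom, pointer):
    """File offsets where `pointer` occurs as a big-endian 32-bit value.
    Only even offsets are kept because 68k instruction words are word-aligned."""
    needle = struct.pack(">I", pointer)
    hits = []
    pos = rom.find(needle)
    while pos != -1:
        if pos % 2 == 0:
            hits.append(pos)
        pos = rom.find(needle, pos + 1)
    return hits


def build_sample_rom():
    """Constructed 512-byte image, not data from the real bin."""
    rom = bytearray(0x200)
    # Encoding of `move.l #$7D850,4(a0)`: opcode 217C, immediate, displacement.
    rom[0x100:0x108] = bytes.fromhex("217C0007D8500004")
    # Same value at an odd offset: a coincidental byte match that must be ignored.
    rom[0x151:0x155] = struct.pack(">I", 0x7D850)
    return bytes(rom)


if __name__ == "__main__":
    ref = map_reference(0x3D8B0, 21, 26)  # N75 map from the post
    print("N75 reference pointer: 0x%X" % ref)
    print("found at file offsets:", [hex(h) for h in find_references(build_sample_rom(), ref)])
    print("0x75BAA in the bin file: 0x%X" % file_offset(0x75BAA))
```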

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

I'm glad you were able to use it. Also thanks for posting your findings back here.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

Yup... at first it was all a mess, but if the offset is right and you know how to calculate, it is all a piece of cake. Now I'm trying to get deeper into the code disassembly in order to bypass the immobiliser.

Here is a short list of findings:
1. Boost Target
The boost target is calculated from 3 maps and a few bytes.
First the boost target is loaded, located at 0x3D3D2.
Then the value is filtered by a 20x1 map located at 0x3D2EA. The X axis is a temperature.
After this comes the last filter, an 11x1 map located at 0x3D32A.

2. N75
N75 control is done by a main map located at 0x3D8B0.
After a few byte compares (~40) with registers, in some cases it enters a correction map located just before the main turbo target map, at 0x3D358. There is no other N75 correction map.

3. Start Of Injection
SOI calculation starts with a basic SOI correction located at 0x3CA22, then the value is added to values from the basic injection timing located at 0x3C50E. In some cases (a byte different from a register) another map is used. That map is located at 0x3C42A (6x10) and is temperature dependent.

4. Driver Wish
Contrary to expectations, driver wish actually works backwards on this ECU. First the corrections are applied, then the driver request is added.
Here we first have a basic injection by temperature located at 0x3689E. The original map has the same values across the whole map.
Then 0x3ACEA adds IQ by temperature (in the original all values are 0). After that comes the real driver wish, located at 0x38A0C.

Another question... could this be related to IMMO?
[Image: immo.png]
It is just after initialization and before calling a number of subroutines:
[Image: 2014-12-15_0005.png]
slewinson
Posts: 224
Joined: Wed Oct 08, 2014 11:08 am
cars: Barina SB C14SE
Lexus RX350
VW Golf Mk5 TDI DSG

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by slewinson »

First code snippet looks like memory initialisation / clearing to me.

Simon

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

When the car is immobilised what happens? The delco/delphis we do know mostly will start then stall after 4 seconds after not receiving vats ok from the bcm. Does this car have a bcm?

I don't reckon that looks like VATS on other delco/delphi, but it may not be, being that it's not ALDL or VPW (the two I know the best). Generally they'd be handled in one of those JSR subs, also inside a comms handler to accept the VATS OK from the BCM, and there would be several things set - a memory status byte or word, a flag at least. And that flag would be tested around the injector code to skip the injection if VATS is failed.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

My car doesn't have a BCM.
It has this kind of immobiliser in the car:
[Image: immo astra g.jpg]
The car starts without the right key, but shuts down in a few seconds and the check engine light is blinking.
The K line goes from the ECU to the IMMO and then to the OBD port, if this matters.