Custom P04 OS... going off the deep end

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Custom P04 OS... going off the deep end

Post by DWS »

Ok, I've had this idea for a little bit now. I have no plans to make it fancy in any way, but I want to learn this stuff a bit deeper. I'm stripping the code down to the bare minimum basics (flashing via BDM so don't need OBD2 etc. code). Right now, the target is to read the crank sensor signal from the ignition module, and respond back with the correct signal to generate spark, no advancement/timing math, no fuel, temps etc. Basically a dummy box that creates the right signals for only spark, like an old-school ATV CDI box, or even older, a points system.

Anyway, clearly I'm no expert yet so I'll 100% need help along the way. The vehicle I'm targeting is a 2000 Malibu with the 3100, which has a 7x crank sensor and is a waste spark system, and the ignition module is the bypass type (it does spark while cranking, the computer does spark after that for advancement). I've backtracked the ram addresses as far as possible but I ran into a brick wall: a ram address that is being read, but never set anywhere that I can find.

I'm using Ghidra with the cpu32 language added, it still seems to miss a few commands here and there, but for the most part it works well.

Anyway, here are some snippets of code working backwards (from rpm down to the source it's created from). I don't quite understand what exactly that hard-coded value represents, but more on that later.

Image

RPM_Time_Maybe was just a guess that it must be some sort of time measurement. This var seems to just be a value holder of the RPM_Time_Source_Maybe var; there is a different point in the code that sets it to 0.

Image

And finally the raw math behind it, and what I suspect is a time value since the last pulse that I called RPM_Crank_Pulse_Time.

Image

That last value has all references as read only, and searching for the hex address gives me no more results to look into, just code that reads the value, unless something disassembled wrong.

For the math, I'm trying to wrap my head around what it all boils down to. I assume it's all measured in us instead of ms.

Anyway, the math. CONST_8 just has 8 stored in it.
(((8 * 329) / 5) * RPM_Crank_Pulse_Time * 5) / 329

Simplified it should be
(2632 * RPM_Crank_Pulse_Time) / 329

And shuffling the math around a bit becomes

RPM_Crank_Pulse_Time * 8

So ultimately that value gets passed to the rpm calc line.

$66d019 / (RPM_Crank_Pulse_Time * 8)
6737945 / (RPM_Crank_Pulse_Time * 8)

That's the point that's not making any sense to me. It has a 7x sensor but it's *8 on a V6. 3 spark events per rev, so maybe it's a reference to their 24x (8*3 = 24) setup? Making sense of the math would help me name the vars more correctly and have a better idea what's going on. The original RPM address I used Universal Patcher to find from the auto-detected settings and just looked for one against rpm.

For the ultimate source, here's all the references to it. No writes which is weird.
Image

Here's the hex address searched. The bottom two might be where my problem is at. I don't have IDA Pro, so maybe it's disassembled wrong there.

Image
Last edited by DWS on Wed Dec 01, 2021 6:16 pm, edited 1 time in total.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
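Added worked example (mine, not code from DWS's post or from the PCM firmware): it reproduces the RPM arithmetic traced above once with exact rational math and once with truncating integer division in the left-to-right order the disassembly lists the operations, and guards the divide by zero that a zero pulse time (no crank signal captured yet) would cause. The evaluation order and the guard are assumptions; the constants 8, 329, 5 and $66d019 are the ones from the post.

```python
# Added example, not from the forum post or the PCM's code: the rpm math as traced in
# Ghidra, evaluated two ways. The operation order below (multiply, divide, multiply,
# multiply, divide) is assumed to match the disassembly; the firmware's integer
# divide truncates, so the "simplifies to * 8" result is only approximate there.
from fractions import Fraction

CONST_8 = 8
RPM_NUMERATOR = 0x66D019  # 6737945, the hard-coded value in the rpm calc line


def pulse_to_time_exact(pulse_time):
    """(((8 * 329) / 5) * t * 5) / 329 with exact rational arithmetic, which is 8 * t."""
    t = Fraction(pulse_time)
    return (Fraction(CONST_8 * 329, 5) * t * 5) / 329


def pulse_to_time_integer(pulse_time):
    """Same expression with truncating integer division at each divide, as an integer
    CPU would compute it (assumed ordering): (8*329)//5 = 526 drops the 0.4, so the
    result is 2630*t//329, slightly under 8*t."""
    step = (CONST_8 * 329) // 5
    return (step * pulse_time * 5) // 329


def rpm_from_pulse_time(pulse_time):
    """$66d019 / (scaled pulse time); returns 0 if no pulse time has been captured,
    instead of dividing by zero (the guard is added here, not observed in the bin)."""
    scaled = pulse_to_time_integer(pulse_time)
    if scaled == 0:
        return 0
    return RPM_NUMERATOR // scaled


if __name__ == "__main__":
    for t in (0, 100, 1000, 5000):
        print(t, pulse_to_time_exact(t), pulse_to_time_integer(t), rpm_from_pulse_time(t))
```

Running it with a pulse time of 100 shows the two paths disagree (800 exact versus 799 truncated), which is worth knowing when comparing a reimplementation against logged values from the stock code.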
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Re: Custom OS... going off the deep end

Post by DWS »

For the actual project, the baseline goal is the pcm to control spark only for the carb guys in the derby community. Basically cut all of the "fat" out of the PCM and make it a really basic device. Spark advancement purely based on rpm, exactly how an ATV CDI box works. Clearly I'll need code to read the crank sensor, convert the value to rpm, and output the correct signal pattern to control the ignition timing. Should be a 2d map for the "tune" for rpm vs spark advancement and that's basically it. In my head the concept is simple, but actually executing on it clearly is another story.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Custom OS... going off the deep end

Post by kur4o »

You are completely missing the hardware part of the pcm and how it works.

There is a lot more than the cpu; actually there is more than one, and they share the same ram space so interchanging data is easy.

Actually most of the A/D conversions are done by the TPU.

To give you some ideas of how to accomplish the goal:

Leave everything as is or you will have big troubles figuring out why it doesn't work.

Since the crank signal is the top-priority interrupt signal for the pcm and the spark is output no matter what, the pcm will function enough with only the crank signal, and nothing else connected. Now you need to find the address where the final spark is stored and shared with the tpu. Right before the value is changed you can interrupt and change the code with a 2d table and save the value from your table as the final spark.

You will also need to figure out the dwell routine and load some predefined value there too, since there are no tps or ect signals to get it done correctly, or you can make another 2d table with custom values.
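Added example (mine, not code from either post or from GM's firmware) of the "2d table" DWS wants for rpm vs spark advance and the second table kur4o suggests for dwell: a lookup with linear interpolation between breakpoints and clamping beyond the ends, so rpm 0 at key-on or an over-rev cannot index past the table, plus the conversion of a dwell time into crank degrees, which is the form a spark scheduler works in. The axis breakpoints, advance values and dwell values are constructed sample numbers, not a real tune, and the function names are my own.

```python
# Added example, not from the thread or any GM calibration: rpm-indexed lookup
# tables for spark advance and dwell with interpolation and end clamping.
# All numbers below are constructed for illustration, not a real tune.

SPARK_RPM_AXIS = [400, 800, 1600, 2400, 3200, 4000, 4800, 5600]
SPARK_ADVANCE_DEG = [10.0, 12.0, 18.0, 24.0, 28.0, 30.0, 30.0, 30.0]  # degrees BTDC

DWELL_RPM_AXIS = [400, 2000, 4000, 6000]
DWELL_MS = [3.5, 3.0, 2.5, 2.0]  # coil charge time in milliseconds


def check_axis(axis):
    """A table axis must be strictly increasing, or interpolation divides by zero."""
    if len(axis) < 2 or any(b <= a for a, b in zip(axis, axis[1:])):
        raise ValueError("table axis must be strictly increasing")


def lookup(axis, values, x):
    """Linear interpolation of values over axis at x, clamped to the table ends."""
    check_axis(axis)
    if len(values) != len(axis):
        raise ValueError("axis and values differ in length")
    if x <= axis[0]:          # below the first breakpoint: hold the first value
        return values[0]
    if x >= axis[-1]:         # above the last breakpoint: hold the last value
        return values[-1]
    # find the segment [axis[i], axis[i+1]] that contains x
    i = max(k for k in range(len(axis) - 1) if axis[k] <= x)
    frac = (x - axis[i]) / (axis[i + 1] - axis[i])
    return values[i] + frac * (values[i + 1] - values[i])


def spark_advance(rpm):
    """Spark advance in degrees BTDC for this rpm."""
    return lookup(SPARK_RPM_AXIS, SPARK_ADVANCE_DEG, rpm)


def dwell(rpm):
    """Coil dwell in milliseconds for this rpm."""
    return lookup(DWELL_RPM_AXIS, DWELL_MS, rpm)


def dwell_to_crank_degrees(rpm):
    """Dwell expressed in crank degrees at this rpm: one rev takes 60000/rpm ms,
    so 1 ms is rpm*360/60000 degrees. Returns 0 when the engine is not turning."""
    if rpm <= 0:
        return 0.0
    return dwell(rpm) * rpm * 360.0 / 60000.0


if __name__ == "__main__":
    for rpm in (0, 1000, 2000, 3000, 6500):
        print(rpm, spark_advance(rpm), dwell(rpm), round(dwell_to_crank_degrees(rpm), 1))
```

The dwell-in-degrees number is the one to watch: at 3000 rpm the sample 2.75 ms of dwell is already 49.5 crank degrees, so a table that is not shortened at high rpm ends up asking for more charge time than exists between spark events.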
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Re: Custom OS... going off the deep end

Post by DWS »

Good info, I'm fairly new to the hardware side of things, but programming I'm alright with.

I need to read up more about interrupts since I don't 100% understand them fully; the best I can describe them is it pauses code and runs dedicated code, then resumes once it clears the interrupt. At least that's what I think effectively happens.

I haven't worked with anything with more than one cpu, but it's good to know the ram is shared. Where does the TPU get the code it runs? I would assume from the flash chip unless it has its own memory internally or something. The one guy I've been working with on and off mentioned a slave cpu for the E40's if I remember right (P11 is similar but without the slave cpu). He was able to read the memory off the slave. If the P04 is a similar setup, I'd think I'd want to read that memory then so I can get an idea of the whole image of what's going on.

For the dwell, I didn't think about that, but making a 2d table for that seems to make sense to me. Should be able to base it on existing tables I'd think. Same with the ignition timing, use the stock base table to start with.

The TPU kind of puts a monkey wrench in my idea lol.

I haven't done the math yet, but I suspect an arduino could do the same job I'm after, but I figured flashing existing hardware would be easier than developing and building new hardware. All of the supporting hardware already exists on the PCM and is high quality etc.

I figured once I had the baseline code worked out, I could change the math for different engines, or change how the sensors are read if the crank sensor is different, etc., so that TPU I'll need control over or I'll be limiting myself quite a lot working with this PCM :(.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Re: Custom OS... going off the deep end

Post by DWS »

Been thinking what's the best way to "test" this concept w/o buying the carb intake and such. I think the simplest route is to have a stock tune pcm run the fuel side of things (fuel pump etc.) and piggyback off the crank sensor and only have the ignition control module control pins wired to the piggybacked pcm to control the spark. As long as the control pin is +5v it should be proof the pcm is running the engine with no other sensors except crank. I have 3 of these computers on hand, so it should be easy enough to rig something up for testing. I'm waiting on connectors in the mail to build stand-alone harnesses for these engines, so I'll have everything needed to hook this up.
Cincinnatus
Posts: 305
Joined: Fri Jul 30, 2021 5:49 pm
cars: 97 Corvette
92 Camaro
2005 Silverado
2001 Savana 2500
1998 c3500hd
1998 tahoe

Re: Custom OS... going off the deep end

Post by Cincinnatus »

What is the tpu? Curious how you read/write a p04 with a bdm? What is a bdm exactly, and where on PCM do you connect it? I have several p04, but only have hptuners that will read them. My nano can't read a bin from p04, and hptuners failed to disable vats on at least 2 3800sc p04s so we only use gtp pcms that have no vats. Would love to run 3800sc with rwd 4l60, but have never found a way to do it.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Re: Custom OS... going off the deep end

Post by DWS »

I'll be honest, I had someone else help me a lot with the BDM stuff, but once I understood the basics I continued forward. HP Tuners uses OBD2 to read and flash the PCM; the way you get to that point is to read the flash memory either directly by pulling the chip and reading it with an external device, or you use a BDM (JTAG, etc.) to use the CPU in debug mode to request data off the flash chip. BDM stands for Background Debug Mode. Here's a simplified version of what's needed.

The actual BDM (this is the one I use) - http://www.usbjtag.com/jtagnt/ulinknt.php

Figure out the cpu type, and get the spec sheet; the P04 has a Motorola MC68332 CPU. The spec sheet has the pinout. The pins you need for BDM are as follows:

Ground
BERR
Freeze
Reset
DS Clock
DSO
DSI

Once you trace those pins (very tiny) to points you can solder a wire to (I use 30 gauge and solder to a 10 pin header that I plug the BDM into), then with the ulink software using the right settings you can read the flash. Writing is an extra step: if AMD, it's open and easy to write; Intel, it's in a read only mode. I haven't personally written to the Intel chip on a P04 yet, but my orig 3100 PCM has that chip. On other PCMs I've had to provide +12v to 1-2 pins, and it is all based on the spec sheet for the flash chip.

To put it shortly, it's a much more involved way to read/write to the PCM, not a plug-and-play feature. Since it takes over the CPU, even a "bricked" PCM should be able to be recovered with this setup.

I don't know for sure what TPU stands for as kur4o is the first I've seen it used, but in the spec sheet of the CPU it does mention a slave cpu mode and the guy helping me out used that term for the 2nd cpu on the board on a different PCM (same family of cpu).

Back at the end of my high school days, I used to install mod chips in original Xboxes and PS2s, so I built up my soldering skill pretty quick. If it's your first time, you'll want some practice before you do it on something you care about at all. A cheap Chinese solder rework station, which has a soldering iron with temp control and several tips, would be a massive upgrade over the generic ones with no temp control; I won't touch those anymore, besides the tips not lasting long at all.

Of course once you read the flash chip, you have the raw data from the flash, which is the bin file. Editing etc. is done the same way as any other PCM that you can get a bin file for. Universal Patcher detects a lot of stuff for the 3100/3400/3800 PCMs; the one I'm using is actually a 3800 SC one, which had the AMD flash chip, so quick and easy flashes once the pin header is soldered to the board.

The devs for PCMHammer are working on the P04 to flash over OBD2; if they can get a technique to work and be reliable it will make life a lot easier for P04 owners. My original idea was to wipe all the flash and have just the bare min setup info and my own main loop for timing and spark only. The slave cpu kind of shoots me in the foot on that idea though. I don't like reusing GM's code for copyright reasons.

Anyway, from what I've seen, 3100 and 3400's security setup is exactly the same for the 3800. I ultimately got tired of testing things, so I just set all of the security related settings to $00 and cleared the DTC's that relate and it worked on my 3100 (BCM delete).

Hopefully that clears up what this process is a bit; like I said, it's pretty involved. Once things are figured out, the 7 solder points for me are fairly easy to do, and eventually a jig/template could be built with pogo pins to make the process faster with no soldering involved, just popping off the cover and bolting down the jig, connecting the bdm and read/write (I make it sound simpler than it is, the jig is a lot of work to build).

Anyway, on topic. I've poked a little more at the bin using known setting addresses, working out some ram addresses and guessing what they do. I did find a couple of spark timing related ones that I suspect are pretty key but haven't dug super deep into them yet. I watched a video on youtube which oddly covered interrupts pretty well. I've been programming about 22 years on and off and have touched assembly/java bytecode a bit, so this video made pretty good sense to me. I'm sure each cpu is a bit different on how that exact timer setup works, but I never knew how that worked exactly in code. I figured it was part of a main loop and it checked system time until it got to or past the target time (100ms for example); his example is very close to my thinking, but using his "ticks" 10ms counter method.

I tend to take on more projects than I have time for, but I'll be hitting this once in a while. Being able to see what exactly the slave cpu is doing would be a massive help though I think for my ultimate goals and to better understand everything etc.

[youtube]https://www.youtube.com/watch?v=g_koa00MBLg[/youtube]
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Custom OS... going off the deep end

Post by kur4o »

Tpu stands for time processing unit or something close.

It is very likely that it is built into the main cpu with its own firmware. Some versions have the ability to be externally configured by the main cpu via shared ram.

It is one of the very big unknowns yet about the gm pcms.

It offloads the heavy A/D conversions from the main cpu and also controls various output D/A conversions. It also can configure other on-board chips.

I am really interested in finding some specific area in these units.
The pcm shares the same chip that controls spark with ls1 pcms. The chip is also wired to the external connector, so on the hardware side it is fully capable of controlling individual coils. What is unknown is if the main code can handle it and how the configuration is done. For example the ls1 pcm can control single channel spark output for a distributor and a coil-on-plug system with 8 individual coils.

As for the slave chips on newer units, it is a second processor with memory that is responsible for handling the pedal inputs. Usually the communication there is by spi or some other com channel. Like 2 pcms in one box.

The interrupt vectors are at the very start of the flash chip, but no one has a list of them yet, what they do or how they are triggered, since it is some non-regular production cpu.

The cpu calculates spark degree and dwell and writes the data to the shared memory with the TPU; the tpu then does all the heavy precise time calculations and triggers the spark at the correct time, applying the needed dwell offset. Injection works similarly by EOIT target.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA
Contact:

Re: Custom OS... going off the deep end

Post by DWS »

That's really interesting. I'll try my best to figure out what they do. I see a TON of the interrupts reference the same memory location. If I can work out enough internal vars, maybe the interrupts will make enough sense to use them correctly. I'm still wrapping my head around everything, but it seems to make sense. Having the TPU internal to the cpu makes a lot more sense too; I was looking for another cpu on the board and didn't see one lol.

Anyway, it sounds like the P04 could be a solid V8 PCM if someone wrote the right code for it. It would be a very common and cheap PCM option with the ability people are looking for, so that's for sure pretty neat. If I locate the setup info for the ignition coil and such, I'll post or pm you what I find.

Since the ram is shared, I wonder if there's a block of memory the main CPU doesn't address that happens to hold the TPU code. It would be interesting to do a full ram dump to see what's in memory and where. I would doubt the TPU would be hard coded with everything unless it's a common chip just copy/pasted into the cpu design simply speaking.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Custom OS... going off the deep end

Post by kur4o »

In the disassembly you will find the reset vector at $00000004.

It is the entry point when the cpu crashes or is rebooted.

Usually the first thing to do here is configure the cpu, ram, tpu and some other stuff.

The first subroutine is some chip initialization routine that preconfigures all register options and so on with some calibration data.

If you get a better knowledge on that part, then it will be easy to find the entry points for main data, and other timer-configured interrupts.

The code flow is really hard to guess and takes lots of time. On older pcms the main routine interrupts were tied to the low res signal and less important code was driven by some timer interrupt. Gm might keep it simple and use a similar strategy here.

I have made a dump with all the unknown ram regions, but the data is some repeating pattern, meaning there is some special procedure to read and write to shared memory and it is not that easy to make a dump of it.

I have an avt script that will allow you to read big chunks of ram, but you need an avt-852 cable to use it.

The bad news is the tpu might be set up for a specific low res signal and will not work with other engines' signal unless we find a way to recode it.
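Added example (mine, not code from the thread or from GM) for the vector table kur4o describes: on the MC68332 (CPU32) the exception vector table is 256 big-endian longwords at the address in VBR, which is 0 at reset, so in a dump that starts at address 0 entry 0 is the initial supervisor stack pointer and entry 1, at $00000004, is the reset PC. The script lists the vectors that do not point at the firmware's catch-all handler, which is how you find the handful of real interrupt entry points among 256 slots. The vector names are the standard 68000-family assignments; the flash base address, the "most common target is the unused handler" heuristic and the sample image are my assumptions, and the image is constructed here so the script runs offline.

```python
# Added example, not the thread's or GM's code: list the CPU32/MC68332 exception
# vectors at the start of a flash dump. Assumes the dump begins at address 0 and
# VBR is 0 (the reset-time state; the firmware may move VBR later, so this is the
# reset-time view only). The sample image is constructed below for illustration.
import struct
from collections import Counter

# Standard 68000-family / CPU32 vector assignments; anything else is user-defined.
VECTOR_NAMES = {
    0: "initial SSP", 1: "reset PC", 2: "bus error", 3: "address error",
    4: "illegal instruction", 5: "zero divide", 6: "CHK/CHK2", 7: "TRAPcc/TRAPV",
    8: "privilege violation", 9: "trace", 10: "line 1010 emulator",
    11: "line 1111 emulator", 12: "hardware breakpoint", 14: "format error",
    15: "uninitialized interrupt", 24: "spurious interrupt",
}
VECTOR_NAMES.update({24 + lvl: "level %d autovector" % lvl for lvl in range(1, 8)})
VECTOR_NAMES.update({32 + n: "TRAP #%d" % n for n in range(16)})


def parse_vector_table(image, count=256):
    """Return the first `count` vectors as integers (big-endian 32-bit)."""
    if len(image) < 4 * count:
        raise ValueError("image shorter than the vector table")
    return list(struct.unpack(">%dI" % count, image[:4 * count]))


def describe_vectors(image, flash_base=0, flash_size=None):
    """Return (default_handler, entries). entries holds (number, name, target,
    in_flash) for every vector that does not point at the catch-all handler; the
    most common target among vectors 2..255 is taken to be that handler (assumption)."""
    if flash_size is None:
        flash_size = len(image)
    vectors = parse_vector_table(image)
    default = Counter(vectors[2:]).most_common(1)[0][0]
    entries = []
    for n, target in enumerate(vectors):
        if n >= 2 and target == default:
            continue  # unused slot, skip it
        name = VECTOR_NAMES.get(n, "user vector %d" % n)
        in_flash = flash_base <= target < flash_base + flash_size
        entries.append((n, name, target, in_flash))
    return default, entries


def build_sample_image():
    """Constructed 2 KiB image: a vector table followed by NOPs (0x4E71)."""
    table = [0x00000400] * 256   # catch-all handler right after the table
    table[0] = 0x00FFF000        # initial SSP, points at RAM, not into the dump
    table[1] = 0x00000500        # reset PC
    table[2] = 0x00000600        # bus error handler
    table[28] = 0x00000700       # level 4 autovector (a timer interrupt, say)
    table[64] = 0x00000780       # first user-defined vector
    return struct.pack(">256I", *table) + b"\x4e\x71" * 512


if __name__ == "__main__":
    default, entries = describe_vectors(build_sample_image())
    print("catch-all handler at $%08X" % default)
    for n, name, target, in_flash in entries:
        flag = "" if in_flash else "  (outside dump)"
        print("%3d %-24s $%08X%s" % (n, name, target, flag))
```

To run it on a real P04 dump, replace `build_sample_image()` with the file contents; a target flagged outside the dump is either RAM (expected for vector 0) or a sign that the dump does not start at address 0 and `flash_base` needs to be set.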