decompile Digifant 1 68HC11A1

vwnut8392
Posts: 59
Joined: Fri Feb 28, 2014 7:38 am
cars: AAN powered 83 audi 4000 quattro
1983 audi UR quattro
1992 GTI VR6

decompile Digifant 1 68HC11A1

Post by vwnut8392 »

I've been trying to learn how to decompile a Digifant 1 ROM using IDA Pro but I just can't understand it. It seems there is a good bit of people here with a wealth of knowledge on the 6811 processor. Would anyone be willing to help me with decompiling one of the stock BIN files? I have several other ones that have wild modifications done to them and I would like to know how, why and the purpose of the modifications performed in them. What I'm having trouble understanding is how the code from the EEPROM connects to the device on the engine itself. I know the entry points start at 0x7DF6 and end at 0x7FFE but beyond that I'm lost. If anyone could help me out that would be great. Thanks.
Attachments
022B_93EE.ori.BIN
Stock Corrado G60 BIN
(32 KiB) Downloaded 432 times
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: decompile Digifant 1 68HC11A1

Post by antus »

Is there a second chip in the computer? If I align the bin from 0x8000->0xFFFF then that puts the reset vector at 45FD which is out of range, and all the interrupt vectors point to 6E18, which is also out of range. I would expect something to be at 45FD at least, although that could then remap the bin... but quite possibly there is a second ROM mapped lower with code on it which handles boot.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: decompile Digifant 1 68HC11A1

Post by vwnut8392 »

antus wrote: Is there a second chip in the computer? If I align the bin from 0x8000->0xFFFF then that puts the reset vector at 45FD which is out of range, and all the interrupt vectors point to 6E18, which is also out of range. I would expect something to be at 45FD at least, although that could then remap the bin... but quite possibly there is a second ROM mapped lower with code on it which handles boot.

That's the only EPROM in the ECU. Here are schematics for the ECU and a picture of the inside along with 2 BIN files with code modifications. The one BIN has map switching which definitely works and the other is a heavily modified file from a Saab rally car. The Saab was retrofitted with Digifant 1 and then modified to control things like the Saab APC boost controller, it has a knock light output and lots of other modifications.
Attachments
Saab900T16_Bosch403.BIN
Saab rally car with heavy modifications
(32 KiB) Downloaded 417 times
map switching.BIN
file with map switching
(32 KiB) Downloaded 458 times
digifant_pg_pcb2.pdf
Schematic 2
(80.39 KiB) Downloaded 515 times
digifant_pg_pcb1.pdf
Schematic 1
(110.79 KiB) Downloaded 506 times
j_ds_au
Posts: 384
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Re: decompile Digifant 1 68HC11A1

Post by j_ds_au »

If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

Re: decompile Digifant 1 68HC11A1

Post by vwnut8392 »

j_ds_au wrote: If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.

Re: decompile Digifant 1 68HC11A1

Post by vwnut8392 »

I read the data sheet for the MC68HC25. I see $17 at 0x7FBF and that sort of makes sense. I see some code starting at 0x7FB0, there are 8 bits there and I'm going to guess they have something to do with the mode select register in the MC68HC25 maybe?

Re: decompile Digifant 1 68HC11A1

Post by j_ds_au »

vwnut8392 wrote:
j_ds_au wrote: If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.

But it does exist. Antus quoted 45FD and 6E18, both of which fall within the 0800-7FFF range.

BTW, I don't quite understand 6E18, but since the unknown opcode $41 is clearly used as "fill", this may be some trap to catch errant operation and induce a reset.

Joe.
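The address arithmetic from the posts above, as an added example that is not part of the original thread: it reads the standard 68HC11 vector table from a 32 KiB image and translates each target to a file offset. The two windows are the ones j_ds_au describes; the `addr & 0x7FFF` mirroring (EPROM decoding only A0-A14) and the sample image, built only from values quoted in the thread, are assumptions.

```python
import struct

# Standard 68HC11 vector table: 21 big-endian 16-bit vectors at CPU $FFD6-$FFFF.
VECTOR_BASE = 0xFFD6
VECTOR_NAMES = [
    "SCI", "SPI", "PAI edge", "PA overflow", "Timer overflow",
    "TOC5", "TOC4", "TOC3", "TOC2", "TOC1", "TIC3", "TIC2", "TIC1",
    "RTI", "IRQ", "XIRQ", "SWI", "Illegal opcode", "COP fail",
    "Clock monitor", "RESET",
]

def cpu_to_offset(addr):
    """Map a CPU address to an offset in the 32 KiB EPROM image, or None.

    Assumes the two windows from the thread ($0800-$7FFF and $E000-$FFFF)
    and that the EPROM only decodes A0-A14, so the offset is addr & 0x7FFF.
    """
    if 0x0800 <= addr <= 0x7FFF or 0xE000 <= addr <= 0xFFFF:
        return addr & 0x7FFF
    return None

def read_vectors(image):
    """Return {name: (target, file_offset_or_None)} for every vector."""
    if len(image) != 0x8000:
        raise ValueError("expected a 32 KiB image")
    start = cpu_to_offset(VECTOR_BASE)          # $FFD6 mirrors to offset 0x7FD6
    targets = struct.unpack(">21H", image[start:start + 42])
    return {n: (t, cpu_to_offset(t)) for n, t in zip(VECTOR_NAMES, targets)}

def build_sample():
    """Constructed stand-in for the stock BIN, using only values from the thread."""
    img = bytearray([0x41]) * 0x8000            # $41 used as fill
    img[0x7FBF] = 0x17                          # mode-select byte
    # Every interrupt vector -> $6E18, reset vector -> $45FD (as antus reported).
    img[0x7FD6:0x8000] = struct.pack(">21H", *([0x6E18] * 20 + [0x45FD]))
    return bytes(img)

if __name__ == "__main__":
    for name, (target, off) in read_vectors(build_sample()).items():
        where = "unmapped" if off is None else f"file offset 0x{off:04X}"
        print(f"{name:15s} -> ${target:04X}  ({where})")
```

To run it on a real dump, pass the bytes of the 32 KiB BIN file to `read_vectors` instead of `build_sample()`.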

Re: decompile Digifant 1 68HC11A1

Post by vwnut8392 »

j_ds_au wrote:
vwnut8392 wrote:
j_ds_au wrote: If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.

But it does exist. Antus quoted 45FD and 6E18, both of which fall within the 0800-7FFF range.

BTW, I don't quite understand 6E18, but since the unknown opcode $41 is clearly used as "fill", this may be some trap to catch errant operation and induce a reset.

Joe.

6E18 does confuse me as well. There is a 3 timing map version of it too. I think it is the earliest version of the software for this ECU. When I tried to work with it in IDA Pro it seemed to make a little more sense than the single map file. The files interchange and work in all ECUs regardless of ECU and whether it's a manual or automatic car. I attached the 3 timing map file so you can look at it too.

I've attached TunerPro XDFs for the single timing map and 3 timing map files too so you can see the mapping others have figured out and know what's going on where. The single timing map XDF is what I normally use; I added the special group that has the map switching, acceleration enrichment, and O2 delete patch to keep the car in open loop for tuning. My goal is to figure out the Saab file's features like the knock light output and how they added the Saab APC boost box, because that would be great to use with a turbo car. I would like to create a hard cut ignition launch control along with a hard spark cut rev limiter as well. Some cars I have that use the map switch for a form of launch control just push through the timing retard to the rev limiter. What we did was take from the RPM we want launch control to start at and flatten the map with FF to the end of the map on the secondary ignition. I want to create patches in TunerPro that will add or remove these features at the user's will. I don't plan on even trying to benefit financially from this at all either, I'm doing this because I want to and I think Digifant 1 can be almost standalone-like with enough time and work to modernize it and add features to the ECU.


The Saab file I posted is very heavily modified like I said before. They have added things like it using a Saab crank sensor instead of a 4 window distributor like factory, they added a full potentiometer TPS switch on top of the closed throttle and wide open throttle switch it has from the factory, they added a knock output light to pin 20, and they say that pin 22 on the ECU outputs to a Saab APC boost control box. It's extremely interesting to me and I would love to know how it all works.
Attachments
G60 Single Timing Map01.xdf
Single timing map XDF
(122.14 KiB) Downloaded 437 times
TunerPro RT v5 - G60 3 Ignition Map (Marc G60T 2014).xdf
3 timing map tuner pro XDF
(72.86 KiB) Downloaded 436 times
Stock G60 Three ignition maps.bin
Digifant 1 3 timing map stock file
(32 KiB) Downloaded 435 times