Charlescrown wrote:Because it's a diesel you will find a fuel (otherwise known as drivers wish map) and smoke map for each gear I don't know why they do it but I bet that's the reason so many maps. You will also find maps for the start and finish of injection that may also be for each gear. My Hyundai list over 200 maps using winols. Some obviously not really maps but there are sure plenty to play with.
This is GMs first ever electronic diesel injection pump control system and it's far from perfect. AFAIK. There's only one base fueling MAP. And then the modifiers based on boost, DTC codes. Etc. Hell, they don't even use the low MAP modifier for some reason so when MAP goes below one atmosphere, it keeps dumping fuel like it has boost.
Fueling is capped at 79.69mm^3 and we never figured out any custom firmware on the OBD1 to push it further even though the mechanical spec of the pump says it could push more. FF=79.69 but the pump could possibly do 120.
I figured i'd follow up with how the original (scrambled) .BIN was read off this PCM in-case there is any curiosity.
Erikje used a HC11 programmer setup to the 40 Pin debug connector on the PCM along with it's DOS software "Prog11.exe". Connected to the UART at the correct frequency.
I'm attaching the instructions and HC11 pinout to this post.
Huh, interesting!. Would be interested to see what the HC11 programmer is reading/writing to the MCU.
Could.. technically.. use an el-cheapo arduino to monitor the rx/tx lines (Assuming thats ttl rxd and txd).. Id be interested
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Have a look at hc11 isp, maybe throw in a few keywords like moda and modb. Im assuming the isp requested each address byte sequentially but didnt read it over uart because it'd be descrambled to begin with. He sniffed the data off the edge connector with it wired up as per spec so the address bit swapping affected the data.
I guess you cant tri-state the hc11 hence needing it to drive the address pins on the bus (though i havnt read the spec).
Warning: I'm a bit of a newb when it comes to running a disassembler, but I think i'm starting to get somewhere
I think (due to some other good threads on here) that I have the control file setup correctly for DHC11 to get all the standard labels, but i'm wondering what I should do for the 2D/3D lookups I have identified already by using TunerPro's data viewing tools. Is there a syntax in the control file that I should tell it where these tables are and then I can find the functions/routines that use those lookups?
I attached a snip of my disassembly where I know there is a 3D table but it didn't identify it as one. I figure this is where I should start since it's what makes sense to me so far.
Attachments
table_in_dissasembly.JPG (133.78 KiB) Viewed 6844 times
I think the table selection is manual as there is no header to identify it. You need to setup the vector addresses and disassemble the code and revisit the control file to add labels as you figure out ram addresses and registers etc then run it again and again so it can use the labels throughout the disassembly. At some point you work purely in a text editor adding comments through the code and thats where you layout tables with a description.
antus wrote:Grab the bottom 64k and call it bank 1, and split off the bottom 32k and add 18000-1ffff and call that bank 2.
Thanks for 'leading me in the dark'!
For anyone interested, I attached the first run of disassembled code (I think?) assuming the structure quoted. This is just with HC11 config labels and the one reset vector defined in each control file.
I forgot to add the entry points so there's a bunch of blank leading up to the good stuff. I'll fix that tomorrow.
