Delco HDRC (Y17DT DYRX, DMRW & DNLF)
I have a car with this ECU and I wish to disassemble it in order to inject a new code sequence (done before on a VAG ME7.5 ECU).
As far as I know the processor type is Motorola 68HC11, but what version? I've found a lot of versions with different memory mapping.
My flash has 256K of data. Could you tell me how Extended Addressing is done and how to calculate offsets to see what memory address is loaded?
The differences between the 3 versions of software (DYRX, DMRW & DNLF) are in the fueling maps, and between DMRW and DYRX there are a few bytes changed between addresses 0x0000b7 and 0x000142.
The rest of the code is identical.
What tool do I need to read the internal 8K processor memory without desoldering? (This ECU is a hybrid, so I think desoldering will wreck the ECU.)
Thank you,
Ionut.
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
Well, I haven't seen that ECU, so I can only give you some general info. They tend to be custom variants so don't exactly line up with an off-the-shelf part number. I've not seen one with 8k internal ROM, so I wouldn't assume it's there in your first run. The HC11 is only an 8-bit CPU, so 64k address space. The 128k programs I've seen have the calibration below 32k, and swap the top 32k between engine and transmission code. Some routines (such as 2D or 3D lookup) exist just below 32k and are called from both high banks.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
In some places it says 8K memory, in others 32. I have some experience with Atmel uC and Infineon C167. Never worked with Motorola.
Here is a memory mapping found on the internet: Is this internal memory duplicated in flash or is it just referenced?
- antus
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
I don't know. I would suggest reading the flash first and taking a look there. It's likely most if not all the code will be in there. The reset vectors are around FFFF, which gives you the entry points. If they use bank switching you'll see the same vectors in each upper bank, so you can identify those. Once you've found that you can cut up the bin and assemble 64k images for each bank-switched state. Then you can disasm those and take it from there. There will only be a couple of bank switches to identify, as it'll swap then execute all the code in that bank before returning to common space (<32k).
The reset vector at FFFE and IRQ and XIRQ are your main entry points, and serial should point you to the comms code.
This is a typical sample of the vectors:
Code: Select all
USER_VEC:FFC0 6C RESERVFFC0: fcb $6C ; l ; RESERVED
USER_VEC:FFC1 05 RESERVFFC1: fcb 5 ; RESERVED
USER_VEC:FFC2 6C RESERVFFC2: fcb $6C ; l ; RESERVED
USER_VEC:FFC3 05 RESERVFFC3: fcb 5 ; RESERVED
USER_VEC:FFC4 6C RESERVFFC4: fcb $6C ; l ; RESERVED
USER_VEC:FFC5 05 RESERVFFC5: fcb 5 ; RESERVED
USER_VEC:FFC6 6C RESERVFFC6: fcb $6C ; l ; RESERVED
USER_VEC:FFC7 05 RESERVFFC7: fcb 5 ; RESERVED
USER_VEC:FFC8 6C RESERVFFC8: fcb $6C ; l ; RESERVED
USER_VEC:FFC9 05 RESERVFFC9: fcb 5 ; RESERVED
USER_VEC:FFCA 6C RESERVFFCA: fcb $6C ; l ; RESERVED
USER_VEC:FFCB 05 RESERVFFCB: fcb 5 ; RESERVED
USER_VEC:FFCC 6C RESERVFFCC: fcb $6C ; l ; RESERVED
USER_VEC:FFCD 05 RESERVFFCD: fcb 5 ; RESERVED
USER_VEC:FFCE 6C RESERVFFCE: fcb $6C ; l ; RESERVED
USER_VEC:FFCF 05 RESERVFFCF: fcb 5 ; RESERVED
USER_VEC:FFD0 6C RESERVFFD0: fcb $6C ; l ; RESERVED
USER_VEC:FFD1 05 RESERVFFD1: fcb 5 ; RESERVED
USER_VEC:FFD2 6C RESERVFFD2: fcb $6C ; l ; RESERVED
USER_VEC:FFD3 05 RESERVFFD3: fcb 5 ; RESERVED
USER_VEC:FFD4 6C RESERVFFD4: fcb $6C ; l ; RESERVED
USER_VEC:FFD5 05 RESERVFFD5: fcb 5 ; RESERVED
USER_VEC:FFD6 67 C2 fdb SCISS ; SCI Serial System
USER_VEC:FFD8 6C 05 fdb SPIE ; SPI Serial Transfer Complete
USER_VEC:FFDA 6C 05 fdb SPIE ; Pulse Accumulator Input Edge
USER_VEC:FFDC 6C 05 fdb SPIE ; Pulse Accumulator Overflow
USER_VEC:FFDE 6C 05 fdb SPIE ; Timer Overflow
USER_VEC:FFE0 6C 05 fdb SPIE ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2 6C 05 fdb SPIE ; Timer Output Compare 4
USER_VEC:FFE4 6C 05 fdb SPIE ; Timer Output Compare 3
USER_VEC:FFE6 74 00 fdb OC2I ; Timer Output Compare 2
USER_VEC:FFE8 75 99 fdb OC1I ; Timer Output Compare 1
USER_VEC:FFEA 74 96 fdb IC3I ; Timer Input Capture 3
USER_VEC:FFEC 73 E8 fdb IC2I ; Timer Input Capture 2
USER_VEC:FFEE 6E 7B fdb IC1I ; Timer Input Capture 1
USER_VEC:FFF0 6C 05 fdb SPIE ; Real Time Interrupt
USER_VEC:FFF2 6E E6 fdb IRQ ; IRQ
USER_VEC:FFF4 6C 02 fdb XIRQ ; XIRQ Pin
USER_VEC:FFF6 6B EE fdb SOFT ; Software Interrupt
USER_VEC:FFF8 6B F4 fdb OPC ; Illegal Opcode Trap
USER_VEC:FFFA 6B FA fdb NOCOP ; COP Failure
USER_VEC:FFFC 6B FE fdb CME ; Clock Monitor Fail
USER_VEC:FFFE 6B EA fdb __RESET ; Processor reset
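The bank-splitting step described in the post above, as an added example that is not part of the original thread or anyone's tooling: it reads the vector table at the top of each 32K page and assembles a 64K image for every page that looks like a code bank. The page layout (page 0 is the common region), the function names and the 128K sample dump are assumptions constructed for illustration.

```python
import struct

BANK = 0x8000  # 32K: the common region and each switched upper bank
# Vector addresses taken from the HC11 listing in the post (big-endian words).
VECTORS = {"SCI": 0xFFD6, "IRQ": 0xFFF2, "XIRQ": 0xFFF4, "RESET": 0xFFFE}

def bank_vectors(page: bytes) -> dict:
    """Read the vectors from a 32K page as if it were mapped at $8000-$FFFF."""
    return {n: struct.unpack_from(">H", page, a - BANK)[0] for n, a in VECTORS.items()}

def plausible(vecs: dict) -> bool:
    """Heuristic: reject blank/erased entries and a reset vector that is
    shared with the SCI handler (the mismatch pointed out in this thread)."""
    if any(v in (0x0000, 0xFFFF) for v in vecs.values()):
        return False
    return vecs["RESET"] != vecs["SCI"]

def split_pages(flash: bytes) -> list:
    if len(flash) < 2 * BANK or len(flash) % BANK:
        raise ValueError("dump is not a whole number of 32K pages")
    return [flash[i:i + BANK] for i in range(0, len(flash), BANK)]

def build_images(flash: bytes) -> dict:
    """Assumed layout: page 0 is common space (<32K); any later page with a
    plausible vector table is an upper bank. Returns {page index: 64K image}."""
    pages = split_pages(flash)
    return {i: pages[0] + p for i, p in enumerate(pages[1:], start=1)
            if plausible(bank_vectors(p))}

def demo_flash() -> bytes:
    """Constructed 128K sample (not a real ECU dump): common page, erased page,
    and two code pages carrying the same vector table."""
    def code_page(fill: int) -> bytes:
        page = bytearray([fill]) * BANK
        for addr in range(0xFFD6, 0x10000, 2):
            struct.pack_into(">H", page, addr - BANK, 0x6C05)  # default handler
        struct.pack_into(">H", page, 0xFFD6 - BANK, 0x67C2)    # SCI
        struct.pack_into(">H", page, 0xFFFE - BANK, 0x6BEA)    # reset
        return bytes(page)
    return bytes([0x11]) * BANK + b"\xff" * BANK + code_page(0x22) + code_page(0x33)

if __name__ == "__main__":
    for idx, image in build_images(demo_flash()).items():
        print(idx, len(image), {n: hex(v) for n, v in bank_vectors(image[BANK:]).items()})
```

Each returned image can be loaded into a disassembler at base address 0; pages that fail the check (erased or data-only) are skipped rather than guessed at.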
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
Thank you,
Attached are all 3 types of software. As you can see, in the last part of them there are some changes. Those are maps. In the first 32K of flash there are differences in just one case, the others are the same: Found those lines at 0xFFFE (there I have fdb SCISS, which is the reset vector I think. All other lines are the same as in your example).
The reset vector definition is found at 0x217C.
Thank you again.
Code: Select all
USER_VEC:FFC0 ; ===========================================================================
USER_VEC:FFC0
USER_VEC:FFC0 ; Segment type: Pure data
USER_VEC:FFC0 ; segment USER_VEC
USER_VEC:FFC0 org $FFC0
USER_VEC:FFC0 RESERVFFC0: fcb 0 ; RESERVED
USER_VEC:FFC1 RESERVFFC1: fcb 7 ; RESERVED
USER_VEC:FFC2 RESERVFFC2: fcb $5A ; Z ; RESERVED
USER_VEC:FFC3 RESERVFFC3: fcb $10 ; RESERVED
USER_VEC:FFC4 RESERVFFC4: fcb 1 ; RESERVED
USER_VEC:FFC5 RESERVFFC5: fcb $64 ; d ; RESERVED
USER_VEC:FFC6 RESERVFFC6: fcb $21 ; ! ; RESERVED
USER_VEC:FFC7 RESERVFFC7: fcb $7C ; | ; RESERVED
USER_VEC:FFC8 RESERVFFC8: fcb 0 ; RESERVED
USER_VEC:FFC9 RESERVFFC9: fcb 7 ; RESERVED
USER_VEC:FFCA RESERVFFCA: fcb $5A ; Z ; RESERVED
USER_VEC:FFCB RESERVFFCB: fcb $1A ; RESERVED
USER_VEC:FFCC RESERVFFCC: fcb 1 ; RESERVED
USER_VEC:FFCD RESERVFFCD: fcb $68 ; h ; RESERVED
USER_VEC:FFCE RESERVFFCE: fcb $21 ; ! ; RESERVED
USER_VEC:FFCF RESERVFFCF: fcb $7C ; | ; RESERVED
USER_VEC:FFD0 RESERVFFD0: fcb 0 ; RESERVED
USER_VEC:FFD1 RESERVFFD1: fcb 7 ; RESERVED
USER_VEC:FFD2 RESERVFFD2: fcb $5A ; Z ; RESERVED
USER_VEC:FFD3 RESERVFFD3: fcb $24 ; $ ; RESERVED
USER_VEC:FFD4 RESERVFFD4: fcb 1 ; RESERVED
USER_VEC:FFD5 RESERVFFD5: fcb $6C ; l ; RESERVED
USER_VEC:FFD6 fdb SCISS ; SCI Serial System
USER_VEC:FFD8 fdb SPIE ; SPI Serial Transfer Complete
USER_VEC:FFDA fdb PAII ; Pulse Accumulator Input Edge
USER_VEC:FFDC fdb PAOVI ; Pulse Accumulator Overflow
USER_VEC:FFDE fdb SCISS ; Timer Overflow
USER_VEC:FFE0 fdb SPIE ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2 fdb OC4I ; Timer Output Compare 4
USER_VEC:FFE4 fdb OC3I ; Timer Output Compare 3
USER_VEC:FFE6 fdb SCISS ; Timer Output Compare 2
USER_VEC:FFE8 fdb SPIE ; Timer Output Compare 1
USER_VEC:FFEA fdb IC3I ; Timer Input Capture 3
USER_VEC:FFEC fdb IC2I ; Timer Input Capture 2
USER_VEC:FFEE fdb SCISS ; Timer Input Capture 1
USER_VEC:FFF0 fdb SPIE ; Real Time Interrupt
USER_VEC:FFF2 fdb IRQ ; IRQ
USER_VEC:FFF4 fdb XIRQ ; XIRQ Pin
USER_VEC:FFF6 fdb SCISS ; Software Interrupt
USER_VEC:FFF8 fdb SPIE ; Illegal Opcode Trap
USER_VEC:FFFA fdb NOCOP ; COP Failure
USER_VEC:FFFC fdb CME ; Clock Monitor Fail
USER_VEC:FFFE off_FFFE: fdb SCISS ; DATA XREF: RAM:0010w
USER_VEC:FFFE ; RAM:loc_13w ...
- antus
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
Those can't be the right vectors for that bin, because the serial subsystem jumps to the same place as the reset vector. Unless in the hardware the serial is not handled via the processor's UART, and thus they consider a serial interrupt an error condition.
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
So maybe I selected the wrong processor type in IDA? (There are a lot of 68HC11 versions and my processor has no label on it; it is a hybrid inside the ECU.)
- antus
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
I took another look, and I don't think that's HC11 code. A reset vector of FFFF can't be right. Try Motorola 68K. I'm not sure where the vectors are but the code looks a lot more correct.
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
If selecting 68K as the processor type, no segments are defined.
Tested with 6812 and the user vectors are odd.
Motorola 6805 creates segments, but it looks odd, nothing like your example.
With 6808 it looks almost the same as with 6811.
On HCS12 user_vector is like this:
Seems like all of the 68 family has the reset vector at 0xFFFE and the user vectors start at 0xFFC0 / 0xFFD0.
Code: Select all
USER_VEC:FFCC ; Segment type: Pure data
USER_VEC:FFCC ; segment USER_VEC
USER_VEC:FFCC org $FFCC
USER_VEC:FFCC fdb TIMA5 ; "TIMA Channel 5"
USER_VEC:FFCE fdb TIMA4 ; "TIMA Channel 4"
USER_VEC:FFD0 fdb DDRD ; "ADC Conversion Complete"
USER_VEC:FFD2 fdb KBRD ; "Keyboard"
USER_VEC:FFD4 fdb SCI_T ; "SCI Module Transmit"
USER_VEC:FFD6 fdb TIMA4 ; "SCI Module Receive"
USER_VEC:FFD8 fdb DDRD ; "SCI Module Error"
USER_VEC:FFDA fdb CAN_T ; "CAN Module Transmit"
USER_VEC:FFDC fdb CAN_R ; "CAN Module Receive"
USER_VEC:FFDE fdb TIMA4 ; "CAN Module Error"
USER_VEC:FFE0 fdb DDRD ; "CAN Module Wakeup"
USER_VEC:FFE2 fdb SPI_T ; "SPI Module Transmit"
USER_VEC:FFE4 fdb SPI_R ; "SPI Module Receive"
USER_VEC:FFE6 fdb TIMA4 ; "TIMB Overflow"
USER_VEC:FFE8 fdb DDRD ; "TIMB Channel 1"
USER_VEC:FFEA fdb TIMB_CH0 ; "TIMB Channel 0"
USER_VEC:FFEC fdb TIMA ; "TIMA Overflow"
USER_VEC:FFEE fdb TIMA4 ; "TIMA Channel 3"
USER_VEC:FFF0 fdb DDRD ; "TIMA Channel 2"
USER_VEC:FFF2 fdb TIMA_CH1 ; "TIMA Channel 1"
USER_VEC:FFF4 fdb TIMA_CH0 ; "TIMA Channel 0"
USER_VEC:FFF6 fdb TIMA4 ; "TIM"
USER_VEC:FFF8 fdb DDRD ; "PLL Module"
USER_VEC:FFFA fdb IRQ ; "IRQ"
USER_VEC:FFFC fdb SWI ; "SWI"
USER_VEC:FFFE fdb TIMA4 ; Processor reset
USER_VEC:FFFE ; end of 'USER_VEC'
USER_VEC:FFFE
Code: Select all
USER_VEC:FFB8 fdb RESERVED0007 ; FLASH
USER_VEC:FFBA fdb EECTL_ ; EEPROM
USER_VEC:FFBC fcb 1
USER_VEC:FFBD fcb $60 ; `
USER_VEC:FFBE fdb PTPIF_PTPIE ; SPI1
USER_VEC:FFC0 fdb RESERVED0007 ; IIC Bus
USER_VEC:FFC2 fcb $5A ; Z
USER_VEC:FFC3 fcb $10
USER_VEC:FFC4 fdb CRGINT_SCMIE ; CRG Self Clock Mode
USER_VEC:FFC6 fdb PTPIF_PTPIE ; CRG PLL lock
USER_VEC:FFC8 fdb RESERVED0007 ; Pulse Accumulator B Overflow
USER_VEC:FFCA fdb MCCTL_MCZI ; Modulus Down Counter underflow
USER_VEC:FFCC fdb PTHIF_PTHIE ; Port H
USER_VEC:FFCE fdb PTPIF_PTPIE ; Port J
USER_VEC:FFD0 fdb RESERVED0007 ; ATD1
USER_VEC:FFD2 fdb ATD0CTL2_ ; ATD0
USER_VEC:FFD4 fdb SC1CR2_ ; SCI1
USER_VEC:FFD6 fdb PTPIF_PTPIE ; SCI0
USER_VEC:FFD8 fdb RESERVED0007 ; SPI0
USER_VEC:FFDA fdb PACTL_PAI ; Pulse accumulator input edge
USER_VEC:FFDC fdb PACTL_PAOVI ; Pulse accumulator A overflow
USER_VEC:FFDE fdb PTPIF_PTPIE ; Enhanced Capture Timer overflow
USER_VEC:FFE0 fdb RESERVED0007 ; Enhanced Capture Timer channel 7
USER_VEC:FFE2 fdb TIE_C6I ; Enhanced Capture Timer channel 6
USER_VEC:FFE4 fdb TIE_C5I ; Enhanced Capture Timer channel 5
USER_VEC:FFE6 fdb PTPIF_PTPIE ; Enhanced Capture Timer channel 4
USER_VEC:FFE8 fdb RESERVED0007 ; Enhanced Capture Timer channel 3
USER_VEC:FFEA fdb TIE_C2I ; Enhanced Capture Timer channel 2
USER_VEC:FFEC fdb TIE_C1I ; Enhanced Capture Timer channel 1
USER_VEC:FFEE fdb PTPIF_PTPIE ; Enhanced Capture Timer channel 0
USER_VEC:FFF0 fdb RESERVED0007 ; Real Time Interrupt
USER_VEC:FFF2 fdb IRQCR_IRQEN ; IRQ
USER_VEC:FFF4 fdb XIRQ_ ; XIRQ
USER_VEC:FFF6 fdb PTPIF_PTPIE ; SWI
USER_VEC:FFF8 fcb 0
USER_VEC:FFF9 fcb 7
USER_VEC:FFFA fdb COP_ ; COP rate select
USER_VEC:FFFC fdb PLLCTL_ ; Clock Monitor fail reset
USER_VEC:FFFE fdb PTPIF_PTPIE ; Power-on reset
USER_VEC:FFFE
- antus
Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)
Not all. The later Delphi generation are 68k but the vectors are at 0x00000. This definitely looks like 68k but as you say the vectors are not automatic.