Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Thu Jul 24, 2014 10:57 pm

I have a car with this ECU and I wish to disassemble it in order to inject a new code sequence (done before on a VAG ME7.5 ECU).
As far as I know the processor type is Motorola 68HC11, but which version? I've found a lot of versions with different memory mappings.
My flash has 256K of data. Could you tell me how Extended Addressing is done and how to calculate offsets to see what memory address is loaded?

The differences between the 3 versions of software (DYRX, DMRW & DNLF) are in the fueling maps, and between DMRW and DYRX there are a few bytes changed between addresses 0x0000b7 and 0x000142.
The rest of the code is identical.

What tool do I need to read the internal 8K processor memory without desoldering? (This ECU is hybrid, so I think desoldering will wreck the ECU.)

Thank you,
Ionut.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Thu Jul 24, 2014 11:01 pm

Well, I haven't seen that ECU, so I can only give you some general info. They tend to be custom variants so don't exactly line up with an off-the-shelf part number. I've not seen one with 8K internal ROM, so I wouldn't assume it's there in your first run. The HC11 is only an 8-bit CPU, so 64K address space. The 128K programs I've seen have the calibration below 32K, and swap the top 32K between engine and transmission code. Some routines (such as 2D or 3D lookup) exist just below 32K and are called from both high banks.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Thu Jul 24, 2014 11:47 pm

In some places it says 8K memory, in others 32K. I have some experience with Atmel uC and Infineon C167. Never worked with Motorola.
Here is a memory mapping found on the internet:
[attachment: img7.png]


Is this internal memory duplicated in flash or is it just referenced?


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Fri Jul 25, 2014 12:55 am

I don't know. I would suggest reading the flash first and taking a look there. It's likely most if not all the code will be in there. The reset vectors are around FFFF, which gives you the entry points. If they use bank switching you'll see the same vectors in each upper bank, so you can identify those. Once you've found that you can cut up the bin and assemble 64K images for each bank-switched state. Then you can disassemble those and take it from there. There will only be a couple of bank switches to identify, as it'll swap then execute all the code in that bank before returning to common space (<32K).

This is a typical sample of the vectors:

The reset vector at FFFE and IRQ and XIRQ are your main entry points, and serial should point you to the comms code.

Code:
USER_VEC:FFC0 6C          RESERVFFC0:     fcb $6C ; l             ; RESERVED
USER_VEC:FFC1 05          RESERVFFC1:     fcb   5                 ; RESERVED
USER_VEC:FFC2 6C          RESERVFFC2:     fcb $6C ; l             ; RESERVED
USER_VEC:FFC3 05          RESERVFFC3:     fcb   5                 ; RESERVED
USER_VEC:FFC4 6C          RESERVFFC4:     fcb $6C ; l             ; RESERVED
USER_VEC:FFC5 05          RESERVFFC5:     fcb   5                 ; RESERVED
USER_VEC:FFC6 6C          RESERVFFC6:     fcb $6C ; l             ; RESERVED
USER_VEC:FFC7 05          RESERVFFC7:     fcb   5                 ; RESERVED
USER_VEC:FFC8 6C          RESERVFFC8:     fcb $6C ; l             ; RESERVED
USER_VEC:FFC9 05          RESERVFFC9:     fcb   5                 ; RESERVED
USER_VEC:FFCA 6C          RESERVFFCA:     fcb $6C ; l             ; RESERVED
USER_VEC:FFCB 05          RESERVFFCB:     fcb   5                 ; RESERVED
USER_VEC:FFCC 6C          RESERVFFCC:     fcb $6C ; l             ; RESERVED
USER_VEC:FFCD 05          RESERVFFCD:     fcb   5                 ; RESERVED
USER_VEC:FFCE 6C          RESERVFFCE:     fcb $6C ; l             ; RESERVED
USER_VEC:FFCF 05          RESERVFFCF:     fcb   5                 ; RESERVED
USER_VEC:FFD0 6C          RESERVFFD0:     fcb $6C ; l             ; RESERVED
USER_VEC:FFD1 05          RESERVFFD1:     fcb   5                 ; RESERVED
USER_VEC:FFD2 6C          RESERVFFD2:     fcb $6C ; l             ; RESERVED
USER_VEC:FFD3 05          RESERVFFD3:     fcb   5                 ; RESERVED
USER_VEC:FFD4 6C          RESERVFFD4:     fcb $6C ; l             ; RESERVED
USER_VEC:FFD5 05          RESERVFFD5:     fcb   5                 ; RESERVED
USER_VEC:FFD6 67 C2                       fdb SCISS               ; SCI Serial System
USER_VEC:FFD8 6C 05                       fdb SPIE                ; SPI Serial Transfer Complete
USER_VEC:FFDA 6C 05                       fdb SPIE                ; Pulse Accumulator Input Edge
USER_VEC:FFDC 6C 05                       fdb SPIE                ; Pulse Accumulator Overflow
USER_VEC:FFDE 6C 05                       fdb SPIE                ; Timer Overflow
USER_VEC:FFE0 6C 05                       fdb SPIE                ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2 6C 05                       fdb SPIE                ; Timer Output Compare 4
USER_VEC:FFE4 6C 05                       fdb SPIE                ; Timer Output Compare 3
USER_VEC:FFE6 74 00                       fdb OC2I                ; Timer Output Compare 2
USER_VEC:FFE8 75 99                       fdb OC1I                ; Timer Output Compare 1
USER_VEC:FFEA 74 96                       fdb IC3I                ; Timer Input Capture 3
USER_VEC:FFEC 73 E8                       fdb IC2I                ; Timer Input Capture 2
USER_VEC:FFEE 6E 7B                       fdb IC1I                ; Timer Input Capture 1
USER_VEC:FFF0 6C 05                       fdb SPIE                ; Real Time Interrupt
USER_VEC:FFF2 6E E6                       fdb IRQ                 ; IRQ
USER_VEC:FFF4 6C 02                       fdb XIRQ                ; XIRQ Pin
USER_VEC:FFF6 6B EE                       fdb SOFT                ; Software Interrupt
USER_VEC:FFF8 6B F4                       fdb OPC                 ; Illegal Opcode Trap
USER_VEC:FFFA 6B FA                       fdb NOCOP               ; COP Failure
USER_VEC:FFFC 6B FE                       fdb CME                 ; Clock Monitor Fail
USER_VEC:FFFE 6B EA                       fdb __RESET             ; Processor reset
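The procedure antus lays out in his two replies above (split the dump into one 64K view per bank state, read the vector table at the top of each view, treat identical tables in every upper bank as the bank-switching tell, and distrust a table whose serial vector equals the reset vector) can be done mechanically. The script below is an added example, not code from the thread, the ECU, or any disassembler. It assumes a file layout the thread never states: the low 32K of the file is the common half of the CPU address space and each following 32K block is one upper bank; both sizes are constants you can change. The 128K sample image it builds for itself is constructed, not a real dump, and borrows the vector values from the listing above.

```python
# Added example: not code from the thread, the ECU, or any disassembler.
# It does mechanically what the post above describes for a bank-switched
# 68HC11 image: split the raw dump into one 64K view per bank state, read
# the interrupt vector table at $FFD6-$FFFF of each view, confirm that the
# upper banks share the same table (the bank-switching tell), and flag a
# table whose SCI vector equals the reset vector, which cannot be live.
#
# Assumed file layout (the thread does not state one; change the two
# constants if the real dump differs):
#   file[0x0000:0x8000]               -> common low half, CPU $0000-$7FFF
#   file[0x8000 + n*0x8000 : +0x8000] -> bank n, mapped at CPU $8000-$FFFF
import struct
import sys

COMMON_SIZE = 0x8000   # assumption: low 32K shared by every bank state
BANK_SIZE = 0x8000     # assumption: one swappable upper 32K bank

# Standard MC68HC11 interrupt vector table, highest-priority entries last.
HC11_VECTORS = {
    0xFFD6: "SCI", 0xFFD8: "SPI", 0xFFDA: "PAII", 0xFFDC: "PAOVI",
    0xFFDE: "TOI", 0xFFE0: "TI4O5", 0xFFE2: "OC4", 0xFFE4: "OC3",
    0xFFE6: "OC2", 0xFFE8: "OC1", 0xFFEA: "IC3", 0xFFEC: "IC2",
    0xFFEE: "IC1", 0xFFF0: "RTI", 0xFFF2: "IRQ", 0xFFF4: "XIRQ",
    0xFFF6: "SWI", 0xFFF8: "ILLOP", 0xFFFA: "COP", 0xFFFC: "CMF",
    0xFFFE: "RESET",
}


def build_views(image, common_size=COMMON_SIZE, bank_size=BANK_SIZE):
    """One 64K bytes object per bank state: common half + upper bank n."""
    common = image[:common_size]
    upper = image[common_size:]
    nbanks = len(upper) // bank_size
    return [common + upper[n * bank_size:(n + 1) * bank_size]
            for n in range(nbanks)]


def cpu_to_file_offset(addr, bank, common_size=COMMON_SIZE, bank_size=BANK_SIZE):
    """File offset of the byte a 16-bit CPU address reaches while `bank`
    is selected; addresses below the bank window map 1:1."""
    if addr < common_size:
        return addr
    return common_size + bank * bank_size + (addr - common_size)


def read_vectors(view):
    """HC11 vectors are big-endian 16-bit words, as the fdb lines show."""
    return {name: struct.unpack(">H", view[a:a + 2])[0]
            for a, name in HC11_VECTORS.items()}


def vector_problems(vectors):
    """Reasons a parsed table cannot be the live vector table."""
    problems = []
    reset = vectors["RESET"]
    if reset in (0x0000, 0xFFFF) or reset >= 0xFFC0:
        problems.append("reset vector %04X does not point at code" % reset)
    if vectors["SCI"] == reset:
        problems.append("SCI vector equals reset vector")
    return problems


def bank_switched(views):
    """True when every upper bank carries an identical vector table."""
    tables = [read_vectors(v) for v in views]
    return len(tables) > 1 and all(t == tables[0] for t in tables)


def analyse(image):
    """Per-bank summary: where the reset handler lives in the file and
    which sanity checks fail, plus the bank-switching verdict."""
    views = build_views(image)
    banks = []
    for n, view in enumerate(views):
        vec = read_vectors(view)
        banks.append({"bank": n,
                      "reset_file_offset": cpu_to_file_offset(vec["RESET"], n),
                      "problems": vector_problems(vec)})
    return {"banks": banks, "bank_switched": bank_switched(views)}


def make_sample(nbanks=3, sci=0x67C2, reset=0x6BEA):
    """Constructed 128K dump (32K common + 3 banks), not a real image:
    every bank ends in the same vector table, the rest is filler."""
    table = bytearray(b"\xFF" * (0x10000 - 0xFFC0))
    for a, name in HC11_VECTORS.items():
        val = {"SCI": sci, "RESET": reset}.get(name, 0x6C05)
        table[a - 0xFFC0:a - 0xFFC0 + 2] = struct.pack(">H", val)
    bank = b"\x20" * (BANK_SIZE - len(table)) + bytes(table)
    return b"\x10" * COMMON_SIZE + bank * nbanks


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(analyse(data))
```

Run it as `python hc11_banks.py dump.bin`; with no argument it analyses its own constructed sample. Each entry of `analyse()` gives the file offset to hand to the disassembler as the reset entry point for that bank, and `cpu_to_file_offset()` is the offset calculation asked about in the first post, under the stated layout assumption. If `bank_switched` comes back False on a real dump, the layout constants are the first thing to question, not the bank-switching hypothesis.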


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Mon Jul 28, 2014 7:18 am

Thank you,
Attached are all 3 types of software. As you can see, in the last part of them there are some changes. Those are maps.
[attachment: Opel Astra 1.7 DTI Ori.zip]


In the first 32K of flash there are differences in just one case, the others are the same:
[attachment: differences.png]


Found these lines at 0xFFFE (there I have fdb SCISS, which is the reset vector I think. All other lines are the same as in your example).
The reset vector definition is found at 0x217C.

Code:
USER_VEC:FFC0 ; ===========================================================================
USER_VEC:FFC0
USER_VEC:FFC0 ; Segment type: Pure data
USER_VEC:FFC0                 ; segment USER_VEC
USER_VEC:FFC0                 org $FFC0
USER_VEC:FFC0 RESERVFFC0:     fcb   0                 ; RESERVED
USER_VEC:FFC1 RESERVFFC1:     fcb   7                 ; RESERVED
USER_VEC:FFC2 RESERVFFC2:     fcb $5A ; Z             ; RESERVED
USER_VEC:FFC3 RESERVFFC3:     fcb $10                 ; RESERVED
USER_VEC:FFC4 RESERVFFC4:     fcb   1                 ; RESERVED
USER_VEC:FFC5 RESERVFFC5:     fcb $64 ; d             ; RESERVED
USER_VEC:FFC6 RESERVFFC6:     fcb $21 ; !             ; RESERVED
USER_VEC:FFC7 RESERVFFC7:     fcb $7C ; |             ; RESERVED
USER_VEC:FFC8 RESERVFFC8:     fcb   0                 ; RESERVED
USER_VEC:FFC9 RESERVFFC9:     fcb   7                 ; RESERVED
USER_VEC:FFCA RESERVFFCA:     fcb $5A ; Z             ; RESERVED
USER_VEC:FFCB RESERVFFCB:     fcb $1A                 ; RESERVED
USER_VEC:FFCC RESERVFFCC:     fcb   1                 ; RESERVED
USER_VEC:FFCD RESERVFFCD:     fcb $68 ; h             ; RESERVED
USER_VEC:FFCE RESERVFFCE:     fcb $21 ; !             ; RESERVED
USER_VEC:FFCF RESERVFFCF:     fcb $7C ; |             ; RESERVED
USER_VEC:FFD0 RESERVFFD0:     fcb   0                 ; RESERVED
USER_VEC:FFD1 RESERVFFD1:     fcb   7                 ; RESERVED
USER_VEC:FFD2 RESERVFFD2:     fcb $5A ; Z             ; RESERVED
USER_VEC:FFD3 RESERVFFD3:     fcb $24 ; $             ; RESERVED
USER_VEC:FFD4 RESERVFFD4:     fcb   1                 ; RESERVED
USER_VEC:FFD5 RESERVFFD5:     fcb $6C ; l             ; RESERVED
USER_VEC:FFD6                 fdb SCISS               ; SCI Serial System
USER_VEC:FFD8                 fdb SPIE                ; SPI Serial Transfer Complete
USER_VEC:FFDA                 fdb PAII                ; Pulse Accumulator Input Edge
USER_VEC:FFDC                 fdb PAOVI               ; Pulse Accumulator Overflow
USER_VEC:FFDE                 fdb SCISS               ; Timer Overflow
USER_VEC:FFE0                 fdb SPIE                ; Timer Input Capture 4 / Output Compare 5
USER_VEC:FFE2                 fdb OC4I                ; Timer Output Compare 4
USER_VEC:FFE4                 fdb OC3I                ; Timer Output Compare 3
USER_VEC:FFE6                 fdb SCISS               ; Timer Output Compare 2
USER_VEC:FFE8                 fdb SPIE                ; Timer Output Compare 1
USER_VEC:FFEA                 fdb IC3I                ; Timer Input Capture 3
USER_VEC:FFEC                 fdb IC2I                ; Timer Input Capture 2
USER_VEC:FFEE                 fdb SCISS               ; Timer Input Capture 1
USER_VEC:FFF0                 fdb SPIE                ; Real Time Interrupt
USER_VEC:FFF2                 fdb IRQ                 ; IRQ
USER_VEC:FFF4                 fdb XIRQ                ; XIRQ Pin
USER_VEC:FFF6                 fdb SCISS               ; Software Interrupt
USER_VEC:FFF8                 fdb SPIE                ; Illegal Opcode Trap
USER_VEC:FFFA                 fdb NOCOP               ; COP Failure
USER_VEC:FFFC                 fdb CME                 ; Clock Monitor Fail
USER_VEC:FFFE off_FFFE:       fdb SCISS               ; DATA XREF: RAM:0010w
USER_VEC:FFFE                                         ; RAM:loc_13w ...


Thank you again.


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Mon Jul 28, 2014 4:10 pm

That can't be the right vectors for that bin, because the serial subsystem jumps to the same place as the reset vector. Unless in the hardware the serial is not handled via the processor's UART, and thus they consider a serial interrupt an error condition.


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Mon Jul 28, 2014 8:51 pm

So maybe I selected the wrong processor type in IDA? (There are a lot of 68HC11 versions and my processor has no label on it; it is hybrid inside the ECU.)


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Mon Jul 28, 2014 11:13 pm

I took another look, and I don't think that's HC11 code. A reset vector of FFFF can't be right. Try Motorola 68K. I'm not sure where the vectors are, but the code looks a lot more correct.


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Tue Jul 29, 2014 7:11 am

If I select 68K as the processor type, no segments are defined.
Tested with 6812 and the user vectors are odd.
Motorola 6805 creates segments, but it looks odd, nothing like your example.
With 6808 it looks almost the same as 6811:
Code:
USER_VEC:FFCC ; Segment type: Pure data
USER_VEC:FFCC                 ; segment USER_VEC
USER_VEC:FFCC                 org $FFCC
USER_VEC:FFCC                 fdb TIMA5               ; "TIMA Channel 5"
USER_VEC:FFCE                 fdb TIMA4               ; "TIMA Channel 4"
USER_VEC:FFD0                 fdb DDRD                ; "ADC Conversion Complete"
USER_VEC:FFD2                 fdb KBRD                ; "Keyboard"
USER_VEC:FFD4                 fdb SCI_T               ; "SCI Module Transmit"
USER_VEC:FFD6                 fdb TIMA4               ; "SCI Module Receive"
USER_VEC:FFD8                 fdb DDRD                ; "SCI Module Error"
USER_VEC:FFDA                 fdb CAN_T               ; "CAN Module Transmit"
USER_VEC:FFDC                 fdb CAN_R               ; "CAN Module Receive"
USER_VEC:FFDE                 fdb TIMA4               ; "CAN Module Error"
USER_VEC:FFE0                 fdb DDRD                ; "CAN Module Wakeup"
USER_VEC:FFE2                 fdb SPI_T               ; "SPI Module Transmit"
USER_VEC:FFE4                 fdb SPI_R               ; "SPI Module Receive"
USER_VEC:FFE6                 fdb TIMA4               ; "TIMB Overflow"
USER_VEC:FFE8                 fdb DDRD                ; "TIMB Channel 1"
USER_VEC:FFEA                 fdb TIMB_CH0            ; "TIMB Channel 0"
USER_VEC:FFEC                 fdb TIMA                ; "TIMA Overflow"
USER_VEC:FFEE                 fdb TIMA4               ; "TIMA Channel 3"
USER_VEC:FFF0                 fdb DDRD                ; "TIMA Channel 2"
USER_VEC:FFF2                 fdb TIMA_CH1            ; "TIMA Channel 1"
USER_VEC:FFF4                 fdb TIMA_CH0            ; "TIMA Channel 0"
USER_VEC:FFF6                 fdb TIMA4               ; "TIM"
USER_VEC:FFF8                 fdb DDRD                ; "PLL Module"
USER_VEC:FFFA                 fdb IRQ                 ; "IRQ"
USER_VEC:FFFC                 fdb SWI                 ; "SWI"
USER_VEC:FFFE                 fdb TIMA4               ; Processor reset
USER_VEC:FFFE ; end of 'USER_VEC'
USER_VEC:FFFE


On HCS12 the user vectors look like this:
Code:
USER_VEC:FFB8                 fdb RESERVED0007        ; FLASH
USER_VEC:FFBA                 fdb EECTL_              ; EEPROM
USER_VEC:FFBC                 fcb   1
USER_VEC:FFBD                 fcb $60 ; `
USER_VEC:FFBE                 fdb PTPIF_PTPIE         ; SPI1
USER_VEC:FFC0                 fdb RESERVED0007        ; IIC Bus
USER_VEC:FFC2                 fcb $5A ; Z
USER_VEC:FFC3                 fcb $10
USER_VEC:FFC4                 fdb CRGINT_SCMIE        ; CRG Self Clock Mode
USER_VEC:FFC6                 fdb PTPIF_PTPIE         ; CRG PLL lock
USER_VEC:FFC8                 fdb RESERVED0007        ; Pulse Accumulator B Overflow
USER_VEC:FFCA                 fdb MCCTL_MCZI          ; Modulus Down Counter underflow
USER_VEC:FFCC                 fdb PTHIF_PTHIE         ; Port H
USER_VEC:FFCE                 fdb PTPIF_PTPIE         ; Port J
USER_VEC:FFD0                 fdb RESERVED0007        ; ATD1
USER_VEC:FFD2                 fdb ATD0CTL2_           ; ATD0
USER_VEC:FFD4                 fdb SC1CR2_             ; SCI1
USER_VEC:FFD6                 fdb PTPIF_PTPIE         ; SCI0
USER_VEC:FFD8                 fdb RESERVED0007        ; SPI0
USER_VEC:FFDA                 fdb PACTL_PAI           ; Pulse accumulator input edge
USER_VEC:FFDC                 fdb PACTL_PAOVI         ; Pulse accumulator A overflow
USER_VEC:FFDE                 fdb PTPIF_PTPIE         ; Enhanced Capture Timer overflow
USER_VEC:FFE0                 fdb RESERVED0007        ; Enhanced Capture Timer channel 7
USER_VEC:FFE2                 fdb TIE_C6I             ; Enhanced Capture Timer channel 6
USER_VEC:FFE4                 fdb TIE_C5I             ; Enhanced Capture Timer channel 5
USER_VEC:FFE6                 fdb PTPIF_PTPIE         ; Enhanced Capture Timer channel 4
USER_VEC:FFE8                 fdb RESERVED0007        ; Enhanced Capture Timer channel 3
USER_VEC:FFEA                 fdb TIE_C2I             ; Enhanced Capture Timer channel 2
USER_VEC:FFEC                 fdb TIE_C1I             ; Enhanced Capture Timer channel 1
USER_VEC:FFEE                 fdb PTPIF_PTPIE         ; Enhanced Capture Timer channel 0
USER_VEC:FFF0                 fdb RESERVED0007        ; Real Time Interrupt
USER_VEC:FFF2                 fdb IRQCR_IRQEN         ; IRQ
USER_VEC:FFF4                 fdb XIRQ_               ; XIRQ
USER_VEC:FFF6                 fdb PTPIF_PTPIE         ; SWI
USER_VEC:FFF8                 fcb   0
USER_VEC:FFF9                 fcb   7
USER_VEC:FFFA                 fdb COP_                ; COP rate select
USER_VEC:FFFC                 fdb PLLCTL_             ; Clock Monitor fail reset
USER_VEC:FFFE                 fdb PTPIF_PTPIE         ; Power-on reset
USER_VEC:FFFE


Seems like the whole 68 family has the reset vector at 0xFFFE and the user vectors start at 0xFFC0 / 0xFFD0.


Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Tue Jul 29, 2014 8:06 am

Not all. The later Delphi generation are 68K, but the vectors are at 0x00000. This definitely looks like 68K but, as you say, the vectors are not automatic.
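The two replies above move the thread from the HC11 family, where the reset vector sits at 0xFFFE, to 68K, where the table starts at address 0. The script below is an added example, not code from the thread or from any Delco/Delphi firmware; it checks the "try 68K" hypothesis on a raw dump by reading the exception vector table a 68000 fetches from address 0 and applying the sanity checks a practitioner wants before committing IDA to a 68K disassembly. It assumes the flash is mapped at CPU address 0 (adjustable via `rom_base`); its 4K sample image, the RAM address 0x00FF8000 used for the stack, and the entry and handler addresses in it are constructed, not taken from any real ECU.

```python
# Added example: not code from the thread or from any Delco/Delphi firmware.
# It tests the "try 68K" suggestion above on a raw dump. A 68000 does not
# keep its vectors at $FFC0-$FFFF like the HC11 family; it fetches the
# initial supervisor stack pointer from longword 0 and the initial PC from
# longword 4, and every further exception or interrupt vector is a 32-bit
# big-endian longword in the 1 KB table that follows (68010 and later can
# relocate that table with VBR, but the reset pair always comes from 0).
#
# Assumption: the flash is mapped at CPU address `rom_base` (0 by default),
# so a vector "lands in ROM" when rom_base <= v < rom_base + len(image).
import struct
import sys

M68K_VECTOR_NAMES = {
    0: "initial SSP", 1: "initial PC", 2: "bus error", 3: "address error",
    4: "illegal instruction", 5: "zero divide", 6: "CHK", 7: "TRAPV",
    8: "privilege violation", 9: "trace", 10: "line 1010", 11: "line 1111",
    24: "spurious interrupt",
}
M68K_VECTOR_NAMES.update({24 + n: "level %d autovector" % n for n in range(1, 8)})
M68K_VECTOR_NAMES.update({32 + n: "TRAP #%d" % n for n in range(16)})

VECTOR_TABLE_BYTES = 256 * 4   # full 68000 exception table


def m68k_vectors(image, count=64):
    """First `count` big-endian longwords of the image."""
    return [struct.unpack(">I", image[i * 4:i * 4 + 4])[0] for i in range(count)]


def m68k_plausibility(image, rom_base=0):
    """The checks worth running before committing IDA to a 68K disassembly."""
    vecs = m68k_vectors(image)
    ssp, pc = vecs[0], vecs[1]
    rom_lo, rom_hi = rom_base, rom_base + len(image)
    problems = []
    if ssp & 1:
        problems.append("initial SSP is odd")
    if pc & 1:
        problems.append("initial PC is odd")
    if rom_lo <= ssp < rom_hi:
        problems.append("initial SSP points into ROM; the stack must be RAM")
    if not (rom_lo + VECTOR_TABLE_BYTES <= pc < rom_hi):
        problems.append("initial PC is not inside the ROM past the vector table")
    # Even, non-zero vectors that land in ROM are candidate handlers;
    # a zero entry is treated as unset, not as a jump to the SSP word.
    handlers = {i: v for i, v in enumerate(vecs)
                if i >= 2 and v and v % 2 == 0 and rom_lo <= v < rom_hi}
    return {"ssp": ssp, "pc": pc, "handlers_in_rom": len(handlers),
            "problems": problems}


def describe(image, rom_base=0):
    """Human-readable listing of the named vectors, IDA-style."""
    lines = []
    for i, v in enumerate(m68k_vectors(image)):
        if i in M68K_VECTOR_NAMES:
            lines.append("%04X  %08X  %s" % (rom_base + i * 4, v, M68K_VECTOR_NAMES[i]))
    return lines


def make_sample():
    """Constructed 4K image laid out like a minimal 68000 ROM: stack in
    assumed RAM at $00FF8000, entry at $400, one shared handler at $500,
    NOP ($4E71) filler for the code area. Not a real dump."""
    table = [0x00FF8000, 0x00000400] + [0x00000500] * 46 + [0] * 16
    head = b"".join(struct.pack(">I", v) for v in table)
    head += b"\x00" * (VECTOR_TABLE_BYTES - len(head))
    code = b"\x4E\x71" * ((0x1000 - VECTOR_TABLE_BYTES) // 2)
    return head + code


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print("\n".join(describe(data)))
    print(m68k_plausibility(data))
```

Run it as `python m68k_vectors.py dump.bin`. An empty `problems` list with a healthy `handlers_in_rom` count is the 68K signal; a blank or HC11-style image fails on odd or out-of-range values immediately. As antus notes, some Delphi units do not keep the vectors where the CPU expects them, so a failing result rules out only the "ROM at address 0, vectors at 0" layout, and a non-zero `rom_base` is the next thing to try.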
