
decompile Digifant 1 68HC11A1

Posted: Thu Jun 11, 2015 8:23 am
by vwnut8392
I've been trying to learn how to decompile a Digifant 1 ROM using IDA Pro, but I just can't understand it. It seems there are a good few people here with a wealth of knowledge on the 6811 processor. Would anyone be willing to help me with decompiling one of the stock BIN files? I have several other ones that have wild modifications done to them, and I would like to know how, why, and the purpose of the modifications performed in them. What I'm having trouble understanding is how the code from the EEPROM connects to the device on the engine itself. I know the entry points start at 0x7DF6 and end at 0x7FFE, but beyond that I'm lost. If anyone could help me out, that would be great. Thanks.

Re: decompile Digifant 1 68HC11A1

Posted: Thu Jun 11, 2015 3:18 pm
by antus
Is there a second chip in the computer? If I align the bin from 0x8000->0xFFFF, then that puts the reset vector at 45FD, which is out of range, and all the interrupt vectors point to 6E18, which is also out of range. I would expect something to be at 45FD at least, although that could then remap the bin... but quite possibly there is a second ROM mapped lower with code on it which handles boot.

Re: decompile Digifant 1 68HC11A1

Posted: Thu Jun 11, 2015 5:02 pm
by vwnut8392
antus wrote:Is there a second chip in the computer? If I align the bin from 0x8000->0xFFFF, then that puts the reset vector at 45FD, which is out of range, and all the interrupt vectors point to 6E18, which is also out of range. I would expect something to be at 45FD at least, although that could then remap the bin... but quite possibly there is a second ROM mapped lower with code on it which handles boot.
That's the only EPROM in the ECU. Here are schematics for the ECU and a picture of the inside, along with 2 BIN files with code modifications. The one BIN has map switching, which definitely works, and the other is a heavily modified file from a Saab rally car. The Saab was retrofitted with Digifant 1 and then modified to control things like the Saab APC boost controller; it has a knock light output and lots of other modifications.

Re: decompile Digifant 1 68HC11A1

Posted: Thu Jun 11, 2015 8:32 pm
by j_ds_au
If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.
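The two memory layouts discussed in this thread (antus's trial alignment of the bin at $8000-$FFFF, and Joe's reading of the MC68HC25 datasheet that puts the EPROM at $0800-$7FFF with the upper 8 KB aliased again at $E000-$FFFF) can be checked mechanically before loading anything into IDA. The script below is an added example, not code from any of the posters. It translates 68HC11 CPU addresses to file offsets under each layout, reads the 21-entry HC11 vector table at $FFD6-$FFFF, and reports which vector targets fall outside the mapped EPROM. The 32 KB image it builds is constructed for the example: it reproduces only the values quoted above ($17 at $7FBF, reset vector -> $45FD, the other vectors -> $6E18, $41 fill elsewhere) and is not a real Digifant dump. The segment list and names are the example's own choices.

```python
"""Map a Digifant 1 (68HC11A1 + MC68HC25) 32 KB EPROM image onto the CPU
address space and sanity-check the interrupt vector table.

Added example for this thread, not the posters' code.  "flat" is the
$8000-$FFFF alignment antus tried; "hc25" is the dual mapping ($0800-$7FFF
plus the upper 8 KB again at $E000-$FFFF) j_ds_au read from the MC68HC25
datasheet.  The sample image is constructed, not a real dump.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPROM_SIZE = 0x8000  # 32 KB part
FILL_BYTE = 0x41     # unused-opcode fill the thread mentions

# (cpu_start, cpu_end, file_offset_of_cpu_start)
MEMORY_MAPS: Dict[str, List[Tuple[int, int, int]]] = {
    "flat": [(0x8000, 0xFFFF, 0x0000)],
    "hc25": [(0x0800, 0x7FFF, 0x0800), (0xE000, 0xFFFF, 0x6000)],
}

# 68HC11 vector table, lowest address first; RESET is the last slot at $FFFE.
VECTOR_NAMES = [
    "SCI", "SPI", "PAIE", "PAO", "TOF", "TOC5", "TOC4", "TOC3", "TOC2", "TOC1",
    "TIC3", "TIC2", "TIC1", "RTI", "IRQ", "XIRQ", "SWI", "ILLOP", "COP",
    "CMF", "RESET",
]
VECTOR_BASE = 0xFFD6
assert VECTOR_BASE + 2 * len(VECTOR_NAMES) == 0x10000  # 21 vectors, 42 bytes


@dataclass(frozen=True)
class Vector:
    name: str
    slot: int                     # CPU address of the 2-byte vector
    target: int                   # address the vector points to
    target_offset: Optional[int]  # file offset of the target, None if unmapped


def addr_to_offset(addr: int, memory_map: str) -> Optional[int]:
    """Translate a CPU address to an offset in the EPROM file, or None."""
    for lo, hi, base in MEMORY_MAPS[memory_map]:
        if lo <= addr <= hi:
            return base + (addr - lo)
    return None


def bytes_at(image: bytes, addr: int, memory_map: str, n: int = 1) -> Optional[bytes]:
    """Read n bytes as the CPU would see them at addr, or None if unmapped."""
    off = addr_to_offset(addr, memory_map)
    if off is None or off + n > len(image):
        return None
    return image[off:off + n]


def read_vectors(image: bytes, memory_map: str) -> List[Vector]:
    """Decode the HC11 vector table (big-endian targets) under a memory map."""
    vectors = []
    for i, name in enumerate(VECTOR_NAMES):
        slot = VECTOR_BASE + 2 * i
        raw = bytes_at(image, slot, memory_map, 2)
        if raw is None:
            raise ValueError(f"vector slot {slot:04X} is not mapped under {memory_map!r}")
        target = int.from_bytes(raw, "big")
        vectors.append(Vector(name, slot, target, addr_to_offset(target, memory_map)))
    return vectors


def unmapped_targets(vectors: List[Vector]) -> List[str]:
    """Names of vectors whose target is outside the mapped EPROM."""
    return [v.name for v in vectors if v.target_offset is None]


def lands_in_fill(image: bytes, vec: Vector, memory_map: str, n: int = 4) -> bool:
    """True if the first n bytes at the vector target are all the fill byte."""
    chunk = bytes_at(image, vec.target, memory_map, n)
    return chunk is not None and set(chunk) == {FILL_BYTE}


def build_sample_image() -> bytes:
    """Constructed 32 KB image reproducing the values quoted in the thread."""
    img = bytearray([FILL_BYTE] * EPROM_SIZE)
    img[0x7FBF] = 0x17                                   # mode-select byte
    for i, name in enumerate(VECTOR_NAMES):
        target = 0x45FD if name == "RESET" else 0x6E18   # as antus reported
        img[0x7FD6 + 2 * i:0x7FD8 + 2 * i] = target.to_bytes(2, "big")
    img[0x45FD:0x4600] = bytes([0x8E, 0x00, 0xFF])      # LDS #$00FF, so it is not fill
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for mm in MEMORY_MAPS:
        vecs = read_vectors(image, mm)
        print(f"{mm}: unmapped vector targets: {unmapped_targets(vecs) or 'none'}")
    reset = read_vectors(image, "hc25")[-1]
    print(f"hc25 reset -> {reset.target:04X} at file offset {reset.target_offset:04X}")
```

Under "flat" every vector target is unmapped, which is exactly the symptom antus hit; under "hc25" all of them resolve, and the same file byte shows up at both $7FBF and $FFBF because the upper 8 KB is aliased. To use the "hc25" layout in IDA, create two segments for the one file: $0800-$7FFF loaded from file offset 0x0800, and $E000-$FFFF loaded from file offset 0x6000.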

Re: decompile Digifant 1 68HC11A1

Posted: Fri Jun 12, 2015 4:22 am
by vwnut8392
j_ds_au wrote:If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me, but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.

Re: decompile Digifant 1 68HC11A1

Posted: Fri Jun 12, 2015 5:16 am
by vwnut8392
I read the data sheet for the MC68HC25. I see $17 at 0x7FBF, and that sort of makes sense. I see some code starting at 0x7FB0; there are 8 bits there, and I'm going to guess they have something to do with the mode select register in the MC68HC25, maybe?

Re: decompile Digifant 1 68HC11A1

Posted: Fri Jun 12, 2015 6:47 pm
by j_ds_au
vwnut8392 wrote:
j_ds_au wrote:If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me, but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.
But it does exist. Antus quoted 45FD and 6E18, both of which fall within the 0800-7FFF range.

BTW, I don't quite understand 6E18, but since the unknown opcode $41 is clearly used as "fill", this may be some trap to catch errant operation and induce a reset.

Joe.

Re: decompile Digifant 1 68HC11A1

Posted: Sat Jun 13, 2015 3:22 am
by vwnut8392
j_ds_au wrote:
vwnut8392 wrote:
j_ds_au wrote:If I understand the MC68HC25 datasheet correctly, given that (a) this circuit uses both /CS1 and /CS2 to enable the EPROM and (b) the mode-select byte at $7FBF is $17 (stock bin), then the EPROM is mapped to both address ranges $0800-7FFF (all the EPROM, excluding the lower addresses) and $E000-FFFF (the upper 8KB).

Joe.

That's very interesting to me, but it also doesn't make sense to me either. I don't understand how it can access data that technically doesn't exist.
But it does exist. Antus quoted 45FD and 6E18, both of which fall within the 0800-7FFF range.

BTW, I don't quite understand 6E18, but since the unknown opcode $41 is clearly used as "fill", this may be some trap to catch errant operation and induce a reset.

Joe.
6E18 confuses me as well. There is a 3 timing map version too. I think it is the earliest version of the software for this ECU. When I tried to work with it in IDA Pro, it seemed to make a little more sense than the single map file. The files interchange and work in all ECUs regardless of ECU and whether it's a manual or automatic car. I attached the 3 timing map file so you can look at it too.

I've attached TunerPro XDFs for the single timing map and 3 timing map files too, so you can see the mapping others have figured out and know what's going on where. The single timing map XDF is what I normally use; I added the special group that has the map switching, acceleration enrichment, and O2 delete patch to keep the car in open loop for tuning. My goal is to figure out the Saab file's features, like the knock light output and how they added the Saab APC boost box, because that would be great to use with a turbo car. I would like to create a hard cut ignition launch control along with a hard spark cut rev limiter as well. Some cars I have that use the map switch for a form of launch control just push through the timing retard to the rev limiter. What we did was take the RPM we want launch control to start at and flatten the map with FF to the end of the map on the secondary ignition. I want to create patches in TunerPro that will add or remove these features at the user's will. I don't plan on even trying to benefit financially from this at all either; I'm doing this because I want to, and I think Digifant 1 can be almost standalone-like with enough time and work to modernize it and add features to the ECU.


The Saab file I posted is very heavily modified, like I said before. They have added things like using a Saab crank sensor instead of a 4 window distributor like factory; they added a full potentiometer TPS on top of the closed throttle and wide open throttle switch it has from the factory; they added a knock output light to pin 20; and they say that pin 22 on the ECU outputs to a Saab APC boost control box. It's extremely interesting to me, and I would love to know how it all works.