Custom P04 OS... going off the deep end
Posted: Thu Nov 18, 2021 8:32 am
Ok, I've had this idea for a little bit now. I have no plans to make it fancy in any way, but I want to learn this stuff a bit deeper. I'm stripping the code down to the bare minimum basics (flashing via BDM so don't need OBD2 etc. code). Right now, the target is to read the crank sensor signal from the ignition module, and respond back with the correct signal to generate spark, no advancement/timing math, no fuel, temps etc. Basically a dummy box that creates the right signals for only spark like an old school ATV CDI box, or even older, a points system.
Anyway, clearly I'm no expert yet so I'll 100% need help along the way. The vehicle I'm targeting is a 2000 Malibu with the 3100, which has a 7x crank sensor and is a waste spark system, and the ignition module is the bypass type (it does spark while cranking, the computer does spark after that for advancement). I've backtracked the RAM addresses as far as possible but I ran into a brick wall, which is a RAM address being read but never set anywhere that I can find.
I'm using Ghidra with the cpu32 language added, it still seems to miss a few commands here and there, but for the most part it works well.
Anyway, here are some snippets of code working backwards (from RPM down to the source it's created from). I don't quite understand what exactly that hard coded value represents, but more on that later.
RPM_Time_Maybe was just a guess that it must be some sort of time measurement. This var seems to just be a value holder of the RPM_Time_Source_Maybe var; there is a different point in the code where it sets it to 0.
And finally the raw math behind it and what I suspect is a time value since the last pulse, which I called RPM_Crank_Pulse_Time.
That last value has all references as read only, and searching for the hex address gives me no more results to look into, just code that reads the value unless something disassembled wrong.
For the math, I'm trying to wrap my head around what it all boils down to. I assume it's all measured in us instead of ms.
Anyway, the math. CONST_8 just has 8 stored in it.
(((8 * 329) / 5) * RPM_Crank_Pulse_Time * 5) / 329
Simplified it should be
(2632 * RPM_Crank_Pulse_Time) / 329
And shuffling the math around a bit becomes
RPM_Crank_Pulse_Time * 8
So ultimately that value gets passed to the rpm calc line.
$66d019 / (RPM_Crank_Pulse_Time * 8)
6737945 / (RPM_Crank_Pulse_Time * 8)
That's the point that's not making any sense to me. It has a 7x sensor but it's *8 on a v6. 3 spark events per rev so maybe it's a reference to their 24x (8*3 = 24) setup? Making sense of the math would help me name the vars more correctly and have a better idea what's going on. The original RPM address I used ultimate patcher to find from the auto detected settings and just looked for one against rpm.
For the ultimate source, here's all the references to it. No writes which is weird.
Here's the hex address searched. The bottom two might be where my problem is at. I don't have IDA Pro, so maybe it's disassembled wrong there.
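As an added example (not code from the post or from the ECU firmware), here is the RPM expression quoted above evaluated two ways, in the order written with truncating integer division at each "/" (the assumption made here about how the CPU32 code does it) and in the simplified t * 8 form, plus the inverse so a guessed RPM can be turned into the counter value it implies and checked against real pulse timings:

```python
# Added example, not from the post or the firmware. Assumptions: every "/"
# in the quoted expression is a truncating integer division (CPU32 DIVU/DIVS
# style), and RPM_Crank_Pulse_Time is a non-negative integer counter value.

CONST_8 = 8
RPM_NUMERATOR = 0x66D019  # 6737945, the constant quoted in the post


def firmware_pulse_scale(pulse_time: int) -> int:
    """Evaluate (((8 * 329) / 5) * t * 5) / 329 in the order written,
    truncating at each division as the hardware would."""
    step = (CONST_8 * 329) // 5          # 2632 // 5 = 526; the .4 is lost here
    return (step * pulse_time * 5) // 329


def simplified_pulse_scale(pulse_time: int) -> int:
    """The algebraic simplification from the post: t * 8."""
    return pulse_time * CONST_8


def rpm_from_pulse_time(pulse_time: int, scale=firmware_pulse_scale) -> int:
    """$66d019 / (scaled pulse time). Returns 0 when the scaled time is 0
    (no pulse seen yet) so a stalled engine does not divide by zero."""
    denom = scale(pulse_time)
    return RPM_NUMERATOR // denom if denom else 0


def rpm_difference(pulse_time: int) -> int:
    """How many RPM the truncating evaluation differs from the t * 8 form
    at this counter value (positive means the firmware path reads higher)."""
    return (rpm_from_pulse_time(pulse_time, firmware_pulse_scale)
            - rpm_from_pulse_time(pulse_time, simplified_pulse_scale))


def pulse_time_for_rpm(rpm: int) -> int:
    """Invert the simplified form: the counter value a given RPM implies.
    Compare this against a measured pulse period to test a unit guess."""
    return RPM_NUMERATOR // (rpm * CONST_8)


if __name__ == "__main__":
    for t in (100, 1000):
        print(t, firmware_pulse_scale(t), simplified_pulse_scale(t),
              rpm_from_pulse_time(t), rpm_difference(t))
    for rpm in (800, 6000):
        print(rpm, pulse_time_for_rpm(rpm))
```

The two scalings never agree exactly for t >= 1 because 2632 / 5 truncates to 526 before the multiply, and the resulting RPM gap is only visible at short pulse times (high RPM), which is worth knowing before naming these variables or reusing the constant in your own code.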