Idiots guide to disassembly and reading opcode...

If you know what B.S. stands for you know what goes here.

Moderator: Matt

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Sat Oct 13, 2007 1:58 pm

I missed your post there Matt, and it seems I cant post a .sym file , ill work on it some more and post it later.

It wouldnt conform to Nistune standards, but perhaps a jump in the main loop somewhere would be faster?

Ill probably be hacking the idle control routine up a bit, could add a jump in there somewhere?

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 3:19 pm

several hours later...

it was the second interrupt handler which is called by the CAS 1 degree signal. now all works well and I have consult RAM trace now available to me :)

i also optimised my USB consult code and fixed a bug i found in the current firmware :? the flag i set for streaming never gets cleared afterwards, not a major problem since i check the consult register counter hitting zero anyway (kinda makes the flag pointless)

if you can cut/paste the sym file i can finish up the register table for Ed

yes the ECU connector is the plug in type like with the R31/Z31 but the connectors are smaller style like R32/Z32

i dont have this on my bench so had to solder most of the input sensors to it. i dont have any switches or TPS so i have to assume the consult addresses you have provided are correct

cant get temp working right now but some of the others appear okay (as per previous screenshot). need to add DTC code also

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Sat Oct 13, 2007 3:20 pm

Added a few things tonight, fuel/ignition related.

Q/Alpha/Beta are different instances of Q which at times have acceleration compensation applied. I am still searching for the actual "accel increase volume" variable.

This is similar to the ka24e.

In the map-based ka24e I have initial Q (VE, taken from table/iat correct), acceleration increase volume (realtime variable), and final Q (VE.Q, used for final TP calc) all streaming via consult so I can monitor them.

;MA09 ROMLIST
byte 0xC0F0 high_fuel 256
byte 0xC0E0 tp_scale_fuel 16
byte 0xC0D0 rpm_scale_fuel 16

byte 0xC690 high_fire 256
byte 0xC460 tp_scale_fire 16
byte 0xC450 rpm_scale_fire 16

byte 0xC5C0 vq_map 128
byte 0xC00A K_required_number 2
byte 0xC01B Void_blast-off_time 1
word 0xC550 RevLimit 1
byte 0xC559 SpeedLimit 1
byte 0xC5A0 Clt_Thermistor_conv 32

byte 0xC4A0 DWell_Comp 16


byte 0xC8B0 SuperCharger_Control_1 16
byte 0xC8d0 SuperCharger_Control_2 16
byte 0xC8C0 SuperCharger_Control_3 16
byte 0xC8F0 SuperCharger_Control_4 16
byte 0xC8E0 SuperCharger_Control_5 16

byte 0xC897 SuperCharger_Control_Constant1 1
byte 0xC89A SuperCharger_Control_Constant2 1
byte 0xC898 SuperCharger_Control_Constant3 1

;MA09 RAMLIST

symbol 0x012D PrimaryTP
symbol 0x00C3 SecondaryTP

symbol 0x00D4 RPM_MSB
symbol 0x0129 RPM_8bit
symbol 0x00D6 VSS_SPEED

symbol 0x0130 MAFV10bit_MSB
symbol 0x020B MAFV10bit_MSB2
symbol 0x020D MAFV8bit

symbol 0x0136 CLT_Volt10bit_MSB
symbol 0x0116 CoolantTemp_Final
symbol 0x00D8 CLT_Volt8bit

symbol 0x0134 TPS_10bit_MSB

symbol 0x00B0 VQ_Table_MSB
symbol 0x020E VQ_Table_MSB2

symbol 0x00B2 Q/Alpha_MSB
symbol 0x0210 Q/Alpha_MSB2
symbol 0x0212 Q/Alpha_byte

symbol 0x00BF Q/AlphaBETA_MSB
symbol 0x0213 Q/AlphaBETA_MSB2
symbol 0x0215 Q/AlphaBETA_byte

symbol 0x00B8 Ign_Timing_Final
symbol 0x0043 Ign_Timing_Consult

symbol 0x00C5 Dwell_comp
symbol 0x0228 Dwell_comp2

symbol 0x013A BatteryVolt_10bit_MSB
symbol 0x016A BatteryVolt_8bit

symbol 0x0138 O2_Volt_10bit_MSB
symbol 0x022B O2_Volt_8bit



symbol 0x0071 FinalInj_Ti
symbol 0x0032 Inj.1_UPP.RAM
symbol 0x0034 Inj.2_UPP.RAM
symbol 0x003A Inj.3_UPP.RAM
symbol 0x003C Inj.4_UPP.RAM

;SuperCharger Control
symbol 0x01AA RPM_LSB_Cropped
symbol 0x0196 SuperCharger_Contr_1_Var
symbol 0x019F SuperCharger_Contr_2_Var
symbol 0x019B SuperCharger_Contr_3_Var
symbol 0x01A9 SuperCharger_Contr_4_Var
symbol 0x01A8 SuperCharger_Contr_5_Var

;

;MA09 ROUTINELIST

symbol 0xF94E 16x1_Table.GenRoutine
symbol 0xF988 16x16_Table.GenRoutine
symbol 0xFC6F 64point_16bit_Table.GenRoutine
symbol 0xF957 32x1_Table.GenRoutine


symbol 0xF879 StoreAll_TPSVariable
symbol 0xE942 VQ/Alpha/Beta.Routine

symbol 0xEEC1 TP_Calculation.Routine

symbol 0xCB79 CoolantThermistor.Routine


symbol 0xE23A VQ.Routine
symbol 0xCEF8 IgnitionTiming.Routine
symbol 0xD0B3 IgnitionDwell.Routine
symbol 0xD42D SuperCharger.Routine
symbol 0xD73C Idle_UP.Routine

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 3:31 pm

I've updated the address file and the next version of nistune that comes out


;
; EK10 MA09ERT Variant Header
;

CPU 6301
ORG patchloc1


; usb register in PLD
rammax EQU $1000 ; this is top ram address on HD6303
usbdatareg EQU $FA00 ; This is the PLD memory mapped register (A14 hooked up) OK for MA09ERT
romend EQU $BFE0 ; This is the last ECU memory address in lower mirror below vector table
usbstatusreg EQU usbdatareg+1


; spare memory to put stuff
readbuffptr EQU $0400 ; this area must be 0x40 less than $0500
consultdata: ADR $00D4 ; RPM MSB
ADR $00D5 ; RPM LSB
ADR $FFFF ; CAS REF RPM MSB (N/A)
ADR $FFFF ; CAS REF RPM LSB (N/A)
ADR $0130 ; MAF LHS MSB
ADR $0131 ; MAF LHS LSB
ADR $FFFF ; MAF RHS MSB (N/A)
ADR $FFFF ; MAF RHS LSB (N/A)
;
ADR $00D7 ; COOLANT TEMP
ADR $022B ; LH O2 VOLTAGE
ADR $FFFF ; RH O2 VOLTAGE (N/A)
ADR $00D6 ; VEHCILE SPEED
ADR $016A ; BATTERY VOLTAGE
ADR $0134 ; TPS POSITON (N/A)
ADR $FFFF ; UNKNOWN (N/A)
ADR $FFFF ; FUEL TEMP SENSE (N/A)
;
ADR $FFFF ; UNKNOWN (N/A)
ADR $FFFF ; AIR INTAKE SENSE (N/A)
ADR $FFFF ; EXHAUST GAS TEMP (N/A)
ADR $FFFF ; DIGITAL CONTROL 1 ???
ADR $FFFF ; LHS INJECT TIME MSB
ADR $FFFF ; LHS INJECT TIME LSB
ADR $00B8 ; IGN TIMING
ADR $FFFF ; AAC VALVE
;
ADR $FFFF ; UNKNOWN (N/A) ; 0003 Z31 DTC
ADR $FFFF ; UNKNOWN (N/A) ; 0004 Z31 DTC
ADR $FFFF ; AF ALPHA LH ???
ADR $FFFF ; AF ALPHA RH (N/A)
ADR $FFFF ; AF ALPHA LH LEARN ???
ADR $FFFF ; AF ALPHA RH LEARN (N/A)
ADR $FFFF ; DIGITAL CONTROL 2 (N/A)
ADR $FFFF ; DIGITAL CONTROL 3 (N/A)
;
ADR $FFFF ; UNKNOWN (LEGACY IGNITION SW)
ADR $FFFF ; RHS INJECT TIME MSB (N/A)
ADR $FFFF ; RHS INJECT TIME LSB (N/A)
ADR $FFFF ; UNKNOWN (N/A)
ADR $FFFF ; DTC MSB (FREE)
ADR $FFFF ; DTC LSB (FREE)
ADR $012D ; TP MSB (FREE)
ADR $012E ; TP LSB (FREE)



New address file
#
#
# NISSAN EK10 MA09ERT MAP ADDRESS (E)
#
# (C)2006 NISTUNE DEVELOPMENTS
#
# Variable,Start-Address [X,Y,Map size,value,Map-name] <= OPTIONAL

#UNIT NAME
TYPE_UNIT,EK10(MA09ERT),*,*,*

#ECU has 8000+4000 offset

#ENGINE SPECIFIC PARAMETERS
CYLINDER=4
ENGINECC=930
INJECTORCC=255

#ECU SPECIFIC PARAMETERS
NTLOOKUPID=38

#HIGH/LOW octane Fuel map.
HIGH_FUEL,&H00F0,16,16,256,1,High octane Fuel map
TP_SCALE_FUEL,&H00E0,16,1,16,1,TP scale (Fuel)
RPM_SCALE_FUEL,&H00D0,16,1,16,50,RPM scale (Fuel)

#HIGH/LOW octane Ignition time map.
HIGH_FIRE,&H0690,16,16,256,1,High octane Ignition time
TP_SCALE_FIRE,&H0460,16,1,16,1,TP scale (Ignition time)
RPM_SCALE_FIRE,&H0450,16,1,16,50,RPM scale (Ignition time)

#K required number
K_DATA,&H000A,2,1,2,1,K required number

#Void blast-off time
IGN_TIME,&H001B,1,1,1,1,Void blast-off time

#Feedback control
#FB_SWITCH,&H0038,1,1,1,1,Feedback control

#VQ map
VQ_MAP,&H05C0,16,1,128,1,VQ map

#TTP MAX/MIN
#TTP_MAX,&H03A0,16,1,16,1,TTP MAX
#TTP_MIN,&H0390,16,1,16,1,TTP MIN

#TP Limit
#AF_LIMIT,&H02F0,16,1,16,1,TP Limit

#Rev.Limit
REV1_LIMIT,&H0550,2,1,2,12.5,Rev. Limit 1

#Speed Limit
SPEED1_LIMIT,&H0559,2,1,1,2,Speed Limit 1

#Additional maps
TEMP_CONV,&H05A0,16,2,32,1,Temperature of the water revision

DWELL_TIME,&H04A0,16,1,16,1,Dwell Time
DWELL_DUTY,&H04B0,16,1,16,1,Dwell duty

#Super charger
SUPERCHARGER_CONTROL_CONSTANT1,&H0196,1,1,1,1,Control1
SUPERCHARGER_CONTROL_CONSTANT2,&H019F,1,1,1,1,Control2
SUPERCHARGER_CONTROL_CONSTANT3,&H019B,1,1,1,1,Control3
SUPERCHARGER_CONTROL_CONSTANT3,&H01A9,1,1,1,1,Control4
SUPERCHARGER_CONTROL_CONSTANT5,&H01A8,1,1,1,1,Control5

SUPERCHARGER_CONTROL_TABLE1,&H08B0,16,1,16,1,Table1
SUPERCHARGER_CONTROL_TABLE2,&H08C0,16,1,16,1,Table2
SUPERCHARGER_CONTROL_TABLE3,&H08D0,16,1,16,1,Table3
SUPERCHARGER_CONTROL_TABLE4,&H08E0,16,1,16,1,Table4
SUPERCHARGER_CONTROL_TABLE5,&H08F0,16,1,16,1,Table5

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 3:51 pm

gabe - note that some of the addresses in the header file are different to the ones you found. this is because they are the 'consult compatible' data types which get passed out

Also found DTC codes are 0097/0098

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 3:56 pm

shit... they're like some of those Z31

// Z31 (RAM addresses 0001/0002/0003/0004)
const DWORD LZCONSULT_DTCXREF_CAS = 0x80000000; //11
const DWORD LZCONSULT_DTCXREF_AFM = 0x40000000; //12
const DWORD LZCONSULT_DTCXREF_TEMP = 0x20000000; //13
const DWORD LZCONSULT_DTCXREF_SPEED = 0x10000000; //14
const DWORD LZCONSULT_DTCXREF_IGN = 0x00800000; //21
const DWORD LZCONSULT_DTCXREF_FUEL_PUMP = 0x00400000; //22
const DWORD LZCONSULT_DTCXREF_TPS_IDLE = 0x00200000; //23
const DWORD LZCONSULT_DTCXREF_NEUTRAL = 0x00100000; //24
const DWORD LZCONSULT_DTCXREF_AIR_COND = 0x00008000; //31
const DWORD LZCONSULT_DTCXREF_START = 0x00004000; //32
const DWORD LZCONSULT_DTCXREF_O2_SENSOR = 0x00002000; //33
const DWORD LZCONSULT_DTCXREF_KNOCK_SENSOR = 0x00001000; //34
const DWORD LZCONSULT_DTCXREF_AIR_INTAKE_TEMP=0x00000080; //41
const DWORD LZCONSULT_DTCXREF_FUEL_TEMP = 0x00000040; //42
const DWORD LZCONSULT_DTCXREF_TPS = 0x00000020; //43
const DWORD LZCONSULT_DTCXREF_OK = 0x00000010; //44

uses 0097/0098/0099/009A

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Sat Oct 13, 2007 3:58 pm

The code doesnt seem to use an 8 bit TPS adc count, that one provided is the msb of the 10 bit count, so it will only go as high as &H3F

EDIT: I mean as word it will only as high as &H03FF, the MSB for this wont be appropriate for display, not unless you split it across two bytes.

&H0043 might be a better variable for the timing advance, &H00B8 is the main variable and is the same, but the alternate clone version that I labeled consult is the one that is used in the ka24e for the consult specifically, for whatever reason.
Last edited by GZ@hybridka on Sat Oct 13, 2007 4:08 pm, edited 1 time in total.

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 4:07 pm

unless you guys find any more items, i'm almost ready to ship the board off to Ed

things still remaining are injection and switches...

Ed will need to test speed and TPS since i dont have those hooked up here

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Sat Oct 13, 2007 4:12 pm

tell me how C2F0/C2E0 look for TTPMIN/MAX

TTP_MAX,&H02E0,16,1,16,1,TTP MAX
TTP_MIN,&H02F0,16,1,16,1,TTP MIN

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Sat Oct 13, 2007 4:54 pm

They look valid, I wasnt so sure at first though. Ram byte 0045 confirms.

They are coolant temp based, not RPM

Fusion Ed
Posts: 281
Joined: Fri May 04, 2007 4:13 am
Location: Chertsey Surrey
Contact:

Postby Fusion Ed » Sat Oct 13, 2007 9:16 pm

It gets better and better!!!

Sorry not posted sooner, Nistune forums have been timing out so I was unable to view the site.

TTPMin/MAX Vs water follows to me. Also if this related I'm not really sure, When I used to have boost cuts they were always appeared to be against the temp of engine, once the car had warmed up they would go away.

I shall post a bit more later, now off to my new unit!!, Tomorrow I plan to give some of this a shot once I get the EMUs back. :) so if I can help then with anything let me know.

Ed

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Sun Oct 14, 2007 10:07 am

Basically what I would want to try first is to skip the idle routine entirely.

If that doesnt work, rework the beginning of the routine to set some of the idle control bits/bytes to static values, and then return from the routine.

If it doesnt work first try, fiddle with the bit settings a little more until the rest of the code is satisfied and operates properly (aside from idle control).

Once the idle control is patched out, wipe the rest of the original idle routine and use it for new custom routine(s). This can include a simplified idle control, or you could use the pin for something else.

Do you happen to have a wiring diagram for this ecu? I am interested in seeing the full list of available sensors. Using the same hardware, the ka24e has a couple extra ADC channels available (IAT, EGR TEMP). If we can find an unused ADC channel, a new thermistor table routine can be added (coolant thermistor clone) to provide IAT temperature.

But again, that would require some space within original program loop, the idle control has some crosshairs pointed on it for sure.

Fusion Ed
Posts: 281
Joined: Fri May 04, 2007 4:13 am
Location: Chertsey Surrey
Contact:

Postby Fusion Ed » Sun Oct 14, 2007 11:53 pm

How about 02 sensor input? Can that be used? This car does not need to pass strict emissions laws here, ecu pinout information is here :

http://www.fusion-motorsport.co.uk/cpu/ECCS%20March%20ST.jpg

Also some pins from the above diagram dont do anything, but are connected in the ecu pin 1 and 2 for example, which seem to be close to A-D inputs.

GZ@hybridka
Posts: 112
Joined: Wed May 03, 2006 5:51 pm
Location: Id, USA

Postby GZ@hybridka » Mon Oct 15, 2007 2:29 pm

I would rather not sacrifice the o2 sensor ADC channel to do this, but yes it could be done that way. This wouldnt be very easy though as the o2 value is probably used in a variety of different locations for closed loop fuel control and the patching would be extensive. Also it would be counter-productive in regards to enhancing the ECU function.

Here is the ka24e EGR sensor thermistor circuit. This circuit is identical to the other thermistor circuits (CLT,IAT) , and should be the same with your ecu (at least for coolant sensor)

You can either trace back the circuits of your unused harness connector pins to find a similar circuit leading to the ADC (hd46508), or you can trace back pin 39, 40, and 41 of the hd46508 and see what youve got.

I dont have nor have I heard of a proper datasheet for the Hitachi HD46508cpa-2, so you will have to reference the ecu board silk screen to find the pin orientation.

This is a dirty little drawing of the circuit I made long ago for the ka24e when I was trying to figure out the EGR sensor. Most (all non-california) models using the ecu did not use the egr sensor, but they all have the circuit.
Attachments
KA24EEGT.JPG
Ka24e thermistor circuit
KA24EEGT.JPG (20.26 KiB) Viewed 5215 times

Matt
Site Admin
Posts: 8046
Joined: Sun Jan 29, 2006 1:45 am
Location: Adelaide, Australia
Contact:

Postby Matt » Mon Oct 15, 2007 6:42 pm

i have the datasheet at home for the HD46508 but not sure about the CPA2 extension


Return to “B.S.”

Who is online

Users browsing this forum: No registered users and 2 guests