32-bit Disassembly in IDA

elevenpoint7five · **Posted:** Mon Jan 04, 2010 10:55 pm

So are you saying that what I found is not the SSM LUT? It seems to match up with the few parameters that XMLtoIDC was able to name as well as some of the values used in the logic, i.e. ECT via the "SSM LUT" that I found is used in the ECT compensations for things. I tried following everything else that made any sort of sense and this is the only result I am getting that looks anything like an SSM LUT. It is entirely possible that the ROM is not opened up correctly as I can't seem to consistently open them up. It seems like every time I open one it opens differently.

Andy

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

The SSM function will use the table you listed but that is not the exact SSM LUT(Look up table).

The ECUID routine location is 51B4C and the first routine is at 51B40, pointing cursor to DATA XREF:586AC,will bring you to see the SSM look up table..do a memory search of your ECUID reference routine address..also bring you to the cross reference table
Post your screen shoot like below so that i can guide you through.

And reference function zone

Code:

ROM:00051B40 ; =============== S U B R O U T I N E =======================================
ROM:00051B40
ROM:00051B40
ROM:00051B40 sub_51B40:                              ; DATA XREF: ROM:off_586ACo
ROM:00051B40                 mov.l   @(h'110,pc), r2 ; [00051C54] = unk_FFFF884F
ROM:00051B42                 rts
ROM:00051B44                 mov.b   @r2, r0
ROM:00051B44 ; End of function sub_51B40
ROM:00051B44
ROM:00051B46
ROM:00051B46 ; =============== S U B R O U T I N E =======================================
ROM:00051B46
ROM:00051B46
ROM:00051B46 sub_51B46:                              ; DATA XREF: ROM:000586B0o
ROM:00051B46                 mov.l   @(h'110,pc), r2 ; [00051C58] = byte_D391C
ROM:00051B48                 rts
ROM:00051B4A                 mov.b   @r2, r0
ROM:00051B4A ; End of function sub_51B46
ROM:00051B4A
ROM:00051B4C ; ---------------------------------------------------------------------------
ROM:00051B4C
ROM:00051B4C loc_51B4C:                              ; DATA XREF: ROM:000586B4o
ROM:00051B4C                 mov.l   @(h'10C,pc), r2 ; [00051C5C] = byte_D391D
ROM:00051B4E                 rts
ROM:00051B50                 mov.b   @r2, r0
ROM:00051B52
ROM:00051B52 ; =============== S U B R O U T I N E =======================================
ROM:00051B52
ROM:00051B52
ROM:00051B52 sub_51B52:                              ; DATA XREF: ROM:000586B8o
ROM:00051B52                 mov.l   @(h'10C,pc), r2 ; [00051C60] = byte_D391E
ROM:00051B54                 rts
ROM:00051B56                 mov.b   @r2, r0
ROM:00051B56 ; End of function sub_51B52
ROM:00051B56
ROM:00051B58
ROM:00051B58 ; =============== S U B R O U T I N E =======================================
ROM:00051B58
ROM:00051B58
ROM:00051B58 sub_51B58:                              ; DATA XREF: ROM:000586BCo
ROM:00051B58                 mov.l   @(h'108,pc), r2 ; [00051C64] = byte_D391F
ROM:00051B5A                 rts
ROM:00051B5C                 mov.b   @r2, r0
ROM:00051B5C ; End of function sub_51B58
ROM:00051B5C
ROM:00051B5E
ROM:00051B5E ; =============== S U B R O U T I N E =======================================
ROM:00051B5E
ROM:00051B5E
ROM:00051B5E sub_51B5E:                              ; DATA XREF: ROM:000586C0o
ROM:00051B5E                 mov.l   @(h'108,pc), r2 ; [00051C68] = byte_D3920
ROM:00051B60                 rts
ROM:00051B62                 mov.b   @r2, r0
ROM:00051B62 ; End of function sub_51B5E
ROM:00051B62
ROM:00051B64
ROM:00051B64 ; =============== S U B R O U T I N E =======================================
ROM:00051B64
ROM:00051B64
ROM:00051B64 sub_51B64:                              ; DATA XREF: ROM:000586C8o
ROM:00051B64                 mov.l   @(h'104,pc), r2 ; [00051C6C] = unk_FFFF9AA7
ROM:00051B66                 rts
ROM:00051B68                 mov.b   @r2, r0
ROM:00051B68 ; End of function sub_51B64
ROM:00051B68
ROM:00051B68 ; ---------------------------------------------------------------------------
ROM:00051B6A word_51B6A:     .data.w h'AA55          ; DATA XREF: sub_519BC+1Cr
ROM:00051B6C word_51B6C:     .data.w h'4055          ; DATA XREF: sub_519FEr
ROM:00051B6E
ROM:00051B6E ; =============== S U B R O U T I N E =======================================
ROM:00051B6E
ROM:00051B6E
ROM:00051B6E sub_51B6E:                              ; DATA XREF: ROM:000586CCo
ROM:00051B6E                 sts.l   pr, @-r15
ROM:00051B70                 mov.l   @(h'FC,pc), r2 ; [00051C70] = unk_FFFF413C
ROM:00051B72                 fmov.s  @r2, fr4
ROM:00051B74                 mov.l   @(h'FC,pc), r2 ; [00051C74] = sub_BE4DC
ROM:00051B76                 mova    @(h'100,pc), r0 ; [00051C78] = h'C2200000
ROM:00051B78                 fmov.s  @r0, fr6
ROM:00051B7A                 jsr     @r2 ; sub_BE4DC ; Scaling Function:(fr4-fr6)/fr5->fr4,
ROM:00051B7A                                         ; fr4+@r0->Rounding down to r4->r0
ROM:00051B7C                 fldi1   fr5
ROM:00051B7E                 lds.l   @r15+, pr
ROM:00051B80                 rts
ROM:00051B82                 extu.b  r0, r0
ROM:00051B82 ; End of function sub_51B6E
ROM:00051B82
ROM:00051B84
ROM:00051B84 ; =============== S U B R O U T I N E =======================================
ROM:00051B84
ROM:00051B84
ROM:00051B84 sub_51B84:                              ; DATA XREF: ROM:000586D0o
ROM:00051B84                 sts.l   pr, @-r15
ROM:00051B86                 mov.l   @(h'F4,pc), r2 ; [00051C7C] = unk_FFFF7214
ROM:00051B88                 fmov.s  @r2, fr4
ROM:00051B8A                 fldi1   fr6
ROM:00051B8C                 fneg    fr6
ROM:00051B8E                 fadd    fr6, fr4
ROM:00051B90                 mov.l   @(h'E0,pc), r2 ; [00051C74] = sub_BE4DC
ROM:00051B92                 mova    @(h'EC,pc), r0 ; [00051C80] = h'3C000000
ROM:00051B94                 jsr     @r2 ; sub_BE4DC ; Scaling Function:(fr4-fr6)/fr5->fr4,
ROM:00051B94                                         ; fr4+@r0->Rounding down to r4->r0
ROM:00051B96                 fmov.s  @r0, fr5
ROM:00051B98                 lds.l   @r15+, pr
ROM:00051B9A                 rts
ROM:00051B9C                 extu.b  r0, r0
ROM:00051B9C ; End of function sub_51B84

Code:

ROM:000586AC off_586AC:      .data.l sub_51B40       ; DATA XREF: ROM:off_53FD0o
ROM:000586AC                                         ; ROM:off_761E8o ...
ROM:000586AC                                         ; Suspect SSM Look up table
ROM:000586B0                 .data.l sub_51B46       ; reference function to first byte of ECUID
ROM:000586B4                 .data.l loc_51B4C
ROM:000586B8                 .data.l sub_51B52
ROM:000586BC                 .data.l sub_51B58       ; 4
ROM:000586C0                 .data.l sub_51B5E
ROM:000586C4                 .data.l sub_51B34
ROM:000586C8                 .data.l sub_51B64
ROM:000586CC                 .data.l sub_51B6E       ; 8=> ECT, Routine processing ECT
ROM:000586D0                 .data.l sub_51B84
ROM:000586D4                 .data.l sub_51B9E
ROM:000586D8                 .data.l sub_51BB6
ROM:000586DC                 .data.l sub_51BCC       ; 12
ROM:000586E0                 .data.l sub_51C88
ROM:000586E4                 .data.l sub_51C9E
ROM:000586E8                 .data.l sub_51CBE
ROM:000586EC                 .data.l sub_51CD4       ; 16
ROM:000586F0                 .data.l sub_51CE8
ROM:000586F4                 .data.l sub_51D00
ROM:000586F8                 .data.l sub_51D16
ROM:000586FC                 .data.l sub_51D36
ROM:00058700                 .data.l sub_51D4C
ROM:00058704                 .data.l sub_51D62
ROM:00058708                 .data.l sub_51D66
ROM:0005870C                 .data.l sub_51D6A
ROM:00058710                 .data.l sub_51D8A
ROM:00058714                 .data.l sub_51DA0
ROM:00058718                 .data.l sub_51DA4
ROM:0005871C                 .data.l sub_51DA8
ROM:00058720                 .data.l sub_51DBE
ROM:00058724                 .data.l sub_51B3A
ROM:00058728                 .data.l sub_51B3A
ROM:0005872C                 .data.l sub_51DE2
ROM:00058730                 .data.l sub_51DF8
ROM:00058734                 .data.l sub_51B3A
ROM:00058738                 .data.l sub_51E10
ROM:0005873C                 .data.l sub_51E26
ROM:00058740                 .data.l sub_51B3A
ROM:00058744                 .data.l sub_51B3A
ROM:00058748                 .data.l sub_51B3A
ROM:0005874C                 .data.l sub_51E44
ROM:00058750                 .data.l sub_51E62
ROM:00058754                 .data.l sub_51E78
ROM:00058758                 .data.l sub_51B3A

Sasha_A80 · **Posted:** Wed Jan 13, 2010 12:53 am

SSM LUT

0x60 - ECU reset
0x6F - Ignition Timing Adjustment
0x70 - Idle RPM adjustment
0x71 - Idle RPM with Air Conditioner

What is there at 0xE8 ?

Has anybody traced this function call? It looks like this is the last SSM position where something can be writen and read.

I am looking for a backdoor for realtime tuning..

What is going on with alternative SSM init string?

topic5672.html

fujiillin · **Joined:** Wed Feb 13, 2008 3:00 am **Posts:** 153

If I have some time later tonight I'll look at it and see what I can find

fujiillin · **Joined:** Wed Feb 13, 2008 3:00 am **Posts:** 153

Well, I was able to find routines at those addresses, all surrounded by null routines, so I believe I've found what you're speaking of.

I didn't look very hard, but I couldn't trace any of them to anything. All the references pointed to other routines, mostly with unknowns. I did see some of the RAM spots used by these routines get stored in an address passed through the stack, so I'll look through that later.

How did you find that these were reset, timing adj, idle adj, etc?

As for the alternate init, I'm working backwards through the SSM routines to find the commands (A0, A8, B0, B8, BF, and will try 9F)

*edit* :lol:

I was about to quit, getting distracted... right before I closed IDA I ran though a couple more references and found all the commands including 9F. Will trace through them later.

Sasha_A80 · **Posted:** Wed Jan 13, 2010 12:55 pm

fujiillin wrote:

How did you find that these were reset, timing adj, idle adj, etc?

I just know those...
E8 is the only applicable "etc." All others are assigned\or not allowed.
Moreover no extended parameters could be read from an obsolete SH7055 based ecu.
Probably something may be writen down into RAM but I have no idea how this may be verified without reading.

I am looking for the ability for realtime adjustments. Ignition on-the-fly correction is almost done. Target air fuel ratio corrections are wanted badly.

32 bit ecu is able to provide EngineLoad\EngineSpeed sampling and IgnitionCorrection for about 30- 40 ms period thru SSM protocol. On the bench. Who knows what the future holds.

fujiillin · **Joined:** Wed Feb 13, 2008 3:00 am **Posts:** 153

Cool, I found everything, just need to analyze some more, I kinda got sidetracked as I started looking into the serial controller, then baud rates for ssm...

Priority right now for me is SD, but I'll keep this stuff on the list.

Also, I just got adobe captivate, so I'll make some videos

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

Sasha_A80 wrote:

SSM LUT

0x60 - ECU reset
0x6F - Ignition Timing Adjustment
0x70 - Idle RPM adjustment
0x71 - Idle RPM with Air Conditioner

What is there at 0xE8 ?

Has any traced this function call? It looks like this is the last SSM position where something can be writen and read.

I am looking for a backdoor for realtime tuning..

What is going on with alternative SSM init string?

topic5672.html

are you refering to SSM Index (actual relative address is 4 x index)? or relative address offset direct ?

I have been struggling to understand the deceleration to idle routines..too many of them..and too many conditions...this idle rpm adjustment comes in handy.

More importantly ,I am trying to trace routine that handle Flywheel deceleration..i believe this is the culprit that causing engine stall( not able to enter idling control fast enough after deceleration factor change due to flywheel weight change).

Sasha_A80 · **Posted:** Fri Jan 15, 2010 7:53 am

Unfortunately I know next to nothing how the apprpriate function is called when standard SSM parameters are to be read\writen.

I know for sure that SSM parameters 0x000060, 0x00006F, 0x000070, 0x000071 are stored in backup RAM and are used at IgnitionOn condition as described above.

Merchgod stated that 0x00006F - IgnitionCorrection maybe applied and will be used by ECU at any time. I have check this for IgnitionCorrection, IdleSpeedCorrection at idle. This definately works.

Would some approach may be applied to create additive corrections for other tables it will be possible to provide realtime tuning. Turn around time SSM (read\apply correction\write)command for 32 bit ecu starts from 25-30 ms and may allow realtime tuning to be done.

So I would like to know what this undocumented SSM parameter 0x0000E8 does. If this is useless than ecu mods will be the only approach for realtime tuning. Unfortunately not all ecu's are currently flashable.

As to engine decelaration stalling with a lightweight flywheel. You just need to rise idle RPM (upto 100-150 RPM) AND RPM threshold (upto 200-400 RPM) where fuel injection is restored under deceleration. There is no black magic behind.

RomRaider

32-bit Disassembly in IDA

Who is online