RomRaider

Recently I have doing some work learning to disassemble the 16bit ecu's, specifically the ROM files from an 04WRX and the "new" speed density ROM. I have a few questions for those of you that are familiar with this process.

I'm trying to find the SSM look-up table, and learn to understand it, but I am having trouble doing so. I read the thread about it for the 32bit ecu's, but it must be different for the 16bit ones. Can anyone shed some light on this?

Something else I am stuck with right now is the sub routines that read the tables/maps that the user can edit and that the ecu uses to determine many things. First off, I'm not sure how they work exactly. More importantly, I can't seem to figure out how to determine where the value decided on to use from the Z axis is stored and then later used after it rts's.

Thanks in advance for any help!

Andy

Find the reference to the first byte of the ECU id. That is index 0x1 (zero-based index) of the SSM look-up table. The SSM.pdf document shows you the index for each SSM parameter (for example, ECT is 0x8). SSM LUT start + (0x4*parameter index). For example, if the SSM start was 0x2D300, then the RAM address for ECT (for SSM logging) is at 0x2D320. Search for this address and you will find the function involved (including the pre-conversion RAM add. which is what you want).

for the 2d/3d map function return value:
You have to go through the function and see how the result is stored, which is dependent on the map type byte. Each branch in the main function is a bit check of the map type byte. Follow that for the map type byte in question. Spend some time on this -> make sure you understand how the stack pointer works (read the software manual). This is an important thing to learn as you will get nowhere in some of the routines if you do not understand this concept.

OK, so in the ROM I'm working on, 0x2B163 seems to be where the ecuid is located, that would make 0x2B162 the start of the SSM LUT, correct? If so, then for ECT I use 0x2B162 + (0x4*0x8) = 0x2B182, correct? Then should one be able to log that value as current ECT without an expression applied to convert it to a usable number?


Thanks. This is definitely something I need to spend more time on.

For anyone that is interested, I have been sort of documenting my progress over here, so if you're looking to start this, read http://forums.openecu.org/viewtopic.php?f=54&t=4362 that first as it will get you started.

Andy

No, find the xref to the first byte of the ecu id. Then that loc. - 0x4 is your SSM LUT start.

The idea is not to log the address in the SSM LUT (which would be pointless), but to find the related function to determine the underlying RAM address for ECT, RPM, etc.

I followed the xref that was 4 lines above the 1st byte of the ecu id and it got me nowhere. I also searched for an xref that called the location of the ecu id, again, nothing. I don't know why I am not understanding...

search for 0x2B163, with respect to your example

Right, that's the ecu id. Should I follow the xref just above it? Or is that the actual table?

Ran into a humdinger today.

Logic calls for table value, loads RPMS and Throttle Voltage and then calls for jsr 3d table. When you reference the table its labeled as 0x11 - which according to everything I've found is reference for a 2D table.

The only thing to note is prior to the jsr it xgde <<<---Should I make a note of that?!

-jerod

no, search for that address

the map type byte is not necessarily exclusive to either 2d or 3d maps. Follow the bit checks in each map function and you can determine all the possible map type bytes (some aren't used)

Bill will the parameter multiplier always be 4????

Ie your ect- 0x8*0x4? Or is 4 variable based on the parameter?

Also is the ssm start going to be a straight address or an x-ref itself?

always 0x4
The SSM start will be the start of a look-up table of addresses, that, for the 16-bit ECU, represent where the SSM parameter is stored in RAM.

Using 0x200BC as the SSM LUT start point, I can use your calculation and input 0xF for RPM and I get to what I know to be Current_RPM. Other than that though, nothing works. I have tried searching for each value returned from the equation to see if it is set to something, and I am not getting good results at all. I must be doing something wrong. Any idea what?

what rom id?

A4TJ1X00. But I'll take an example from any 16bit one. As soon as I see it once, I'm sure I'll understand it.