RomRaider

The vast majority of what went into the getting-started thread was things I learned from other people. Since those things worked for me, I figured they would work for anyone. This is a thread for things that I'm finding on my own... if other people can get the same results, them, then I'll add the important parts to the getting-started thread.

I'll start with the SSM write vector. After finding the SSM read vector, I looked at each of the subroutines until I found the last of the simple read routines:



...followed by the first simple write routine:



The pointer to the first write routine is also XREF'd from some code that's closely related to the SSM read code, so I figure that's the start of the SSM write vector. Most of the write vector is pointers to a subroutine that just does an "rts" but there are three interesting function pointers at offsets 0x6F, 0x70, and 0x71.

Sasha_A80 said to expect functions to set a timing offset and idle speeds at those locations. I have only verified the timing offset so far (0x6F).

There's also a group of interesting subroutines at offset 0x80-0x89. Most of them are simple write routines, a couple of them contain some non-trivial logic, and I have no idea what any of them are for. At least, not yet.

The variable written to by the 0x6F handler is used in four places:
1) A routine that initializes it (along with the SSM-writeable idle variables and a few other things)
2) A routine that reads the variable, limits it with upper and lower bounds, and stores the result in another variable
3) A routine that reads the variable via an SSM read request
4) The SSM write routine, of course

The variable that gets the bounded version of the timing delta specified by SSM is only used in two places - the code that sets it (described above) and the code that adds it (along with several other things) to the total ignition timing.

A a couple of the other things being added to the total ignition timing are already documented. MRP compensation is in there, and so is a variable that I later found holds the sum of FLKC, FBKC, and ignition advance (already scaled by IAM). There are also a few as-yet-undocumented ignition compensations, which I am still investigating.

If other folks can find the SSM write vector this way, I'll add it to the 'getting started' thread. Maybe the ignition compensations too.

JDM 2003 Forester AG572-1355 I am trying has SSM_Write_LUT just after SSM_Read_LUT.
h'160 SSM bytes (h'580 offset from SSM_Read_LUT location).

A newer version ROM may have another SSM table length.

Alternatively, you may try "Alternative ECU init command" 9F instead of BF, get "Alternative ECUID" and find those ID in the SSM read dump. Those 5 bytes are the end of SSM_Read_LUT and provide you with the SSM table length. Just after that last address SSM ReadSingle (B8) and SSM ReadMemory (B0) commands return 'FF's.

viewtopic.php?f=7&t=5672

Do you think you've found the per-gear ignition timing compensation tables yet?

No, but I haven't looked for that specifically. I was just following XREFs to the compensations that I did find, and trying to figure out where they were coming from. Mostly without luck though, I just ran into code that was messing with variables and/or tables that were not defined.

However I was thinking it would be interesting to see what code looks at the 'gear position' parameter so maybe I will soon?

Have you seen that in another ROM, or are you wondering if they exist at all?

Bill mentioned that he had found them, I believe due to the discussions in this thread.



Right now, I'm focusing on finding out how the KCA Additive A/B work because from what I've seen, they don't work how I expected them to, based on the descriptions in the ECU defs.