RomRaider

I've come across some functions that send and receive data via SCI1 on the SH7058 and I'm wondering if they are remnant code that was used for engine testing. Has anyone come across this before / know more about it? Perhaps it could be used for an engine testing capability in RomRaider...

A summary is as follows...

Data is transmitted via DMA from RAM to SCI1. The data packets are 40 bytes long, consisting of 22 data items and a 2 byte checksum. It looks like an engine status summary. The data is:
2 bytes - Test mode designation - 0xA55A
2 bytes - A Throttle Plate Opening Angle (TPOA) value
2 bytes - duplicate of item above
2 bytes - A different TPOA value
2 bytes - Battery Voltage value
2 bytes - Another TPOA value (main)
2 bytes - Another TPOA value (sub)
2 bytes - Main accelerator sensor
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
1 byte - Unknown value set to 0 or 3
1 byte - 8 bit flags including ignition switch (S7), ETC motor relay (S62), cruise control status and other engine state flags
1 byte - 8 bit control flag A (each bit is set depending on status of lists of various engine switches)
1 byte - 8 bit control flag B (each bit is set depending on status of lists of various engine switches)
1 byte - 8 bit control flag C (each bit is set depending on status of lists of various engine switches)
1 byte - 8 bit flags relating to engine state and test mode
2 bytes - Average Main Target TPOA Cranking
2 bytes - Target TPOA Rolling
2 bytes - Main Accel Sensor
2 bytes - Engine Speed
2 bytes - checksum

Data is received by DMA from SCI1 into RAM. The data packets are 34 bytes long, consisting of 23 data items and a 2 byte checksum. It is harder to figure out what this data is, but it must be related to that above because it is refreshed and received in the same functions that transmit the above data. It *might* be some way of controlling the engine via the throttle. The data is:
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
2 bytes - Unknown
1 byte - Throttle Motor Voltage**
1 byte - Throttle Motor Duty**
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
1 byte - bitwise manipulation* of unknown value
2 bytes - Unknown
2 bytes - Test mode - 0x00, 0x55, 0x5A or 0xA5
1 byte - Temporary ECU ID byte 1
1 byte - Temporary ECU ID byte 2
1 byte - Temporary ECU ID byte 3
1 byte - Temporary ECU ID byte 4
1 byte - Temporary ECU ID byte 5
2 bytes - checksum

Notes:

* the bitwise manipulation is as follows:

A = current value of parameter
B = prior value of parameter
C = prior value of bitwise manipulation

new bitwise manipulation = C & (A ^ B) + ~(A ^ B) & B. This might be some sort of bitwise encryption or perhaps a rolling value calculation...? Let me know if anyone recognises this formula.

** These values are also reported via SSM using SSM_Get functions (P72 for Throttle Motor Voltage and P71 for Throttle Motor Duty). Oddly, Throttle Motor Voltage and Duty only come from these TX/RX functions... I'm surprised they don't also come from a sensor or pin input.

If you want to locate the SCI1 TX/RX DMA functions, search your ROM for one of the DMA registers (eg: in my ROM 0xECF4 is a good one to look for, but different DMA channels might be used in different ROMs). Should only be a couple of XRefs, both of which are functions relating to these SCI1 TX/RX functions.

Not much to go on, but the Throttle Motor values and temporary ECU IDs suggest some sort of engine control via SCI1 for testing purposes...?