03 FXT ECU

03 FXT ECU

Postby deLux » Wed Sep 23, 2009 4:04 pm

Hi,

what microcontroller sits in 03 FXT ?
full ECU name would be "UK Forester 03 - ag580 1362 A4RL100J"

any disassembly info for this one welcome
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Wed Sep 23, 2009 5:09 pm

ok, its 68HC16Y5. The answer was right in front of me, actually already downloaded it with romraider :D

datasheet anyone?
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Wed Sep 23, 2009 6:43 pm

ok, found this info
viewtopic.php?f=18&t=62&start=15

now I have entry point = 0x00220
now confused about the data addressing:
romraider says a boost table sits at 0x2b23d while the bosst table specific sequence of bytes is at image offset 0x2323D ...
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Wed Sep 23, 2009 7:29 pm

ok, added 32k of FFs at offset 0x20000 now it looks better in ida

I should rename this thread as I am actually writing crash-course right now :lol:
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Thu Sep 24, 2009 10:29 am

need IDA advice: tons of variables are addressed relative to Z register like the flags bundle at Z+0x999, Z is loaded 0 so I think all Z+0x999 simply access the same location.
how do I make IDA to recognize that Z+0x.... is actually fixed RAM location ?
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Thu Sep 24, 2009 11:40 am

great, found the uP datasheets - not that hard, its on this forum :P

I solved problem with offset, Z => variable by writing IDC script, cool another learning experience!
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am

Re: 03 FXT ECU

Postby deLux » Sat Sep 26, 2009 8:20 am

ok, after hours of naming variables and functions and confirming what you can find about algorithms in RomRaider's description of tables I decided to go for Launch Control for my vehicle just to see how it is done for WRX.

So I downloaded stock rom for the specific patch available for free, applied the patch and disassembled the result. Disassembled stock ROM too and the difference is just the LC code + constants. Now I can apply this to my ROM for which there is no LC patch freely available that I know of.

Pretty sure I will not use that to actually trash my gearbox :roll: but other uses such as valet mode, custom ECU built in car security and water-temp based rev limiter seem to be easy to do. Plenty of ideas, just need to pick one and do it :D

:idea: for general disassembly it would be cool to have a program that could convert available XML files to IDC scripts to get automatic variable/constant/map comments
deLux
 
Posts: 15
Joined: Mon Apr 21, 2008 3:34 am


Return to Subaru (all models)

Who is online

Users browsing this forum: No registered users and 9 guests

cron