openecu.org

Hi,

what microcontroller sits in 03 FXT ?
full ECU name would be "UK Forester 03 - ag580 1362 A4RL100J"

any disassembly info for this one welcome

ok, its 68HC16Y5. The answer was right in front of me, actually already downloaded it with romraider

datasheet anyone?

ok, found this info
viewtopic.php?f=18&t=62&start=15

now I have entry point = 0x00220
now confused about the data addressing:
romraider says a boost table sits at 0x2b23d while the bosst table specific sequence of bytes is at image offset 0x2323D ...

ok, added 32k of FFs at offset 0x20000 now it looks better in ida

I should rename this thread as I am actually writing crash-course right now

need IDA advice: tons of variables are addressed relative to Z register like the flags bundle at Z+0x999, Z is loaded 0 so I think all Z+0x999 simply access the same location.
how do I make IDA to recognize that Z+0x.... is actually fixed RAM location ?

great, found the uP datasheets - not that hard, its on this forum

I solved problem with offset, Z => variable by writing IDC script, cool another learning experience!

ok, after hours of naming variables and functions and confirming what you can find about algorithms in RomRaider's description of tables I decided to go for Launch Control for my vehicle just to see how it is done for WRX.

So I downloaded stock rom for the specific patch available for free, applied the patch and disassembled the result. Disassembled stock ROM too and the difference is just the LC code + constants. Now I can apply this to my ROM for which there is no LC patch freely available that I know of.

Pretty sure I will not use that to actually trash my gearbox but other uses such as valet mode, custom ECU built in car security and water-temp based rev limiter seem to be easy to do. Plenty of ideas, just need to pick one and do it

for general disassembly it would be cool to have a program that could convert available XML files to IDC scripts to get automatic variable/constant/map comments