openecu.org

[elevenpoint7five]

I would really like to learn more about disassembling ROMs, understanding what code does what, and eventually working on new definitions, and possibly changing the current logic used in certain ROMs to make other things work. I have a ton of free time, and I am a very quick learner, I just need someone to point me in the right direction.

I have installed IDA Pro 4.9 but I can't seem to get the 68HC16 code that Colby wrote to work, I guess figuring that out would be a good start. If someone could offer up some help there, I would appreciate it. After that, I am looking for some reading material to help me get started. I don't know much about reading hex code, but like I said, I am a fast learner.

I have personal motives for wanting to learn this, however, I would love to contribute to the community in the future once I get a grasp of all of this. I worry that making new definitions and decoding new ROMs is all falling into the hands of a select few people, and that once they lose time or interest this project might not keep up to date, and I would hate to see that.

I understand that everyone that understands this has probably gone to school for it, or works in the field. Also, that you are all probably very busy. I also understand that helping a painter by trade might not be at the top of your list of things to do, but please, consider it. I am very mechanically and technically inclined, I just need to be pointed in the right direction as this is all new to me.

Thanks

Andy

[elevenpoint7five]

Would anyone have a problem if I documented my progress here? I don't want to step on any toes, but I figure it might be useful for someone else in my similar situation. And since I have been able to finally open up a ROM and see the guts in all their glory(with some MUCH needed and appreciated help from merchgod/tea cups) I thought it might be good to post up how I did so. I'll wait a day or two and if nobody has any problem with it then I will outline the steps I have taken thus far.

Andy

[elevenpoint7five]

Well from the lack of responses, either nobody is on here, or nobody minds a little documentation! This has been a slow moving process, as expected, however, I have a friend that does this stuff for a living and he is more than willing to help me out, so hopefully I'll get farther next week. Anyway, here we go.

The first thing I did was to obtain a copy of IDA Pro 5.0. I have tried previous versions, but they don't support the HC16 chip that my car(2004 USDM WRX) has. There were some changes made and different years use different processors. Check the listings http://forums.openecu.org/viewtopic.php?f=19&t=5 to see which one you'll need to support.

Once I had IDA Pro installed, I ran the program and chose File > Open. I selected a stock 04 WRX ROM(.hex) and selected the proper processor in the first pop-up box(Motorola 6816). I left everything else set as the default settings, and on the second pop-up box I left the defaults as well. Once the file had loaded, I hit "g" on the keyboard, which opened a prompt. This allowed me to chose an entry point(thanks merchgod!) so I entered 0x220 and hit enter. Once it was done with that I hit "c" on the keyboard which "unfolded" the ROM file.

I browsed through that for a bit, only to realize that I needed to do a lot more reading before I could understand anything. So I found the software manuals at the above link and dove into those. I decided the first thing I would do is try to memorize the commands, or at least get a better idea of what they do. So I made a spreadsheet(available upon request) with everything I found in the manuals. Not that that made things easy or anything, but eventually I'm sure it will help out.

Currently, I am waiting on some help from my friend to dive into things a bit more. I'm having a hard time with the locations of things, and how to follow the logic used. I will continue to post here though until I'm told to stop in case anyone ever decides they want to do this for themselves, as I have yet to find a "How-To" guide. Hopefully, it will help someone at some point.

If anyone has any suggestions, please offer them up!

Andy

[Crusher]

Go for it. I´m interested in reading this, so keep on writing.

[subarutech77]

I am also interested in this and your progress, keep updating- Thanks

[hmanxx]

Hi,
I am also just started playing with the ROM in IDA to understand some logic out of it..however I jump straight to 32bits ECU. The learning process is tough however fun.
My steps of learning.
1) ECU HW Manual- basic of memory map, Vector base address,start up entry point
2) SW Manual- to understand the Assembly language syntax, format..
3) Binary editor- Very useful to trace 3D /2D tables,understand data structure, binary pattern search=> very effective and fast to find out the table offset. you can use this to trace certain routines in future..

4) Use existing ROM definition as a start to trace to the memory address, there will have cross reference to the subroutine that using the memory location..with this you will be able to trace to the routine that using .
5) The rest..reading and reading..

[elevenpoint7five]

I looked at some threads about the 32-bit ECU, and it didn't seem all that different than the 16-bit. Different instructions and locations, and it seems a different way to enter the ROM, however it's still pretty much the same process from what I can tell.

Anyway, progress over the past few days has been awesome! I have figured out what some of the words* and bytes* are and where they are used. I've also found most, if not all, of the knock control logic. I've defined the target boost, base timing, knock correction advance max, and primary open loop fueling tables. It's just a matter of time until I have all the tables defined and labeled in my file, which I can make available to anyone at anytime via e-mail, just let me know.

I'm slowly learning the commands used and what they do. Having the data sheets in front of me helps, as I can search for a command and have a page in front of me that describes everything that particular command can do, and what it can be used with. Also, the spreadsheet I created(also available) is nice for quick references. Creating it also helped me memorize a lot of the commands.

I did get hung up for a bit when trying to lay out the tables' X axis and Y axis. I couldn't figure out why nothing made sense, then I realized that there had to be a conversion factor. I figured out that the conversion factor for RPM is (X * 50) where X is equal to the decimal equivalent of the hex code in whatever space you're trying to define. The conversion factor for throttle % is (X / 1.666666666666666667) where X is equal to the decimal equivalent of the hex code in whatever space you're trying to define. I'm still working out load, as OL fueling and timing are the next tables I'm working on. More on that next update.

Also, I need to give credit where credit is due. A friend of mine works with very similar processors for a living and has been helping me out quite a bit in understanding some of the logic used. I REALLY appreciate it! Thanks Alan!

Andy

[enthusiast]

Thanks for posting your process. I am starting as well and you save me some time. Can you post your spreadsheet?

[elevenpoint7five]

Anyone that is interested in any of my files, either explain to me how to post attachments, or give me your email address

Andy

[enthusiast]

When you post a new reply at the bottom you should see the Upload attachment tab below the window you are typing in.

Click on the upload attachment at the bottom (right beside options).
Click in the box next to the browse button.
Select the file you want to upload from your computer
Click "Add the file"
File Comment is optional

[alinious]

Anyone that is interested in any of my files, either explain to me how to post attachments, or give me your email address

Andy

Hi Andy,

To post an attachment, select the "Upload Attachment" tab (directly to the right of the "Options" tab) below the "Save", "Preview", and "Submit" buttons.

I've attached a file that explains bitwise logic types that may be encountered in an assembly language program; in fact, bitwise logic is used in the Subaru ECU firmware.

Also, it contains an example of bit masking using AND bitwise logic, which is also used in the Subaru ECU firmware.

Cheers,

Alan

[elevenpoint7five]

Alan,

Thanks! Here I thought I was being cool and making a spreadsheet with your bitwise logic included on a different sheet and then you post it before me haha! Don't worry I would have given you credit

Andy

04 WRX.xls

(41.5 KiB) Downloaded 695 times

[Rhinoman]

I have been playing with a 68HC916 based ECU. I have been using a package called XTOOLS, its an old DOS based package but works OK using the command editor under XP. The package is a little less than $50 for a license so its a lot cheaper than IDAPro, it also includes an assembler so code can be modified and rebuilt.
There is a chap in Greece (Psyche) who posts on TLzone.net who has written a windows ap.p for the PD BDM interface.

[DreamWalker]

Andy, hi!
Can you send me all about this:
"Anyway, progress over the past few days has been awesome! I have figured out what some of the words* and bytes* are and where they are used. I've also found most, if not all, of the knock control logic. I've defined the target boost, base timing, knock correction advance max, and primary open loop fueling tables. It's just a matter of time until I have all the tables defined and labeled in my file, which I can make available to anyone at anytime via e-mail, just let me know.
"

[elevenpoint7five]

DreamWalker:

I'm not sure I understand what you are asking. Did you want the file? Or are you asking me to explain something?

Sorry I haven't updated in a while. I finally got laid off(seasonal work, I expect it every year) so I'll have much more time to be doing this.

I ran into an issue when trying to load the Group-N ROM into IDA Pro. None of the offsets matched up with what was in the definition files. I got a hold of Merchgod and he said to insert a space of 0x8000 at the offset 0x20000 using a hex editor. I haven't been able to get that to work yet unfortunately, but when I do I'll be sure to explain how. Unless someone else would like to explain it

The definition files are based off of a 192kb ROM, which is what the '04 ROM I have is. However, the Group-N ROM is 160kb. I think this is where the space comes in. So I added a space and changed the file size in a hex editor, saved it, loaded it in IDA Pro, and it was still the same. It's like IDA Pro is just seeing the space as useless, and removing it. :stumped:

Andy