Notes on code modifications for rev4 logging/mapswitch binary * Gut EVAP diagnostic routine at 0x7CAD (0x7C33 -608). Took code executed when codeword disabled, and made it the default execution path. Appended logging routine to end of codeword-disable routine to provide log data output. Codeword-disable code runs from 7CAD to 7D25. Logging routine follows, until RET ~400 bytes later. Overall code space of original EVAP diagnostics routine: 7CAD - 8C84, about 4000 bytes. This space (and memory addresses used within) is reclaimed for enhancements. The layout is: 7D26-7EF4 Logging Routine [7CAC-7E7A -608] 7EF5-7FFF Future Use, 267 bytes [7E7B-7FFF -608, 389 bytes] 8000-85FF Alternate Maps, Low Bank 8000-80FF Alt TCV Duty Cycle Map #1 8100-81FF Alt Boost Map #1 8200-82FF Alt Boost Map #2 8300-83FF Alt Boost Map #3 8400-84FF Alt TCV Duty Cycle Map #2 8500-85FF Alt TCV Duty Cycle Map #3 8600-87BF Various small function 860D: send 1 serial byte 8619: send 2 serial bytes 8628: send 3 serial bytes 8640: LDR setpoint map switch routine. Called from 0xB247 and 0xB252 (B1CD and B1D8 in -608) 8673: Injector Constant Switcher, For CODE_5225 (51AB -608) 86B3: Injector Constant Switcher, For CODE_5447 (53CD -608) 86E4: TCV duty cycle map switch routine, for CODE_B45D (B3E3 -608) 8717: Send logging flagbyte in ASCII 8763-87BF: unused, for future enhancements [93 bytes] 87C0-87FF Additional constants and/or codewords 87C1: Injector constant, alt map #1 87C2: Injector constant, alt map #2 87C3: Injector constant, alt map #3 8800-8A97 Pre-start listener (not fully utilized, space left for future enhancements) 8A98-8C84 Future Enhancements, 493 bytes [8A98-8C0A, 371 bytes] Memory addresses reused: FDC4: Cycle counter, pre-start listener, low byte FDC5: Cycle counter, pre-start listener, high byte FDC6: Cycle counter for logging routine. Used to slow the log output to about 15 frames/sec @ idle. Also used in pre-start listner for TPS detection FDAE: Bitwise flagbyte 0: Request Logging 1: Request ACK from drive cycle logging routine 2: request streaming XRAM logging 3: Request for pre-start OBD-II -- Abandon listener routine until next drivecycle, put serial comms back to default settings 4: Persistent disable - WIP 5: XRAM dump - spit out XRAM bytes from F800-FFFF while in pre-start listener (send x to activate) -- For testing/debugging 6: Map Switch bit 1 7: Map Switch bit 2 (00=normal map addresses, 01=alt map set 1, 10 = alt map set 2, 11 = alt map set 3) FDAF: Multiple use. - DPL while doing XRAM dump in prestart listener - Set to 0x81 in knock detect routine to signal knock detect to logger FDB0: Multiple use. - DPH while doing XRAM dump in prestart listener - Cycle counter while doing XRAM streaming logging -- FDB0 * 8 = base address current 8-byte frame being output, 8*256 = 2048 = size of XRAM. Prestart inputs: l: enable logging d: disable logging s: enable XRAM streaming logging o: enable pre-start OBD-II x: XRAM dump (spits out F800-FFFF immediately) p: dump port SFRs (spits out port SFRs P0-P7 immediately) 1: activate alternate map set 1 2: activate alternate map set 2 3: activate alternate map set 3 TPS: Cycles between stock maps, alt map 1, alt map 2, and alt map 3. MIL on for stock maps, off for set 1, even blink for set 2, uneven blink for set 3. In XRAM streaming logging mode, XRAM contents from F800 to FFFF are dumped in 8-byte frames while engine is running. Output format is: <0x2B> <0xB2> <0x22> <0xBB> 8-byte frames come out at about 20 per second, resulting in the entire XRAM contents being dumped every 10-15 seconds. This was implemented for ECU program exploration/debug purposes * Change lcall address at 0x3C69 (0x3BEF -608) [this is within the pre-start loop] from 0x68A1 to 0x8800 This is how the prestart listener is called. Moved small amount of existing code in 0x68A1 subroutine into top of 0x8900 subroutine. 3C69|3BEF lcall code_8800 was: 3C69|3BEF lcall code_68A1 * Upper bank space 1E000 - 1E6FF. This code space in the upper bank was found to be blank, containing nothing but 0x02 bytes. Used for additional fuel/ignition maps, as well as fuel/ignition map switch routines 1E000: Subroutine, select ignition map. Called from 0x1614C in both 607/608. 1E080: Subroutine, Select fuel map. Called from 0x164D9 in both 607/608. 1E100: Alt Ignition map #1 1E200: Alt Ignition map #2 1E300: Alt Ignition map #3 1E400: Alt fuel map #1 1E500: Alt fuel map #2 1E600: Alt fuel map #3 * Knock detect KLOPJN flagbit hack At 1CC48 in orignal 607 binary, bit RAM_2C.5 is checked, and if set, a routine between 1CC4B and 1CC66 (1CC1E - 1CC39 -608) is run. RAM_2C.5 is defined as KRFLG1.5 segment-synchronous output VS20 Segment-synchronous output spits out ignition information per firing "segment" (cylinder) for the VS20 diagnostic system. At 1CC68 (1CC3B -608) , at the completion of this routine, RAM_20.2 (KLOPJN, knock yes/no) is cleared. We don't want this to happen, because we want to log that flagbit. To avoid losing KLOPJN, 1CC48-1CC66 (1CC1B-1CC39) is modifed. Instead of the VS20 segment output routine, re-used EVAP diag XRAM byte 0xFDAF is updated to indicate the contents of KLOPJN. The logging routine grabs the byte, and sets bit 7 of byte 18 (value "BITS" in the .ADX) if KLOPJN indicated knock, and clears the byte. There is also a check on KLOPJN at 1CD0D (1CCE0 -608). This now lcalls 1CC53 (1CC26 -608) which sets FDAF in case there is another path to that piece of code -- The upper bank is a horrible mess of jumps my debugger can't follow very well, so playing it safe there.