Notes on code modifications for rev4b logging/mapswitch binary

* Gut EVAP diagnostic routine at 0x7CAD (0x7C33 -608).
  Took code executed when codeword disabled, and made it the default execution path.
  Appended logging routine to end of codeword-disable routine to provide log data output.
  Codeword-disable code runs from 7CAD to 7D25. Logging routine follows, until RET ~400 bytes later.

  Overall code space of original EVAP diagnostics routine: 7CAD - 8C84, about 4000 bytes.
  This space (and memory addresses used within) is reclaimed for enhancements.
  The layout is:

  7D26-7EF4 Logging Routine [7CAC-7E7A -608]
  7EF5-7FFF Future Use, 267 bytes [7E7B-7FFF -608, 389 bytes]
  8000-85FF Alternate Maps, Low Bank
    8000-80FF Alt TCV Duty Cycle Map #1
    8100-81FF Alt Boost Map #1
    8200-82FF Alt Boost Map #2
    8300-83FF Alt Boost Map #3
    8400-84FF Alt TCV Duty Cycle Map #2
    8500-85FF Alt TCV Duty Cycle Map #3
  8600-87BF Various small functions
    860D: send 1 serial byte
    8619: send 2 serial bytes
    8628: send 3 serial bytes
    8640: LDR setpoint map switch routine. Called from 0xB247 and 0xB252 (B1CD and B1D8 in -608)
    8673: Injector Constant Switcher, For CODE_5225 (51AB -608)
    86B3: Injector Constant Switcher, For CODE_5447 (53CD -608)
    86E4: TCV duty cycle map switch routine, for CODE_B45D (B3E3 -608)
    8717: Send logging flagbyte in ASCII
    8763-87BF: unused, for future enhancements [93 bytes]
  87C0-87FF Additional constants and/or codewords
    87C1: Injector constant, alt map #1
    87C2: Injector constant, alt map #2
    87C3: Injector constant, alt map #3
    87C4: Serial rate
    87C5: Logging Divisor
    87C6: Direct ADC of rear O2 channel
  8800-8A97 Pre-start listener (not fully utilized, space left for future enhancements)
  8A98-8C84 Future Enhancements, 493 bytes [8A98-8C0A, 371 bytes]

  Memory addresses reused:
    FDC4: Cycle counter, pre-start listener, low byte
    FDC5: Cycle counter, pre-start listener, high byte
    FDC6: Cycle counter for logging routine. Used to slow the log output to about 15 frames/sec @ idle.
          Also used in pre-start listener for TPS detection
    FDCB: Bitwise flagbyte (persistent byte)
      0: Request Logging
      1: Request ACK from drive cycle logging routine
      2: Request streaming XRAM logging
      3: Request for pre-start OBD-II -- Abandon listener routine until next drivecycle, put serial comms back to default settings
      4: Persistence enable
      5: XRAM dump - spit out XRAM bytes from F800-FFFF while in pre-start listener (send x to activate) -- For testing/debugging
      6: Map Switch bit 1
      7: Map Switch bit 2 (00=normal map addresses, 01=alt map set 1, 10=alt map set 2, 11=alt map set 3)
    FDAF: Multiple use.
      - DPL while doing XRAM dump in prestart listener
      - Set to 0x81 in knock detect routine to signal knock detect to logger
    FDB0: Multiple use.
      - DPH while doing XRAM dump in prestart listener
      - Cycle counter while doing XRAM streaming logging -- FDB0 * 8 = base address of the current 8-byte frame being output, 8*256 = 2048 = size of XRAM.

* Upper bank space 1E000 - 1E6FF.
  This code space in the upper bank was found to be blank, containing nothing but 0x02 bytes.
  Used for additional fuel/ignition maps, as well as fuel/ignition map switch routines.
  We have to use the upper bank for these, as the routines that reference these maps are in the upper bank themselves.

  1E000: Subroutine, select ignition map. Called from 0x1614C in both 607/608.
$ 1E040: Subroutine, Select fuel map. Called from 0x164D9 in both 607/608.
+ 1E080: Routine for MIL on excessive knock
+ 1E0F0-1E0FF: Constants/Codewords for upper bank routines
+   1E0F0: XFALMIT Threshold for MIL illumination
  1E100: Alt Ignition map #1
  1E200: Alt Ignition map #2
  1E300: Alt Ignition map #3
  1E400: Alt fuel map #1
  1E500: Alt fuel map #2
  1E600: Alt fuel map #3

* Prestart inputs:
  d: disable logging, also clears persistence
  l: enable logging, non-persistent (disables persistence if set)
+ L: enable logging, persistent
  s: enable XRAM streaming logging, non-persistent (disables persistence if set)
+ S: enable XRAM streaming logging, persistent
  o: enable pre-start OBD-II
+ O: enable pre-start OBD-II, persistent (disables pre-start listener, must remove all power to ECU to log again -- use this when getting car smogged)
  x: XRAM dump (spits out F800-FFFF immediately)
  p: dump port SFRs (spits out port SFRs P0-P7 immediately)
+ 0: clear all flagbits
  1: activate alternate map set 1
  2: activate alternate map set 2
  3: activate alternate map set 3
  TPS: Cycles between stock maps, alt map 1, alt map 2, and alt map 3.
       MIL on for stock maps, off for set 1, even blink for set 2, uneven blink for set 3.

* In XRAM streaming logging mode, XRAM contents from F800 to FFFF are dumped in 16-byte frames while engine is running.
  Output format is:
    <0x2B> <0xB2> ... <0x22> <0xBB>
  22 byte (2 header bytes, 2 DPTR bytes, 16 data bytes, 2 footer bytes) frames come out at about 20 per second, resulting in the entire XRAM contents being dumped every 5-10 seconds.
  This was implemented for ECU program exploration/debug purposes.

+ * XRAM Persistence Hack:
    Prevent byte FDCB from being cleared by nop'ing out 3858-385B [607] [37DE-37E1 -608].
    This byte is now used for the logging routine flagbyte, which includes map select bits.

* Change lcall address at 0x3C69 (0x3BEF -608) [this is within the pre-start loop] from 0x68A1 to 0x8800.
  This is how the prestart listener is called.
  Moved small amount of existing code in 0x68A1 subroutine into top of 0x8900 subroutine.
    3C69|3BEF  lcall code_8800
  was:
    3C69|3BEF  lcall code_68A1

* Knock detect KLOPJN flagbit hack
  At 1CC48 in original 607 binary, bit RAM_2C.5 is checked, and if set, a routine between 1CC4B and 1CC66 (1CC1E - 1CC39 -608) is run.
  RAM_2C.5 is defined as
    KRFLG1.5 segment-synchronous output VS20
  Segment-synchronous output spits out ignition information per firing "segment" (cylinder) for the VS20 diagnostic system.
  At 1CC68 (1CC3B -608), at the completion of this routine, RAM_20.2 (KLOPJN, knock yes/no) is cleared. We don't want this to happen, because we want to log that flagbit.
  To avoid losing KLOPJN, 1CC48-1CC66 (1CC1B-1CC39) is modified. Instead of running the VS20 segment output routine, the re-used EVAP diag XRAM byte 0xFDAF is updated to indicate the contents of KLOPJN. The logging routine grabs the byte, sets bit 7 of byte 18 (value "BITS" in the .ADX) if KLOPJN indicated knock, and clears the byte.
  There is also a check on KLOPJN at 1CD0D (1CCE0 -608). This now lcalls 1CC53 (1CC26 -608) which sets FDAF in case there is another path to that piece of code -- The upper bank is a horrible mess of jumps my debugger can't follow very well, so playing it safe there.

+ * MIL On Excessive Knock Hack:
    Logic at 15E31 and 15E6B (same in 607 and 608) handles grabbing the RAM_26.4 MIL bit and setting P3.5.
    We replace the 3 bytes at those addresses with 12 E0 80 to call function at 1E080, which checks the current XFALMIT value against the threshold at codebyte 1E0F0.
    If XFALMIT is greater than the value of the codebyte, the opposite value of RAM_26.4 is stuffed in carry.
    In the factory binary, RAM_26.4 is inverse -- 0 indicates MIL on, 1 indicates MIL off. This is why the code appears backwards.
    This causes the MIL to light while XFALMIT > codebyte if it was not previously lit, or to turn off if already lit for a DTC.

+ * KR Knock Counter
    From 1CE8E to 1CEBA [607] or 1CE61 - 1CE8D [608] some code runs if RAM_2A.3 or RAM_2C.5 (McMess diagnostics bits) are set.
    This code is within the capture/compare timer overflow interrupt routine, directly after the routine which detects knock by comparing sensor voltages to reference voltages.
    We zero these out and re-use EVAP diagnostic byte 0xFDCA to count the number of times knock was detected.
    We then log that value each logging cycle, and clear it -- so the log shows the number of knock detects between log items.

- RC5 vs RC4 code tweaks
  * Updated *listener and *logging routine
  * Relocate 1E080 to 1E040
  * MIL hacks at *15E31 and *15E6B
  * XRAM Persistence of FDCB, NOP *3858-385B [607], *37DE-37E1 [608]
  * New codebytes as defined in XDF -- set
  * KR counter hack in compare timer overflow interrupt
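
Added example (not part of the original notes or of the modified binary): a host-side Python parser for the XRAM streaming log format described above. It resynchronises on the 0x2B 0xB2 header, checks the 0x22 0xBB footer, rebuilds the F800-FFFF image and decodes the FDCB flagbyte. The DPTR byte order (DPH first), all function names and the sample capture are assumptions constructed for illustration.

```python
HEADER, FOOTER = b"\x2b\xb2", b"\x22\xbb"   # frame markers given in the notes
FRAME_LEN, DATA_LEN = 22, 16                # 2 header + 2 DPTR + 16 data + 2 footer
XRAM_BASE, XRAM_SIZE, FLAGBYTE_ADDR = 0xF800, 0x0800, 0xFDCB
FLAG_NAMES = [                              # bits 0..7 of FDCB, per the notes
    "request_logging", "request_ack", "request_xram_streaming",
    "request_prestart_obd2", "persistence_enable", "xram_dump",
    "map_switch_bit_1", "map_switch_bit_2",
]

def parse_stream(buf):
    """Return (image, accepted frame base addresses, rejected header matches)."""
    image, covered, rejected, i = bytearray(XRAM_SIZE), set(), 0, 0
    while i + FRAME_LEN <= len(buf):
        if buf[i:i + 2] != HEADER:
            i += 1                          # hunt for the next header
            continue
        frame = buf[i:i + FRAME_LEN]
        addr = (frame[2] << 8) | frame[3]   # ASSUMPTION: DPH is sent before DPL
        off = addr - XRAM_BASE
        if frame[-2:] != FOOTER or not 0 <= off <= XRAM_SIZE - DATA_LEN:
            rejected += 1                   # false header or damaged frame
            i += 1                          # resync one byte at a time
            continue
        image[off:off + DATA_LEN] = frame[4:4 + DATA_LEN]
        covered.add(addr)
        i += FRAME_LEN
    return image, covered, rejected

def decode_flagbyte(value):
    """Names of the FDCB flag bits that are set in value."""
    return [name for bit, name in enumerate(FLAG_NAMES) if value >> bit & 1]

def make_frame(addr, data):
    """Build one frame; used only to construct the sample capture below."""
    return HEADER + addr.to_bytes(2, "big") + bytes(data) + FOOTER

def constructed_capture():
    """Constructed sample: noise, a damaged frame, two good frames, a cut-off tail."""
    row = bytearray(16)
    row[FLAGBYTE_ADDR - 0xFDC0] = 0x51      # bits 0, 4 and 6 set
    bad = bytearray(make_frame(0xF800, range(16)))
    bad[-1] ^= 0xFF                         # break the footer
    return (b"\x00\x2b\x13" + bytes(bad) + make_frame(0xF800, range(16))
            + make_frame(0xFDC0, row) + make_frame(0xFFF0, [0xAA] * 16)[:10])

if __name__ == "__main__":
    image, covered, rejected = parse_stream(constructed_capture())
    print(sorted(map(hex, covered)), rejected,
          decode_flagbyte(image[FLAGBYTE_ADDR - XRAM_BASE]))
```

The set of accepted base addresses shows how much of F800-FFFF a capture actually covers before the image is trusted.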