LegacyGT.com

5EAT TCU Reverse Engineering


utc_pyro


Actually I just wanted it because it was quiet, and it was rated more efficient than others - at the time.

 

Quiet is a great reason. I hate noise in my office. I just have had issues with power supplies, and yeah....it's amazing what you learn about them on my end.


I work for a computer company. If you think 5% is all you'll see, you've got another thing coming. The consumer brands you quote are all commodity vendors, and their names mean nothing. The real names are companies like Etasis, Delta and Aztek to name a few.

 

Yeah, everyone's an expert on the Internet. :rolleyes: I could tell you my long history with PCs, networks, etc., but that would just be pointless. Bottom line: ATX is a standard and PC Power & Cooling was not just another "commodity vendor". PC Power & Cooling made their own PSUs in-house. They were bought by OCZ not too long ago, but that doesn't change them to a commodity vendor. Do your research and quit arguing for the sake of arguing. A PC power supply is a good suggestion by others here as well for testing units like a TCU. Knock off the pointless forum arguing.

Edited by cipher_nemo

I was looking back at this right now. Is PBASIC anything similar to a regular basic programming language? Or is this something completely different?

 

I believe so, I think Parallax tweaked BASIC for their needs and came up with PBASIC.

 

I remember taking a BASIC programming course way back when in high school, as far as remembering the syntax of it though, I'm at a loss. I realize I have A LOT of reading to do

 

Thanks


If you need some help, let me know. I'm not a basic expert, but I've had to work in Visual Basic and Visual Basic .Net in the past. My experience is more attuned to C, C++, C#, Java/Javascript, etc. But if you do run across something odd, we might be able to figure it out.


I did my fair share of basic (TI Basic, TI Extended Basic, Atari Basic, Atari Basic XL, GFA Basic, Waterloo Structured Basic) back in the 80s and early 90s... Since then, mostly C/C++, Java, Tcl/Tk, shell and a bit of javascript. I'm sure I could figure out PBasic, if it's based on Basic..


Hey yeah, great if you guys want to have a look at this and let me know what you think, that'd be great!

 

https://files.me.com/subarutech/2fhw4g - BS2 source code

 

You can find the development software here: https://www.parallax.com/tabid/441/Default.aspx

 

According to the activeboard forum where I found this code at, they only needed to read to address 0003:FFFF, I would like to read to address 0007:FFFF- does anything need to be changed in the source code to do this?

 

Another question I have is about the checksum, is the equation the same for any ROM? or are they different from ROM to ROM? or processor to processor?


The command reference for their flavor of basic is here:

https://www.parallax.com/Portals/0/Downloads/docs/prod/stamps/web-BSM-v2.2.pdf

 

Well, at a quick glance the code has some typical basic style elements such as FOR NEXT loops, GOSUB and 'sub-routine-name': RETURN sections, and just simple defining and changing variables. But I have no clue what those variables represent (like AN and DN where N is some number).

 

Also, the variable "Nib", short for "Nibble" is sort of funny. :) Not sure what a "Nibble" is (other than something smaller than a "byte" which is 8 bits, hence a play on words?), but the way they're using it is just a hexadecimal value.

 

In essence, the code defines a bunch of A and D "Nib" variables, a checksum byte, pauses for 5 seconds (waiting for something externally??), defines some more variables, then runs through the "Nibbles" one by one and displays the hexadecimal results of an equation (using the DEBUG command). The "Get32" subroutine they've defined determines if they're syncing low or syncing high. I have no idea what syncing low or high means? Is this about syncing to a gear above or below?

 

In other words, the code you linked is pretty easy to read, but it's out of context since I have no idea what the variables mean, let alone each hex value. I have a feeling that learning the hexadecimal values is the key to completely understanding this.

Edited by cipher_nemo

You are correct: a nibble is half a byte (i.e. 4 bits). Often useful for embedded/control systems where you only have a few bits to set/unset..


Good to know, thanks. :) I don't do anything with embedded systems on a daily basis, including the TCU, so quite a bit of terminology there is going to throw me for a loop.


I've figured out how to change the address that I want to end at in the program. This is a snippet from the original code found on the ECU Hacking site.

 

' addr  0000:0000 - 003F:FFFF
'

A28=0
A24=0

FOR A20 = 0 TO 3
 FOR A16 = $0 TO $F
   FOR A12 = $0 TO $F
     FOR A8 = $0 TO $F
       FOR A4 = $0 TO $F

It needs to be changed to this to read to 0007:FFFF

 

' addr  0000:0000 - 007F:FFFF      '2/26/11 changed comment to reflect ending address change
'

A28=0
A24=0

FOR A20 = 0 TO 7                   '2/26/11 changed 3 to 7 as I want to read to 0007:FFFF
 FOR A16 = $0 TO $F
   FOR A12 = $0 TO $F
     FOR A8 = $0 TO $F
       FOR A4 = $0 TO $F

Confirmed by this thread:

 

http://ecuhacking.activeboard.com/forum.spark?aBID=99460&p=3&topicID=22449760

 

The checksum part of the code, from what I can gather, is only for the file that the hexdump is outputted into, s-mot I believe (.s19 extension). It is only used to verify that the transmission has no errors, and is not actually part of the ROM.

 

I've had the BasicStamp set-up running, and have had some repeatable results... What are the odds that the ROM has a big chunk of FF's at the beginning of the ROM? Slim to none?

 

Also, when it does seem to be running correctly, it takes a really, really long time for it to output to the hyperterminal. In the thread referenced above, they quote 90min for reading to H'3FFFF and 2 1/2 hrs to read to H'5FFFF. I had it running 6hrs straight and it only made it to 0000:09C0. Here's a link: https://files.me.com/subarutech/6eiyqi

 

S214 is the header of the line, then there are 32 characters which are supposed to be the ROM, and then the last 2 digits are the checksum that the program uses for communication verification.

 

I've checked my wiring from the 7055 pins to the breadboard of the BasicStamp board and they all seem good. However, my workspace is also the kitchen table, so everything has to be taken down every night, or morning before my son can get to it. And I've had to re-solder a few of the wires attaching to the TCM AUD ports (they are really small) a few times, but they ohm out ok from the pins of the 7055 to the other end of the wire.

 

I also ended up using a car battery to power the TCM, it holds a rock steady 12.44V while connected. Either the AUD ports or the BasicStamp board seem to be really sensitive to voltage fluctuations and make the output all garbled. I'm thinking of trying to borrow a scope and see if the signals are getting to where they are supposed to be going.

Link to comment
Share on other sites
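
The line layout described in the post above, as an added example that is not part of the original post or of the BS2 program: a Python check for Motorola S-record lines, assuming the `.s19` dump follows the standard layout (type, byte count, address, data, checksum, so the six hex digits after `S214` are the address). It flags corrupted lines, all-0xFF lines and address gaps; the sample lines are constructed and the function names are hypothetical.

```python
# Added example: audit a Motorola S-record ROM dump captured over a noisy link.
# Sample records are constructed here, not taken from the linked dump file.

def parse_srecord(line):
    """Return (address, data) for a valid S1/S2/S3 record, else raise ValueError."""
    line = line.strip()
    addr_len = {"S1": 2, "S2": 3, "S3": 4}.get(line[:2])
    if addr_len is None:
        raise ValueError("not a data record")
    try:
        body = bytes.fromhex(line[2:])
    except ValueError:
        raise ValueError("non-hex characters or odd length")
    # The count byte covers everything after it: address + data + checksum.
    if len(body) < addr_len + 2 or body[0] != len(body) - 1:
        raise ValueError("byte count does not match line length")
    # Checksum: ones' complement of the low byte of sum(count, address, data).
    if (sum(body[:-1]) & 0xFF) ^ 0xFF != body[-1]:
        raise ValueError("checksum mismatch")
    return int.from_bytes(body[1:1 + addr_len], "big"), body[1 + addr_len:-1]

def make_s2(address, data):
    """Build a well-formed S2 record (used only to construct sample input)."""
    body = bytes([len(data) + 4]) + address.to_bytes(3, "big") + bytes(data)
    return "S2" + (body + bytes([(sum(body) & 0xFF) ^ 0xFF])).hex().upper()

def audit_dump(lines):
    """Report corrupted lines, all-0xFF data lines and address discontinuities."""
    report = {"ok": 0, "bad": [], "all_ff": [], "gaps": []}
    expected = None
    for n, line in enumerate(lines, 1):
        try:
            addr, data = parse_srecord(line)
        except ValueError as err:
            report["bad"].append((n, str(err)))
            expected = None  # continuity cannot be judged after a bad line
            continue
        report["ok"] += 1
        if data and all(b == 0xFF for b in data):
            report["all_ff"].append(addr)
        if expected is not None and addr != expected:
            report["gaps"].append((expected, addr))
        expected = addr + len(data)
    return report

GOOD = make_s2(0x000000, range(16))
FLIPPED = make_s2(0x000020, range(16))
FLIPPED = FLIPPED[:10] + "1" + FLIPPED[11:]  # corrupt one data digit in transit
SAMPLE = [GOOD, make_s2(0x000010, [0xFF] * 16), FLIPPED, make_s2(0x000040, [0xAA] * 16)]

if __name__ == "__main__":
    print(audit_dump(SAMPLE))
```

A line that fails the checksum points to a transfer error between the BasicStamp and the terminal, while an all-0xFF line with a valid checksum means those bytes were sent exactly as the reader program sampled them.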

For a 7055, none. The bytes 0x000 - 0x3FF contain the Exception Processing Vector Table Addresses.

 

Wouldn't/Couldn't 0xFFFF be, in essence, a NOP (i.e. no exception handler installed for this exception)?

Possibly, but not for the first 30 odd vector addresses as these are for resets, interrupts, comm ports, etc. processing.


  • 4 weeks later...

TCU logic is not very intuitive. Kind of like how many parts of ECU logic are not very intuitive. I will be trying to identify how it does work as best I can so I can replicate it. The dirt is in the details. If I get anything good I'll post up.

 

Best luck to all who support this mission of writing to stock TCUs.
