Any computer science / EE majors here? Questions on OBD2 LT1 PCM architecture
11-03-2006, 05:40 PM
#1
Launching!
Thread Starter
iTrader: (2)
Join Date: Jan 2003
Location: Downtown Chicago
Posts: 265
Likes: 0
Received 0 Likes
on
0 Posts
Any computer science / EE majors here? Questions on OBD2 LT1 PCM architecture The search function is down on LS1Tech at the time that I'm writing this so I apologize if this question has been asked before.
Lately I've become interested in learning more about tuning OBD2 LT1s, which seem to be the black sheep of the GM PCMs--they're OBD2 but they were quickly shoved aside for the newer Gen III PCM architecture, and as a result the tuning software for them appears to be ancient compared to offerings like HPTuners and EFILive.
EDIT 11-09: My original dump was a T side ONLY. I found these new dumps on an old thread at the HPTuners forum.
T side E side
HPtuners forum threads (ancient, but informative):
http://www.hptuners.com/forum/showthread.php?t=43
http://www.hptuners.com/forum/showthread.php?t=50
Here's the basic layout of the T side:
[16 tables of 16x16 (assuming 32-bit word size), intermixed with constants]
[128kb of FFFFFFFF values]
[Code segment(?)]
Are there any publicly available documents that might explain what the tables define? Here's the first one:
More info from HPTuners -- Corrected 11/09:
The original info I found on DIY_EFI.org is incorrect--the PCM does NOT use the Motorola mc68332um... it's actually a MC68HC11F1.
Lately I've become interested in learning more about tuning OBD2 LT1s, which seem to be the black sheep of the GM PCMs--they're OBD2 but they were quickly shoved aside for the newer Gen III PCM architecture, and as a result the tuning software for them appears to be ancient compared to offerings like HPTuners and EFILive.
EDIT 11-09: My original dump was a T side ONLY. I found these new dumps on an old thread at the HPTuners forum.
T side E side
HPtuners forum threads (ancient, but informative):
http://www.hptuners.com/forum/showthread.php?t=43
http://www.hptuners.com/forum/showthread.php?t=50
Here's the basic layout of the T side:
[16 tables of 16x16 (assuming 32-bit word size), intermixed with constants]
[128kb of FFFFFFFF values]
[Code segment(?)]
Are there any publicly available documents that might explain what the tables define? Here's the first one:
Code:
0000 8080 1412 7373 434f 7e1f 01fc 8080 01ff 8000 2a05 1c80 0000 ffff ff00 8080
1414 2324 4006 8080 0000 4245 9999 8080 0000 7e7e 22ce 8a8a 0000 0a0a 5454 8080
0005 1E23 6464 8080 c3d7 292e 6464 0000 fefe 3235 6464 0000 ffff 434a 6969 0000
0300 1213 7373 0000 3410 1e1e 7878 8080 c00d 1016 6E64 8080 80d9 181f 6969 8080
30e1 2023 6969 5252 0800 0a0a 5454 9393 0000 0a11 5a5a 8080 0000 431e 5a5a 0000
fd79 7676 5f5a 2d2d 0000 2324 6462 0000 5050 4245 6964 0000 64a0 7e7e 786e 0000
0000 0a0a 6969 0000 7878 1e23 6969 114f 3c3c 292e 0e0a 5d5d 0073 1b1d 0828 5d5d
2828 2f32 2028 5d5d 1e14 3a43 9880 5d5d c8be 0a0a 4040 575d 8c97 1212 0505 5657
b405 1e1e 8080 5c5c 758c 8080 7880 6262 023a 8080 a005 6868 05dc 8080 3c3c 6e6e
0190 8080 504a 7474 0292 8080 0403 7a7a 7c02 8080 1010 8080 ffff 8080 c866 8080
ffff 8080 1c40 8080 0032 8080 1111 8080 2844 8080 0c0c 8080 8008 0514 3434 8080
0014 0008 0000 3200 8232 b23c 0d00 0000 0f07 8080 3900 0000 a100 8080 3900 0f00
8830 285a 1a00 2828 0e0e 1e32 5049 2828 0e0e 0000 021e 4646 0007 0000 2222 ffff
0000 1919 2030 0000 0505 0f0f 0503 5a5a 6467 0000 0754 0000 1819 0000 4333 e6e6
0f10 0000 fcfc 8080 201c 0000 ff00 8080 362f 0000 eaea 8080 3737 0000 9c7e 8080
f6ff 1919 ec26 0000 010f 0f0f 5000 fefe 1416 0505 ffff 2828 0c0d 0505 aaaa fe2c The original info I found on DIY_EFI.org is incorrect--the PCM does NOT use the Motorola mc68332um... it's actually a MC68HC11F1.
Last edited by trax; 11-09-2006 at 10:31 AM.
11-03-2006, 06:39 PM
#2
From the .org site you referenced, I found this site. If your hex dump truly starts at 0x0000, the following pages should tell you the info that you are looking for:
http://www.diy-efi.org/gmecm/papers/prog_101.html
The FFFFs are normally put at the end of a section, either the executable or the data section. Since there is no way of knowing how much the code will grow, you define a particular size and put FFFFs in the portion that remains unused. (A completely unused EEPROM starts out all FFFFs.)
I agree on the CPU, since it is the only one mentioned anywhere.
I am interested in how you managed to get a hex dump out of the ECM.
http://www.diy-efi.org/gmecm/papers/prog_101.html
The FFFFs are normally put at the end of a section, either the executable or the data section. Since there is no way of knowing how much the code will grow, you define a particular size and put FFFFs in the portion that remains unused. (A completely unused EEPROM starts out all FFFFs.)
I agree on the CPU, since it is the only one mentioned anywhere.
I am interested in how you managed to get a hex dump out of the ECM.
11-04-2006, 11:25 AM
#3
Launching!
Thread Starter
iTrader: (2)
Join Date: Jan 2003
Location: Downtown Chicago
Posts: 265
Likes: 0
Received 0 Likes
on
0 Posts
The hex dump came from Brent Franker's site. The link is down, but I was able to download it by viewing an archive.org backup.
Does anyone have a dump that they can contribute for reference? Maybe a manual car only has 15 tables like the older ECMs?
Thanks
Does anyone have a dump that they can contribute for reference? Maybe a manual car only has 15 tables like the older ECMs?
Thanks
11-04-2006, 01:06 PM
#4
Launching!
Thread Starter
iTrader: (2)
Join Date: Jan 2003
Location: Downtown Chicago
Posts: 265
Likes: 0
Received 0 Likes
on
0 Posts
Did some disassembling today with the following parameters:
RAM start: 0x00000000
RAM size: 0x00010000
ROM start: 0x00018000
ROM size: 0x00007FFC
I'll have to look up more information on what an offset size does.
Here's the first few lines of disassembled code. I don't think it's working quite right at the moment because IDA seems to be finding a ton of random values intermixed with the ROM segment... this is radically different than the other '96 V6 car dump that I've seen, and substantially smaller in size. Any chance that this is a bad dump?
RAM start: 0x00000000
RAM size: 0x00010000
ROM start: 0x00018000
ROM size: 0x00007FFC
I'll have to look up more information on what an offset size does.
Here's the first few lines of disassembled code. I don't think it's working quite right at the moment because IDA seems to be finding a ton of random values intermixed with the ROM segment... this is radically different than the other '96 V6 car dump that I've seen, and substantially smaller in size. Any chance that this is a bad dump?
Code:
ROM:00018000 ; --------------------------------------------------------------------------- ROM:00018000 ; --------------------------------------------------------------------------- ROM:00018000 ROM:00018000 ; Segment type: Pure code ROM:00018000 ; segment "ROM" ROM:00018000 cmp.b (sp)+,d3 ROM:00018002 sub.b (a5),d6 ROM:00018004 addi.l #-$48FC487B,a3 ROM:0001800A move.w $32E1(a4),(a5)+ ROM:0001800A ; --------------------------------------------------------------------------- ROM:0001800E dc.b $F1 ; ± ROM:0001800F dc.b $42 ; B ROM:00018010 ; --------------------------------------------------------------------------- ROM:00018010 move.b d3,d0 ROM:00018012 move.b (a4)+,(a2) ROM:00018014 sbcd d1,d5 ROM:00018016 move.l (a6),$138B(a3) ROM:0001801A move.l d3,-(a2) ROM:0001801C bset d0,-(a6) ROM:0001801C ; --------------------------------------------------------------------------- ROM:0001801E dc.b $FD ; ² ROM:0001801F dc.b $CE ; + ROM:00018020 ; --------------------------------------------------------------------------- ROM:00018020 move.l sp,d1 ROM:00018020 ; --------------------------------------------------------------------------- ROM:00018022 dc.b $F1 ; ± ROM:00018023 dc.b $27 ; ' ROM:00018024 ; --------------------------------------------------------------------------- ROM:00018024 move.b (a4)+,$13E6(a1) ROM:00018028 move.l (a0)+,-(a2) ROM:0001802A asr.b #6,d0 ROM:0001802C move.b d0,$5A(a1,d4.w*2) ROM:00018030 bclr d6,d6 ROM:00018032 move.l ($18CE0379).l,d0 ROM:00018032 ; ---------------------------------------------------------------------------
Last edited by trax; 11-04-2006 at 01:33 PM.
11-05-2006, 06:03 AM
#6
64 Kb of RAM sounds correct.
32 Kb of ROM sounds correct as well. (From experience with other embedded systems, not with the LT1 PCM.)
You will have to know the values in the parameters mentioned, such as the pointers and the addresses referenced, in order to know what happens when they do the compare and the subtraction (as an example).
Is there any way that you can step through the code while it is running?
Assembly code is the most difficult code to debug because of this. Of course, it is also the most compact and the fastest, due to less overhead.
Best of luck.
32 Kb of ROM sounds correct as well. (From experience with other embedded systems, not with the LT1 PCM.)
You will have to know the values in the parameters mentioned, such as the pointers and the addresses referenced, in order to know what happens when they do the compare and the subtraction (as an example).
Is there any way that you can step through the code while it is running?
Assembly code is the most difficult code to debug because of this. Of course, it is also the most compact and the fastest, due to less overhead.
Best of luck.
Trending Topics
10-04-2007, 06:06 PM
#8
Launching!
Thread Starter
iTrader: (2)
Join Date: Jan 2003
Location: Downtown Chicago
Posts: 265
Likes: 0
Received 0 Likes
on
0 Posts
1 year bump! 
So I'm looking through my SAE J2190 spec, and there are two commands/modes, $3B and $3C, that allow you to read and write data from arbitrary data blocks:
So that brings me to the million-dollar question. How can I find out where the blocks start and end? I'm guessing that the locations are going to be different than in the files that I mentioned in post #4.
Any tips?
Thanks!
So I'm looking through my SAE J2190 spec, and there are two commands/modes, $3B and $3C, that allow you to read and write data from arbitrary data blocks:
Originally Posted by J2190
5.26 Mode $3C -- Read Data Block
Functional Description -- The purpose of this mode is to provide a means for the external test device to read the contents of a data block. The data block numbers and associated memory locations need to be known by the on-board device. This mode does not allow off-board test equipment to read any memory locations other than for those data blocks predefined in the on-board device.
Functional Description -- The purpose of this mode is to provide a means for the external test device to read the contents of a data block. The data block numbers and associated memory locations need to be known by the on-board device. This mode does not allow off-board test equipment to read any memory locations other than for those data blocks predefined in the on-board device.
Any tips?
Thanks!
10-04-2007, 11:28 PM
#11
I don't understand what the deal is?
If you have the proper bin file pulled from a chip burner and you have the memory addresses you could just edit the file with a hex editor and re-burn the EEPROM.
The list of memory locations has been provided... so why are you trying to decompile the OS?
If you have the proper bin file pulled from a chip burner and you have the memory addresses you could just edit the file with a hex editor and re-burn the EEPROM.
The list of memory locations has been provided... so why are you trying to decompile the OS?
10-05-2007, 06:40 PM
#13
Bah. You are correct. The LT1's memory can be flashed from within. I linked a datasheet containing the information needed for rewriting it.
Can you get me up to speed? How do all the chips communicate? Serial? IIC? Are they all connected to the same buss? Do you have to use the 68HC11's to communicate with the flash?
I am just asking if you send data down the line from your PC to the PCM if you can address each chip indiviually! When I glanced at the data sheet it looked like you might have to use the HC11's to do a programming sequence.
http://pdf1.alldatasheet.com/datashe...EL/28F512.html
Can you get me up to speed? How do all the chips communicate? Serial? IIC? Are they all connected to the same buss? Do you have to use the 68HC11's to communicate with the flash?
I am just asking if you send data down the line from your PC to the PCM if you can address each chip indiviually! When I glanced at the data sheet it looked like you might have to use the HC11's to do a programming sequence.
http://pdf1.alldatasheet.com/datashe...EL/28F512.html
