ROM Table Discovery & Definitions
Seeing as there isn't a specific thread for this I thought I'd start one rather than tagging it in the middle of the Tactrix threads.
I decided to try WinOLS with some success, however I was wondering if those with IDA could look through and determine if these tables are of any use and what they do. It seems that WinOLS is fairly good at determining the actual tables and has a go at formulating the expressions, as well as allowing you to view them in a table or 3D format you would be familiar with.
Below are the 10 largest tables that are not yet defined, on my definition at least, for ZA1JA02G. I haven't looked at the A01G but so far the 2 are the same.
@Td-d @ztan
I'll post the same over on Romraider to see if they can be of any assistance.
Addresses:
Code:
<table name="Alpha 1" storageaddress="1070B8">
Code:
<table type="3D" name="Alpha 1" category="Alpha" storagetype="uint8" endian="big" sizex="19" sizey="31" userlevel="3"> |
I'll have a look in IDA.
Last tried to use WinOLS in 2006... |
Unpicking "Alpha 1":
From addresses given:
Code:
ROM:00106FF0 flt_106FF0: .float 800.0, 1200.0, 1600.0, 2000.0, 2400.0, 2800.0, 3200.0, 3600.0, 4000.0, 4400.0
Code:
ROM:000B2EF4 stru_B2EF4: Table_type <h'13, 0, h'1F> ; DATA XREF: sub_4FFD2+1Co
Code:
ROM:0004FFD2 sub_4FFD2: ; CODE XREF: sub_4FEBE+Ep |
*Thanks, I've updated the code. I figured it would be something like that as the table looks like this:
https://dl.dropboxusercontent.com/u/...lub/Alpha1.jpg
Seems to have higher numbers in the lower torque areas. As more are found I'll update the 1st post. |
Some more ;)
Addresses:
Code:
<table name="Alpha 11" storageaddress="103310">
Code:
<table type="3D" name="Alpha 11" category="Alpha" storagetype="uint16" endian="big" sizex="9" sizey="7" userlevel="3"> |
Rather than just picking random tables I have been overlooking the entire ROM, I found these 4 2D tables all in the same portion of the hex dump. They seem to correspond to RPM so I wonder if these are cylinder comp tables of some sort. When viewed as a chart they vary quite a bit.
Code:
<table name="Alpha 21" storageaddress="11E61C">
Code:
<table type="2D" name="Alpha 21" category="Alpha" storagetype="float" endian="big" sizey="15" userlevel="3"> |
I don't know what it is but I wanna learn all about it
|
I need help here
I tried to find FFF106FF0, it is the same but not analyzed
Code:
ROM:00106FF0 dword_106FF0: .data.l h'44480000, h'44960000, h'44C80000, h'44FA0000
Quote:
|
Quote:
An option box will come up with data type rotations that you want included in the data carousel - check "float". Pressing "d" in IDA will change the data type. To change the line of numbers into an array, press "*" and enter the length of the array. |
So this data is available on the CANBUS:
http://www.ft86club.com/forums/showthread.php?t=91170
I want it on my Tactrix. How do we go about getting it? |
Quote:
I suspect what the oft guys did was acquire a device that performs those read functions, then sniffed the CAN bus data requests and copied the requests into oft. |
Quote:
|
Quote:
I had a look at this briefly a couple of years ago, sniffing Techstream requests on CAN: http://www.romraider.com/forum/viewt...8475&start=296 |
Quote:
Quote:
|
Quote:
I couldn't find a Techstream parameter for IAM anywhere, so I figured that it was likely not easily available on the CAN bus. |
Quote:
|
Quote:
The OP2 is configured to send its requests to 07E0 (ECU), not 07B0 (VSC). I think to get control of that, we'd need to get a firmware rewrite from Colby. I think we would have much better CANbus access to all modules at the moment using an Arduino and CANbus shield; I haven't the time to crack it at the moment. This CANbus talk is getting a bit off topic, but if anyone can point to where the ECU interfaces with the VSC unit; and if the VSC data is put in RAM on the ECU, we can pull the data straight off the ECU with the OP2. |
Quote:
I'm eager to hear if this is in RAM in the ECU anywhere. |
<Off topic> Examples of CAN requests to ECU using Drew Tech Canbus tools:
Engine on idle, requesting MAF data
OBD Mode 01:
Send: 00 00 07 e0 01 10 (mode 01, PID 10)
Response: 00 00 07 e8 41 10 03 b8 (response 41 (01+40), PID 10, Data 03 B8 (7.68 g/s))
OBD Mode 23:
Send: 00 00 07 e0 23 14 ff f8 7c 70 04 (mode 23, 14:?number of parameters + data length, RAM address FFF87C70, 04:?bytes expected)
Response: 00 00 07 e8 63 41 15 e6 66 (response 63 (23+40), data 4115e666 (IEEE 754 float = 9.37 g/s)) |
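Added example, not part of any post in this thread: a Python sketch that decodes the big-endian IEEE 754 floats discussed above, both the raw dwords IDA showed at 00106FF0 and the mode 23 reply quoted in the previous post, and checks that the reply pairs with its request. The function names are illustrative; the 4-byte ID prefix is taken from the logged lines, and reading format byte 14 as "1 size byte, 4 address bytes" is an assumption based on the ISO 14229 ReadMemoryByAddress layout.

```python
import struct

def be_float(raw: bytes) -> float:
    """Interpret 4 bytes as a big-endian IEEE 754 single-precision float."""
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    return struct.unpack(">f", raw)[0]

def parse_frame(text: str):
    """Split a logged hex line into (CAN ID, service byte, remaining bytes)."""
    b = bytes.fromhex(text)
    if len(b) < 5:
        raise ValueError("frame too short")
    return int.from_bytes(b[:4], "big"), b[4], b[5:]

def decode_read_memory(request: str, response: str):
    """Check a mode 23 request/response pair and return (address, data)."""
    req_id, req_sid, req = parse_frame(request)
    rsp_id, rsp_sid, data = parse_frame(response)
    if req_sid != 0x23 or not req:
        raise ValueError("not a mode 23 request")
    if rsp_id != req_id + 8:            # 07E0 -> 07E8, as in the thread
        raise ValueError("response ID does not pair with request ID")
    if rsp_sid == 0x7F:
        raise ValueError("negative response: " + data.hex())
    if rsp_sid != req_sid + 0x40:       # 23 + 40 = 63
        raise ValueError("response service byte does not match")
    # Assumption: format byte 0x14 = 1 size byte, 4 address bytes
    # (ISO 14229 ReadMemoryByAddress layout).
    size_len, addr_len = req[0] >> 4, req[0] & 0x0F
    if len(req) != 1 + addr_len + size_len:
        raise ValueError("request length disagrees with format byte")
    address = int.from_bytes(req[1:1 + addr_len], "big")
    size = int.from_bytes(req[1 + addr_len:], "big")
    if len(data) != size:
        raise ValueError(f"asked for {size} bytes, got {len(data)}")
    return address, data

# Dwords IDA showed at 00106FF0 before retyping (values from the thread).
AXIS_DWORDS = [0x44480000, 0x44960000, 0x44C80000, 0x44FA0000]
AXIS = [be_float(d.to_bytes(4, "big")) for d in AXIS_DWORDS]

# Mode 23 request and response quoted in the thread.
ADDRESS, DATA = decode_read_memory("00 00 07 e0 23 14 ff f8 7c 70 04",
                                   "00 00 07 e8 63 41 15 e6 66")
MAF_GS = be_float(DATA)

if __name__ == "__main__":
    print(AXIS)
    print(f"{ADDRESS:08X} -> {MAF_GS:.2f} g/s")
```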
1 Attachment(s)
Anyone have any idea what this (FFF884F4 for A01G) may be? I was looking at how data calls are made to get 16 bit sensor data and this one came up: a voltage value gets read from the 16 bit routine and then scaled by a table (defined at 0B1FA8) which reads like a temperature scale; 100 to -40 in 10 degree increments.
Does not match with any other temperature sensors that I log. |
Not much help with yours @ztan but more of a question for those who are good at discovery.
Been trying to work out why the throttle closes under WOT and am doing some digging around. I don't suppose anyone fancies digging into the throttle angle routines. It's definitely nothing to do with requested angle, however there must be something that causes this. It seems fairly uniform between FI and NA cars too. I've tried testing Requested torque and calculated tq tables but nothing there has yet made any difference. |
Rev limit code
1 Attachment(s)
Shiv asked me to look at an RPM limit problem under boost and there is something interesting in the code worth noting:
Rev Limit A and B have their cut and resume values in different directions (see disassembly pic). No reason for the engineers to do this and Rev Limit B works without hysteresis in the stock ROM which has 7400 as the first (resume) value and 7200 as the second (cut).
A01G def:
Code:
<table name="Rev Limit A" storageaddress="10C524" /> |