follow ft86club on our blog, twitter or facebook.
FT86CLUB
Ft86Club
Delicious Tuning
Register Garage Members List Calendar Search Today's Posts Mark Forums Read

Go Back   Toyota GR86, 86, FR-S and Subaru BRZ Forum & Owners Community - FT86CLUB > Technical Topics > Software Tuning

Software Tuning Discuss all software tuning topics.


User Tag List

Reply
 
Thread Tools Search this Thread
Old 10-30-2024, 11:10 AM   #1
Compelica
Senior Member
 
Compelica's Avatar
 
Join Date: Apr 2019
Drives: 86 GT
Location: Malaysia
Posts: 366
Thanks: 236
Thanked 211 Times in 108 Posts
Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
Gear Determination Thresholds for ZA1JK00G

Have been recently trying out Ghidra which I am attempting to define the gear determination thresholds for K00G.This is not defined in open source as far as I'm aware of.

Attaching the definition if anyone would like to test it. I am using the OFT v4.03 definition, but should work fine with a stock K00G ROM.

This is untested, so please use at your own risk.

There are three sets of values:

For A and B you should be using the same values for the internal A and B cells. Those values point to only a single function, a pointer and nowhere else. For the C and D tables those locations are not even referenced anywhere at all.

To change the value, divide the values from tables A and C by 4.1 and multiply with your intended ratio. Those values should be replicated to tables B and D as well.

Attached Files
File Type: txt OFTv4_ZA1JK00G_geardeterm.xml.txt (558.5 KB, 8 views)
__________________
DIY stuff at Compelica Works
Compelica is offline   Reply With Quote
The Following User Says Thank You to Compelica For This Useful Post:
tomm.brz (11-02-2024)
Old 10-30-2024, 09:45 PM   #2
callisto
Member
 
Join Date: Nov 2021
Drives: 2019 Subaru BRZ
Location: NA
Posts: 54
Thanks: 31
Thanked 36 Times in 21 Posts
Mentioned: 4 Post(s)
Tagged: 0 Thread(s)
I can validate this - thanks for posting it! I hadn't looked into any of this since I began. Opened up K00G and after an afternoon of study, your read looks valid.

It looks like in S10C the unused C/D tables are gone and the A/B tables are simplified to only have 5 elements instead of 10; the associated switching logic that hinged on K00G:0xFFF88D8E is removed, though the ECU still calculates and records it at S10C:0xFFF88BF2; nothing seems to refer to it anymore, though. Interestingly, the A/B and C/D tables seem to differ by almost exactly the ratio of 4.1:4.33, but I can't see what controls the switching between them.

I did some experimentation and, if you rephrase Gear Determ Thres A/B/C/D as 3D tables with sizex=2/2/1/1 sizey=5, RomRaider can display those tables more compactly without altering the address locations:

Code:
        <table type="3D" name="Gear Determination Thresholds A" category="Miscellaneous - Thresholds" storagetype="float" endian="little" sizey="5" sizex="2" userlevel="4">
            <scaling units="Rev/Mile" expression="96560.6/x" to_byte="96560.6/x" format="0.00" fineincrement="50" coarseincrement="100" />
            <table type="Static X Axis" name="Table" sizex="2">
                <data> Side 1 </data>
                <data> Side 2 </data>
            </table>
            <table type="Static Y Axis" name="Gear Thresholds" sizey="5">
                <data> Min 1st Gear / Max 2nd Gear </data>
                <data> Min 2nd Gear / Max 3rd Gear </data>
                <data> Min 3rd Gear / Max 4th Gear </data>
                <data> Min 4th Gear / Max 5th Gear </data>
                <data> Min 5th Gear / Max 6th Gear </data>
             </table>
I also noticed that, in theory, there's an RPM adjustment factor in the code (it defaults to 1.0 so Ghidra hides it in the decompiler), that lets you globally divide the RPM used in the calculation by a given factor, in both K00G and S10C, without having to edit the data tables; if you put in (new FD / stock FD) into that float, it might autoscale the tables without having to make further edits. K00G:0x5000A / K00G:0x5006A divide the RPM by float:0x104570 / float:0x104574, in case you want to experiment. (Still present in S10C!)

Also - congratulations on the Ghidra progress!!
callisto is offline   Reply With Quote
The Following User Says Thank You to callisto For This Useful Post:
Compelica (10-31-2024)
Old 10-31-2024, 12:49 PM   #3
Compelica
Senior Member
 
Compelica's Avatar
 
Join Date: Apr 2019
Drives: 86 GT
Location: Malaysia
Posts: 366
Thanks: 236
Thanked 211 Times in 108 Posts
Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
Quote:
Originally Posted by callisto View Post
I can validate this - thanks for posting it! I hadn't looked into any of this since I began. Opened up K00G and after an afternoon of study, your read looks valid.

It looks like in S10C the unused C/D tables are gone and the A/B tables are simplified to only have 5 elements instead of 10; the associated switching logic that hinged on K00G:0xFFF88D8E is removed, though the ECU still calculates and records it at S10C:0xFFF88BF2; nothing seems to refer to it anymore, though. Interestingly, the A/B and C/D tables seem to differ by almost exactly the ratio of 4.1:4.33, but I can't see what controls the switching between them.

I did some experimentation and, if you rephrase Gear Determ Thres A/B/C/D as 3D tables with sizex=2/2/1/1 sizey=5, RomRaider can display those tables more compactly without altering the address locations:

Code:
        <table type="3D" name="Gear Determination Thresholds A" category="Miscellaneous - Thresholds" storagetype="float" endian="little" sizey="5" sizex="2" userlevel="4">
            <scaling units="Rev/Mile" expression="96560.6/x" to_byte="96560.6/x" format="0.00" fineincrement="50" coarseincrement="100" />
            <table type="Static X Axis" name="Table" sizex="2">
                <data> Side 1 </data>
                <data> Side 2 </data>
            </table>
            <table type="Static Y Axis" name="Gear Thresholds" sizey="5">
                <data> Min 1st Gear / Max 2nd Gear </data>
                <data> Min 2nd Gear / Max 3rd Gear </data>
                <data> Min 3rd Gear / Max 4th Gear </data>
                <data> Min 4th Gear / Max 5th Gear </data>
                <data> Min 5th Gear / Max 6th Gear </data>
             </table>
I also noticed that, in theory, there's an RPM adjustment factor in the code (it defaults to 1.0 so Ghidra hides it in the decompiler), that lets you globally divide the RPM used in the calculation by a given factor, in both K00G and S10C, without having to edit the data tables; if you put in (new FD / stock FD) into that float, it might autoscale the tables without having to make further edits. K00G:0x5000A / K00G:0x5006A divide the RPM by float:0x104570 / float:0x104574, in case you want to experiment. (Still present in S10C!)

Also - congratulations on the Ghidra progress!!
Thanks on the 3D table tip - wasn't aware that it could be done that way

On the ratio adjustment, that's a great idea as well though I still can't figure out on why there would be two ratio sets but then again, I suppose that's all from an RE standpoint which can be done - which is to infer.

Regarding Ghidra - thanks, and to you as well I'm honestly quite surprised how seemingly fast people pick up what the function(s) are trying to do and/or achieve... or I must be going round the long way. I got lucky that this example is simple in particular (the ratio values are the same in A01G so all I had to do was search for it in K00G) but I'm having trouble with several other use cases where I have no lead or hint to start from.

My next case I'm working on is a bit more open - in A01G, I'm trying to find if there is a value in RAM that indicates when tip-in fuel enrichment is active. What I'm doing right now is manually remapping backwards regions of the ROM/RAM from the definitions and the logcfg files to give me a better idea on what is being referenced in the decompiler, but there are still quite a number of RAM addresses to figure out from if any are doing what I'm looking for.

Any hints on getting more done and faster in Ghidra would certainly be appreciated!
__________________
DIY stuff at Compelica Works
Compelica is offline   Reply With Quote
Old 10-31-2024, 01:50 PM   #4
callisto
Member
 
Join Date: Nov 2021
Drives: 2019 Subaru BRZ
Location: NA
Posts: 54
Thanks: 31
Thanked 36 Times in 21 Posts
Mentioned: 4 Post(s)
Tagged: 0 Thread(s)
You’re taking the route I did and I haven’t found better yet. The original crew knew how to find the OBD hooks in Subaru code, I think? But I’ve made no progress finding those yet in order to have a second way.
callisto is offline   Reply With Quote
Old 10-31-2024, 03:05 PM   #5
Compelica
Senior Member
 
Compelica's Avatar
 
Join Date: Apr 2019
Drives: 86 GT
Location: Malaysia
Posts: 366
Thanks: 236
Thanked 211 Times in 108 Posts
Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
Quote:
Originally Posted by callisto View Post
You’re taking the route I did and I haven’t found better yet. The original crew knew how to find the OBD hooks in Subaru code, I think? But I’ve made no progress finding those yet in order to have a second way.
What I understand is that there are Mode21 PIDs (OBD2 PIDs but specifically used by Toyota/Subaru) which requests a byte value (or several) in which that reference can be used find where that value is located in RAM. So instead of going around deducing the RAM address for oil temperature you can use the oil temperature PID to point you there.
__________________
DIY stuff at Compelica Works
Compelica is offline   Reply With Quote
Old 10-31-2024, 03:11 PM   #6
callisto
Member
 
Join Date: Nov 2021
Drives: 2019 Subaru BRZ
Location: NA
Posts: 54
Thanks: 31
Thanked 36 Times in 21 Posts
Mentioned: 4 Post(s)
Tagged: 0 Thread(s)
Yeah. The part I want to find is where it handles Mode 21 requests. But I have to learn a lot more about OBD protocol, I suspect. It’s a multi-year quest for sure.
callisto is offline   Reply With Quote
 
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ZA1JK00G or ZA1JK00C ricrod Software Tuning 1 12-31-2018 02:03 AM
Loud Hum/Grinding Noise + Vibration in 5-15mph gear range, in gear and rolling neutrl jakebrz Issues | Warranty | Recalls / TSB 14 06-06-2016 07:28 PM


All times are GMT -4. The time now is 10:06 PM.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
User Alert System provided by Advanced User Tagging v3.3.0 (Lite) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.

Garage vBulletin Plugins by Drive Thru Online, Inc.