
Thread: Funny adventures in electrical engineering

  1. #41
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    Quote Originally Posted by Sparkie View Post
    I'd recommend you nab the datasheet for the HD6301v1 from the git repository just to get a better feel for what I'm blabbing about.
    so that file wasn't actually there... that was rectified about 42 seconds ago. oops, sorry.

    and for those of you paying attention but not source diving or pulling down my thrice daily updates to github, be pleased to note that source disassembly is proceeding quickly, some variables have NAMES now (which mean something, others have names which suck, or just comments or nothing at all). I've more fully fleshed out the array of outputs the processor uses to control its actuators (I found the TVIS code for instance). What I don't have right now is a complete understanding of how the processor gets data from the adc, I was expecting it to be simpler, and fully encased in the serial receive ISR, but it's not. The adc is crucial because the majority of the important sensors go there (including the load output of the mixed signal IC (all assumed)). any source diving volunteers?

  2. #42
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    PROGRESS UPDATE:
    We now have a serial data interface to the PCM, and are able to read out any data from its special function registers (timers and ports really) and all of its RAM (where the good stuff is). This will help debugging as we can now assess the state of a particular RAM location which is important, but not obvious as to its contents. It can also help people tune or diagnose their cars, once we know exactly what each location does in memory.

    Technical:
    Using another microprocessor I generate the serial clock (baud*8) and serial data and push the byte into the HD6301 while it's NOT talking to the ADC (ADC /CS = 1), this triggers a branch at F3EF to the debug routine at F40D. This code replies with two bytes of data, one directly at the received byte address, and one at an offset of +1. This routine can only output the bottom 256 bytes in the address space.

    Pictures, yay!:
    top trace is HD6301 RX, bottom trace is HD6301 TX, trigger is rising edge of ADC /CS, and trigger delay is -1 division. for simplicity I programmed the baud rate to be around 57600, but it could be pushed up to 250kbit/s according to the HD6301 datasheet.


    The hardware and rat's nest interfacing. A live PCM inside a car would get a nice 6 way connector or maybe just the supplementary micro hidden inside the case with a serial/usb output.


    the victory. here we're pushing out the first few bytes of user ram from 0x40 to 0x47 inclusive. format is [address data@address data@address+1]
    These locations here are particularly exciting because we can match the values read out with values written to these specific locations beginning at code FC33
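The readout format described in post #42, as an added example that is not part of the original post or the project's repository: it decodes a capture of `[address data@address data@address+1]` records into a RAM map and uses the overlap between consecutive polls as a consistency check. The flat 3-byte record layout, the function names and the sample bytes are assumptions.

```python
# Added example: decode replies from the PCM debug routine described above.
# Assumption: the capture is a flat byte stream of 3-byte records
# [address, data@address, data@address+1]. Names are hypothetical.

def parse_records(stream: bytes):
    """Split a capture into (address, byte0, byte1) records."""
    if len(stream) % 3:
        raise ValueError("capture is not a whole number of 3-byte records")
    return [tuple(stream[i:i + 3]) for i in range(0, len(stream), 3)]

def build_ram_map(records):
    """Merge records into {address: value} and list disagreeing reads.

    Each reply carries two bytes, so polling consecutive addresses reads
    every location twice. A mismatch means the value changed between
    polls (a live variable) or the capture slipped its framing.
    """
    ram, conflicts = {}, []
    for addr, b0, b1 in records:
        for a, v in ((addr, b0), (addr + 1, b1)):
            if a > 0xFF:
                # The routine only reaches the bottom 256 bytes; the second
                # byte of a poll at $FF is ignored here (assumption).
                continue
            if a in ram and ram[a] != v:
                conflicts.append((a, ram[a], v))
            ram[a] = v
    return ram, conflicts

# Constructed sample capture (not real PCM data): polls of $40..$43, where
# the byte at $42 changes between the second and third poll.
SAMPLE = bytes([0x40, 0x12, 0x34,
                0x41, 0x34, 0x56,
                0x42, 0x57, 0x78,
                0x43, 0x78, 0x9A])

if __name__ == "__main__":
    ram, conflicts = build_ram_map(parse_records(SAMPLE))
    for a in sorted(ram):
        print(f"${a:02X} = ${ram[a]:02X}")
    for a, old, new in conflicts:
        print(f"${a:02X} changed between polls: ${old:02X} -> ${new:02X}")
```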

  3. #43
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    BooYEAH! For those of you following at home, and I know that's absolutely nobody (git ratted you out), I have successfully hacked the code which drives the external ADC, and thus I have traced the analog inputs (Throttle position, AFM something, Air temp, Water Temp, power something and Oxygen sensor) to their respective homes in the code. This is a great justice since now I can see how these are used by the various routines (including the table lookup routine), and trace out their impacts on the code.

    As usual, I'd appreciate the assistance of anyone who judges themselves qualified to assist. Still on the docket is to find out how RPM is derived and stored and to fully flesh out how the injectors and igniter are driven. You can find this project on GIT:
    https://github.com/sparkiedk/Toyota-PCM-hacking

  4. #44
    Join Date
    Jun 2008
    Location
    v isl
    Posts
    4,649
    I'm watching, I just have no idea what the hell is going on. Interesting though.

  5. #45
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    Quote Originally Posted by Dugwillis View Post
    I'm watching, I just have no idea what the hell is going on. Interesting though.
    excellent! I aim to put on a good show, and with that in mind: I present a histogram of the relative frequency of the polling of adc channels. the channel order is:
    0 - Throttle position
    1 - Air flow meter related (taken from mixed signal se056)
    2 - Air temperature
    3 - Water Temperature
    4 - Power related (likely batt voltage)
    5 - Oxygen sensor

    [Attached image: adcchannelfreq.jpg]

    As the plot shows the PCM is STRONGLY biased towards sampling the oxygen sensor, and in fact doing so a minimum of once per ADC select period (250Hz when the pcm is run bare on the desk, slower when it's occupied with other stuff). A normal ADC select period will consist of one measurement of a channel 0..4, then another measurement of channel 5. Clearly Toyota needed to keep the sample rate up on the oxy sensor to maintain good feedback control of the engine.

  6. #46
    Join Date
    Oct 2006
    Location
    Victoria B.C.
    Posts
    1,692
    I got the part about rap songs. Seriously though, this thread makes me wish I were doing EE or even Mecha instead of plain old Mech.

    1970 KE17 Project
    1969 KE10 Slider

  7. #47
    Join Date
    Jun 2008
    Location
    Calgary AB
    Posts
    1,322
    Quote Originally Posted by Sparkie View Post
    excellent! I aim to put on a good show, and with that in mind: I present a histogram of the relative frequency of the polling of adc channels. the channel order is:
    0 - Throttle position
    1 - Air flow meter related (taken from mixed signal se056)
    2 - Air temperature
    3 - Water Temperature
    4 - Power related (likely batt voltage)
    5 - Oxygen sensor

    [Attached image: adcchannelfreq.jpg]

    As the plot shows the PCM is STRONGLY biased towards sampling the oxygen sensor, and in fact doing so a minimum of once per ADC select period (250Hz when the pcm is run bare on the desk, slower when it's occupied with other stuff). A normal ADC select period will consist of one measurement of a channel 0..4, then another measurement of channel 5. Clearly Toyota needed to keep the sample rate up on the oxy sensor to maintain good feedback control of the engine.
    what programs are you using to view the ass and other code? Also it's sad how out spec'd the ecu is by today's electronics... Do you plan on manipulating the code on ecu/flashing it or just gonna figure out values and put resistors to get pefer I/O? NEVERMIND I JUST READ THE REST OF THE POST. ^.^

    Quote Originally Posted by woodenturn View Post
    DK should ban such nonsense. 2 cents~ sr86 www.dorikaze.net/showthread.php?32933-Elizabeth

  8. #48
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    Re-coding the ecu is the name of the game, but it isn't as easy as modern ECUs. The code is mask rom (or PROM, no real difference from our point of view), so there isn't any hope of changing it, but we CAN tell the micro to ignore all its internal code, then make an external chip (flash for instance ) to carry the original code ?anything we so desire.

    The programs I'm using are primarily IDA 6.1 for the disassembly and MATLAB r2008 for the plotting. xvi32 and willem eeprom and dasm and notepad have all been indispensable at times though.

    also, since i promised some progress now that the adc is hacked, here's the reason we drive toyota: 3D maps in the early/mid 80's
    [Attached image: 3dmajik.jpg]

  9. #49
    Join Date
    May 2006
    Location
    Campbell River
    Posts
    3,156
    Keep up the good work.

    I like graphs.
    1JZ 1984 Celica GTS
    1UZ 1981 Corolla sedan
    ? 1972 Celica race car

  10. #50
    Join Date
    Jun 2008
    Location
    Calgary AB
    Posts
    1,322
    Quote Originally Posted by Sparkie View Post
    Re-coding the ecu is the name of the game, but it isn't as easy as modern ECUs. The code is mask rom (or PROM, no real difference from our point of view), so there isn't any hope of changing it, but we CAN tell the micro to ignore all its internal code, then make an external chip (flash for instance ) to carry the original code ?anything we so desire.
    what microcontroller do you plan to use? so the plan is to bootstrap it with the micro, and if so can it be run to a NAND flashed device or possibly a VM input, possible? I am not really that familiar with hardware interoperability between new arch and old

    Quote Originally Posted by woodenturn View Post
    DK should ban such nonsense. 2 cents~ sr86 www.dorikaze.net/showthread.php?32933-Elizabeth

  11. #51
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    So the current plan is to use the processor that came with the PCM: the Hitachi HD6301 which has some custom hardware in it that Toyota managed to weasel (more ram, possibly another input capture module). This chip is normally used in the PCM in mode 7, which is fully internal and allows one to use ports 3 and 4. Currently I'm testing the chip in mode 0, which allows me to strap a flash chip on the side and execute my own code, while still having access to everything stored inside. The final product would run the chip in mode 2 or 4 with the factory/modified code on the external chip and an external CPLD providing port emulation for ports 3 and 4 and IS3 (an extension of port 3 used for IGf sensing). Also included in the plans is to strap some extra ram on the side so if someone was REALLY ambitious they would have some breathing room to get real work done.

    the flash chip I'm already using in my test setup is the sst39sf040, wired to provide the cpu with access to 32k of flash memory. programming the flash involves popping the chip out of my test setup and pushing it into my willem programmer, but since it's flash there's no uv light to play with, unlike say a 27c256/87c257 which is what I was using earlier when I got started.

    as for the CPLD I've purchased a dev kit for the atmel AF1502, so I'll be targeting that, good scalability with the pin count and free dev tools. port emulation should be enough of an exercise with that without being too much of a pain in the backside. as a plus the CPLD is 5v compatible.

    I invite you to inspect the datasheet which covers 97% of everything going on inside the chip here:
    https://github.com/sparkiedk/Toyota-...0datasheet.pdf

  12. #52
    Join Date
    Jun 2008
    Location
    Calgary AB
    Posts
    1,322
    Quote Originally Posted by Sparkie View Post
    the flash chip I'm already using in my test setup is the sst39sf040, wired to provide the cpu with access to 32k of flash memory. programming the flash involves popping the chip out of my test setup and pushing it into my willem programmer, but since it's flash there's no uv light to play with, unlike say a 27c256/87c257 which is what I was using earlier when I got started.

    I invite you to inspect the datasheet which covers 97% of everything going on inside the chip here:
    https://github.com/sparkiedk/Toyota-...0datasheet.pdf
    Was the 27c256 12v or something? is the uv light erase only a 5v thing?

    I will and I'll read the whole github project after this term ends.

    Quote Originally Posted by woodenturn View Post
    DK should ban such nonsense. 2 cents~ sr86 www.dorikaze.net/showthread.php?32933-Elizabeth

  13. #53
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    Quote Originally Posted by LastLatvian View Post
    Was the 27c256 12v or something? is the uv light erase only a 5v thing?
    for read operations, the 27c256 eprom is 5V, however to set any bits back to 1 (erased state) it requires substantial UVC exposure (usually in a box with a UVC light normally referred to as an "eprom eraser") then to program any of those bits to a 0, the programming voltage Vpp must be applied, and this programming voltage is usually 12V.

    if this process sounds like a bit of a pain in the behind, you're right. 15 minutes in the eprom eraser waiting to clear the chip so you can change 1 byte of code to make everything awesome is really lame - though once I fixed a dodge injected RX-7 by flipping one bit to 0 (trashing a branch_sometimes instruction to a branch_never) and that didn't require erasing.
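The erase rule from post #53 (UV sets bits to 1, programming can only pull them to 0), as an added example that is not part of the original post: a check for whether a patch can be burned over an already-programmed EPROM such as the 27C256 without a trip through the eraser. The helper name is hypothetical and the sample bytes are constructed from the two rev-limit constants quoted later in this thread (4054 and 3332), stored big-endian after an assumed `cpx` immediate opcode byte.

```python
# Added example: which patched bytes can be programmed in place on an EPROM?
# Programming only clears bits (1 -> 0), so a byte can be overwritten
# without erasing only if the new value sets no bit the old value lacks.

def plan_patch(old: bytes, new: bytes):
    """Return (burn, blocked): offsets that can be programmed directly,
    and offsets that would need a 0 bit set back to 1 (UV erase first)."""
    if len(old) != len(new):
        raise ValueError("images must be the same length")
    burn, blocked = [], []
    for offset, (o, n) in enumerate(zip(old, new)):
        if o == n:
            continue                      # unchanged byte, nothing to do
        if (o & n) == n:
            burn.append(offset)           # only 1 -> 0 transitions
        else:
            blocked.append(offset)        # needs at least one 0 -> 1
    return burn, blocked

# Constructed sample: opcode byte followed by the 16-bit operand.
# 4054 = $0FD6 and 3332 = $0D04; the opcode value $8C is an assumption
# used only to give the operand some surrounding context.
STOCK = bytes([0x8C]) + (4054).to_bytes(2, "big")
PATCHED = bytes([0x8C]) + (3332).to_bytes(2, "big")

if __name__ == "__main__":
    print("stock -> patched:", plan_patch(STOCK, PATCHED))
    print("patched -> stock:", plan_patch(PATCHED, STOCK))
```

With these values the change from 4054 to 3332 only clears bits, so it can be burned in place; going back the other way cannot.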

  14. #54
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    What seems painfully obvious to me now was a complete enigma until two days ago: the persistent references in the code to memory locations $18, $1b and $1d, which are marked as reserved on the official Hitachi datasheet. Of course, we already know Toyota managed to weasel an extra 64 bytes of ram when they got the processor, so additional peripherals can't be out of the question either. Turns out the additional registers address a second input capture/output compare module, which interfaces with pin p1-0 and p1-1. the interrupts associated with these pins work fully and are muxed with the capture hardware already known.

    definitions in the disassembly and schematic have been updated to reflect this change, and as a side note: now we understand how injector #20 is turned on and off.

  15. #55
    Join Date
    May 2006
    Location
    Campbell River
    Posts
    3,156
    Muxed... hahaha. It's a word.
    1JZ 1984 Celica GTS
    1UZ 1981 Corolla sedan
    ? 1972 Celica race car

  16. #56
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    I had never thought about "muxed" in any way other than "multiplexed", you've given me a new perspective on life, and for this I thank you.

    and in other news, that article by Jeremy Ross: Lifting the lid on the MKI MR2 ECU has been found, in a directory on my desktop labeled "crap" which hasn't been looked into since I was in grad school from the look of it. Anyways, the article is in the REPO now, hit the "raw" button if you're interested in a treatment of injection systems that's far more catered towards the final product than the very specific means of getting there - it's helpful, but not enough to make significant differences in our own disassembly.

    https://github.com/sparkiedk/Toyota-...my%20Ross).pdf

  17. #57
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    more happy updates, I found the rev limiter.
    the rev limiter is sort of unique in a way: it allows you to exceed the set rpm for 6 main loop cycles (no idea about the timing here) until cutting fuel... gives the system a little bit of hysteresis I suppose, but not in the conventional way.

    anyways, the computer does this:
    Code:
    loc_F431:				; CODE XREF: sub_F420+Dj
    		ldx	deltaNE		; outcomp
    		cpx	#4054		; exactly 7400rpm, set to 3332 for 9003	RPM
    		bcs	loc_F43A	; increment unk_97, increment unk_98
    		stab	SatCount_97	; set unk_97 to	$79
    more plainly posted: if the difference between similar edges of the NE pulse is less than 4054us, don't reset satcount_97. satcount_97 is subsequently incremented and in the input capture interrupt several variables are or'ed together and the MSB is used to mask the fueling calculations: any msb of three variables (of which satcount_97 is one) causes no fuel to be delivered.

    so anyways, as the comment says, reduce the 4054 to 3332 and boom! 9003 RPM limiter
    Last edited by Sparkie; 12-08-2013 at 01:45 PM. Reason: verbosalyze!

  18. #58
    Join Date
    Jan 2010
    Location
    Calgary AB
    Posts
    452
    No idea what is going on but it's cool and I'm excited!
    ★彡SUPPORT YOUR LOCAL NIGHT TERRORS夜の恐怖
    www.facebook.com/themnightterrors
    http://www.themnightterrors.bigcartel.com/

  19. #59
    Join Date
    Apr 2009
    Location
    Worst Case Ontario
    Posts
    1,691
    Quote Originally Posted by Sparkie View Post
    so anyways, as the comment says, reduce the 4054 to 3332 and boom! 9003 RPM limiter


    Sent from my Banana-phone using Tapatalk 2
    I hate Corollas but I don't think I can do better with anything else

  20. #60
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,468
    I'm glad someone understands my choice of rev limiter.

    also, this discovery implies that overclocking should work to raise the rev limit.
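The limiter logic from post #57 and the overclocking remark in post #60, as an added model that is not the ROM's code or anything from the project's repository. Assumptions: deltaNE counts 1 us timer ticks at the stock clock, the counter is reset to $79 and then incremented on every main-loop pass (saturating at $FF), and the other two variables that are OR'ed into the fuel mask stay clear; function names and the sample input are hypothetical.

```python
# Added model of the rev limiter described above (not the ROM's code).

# The post pairs 4054 us with 7400 rpm, and 4054 * 7400 is about 30e6,
# so rpm = 30e6 / period_us for the NE edge-to-edge period.
TICKS_X_RPM = 30_000_000

def limit_rpm(threshold=4054, clock_scale=1.0):
    """RPM at which deltaNE drops below the compare value.

    clock_scale > 1 models a faster crystal: every timer tick is shorter
    than 1 us, but the compare value in ROM stays the same (assumption).
    """
    return int(TICKS_X_RPM * clock_scale / threshold)

def fuel_trace(delta_ne_per_pass, threshold=4054, reset=0x79):
    """Return one bool per main-loop pass: True while fuel is enabled."""
    sat, trace = reset, []
    for delta_ne in delta_ne_per_pass:
        if delta_ne >= threshold:         # bcs not taken: stab resets counter
            sat = reset
        sat = min(sat + 1, 0xFF)          # increment; saturation is assumed
        trace.append(not (sat & 0x80))    # MSB set masks the fuel calculation
    return trace

# Constructed input: 2 passes under the limit, 8 over it, 2 under again.
SAMPLE = [5000] * 2 + [4000] * 8 + [5000] * 2

if __name__ == "__main__":
    print("stock limit:      ", limit_rpm(4054))
    print("patched limit:    ", limit_rpm(3332))
    print("stock ROM, +25% clock:", limit_rpm(4054, clock_scale=1.25))
    print("fuel per pass:", fuel_trace(SAMPLE))
```

Under these assumptions fuel is masked from the sixth consecutive over-limit pass and returns on the first pass back under the limit.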
