EFIDynoTuning

[CausticUrbanCoast]

Just familiar with embedded, not a tuner as I have not learned to recognize those software registers and tables yet.

For what it is worth, and because I am not sure where to put this; and in case anyone is interested what the rest of the first disassembly line from SAD likely is (this is from ICY1):

Code: Select all

0000 0000: FF FA 21 3B 00 00 FF DF  00 FF D9 BE 00 E0 5D 00

As shown and known by SAD:

Code: Select all

2000: ff                  nop                   
2001: fa                  di                     disable ints;
2002: 21,3b               sjmp  213f             goto 213f ;

2004: 00,00,ff,df,00,ff,d9,be ???
200c: 00,e0               ???   

200e: 5d,00               word     5d

Specifically how I read it is:

Code: Select all

/** This part is well known **/
FF (MCU Core Command) FE (Disable Interrupts)      --- This is also a common embedded sequence mcu command notifier
20 (ShortJump - anded with 12bit 2s address) of 13F (location/destination)   2000&013F=213F interesting hybrid 12bit command-address method- External ram address, start of initialization sequence - cpmmon mcu
00 (skip/nop) 00 (skip/nop)


/** Seems to be a pair of macros, likely ISR **/
FF (MCU Command) DF (Jump if Z flag is set from the last operation)
00 (skip/nop)

FF (MCU Command) D9 (Jump if C flag is set and Z flag is clear from the last operation)
ELSE BE (ldbse) [BC command, register 02] (load A/D word - Accessed by byte, loads word)
00 (skip/nop)
E0 (-- and jump if not zero) 5D (Check Register A2 - djnz is 8bit 2s compliment)
00 (skip/nop)

That last bit would be something like:

if status registers show NOT ((C=1) AND (!Z)) from the last operation
{read/load data from A/D registers - Load the new data}
Then
Decriment Register A2 (I am actually guessing this a basic A/D polling timeout for slow sensor aquisition - common practice)


A note on the sjmp command 20-27 [and other hybrid commands]- Without a bank switch or 16 bit need, this saves cycle time by not having to load the address and then jump, so we have 8 hardwired shortcycle-commands. Old Intel/IBM method I had forgotten about.


Initial code is usually pretty important, and I like to know what it is doing. This same sequence also seems to appear at the beginning of most BINs I have looked at.

I do find it interesting that the upper 4 bits are being used for something else called Engineering Console and Calibration Console. Perhaps this has something to do with Ford's proprietary version of the CAN interface?

[decipha]

the engineering / calibration console was fords debug and testing and tuning hardware they used to develop the tunes. It basically held the calibration constants and the pointers were directed to the console to snatch those calibration constants from an external source so it could be modified to dial in the tune. There were only rumored to be 170 or so of them ever created. I know there is one in England. I have no idea what ever happened to the others or if they even survived over the years. Regardless, the QH serves the same purpose in a much more manageable size.

[CausticUrbanCoast]

Interesting. I know that Ford has a tool similar to Nissan's consult which gives access to restricted parts of the ecu and tcu. I wonder if it is the same system you mention.

[decipha]

no that would be akin to the aice chip on the fords which isnt exactly restricted its just inaccessible since its not on the eeprom, thus why ford ecus cannot be bricked cuz unlike GM and the like they flash over hardware and not over software

this is all eec-v and obdii port related earlier ecus such as the eec iv does not have an aice chip or an obdii port