Jump to content
Registrations ×
Ultimate Subaru Message Board

Announcements

Registrations

EA82 ECU experimenting

DaveT

By DaveT,
in Old Gen.: 80's GL/DL/XT/Loyales...

 Share

Recommended Posts

DaveT Elite Master of the Subaru

DaveT

Posted
Posted

This is a thread to track whatever we discover regarding  ECU internal wiring / code / experimenting.

Dark color coating the external metal box.  From an EA82 4x4 Wagon. 

ECU is labeled:

 

22611 AA100

MECF-001

5Y14

 

The UV erasable EPROM is a Hitachi HN482764G.

8K x 8 28pin Ceramic DIP

 

The CPU is a Hitachi HD6301V1P

1MHz 8 bit 5V CPU I have the data sheet. Includes the Op codes.
Object code compatible with 6801 family.

 

 

Link to comment
Share on other sites
  • Replies 101
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

DaveT
DaveT

Wow! I'll download and check out those programs tomorrow. I don't see any connections on the ECU other than the external harness connectors, no secret ports. I can also read & burn & erase t

DaveT
DaveT

Why do this?  Well, who knows what we may find?  We can adjust and modify pretty much every other part, why not this one?   Part of me always reads "no user serviceable parts inside" as a challenge,

skishop69
skishop69

In regards to the post you made in the other thread, I believe the intent here is to gain access to allow tuning. If that is the case, the things we should be able to change are as follows (and this i

Posted Images

skishop69 Subaru Master

skishop69

Posted
Posted (edited)

Ok, so in regards to my post in the other thread.... Great! You were able to read the ROM! We still need someone who knows or can deconstruct the coding for the processor so we know which parts of that hexadecimal log can be safely altered. Without that coding, we have no way of knowing how to alter the log.

 

PM me so you can send me the BIN and I'll try plugging it into a tuning program to see what happens. Maybe we'll get lucky, but I'm not holding my breath.

Edited by skishop69
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

Been a while since I worked with 6800 opcodes and operands. I have worked with 68HC11 protoboards so if this bears any resemblance it may be possible. I will give it a look.

 

If this is a Motorola 6800 based instruction set the data is in big endian format. Still looking at the manual.

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

So looking at this, I am thinking that the CPU instruction set is based upon the Motorola 6800. If this is true, there should be assembler/editor programs. Hitachi may have licensed this and produced their own chips.

 

Here is my reasoning for thinking this, please sanity check this out:

 

From the HD6301V1P datasheet, go to scanned page 63 (23 in your pdf reader) and look at table 8 where the opcodes are listed.

 

Then open this link for the Motorola instruction set

 

http://www.lucidtechnologies.info/6803_instr.pdf

 

I do a quick comparison of the accumulator A  ADD instruction (ADDA) and it appears to me that they have the same hex designation in all the five addressing modes.  Can someone else independently confirm?

 

Update: Came across this wikispace on the 6800 and it also lists a Hitachi 6301 controller version.  I think Hitachi licensed the 6800 architecture and adapted it for industrial and hardened environments. They also added 6 extra instructions including a sleep (slp).

 

https://chessprogramming.wikispaces.com/6800

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

This is a thread to track whatever we discover regarding  ECU internal wiring / code / experimenting.

Dark color coating the external metal box.  From an EA82 4x4 Wagon. 

ECU is labeled:

 

22611 AA100

MECF-001

5Y14

 

The UV erasable EPROM is a Hitachi HN482764G.

8K x 8 28pin Ceramic DIP

 

The CPU is a Hitachi HD6301V1P

1MHz 8 bit 5V CPU I have the data sheet. Includes the Op codes.

Object code compatible with 6801 family.

 

 

Can you give me some more info on the txt output format of your reader? How many bytes to the right of the colon are the address indicators? Or is it assumed from address 0000? This is a critical detail.

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

This is a thread to track whatever we discover regarding  ECU internal wiring / code / experimenting.

Dark color coating the external metal box.  From an EA82 4x4 Wagon. 

ECU is labeled:

 

22611 AA100

MECF-001

5Y14

 

The UV erasable EPROM is a Hitachi HN482764G.

8K x 8 28pin Ceramic DIP

 

The CPU is a Hitachi HD6301V1P

1MHz 8 bit 5V CPU I have the data sheet. Includes the Op codes.

Object code compatible with 6801 family.

 

 

What is the packaging of the HD6301V1P? Dual inline or square?  Are there any other RAM or ROM chips? We may need to do some tracing on the address bus to the ROM chip to see where in the address space the ROM lives. I suspect it is in the lower 8K as the 6800 starts program execution at address 0000.

 

EDIT: Actually our processor gets it's starting address from the RES vector at the end of the memory map ($FFFE and $FFFF).

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

We should be able to identify subroutines by searching for JSR (jump subroutine $90) opcodes and their endpoints with the RST ($38)opcodes. This would help in delineating code regions from data regions.

 

EDIT: The disassembler claims it can do this for us.

Edited by MR_Loyale
Link to comment
Share on other sites
DaveT Elite Master of the Subaru

DaveT

Posted
  • Author
Posted

Other ICs - Hitachi HD46520P  40pin DIP, right alongside of the processor. 

 

NEC D449C-1  24pin DIP along side of the EPROM.

 

So far, I haven't been able to find any information on these 2.

 

The 6301 history ideas above make sense to me.
 

In the text HEX file, The leading :20 is ignored.  using the first line as reference, the address is the next group of numbers, the 00 [first data byte] is 7F.  Looks like 32 bytes per line.

Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

Looking at some documents from Hitachi regarding the processor, it apparently could be ordered with onboad eprom masked in at time of manufacture.  So some of the actual coding may be onboard the processor chip itself, It would make sense though that any sort of car model specific stuff would be on an external UV erasable chip in case a bug was found, new regulations happened , recall etc. 

 

Are there possibly any ports that may be a diagnostic port (possibly an RS232 used for QC)?

Edited by MR_Loyale
Link to comment
Share on other sites
skishop69 Subaru Master

skishop69

Posted
Posted

So looking at this, I am thinking that the CPU instruction set is based upon the Motorola 6800. If this is true, there should be assembler/editor programs. Hitachi may have licensed this and produced their own chips.

 

Here is my reasoning for thinking this, please sanity check this out:

 

From the HD6301V1P datasheet, go to scanned page 63 (23 in your pdf reader) and look at table 8 where the opcodes are listed.

 

Then open this link for the Motorola instruction set

 

http://www.lucidtechnologies.info/6803_instr.pdf

 

I do a quick comparison of the accumulator A  ADD instruction (ADDA) and it appears to me that they have the same hex designation in all the five addressing modes.  Can someone else independently confirm?

 

Update: Came across this wikispace on the 6800 and it also lists a Hitachi 6301 controller version.  I think Hitachi licensed the 6800 architecture and adapted it for industrial and hardened environments. They also added 6 extra instructions including a sleep (slp).

 

https://chessprogramming.wikispaces.com/6800

Oh my brain hurts. I'm way past rusty. For what it's worth, it does appear the hex designation is the same. That's about as much help as I'm going to be for that portion. lol As for the address space, 000F seems to stick in my brain, but that would be in regards to whatever PROM GM was using back then and I can't check that until Tuesday which is when I'm going to try and plug the BIN into a tuning program just for gits and shiggles.

Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

Other ICs - Hitachi HD46520P  40pin DIP, right alongside of the processor. 

 

NEC D449C-1  24pin DIP along side of the EPROM.

 

So far, I haven't been able to find any information on these 2.

 

The 6301 history ideas above make sense to me.

 

In the text HEX file, The leading :20 is ignored.  using the first line as reference, the address is the next group of numbers, the 00 [first data byte] is 7F.  Looks like 32 bytes per line.

 

 

I think the Hitachi HD46520P  40pin DIP is an A/D converter based upon searches for this I was directed to the spec sheets for the HD46508 which may be a substitute or one in the same family of "Analog Acquisition Units" as they call them:

 

http://kazus.ru/datasheets/pdf-data/3211033/HITACHI/HD46508A-2.html

 

Possibly this is used to digitize sensor inputs such as the TPS and CTS. Some following of the board traces to where they emerge to a connector may give a clue as we can identify the wires coming from both and their connector to the ECU box.

Edited by MR_Loyale
Link to comment
Share on other sites
ANIM_Hooneru Advanced Member

ANIM_Hooneru

Posted
Posted (edited)

Hey fellas,

What an interesting topic! Its way above my understanding level, but i'm going to be following anyway.

 

MR_Loyale, in regards to a RS232 port, I stumbled upon an interesting site the other day when I was doing some Subaru Select Monitor research for my EJ22 swap. The site is here. http://www.alcyone.org.uk/ssm/protocol.html

Also check out the headings "How to build a PC adaptor" and "Eavesdroping"

 

That site covers how to make an RS232 connector to use a PC as a SSM, I would imagine with a bit of creativity and a donor harness you could rig it up to get into an ECU outside of a car, or alternatively find the SSM Plug on the vehicle and use that.

I have a 1986 Leone Turbo Auto (Australian edition of course) that I can whip the ECU out of to check out as well. Would be nice to get an archive of numbers and all that.

Edited by ANIM_Hooneru
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

Found a nice hex editor here:

 

http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip

 

 

I have opened the bin file and I can see areas that are most likely data storage areas for settings of some sort as they have repeating values that would not be opcodes and operands simply due to their repetition.  If we all use the same hex editor with rows arranged in a similar way we can discuss values at addresses using the same point of reference.

 

Here is what it looks like:

 

hexeditbin.jpg

 

It shows an address for the first byte of the row in the first column. Next are 16 columns showing hex values for each byte. Finally an ASCII representation is shown in the right 16 columns. If there are any human readable strings, they will show up in the ASCII area (maybe Subaru or Leone or something).

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted (edited)

Here is another useful tool, a 6800 family disassembler. The disassembler takes as input a binary code/data image
file (typically a ROM image) and generates either an assembler source file or a listing file.

 

Here is a link:

 

http://myweb.tiscali.co.uk/pclare/DASMx/

 

Reading through the instructions, it does claim to do Hitachi 6301. This is a command line tool folks, no fancy GUI for you!  I will see if I can get a listing out of this, It also claims to be able to do code threading (eg identify regions of code rather than data).

Edited by MR_Loyale
Link to comment
Share on other sites
MR_Loyale Subaru Master

MR_Loyale

Posted
Posted

Hey fellas,

What an interesting topic! Its way above my understanding level, but i'm going to be following anyway.

 

MR_Loyale, in regards to a RS232 port, I stumbled upon an interesting site the other day when I was doing some Subaru Select Monitor research for my EJ22 swap. The site is here. http://www.alcyone.org.uk/ssm/protocol.html

Also check out the headings "How to build a PC adaptor" and "Eavesdroping"

 

That site covers how to make an RS232 connector to use a PC as a SSM, I would imagine with a bit of creativity and a donor harness you could rig it up to get into an ECU outside of a car, or alternatively find the SSM Plug on the vehicle and use that.

 

I have a 1986 Leone Turbo Auto (Australian edition of course) that I can whip the ECU out of to check out as well. Would be nice to get an archive of numbers and all that.

 

 

If I ever do EJ stuff, that is the site I will start at. Those ECU's are in a different league compared to these old school ECU's  What was the precursor to Subaru SSM?

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...