3P's TCCS Disassembly/Analysis
- Thread starter 3p141592654
- Start date
I have some more questions. I have never used visual studio before... So how do I compile an exe of the Descrambler or do I need to? When I run it without debugging it says I have not entered enough arguments, which is true since I didn't enter any!
I assume you are compiling descramble_brute2.cpp. First load the project file descramble_brute2.vcproj, you can just dbl-click on it usually from windows explorer. Then push the build button. It sounds like you have already got this far.
Next open a command console to the folder with the exe file, and type
descramble_brute image image_size software_id
where
image - filename of ROM image
image_size - size of ROM image in hexadecimal
software_id - 16 bit Software ID in hexadecimal
Next open a command console to the folder with the exe file, and type
descramble_brute image image_size software_id
where
image - filename of ROM image
image_size - size of ROM image in hexadecimal
software_id - 16 bit Software ID in hexadecimal
I just set the "solution configurations" box near the top of the Visual studio window to "release" and recompiled. Now i finally have an exe! I probably did something wrong when i opened it up the first time. Also I'm using visual studio 2008 that we had at work. I don't know if that matters?
Should have worked fine if it was in the "debug" configuration too, except the exe will be larger with debug symbols added, and a little less optimized. Hopefully you have it working now.
I attempted to descramble scm4840.bin. It tells me 0 candidates found. I'm not sure I'm using the correct file size. The rom goes to 0x7FFF but the data starts at 0x5000. Am I to input the size of the whole file or only the non zero areas? or do i just look at explorer and convert the windows file size to hex?
Also the sw id is 1383 = 0x0567 do i enter 0x0567 or 0567?
Also the sw id is 1383 = 0x0567 do i enter 0x0567 or 0567?
You need to remove the data before 0x5000, the file should then be 0x3000 (12288 in decimal) bytes long.
If the SW ID is 1383 then that is the number in hex, so just enter is as it is.
You need to run the descrambler with:
descramble_brute scm4840.bin 3000 1383
If the SW ID is 1383 then that is the number in hex, so just enter is as it is.
You need to run the descrambler with:
descramble_brute scm4840.bin 3000 1383
Quick question Jon - the L1/L2/L3 outputs, the 3-bit signal....are they LVTTL or VDDs? I'm assuming they're TTL signals, but i have no way of confirming this. Geoff and I are trying to work out the inputs to the FPGA in the transmission controller project! 
On the GTE ECUs, the Lx outputs are straight out of a Toshiba 6335 demux chip that has no datasheet that anyone can find. It appears functionally to be essentially the same as the TD6336 IC but without the 6336 goofy ground tabs. This is a BiCMOS chip with open drain outputs that can sink 100mA and can handle up to 80V. There are 100 ohm series resistors in each signal line.
I have not checked the actual operating voltage, but it could be either 5 or 12V. The ECU can handle either. Whatever is used would need to have pullup resistors that are at least 1kohm to work with the open drain configuration.
I have not checked the actual operating voltage, but it could be either 5 or 12V. The ECU can handle either. Whatever is used would need to have pullup resistors that are at least 1kohm to work with the open drain configuration.
So the Lx outputs are parallel data derived from a serial input? The AT section of the TSRM, page 29, says Lx outputs are 0 to 12v, but another Toyota PDF i have says the following:
The dilemma is obviously, which one to believe. Would you be able to measure the output levels using that engine simulator you built, so we can find out for definite?
The dilemma is obviously, which one to believe. Would you be able to measure the output levels using that engine simulator you built, so we can find out for definite?
3p and JonS, Have you recieved my PM's? My sent folder shows to be empty. Is something wrong with the PM system?
I don't use the Lx signals on my emulator. The only way to solve this is to stick a voltmeter on the signal line and measure it.
The 6335 chip is a simple way to expand the number of digital i/o ports from the processor. The processor uses 3 ports to drive the 6335 chip, which then expands that to 8. The number of ports on the processor is limited by the total number of pins on the chip, and they needed more for this application. The 6335 chip shows up on lots of ECUs from this vintage, especially the 4 cylinder engines running the smaller 42 pin processor.
The throttle breakpoints relative to maximum are:
6.5%
12%
19%
25%
35.5%
45.5%
57%
I need to calibrate what WOT is, then I can adjust the above values to % WOT.
==========
Okay, on my car WOT reads 61% of full scale, so renormalizing the above for throttle breakpoints relative to WOT are:
11%
20%
31%
42%
58%
75%
94%
The 6335 chip is a simple way to expand the number of digital i/o ports from the processor. The processor uses 3 ports to drive the 6335 chip, which then expands that to 8. The number of ports on the processor is limited by the total number of pins on the chip, and they needed more for this application. The 6335 chip shows up on lots of ECUs from this vintage, especially the 4 cylinder engines running the smaller 42 pin processor.
The throttle breakpoints relative to maximum are:
6.5%
12%
19%
25%
35.5%
45.5%
57%
I need to calibrate what WOT is, then I can adjust the above values to % WOT.
==========
Okay, on my car WOT reads 61% of full scale, so renormalizing the above for throttle breakpoints relative to WOT are:
11%
20%
31%
42%
58%
75%
94%
Last edited:
Have you guys ever heard of or used WinLOS? It has a find map function in the Free Demo version. i'm still playing with it but it seems to work.
http://www.evc.de/en/download/down_winols.asp
Todd
http://www.evc.de/en/download/down_winols.asp
Todd
Yup, and tunerpro as well. If you are looking for just map finders, then these are okay. Won't help you much on understanding what the maps do unless you have other information though.
Okay - one other question for you - the AFM input, Ks - what frequency range is the ECU expecting?
The max frequency is clamped at 3333Hz. The minimum frequency is 10.9Hz. Note that these values exceed what are "normal" values. For example, fuel cut will occur before you reach 3333Hz. There is not a hard frequency for fuel cut because of compensation for altitude and also some calibration corrections to the AFM frequency when computing air flow.
The AFM frequency is heavily averaged, the exact amount of averaging varies depending on whether the operating conditions are likely to result in "stable" air flow or not.
The AFM frequency is heavily averaged, the exact amount of averaging varies depending on whether the operating conditions are likely to result in "stable" air flow or not.
Okay - on an operational basis - is the ECU using a 'lookup table' of the inputted AFM value vs the throttle position to calculate load?
Secondly, have you measured the voltage of the signal input, and is it a DC sine or square wave?
Secondly, have you measured the voltage of the signal input, and is it a DC sine or square wave?
Not really. The load (volumetric efficiency) is calculated from rpm and mass air flow.
Mass air flow is computed form the AFM signal, air temp, and altitude. There are some 1D maps used in this calculation.
The basic calculation goes as follows:
1) compute average pulse length of AFM over 4ms. Roll value into a running average AFM pulse length (KSavg) with a variable length window. Window is longer if the engine conditions are stable (throttle steady, rpm not changing fast), otherwise use a smaller window.
2) In main loop, scale KSavg by altitude factor (call it KSxHAC). Sea level results in a 50% scaling, higher altitudes results in higher scaling (I live at 800ft and see about 54% scaling value typically.
3) Compute a minimum value for KSxHAC if the throttle is snapped shut resulting in a big VE drop. I'm not really clear on what this is doing, but it likely is to fix trailing throttle issues with too much fuel in the intake.
4) Compute VE = ((KV_Corr*2+1)*214Bh) / (KSxHAC * RPM). Note that KV_Corr is a scaling value that corrects for nonlinearities of AFM frequency vs actual air flow. KV_Corr is 50% for mid flow values, and is lower at min and max air flows. KV_Corr is computed from a simple map.
5) A sanity check is performed on load VE. VE cannot exceed specified values in a simple map if rpm < 1750.
6) So, if anyone is still paying attention, you might be wondering what happened to the intake air temp correction! Its actually not used except for some maps such as ignition timing. There, the basic load value above is scaled by a simple map versus intake air temperature (74% at 40C to 182% at -30C). Temperatures outside that range remain at the end point values.
I have not measured the AFM signals external to the ECU. KS is a square waves inside the ECU.
Mass air flow is computed form the AFM signal, air temp, and altitude. There are some 1D maps used in this calculation.
The basic calculation goes as follows:
1) compute average pulse length of AFM over 4ms. Roll value into a running average AFM pulse length (KSavg) with a variable length window. Window is longer if the engine conditions are stable (throttle steady, rpm not changing fast), otherwise use a smaller window.
2) In main loop, scale KSavg by altitude factor (call it KSxHAC). Sea level results in a 50% scaling, higher altitudes results in higher scaling (I live at 800ft and see about 54% scaling value typically.
3) Compute a minimum value for KSxHAC if the throttle is snapped shut resulting in a big VE drop. I'm not really clear on what this is doing, but it likely is to fix trailing throttle issues with too much fuel in the intake.
4) Compute VE = ((KV_Corr*2+1)*214Bh) / (KSxHAC * RPM). Note that KV_Corr is a scaling value that corrects for nonlinearities of AFM frequency vs actual air flow. KV_Corr is 50% for mid flow values, and is lower at min and max air flows. KV_Corr is computed from a simple map.
5) A sanity check is performed on load VE. VE cannot exceed specified values in a simple map if rpm < 1750.
6) So, if anyone is still paying attention, you might be wondering what happened to the intake air temp correction! Its actually not used except for some maps such as ignition timing. There, the basic load value above is scaled by a simple map versus intake air temperature (74% at 40C to 182% at -30C). Temperatures outside that range remain at the end point values.
I have not measured the AFM signals external to the ECU. KS is a square waves inside the ECU.