3P's TCCS Disassembly/Analysis

[JonS]

No. MCU says:

D151803-6980
5A41A-2-8195
JAPAN 3B1833

Ah OK, sounds like the actual ROM code in the MCU is a different build ID from the image in the EPROM! Build ID 8195 maybe from a later version of the 1JZ-GE.

The MCU could actually be from a completely different ECU, as long at the MCU architecture is the same (indicated by the 5A41A) then the MCU will work fine running code from the EPROM.

 

[3p141592654]

I don't think he can read code from the MCU. It would be nice to do, as then you can compare the differences between the stock and Techtom code.

 

[bk_]

Here's some photos of a few 1JZ-GTE ECUs I have had:
http://trap.mtview.ca.us/~xk/pics/supramania/

Hmmm... and there is one (JZX90 MT #1) with 7554 as the build.

I also included photos of the chipped IMEC (JZX90 MT #3)

I've also uploaded the descrambled dump to svn tree. I cannot guarantee it is 100% OK since I did not use an EEPROM reader.

 

[bk_]

Friend of mine said the D151803 chip on the chipped JZX90 says:
line 1) 90 mark II
line 2) 1JZ.MT
line 3) NORMAL

But the 3rd line on the EEPROM is unknown. I presume it would be related to the type of tune. I know on a HKS device I had, there was a E605, and the mines one has a E613... so it would be something along those lines.

 

[bk_]

Getting an error with IDA:

Any ideas?

 

[bk_]

I performed a visual binary diff between the 1JZ-GTE JZ??? AT ROM that was posted here earlier by lom51 (post 226, page 23), versus 1JZ-GTE JZX90 MT chipped ROM.

Anyone known the dimension and column/row units of the fuel map table?

What about the ignition table? Is that on the 42-pin MCU?

I do know the ignition offset is different, since on decel inj cut I've managed to get high 40s BTDC ignition compared to high 30s/low 40s on standard ECU.

Here are the major differences:

#1: Fuel map



#2: Interrupt vector table



#3: unknown



#4: unknown



#5: unknown

 

[JonS]

Getting an error with IDA:
Any ideas?

I've just successfully imported the binary into IDA without any errors.
The IDA project file is available from here: http://www.assembla.com/spaces/3SGTE_ECU/documents/bz-tOmaFSr4lEDeJe5cbLA/download/bz-tOmaFSr4lEDeJe5cbLA if you'd like to give that a go.

 

[bk_]

I've just successfully imported the binary into IDA without any errors.
The IDA project file is available from here: http://www.assembla.com/spaces/3SGTE_ECU/documents/bz-tOmaFSr4lEDeJe5cbLA/download/bz-tOmaFSr4lEDeJe5cbLA if you'd like to give that a go.

Getting the same type of error.

 

[JonS]

Anyone known the dimension and column/row units of the fuel map table?

The map table is 18x11 and starts at 0xF957 (0x3957 in the image), no idea what the row/column units are.

seg002:F951                 .dw 0100h
seg002:F953                 .db  11h                ; 18 (0x11 + 1)
seg002:F954                 .dw 0212h
seg002:F956                 .db  0Ah                ; 11 (0x0A + 1)
seg002:F957                 .db 132, 132, 169, 188, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196
seg002:F957                 .db 132, 132, 169, 188, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 197
seg002:F957                 .db 124, 132, 174, 182, 189, 195, 201, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196
seg002:F957                 .db 124, 132, 163, 167, 176, 189, 197, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196, 196
seg002:F957                 .db 113, 122, 154, 157, 169, 182, 191, 188, 190, 190, 192, 179, 179, 188, 188, 188, 188, 188
seg002:F957                 .db 102, 118, 144, 150, 163, 178, 186, 181, 181, 181, 188, 177, 166, 177, 180, 177, 177, 177
seg002:F957                 .db 096, 107, 142, 146, 152, 171, 180, 171, 177, 175, 181, 175, 164, 171, 179, 175, 173, 169
seg002:F957                 .db 092, 101, 129, 142, 144, 165, 174, 160, 169, 160, 175, 171, 160, 169, 175, 171, 152, 156
seg002:F957                 .db 083, 093, 107, 137, 133, 159, 167, 152, 160, 156, 164, 156, 156, 166, 166, 162, 143, 143
seg002:F957                 .db 079, 081, 092, 122, 115, 128, 152, 143, 149, 154, 152, 137, 145, 154, 164, 156, 139, 141
seg002:F957                 .db 070, 073, 079, 102, 098, 111, 137, 124, 132, 147, 122, 120, 132, 147, 162, 139, 134, 134

---------- Post added at 12:44 PM ---------- Previous post was at 12:30 PM ----------

Getting the same type of error.

Which OS are you using? I've had no problems with XP on a couple of machines.

Do any of the other IDA projects on the 3S_ECU or 7M TCCS assembla workspaces generate the same error?

 

[bk_]

Which OS are you using? I've had no problems with XP on a couple of machines.

Do any of the other IDA projects on the 3S_ECU or 7M TCCS assembla workspaces generate the same error?

Tried it on two machines, one Win XP Pro SP2, the other Win XP Home. Both same error. Tried on other project files, same thing.

What version of IDA are you using?

md5sum of the files:

$ md5sum d8x.cfg d8x.w32
e082f56bf0cefec39ce367f1c9964c7b  d8x.cfg
37d0da9b6cf09f7676ac509306d8bc43  d8x.w32
$ ls -la 
-rw-r--r-- 1 user 1002   5739 Jan 19  2010 d8x.cfg
-rw-r--r-- 1 user 1002   6022 Jan 19  2010 d8x.cfg.5a72
-rw-r--r-- 1 user 1002   5739 Jan 19  2010 d8x.cfg.7433
-rw-r--r-- 1 user 1002 266332 May  2  2010 d8x.w32
-rw-r--r-- 1 user 1002      0 Apr 25  2010 v40

 

[JonS]

Tried it on two machines, one Win XP Pro SP2, the other Win XP Home. Both same error. Tried on other project files, same thing.
What version of IDA are you using?

IDA Freeware Version 4.9

$ md5sum ida*.*
284615d4ec0f73b550c5cb3cf283f1da *ida.hlp
d5ea24a661e5c828ae27fa647c806fef *ida.int
a0f932975cce726494ca4ca4dda745a0 *ida.wll
b9e783bde7163a5e74a7805e1b101023 *idafreeware.pdf
64f080c1d37fedb69e36c2b28b575936 *idag.exe
d4b6e7c9522a80003a11195452b36763 *idahelp.chm
$ ls -l ida*.*
-rwx------+ 1 user users 554535 Mar 19  2007 ida.hlp
-rwx------+ 1 user users 712704 Mar 19  2007 ida.int
-rwx------+ 1 user users 1033728 Nov  1  2007 ida.wll
-rwx------+ 1 user users 159082 Oct 31  2007 idafreeware.pdf
-rwx------+ 1 user users 2292736 Oct 31  2007 idag.exe
-rwx------+ 1 user users 409484 Feb 19  2007 idahelp.chm

I was actually using a older version of the d8x plug-in and config, but I've just upgraded to the latest versions without introducing any problems.

 

[bk_]

OK. works now, using 4.9, and not opening the idb file directly.

 

[3p141592654]

Yes, it only works on the freeware version. The plugin is linked to ida.lib, which is version dependent.

 

[3p141592654]

The data just before the interrupt table appears to be Kanji unicode. No one has been able to figure out what it means though. Techtom adds it to all their ROMs. Check out post #218 for more details.

I performed a visual binary diff between the 1JZ-GTE JZ??? AT ROM that was posted here earlier by lom51 (post 226, page 23), versus 1JZ-GTE JZX90 MT chipped ROM.


#2: Interrupt vector table

 

[3p141592654]

Interesting collection of ECUs. The JZZ30 looks to be a newer two chip ECU, while the others are the older single chip style.

Here's some photos of a few 1JZ-GTE ECUs I have had:
http://trap.mtview.ca.us/~xk/pics/supramania/...

 

[JonS]

Interesting collection of ECUs. The JZZ30 looks to be a newer two chip ECU, while the others are the older single chip style.

The 7433 marking on the Denso MCUs in the JZZ30 ECU would seem to indicate that they're the early version of the MCU that only have 12KB of ROM and run at 12MHz.

Maybe one of the MCUs is the A/T controller?

 

[3p141592654]

Good point Jon, the 7433 would not have the interchip communication. That processor would seem overkill for the A/T though? Also note the SDIP42 package for what looks to be the knock sensor MCU.

 

[bk_]

The data just before the interrupt table appears to be Kanji unicode. No one has been able to figure out what it means though. Techtom adds it to all their ROMs. Check out post #218 for more details.

And here's our answer:

How did I decode it? dumped the binary to a file, fired up notepad++, set encoding to japanese -> Shift-JIS.

 

[3p141592654]

Fantastic, finally an answer! Although I'm not sure I really know what "Reading by Techtom" is supposed to mean. Never heard of shift-JIS before either, I guess I lead a sheltered life.

 

[bk_]

The table I did discover is in fact the IGNITION table, not the INJECTION table.

I'm not sure how to interpret the numbers. Jeremy Ross's calculation (if you reverse engineer his excel spreadsheet at http://www.jmrhzu.btinternet.co.uk/mk1_ECU/MK1A_IGN.xls ) is based on IGN = VAL*4/17... which doesn't seem right, especially on a microcontroller from 20 years ago.

If I compare the converted (divided by 4) ROM values to default and modified 1JZ-GTE maps on the Apexi PowerFC, the ROM values seem to be quite advance, even the stock ones. So I am not really sure about this.

Anyway... Here are the graphs.

JZZ30 1JZ-GTE AT: OE

JZX90 1JZ-GTE MT: chipped