RhinoPower Ltd

Post Info TOPIC: 76C55 (MH6311) information
Bob


Veteran Member

 


Jane wrote:
Bob wrote:
Have to say I’m impressed with your work, what’s the goal of your project? Have you a project car that you want to add features to?

Thank you. I have a 92 Eclipse, I'm interested in pulling a masked ROM off of an MH6111, and making a couple of small changes too. That got me started on them, but at this point I'm mostly just interested in how these microprocessors work and building up the knowledge base on them. Project goal: figure stuff out, share knowledge.


Ah cool, you must be in the USA if you are lucky enough to have an Eclipse, we never got them here.

I’m waiting on a couple of China MH6111 chips so that I can have a go at decapping them just for a look, I think Techsupport is interested in having a look at them too.



__________________


Newbie

 

Bob wrote:
Have to say I’m impressed with your work, what’s the goal of your project? Have you a project car that you want to add features to?

Thank you. I have a 92 Eclipse, I'm interested in pulling a masked ROM off of an MH6111, and making a couple of small changes too. That got me started on them, but at this point I'm mostly just interested in how these microprocessors work and building up the knowledge base on them. Project goal: figure stuff out, share knowledge.



__________________
Bob


Veteran Member

 

Jane wrote:
Bob wrote:

Yes, I wrote that disassembler. I have a branch for the MH6311 that I am currently trying to run different binaries through to find undocumented instructions. Most recently I've been looking at the 95 Eclipse EPROM ECU MD312464 ROM which is MH6311 (PLCC) based, and a handful of new instructions showed up in it right away. It would be great hardware to learn about interfacing with the EPROM, if it weren't so pricy and hard to find. I do however have a 95 Eclipse EPROM TCU MD760927 which has the MH6311F (TQFP) on hand to learn from. For what I am doing right now, ECU or TCU doesn't make much of a difference, besides the actual ROM layout. I'm just looking for instructions, and luckily having a disassembler makes building symbol files for unknown layouts fast and easy.


Have to say I’m impressed with your work, what’s the goal of your project? Have you a project car that you want to add features to?



__________________


Newbie

 

Bob wrote:
Hi Jane,

Is that your disassembly on GitHub that Techsupport posted a link to?


Yes, I wrote that disassembler. I have a branch for the MH6311 that I am currently trying to run different binaries through to find undocumented instructions. Most recently I've been looking at the 95 Eclipse EPROM ECU MD312464 ROM which is MH6311 (PLCC) based, and a handful of new instructions showed up in it right away. It would be great hardware to learn about interfacing with the EPROM, if it weren't so pricy and hard to find. I do however have a 95 Eclipse EPROM TCU MD760927 which has the MH6311F (TQFP) on hand to learn from. For what I am doing right now, ECU or TCU doesn't make much of a difference, besides the actual ROM layout. I'm just looking for instructions, and luckily having a disassembler makes building symbol files for unknown layouts fast and easy.



__________________
Bob


Veteran Member

 

Bob wrote:
steve wrote:
Jane wrote:

I found a binary for an MH6311 (1996 Hyundai Accent ECU https://tech.mirage-performance.com/ECU/MB14B.html) just to put through the disassembler for fun.


 

FYI, Based on the size of the connector and the resistors on the side that's a TCU not an ECU.


 


I’d say that you are correct that it’s a TCU, as Techsupport has pulled an EPROM from a Mitsubishi FTO TCU and the board looks very similar and had the MH6311 main processor.

 



-- Edited by Bob on Monday 28th of June 2021 06:26:17 PM

__________________
Bob


Veteran Member

 

Jane wrote:

I found a binary for an MH6311 (1996 Hyundai Accent ECU https://tech.mirage-performance.com/ECU/MB14B.html) just to put through the disassembler for fun. For one thing, the binary is 64k so it takes up the whole address space, with padding at the beginning like MH6111 images (~20480 bytes of 0xFF). However unlike MH6111 ROM images which start at 0xD000 it starts at 0x0000. Second thing, it has a big vector table, 42 long. I'm used to MH6111 vector tables that are only 16 long. Otherwise, everything seems to decode no problem, doesn't seem to have any extra op codes (in this image at least).


 Hi Jane,

Is that your disassembly on GitHub that Techsupport posted a link to?



-- Edited by Bob on Monday 28th of June 2021 06:24:56 PM

__________________


Newbie

 

steve wrote:
Jane wrote:

I found a binary for an MH6311 (1996 Hyundai Accent ECU https://tech.mirage-performance.com/ECU/MB14B.html) just to put through the disassembler for fun.


 

FYI, Based on the size of the connector and the resistors on the side that's a TCU not an ECU.


 I thought that might be the case, thanks for pointing it out. I guess I'm ahead on my TCU research then.



__________________


Newbie

 

Jane wrote:

I found a binary for an MH6311 (1996 Hyundai Accent ECU https://tech.mirage-performance.com/ECU/MB14B.html) just to put through the disassembler for fun.


 

FYI, Based on the size of the connector and the resistors on the side that's a TCU not an ECU.



__________________


Newbie

 

I found a binary for an MH6311 (1996 Hyundai Accent ECU https://tech.mirage-performance.com/ECU/MB14B.html) just to put through the disassembler for fun. For one thing, the binary is 64k so it takes up the whole address space, with padding at the beginning like MH6111 images (~20480 bytes of 0xFF). However unlike MH6111 ROM images which start at 0xD000 it starts at 0x0000. Second thing, it has a big vector table, 42 long. I'm used to MH6111 vector tables that are only 16 long. Otherwise, everything seems to decode no problem, doesn't seem to have any extra op codes (in this image at least).



__________________
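
Added example, not part of the thread and not Jane's disassembler: a Python check of the image layout features described in the post above (load address from image size, leading 0xFF padding, vector table length). It assumes the dump's last byte maps to 0xFFFF and that vectors are big-endian words ending at 0xFFFE with reset last, as on 6801-family parts; the function names and both sample images are constructed for illustration.

```python
import struct

ADDRESS_SPACE = 0x10000  # 16-bit address bus: 64 KiB, as discussed in the thread


def load_base(image: bytes) -> int:
    """Address of the first byte, assuming the last byte maps to 0xFFFF."""
    if not 2 <= len(image) <= ADDRESS_SPACE:
        raise ValueError("image must be between 2 and 65536 bytes")
    return ADDRESS_SPACE - len(image)


def leading_padding(image: bytes, fill: int = 0xFF) -> int:
    """Number of fill bytes before the first byte of real content."""
    return len(image) - len(image.lstrip(bytes([fill])))


def guess_vector_count(image: bytes, max_entries: int = 64) -> int:
    """Walk down from 0xFFFE while each word looks like a code pointer.

    Heuristic (an assumption of this example): a plausible vector points
    past the padding and below its own table slot. Ordinary code bytes can
    pass by chance, so the result is a starting point for a symbol file,
    not proof of the table length.
    """
    base = load_base(image)
    code_start = base + leading_padding(image)
    count = 0
    while count < max_entries and 2 * (count + 1) <= len(image):
        slot = ADDRESS_SPACE - 2 * (count + 1)
        (target,) = struct.unpack_from(">H", image, slot - base)
        if not code_start <= target < slot:
            break
        count += 1
    return count


def read_vectors(image: bytes, count: int):
    """Return [(slot_address, target_address)] for the last `count` words."""
    if count == 0:
        return []
    base = load_base(image)
    first = ADDRESS_SPACE - 2 * count
    targets = struct.unpack_from(f">{count}H", image, first - base)
    return [(first + 2 * i, t) for i, t in enumerate(targets)]


def describe(image: bytes) -> dict:
    """Summarise the layout facts a disassembler needs before decoding."""
    count = guess_vector_count(image)
    vectors = read_vectors(image, count)
    return {
        "base": load_base(image),
        "padding": leading_padding(image),
        "vector_count": count,
        "reset": vectors[-1][1] if vectors else None,  # assumed at 0xFFFE
        "vectors": vectors,
    }


def build_sample(size: int, padding: int, vectors: int) -> bytes:
    """Constructed test image: 0xFF padding, 0x01 filler, then a vector table."""
    code_start = ADDRESS_SPACE - size + padding
    table = b"".join(struct.pack(">H", code_start + 0x10 * i)
                     for i in range(vectors))
    filler = bytes([0x01]) * (size - padding - len(table))
    return b"\xff" * padding + filler + table


if __name__ == "__main__":
    samples = (
        ("64k image, 42 vectors", build_sample(0x10000, 20480, 42)),
        ("12k image, 16 vectors", build_sample(0x3000, 0x100, 16)),
    )
    for name, img in samples:
        d = describe(img)
        print(f"{name}: base=0x{d['base']:04X} padding={d['padding']} "
              f"vectors={d['vector_count']} reset=0x{d['reset']:04X}")
```
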
Bob


Veteran Member

 

Wow, that is an in-depth understanding of how the binary is functioning, the disassembler should come in handy if the EEPROM can be pulled from the Evo chip.

The way the tables are set out and their functions are remarkably similar to the newer ECUs, Mitsubishi did not stray too far from the mould.



__________________


Guru

 

We aren't the only ones playing with these old chips, I was contacted by someone else who has written a disassembler:

janehacker1.gitbook.io/dsm-ecu/disassembly-from-scratch/things-you-need


__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

 

TechSupport wrote:

EF89 is the firmware version, that will be burnt in as Masked ROM, possibly a bootloader. Did this chip also have a different firmware version on it? I assume that this is a 76e56?


Yes it’s the 76e56.

Where is the firmware version printed?

That die is from an evo 4 or early evo 5 ecu.

The EF89 is interesting, can it be used to calculate anything or is it only for reference?



__________________


Guru

 

EF89 is the firmware version, that will be burnt in as Masked ROM, possibly a bootloader. Did this chip also have a different firmware version on it? I assume that this is a 76e56?



__________________


Bob


Veteran Member

 

TechSupport wrote:

That is cool, I'll have a proper look at that when I get the chance. It confirms what I've said for a long time and that is that these are Toshiba chips, the 1993 date is interesting, it means that they had EEPROM devices for quite a long time.


 Yeah it’s cool to get it confirmed, I might be able to get some high res pics if needed.

What do you think the “EF89” represents?



__________________


Guru

 

That is cool, I'll have a proper look at that when I get the chance. It confirms what I've said for a long time and that is that these are Toshiba chips, the 1993 date is interesting, it means that they had EEPROM devices for quite a long time.

__________________


Bob


Veteran Member

 

Pictures are not great because I can’t download anything from the work computers so I took a picture of the screen, but I believe it’s confirmed to be “EF89 M 1993 Toshiba”.

Edit: the “M” could be an “H”.



-- Edited by Bob on Thursday 20th of May 2021 07:45:38 PM

Attachments
__________________
Bob


Veteran Member

 

76e56f

Small pictures of the die and the ECU part number, I should have access to a good microscope over the weekend to get a close-up.



Attachments
__________________
Bob


Veteran Member

 

TechSupport wrote:

I haven't tried it again. I have cleared all my outstanding projects but I'm working away at present, I should be back in a week or two but I don't have a project timescale for the rest of that work. I am minded to have another look at this when I get back.


Oh projects, tell me about it, I’m up to my eyeballs in trying to figure out TunerPro XDFs and checksums, coming from learning on flashable ECUs has spoiled me.....

There is absolutely no panic on this, the only reason I ask is that I never knew it was possible to read information off the internal bus of a chip like you have done, especially a chip that no one has ever been able to crack.

Cheers BOB.



__________________


Guru

 

I haven't tried it again. I have cleared all my outstanding projects but I'm working away at present, I should be back in a week or two but I don't have a project timescale for the rest of that work. I am minded to have another look at this when I get back.



__________________


Bob


Veteran Member

 

Hi James, I hope you are well.

I was going through my collection of ecus the other day and came across the evo 4 ecu and wondered if you got around to trying your second booster adapter on this ecu as you had got so far with all the ports.



__________________


Guru

 

Bob wrote:

Hi James 

just wondering if you ever got around to having a last try at this?

 

Thanks

BOB


 Not yet but I will at some point.



__________________


Bob


Veteran Member

 

Hi James 

just wondering if you ever got around to having a last try at this?

 

Thanks

BOB



__________________


Guru

 

Bob wrote:
TechSupport wrote:
TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.


That’s both good and bad news.

How do you go about solving that one? 


The adapter that's giving the issues is the one pictured above, I have another adapter which just has pins that you have to plug on individual wires from the logic analyser, that one is well proven but fiddly to set up. I shall get some proper adapter boards made, I did a design some time back.



__________________


Bob


Veteran Member

 

TechSupport wrote:
TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.


That’s both good and bad news.

How do you go about solving that one? 



__________________


Guru

 

TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.



__________________




Guru

 

I don't know anything about the JECs parts, I've never dealt with one. That other chip looks like it says NFC, that may have been a fab house, the D number could be a Denso part number.

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
I can see the internal memory contents on the bus when I execute a reset from my external memory so if all else fails that is a vulnerability that I can exploit to read out the internal memory.

 

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.



-- Edited by TechSupport on Wednesday 3rd of June 2020 06:36:25 PM

__________________


Bob


Veteran Member

 

Main IC: A12-212-602, labeled as JECS but I believe it to be Mitsubishi or NEC.

Second IO chip (smaller chip): A12-281001, labeled as JECS, but a quick Google brought up someone who had decapped one and found it labeled NEC D29501.



Attachments
__________________


Guru

 

Bob wrote:

 

Off topic a bit,
I have been having a play with a Micra K11 board and have come to the conclusion that the chip may be OTP as well, however there are external headers which I believe Nistune do a board for.
How do the odd and even boards work? Are there 2 separate buses, one for odd and the other for even addressing?
 

I'm not familiar with the Nistune boards, from what I understood they just place the processor into an external memory mode. In some applications people have used two chips to get enough memory, they are usually split high memory and low memory by using the MSBs as the chip selects but it could be done as odd/even by using the LSB as the chip selects. What processor is it?



__________________


Bob


Veteran Member

 

 

If it were easy every man and his dog would be doing it 😂.
Great news that you’re still at it.
Off topic a bit,
I have been having a play with a Micra K11 board and have come to the conclusion that the chip may be OTP as well, however there are external headers which I believe Nistune do a board for.
How do the odd and even boards work? Are there 2 separate buses, one for odd and the other for even addressing?

TechSupport wrote:

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

 

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.



-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM



 



__________________


Guru

 

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

 

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.



-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM

__________________




Guru

 

I gave Mode 0 a try a few weeks ago and had no success, I'm looking at it again now and I made a mistake with the configuration. I do now seem to have it running in Mode 0 but it's not running correctly.
If there is already code in the area that I'm trying to run code in then it will all be corrupted.



-- Edited by TechSupport on Tuesday 2nd of June 2020 05:33:22 PM

__________________


Bob


Veteran Member

 

TechSupport wrote:
Bob wrote:

 


Does that mean that pin 79 is not capable of being used to put the chip into boot mode?

Is there anything I can be testing?


 

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.


Looking forward to the result regardless of the outcome as it will either put this ecu to bed or open up another one to play with. 



__________________


Guru

 

Bob wrote:

 


Does that mean that pin 79 is not capable of being used to put the chip into boot mode?

Is there anything I can be testing?


 

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.



__________________


Bob


Veteran Member

 

TechSupport wrote:

Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin 68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.


Does that mean that pin 79 is not capable of being used to put the chip into boot mode?

Is there anything I can be testing?



__________________


Guru

 

Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin 68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.

__________________


Bob


Veteran Member

 

TechSupport wrote:
Bob wrote:

 


I thought the cam and crank go through the E310A chip to be conditioned first? Or am I thinking of the H8 ECUs?

Did you see them two 74HC165A? They are used in Mitsubishi’s K-line communication on 56 and 62, they might be of interest.

I can send commands through the K-line to switch on and off various things like injectors/fuel pumps/EGR and purge etc., the program is called EvoScan.


The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, from memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.

I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. It's an old trick that seems to have made a bit of a comeback on some modern processors.

Is the Mitsubishi protocol described anywhere? If you know that then that makes reverse engineering the software much easier.


A lot of good info here as I’m currently working on the cam and crank on the H8 and am confused at finding the crank signal inverted on 2 pins.

 



__________________


Guru

 

Something else to play with.

 

I've added the E310A pinout to this thread:

https://rhinopower.activeboard.com/t43171026/analysing-and-testing-the-8v-tracker-sidekick-and-vitara-ecu/

I have a scrap board that I will hack about to see if I can pair up the remaining five sets of pins.



__________________


Bob


Veteran Member

 

As you follow pin 79 take a look at my board for reference and you can see all the components are fitted.



Attachments
__________________
Bob


Veteran Member

 

It’s definitely pin 56 which goes to OBD2 pin 1.

K-line is pin 62 and goes to OBD2 pin 7.

I’ll attach a picture below.

You will see pin 79 mentioned in the ECU pinout and that is used for putting the ECU into programming mode in Evo 5/6/7.

If you follow the pin 79 circuit you will see it is missing all the components going back to both the MH63 and the E310A on the Evo 4 ECU, however if you take a close look at my Ralliart tuned ECU you will see all of the components are fitted to my board.



Attachments
__________________
Bob


Veteran Member

 

MUT commands.

https://evoecu.logic.net/index.php?title=MUT_Commands&diff=839&oldid=838



__________________
Bob


Veteran Member

 

MUT protocol

https://evoecu.logic.net/wiki/MUT_Protocol



__________________


Guru

 

Bob wrote:

 


I thought the cam and crank go through the E310A chip to be conditioned first? Or am I thinking of the H8 ECUs?

Did you see them two 74HC165A? They are used in Mitsubishi’s K-line communication on 56 and 62, they might be of interest.

I can send commands through the K-line to switch on and off various things like injectors/fuel pumps/EGR and purge etc., the program is called EvoScan.


The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, from memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.

I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. It's an old trick that seems to have made a bit of a comeback on some modern processors.

Is the Mitsubishi protocol described anywhere? If you know that then that makes reverse engineering the software much easier.



__________________


Bob


Veteran Member

 

TechSupport wrote:

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but it's not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.


I thought the cam and crank go through the E310A chip to be conditioned first? Or am I thinking of the H8 ECUs?

Did you see them two 74HC165A? They are used in Mitsubishi’s K-line communication on 56 and 62, they might be of interest.

I can send commands through the K-line to switch on and off various things like injectors/fuel pumps/EGR and purge etc., the program is called EvoScan.



__________________


Guru

 

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but it's not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.



__________________




Guru

 

You would need to write to a page select bit/register to switch between pages, there is no such operation in any of the source code that I've looked at. It can be achieved manually with external memory and external address select lines but there is no need because all the code fits within the 64k 16-bit address range - on the pre-OBD2 ECUs it fits well within an 8K space.



__________________


Bob


Veteran Member

 

Looking at the code, how would you know if it was paged or not? Is there a giveaway or a telltale?



__________________


Guru

 

Bob wrote:

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 


The memory isn't paged, it's a straight 64k linear address space; it could be an error in the disassembly or an external interface.
I'm trying to build up a reasonable understanding of how the chip works to create a basic datasheet for reference. When I get the other ECU the plan is to pull the processor from it and swap it onto this board and see what can be done with it. Hopefully, if it can be read, the memory map will be similar. Before that I will attempt to pull the internal code from this chip.



__________________


Bob


Veteran Member

 

Also I’d like to ask what is the next step once you have identified as much as possible, like are you looking for something in particular at the moment or going for a complete map?



__________________
Bob


Veteran Member

 

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 



__________________


Guru

 

I did some more hunting through the code - found a timer module, nowhere near the normal registers, my first thought was that it was external but it clearly maps to the interrupt vectors. This is my summary of the registers, looks like one 16-bit timer with at least eight output compares and at least five input captures:

; Timer module - internal or external ?????
; suspect external in 100-pin port expander
;
L080F  ; OC? - add a number and store
L0810  ; init then all in intvec9 OC? - add a number store here
L0811  ; init then all in intvec8 - fetched and stored, also load 113 add 323 store here
L0812  ; init then all in intvec10
L0813  ; init then load, add store here, also intvec6
L0814  ; init then load, add store here, also intvec5
L0815  ; init then intvec4, load 815 add 1FE0, store 815
L0816  ; init then load, add and store , controls PORT3 bits, also intvec3
L081F  ; written twice to 00h
L0820  ; written twice to E0h
L0821  ; 16-bit write twice to 00h
L0823  ; 16-bit write twice to 00h
L0825  ; 16-bit write twice to 00h
L0827  ; 16-bit write twice to 00h
L082D  ; 16-bit timer
L082E  ; read once in init and overwritten
L082F  ; read once in init and overwritten 
L0830  ; read once in init and overwritten
L0831  ; read once in init and overwritten 
L0833  ; 16-bit read in intvec15 and stored L000A bit0 selects interrupt??
L0834  ; 16-bit read in intvec16 and stored, L000A bit1 selects interrupt??
L0835  ; 16-bit read in intvec13 and stored, L000A bit2 selects interrupt??
L0837  ; 16-bit read in intvec12 and stored, L000A bit3 is toggled = edge??
L0839  ; 16-bit read in intvec11 and stored, L000A bit4 is toggled = edge??
L083A  ; read once in init
;

 

Edit:

L082D confirmed as a free-running 16-bit timer.

I've started to compile a register map available here: http://www.rhinopower.org/76xxx/docs/76C55_Register_Map.txt

 



-- Edited by TechSupport on Tuesday 21st of April 2020 08:36:52 PM

__________________
