RhinoPower Ltd

Bob wrote:

---

 Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?

---

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.

Something else to play with.

I've added the E310A pinout to this thread:

https://rhinopower.activeboard.com/t43171026/analysing-and-testing-the-8v-tracker-sidekick-and-vitara-ecu/

I have a scrap board that I will hack about to see if I can pair up the remaining five sets of pins.

It’s definitely pins 56 which goes to obd2 pin 1

k line is pin 62 and goes to obd2 pin 7.

ill attach a picture below.

you will see pin 79 mentioned in the ecu pin out and that is used for putting the ecu into programming mode in evo 5/6/7 .

if you follow pin 79 circuit you will see it is missing all the components going back to both the mh63 and the e310a on the evo 4 ecu however if you take a close look at my Ralliart tuned ecu you will see all of the components are fitted to my board.

Mut protocol 

https://evoecu.logic.net/wiki/MUT_Protocol

TechSupport wrote:

---

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.

---

 i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan 

You would need to write to a page select bit/register to switch between pages, there is no such operation in any of the source code that I've looked at. It can be achieved manually with external memory and external address select lines but there is no need because all the code fits within the 64k 16-bit address range - on the pre-OBD2 ECUs it fits well within an 8K space.

Bob wrote:

---

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 

---

The memory isn't paged, its a straight 64k linear address space; it could be an error in the disassembly or an external interface.
I'm trying to build up a reasonable understanding of how the chip works to create a basic datasheet for reference. When I get the other ECU the plan is to pull the processor from it and swap it onto this board and see what can be done with it. Hopefully, if it can be read, the memopry map will be similar. Before that I will attempt to pull the internal code from this chip.

A lot of time gone into that I can see.

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

Bob wrote:

---

 

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?

Also how come you use eprom and not eeprom chips ?

---

 Back in the old days we had to write assembly code and debug with a logic analyser, I did a fair bit. I quite enjoy playing with these old chips, they are so simple. An Aurix, which is typically used in a modern ECU has around 1000 registers just for the timer module! At least with the LA you can do real time code tracing and code mods so its still superior to an Arduino!

The original boards were EPROMs, I did use the old 27SF EEPROMS a few years back but you can only get poor quality counterfeits these days from places like AliExpress, sometimes they work but for how long is anyone's guess. I have in the past modified a board to take a 28HC256 EEPROM but they are expensive now. Its cheap to use the emulator and then just burn a 27C EPROM when you're done.

The MH6311 is a bit of a surprise, I didn't find any timers, there must be some but they can't be free-running timers like in the other chips. Looking at the code there may be another port, it would have to be on the port expander, its got 100-pins so there is plenty of space.

In order to view the code execution you have to have the processor running in external mode, the TCU that I am using has an EPROM stock. I am using an Intronix Logicport LA, you need 24 channels for address and data plus a few spares for logging pin changes or serial port data. Its been very reliably, I used it an awful lot for 10 years or so.
I made a crude adapter from veroboard as a temporary solution (also about 10 years ago!) - individual probes are too time consuming to set up.

I also have a Moates Ostrich 2 emulator again, which I have used lot for 27C256 emulation, it should work with the 512 so I need to get that running so I can do real time code changes which will speed things up considerably.

The DSM TCU:

A screen capture of the Logicport software and the test software listing:

I would not expect you to be out of pocket mate. 
I have an evo 4 one here that I don’t care about that I’ll send you if that’s the road you want to go down, or if you have already bought the evo 5 ecu then just sent me your PayPal or the like and I’ll reimburse you in full.

Things to be aware of is that only very early evo 5 had the metal case ecu it then changed to the plastic case ecu which was the h8 based processor.

That link to the colt ecu looks identical to an evo4/early evo5 ecu, as they were all maf based cars.

Thanks for your work so far it is greatly appreciated.

TechSupport wrote:

I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one: 

https://forum.carlabimmo.com/viewtopic.php?t=14895

I've been looking at how the registers are initialised and used, some are already known and tested, there are some differences between this device and the other devices. I don't have a code tag so I'll put it in a quote:

;;------------------- Registers -------------------------------------
; In all other devices user RAM starts at 40h
; thise looks the same - 40 is not directly initialised;
P1DDR equ 0x00
P2DDR equ 0x01
PORT1 equ 0x02
PORT2 equ 0x03
P3DDR equ 0x04
P4DDR equ 0x05
PORT3 equ 0x06
PORT4 equ 0x07
;
; 8 to E are TMR1 in all other devices
L0008 equ 0x08  ; T1CSR1
L0009 equ 0x09  ; TMR1H
L000A equ 0x0A  ; TMR1L
L000B equ 0x0B  ; T1OCR1H
L000C equ 0x0C  ; OCR1L
L000D equ 0x0D  ; ICR1H
L000E equ 0x0E  ; ICR1L
;
; F is P3 CSR in all other devices
L000F equ 0x0F
;
SCIRMC equ 0x10
SCSR equ 0x11
RXD  equ 0x12
TXD  equ 0x13
; 14 is RAMCR in all other disassembled
;
L0014
;
P5DDR equ 0x15
PORT5 equ 0x16
;
; MH6211 18 to 1E is timer1/2
L0017    ; initialised to 0x0E
L0018    ; initialised to 0x0E
L0019    ; 8-bit, initialised to 0x0E
L001A    ; 8-bit, initialised to 0x0E
;
; 1F,20,21 are connected - from line C2D0,
; in MH6211 1F and 20 are PORT6 and
; 20,21 are unused in EE88 code
;
L001F    ; 8-bit, initialised to 0x00 or 0x01 - bitfield
L0020    ; only bit5 is read
L0021    ; 8-bit write, 8/16-bit read
;
L0023    ; timer for SCI?
L0024    ; 8-bit, written to 3F in SCI code
;
; 26,27 are both read at start of interrupt vector 2
L0026    ; 8-bit, r/w could be RTI CR
L0027
;    ; 8-bit, r/w could be RTI
; 29,30 is TMR2 in MH6211
L0028    ; init as double #$2800
L0029    ; 8-bit written twice to 00h
L002A    ; 8-bit written twice to 00h (not in same place as L0029)
L002B    ; 8-bit written 00 or 1F
L002C    ; 8-bit written to 00 or FF
;
; possible DDR init P6DDR, P7DDR?
L002D    ; 16-bit written once in DDR routine as #$C123
; possible port init PORT6, PORT7?
L002F    ; init as double in Port routine - 8-bit bitfield
L0030    ; 8-bit bitfield
;
L0031    ; 8-bit bitfield init as 01
L0032    ; init as 00, no further r/w
L0033    ; init as 11, no further r/w
L0034    ; written as 16-bit 8001 or 0001, written as 8-bit from maths
;
ADCCR1 equ 0x38
ADCCR2 equ 0x39
ADCRES equ 0x3D
;
L003E    ; init as 22, no further r/w

so the easy things to look for next are the two possible ports at 2F and 30 and also to look at the possible timer locations, looking for continually incrementing values.

wow that is great to see progress being made .

i am amazed that you can essentially write some code to make the ports identify themselves.

In regards to the number on the case are you taking about the sticker on the side or the case part number on the front.

If the chip is one time programmable is it still possible to dump the contents of the chip without killing it?

on another note I’ve been doing a little ecu work myself tracking down the cam and crank subs on a h8 based ecu and dissembling I’ve attached a picture of the setup using an arduino to feed cam and crank sensors. (Keeping busy when off work in the current state of affairs.)

I've sniffed out eight analogue channels now, I wrote some code to scan through the ADC channels and send the channel number and result out through the serial port; the code needs to be a little different to the smaller chips, this appears to be because there are an extra couple of channels. Selecting the upper two channels needs a further code mod which I will try at another time.
I now have the watchdog reset pin on the processor set to an input and I'm injecting a signal from an external signal generator to keep the MA7815 happy. The earlier E528A just needed kicking before the watchdog timed out, the MA7815 is a windowed watchdog and has to be kicked between 20ms and 535us. Its a reasonable window but until I got it working properly I didn't know how long an ADC read would take. It was also very difficult to debug while it was continually resetting.

Ah I see so as long as a main chip has code to look at external memory address it can be manipulated.

What ic do you think may be closest to the 76c55 that has an available datasheet?

TechSupport wrote:

---

Test mode on the 68HC11 is quite different. On the 68/63/76 series mode0 runs in extended mode but allows access to internal memory, The reset vectors are fetched from the external memory during power on reset, that allows you to jump to your own code, memory reads are no different to normal programme execution.

---

I’ve been searching for a toshiba 100 pin micro controller with pin outs similar to the 76c55 to try find a describition of the eeprom read function but to no avail.

i did however come across the manual for the m68hc11 and have a question on it.

The m68hc manual talks about the special test mode that you describe but also says that if the security bit is set that it will erase the entire rom and ram before a read out, my question is how do you avoid this when your dumping the entire memory?

You have a pin labelled 'Enable Flash read' - where did you get that information from? If the chip numbering follows standard Toshiba practice then your chip should be an EEPROM device so there should be a way to read/write it directly. It may be that for this chip mode0  is not supported.

I don't believe that there is any way to modify the contents of the E310A, I have some notes on it somewhere but from memory it just buffers the CAS/crank signals and also outputs an inverted version.

I'm updating the datasheet as I go because I'm using it as a reference, along with other code, there is some data that didn't get added to it before.

Is that pin-out for the 76C55? the RX/TX pin looks to be in the wrong place but it may be a switch for OBD1/OBD2. Analogue inputs look right, on my board those lines go through some custom chips, I'll put a resistor box on the inputs and see what arrives at the processor.
E310A is primarily a level translator between 12V and 5V for digital inputs, it also does some signal conditioning for cam/crank.

Bob wrote:

---

Is there anything I can be doing to help?

 

---

 If you could trace out a couple of the analogue inputs and find out what pins they are connected to that would be useful, I don't have a pinout for the TCU that I have.

I have made a little more progress, I have located the pins for PORT1, tomorrow I will try and find PORT2. My emulator is not working correctly so progress is slow because I have to erase and burn an EPROM each time I need to modify the code.

Bob wrote:

---

What kind of code do you run on an unknown chip? 

---

Its not entirely unknown, its from the same family as the smaller chips and it was determined years back that they used a superset of the 6301 instruction set. I have compared the code with that from an earlier processor and can I see some similarities (and differences) in the architecture. At the moment the plan is to copy the existing configuration settings and then toggle each of the outputs in turn and see what pin changes. I'm also trying to send data out of the serial port.

The hybrid on your board, is that also a 7815?

I've been able to run some code on the board but, as I suspected, the watchdog timer is causing issues. The watchdog timer is part of a hybrid circuit MA7815which looks to be very similar in operation to the EA528A fitted to many Suzuki ECUs. I've just published the timing diagram for that on this thread: 

https://rhinopower.activeboard.com/t30468381/33920-70e10-vitara-16-8v-tbi-1999/

I will instrument the TCU tomorrow and try to sniff out the port pin that resets the watchdog.

The RAM is internal, EPROM is external. This particular ECU has a 27C512 EPROM so the complete 64k address space can be utilised, once we get inside the chip we will see how much ROM it has.