RhinoPower Ltd

Bob wrote:

---

Hi James 

just wondering if you ever got around to having a last try at this?

 

Thanks

BOB

---

 Not yet but I will at some point.

Bob wrote:

---

TechSupport wrote:

---

TechSupport wrote:

---

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.

---

 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.

---

That’s both good and bad news.

How do you go about solving that one? 

---

The adapter that's giving the issues is the one pictured above, I have another adapter which just has pins that you have to plug on individual wires from the logic analyser, that one is well proven but fiddly to set up. I shall get some proper adapter boards made, I did a design some time back.

TechSupport wrote:

---

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.

---

 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.

Main ic: A12-212-602  labeled as jecs but I believe it to be Mitsubishi or nec.

second io chip (smaller chip) : A12-281001 labeled as jecs but a quick google brought up someone who had de-capped one and found it labeled nec D29501

If it we’re easy every man and his dog would be doing it 😂.

Great news that you’re still at it.

Off topic a bit,

I have been having a play with a micra k11 board and have come to the conclusion that the chip may be OTP as well, however there is external headers which i believe nistune do a board for.

How does the odd and even boards work? Is there 2 separate busses, one for odd and the other for even addressing ?

TechSupport wrote:

---

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

 

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.

-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM

---

I gave Mode 0 a try a few weeks and had no success, I'm looking at it again now and I made a mistake with the configuration. I do now seem to have it running in Mode 0 but its not running correctly.
If there is already code in the area that I'm trying to run code in then it will all be corrupted.

Bob wrote:

---

 Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?

---

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.

Something else to play with.

I've added the E310A pinout to this thread:

https://rhinopower.activeboard.com/t43171026/analysing-and-testing-the-8v-tracker-sidekick-and-vitara-ecu/

I have a scrap board that I will hack about to see if I can pair up the remaining five sets of pins.

It’s definitely pins 56 which goes to obd2 pin 1

k line is pin 62 and goes to obd2 pin 7.

ill attach a picture below.

you will see pin 79 mentioned in the ecu pin out and that is used for putting the ecu into programming mode in evo 5/6/7 .

if you follow pin 79 circuit you will see it is missing all the components going back to both the mh63 and the e310a on the evo 4 ecu however if you take a close look at my Ralliart tuned ecu you will see all of the components are fitted to my board.

Mut protocol 

https://evoecu.logic.net/wiki/MUT_Protocol

TechSupport wrote:

---

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.

---

 i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan 

You would need to write to a page select bit/register to switch between pages, there is no such operation in any of the source code that I've looked at. It can be achieved manually with external memory and external address select lines but there is no need because all the code fits within the 64k 16-bit address range - on the pre-OBD2 ECUs it fits well within an 8K space.

Bob wrote:

---

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 

---

The memory isn't paged, its a straight 64k linear address space; it could be an error in the disassembly or an external interface.
I'm trying to build up a reasonable understanding of how the chip works to create a basic datasheet for reference. When I get the other ECU the plan is to pull the processor from it and swap it onto this board and see what can be done with it. Hopefully, if it can be read, the memopry map will be similar. Before that I will attempt to pull the internal code from this chip.

A lot of time gone into that I can see.

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

Bob wrote:

---

 

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?

Also how come you use eprom and not eeprom chips ?

---

 Back in the old days we had to write assembly code and debug with a logic analyser, I did a fair bit. I quite enjoy playing with these old chips, they are so simple. An Aurix, which is typically used in a modern ECU has around 1000 registers just for the timer module! At least with the LA you can do real time code tracing and code mods so its still superior to an Arduino!

The original boards were EPROMs, I did use the old 27SF EEPROMS a few years back but you can only get poor quality counterfeits these days from places like AliExpress, sometimes they work but for how long is anyone's guess. I have in the past modified a board to take a 28HC256 EEPROM but they are expensive now. Its cheap to use the emulator and then just burn a 27C EPROM when you're done.

The MH6311 is a bit of a surprise, I didn't find any timers, there must be some but they can't be free-running timers like in the other chips. Looking at the code there may be another port, it would have to be on the port expander, its got 100-pins so there is plenty of space.

In order to view the code execution you have to have the processor running in external mode, the TCU that I am using has an EPROM stock. I am using an Intronix Logicport LA, you need 24 channels for address and data plus a few spares for logging pin changes or serial port data. Its been very reliably, I used it an awful lot for 10 years or so.
I made a crude adapter from veroboard as a temporary solution (also about 10 years ago!) - individual probes are too time consuming to set up.

I also have a Moates Ostrich 2 emulator again, which I have used lot for 27C256 emulation, it should work with the 512 so I need to get that running so I can do real time code changes which will speed things up considerably.

The DSM TCU:

A screen capture of the Logicport software and the test software listing:

I would not expect you to be out of pocket mate. 
I have an evo 4 one here that I don’t care about that I’ll send you if that’s the road you want to go down, or if you have already bought the evo 5 ecu then just sent me your PayPal or the like and I’ll reimburse you in full.

Things to be aware of is that only very early evo 5 had the metal case ecu it then changed to the plastic case ecu which was the h8 based processor.

That link to the colt ecu looks identical to an evo4/early evo5 ecu, as they were all maf based cars.

Thanks for your work so far it is greatly appreciated.

TechSupport wrote:

I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one: 

https://forum.carlabimmo.com/viewtopic.php?t=14895

I've been looking at how the registers are initialised and used, some are already known and tested, there are some differences between this device and the other devices. I don't have a code tag so I'll put it in a quote:

;;------------------- Registers -------------------------------------
; In all other devices user RAM starts at 40h
; thise looks the same - 40 is not directly initialised;
P1DDR equ 0x00
P2DDR equ 0x01
PORT1 equ 0x02
PORT2 equ 0x03
P3DDR equ 0x04
P4DDR equ 0x05
PORT3 equ 0x06
PORT4 equ 0x07
;
; 8 to E are TMR1 in all other devices
L0008 equ 0x08  ; T1CSR1
L0009 equ 0x09  ; TMR1H
L000A equ 0x0A  ; TMR1L
L000B equ 0x0B  ; T1OCR1H
L000C equ 0x0C  ; OCR1L
L000D equ 0x0D  ; ICR1H
L000E equ 0x0E  ; ICR1L
;
; F is P3 CSR in all other devices
L000F equ 0x0F
;
SCIRMC equ 0x10
SCSR equ 0x11
RXD  equ 0x12
TXD  equ 0x13
; 14 is RAMCR in all other disassembled
;
L0014
;
P5DDR equ 0x15
PORT5 equ 0x16
;
; MH6211 18 to 1E is timer1/2
L0017    ; initialised to 0x0E
L0018    ; initialised to 0x0E
L0019    ; 8-bit, initialised to 0x0E
L001A    ; 8-bit, initialised to 0x0E
;
; 1F,20,21 are connected - from line C2D0,
; in MH6211 1F and 20 are PORT6 and
; 20,21 are unused in EE88 code
;
L001F    ; 8-bit, initialised to 0x00 or 0x01 - bitfield
L0020    ; only bit5 is read
L0021    ; 8-bit write, 8/16-bit read
;
L0023    ; timer for SCI?
L0024    ; 8-bit, written to 3F in SCI code
;
; 26,27 are both read at start of interrupt vector 2
L0026    ; 8-bit, r/w could be RTI CR
L0027
;    ; 8-bit, r/w could be RTI
; 29,30 is TMR2 in MH6211
L0028    ; init as double #$2800
L0029    ; 8-bit written twice to 00h
L002A    ; 8-bit written twice to 00h (not in same place as L0029)
L002B    ; 8-bit written 00 or 1F
L002C    ; 8-bit written to 00 or FF
;
; possible DDR init P6DDR, P7DDR?
L002D    ; 16-bit written once in DDR routine as #$C123
; possible port init PORT6, PORT7?
L002F    ; init as double in Port routine - 8-bit bitfield
L0030    ; 8-bit bitfield
;
L0031    ; 8-bit bitfield init as 01
L0032    ; init as 00, no further r/w
L0033    ; init as 11, no further r/w
L0034    ; written as 16-bit 8001 or 0001, written as 8-bit from maths
;
ADCCR1 equ 0x38
ADCCR2 equ 0x39
ADCRES equ 0x3D
;
L003E    ; init as 22, no further r/w

so the easy things to look for next are the two possible ports at 2F and 30 and also to look at the possible timer locations, looking for continually incrementing values.

wow that is great to see progress being made .

i am amazed that you can essentially write some code to make the ports identify themselves.

In regards to the number on the case are you taking about the sticker on the side or the case part number on the front.

If the chip is one time programmable is it still possible to dump the contents of the chip without killing it?

on another note I’ve been doing a little ecu work myself tracking down the cam and crank subs on a h8 based ecu and dissembling I’ve attached a picture of the setup using an arduino to feed cam and crank sensors. (Keeping busy when off work in the current state of affairs.)

I've sniffed out eight analogue channels now, I wrote some code to scan through the ADC channels and send the channel number and result out through the serial port; the code needs to be a little different to the smaller chips, this appears to be because there are an extra couple of channels. Selecting the upper two channels needs a further code mod which I will try at another time.
I now have the watchdog reset pin on the processor set to an input and I'm injecting a signal from an external signal generator to keep the MA7815 happy. The earlier E528A just needed kicking before the watchdog timed out, the MA7815 is a windowed watchdog and has to be kicked between 20ms and 535us. Its a reasonable window but until I got it working properly I didn't know how long an ADC read would take. It was also very difficult to debug while it was continually resetting.

Ah I see so as long as a main chip has code to look at external memory address it can be manipulated.

What ic do you think may be closest to the 76c55 that has an available datasheet?

TechSupport wrote:

---

Test mode on the 68HC11 is quite different. On the 68/63/76 series mode0 runs in extended mode but allows access to internal memory, The reset vectors are fetched from the external memory during power on reset, that allows you to jump to your own code, memory reads are no different to normal programme execution.

---

I’ve been searching for a toshiba 100 pin micro controller with pin outs similar to the 76c55 to try find a describition of the eeprom read function but to no avail.

i did however come across the manual for the m68hc11 and have a question on it.

The m68hc manual talks about the special test mode that you describe but also says that if the security bit is set that it will erase the entire rom and ram before a read out, my question is how do you avoid this when your dumping the entire memory?