RhinoPower Ltd

Members Login
Username 
 
Password 
    Remember Me  
Post Info TOPIC: 76C55 (MH6311) information


Guru

Status: Offline
Posts: 1274
Date:
RE: 76C55 (MH6311) information
Permalink  
 


Bob wrote:

Hi James 

just wondering if you ever got around to having a last try at this?

 

Thanks

BOB


 Not yet but I will at some point.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Hi James 

just wondering if you ever got around to having a last try at this?

 

Thanks

BOB



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:
TechSupport wrote:
TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.


That’s both good and bad news.

How do you go about solving that one? 


The adapter that's giving the issues is the one pictured above, I have another adapter which just has pins that you have to plug on individual wires from the logic analyser, that one is well proven but fiddly to set up. I shall get some proper adapter boards made, I did a design some time back.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

TechSupport wrote:
TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.


That’s both good and bad news.

How do you go about solving that one? 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

TechSupport wrote:

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.


 I'm working on another board at present and I ran into the same issue - it seems that the adapter that I was using for the logic analyser was adding too much capacitance to the bus. Once I've finished this job I will try mode 0 again.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I don't know anything about the JECs parts, I've never dealt with one. That other chip looks like it says NFC, that may have been a fab house, the D number could be a Denso part number.

I couldn't find any reason why my code would not execute so I swapped the emulator for an EPROM, I can now see my code on the bus so I guess the emulator didn't have sufficient drive strength. The new problem is that the code is simply being stepped through without being executed, as if the bus isn't connected. I am in an area of memory that was reading blank, more investigation to do.
I can see the internal memory contents on the bus when I execute a reset from my external memory so if all else fails that is a vulnerability that I can exploit that to read out the internal memory.

 

Edit: Emulator works if I use a booster socket, must have had that over 10 years - first time I've needed it! Code still doesn't execute.



-- Edited by TechSupport on Wednesday 3rd of June 2020 06:36:25 PM

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Main ic: A12-212-602  labeled as jecs but I believe it to be Mitsubishi or nec.

second io chip (smaller chip) : A12-281001 labeled as jecs but a quick google brought up someone who had de-capped one and found it labeled nec D29501



Attachments
__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:

 

Off topic a bit,
I have been having a play with a micra k11 board and have come to the conclusion that the chip may be OTP as well, however there is external headers which i believe nistune do a board for.
How does the odd and even boards work? Is there 2 separate busses, one for odd and the other for even addressing ?
 

I'm not familiar with the Nistune boards, from what I understood they just place the processor into an external memory mode. In some applications people have used two chips to get enough memory, they are usually split high memory and low memory by usng the MSBs as the chip selects but it could be done as odd/even by using the LSB as the chip selects. What processor is it? 



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

 

If it we’re easy every man and his dog would be doing it 😂.
Great news that you’re still at it.
Off topic a bit,
I have been having a play with a micra k11 board and have come to the conclusion that the chip may be OTP as well, however there is external headers which i believe nistune do a board for.
How does the odd and even boards work? Is there 2 separate busses, one for odd and the other for even addressing ?

TechSupport wrote:

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

 

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.



-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM



 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I suspect that the problem with Mode 0 is that it runs in extended multiplexed configuration and this board is configured for non-multiplexed extended operation. So I think that I've proved that Mode 0 works but I need a board like my old ROMReader board that I used on the smaller devices.

 

Edit: I'm beginning to think that Mode 0 is partially disabled - the reset vector is picked up correctly from the external memory but the code doesn't run, it looks like internal code is present on the bus and appears to run correctly. I will investigate some more tomorrow.



-- Edited by TechSupport on Tuesday 2nd of June 2020 08:04:25 PM

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I gave Mode 0 a try a few weeks and had no success, I'm looking at it again now and I made a mistake with the configuration. I do now seem to have it running in Mode 0 but its not running correctly.
If there is already code in the area that I'm trying to run code in then it will all be corrupted.



-- Edited by TechSupport on Tuesday 2nd of June 2020 05:33:22 PM

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

TechSupport wrote:
Bob wrote:

 


 Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?


 

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.


Looking forward to the result regardless of the outcome as it will either put this ecu to bed or open up another one to play with. 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:

 


 Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?


 

That depends on how boot mode works, it could be a simple signal that when present causes the code to jump to a bootloader routine. This weekend I'm going to try and put the MH6311 into mode 0 and see if that works, that will be the real test to see if this is a feasible project.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

TechSupport wrote:

Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.


 Does that mean that pin 79 is not capable of being used to put the chip into boot mode.?

Is there anything I can be testing?



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Pin 79 is just a 12V digital input.
Pin 62 is bi-directional comms, which you would expect for K-Line, and goes to pin68 and 67 on the processor which is known to be the serial port on the MH6311, so that's good.
Pin 56 I have as a RX line which is also connected to pin 67 on the processor.

The two 165s are cascaded and work as a serial in (from the processor), parallel out shift register to drive a bunch of digital outputs.

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

TechSupport wrote:
Bob wrote:

 


 i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan 


The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, fro memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.

I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. Its an old trick that seems to have made a bit of a come back on some modern processors.

Is the Mitsubishi protocol described anywhere? if you know that then that makes reverse engineering the software much easier.


A lot of good info here as I’m currently working on the cam and crank on the h8 and am confused at finding the crank signal invert on 2 pins.

 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Something else to play with.

 

I've added the E310A pinout to this thread:

https://rhinopower.activeboard.com/t43171026/analysing-and-testing-the-8v-tracker-sidekick-and-vitara-ecu/

I have a scrap board that I will hack about to see if I can pair up the remaining five sets of pins.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

As you follow pin 79 take a look at my board for reference and you can see all the components are fitted.



Attachments
__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

It’s definitely pins 56 which goes to obd2 pin 1

k line is pin 62 and goes to obd2 pin 7.

ill attach a picture below.

you will see pin 79 mentioned in the ecu pin out and that is used for putting the ecu into programming mode in evo 5/6/7 .

if you follow pin 79 circuit you will see it is missing all the components going back to both the mh63 and the e310a on the evo 4 ecu however if you take a close look at my Ralliart tuned ecu you will see all of the components are fitted to my board.



Attachments
__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Mut commands.

https://evoecu.logic.net/index.php?title=MUT_Commands&diff=839&oldid=838



__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Mut protocol 

https://evoecu.logic.net/wiki/MUT_Protocol



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:

 


 i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan 


The E310A is a level translator, it converts the signals from 12V to 5V and from 5V to 12V. One of the inputs has two outputs, one of which is inverted, and that input is usually used for cam or crank. I have the pinout mostly defined, I will try and find that, for the 12V inputs you can just put a low frequency square wave on the ECU input and check the pins to see where the 5V output is, fro memory the threshold voltage is around 7V. The other way you need to force the processor into reset and then inject a 5V signal through a resistor and then look for the 12V output.

I had a look at 62, which I think is the K-line, I have 51 as the immobiliser pin, 56 is shown as unused? I would think they are using the shift registers to implement the serial port, there is most likely only one in the processor. Its an old trick that seems to have made a bit of a come back on some modern processors.

Is the Mitsubishi protocol described anywhere? if you know that then that makes reverse engineering the software much easier.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

TechSupport wrote:

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.


 i thought the cam and crank go through the e310a chip to be conditioned first? Or am I think of the h8 ecus?

Did you see them two 74hc165a they are used in Mitsubishis k line communication on 56 and 62 they might be of interest.

i can send commands through the k line to switch on and off various things like injectors /fuel pumps/egr and purge etc, the program is call evoscan 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I haven't had a lot of time to work on this over the last week. I did take a look at the EVO4 ECU (MH6371), the power pins map to the MH6311, the analogue pins look to be in the right place, the E clock is present and there is activity on the R/W pin so that all looks good. I traced out the circuitry for the crank and cam inputs and the ignition and injector drivers. I'm hoping they will map to the timer pins on the MH6311 but I haven't succeeded in getting the output compare channels to work yet, there must be enable bits somewhere but its not obvious from the code; I've been through setting registers to FFh, which normally works, but so far no success.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

You would need to write to a page select bit/register to switch between pages, there is no such operation in any of the source code that I've looked at. It can be achieved manually with external memory and external address select lines but there is no need because all the code fits within the 64k 16-bit address range - on the pre-OBD2 ECUs it fits well within an 8K space.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Looking at the code how would you know if it was paged or not is there a giveaway or a tell tale?



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 


The memory isn't paged, its a straight 64k linear address space; it could be an error in the disassembly or an external interface.
I'm trying to build up a reasonable understanding of how the chip works to create a basic datasheet for reference. When I get the other ECU the plan is to pull the processor from it and swap it onto this board and see what can be done with it. Hopefully, if it can be read, the memopry map will be similar. Before that I will attempt to pull the internal code from this chip.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Also I’d like to ask what is the next step once you have identified as much as possible, like are you looking for something in particular at the moment or going for a complete map?



__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

A lot of time gone into that I can see.

 

I wonder is this space used depending on what mode the chip is in or does code get copied from page one to page two like in the H8 chip set;

(; some random , maybe external addresses - there is no data from 2000h to 2FFFh L201B

L2402

L26B7

L2BBD)

 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I did some more hunting through the code - found a timer module, nowhere near the normal registers, my first thought was that it was external but it clearly maps to the interrupt vectors. This is my summary of the registers, looks like one 16-bit timer with at least eight output compares and at least five input captures:

; Timer module - internal or external ?????
; suspect external in 100-pin port expander
;
L080F  ; OC? - add a number and store
L0810  ; init then all in intvec9 OC? - add a number store here
L0811  ; init then all in intvec8 - fetched and stored, also load 113 add 323 store here
L0812  ; init then all in intvec10
L0813  ; init then load, add store here, also intvec6
L0814  ; init then load, add store here, also intvec5
L0815  ; init then intvec4, load 815 add 1FE0, store 815
L0816  ; init then load, add and store , controls PORT3 bits, also intvec3
L081F  ; written twice to 00h
L0820  ; written twice to E0h
L0821  ; 16-bit write twice to 00h
L0823  ; 16-bit write twice to 00h
L0825  ; 16-bit write twice to 00h
L0827  ; 16-bit write twice to 00h
L082D  ; 16-bit timer
L082E  ; read once in init and overwritten
L082F  ; read once in init and overwritten 
L0830  ; read once in init and overwritten
L0831  ; read once in init and overwritten 
L0833  ; 16-bit read in intvec15 and stored L000A bit0 selects interrupt??
L0834  ; 16-bit read in intvec16 and stored, L000A bit1 selects interrupt??
L0835  ; 16-bit read in intvec13 and stored, L000A bit2 selects interrupt??
L0837  ; 16-bit read in intvec12 and stored, L000A bit3 is toggled = edge??
L0839  ; 16-bit read in intvec11 and stored, L000A bit4 is toggled = edge??
L083A  ; read once in init
;

 

Edit:

L082D confirmed as a free-running 16-bit timer.

I've started to compile a register map available here: http://www.rhinopower.org/76xxx/docs/76C55_Register_Map.txt

 



-- Edited by TechSupport on Tuesday 21st of April 2020 08:36:52 PM

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Bob wrote:

 

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?

Also how come you use eprom and not eeprom chips ?


 Back in the old days we had to write assembly code and debug with a logic analyser, I did a fair bit. I quite enjoy playing with these old chips, they are so simple. An Aurix, which is typically used in a modern ECU has around 1000 registers just for the timer module! At least with the LA you can do real time code tracing and code mods so its still superior to an Arduino!

The original boards were EPROMs, I did use the old 27SF EEPROMS a few years back but you can only get poor quality counterfeits these days from places like AliExpress, sometimes they work but for how long is anyone's guess. I have in the past modified a board to take a 28HC256 EEPROM but they are expensive now. Its cheap to use the emulator and then just burn a 27C EPROM when you're done.

 

The MH6311 is a bit of a surprise, I didn't find any timers, there must be some but they can't be free-running timers like in the other chips. Looking at the code there may be another port, it would have to be on the port expander, its got 100-pins so there is plenty of space.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

That looks like fantastic work.

You must have quite a bit of experience to be able to figure out how to go about setting up a rig like that, Do you do much of that type of work for a day job ?

Also how come you use eprom and not eeprom chips ?



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

In order to view the code execution you have to have the processor running in external mode, the TCU that I am using has an EPROM stock. I am using an Intronix Logicport LA, you need 24 channels for address and data plus a few spares for logging pin changes or serial port data. Its been very reliably, I used it an awful lot for 10 years or so.
I made a crude adapter from veroboard as a temporary solution (also about 10 years ago!) - individual probes are too time consuming to set up.

I also have a Moates Ostrich 2 emulator again, which I have used lot for 27C256 emulation, it should work with the 512 so I need to get that running so I can do real time code changes which will speed things up considerably.

The DSM TCU:

 MD759132 PCB

A screen capture of the Logicport software and the test software listing:

Logicport software



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

So let me get this right.

If a pin is set to read as an input you can actually access the data on the internal upper and lower buses?

Does this hold true for all ic’s ?

what kind of logic analyser are you using, as I seen then on eBay for as little as 50 quid?

 

TechSupport wrote:

Its usually on the sticker on the front, the non-flash OTP devices can still be read, if the flash version supports mode 0 then it will be possible to read it n the same way.
I have a logic analyser on the bus, for input pins the code just reads the ports and copies them to RAM locations, on a read the data is exposed on the bus, then I just inject a signal onto the pin to cause it to change state; for output pins I just toggle the output and then look for the pin.
I will look for the higher order ports next, the code is different to that on the MH6211 so they may not be in the same locations.


 



__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

I would not expect you to be out of pocket mate. 
I have an evo 4 one here that I don’t care about that I’ll send you if that’s the road you want to go down, or if you have already bought the evo 5 ecu then just sent me your PayPal or the like and I’ll reimburse you in full.
Things to be aware of is that only very early evo 5 had the metal case ecu it then changed to the plastic case ecu which was the h8 based processor.
That link to the colt ecu looks identical to an evo4/early evo5 ecu, as they were all maf based cars.
Thanks for your work so far it is greatly appreciated.

 

TechSupport wrote:


I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one: 

https://forum.carlabimmo.com/viewtopic.php?t=14895

 


 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I found an EVO5 ECU that should have the MH6371 processor and it was cheap so I don't mind if I accidently wreck it. It should be identical to this one: 

https://forum.carlabimmo.com/viewtopic.php?t=14895

 



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I've been looking at how the registers are initialised and used, some are already known and tested, there are some differences between this device and the other devices. I don't have a code tag so I'll put it in a quote:

;;------------------- Registers -------------------------------------
; In all other devices user RAM starts at 40h
; thise looks the same - 40 is not directly initialised;
P1DDR equ 0x00
P2DDR equ 0x01
PORT1 equ 0x02
PORT2 equ 0x03
P3DDR equ 0x04
P4DDR equ 0x05
PORT3 equ 0x06
PORT4 equ 0x07
;
; 8 to E are TMR1 in all other devices
L0008 equ 0x08  ; T1CSR1
L0009 equ 0x09  ; TMR1H
L000A equ 0x0A  ; TMR1L
L000B equ 0x0B  ; T1OCR1H
L000C equ 0x0C  ; OCR1L
L000D equ 0x0D  ; ICR1H
L000E equ 0x0E  ; ICR1L
;
; F is P3 CSR in all other devices
L000F equ 0x0F
;
SCIRMC equ 0x10
SCSR equ 0x11
RXD  equ 0x12
TXD  equ 0x13
; 14 is RAMCR in all other disassembled
;
L0014
;
P5DDR equ 0x15
PORT5 equ 0x16
;
; MH6211 18 to 1E is timer1/2
L0017    ; initialised to 0x0E
L0018    ; initialised to 0x0E
L0019    ; 8-bit, initialised to 0x0E
L001A    ; 8-bit, initialised to 0x0E
;
; 1F,20,21 are connected - from line C2D0,
; in MH6211 1F and 20 are PORT6 and
; 20,21 are unused in EE88 code
;
L001F    ; 8-bit, initialised to 0x00 or 0x01 - bitfield
L0020    ; only bit5 is read
L0021    ; 8-bit write, 8/16-bit read
;
L0023    ; timer for SCI?
L0024    ; 8-bit, written to 3F in SCI code
;
; 26,27 are both read at start of interrupt vector 2
L0026    ; 8-bit, r/w could be RTI CR
L0027
;    ; 8-bit, r/w could be RTI
; 29,30 is TMR2 in MH6211
L0028    ; init as double #$2800
L0029    ; 8-bit written twice to 00h
L002A    ; 8-bit written twice to 00h (not in same place as L0029)
L002B    ; 8-bit written 00 or 1F
L002C    ; 8-bit written to 00 or FF
;
; possible DDR init P6DDR, P7DDR?
L002D    ; 16-bit written once in DDR routine as #$C123
; possible port init PORT6, PORT7?
L002F    ; init as double in Port routine - 8-bit bitfield
L0030    ; 8-bit bitfield
;
L0031    ; 8-bit bitfield init as 01
L0032    ; init as 00, no further r/w
L0033    ; init as 11, no further r/w
L0034    ; written as 16-bit 8001 or 0001, written as 8-bit from maths
;
ADCCR1 equ 0x38
ADCCR2 equ 0x39
ADCRES equ 0x3D
;
L003E    ; init as 22, no further r/w

so the easy things to look for next are the two possible ports at 2F and 30 and also to look at the possible timer locations, looking for continually incrementing values.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Its usually on the sticker on the front, the non-flash OTP devices can still be read, if the flash version supports mode 0 then it will be possible to read it n the same way.
I have a logic analyser on the bus, for input pins the code just reads the ports and copies them to RAM locations, on a read the data is exposed on the bus, then I just inject a signal onto the pin to cause it to change state; for output pins I just toggle the output and then look for the pin.
I will look for the higher order ports next, the code is different to that on the MH6211 so they may not be in the same locations.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

wow that is great to see progress being made .

i am amazed that you can essentially write some code to make the ports identify themselves.

In regards to the number on the case are you taking about the sticker on the side or the case part number on the front.

If the chip is one time programmable is it still possible to dump the contents of the chip without killing it?

 

on another note I’ve been doing a little ecu work myself tracking down the cam and crank subs on a h8 based ecu and dissembling I’ve attached a picture of the setup using an arduino to feed cam and crank sensors. (Keeping busy when off work in the current state of affairs.)

 



Attachments
__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I've determined most of the Port5 pins now.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

I've sniffed out eight analogue channels now, I wrote some code to scan through the ADC channels and send the channel number and result out through the serial port; the code needs to be a little different to the smaller chips, this appears to be because there are an extra couple of channels. Selecting the upper two channels needs a further code mod which I will try at another time.
I now have the watchdog reset pin on the processor set to an input and I'm injecting a signal from an external signal generator to keep the MA7815 happy. The earlier E528A just needed kicking before the watchdog timed out, the MA7815 is a windowed watchdog and has to be kicked between 20ms and 535us. Its a reasonable window but until I got it working properly I didn't know how long an ADC read would take. It was also very difficult to debug while it was continually resetting.



-- Edited by TechSupport on Wednesday 15th of April 2020 06:07:44 PM

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.



Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

There just isn't a datasheet, the 6301 covers the basic, unextended instruction set, modes and architecture. that was why I started creating a datasheet from my old notes. I've found a few issues with it but I'm updating it as I go now.
What numbers do you have on the cases? usually Mitsubishi mark the labels with an M, T or E for Masked ROM, One Time Programmable or EPROM. On the picture of your ECU I can see that you have a T marked on the connector, which would usually indicate OTP.

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

Ah I see so as long as a main chip has code to look at external memory address it can be manipulated.

What ic do you think may be closest to the 76c55 that has an available datasheet?


TechSupport wrote:

Test mode on the 68HC11 is quite different. On the 68/63/76 series mode0 runs in extended mode but allows access to internal memory, The reset vectors are fetched from the external memory during power on reset, that allows you to jump to your own code, memory reads are no different to normal programme execution.


 



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

Test mode on the 68HC11 is quite different. On the 68/63/76 series mode0 runs in extended mode but allows access to internal memory, The reset vectors are fetched from the external memory during power on reset, that allows you to jump to your own code, memory reads are no different to normal programme execution.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

I’ve been searching for a toshiba 100 pin micro controller with pin outs similar to the 76c55 to try find a describition of the eeprom read function but to no avail.

i did however come across the manual for the m68hc11 and have a question on it.

The m68hc manual talks about the special test mode that you describe but also says that if the security bit is set that it will erase the entire rom and ram before a read out, my question is how do you avoid this when your dumping the entire memory?



__________________
Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

3 of them have the part number MD336610

The Ralliart ecu has a slightly different part number RA336610C1



__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

What part numbers are your ECUs?

__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

The ”enable flash read” is a guess based on 4 ecus With the same board running the same engine.

Only one of the 4 ecus Which was mapped by Ralliart has components connecting chip pin 38 to the 4 plug header pin 79.

That pin 79 on the 4 plug header is used on the Next generation h8 based board and the later again sh board To enable flash Flash read.



-- Edited by Bob on Tuesday 31st of March 2020 07:37:26 PM

__________________


Guru

Status: Offline
Posts: 1274
Date:
Permalink  
 

You have a pin labelled 'Enable Flash read' - where did you get that information from? If the chip numbering follows standard Toshiba practice then your chip should be an EEPROM device so there should be a way to read/write it directly. It may be that for this chip mode0  is not supported.

I don't believe that there is any way to modify the contents of the E310A, I have some notes on it somewhere but from memory it just buffers the CAS/crank signals and also outputs an inverted version.

I'm updating the datasheet as I go because I'm using it as a reference, along with other code, there is some data that didn't get added to it before.



__________________

1984 Suzuki SJ413K pick up, 1.6 16V Baleno engine
2000 Suzuki Vitara 1.6 8V, many mods
2004 Suzuki Ignis 1.5VVT 4Grip
2006 Suzuki Jimny 1.3VVT JLX+
and many more.

Bob


Veteran Member

Status: Offline
Posts: 42
Date:
Permalink  
 

The rx/tx pin as I have labeled goes to X2. 74hc165 chips that then goes out too pin 7 on the obd2 plug, I think they are also toggled by a transistor to pin 1 on the obd1 plug.

ill attach the 74hc165 chip pdf that I found.

out of interest does the e310a have changeable code to allow for the use of different cam and crank signals?


TechSupport wrote:

Is that pin-out for the 76C55? the RX/TX pin looks to be in the wrong place but it may be a switch for OBD1/OBD2. Analogue inputs look right, on my board those lines go through some custom chips, I'll put a resistor box on the inputs and see what arrives at the processor.
E310A is primarily a level translator between 12V and 5V for digital inputs, it also does some signal conditioning for cam/crank.



-- Edited by TechSupport on Monday 30th of March 2020 07:23:13 PM


 



Attachments
__________________
1 2  >  Last»  | Page of 2  sorted by
 
Quick Reply

Please log in to post quick replies.



Create your own FREE Forum
Report Abuse
Powered by ActiveBoard