H8 ECU Definition Information Thread

[2kgteclass]

The rom being studied is the one posted by kobalt82 on logicgates ecuflash thread in this forum.

Finally we can read our H8 roms. Unfortunately now we are faced with the enormous task of dissassembling and enterpreting the machine code. This is unfortunately the only way to know for sure that we are editing the right data, or even to know that we are actually editing data and not machine code instructions.

I have the disassembler for the H8, the file name is dasmh85.exe and it can be downloaded from many web sites online, just search for the filename on google if you are interested in seeing what machine code looks like. The problem with this is that the disassembler is a console app that outputs the machine code ten lines at a time and there may be millions of lines of code. I have attempted to use a few console logging apps to make it easier to condense into one stream of instructions which would be much easier to read, but at the moment I am trying to do it by copy and pasting it out of the console window about 300 lines at a time. This could take a week or two to complete, if anyone knows of an easier way, let me know.

Some things I have noticed so far from looking at the hex file in a hex editor-

The fuel maps(offsets 000017a3-00001856,0000185f-00001915)seem to be coded as words just like in the sh7 series roms{deleted erronious information here, that was the sh7 4cyl that i was looking at which only had 140 elements on the map,v6 has 180 on sh7 also}. Further disection of the actual code will lead to the axis labels which will tell us if the h8s maps support boost

The timing maps(offsets 00001c25-00001d09,00001d11,1df4) also seem to be coded as words just like the sh7

The open loop load maps are at offsets 0000193c and 0000194c

The accelleration enrichment map is at 00001ac6

injector latency map
00001a2e

MAF scaling
00001704

MAF Smoothing
0000171e

MAF Size
0000080c

MAF Filtering
00000808

Min Temp For Closed Loop
00000888

RPM Limit
0000156a



As I said, I will be working on this for a while as im sure will other people, nothing will happen overnight, but eventually the h8 will be flashable just like the others.

I am actually noticing that the same data is used for most of these and they are stored using the same data types.

[NC[Spyder]GT]

When you say "console" are you talking about the "C Prompt" thingy? If so, you may be able to edit that program's # of lines by right clicking it and adjusting the properties. I think you can edit it so it stores more than 300 lines... that may help speed things up. Repping you for actually going out and getting this shit started yourself! Hell, even if it never works at least you took the initiative and tried.

[alaska3g]

that is freakin awesome news man. good work and please keep us updating. now i can probly save the money i was saving for an ecu swap!!!

[2kgteclass]

Bump,

Kobalts rom id is md365883 at address x0237

however ecuflash gives an invalid address error when i try to set it because it seems ecuflash is looking for the id to be in the fxxx range. Anyone have an old copy of softice i could use to overide the check on the address in ecuflash's def wizard? I might just have to build the def in notepad, hopefully ecuflash wont screen it that way.

[LogicGate]

Send you PM. I have been to busy to dissassemble the code, but I will start doing so today. I would give you more e-rep but it doesn't let me

[2kgteclass]

The md365883 number is actually his ecu part number, the corresponding rom ids on mitsubishitechinfo.com's list of ecus with prescribed factory reflashes start with either 218 or 261. In the sh roms the rom internal id is stored as hex. it looks decimal due to the lack of alpha digits but it is stored verbose as hex with the last digit being preceded by a 0. ie the rom id 9095003 is actually stored as h90 95 00 03.

His internal rom id is probably 218121 at offset 020e then recoded as 21810021 at offset 021a. Ecuflash still refuses to accept this as a viable address.

[2kgteclass]

Quote:

Originally Posted by 2kgteclass

Bump,

Kobalts rom id is md365883 at address x0237

however ecuflash gives an invalid address error when i try to set it because it seems ecuflash is looking for the id to be in the fxxx range. Anyone have an old copy of softice i could use to overide the check on the address in ecuflash's def wizard? I might just have to build the def in notepad, hopefully ecuflash wont screen it that way.

nix that idea, edited the xml file in notepad and ecuflash says the rom is of the wrong size.

[LogicGate]

Being going through the code for an hour, there must be an easier faster way, because this is killing me. I'm having problems disassembling the code in IDA Pro, starting to give me a headache.

Edited:
I can find the data, but I can't determine what scalings

[2kgteclass]

tell me about it, now we know why it took colby so long to even release the read routines.

Some interesting things to note about the H8/539F.

The
The PROM mode memory map runs from 0000-1ffff.
The MCU mode memory map runs from 0000-2ffff.

When we read the ROM, we get the information from H10000-h2ffff.

The information in h0000-h3fff is identical to h10000-h13fff.

The information from h3fff-hffff is not readable in prom mode.

This means when we see an op code targeting that region, it really targets a memory location that is not in the file that we read.

This also means that when we see an op code that targets h1ffff, it really targets hffff in our file.

See Hardware Manual P.509(P.523 in pdf file) Table 18-4

[_OBX_3g_]

This is crazy man. More rep for you. Glad to see you trying this.

[LogicGate]

So far I know we share the same code as the Eclipse GSX so there is a possibility that we might be able to use the GSX code in the 2000 RS/GS cars. Also what hardware manual are you talking about?

[2kgteclass]

Quote:

Originally Posted by LogicGate

So far I know we share the same code as the Eclipse GSX so there is a possibility that we might be able to use the GSX code in the 2000 RS/GS cars. Also what hardware manual are you talking about?

Good point, I mean the Hitachi h8/500 hardware manual available on openecu.org. If I make a reference to the Programming Manual, it too is available on openecu.org.

[Outlawtm2]

Awsome to see this finally coming together. Bump and e-rep to you for hard work. Been waitin' for this for a while. Can't wait to be able to flash!

[2kgteclass]

does anyone know what mode the H/8 operates in on the eclipse ecu?

I know it is a maximum mode. Im almost positive it is mode 7 judging by the size of the rom. If someone has a high res closeup of the board, and specifically the area immediately around the CPU I might be able to see what mode its installed in. This is a serious issue as if the chip is permanently installed in mode 7, it would not be flashable. There might be an IC designed to trigger PROM mode hooked up to the MDx pins. Im working on an all software emulator so we can better trace through the disassembled machine code. The emulator will be able to simulate operation of the rom execution all the way through, then by tracing to the pins of the ECU through the board we can see what subroutines produce output at which pins, if possible I would like to make it so the emulator could simulate the other components on the ECU's board right down to the pins on the connectors. If anyone has any h8 ecus laying around that they could donate to the cause, having one that my car doesnt depend on would definitely help this situation as I could test it directly.

[MattS00]

Would/could I damage my ECU, by taking it apart and taking a picture? If other people wouldn't mind going in with me I would donate some money to get you a Fed Spec GT 5spd ECU. There are some on car-parts.com that are around $75. The programming is really out of my leage. Everything you guys has posted might as well have been jibberish. Also, I don't even know where to start looking to even get the vocabulary down.

[skinnyGT]

glad to see you guys going forth with this and to be honest i couldn't understand any of the stuff you talking about so no help from this guy.

[2kgteclass]

Quote:

Originally Posted by fasteclipse00

Would/could I damage my ECU, by taking it apart and taking a picture?

You could if you arnt really carefull taking it apart and putting it back together, but I was hoping someone had one that they already swapped out that they dont need. Dont go putting your car in danger for it. The picture might help with some stuff, but for what I want to do I will definitely need a lab rat eventually. If it comes down to it I will open mine up and take a picture.

Quote:

Originally Posted by fasteclipse00

If other people wouldn't mind going in with me I would donate some money to get you a Fed Spec GT 5spd ECU. There are some on car-parts.com that are around $75.

Again, I was really hoping someone would have one sitting on a shelf, it doesnt even have to work. I just need to be able to trace each pin on the ecu board connector to the cpu and read the numbers off the other chips on the board so I can get their datasheets and find out what they do.

Quote:

Originally Posted by fasteclipse00

The programming is really out of my leage. Everything you guys has posted might as well have been jibberish. Also, I don't even know where to start looking to even get the vocabulary down.

Unless you have some limited experience with microcomputing and digital electronics, its a whole other world of information to learn.

If you do have any experience I would love to have some help on this project, It will most likely be written in the Eclipse Java API because it is platform independent for the most part and is available for free on Eclipse.org. My programming is a bit rusty so I will probably struggle a bit with coding at first. Once you get past the whole 1s and 0s thing, simulation of a microprocessor, especially once we find out what mode it is operating in will be a pretty simple endeavor.

My goals for this ecu simulator are-

GUI- should graphically show states of each pin on the ecu and cpu, should show contents of each register and indicate when each map is referenced. Should keep track of cpu usage stats to determine the potential for adding functionality and optimization of code.

H8 disassembled code should be traceable forewards and back. must be able to set breakpoints and jump into and out of subroutines. should have some type of text driven scripting for input simulation, this is so we can feed it all the variables that the car normally would(ie. TPS, Airflow, O2, RPM) and see what the code does with it.

This project is a bit beyond the scope of just getting the flash to work. It will undoubtably help with that too, but once completed, I am pretty sure that there are unused pins on the ecu harness that could be utilized for some purpose. For instance, we could conceivably have the ecu trigger a methanol injector, or nitrous, or both. I would like to have my ecu use wideband o2s as primarys instead of narrow band. Or possibly use wideband o2s during open loop and actually run closed loop on the wideband instead of open. We could make the ecu run subinjectors or even monitor egts and adjust timing accordingly. The possibilities are limited only by the ammount of unused potential of this cpu and the effort put forth by people who can put that potential to good use.

One problem I run into all the time is with my headers. Stock the primary o2s are about 3" away from the exhaust ports, this provides nearly instant reactions to closed loop adjustments. So when bank one goes lean, almost instantly the o2 goes lean and the ecu can adjust, when it adjusts, almost instantly the o2 goes rich and the ecu pulls some fuel to bring it lean again. With my headers, the o2 sensors are about 3 feet away from the exhaust ports and the volume of gas that must be displaced before the o2 sees the change is huge in comparison. I estimate that the ecu adjusts 12 times before the o2 sensor sees the first adjustment. This causes a pretty wide swing in AFR because the computer is way overcompensating. Somewhere in the rom there is a subroutine for closed loop operation that could be modified to slow down the adjustments so that the swing isnt so wide.

[MattS00]

Do you have a 2000 Cali spec with an H8 processor?

[2kgteclass]

Yes, my car is 2000 GT cali mt., but any h8 driven mitsubishi ecu will do for my simulation.

BTW...

Here is the rom file for the kobalts car and the definition file as far as I have gotten on it. The fuel maps work as well as timing, accel enrichment, rev limit, maf size, injector scaling, and open loop trigger maps.

[Kai]

Quote:

Originally Posted by 2kgteclass

Yes, my car is 2000 GT cali mt., but any h8 driven mitsubishi ecu will do for my simulation.

BTW...

Here is the rom file for the kobalts car and the definition file as far as I have gotten on it. The fuel maps work as well as timing, accel enrichment, rev limit, maf size, injector scaling, and open loop trigger maps.

If you was only in detroit i would let you see my ecu Only if you promised to put it back lol. Any way good luck on this man hope you guys figure it out.

[LogicGate]

Got it, the scalings look good. Let me know what you used as a template for the scalings. It looks the similar as the the scalings from evo7base. Currently trying to get the GSX, VR4 Roms, and other info to see if we can use the code here.

[alaska3g]

so any word yet on h8 tuneability? just curious. really hoping this becomes possible real soon!

[2kgteclass]

no word yet, i still have yet to see a cali spec v6 rom from a 2000 ecu. Mine wont read, others are having similar problems, I emailed cboles and he had me send him a log but he never got back to me.

[MattS00]

Quote:

Originally Posted by 2kgteclass

no word yet, i still have yet to see a cali spec v6 rom from a 2000 ecu. Mine wont read, others are having similar problems, I emailed cboles and he had me send him a log but he never got back to me.

Are you still looking for an ECU to take apart? I haven't been able to find any really good deals on a H8 based ecu, and I really don't have the money to donate the $80 or so that it would cost to get you an ECU to take apart. If other board members were to help split the cost, I would be more than happy to help the cause.

[2kgteclass]

havent found one yet and it is kinda expensive for an experiment, but what would really help out right now is finding someone who can read a cali spec h8 rom. All i have seen is fed specs. ECUFlash will not talk to my h8 and i have been in contact with cboles trying to straighten it out, but i havent heard anything back yet after sending him a log from a special version of the software that logs the communication. Hopefully i hear back soon.


anyone out there have a cali spec h8 rom for me?

[PharmEcis]

This is absolutely fantastic news. The crown jewel of all this is the possibility of finally having a V6 ECU that understands boost. We need to find a ROM from a 99 VR4 as it has IDENTICAL pinouts as the 2000 FedSpec ECU.

For the RS/GS guys you have the EVO.

For us GT guys... Well we've been waiting and waiting and now finally I think I see some light at the end of the tunnel!

[LogicGate]

Quote:

Originally Posted by PharmEcis

This is absolutely fantastic news. The crown jewel of all this is the possibility of finally having a V6 ECU that understands boost. We need to find a ROM from a 99 VR4 as it has IDENTICAL pinouts as the 2000 FedSpec ECU.

For the RS/GS guys you have the EVO.

For us GT guys... Well we've been waiting and waiting and now finally I think I see some light at the end of the tunnel!

I didn't know that was true. I have been searching and trying to dig out an VR4 rom but no dice so far. There are many questions still I have in my head of whether it will still work, because of differences in the platforms. Any how is good to know the pin outputs are the same.

[LogicGate]

Quote:

Originally Posted by 2kgteclass

havent found one yet and it is kinda expensive for an experiment, but what would really help out right now is finding someone who can read a cali spec h8 rom. All i have seen is fed specs. ECUFlash will not talk to my h8 and i have been in contact with cboles trying to straighten it out, but i havent heard anything back yet after sending him a log from a special version of the software that logs the communication. Hopefully i hear back soon.


anyone out there have a cali spec h8 rom for me?

I have a member of our local club that has an cali spec h8 ecu. But I was not able to download the rom at all. I was not able to determine exactly the cause of the problem. Will check with him again to see if we can attempt a different approach in hopes to get further data for this project. Let me know exactly what you would need.

[PharmEcis]

Being able to reflash a VR4 rom onto the 3G ECU would be... Amazing. It should run just fine. The differences are minimal and the only thing that could be a hinder is the ignition system as the cam sensors are different along w/ the coilpack vs distributor system. Everything else is pretty much identical.

[Kai]

any new word on this?

[Kenneth]

I have a spare h8 ecu from a JDM Legnum VR-4 with the V6 6A13 twin turbo engine. I actually have 2 ECUs, one from a 1997 model and one from a 2002 model.

I am a programmer by trade and am currently teaching myself micro processing and digital electronics, so I could be of use

Problem is that I live in New Zealand so I cant just post the ECU :P

[2kgteclass]

i havent had any time to work on this lately.

kenneth, out of curiosity can you read the rom off your car?

[Kenneth]

Quote:

Originally Posted by 2kgteclass

i havent had any time to work on this lately.

kenneth, out of curiosity can you read the rom off your car?

I haven't had any success with mine, but I know of others who have... Though I believe they have only got the ROM from 1997 - 1998 ECUs.

I guess you want a copy of the ROM? I'll try remember to upload it when I am at home (just got to work!)

[Kenneth]

As I cannot upload attachments, you will need to PM me your email address. I also have some ecuEdit definitions for the ROM.

[Kobalt82]

I are suck at base programming so I have no jewels of info here; just want to subscribe and say thanks for working your asses off! erep all around!

FYI, I tried flashing my ecu (even though it says we cant) and, surprisingly, it didn't work. lol I just got a couple of cannot write errors.

Dammit, I want this to work so bad! I am putting down some serious power now (on 10psi w/ meth injection) and I'd love for my ecu to stop getting scurred. *sigh* emanage will have to do for now

[MattS00]

2000 Fed Spec ECU pictures

[Kobalt82]

I didn't realize I killed the thread with my last post :O)

Nice pics mang! Has there been any progress gentlemen? I'll start paypaling you fools to get this going again if I have to!

[Danger DANJ]

So, did everyone give up on the H8 ECUs?

[Kobalt82]

Yeah, I think so. I guess it is easier to swap than make this work.

[MattS00]

Apparently ecutek has been able to reflash the evo 5 and 6. They use the same or very similar processor. I wonder if an ecutek dealer could/would be able to define and tune an H8 eclipse processor?

[jkautz]

I emailed an Ecutek dealer in the Atlanta area and was told it probably wouldn't work. Has anyone else tried?

[Krazed~Otaku]

guess 2000 guys are outta luck huh

[Kobalt82]

Quote:

Originally Posted by Kobalt82

I are suck at base programming so I have no jewels of info here; just want to subscribe and say thanks for working your asses off! erep all around!

FYI, I tried flashing my ecu (even though it says we cant) and, surprisingly, it didn't work. lol I just got a couple of cannot write errors.

Dammit, I want this to work so bad! I am putting down some serious power now (on 10psi w/ meth injection) and I'd love for my ecu to stop getting scurred. *sigh* emanage will have to do for now

Here's my log for trying to flash to ecu. I only edited the injector size.

Code:

[16:47:42.127] Version 1.38.2080

[16:47:42.137] 11 memory models read.

[16:47:42.137] scanning for metadata models in C:/Program Files/OpenECU/EcuFlash/rommetadata

[16:47:43.479] 265 ROM metadata models scanned.

[16:47:43.479] checksum module "subarudbw" loaded.

[16:47:43.489] flashing tool "wrx02" loaded.

[16:47:43.489] flashing tool "wrx04" loaded.

[16:47:43.489] flashing tool "sti04" loaded.

[16:47:43.489] flashing tool "sti05" loaded.

[16:47:43.489] flashing tool "mitsukernel" loaded.

[16:47:43.489] flashing tool "mitsukernelocp" loaded.

[16:47:43.489] flashing tool "shbootmode" loaded.

[16:47:43.639] flashing tool "shaudmode" loaded.

[16:47:43.639] flashing tool "subarucan" loaded.

[16:48:09.045] 131072 byte image read.

[16:48:25.299] Using interface OpenPort 1.3 Universal TX25LxbT0d87f6c9235423d50251775381d874ea179212ec

[16:48:34.202] sending init sequence 2

[16:48:34.222] got 0x11 response

[16:48:34.222] sending init sequence 3

[16:48:34.602] entering bootloader

[16:48:34.602] sending kernel size (1531)

[16:48:34.632] sending kernel load address (0x0000F000)

[16:48:34.662] uploading kernel

[16:48:34.923] verifying kernel checksum response

[16:48:34.933] kernel valid

[16:48:35.143] kernel get version

[16:48:35.163] kernel debug:

[16:48:35.163] [B0] F2 A8 F0 36 F5 01 00 07 05 FB F0 00 B8 80

[16:48:35.173] kernel version is : OpenEcu Mitsubishi H8/539F Kernel V0.13

[16:48:35.173] reading kernel comm buffer size

[16:48:35.183] comm buffer size set to 256

[16:48:35.183] reading kernel flash buffer size

[16:48:35.193] flash buffer size set to 1024

[16:48:35.203] kernel read area: addr: 0000FEE0 len: 0001

[16:48:35.223] kernel read area: addr: 0000FEE2 len: 0001

[16:48:35.243] kernel read area: addr: 0000FEE3 len: 0001

[16:48:35.253] kernel read area: addr: 0000FF15 len: 0001

[16:48:35.273] flmcr: 80 ebr1: 00 ebr2: 00 ramcr: b8

[16:48:35.283] Flashing image to ECU memory...

[16:48:35.684] comparing ECU flash memory pages to image file

[16:48:35.684] seg start len ecu CRC32 img CRC32 same?

[16:48:35.684] kernel CRC32 area: addr: 00010000 len: 00003000

[16:48:36.044] FB16 00010000 00003000 D88F1BF3 3A362E6F NO

[16:48:36.054] kernel CRC32 area: addr: 00013000 len: 00000200

[16:48:36.084] FB01 00013000 00000200 3CF229E2 3CF229E2 YES

[16:48:36.084] kernel CRC32 area: addr: 00013200 len: 00000200

[16:48:36.114] FB02 00013200 00000200 9BD8328A 9BD8328A YES

[16:48:36.114] kernel CRC32 area: addr: 00013400 len: 00000200

[16:48:36.144] FB03 00013400 00000200 A33856F8 A33856F8 YES

[16:48:36.144] kernel CRC32 area: addr: 00013600 len: 00000200

[16:48:36.164] FB04 00013600 00000200 6B1E3B21 6B1E3B21 YES

[16:48:36.164] kernel CRC32 area: addr: 00013800 len: 00000200

[16:48:36.184] FB05 00013800 00000200 98D66559 98D66559 YES

[16:48:36.184] kernel CRC32 area: addr: 00013A00 len: 00000200

[16:48:36.214] FB06 00013A00 00000200 FFB3998C FFB3998C YES

[16:48:36.214] kernel CRC32 area: addr: 00013C00 len: 00000200

[16:48:36.244] FB07 00013C00 00000200 73713B5F 73713B5F YES

[16:48:36.244] kernel CRC32 area: addr: 00013E00 len: 00000200

[16:48:36.265] FB08 00013E00 00000200 1F0DB32E 1F0DB32E YES

[16:48:36.265] kernel CRC32 area: addr: 00014000 len: 00004000

[16:48:36.735] FB15 00014000 00004000 4010C904 4010C904 YES

[16:48:36.755] kernel CRC32 area: addr: 00018000 len: 00004000

[16:48:37.276] FB14 00018000 00004000 214DB6A2 214DB6A2 YES

[16:48:37.296] kernel CRC32 area: addr: 0001C000 len: 00004000

[16:48:37.787] FB13 0001C000 00004000 8EBA4341 8EBA4341 YES

[16:48:37.807] kernel CRC32 area: addr: 00020000 len: 00004000

[16:48:38.297] FB12 00020000 00004000 BCE0C189 BCE0C189 YES

[16:48:38.317] kernel CRC32 area: addr: 00024000 len: 00004000

[16:48:38.788] FB11 00024000 00004000 EAE3641B EAE3641B YES

[16:48:38.808] kernel CRC32 area: addr: 00028000 len: 00004000

[16:48:39.279] FB10 00028000 00004000 189731C8 189731C8 YES

[16:48:39.299] kernel CRC32 area: addr: 0002C000 len: 00004000

[16:48:39.790] FB09 0002C000 00004000 D6B6153B D6B6153B YES

[16:48:39.810] kernel flash enable

[16:48:39.840] kernel blank flash page: addr: 00010000

[16:48:39.850] kernel debug:

[16:48:39.850] [B0] F4 45 F0 62 FF 05 F8 29 00 00 F0 00 B8 80

[16:48:39.850] kernel error: programming failure

[16:48:39.850] WARNING: failed to erase page at 00010000!

[16:48:39.850] kernel flash disable

[16:48:39.860] interface close

[_Madman_]

Quote:

Originally Posted by 2kgteclass

does anyone know what mode the H/8 operates in on the eclipse ecu?

I know it is a maximum mode. Im almost positive it is mode 7 judging by the size of the rom. If someone has a high res closeup of the board, and specifically the area immediately around the CPU I might be able to see what mode its installed in. This is a serious issue as if the chip is permanently installed in mode 7, it would not be flashable.

Why are you saying that chip in mode 7 is not flashable?

Here is the quote from H8/539F specification:
"When pin settings are made for mode 2, 4, or 7 and 12 V is applied to the VPP pin, flash memory can be programmed or erased. See section 18, “Flash Memory” for details."

[_Madman_]

One more thing I noticed, from specification:
"Before executing the downloaded user program, the H8/539F branches to the boot program area in RAM (H'EE80 to H'F37F), then checks whether the flash memory already contains any programmed data. If so, all bocks are erased."

From the log above I see:
[16:48:34.602] sending kernel size (1531)
[16:48:34.632] sending kernel load address (0x0000F000)

And there is one more note in the spec: "RAM Area Allocation in Boot Mode: In boot mode, the 1280 bytes from H'EE80 to H'F37F are reserved for use by the boot program. The user program is transferred into the area from H'F380 to H'FE7F (2.75 kbytes). The boot program area is used during the transition to execution of the user program transferred into RAM."

Wouldn't that mean that kernel will be located at addresses [0xF000-0x10530], therefore overwriting bunch of stuff, including data at page1 and boot area? IIRC spec warns that during flashing you can only write to flashable area, not read/write as the execution of kernel data requires. Even if kernel size is in decimal it starts in boot area and reaches outside of the allowed boot area address up to 0xF5FB.

So, maybe the kernel needs to be loaded at address 0xF380, not at 0xF000...

Does anyone know how to reach EcuFlash developer?

[Kobalt82]

Quote:

Originally Posted by _Madman_

Does anyone know how to reach EcuFlash developer?

You can reach his sales girl (amanda@tactrix.com) and then she can send it to him.