# How to add new CAL ID to project (2Boost version 1.x) - aalesv/2boost GitHub Wiki

This manual assumes that you are familiar with ROM disassembly, RomRaider definitions editing, etc.

There are two major types of ROMs for SH7055/SH7058 based ECUs that differ significantly: earlier ones (found on Forester S11 and Legacy B13) and later ones (found on Forester S13, Legacy B14, Impreza G12/G22). One of the differences is the way the ROM stores and processes the cruise state variable. In earlier ROMs a bit in the variable is set when cruise control is disabled and cleared when it is enabled. In later ROMs the variable equals 1 when cruise is enabled and 0 when it is disabled. That is why different code must be used for these ROMs; this is controlled by defining the corresponding symbols differently for earlier and later ROMs.

Disassemble the ROM, then mark it up, for example with XmlToIdc.exe.
## Creating header file

### Earlier ROMs

Create `include\YOUR-CALID.h`.

Define the `CALID` symbol; it is needed by the version string.

In the ROM find the `Table_Target_Boost` address and define the `ORIG_TABLE_TARGET_BOOST_ADDRESS` symbol.

Find the address of the calc 3D table function and the 2Boost mod enable switch address:

- Jump to the `Table_Target_Boost` address.
- Jump to the xref to the `Table_Target_Boost` address. You should see something like this:

  ```
  ROM:00017D90 mov.l #loc_2150, r14            <-- Calc 3D table function address
  ROM:00017D92 bf/s loc_17DB0
  ROM:00017D94 nop
  ROM:00017D96 fmov fr14, fr5
  ROM:00017D98 mov.l #word_84334, r4
  ROM:00017D9A jsr @r14 ; loc_2150             <-- Calc 3D table function call
  ROM:00017D9C fmov fr15, fr4
  ROM:00017D9E fmov fr14, fr5
  ROM:00017DA0 mov.l #Table_Target_Boost, r4   <-- You jumped here
  ROM:00017DA2 fmov.s fr0, @r13
  ROM:00017DA4 jsr @r14 ; loc_2150             <-- Calc 3D table function call
  ```

- Go to the line `mov.l #loc_????, r14` and then jump to its data xref. You should see something like this:

  ```
  ROM:00017F8C off_17F8C: .data.l loc_2150 ; DATA XREF: sub_17D42+4E
  ```

The mod enable switch address is `0x00017F8C`; write it down, you will need it later when making the XML definitions file.

The calc 3D function address is `0x00002150`; define the `ORIG_CALC_3D_FUNCTION_ADDRESS` symbol.

Now find the address of the cruise control on/off variable:

- Go to the `SsmGet_Switches_63_64_65_66_67_132_68_133` function address. You should see something like this:

  ```
  ROM:0004ECE2 SsmGet_Switches_63_64_65_66_67_132_68_133:
  ROM:0004ECE2 ; DATA XREF: ROM:PtrSsmGet_Switches_63_64_65_66_67_132_68_133
  ROM:0004ECE2 sts.l pr, @-r15            <-- You jumped here
  ROM:0004ECE4 mov.l #sub_254C8, r3
  ROM:0004ECE6 add #unk_FFFFFFE4, r15
  ROM:0004ECE8 jsr @r3 ; sub_254C8
  ROM:0004ECEA nop
  ROM:0004ECEC mov.l #sub_1A00C, r3
  ROM:0004ECEE mov r15, r1
  ROM:0004ECF0 add #h'14, r1
  ROM:0004ECF2 jsr @r3 ; sub_1A00C         <-- You need this sub
  ```

- Jump to the second `jsr` call, in this example to `sub_1A00C`. You should see something like this:

  ```
  ROM:0001A00C sub_1A00C: ; CODE XREF: ROM:0004ECF2
  ROM:0001A00C ; sub_58E74+E
  ROM:0001A00C mov.l #unk_FFFF6508, r0     <-- You jumped here
  ROM:0001A00E mov.b @r0, r0
  ROM:0001A010 tst #h'10, r0
  ROM:0001A012 movt r0
  ROM:0001A014 add #-1, r0
  ROM:0001A016 neg r0, r0
  ROM:0001A018 cmp/eq #1, r0
  ROM:0001A01A movt r0
  ROM:0001A01C rts
  ROM:0001A01E nop
  ```

  The address `0xFFFF6508` is the address of the cruise buttons flag; it holds which of the cruise buttons are pressed. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:

  ```
  ROM:000195C0 sts.l pr, @-r15
  ROM:000195C2 bsr sub_1965A     <-- You jumped here
  ROM:000195C4 nop
  ROM:000195C6 bsr sub_19866
  ROM:000195C8 nop
  ROM:000195CA bsr sub_198C4
  ROM:000195CC nop
  ROM:000195CE bra loc_199EC     <-- You need this call
  ROM:000195D0 lds.l @r15+, pr
  ```

- Jump to the last call address. You should see something like this:

  ```
  ROM:000199EC loc_199EC: ; CODE XREF: sub_195C0+E
  ROM:000199EC sts.l pr, @-r15            <-- You jumped here
  ROM:000199EE add #unk_FFFFFFF4, r15
  ROM:000199F0 mov.l #unk_FFFF7E20, r3
  ROM:000199F2 mov.b @r3, r0
  ROM:000199F4 mov.l #sub_27FA4, r2
  ROM:000199F6 jsr @r2 ; sub_27FA4
  ROM:000199F8 mov.b r0, @(h'14+var_10,r15)
  ROM:000199FA mov.l #sub_27F8C, r3
  ROM:000199FC jsr @r3 ; sub_27F8C
  ROM:000199FE mov.b r0, @(h'14+var_C,r15)
  ROM:00019A00 mov.b r0, @r15
  ROM:00019A02 mov.l #unk_FFFF650C, r6
  ROM:00019A04 mov.l #unk_FFFF6508, r5    <-- Cruise buttons flag
  ROM:00019A06 mov.l #unk_FFFF6509, r4
  ROM:00019A08 mov.l #unk_FFFF650A, r0
  ROM:00019A0A mov.b @r0, r0
  ROM:00019A0C and #1, r0
  ROM:00019A0E extu.b r0, r0
  ROM:00019A10 tst r0, r0
  ROM:00019A12 bf/s loc_19A24
  ROM:00019A14 nop
  ROM:00019A16 mov.b @r4, r0
  ROM:00019A18 and #h'FD, r0
  ROM:00019A1A mov.b r0, @r4
  ROM:00019A1C mov.b @r5, r0
  ROM:00019A1E and #h'BF, r0
  ROM:00019A20 bra loc_19B14
  ROM:00019A22 mov.b r0, @r5
  ROM:00019A24 ; ---------------------------------------------------------------------------
  ROM:00019A24
  ROM:00019A24 loc_19A24: ; CODE XREF: sub_195C0+452
  ROM:00019A24 mov.l #unk_FFFF6662, r7    <-- Cruise system on/off flag, you need this address
  ```

Note that for SH7055 this subroutine may differ slightly. So the address of the cruise system on/off flag in this example is `0xFFFF6662`. Define the `P_CRUISE_STATE_ADDRESS` symbol in the header file.

Earlier ROMs set a bit when cruise is disabled and clear it when cruise is enabled, so use this definition:

```c
#define P_CRUISE_STATE_MASK_CRUISE_DISABLED ((unsigned char)8)
```

Now you need to define the `ROM_HOLE` symbol for the ROM hole address (unused space in ROM) and the `RAM_HOLE` symbol for the RAM hole address (unused space in RAM). You need to examine the disassembled ROM and find ROM and RAM regions with no xrefs to them. Keep in mind that the 2Boost mod takes about 1Kb. Also keep in mind that the SH7055 CPU has less RAM and ROM than the SH7058.

Define the `TBL_TARGET_BOOST2_X_AXIS` symbol. Copy the numbers from the Throttle Plate Opening Angle header column of the Target Boost table in Raw Value mode.

Define the `TBL_TARGET_BOOST2_Y_AXIS` symbol. Copy the numbers from the Engine Speed header row of the Target Boost table.

Define the table size: define `TARGET_BOOST_X_COUNT` and `TARGET_BOOST_Y_COUNT` corresponding to the number of values copied above.
### Later ROMs

Create `include\YOUR-CALID.h`.

Define the `CALID` symbol; it is needed by the version string.

In the ROM find the `Table_Target_Boost` address and define the `ORIG_TABLE_TARGET_BOOST_ADDRESS` symbol.

Find the address of the calc 3D table function and the 2Boost mod enable switch address:

- Jump to the `Table_Target_Boost` address.
- Jump to the xref to the `Table_Target_Boost` address. You should see something like this:

  ```
  ROM:00013F50 mov.l #Table_Target_Boost_, r4   <-- You jumped here
  ROM:00013F52 mov.l #sub_BE8F8, r2             <-- Calc 3D table function address
  ROM:00013F54 jsr @r2 ; sub_BE8F8               <-- Calc 3D table function call
  ROM:00013F56 nop
  ```

- Go to the line `mov.l #sub_????, r2` and then jump to its data xref. You should see something like this:

  ```
  ROM:00014024 off_14024: .data.l sub_BE8F8 ; DATA XREF: sub_13F24+2E
  ```

The mod enable switch address is `0x00014024`; write it down, you will need it later when making the XML definitions file.

The calc 3D function address is `0x000BE8F8`; define the `ORIG_CALC_3D_FUNCTION_ADDRESS` symbol.

Now find the address of the cruise control on/off variable:

- Go to the `SsmGet_Switches_63_64_65_66_67_132_68_133` function address. You should see something like this:

  ```
  ROM:0005396E mov.l r12, @-r15            <-- You jumped here
  ROM:00053970 mov.l r13, @-r15
  ROM:00053972 mov.l r14, @-r15
  ROM:00053974 add #byte_FFFFFFFC, r15
  ROM:00053976 mov.l #unk_FFFF67F3, r6
  ROM:00053978 mov.b @r6, r0
  ROM:0005397A mov.l #unk_FFFF620D, r5
  ROM:0005397C mov.b @r5, r5
  ROM:0005397E mov.l #unk_FFFF620A, r4     <-- Coast button address
  ROM:00053980 mov.b @r4, r4
  ROM:00053982 mov.l #unk_FFFF620B, r1     <-- Resume button flag address
  ROM:00053984 mov.b @r1, r1
  ROM:00053986 mov.l #unk_FFFF620C, r7     <-- Brake flag address
  ROM:00053988 mov.b @r7, r7
  ROM:0005398A mov.l #unk_FFFF6210, r2     <-- *
  ROM:0005398C mov.b @r2, r13
  ROM:0005398E mov.l #unk_FFFF6209, r2     <-- Cruise button flag address
  ROM:00053990 mov.b @r2, r14
  ```

  Take a look at the address marked with a star, `0xFFFF6210`. Usually the cruise on/off flag is located two bytes further, in this example at `0xFFFF6212`.

  There is also the usual way to find the cruise on/off flag address. Address `0xFFFF6209` is the address of the cruise buttons flag; it holds whether the cruise button is pressed. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:

  ```
  ROM:00018878 sts.l pr, @-r15
  ROM:0001887A bsr sub_188DC     <-- You jumped here
  ROM:0001887C nop
  ROM:0001887E bsr sub_189C8
  ROM:00018880 nop
  ROM:00018882 bsr sub_18A08
  ROM:00018884 nop
  ROM:00018886 bra loc_18AC0     <-- You need this call
  ROM:00018888 lds.l @r15+, pr
  ```

- Jump to the last call address. You should see something like this:

  ```
  ROM:00018AC0 loc_18AC0: ; CODE XREF: sub_18878
  ROM:00018AC0 stc.l gbr, @-r15             <-- You jumped here
  ROM:00018AC2 mov.l #byte_FFFF620F, r0     <-- GBR base address
  ROM:00018AC4 ldc r0, gbr
  ROM:00018AC6 add #byte_FFFFFFE8, r15
  ROM:00018AC8 mov.l #byte_FFFF88D0, r6
  ROM:00018ACA mov.b @r6, r2
  ROM:00018ACC mov.l #dword_FFFF23DC, r6
  ROM:00018ACE mov.b @r6, r6
  ROM:00018AD0 mov.l #dword_FFFF2398, r5
  ROM:00018AD2 mov.b @r5, r5
  ROM:00018AD4 mov.l #dword_FFFF6408, r1
  ROM:00018AD6 mov.b @r1, r1
  ROM:00018AD8 mov.b @(h'B,gbr), r0
  ROM:00018ADA tst r0, r0
  ROM:00018ADC bt loc_18B5C
  ROM:00018ADE mov.l #byte_FFFF63B0, r7
  ROM:00018AE0 mov.b @r7, r0
  ROM:00018AE2 cmp/eq #1, r0
  ROM:00018AE4 bt loc_18B52
  ROM:00018AE6 mov.l #byte_FFFF63AF, r7
  ROM:00018AE8 mov.b @r7, r0
  ROM:00018AEA cmp/eq #1, r0
  ROM:00018AEC bt loc_18B52
  ROM:00018AEE extu.b r1, r7
  ROM:00018AF0 mov r7, r0
  ROM:00018AF2 cmp/eq #1, r0
  ROM:00018AF4 bt loc_18B52
  ROM:00018AF6 extu.b r6, r0
  ROM:00018AF8 cmp/eq #1, r0
  ROM:00018AFA bt loc_18B52
  ROM:00018AFC extu.b r5, r0
  ROM:00018AFE cmp/eq #1, r0
  ROM:00018B00 bt loc_18B52
  ROM:00018B02 mov.b @(h'2D,gbr), r0
  ROM:00018B04 mov.l r0, @r15
  ROM:00018B06 extu.b r0, r0
  ROM:00018B08 cmp/eq #1, r0
  ROM:00018B0A bf loc_18B10
  ROM:00018B0C tst r7, r7
  ROM:00018B0E bt loc_18B5C
  ROM:00018B10
  ROM:00018B10 loc_18B10: ; CODE XREF: sub_18878+292
  ROM:00018B10 tst r2, r2
  ROM:00018B12 bf loc_18B5C
  ROM:00018B14 mov.l #dword_FFFF640C, r6
  ROM:00018B16 mov.b @r6, r0
  ROM:00018B18 cmp/eq #1, r0
  ROM:00018B1A bt loc_18B5C
  ROM:00018B1C mov.b @(h'2C,gbr), r0
  ROM:00018B1E tst r0, r0
  ROM:00018B20 bf/s loc_18B64
  ROM:00018B22 mov.l r0, @(h'20+var_1C,r15)
  ROM:00018B24 mov.b @(2,gbr), r0
  ROM:00018B26 mov.l r0, @(h'20+var_18,r15)
  ROM:00018B28 extu.b r0, r0
  ROM:00018B2A cmp/eq #1, r0
  ROM:00018B2C bf loc_18B64
  ROM:00018B2E mov.b @(h'2E,gbr), r0
  ROM:00018B30 mov.l r0, @(h'20+var_14,r15)
  ROM:00018B32 extu.b r0, r0
  ROM:00018B34 cmp/eq #1, r0
  ROM:00018B36 bf loc_18B64
  ROM:00018B38 mov.b @(h'2F,gbr), r0
  ROM:00018B3A mov.l r0, @(h'20+var_10,r15)
  ROM:00018B3C extu.b r0, r0
  ROM:00018B3E cmp/eq #1, r0
  ROM:00018B40 bf loc_18B64
  ROM:00018B42 mov.b @(3,gbr), r0            <-- Cruise on/off flag address
  ROM:00018B44 mov.l r0, @(h'20+var_C,r15)
  ROM:00018B46 extu.b r0, r0
  ROM:00018B48 cmp/eq #1, r0
  ROM:00018B4A bt/s loc_18B5C
  ROM:00018B4C mov #1, r0
  ROM:00018B4E bra loc_18B5E
  ROM:00018B50 nop
  ROM:00018B52 ; ---------------------------------------------------------------------------
  ROM:00018B52
  ROM:00018B52 loc_18B52: ; CODE XREF: sub_18878+26C
  ROM:00018B52 ; sub_18878+274
  ROM:00018B52 mov #0, r0
  ROM:00018B54 mov.b r0, @(3,gbr)            <-- Cruise on/off flag address
  ROM:00018B56 mov #1, r0
  ROM:00018B58 bra loc_18B64
  ROM:00018B5A mov.b r0, @(0,gbr)
  ROM:00018B5C ; ---------------------------------------------------------------------------
  ROM:00018B5C
  ROM:00018B5C loc_18B5C: ; CODE XREF: sub_18878+264
  ROM:00018B5C ; sub_18878+296
  ROM:00018B5C mov #0, r0
  ROM:00018B5E
  ROM:00018B5E loc_18B5E: ; CODE XREF: sub_18878+2D6
  ROM:00018B5E mov.b r0, @(3,gbr)            <-- Cruise on/off flag address
  ROM:00018B60 mov #0, r0
  ROM:00018B62 mov.b r0, @(0,gbr)
  ROM:00018B64
  ROM:00018B64 loc_18B64: ; CODE XREF: sub_18878+2A8
  ROM:00018B64 ; sub_18878+2B4
  ROM:00018B64 mov.b @(2,gbr), r0
  ROM:00018B66 mov.b r0, @(h'2C,gbr)
  ROM:00018B68 mov r1, r0
  ROM:00018B6A mov.b r0, @(h'2D,gbr)
  ROM:00018B6C add #h'18, r15
  ROM:00018B6E rts
  ROM:00018B70 ldc.l @r15+, gbr
  ```

To calculate the cruise on/off flag address, add the corresponding offset to GBR. In this example `0xFFFF620F + 0x3 = 0xFFFF6212`, so the cruise on/off flag address is `0xFFFF6212`. Define the `P_CRUISE_STATE_ADDRESS` symbol in the header file.

Later ROMs set 1 when cruise is enabled and 0 when cruise is disabled, so use this definition:

```c
#define P_CRUISE_STATE_MASK_CRUISE_ENABLED ((unsigned char)1)
```

Now you need to define the `ROM_HOLE` symbol for the ROM hole address (unused space in ROM) and the `RAM_HOLE` symbol for the RAM hole address (unused space in RAM). You need to examine the disassembled ROM and find ROM and RAM regions with no xrefs to them. Keep in mind that the 2Boost mod takes about 1Kb.

Define the `TBL_TARGET_BOOST2_X_AXIS` symbol. Copy the numbers from the Throttle Plate Opening Angle header column of the Target Boost table in Raw Value mode.

Define the `TBL_TARGET_BOOST2_Y_AXIS` symbol. Copy the numbers from the Engine Speed header row of the Target Boost table.

Define the table size: define `TARGET_BOOST_X_COUNT` and `TARGET_BOOST_Y_COUNT` corresponding to the number of values copied above.
## Creating definitions

Build the ROM as described in the How to build section. Take a look at the addresses of the objects; you will need them when creating the defs.

First create a base definitions file for your CAL ID:

- Copy the regular defs for your CAL ID to the `RR_2BOOST.xml` file. Do not copy the `32BITBASE` part.
- Only if you are using a definitions file from 2Boost version 2 or later, set `base` to `2BOOST BASE`, e.g. `<rom base="2BOOST BASE">`. Skip this step if you are using a definitions file from 2Boost version 1.x.
- Rename `xmlid` from `<xmlid>CALID</xmlid>` to `<xmlid>2Boost CALID</xmlid>`.
- Delete the `internalidaddress` and `internalidstring` tags.

Then create definitions for your CAL ID:

- Make a copy of the base definitions for your CAL ID you just created.
- Set `base` to `2Boost CALID`, for example `<rom base="2Boost A8DH100P">`.
- Rename `xmlid` to `<xmlid>2Boost CALID MAJOR_VERSION</xmlid>`, where MAJOR_VERSION is the major version number, for example `0001` for 2Boost ver 1.x.
- Set the `internalidaddress` tag to the address of the `_VERSION` object.
- Set the `internalidstring` tag identical to the `xmlid` tag.
- Delete all tables from this definition.
- Add the `Boost Hack` table definition. Set its `storageaddress` tag to the mod enable switch address you wrote down in the "Creating header file" step. Set `data` for the enable state equal to the ROM Hole address, and `data` for the disable state equal to the calc 3D function address.
- Add a table named "Target Boost map 2" if you have a 512Kb ROM and "Target Boost map 2 " (with a space at the end) if you have a 1Mb ROM. Use the addresses from the build script output. Specify the correct table size.
## Testing definitions

Test your defs:

- Open the patched ROM and open the `Boost Hack` table. The switch should be in the disabled state. If it is not, something went wrong and you should check the `Boost Hack` table def.
- Open the Target Boost map 2 table. Check that it is displayed correctly.
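The same check can be done outside RomRaider. The following is an added example, not the 2Boost project's or this wiki's code: it reads the big-endian `.data.l` pointer at the mod enable switch address and reports whether the switch still points at the original calc 3D function (disabled, the expected state of a freshly built ROM) or at ROM_HOLE (enabled), or at something else (the def's `storageaddress` or `data` values do not match the ROM). The switch and calc 3D addresses are the later-ROM values from this page; the ROM_HOLE value, the 1 MiB ROM size and the `demo_*` names are assumptions made for the constructed sample.

```c
/* Added example, not 2Boost project code: checks the Boost Hack switch state
 * in a ROM image. The mod enable switch is the .data.l slot the calc 3D call
 * loads its target from; the RomRaider def flips that slot between the
 * original calc 3D function (disabled) and ROM_HOLE (enabled). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum boost_hack_state { BH_DISABLED = 0, BH_ENABLED = 1, BH_UNKNOWN = -1, BH_OUT_OF_RANGE = -2 };

/* SH-2 ROMs store .data.l pointers big-endian. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void write_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Reports which of the two def values the switch slot holds. Any other value
 * means storageaddress or the data values of the Boost Hack def do not match
 * this ROM, which is the "something went wrong" case of the test step. */
int boost_hack_state(const uint8_t *rom, size_t rom_len, uint32_t switch_addr,
                     uint32_t calc3d_addr, uint32_t rom_hole_addr) {
    if (switch_addr > rom_len || rom_len - switch_addr < 4) return BH_OUT_OF_RANGE;
    uint32_t ptr = read_be32(rom + switch_addr);
    if (ptr == calc3d_addr) return BH_DISABLED;
    if (ptr == rom_hole_addr) return BH_ENABLED;
    return BH_UNKNOWN;
}

/* Constructed 1 MiB stand-in ROM using the later-ROM example addresses from
 * this page (switch slot 0x14024, calc 3D function 0xBE8F8). ROM_HOLE 0xF0000
 * is a hypothetical value chosen for the example, not a real ROM hole. */
#define DEMO_ROM_SIZE 0x100000u
#define DEMO_SWITCH   0x14024u
#define DEMO_CALC3D   0xBE8F8u
#define DEMO_ROM_HOLE 0xF0000u
static uint8_t demo_rom[DEMO_ROM_SIZE];

/* variant: 0 = freshly patched ROM (switch disabled), 1 = switch enabled,
 * 2 = slot holds an unrelated value (wrong storageaddress in the def). */
int demo_state(int variant) {
    memset(demo_rom, 0xFF, sizeof demo_rom);   /* erased flash reads as 0xFF */
    uint32_t slot = variant == 0 ? DEMO_CALC3D : variant == 1 ? DEMO_ROM_HOLE : 0x12345678u;
    write_be32(demo_rom + DEMO_SWITCH, slot);
    return boost_hack_state(demo_rom, sizeof demo_rom, DEMO_SWITCH, DEMO_CALC3D, DEMO_ROM_HOLE);
}
```

On a real image, pass the ROM file contents and the three addresses from your header and def; an `BH_UNKNOWN` result before you ever enable the switch means the def is wrong, not the ROM.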
Enable the `Boost Hack` switch and test the patched ROM with the HEW simulator, simsh or whatever you prefer. Ensure that the program calls the 2Boost patch and successfully returns, or else you will brick your ECU. More detailed instructions are beyond the scope of this manual.

## Logger definitions

Add the cruise on/off flag address you found earlier to the logger defs.

Mod variable addresses start at the `RAM_HOLE` address you defined earlier. Add them to the logger defs.