How to add new CAL ID to project (2Boost version 3.x) - aalesv/2boost GitHub Wiki
This manual assumes that you are familiar with ROM disassembly, RomRaider definitions editing etc.
There are two major types of ROMs for SH7055/SH7058 based ECUs that differs significantly - earlier (found on Forester S11 and Legacy B13) and later (found on Forester S13, Legacy B14, Impreza G12/G22). One of the differences is the way that ROM stores and processes cruise state variable. In earlier ROMs a bit in variable is set when cruise control is disabled and cleared when enabled. In later ROMs variable equals 1 when cruise enabled and 0 when it's disabled. That's why different code should be used for these ROMs. This is controlled by defining corresponding symbols different for earlier and later ROMs.
Disassemble ROM. Then mark up ROM, for example with XmlToIdc.exe
Creating header file for earlier ROM
Creating header file for later ROM
Create include\target\YOUR-CALID.h
Define CALID
symbol, it's needed by version string.
In ROM find Table_Target_Boost
address, define ORIG_TABLE_TARGET_BOOST_ADDRESS
symbol.
Define table size. Define TARGET_BOOST_X_COUNT and TARGET_BOOST_Y_COUNT.
Find address for calc 3D table function and 2Boost mod enable switch address:
-
Jump to
Table_Target_Boost
address -
Jump to xref to
Table_Target_Boost
address, you should see something like that:
ROM:00017D90 mov.l #loc_2150, r14 <-- Calc 3D table function address ROM:00017D92 bf/s loc_17DB0 ROM:00017D94 nop ROM:00017D96 fmov fr14, fr5 ROM:00017D98 mov.l #word_84334, r4 ROM:00017D9A jsr @r14 ; loc_2150 <-- Calc 3D table function call ROM:00017D9C fmov fr15, fr4 ROM:00017D9E fmov fr14, fr5 ROM:00017DA0 mov.l #Table_Target_Boost, r4 <-- You jumped here ROM:00017DA2 fmov.s fr0, @r13 ROM:00017DA4 jsr @r14 ; loc_2150 <-- Calc 3D table function call
- Go to line
mov.l #loc_????, r14
and then jump to data xref from. You should see something like this:
ROM:00017F8C off_17F8C: .data.l loc_2150 ; DATA XREF: sub_17D42+4E
Mod enable switch address is 0x00017F8C
, write it down - you'll need it later for making XML definitions file.
Calc 3D function address is 0x00002150
, define ORIG_CALC_3D_FUNCTION_ADDRESS
symbol.
Do the same for other 3D tables (and hacks) - Initial WGDC, Max WGDC, Primary Open Loop table(s), Base Timing table(s), Intake AVCS table(s), Throttle Target Plate Position table(s), Requested Torque (Accelerator Pedal) table(s).
Do the same for 2D tables (and hacks) - Throttle Tip-in Enrichment table(s). Find calc 2d function address and define ORIG_CALC_2D_FLOAT_TO_FLOAT_FUNCTION_ADDRESS
symbol in header file.
Now find address for Enable Speed Density
switch:
-
Go to
Table_MAF_Sensor_Scaling
address, defineORIG_TABLE_MAF_ADDRESS
symbol in header file. -
Jump to xref to
Table_MAF_Sensor_Scaling
address, you should see something like that:
ROM:000082B8 sts.l pr, @-r15 ROM:000082BA mov.l #unk_FFFF5BFE, r4 ROM:000082BC mova flt_830C, r0 ROM:000082BE mov.w @r4, r4 ROM:000082C0 fmov.s @r0, fr2 ROM:000082C2 extu.w r4, r4 ROM:000082C4 mov.l #loc_209C, r3 <-- Calc 2D table function address ROM:000082C6 lds r4, fpul ROM:000082C8 mov.l #Table_MAF_Sensor_Scaling, r4 <-- You jumped here ROM:000082CA float fpul, fr3 ROM:000082CC fmov fr3, fr4 ROM:000082CE jsr @r3 <-- Calc 2D function call ROM:000082D0 fmul fr2, fr4 ROM:000082D2 mov.l #unk_FFFF5CD0, r2 ROM:000082D4 lds.l @r15+, pr ROM:000082D6 rts ROM:000082D8 fmov.s fr0, @r2
- Go to line
mov.l #loc_????, r3
and then jump to data xref from. You should see something like this:
ROM:00008314 dword_8314: .data.l loc_209C ; DATA XREF: sub_82B8+C
Enable Speed Density
switch address is 0x00008314
, write it down - you'll need it later for making XML definitions file.
Find addressess for manifold pressure, engine speed and intake air temperature variables. They are located at SSM routines P7
, P8
and P11
respectively. Define P_MANIFOLD_PRESSURE_ADDRESS
, P_ENGINE_SPEED_ADDRESS
and P_IAT_ADDRESS
symbols in header file.
Find throttle angle change variable address and define P_THROTTLE_ANGLE_CHANGE_ADDRESS
symbol in header file. It's located in throttle tip-in calculation routine.
To enable Speed Density define SPEED_DENSITY
symbol:
#define SPEED_DENSITY
Now find address for cruise control on/off variable:
- Go to
SsmGet_Switches_63_64_65_66_67_132_68_133
function address. You should see something like this:
ROM:0004ECE2 SsmGet_Switches_63_64_65_66_67_132_68_133: ROM:0004ECE2 ; DATA XREF: ROM:PtrSsmGet_Switches_63_64_65_66_67_132_68_133 ROM:0004ECE2 sts.l pr, @-r15 <-- You jumped here ROM:0004ECE4 mov.l #sub_254C8, r3 ROM:0004ECE6 add #unk_FFFFFFE4, r15 ROM:0004ECE8 jsr @r3 ; sub_254C8 ROM:0004ECEA nop ROM:0004ECEC mov.l #sub_1A00C, r3 ROM:0004ECEE mov r15, r1 ROM:0004ECF0 add #h'14, r1 ROM:0004ECF2 jsr @r3 ; sub_1A00C <-- You need this sub
- Jump to the second
jsr
call, in this example tosub_1A00C
. You should see something like this:
ROM:0001A00C sub_1A00C: ; CODE XREF: ROM:0004ECF2 ROM:0001A00C ; sub_58E74+E ROM:0001A00C mov.l #unk_FFFF6508, r0 <-- You jumped here ROM:0001A00E mov.b @r0, r0 ROM:0001A010 tst #h'10, r0 ROM:0001A012 movt r0 ROM:0001A014 add #-1, r0 ROM:0001A016 neg r0, r0 ROM:0001A018 cmp/eq #1, r0 ROM:0001A01A movt r0 ROM:0001A01C rts ROM:0001A01E nop
This address 0xFFFF6508
is an address for cruise buttons flag - it contains information which of cruise buttons are pressed or unpressed. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:
ROM:000195C0 sts.l pr, @-r15 ROM:000195C2 bsr sub_1965A <-- You jumped here ROM:000195C4 nop ROM:000195C6 bsr sub_19866 ROM:000195C8 nop ROM:000195CA bsr sub_198C4 ROM:000195CC nop ROM:000195CE bra loc_199EC <-- You need this call ROM:000195D0 lds.l @r15+, pr
- Jump to the last call address. You should see something like this:
ROM:000199EC loc_199EC: ; CODE XREF: sub_195C0+E ROM:000199EC sts.l pr, @-r15 <-- You jumped here ROM:000199EE add #unk_FFFFFFF4, r15 ROM:000199F0 mov.l #unk_FFFF7E20, r3 ROM:000199F2 mov.b @r3, r0 ROM:000199F4 mov.l #sub_27FA4, r2 ROM:000199F6 jsr @r2 ; sub_27FA4 ROM:000199F8 mov.b r0, @(h'14+var_10,r15) ROM:000199FA mov.l #sub_27F8C, r3 ROM:000199FC jsr @r3 ; sub_27F8C ROM:000199FE mov.b r0, @(h'14+var_C,r15) ROM:00019A00 mov.b r0, @r15 ROM:00019A02 mov.l #unk_FFFF650C, r6 ROM:00019A04 mov.l #unk_FFFF6508, r5 <-- Cruise buttons flag ROM:00019A06 mov.l #unk_FFFF6509, r4 ROM:00019A08 mov.l #unk_FFFF650A, r0 ROM:00019A0A mov.b @r0, r0 ROM:00019A0C and #1, r0 ROM:00019A0E extu.b r0, r0 ROM:00019A10 tst r0, r0 ROM:00019A12 bf/s loc_19A24 ROM:00019A14 nop ROM:00019A16 mov.b @r4, r0 ROM:00019A18 and #h'FD, r0 ROM:00019A1A mov.b r0, @r4 ROM:00019A1C mov.b @r5, r0 ROM:00019A1E and #h'BF, r0 ROM:00019A20 bra loc_19B14 ROM:00019A22 mov.b r0, @r5 ROM:00019A24 ; --------------------------------------------------------------------------- ROM:00019A24 ROM:00019A24 loc_19A24: ; CODE XREF: sub_195C0+452 ROM:00019A24 mov.l #unk_FFFF6662, r7 <-- Cruise system on/off flag, you need this address
Note that for SH7055 this subroutine may slightly differ. So, the address for cruise system on/off flag in this example is 0xFFFF6662
. Define P_CRUISE_STATE_ADDRESS
symbol in header file.
Earlier ROMs set a bit when cruise is disabled and clear it when cruise is enabled so use this definition
#define P_CRUISE_STATE_MASK_CRUISE_DISABLED ((unsigned char)8)
Now find the address for cruise cancel button state:
- Go to
SsmGet_Switches_148_149_x_150_151_152_153_154
function address. You should see something like this:
ROM:0004E5F6 SsmGet_Switches_148_149_x_150_151_152_153_154: ROM:0004E5F6 ; DATA XREF: ROM:PtrSsmGet_Switches_148_149_x_150_151_152_153_154o ROM:0004E5F6 sts.l pr, @-r15 <-- You jumped here ROM:0004E5F8 mov.l #sub_18DA0, r3 ROM:0004E5FA add #unk_FFFFFFF4, r15 ROM:0004E5FC jsr @r3 ; sub_18DA0 ROM:0004E5FE nop ROM:0004E600 mov.l #sub_18DAC, r3 ROM:0004E602 jsr @r3 ; sub_18DAC ROM:0004E604 mov.b r0, @(4,r15) ROM:0004E606 mov.l #sub_1A098, r3 ROM:0004E608 jsr @r3 ; sub_1A098 <-- You need this sub ROM:0004E60A mov.b r0, @r15
- Jump to the third
jsr
call, in this example tosub_1A098
. You should see something like this:
ROM:0001A098 mov.l #h'FFFF650B, r0 <-- Cruise Cancel button flag ROM:0001A09A mov.b @r0, r0 ROM:0001A09C tst #h'40, r0 ROM:0001A09E movt r0 ROM:0001A0A0 add #-1, r0 ROM:0001A0A2 neg r0, r0 ROM:0001A0A4 cmp/eq #1, r0 ROM:0001A0A6 movt r0 ROM:0001A0A8 rts ROM:0001A0AA nop
Note that for SH7055 this subroutine may slightly differ. So, the address for cruise cancel button flag in this example is 0xFFFF650B
. Define P_CRUISE_CANCEL_SWITCH_ADDRESS
symbol in header file.
Define P_CRUISE_CANCEL_SWITCH_MASK
symbol:
#define P_CRUISE_CANCEL_SWITCH_MASK (0x40)
Find address for accelerator pedal angle variable. It's located at SSM routine P30
. Define P_ACCELERATOR_PEDAL_ANGLE_ADDRESS
symbol in header file.
Now you need to define ROM_HOLE
symbol for ROM hole address (unused space in ROM) and RAM_HOLE
symbol for RAM hole address (unused space in RAM). You need to examine disassembled ROM and find ROM and RAM regions without xrefs to them. Keep in mind that 2Boost mod takes several Kbytes. Also keep in mind that SH7055 CPU has less RAM and ROM than SH7058.
Put RAM_HOLE definition in CALID.h file, for example:
#define RAM_HOLE (0xFFFF9900)
Put ROM_HOLE definition in include\target\CALID.txt
(this file will be included by linker), for example:
ROM_HOLE = 0x0008F000;
Create include\target\YOUR-CALID.h
Define CALID
symbol, it's needed by version string.
In ROM find Table_Target_Boost
address, define ORIG_TABLE_TARGET_BOOST_ADDRESS
symbol.
Define table size. Define TARGET_BOOST_X_COUNT and TARGET_BOOST_Y_COUNT corresponding to numbers count above.
Find address for calc 3D table function and 2Boost mod enable switch address:
-
Jump to Table_Target_Boost address
-
Jump to xref to Table_Target_Boost address, you should see something like that:
ROM:00013F50 mov.l #Table_Target_Boost_, r4 <-- You jumped here ROM:00013F52 mov.l #sub_BE8F8, r2 <-- Calc 3D table function address ROM:00013F54 jsr @r2 ; sub_BE8F8 <-- Calc 3D table function call ROM:00013F56 nop
- Go to line
mov.l #sub_????, r2
and then jump to data xref from. You should see something like this:
ROM:00014024 off_14024: .data.l sub_BE8F8 ; DATA XREF: sub_13F24+2E
Mod enable switch address is 0x00014024
, write it down - you'll need it later for making XML definitions file.
Calc 3D function address is 0x000BE8F8
, define ORIG_CALC_3D_FUNCTION_ADDRESS
symbol.
Do the same for other tables - Initial WGDC, Max WGDC, Primary Open Loop table(s), Base Timing table(s), Intake AVCS table(s), Exhaust AVCS table(s) (if exist), Throttle Target Plate Position table(s) (only for non-Si-Drive ROMS because Si-Drive ROMs already have Requested Torque (Accelerator Pedal) tables for each Si-Drive mode, and throttle position can be set up with help of those tables).
Do the same for 2D tables (and hacks) - Throttle Tip-in Enrichment table(s). Find calc 2d function address and define ORIG_CALC_2D_FLOAT_TO_FLOAT_FUNCTION_ADDRESS
symbol in header file.
Now find address for Enable Speed Density
switch:
-
Go to
Table_MAF_Sensor_Scaling
address, defineORIG_TABLE_MAF_ADDRESS
symbol in header file. -
Jump to xref to
Table_MAF_Sensor_Scaling
address, you should see something like that:
ROM:0000498C sts.l pr, @-r15 ROM:0000498E mov.l #word_FFFF4042, r4 ROM:00004990 mova h'49E0, r0 ROM:00004992 mov.w @r4, r4 ROM:00004994 fmov.s @r0, fr2 ROM:00004996 extu.w r4, r4 ROM:00004998 mov.l #sub_BE844, r3 <-- Calc 2D table function address ROM:0000499A lds r4, fpul ROM:0000499C mov.l #Table_MAF_Sensor_Scaling, r4 ROM:0000499E float fpul, fr3 ROM:000049A0 fmov fr3, fr4 ROM:000049A2 jsr @r3 ; sub_BE844 <-- Calc 2D function call ROM:000049A4 fmul fr2, fr4 ROM:000049A6 mov.l #dword_FFFF40B4, r2 ROM:000049A8 lds.l @r15+, pr ROM:000049AA rts ROM:000049AC fmov.s fr0, @r2
- Go to line
mov.l #sub_????, r3
and then jump to data xref from. You should see something like this:
ROM:000049E8 off_49E8: .data.l sub_BE844 ; DATA XREF: sub_498C+C
Enable Speed Density
switch address is 0x000049E8
, write it down - you'll need it later for making XML definitions file.
Find addressess for manifold pressure, engine speed and intake air temperature variables. They are located at SSM routines P7
, P8
and P11
respectively. Define P_MANIFOLD_PRESSURE_ADDRESS
, P_ENGINE_SPEED_ADDRESS
and P_IAT_ADDRESS
symbols in header file.
Find throttle angle change variable address and define P_THROTTLE_ANGLE_CHANGE_ADDRESS
symbol in header file. It's located in throttle tip-in calculation routine.
To enable Speed Density define SPEED_DENSITY
symbol:
#define SPEED_DENSITY
Now find address for cruise control on/off variable:
- Go to
SsmGet_Switches_63_64_65_66_67_132_68_133
function address. You should see something like this:
ROM:0005396E mov.l r12, @-r15 <-- You jumped here ROM:00053970 mov.l r13, @-r15 ROM:00053972 mov.l r14, @-r15 ROM:00053974 add #byte_FFFFFFFC, r15 ROM:00053976 mov.l #unk_FFFF67F3, r6 ROM:00053978 mov.b @r6, r0 ROM:0005397A mov.l #unk_FFFF620D, r5 ROM:0005397C mov.b @r5, r5 ROM:0005397E mov.l #unk_FFFF620A, r4 <-- Coast button address ROM:00053980 mov.b @r4, r4 ROM:00053982 mov.l #unk_FFFF620B, r1 <-- Resume button flag address ROM:00053984 mov.b @r1, r1 ROM:00053986 mov.l #unk_FFFF620C, r7 <-- Brake flag address ROM:00053988 mov.b @r7, r7 ROM:0005398A mov.l #unk_FFFF6210, r2 <-- * ROM:0005398C mov.b @r2, r13 ROM:0005398E mov.l #unk_FFFF6209, r2 <-- Cruise button flag address ROM:00053990 mov.b @r2, r14
Take a look at address marked with star - 0xFFFF6210
. Usually cruise on/off flag locates two bytes further, in this example at 0xFFFF6212
.
There is also a usual way to find cruise on/off flag address. Address 0xFFFF6209
is an address for cruise buttons flag - it contains information if cruise button is pressed or not. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:
ROM:00018878 sts.l pr, @-r15 ROM:0001887A bsr sub_188DC <-- You jumped here ROM:0001887C nop ROM:0001887E bsr sub_189C8 ROM:00018880 nop ROM:00018882 bsr sub_18A08 ROM:00018884 nop ROM:00018886 bra loc_18AC0 <-- You need this call ROM:00018888 lds.l @r15+, pr
- Jump to the last call address. You should see something like this:
ROM:00018AC0 loc_18AC0: ; CODE XREF: sub_18878 ROM:00018AC0 stc.l gbr, @-r15 <-- You jumped here ROM:00018AC2 mov.l #byte_FFFF620F, r0 <-- GBR base address ROM:00018AC4 ldc r0, gbr ROM:00018AC6 add #byte_FFFFFFE8, r15 ROM:00018AC8 mov.l #byte_FFFF88D0, r6 ROM:00018ACA mov.b @r6, r2 ROM:00018ACC mov.l #dword_FFFF23DC, r6 ROM:00018ACE mov.b @r6, r6 ROM:00018AD0 mov.l #dword_FFFF2398, r5 ROM:00018AD2 mov.b @r5, r5 ROM:00018AD4 mov.l #dword_FFFF6408, r1 ROM:00018AD6 mov.b @r1, r1 ROM:00018AD8 mov.b @(h'B,gbr), r0 ROM:00018ADA tst r0, r0 ROM:00018ADC bt loc_18B5C ROM:00018ADE mov.l #byte_FFFF63B0, r7 ROM:00018AE0 mov.b @r7, r0 ROM:00018AE2 cmp/eq #1, r0 ROM:00018AE4 bt loc_18B52 ROM:00018AE6 mov.l #byte_FFFF63AF, r7 ROM:00018AE8 mov.b @r7, r0 ROM:00018AEA cmp/eq #1, r0 ROM:00018AEC bt loc_18B52 ROM:00018AEE extu.b r1, r7 ROM:00018AF0 mov r7, r0 ROM:00018AF2 cmp/eq #1, r0 ROM:00018AF4 bt loc_18B52 ROM:00018AF6 extu.b r6, r0 ROM:00018AF8 cmp/eq #1, r0 ROM:00018AFA bt loc_18B52 ROM:00018AFC extu.b r5, r0 ROM:00018AFE cmp/eq #1, r0 ROM:00018B00 bt loc_18B52 ROM:00018B02 mov.b @(h'2D,gbr), r0 ROM:00018B04 mov.l r0, @r15 ROM:00018B06 extu.b r0, r0 ROM:00018B08 cmp/eq #1, r0 ROM:00018B0A bf loc_18B10 ROM:00018B0C tst r7, r7 ROM:00018B0E bt loc_18B5C ROM:00018B10 ROM:00018B10 loc_18B10: ; CODE XREF: sub_18878+292 ROM:00018B10 tst r2, r2 ROM:00018B12 bf loc_18B5C ROM:00018B14 mov.l #dword_FFFF640C, r6 ROM:00018B16 mov.b @r6, r0 ROM:00018B18 cmp/eq #1, r0 ROM:00018B1A bt loc_18B5C ROM:00018B1C mov.b @(h'2C,gbr), r0 ROM:00018B1E tst r0, r0 ROM:00018B20 bf/s loc_18B64 ROM:00018B22 mov.l r0, @(h'20+var_1C,r15) ROM:00018B24 mov.b @(2,gbr), r0 ROM:00018B26 mov.l r0, @(h'20+var_18,r15) ROM:00018B28 extu.b r0, r0 ROM:00018B2A cmp/eq #1, r0 ROM:00018B2C bf loc_18B64 ROM:00018B2E mov.b @(h'2E,gbr), r0 ROM:00018B30 mov.l r0, @(h'20+var_14,r15) ROM:00018B32 extu.b r0, r0 ROM:00018B34 cmp/eq #1, r0 ROM:00018B36 bf loc_18B64 ROM:00018B38 mov.b @(h'2F,gbr), r0 ROM:00018B3A mov.l r0, @(h'20+var_10,r15) ROM:00018B3C extu.b r0, r0 ROM:00018B3E cmp/eq #1, r0 ROM:00018B40 bf loc_18B64 ROM:00018B42 mov.b @(3,gbr), r0 <-- Cruise on/off flag address ROM:00018B44 mov.l r0, @(h'20+var_C,r15) ROM:00018B46 extu.b r0, r0 ROM:00018B48 cmp/eq #1, r0 ROM:00018B4A bt/s loc_18B5C ROM:00018B4C mov #1, r0 ROM:00018B4E bra loc_18B5E ROM:00018B50 nop ROM:00018B52 ; --------------------------------------------------------------------------- ROM:00018B52 ROM:00018B52 loc_18B52: ; CODE XREF: sub_18878+26C ROM:00018B52 ; sub_18878+274 ROM:00018B52 mov #0, r0 ROM:00018B54 mov.b r0, @(3,gbr) <-- Cruise on/off flag address ROM:00018B56 mov #1, r0 ROM:00018B58 bra loc_18B64 ROM:00018B5A mov.b r0, @(0,gbr) ROM:00018B5C ; --------------------------------------------------------------------------- ROM:00018B5C ROM:00018B5C loc_18B5C: ; CODE XREF: sub_18878+264 ROM:00018B5C ; sub_18878+296 ROM:00018B5C mov #0, r0 ROM:00018B5E ROM:00018B5E loc_18B5E: ; CODE XREF: sub_18878+2D6 ROM:00018B5E mov.b r0, @(3,gbr) <-- Cruise on/off flag address ROM:00018B60 mov #0, r0 ROM:00018B62 mov.b r0, @(0,gbr) ROM:00018B64 ROM:00018B64 loc_18B64: ; CODE XREF: sub_18878+2A8 ROM:00018B64 ; sub_18878+2B4 ROM:00018B64 mov.b @(2,gbr), r0 ROM:00018B66 mov.b r0, @(h'2C,gbr) ROM:00018B68 mov r1, r0 ROM:00018B6A mov.b r0, @(h'2D,gbr) ROM:00018B6C add #h'18, r15 ROM:00018B6E rts ROM:00018B70 ldc.l @r15+, gbr
To calculate cruise on/off flag address add corresponding offset to GBR. In this example 0xFFFF620F + 0x3 = 0xFFFF6212
. So cruise on/off flag address is 0xFFFF6212
. Define P_CRUISE_STATE_ADDRESS
symbol in header file
Later ROMs set 1 when cruise is enabled and 0 when cruise is disabled so use this definition
#define P_CRUISE_STATE_MASK_CRUISE_ENABLED ((unsigned char)1)
If ROM supports Si-Drive, find address for Si-Drive switch state.
- Go to
SsmGet_SIDrive_Mode_P114
function address. You should see something like this:
ROM:0005350C SsmGet_SIDrive_Mode_P114: ; DATA XREF: ROM:PtrSsmGet_SIDrive_Mode_P114 ROM:0005350C mov.l #unk_FFFF611E, r2 ROM:0005350E rts ROM:00053510 mov.b @r2, r0
Si-Drive switch address is 0xFFFF611E
, define P_SI_DRVIE_STATE_ADDRESS
symbol.
Now find the address for cruise cancel button state:
- Go to
SsmGet_Switches_148_149_x_150_151_152_153_154
function address. You should see something like this:
ROM:00053384 SsmGet_Switches_148_149_x_150_151_152_153_154: ROM:00053384 mov.l r9, @-r15 ROM:00053386 mov.l r12, @-r15 ROM:00053388 mov.l r13, @-r15 ROM:0005338A mov.l r14, @-r15 ROM:0005338C add #byte_FFFFFFFC, r15 ROM:0005338E mov.l #byte_FFFF5FE8, r6 ROM:00053390 mov.b @r6, r0 ROM:00053392 mov.l #word_FFFF5FEA, r5 ROM:00053394 mov.b @r5, r5 ROM:00053396 mov.l #byte_FFFF9BFE, r4 ROM:00053398 mov.b @r4, r4 ROM:0005339A mov.l #byte_FFFF621E, r1 <-- Address of the Cruise Cancel button state ROM:0005339C mov.b @r1, r13 <-- Put the value of the Cruise Cancel button state to r13 ROM:0005339E mov.l #byte_FFFF888A, r1 ROM:000533A0 mov.b @r1, r1 ROM:000533A2 mov.l #byte_FFFF88C3, r7 ROM:000533A4 mov.b @r7, r7 ROM:000533A6 mov.l #byte_FFFF621F, r9 ... ROM:00053404 ROM:00053404 loc_53404: ROM:00053404 mov.b r0, @r15 ROM:00053406 extu.b r13, r0 <-- Value of the Cruise Cancel button state ROM:00053408 cmp/eq #1, r0 ROM:0005340A mov.b @r15, r0 ROM:0005340C bf/s loc_53412 ROM:0005340E and #h'FE, r0 <-- Zero bit manipulation, S154 - the Cruise Cancel button state ROM:00053410 or #1, r0 ROM:00053412 ROM:00053412 loc_53412: ROM:00053412 mov.b r0, @r15 ROM:00053414 mov.b @r15, r2 ROM:00053416 extu.b r2, r0 ROM:00053418 add #4, r15 ROM:0005341A mov.l @r15+, r14 ROM:0005341C mov.l @r15+, r13 ROM:0005341E mov.l @r15+, r12 ROM:00053420 rts ROM:00053422 mov.l @r15+, r9
So, the address for cruise cancel button flag in this example is 0xFFFF621E
. Define P_CRUISE_CANCEL_SWITCH_ADDRESS
symbol in header file.
Define P_CRUISE_CANCEL_SWITCH_MASK
symbol:
#define P_CRUISE_CANCEL_SWITCH_MASK (1)
Find address for accelerator pedal angle variable. It's located at SSM routine P30
. Define P_ACCELERATOR_PEDAL_ANGLE_ADDRESS
symbol in header file.
Now you need to define ROM_HOLE
symbol for ROM hole address (unused space in ROM) and RAM_HOLE
symbol for RAM hole address (unused space in RAM). You need to examine disassembled ROM and find ROM and RAM regions without xrefs to them. Keep in mind that 2Boost mod takes several Kbytes.
Put RAM_HOLE definition in CALID.h file, for example:
#define RAM_HOLE (0xFFFFA900)
Put ROM_HOLE definition in include\target\CALID.txt
(this file will be included by linker), for example:
ROM_HOLE = 0x0008F000;
Build ROM as described in How to build section. Take a look at the addresses of objects, you'll need them when creating defs.
First create base definitions file for your CAL ID.
-
Copy regular defs for your CAL ID to
RR_2BOOST.xml
file. Do not copy32BITBASE
part. -
Set
base
to2BOOST BASE
, eq<rom base="2BOOST BASE">
-
Rename
xmlid
from<xmlid>CALID</xmlid>
to<xmlid>2Boost CALID</xmlid>
. -
Delete
internalidaddress
andinternalidstring
tags.
Then create definitions for your CAL ID.
-
Make a copy of base definitions for your CAL ID you just created
-
Set
base
to2Boost CALID
, for example<rom base="2BOOST A8DH100P">
-
Rename
xmlid
to<xmlid>2Boost CALID MAJOR_VERSION</xmlid>
, where MAJOR_VERSION is major version number, for example0002
for 2Boost ver 2.x -
Set
internalidaddress
tag to address of_VERSION
object -
Set
internalidstring
tag identical toxmlid
tag -
Delete all tables from this definition
-
Add
Map Switch Input
table. Getstorageaddress
from build script output. -
Add
Boost Target Hack
table definition. Setstorageaddress
tag to mod enable switch address you wrote down in the "Creating header file" step. Setdata
for enable state equal to ROM Hole address. Setdata
for disable state equal to calc 3D function address. -
Add tables named "Target Boost map 1" and "Target Boost map 2" if you have 512Kb ROM and "Target Boost map 1 " and "Target Boost map 2 " (with space at end) if you have 1Mb non-Si-Drive ROM and "Target Boost map SI-DRIVE Intelligent", "Target Boost map SI-DRIVE Sport" and "Target Boost map SI-DRIVE Sport Sharp" if your ROM supports Si-Drive. Use addresses from build script output. Specify correct table size.
-
Do the same with the rest of the tables. Set correct entry points for different types of hack - 2D, 3D, Mass Airflow.
Test your defs.
-
Open patched ROM, open
Boost Target Hack
table. Switch should be in disabled state. If it's not, something went wrong and you should checkBoost Target Hack
table def. -
Open Target Boost map tables. Check that it is displayed correctly.
-
Do the same with the rest of the tables.
Build test ROM for your CAL ID with make tests CALID='CALID' DOPATCH=-yes
command. Test subroutine is located after tables structures at the end of the patch. Debug vars are located after mod RAM variables. Run test subroutine and and test patched ROM with HEW simulator, simsh or whatever you prefer. Ensure that program calls 2Boost patch and successfully returns or else you'll brick your ECU.
More detail instructions are beyond the scope of this manual.
Add cruise on/off and Si-Drive flags address you found earlier to logger defs.
Mod variables addresses start at RAM_HOLE
address you defined earlier. Add them to logger defs.