How to add new CAL ID to project (2Boost version 4.x) - aalesv/2boost GitHub Wiki

This manual assumes that you are familiar with ROM disassembly, RomRaider definitions editing etc.

Introduction

There are two major types of ROMs for SH7055/SH7058-based ECUs, and they differ significantly: earlier (found on Forester S11 and Legacy B13) and later (found on Forester S13, Legacy B14, Impreza G12/G22). One of the differences is how the ROM stores and processes the cruise state variable. In earlier ROMs a bit in the variable is set when cruise control is disabled and cleared when it is enabled. In later ROMs the variable equals 1 when cruise is enabled and 0 when it is disabled. Because of this, earlier and later ROMs need different code, which is selected by defining different symbols for each type.

Preparation

Disassemble the ROM, then mark it up, for example with XmlToIdc.exe or DefToIdc.exe.

Creating header file for earlier ROM

Create include\target\YOUR-CALID.h

Define CALID symbol, it's needed by version string.

In ROM find Table_Target_Boost address, define ORIG_TABLE_TARGET_BOOST_ADDRESS symbol.

Define table size. Define TARGET_BOOST_X_COUNT and TARGET_BOOST_Y_COUNT.

Find address for calc 3D table function and 2Boost mod enable switch address:

  • Jump to Table_Target_Boost address

  • Jump to xref to Table_Target_Boost address. You should see something like this:

ROM:00017D90                 mov.l   #loc_2150, r14            <-- Calc 3D table function address
ROM:00017D92                 bf/s    loc_17DB0
ROM:00017D94                 nop
ROM:00017D96                 fmov    fr14, fr5
ROM:00017D98                 mov.l   #word_84334, r4
ROM:00017D9A                 jsr     @r14 ; loc_2150           <-- Calc 3D table function call
ROM:00017D9C                 fmov    fr15, fr4
ROM:00017D9E                 fmov    fr14, fr5
ROM:00017DA0                 mov.l   #Table_Target_Boost, r4   <-- You jumped here
ROM:00017DA2                 fmov.s  fr0, @r13
ROM:00017DA4                 jsr     @r14 ; loc_2150           <-- Calc 3D table function call

  • Go to line mov.l #loc_????, r14 and then jump to data xref from. You should see something like this:

ROM:00017F8C off_17F8C:      .data.l loc_2150        ; DATA XREF: sub_17D42+4E

Mod enable switch address is 0x00017F8C, write it down - you'll need it later for making XML definitions file.

Calc 3D function address is 0x00002150, define ORIG_CALC_3D_FUNCTION_ADDRESS symbol.

Do the same for other 3D tables (and hacks) - Initial WGDC, Max WGDC, Primary Open Loop table(s), Base Timing table(s), Intake AVCS table(s), Throttle Target Plate Position table(s), Requested Torque (Accelerator Pedal) table(s).

Do the same for 2D tables (and hacks) - Throttle Tip-in Enrichment table(s). Find calc 2d function address and define ORIG_CALC_2D_FLOAT_TO_FLOAT_FUNCTION_ADDRESS symbol in header file.

Now find address for Enable Speed Density switch:

  • Go to Table_MAF_Sensor_Scaling address, define ORIG_TABLE_MAF_ADDRESS symbol in header file.

  • Jump to xref to Table_MAF_Sensor_Scaling address. You should see something like this:

ROM:000082B8                 sts.l   pr, @-r15
ROM:000082BA                 mov.l   #unk_FFFF5BFE, r4
ROM:000082BC                 mova    flt_830C, r0
ROM:000082BE                 mov.w   @r4, r4
ROM:000082C0                 fmov.s  @r0, fr2
ROM:000082C2                 extu.w  r4, r4
ROM:000082C4                 mov.l   #loc_209C, r3                    <-- Calc 2D table function address
ROM:000082C6                 lds     r4, fpul
ROM:000082C8                 mov.l   #Table_MAF_Sensor_Scaling, r4    <-- You jumped here
ROM:000082CA                 float   fpul, fr3
ROM:000082CC                 fmov    fr3, fr4
ROM:000082CE                 jsr     @r3                              <-- Calc 2D function call
ROM:000082D0                 fmul    fr2, fr4
ROM:000082D2                 mov.l   #unk_FFFF5CD0, r2
ROM:000082D4                 lds.l   @r15+, pr
ROM:000082D6                 rts
ROM:000082D8                 fmov.s  fr0, @r2

  • Go to line mov.l #loc_????, r3 and then jump to data xref from. You should see something like this:

ROM:00008314 dword_8314:     .data.l loc_209C          ; DATA XREF: sub_82B8+C

Enable Speed Density switch address is 0x00008314, write it down - you'll need it later for making XML definitions file.
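The two switch lookups above (Target Boost and MAF scaling) can be cross-checked against the raw ROM image. This is an added example, not 2Boost project code: it decodes SH `mov.l @(disp,PC),Rn` loads and returns the literal-pool slot that holds the calc function pointer near a load of the table address. The table addresses and the table literal slots in the sample image are constructed; the instruction, switch and function addresses are the ones from the listings.

```python
import struct

# Function addresses taken from the listings above.
CALC_3D = 0x00002150
CALC_2D = 0x0000209C
# Table addresses are constructed placeholders (the page only shows symbol names).
TARGET_BOOST_TABLE = 0x00084400
MAF_TABLE = 0x00083000


def literal_loads(rom, value):
    """Find every `mov.l @(disp,PC),Rn` (opcode 0xDndd) whose literal-pool
    slot holds `value`. Returns [(instruction address, slot address)]."""
    hits = []
    for pc in range(0, len(rom) - 1, 2):            # SH instructions are 16-bit
        op = struct.unpack_from(">H", rom, pc)[0]
        if op >> 12 != 0xD:
            continue
        # PC-relative long load: slot = (PC & ~3) + 4 + disp * 4
        slot = (pc & ~3) + 4 + (op & 0xFF) * 4
        if slot + 4 <= len(rom) and struct.unpack_from(">I", rom, slot)[0] == value:
            hits.append((pc, slot))
    return hits


def switch_slots(rom, table_addr, func_addr, window=0x20):
    """Slots holding func_addr that are loaded within `window` bytes of a
    load of table_addr. Each slot is a candidate "switch" address."""
    func_loads = literal_loads(rom, func_addr)
    slots = set()
    for table_pc, _ in literal_loads(rom, table_addr):
        slots.update(slot for pc, slot in func_loads
                     if abs(pc - table_pc) <= window)
    return sorted(slots)


def build_sample_rom():
    """Constructed image: 0xFF fill plus the four loads and four literals."""
    rom = bytearray(b"\xff" * 0x18000)
    # Target Boost: loads at 0x17D90 (r14) and 0x17DA0 (r4), as in the listing.
    struct.pack_into(">H", rom, 0x17D90, 0xDE7E)    # mov.l #loc_2150, r14
    struct.pack_into(">H", rom, 0x17DA0, 0xD47B)    # mov.l #Table_Target_Boost, r4
    struct.pack_into(">I", rom, 0x17F8C, CALC_3D)   # off_17F8C (from the page)
    struct.pack_into(">I", rom, 0x17F90, TARGET_BOOST_TABLE)  # constructed slot
    # MAF scaling: loads at 0x82C4 (r3) and 0x82C8 (r4), as in the listing.
    struct.pack_into(">H", rom, 0x82C4, 0xD313)     # mov.l #loc_209C, r3
    struct.pack_into(">H", rom, 0x82C8, 0xD413)     # mov.l #Table_MAF_Sensor_Scaling, r4
    struct.pack_into(">I", rom, 0x8314, CALC_2D)    # dword_8314 (from the page)
    struct.pack_into(">I", rom, 0x8318, MAF_TABLE)  # constructed slot
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    for name, table, func in (("2Boost mod enable", TARGET_BOOST_TABLE, CALC_3D),
                              ("Enable Speed Density", MAF_TABLE, CALC_2D)):
        found = ", ".join(f"0x{s:08X}" for s in switch_slots(rom, table, func))
        print(f"{name} switch: {found}")
```

The sweep treats every 16-bit word as a possible instruction, so on a real image a hit is a candidate to confirm in the disassembler, not a final answer.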

Find addresses for manifold pressure, engine speed and intake air temperature variables. They are located at SSM routines P7, P8 and P11 respectively. Define P_MANIFOLD_PRESSURE_ADDRESS, P_ENGINE_SPEED_ADDRESS and P_IAT_ADDRESS symbols in header file.

Find throttle angle change variable address and define P_THROTTLE_ANGLE_CHANGE_ADDRESS symbol in header file. It's located in throttle tip-in calculation routine.

To enable Speed Density define SPEED_DENSITY symbol:

#define SPEED_DENSITY

Now find address for cruise control on/off variable:

  • Go to SsmGet_Switches_63_64_65_66_67_132_68_133 function address. You should see something like this:

ROM:0004ECE2 SsmGet_Switches_63_64_65_66_67_132_68_133:
ROM:0004ECE2                                         ; DATA XREF: ROM:PtrSsmGet_Switches_63_64_65_66_67_132_68_133
ROM:0004ECE2                 sts.l   pr, @-r15              <-- You jumped here
ROM:0004ECE4                 mov.l   #sub_254C8, r3
ROM:0004ECE6                 add     #unk_FFFFFFE4, r15
ROM:0004ECE8                 jsr     @r3 ; sub_254C8
ROM:0004ECEA                 nop
ROM:0004ECEC                 mov.l   #sub_1A00C, r3
ROM:0004ECEE                 mov     r15, r1
ROM:0004ECF0                 add     #h'14, r1
ROM:0004ECF2                 jsr     @r3 ; sub_1A00C        <-- You need this sub

  • Jump to the second jsr call, in this example to sub_1A00C. You should see something like this:

ROM:0001A00C sub_1A00C:                              ; CODE XREF: ROM:0004ECF2
ROM:0001A00C                                         ; sub_58E74+E
ROM:0001A00C                 mov.l   #unk_FFFF6508, r0   <-- You jumped here
ROM:0001A00E                 mov.b   @r0, r0
ROM:0001A010                 tst     #h'10, r0
ROM:0001A012                 movt    r0
ROM:0001A014                 add     #-1, r0
ROM:0001A016                 neg     r0, r0
ROM:0001A018                 cmp/eq  #1, r0
ROM:0001A01A                 movt    r0
ROM:0001A01C                 rts
ROM:0001A01E                 nop

The address 0xFFFF6508 is the address of the cruise buttons flag: it records which cruise buttons are pressed. It is also the address of the brake pedal switch flag. Write it down, you'll need it later. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:

ROM:000195C0                 sts.l   pr, @-r15
ROM:000195C2                 bsr     sub_1965A   <-- You jumped here
ROM:000195C4                 nop
ROM:000195C6                 bsr     sub_19866
ROM:000195C8                 nop
ROM:000195CA                 bsr     sub_198C4
ROM:000195CC                 nop
ROM:000195CE                 bra     loc_199EC  <-- You need this call
ROM:000195D0                 lds.l   @r15+, pr

  • Jump to the last call address. You should see something like this:

ROM:000199EC loc_199EC:                              ; CODE XREF: sub_195C0+E
ROM:000199EC                 sts.l   pr, @-r15              <-- You jumped here
ROM:000199EE                 add     #unk_FFFFFFF4, r15
ROM:000199F0                 mov.l   #unk_FFFF7E20, r3
ROM:000199F2                 mov.b   @r3, r0
ROM:000199F4                 mov.l   #sub_27FA4, r2
ROM:000199F6                 jsr     @r2 ; sub_27FA4
ROM:000199F8                 mov.b   r0, @(h'14+var_10,r15)
ROM:000199FA                 mov.l   #sub_27F8C, r3
ROM:000199FC                 jsr     @r3 ; sub_27F8C
ROM:000199FE                 mov.b   r0, @(h'14+var_C,r15)
ROM:00019A00                 mov.b   r0, @r15
ROM:00019A02                 mov.l   #unk_FFFF650C, r6
ROM:00019A04                 mov.l   #unk_FFFF6508, r5       <-- Cruise buttons flag, Brake pedal flag
ROM:00019A06                 mov.l   #unk_FFFF6509, r4
ROM:00019A08                 mov.l   #unk_FFFF650A, r0
ROM:00019A0A                 mov.b   @r0, r0
ROM:00019A0C                 and     #1, r0
ROM:00019A0E                 extu.b  r0, r0
ROM:00019A10                 tst     r0, r0
ROM:00019A12                 bf/s    loc_19A24
ROM:00019A14                 nop
ROM:00019A16                 mov.b   @r4, r0
ROM:00019A18                 and     #h'FD, r0
ROM:00019A1A                 mov.b   r0, @r4
ROM:00019A1C                 mov.b   @r5, r0
ROM:00019A1E                 and     #h'BF, r0
ROM:00019A20                 bra     loc_19B14
ROM:00019A22                 mov.b   r0, @r5
ROM:00019A24 ; ---------------------------------------------------------------------------
ROM:00019A24
ROM:00019A24 loc_19A24:                              ; CODE XREF: sub_195C0+452
ROM:00019A24                 mov.l   #unk_FFFF6662, r7        <-- Cruise system on/off flag, you need this address

Note that for SH7055 this subroutine may differ slightly. In this example the address of the cruise system on/off flag is 0xFFFF6662. Define the P_CRUISE_STATE_ADDRESS symbol in the header file.

Earlier ROMs set a bit when cruise is disabled and clear it when cruise is enabled, so use this definition:

#define P_CRUISE_STATE_MASK_CRUISE_DISABLED ((unsigned char)8)

Now find the address for cruise cancel button state:

  • Go to SsmGet_Switches_148_149_x_150_151_152_153_154 function address. You should see something like this:

ROM:0004E5F6 SsmGet_Switches_148_149_x_150_151_152_153_154:
ROM:0004E5F6                                         ; DATA XREF: ROM:PtrSsmGet_Switches_148_149_x_150_151_152_153_154o
ROM:0004E5F6                 sts.l   pr, @-r15              <-- You jumped here
ROM:0004E5F8                 mov.l   #sub_18DA0, r3
ROM:0004E5FA                 add     #unk_FFFFFFF4, r15
ROM:0004E5FC                 jsr     @r3 ; sub_18DA0
ROM:0004E5FE                 nop
ROM:0004E600                 mov.l   #sub_18DAC, r3
ROM:0004E602                 jsr     @r3 ; sub_18DAC
ROM:0004E604                 mov.b   r0, @(4,r15)
ROM:0004E606                 mov.l   #sub_1A098, r3
ROM:0004E608                 jsr     @r3 ; sub_1A098        <-- You need this sub
ROM:0004E60A                 mov.b   r0, @r15

  • Jump to the third jsr call, in this example to sub_1A098. You should see something like this:

ROM:0001A098                 mov.l   #h'FFFF650B, r0    <-- Cruise Cancel button flag
ROM:0001A09A                 mov.b   @r0, r0
ROM:0001A09C                 tst     #h'40, r0
ROM:0001A09E                 movt    r0
ROM:0001A0A0                 add     #-1, r0
ROM:0001A0A2                 neg     r0, r0
ROM:0001A0A4                 cmp/eq  #1, r0
ROM:0001A0A6                 movt    r0
ROM:0001A0A8                 rts
ROM:0001A0AA                 nop

Note that for SH7055 this subroutine may differ slightly. In this example the address of the cruise cancel button flag is 0xFFFF650B. Define the P_CRUISE_CANCEL_SWITCH_ADDRESS symbol in the header file.

Define P_CRUISE_CANCEL_SWITCH_MASK symbol:

#define P_CRUISE_CANCEL_SWITCH_MASK (0x40)

Find address for accelerator pedal angle variable. It's located at SSM routine P30. Define P_ACCELERATOR_PEDAL_ANGLE_ADDRESS symbol in header file.

Define P_BRAKE_PEDAL_SWITCH_ADDRESS with address of brake switch you found earlier.

Earlier ROMs set a bit when brake pedal is pressed, so use this definition:

#define P_BRAKE_PEDAL_SWITCH_MASK 8

Find addresses for CEL flash hacks. Go to address 0xFFFFF746. This is a CPU I/O port address. Then go to the last xref to this address. You should see something like this:

ROM:0007CC4C sub_7CC4C:                            ; CODE XREF: sub_7C612+Ap
ROM:0007CC4C
ROM:0007CC4C var_14          = -h'14
ROM:0007CC4C
ROM:0007CC4C                 mov.l   r14, @-r15
ROM:0007CC4E                 mov.l   r13, @-r15
ROM:0007CC50                 mov.l   r12, @-r15
ROM:0007CC52                 sts.l   pr, @-r15
ROM:0007CC54                 mov.l   #sub_4AE4, r12
ROM:0007CC56                 add     #unk_FFFFFFF8, r15
ROM:0007CC58                 mov.w   #PDDR_W, r13              <-- You jumped here
ROM:0007CC5A                 mov.w   #h'80, r14 ; 'А'
ROM:0007CC5C                 mov.l   #unk_FFFF8D3E, r3       <-- CEL flash status variable
ROM:0007CC5E                 mov.b   @r3, r0
ROM:0007CC60                 extu.b  r0, r0
ROM:0007CC62                 cmp/eq  #1, r0
ROM:0007CC64                 bf/s    loc_7CC7E
ROM:0007CC66                 nop
ROM:0007CC68                 mov.w   #h'E0, r5 ; 'р'
ROM:0007CC6A                 mov     r15, r4
ROM:0007CC6C                 mov.l   #loc_2088, r1
ROM:0007CC6E                 jsr     @r1 ; loc_2088
ROM:0007CC70                 add     #4, r4
ROM:0007CC72                 mov     #1, r6
ROM:0007CC74                 mov     r14, r5
ROM:0007CC76                 jsr     @r12 ; sub_4AE4
ROM:0007CC78                 mov     r13, r4
ROM:0007CC7A                 bra     loc_7CC90

This is CEL trigger routine.

Define P_CEL_LIGHT_STATUS_OEM_ADDRESS with address of CEL flash status variable.

Go to the xref from the CEL flash status variable. Write down the address you land on; you'll need it later in the definitions as the storageaddress of CEL Flash Hack #2.

Return to the CEL trigger routine and go to its start. Then go to the xref to this routine. You should see something like:

ROM:0007C612 sub_7C612:                              ; CODE XREF: sub_1453C+DC
ROM:0007C612                                         ; DATA XREF: sub_1453C+DA
ROM:0007C612                 sts.l   pr, @-r15
ROM:0007C614                 bsr     sub_7C63E
ROM:0007C616                 nop
ROM:0007C618                 bsr     sub_7C840
ROM:0007C61A                 nop
ROM:0007C61C                 bsr     sub_7CC4C              <-- You jumped here
ROM:0007C61E                 nop
ROM:0007C620                 mov.l   #unk_FFFF8D38, r4
ROM:0007C622                 mov.w   @r4, r2
ROM:0007C624                 extu.w  r2, r2
ROM:0007C626                 cmp/pl  r2
ROM:0007C628                 bf/s    loc_7C632
ROM:0007C62A                 nop
ROM:0007C62C                 mov.w   @r4, r2
ROM:0007C62E                 add     #-1, r2
ROM:0007C630                 mov.w   r2, @r4
ROM:0007C632
ROM:0007C632 loc_7C632:                              ; CODE XREF: sub_7C612+16j
ROM:0007C632                 mov.l   #unk_FFFF8D3F, r1
ROM:0007C634                 mov.l   #unk_FFFF8D40, r0
ROM:0007C636                 mov.b   @r1, r3
ROM:0007C638                 lds.l   @r15+, pr
ROM:0007C63A                 rts
ROM:0007C63C                 mov.b   r3, @r0

Go to the start of the routine. Define the ORIG_CEL_TRIGGER_OUTER_FUNCTION_ADDRESS symbol. Then go to the xref to this routine again. You should see something like:

ROM:00014610                 mov.l   #sub_589EC, r2
ROM:00014612                 jsr     @r2 ; sub_589EC
ROM:00014614                 nop
ROM:00014616                 mov.l   #sub_7C612, r3
ROM:00014618                 jsr     @r3 ; sub_7C612         <-- You jumped here
ROM:0001461A                 nop
ROM:0001461C                 mov.l   #sub_7DC9E, r2
ROM:0001461E                 jsr     @r2 ; sub_7DC9E
ROM:00014620                 nop

Go one line up and go to xref from. Write down the address you land on; you'll need it later to define the storageaddress of CEL Flash Hack #1.

Now you need to define the ROM_HOLE symbol for the ROM hole address (unused space in ROM) and the RAM_HOLE symbol for the RAM hole address (unused space in RAM). Examine the disassembled ROM and find ROM and RAM regions that have no xrefs to them. Keep in mind that the 2Boost mod takes several kilobytes. Also keep in mind that the SH7055 CPU has less RAM and ROM than the SH7058.

Put RAM_HOLE definition in CALID.h file, for example:

#define RAM_HOLE (0xFFFF9900)

Put ROM_HOLE definition in include\target\CALID.txt (this file will be included by linker), for example:

ROM_HOLE = 0x0008F000;
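A first-pass search for ROM_HOLE candidates and a literal check for a RAM_HOLE range, added here as an example (not 2Boost project code). It assumes unused ROM is left as erased flash (0xFF) and that references appear as 4-byte-aligned big-endian literals, as in the listings above; the sample image, its sizes and the required size are constructed.

```python
import re
import struct


def blank_runs(rom, min_size, fill=0xFF):
    """Runs of the fill byte at least min_size long, with the start rounded
    up to a 4-byte boundary. Returns [(start, length)]."""
    pattern = re.compile(re.escape(bytes([fill])) + b"{%d,}" % min_size)
    runs = []
    for m in pattern.finditer(rom):
        start = (m.start() + 3) & ~3
        length = m.end() - start
        if length >= min_size:
            runs.append((start, length))
    return runs


def pointers_into(rom, start, length):
    """Offsets of aligned 32-bit big-endian words whose value points into
    [start, start + length). Works for ROM and for RAM address ranges."""
    end = start + length
    return [off for off in range(0, len(rom) - 3, 4)
            if start <= struct.unpack_from(">I", rom, off)[0] < end]


def rom_hole_candidates(rom, need):
    """Blank runs of at least `need` bytes that no literal points into."""
    return [(start, length) for start, length in blank_runs(rom, need)
            if not pointers_into(rom, start, length)]


def build_sample_rom():
    """Constructed 8 KB image: nop filler, two blank regions, two literals."""
    rom = bytearray(b"\x00\x09" * 0x1000)
    rom[0x0800:0x1000] = b"\xff" * 0x800             # blank, but referenced below
    rom[0x1400:0x2000] = b"\xff" * 0xC00             # blank and unreferenced
    struct.pack_into(">I", rom, 0x100, 0x00000900)   # pointer into first region
    struct.pack_into(">I", rom, 0x104, 0xFFFF6508)   # RAM literal from the page
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    need = 0x800                                     # constructed size requirement
    for start, length in rom_hole_candidates(rom, need):
        print(f"ROM_HOLE candidate 0x{start:08X}, {length} bytes free")
    # RAM range check: 0x400 bytes from the page's example RAM_HOLE value.
    refs = pointers_into(rom, 0xFFFF9900, 0x400)
    print("RAM_HOLE literals:", [f"0x{off:08X}" for off in refs] or "none")
```

RAM accessed through GBR-relative or register-plus-displacement addressing leaves no literal, so a clean result narrows the search and still has to be confirmed in the disassembly.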

Creating header file for later ROM

Create include\target\YOUR-CALID.h

Define CALID symbol, it's needed by version string.

In ROM find Table_Target_Boost address, define ORIG_TABLE_TARGET_BOOST_ADDRESS symbol.

Define table size. Define TARGET_BOOST_X_COUNT and TARGET_BOOST_Y_COUNT corresponding to numbers count above.

Find address for calc 3D table function and 2Boost mod enable switch address:

  • Jump to Table_Target_Boost address

  • Jump to xref to Table_Target_Boost address. You should see something like this:

ROM:00013F50                 mov.l   #Table_Target_Boost_, r4    <-- You jumped here
ROM:00013F52                 mov.l   #sub_BE8F8, r2              <-- Calc 3D table function address
ROM:00013F54                 jsr     @r2 ; sub_BE8F8             <-- Calc 3D table function call
ROM:00013F56                 nop

  • Go to line mov.l #sub_????, r2 and then jump to data xref from. You should see something like this:

ROM:00014024 off_14024:      .data.l sub_BE8F8       ; DATA XREF: sub_13F24+2E

Mod enable switch address is 0x00014024, write it down - you'll need it later for making XML definitions file.

Calc 3D function address is 0x000BE8F8, define ORIG_CALC_3D_FUNCTION_ADDRESS symbol.

Do the same for other tables - Initial WGDC, Max WGDC, Primary Open Loop table(s), Base Timing table(s), Intake AVCS table(s), Exhaust AVCS table(s) (if exist), Throttle Target Plate Position table(s) (only for non-Si-Drive ROMS because Si-Drive ROMs already have Requested Torque (Accelerator Pedal) tables for each Si-Drive mode, and throttle position can be set up with help of those tables).

Do the same for 2D tables (and hacks) - Throttle Tip-in Enrichment table(s). Find calc 2d function address and define ORIG_CALC_2D_FLOAT_TO_FLOAT_FUNCTION_ADDRESS symbol in header file.

Now find address for Enable Speed Density switch:

  • Go to Table_MAF_Sensor_Scaling address, define ORIG_TABLE_MAF_ADDRESS symbol in header file.

  • Jump to xref to Table_MAF_Sensor_Scaling address. You should see something like this:

ROM:0000498C                 sts.l   pr, @-r15
ROM:0000498E                 mov.l   #word_FFFF4042, r4
ROM:00004990                 mova    h'49E0, r0
ROM:00004992                 mov.w   @r4, r4
ROM:00004994                 fmov.s  @r0, fr2
ROM:00004996                 extu.w  r4, r4
ROM:00004998                 mov.l   #sub_BE844, r3                    <-- Calc 2D table function address
ROM:0000499A                 lds     r4, fpul
ROM:0000499C                 mov.l   #Table_MAF_Sensor_Scaling, r4
ROM:0000499E                 float   fpul, fr3
ROM:000049A0                 fmov    fr3, fr4
ROM:000049A2                 jsr     @r3 ; sub_BE844                   <-- Calc 2D function call
ROM:000049A4                 fmul    fr2, fr4
ROM:000049A6                 mov.l   #dword_FFFF40B4, r2
ROM:000049A8                 lds.l   @r15+, pr
ROM:000049AA                 rts
ROM:000049AC                 fmov.s  fr0, @r2

  • Go to line mov.l #sub_????, r3 and then jump to data xref from. You should see something like this:

ROM:000049E8 off_49E8:       .data.l sub_BE844       ; DATA XREF: sub_498C+C

Enable Speed Density switch address is 0x000049E8, write it down - you'll need it later for making XML definitions file.

Find addresses for manifold pressure, engine speed and intake air temperature variables. They are located at SSM routines P7, P8 and P11 respectively. Define P_MANIFOLD_PRESSURE_ADDRESS, P_ENGINE_SPEED_ADDRESS and P_IAT_ADDRESS symbols in header file.

Find throttle angle change variable address and define P_THROTTLE_ANGLE_CHANGE_ADDRESS symbol in header file. It's located in throttle tip-in calculation routine.

To enable Speed Density define SPEED_DENSITY symbol:

#define SPEED_DENSITY

Now find address for cruise control on/off variable:

  • Go to SsmGet_Switches_63_64_65_66_67_132_68_133 function address. You should see something like this:

ROM:0005396E                 mov.l   r12, @-r15             <-- You jumped here
ROM:00053970                 mov.l   r13, @-r15
ROM:00053972                 mov.l   r14, @-r15
ROM:00053974                 add     #byte_FFFFFFFC, r15
ROM:00053976                 mov.l   #unk_FFFF67F3, r6
ROM:00053978                 mov.b   @r6, r0
ROM:0005397A                 mov.l   #unk_FFFF620D, r5
ROM:0005397C                 mov.b   @r5, r5
ROM:0005397E                 mov.l   #unk_FFFF620A, r4      <-- Coast button address
ROM:00053980                 mov.b   @r4, r4
ROM:00053982                 mov.l   #unk_FFFF620B, r1      <-- Resume button flag address
ROM:00053984                 mov.b   @r1, r1
ROM:00053986                 mov.l   #unk_FFFF620C, r7      <-- Brake flag address
ROM:00053988                 mov.b   @r7, r7
ROM:0005398A                 mov.l   #unk_FFFF6210, r2      <-- *
ROM:0005398C                 mov.b   @r2, r13
ROM:0005398E                 mov.l   #unk_FFFF6209, r2      <-- Cruise button flag address
ROM:00053990                 mov.b   @r2, r14

Write down Brake flag address, you'll need it later.

Take a look at the address marked with a star, 0xFFFF6210. Usually the cruise on/off flag is located two bytes further, in this example at 0xFFFF6212.

There is also the usual way to find the cruise on/off flag address. Address 0xFFFF6209 is the address of the cruise buttons flag: it records whether the cruise button is pressed. Jump to this address. Then jump to the first xref to this address. Go to the start of the subroutine. Jump to the first xref to this subroutine. You should see something like this:

ROM:00018878                 sts.l   pr, @-r15
ROM:0001887A                 bsr     sub_188DC   <-- You jumped here
ROM:0001887C                 nop
ROM:0001887E                 bsr     sub_189C8
ROM:00018880                 nop
ROM:00018882                 bsr     sub_18A08
ROM:00018884                 nop
ROM:00018886                 bra     loc_18AC0   <-- You need this call
ROM:00018888                 lds.l   @r15+, pr

  • Jump to the last call address. You should see something like this:

ROM:00018AC0 loc_18AC0:                              ; CODE XREF: sub_18878
ROM:00018AC0                 stc.l   gbr, @-r15            <-- You jumped here
ROM:00018AC2                 mov.l   #byte_FFFF620F, r0    <-- GBR base address
ROM:00018AC4                 ldc     r0, gbr
ROM:00018AC6                 add     #byte_FFFFFFE8, r15
ROM:00018AC8                 mov.l   #byte_FFFF88D0, r6
ROM:00018ACA                 mov.b   @r6, r2
ROM:00018ACC                 mov.l   #dword_FFFF23DC, r6
ROM:00018ACE                 mov.b   @r6, r6
ROM:00018AD0                 mov.l   #dword_FFFF2398, r5
ROM:00018AD2                 mov.b   @r5, r5
ROM:00018AD4                 mov.l   #dword_FFFF6408, r1
ROM:00018AD6                 mov.b   @r1, r1
ROM:00018AD8                 mov.b   @(h'B,gbr), r0
ROM:00018ADA                 tst     r0, r0
ROM:00018ADC                 bt      loc_18B5C
ROM:00018ADE                 mov.l   #byte_FFFF63B0, r7
ROM:00018AE0                 mov.b   @r7, r0
ROM:00018AE2                 cmp/eq  #1, r0
ROM:00018AE4                 bt      loc_18B52
ROM:00018AE6                 mov.l   #byte_FFFF63AF, r7
ROM:00018AE8                 mov.b   @r7, r0
ROM:00018AEA                 cmp/eq  #1, r0
ROM:00018AEC                 bt      loc_18B52
ROM:00018AEE                 extu.b  r1, r7
ROM:00018AF0                 mov     r7, r0
ROM:00018AF2                 cmp/eq  #1, r0
ROM:00018AF4                 bt      loc_18B52
ROM:00018AF6                 extu.b  r6, r0
ROM:00018AF8                 cmp/eq  #1, r0
ROM:00018AFA                 bt      loc_18B52
ROM:00018AFC                 extu.b  r5, r0
ROM:00018AFE                 cmp/eq  #1, r0
ROM:00018B00                 bt      loc_18B52
ROM:00018B02                 mov.b   @(h'2D,gbr), r0
ROM:00018B04                 mov.l   r0, @r15
ROM:00018B06                 extu.b  r0, r0
ROM:00018B08                 cmp/eq  #1, r0
ROM:00018B0A                 bf      loc_18B10
ROM:00018B0C                 tst     r7, r7
ROM:00018B0E                 bt      loc_18B5C
ROM:00018B10
ROM:00018B10 loc_18B10:                              ; CODE XREF: sub_18878+292
ROM:00018B10                 tst     r2, r2
ROM:00018B12                 bf      loc_18B5C
ROM:00018B14                 mov.l   #dword_FFFF640C, r6
ROM:00018B16                 mov.b   @r6, r0
ROM:00018B18                 cmp/eq  #1, r0
ROM:00018B1A                 bt      loc_18B5C
ROM:00018B1C                 mov.b   @(h'2C,gbr), r0
ROM:00018B1E                 tst     r0, r0
ROM:00018B20                 bf/s    loc_18B64
ROM:00018B22                 mov.l   r0, @(h'20+var_1C,r15)
ROM:00018B24                 mov.b   @(2,gbr), r0
ROM:00018B26                 mov.l   r0, @(h'20+var_18,r15)
ROM:00018B28                 extu.b  r0, r0
ROM:00018B2A                 cmp/eq  #1, r0
ROM:00018B2C                 bf      loc_18B64
ROM:00018B2E                 mov.b   @(h'2E,gbr), r0
ROM:00018B30                 mov.l   r0, @(h'20+var_14,r15)
ROM:00018B32                 extu.b  r0, r0
ROM:00018B34                 cmp/eq  #1, r0
ROM:00018B36                 bf      loc_18B64
ROM:00018B38                 mov.b   @(h'2F,gbr), r0
ROM:00018B3A                 mov.l   r0, @(h'20+var_10,r15)
ROM:00018B3C                 extu.b  r0, r0
ROM:00018B3E                 cmp/eq  #1, r0
ROM:00018B40                 bf      loc_18B64
ROM:00018B42                 mov.b   @(3,gbr), r0                  <-- Cruise on/off flag address
ROM:00018B44                 mov.l   r0, @(h'20+var_C,r15)
ROM:00018B46                 extu.b  r0, r0
ROM:00018B48                 cmp/eq  #1, r0
ROM:00018B4A                 bt/s    loc_18B5C
ROM:00018B4C                 mov     #1, r0
ROM:00018B4E                 bra     loc_18B5E
ROM:00018B50                 nop
ROM:00018B52 ; ---------------------------------------------------------------------------
ROM:00018B52
ROM:00018B52 loc_18B52:                              ; CODE XREF: sub_18878+26C
ROM:00018B52                                         ; sub_18878+274
ROM:00018B52                 mov     #0, r0
ROM:00018B54                 mov.b   r0, @(3,gbr)                  <-- Cruise on/off flag address
ROM:00018B56                 mov     #1, r0
ROM:00018B58                 bra     loc_18B64
ROM:00018B5A                 mov.b   r0, @(0,gbr)
ROM:00018B5C ; ---------------------------------------------------------------------------
ROM:00018B5C
ROM:00018B5C loc_18B5C:                              ; CODE XREF: sub_18878+264
ROM:00018B5C                                         ; sub_18878+296
ROM:00018B5C                 mov     #0, r0
ROM:00018B5E
ROM:00018B5E loc_18B5E:                              ; CODE XREF: sub_18878+2D6
ROM:00018B5E                 mov.b   r0, @(3,gbr)                  <-- Cruise on/off flag address
ROM:00018B60                 mov     #0, r0
ROM:00018B62                 mov.b   r0, @(0,gbr)
ROM:00018B64
ROM:00018B64 loc_18B64:                              ; CODE XREF: sub_18878+2A8
ROM:00018B64                                         ; sub_18878+2B4
ROM:00018B64                 mov.b   @(2,gbr), r0
ROM:00018B66                 mov.b   r0, @(h'2C,gbr)
ROM:00018B68                 mov     r1, r0
ROM:00018B6A                 mov.b   r0, @(h'2D,gbr)
ROM:00018B6C                 add     #h'18, r15
ROM:00018B6E                 rts
ROM:00018B70                 ldc.l   @r15+, gbr

To calculate the cruise on/off flag address, add the corresponding offset to GBR. In this example 0xFFFF620F + 0x3 = 0xFFFF6212, so the cruise on/off flag address is 0xFFFF6212. Define the P_CRUISE_STATE_ADDRESS symbol in the header file.

Later ROMs set 1 when cruise is enabled and 0 when cruise is disabled, so use this definition:

#define P_CRUISE_STATE_MASK_CRUISE_ENABLED ((unsigned char)1)
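The GBR-relative calculation above, carried out over the routine's bytes as an added example (not 2Boost project code): a linear sweep recovers the GBR base from the `mov.l` / `ldc` pair and lists every byte access through GBR with its absolute address and whether it is a read or a write. The sample image encodes only the GBR-related instructions of the listing at their listed addresses; the nop filler and the literal slot at 0x18B74 are constructed.

```python
import struct


def gbr_byte_accesses(rom, start, end):
    """Sweep [start, end) as 16-bit SH instructions. Returns
    (gbr_base, {absolute address: [(instruction address, "r" or "w")]}).
    No data-flow analysis: a register is only tracked from its PC-relative
    literal load to the ldc that copies it into GBR."""
    regs, gbr, seen = {}, None, {}
    for pc in range(start, end, 2):
        op = struct.unpack_from(">H", rom, pc)[0]
        if op >> 12 == 0xD:                          # mov.l @(disp,PC),Rn
            slot = (pc & ~3) + 4 + (op & 0xFF) * 4
            regs[(op >> 8) & 0xF] = struct.unpack_from(">I", rom, slot)[0]
        elif op & 0xF0FF == 0x401E:                  # ldc Rm,GBR
            gbr = regs.get((op >> 8) & 0xF)
        elif gbr is not None and op >> 8 in (0xC0, 0xC4):
            # 0xC0dd = mov.b R0,@(disp,GBR) (write)
            # 0xC4dd = mov.b @(disp,GBR),R0 (read)
            addr = (gbr + (op & 0xFF)) & 0xFFFFFFFF
            kind = "w" if op >> 8 == 0xC0 else "r"
            seen.setdefault(addr, []).append((pc, kind))
    return gbr, seen


def build_sample_routine():
    """Constructed image: nop filler plus selected instructions of loc_18AC0."""
    rom = bytearray(b"\x00\x09" * (0x18B80 // 2))
    listing = {
        0x18AC0: 0x4F13,   # stc.l gbr, @-r15
        0x18AC2: 0xD02C,   # mov.l #byte_FFFF620F, r0 (slot address constructed)
        0x18AC4: 0x401E,   # ldc r0, gbr
        0x18AD8: 0xC40B,   # mov.b @(h'B,gbr), r0
        0x18B42: 0xC403,   # mov.b @(3,gbr), r0
        0x18B54: 0xC003,   # mov.b r0, @(3,gbr)
        0x18B5A: 0xC000,   # mov.b r0, @(0,gbr)
        0x18B5E: 0xC003,   # mov.b r0, @(3,gbr)
        0x18B62: 0xC000,   # mov.b r0, @(0,gbr)
        0x18B70: 0x4F17,   # ldc.l @r15+, gbr
    }
    for addr, op in listing.items():
        struct.pack_into(">H", rom, addr, op)
    struct.pack_into(">I", rom, 0x18B74, 0xFFFF620F)  # GBR base from the page
    return bytes(rom)


if __name__ == "__main__":
    gbr, seen = gbr_byte_accesses(build_sample_routine(), 0x18AC0, 0x18B72)
    print(f"GBR base 0x{gbr:08X}")
    for addr in sorted(seen):
        sites = ", ".join(f"{kind}@0x{pc:05X}" for pc, kind in seen[addr])
        print(f"  0x{addr:08X} (GBR+0x{addr - gbr:X}): {sites}")
```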

If ROM supports Si-Drive, find address for Si-Drive switch state.

  • Go to SsmGet_SIDrive_Mode_P114 function address. You should see something like this:

ROM:0005350C SsmGet_SIDrive_Mode_P114:               ; DATA XREF: ROM:PtrSsmGet_SIDrive_Mode_P114
ROM:0005350C                 mov.l   #unk_FFFF611E, r2
ROM:0005350E                 rts
ROM:00053510                 mov.b   @r2, r0

Si-Drive switch address is 0xFFFF611E, define P_SI_DRVIE_STATE_ADDRESS symbol.

Now find the address for cruise cancel button state:

  • Go to SsmGet_Switches_148_149_x_150_151_152_153_154 function address. You should see something like this:

ROM:00053384 SsmGet_Switches_148_149_x_150_151_152_153_154:
ROM:00053384                 mov.l   r9, @-r15
ROM:00053386                 mov.l   r12, @-r15
ROM:00053388                 mov.l   r13, @-r15
ROM:0005338A                 mov.l   r14, @-r15
ROM:0005338C                 add     #byte_FFFFFFFC, r15
ROM:0005338E                 mov.l   #byte_FFFF5FE8, r6
ROM:00053390                 mov.b   @r6, r0
ROM:00053392                 mov.l   #word_FFFF5FEA, r5
ROM:00053394                 mov.b   @r5, r5
ROM:00053396                 mov.l   #byte_FFFF9BFE, r4
ROM:00053398                 mov.b   @r4, r4
ROM:0005339A                 mov.l   #byte_FFFF621E, r1   <-- Address of the Cruise Cancel button state
ROM:0005339C                 mov.b   @r1, r13             <-- Put the value of the Cruise Cancel button state to r13
ROM:0005339E                 mov.l   #byte_FFFF888A, r1
ROM:000533A0                 mov.b   @r1, r1
ROM:000533A2                 mov.l   #byte_FFFF88C3, r7
ROM:000533A4                 mov.b   @r7, r7
ROM:000533A6                 mov.l   #byte_FFFF621F, r9

...

ROM:00053404
ROM:00053404 loc_53404:
ROM:00053404                 mov.b   r0, @r15
ROM:00053406                 extu.b  r13, r0              <-- Value of the Cruise Cancel button state
ROM:00053408                 cmp/eq  #1, r0
ROM:0005340A                 mov.b   @r15, r0
ROM:0005340C                 bf/s    loc_53412
ROM:0005340E                 and     #h'FE, r0            <-- Zero bit manipulation, S154 - the Cruise Cancel button state
ROM:00053410                 or      #1, r0
ROM:00053412
ROM:00053412 loc_53412:
ROM:00053412                 mov.b   r0, @r15
ROM:00053414                 mov.b   @r15, r2
ROM:00053416                 extu.b  r2, r0
ROM:00053418                 add     #4, r15
ROM:0005341A                 mov.l   @r15+, r14
ROM:0005341C                 mov.l   @r15+, r13
ROM:0005341E                 mov.l   @r15+, r12
ROM:00053420                 rts
ROM:00053422                 mov.l   @r15+, r9

So, the address for cruise cancel button flag in this example is 0xFFFF621E. Define P_CRUISE_CANCEL_SWITCH_ADDRESS symbol in header file.

Define P_CRUISE_CANCEL_SWITCH_MASK symbol:

#define P_CRUISE_CANCEL_SWITCH_MASK (1)

Find address for accelerator pedal angle variable. It's located at SSM routine P30. Define P_ACCELERATOR_PEDAL_ANGLE_ADDRESS symbol in header file.

Define P_BRAKE_PEDAL_SWITCH_ADDRESS with address of brake switch you found earlier.

Later ROMs set 1 when the brake pedal is pressed and 0 when it is released, so use this definition:

#define P_BRAKE_PEDAL_SWITCH_MASK 1

Find addresses for CEL flash hacks. Go to address 0xFFFFF754. This is a CPU I/O port address. Then go to the last xref to this address. You should see something like this:

ROM:0007A9F8 sub_7A9F8:                            ; CODE XREF: pCelTrigger_Outer+A
ROM:0007A9F8
ROM:0007A9F8 var_C           = -h'C
ROM:0007A9F8
ROM:0007A9F8                 mov.l   r14, @-r15
ROM:0007A9FA                 sts.l   pr, @-r15
ROM:0007A9FC                 add     #byte_FFFFFFF8, r15
ROM:0007A9FE                 mov.l   #unk_FFFF9996, r6       <-- CEL flash status variable
ROM:0007AA00                 mov.b   @r6, r0
ROM:0007AA02                 mov.w   #PEDR_W, r14            <-- You jumped here
ROM:0007AA04                 cmp/eq  #1, r0
ROM:0007AA06                 bf      loc_7AA24

This is the CEL trigger routine.

Define P_CEL_LIGHT_STATUS_OEM_ADDRESS with address of CEL flash status variable.

Go to xref from CEL flash status variable. Write down the address you jump to; you'll need it later to define the storageaddress of CEL Flash Hack #2.

Return to the CEL trigger routine and go to its start. Then go to the xref to this routine. You should see something like:

ROM:0007A7AA sub_7A7AA:                              ; CODE XREF: ROM:0004245A
ROM:0007A7AA                                         ; DATA XREF: ROM:00042458
ROM:0007A7AA                 sts.l   pr, @-r15
ROM:0007A7AC                 bsr     sub_7A7D0
ROM:0007A7AE                 nop
ROM:0007A7B0                 bsr     sub_7A8B0
ROM:0007A7B2                 nop
ROM:0007A7B4                 bsr     sub_7A9F8            <-- You jumped here
ROM:0007A7B6                 nop
ROM:0007A7B8                 mov.l   #byte_FFFF9994, r5
ROM:0007A7BA                 mov.w   @r5, r2
ROM:0007A7BC                 extu.w  r2, r6
ROM:0007A7BE
ROM:0007A7BE loc_7A7BE:                              ; DATA XREF: ROM:0007A76A
ROM:0007A7BE                 cmp/pl  r6
ROM:0007A7C0                 bf      loc_7A7C8
ROM:0007A7C2                 mov.w   @r5, r2
ROM:0007A7C4                 add     #byte_FFFFFFFF, r2
ROM:0007A7C6                 mov.w   r2, @r5
ROM:0007A7C8
ROM:0007A7C8 loc_7A7C8:                              ; CODE XREF: pCelTrigger_Outer+16
ROM:0007A7C8                 mov.b   @(3,r5), r0
ROM:0007A7CA                 lds.l   @r15+, pr
ROM:0007A7CC                 rts
ROM:0007A7CE                 mov.b   r0, @(4,r5)

Go to the start of the routine. Define ORIG_CEL_TRIGGER_OUTER_FUNCTION_ADDRESS symbol. Then go to the xref to this routine again. You should see something like:

ROM:00042452                 mov.l   #sub_5D698, r2
ROM:00042454                 jsr     @r2 ; sub_5D698
ROM:00042456                 nop
ROM:00042458                 mov.l   #sub_7A7AA, r2
ROM:0004245A                 jsr     @r2 ; sub_7A7AA            <-- You jumped here
ROM:0004245C                 nop
ROM:0004245E                 mov.l   #sub_7BA70, r2
ROM:00042460                 jsr     @r2 ; sub_7BA70
ROM:00042462                 nop

Go one line up and go to xref from. Write down the address you jump to; you'll need it later to define the storageaddress of CEL Flash Hack #1.

Now you need to define ROM_HOLE symbol for ROM hole address (unused space in ROM) and RAM_HOLE symbol for RAM hole address (unused space in RAM). You need to examine disassembled ROM and find ROM and RAM regions without xrefs to them. Keep in mind that 2Boost mod takes several Kbytes.

Put RAM_HOLE definition in CALID.h file, for example:

#define RAM_HOLE (0xFFFFA900)

Put ROM_HOLE definition in include\target\CALID.txt (this file will be included by linker), for example:

ROM_HOLE = 0x0008F000;
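
A first pass over the ROM image can shortlist ROM hole candidates before you check them for xrefs in the disassembly. The script below is an added example, not part of the 2Boost project: it assumes unused flash reads as 0xFF, the sample image is constructed, and the function names are hypothetical. Every candidate still has to be confirmed as unreferenced in the disassembly.

```python
FILL = 0xFF  # assumption: unprogrammed flash reads as 0xFF


def find_holes(rom, min_size=0x1000, align=4):
    """Return [(start, length)] for runs of FILL at least min_size bytes long.

    start is rounded up to `align` so that code placed there is aligned.
    """
    holes, i, n = [], 0, len(rom)
    while i < n:
        if rom[i] != FILL:
            i += 1
            continue
        j = i
        while j < n and rom[j] == FILL:
            j += 1
        start = (i + align - 1) // align * align
        if j - start >= min_size:
            holes.append((start, j - start))
        i = j
    return holes


def hole_fits(holes, address, size):
    """True if [address, address + size) lies inside one candidate hole."""
    return any(s <= address and address + size <= s + l for s, l in holes)


def constructed_rom():
    """Constructed 1 MB sample image, not a real ROM dump."""
    rom = bytearray(b"\x00\x09" * 0x80000)     # stand-in for code and data
    rom[0x1000:0x1040] = b"\xFF" * 0x40        # short padding run, ignored
    rom[0x50002:0x51002] = b"\xFF" * 0x1000    # too small once aligned
    rom[0x8F000:0x92000] = b"\xFF" * 0x3000    # 12 KB erased region
    return bytes(rom)


if __name__ == "__main__":
    holes = find_holes(constructed_rom())
    for start, length in holes:
        print(f"candidate ROM hole 0x{start:08X}, {length} bytes")
    print("0x0008F000 holds 8 KB:", hole_fits(holes, 0x0008F000, 0x2000))
```

Set min_size to the size of the built patch plus some margin, since the mod takes several Kbytes.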

Building ROM

Build ROM as described in How to build section. Take a look at the addresses of objects, you'll need them when creating defs.

Creating RomRaider definitions

First create base definitions file for your CAL ID.

  • Copy regular defs for your CAL ID to RR_2BOOST.xml file. Do not copy 32BITBASE part.

  • Set base to 2BOOST BASE, i.e. <rom base="2BOOST BASE">

  • Rename xmlid from <xmlid>CALID</xmlid> to <xmlid>2Boost CALID</xmlid>.

  • Delete internalidaddress and internalidstring tags.

Then create definitions for your CAL ID.

  • Make a copy of base definitions for your CAL ID you just created

  • Set base to 2Boost CALID, for example <rom base="2BOOST A8DH100P">

  • Rename xmlid to <xmlid>2Boost CALID MAJOR_VERSION</xmlid>, where MAJOR_VERSION is major version number, for example 0002 for 2Boost ver 2.x

  • Set internalidaddress tag to address of _VERSION object

  • Set internalidstring tag identical to xmlid tag

  • Delete all tables from this definition

  • Add Map Switch Input table. Get storageaddress from build script output.

  • Add Boost Target Hack table definition. Set storageaddress tag to mod enable switch address you wrote down in the "Creating header file" step. Set data for enable state equal to address of entry point (it prints during mod build process). Set data for disable state equal to calc 3D function address.

  • Add tables named "Target Boost map 1" and "Target Boost map 2" if you have 512Kb ROM and "Target Boost map 1 " and "Target Boost map 2 " (with space at end) if you have 1Mb non-Si-Drive ROM and "Target Boost map SI-DRIVE Intelligent", "Target Boost map SI-DRIVE Sport" and "Target Boost map SI-DRIVE Sport Sharp" if your ROM supports Si-Drive. Use addresses from build script output. Specify correct table size.

  • Do the same with the rest of the tables. Set correct entry points for different types of hack - 2D, 3D, Mass Airflow and CEL Flash.

  • CEL Flash Hack #2 substitutes variable, so do like you do with subroutines, but with the variable address.

Test your defs.

  • Open patched ROM, open Boost Target Hack table. Switch should be in disabled state. If it's not, something went wrong and you should check Boost Target Hack table def.

  • Open Target Boost map tables. Check that it is displayed correctly.

  • Do the same with the rest of the tables.
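
The identification tags of the versioned definition can also be checked against the patched ROM before opening it in RomRaider. This is an added example, not part of 2Boost or RomRaider: it assumes the usual romid layout, a hexadecimal internalidaddress, and that the _VERSION object holds the same text as xmlid. The definition snippet, the address 8F000 and the image are constructed.

```python
import xml.etree.ElementTree as ET


def check_romid(def_xml, rom, xmlid):
    """Return a list of problems with the <romid> of the definition named xmlid."""
    root = ET.fromstring(def_xml)
    for rom_el in root.iter("rom"):
        romid = rom_el.find("romid")
        if romid is not None and romid.findtext("xmlid") == xmlid:
            break
    else:
        return [f"no definition with xmlid {xmlid!r}"]
    id_string = romid.findtext("internalidstring")
    id_address = romid.findtext("internalidaddress")
    if id_string is None or id_address is None:
        return ["internalidaddress/internalidstring missing"]
    problems = []
    if id_string != xmlid:
        problems.append("internalidstring differs from xmlid")
    addr = int(id_address, 16)
    found = rom[addr:addr + len(id_string)]
    if found != id_string.encode("ascii"):
        problems.append(f"ROM at 0x{addr:X} holds {found!r}, not the id string")
    return problems


# Constructed definition; 8F000 stands in for the address of _VERSION.
CONSTRUCTED_DEF = """<roms>
  <rom base="2BOOST A8DH100P">
    <romid>
      <xmlid>2Boost A8DH100P 0004</xmlid>
      <internalidaddress>8F000</internalidaddress>
      <internalidstring>2Boost A8DH100P 0004</internalidstring>
    </romid>
  </rom>
</roms>"""


def constructed_image(version_text):
    """Constructed 1 MB image with version_text placed at 0x8F000."""
    rom = bytearray(0x100000)
    rom[0x8F000:0x8F000 + len(version_text)] = version_text
    return bytes(rom)


if __name__ == "__main__":
    xmlid = "2Boost A8DH100P 0004"
    print(check_romid(CONSTRUCTED_DEF, constructed_image(xmlid.encode()), xmlid))
```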

Test new ROM

Build test ROM for your CAL ID with make tests CALID='CALID' DOPATCH=-yes command. Test subroutine is located after tables structures at the end of the patch. Debug vars are located after mod RAM variables. Run the test subroutine and test the patched ROM with HEW simulator, simsh or whatever you prefer. Ensure that the program calls the 2Boost patch and returns successfully, or else you'll brick your ECU.

Update logger definitions

More detailed instructions are beyond the scope of this manual.

Add the cruise on/off and Si-Drive flag addresses you found earlier to the logger defs.

Mod variables addresses start at RAM_HOLE address you defined earlier. Add them to logger defs.
