1996 Impreza EJ15 ECU "Z1"

[b3lha]

I've recently been chatting with a guy called Alexander about his Impreza ECU. We've decided to take a look at it and see what we can discover. The main goal of the project is to find some parameter addresses that can be used with Evoscan or the VWRX software for datalogging.

This thread is to document what we are doing in the hope that it will be useful to others working on similar projects.

The ECU is an OBD1-type, ODB2 did not become standard in Europe until 2001.

[b3lha]

STEP 1

Alexander has built a cable to connect his PC to the Select Monitor connector of his car. Instructions for building this cable can be found on my website and several others.

STEP 2

Alexander has used my ecudump program to download the whole of the 64K ECU memory from 0000 to FFFF. The ROMID of this ECU was reported as 733F17.

STEP 3

Alexander has taken some photos of his ECU motherboard and identifed the CPU chip as a Hitachi HD6435328CP. (H8/500 series)

[b3lha]

STEP 4

We need some reference material. Time for some google searches. Alexander found the datasheet for the CPU. I found the disassembler and the programming manual.

I can't upload these to the forum because the maximum attachment size is too small.

[b3lha]

STEP 5

We need to discover the memory map of the ECU.

I've converted the ECU dump program to hex and written it to a text file. Now I can look at it in an ordinary text editor. On the left is the address, in the centre is the hex, and on the right is an ASCII representation of the hex (the ASCII is mostly meaningless).

At the start of memory, I see what looks like an Interrupt Vector Table. As a rule of thumb, the IVT is always at the start or end of the address space.

00000000   49 D0 49 D0 58 57 58 5D 49 D0 49 D0 49 D0 49 D0   I.I.XWX]I.I.I.I.
00000010   58 51 49 D0 49 D0 5B 7F FF FF FF FF FF FF FF FF   XQI.I.[.........

This is a list of 16bit addresses that tell the ECU which subroutine to execute when particular events occur. The first address in the table, 49D0, is most likely the reset vector, the point at which the ECU will start executing when you power it on. Several other vectors also point at 49D0, it is standard practice to point all unused vectors to the reset vector so that if anything unexpected happens, the ECU will reboot rather than crash.

Following on from that, we have what looks like program code from address 00C0 to address 5B91. You can tell it's code because it looks random.

000000C0   DE A8 1D FB BE 90 1D FB C0 91 19 A0 12 A0 10 DE   ................
000000D0   A8 A1 10 1D FB BE 90 15 FB C0 91 19 A9 13 D6 16   ................
000000E0   27 04 D6 B8 28 02 50 FF A0 81 19 AA 16 27 04 AA   '...(.P......'..
000000F0   B8 28 03 59 FF FF 19 D6 16 27 1C D6 30 25 0A A1   .(.Y.....'..0%..
00000100   A8 0C 00 80 20 A0 10 20 0C A0 14 A1 A8 0C 00 80   .... .. ........

Then we have FF bytes from 5B92 to 64FF, empty space.

At 6500, there is some data, it looks like a map of some kind. There is some kind of pattern to it.

00006500   18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18   ................
00006510   3C 3C 3C 3C 3C 3A 36 32 30 30 30 30 30 30 30 30   <<<<<:6200000000
00006520   46 44 42 3E 3E 3C 3C 3A 3A 38 38 38 38 38 36 36   FDB>><<::8888866
00006530   4E 4E 4A 4A 46 46 44 44 42 42 40 40 40 40 3E 3E   NNJJFFDDBB@@@@>>
00006540   64 60 5C 58 54 50 4E 4C 4A 4A 48 48 48 46 46 44   d`\XTPNLJJHHHFFD

There is lots of other data between here and 7FFF. Then it's back to FF characters, empty space from 8000 to FB7F.
FB80 to FFFF contains more data.

This matches exactly with the address space as described in the datasheet.
0000-7FFF is internal 32K ROM
8000-FB7F is unused.
FB80-FF7F is internal 1K RAM.
FF80-FFFF is memory-mapped I/O

Within the ROM,
0000-007F is the IVT.
00C0-5B91 is the ECU Code
6500-7FFF is the ECU Data

We now know that the parameters we are looking for are located somewhere between FB80 and FF7F.

[b3lha]

STEP 6

Now we disassemble the program code between 00C0 and 5B91.

DASMH85 -s ej15ecu.dat 00C0,5B91 > ej15ecu.txt

[b3lha]

STEP 7

The output from the disassembler was hard to read, so I've reformatted it with the address and opcodes on the left and the assembly code on the right. The way I prefer it. Then I searched through it looking for JSR and BSR instructions to identify the start of each subroutine and I split the code up so that each subroutine is in a separate file.

The next step is to try and figure out what some of these subroutines do. I really want to find the error handling routine, that flashes codes on the check engine light. If I can find the code that generates a MAF sensor error code (Code 23), for example, then I can find the MAF parameter. The same applies for some of the other parameters.

[b3lha]

I had a bit of good luck. While looking through the code of the reset vector subroutine, I discovered that there are some dynamic jumps. There is a table of addresses at 7B50. These are pointers to subroutines, although it accesses them via a JMP rather than a JSR. So I started splitting out those subroutines into separate files like I did with the others.

While doing that I found that one of them hadn't disassembled properly because some inline data at address 47B4 had thrown the assembler off course. Easy enough to fix.

Then I noticed that the inline data is 11,12,13,14,15,16,17,00,21,00,23,24,31,32,33,35,00,42,00,00,00,49,51,00.

These are the subaru check-engine error codes I was looking for. Now I know that they are at address 47B4, it's easy to find the subroutine that uses them: Func45A9. So the next step is to reverse engineer the subroutine.

[b3lha]

STEP 8

It looks to me like this Hitachi ECU encodes the errors in a similar way to the JECS ECU on my SVX. But that is just from reading the code, I haven't actually run it through a simulator or on paper to check.

I think the error codes are stored internally as bit flags in addresses FB85 through FB87.

FB85	n/a	Injector4(17)	Injector3(16)	Injector2(15)	Injector1(14)	CamSensor(13)	Starter(12)	CrankSensor(11)
FB86	PurgeSol(35)	SpeedSensor(33)	O2Sensor(32)	ThrottleSensor(31)	IdleSolenoid(24)	MAFsensor(23)	n/a	CoolantTemp(21)
FB87	n/a	IdleSW(42)	n/a	n/a	n/a	AIRsensor(49)	NeutralSW(51)	n/a

So, for example, a value of 0x41 in FB86 would indicate errors with the "SpeedSensor (code 33)" and the "Coolant Temp Sensor (code 21)"

"Old" errors are stored in FE84 through FE86 in the same way.

STEP 9

Now I'm going to start with the Throttle Sensor. I want to find the subroutine that sets and clears bit 4 (0x10) of address FB86.

grep of the files reveals:
Func4197:41C2  15FB86D4    BCLR.B #4,@H'FB86:16
Func4197:41D9  15FB86C4    BSET.B #4,@H'FB86:16

Now I open Func4197 and have a look at the code:
4197  15FC2B80    MOV:G.B @H'FC2B:16,R0
419B  400A        CMP:E.B #H'0A:8,R0
419D  2529        BCS H'41C8
419F  40F0        CMP:E.B #H'F0:8,R0
41A1  2225        BHI H'41C8
41A3  400F        CMP:E.B #H'0F:8,R0
41A5  2504        BCS H'41AB
41A7  40C8        CMP:E.B #H'C8:8,R0
41A9  2306        BLS H'41B1
41AB  15FC9713    CLR.B @H'FC97:16
41AF  2032        BRA H'41E3
41B1  15FC9781    MOV:G.B @H'FC97:16,R1
41B5  2A07        BPL H'41BE
41B7  15FC970601  MOV:G.B #H'01:8,@H'FC97:16
41BC  2025        BRA H'41E3
41BE  4101        CMP:E.B #H'01:8,R1
41C0  251D        BCS H'41DF
41C2  15FB86D4    BCLR.B #4,@H'FB86:16
41C6  201B        BRA H'41E3
41C8  15FC9781    MOV:G.B @H'FC97:16,R1
41CC  2B07        BMI H'41D5
41CE  15FC970681  MOV:G.B #H'81:8,@H'FC97:16
41D3  200E        BRA H'41E3
41D5  4182        CMP:E.B #H'82:8,R1
41D7  2506        BCS H'41DF
41D9  15FB86C4    BSET.B #4,@H'FB86:16
41DD  2004        BRA H'41E3
41DF  15FC9708    ADD:Q.B #1,@H'FC97:16
41E3  19          RTS

Looking at this, I think the TPS value is at FC2B. I also think that FC97 is a counter for the number of consecutive out-of-range readings that are allowed before the error code gets reported.

So, hopefully we just found the first parameter. I'm going to email Alexander and ask him to test it and see if it is correct.

[b3lha]

Using the same method I described in the previous posting, I have also found

MAF Sensor FBE0
Temperature FBE5
Speed FB95

[seport]

Phil, it seems that you had a hard day working on this project. I will go down to the garage and test the parameters found so far as soon as i get my daughter to sleep.

Alexander

[seport]

Phil,

Very good job, i have tried the parameters with very good results. 5 out of 6 parameters seems to me that make sense. Only the coolant temperature FBE5, did not show actual readings. I am not sure but with FBE5 address in vwrx software the value was decreasing by time (engine idling) it even went in the negative value (the .ini file was set to deg.C).
Could be that i have something wrong with the temperature sensor? This can be checked if we don't find another address.

The vehicle speed is not yet tested, since i was in the garage and was using the pc not the laptop, however the reading was correct at 0 KM/H.

Attached is a screen shot of the test.

Alexander

[b3lha]

Thanks for testing that. I think the FBE5 might be the raw voltage signal from the sensor. There must be a map to convert that to Celcius. I will look again tomorrow and see what I can find.

Phil.

[kochiro]

Just for confirmation, this is a 1.5 liter vehicle and is OBD2?

Thanks,
Jay

[seport]

Yes it is 1.5L but OBD1

[kochiro]

Thanks, mainly wanted to confirm the OBD version as 1996 was a pivotal year where some were v1 and some v2. 

Phil, could you update the first post to indicate OBD1?

Thanks,
Jay