Right, lets find some more parameters.
Picking an easy one again: Atmospheric Pressure
First we find the subroutine that sets the atmospheric pressure sensor error bit: bit 4 (0x10) of 0x4041.
H:\SVX\Brett>findstr 0x4041 Sub-* | findstr seb | findstr 10
Sub-9F32.txt:009F73 0C414010 seb #0x10, 0x4041
Then we have a look at Sub-9F32. It looks very similar to the TPS subroutine we looked at before:
009F32 3C4A80020F bbc #0x02, 0x804a, 0x9f46 ; Call target from 9CFF
009F37 78 sei
009F38 2C30420808 bbs #0x08, 0x4230, 0x9f45
009F3D AD3342 lda al, 0x4233
009F40 CDC688 cmp al, 0x88c6
009F43 B002 bcs 0x9f47
009F45 58 cli ; Branch target from 9F38
009F46 60 rts ; Branch target from 9F32
In the first section of code we have some preconditions that must be met before the sensor is tested. BBC means Branch if Bit Clear. The instruction at 9F32 checks bit 1 (0x02) of 0x804A. If that bit is a zero then the program jumps to 9F46 which is an RTS instruction (exit from the subroutine). Address 804A is in the ROM, it is a constant, set when the ECU chip is programmed. It is probably a switch that specifies whether this ECU is fitted with an atmospheric pressure sensor. Let's have a look at 0x804A:
00008040 80 00 32 00 68 03 9C 02 80 01
01 30 09 8D 30 00
The value of 804A is 01. That's 000000
01 in binary. The value of bit 1 IS zero. Therefore this subroutine will ALWAYS exit immediately without ever testing the sensor or setting the error code.
We can conclude that this ECU probably doesn't have an atmospheric pressure sensor, despite having the CE code in its error table. If it does have one then it doesn't test it, so presumably it doesn't use it.
Subaru probably use the same ECU program in several different markets. In some markets (USA) they fit an atmospheric pressure sensor and switch on bit 1 of 804A. In other markets (NZ, Japan), they omit the sensor and turn the switch off.
Not much point continuing to look for this parameter, but Just for the hell of it, let's see if we can find out what the address would be if the ECU supported it. The rest of the first block are more preconditions that must be met to get us into the second block where the test is done. I've added some comments for you.
009F47 58 cli ; Branch target from 9F43
009F48 AE3142 ldx 0x4231 ; Get sensor reading
009F4B EC1E8C cpx 0x8c1e ; compare to lower limit
009F4E 9005 bcc 0x9f55 ; if less goto 9f55
009F50 EC208C cpx 0x8c20 ; compare to upper limit
009F53 9011 bcc 0x9f66 ; if less goto 9f66
009F55 A25342 ldx #0x4253 ; Branch target from 9F4E
009F58 20DFA3 jsr 0xa3df ; Add 1 to counter at X
009F5B CD228C cmp al, 0x8c22 ; Compare counter to threshold
009F5E 900E bcc 0x9f6e ; if lower goto 9f6e
009F60 0C514204 seb #0x04, 0x4251 ; set bit 2 of 4251
009F64 8008 bra 0x9f6e ; goto 9f6e
We recognise the call to 0xA3DF from the TPS subroutine. This means "add 1 to counter at X". We should comment that with grepwin: Search for "(^.*0xA3DF.*$)" and replace with "\1 ; Add 1 to counter at X". Also, rename the file Sub-A3DF.txt to Sub-A3DF-Add-1-to-counter-at-X.txt
Presumably it works in the same way at the TPS: The counter at 0x4253 is counting the number of bad results from the pressure sensor. When it passes the threshold at 0x8c22, the error flag will be set. It's a pretty safe assumption that the atmospheric pressure is at 0x4231 and the acceptable limits are at 8c1e and 8c20.
009F66 9C534200 ldm #0x00, 0x4253 ; reset counter to zero ; Branch target from 9F53
009F6A 1C514204 clb #0x04, 0x4251 ; clear bit 2 of 4251
009F6E 3C51420705 bbc #0x07, 0x4251, 0x9f78 ; Branch target from 9F5E, Branch target from 9F64
009F73 0C414010 seb #0x10, 0x4041 ; set Atmos error flag
009F77 60 rts
009F78 1C414010 clb #0x10, 0x4041 ; clear Atmos error flag ; Branch target from 9F6E
009F7C 60 rts
I think this needs a little explantion. If we get a bad reading and the error count is greater than the threshold, it sets bit 2 of 4251. On the other hand, if we get a good reading, it clears the error counter and bit 2 of 4251.
But the line that decides whether the Atmos error flag gets set or cleared is at 9F6E.
009F6E 3C51420705 bbc #0x07, 0x4251, 0x9f78
Branch if Bits Clear #0x07 of 0x4251.
The 0x07 in binary is 00000111. So, if bits 0,1 and 2 of 4251 are zero then it will goto 9f78, which clears the atmos error flag. But If any of the bits are one then it will continue to 9f73 and set the atmos error flag. We know that bit 2 gets set by the code at 9f60 as I described earlier, but there is nothing here to set bits 0 or 1. There is probably something elsewhere in the ECU that sets these bits.
I'm not going to investigate that at present because we found what we came here for. We know that this ECU doesn't use the Atmospheric Pressure Sensor and we know that if it did then the 16-bit value would be at 4231.
Let's see if there is an 8 bit equivalent to 4231.
H:\SVX\Brett>findstr 0x4231 Sub*
Sub-E3B9.txt:00E3D3 8D3142 sta ax, 0x4231
Sub-E3B9.txt:00E4EC 6D3142 adc ax, 0x4231
Sub-E3B9.txt:00E4F3 8D3142 sta ax, 0x4231
Sub-E3B9.txt:00E4F9 890D3142 mpy 0x4231
Sub-9F32.txt:009F48 AE3142 ldx 0x4231
Sub-E3B9 contains a store instruction for address 4231 (actually it contains two!).
00E3B9 342008FC bbc #0x08, dp + 0x20, 0xe3b9 ; Call target from DCEA, Read from A/D control register, Branch target from E3B9
00E3BD 2C4A800216 bbs #0x02, 0x804a, 0xe3d8
00E3C2 D8 clm ; m:0 x:0
00E3C3 A522 lda ax, dp + 0x22 ; Read from A/D successive approximation register
00E3C5 3C4A800C0008 bbc #0x000c, 0x804a, 0xe3d3
00E3CB 3C3880FF0002 bbc #0x00ff, 0x8038, 0xe3d3
00E3D1 8087 bra 0xe35a
00E3D3 8D3142 sta ax, 0x4231 ; Branch target from E3C5, Branch target from E3CB
00E3D6 F8 sem ; m:1 x:0
00E3D7 60 rts
At E3BD it checks whether bit 1 of 804A is set, a similar check to the one at the start of Sub-9F32-Test-Atmos. In the case of your ECU, the bit is zero, so it continues and reads the A/D converter. Then it checks bits 2 and 3 (0x0c=00001100) of 804A. These bits are also zero in your ECU so it goes to E3D3 and stores the value that it read from the ADC in 4231 then it exits (rts). Your ECU reads the ADC for the atmos sensor and it stores the voltage at 4231. We do not even know for sure whether there is a pressure sensor connected to the ADC. But we know from the findstr above that the value 4231 is not used anywhere else in the ECU.
Just to continue the exercise, IF the ECU did have a pressure sensor, what would be the 8 bit equivalent to 4231 for datalogging? Further down the code we see this:
0E4E9 A522 lda ax, dp + 0x22 ; Read from A/D successive approximation register
00E4EB 18 clc ; Branch target from E4F1
00E4EC 6D3142 adc ax, 0x4231
00E4EF 6A ror ax
00E4F0 CA dex
00E4F1 D0F8 bne 0xe4eb
00E4F3 8D3142 sta ax, 0x4231 ; Branch target from E4DF
This reads the voltage from the ADC, adds it to the stored value and divides by two (ror ax). It is taking the average of the current reading and the previous reading to reduce the effect of any minor fluctuations. Then we see this:
00E4F6 A9F401 lda ax, #0x01f4
00E4F9 890D3142 mpy 0x4231
00E4FD 42C90001 cmp bx, #0x0100
00E501 B017 bcs 0xe51a
00E503 8D1A40 sta ax, 0x401a
00E506 F8 sem ; m:1 x:0
00E507 428D1C40 sta bl, 0x401c
00E50B D8 clm ; m:0 x:0
00E50C AD1B40 lda ax, 0x401b
00E50F 38 sec
00E510 E92C01 sbc ax, #0x012c
00E513 B008 bcs 0xe51d
00E515 A90000 lda ax, #0x0000
00E518 8003 bra 0xe51d
00E51A A9FFFF lda ax, #0xffff ; Branch target from E501
00E51D 8D0242 sta ax, 0x4202 ; Branch target from E513, Branch target from E518
00E520 4A lsr ax
00E521 4A lsr ax
00E522 4A lsr ax
00E523 C90001 cmp ax, #0x0100
00E526 9003 bcc 0xe52b
00E528 A9FFFF lda ax, #0xffff
00E52B F8 sem ; m:1 x:0, Branch target from E526
00E52C 8D3D42 sta al, 0x423d
00E52F 8D1544 sta al, 0x4415
This appears to be applying some kind of formula to the voltage read from the sensor. Multiply by 500 (=0x1f4), Subtract 300 (=0x12c). Presumably converting the sensor voltage into psi, bar, mmHg, Pa or some other unit of pressure. This gets stored as a 16bit value at 4202. Then that gets divided by 8 (three lsr instructions) and stored as an 8bit value at 423d and 4415. The Select Monitor would query one of these addresses to get the atmospheric pressure if this ECU supported it.
So that's everything related to the atmospheric pressure reading. Not supported by this particular ECU, but on a very similar ECU, you might find:
16 bit atmospheric pressure sensor voltage at 4231
16 bit pressure at 4202
8 bit pressure at 4415
We might as well rename Sub-9F32.txt to Sub-9F32-Test-Atmos.txt and comment the call to it with grepwin:
"(^.*0x9F32.*$)" to "\1 ; Test Atmospheric Pressure Sensor".
We could do the same with Sub-E3B9 to something like "Read-Atmos".
