To recap:

-I build a wideband logging functionality into the $a1 code.
-Mars wanted me to build him the same for his $8F/TGP code.
-I say sure, I'll do it in exchange for a '7730 ECM (which I needed at the time)
-lots of work and assembly programming later, I get it done, and send it to him.
-He starts distributing my code:



(Which I don't particularly care that he does... But I can't help but feel taken advantage of)

Latest discussion was here, he said he was going to pick one up... That was the last I heard, from April 12th, which was his last login here. His last login on the other forums was today, so it appears on the surface that he's avoiding me.

But why? It's a $20 ECM.

I assure you that is not the case. Mars is a personal friend of mine and a very straight-up person to deal with. Infact he sent me a fan without asking for any payment, not even shipping because he trusts me for the money when I see him at the JCO bash in June.

yeah I hope he just forgot...

im sure that he has just been busy.

Yeah, I don't come on here very often anymore.

Sorry about that. To be 100% honest with you, I forgot I still have a car, and anything about cars for the last month, since I bought a new toy.

I'll just paypal you some money, that alright? You'll have your money today, and that will be done.

Also, Ryan, about redistributing the code, I didn't think you would care, guess I should have asked. (my mentality was that if you helped me, you'd help anyone).

Oh well that kinda sucks that I pissed you off now, cause I was hoping for further help on stuff, but whatever.

Have a good weekend.

No sense in making anyone else listen to this crap, just PM me.

It's all good... I thought you just ran off with my work or something... PM sent.

I want to thank you Ryan. I learned a few interesting things today with the help of a tool I made, called the "HAXBOX". And some of the information I found in the TGP dissassembly, as well as your WBO2 patch.
The info I found is pretty helpful to us hacking nerds. I mean that in the nicest way of course


Info on my so called "haxbox" can be found in this thread. (I'm too lazy to make a new one on this forum about this little invention)


For data logging I purchaced a licence to use EFI live V4, and found it to be of extreemly good use for hacking.

Ok, so what did I figure out... most of the analog inputs. The ECM aparantly has 16 possible analog inputs, of witch I've nailed 10.

There is a routine in all GM ECM's that has to turn the hardware's analog inputs into ram variables, and I found that routine, and toyed around with it quite a bit tonight. Since I figured out that there was something like 16 inputs, first I took a good look around the ram addresses for a group of 16 that are not used, and I found them at 01A0-01AF (this is on a Quad 4 HO W41 ECM and chip) so I put those addresses into the ALDL stream to be sent out. Then I wrote a routine, and stuck it somewhere where I had some room on the chip. The routine called up each of the inputs, one at a time and stored them as ram variables, then of course the ECM would send them all to the ALDL, and I configured EFI live to report them raw. Then I'd plug each input to my potentiometers on my haxbox, vary them one at a time to determine witch variable is what.

On the 1228707 ECM, the results?...
0 A/C Pressure Sensor 0-5V Pin F-14
1 Battery Voltage (internal source?)
2 O2 sensor voltage 0-1V Pin E-14
3 MAP Sensor 0-5V Pin F-15
4 CTS Sensor (temp) Pin E-16
5 TPS Sensor 0-5V Pin F-13
6 Spare (temp) E-10
7 ? Stays at 255
8 MAT Sensor (temp) Pin F-16
9 Spare 0-5V Pin A-3
A Spare (temp) Pin F-12
B ? Stays at 128
C ? Stays at 68
D ? Stays at 172
E ? Stays at 255
F ? Stays at 37

So, the only useful spare I found for WBO2, was 9, Pin A-3 witch is designated as "TPS2"

And by doing this routine, all the hard work is done! ALL the analog inputs are sent out

The routine I wrote was simple, mostly based on yours, though I didn't understand some of what yours was doing.
First I picked a spot in the program to redirect from, I picked A350 where the input routine is called each computer runthrough, and put a JMP to a big open spot on the chip instead: 92A2. There, I wrote this:

86 00 LDAA 00 (00 = 0, 10 = 1, 20 = 2...)
BD A4 EF JSR A4EF (Input routine)
B7 01 A0 STAA 01A0 (store as ram variable 01A0)
4F CLRA (clear register A)

Then it repeats with new numbers

86 10 LDAA 10 (00 = 0, 10 = 1, 20 = 2...)
BD A4 EF JSR A4EF (Input routine)
B7 01 A1 STAA 01A1 (store as ram variable 01A1)
4F CLRA (clear register A)

it does this 16 times.

At the end of the routine I put:

86 30 LDAA 30 (witch was what I overwrote when I put the jump)
7E A3 52 JMP A352 (goes back to where it was jumped from)

So it replaces the stuff I removed to stick the jump to my routine, then it continues on like normal. This routine can very easily be used on ANY OBD1 GM ECM. Pretty neat I think. This routine could be simpler if I took the time to set it up right with incrementals.

I can't see your pics without registering, but from your description, it sounds like you built a computer test bench. That's a good thing to have for seeing if modifications work.

Now, I assume you've disassembled your modified binary to verify it's contents? Putting a JSR in place of a LDAA might erase the command after it as well, since the JSR will take up 3 bytes instead of 2.

It's interesting that you were able to find so much unused RAM. Usually there isn't anything. Be sure to watch out for double bytes being stored - You might think you have a free slot, but you'd be modifying the MSB or LSB of a word.

Good luck... and welcome to the madness.

I did dissassemble it, but I havn't labled much.

Origionally the program loaded LDAA 30, then JSR to the input routine, All I did to divert the program is change the JSR to a JMP, gave it a new address, and when my section was complete, reloaded LDAA 30, then JSR the input routine then JMP back to just after my diverting JMP. Byte for byte it didn't screw anything up. I made sure of that.

It was a bit of a pain to find the block of ram address. I found a cool way of doing it. I did my dissassembly using Excel, so I sorted it by mnemonics, then by address called, looked for STAA/STAB and found a group of ram variables that didn't have any STAA pointing to them. So they never get written. I verified that they don't get used by sending them to the ALDL, and they all showed up as Zero. I didn't look for any more after that. I suppose there is still the remote chance that the computer uses them for something, but so many consecutive unset ram addresses... Makes it interesting.

I can use my so called haxbox, or testbench device to work with almost any normal 3 plug ECM. Including the 1227730, 7749 8707... and Im sure a few other ones out there share practically the same pinout. But yea, hacking, and program modifying without it would be just that much more difficult.

It took me 5 or 6 tries just to get the ECM not to turn the fan light on. You know you screwed up when that output comes on.

heh... yeah. I've hit limp mode several times. 90% of the time it's because I forgot to update the checksum after making a change.

L8008 = AA

Checksum solved.

Yeah, I know that trick, but I don't want to eliminate the benefits of the checksum... I have had bad burns on occasion, and wouldn't want that to cause me to chase my tail or worse, damage something. (my test bench is my car)