Have you made any more progress on this? I asked for a CAN dump in another thread but what I did instead was wire everything together temporarily and then did a frame capture. I am going to paste the CSV data from the PCAN software that I prepended each line with "KP2" (frames captured with key in position #2), "ECM" (frames that appeared when I powered up the Denso ECM while attached to the XC90 HS-CAN and "TCM" (frames that appeared when the power was applied to the TF-80SC TCM while the previous two conditions were also true).dikidera wrote: ↑11 Aug 2023, 15:49A little late, but thanks to emulation I have found at least one function that sets the CAN IDs now, with this I have found that each "signal" is described in a 32 byte structure.
ID Obviously 0x401E020AROM:00001B1C off_1B1C: .long 0x7080F00, unk_FFFFDEF0, unk_FFFFDF28, poweron
ROM:00001B1C ! DATA XREF: ROM:00001044↑o
ROM:00001B1C ! ROM:000010A4↑o ...
ROM:00001B2C off_1B2C: .long dword_30000, 0x401E020A, 0xFBFFBFFF, 0x3FFF5FFF
0x7080F00L The first byte 0x07 is both a record identifier signifying if this is the last signal or at least a main one, not sure yet. 0x08 is the DLC, as its being put in address E498 of the CAN module. 0x07 identifier can maybe sometimes be 0x04 which does an additional step in the ID setting function.
unk_FFFFDEF0 is still unknown as well the other address and 0xFBFFBFFF, 0x3FFF5FFF and dword_30000 but hey it's start.
Then I have identified the functions I have so named CANSend_Byte, word, dword etc.
They take two arguments, an offset and the value to send.
0x1428 is a data structure offset, perhaps 24 bytes in length. It contains a few things(mostly unknown for now), one of which is the offset 1b1c, we can *maybe* infer that 1b1c is the CAN signal that will be used to transmit the message from id 0042 401E, in this case it was the Throttle Opening Angle.mov.w #0x1428, r4
jsr @r13 ! SendCANWord_sub_ACD8
Although one little tidbit is still unclear, my 80401E address is kind of missing in action but I will see.
Now, with this what we can do is dump the TCM firmware and see if a similar table exists, for e.g reading. I would expect the TCM to have the same addresses in it's signal configuration.
[KP2], CAN-ID=00224024h, Length=8, Data=3F F8 00 00 13 FF C0 00, CycleTime=14.0, Count=10283
[KP2], CAN-ID=0042406Ch, Length=8, Data=40 A8 00 00 60 00 C0 03, CycleTime=10.0, Count=15254
[ECM], CAN-ID=0062401Eh, Length=8, Data=01 14 60 00 A2 22 04 00, CycleTime=12.0, Count=3
[ECM], CAN-ID=0080401Eh, Length=8, Data=BE 00 80 00 00 0B 12 16, CycleTime=12.0, Count=3
[ECM], CAN-ID=00A20016h, Length=8, Data=07 E9 04 00 00 14 00 00, CycleTime=19.4, Count=2
[TCM], CAN-ID=00C0402Ah, Length=8, Data=5F E4 10 0A 06 F2 C7 FF, CycleTime=9.9, Count=4265
[TCM], CAN-ID=00D00022h, Length=8, Data=00 00 02 A3 00 00 E7 FF, CycleTime=9.9, Count=4265
[KP2], CAN-ID=00E24026h, Length=8, Data=00 01 E0 EC 9F 00 00 00, CycleTime=14.0, Count=10283
[ECM], CAN-ID=00F00006h, Length=8, Data=00 00 33 7F 00 00 A7 82, CycleTime=12.0, Count=3
[KP2], CAN-ID=01000020h, Length=8, Data=00 00 00 00 00 00 00 00, CycleTime=10.0, Count=14416
[ECM], CAN-ID=01400006h, Length=8, Data=00 00 00 00 C9 F7 D9 14, CycleTime=12.9, Count=3
[ECM], CAN-ID=01600012h, Length=8, Data=80 00 00 00 00 00 00 00, CycleTime=18.9, Count=2
[KP2], CAN-ID=01A2402Ah, Length=8, Data=00 AD 52 06 80 00 80 00, CycleTime=10.0, Count=14405
[KP2], CAN-ID=10004002h, Length=8, Data=80 00 00 00 C0 00 C0 00, CycleTime=14.0, Count=10283
[KP2], CAN-ID=10400020h, Length=8, Data=C1 1D 47 00 00 00 00 00, CycleTime=29.8, Count=4808
[KP2], CAN-ID=10600020h, Length=8, Data=02 FE FE 00 37 04 1D D7, CycleTime=255.4, Count=347
[KP2], CAN-ID=10800006h, Length=8, Data=00 80 00 6F 00 00 00 00, CycleTime=48.2, Count=2936
[KP2], CAN-ID=10A2407Ch, Length=8, Data=11 21 06 17 01 01 02 05, CycleTime=280.0, Count=489
[ECM], CAN-ID=10C00002h, Length=8, Data=00 00 00 00 00 00 00 00, Count=1
[KP2], CAN-ID=10E24000h, Length=8, Data=08 00 58 00 07 FA 6E 00, CycleTime=55.9, Count=2570
[TCM], CAN-ID=11000022h, Length=8, Data=03 FB DC 00 00 4B 02 F2, CycleTime=69.9, Count=609
[KP2], CAN-ID=11100024h, Length=8, Data=00 00 00 14 7E 00 80 00, CycleTime=50.0, Count=2889
[KP2], CAN-ID=11220028h, Length=8, Data=21 63 03 3C 00 00 1D 1C, CycleTime=59.9, Count=2407
[KP2], CAN-ID=11420006h, Length=8, Data=00 00 00 1F 00 00 DE 00, CycleTime=118.5, Count=1211
[KP2], CAN-ID=11600002h, Length=8, Data=F5 14 20 00 00 00 00 00, CycleTime=98.0, Count=1470
[KP2], CAN-ID=11800002h, Length=8, Data=00 00 03 01 00 00 00 00, CycleTime=98.9, Count=1470
[KP2], CAN-ID=11A00020h, Length=8, Data=00 00 00 00 C0 00 00 00, CycleTime=149.8, Count=964
[ECM], CAN-ID=11C00002h, Length=8, Data=00 00 60 00 00 00 00 0C, CycleTime=13.9, Count=2
---
Unfortunately, I cannot start and drive the vehicle in this configuration as I have all of the IO on the engine still wired to my aftermarket ECM.
Will you please help me make sense of this information? I tried to DM you but I think you must have that feature disabled.
Thank you in advance.