Code Modifications for Extended Diagnostics

The Theory

Pre-OBD2 ECUs have a diagnostic port that allows a fixed number of memory addresses/functions to be read. It is possible to modify the code to allow up to 256 memory locations to be read. The example below describes how to add additional functions to the diagnostic capabilities of a 70E10 ECU (EE88 EPROM); other ECUs can be modified using the same technique.
Diagnostic requests are sent via the serial data link to addresses 0h to xxh, and a Look Up Table (LUT) is used to retrieve the data from its address in the programme memory; the LUT is shown below. Each address is 16 bits, so it can be seen that diagnostic address 00h is memory address 0044, address 01h is memory address 0046, etc. Each of the diagnostic addresses represents an offset value from the LUT base address in programme memory at 9719h. The offset value is multiplied by two inside the ECU because the memory addresses are all 16-bit. There are 31 different diagnostic addresses, although some parameters span two memory locations.

Below is the code that builds the message to be sent. As already noted, there are 31 locations, and the hexadecimal equivalent of 31 is 1Fh. The code at address F5D2h checks that the address requested is within the valid range of addresses for the ECU. If it isn't, the requested value is replaced with 1Fh at line F5D6h, so an invalid address will always return the value from the address at the end of the table. The Y index register is used to access the table, and the base address of the LUT (9719h) is loaded into this register at the line starting at address F5D9h.

Making The Changes

To avoid having to recompile the entire programme it is necessary to move/copy the table to a larger area of unused memory. I chose to put the table at the beginning of the EPROM but it doesn't really matter. I then added the addresses that I wanted to be able to monitor. The programme that I use for this is Frhed, which is available as a free download. The new table is shown below. It is important to understand that the EPROM is mapped to the processor from address 8000h up. The EPROM is shown as starting at 0000h - you have to add 8000h to get the 'real' address.

The table base address at F5D9/A (75D9/A) must be changed to the new location (I have used 8000h) and the top of the table value (now 30h) at F5D3h (75D3h) and F5D7h (75D7h) must also be changed - the value will depend on how many addresses are added.
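The relocation described above can also be scripted instead of done by hand in a hex editor. The following is an added example, not code from the original page: it verifies the bytes quoted in the text before patching and models the ECU's clamped lookup so the result can be checked. It assumes 16-bit values are stored high byte first, that the table covers indices 00h up to the top value, and that the unused destination area holds a single fill byte; all function names and the test image are constructed for illustration.

```python
import struct

EPROM_BASE = 0x8000                  # EPROM is mapped to the CPU from 8000h up
OLD_LUT, NEW_LUT = 0x9719, 0x8000    # original and relocated table base
BASE_OPERAND = 0xF5D9                # 16-bit table base lives at F5D9/A
TOP_OPERANDS = (0xF5D3, 0xF5D7)      # range-check value and substituted value

def off(cpu_addr):
    """CPU address -> offset in the EPROM file (subtract 8000h)."""
    if not EPROM_BASE <= cpu_addr <= 0xFFFF:
        raise ValueError(f"{cpu_addr:04X}h is outside the EPROM window")
    return cpu_addr - EPROM_BASE

def lookup(image, diag_addr):
    """Model the ECU lookup: clamp the request, double it, read the 16-bit entry."""
    top = image[off(TOP_OPERANDS[0])]
    base = struct.unpack_from(">H", image, off(BASE_OPERAND))[0]
    return struct.unpack_from(">H", image, off(base) + 2 * min(diag_addr, top))[0]

def relocate_lut(image, extra_addrs):
    """Copy the LUT to NEW_LUT, append extra_addrs, patch the base and top values."""
    img = bytearray(image)
    if struct.unpack_from(">H", img, off(BASE_OPERAND))[0] != OLD_LUT:
        raise ValueError("table base operand is not 9719h: wrong image?")
    old_top = img[off(TOP_OPERANDS[0])]
    if img[off(TOP_OPERANDS[1])] != old_top:
        raise ValueError("range-check and substitute values disagree")
    new_top = old_top + len(extra_addrs)
    if new_top > 0xFF:
        raise ValueError("diagnostic address is one byte: at most 256 entries")
    table = bytes(img[off(OLD_LUT):off(OLD_LUT) + 2 * (old_top + 1)])
    table += b"".join(struct.pack(">H", a) for a in extra_addrs)
    dst = off(NEW_LUT)
    if len(set(img[dst:dst + len(table)])) != 1:   # assumption: unused area is one fill byte
        raise ValueError("destination is not blank: pick another unused area")
    img[dst:dst + len(table)] = table
    struct.pack_into(">H", img, off(BASE_OPERAND), NEW_LUT)
    for addr in TOP_OPERANDS:
        img[off(addr)] = new_top
    return bytes(img)

def constructed_image():
    """Constructed 32 KB test image (not a real EE88 dump): FFh fill plus quoted values."""
    img = bytearray(b"\xFF" * 0x8000)
    for i in range(0x20):                          # entries 00h..1Fh: 0044h, 0046h, ...
        struct.pack_into(">H", img, off(OLD_LUT) + 2 * i, 0x0044 + 2 * i)
    struct.pack_into(">H", img, off(BASE_OPERAND), OLD_LUT)
    for addr in TOP_OPERANDS:
        img[off(addr)] = 0x1F
    return bytes(img)
```

Adding 17 entries to the constructed image raises the top value from 1Fh to 30h, matching the value used in the text.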
