Code hacking

What is "Hacking"? It is the process of reverse engineering an ECM or PCM calibration, in most cases from an EPROM. The result of a "Hack" will be a software listing file that describes the calibration in adequate detail to allow you to revise the calibration in an intelligent way. (See Hacks Section)

How do you hack out a GM ECM? I have been asked that question a lot. Since this has been about 15 years of evolution, I'll describe the process in phases in the order they occurred.

There is no need to repeat this process since so much information is available in public forms. Virtually every vehicle manufactured since 1985 is EFI equipped, so this is not a new concept.

Many sources of information are available. SAE publications were a big help in the beginning, while EFI was developing. GM shop manuals for some model years went a long way in describing some features of EFI. Trade magazines are also a big help. Test equipment manuals are also useful.
 

PHASE 1, IN THE BEGINNING:
Most people start out with a binary file and try to deal with it using a binary editor, such as Hexworkshop, one of several binary editors. This will obviously work if you're making simple changes and aren't concerned with the quality of the end result. Typical problems are the identification of the desired functions and the correct magnitude of any changes.

One major after-market chip supplier was changing spark calibrations that were effected by modifying the spark coolant temperature table. Obviously this will cause a change in the amount of spark applied but what happens as the coolant changes temperature?  I would guess they were trying various tables until they noticed a change in spark advance.

At this time in my learning process I was obviously looking at any chip I could get my hands on, especially modified chips. I could do a compare of OEM vs. after market chips. At this point you need a compare program. There is excellent software available that is designed specifically for binary comparisons.

Tables are generally easy to identify. In most cases they have a numeric pattern that is easy to identify using pattern recognition skills. Older GM EFI systems have a three byte header at the start of 3d tables. This feature stands out when looking at the binary file. The last byte is the number of lines in each 3d block. Some of the 2d tables have a line count value, or the maximum input value. This helps ID table start points.

Typical hacking at this point is a flurry of byte changing, resembling a hyper teenager with the TV remote control. At this point you should be able to think in hex, probably quoting spark advance as 39 hex, having a vague idea that this is around 10 degrees of spark. Actually it's 20 degrees (39 hex = 57 dec; 57/(256/90) = 20). The reason for the 10 degree error is that you were unaware of a 10 degree spark bias, a one byte value of $1C hex.

PHASE 2, MORE GUESSING:
The next level of capability would be conversion of the hex numbers to decimal numbers so that the values can be calculated in engine units, such as Degrees Spark, RPM, percent TPS, etc.

PHASE 2a, ADVANCED GUESSING:
An interesting alternative approach is a combination of an EPROM Emulator and an address activity monitor. This technique came out of England 5 - 6 years ago. The principal feature is the display of addresses in use by the vehicle CPU as displayed on a PC. Running the values around by varying sensor inputs with a variable resistor helps ID tables. The display is limited to around 256 bytes of hex. The later versions do a 3d graph of the selected block. These systems have a price range around $2000. You may wish to look for other alternatives. At this price, existing pre-hacked software packages look attractive.

Note:
This gets very confusing with 16 bit values, late GM, all Ford etc. (See flurry of byte changing comment)

At this point we are doing a lot of guessing, and the one-byte or one-word calibration features are impossible to ID. By now we have guessed that some of the other stuff is important, particularly if we are dealing with a modified motor, different displacement or injector size. We do know that in some cases (type 42, ECM P/N 1227747), the same ECM and code template can be used with a 2.2l to 7.4l engine TBI or PFI.

Very interesting! Let's try another round of comparing. Gee! The fuel and spark tables are not that different, and some of the other tables are unchanged.

PHASE 3, WHEN IN DOUBT, DISASSEMBLE:
GM uses 8 bit Motorola CPU's for all of the EFI's through model year 1995. Most all of these have removable EPROM's; a notable exception is the MY94 - 95 F and Y cars that are FLASH memory and use dual (P66) 68HC11 CPU's.

There are three major categories of CPU in use: the C3, P4 and P6. Each uses different proprietary variants of the Motorola 6803/68HC11 product family. Each of these ECM/PCM's has a slightly different instruction set and different internal functional registers. The P6 family is very close to the Motorola 68HC11F1 product.

Once we have identified the microprocessor in use, we can identify and disassemble the algorithmic portion of the binary file. The advantage is that we can identify functions based on how the calibration portion of the code is used. For example, we can now identify tables by use of the Index Function (LDX) of the Motorola 68xx family CPU's used by GM. (A similar technique may be used with Ford EEC/Intel ECU's.)
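The LDX technique above can be approximated with a simple scan before a full disassembly exists. This is an added example, not code from the original page: it assumes the standard Motorola opcode $CE for `LDX #imm16` (the GM variants may differ), an image that ends at $FFFF, and a constructed sample image whose calibration and code ranges are made up.

```python
LDX_IMM = 0xCE   # LDX #imm16 on standard 6801/68HC11 parts (assumed for GM variants)

def find_table_refs(image: bytes, cal_start: int, cal_end: int, code_start: int) -> list:
    """Return [(table_addr, [code addresses that load it into X])], sorted by address."""
    base = 0x10000 - len(image)               # image is assumed to end at $FFFF
    refs = {}
    # Linear byte scan, not a real disassembly: a hit may be an operand or data
    # byte that happens to equal $CE, so treat results as candidates only.
    for off in range(code_start - base, len(image) - 2):
        if image[off] != LDX_IMM:
            continue
        operand = int.from_bytes(image[off + 1:off + 3], "big")
        if cal_start <= operand <= cal_end:   # pointer into calibration data
            refs.setdefault(operand, []).append(base + off)
    return sorted(refs.items())

def max_extents(refs: list, cal_end: int) -> dict:
    """Upper bound on each table's size: distance to the next referenced address."""
    addrs = [addr for addr, _ in refs]
    return {a: nxt - a for a, nxt in zip(addrs, addrs[1:] + [cal_end + 1])}

def build_ldx_sample() -> bytes:
    """Constructed 16 KB image mapped at $C000-$FFFF; all contents are made up."""
    img = bytearray(b"\xff" * 0x4000)

    def put(addr: int, data: bytes) -> None:
        img[addr - 0xC000:addr - 0xC000 + len(data)] = data

    put(0xC050, b"\xce\xc1\x20")   # calibration bytes that merely look like LDX
    put(0xD200, b"\xce\xc1\x20")   # LDX #$C120
    put(0xD340, b"\xce\xc1\x20")   # LDX #$C120 (second user of the same table)
    put(0xD400, b"\xce\xc3\x00")   # LDX #$C300
    put(0xD500, b"\xce\x00\x80")   # LDX #$0080, a RAM pointer, not a table
    return bytes(img)

if __name__ == "__main__":
    refs = find_table_refs(build_ldx_sample(), 0xC000, 0xCFFF, 0xD000)
    sizes = max_extents(refs, 0xCFFF)
    for addr, users in refs:
        used_by = ", ".join(f"${u:04X}" for u in users)
        print(f"table candidate ${addr:04X} (<= {sizes[addr]} bytes) used at {used_by}")
```

Addresses referenced from several places in the code are the strongest table candidates, and the code around each reference shows which RAM variable indexes the table.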

The most productive technique at this point is identifying the characteristics of the diagnostic data stream. This allows us to scale the critical values such as RPM, MAP, Temperature, and eventually status flags (the treasure of hacking). The diagnostic section of this site may help you along this path.

After we have identified engine variables, we can substitute the function for algorithm variables into the diagnostic data stream. For example, say we find that the RPM is scaled by 25; by analyzing the diagnostic data, we can now plug in the RPM information to the appropriate RAM variables in our disassembly. Continuing on this theme, MAP would be next, and so on. Now we establish the axes and scales for 2d and 3d tables.

The disassembly process gets difficult when dealing with the older C3 32K EPROM's. The ECM software is located in a 2732 EPROM and an internal Masked ROM. The EPROM is easy, all you need is an EPROM burner to read the chip, dumping it to a binary file (my favorite) or a Motorola "S" file format. Most of the 32K EPROM's start at $D000 and end at $DFFF ($ is the Motorola way of indicating a Hex value). The Masked ROM is addressed starting at $E000 and ending at $FFFF.

The good news is that the EPROM has the calibration tables and some of the Algorithm (Computational software) and the ROM has the rest of the Algorithm. This code can be read through the test connector located on the rear of the PCB, but you will need to construct some minimal hardware to make the connections. A good week-end project for the electronically gifted.

Later model ECM and PCM's (P4, P6 & P66) use larger EPROM's (27128, 27256 and 27512). This series has the complete software in the EPROM; the 1st 1/3 is Calibration, the last 2/3rds contains the Algorithm.

In all cases the Vector table is at the end ($FFFF). This makes it easy to establish the real starting address: just subtract the EPROM size from $FFFF+1. A 2732 EPROM is $3000 (8191 decimal):

    (($FFFF+1) - $3000) = $D000 start address

The Motorola vector table is a boon. It is always at the end of memory and has two or three sets of functions depending on the vintage of the processor design. In the case of Motorola micro's the vector table ends at $FFFF. Inspection of these values (a group of 16 bit addresses) will help identify the starting location used every time power is applied to the CPU.
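The start-address arithmetic and vector inspection described above, as an added example that is not from the original page. It assumes the image's last byte maps to $FFFF, that vectors are big-endian 16-bit words with the reset vector in the last slot ($FFFE-$FFFF) as on standard Motorola 68xx parts, and it uses a constructed sample image with made-up vector values.

```python
import struct

def load_address(image_size: int) -> int:
    """CPU address of byte 0 for an image whose last byte maps to $FFFF."""
    if not 0 < image_size <= 0x10000:
        raise ValueError("image must fit in the 64 KB address space")
    return 0x10000 - image_size           # ($FFFF+1) - size

def read_vectors(image: bytes, count: int = 8) -> list:
    """Decode the last `count` 16-bit big-endian vectors, lowest slot first."""
    base = load_address(len(image))
    if len(image) < 2 * count:
        raise ValueError("image too small to hold that many vectors")
    vectors = []
    for slot in range(0x10000 - 2 * count, 0x10000, 2):
        (target,) = struct.unpack_from(">H", image, slot - base)
        # A target below the load address points at RAM, registers or unused space.
        vectors.append({"slot": slot, "target": target, "in_image": target >= base})
    return vectors

def reset_vector(image: bytes) -> int:
    """Address the CPU jumps to at power-up (assumed: last slot, $FFFE-$FFFF)."""
    return read_vectors(image, 1)[0]["target"]

def build_vector_sample() -> bytes:
    """Constructed 16 KB (27128-sized) image; vector values are made up."""
    img = bytearray(b"\xff" * 0x4000)
    targets = [0x0000] + [0xE010] * 6 + [0xD5A0]   # last entry is reset
    struct.pack_into(">8H", img, len(img) - 16, *targets)
    return bytes(img)

if __name__ == "__main__":
    sample = build_vector_sample()
    print(f"load address ${load_address(len(sample)):04X}")
    for v in read_vectors(sample):
        note = "" if v["in_image"] else "  (outside image)"
        print(f"  ${v['slot']:04X} -> ${v['target']:04X}{note}")
    print(f"reset entry point ${reset_vector(sample):04X}")
```

For the older C3 units the vectors live in the Masked ROM, so a dump of the 2732 EPROM alone does not end at $FFFF and must be combined with the ROM contents before this applies.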

PHASE 4, MORE TOOLS:
The least demanding method is to buy tools that are designed for your specific application. There are some tools such as "WinTuner" from TunerCat that have identified the important tables and have a good range of adjustments. Many of the top tuners use this tool, but you must have some idea as to the use of these features to successfully use them. In addition to a tabular format, the WinTuner program has excellent graphic features including a graph of the 2d and 3d tables as calibrated. (An example of the type $42 main spark table is shown; the last few lines are cut off for size reasons.)

PHASE 5, TUNING:
The obvious end goal is the actual tune up of your car or truck. The hacking steps can be by-passed if you invest in the appropriate software tools and use a "tuner" software package. See the Tune Up section of this site for more information.

        ECMGUY