TwinTurbo.NET: Nissan 300ZX forum

TwinTurbo.NET: Nissan 300ZX forum - Re: Thanks Guys

Subject Re: Thanks Guys

Posted by zromtech on November 26, 2014 at 2:47 PM

This message has been viewed 648 times.

In Reply To Thanks Guys posted by Cjw3 on November 25, 2014 at 10:23 AM

Message Here are some details on the corrupt 46P00 NA ROM that's floating around out there in case anyone else encounters it:
The Z32 ROM is split into a 26kb code segment ($8000 to $E7FF) and 6kb data segment ($E800 to $FFFF). The corrupt part is in the code segment at addresses $8E09 to $8E0F, which is code involved with the O2 feedback system. It looks like this ROM was read over the CONSULT port and that a buffer read failed, repeating parts of the previous buffer. This resulted in a few op-codes being overwritten with corrupt data. The software used to read this ROM must not have had any error checking or checksum capabilities. Nissan actually included a great way to check for corruption via a checksum stored in the ROM. OEM ROMs *always* have correct checksums, so you can easily tell if any OEM chip has become corrupted. However, I've never seen an aftermarket chip with a proper checksum, so there is no way of knowing if those chips are corrupt without manually comparing files.

Here are the offending op-codes at ROM addresses $8E09 to $8E0F:
normal 46P00:
$27 $05 $FE $FE $EE $20 $08
corrupt 46P00:
$27 $7B $02 $53 $27 $36 $8E

Here is the disassembly including the adjacent instructions ($8E03 to $8E18)
normal 46P00:
ROM:8E03 ldx byte_FF06
ROM:8E06 tim #2, byte_53
ROM:8E09 beq loc_8E10 ; $27 $05
ROM:8E0B ldx byte_FEEE ; $FE $FEEE
ROM:8E0E bra loc_8E18 ; $20 $08
ROM:8E10
ROM:8E10
ROM:8E10 loc_8E10:
ROM:8E10 tst byte_148A
ROM:8E13 beq loc_8E18
ROM:8E15 ldx byte_FF0C
ROM:8E18
ROM:8E18 loc_8E18:

corrupt 46P00:
ROM:8E03 ldx byte_FF06
ROM:8E06 tim #2, byte_53
ROM:8E09 beq loc_8E86 ; $27 $7B
ROM:8E09 ; ---------------------------------------------------------------------------
ROM:8E0B fcb 2
ROM:8E0C fcb $53
ROM:8E0D fcb $27
ROM:8E0E fcb $36
ROM:8E0F fcb $8E
ROM:8E10 ; ---------------------------------------------------------------------------
ROM:8E10 tst byte_148A
ROM:8E13 beq loc_8E18
ROM:8E15 ldx byte_FF0C
ROM:8E18
ROM:8E18 loc_8E18:

the corrupt code:
ROM:8E09 beq loc_8E10 ; $27 $05
ROM:8E09 beq loc_8E86 ; $27 $7B <--
$27 is the opcode for 'beq' (branch if equal to zero), and $7B is 'tim' (test immediate). It looks like there is a byte missing for the 'beq' instruction, and that the previous 'tim 2, byte_53' instruction was repeated. This is causing the 'beq' instruction at address $8E09 to incorrectly branch to $8E86 instead of $8E10, resulting in the O2 system malfunction.

Follow Ups
Chipping the ECU - Cjw3 12:19:36 11/23/14
Nice job. You can also use a small pair - xpwarrior 12:45:34 11/23/14
great write-up! VTF'd (n/m) - zromtech 20:15:39 11/23/14
Very nice! (n/m) - OverZealous (CT) 21:05:46 11/23/14
Awesome Job! I was going to mention Nail Polish Remover - Red Hawk (CO) 16:07:14 11/24/14
Wow, more than I would ever tackle but nice job! (n/m) - doug8867 18:13:40 11/24/14
Great write up CJ! Glad mine was already socketed. (n/m) - SammybTT(TN) 21:24:05 11/24/14
I know who I'm contacting if I ever need an ECU socketed - spicyZ 07:52:48 11/25/14
Thanks Guys - Cjw3 10:23:39 11/25/14
Re: Thanks Guys - zromtech 14:47:37 11/26/14
I was able to find another copy of the Tuner Guide. - Cjw3 14:39:29 11/30/14
Much safer than dremel and tweezers... - Ted (92TT) 19:28:26 11/25/14
I've used that type of Iron before.. to each his own.. - Cjw3 23:06:53 11/25/14
heat gun works well to soften the conformal coating (n/m) - aliaZ 19:54:53 11/25/14

Post a
Followup You cannot reply to this message because you are not logged in.