QR25DE Tuning

[jaf]

There's an ST L9302-AD driver and an MC33186 around that area of the circuit according to a couple of photos I had taken previously but I won't be able to open the ECM for a while to trace out what pins on the SH7055 are used.
Is the NERS software you mention possibly the same as "Nissan_J2534.exe" that I downloaded some time ago? That software accepts encrypted ROM files only (won't take a straight binary). Check your PM.

[fenugrec]

Didn't find much info about the L9302, but it could be the ignition / injector drivers. The MC33186 is an H-bridge, possibly for the throttle actuator. Let me know if you ever get around to tracing the pins on the PCB!

I didn't get your PM yet, but it may be the same thing... you've tried running it ? NERS is the 270$ software listed here:
http://www.nissan-techinfo.com/J2534.aspx

[jaf]

Try your PM now - my first attempt didn't work.
L9302 is indeed the ign and injector driver.
MC33186 is the throttle motor H-bridge controller. Datasheet readily available on the internet.

ECU came out since I have been wanting to try out a different cam timing tune with a lot more top end advance so here are the connections that I could trace:

ECU pin 5 (MOTOR1) > MC33186 pin 6,7 (OUT1)
ECU pin 4 (MOTOR2) > MC33186 pin 14,15 (OUT2
MC33186 pin 3 (IN1) > SH7055 pin 145
MC33186 pin 19 (IN2) > SH7055 pin 146
MC33186 pin 13 (DI2) > SH7055 pin 64
MC33186 pin 18 (DI1) > SH7055 pin 12

ECU pin 85 (K Line) > ??? Sorry, can't trace this one - might be under my AUD wiring and associated blob of silicone.

I expect the J2434 software runs like a charm but it only allows for downloading factory encrypted files so not much use. The encryption doesn't look particularly strong though....crack that and you have a fully functional CAN flasher!

[fenugrec]

Thanks for the tracing. Too bad for the K-line, but judging from the amount of code referencing SCI1 I think that's the serial interface that's used.

I found some code that would seem to be cam-advance table reading :
(sorry about the ugly formatting, it seems this forum doesn't support code listings... I've also pastebinned it at http://pastebin.com/ZnmpnHHU
******
loc_63C22: ; CODE XREF: sub_63BFA+1Cj
mov.l r14, @-r15
mov.w @(h'9C,pc), r2 ; [00063CC4] = h'FFFF85EA
mov.l @(h'B0,pc), r6 ; [00063CD8] = h'88FC
mov.l @(h'B0,pc), r5 ; [00063CDC] = h'88E8
mov.l @(h'B4,pc), r4 ; [00063CE0] = h'6C75
mov.w @(h'96,pc), r3 ; [00063CC6] = h'4DD4
jsr @r3 ; rd_table? ; in: r4=&table?
; r5=?
; r7=?
mov.b @r2, r7
mov.w @(h'92,pc), r2 ; [00063CC8] = h'FFFF9069
mov.w @(h'8C,pc), r3 ; [00063CC4] = h'FFFF85EA
mov.b r0, @r2
mov.l r14, @-r15
mov.l @(h'A8,pc), r6 ; [00063CE4] = h'890C
mov.l @(h'A8,pc), r5 ; [00063CE8] = h'88E0
mov.l @(h'AC,pc), r4 ; [00063CEC] = h'6CB5
mov.w @(h'82,pc), r1 ; [00063CC6] = h'4DD4
jsr @r1 ; rd_table? ; in: r4=&table?
; r5=?
; r7=?
mov.b @r3, r7
mov.w @(h'80,pc), r3 ; [00063CCA] = h'FFFF9065
mov.b r0, @r3
add #8, r15
lds.l @r15+, pr
rts
mov.l @r15+, r14
[/code]
*********
the subroutine rd_table is called from a few other places in the code with tables at 6C35, 6805, 6bb5, 6bf5 and 6935.

[jaf]

Those last 5 addresses are all 8x8 maps which I can't identify the function.
The OBDII connector is wired up for both K line and SCI Tx and SCI Rx so 2 serial interfaces will be used.

[fenugrec]

Hi,
not sure what you mean by "OBD connector for both K and SCI TX/RX" ? From the wiring diagram, the connector only has 1 pin to carry data (K), the others are power & ground. I would guess that the single K line is level-shifted from 0/12V to whatever the CPU needs. (John you probably know all of this already, I'm just clarifying for eventual readers and to make sure we agree). However to complicate matters, the CPU has the ability to control, through software, the function of each pin... so it might assign a serial module, SCI1 for instance, to that pin, and later use SCI2 for the same pin... or even an ADC or whatever.

I have a feeling that SCI1 is the one for OBD, but there are also interrupt handlers for SCI0, SCI2 and SCI3 so I have to wonder what the others are for...

AFR maps : According to jaf the AFR maps would be at 6D25 and 6E25 (16x16 uint8?). I found a piece of code which looks a lot like another table read similar to the ones for cam advance. That code is part of the hugest piece subroutine I've encountered yet (see pic !). I pastebinned the relevant piece of code here :
http://pastebin.com/9izEY4th
so the axes for both tables could be 7D46 and 7D22 (16x uint8) . I have no way of verifying which one is which, nor if it makes any sense.

IGN maps : again according to jaf there would be three identical ignition maps, 64F5, 65F5, 66F5. This is a bit less obvious, but I'd have to say the axes are 7F7E and 7F8E, both 16 x uint8. I've found two funcs that read those tables, one of which is hard to understand. Here's from the clearer routine: http://pastebin.com/GRn7BXbc
The other obscure routine that reads 64F5 uses the same axes, it would seem.

John do these axes make sense with your analysis ?

[jaf]

OBDII socket wiring is different on the X-Trail then with 2 extra wires in SCI Rx and SCI Tx positions. This is like older OBDI Nissans but without the CLK pin which the SH7055 doesn't need as it will auto sync.
For AFR Maps, axis are now confirmed to be 7D22 = rpm and 7D46 = load. I think the ecu interpolates between the "cold" AFR table to the "warm" AFR table when the O2 sensor starts outputting a voltage and then starts trying to get transitions happening. Happens within 20 secs of startup.
Ign timing maps confirmed rpm axis is 7F8E, load axis could be 7F7E but not 100% confirmed. No idea why there are 3 identical maps? Maybe it is a 2 stage retard on knock? Does the code give any clues as to what it is doing? Older Nissans had 2 maps and fell back to a second (obviously retarded) map when knock is detected.
I'll put together a current list of what has been identified so far at this end.

[fenugrec]

Re XTrail OBD connector : that's weird, it doesn't show up on the wiring diagrams I found. One thing's for sure, I don't have those 2 extra pins on my Sentra so it won't help me p-)

AFR maps : It seems the code uses also a third AFR map at 6F25 ! How does it look compared to the two maps you originally found ?
Here's what happens in the code : AFR map#3 at 6F25 is read first, then either 6E25 or 6D25 depending on RAM variable 0xFFFFAB8A. If someone wants to take a look, this is the code starting at 475AC.

IGN maps : those are intriguing. In one of the funcs (the one that doesn't use 64f5), both 65f5 and 66f5 are read. I haven't worked out what happens after but it could be interpolating between the two on some basis that I haven't identified (octane ? temperature ?).
However, there's the other func I mentioned that reads only from 64f5. The funny thing is that it doesn't seem to be called from anywhere, ever. That's either because my disassembly isn't complete enough (very likely), or this is just remnants of a generic codebase applicable to other vehicle variants.

[jaf]

O.K, see attached definitions found so far. Some confirmation is still needed but it there's plenty to play with for now.

There may well be remnants in this code for multiple models just to confuse the issue. I have been fooled a few times. The exact same ECU does the QX5.6 V8 which would have bank1 and bank2 maps etc which may explain why there seems to be a 600rpm idle / temp target as well as a 700rpm one?
As far as I can tell, 6F25 is fuel compensation - I put a big hole in it at 1600rpm to see what it did and it sure enough it pulled fuel. I edit this one to get close to target AFRs after messing with the cam timing that throws everything out. Logging A/F Alpha hints at where more or less fuel is needed under the closed loop portion of Target AFR. Makes sense that AFR is a product of the Target AFR and Fuel Comp maps so the explanation of what is going on in code looks good.
The ignition timing methodology is still a bit of a mystery. I run heavily modified timing and just make sure all maps are the same. It still retards on knock so that works. I could alter each map in turn to see what does what but it would still be a bit indeterminate and I have a solution that works for me so reluctant to mess with it.
The map at 7090 occurs 4 times and is identical to the ones found in Tom's 350GT ROM. I would love to know what they are? I suspect ign timing related. Any clues in code?

Service manual does not show the OBDII extra wires but they are there. Our cars are Jap built so vary from USA market somewhat.

[Tom]

You could use the Address Watch function in NDSII to see what happens with that RAM variable 0xFFFFAB8A. There is a similar check on my 350gt to pick the ign map. It was pointing to one map when my knock sensor was faulty and now its using the other one once I fixed the knock sensor.