So, below is the factory entry to the LASH diagnosis procedure. xram2_byte_0F030E.6, checked at 045696, is a RAM copy of the CDLASH flag. When it is not set, the code jumps almost to the exit of the procedure and set_DTC is never called. The jump has to be redirected to a place where a clean DTC is registered (here 0466B2), but it is not as simple as just changing the jump address. The DTC setting code needs to have the current DTC status word (xram_word_F35FE) at [r0], which is not yet there when the jump at 04569A is taken. Luckily, the code at 0456B4..0456BA is effectively a NOP (it zeroes r9 and then branches only if r9 is non-zero, which never happens), so this 8 byte space can be utilised to fix this.
; sub_04567C -- factory entry to the LASH diagnosis procedure (original bytes).
; Listing format: flash_<addr>:[<bytes>] <C166 mnemonic>.
; r0 serves as the data stack pointer here: [-r0] pushes, [r0+] pops.
sub_04567C:
flash_04567C:[88,90] mov [-r0], r9          ; save r9..r6 (restored in reverse order at 04675C..046762)
flash_04567E:[88,80] mov [-r0], r8
flash_045680:[88,70] mov [-r0], r7
flash_045682:[88,60] mov [-r0], r6
flash_045684:[28,02] sub r0, #2             ; reserve one word at [r0] for the DTC status word
flash_045686:[4A,2F,FC,9F] bmov r12.15, iram_word_FD5E.9   ; r12.15 = FD5E.9 (meaning of the bit not visible here)
flash_04568A:[D7,40,2C,00] extp #0x2C, #1   ; page override for the next instruction only (page 0x2C = 0B0000..0B3FFF)
flash_04568E:[F3,FC,80,03] movb rl6, data_byte_0B0380  ; rl6 = data_byte_0B0380; bit 2 is tested at 0456BC
flash_045692:[F3,F2,0E,83] movb rl1, xram2_byte_0F030E  ; rl1 = RAM copy of the CDLASH flag byte
flash_045696:[8A,F1,02,60] jb r1.6, loc_04569E          ; CDLASH set -> continue the diagnosis
loc_04569A:
flash_04569A:[EA,00,40,67] jmpa cc_UC, loc_046740       ; CDLASH clear -> straight to the exit path; set_DTC is never reached
loc_04569E:
flash_04569E:[F3,F4,41,84] movb rl2, xram2_byte_0F0441
flash_0456A2:[8A,F2,02,70] jb r2.7, loc_0456AA
loc_0456A6:
flash_0456A6:[6F,88] bset PSW.USR0
flash_0456A8:[0D,01] jmpr cc_UC, loc_0456AC
loc_0456AA:
flash_0456AA:[6E,88] bclr PSW.USR0
loc_0456AC:
flash_0456AC:[3A,88,F8,6C] bmovn r8.12, PSW.USR0        ; r8.12 = !USR0, i.e. r8.12 mirrors bit 7 of xram2_byte_0F0441
flash_0456B0:[84,00,FE,B5] mov [r0], xram2_word_0F35FE  ; [r0] = current DTC status word (the set_DTC code below works on it)
flash_0456B4:[F2,F9,1C,FF] mov r9, ZEROS                ; r9 = 0 (ZEROS SFR)
flash_0456B8:[48,90] cmp r9, #0                         ; always equal ...
flash_0456BA:[3D,02] jmpr [cc_NZ,cc_NE], loc_0456C0     ; ... so never taken: these 8 bytes (0456B4..0456BB) are free for the patch
loc_0456BC:
flash_0456BC:[9A,F6,09,20] jnb r6.2, loc_0456D2
loc_0456C0:
[...]
loc_046740:                                             ; exit path reached when CDLASH is clear
flash_046740:[F3,FC,3F,84] movb rl6, xram2_byte_0F043F
flash_046744:[9A,F6,05,00] jnb r6.0, loc_046752
loc_046748:
flash_046748:[E7,FE,10,00] movb rl7, #0x10
flash_04674C:[75,FE,3F,84] orb xram2_byte_0F043F, rl7   ; bit 0 set -> set bit 4 of 0F043F
flash_046750:[0D,04] jmpr cc_UC, loc_04675A
loc_046752:
flash_046752:[E7,FC,EF,00] movb rl6, #0xEF
flash_046756:[65,FC,3F,84] andb xram2_byte_0F043F, rl6  ; bit 0 clear -> clear bit 4 of 0F043F
loc_04675A:
flash_04675A:[08,02] add r0, #2                         ; drop the status-word slot
flash_04675C:[98,60] mov r6, [r0+]                      ; restore r6..r9
flash_04675E:[98,70] mov r7, [r0+]
flash_046760:[98,80] mov r8, [r0+]
flash_046762:[98,90] mov r9, [r0+]
flash_046764:[DB,00] rets
The fixed version is (with 2 bytes to spare):
; sub_04567C -- patched version.  Only 04569A..04569D and 0456B4..0456BB differ
; from the factory bytes; everything else is byte-identical.
sub_04567C:
flash_04567C:[88,90] mov [-r0], r9          ; save r9..r6 (r0 is the data stack pointer)
flash_04567E:[88,80] mov [-r0], r8
flash_045680:[88,70] mov [-r0], r7
flash_045682:[88,60] mov [-r0], r6
flash_045684:[28,02] sub r0, #2             ; reserve one word at [r0] for the DTC status word
flash_045686:[4A,2F,FC,9F] bmov r12.15, iram_word_FD5E.9
flash_04568A:[D7,40,2C,00] extp #0x2C, #1   ; page override for the next instruction only
flash_04568E:[F3,FC,80,03] movb rl6, data_byte_0B0380
flash_045692:[F3,F2,0E,83] movb rl1, xram2_byte_0F030E  ; rl1 = RAM copy of the CDLASH flag byte; r1 is not written again below
flash_045696:[8A,F1,02,60] jb r1.6, loc_04569E          ; CDLASH set -> continue as in the factory code
loc_04569A:
flash_04569A:[0D,0A] jmpr cc_UC, loc_0456B0             ; PATCH: CDLASH clear -> still store the status word, decide again at 0456B4 (rel +0x0A words from 04569C = 0456B0)
flash_04569C:[CC,00] db 0xCC, 0x00                      ; PATCH: pad for the replaced 4-byte jmpa; CC 00 is the NOP encoding
loc_04569E:
flash_04569E:[F3,F4,41,84] movb rl2, xram2_byte_0F0441
flash_0456A2:[8A,F2,02,70] jb r2.7, loc_0456AA
loc_0456A6:
flash_0456A6:[6F,88] bset PSW.USR0
flash_0456A8:[0D,01] jmpr cc_UC, loc_0456AC
loc_0456AA:
flash_0456AA:[6E,88] bclr PSW.USR0
loc_0456AC:
flash_0456AC:[3A,88,F8,6C] bmovn r8.12, PSW.USR0        ; r8.12 = !USR0 (mirrors bit 7 of xram2_byte_0F0441)
loc_0456B0:                                             ; both paths join here
flash_0456B0:[84,00,FE,B5] mov [r0], xram2_word_0F35FE  ; [r0] = current DTC status word, as 0466B2/046724 expect
flash_0456B4:[8A,F1,02,60] jb r1.6, loc_0456BC          ; PATCH: re-test CDLASH (r1 still holds the byte loaded at 045692; only r2, USR0 and r8 were touched in between)
loc_0456B8:
flash_0456B8:[EA,00,B2,66] jmpa cc_UC, loc_0466B2       ; PATCH: CDLASH clear -> register a clean DTC
loc_0456BC:
flash_0456BC:[9A,F6,09,20] jnb r6.2, loc_0456D2         ; NOTE(review): the factory code zeroed r9 right before this point; the patch drops that. If the elided code from loc_0456C0 on reads r9 before writing it, it now sees the caller's value -- confirm.
loc_0456C0:
[...]
loc_0466B2:                                             ; clear-DTC path: operates on the status word at [r0]
flash_0466B2:[A8,80] mov r8, [r0]
flash_0466B4:[66,F8,FE,FF] and r8, #0b1111111111111110  ; clear bit 0
flash_0466B8:[B8,80] mov [r0], r8
flash_0466BA:[A8,90] mov r9, [r0]
flash_0466BC:[66,F9,FF,F0] and r9, #0b1111000011111111  ; clear bits 8..11
flash_0466C0:[B8,90] mov [r0], r9
flash_0466C2:[0D,30] jmpr cc_UC, loc_046724
[...]
loc_046724:
flash_046724:[A8,80] mov r8, [r0]
flash_046726:[78,82] or r8, #0b00000010                 ; set bit 1
flash_046728:[B8,80] mov [r0], r8
flash_04672A:[A8,90] mov r9, [r0]
flash_04672C:[76,F9,00,20] or r9, #0b0010000000000000   ; set bit 13
flash_046730:[B8,90] mov [r0], r9
flash_046732:[A8,80] mov r8, [r0]
flash_046734:[88,80] mov [-r0], r8                      ; push a copy of the updated status word (presumably the set_DTC argument)
flash_046736:[E6,FC,33,00] mov r12, #0x0033             ; r12 = 0x33 -- presumably the DTC code; verify against set_DTC_0320E8
flash_04673A:[DA,03,E8,20] calls set_DTC_0320E8
flash_04673E:[08,02] add r0, #2                         ; drop the pushed copy
[...]
[...]
The actual patch to do this is very short:
; Patch for sub_04567C: route the CDLASH-clear path through the clear-DTC
; code at 0466B2 instead of the bare exit at 046740.  Expected bytes after
; assembly (from the fixed listing): 0D 0A CC 00 at 4569A and
; 8A F1 02 60 EA 00 B2 66 at 456B4 -- compare the assembled output against
; these before writing flash, since a wrong relative displacement lands
; mid-instruction.
org $4569A
jmpr cc_UC, $456B0      ; 2 bytes, replaces the first half of the 4-byte jmpa to 46740 ...
nop                     ; ... and the pad for the second half (CC 00)
org $456B4
jb r1.6, $456BC         ; CDLASH set -> original flow at 456BC (r1 unchanged since 45692)
jmpa cc_UC, $466B2      ; CDLASH clear -> clear-DTC path; the status word is already at [r0] from 456B0
For completeness, this is the entry to this procedure in the Abarth bin:
; Abarth bin: entry of the equivalent procedure.  Here the factory code already
; stores the status word and jumps to the DTC code (043CE2) when CDLASH is
; clear, which is the flow the patch above reconstructs for the other bin.
sub_042CA8:
flash_042CA8:[88,90] mov [-r0], r9          ; save r9..r6 (r0 is the data stack pointer)
flash_042CAA:[88,80] mov [-r0], r8
flash_042CAC:[88,70] mov [-r0], r7
flash_042CAE:[88,60] mov [-r0], r6
flash_042CB0:[28,02] sub r0, #2             ; reserve the status-word slot at [r0]
flash_042CB2:[4A,30,FC,EF] bmov r12.15, iram_word_FD60.14   ; note: different source bit than FD5E.9 in the other bin
flash_042CB6:[D7,40,2C,00] extp #0x2C, #1   ; page override for the next instruction only
flash_042CBA:[F3,FC,8A,05] movb rl6, data_byte_0B058A
flash_042CBE:[F3,F2,0E,83] movb rl1, xram2_byte_0F030E  ; same CDLASH flag byte and address as in the other bin
flash_042CC2:[8A,F1,04,60] jb r1.6, loc_042CCE          ; CDLASH set -> continue at 042CCE (not shown)
loc_042CC6:
flash_042CC6:[84,00,44,BB] mov [r0], xram2_word_0F3B44  ; [r0] = DTC status word (0F3B44 in this bin)
flash_042CCA:[EA,00,E2,3C] jmpa cc_UC, loc_043CE2       ; CDLASH clear -> clear-DTC path
loc_042CCE:
where 043CE2 corresponds to 0466B2 in the other bin. And that, I guess, is what was intended from the start.
Onto the next thing, which I am not sure what it will be... Have to finally mount my AFR setup, which is the whole reason for this exercise.