As you can imagine, there is no standard way to integrate a new function into different ECUs.
As a very highlevel description, the following steps have to be done to integrate a new function
into a binary:
1) Produce disassembled code of the image.
   - Need a disassembler for C167 to do this.
   - Useful if you have a disassembly of a similar image with symbol names inside for comparison.

2) Find the addresses of all global variables in the image that are needed in the new function.
   - This is done normally by looking into the disassembled code and roughly "knowing"
     which things/patterns to look for or comparing code of a reference image.
   - These variable addresses vary with each image version, same as it is with map addresses.

3) Find unused parameter space in flash, if configurable parameters are needed in the function.
   - some smaller areas are still found to be unused, best is to verify in the
     disassembled code if the selected space is really not accessed by regular code.

4) Find unused RAM space, if local variables are needed in the function.
   - also here, some areas are still found to be unused, best is to verify in the
     disassembled code if the selected space is really not accessed by regular code.

5) Find a free space in the flash to store the new function.
   - after end of regular code there is normally enough unused space found in the flash.

6) Find the point where to link-in the new function in the image.
   - This is done by searching again in the disassembled code.

7) Finally, write the new function in assembler, assemble the code of the new function
   with the correct addresses of global variables, parameters, and local variables.
   - Need an assembler for C167 to do this.
   - Be careful: don't disturb the stack, don't change registers which are used by the orig code.
   - If you write position independent code, you don't have to care at which address
     the code gets stored.

8 ) Store the assembled function at the selected address in the flash, and link it in
   at the selected point by replacing the existing instruction by a call to your function.
   - The new function should perform the replaced instruction as last instruction.

9) Test the image.
   - If you made a fault, the ecu will start the application at first, but then reboot repeatedly
     -> time for bootmode flashing  .

All of the above steps besides the final testing can also be done by tool (kind of
self-installing-patch). Such a tool needs to be created specifically for each use case.
Makes sense only if you want to implement the same/similar function to many different images.

Thank you Setzi. This is a little above my skill set at the moment, but it gives me an idea of what to look into.

I have been reading through almost every post on this forum, so interesting all the information thats on it, this is by far one of the ones that completely stumps me, so i would like to understand it, im kind of new here, i actually started digging into volvo me7 computers, and have gotten pretty far with it by learning most of me7's internal workings from this site, but the one thing i have left is trying to implement some sort of code like this post shows, proving to be a little bit over my head at the moment, im not sure if im selecting the right processer when loading in IDA pro

Pop and push the Register on/off the stack.

Thanks guys. So, to be safe I should [-r0] all Registies used in a new function at the beginning and then [+r0] then back at the end?

Does this sound unreasonable? 

how to determine what memory adresses are unused? i have dissasembled binary and see many unused RAM space (#38), but when i log a few adresses (without conversion) which im planned to use with my own routine i see a strange freezed values in it like a 57990 or 63078.

and second question - i have used ALS routine`s calls() function but where i can make my own link? 

put the hex code in a binary file and import it to specific offset works well

I tried this and it worked great. Thank you.



To expand on the original topic, can we discuss deleting unused functions to reclaim space and repurposing that space for new, custom functions? I've done it with SLS and am currently deleting DSLSLRS.

My concern is identifying if deleted function was called or was part of the main runtime loop and how to handle either case with new functions. i.e. if a want to write a called function in the place of a runtime loop function that gets ran all the time.