NefMoto

Hello everyone,

I'm been browsing around on this website/forum for a while now but never dared to tamper with my car... Until now.

So I'm the current owner of an Audi S3 1.8T AMK EG.

More info ECU wise:
8N0906018J
0004
360314

So, my initial strategy was as follow: keep my stock ECU as is, buy another one and start messing around with that one on the bench without immobilizing the car.
I have plenty of question on that subject but let's put that aside for the moment as I found something else on the car that worries me.

So, one of the previous owner did a poor job of tuning the car and blew the engine. It had to be redone. Previous owner assured me the car was reverted to stock during that rebuild.

Except when I compare the content of my ECU to a basefile I found on the forum. It doesn't add up.

Differences (Map name - my understanding of the map - start addres in hex):

KFKHFM (Correction map for Mass Air Flow) - 0x10C23
KFMIRL (Engine load request - rlsol) - 0x150CA
KFLF (Injection time scaling) - 0x18B20
KFLDIMX (unclear to me) - 0x1E200
KFLDRL (Map for linearization of boost pressure) - 0x1E352
KFLDHBN (Maximum pressure ratio - usefull for atmospheric pressure adaptation) - 0x1E8F2
LDRXN (Maximum load - boost pressure control) - 0x1EAD4
LDRXNZK (Maximum load if knock) - 0x1EB16
????? (No info in xdf/a2l) - from 0x1BC90 to 0x1BD59
????? (No info in xdf/a2l) - from 0x1E760 to 0x1E8DF
????? (No info in xdf/a2l) - from 0x1E932 to 0x1EAB1
????? (No info in xdf/a2l) - from 0x1EB94 to 0x1EBD2
????? (No info in xdf/a2l) - from 0x1FC46 to 0x1FC7C
????? (No info in xdf/a2l) - from 0x1FE36 to 0x1FE3C

????? (No info in xdf/a2l) - from 0x8D93A to 0x8D949
????? (No info in xdf/a2l) - from 0xFFFE0 to 0xFFFE5
Those last two might not be mapping related. I don't know enough yet to be certain.

I'll link all the files I used so you can check by yourself if you want to. This above is just a short summary.



So my questions are:
1) Is my map short definition somewhat near the truth?
2) What is all this? This thing has modification on fueling & boost but no ignition. I'm kind of lost here. Does it look legit to you?
3) Any info on the map I didn't have a definition for? Didn't find a .a2l with that info.
4) Could the differences be linked to hardware modification (sensors?). I don't think by looking at the map modified (except maybe KFKHFM) but I'm clearly not an expert.
5) Should I revert to standard mapping I found here?
6) If you took the time to read all this, THANK YOU!

Edit: No sure if this is the right section for this kind of question. But I'm a noob after all and this is not exactly a rate my tune. If I'm mistaken just let me know :D

yes, revert to stock, start from there.

There is a full hex/a2l for your binary freely available.
Look around for it, if you haven't yet.

And yes deffo go to stock first. Never modify a tuned file that was not done by yourself.

Ok thank you to both of you. I already found some definitions files but not a full one. I'll keep looking. Maybe my search criteria are a bit too strict. I've been looking for a perfect match with this specific ECU/EG code combo but maybe any a2l for a 210/225 1.8T could do the trick.

Attached.
Not a2l, but dam is good enough to locate everything for tuning.

If you want to connect ME7Logger with engine running using SLOW-0x00 mode:
0x3D73E - 3D 06 -> CC 00
0x75C2C - 3D 08 -> CC 00
0x76AFE - 3D 03 -> CC 00

Wow, thanks for this prj!

It's my non-8E 1.8T devel software file, I have done pretty much everything imaginable on it :)

Thanks. I've no way of reading .a2l/.dam at the moment. Is there any free (and legal, obv) tuner soft that can read those definition files?
If not I guess I'm stuck with TunerPro for now and I'll notepad the sh*t out of that .dam file into .xdf. This might even be helpful for other people I guess.


Honestly, you lost me there but I guess I'll figure it out as I go forward :D

Thanks!

That would be perfect if applicable to other ecus like k-box

Could you elaborate that?

So, little update:

As I mentionned earlier. I'm trying to understanding the structure of the .dam file you shared with me. So far I found table definition looking like this.

(https://i.imgur.com/X2Q3zei.png)

So what I deduced so far:
/SPZ gives main information about Table: Name, Description, TBD, Start address

/SPW gives information about Cells of the table: TBD, Cell Data Size, Min Value, Max Value

/SPX gives information about X-axis: TBD, Cell Data Size, Min Value, Max Value, TBD

/SPY gives information about Y-axis: TBD, Cell Data Size, Min Value, Max Value, TBD

/FKX : TBD (I tought it was about X-axis size but does not seem to be the case after investigating several table)
/FKY: TBD (same as FKX but for Y-axis?)
/ABL: TBD

Is there any truth to what I just wrote?
If so and if I find all those info, I'm pretty sure I can create a script to translate .dam into .xdf for the ones among us that can't afford WinOls.

Nothing to elaborate, look what I patched and patch the same in K.

Ok thanks. It will make logging easier.

Bump! Info anyone?

Is it possible to do this in 512kb ecu?

I've searched in S3 1024 file and found "3D 06", if I search the same in my 512kb ecu the value is different

I'm not experienced like others here but I'm 90% sure that 512ecu is always narrowband o2. And 1024ecu is always Wideband.   They are very much not interchangeable. 

If one has things you need then what I do is copy the table data over manually one at a time.

You have no clue what you're on about.

Of course it's possible. You will have to locate the same code. If you don't know how to disassemble the two files and compare, then you are not going to have any chance.
Also this topic was about AMK.

I've attached a screenshot showing what I did (searched in the 512kb bin what is the most similar possible nearest chacacters that have in 1024KB ecu at the addresses you pointed), but i'm really not sure how to properly do the disassemble you mentioned. I'm just a hobbyist not pro a tuner.

I've randonly found your post thats why I'm replying here, this mod caugh my attenttion bcs is something that will help me logging with VisualME7logger. by the way its an awesome program!

edit: following that logic I've mentioned I found:

Do not attempt this without double checking with disassembly. You gonna change some random thing and brick the ecu or something.

Too late, I've tested in my ECU, no bricks but also no connection with engine running.  :-X :-X

Is there any place where I can learn to dissassemble the bin?

If you need to ask a such question, you will never be capable of it. This is not something you do through a tutorial.

You need to:
1. Reverse the current binary
2. Look at the function that is being patched in the binary and what is being done, understand why.
3. Transfer the same modification to your binary.

I can tell you already now that the functions in 512k and 1024k are different code wise.

I have more than 20 years experience reversing. I do not see that you will get anywhere within a few years of seriously attempting this without a strong IT background, if you even have the brain to do it.
Specifically stuff like comms or flashing related code is much more difficult to go through than standard ASW logic, as it also requires knowing the comms standards inside and out, so you have any understanding of what you are looking at.

I have asked about disassembly and started my search in forum and google, got some interesting things (like Andy Whittaker tutorial and script => https://andywhittaker.com/ecu/disassembling-a-bosch-me755-with-ida-pro/ ) but yeah, it is a lot more complex than I imagined when I asked

I did what I did because the way you said seem like it was easy to do (search same thing in 512kb file and replace with "CC 00", and bingo!)  but its fine if I'm not able to get this solution to my 512kb ecu, good to learn. I still interested in what you have discovered and shared. Thank you anyway!

Im sorry to Highjack this post, but does any one know where i can find these Values on a 032HJ ecu from a MK4 ?

0x3D73E - 3D 06 -> CC 00
0x75C2C - 3D 08 -> CC 00
0x76AFE - 3D 03 -> CC 00

I searched the whole file and they are not there so its def a diferent memory adress

Use VehiCAL logger it is free for VAG ME7 C167 and has an automatic built-in patcher for this, that does it for you on any binary.

From my understanding ( i might be wrong) it doesnt work with a cheap blue KKL cable .. mine is an FT232RL chip.

ill give it a try anyway

Tactrix J2534 clones cost about the same as a KKL cable these days on Aliexpress. About 10 EUR incl. shipping.
How much cheaper do you need?

It costs less than driving 100km lol.

Noted, I will order one for myself than, reason i said that is because when i do a google search it comes up with cables in the 500-900 euro range.

Thank you for your help

I am not sure what you searched for but even an original Tactrix OpenPort cable is around 180 EUR:
https://ecutools.eu/chip-tuning/openport-20/ (https://ecutools.eu/chip-tuning/openport-20/)

I thought about making a J2534 driver for KKL cables, but once I realized that J2534 clones have come down to 10 EUR in price I abandoned that idea.
J2534 is a good idea regardless, if you move on to newer ECU's you can still use the cable for logging and flashing.

My cable arrived today, got a Tactrix Openport 2.0 Rev E for about 26€ off amazon, its transparent body, black board, golden pins ( the better quallity one) as i read a compare between this one and the green board one, already tested it with Vehical and it works, just did an init to check compatibillity but it works, thank you prj both for your sugestion, and for making me7 protocol free, really appreciate it, merry christhmas and happy new year.

Already patched my file,  ill be doing the config tomorrow and log my car properly

Sent from my SM-N9860 using Tapatalk