NefMoto

So it is time to give a little bit back to the community.

Since i own an Audi TT 3.2 i decided some months ago to completely define the mpc and flash and not only just some parts.
As you all know there is no FR for this ecu/sw out public so i used parts of the me7.X and parts of the med9.1 FR to slowly define my project.

Attached you will find a complete map pack(genuine ols only) the mpc and flash of this ecu which fits the map pack directly and my progress till now but not the actual ida poject(for various "development" reasons).

I will right down however what you will need to import this to ida and make your own project. The file enums.txt and names.txt has my progress until today and you can use it to define lots of variables.In case anyone finds a mistake post it here so i can replace or correct it as cross referencing to both FRs could cause conflicts and misinterpretation.

The following ida import data are correct but i am sure i am missing something vital as some memory address calls are not displayed as they should.

IDA info :

import mpc file
Proc type : SGS-Thomson ST10 [st10]
Ram : 0x380000 with size 0x20000
do not split into 64kb segments
Select ST10F276
load additional binary file
-----------------------------
Enter Load segment : 0x80000
 Loading offset : 0x80000
 File offset in bytes : 0x0
 Number of bytes : 0x0
-----------------------------
Click Edit -> Segments -> Create segment
 Enter Segment name: RAM2
 Start Address: 0xF0000
 End Address: 0x10FFFF
 Base: 0x0
 Choose 16-bit segment
Click Edit -> Segments -> Set default segment register value

Dpps:

dpp0 0x23F
dpp1 and enter 0x3C
dpp2 and enter 0xE0



Future posts will include more enumerated bytes and more address names for this particular ecu.

Here is also an official Memory layout for the st10f275 me7.1.1

Nice work! Respect for the amount of you put into this!


Verzonden vanaf mijn iPhone met Tapatalk

Nice work!

Have you already started your turbobuild with this car?

Parts are coming in as we speak :)

Some pdf's for people that start looking into these, the def file should work in any ols I think, if I remember right I used an old CD def file and the CE file from the VW bit here with this one;

http://nefariousmotorsports.com/forum/index.php?topic=5336.0

I can't remember when I did it but generally anything in German is usually done quickly so probably duplicates/possibly wrong offsets etc - check it all as you go through it.

https://app.box.com/s/lisaln0zijixfcc2id4lnxnkb179t7uh

Great work as usual!!!!   ;D  ;D  ;D

Edited to not detract from op

You can start your own thread about this as this info is general and not specific to this ecu.If you pile up random data from random ecus you can only confuse and disorient the thread.

Here is some more. Some fixed and some new in total of over 2000+ addresses defined.

Attached again fixes and new stuff...

Since i am doing that for all the known reasons ... Customs code - turbo etc... i wrote and tested the als nls for this to a friends turbo car and here are the results..

* code is on mpc
* Variables on Flash so you can alter through obd.
* Cksum is disabled on the mpc

So now there will be a total of 5 people that can tune this ecu for FI now? :D Well done man, thats massive! Do you have a build thread anywhere?

I like that you are working on it yourself also :)

I have so many requests for this stuff, and then I have development stuff like twin turbo R8 with DL800 box...
You can guess which gets priority :(

I try to monitor this thread a little, if you get in some dead end, I can try to chime in.

Thank you PRJ, your knowledge is what gives me motivation for such things and i understand your work load as we all have some. I will keep posting too on my further disassembly..I still have lots of things to double check and add.

Thank You Nick .

No i don`t have a personal build thread but i will make one in the future.The car is from a member in this forum so he can jump in the conversation if he likes.

It is my car and it is making huge flames  ;D
GT innovations done great work on this ECU, as a ST10 ME7 isn't the easiest to add code!

Additions and Fixes.

Does the code have to be on mpc or can you branch out to flash?

At the moment it is on Mpc and will stay there for various reasons..They main one is that i don`t know to handle everything correctly when i am outside of mpc memory addressing scheme as i am sure i am missing some critical info about addressing space. I can see some calls on my ida project that are not correctly translated however i do not care about that at the moment.

I see...

Are you using tsrldyn for cutting ignition?

I'm interested in making some code for ME7.5.20/30 which come with ST10Fxx. I wonder how different this ECU is from those.

It's just as easy (or hard) as any other ME7, frankly. :)
MPC area is at 0x0 (with the exception of IRAM & SFRs), flash is at 0x800000.

EDIT: also, you don't really have to disable MPC checksums. They are stored in the flash and can be fixed either manually or by that "free" OLS floating around. Didn't try it with VAG ST10, but works like a charm with Porsche. Load flash and MPC as 2 separate elements of the same project, then run cks plugin.

But you're definitely on a right track! :)

Initially i was trying to load flash at 0x800000 and ida was not translating the address bytes correctly and in such a case i can not rename those addresses appropriately. Then i switched to 0x80000 and everything was fine.As for mpc checksums i would prefere to not interfere at all what i understood from this is that you don`t need to put the ecu on TEST mode if you are running the mpc cksum off patch.

Giving that St10f27x has not Direct documentation what so over it is harder to match all things as on me7.5 or other well documented ecus. Tkmwl is way off at some points... As i said before it looks like a hybrid me7/me9 ecu.

i haven`t checked yet 7.5.20/30 but if the tsrldyn algo is the same as me7.5 then yes you can use it as i do here.On an NASP car do not expect any big flames or crazy bang sound but it does the job on FI projects.

As far as I can tell only the TT have things like no MLHFM, mk5 R32, A3 3.2 8P all have it from what I've seen so far, wondered why that was as it looks like older TT's had some of these changes too but A3 matches mk5 Golf so don't think it's an ST10 only thing, seems to be TT?

The biggest issue I have is finding ram variables.

I can easily find nmot_w and rl_w but the rest isn't so easy. I think that's half the battle with these ECUs

You have MSHFMU which is actually not described on all or most of the a2l files out there.But if you check some other engines like
s4 v8 you will find it.It is just not called MLHFM but it looks like one only sorter.If you took like 5 seconds to look at my definitions you would have seen it...Have defined it myself using another damos from a v8 engine.

Then someone will say there is no MLMIN or MLMAX and/or other maps/limits.. Look below at the attached image..
There are tons of maps and things that are not defined from most a2ls and i am really curious in what they all do so...

There is a point in the code checking the first byte of the MSHFMU(MLMIN) and the last byte of MSHFMU(MLMAX) like a hardcoded check without any kind of actual declaration in any document or a2l.

i have posted all this things and if anyone likes to understand he only needs to put the names and the enums i have posted to a freshly made ida project using the loading details i published on the first page.

Anyway there are too many things and i am still trying to work on those so i can have a good FI solution in the future.

address mlmin 0x8fe490
address mlmax 0x8fe592

No it is not, once you load the file properly most ram variables are obvious. However which ram variables are you talking about?

i have plenty of stuff on st10fx memory addressing scheme on me7.5.10/20/30

Yeah I went through such changes a while back in the definition files area regarding Jim's TT mk2 3.2T, covered it then, I generally used Porsche files if I remember right, just trying to rescue data at mo to help out;

(https://farm5.staticflickr.com/4356/36468714354_0fd87ee0be_b.jpg) (https://flic.kr/p/XyBGe9)997 TT Defining (https://flic.kr/p/XyBGe9) by Rick B (https://www.flickr.com/photos/146155164@N03/), on Flickr

I think the mk1 TT DAMOS file knocking about has it too doesn't it? The MLHFM map is way off which I think I assumed it used an MSHFMU map too, hence mentioning the TT based changes only regardless of ST10 or not? Didn't have much call to investigate further though at the time.

I'll be honest... I haven't spent a lot of time on it. I need to understand the memory scheme a bit better

Took a look at your binary and I can assure you that flash resides at 0x800000.
Let me give you one more hint - you can't directly use a KTAG readout for the MPC. Data has to be shifted a bit. Take a look at Porsche 997TT A2L&hex, it's public and has a very similar data arrangement. Or you can read MPC with flashit or minimon, then it'll come out at correct addresses.

I knew about the 0x800000 because at first i loaded a hex(from an a2l) file which is already set as it should. You can see it on the output windows while you are importing it on ida.What i didn`t knew is that ktag is actually reading differently then minimon or flashit. Will check how much this should be shifted while i am importing the binary.

New things attached here again   ;)

So after some tests with the LC code i can report that by using the correct registers you should have a good functioning Launch control using TSRLDYN without affecting the rest of the code or disturbing the stack.

Further more the stock coils don`t give a F$)K if you use FTOMN 0.2 0.1 or 0 and on Turbo applications you have the appropriate flame and banging Effect... On the NA engine things are different and when stock catalyst is installed it is acting like a normal Limiter if you just use TSRLDYN even with the schubabschaltung deactivated the pops are not something spectacular or loud as it is on an Turbo application so i will have to do something about this too.

Right now i am using a simple version that jumps right off ub checks for B_br and Vfil_w and Nmot_W to activate the lc and i will add the no lift shift by using B_gsch (not sure if it will work though) since we have a DSG car.. Has someone used B_gsch ?

Will do some more tests and report.

Hints for those that will try to do it themselves..

1.Use correct registers to store your variables as i stated above to avoid having a dead ecu after 1-2 days
2.Use "extp    #23Fh, #1" to access your flash (Depends on where you have free space for variables)
3.Use B_br (b_brems) on dsg or B_kuppl for manual.
4.If the car is Dsg set your Lc from the dsg 500+rpm higher than your custom code

So work kept me busy but i did a lot of progress on that project as well.

Here is the code that someone can use for a simple launch control function bug free on st10f27x.

Loc_LC
      jnb     word_FD5E.B_brems, loc_exit  (use b_brems if it is dsg b_kuppl for clutch)
      mov     r7, vfil_w
      extp    #23Fh, #1
      mov     r9, word_XxXFlash-addressXxX ; speed check
      cmp     r7, r9
      jmpr    cc_NC, loc_Exit
      mov     r7, NMOT_W
      extp    #23Fh, #1
      mov     r9, word_XxXFlash-addressXxX ; rpm check
      cmp     r7, r9
      jmpr    cc_ULE, loc_Exit
      movb    tsrldyn, ZEROS
      jmpr    cc_UC, loc_Exit
loc_exit:                             
                                       
      movbz   r12, UB
      jmpa    cc_UC, loc_return




In addition i am attaching all the latest work i did on this ida project so everything you need to build something from scratch is in there.There could be mistakes in the definitions as i said before because an FR does not exist in this ecu however i will keep fixing and updating it until it is 100% defined.

Currently i am testing something a bit better with more options but time is not enough to do everything at once :)

More good news for my personal project.

First of all i now have no need to define the complete file as i found somewhere on my pile a matching a2l for my binary.
After i studied a bit i found the correct addressing scheme as there is always inside A2l Files.

Basically you can not use ktag boot reads directly as they are missing some "padding" areas.

  /begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x8000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x18000 /*mapping_adr:*/0x18000 /*length:*/0x8000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst20000 "" RESERVED FLASH INTERN 0x20000 0xB0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0xB0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst800000 "" CODE EPROM EXTERN 0x800000 0xE0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x800000 /*mapping_adr:*/0x800000 /*length:*/0xE0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst8E0000 "" DATA EPROM EXTERN 0x8E0000 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x8E0000 /*mapping_adr:*/0x8E0000 /*length:*/0x20000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam380000 "" VARIABLES RAM EXTERN 0x380000 0x6000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x380000 /*length:*/0x6000 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x388000 /*length:*/0x6000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam386000 "" VARIABLES RAM EXTERN 0x386000 0x2000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x386000 /*mapping_adr:*/0x386000 /*length:*/0x2000 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x386000 /*mapping_adr:*/0x386000 /*length:*/0x2000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam388000 "" VARIABLES RAM EXTERN 0x388000 0x200 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x388000 /*mapping_adr:*/0x388000 /*length:*/0x200 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x388000 /*mapping_adr:*/0x388000 /*length:*/0x200 /end IF_DATA
    /end MEMORY_SEGMENT


You have 2 choices here for loading the files to IDA. Either reconstructing the mpc file by padding the areas that are empty or load the binary with offsets.I cross referenced a hex file that i loaded earlier so i can be sure that whatever i do maches that.I always like to reconstruct things so what i did is the following :

Separate the first 32 kb from the mpc (ktag read) pad until 0x18000 and add the rest of the file from 0x18000 and up

ram2(0xf0000)should be added as i stated in the first post and also ram(0x38000)

finally add the flash file with 0x800000 offset and the dpp`s from my first post and you are done.

Now every call or memory address will line up perfectly.

Attached you will find a VIRGIN ida import (Defining has not been done to it)

Thanks to you I figured it all out.

For ME7.5.30 (and potentially other ECU's that only have iROM and no xROM), read ECU with MPPS (real one). At 0x8000 offset add a padding of 10000. Then load into IDA with all the same settings listed here, except that ROM should be 0x0 and length will be whatever the size of your file is.

Happy to help and good to know :) it was not that hard at the end.I have been testing my retardation algo lately and the only thing left is to make the bang effect on gear shifts on a dsg car cause manuals work fine.Both ignition cut and ignition retard works perfect.The boost on the lc with ignition retard though comes much better.

Once that is done i will add a wkrma indicator as well and move onto med17.

Here is the video in proper quality 

https://www.youtube.com/watch?v=bAks3zVOTR4

Thank you for answering my (in retrospect) stupid questions.


I tried doing this with regular automatic with 1.8T ME7 and I couldn't find a variable that would tell me when the ECU is shifting.

Let me know if you find one.

Tried B_gsch without success...have 2 more in mind that i will test if i succeed i will post it here aswell.

I actually remember trying B_gsch and no dice

Do the bang if gearbox requests less than 100%? And don't limit revs with bang only cut some ignitions? This may work also at launch when gearbox controls rpm. At least my old dsg may not do the launch if gearbox don't control rpm.

I do not exactly understand what you are talking about but i will figure out a way...

I think he means do ignition cut if you get torque intervention from TCU

There are 4 at least conditions that Could Fit this function.I will try to keep things simple for starters.

Seems like B_gfen did the job but the duration is too small to produce something with ignition retardation so ignition cut should be used.

Drat. Looks like B_gfen isn't available on most binaries.

Guess I'll have to dig a bit deeper

Another option is triggering BBSAWE on shift

MED9 has an option to dump fuel on shift. One just needs to recreate that. I get nice pops with negative timing and BBSAWE with MED9

cwsawe
ENSAKHG
TVSAG
and KFTVSA are enough for that but still Ignition cut will function better on the short period of time that the dsg requires to shift gears.

Well it works fine as i had another error on my check routine when i was testing that so B_gsch is the way to go in a DSG car.
The duration is enough for the ignition cut..

Good to know. It didn't work when I tried this on a MK4 1.8T but who knows.

Some final tips since my LC and NLS works perfect with ignition Retardation on Dsg and Manual.

Use 160ms of Delay for the retard on NLS(for dsg)
B_gsch is Perfect for activating NLS
-48 Degrees will do the trick for both lc and nls

Blue flame on Gearshifts with catalyst and stock exhaust system.

So i found some time to do a decent video in the code i am running right now..

https://www.youtube.com/watch?v=DUcXId0OJKo

Can anyone perform LC and ALS on the Audi A3 8P 3.2?
How much is it?

Yes for the right price....

Is it enough to read OBD?

Best to read processor too...

Else you can't really correct checksum.

That is Boot Mode?

Yes it is boot mode. Ktag will do that fine in your ecu.

Hello maybe you can help me, it is possible in that ECU to activate analogue RPM output on PIN 37?

Nefmoto = DIY

use an arduino and get signal from wiring harness and convert it to analogue..

It is impossible to activate that output?

Nothing is impossible but not in my schedule to work on that at the moment...Use the info i posted here to do it yourself or use an arduino to conver the signal.

I know this is old, but wanted to bump it so I can refer back to this. ME7.5 1.8T TIPTronic with DSG swap hoping to do this.

Thanks for all the great info!

You need to compare software from dsg and manual gearbox from r32 ex. CA and CB and check different like gearbox coding, clutch pedal coding and other limiters.

When importing the flash,

is the offset 80000 or 800000?

Also, should create segments and/or code segments be selected?

Thank you.

80 00 00, but if asked paragraphs it is 80 00 0.
I dont create segments automatically. When loaded I manually create them by looking at a2l file and knowing the code segment and the data segment. You might find small sections in the code that decompiles wrong because some places are small chunks of data. Might be crc, not sure myself.

Forgot to mention that there are no clear instructions on how the MPC checksums are to be corrected should you ever modify that code.

WinOLS corrects the checksum in the MPC when loaded with the Flash.

My A2L looks like this

 /begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x8000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0xB8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x18000 /*mapping_adr:*/0x18000 /*length:*/0xB8000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst800000 "" CODE EPROM EXTERN 0x800000 0xE0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x800000 /*mapping_adr:*/0x800000 /*length:*/0xE0000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst8E0000 "" DATA EPROM EXTERN 0x8E0000 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x8E0000 /*mapping_adr:*/0x8E0000 /*length:*/0x20000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam380000 "" VARIABLES RAM EXTERN 0x380000 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x380000 /*length:*/0x8000 /end IF_DATA
       
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT



So i'm trying to work out what to use for loading segment and loading offset for the 1mb flash.

The a2l is not an exact match but close enough to find maps in my image, and now i would like to find some RAM variables too.

If you got a damos/ A2L for the project which tells you the segments exactly, then do not disassemble the data(maps) segments as it will give you a bunch of bullshit if you go to xref certain things or etc. and it will just confuse you.

The version I have, 1.5, looks like it does something but still shows that there are 77 checksums when in reality the st10 has over 100. Tried all sorts of ways of importing the elements but I dont trust it, something is sus.
 Its great just for the flash.

There is no issue with the genuine version...

In addition to what PRJ Said... if you try using the free version your gonna have a bad time with that ECU. already did that....

Load flash at 80 00 00. If you load as additional file drop a zero when asked paragraphs, zero offset

It looks like the 1mb flash has code and data.  So does it make sense to load the 1mb flash in two parts?

The first part as a code segment at 0x800000 with length 0xE000, and then the second part as a non code segment, i.e. map data at 0x8E0000  with length 0x20000?

You load it once, make segments manually.

Ok Segments defined,

Do the DPP's need defining for the code in the flash?

https://ibb.co/0JFYYgH

I think i have my files loaded in IDA.

I used prj's script to process the Code areas.

If I look for a single value map, for example KRKTE, then i can see X-Refs to it. So far so good.

But if i search for a 2d map, then i can't see any X-REF's.  I guess maps work differently?

Indirect addressing i guess, can anybody give me any hints?  Thanks,

Unfortunaly many maps are called using registers that are assigned the address in the code.
Lots of subroutines are also called indirectly using values from ram locations so they look like nothing calls them in the code.

no, those tables are in flash (at least in previous me7.1.1)

Hello! if it’s not a secret, can you describe in more detail which cards to change and by how much to get such an effect on the DSG