Title: ME7 CAN-Configuration
Post by: flamy on March 07, 2019, 03:14:25 PM
Good Evening Gents, did someone ever try to find the CAN-configuration in the binary of a ME7 (with C167)?

Referenced documents:
- 1.8T ME7.5 FR - http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=400.0;attach=359
- Infineon C167CR User's Manual - http://www.keil.com/dd/docs/datashts/infineon/c167cr_um.pdf
According to FR page 1632 a 6 cylinder ECU (in my case ME7.1 K-Box RS4) should send/receive the following messages:

ID     Name          DLC
0x280  Motor 1       8
0x288  Motor 2       8
0x380  Motor 3       8
0x480  Motor 5       8
0x488  Motor 6       8
0x588  Motor 7       8
0x580  Motor Flexia  8
0x440  Getriebe 1    8
0x540  Getriebe 2    8
0x1A0  Bremse 1      8
0x2C0  Allrad 1      5
0x320  Kombi 1       8
0x420  Kombi 2       8
0x520  Kombi 3       8
0x38A  GRA_neu       4
0x362  ACC 1         8
UM page 18-5 tells that the CAN address area of 256 bytes is mapped into segment 0 (dpp: 3; located at 0xC000) and uses addresses 00'EF00h through 00'EFFFh, but I was not able to find that location. So I tried to find a configured message object (UM page 18-18) by its arbitration registers (UM page 18-21) based on the list of CAN messages above:

UARn: ID20...18 | ID17...13 | ID28...21
LARn: ID4...0   | 000       | ID12...5

0x280 (Motor 1) => 0b010 1000 0000 (standard 11-bit identifier) => 0b0 1010 0000 0000 0000 0000 0000 0000 (extended to 29-bit identifier)
=> UARn: 0b000|00000|01010000 = 0x0050
=> LARn: 0b00000|000|00000000 = 0x0000

0x288 (Motor 2) => 0b010 1000 1000 (standard 11-bit identifier) => 0b0 1010 0010 0000 0000 0000 0000 0000 (extended to 29-bit identifier)
=> UARn: 0b000|00000|01010001 = 0x0051
=> LARn: 0b00000|000|00000000 = 0x0000

0x380 (Motor 3) => 0b011 1000 0000 (standard 11-bit identifier) => 0b0 1110 0000 0000 0000 0000 0000 0000 (extended to 29-bit identifier)
=> UARn: 0b000|00000|01110000 = 0x0070
=> LARn: 0b00000|000|00000000 = 0x0000
Now I was searching for the following byte sequences with IDA: "00 50 00 00", "00 51 00 00" and "00 70 00 00". I hoped to find those within a range of 256 bytes, but that was also not the case. First question: what am I missing? Second question: is anybody able to help me (or rather us) to localize the CAN configuration in a ME7 binary?

Best Regards, Nils
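As an added example (not code from the post or from any ME7 tool), the UARn/LARn layout quoted above from the C167CR manual implemented as a small encoder/decoder in Python. It reproduces the three register values worked out by hand in the post, generalises them to any 11-bit or 29-bit identifier, and also emits the four bytes as the C167 would hold them in memory (16-bit SFRs, little-endian), which is the order a byte search would have to use. The FR_MESSAGES lookup is constructed from the FR table in the post; nothing here reads a real binary.

```python
# Added example, not code from the post: encode a CAN identifier into the C167
# message-object arbitration registers using the bit layout quoted above from
# the C167CR User's Manual, and decode it back. A standard 11-bit identifier
# occupies ID28..18 of the 29-bit identifier field.
#   UARn: bits 15..13 = ID20..18 | bits 12..8 = ID17..13 | bits 7..0 = ID28..21
#   LARn: bits 15..11 = ID4..0   | bits 10..8 = 000      | bits 7..0 = ID12..5


def standard_to_extended(std_id):
    """Place an 11-bit standard identifier in ID28..18 of the 29-bit field."""
    if not 0 <= std_id <= 0x7FF:
        raise ValueError("standard CAN identifier must fit in 11 bits")
    return std_id << 18


def arbitration_registers(ext_id):
    """Return (UARn, LARn) for a 29-bit identifier value."""
    if not 0 <= ext_id <= 0x1FFFFFFF:
        raise ValueError("extended CAN identifier must fit in 29 bits")
    id28_21 = (ext_id >> 21) & 0xFF
    id20_18 = (ext_id >> 18) & 0x07
    id17_13 = (ext_id >> 13) & 0x1F
    id12_5 = (ext_id >> 5) & 0xFF
    id4_0 = ext_id & 0x1F
    uar = (id20_18 << 13) | (id17_13 << 8) | id28_21
    lar = (id4_0 << 11) | id12_5
    return uar, lar


def identifier_from_registers(uar, lar):
    """Inverse of arbitration_registers: rebuild the 29-bit identifier."""
    id28_21 = uar & 0xFF
    id17_13 = (uar >> 8) & 0x1F
    id20_18 = (uar >> 13) & 0x07
    id12_5 = lar & 0xFF
    id4_0 = (lar >> 11) & 0x1F
    return (id28_21 << 21) | (id20_18 << 18) | (id17_13 << 13) | (id12_5 << 5) | id4_0


def register_bytes(uar, lar):
    """UARn followed by LARn as they sit in memory: C167 SFRs are 16-bit, little-endian."""
    return uar.to_bytes(2, "little") + lar.to_bytes(2, "little")


# Constructed lookup: a few identifiers and names from the FR table in the post.
FR_MESSAGES = {0x280: "Motor 1", 0x288: "Motor 2", 0x380: "Motor 3", 0x440: "Getriebe 1"}


def register_table():
    """Return rows (id, name, UARn, LARn, in-memory byte pattern) for FR_MESSAGES."""
    rows = []
    for std_id, name in FR_MESSAGES.items():
        uar, lar = arbitration_registers(standard_to_extended(std_id))
        rows.append((std_id, name, uar, lar, register_bytes(uar, lar).hex(" ")))
    return rows


if __name__ == "__main__":
    for std_id, name, uar, lar, pattern in register_table():
        print(f"0x{std_id:03X} {name:<12} UARn=0x{uar:04X} LARn=0x{lar:04X}  bytes: {pattern}")
```

Running it prints, for 0x280, UARn=0x0050 and LARn=0x0000 with the in-memory pattern "50 00 00 00"; a standard identifier only ever lands in the low byte of UARn plus the top three bits of its high byte, so LARn stays zero for every entry in the FR table.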
Title: Re: ME7 CAN-Configuration
Post by: fknbrkn on March 07, 2019, 05:57:14 PM
CW_CAN_R / CW_CAN_S? Or what? What is the aim of your research?
If you want to locate where the CAN params are received/transmitted, just look at the FR, find some rare variable and search cross refs in IDA; one of them is the CAN-bus operation, iirc a mov to 0xF826 or 0xF862 or something like this area.
Long story short, there is CAN header forming with the ID (some kind of mov r5, 0x288h <-- yay) and the message with variables next to it.
Title: Re: ME7 CAN-Configuration
Post by: woj on March 08, 2019, 12:13:02 PM
My ME7.9.10 is slightly different looking at your docs (or is it, I am not really sure), it's a newer generation ST10 I guess, but I can see yours also has the 16 message objects. On my ECU they are configured once and for all in one initialisation function, and the IDs are given there. And it's indirect too, because there is a generic init function that takes the ID as its argument and then inside it the CAN registers are set. Because of this it also took me a considerable while to find where my CAN messages I wanted to know about are. It looks something like this, the init function for one message object (channel I called it):

setup_CAN_channel_0C7CC2:
flash_0C7CC2:[88,60] mov [-r0], r6
flash_0C7CC4:[F0,3D] mov r3, r13
flash_0C7CC6:[D4,20,08,00] mov r2, [r0+#$0008]
flash_0C7CCA:[D4,D0,06,00] mov r13, [r0+#$0006]
flash_0C7CCE:[F4,C0,02,00] movb rl6, [r0+#$0002]
flash_0C7CD2:[D4,A0,0A,00] mov r10, [r0+#$000A]
flash_0C7CD6:[46,FC,1F,00] cmp r12, #$001F
flash_0C7CDA:[EA,E0,7A,7D] jmpa cc_UGT, loc_0C7D7A
loc_0C7CDE:
flash_0C7CDE:[E1,42] movb rl1, #$4
loc_0C7CE0:
flash_0C7CE0:[FF,31] bset iram_word_FD62.15
flash_0C7CE2:[49,60] cmpb rl3, #0
flash_0C7CE4:[3D,12] jmpr [cc_NZ,cc_NE], loc_0C7D0A
loc_0C7CE6:
flash_0C7CE6:[F6,8E,14,EF] mov CAN1IF1M1_IF1_Mask_1, ZEROS
flash_0C7CEA:[F0,4D] mov r4, r13
flash_0C7CEC:[5C,24] shl r4, #2
flash_0C7CEE:[66,F4,FC,1F] and r4, #0b0001111111111100
flash_0C7CF2:[F6,F4,16,EF] mov CAN1IF1M2_IF1_Mask_2, r4
flash_0C7CF6:[F6,8E,18,EF] mov CAN1IF1A1_IF1_Arbitration_1, ZEROS
flash_0C7CFA:[F0,4E] mov r4, r14
flash_0C7CFC:[5C,24] shl r4, #2
flash_0C7CFE:[66,F4,FC,1F] and r4, #0b0001111111111100
flash_0C7D02:[FF,F4] bset r4.15
flash_0C7D04:[F6,F4,1A,EF] mov CAN1IF1A2_IF1_Arbitration_2, r4
flash_0C7D08:[0D,17] jmpr cc_UC, loc_0C7D38
loc_0C7D0A:
flash_0C7D0A:[49,61] cmpb rl3, #1
flash_0C7D0C:[3D,35] jmpr [cc_NZ,cc_NE], loc_0C7D78
loc_0C7D0E:
flash_0C7D0E:[F6,FD,14,EF] mov CAN1IF1M1_IF1_Mask_1, r13
flash_0C7D12:[F0,4D] mov r4, r13
flash_0C7D14:[F0,42] mov r4, r2
flash_0C7D16:[E0,05] mov r5, #$0
flash_0C7D18:[66,F4,FF,1F] and r4, #0b0001111111111111
flash_0C7D1C:[FF,F4] bset r4.15
flash_0C7D1E:[F6,F4,16,EF] mov CAN1IF1M2_IF1_Mask_2, r4
flash_0C7D22:[F6,FE,18,EF] mov CAN1IF1A1_IF1_Arbitration_1, r14
flash_0C7D26:[F0,4E] mov r4, r14
flash_0C7D28:[F0,4F] mov r4, r15
flash_0C7D2A:[E0,0B] mov r11, #$0
flash_0C7D2C:[66,F4,FF,1F] and r4, #0b0001111111111111
flash_0C7D30:[76,F4,00,C0] or r4, #0b1100000000000000
flash_0C7D34:[F6,F4,1A,EF] mov CAN1IF1A2_IF1_Arbitration_2, r4
loc_0C7D38:
flash_0C7D38:[49,C1] cmpb rl6, #1
flash_0C7D3A:[ED,1E] jmpr cc_UGT, loc_0C7D78
loc_0C7D3C:
flash_0C7D3C:[49,C1] cmpb rl6, #1
flash_0C7D3E:[3D,08] jmpr [cc_NZ,cc_NE], loc_0C7D50
loc_0C7D40:
flash_0C7D40:[E6,F4,00,40] mov r4, #$4000
flash_0C7D44:[74,F4,16,EF] or CAN1IF1M2_IF1_Mask_2, r4
flash_0C7D48:[E6,F4,00,20] mov r4, #$2000
flash_0C7D4C:[74,F4,1A,EF] or CAN1IF1A2_IF1_Arbitration_2, r4
loc_0C7D50:
flash_0C7D50:[F4,80,04,00] movb rl4, [r0+#$0004]
flash_0C7D54:[47,F8,08,00] cmpb rl4, #$08
flash_0C7D58:[ED,0F] jmpr cc_UGT, loc_0C7D78
loc_0C7D5A:
flash_0C7D5A:[66,F4,0F,00] and r4, #0b0000000000001111
flash_0C7D5E:[F6,F4,1C,EF] mov CAN1IF1MC_IF1_Message_Control, r4
flash_0C7D62:[49,C0] cmpb rl6, #0
flash_0C7D64:[3D,07] jmpr [cc_NZ,cc_NE], loc_0C7D74
loc_0C7D66:
flash_0C7D66:[F0,42] mov r4, r2
flash_0C7D68:[70,4D] or r4, r13
flash_0C7D6A:[2D,04] jmpr [cc_Z,cc_EQ], loc_0C7D74
loc_0C7D6C:
flash_0C7D6C:[E6,F4,00,10] mov r4, #$1000
flash_0C7D70:[74,F4,1C,EF] or CAN1IF1MC_IF1_Message_Control, r4
loc_0C7D74:
flash_0C7D74:[48,A1] cmp r10, #1
flash_0C7D76:[BD,05] jmpr cc_SLE, loc_0C7D82
loc_0C7D78:
flash_0C7D78:[FE,31] bclr iram_word_FD62.15
loc_0C7D7A:
flash_0C7D7A:[E7,F8,FF,00] movb rl4, #$FF
flash_0C7D7E:[EA,00,C0,7D] jmpa cc_UC, loc_0C7DC0
loc_0C7D82:
flash_0C7D82:[48,A1] cmp r10, #1
flash_0C7D84:[3D,04] jmpr [cc_NZ,cc_NE], loc_0C7D8E
loc_0C7D86:
flash_0C7D86:[E6,F4,80,00] mov r4, #$0080
flash_0C7D8A:[74,F4,1C,EF] or CAN1IF1MC_IF1_Message_Control, r4
loc_0C7D8E:
flash_0C7D8E:[E6,F4,F0,00] mov r4, #$00F0
flash_0C7D92:[F6,F4,12,EF] mov CAN1IF1CM_IF1_Command_Mask, r4
flash_0C7D96:[EC,88] push PSW
flash_0C7D98:[D1,30] atomic #4
flash_0C7D9A:[76,88,00,F0] or PSW, #0b1111000000000000
flash_0C7D9E:[62,88,18,E1] and PSW, xram1_word_E118
flash_0C7DA2:[CC,00] nop
flash_0C7DA4:[9A,31,05,F0] jnb iram_word_FD62.15, loc_0C7DB2
loc_0C7DA8:
flash_0C7DA8:[F0,1C] mov r1, r12
flash_0C7DAA:[08,11] add r1, #1
flash_0C7DAC:[F6,F1,10,EF] mov CAN1IF1CR_IF1_Command_Request, r1
flash_0C7DB0:[E1,12] movb rl1, #$1
loc_0C7DB2:
flash_0C7DB2:[FC,88] pop PSW
flash_0C7DB4:[29,21] subb rl1, #1
flash_0C7DB6:[49,20] cmpb rl1, #0
flash_0C7DB8:[EA,E0,E0,7C] jmpa cc_UGT, loc_0C7CE0
loc_0C7DBC:
flash_0C7DBC:[FE,31] bclr iram_word_FD62.15
flash_0C7DBE:[E1,08] movb rl4, #$0
loc_0C7DC0:
flash_0C7DC0:[98,60] mov r6, [r0+]
flash_0C7DC2:[DB,00] rets
And then it's called like this (r14/r15 are the extended CAN ID):

...
flash_0C7EB0:[E6,FE,01,A0] mov r14, #$A001
flash_0C7EB4:[E6,FF,20,00] mov r15, #$0020
flash_0C7EB8:[DA,0C,C2,7C] calls setup_CAN_channel_0C7CC2

And then (skipping details) there are several places in the code where the data is copied to/from the buffer for the given channel / message object when sending / receiving.
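An added example (mine, not woj's code or anything from the ECU): a Python model of the register values that the setup_CAN_channel_0C7CC2 listing writes, transcribed branch by branch from the disassembly, so the values a given call would program can be computed without single-stepping it. The argument roles (r12 message number, rl3 ID type, r13/r2 mask words, r14/r15 arbitration words, rl6 direction, DLC at [r0+#4]) are read off the listing; the bit names MsgVal, Xtd, Dir, MXtd, MDir and UMask are the Bosch C_CAN IFx register layout, which I assume is what the ST10's CAN module uses, and are only labels for the constants the listing ORs in. The r10 argument and the Command Request handshake loop are left out.

```python
# Added example, not code from woj's post: a model of the register writes in
# setup_CAN_channel_0C7CC2, following the listing's branches. Bit names are
# the Bosch C_CAN IFx layout (assumed for the ST10), used as labels for the
# constants visible in the listing.
MSGVAL = 0x8000  # IF1_Arbitration_2 bit 15: bset r4.15 / part of or #0xC000
XTD    = 0x4000  # IF1_Arbitration_2 bit 14: the other half of #0xC000 (rl3 == 1 path)
DIR    = 0x2000  # IF1_Arbitration_2 bit 13: or'ed in when rl6 == 1
MXTD   = 0x8000  # IF1_Mask_2 bit 15: bset r4.15 in the rl3 == 1 path
MDIR   = 0x4000  # IF1_Mask_2 bit 14: or'ed in when rl6 == 1
UMASK  = 0x1000  # IF1_Message_Control bit 12: set for rl6 == 0 with a non-zero mask


def model_setup_channel(msg_num, id_type, r13, r2, r14, r15, rl6, dlc):
    """Return the IF1 register values the listing would write, or None on its error exits.

    msg_num : r12, message object number (rejected above 0x1F)
    id_type : rl3 (low byte of r13 on entry); 0 -> ID shifted into bits 12..2, 1 -> full two-word ID
    r13, r2 : mask words (r2 is the stack argument at [r0+#8], only used on the rl3 == 1 path)
    r14, r15: arbitration words, e.g. r14 = 0xA001, r15 = 0x0020 from woj's call
    rl6     : [r0+#2]; 1 adds the Dir/MDir bits
    dlc     : [r0+#4]; rejected above 8
    """
    if msg_num > 0x1F or id_type > 1 or rl6 > 1 or dlc > 8:
        return None  # the listing jumps to loc_0C7D78/loc_0C7D7A and returns rl4 = 0xFF
    if id_type == 0:
        mask1, arb1 = 0, 0
        mask2 = (r13 << 2) & 0x1FFC
        arb2 = ((r14 << 2) & 0x1FFC) | MSGVAL
    else:
        mask1, arb1 = r13, r14
        mask2 = (r2 & 0x1FFF) | MXTD
        arb2 = (r15 & 0x1FFF) | MSGVAL | XTD
    if rl6 == 1:  # loc_0C7D40
        mask2 |= MDIR
        arb2 |= DIR
    control = dlc & 0x0F  # loc_0C7D5A
    if rl6 == 0 and (r2 | r13) != 0:  # loc_0C7D66 .. loc_0C7D6C
        control |= UMASK
    return {
        "IF1_Mask_1": mask1,
        "IF1_Mask_2": mask2,
        "IF1_Arbitration_1": arb1,
        "IF1_Arbitration_2": arb2,
        "IF1_Message_Control": control,
        "IF1_Command_Mask": 0x00F0,          # loc_0C7D8E
        "IF1_Command_Request": msg_num + 1,  # loc_0C7DA8: r12 + 1
    }


if __name__ == "__main__":
    # woj's call: r14 = 0xA001, r15 = 0x0020 on the two-word ID path, no mask
    for name, value in model_setup_channel(0, 1, 0, 0, 0xA001, 0x0020, 0, 8).items():
        print(f"{name:<20} = 0x{value:04X}")
```

On the id_type == 0 path an 11-bit identifier ends up in bits 12..2 of IF1_Arbitration_2 with bit 15 set, which is why a plain byte search for the identifier value finds nothing: the stored word is the identifier shifted left by two with a flag bit on top.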
Title: Re: ME7 CAN-Configuration
Post by: phila_dot on March 19, 2019, 10:35:01 AM
mov r12, #0
mov r13, #280h
mov r14, #1
mov r15, #8

Parameters passed to the function - each ID is offset from EF10 exactly as outlined in the FR.
r12 - offset
r13 - ID
r14 - rx/tx
r15 - bytes
Title: Re: ME7 CAN-Configuration
Post by: flamy on March 29, 2019, 03:29:48 PM
Hi,

> what is the aim of your research?

Trying to figure out how it is possible to send some useful variables to the CAN.

> mov r12, #0
> mov r13, #280h
> mov r14, #1
> mov r15, #8
> Parameters passed to the function - each ID is offset from EF10 exactly as outlined in the FR.
> r12 - offset
> r13 - ID
> r14 - rx/tx
> r15 - bytes

Thanks a lot for your hint! Found the patterns for:

- TX:
sub_828AAA:
mov r12, #0
mov r13, #280h
mov r14, #1
mov r15, #8
calls 83h, sub_836CBE
mov r12, #1
mov r13, #288h
mov r14, #1
mov r15, #8
calls 83h, sub_836CBE
mov r12, #2
mov r13, #380h
mov r14, #1
mov r15, #8
calls 83h, sub_836CBE
mov r12, #4
mov r13, #488h
mov r14, #1
mov r15, #8
calls 83h, sub_836CBE

- RX:
loc_828AF2:
mov r12, #0Dh
mov r13, #10h
mov r14, #1
mov r15, #6
calls 83h, sub_836CBE
mov r12, #21Fh
mov r13, #6
mov r14, #1EFCh
calls 83h, loc_836D18+2
mov r12, #5
mov r13, #440h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #8
mov r13, #1A0h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #6
mov r13, #540h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #7
mov r13, #420h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #9
mov r13, #5E0h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #0Ah
mov r13, #2C0h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE
mov r12, #0Bh
mov r13, #590h
mov r14, #0
mov r15, #8
calls 83h, sub_836CBE

Means:

MOB  ID     Name        DLC  DIR
0    0x280  Motor 1     8    TX
1    0x288  Motor 2     8    TX
2    0x380  Motor 3     8    TX
3    -----  ---         -    --
4    0x488  Motor 6     8    TX
5    0x440  Getriebe 1  8    RX
6    0x540  Getriebe 2  8    RX
7    0x420  Kombi 2     8    RX
8    0x1A0  Bremse 1    8    RX
9    -----  ---         -    --
A    0x2C0  Allrad 1    8    RX
B    0x590  Niveau 1    8    RX
C    -----  ---         -    --
D    0x010  ???         6    RX
E    -----  ---         -    --

Kind Regards
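An added example, not code from this thread: a Python scanner that turns the argument pattern phila_dot described and flamy listed (immediates into r12..r15 followed by calls 83h, sub_836CBE) into a MOB table like the one above, so the same extraction can be run over a dumped binary instead of read off the disassembly by hand. The instruction encodings it recognises (E0 = MOV Rw,#data4; E6 Fn = MOV Rw,#data16 with a little-endian immediate; DA = CALLS seg,caddr) are the C167 forms that also appear as raw bytes in woj's listing. The SAMPLE buffer is hand-assembled from flamy's sequences and is constructed, not taken from a real ME7 image; the call target (0x83, 0x6CBE) is sub_836CBE as flamy named it, and the 1 = TX / 0 = RX reading of r14 follows flamy's table.

```python
import struct

# Constructed sample, NOT bytes from a real ME7 binary: the argument sequences
# flamy reported for MOB 0 (0x280, TX) and MOB 5 (0x440, RX), plus the unrelated
# call to loc_836D18+2 that sits between them, hand-assembled with these encodings:
#   MOV Rw,#data4   : E0, (data4 << 4) | Rw
#   MOV Rw,#data16  : E6, 0xF0 | Rw, imm16 little-endian
#   CALLS seg,caddr : DA, seg, caddr little-endian
SAMPLE = bytes.fromhex(
    "E00C"      # mov r12, #0
    "E6FD8002"  # mov r13, #280h
    "E01E"      # mov r14, #1          (1 = TX in flamy's table)
    "E08F"      # mov r15, #8          (DLC)
    "DA83BE6C"  # calls 83h, sub_836CBE
    "E6FC1F02"  # mov r12, #21Fh       a different helper call: must not produce a row
    "E06D"      # mov r13, #6
    "E6FEFC1E"  # mov r14, #1EFCh
    "DA831A6D"  # calls 83h, loc_836D18+2
    "E05C"      # mov r12, #5
    "E6FD4004"  # mov r13, #440h
    "E00E"      # mov r14, #0          (0 = RX)
    "E08F"      # mov r15, #8
    "DA83BE6C"  # calls 83h, sub_836CBE
    "CC00"      # nop
)

SETUP_ROUTINE = (0x83, 0x6CBE)  # segment and offset of sub_836CBE from flamy's post


def decode_mov_imm(code, pc):
    """Decode MOV Rw,#data4 or MOV Rw,#data16 at pc; return (reg, value, length) or None."""
    op = code[pc]
    if op == 0xE0 and pc + 1 < len(code):
        operand = code[pc + 1]
        return operand & 0x0F, operand >> 4, 2
    if op == 0xE6 and pc + 3 < len(code) and (code[pc + 1] & 0xF0) == 0xF0:
        value = struct.unpack_from("<H", code, pc + 2)[0]
        return code[pc + 1] & 0x0F, value, 4
    return None


def decode_calls(code, pc):
    """Decode CALLS seg,caddr at pc; return (seg, caddr, length) or None."""
    if code[pc] == 0xDA and pc + 3 < len(code):
        return code[pc + 1], struct.unpack_from("<H", code, pc + 2)[0], 4
    return None


def find_message_objects(code, routine=SETUP_ROUTINE):
    """Collect {mob, id, dir, dlc} rows: r12..r15 immediates followed by a CALLS to `routine`."""
    rows, args, pc = [], {}, 0
    while pc < len(code):
        mov = decode_mov_imm(code, pc)
        if mov:
            reg, value, length = mov
            if 12 <= reg <= 15:
                args[reg] = value
            pc += length
            continue
        call = decode_calls(code, pc)
        if call:
            seg, caddr, length = call
            if (seg, caddr) == routine and all(r in args for r in (12, 13, 14, 15)):
                rows.append({"mob": args[12], "id": args[13],
                             "dir": "TX" if args[14] == 1 else "RX", "dlc": args[15]})
            args = {}  # any call ends the argument-setup sequence
            pc += length
            continue
        pc += 2  # heuristic: C167 instructions are 2 or 4 bytes; unknown ones are stepped as 2
    return rows


def format_table(rows):
    """Render rows in the MOB / ID / DLC / DIR layout used in the thread."""
    lines = ["MOB  ID     DLC  DIR"]
    for r in rows:
        lines.append(f"{r['mob']:<4X} 0x{r['id']:03X}  {r['dlc']:<4} {r['dir']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(find_message_objects(SAMPLE)))
```

The linear sweep only understands the three opcodes it needs, so on a real image it should be pointed at the initialisation routine (sub_828AAA / loc_828AF2 in flamy's case) rather than the whole file; the call-target filter is what keeps the 0x21F / 0x1EFC arguments of the neighbouring helper call out of the table.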
Title: Re: ME7 CAN-Configuration
Post by: jochen_145 on March 31, 2019, 05:16:53 AM
> MOB  ID     Name        DLC  DIR
> 0    0x280  Motor 1     8    TX
> 1    0x288  Motor 2     8    TX
> 2    0x380  Motor 3     8    TX
> 3    -----  ---         -    --
> 4    0x488  Motor 6     8    TX
> 5    0x440  Getriebe 1  8    RX
> 6    0x540  Getriebe 2  8    RX
> 7    0x420  Kombi 2     8    RX
> 8    0x1A0  Bremse 1    8    RX
> 9    -----  ---         -    --
> A    0x2C0  Allrad 1    8    RX
> B    0x590  Niveau 1    8    RX
> C    -----  ---         -    --
> D    0x010  ???         6    RX
> E    -----  ---         -    --

0x010 is used for the IMMO request of the Kombi. ;) Do you think you are able to enable the Motor 7 (0x588) message? AFAIK all CAN messages are only activatable via hardcoding software.
Title: Re: ME7 CAN-Configuration
Post by: fknbrkn on March 31, 2019, 10:06:41 AM
No, you cannot change 588 w/o tons of useless work. There are a few unused bytes in existing msgs and you can use them as a sub-protocol, using the first byte as id and the second as data and looping them.