|
Title: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 23, 2023, 08:24:01 AM Finding the world of Volvo 3.0 t6 engine tuning is so closed, i'm working at making it more open.
I'm working on a 2015 3.0 T6 V60 polestar, and i hope to find help in defining the map pack as much as possible. Resources are so scarce. Below you will find a link to a google drive folder of what i have gathered together so far. So Far there is S60 t6 Ori S60 polestar Ori S60 Polestar Decat V60 Polestar Ori V60 Polestar St2 Polestar Winols Map pack (pretty limited) S80 T6 full damos, which unfortunately doesn't seem to be relevant to my Polestar tuning goals, but there it is. Denso ECM pin cracker Decoding the ECM pin over canbus is understood, its pretty easy and full code will be shared in due course. for now there is a rudimentary exe for use with a DiCE and ECM on the bench. its canbus, not bdm. easy enough to hook up. The same goes for reading / writing to the ECM by canbus. I dont need help with that. Code will be shared when i have time.....its not like writing a recipe for cookies. Developing a stage 3 (that is to say hybrid turbo) on the V60 Polestar is the main goal and i hope i can find some people with Denso skills who can contribute https://drive.google.com/drive/folders/1u8lUEzp_bT217ps74HcFhZJ7T7U9lWbJ?usp=sharing Thanks for looking PoleStarPete Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 23, 2023, 11:12:16 AM Hi,
I'm intrested in Denso tuning. How will you flash such ECUs? It should be locked by PIN or something like this. I can add flashing/reading of such ECUs to my tool which can use any j2534-1 compatible device for flashing/logging. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 23, 2023, 01:33:57 PM brute force crack the pin, then you can read write fairly easily by odb2.
Read writing isnt the obstacle. map definition is the obstacle :-( for the polestar at least. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 23, 2023, 04:03:32 PM I should try to make a SuperH module for my def generator, then could implement full logging on these...
I remember looking at some SuperH stuff on IIRC Mitsubishi and ram loads were quite weird... Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 24, 2023, 01:56:22 AM Let me know if thee is anything i can do to help.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 24, 2023, 02:01:52 AM brute force crack the pin, then you can read write fairly easily by odb2. Finding maps aren't a problem. Everything can be done by analogy. You already have defined ols.Read writing isnt the obstacle. map definition is the obstacle :-( for the polestar at least. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 24, 2023, 02:05:31 AM the s80 ols does not seem usefull , but of course, this is far from my area of expertise. if you can make a useful map pack, please do :-)
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 24, 2023, 02:50:55 AM the s80 ols does not seem usefull , but of course, this is far from my area of expertise. if you can make a useful map pack, please do :-) What about flashing? SH7*** devices should ping dedicated PIN every XXX miliseconds. Easiest way to do it is taking of Volvo SBL for such module. Or write own SBL but this task is not easy (at least for me). Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 24, 2023, 02:55:44 AM it sounds like you want work by DiCE, thats not really my goal as i have a hard ware solutiuon for r/w , but i'm sure it will be good to have and understanding of that for you. If you log canbus on a ECM reload in Vida you can see its not witchcraft :-) , or look at the vida log files. they are very informative.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 24, 2023, 03:39:00 AM it sounds like you want work by DiCE, thats not really my goal as i have a hard ware solutiuon for r/w , but i'm sure it will be good to have and understanding of that for you. If you log canbus on a ECM reload in Vida you can see its not witchcraft :-) , or look at the vida log files. they are very informative. Yes I want to reload software remotely. Logs from Vida very useful. I used it to understand Volvo's protocols. By the way in all cases you will need memory logging for propertly tuning. Logging with read memory by index isn't enough for it. My current console logger supports generic j2534 devices. I'll extend it with UDS protocol soon.Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 24, 2023, 04:11:00 AM The problem is not UDS protocol or D2 protocol, that's super easy.
The problem are the ram cell locations on each software across different architectures. I have support for ST10/C167, PowerPC ISA, PowerPC VLE and TriCore now for automatically locating variables from a similar-ish A2L. I guess I need to make a module for SuperH now. This is the first step to making useful RAM logger. Comms protocols are the last step after you already have the data. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 24, 2023, 04:15:18 AM The problem is not UDS protocol or D2 protocol, that's super easy. But your solution isn't free.The problem are the ram cell locations on each software across different architectures. I have support for ST10/C167, PowerPC ISA, PowerPC VLE and TriCore now for automatically locating variables from a similar-ish A2L. I guess I need to make a module for SuperH now. This is the first step to making useful RAM logger. Comms protocols are the last step after you already have the data. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 24, 2023, 05:26:27 AM But your solution isn't free. Of course it's not free. The A2L data isn't either. The generation software took a year of development.Full time jobs seldom are free :P You can make UDS stack, then if somebody wants they can search for variables in IDA (and they need to get a similar a2l before that). This limits the real usage of the software to <0.1% of possible users however. Everybody else is fucked because no solution exists for them. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 24, 2023, 08:41:02 AM t6 a2l are floating around i'm sure, polestar, not so much. however we know hilton does it with his ram logger on poelstars . the logs contain headings such as Sfi_LnrAFCmp_bank1, Scm_AccPWM_Pts (and many many more) so that gives some clues.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 24, 2023, 01:10:29 PM t6 a2l are floating around i'm sure, polestar, not so much. It does not need to be an exact match to automatically find most RAM variables needed for tuning.IDK about how different the cal is on those, I've never worked on one. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 25, 2023, 01:31:27 AM t6 a2l are floating around i'm sure, polestar, not so much. however we know hilton does it with his ram logger on poelstars . the logs contain headings such as Sfi_LnrAFCmp_bank1, Scm_AccPWM_Pts (and many many more) so that gives some clues. From Denso A2L:Scm_AccPWM_Pts "Acc. pedal PWM position" Sfi_LnrAFCmp_bank1 "Linear A/F compensation" But again. If you can dissasembly something with existing A2L then other similar binaries (including polestar) can be analyzed by analogy. PS thanks for response generation algorithm for Denso. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 25, 2023, 04:37:19 AM sounds like progress!
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 25, 2023, 04:42:55 AM From Denso A2L: Scm_AccPWM_Pts "Acc. pedal PWM position" Sfi_LnrAFCmp_bank1 "Linear A/F compensation" But again. If you can dissasembly something with existing A2L then other similar binaries (including polestar) can be analyzed by analogy. PS thanks for response generation algorithm for Denso. It's much simpler than that. Code: <DataIdentifier Name="Accelerator position PWM signal" ID="D9A8" Size="2"> And Code: <DataIdentifier Name="Linear AF feedback compensation" ID="D936" Size="4"> It is contained in the DSA files Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on March 25, 2023, 05:09:01 AM I'll put a Hilton log file into the google drive, it has all the important fields for tunning.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on March 25, 2023, 06:29:13 AM It's much simpler than that. Where can I find DSA files?It is contained in the DSA files Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on March 25, 2023, 10:51:10 AM Where can I find DSA files? If you find out, I would love to know as well. I only have one for Denso.Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on April 01, 2023, 01:18:09 AM I've added some more none polestar stuff.
S60 RD 3.0 T6 Ori and Stage 2+ and Map pack Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: Kess2emak on April 02, 2023, 01:38:43 PM I've added some more none polestar stuff. S60 RD 3.0 T6 Ori and Stage 2+ and Map pack Thanks a lot for that! I've been working on P3 stuff a little bit (not as far so you guys). I'm from Canada and found a guy from Belgium that says he has been tuning P3 T6s (3.0L) and Polestars (3.0L) for a couple years now. Shared with me some dyno sheets and looks very clean tbh. One thing I was curious about is what program are people using to send him their BIN. I know a bunch of people have access to what Hilton give them when they go through him but I personally have never done business with him and have yet to find a tool for that to help me expand my work. I'm far from being a professional tuner but what I do great is addons and additions features on OEM ECUs (custom codes here and there). Someone willing to share where they get theirs? Much appreciated :) Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on April 04, 2023, 02:26:48 AM I use a "home made" hardware solution to read write directly by odb2. its essentially an MCU and a can transceiver. Once you have logged an ECM reload with Vida you literally have everything you need to know about how to interact with the ECM. Of course these odb2 methods use the pin code where as bench readers like auto tuner, kess and the like dont need the pin, but removing the ECM is a massive PITA.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: dikidera on April 06, 2023, 12:01:33 PM What a treasure trove of information regarding Denso. These newer cars, do they still use Renesas' SH architecture or newer stuff? And if yes, do you happen to know which architecture it features?
Additionally I was wondering if anyone knows what Volvo mean by Ga and Gn and Ne in their DHA database. For instance "Area number by Ga" or "Mass airflow based on Gn". Then there is also "Stored Scm_Gn" and "Stored Scm_Ne". Something is meant by Gn,Ga,Ne and Scm but so far I have no clue. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: Kess2emak on April 10, 2023, 01:37:06 AM I use a "home made" hardware solution to read write directly by odb2. its essentially an MCU and a can transceiver. Once you have logged an ECM reload with Vida you literally have everything you need to know about how to interact with the ECM. Of course these odb2 methods use the pin code where as bench readers like auto tuner, kess and the like dont need the pin, but removing the ECM is a massive PITA. Gotcha! That is what I figured. Any ideas if these bench readers would have all the maps properly defined or would there be any limitations? I have an auto tuner kit so I could test it out if it is worth the work of removing that ECU... Thanks for the information Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on April 10, 2023, 02:15:01 AM Any ideas if these bench readers would have all the maps properly defined or would there be any limitations? Slow down.A flash tool reads and writes an ECU, it does nothing else. The input and output is a binary file. What is inside there has nothing to do with the flash tool, no flash tool knows anything about maps in there. It only knows how to read and write the file to the ECU. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: Kess2emak on April 10, 2023, 01:27:58 PM Slow down. A flash tool reads and writes an ECU, it does nothing else. The input and output is a binary file. What is inside there has nothing to do with the flash tool, no flash tool knows anything about maps in there. It only knows how to read and write the file to the ECU. I was asking because there is a guy claiming to say that it can do everything. He is doing his S60s with a tuner from europe and while he is in the states. I found that a bit weird cause otherwise every one would be doing this. Again, thanks for the reply Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on April 11, 2023, 12:19:43 AM I was asking because there is a guy claiming to say that it can do everything. He is doing his S60s with a tuner from europe and while he is in the states. I found that a bit weird cause otherwise every one would be doing this. Yea so they read the file, send it to the tuner, the tuner sends tune back, hopefully they log and repeat the process a couple times.Again, thanks for the reply Working remote, you know? Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: dikidera on April 20, 2023, 12:45:55 AM For writing your own SBLs, you can use this as a reference https://github.com/fenugrec/npkern
I do not know how the maps and main ECU code are organized, if they are separate again or not, however if they are, what I found that helps is stitching together all of it in a single idb in IDA,Ghidra. This helps immensely in data referencing. If something like DHA did exist for P3 it would have been the best outcome. Having 100+ memory addresses already named helped a lot. It may not be relevant, but I am attaching my most up-to-date P2 Denso idb. Additionally I have a question. I have identified a few maps which I believe are related to the fueling. After many many hours I have determined that these values are Lambda values with a factor of 0.000030518. However I naively expected a single map to affect the final lambda value, in reality, to a single map value, there were many additions, multiplications, substractions. Of course these values were then added to various other values, which themselves were computed similarly, to get a Final Target Lambda. How the Lambda gets computed to injection time is still unknown to me. However I began to question something and that is if the car operates in open loop which is during acceleration, which means at that point, the car must use separate maps for this. If I was looking to things related to Lambda and thus the oxygen sensors feedback, this means I was looking at closed loop maps, and not open loop maps? Maybe this is about as much can be done statically without logging real-time data. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on April 29, 2023, 02:12:38 AM there is defiantly DHA for p3, getting it is the hard part :-(
I've got some dha databases for some of the common platform fords of the correct era. might be useful . i'll add it to the Google drive. I have also added a can log of an ecm reload by Vida. https://drive.google.com/file/d/1rho2kS1vriuaOxVd_zI-F7GZx7b2HmOy/view?usp=share_link Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prj on April 29, 2023, 03:11:27 AM It's for SDA not DHA now.
I've only seen one file for a 2016, and I don't have any contacts where to get anything else. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: PoleStarPete on April 29, 2023, 03:12:40 AM ive added all the dha / sda stuff i have
https://drive.google.com/file/d/1IlaN9Lp_Ne4GhKn1fmaz7BGOO0CPbIZl/view?usp=share_link Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: dikidera on April 30, 2023, 11:26:57 PM I never said that such software doesn't exist, but that it isn't readily available for us.
When I first started, without DHA, I had to manually probe the ECU PCB, attach an oscilloscope, to map what each pin does and then later try to correlate my measurements with the logic in the code. Then later on when rkam gave me a list of variables and memory addresses, even with over 100+ named variables, there were pieces of code, logic, which I don't fully understand. Which is why I could only name my variables "Related_to_<X>" and add question marks on possible behaviour. I wonder if in such cases, it's better to write a whole system SH<x> emulator. I have done some basic boilerplating by adding a new build option for SH2 rather than the SH4 in QEMU. My next step was removing the MMU, but I still couldn't quite figure out the QEMU API. The idea was to get SH2 code executing and fixing whatever snags I hit until for instance we get to the streaming CAN data part and then finally a fully emulated ECU of a running car. Of course QEMU is not cycle accurate and I am not sure if this will be a problem or not. Hope someone has more information on this. In any case I have done nothing beyond just adding a different build option for SH2. The CPU model needs to be changed to implement various interrupts, exceptions etc. I am juggling so many things right now from fixing my entire car to family issues that I simply do not have time. So far, with just basic emulation with GhidraEmu I have managed to further my knowledge of the Denso internals. I managed to find an opaque CAN interface which is where it was all indirectly used, along with the dynamically constructed data at address FFFF7448. Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on May 15, 2023, 06:17:41 AM Generate key for Denso T6 ECM reversed from Pete's PIN application:
Code: unsigned int __cdecl GenerateKey(unsigned __int8 *PinArray, unsigned __int8 *SeedArray, _BYTE *KeyArray) Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on December 23, 2023, 02:24:02 AM Algorithm described below is standard algo for Volvo P3 platform. It used for CEM and ECM ME9. Looks like other modules also use it. Tool from PoleStarPete can find PIN for ME9.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on December 23, 2023, 03:08:52 AM Slightly modified P3 hash function from vtl
Code: uint32_t p3_hash(uint8_t pin[5], uint8_t seed[3]) Code: // Then you can you this code to send response to ECM: Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: dikidera on December 24, 2023, 09:09:53 AM If I had a P3 car I could have contributed more with a fat IDB, it would be most difficult without a DHA, but this has never stopped me into sinking hundreds even thousands of hours into reverse engineering a project.
Title: Re: Volvo 3.0 T6 Denso tunning files Including Polestar (P3 Platform) Post by: prometey1982 on December 25, 2023, 02:06:35 PM ME9 is not simple as Denso T6 ECM. ME9 has 5 digit PIN code. For example here one my firmware for ME9:
Code: ROM:000029C0 pin_29C0: .byte 0x70, 8, 0, 0x82, 0x47 So it's not easy to find key by bruteforce. I found some analysis of CEM PIN code from SPA platform https://v-spa.net/forum/viewtopic.php?p=245#p245 maybe ME9 ECM has similar limitations on PIN. |