NefMoto

hello everyone, ive been recently tweaking my 2004 volvo s60r, im not sure exactly what version of me7 it runs, but its very similar to audi's using the 800BB chip, my question is i saw people working on adding some sort of launch control, seems volvo had to change alot with their files, im not asking anyone to do it for me, but maybe throw me a bone? i saw people patching some sort of code in using IDA pro? is this even possible considering the differences?

Find tsrldyn in memory, load the file to IDA, push "X" (cross reference), you will see where it is accessed.
The first hit will be the place to add a call to your custom routine.

In that routine just set tsrldyn to 0 based on some parameters. You will also need to zero FTOMN.
The code that is floating around on this forum is not the only way or the best way to do things, but it is a start.

ill see what i can come up with, thanks for the response, im still working on understanding IDA properly, i heard some part about splitting the file? is that necessary?, also im probably going to have the port the code thats floating around over?

There's no porting of the code, you just need to sub in the correct variable addresses and insert it at the right spot.
Probably a good idea to have knowledge of programming before you attempt this.

Or you can pay someone to do it.
As for loading the binary into IDA, just search, all the info has been posted on this forum.

IDA is not a magic tool or anything though.

well thanks for the help, i have been playing around with it some, i could probably pay someone to do it, but will probably only use it as a last resort, no fun if you cant do it yourself :), or try :-\, ive correctly loaded the binary into ida pro now, had to split it up, and load two segments, still having some trouble finding tsrldyn, but im going to keep cracking at it

edit: atleast if i mess it up and brick it, it can be easily revived

Yes, as long as you can rewrite in boot mode or pull the chip, you're usually safe.

Btw, maybe this will help you. Some constant addresses you can reference (TSMX, DUBZS):

thanks again, i have to run out for now ill post my findings when i get back, maybe it can be useful for someone? not much of a volvo crowd out there  :D

I haven't touched the Volvo ME7, but I'd imagine something as basic as calculating dwell time should be the same on all ME7...
Good luck.

well i got through about 4 hours worth of functions, havent quite found the right spot, i see that there is a plugin that may help this? do you possibly have it?, the downloads broken from the wiki

It should not be taking you so much time.
Even without the plugin, just press ctrl+u then p.

Takes about 10 minutes per file this way.
Also, IDA has binary search. You can see some of the bytes on my screenshot, try searching for their combinations.
Obviously without addresses, as those are going to be different.

hmm maybe i still have something loaded wrong, even when searching for similar byte's nothing ever comes up in regular text like
TSMX, DUBZS, i have a feeling im getting warmer though

edit : 33376: Can't find name (hint: use manual arg)
 :-\

You will never find any text...
TSMX etc was defined by me manually.

thats why i was getting confused :-P, ill start fiddling through it soon, do you think it would be easier to dis-assemble a file with the code already added to get used to it?, i really appreciate the help

edit : im gonna try a new method tonight, im pretty good at figuring things out, i really want to

hmm, you mind if i pm you? i dont want to clog up the forums with unrelated stuff :-\

seems ive tried most of the easy ways to find it, using me7 logger etc etc...didnt give me much info, searching sequences, theres quite a few hits in my file when searching D7 40 06, just gonna keep plugging away for now

Posting your file would be a start.
No point to PM me at the moment, I am going on a small tuning trip for about week, so you will not get any answers...

no problem, here is an unmodified bin from my car

https://www.dropbox.com/sh/sco8ey18kvzo053/8lGeqsPxqW

bump, still been having fun with this, i tore apart a few audi bin's and more and can figure it out on all of those after a while, but mine seems to be quite a bit different, the part im stuck at is finding the right spot to inject a call for another routine

This file is nothing like the VAG files, the dwell strategies are completely different.

Have you found any dwell related tables at all yet?

KFSZT? i had it marked in my winols i must have deleted it :-P, ill find it again and post it up

anyone have that plugin from andy whittaker for IDA? maybe i could get a little bit more progress with that, seems you were right, the dwell is different in this bin, soft two stage rev limit works

even just somehow turning that into a basic hard limiter would be nice

The plug in will not help you, if you do not know what you are looking for.,

Ive disassembled your file and the dwell routine is nothing like that of VAG ME7, its no where near as complex.

Ive looked through Volvo A2L's and Damos files and everything is just different.

You need somewhere to start from, you cant open your file in IDA and expect it to be there right in front of you.

well thanks for taking the time to look at it, but yeah i know that its not going to be defined and be right there, that is why i have been comparing to files that are known, and after not getting any progress with my file, that's when i decided to post on here, but it looks like because of that fact i may look into something else :-\ like trying to remove the throttle plate closing portion of the rev limiter, it would be nice to just have it use the fuel cut and ignore touching the throttle actuator


edit : but then again, i still have to find the correct routine for that :-\

The method used on the VAG files is possible, you just need to find one dwell map in your file and go from there. Ie use IDA to find the routine that uses that map and patch your own code into the routine.

hmm, seems i may have to use an older volvo as a test vehicle, i'm confused as to why my file is way different then 90% of the others i have seen.. maybe a different software engineer? i can find dwell in the newer and older me7 files, but mine is just not even remotely close

Are you talking about me7 file from volvo that you can locate stuff in or VAG?

volvo sorry, seems older 2000's i can find pretty much anything, 2005-2006R's ive been able to find one dwell map im pretty sure

but mine a 2004s60R, looks almost completely different as far as placement goes, its like everything is just thrown around and totally out of order which makes it hard for me to find similar maps

update, found the right place to call a redirect for custom code, my only question is, will custom code written for vw/audi work, or does it all have to be ported over

ok, what did you find? Do you have a table ID and address?

if you downloaded my file, i'm almost positive i found it at address BA798 - starting with F0 49 F7 F8 48 89 D7 40 C1 00

atleast when looking at it in IDA, it looks identical to a file with it added

please let me know if you have any input :)

edit : looks like im going to have to move a few things around in the other code, only one other question, i have to input my memory locations for RPM and vehicle speed right?, anything else?

I think you need to look at the routine at address 0x4FA66:

interesting, looks like i was wrong.... ive run into another brick wall unfortunately, this project may get the better of me, the locations i need to properly make that work, vfil, b_kuppel, and whatnot, unfortunately i cannot define properly, dang volvo's

i wish i could figure out how to find functions alot easier, i would love to just change how the two stage rpm limiter works instead of hacking in a function, having the throttle stay open when hitting the two stage rev limit would be beneficial i think, if this was a vw or audi, i would have been done by now :( lol

I don't think the marque of the car has anything to do with it.

I've been tuning VAG ECU's for most of my life and I found a dwell table in the volvo file and the routine that calls it with in 10 mins. It was the 1st time I've ever looked at a volvo file (and hopefully the last)  :)

I think you are just trying to do something that is outside of your ability.

Do you have any volvo documentation, A2L or Damos?

i have an older a2l, mine is much newer, most of the maps match up, but volvo jostled them up and threw them all over the place with mine, so its just a matter of finding them

you are correct, but then again, i have always started projects outside of my ability, like starting to tear into the computer aspects of this car, i am looking to learn, and can understand bits and pieces of the assembler code, it would be much better if the address's were identified obviously, i've identified only one so far, which was my nmot, i would like to ID more, but its kind of like shooting in the dark at the moment, i'm trying to understand how me7info identifies most memory address's for vag, maybe if i can understand that i can identify much more

i'm still going to keep giving it a try, so far i have patched the code into my bin some, by the looks of it i just need to identify memory locations, and then i should be all set

edit : as far as correct documentation, i've been reading the FR's posted on here, and one other one, it helps with the tuning aspect, but identification... not so much

edit : found this in the older a2l, doesn't match up to mine though :-\

/begin MEASUREMENT

    vfil_w
    "Filtered speed (16-bit)"
    UWORD
    vfzg_uw_b512
    1
    100
    0
    511.992

   
    FUNCTION_LIST GGVFZG GGVFZG10
    IF_DATA DIM_X      0x301216      EXTERN      WORD
    IF_DATA MCMESS
      0x301216
      EXTERN
 
/end MEASUREMENT

nmot_w being 0xF8AC?

yes

seems i missed something in that a2l, but i still dont see how it would help me here

/begin MEASUREMENT

    nmot_w
    "engine speed"
    UWORD
    nmot_uw_q0p25
    1
    100
    0
    16383.8

    
    FUNCTION_LIST BGNMOT ARMD BBGANG BGMSZS BGNG BGRLP BGSRM CAN_PREP DFFTCNV DFRZ DHFM ESUK FUEDK KHMD LDRLMX LDRPID LDRPLS LLRRM LRS MDBAS MDFAW MDFUE MDMIN MDNSTAB MDVER MDZW NMAXMD OESPEED1 SSTB SYNC70 TC1MOD TEB WFS
    IF_DATA DIM_X      0xF852      INTERN      WORD
    IF_DATA MCMESS
      0xF852 <-------------
      INTERN
 
/end MEASUREMENT

edit :  i need to read more carefully, i may be on to something

wped_w is 0x300BD2

thank you, im confused on how your figuring this? pretty sure i have the layout correct on IDA, nothing shows up really at either address

RAM:300BD1                 ds 1
RAM:300BD2                 ds 1
RAM:300BD3                 ds 1           ive got some learning to do

looks like i might be doing something wrong, my entire ram section is blank DS 1, darn it
created segment at 0081000
ive split the file, found out the address for DPP2, at 0x300000 reloaded... that must be where im wrong

vehicle speed - vfzg_w is  - 0x30182E

wow thanks..... i really do want to understand it, but here is how far ive gotten, injected the code i need to modify, variables for the code

the only thing i haven't finished is redirecting to the custom code, working on that now

I think:

b_brem - FD6C.12
b_kuppl  - FD6E.3

I think that is now all the RAM address' you need.

To recap:
b_brem - FD6C.12
b_kuppl  - FD6E.3
nmot_w - F8AC
wped_w - 0x300BD2
vfzg_w  - 0x30182E

Dwell routine: 0x4FA66

Ive just done the hardest part of it for you, the rest is now up to you

Edit: My spelling sucks.

i cant thank you enough, seriously? honestly, i dont mind working, i have been since i made this post, someday i would really like to understand how you got those

im going to put a calls to the address i picked D7000

im going to overwite the part of the function that is originally   calls   4, sub_41876 to calls   8Dh, 7000h ; 8D7000h

EDIT : upon further review, this is totally different then the other 6 files stock and modified, huh?

there is some odd differences in the volvo code ive noticed, D7 is calls on vag? but on mine its DA?

im getting there, just trying to figure out which one is which, put in all my new locations, my brain is shot, maybe ill wait till tomorrow

http://www.keil.com/dd/docs/datashts/infineon/c166ism.pdf

so cool, but so complicated, im going to take a break till tomorrow, i have gotten pretty far, codes in, redirects in, variables are in, next part is inputting the memory locations into the code, i really appreciate the help, i could have not gotten this far without that, i had been working on that one part for hours

edit - do i need tsrldyn?

Why did you chose to call your routine from there?

to be honest kind of a shot in the dark, i just noticed in the other files i examined, they had it call out to the other routine right away, after thinking about it, im deleting a routine in the process by doing that so that might not be the right way to go

still really confused on how you got those memory locations, i know this is far over my head, but i try to understand as much as i can

You can find those memory locations even automatically using an offset/pattern search.

But manually - you take a base file where you have figured out a certain function and that it accesses certain ram variables you need.
You take the raw hex of that function and mask all the specific locations and addresses.

You then match that pattern with the offsets masked to the mystery binary. If the function is present in the mystery binary you will get the locations.

This is also how you write code injection into programs, that survives multiple patches, etc (this tells a bit about my background) ;)

That is what is going to brick your ECU.


I took a file where I knew all the ram locations. found routines that used the ram locations. Then searched for similar routines/maps in your file, this then gave me the ram locations in your file. It is the most obvious thing to do, there is no magic about it.

matchew, thanks for the help, i know ill probably brick it :-P, but seeing as i have to flash through boot mode anyways, i guess its not the worst thing that can happen, i have another idea as to where i can put the call, ill post it up later on

prj i think i understand what your saying, ill have to give it a shot after work

Back up 95040 as well before you flash anything.

already have :-\, i wish argdub's tool worked on mine, but i had to use an eeprom reader and clamp it, the reason ive already had to do it was i managed to fry my original ECU, apparently wool socks were not a good thing to wear when touching a circuit board

btw: is there any special reason to tweak only the ign dwell and not the injection?

Best way is to retard timing heavily and cut spark sequentially so that some fuel is dumped into the exhaust manifold, where it explodes due to retarded timing and quickly spins up the turbo.

but is it important for NLS (0,1-0,2 Sek.)?

it can be useful for anti lag like in rally cars when going off throttle in corners but I speak about only shifting.

Well the problem is, cutting fuel is not as quick.
Think about it - fuel injectors basically spray all the time, especially at higher loads.

So if you want to cut everything you always will have to wait for some amount, worst case 2 revolutions, or otherwise you can melt the engine.
Whereas with spark cut, you can just cut all power instantly.

ok, good point!

but let me think:
6000 rpm are 100 Hz, waiting for 2 revs=20ms is not that big deal.
melting engine would mean, you expect too lean combustions from fuel at intake walls and remaining spray?

well i finally got some time, pretty much all set i think, but i'm stuck at tsrdlyn, i was able to figure out how matchew found the others, but as i'm not sure where tsrldyn is used, pretty sure its needed?

Yes, remaining spray, etc...
You must finish doing what you are doing with each injector and then not inject for the next cycle.
Whereas with cutting spark, you just cut spark and don't worry about it.

I like spark cut for no lift shift and fuel cut with high timing retard for launch control.

This is how I have implemented it on M2.3.2