NefMoto

Technical => Tuning => Topic started by: _nameless on May 14, 2026, 12:30:07 AM



Title: 5120 4 Bar cap fix
Post by: _nameless on May 14, 2026, 12:30:07 AM
In the M box the original code copies the working pressure-ratio value to R9 (F0 94), then loads the byte ceiling from RAM[0x8B36] into RL4 (C2 F4 36 8B), then the next instruction (1B 94) is the saturation compare/branch that clamps the value if it exceeds the ceiling.
The patched code instead loads the ceiling byte into RL9 (a throwaway register) and replaces the saturation compare. Net effect: the working value R4 passes through unclamped.
The RAM address itself (36 8B = 0x8B36) doesn't change. It just gets routed to a different register so the clamp never actually fires.

You can't just write the same bytes at the same offset to a 1.8T bin — totally different code lives there. You have to find the equivalent routine.

Finding it on a 1.8T file

The patch site has a very specific byte signature: the saturation idiom F0 94 C2 F4 ?? ?? 1B 94 where ?? ?? is the little-endian RAM address of the ceiling byte. Search any ME7.5 1.8T bin for that pattern.
On my 032HS file this returned 4 matches:
Offset 0x065070, RAM addr 0x9F2F
Offset 0x06509C, RAM addr 0x9F30
Offset 0x0650C8, RAM addr 0x9F31
Offset 0x073CAE, RAM addr 0x8A49
The S4 file has exactly the same 4-instance pattern: three sites clustered close together (a run of consecutive multi-clamp operations on different variables), and one lone site further away in the binary. The lone site is the HBN ceiling. On S4 that's 0x7030C; on my 032HS it's 0x073CAE.
Two more sanity checks that confirmed the match before I flashed:

1. The byte sequence immediately after the patch site (F2 F9 0E FE) is byte-identical between the S4 reference and my 1.8T file — same downstream instruction, compiled the same way.
2. The three cluster sites in both files share an identical 24-byte continuation (F0 94 C2 F4 ?? ?? 1B 94 F2 F9 0E FE 7C 79 46 F9 FF 00 FD 03 E7 F8 FF 00), confirming they're the same multi-clamp template — and the lone site diverges in both files, because it's a different function.

If your 1.8T bin shows the same 3-cluster-plus-1-lone structure, the lone offset is your patch site. If it doesn't, post your bin and I (or someone else) can take a look.

The patch for my 032HS bin

Patch site: 0x073CAE. RAM ceiling address: 0x8A49 (different from S4's 0x8B36 — different ECUs, different RAM layouts; this is expected).
Apply the same transform Axis published, substituting the RAM address from your own bin:
Original (offset 0x073CAE): F0 94 C2 F4 49 8A 1B 94
Patched  (offset 0x073CAE): C2 F9 49 8A 5C 19 1B 49

Per-byte changes:
  0x073CAE: F0 -> C2
  0x073CAF: 94 -> F9
  0x073CB0: C2 -> 49
  0x073CB1: F4 -> 8A
  0x073CB2: 49 -> 5C
  0x073CB3: 8A -> 19
  0x073CB4: 1B -> 1B  (unchanged)
  0x073CB5: 94 -> 49
The RAM address bytes shift left by two positions (they move from offsets +4/+5 to +2/+3) and 5C 19 replaces what used to be the compare-target.

Porting to other 1.8T box codes

For any other 1.8T ME7.5 file:

You should get 4 matches.
Identify the lone offset (the one not clustered with two others within ~100 bytes).
Read the byte at offsets +4 and +5 of that lone site — that's your RAM ceiling address (little-endian). Call those bytes LO and HI.
Write at the lone offset: C2 F9 LO HI 5C 19 1B 49
Fix checksums (see below) and flash.

Verify the +8 byte (immediately after the 8-byte patch) is F2 in your bin. If it's not, something's structurally different in your file and the porting assumption needs a closer look.
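
The search-and-port procedure described in the post, as an added Python example that is not part of the original post: it finds the F0 94 C2 F4 ?? ?? 1B 94 sites, picks the lone one, checks that the +8 byte is F2, and returns the 8 replacement bytes without writing anything. The function names and the zero-filled sample image are assumptions constructed for illustration; checksum correction is not covered.

```python
import re

# Idiom from the post: F0 94 C2 F4 ?? ?? 1B 94, ?? ?? = little-endian RAM address.
SIGNATURE = re.compile(rb"\xF0\x94\xC2\xF4(..)\x1B\x94", re.DOTALL)
CLUSTER_GAP = 100  # "within ~100 bytes", per the post


def find_sites(image):
    """Return [(offset, ram_addr), ...] for every signature match."""
    return [(m.start(), int.from_bytes(m.group(1), "little"))
            for m in SIGNATURE.finditer(image)]


def lone_site(sites):
    """Return the one site with no other match within CLUSTER_GAP bytes."""
    lone = [s for s in sites
            if not any(o[0] != s[0] and abs(o[0] - s[0]) <= CLUSTER_GAP
                       for o in sites)]
    if len(sites) != 4 or len(lone) != 1:
        raise ValueError(f"expected 3 clustered + 1 lone site, found "
                         f"{len(sites)} matches, {len(lone)} lone")
    return lone[0]


def plan_patch(image):
    """Return (offset, ram_addr, original_bytes, patched_bytes); writes nothing."""
    offset, ram = lone_site(find_sites(image))
    if image[offset + 8:offset + 9] != b"\xF2":  # structural check from the post
        raise ValueError(f"byte after site 0x{offset:06X} is not F2")
    lo, hi = ram & 0xFF, ram >> 8
    patched = bytes([0xC2, 0xF9, lo, hi, 0x5C, 0x19, 0x1B, 0x49])
    return offset, ram, bytes(image[offset:offset + 8]), patched


def build_sample():
    """Constructed 512 KiB image: zero fill plus the four sites listed in the post."""
    img = bytearray(0x80000)
    for off, ram in [(0x065070, 0x9F2F), (0x06509C, 0x9F30),
                     (0x0650C8, 0x9F31), (0x073CAE, 0x8A49)]:
        img[off:off + 9] = (b"\xF0\x94\xC2\xF4" + ram.to_bytes(2, "little")
                            + b"\x1B\x94\xF2")
    return bytes(img)


if __name__ == "__main__":
    off, ram, orig, new = plan_patch(build_sample())
    print(f"site 0x{off:06X} ram 0x{ram:04X}: {orig.hex(' ')} -> {new.hex(' ')}")
```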