NefMoto

Hello, does somebody knows or can point to way to enable/modify/or put ECU values into its can-messages ?
.. like Boost (vag can-id 0x555) which is available not in all turbo MED9x

thanks

yes, they are stored in ram locations
so any tweaks available here

There is a function read the FR it's called embassies iirc

hey
did you have any success in adding boost pressure 0x555 to canbus??

regards

Same question again:

I like to activate Motor_07 and Motor_05 message on CAN-bus of a MK1 Audi TT with ME7.5

Taking a look into FR, the activation should be done by CW_CAN_S, witch should be a 16bit binery value.
A2L tells differend, CW-CAN_S are 4 times awailible but only in 8bit size..
But all CW_CAN_S values are set to 0xff, so at the end, all CAN-values are enabled.
But why are they not on CAN-bus ?

So I Need to tweak E2 to activiate Motor_05 and Motor_07 too ?

Could this be done by coding ?

Anyone ever worked on this and can give advice ?

BR

there is no way to add this by coding

:(

any other idea to active the Motor_07 message ?

In FR, there seems also a value SY_CAN_Config responcible for different kind of CAN Messages. But I cannot find SY_CAN_Config in A2L ..

No more idea yet, CW_CAN_S should be the right value, but this seems not to work, or got the wrong address in A2L

SY_CAN_Config is a compile-time option, can't be changed in a "ready" binary.
CW_CAN_S won't do that either. You have to research the format of said CAN frame (FR should have this info), then disassemble the binary to find where CAN communication is, then manually add the code for filling out and sending said message. Not an easy task, but totally doable.

Thanks, this is the info I was missing and I don´t want do read  :(

An new compilation is not a task of mine, so no Motor_07 message availibe on my ECU..

Good to know for someone else, who has the same idea and  is looking for that info

there is 2 or 3 unused bytes in ecu outgoing can-bus messages
any value can be added here if you good with ida things :)

I never worked on this yet..

IDA-things normaly needs new compilation and if you need to re-compile, you can also active Motor_07 ID AFAIK.
As long as it needs to have a new complilation for that function, I am out so fare :(


btw and a bit OT.:
I know for other SW, if you re-compile, you will get new addresses and a new *.A2L.
If someone chance the ME7 Software with some additional code, I expact the same, and original A2L or Damos wil not work..
Am I true with this ?

You either:
a) Have source code for ME7, which I doubt
or
b) Couldn't hack your way out of a paper bag and need to do some serious reading.

Ehmm yes, that is what I worte :(

can confirm to this ?

ida is not compiler but dissasembler

and again you cant compile whole binary if you havent sources for that

with ida you can understand how the ecu handles can-bus data, write some code in asm, compile it and change/add it in your file thru hex editor

Thanks again for your explanation  :)

Ok, if I unterstand you right, you just wirte your own code, compile and add the code in hex via editor to the original code. (so, you A2L will not change in this case, good to know !)

But I also need to twique the original code, to jump into the new code and jump back to original, witch will be also done in hex-editor, base on the research of IDA?!

At the end,
if you allready have your own code or twique the original code to use unused space in e.g. Motor_06, Byte 6 (0x488), I can take over this hex-code via hex-editor in my APP software ?
I think CAN-haendler will be the same in all software...

I want to send custom values on CAN 280, so Is enought only to change here variables with one I want ( I don't care about conversion factor)
This to me look like CAN-bus data, am I on right trace?

Yes
You can movb 0xF812, yourVariable instead of mdverlc for example

actually, i had a similar challenge. You can find informations here:
http://nefariousmotorsports.com/forum/index.php?;topic=21150.0

It was only modifying a value which already exists. adding another one
is a little bit different task, but very similar.

Just activate some message that is not used, for sure not all are enabled (CW_CAN_S).

After that put whatever you want there.

But every ME7 bin I open have CW_CAN_S is set to FF

Thank you all for your help

Here it is some free space to send custom CAN-bus adata on 1.8T with 8E0 AL software

BYTE_F847 and BYTE_F848  are not used

you can inject up to 255 variables there using those two as id and data bytes
its pretty simple routine

256 ;)

Sample rate will be pretty bad though.

Nice idea  ;D will try that
Is it possible to send DTC over CAN, to make them like on BMW 0-255
Or to ask better question, is DTC stored somewhere in flash?
From my founding  ME7 use B_xxx to set some error flag  than store that in EEPROM?
Soo first method will be to send error flags to CAN
Second will be to read eeprom data where dtc are saved and send them over can

1 for handshake  ::)
10 vars was fine to catch a realtime, 255 would be not for sure


you can reinvent protocols if a beating a dead horse is your fav

26 vars is also fine (thanks fknbrkn) in ColorMFA

I don't want to reivent protocol for DTC, I only want to send them via CAN BUS. I am okay to send them in Pxxx form. Only I don't know how to read them in ASM, where are they stored

ROM:854B7E A8 50                             mov     r5, [r0]
ROM:854B80 1A F5 20 20                       bfldh   r5, #DTCBit_H5, #DTCBit_H5
ROM:854B84 B8 50                             mov     [r0], r5
ROM:854B86 0D 10                             jmpr    cc_UC, loc_854BA8
ROM:854B88                   ; ---------------------------------------------------------------------------
ROM:854B88
ROM:854B88                   loc_854B88:                             ; CODE XREF: DFPM_DLSU_DiagnoseLambdaSondeBeforeKAT_sub_85448A+6DAj
ROM:854B88 F2 F4 40 9C                       mov     r4, word_381C40
ROM:854B8C 9A F4 0C E0                       jnb     r4.14, loc_854BA8
ROM:854B90 A8 50                             mov     r5, [r0]
ROM:854B92 0A F5 01 01                       bfldl   r5, #DTCBit_L0, #DTCBit_L0
ROM:854B96 B8 50                             mov     [r0], r5
ROM:854B98 A8 20                             mov     r2, [r0]
ROM:854B9A 0A F2 02 02                       bfldl   r2, #DTCBit_L1, #DTCBit_L1
ROM:854B9E B8 20                             mov     [r0], r2
ROM:854BA0 A8 50                             mov     r5, [r0]
ROM:854BA2 1A F5 20 20                       bfldh   r5, #DTCBit_H5, #DTCBit_H5
ROM:854BA6 B8 50                             mov     [r0], r5
ROM:854BA8
ROM:854BA8                   loc_854BA8:                             ; CODE XREF: DFPM_DLSU_DiagnoseLambdaSondeBeforeKAT_sub_85448A+58j
ROM:854BA8                                                           ; DFPM_DLSU_DiagnoseLambdaSondeBeforeKAT_sub_85448A+6FCj ...
ROM:854BA8 A8 40                             mov     r4, [r0]
ROM:854BAA 88 40                             mov     [-r0], r4
ROM:854BAC E6 FC 65 00                       mov     r12, #65h ; 'e' ; errorNo. #65h
ROM:854BAC                                                           ; 65+<START_CLAAAA>81083F=8108A4
ROM:854BAC                                                           ; CLALATV (P1176, P0133, P0130)
ROM:854BB0 DA 84 DC 66                       calls   84h, SetDTCME75_8466dc ; Sets the Diagnostic Trouble Code
ROM:854BB0                                                           ; r12 = ErrorCode
ROM:854BB4 08 04                             add     r0, #4
ROM:854BB6 98 60                             mov     r6, [r0+]
ROM:854BB8 98 70                             mov     r7, [r0+]
ROM:854BBA 98 90                             mov     r9, [r0+]
ROM:854BBC DB 00                             rets
ROM:854BBC                   ; End of function DFPM_DLSU_DiagnoseLambdaSondeBeforeKAT_sub_85448A
ROM:854BBC

there is a DTC table that is referenced in code with an offset for each DTC, like in the example above. Try to id this code in your file!
This was discussed in Nefmoto, you just need to find it!


edit:
this
http://nefariousmotorsports.com/forum/index.php?topic=10018.0