NefMoto

Technical => Reverse Engineering => Topic started by: ejg3855 on September 19, 2011, 10:43:42 AM



Title: Haldex Controllers Thinking.....
Post by: ejg3855 on September 19, 2011, 10:43:42 AM
It's my understanding that the Haldex Controllers on 04 R32's and Mk1 TT's are controlled by a magic box.

Many tuners sell a "Blue" or "Orange" box that applies torque at different rates.

It's also my understanding that the only change from stock to blue to orange is the code that is written to the controller. This was conjured up from a thread we had on vortex.

I was wondering if anyone has toyed with this idea or the box to do any learning?

Thanks!


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on September 19, 2011, 06:18:25 PM
A good start would be tearing apart the Haldex controllers and posting some pics if you want any development to happen.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on September 19, 2011, 06:33:36 PM
Quote
A good start would be tearing apart the Haldex controllers and posting some pics if you want any development to happen.

yea I need to get a spare, I was more curious if anyone has done anything.


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on September 19, 2011, 07:19:06 PM
Well I'm very interested so pics would be a good idea. From there we can see if there is any flash chips that we can identify and then proceed to read said chip and figure out what's in there :)


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on September 19, 2011, 08:55:56 PM
I have a few stock controllers, and an orange one that is on my car. I'll dig them out and post some pictures/chip numbers soon.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on September 19, 2011, 09:10:39 PM
Found this
http://www.borgwarner.com/en/Haldex-AWD/tech/Pages/ECU.aspx

Not sure what generation it's from though


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 13, 2011, 09:31:36 AM
Still haven't acquired a spare controller, but just read on another forum that it is in fact a flash the only difference from the Stock->Blue->Orange.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 13, 2011, 11:16:35 AM
I remember looking at one recently and the board with the ic's was buried in this clear gel. Like a VW/Audi abs unit if you've ever seen those on the inside.


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on October 14, 2011, 07:18:21 PM
Clear gel? You mean epoxy?


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 14, 2011, 10:08:46 PM
No, more like silicone boogers  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 17, 2011, 04:17:58 PM
Ok...here are some pictures...This is a stock controller. The one I remember seeing the gooey stuff on was a blue one (protection?). It has a CAN high and low along with a K-line going to it through the large plug on the left of the picture. It's address 22 to access it with VCDS through the OBD port.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 20, 2011, 05:46:32 AM
Haldex Pinouts:
T8 - Socket between car and control unit
T8/1, Red = Ign.
T8/2, Black = Gnd.
T8/3, White = BLS (brake light switch)
T8/4, Blue = HBLS (hand brake light switch)
T8/5, Brown = K-line (diagnostics)
T8/7, Blue/Grey = CAN low
T8/8, Blue/Orange = CAN high

T2 - Socket between control unit and feeder pump(pwm switched voltage)
T2/1, Yellow = Pump 1
T2/2, Yellow/Black = Pump 2


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 20, 2011, 05:58:29 AM
So if it can be accessed through the CAN port would that mean it's flashable from OBD? Or is that still unknown.

I am trying to find the chip on that board and seem to be failing.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 20, 2011, 06:33:20 AM
Quote
They are physically the exact same only the software is different.

The haldex sits on the car's electronic management bus (CAN BUS? Or is that the latest one, I'm too lazy to look it up.) The software on the haldex monitors certain things on the bus broadcasted by the ecu/sensors such as brake on/off, parking brake on/off, and some other things.

My friend and I who are "in the know" were talking about it and some one took the software and either decompiled it (my friends theory) or simply edited the binary file with a hex editor (my theory.)
Either way they modified the software by doing stuff like taking out the part where it stops engaging the pump during braking, made it take lower TPS values (or TPS values period) into consideration, steering angle sensors and other things..)

How did they get the "software" you asked?
Well as I pointed out in that post I linked to above I found documentation on haldex's site (which is no longer there) which says the haldex is "powered" by an Infineon C167CS microcontroller.

With the info here:
http://www.phytec.com/pdf/datasheets/C167CS_DS.pdf
One can make a jtag cable for these microcontrollers and then use the jtag to download the binary image stored on NVRAM. You could also use the same jtag device to upload the modified version.

Also it might be possible to just dump/write contents of memory over the CAN bus, so you might not even need a jtag device to do this.

2nd page is mine!

Edit:
The datasheet I listed even has the microcontroller as accepting CAN bus lines, that is sweet!

http://www.infineon.com/dgdl/P1604811_flash_on_the_fly.pdf?location=Products.Mi%20%20crocontrollers.16-Bit.DOCUMENTS.P1604811_flash_on_the_fly.pdf&folderId=db3a304412b407950112b409d4b00386&fileId=db3a304412b407950112b409fa9503ff

Vortex Data Mining.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 20, 2011, 07:40:23 AM
Nice find...My thoughts are why would companies like HPA (are there any other that offer this upgrade?)  send a whole new controller without asking for a core if they could flash an existing one? I think this would bring their profits up a bit?


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 20, 2011, 07:41:53 AM
From Looking at the long vortex thread.

1. It's possible to read/write outside the car.

2. Can-Bus communication hasn't been worked out yet but should be capable through the OBD interface.


Title: Re: Haldex Controllers Thinking.....
Post by: thom337 on October 20, 2011, 08:58:27 AM
I would think that the CANbus attached to it would be the Powertrain CANbus...this means it is not accessible on the OBDII interface of MKIV's.

The unit is probably programmed via K-line, and the CAN-bus is only used for it to receive drivetrain/engine/wheel slip info. If you want to monitor info, you can tap into the Powertrain CANbus in the cluster connector or the connector that goes from engine bay to cabin.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 20, 2011, 07:55:35 PM
What cars allow programming over can bus? Just curious.. My bet would be on the k line. I remember Tony saying a little while back if you knew the controller address, he could mod the Nefmoto flashing software to access it somehow. I think it was a discussion on auto trans ecu's..


Title: Re: Haldex Controllers Thinking.....
Post by: thom337 on October 21, 2011, 07:17:07 AM
Quote
What cars allow programming over can bus? Just curious.. My bet would be on the k line. I remember Tony saying a little while back if you knew the controller address, he could mod the Nefmoto flashing software to access it somehow. I think it was a discussion on auto trans ecu's..

Not sure on a complete list...I think MED9/EDC16 and on (MED17/EDC17...) ECUs are programmable via CANbus (general statement). I think the ME7 could be configured (dataset) to be programmed with CAN, but if you want to do it over OBD you have to wire up the port (on most MKIV's, there is no CAN wire even run to the OBD port!). After this, you would have to re-code the cluster to distribute the message properly through the CAN gateway (internal to cluster) to the powertrain CANbus.

For the Haldex unit...I guess it will all depend on whether it supports read/write and if it has security access.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 21, 2011, 10:28:53 AM
We could easily make a bench harness with can h/l and k line to connect at the connector in the rear of the car rather than reconfig can gateways and such..Where do we go from here?


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 21, 2011, 12:18:56 PM
the vortex thread got sidetracked by someone trying to get it through Can-Bus.

Apparently the hex code has been read out of the car and flashed successfully. For simplicity's sake I think this is the way to go. It takes but a few seconds to pop it off and disconnect it.

I would love to support someone doing this, I don't have the skill but will contribute parts/funds for a bench setup.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 21, 2011, 12:33:16 PM
I could have one made within the hour..


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on October 21, 2011, 10:11:29 PM
do you need anything?

We just need to get a library of code for the 3 versions of controllers used.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 22, 2011, 11:35:01 AM
The bench harness is as far as I can go...Not sure what cable/software to use to get the bin.


Title: Re: Haldex Controllers Thinking.....
Post by: koskotas on October 27, 2011, 03:49:14 AM
I was also looking for an upgrade version! I accidentally found a guy who managed to make his own controller :) I have used it now for 4 months and it's much better than the o.e or the blue/orange versions :)

some info from him :

"Facts from the controller:

It’s a little box, which you should install to the bottom of your trunk.
You have to connect the supply and a signal from the brake light, if you want from the handbrake too.
You have to modify the haldex valve. Just cut 6 cables inside and connect to my Haldex controller.


You can choose between two different modes:

Street Mode:
4 wheel drive is only activated if you need it
cruising and braking --> no torque at the rear wheels
accelerating --> torque at rear wheels, depending on rate of acceleration and curve you are driving
nearly the same like original

Race Mode:
4 wheel drive is activated the whole time
Lock grade of the haldex is just reduced down to min. 50% if you are braking, and driving curves. But 4 wheel drive is never off.
This should bring better racing performance, or better performance for tuned cars.
ABS and ESP is limited!!!!!!!!!!  "


If anyone is interested in more info I can provide it to them :)


 


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on October 27, 2011, 07:37:58 AM
Plz pm me with info, or post it up!  :)


Title: Re: Haldex Controllers Thinking.....
Post by: terok on October 28, 2011, 01:54:47 AM
Also interested.
There already is one product for gen1 at 4motioncontroller.com/shop


Title: Re: Haldex Controllers Thinking.....
Post by: koskotas on November 01, 2011, 03:06:35 AM
Quote
Also interested.
There already is one product for gen1 at 4motioncontroller.com/shop

 99% the one on the page you add is the new version of the one i have !


Title: Re: Haldex Controllers Thinking.....
Post by: koskotas on November 01, 2011, 03:24:54 AM
Quote
Also interested.
There already is one product for gen1 at 4motioncontroller.com/shop

 99% the one on the page you add is the new version of the one i have !


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 02, 2011, 04:58:03 AM
The clutch packs in the Haldex will get cooked much much quicker if you are running in full locked state all the time.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on November 02, 2011, 11:21:14 AM
^^Very true, plus no tight radius turning..


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 07, 2011, 06:57:44 AM
did that bench harness ever get built for this?


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on November 07, 2011, 01:30:12 PM
Ready to go!


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 08, 2011, 07:19:53 AM
so you can pull the raw data off the IC?


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on November 11, 2011, 01:41:34 PM
No, I just have a bench harness made. I have no idea what program to use, and whether it is read over the k line or can bus.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 22, 2011, 11:56:00 AM
That's where my knowledge lacks too, how to get the data off the chip.

Maybe someone can shine some light.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on November 22, 2011, 11:59:37 AM
AZIZ! LIGHT!  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on November 22, 2011, 09:50:46 PM
You need to know what address to connect to and then have nefmoto try to connect there and see what the module supports.


Title: Re: Haldex Controllers Thinking.....
Post by: carlossus on November 23, 2011, 12:24:03 AM
Or try Monoscan.


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on November 23, 2011, 10:11:26 AM
Quote
Or try Monoscan.

Great idea!


Title: Re: Haldex Controllers Thinking.....
Post by: ArgDub on November 23, 2011, 08:57:20 PM
It uses a c167 uP, right? can you reset the controller in bootmode  ;)


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 24, 2011, 09:58:01 AM
Quote
It uses a c167 uP, right? can you reset the controller in bootmode  ;)

I looked up that C167 and all the data sheets show a bunch more pins that we see. Maybe I am silly.


Title: Re: Haldex Controllers Thinking.....
Post by: ArgDub on November 24, 2011, 10:38:12 AM
I guess that pin is hard to find.. I know it's a lot of work, but you can try pin by pin with a 4k7 resistor.


Title: Re: Haldex Controllers Thinking.....
Post by: Swat Cat on November 25, 2011, 12:27:12 AM
soo.... not controller.... not haldex flashing.....


Title: Re: Haldex Controllers Thinking.....
Post by: terok on December 02, 2011, 01:11:25 PM
Gen2 fairly easy to read&write outside of the car. Are there any tools available that support flashing of gen2 via CAN?
Gen1 seems a bit more tricky.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on December 02, 2011, 05:09:12 PM
Terok. What info do you have on the gen 2 stuff?


Title: Re: Haldex Controllers Thinking.....
Post by: terok on December 03, 2011, 07:44:46 AM
Nothing special so far. Controller is surprisingly easy to open, you only need sharp knife and a screwdriver. I also have a gen1 controller, but by the look of it, its bare die processor doesn't match the c167 bare die model.
Gen2 processor is C167CS-LM, flash 29F200BB, eeprom M95080. So quite simple to read&write in bootmode.
Needs testing whether there's possibility for CAN bootloader, since there's no K-line.


Title: Re: Haldex Controllers Thinking.....
Post by: jacob21 on December 03, 2011, 04:39:22 PM
You need to add an external serial circuit to use the bootstrap loader on Gen2, no CAN bootstrap loader is supported.


Title: Re: Haldex Controllers Thinking.....
Post by: terokoo on December 03, 2011, 06:03:51 PM
Quote
no CAN bootstrap loader is supported

Yes it seems that was XC166 feature, not supported by C167.
Traditional serial BSL i have set up already, that's no biggie.
So disassembly is needed to figure out CAN-flashing? That would be out of my area, so to speak.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on December 03, 2011, 09:03:46 PM
It also seems that i accidentally have two different usernames to this forum  ::)


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on December 09, 2011, 04:35:21 PM
good discussion on vortex

http://forums.vwvortex.com/showthread.php?5514886-i-have-a-franken-haldex-idea


Title: Re: Haldex Controllers Thinking.....
Post by: TTQS on January 04, 2012, 10:35:14 AM
Guys,

I have a Haldex blue, but you're bamboozling me with all this electronics stuff. This is off topic, but I thought I'd throw in the question because clearly this thread has the eye of several people who are very knowledgeable about Haldex controllers.

I would like to be able to directly log/measure or indirectly infer/derive the torque splitting activity of the Haldex controller as it distributes torque from front to rear when conditions change. I previously asked this question on a non-technical forum and didn't get a definitive or satisfactory answer.

Is there any way to do this via ECU parameters over OBDII do you know?

Thanks in advance.

TTQS


Title: Re: Haldex Controllers Thinking.....
Post by: pedrosousa on January 04, 2012, 10:51:16 AM
A person told me that a Spanish enterprise, changes the haldex controllers... It's located in Bilbao but I don't know the name of the enterprise.

Till now I haven't seen one good option for the blue haldex, it's the only reliable haldex controller.
 


Title: Re: Haldex Controllers Thinking.....
Post by: TTQS on January 04, 2012, 11:03:27 AM
I'm certainly pleased with mine, although the effect for around €700 is subtle. The owner of the local specialist I use (who supplied and fitted my blue Haldex controller) was quoted in the April 2006 edition of Audi Driver magazine as saying this:

"When you put a TT or S3 on the four-wheel rolling road, you can see that the drive is shuttling back and forth between the front and rear wheel. At steady speeds, nearly all of it goes to the front wheels. With the controller, which comes from Haldex themselves, there is a much better balance between front and rear drive, as well as the handling being improved."

TTQS


Title: Re: Haldex Controllers Thinking.....
Post by: terok on January 05, 2012, 07:05:08 PM
Quote
I would like to be able to directly log/measure or indirectly infer/derive the torque splitting activity of the Haldex controller as it distributes torque from front to rear when conditions change. I previously asked this question on a non-technical forum and didn't get a definitive or satisfactory answer.

Is there any way to do this via ECU parameters over OBDII do you know?

Gen1 measuring blocks are quite limited (only 2 bytes over CAN), so no win over there. Probably would be possible with software like setzi's logger in ME7, but you'd need original flash for that. I don't know if anyone has successfully extracted that yet.

My gen2 experiments are in a jam. BSL and CAN communications are up and running. I don't know how to proceed with CAN reading/programming tests. Cannot get the unit to respond to anything i send.


Title: Re: Haldex Controllers Thinking.....
Post by: TTQS on January 06, 2012, 02:19:04 AM
O.k. thanks, that's confirmed what I thought judging by the limited parameters available in VCDS and nothing I've yet come across in ME7 documentation.

TTQS


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on January 10, 2012, 08:03:07 AM
hey ttqs ... do you have pictures of the blue haldex controller opened? to see the differences between an original and the blue one???

it must be possible to mod an original one...


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on January 10, 2012, 10:39:40 AM
I am 99% confident that the only differences are in the code. It'd be nice to get a copy of both and compare. Although without any definitions we would just be staring at code blindly.
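
What comparing two dumps by position could look like, as an added example that is not part of the original thread or any poster's tooling: it groups differing bytes into regions and decodes them as 16-bit little-endian words, the C167's byte order. The images, the table at 0x1C000 and the flag at 0x2F001 are constructed sample data, and all function names are hypothetical.

```python
"""Locate the regions that differ between two same-size firmware dumps."""
import struct

FLASH_SIZE = 256 * 1024  # 29F200 = 2 Mbit, the Gen2 flash named in the thread


def diff_regions(stock, modified, merge_gap=8):
    """Return [(start, end)] half-open byte ranges where the images differ.

    Differences closer than merge_gap bytes are merged, so a rewritten
    table shows up as one region rather than a run of single-byte hits.
    """
    if len(stock) != len(modified):
        raise ValueError(
            f"size mismatch: {len(stock)} vs {len(modified)} bytes; "
            "a truncated or offset dump cannot be compared by position")
    regions = []
    for off, (a, b) in enumerate(zip(stock, modified)):
        if a == b:
            continue
        if regions and off - regions[-1][1] <= merge_gap:
            regions[-1][1] = off + 1      # extend the open region
        else:
            regions.append([off, off + 1])
    return [tuple(r) for r in regions]


def words_le(data, start, end):
    """Decode [start, end) as 16-bit little-endian words, widening the
    range to word boundaries so half-changed words are shown whole."""
    start -= start % 2
    end = min(end + end % 2, len(data))
    count = (end - start) // 2
    return list(struct.unpack_from(f"<{count}H", data, start))


def report(stock, modified, merge_gap=8):
    """One entry per differing region, with both images' word values."""
    return [{
        "offset": start,
        "length": end - start,
        "stock": words_le(stock, start, end),
        "modified": words_le(modified, start, end),
    } for start, end in diff_regions(stock, modified, merge_gap)]


def build_samples():
    """Constructed images: a fake 'stock' dump and a copy with two edits."""
    stock = bytearray((i * 7 + 3) & 0xFF for i in range(FLASH_SIZE))
    modified = bytearray(stock)
    # Hypothetical 8-entry 16-bit table, scaled up by 25 % in the copy.
    table_off = 0x1C000
    base = list(range(100, 900, 100))
    struct.pack_into("<8H", stock, table_off, *base)
    struct.pack_into("<8H", modified, table_off, *(v * 5 // 4 for v in base))
    # Hypothetical single-byte flag cleared in the copy.
    stock[0x2F001] = 0x01
    modified[0x2F001] = 0x00
    return bytes(stock), bytes(modified)


if __name__ == "__main__":
    stock_img, modified_img = build_samples()
    for entry in report(stock_img, modified_img):
        print(f"0x{entry['offset']:05X} len={entry['length']:3d} "
              f"stock={entry['stock']} modified={entry['modified']}")
```

A region whose words all move by the same ratio is a candidate table; a lone changed byte is more likely a flag or a checksum, and any image-wide checksum would have to be identified separately.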


Title: Re: Haldex Controllers Thinking.....
Post by: TTQS on January 10, 2012, 10:54:33 AM
Quote
hey ttqs ... do you have pictures of the blue haldex controller opened? to see the differences between an original and the blue one???

it must be possible to mod an original one...

Sorry, no. I never even set eyes on the thing. The garage I used supplied and fitted it for me. I would also say with some certainty that the only difference is in the code that controls its action. The main difference being the pre-X function which is only a software modification. Otherwise, it's an identical plug 'n' play unit apart from the colour.

TTQS


Title: Re: Haldex Controllers Thinking.....
Post by: sn00k on January 10, 2012, 11:13:34 AM
Don't be so sure about that.. the blue controller consists also of an "upgraded valve-package" according to the haldex people themselves here in sweden.. i haven't pried my blue one open, but i fitted this one myself, and the housing is a bit different, so their statement makes sense imo :)

i have the standard unit here on the shelf tho.. ready for dissection..  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: Tony@NefMoto on January 10, 2012, 11:39:19 AM
Do these units have a K-line connection or only CAN?

If you can enumerate them using VAG-COM or something to find their KWP1281 or KWP2000 address, it wouldn't be very hard to try to talk to them.


Title: Re: Haldex Controllers Thinking.....
Post by: TTQS on January 10, 2012, 12:26:20 PM
Quote
Don't be so sure about that.. the blue controller consists also of an "upgraded valve-package" according to the haldex people themselves here in sweden..

O.k., thanks for clarifying that.

TTQS


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on January 10, 2012, 01:14:07 PM
I can Diagnose the Haldex Controller over Kline
I have a spare Haldex Unit Too over here


Title: Re: Haldex Controllers Thinking.....
Post by: Tony@NefMoto on January 10, 2012, 02:38:34 PM
Quote
I can Diagnose the Haldex Controller over Kline
I have a spare Haldex Unit Too over here

Do you know what protocols you can connect with? Is this just using VAG-COM and the KWP1281 protocol? Do you know what address you are connecting to? (VAG-COM lists the address)

Is this on Gen1 or Gen2?

PS: I know nothing about Haldex controllers....


Title: Re: Haldex Controllers Thinking.....
Post by: terok on January 11, 2012, 02:46:08 AM
Gen1 has K-line and CAN, Gen2 and above have CAN only. Address is the same 22.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on January 11, 2012, 12:30:16 PM
Quote
Don't be so sure about that.. the blue controller consists also of an "upgraded valve-package" according to the haldex people themselves here in sweden.. i haven't pried my blue one open, but i fitted this one myself, and the housing is a bit different, so their statement makes sense imo :)

i have the standard unit here on the shelf tho.. ready for dissection..  ;D

Per the pictures on the first page there is nothing other than a controller board inside the stock unit. So if they are doing hard work to the valves I would imagine its not so plug and play.

I love this thread but most of it is way above me.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on April 24, 2012, 12:18:56 PM
It seems this died, damnit I wish I was smarter.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on April 24, 2012, 01:34:35 PM
I'm still slowly developing my own tools. So far i've got ID only.


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on April 24, 2012, 01:50:52 PM
Just figure out the CPU and then just perform boot mode, if possible.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on April 25, 2012, 01:33:33 AM
Gen2 boot mode is easy, in Gen1 not so easy. I'm working on OBD-solution, because opening the controller requires too much work. Not very practical to do in the parking lot.
Gen2 responds to addresses $0A (TP2.0) and $1C (KWP2000). VCDS connects with CAN-protocol TP1.6.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on May 09, 2012, 06:09:39 AM
Could we just bypass the haldex controller and can-bus systems and drive the pump?

I was thinking of using the output from the boost gauge and having it engage the rear end when in boost.

This would be a really basic modification as I am pondering running the system in a Mk2 Gti and don't want to carry over the ABS and all the electronics needed to run the can-bus.

T2 - Socket between control unit and feeder pump(pwm switched voltage)
T2/1, Yellow = Pump 1
T2/2, Yellow/Black = Pump 2

I am thinking of just driving those.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on May 10, 2012, 05:32:36 AM
That only provides 'priming' pressure, it does not engage the clutch.
Control valve is driven by a stepper motor, so you would also need to adjust its position.
Alternatively you could make hardware modifications and adjust clutch pressure manually, but that is not very wise.
As stated before, there are aftermarket solutions for controlling without can-bus.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on May 10, 2012, 11:14:29 AM
Quote
That only provides 'priming' pressure, it does not engage the clutch.
Control valve is driven by a stepper motor, so you would also need to adjust its position.
Alternatively you could make hardware modifications and adjust clutch pressure manually, but that is not very wise.
As stated before, there are aftermarket solutions for controlling without can-bus.


There is for sure but they are all to the tune of $800+

I just think that's ludicrous, I can get a ECU tune for $650 and that is a lot more complex.

I was hoping there could be some good ideas generated here, I think there have been. Just need to take the next step.


Title: Re: Haldex Controllers Thinking.....
Post by: 1gcrazy on June 22, 2012, 04:52:57 PM
Quote
There is for sure but they are all to the tune of $800+

I just think that's ludicrous, I can get a ECU tune for $650 and that is a lot more complex.

I was hoping there could be some good ideas generated here, I think there have been. Just need to take the next step.

Agreed. I'm EXTREMELY interested in all of this but it's all above my head like stated above.
Any progress on this??


Title: Re: Haldex Controllers Thinking.....
Post by: 1gcrazy on July 24, 2012, 08:04:17 PM
No progress on this???


Title: Re: Haldex Controllers Thinking.....
Post by: Il Signor Zetec on September 13, 2012, 12:45:42 AM
Are there any maps in the motronic that can modify the haldex behaviour? The motronic puts out the CAN signal for haldex, right?


Title: Re: Haldex Controllers Thinking.....
Post by: matchew on September 13, 2012, 12:46:37 AM
No....


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on September 13, 2012, 04:05:48 PM
Someone desolder the flash and read it out already.

I just don't have access to one of these. Otherwise I would have done it by now.


Title: Re: Haldex Controllers Thinking.....
Post by: 1gcrazy on September 20, 2012, 09:26:26 PM
Desolder stock or competition??


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on September 22, 2012, 07:17:30 AM
Either, both?


Title: Re: Haldex Controllers Thinking.....
Post by: NMS on September 23, 2012, 04:09:33 AM
I've been working on a 04 TT cluster, so I might have access to the car. I'll ask the customer to see if I can read it out.


Title: Re: Haldex Controllers Thinking.....
Post by: 1gcrazy on October 01, 2012, 06:28:52 PM
If someone sends me their stock unit I'll do the leg work to get a readout. Very good with a soldering iron as well.


Title: Re: Haldex Controllers Thinking.....
Post by: Skibum513 on April 21, 2013, 04:39:05 AM
Kinda digging up an old thread here but trying to find a way to get more of a 50/50 split out of my tt. My brother's wrx is just much better in that regard  :-[ But found some interesting stuff, looks like there is a way to monitor the system and possibly create some logs to see when it's engaging and stuff.  I need to figure out this can bus stuff first tho. Also going to look at the option of a switch or something to the stepping motor that could still use the signals to the handbrake and temp sensor to disengage when needed. But anyways here's some info someone out there might wana look over.
http://www.billswebspace.com/HALDEX.pdf
http://forums.vwvortex.com/showthread.php?1765307-Haldex-Meter/page2


Title: Re: Haldex Controllers Thinking.....
Post by: kls on August 30, 2013, 04:39:45 PM
Bringing this back from the dead. Trying to use bootmode on the Haldex without success so far. Will post my progress soon. Has anyone else got further on this or have any information?


Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 08, 2013, 12:41:59 AM
So supposedly the Haldex in the R32 and gen 1 TT uses a C167 processor. It also appears to use 29F400 or 29F800 flash. They are tough to verify 100% as they are both bare die units with no casing. The dies are bonded to the PC board and then fine gold connections are used from the die to the PCB. The entire board is covered in a liquid bath, kind of gel like. The bare die pictures do look identical to the pictures given in their respective datasheets.
I don't have access directly to P0L.4 but I can make contact with DQ4 on the flash chip. However grounding the pin when applying power appears to do nothing. As soon as the low signal is removed from the pin the unit boots up instantly. Does anyone have any thoughts on anything else to try to access boot mode? I'd really like to dump the flash.


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on September 08, 2013, 01:10:06 AM
If you want to send it to me I'll desolder it and read it, then reassemble.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 08, 2013, 05:22:29 AM
Desolder bare die flash with hair-thin wires sticking out? Really?

Gen2 has 29F200 so i'm guessing the Gen1 has that too or smaller.


Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 09, 2013, 10:23:31 PM
Quote
Desolder bare die flash with hair-thin wires sticking out? Really?

Gen2 has 29F200 so i'm guessing the Gen1 has that too or smaller.


I have to agree, there is no desoldering this part. Good to know on the 29F200. If I can get any kind of response from the CPU I am sure it's readable. Need some sort of response first though.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 10, 2013, 01:51:13 AM
I have too compared photo of gen1 processor to several bare die models and it matches C167CR-LC.
When looking at the board, connectors facing upward, P0L.4 should be around lower right corner.
Probably would be pretty safe to test a few of those pins through a resistor.
Flash die seems to match to 29F200B.


Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 10, 2013, 01:04:48 PM
The flash die didn't seem to match a 29F200 when I looked, the pin connections at the edge of the die looked different. I took some great macro photos of the processor and flash and can easily make out each connection.


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on September 10, 2013, 01:09:14 PM
Pictures?

When you said 29F200B I had assumed you meant PSOP44.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 10, 2013, 02:27:52 PM
Overview of gen1 board http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=1001.0;attach=1344;image

kls: Care to share your photos?


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 10, 2013, 02:37:52 PM
Datasheet of 29f200b KGD with die photo. Looks the same.


Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 10, 2013, 06:29:44 PM
That appears to match perfectly with the flash die picture I have.

Here are two of my shots, they show enough detail to determine where the gold bonding wires go for the important sides of the processor and flash. Keep in mind the pics are taken through the liquid goo.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 10, 2013, 11:46:57 PM
Really nice shots.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 11, 2013, 03:24:03 AM
I've got Volvo haldex software bin files somewhere, probably not much help to you guys though...

It's one of my future projects to modify these but have not done any research on the matter.



Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 11, 2013, 10:05:29 AM
dream3R - anything you can post may help, never know.

So we can see the connections now, so why does pulling P0L.4 appear to do nothing other than stop it from booting? I will have to experiment further, however it can only be on days when I have a very steady hand. It's easy to probe into the liquid but one twitch and it's all over as you rip off all the bonding wires.


Title: Re: Haldex Controllers Thinking.....
Post by: jooo on September 11, 2013, 02:47:48 PM
kls:

Do we know what the rear side of the board looks like? Would it be possible to reach the vias from the rear side (all pins seem to go to vias)? Then we could read the flash with a flash programmer and then reverse engineer how the communication is triggered through the CAN-bus connection by the Siemens CPU. The top side will be difficult without the help of some very high-tech company/university with special equipment to reach between all those tiny lines.


Title: Re: Haldex Controllers Thinking.....
Post by: kls on September 11, 2013, 03:05:56 PM
I don't think we can safely remove the board. It could be done but it means draining or sucking out the liquid gel material. If I had a dead one I'd certainly be up for it. I've replaced TSOPs and BGAs before so micro rework doesn't bother me at all, but this bare die stuff is all new to me. I also suspect we'll find very few contacts on the back side, I bet they all use internal layers.

btw the pads on the bare dies are 0.125mm center to center(yes that mm, not cm)


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on September 11, 2013, 03:36:00 PM
I have an ABS module that uses the same type of goop and dies if anyone wants it for experimentation.


Title: Re: Haldex Controllers Thinking.....
Post by: jacob21 on September 18, 2013, 09:05:55 AM
I've got Volvo haldex software bin files somewhere, probably not much help to you guys though...

It's one of my future projects to modify these but have not done any research on the matter.



These could help, please post so we can have a look.


Title: Re: Haldex Controllers Thinking.....
Post by: terok on September 19, 2013, 02:20:21 AM
Transporter 5 gen2 controller original file.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 19, 2013, 07:43:40 AM
These could help, please post so we can have a look.

Sorry, just spotted this.  The Haldex (DEM) software from my car.  S60R.

I can flash this controller with my tools if anyone figures this out and needs a testbed.





Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 19, 2013, 07:45:25 AM
Attached properly!


Title: Re: Haldex Controllers Thinking.....
Post by: jacob21 on September 21, 2013, 06:12:33 AM
Transporter 5 gen2 controller original file.

Attached properly!

Thanks!

So having a quick look, both are Gen 2 and use KWP2000 as the communications protocol.  The VAG Gen1 box uses KWP1281.  All K-line VAG stuff I've worked with, flashes over the KWP2000 channel, with various KWP1281 boxes providing a way to start a KWP2000 session.  But with the Gen1 box I have no idea on how to start, or if one even exists, a KWP2000 session.  If anyone has or can get any Gen1 file, VW (bin, sgo, ...), Volvo, etc., that might provide more insight.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 21, 2013, 06:34:03 AM
KLine code may be in there but Volvo flash these controllers with a SBL over CAN-BUS.

They reside on the low-speed, 125KBPS network.

Can you find any 'maps' per se?


Title: Re: Haldex Controllers Thinking.....
Post by: jacob21 on September 21, 2013, 09:44:31 AM
A quick scan and the K-line stuff used in the VAG Gen1 controller is not there.  The only K-line stuff appears to be a small KWP1281 function, just to read info and call a function which doesn't appear to be present, possible development stuff, not implemented in the production controllers.

If you're looking for maps, the data section is contained in the "DEM EXE.vbf-block2" file in the rar you posted.  Disassembly will be needed to figure out the particular characteristics, etc., unless you have an a2l, etc. file.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 21, 2013, 09:46:27 AM
Cool, I know what I'll be trying to-do tonight...

IDA isn't easy though, any chance you can share a file correctly setup to give me a chance?


Title: Re: Haldex Controllers Thinking.....
Post by: jacob21 on September 21, 2013, 03:55:51 PM
Here's a bin that I believe is setup in the correct order, haven't created an ida file though.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on September 22, 2013, 02:18:08 AM
Thank you.

I cant find much but then I don't really know IDA.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on October 29, 2013, 03:11:42 AM
Anyone got any further with this.  I'd really like to change my torque split.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on November 05, 2013, 05:33:45 AM
yay guys, keep up the good work.



Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on December 18, 2013, 09:51:36 AM
yay guys, keep up the good work.



I've got my hands on one of these.  Does anyone know the pinout for the 8 pin connector?  I assume kline will be there.



Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on December 30, 2013, 07:10:11 AM
Haldex Pinouts:
T8 - Socket between car and control unit
T8/1, Red = Ign.
T8/2, Black = Gnd.
T8/3, White = BLS (brake light switch)
T8/4, Blue = HBLS (hand brake light switch)
T8/5, Brown = K-line (diagnostics)
T8/7, Blue/Grey = CAN low
T8/8, Blue/Orange = CAN high

T2 - Socket between control unit and feeder pump(pwm switched voltage)
T2/1, Yellow = Pump 1
T2/2, Yellow/Black = Pump 2

here.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on December 30, 2013, 07:44:56 AM
Thanks, sorry missed that post.  I'll try and bootmode the spare one I have here.


Title: Re: Haldex Controllers Thinking.....
Post by: Cracy on January 04, 2014, 04:18:35 PM
I know that it is possible to reflash Haldex gen 1 because someone has done it already:
http://www.r32oc.com/topic/38571-my-mk4-r32-isnt-4-wheel-drive/#entry406432


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 12, 2014, 04:26:52 PM
I know that it is possible to reflash Haldex gen 1 because someone has done it already:
http://www.r32oc.com/topic/38571-my-mk4-r32-isnt-4-wheel-drive/#entry406432

Well no joy in my boot mode experiment.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on April 05, 2014, 01:59:23 PM
apparently United Motorsports has achieved this.


Title: Re: Haldex Controllers Thinking.....
Post by: edgy on May 21, 2014, 12:25:03 PM
Threadsurrection...

Was going through some of my car stuff today and found two Haldex controllers. One has an internal memory fault, the other is a working backup for the one in my TT.

I'm going to tear into the bad one this afternoon a little and monkey with it.

If any of the highly experienced members here want me to send them the bad unit to research and see if we cant get the eeprom and flash read, please contact me. I'm interested in getting this undertaking back off the ground and add a chapter to the DIY tuning history books.


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on July 14, 2014, 05:35:30 AM
Hey guys

If unitedmotorsport sorted this out then we have to get it working too!!

As far as I know customers are able to flash the haldex unit at home with their loaner tool. That means the customer plugs in the cable to the obd port and flashes the file via obd.
I know it sounds easy, so it has to be for a customer that doesn't have a clue about tuning. Has to be easy.



Back to the bootmode stuff. Since most guys in this thread said there is a cr167 infineon like ecu in the haldex unit:
Didn't anyone try to connect to the unit with minimon??
The tool was made for this..

Let's get this back....


Title: Re: Haldex Controllers Thinking.....
Post by: sn00k on July 15, 2014, 05:06:59 PM
sign me up!

i have a spare Gen 1 unit on the shelf from my audi A3..

so, we need to read one of these.. to later disassemble the code and find the "key", so we can "login" and flash it over OBD.. and the issue at hand seems to be the FIRST readout iirc?
the rest shouldn't be much of a problem with some assistance and ASM knowledge.

i also have access to a Blue Gen 1 controller in my car, and my friend has a modified OEM unit with special code, made for a VW Bora v6 4-motion previously owned by the head of Haldex here in sweden.. (im thinking IF the Blue code dont work to flash in the stock units.. this other software probably will.. same same performance wise from what we can tell over here on the ice-tracks..)


Title: Re: Haldex Controllers Thinking.....
Post by: Tiero on July 16, 2014, 01:18:12 PM
Someone on vortex did it i'm not sure if it was through the CAN bus out of car or he was able to get the rom: http://forums.vwvortex.com/showthread.php?3959804-Haldex-flash/page5
 
Seems like the whole thing ended after he got the BIN file. A little odd but who knows what actually happened.

I'm trying to get my hands on one to see if I will be able to get a BIN through CAN with a dev board. If that's impossible I will take it to work and solder some wires to the board under a microscope so i can get at the rom.

How big is that board? It looks fairly large based on the components so i should be able to do it without any issues.

If anyone has a stock controller i'll buy it off you.


Title: Re: Haldex Controllers Thinking.....
Post by: Gonzo on July 16, 2014, 03:05:51 PM
Working on it  ;)


Title: Re: Haldex Controllers Thinking.....
Post by: thesnowman on July 16, 2014, 06:47:23 PM
HPA are a few weeks away from the next batch of gen 1 interfaces, they are a inline piggy back system with a touch screen.


If i had a spare haldex id help.

Will keep following this


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on July 16, 2014, 07:14:21 PM
i wonder if anyone ever tried to connect with minimon to the ecu???


Title: Re: Haldex Controllers Thinking.....
Post by: sn00k on July 22, 2014, 11:34:56 AM
a small update from Sweden..

Haldex have stopped selling the Blue Gen 1 controllers due to lack of hardware/controllers to upgrade..

BUT, they are now instead offering to update YOUR controller to the "new sport software" for ~60% of the price that a BLUE controller did cost a few weeks back when available.
(well, you dont have to buy the hardware now, which works out better for everyone)

Return time from sending in your controller until you have it updated in hand is stated as about 1 week if sending within the country.


so obviously its 100% possible to flash the sport software onto ANY controller.. so basically.. one read = free Haldex controllers for anyone and everyone = more potential for further development like UM have done.

just thought id mention this  :)


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on July 22, 2014, 12:06:07 PM
sn00k this is great news!!!!


Title: Re: Haldex Controllers Thinking.....
Post by: thesnowman on July 22, 2014, 02:23:53 PM
Their new interface is only $599 usd on pre sale anyway, i have 2 on order




Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on July 22, 2014, 03:47:41 PM
Is this for first gen?


Title: Re: Haldex Controllers Thinking.....
Post by: thesnowman on July 22, 2014, 04:02:47 PM
Is this for first gen?

Yep, first gen only


Quote
Included in the kit will be an LCD screen, cable/harness, and a connector that will "T" the link between the Haldex unit and the CAN-Bus (there is no Haldex module included; you will still need to acquire a new or used OE unit). 
 
This unit will allow variable manipulation of the Haldex system, the ability for the driver to choose and switch engagement control on the fly.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on July 23, 2014, 04:58:14 AM
So it's going to spoof the wheel speed, handbrake signals etc?


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on July 23, 2014, 08:30:20 AM
I was under the impression it was essentially an external map switching device..


Title: Re: Haldex Controllers Thinking.....
Post by: turboat on July 23, 2014, 10:09:49 AM
Found the VW self-study Haldex docs, apologies if this is a repost:
http://www.volkspage.net/technik/ssp/ssp/SSP_333.pdf
http://www.vaglinks.com/Docs/VW/Misc/VW_Haldex_AWD_SelfStudyGuide.pdf
http://www.vaglinks.com/Docs/Audi/TT/Audi_TT_Haldex_SelfStudyGuide.pdf


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on August 26, 2014, 04:18:06 PM
Well I again tried boot mode on the Volvo haldex that I have spare.

The controller works and responds to can comms.   I soldered 12v, ground, canh,  canl and kline and it all appears to work.   I verified the 256k eeprom is connected to the correct cpu pin.   Tried grounding it for 2-10 secs and no joy with minimon.   As soon as ground is released the haldex ecu instaboots into normal op mode and spews out kline traffic when I diagnose it over canbus.

Any ideas?


Title: Re: Haldex Controllers Thinking.....
Post by: krazydbiker on August 26, 2014, 07:52:19 PM
do you know which version of the processor is in there?
also i saw this "The pulldown must be strong enough to force the voltage at the P0L.4 pin during reset below the upper VIH limit of 0.2VCC + 0.9V. On the other hand, it must be weak enough to allow the P0L.4 output to drive a high level after reset."

recommends 8K resistor

http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf

this may be an issue

"Note that the port pins P0L.2, P0L.3 and P0L.5 must be at high level, and stable during and at the end of reset otherwise the BSL routine is not started. The state at the EA input pin has to be stable during and at the end of reset, too, to avoid unexpected effects."


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on August 27, 2014, 05:30:11 AM
That's a good bit of info - thanks!

I tried with a 8.2k ohm and a trusty 120 ohm resistor from my canbus kit and no joy.  I see one of the first posts in this very thread gave similar results on a VAG controller, so this must be the same issue.

I'll get more in-depth with the trials then, and will trace the CPU pins more and try different resistors.  It's interesting as that document gives a different method for hitting boot mode than is conventional on here, (a switched 8k resistor), so need need to release it.  The controller with 120r and also 8.2k r never booted in 10 secs with it held to ground on POL4.  For the hell of it I also tried pin 24 on the flash as mentioned.  This pin has continuity with POL4 as normal.

I'll take some pics during my next tests and an electronics wizard might spot something.  It's gotta work if we get the recipe right.

The CPU is C167.

I'm slightly questioning the kline pin as well but I know nothing of kline (lots of CANBUS).  It generates a lot of weird serial traffic on boot and goes nuts when I poke it via Volvo CAN diag commands.  I captured it roughly with putty and have attached it, it makes no sense at all to me.

do you know which version of the processor is in there?
also i saw this "The pulldown must be strong enough to force the voltage at the P0L.4 pin during reset below the upper VIH limit of 0.2VCC + 0.9V. On the other hand, it must be weak enough to allow the P0L.4 output to drive a high level after reset."

recommends 8K resistor

http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf

this may be an issue

"Note that the port pins P0L.2, P0L.3 and P0L.5 must be at high level, and stable during and at the end of reset otherwise the BSL routine is not started. The state at the EA input pin has to be stable during and at the end of reset, too, to avoid unexpected effects."


Title: Re: Haldex Controllers Thinking.....
Post by: krazydbiker on August 27, 2014, 08:47:10 AM
that is a tough one, my knowledge is not that great in that area, have you checked those other pins to make sure they are not also being held low? P0L.2 .3 .5, also since you are pretty good with CAN, is there any way to get what you would want to do done through just can commands?, a 100% lock would be ideal for drag


Title: Re: Haldex Controllers Thinking.....
Post by: Tiero on October 09, 2014, 08:37:14 AM
http://www.immo-tools.lt/site/files/failai/User%20Manual_F.pdf

The SIEMENS SIRIUS 32 section lists the same memory and chip as what's in the haldex controller and this thing can talk to it via K-Line and CAN bus. What are the odds that one of these IMMO readers would be able to do the same with the haldex?


Title: Re: Haldex Controllers Thinking.....
Post by: IamwhoIam on October 09, 2014, 09:21:57 AM
http://www.immo-tools.lt/site/files/failai/User%20Manual_F.pdf

The SIEMENS SIRIUS 32 section lists the same memory and chip as what's in the haldex controller and this thing can talk to it via K-Line and CAN bus. What are the odds that one of these IMMO readers would be able to do the same with the haldex?

None?


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on November 30, 2014, 04:59:46 PM
Hello,
With my arduino I made a program to detect logins by bruteforce in my test gen1, and I found only one login, the login 5207!
It allowed me to read the eeprom but not the flash, but it is a good start.
I also made a program to read the eeprom.
Here are two eeprom dumps of Haldex gen1 oem for information.
I am trying to write a program for Windows and kkl but I'm not good at programming on pc.


Title: Re:
Post by: byzan a4 on December 01, 2014, 02:40:51 AM
Nice work


Title: Re: Haldex Controllers Thinking.....
Post by: aef on December 01, 2014, 04:45:00 AM
very nice :)


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 02, 2014, 04:38:29 AM
Hello
I made a software to read eeprom of Haldex with a kkl.
There are still some bugs but it works.
tested on xp 32 and seven 64.
It work only with kkl on COM1


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 02, 2014, 05:42:23 AM
Another version, you can change the com port with the command line
haldexreader.exe COM?
By default, it works with COM1.


Title: Re: Haldex Controllers Thinking.....
Post by: RBPE on December 02, 2014, 12:26:14 PM
Where there's a will there's a way!  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: edgy on December 03, 2014, 05:10:28 PM
Awesome!!!


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 04, 2014, 12:53:41 PM
Here a dump of haldex race and a tool for write eeprom (not the flash for information). i write an oem haldex with the dump of race haldex but no difference  :-[


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on December 06, 2014, 09:20:33 PM
Nice work john!!!!


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 07, 2014, 03:26:54 AM
I opened the Haldex.
I think that it is composed of
a C167CR
a 29f100 flash
and EEPROM 4kb serie ( 24C04 or 93C66 ) (my dump file, 512 Bytes)


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 07, 2014, 03:29:08 AM
The microcontroller is a C167CR the pin boot mode is 72.


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on December 07, 2014, 03:33:27 AM
Have you been able to boot it yet?


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 07, 2014, 03:45:40 AM
I think the flash is 29f100 .
i see that it composed of
1 sector of 16 KByte
2 sector of 8 KByte
1 sector of 32 KByte
and 1 sector of 64 KByte.

On the example of 29f400 I have defined the data pin 4 which is probably connected to the pin POL4 (boot mode) of the C167 .


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 07, 2014, 03:52:28 AM
Have you been able to boot it yet?

I do not Understand your question. Excuse me, My English is very bad (I'm french!).


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on December 07, 2014, 04:08:14 AM
I was asking if you were able to bootmode read or write the flash yet :)


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 07, 2014, 04:22:34 AM
In a few days , I miss equipment.


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on December 07, 2014, 01:59:48 PM
I have successfully tested the program you wrote

Been able to read the eeprom

I'll post it up





Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on December 07, 2014, 08:51:01 PM
I checked the eeprom dumps.
Address 0x000 to 0x060 approx. is for fault code storage.

So I don't understand what you tried, john. Write the haldex race eeprom to the oem ecu and it had no effect?
The eeprom doesn't hold so much information as far as I understood.

At the end of the file there are some numbers any ideas what those are for?I don't think it's a software rev.


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on December 07, 2014, 09:05:01 PM
0x10c could be checksum related just guessing?


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 08, 2014, 05:04:02 AM
The area from 0x00 to 0x57 concerns fault codes. The area is divided into 4-byte groups. The 4th byte is the checksum; the checksum formula is 0xFF - 1st byte - 2nd byte - 3rd byte.
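The record layout john9357 describes above can be checked mechanically against a dump before anything is written back. This is an added example, not part of the original post or john9357's tools; it assumes the subtraction wraps to one byte, that an all-0xFF group is an unused slot, and it runs on a constructed 512-byte sample rather than a real dump.

```python
# Added example: validate the 4-byte fault-code records in a Haldex gen1
# EEPROM dump, using the layout and checksum formula given in the post.

FAULT_AREA_START = 0x00
FAULT_AREA_END = 0x57      # inclusive, per the post
RECORD_SIZE = 4            # 3 payload bytes + 1 checksum byte
EEPROM_SIZE = 512          # dump size mentioned earlier in the thread


def record_checksum(b1, b2, b3):
    """Checksum from the post: 0xFF - byte1 - byte2 - byte3.

    Assumption: the result is truncated to 8 bits (mod 256).
    """
    return (0xFF - b1 - b2 - b3) & 0xFF


def make_record(b1, b2, b3):
    """Build a 4-byte record with a matching checksum."""
    return bytes([b1, b2, b3, record_checksum(b1, b2, b3)])


def check_fault_area(eeprom):
    """Classify every 4-byte group in 0x00..0x57 as ok, bad or erased."""
    if len(eeprom) <= FAULT_AREA_END:
        raise ValueError("dump too short to contain the fault-code area")
    report = []
    for off in range(FAULT_AREA_START, FAULT_AREA_END + 1, RECORD_SIZE):
        rec = bytes(eeprom[off:off + RECORD_SIZE])
        expected = record_checksum(rec[0], rec[1], rec[2])
        if rec == b"\xff" * RECORD_SIZE:
            status = "erased"          # assumption: unused slot
        elif rec[3] == expected:
            status = "ok"
        else:
            status = "bad"
        report.append({"offset": off, "record": rec,
                       "expected": expected, "status": status})
    return report


def summarize(report):
    """Count records per status."""
    counts = {"ok": 0, "bad": 0, "erased": 0}
    for entry in report:
        counts[entry["status"]] += 1
    return counts


def build_sample_dump():
    """Constructed sample data, not taken from a real controller."""
    dump = bytearray(b"\xff" * EEPROM_SIZE)
    dump[0x00:0x04] = make_record(0x05, 0x22, 0x01)     # valid
    dump[0x04:0x08] = make_record(0xFF, 0xFF, 0x23)     # valid, wraps mod 256
    dump[0x08:0x0C] = bytes([0x05, 0x22, 0x02, 0xD7])   # stale checksum
    return bytes(dump)


if __name__ == "__main__":
    result = check_fault_area(build_sample_dump())
    for entry in result:
        if entry["status"] != "erased":
            print("0x%02X %s expected 0x%02X -> %s" % (
                entry["offset"], entry["record"].hex(),
                entry["expected"], entry["status"]))
    print(summarize(result))
```

A record reported as bad means either the dump was corrupted in transit or the wrap-around assumption does not hold for that unit; compare against a second read of the same controller before drawing conclusions.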


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 08, 2014, 05:37:30 AM
Yes, write the haldex Race eeprom to the oem haldex has no effect.
I tried to connect in boot mode but it is not possible with kkl. The kline is not related to the rxd and txd pins in the c167 (unlike edc15 or me7).
It would be possible by connecting the tx, rx pin and pol.4 with probe (too hard without equipment).


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on December 08, 2014, 07:54:47 AM
Okay I see...
Bootmode would be a nice option just in case a flash goes wrong
But it must be possible to read the flash...


That's the way um/hpa do it too..hm


Title: Re:
Post by: dream3R on December 09, 2014, 01:51:08 PM
Surely you'll need the maps not the eeprom for race version?   Good work


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on December 09, 2014, 03:05:38 PM
this is fantastic. i need a haldex flash for my 4 motion tiguan.


Title: Re: Haldex Controllers Thinking.....
Post by: Lyonz on December 10, 2014, 02:59:25 PM
Very nice work John...


Title: Re: Haldex Controllers Thinking.....
Post by: ported2flow on January 05, 2015, 02:48:10 PM
any news?


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on January 08, 2015, 12:02:14 PM
no news, I have not found any other ideas to read the flash!


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on February 01, 2015, 01:44:53 PM
good progress guys, my knowledge of what you are doing is minimal but I appreciate the efforts made by the community. Again if there is anything I can do (knowing very little) let me know.


Title: Re: Haldex Controllers Thinking.....
Post by: ejg3855 on February 01, 2015, 01:46:33 PM
i would consider buying a hpa unit if that would help us in this venture.


Title: haldex controller problem
Post by: crackerx on November 23, 2015, 02:48:25 AM
hello and thx everyone for potential help

i have audi tt 1.8t year 2002 224hp

my haldex controller, unit code on vcds is 02D900554B
error 65535 INTERNAL CONTROL MODULE ERROR 00-00
and
01314-Engine Control Module communication-intermittent

eeprom could be damaged? hardware of software problem?
may ai try to rewrite the eeprom with "haldexeepromwrite" software posted?

many thanks


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on November 30, 2015, 06:24:22 PM
Use KWP to read?


Title: Re: Haldex Controllers Thinking.....
Post by: crackerx on December 03, 2015, 07:17:28 AM
Use KWP to read?

i read and scan the car with VCDS


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on December 03, 2015, 01:32:30 PM
Attach the log and we can find out :)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 07, 2015, 06:23:06 AM
no news, I have not found any other ideas to read the flash!
John, did you connect directly to rxd/txd and p0l.4?

Similar topic with information.
http://nefariousmotorsports.com/forum/index.php?topic=1429
I would be really happy to only read flash.

I would have tested it myself if I had a controller that I did not have to be careful with.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 07, 2015, 08:44:08 AM
I think the flash is 29f100 .
On the example of 29f400 I have defined the data pin 4 which is probably connected to the pin POL4 (boot mode) of the C167 .
If it is a 29F100 your white dot is marking DQ5 not DQ4 and would probably not induce boot mode!

edit: mentioned earlier in thread, it looks like a 29f200 and if so, the white dot is correct for p0l.4 bootpin


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 07, 2015, 03:07:33 PM
txd0 rxd0


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 05:45:41 AM
It's a good idea to connect directly to rxd, txd and p0l.4. But my haldex controller was sold!
At the time, in my edc15, I connected minimon and flashit to rxd and txd via a ftdi (photos)


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 02:24:25 PM
Maybe i was wrong and it's a 29f200.


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 02:43:48 PM
No in fact its really a 29f100!


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 16, 2015, 02:58:16 PM
I don't follow. Why would you identify it as 29f100?

Check pdf attached to reply #92 in this thread    http://nefariousmotorsports.com/forum/index.php?topic=1001.msg45712#msg45712


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 03:13:14 PM
With the sector.
29f100 contains 5 sectors (16kb 8kb 8kb 32kb 64kb)
29f200 contains 7 sectors (16kb 8kb 8kb 32kb 64kb 64kb 64kb)
29f400 contains 11 sectors (16kb 8kb 8kb 32kb 7*64kb)
In the bare die view, you can see the different sectors.
For example :
http://www.abcelectronique.com/composants/telechargement_datasheet.php?id=101841&part-number=AAM29F100B-120DGC
And
http://www.abcelectronique.com/composants/telechargement_datasheet.php?id=101843&part-number=AAM29F200AB-120DGC
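The sector lists in the post above are enough to turn an image size into a candidate part and to report which erase sectors differ between two reads. This is an added example, not code from the thread; it assumes the sectors sit in the order the post lists them starting at address 0, and the two images it compares are constructed sample data.

```python
# Added example: sector maps for the three flash parts named in the post,
# used to match an image size to a part and to diff two images per sector.
from bisect import bisect_right

KIB = 1024

# Sector sizes in KiB exactly as listed in the post.
# Assumption: listed in ascending address order, first sector at 0x0.
SECTOR_LAYOUTS_KIB = {
    "29f100": [16, 8, 8, 32, 64],
    "29f200": [16, 8, 8, 32, 64, 64, 64],
    "29f400": [16, 8, 8, 32] + [64] * 7,
}


def sector_map(part):
    """Return [(index, start, end_exclusive), ...] for a part."""
    sectors, start = [], 0
    for index, size_kib in enumerate(SECTOR_LAYOUTS_KIB[part]):
        end = start + size_kib * KIB
        sectors.append((index, start, end))
        start = end
    return sectors


def capacity(part):
    """Total size of the part in bytes."""
    return sector_map(part)[-1][2]


def parts_matching_size(image_len):
    """Parts whose capacity equals the length of a full flash image."""
    return sorted(p for p in SECTOR_LAYOUTS_KIB if capacity(p) == image_len)


def sector_of(part, address):
    """Index of the sector that contains a byte address."""
    smap = sector_map(part)
    if not 0 <= address < smap[-1][2]:
        raise ValueError("address outside the part")
    starts = [start for _, start, _ in smap]
    return bisect_right(starts, address) - 1


def changed_sectors(part, image_a, image_b):
    """Return [(index, start, end, differing_bytes)] for sectors that differ."""
    if len(image_a) != len(image_b) or len(image_a) != capacity(part):
        raise ValueError("both images must be full reads of the same part")
    changed = []
    for index, start, end in sector_map(part):
        diff = sum(1 for x, y in zip(image_a[start:end], image_b[start:end])
                   if x != y)
        if diff:
            changed.append((index, start, end, diff))
    return changed


def build_sample_images():
    """Two constructed 128 KiB images; three bytes differ between them."""
    base = bytes((i * 7) & 0xFF for i in range(128 * KIB))
    other = bytearray(base)
    for address in (0x4100, 0x12000, 0x12001):
        other[address] ^= 0xFF
    return base, bytes(other)


if __name__ == "__main__":
    a, b = build_sample_images()
    part = parts_matching_size(len(a))[0]
    print(part, [(i, hex(s), hex(e)) for i, s, e in sector_map(part)])
    for index, start, end, diff in changed_sectors(part, a, b):
        print("sector %d 0x%05X-0x%05X: %d bytes differ"
              % (index, start, end - 1, diff))
```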


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 16, 2015, 03:15:50 PM
you really should look at 29f200b instead of the 29f200a


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 03:18:58 PM
so I do not know!!


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 03:23:57 PM
when we read the haldex with minimon we will know!


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 16, 2015, 03:37:10 PM
when we read the haldex with minimon we will know!
For sure, I have a Haldex gen1 ecu now but fortunately it's a fully functioning unit and I'ld rather not damage it if I can avoid.


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 16, 2015, 03:46:02 PM
right now I developed the jfis ( personal color fis display) and I learn KWP2000 and 1281 via can (can TP1.6 and TP2.0 can ). Maybe it's possible to read the flash via can!


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on December 17, 2015, 04:15:22 AM
Nice Thread, you are very close to read this Controller.
If you want i can write a little guide how to read this controllers (in christmas holidays).

About flash sizes: there exist both variants, 29F100 and F200.

In the meantime a small christmas present as attachment. full readout,flash & eeprom.  ;)

best regards
Tom


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 17, 2015, 04:55:35 AM
Wow, amazing!
Read via kline or can?
I managed to read the controller via kline with the kwp1281 eeprom read command after entering security mode with login 5207 (only this login works) but reading flash and ram doesn't work.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on December 17, 2015, 04:59:36 AM
via Kline.
5207 is the only login in Software, but unfortunately this login is only for engineering mode to alter the eeprom values.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 17, 2015, 05:01:19 AM
finally  :)
Big thank you for the file. I think there will be some IDA work for me this weekend.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on December 17, 2015, 05:11:48 AM
finally  :)
Big thank you for the file. I think there will be some IDA work for me this weekend.

No Problem :) , you'll have fun with IDA - this software is perfect and "mostly" simple to disassemble  :D


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 17, 2015, 05:36:36 AM
Thank you very much. I do not have time to disassemble for now , I must finish my jfis.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on December 17, 2015, 05:47:18 AM
nice project! stm32?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 17, 2015, 05:49:48 AM
via Kline.
Did you also find out how to write flash with Kline?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 17, 2015, 05:51:27 AM
Thank you very much. I do not have time to disassemble for now , I must finish my jfis.
Really nice John


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 17, 2015, 05:53:22 AM
No, atmel sam3x


Title: Re: Haldex Controllers Thinking.....
Post by: aef on December 17, 2015, 06:10:31 AM
i love the winter months...  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 17, 2015, 06:40:39 AM
Jfis


Title: Re: Haldex Controllers Thinking.....
Post by: aef on December 17, 2015, 06:48:39 AM
Would recommend to create a own topic for jfis. Looks nice :)

Back to topic: which tool to read haldex via kline?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on December 18, 2015, 05:14:41 PM
less than 30min to fully disassemble in IDA.  :)


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on December 18, 2015, 06:00:43 PM
So simple!!


Title: Re: Haldex Controllers Thinking.....
Post by: aef on December 19, 2015, 04:02:40 AM
So as I said before, I like the winter months where all the nerds sit in front of their computers.
Thumbs up to all the new users for the information on the last pages of this thread. :o

Just a little summary:
@ccyberwing is able to read the flash via kline and will hopefully share how he did this
@john9357 was able to read and write the eeprom with the login of 5207 and his command line tools
@DT and john already disassembled the whole flash in IDA

Looks like john has a spare "race" haldex and once he was able to read it one can compare the stock and race flash?
Hopefully there is a way to write to the flash too.



Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on December 19, 2015, 08:54:59 AM
Great work, guys. I haven't seen much progress on this thread for some time, kind of lost hope. I have an orange controller we could read (mounted in the car). Let me know how I can do it, and I'll post it up. If the controller needs to be removed to read it, I won't be able to do this for a couple of weeks. I could do a read over the next couple of days though if I can read it in the car.


Title: Re: Haldex Controllers Thinking.....
Post by: sonique on December 28, 2015, 07:13:42 PM
Nice Thread, you are very close to read this Controller.
If you want i can write a little guide how to read this controllers (in christmas holidays).

About flash sizes: there exist both variants, 29F100 and F200.

In the meantime a small christmas present as attachment. full readout,flash & eeprom.  ;)

best regards
Tom

yes plz write  little guide ;)
thanks


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on December 30, 2015, 07:48:14 PM
Good progress guys.   It will be possible to write via kline I'm sure.   At least the calibration blocks...



Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on December 30, 2015, 07:53:22 PM
less than 30min to fully disassemble in IDA.  :)

Slow pc lol?   Did you get all of the registers setup?

The code is weird I think compared to bosch  c167.  The SBL for Volvo is one gigantic function.   Meh.

Does it follow kwp?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 05, 2016, 08:58:28 PM
ROMEN=0 in syscon (1204h) indicates that internal ROM is disabled
BUSCON0 #48eh
BTYP=10 16bit demultiplexed

P0H.4-3 (SALSEL) is probably 11 at startup/reset , hence 256Kb (default without pull-downs)

From what I can see from absolute addressing the flash file is located at 0x0 to 0x20000
flash gets hidden by cpu at following locations. A feature of c16x.
0x0e000 - 0x0e7ff
and
0x0ef00 - 0x0ffff
but in the file these only contain ff.

I might miss something but there are some things I cannot understand.
My problem is that there is also absolute addressing to a handful of addresses that do not contain code but rather data or ASCII, and since DPP doesn't affect absolute addressing I am stuck.

example: (perfectly ok code, and not data that could be interpreted as code)

ROM:8000 ; =============== S U B R O U T I N E =======================================
ROM:8000
ROM:8000
ROM:8000 sub_8000:                               ; CODE XREF: ROM:8048P
ROM:8000                                         ; ROM:8148P ...
ROM:8000                 movb    byte_E152, ZEROS
ROM:8004                 movb    rl4, #8
ROM:8006                 movb    byte_E153, rl4
ROM:800A                 mov     word_E154, ZEROS
ROM:800E                 mov     word_E156, ZEROS   ; F6 8E 56 E1
ROM:8012                 mov     word_E158, ZEROS   ; F6 8E 58 E1
ROM:8016                 mov     word_E15A, ZEROS   ; F6 8E 5A E1
ROM:801A                 mov     word_E15C, ZEROS   ; F6 8E 5C E1
ROM:801E                 mov     r12, #6054h        ; E6 FC 54 60
ROM:8022                 calls   0, loc_6E8C        ; DA 00 8C 6E
ROM:8026                 calls   0, unk_6D94        ; DA 00 94 6D
ROM:802A                 calls   0, unk_6FAE        ; DA 00 AE 6F
ROM:802E                 rets                       ; DB 00
ROM:802E ; End of function sub_8000

I've not had time to look for specific functions like communication yet.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 05, 2016, 11:13:05 PM
That's interesting.  Did you find the Dpp settings?  To me it looks like the segment DPP is wrong.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 05, 2016, 11:20:46 PM
Dpp's lol 0, 1, 2 + 3 IDA default as well so easy.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 06, 2016, 12:30:28 AM
byte 8000h is added to a register in the STUTRAP_handler, how odd, it's definitely code though?


Also MEM_EXT:8F98 location calls a function, look it's ASCII lol


edit I don't think 0x8000 is a function it's a struct/table.........................


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on January 06, 2016, 09:34:19 AM
I find the different IDs used for CAN:
Code:
seg009:0006                                         ; sub_12766+40P
seg009:0006                 calls   1, sub_10356
seg009:000A                 mov     r12, #6000h
seg009:000E                 calls   1, sub_14314
seg009:0012                 calls   1, sub_1442A
seg009:0016                 mov     r12, #1
seg009:0018                 mov     r13, #280h      ; id can motor1
seg009:001C                 calls   1, sub_1463C
seg009:0020                 mov     r12, #2
seg009:0022                 mov     r13, #288h      ; id can motor2
seg009:0026                 calls   1, sub_1463C
seg009:002A                 mov     r12, #3
seg009:002C                 mov     r13, #480h      ; id can motor3
seg009:0030                 calls   1, sub_1463C
seg009:0034                 mov     r12, #7
seg009:0036                 mov     r13, #320h      ; id can instrument
seg009:003A                 calls   1, sub_1463C
seg009:003E                 mov     r12, #4
seg009:0040                 mov     r13, #1A0h      ; id can abs1
seg009:0044                 calls   1, sub_1463C
seg009:0048                 mov     r12, #5
seg009:004A                 mov     r13, #4A0h      ; id can abs2
seg009:004E                 calls   1, sub_1463C
seg009:0052                 mov     r12, #6
seg009:0054                 mov     r13, #2A0h      ; id can abs3
seg009:0058                 calls   1, sub_1463C
seg009:005C                 mov     r12, #8
seg009:005E                 mov     r13, #6C0h      ; id can ?
seg009:0062                 calls   1, sub_1463C
seg009:0066                 mov     r12, #0Ah
seg009:0068                 mov     r13, #6C1h      ; id can ?
seg009:006C                 calls   1, sub_1463C
seg009:0070                 mov     r12, #0Eh
seg009:0072                 mov     r13, #2C0h      ; id can allroad
seg009:0076                 calls   1, sub_1463C
seg009:007A                 mov     r12, #0Bh
seg009:007C                 mov     r13, #6C2h      ; id can ?
seg009:0080                 calls   1, sub_1463C
seg009:0084                 mov     r12, #0Ch
seg009:0086                 mov     r13, #6C3h      ; id can ?
seg009:008A                 calls   1, sub_1463C
seg009:008E                 mov     r12, #0Dh
seg009:0090                 mov     r13, #6C4h      ; id can ?
seg009:0094                 calls   1, sub_1463C
seg009:0098                 calls   1, sub_143E8
seg009:009C                 rets


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 06, 2016, 11:39:14 AM
byte 8000h is added to a register in the STUTRAP_handler, how odd, it's definitely code though?


Also MEM_EXT:8F98 location calls a function, look it's ASCII lol


edit I don't think 0x8000 is a function it's a struct/table.........................
Sure it's code, everything looks legit, subroutines start with pushing a couple of registers to the stack and then pop them back at the end. The "only" things that are a problem are all the calls from within 0x8000-0xb800 to 0x6000-0x7fff. CALLS either to ascii data or to the middle of subroutines or even loc_xxxx+1 or +2 (corrupt)
Could it be that the cpu has 32k internal rom that is used first and then later disabled?

The trap code is strange. Moving a word from 8000, 8000+1 and 8000+2 would not make sense. Or is that only delay code instead of nop's, since the following calls to 142b4 make no sense either and do not use r12.

It really looks like the code between 0x8000 and 0xb800 does not fit

Code:
seg009:415A STUTRAP_handler:                        ; CODE XREF: ROM:STUTRAPJ
seg009:415A                 mov     word_F9F2, r0
seg009:415E                 scxt    CP, #0F9F2h
seg009:4162                 mov     r12, sub_8000
seg009:4166                 calls   1, sub_142B4
seg009:416A                 reti
seg009:416C ; ---------------------------------------------------------------------------
seg009:416C
seg009:416C STOTRAP_handler:                        ; CODE XREF: ROM:STOTRAPJ
seg009:416C                 mov     SP, #0FC00h
seg009:4170                 mov     word_F9F2, r0
seg009:4174                 scxt    CP, #0F9F2h
seg009:4178                 mov     r12, sub_8000+1
seg009:417C                 calls   1, sub_142B4
seg009:4180                 reti
seg009:4182 ; ---------------------------------------------------------------------------
seg009:4182
seg009:4182 BTRAP_handler:                          ; CODE XREF: ROM:BTRAPJ
seg009:4182                 mov     word_F9F2, r0
seg009:4186                 scxt    CP, #0F9F2h
seg009:418A                 mov     r12, sub_8000+2
seg009:418E                 calls   1, sub_142B4
seg009:4192                 reti


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 06, 2016, 12:04:32 PM
you guys should work on gen2 controllers. might be a bit more familiar.  ;)

ive been saving this for a looooong time. might have a few more kicking about as well.  :)


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 06, 2016, 01:30:13 PM
you guys should work on gen2 controllers. might be a bit more familiar.  ;)

ive been saving this for a looooong time. might have a few more kicking about as well.  :)

Nice


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 06, 2016, 01:31:33 PM
It's odd I know but look at the hex it looks like reference table to call functions.


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on January 06, 2016, 03:29:07 PM
There are many maps on haldex gen1 and gen2!
the processor on gen2 : c167 too


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 06, 2016, 03:38:28 PM
There are many maps on haldex gen1 and gen2!
the processor on gen2 : c167 too

gen2 is 200bb flash.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 06, 2016, 04:30:36 PM
It's odd I know but look at the hex it looks like reference table to call functions.
No! I can't see how you would choose ref table over code.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 06, 2016, 04:44:47 PM
No! I can't see how you would choose ref table over code.

Boot function moves a byte from there and there are a few others too.   Then in hex I noticed the bottom of what I thought was a table/struct happened to contain memory references to a function position in the flash.   I didn't check them all but from the bottom up it seemed to match.   This and a hardware reset function loads bytes too iirc.

This I thought may explain the unreferenced function.   It was only ten mins I looked,  I'll post some screens tomorrow.   I've seen code like this before in me7 diag.   The odd thing is the function is almost perfect if not perfect so may just be a coincidence.   Food for thought....


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 06, 2016, 05:12:21 PM
Look @ MEM_EXT:A718

MEM_EXT:A718                 calls   0, byte_6AC8 this cannot be a function if you look at the hex.



Title: Re: Haldex Controllers Thinking.....
Post by: vagenwerk on January 06, 2016, 05:16:11 PM
you guys should work on gen2 controllers. might be a bit more familiar.  ;)

ive been saving this for a looooong time. might have a few more kicking about as well.  :)

what tool did You use to readout this from haldex ?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 06, 2016, 05:21:53 PM
Look @ MEM_EXT:A718

MEM_EXT:A718                 calls   0, byte_6AC8 this cannot be a function if you look at the hex.


of course not but the sub that calls 0x06AC8 is a legit coded function.

Code:
sub_A70A:                               ; CODE XREF: MEM_EXT:88FAP
MEM_EXT:A70A                 mov     [-r0], r9
MEM_EXT:A70C                 mov     [-r0], r8
MEM_EXT:A70E                 mov     [-r0], r7
MEM_EXT:A710                 sub     r0, #2
MEM_EXT:A712                 mov     r12, #182h
MEM_EXT:A716                 mov     r13, r0
MEM_EXT:A718                 calls   0, unk_6AC8
MEM_EXT:A71C                 cmp     r4, #0
MEM_EXT:A71E                 jmpr    cc_Z, loc_A726
MEM_EXT:A720                 mov     r4, #0FFFFh
MEM_EXT:A724                 jmpr    cc_UC, loc_A77A
MEM_EXT:A726 ; ---------------------------------------------------------------------------
MEM_EXT:A726
MEM_EXT:A726 loc_A726:                               ; CODE XREF: sub_A70A+14j
MEM_EXT:A726                 movb    rl4, [r0]
MEM_EXT:A728                 cmpb    rl4, #0
MEM_EXT:A72A                 jmpr    cc_SGE, loc_A750
MEM_EXT:A72C                 movbs   r9, rl4
MEM_EXT:A72E                 neg     r9
MEM_EXT:A730                 mov     r4, r9
MEM_EXT:A732                 mov     r5, #0
MEM_EXT:A734                 mov     r10, #0ADD7h
MEM_EXT:A738                 mov     r11, #0
MEM_EXT:A73A                 calls   0, sub_B5CC
MEM_EXT:A73E                 mov     r7, r4
MEM_EXT:A740                 mov     r8, r5
MEM_EXT:A742                 mov     r4, r5
MEM_EXT:A744                 mov     r5, ZEROS
MEM_EXT:A748                 neg     r4
MEM_EXT:A74A                 mov     word_E2E0, r4
MEM_EXT:A74E                 jmpr    cc_UC, loc_A770
MEM_EXT:A750 ; ---------------------------------------------------------------------------
MEM_EXT:A750
MEM_EXT:A750 loc_A750:                               ; CODE XREF: sub_A70A+20j
MEM_EXT:A750                 movb    rl4, [r0]
MEM_EXT:A752                 movbs   r9, rl4
MEM_EXT:A754                 mov     r4, r9
MEM_EXT:A756                 mov     r5, #0
MEM_EXT:A758                 mov     r10, #0ADD7h
MEM_EXT:A75C                 mov     r11, #0
MEM_EXT:A75E                 calls   0, sub_B5CC
MEM_EXT:A762                 mov     r7, r4
MEM_EXT:A764                 mov     r8, r5
MEM_EXT:A766                 mov     r4, r5
MEM_EXT:A768                 mov     r5, ZEROS
MEM_EXT:A76C                 mov     word_E2E0, r4
MEM_EXT:A770
MEM_EXT:A770 loc_A770:                               ; CODE XREF: sub_A70A+44j
MEM_EXT:A770                 mov     r4, #0FFD4h
MEM_EXT:A774                 mov     word_E2EC, r4
MEM_EXT:A778                 mov     r4, #0
MEM_EXT:A77A
MEM_EXT:A77A loc_A77A:                               ; CODE XREF: sub_A70A+1Aj
MEM_EXT:A77A                 add     r0, #2
MEM_EXT:A77C                 mov     r7, [r0+]
MEM_EXT:A77E                 mov     r8, [r0+]
MEM_EXT:A780                 mov     r9, [r0+]
MEM_EXT:A782                 rets
MEM_EXT:A782 ; End of function sub_A70A


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 06, 2016, 06:33:06 PM
what tool did You use to readout this from haldex ?

well its psop44, sooo.....


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 07, 2016, 07:25:07 PM
I must be reading assembly from hex lol sad.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 07, 2016, 10:32:53 PM
That's beside my point, decompiled iDA said byte was a function.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 03:19:16 AM
That's beside my point, decompiled iDA said byte was a function.
Well it's not IDA that claims it is a function, IDA only tries to present it as a function since there is a legit call to the byte. IDA can't know that there is ASCII at the destination of the calls.

AutoIT scripts or even Perl scripts often result in much that is not correct too.

I'm wondering if the layout of read from the ECU is bad or if there is an internal ROM in the  C167 that is used at lower 32k in certain situations.
But sure it could be my lack of knowledge of C167 code too.  :-\


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on January 08, 2016, 04:55:30 AM
The proc is a c167cr-lm (in the dump 417f we can see that). the c167cr-lm is romless version.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 05:03:48 AM
The proc is a c167cr-lm (in the dump 1733D we can see that). the c167cr-lm is romless version.
Ok, nice to know but that means there is something else that indicate code that jmp to asciidata and to numerous places not correctly aligned into subroutines or even calls to middle of opcodes
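
Added example (not part of the thread and not any poster's code): a small Python check for the symptom discussed above, CALLS whose destinations land on ASCII, on odd addresses, or in regions the flash file does not back. It assumes file offset equals CPU address (the flash at 0x0 as DT describes) and uses the `DA seg lo hi` encoding visible in the listing bytes; the sweep is a heuristic that can also match a 0xDA operand word, and the sample image is constructed.

```python
from collections import Counter

CALLS_OPCODE = 0xDA   # 'calls seg, caddr' is DA seg lo hi in the thread's listing (DA 00 8C 6E)
MIN_ASCII_RUN = 6     # assumption: six printable bytes in a row is text, not opcodes
# Windows DT reports as hidden by the CPU, so the flash file is not what executes there.
SHADOWED = ((0x0E000, 0x0E7FF), (0x0EF00, 0x0FFFF))


def find_calls(image, start=0, end=None):
    """Yield (site, target) for each word-aligned DA ss ll hh pattern in [start, end)."""
    end = len(image) if end is None else min(end, len(image))
    for off in range(start & ~1, end - 3, 2):
        if image[off] == CALLS_OPCODE:
            caddr = image[off + 2] | (image[off + 3] << 8)   # little-endian offset
            yield off, (image[off + 1] << 16) | caddr        # segment:offset -> linear


def classify_target(image, target):
    """Return a verdict string for one call destination."""
    if any(lo <= target <= hi for lo, hi in SHADOWED):
        return "shadowed"        # file contents are not what the CPU sees here
    if target >= len(image):
        return "out_of_image"    # dump too short, or wrong segment mapping
    if target & 1:
        return "odd"             # C16x instructions are word aligned
    if all(b == 0xFF for b in image[target:target + 4]):
        return "erased"          # destination is blank flash
    run = 0
    for b in image[target:target + MIN_ASCII_RUN]:
        if not 0x20 <= b < 0x7F:
            break
        run += 1
    return "ascii" if run >= MIN_ASCII_RUN else "ok"


def audit(image, start=0, end=None):
    """List (site, target, verdict) for every candidate CALLS in the range."""
    return [(site, tgt, classify_target(image, tgt))
            for site, tgt in find_calls(image, start, end)]


def summarize(rows):
    """Count verdicts; many non-'ok' rows suggest a wrong load address or bad read."""
    return Counter(verdict for _, _, verdict in rows)


def build_sample_image():
    """Constructed 256-byte image for the demo, not data from any real controller."""
    img = bytearray(b"\xff" * 0x100)
    targets = [0x000060, 0x000040, 0x000061, 0x000080, 0x010000, 0x00E100]
    for i, tgt in enumerate(targets):
        img[i * 4:i * 4 + 4] = bytes(
            [CALLS_OPCODE, tgt >> 16, tgt & 0xFF, (tgt >> 8) & 0xFF])
    img[0x18:0x1A] = b"\xdb\x00"                                # rets
    img[0x40:0x49] = b"C167CR-LM"                               # text, like the CPU id string
    img[0x60:0x6A] = bytes.fromhex("F68E56E1E6FC5460DB00")      # mov/mov/rets from the listing
    return bytes(img)


if __name__ == "__main__":
    rows = audit(build_sample_image())
    for site, tgt, verdict in rows:
        print(f"call at {site:#06x} -> {tgt:#07x}: {verdict}")
    print(dict(summarize(rows)))
```

Running the audit per 32 KB window and comparing the share of non-"ok" verdicts shows quickly whether one block of the file is mapped at the wrong address.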


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 06:53:29 AM
that helped, 1733d was a JMPR from what I could see in instruction set manual (no IDA available where I'm at)
Yeah I've seen the ASCII cr-lm but had forgotten it.


john9357:
Do you stumble upon the same CALLS to faulty locations when you work with the file?


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 08, 2016, 08:21:46 AM
needs decompiled again with right proc selected imo, I'll do it in 5 minutes later when I am home.  Makes sense now.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 08, 2016, 08:26:49 AM
Well it's not IDA that claims it is a function, IDA only try to present it as a function since there is a legit call to the byte. IDA can't know that there is ASCII on the destination of the calls.

AutoIT scripts or even Perl scripts often result in much that is not correct too.

I'm wondering if the layout of read from the ECU is bad or if there is an internal ROM in the  C167 that is used at lower 32k in certain situations.
But sure it could be my lack of knowledge of C167 code too.  :-\

IDA assumes with a calls the destination is a function I guess.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 08, 2016, 02:49:25 PM
Can't find that proc in my iDA version.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 03:07:54 PM
Can't find that proc in my iDA version.
Would not help, i can't see any important differences in -lm from the c167cr-sr available in IDA. You can edit an IDA file to get specific settings for this cpu but even if we were to change memory mapping of segments and such it would not help since the mapping is done in 64kb segments which I would assume to include destination of mapping.
And I've already checked various alternative places for the address where ascii is. Not helping.


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 08, 2016, 03:10:23 PM
we're now testing a little ecu tweak which is sending some altered data into can-bus. (see pic)
and there is a noticeable difference (I've used this only in one map in my multimap routine, so it's 2-click switching between normal operation and this tweak)
rear wheels moving faster than front lol

btw there is wheel speeds from ABS can-data available in ecu  :)

more testing is needed to collect some data and optimal settings


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 08, 2016, 03:15:08 PM
Would not help, i can't see any important differences in -lm from the c167cr-sr available in IDA. You can edit an IDA file to get specific settings for this cpu but even if we were to change memory mapping of segments and such it would not help since the mapping is done in 64kb segments which I would assume to include destination of mapping.
And I've already checked various alternative places for the address where ascii is. Not helping.

Sorry I must have misunderstood your earlier reply.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 03:33:24 PM
we're now testing a little ecu tweak which is sending some altered data into can-bus. (see pic)
and there is a noticeable difference (I've used this only in one map in my multimap routine, so it's 2-click switching between normal operation and this tweak)
rear wheels moving faster than front lol

btw there is wheel speeds from ABS can-data available in ecu  :)

more testing is needed to collect some data and optimal settings
I thought about piggybacking the Haldex with help of the ME7 last year, shouldn't be too hard. But I dropped the idea since it might be a bad idea in dangerous situations. (think ESP and such)


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 08, 2016, 03:53:04 PM
I thought about piggybacking the Haldex with help of the ME7 last year, shouldn't be too hard. But I dropped the idea since it might be a bad idea in dangerous situations. (think ESP and such)

yes. that's why i wrote custom routine to use it only in one of maps in multimap routine also with changed KLDMASRL. supasport mode ))
we drove it all day (-12c and wet/snowy roads) and has no negative intervention from ESP system. but not tested it yet in really bad situations :)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 08, 2016, 04:49:43 PM
yes. that's why i wrote custom routine to use it only in one of maps in multimap routine also with changed KLDMASRL. supasport mode ))
we drove it all day (-12c and wet/snowy roads) and has no negative intervention from ESP system. but not tested it yet in really bad situations :)
Well the problem is not when you are out playing, the problem might be at 120km/h in heavy highway traffic when you go from high load to brake or such. But sure it could work well.


Title: Re: Haldex Controllers Thinking.....
Post by: aef on January 09, 2016, 04:50:29 AM
Mechanically there is no way the rear wheels would spin faster than the front wheels. There is no gearbox thing in the haldex.
The only situation i could imagine is your abs/esp/eds is braking your front wheels.


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 09, 2016, 06:33:51 AM
Mechanically there is no way the rear wheels would spin faster than the front wheels. There is no gearbox thing in the haldex.
The only situation i could imagine is your abs/esp/eds is braking your front wheels.

nope
i accidentally swapped front-rear wheels variables  :D
such a fool


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 09, 2016, 07:31:41 AM
Mechanically there is no way the rear wheels would spin faster than the front wheels. There is no gearbox thing in the haldex.
The only situation i could imagine is your abs/esp/eds is braking your front wheels.
Let's not bring that discussion up again, it's 15 years old.  ;D Besides your assumption about brakes is just as dumb. :-) Rear axle cannot spin faster only transfer more torque than front.

I thought fukenbroken was experimenting with and injecting new can wheel speed data trying to fool haldex lock point.

Back to topic (since this is about reading/writing haldex ECU): Where is ccyberwing?


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 09, 2016, 09:17:41 AM
Let's not bring that discussion up again, it's 15 years old.  ;D Besides your assumption about brakes is just as dumb. :-) Rear axle cannot spin faster only transfer more torque than front.

I thought fukenbroken was experimenting with and injecting new can wheel speed data trying to fool haldex lock point.

Back to topic (since this is about reading/writing haldex ECU): Where is ccyberwing?

pmed him at christmas weekend
still no answer


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 11, 2016, 03:23:28 AM
sorry for the delay but i am still not back home. i get back on this weekend, so i can post some pictures of how to read this controller.
It's meant to be read in boot mode. by k-line.

regards


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 11, 2016, 03:32:24 AM
sorry for the delay but i am still not back home. i get back on this weekend, so i can post some pictures of how to read this controller.
It's meant to be read in boot mode. by k-line.
regards
bclr, bset P2_14?


Title: Re: Haldex Controllers Thinking.....
Post by: wannabee900 on January 13, 2016, 04:50:24 AM
Anyone who has managed to enter boot mode on Gen1 yet (except for ccyberwing)? Verified by the fact that you cannot connect by vcds without reboot


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 13, 2016, 07:29:06 PM
YES!  ;D
The entry code to what seems to be flashfile download routines wasn't too hard to find.
It is probably not possible to read with help of flashcode and that makes sense, why would VAG/Haldex need to read the ECU. I've not tried to write yet since I'm not experienced with OBD communication and I'm not sure how to attack this with my VCDS cable or Galletto clone cable. I would like an OBD terminal program where the ECU ASCII based menu system for flash write would work. Would an elm327 cable which has an AT command set help me or do I need to do a bit of programming myself?
When searching for something useful, everything I find is nice solutions for working with CAN.

It's fairly quiet here, surely there are others who found the same?

Now we only need to get ccyberwings boot mode instructions. We are almost done.  :D


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 13, 2016, 09:30:39 PM
YES!  ;D
The entry code to what seems to be flashfile download routines wasn't too hard to find.
It is probably not possible to read with help of flashcode and that makes sense, why would VAG/Haldex need to read the ECU. I've not tried to write yet since I'm not experienced with OBD communication and I'm not sure how to attack this with my VCDS cable or Galetto clone cable. I would like an OBD terminal program where the ECU ASCII based menu system for flash write would work. Would an elm327 cable which have AT command set help me or do I need to do a bit of programming myself?
When searching for something useful, everything I find is nice solutions for working with CAN.

It's fairly quiet here, surely there are others who found the same?

Now we only need to get ccyberwing's boot mode instructions. We are almost done.  :D


I might be able to help, can comms or?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 14, 2016, 12:59:35 AM
I might be able to help, can comms or?
By the looks of it the whole process is done with the k-line, hence why i would like to have a terminal for k-line.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 14, 2016, 06:28:12 AM
You can write something for the vagcom cable in dumb mode I guess, I haven't got any ready-to-go kline code though.

http://www.ftdichip.com/Support/SoftwareExamples/CodeExamples.htm


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 14, 2016, 06:43:43 AM
http://nefariousmotorsports.com/forum/index.php?topic=95.msg289#msg289



Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 14, 2016, 07:59:08 AM
Thank you but it's not the read memory commands and such I'm looking for. I only want some kind of software that can connect to haldex ecu and let me send hex data and see hex/ascii reply from ecu.
I'm not very interested in creating my own terminal program.  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 14, 2016, 08:15:40 AM
Thank you but it's not the read memory commands and such I'm looking for. I only want some kind of software that can connect to haldex ecu and let me send hex data and see hex/ascii reply from ecu.
I'm not very interested in creating my own terminal program.  ;D

Terminal is easy to code but unsure how you'd send large data via it.  If you find some base KWP2000 code in C or C# I'll whip something up for you.

I've done a LOT of work with CAN but next to zero with kline.

It's a pity it's not CAN as I have exactly that but for CAN with Arduino


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 14, 2016, 08:28:37 AM
Is this boot mode work?  You'll need a loader too like what minimon uses but expanded I guess.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 14, 2016, 09:27:39 AM
heres another.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 14, 2016, 05:09:52 PM
Is this boot mode work?  You'll need a loader too like what minimon uses but expanded I guess.
No, IDA research about k-line comm. Though I have most of bootmode figured out, like custom bootstrap loader. But waiting for ccyberwing to reveal how to trigger the damn thing.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 15, 2016, 06:13:59 AM
I bought an ELM327 yesterday and tried to connect to Haldex ECU on bench. +12v, GND and K-Line connected. Did not work!
VCDS cable with VCDS software works fine with this connection.

I used putty and ELM AT commands but could only reach the ELM with the AT commands, not through to the Haldex ecu.

different combinations of the following
atz
atst ff
atsp3
atiia1
0100   (gives NO DATA or BUS INIT... ERROR after slow connect)

also tried atsh <header>

Never got the "BUS INIT... OK" that is needed.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 15, 2016, 09:35:34 PM
5 baud init rings a bell


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 07:16:36 AM
Finally i made a picture, how to read the haldex controller via bootmode and kline (yes, i love paint  8) )

I know there are more versions of this controller in the field, please send me a hi-res picture and i will
make the modifications necessary to connect via bootmode.

I hope my picture is not too confusing  :D :D :D

regards
 
https://dropmefiles.com/krMDu


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 16, 2016, 07:35:02 AM
https://dropmefiles.com/


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 07:37:22 AM
https://dropmefiles.com/

nice, thanks! - updated the upper post


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on January 16, 2016, 07:51:01 AM
nice, thanks! - updated the upper post
wow, that makes sense
do you have a pinout for that +12v/kline/gnd port?
which software you are using?
is it possible to write flash back?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 07:53:59 AM
Incredible. Thank you!
Though more than expected that needs to be connected and therefore much more difficult to achieve. Do you have a live picture of how you did it?

Is there no need to control direction of kline? In flash code it looks like P2_14 must be set or cleared to control receive or transmit.
Or is that what you've somehow done with the connection of mcu and transceiver?


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 07:58:05 AM
use the original power plug from the haldex controller. (you need the capacitor in the plug)

black 8 pin connector from haldex:

Pin 1 = +12V
Pin 2 = Ground
Pin 5 = K-Line

i use a self-written application for boot mode and modified flash drivers.
but minimon should work too, but i haven't tried.

yes, possible to flash back - tried many times  ;D ;D


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:02:33 AM
without  Haldex cable

I've only done vcds through these pins and need to test to attach a correct capacitor.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:07:16 AM
Incredible. Thank you!
Though more than expected that needs to be connected and therefore much more difficult to achieve. Do you have a live picture of how you did it?

Is there no need to control direction of kline? In flash code it looks like P2_14 must be set or cleared to control receive or transmit.
Or is that what you've somehow done with the connection of mcu and transceiver?


no problem, i am happy if i can help :) and i think nefmoto is a nice community.

i was most surprised about the pol0.4 connection, why its on the header.

i can make a picture in action, i soldered wires on the hybrid - a bit fuzzy, but its possible.
later i used test pins (spring loaded needles) to connect.

hmm, could be - i havent analysed this part of software yet.
the connection is there because i haven't found any route between asc0.txd and the input of the k-line transceiver.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:08:35 AM
without  Haldex cable

I've only done vcds through these pins and need to test to attach a correct capacitor.

you need only some µF. about 100µF to 470µF should do.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:11:08 AM
ok, well then I don't even have to look for the cable. I've got many standard caps like that.

I find it a bit confusing that they've made the P0L.4 available at connector if it's not supposed to be possible to work without connections directly at circuit board.
(surprised just like you :-) )


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:18:36 AM
hmm, could be - i havent analysed this part of software yet.
the connection is there because i haven't found any route between asc0.txd and the input of the k-line transceiver.
Well there is connection since all communication go through S0TBUF and S0RBUF (hence ASC0) but they also have the P2_14 connected to the transceiver to control in/out from the transceiver.

They do a bclr    P2_14 before every load of TBUF and a bset p2_14 directly after Transmit interrupt to be ready to receive again.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:22:28 AM
Well there is connection since all communication go through S0TBUF and S0RBUF (hence ASC0) but they also have the P2_14 connected to the transceiver to control in/out from the transceiver.

They do a bclr    P2_14 before every load of TBUF and a bset p2_14 directly after Transmit interrupt to be ready to receive again.


ahh, that makes sense - its not the mcu txd - its the transceiver CS ... lol



Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:24:45 AM
Haha, yes txd could of course control the CS :-)

The problem is that I don't know for sure if receive status of transceiver is default. It probably is and then it is possible to inject the 32bit load code at correct time after reset without boot mode confirmation sent from ecu. I have modified the minimonK code to control P2_14 when executed.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:28:04 AM
Haha, yes txd could of course control the CS :-)

The problem is that I don't know for sure if receive status of transceiver is default. It probably is and then it is possible to inject the 32bit load code at correct time after reset without boot mode confirmation sent from ecu. I have modified the minimonK code to control P2_14 when executed.


Yes, default is receive - confirmed.

would be good - so we only need to figure out how to disable the reset watchdog


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:30:17 AM
hmm, the #¤%% reset that is mentioned to exist earlier in thread also for Gen2.

what I believe would work for communication is
send 0 to ecu after reset (with 0.4)  is finished and then wait a sec for the C5 (which you hopefully can't receive), then send the 32byte loader which executes automatically when received by ecu.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:36:09 AM
hmm, the #¤%% reset that is mentioned to exist earlier in thread also for Gen2.

what I believe would work for communication is
send 0 to ecu after reset (with 0.4)  is finished and then wait a sec for the C5 (which you hopefully can't receive), then send the 32byte loader which executes automatically when received by ecu.

i think this should work - but we can only wait for about 100ms because the watchdog resets every ~800ms (or tie the reset up to 5V)

i read this controller with 125kbaud, so speed shouldnt be any problem


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:45:58 AM
i think this should work - but we can only wait for about 100ms because the watchdog resets every ~800ms (or tie the reset up to 5V)

i read this controller with 125kbaud, so speed shouldnt be any problem

The P0L0.4 at header seems less confusing now. :-)   no need to wait for 1 sec

the 0 could be sent a few μs after reset is done, then we can send the 32byte code 1ms later since C5 is sent by cpu 2.5μs after it receives 0.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:50:17 AM
The P0L0.4 at header seems less confusing now. :-)   no need to wait for 1 sec

the 0 could be sent a few μs after reset is done, then we can send the 32byte code 1ms later since C5 is sent by cpu 2.5μs after it receives 0.

yes, i think so too  ;) ;) ;)

nice - "only" have to sort this reset watchdog out - as far as i can see it could be controlled by the sbc chip (i'll find out)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 08:52:59 AM
yes, i think so too  ;) ;) ;)

nice - "only" have to sort this reset watchdog out - as far as i can see it could be controlled by the sbc chip (i'll find out)
If you take a look at where it is connected to I will see in the flash what their code does to disable it. Then we can do the same thing in code after loaded 32bytes (which will not take 800ms). I'll take a shower now, do you have the connections for me when I'm back at keyboard?  :)


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 08:56:48 AM
If you take a look at where it is connected to I will see in the flash what their code does to disable it. Then we can do the same thing in code after loaded 32bytes (which will not take 800ms). I'll take a shower now, do you have the connections for me when I'm back at keyboard?  :)

i think so.  ;D 8)


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 09:37:56 AM
 ;D ;D ;D

ha ... now i know how it works :D ... you won't believe ..

you remember we have the header with pol0.4 on it , lets say pin1 ... and pin3 and pin4 are the gnd and the temp sensor ...
and .... pin 2 is the watchdog control  :D :D

https://dropmefiles.com/4L53o

so you have to look about some timer that generates 20Hz on an special pin to prevent the watchdog triggering... Ha!
(should be pretty close at 20Hz, 15Hz triggers the dog and 25 Hz too)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 16, 2016, 10:30:38 AM
;D ;D ;D

ha ... now i know how it works :D ... you won't believe ..

you remember we have the header with pol0.4 on it , lets say pin1 ... and pin3 and pin4 are the gnd and the temp sensor ...
and .... pin 2 is the watchdog control  :D :D

https://dropmefiles.com/4L53o

so you have to look about some timer that generates 20Hz on an special pin to prevent the watchdog triggering... Ha!
(should be pretty close at 20Hz, 15Hz triggers the dog and 25 Hz too)
:-)
I think I've seen a couple of timers in code but I believe I assumed at least one of them was for baudrate control. It would have been super easy to find if we knew where the mentioned sbc chip is connected on c167.

simple circuit that could be put inline with the "flashcable" in a few inches of shrink tube for easy 20hz but for sure it's nicer to find what they do in code.
http://www.electroschematics.com/6527/simple-square-wave-generator-with-7400/

I hit a deer the other day and need to visit the garage now for 1 hour to see if I can fix the Xenon headlight. Will check code after that.


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 16, 2016, 10:42:09 AM
Its somewhere on the inner Pins - i don't want to destroy the Controller.
Its a simple reset/watchdog ic with 6pin

Ok, and I'll go for dinner now.
good luck!


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 21, 2016, 01:29:57 PM
Its a simple reset/watchdog ic with 6pin

i only see the 1 6pin IC on the gen2 board. i removed it and held ground via 1k resistor to P0L.4 and c167 booted as normal. vcds connected via canbus OK.

here is high res image of gen2 controller: http://www.filedropper.com/img0157


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 21, 2016, 02:02:46 PM
i only see the 1 6pin IC on the gen2 board. i removed it and held ground via 1k resistor to P0L.4 and c167 booted as normal. vcds connected via canbus OK.

here is high res image of gen2 controller: http://www.filedropper.com/img0157
Can you please check where it is connected to c167?

On gen1 I think it is the ic right beside the P0L.4 connector

Btw, what model of 6pin IC?


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 21, 2016, 04:35:27 PM
i cant tell what it says on top, "Dx2" it looks like. where "x" is unknown.

i think you may be on to something though. that IC is connected directly to P0L.4 through a resistor and capacitor.
the straight blue line from point > point is 0/ohm resistance.

high res image: http://www.filedropper.com/p0l4


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 21, 2016, 04:59:08 PM
i cant tell what it says on top, "Dx2" it looks like. where "x" is unknown.

i think you may be on to something though. that IC is connected directly to P0L.4 through a resistor and capacitor.
the straight blue line from point > point is 0/ohm resistance.

high res image: http://www.filedropper.com/p0l4
No direct connection to c167 from any of 6pin if you do a beep test with multimeter?
I'm sorry to ask but could you please try to trace all 6 pins and report? It's not possible to do this on the gen1 but I think gen1 and gen2 are almost similar hardware wise except for the on die in Gen1. Thank you.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 21, 2016, 05:16:19 PM
2 blue dots.
3 red dots.

blue is obviously direct to pin and both red are direct to single pin.
others didnt appear connected.

edit: wait, sorry. missed a pin. blue is connected twice as well.

http://www.filedropper.com/dots_1

as far as im concerned, knowing what little i know, gen1 and gen2 are damn near identical. hardware and software. gen2 is just in a cleaner package.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 21, 2016, 06:20:01 PM
2 blue dots.
3 red dots.

blue is obviously direct to pin and both red are direct to single pin.
others didnt appear connected.

edit: wait, sorry. missed a pin. blue is connected twice as well.

http://www.filedropper.com/dots_1

as far as im concerned, knowing what little i know, gen1 and gen2 are damn near identical. hardware and software. gen2 is just in a cleaner package.

Thank you, I will look into this tomorrow.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 21, 2016, 07:08:34 PM
ive been holding on to these controllers for a while.
i have 2 gen2 and 2 gen4.


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on January 21, 2016, 07:17:57 PM
ive been holding on to these controllers for a while.

You can set them down on the table for a bit. Your hands must be killing you.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 22, 2016, 11:30:39 PM
with resistor marked in orange still attached to board, vcds connects no matter if ground wire (1k resistor) connected or not.
video is with resistor removed.

i assume this is bootmode.

http://youtu.be/AgrpIf2hlV0

high res image: http://www.filedropper.com/2ee


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 23, 2016, 09:17:35 AM
with resistor marked in orange still attached to board, vcds connects no matter if ground wire (1k resistor) connected or not.
video is with resistor removed.

i assume this is bootmode.

http://youtu.be/AgrpIf2hlV0

high res image: http://www.filedropper.com/2ee

Thanks for taking the time dude.  Get minimon cracked out ;)


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 23, 2016, 12:38:09 PM
connected to haldex via TTL converter + 1k boot pin, resistor still removed from circuit.

Tx/Rx in green and yellow.
minimon screenshot attached.

no c167cs-lm option in minimon so using all default c167cr options.

serial connection: http://www.filedropper.com/serial_5


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 23, 2016, 01:06:39 PM
ok, so after a few attempts of powering on/off and trying to connect with minimon, 1 time it completely connected and another it would lose connection and attempt to reconnect during loading but said connection lost in the end.

technically, i guess it works. sort of.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 23, 2016, 01:10:55 PM
bootmode connected.  :)

edit: this seems to be easily repeated with p0l.4 connected directly to ground, no 1k ohm.
k-line does not seem to be connected to pin 5 on haldex connector. no type of reply from minimon with a kkl cable.

boot log:

Code:
*Loader file Prepare
*Minimon file Prepare
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: D5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0680
*Reset: SYSCON=0400
*Reset Configuration: External Bus enabled
*Reset Configuration: 16 Bit demultiplexed Bus
*Reset Configuration: WR# and BHE# retain their normal function (P0H.0=0)
*Reset Configuration: On chip watchdog timer is disabled (RD#=0)
*Reset Configuration: Lengthened ALE signal
*Initialisation: Write to SYSCON
*ERROR: Minimon Acknowledge not Received
*Initialisation: Write to BUSCON0
*Initialisation: Write to BUSCON1
*Initialisation: Write to ADDRSEL1
*Initialisation: Write to BUSCON2
*Initialisation: Write to ADDRSEL2
*Initialisation: Write to BUSCON3
*Initialisation: Write to ADDRSEL3
*Initialisation: Write to BUSCON4
*Initialisation: Write to ADDRSEL4
*Initialisation: Enable X-Peripherals via SYSCON
*Initialisation: Call EINIT Command


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 23, 2016, 02:55:28 PM
Try a 120r instead,  nice work guys props.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 23, 2016, 05:27:59 PM
st10f272m gen4, bootmode!!

Code:
*Loader file Prepare
*Minimon file Prepare
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: D5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0280
*Reset: SYSCON=0600
*Reset Configuration: External Bus disabled
*Reset Configuration: 16 Bit demultiplexed Bus
*Reset Configuration: WR# and BHE# retain their normal function (P0H.0=0)
*Reset Configuration: On chip watchdog timer is disabled (RD#=0)
*Reset Configuration: Lengthened ALE signal
*Initialisation: Write to SYSCON
03 *ERROR: Minimon Acknowledge not Received
*Initialisation: Write to BUSCON0
*Initialisation: Write to BUSCON1
*Initialisation: Write to ADDRSEL1
*Initialisation: Write to BUSCON2
*Initialisation: Write to ADDRSEL2
*Initialisation: Write to BUSCON3
*Initialisation: Write to ADDRSEL3
*Initialisation: Write to BUSCON4
*Initialisation: Write to ADDRSEL4
*Initialisation: Enable X-Peripherals via SYSCON
*Initialisation: Call EINIT Command
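
The two minimon logs above (gen2 C167CS-LM and gen4 ST10F272M) differ in only a few places, which is easier to see when they are parsed. The following is an added example, not part of the original posts and not minimon's own code: it checks the handshake order shown in the logs, decodes BUSCON0, and ties the "Acknowledge not Received" error to the step that preceded it. The BUSCON0 bit positions (BUSACT0, ALECTL0, BTYP) are an assumption taken from the C167 register layout; they agree with the "Reset Configuration" lines minimon printed in both logs. All function names are hypothetical.

```python
import re

# The two logs posted above, trimmed to the lines this parser uses.
GEN2_LOG = """\
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: D5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0680
*Reset: SYSCON=0400
*Initialisation: Write to SYSCON
*ERROR: Minimon Acknowledge not Received
*Initialisation: Write to BUSCON0
"""

GEN4_LOG = """\
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: D5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0280
*Reset: SYSCON=0600
*Initialisation: Write to SYSCON
03 *ERROR: Minimon Acknowledge not Received
*Initialisation: Write to BUSCON0
"""

# Assumed C167 BUSCON0 layout (matches minimon's own decode lines in the logs).
BUSACT0 = 1 << 10          # external bus active
ALECTL0 = 1 << 9           # lengthened ALE
BTYP = {0: "8-bit demultiplexed", 1: "8-bit multiplexed",
        2: "16-bit demultiplexed", 3: "16-bit multiplexed"}

# Order of acknowledge bytes as both logs show them.
EXPECTED_ACKS = [("Loader", 0x01), ("Minimon", 0x03)]


def decode_buscon0(value):
    """Split a BUSCON0 reset value into the fields minimon reports."""
    return {
        "external_bus": bool(value & BUSACT0),
        "lengthened_ale": bool(value & ALECTL0),
        "bus_type": BTYP[(value >> 6) & 0x3],
    }


def parse_boot_log(text):
    """Parse a minimon log into identifier, ACKs, registers, errors and stray bytes."""
    log = {"identifier": None, "acks": [], "registers": {}, "errors": [], "stray": []}
    last_step = None
    for raw in text.splitlines():
        # Every minimon message starts with '*'; anything before it is stray output.
        prefix, star, msg = raw.strip().partition("*")
        if prefix.strip():
            log["stray"].append(prefix.strip())
        if not star:
            continue
        msg = msg.strip()
        if msg.startswith("ERROR:"):
            # Attribute the error to the step logged immediately before it.
            log["errors"].append((last_step, msg[len("ERROR:"):].strip()))
            continue
        if m := re.search(r"MC-Identifier:\s*([0-9A-Fa-f]{2})$", msg):
            log["identifier"] = int(m.group(1), 16)
        elif m := re.search(r"(Loader|Minimon)\s*ACK ([0-9A-Fa-f]{2}) received", msg):
            log["acks"].append((m.group(1), int(m.group(2), 16)))
        elif m := re.match(r"Reset: (\w+)=([0-9A-Fa-f]{4})$", msg):
            log["registers"][m.group(1)] = int(m.group(2), 16)
        last_step = msg
    return log


def handshake_ok(log):
    """True when an identifier byte and both ACKs arrived in the expected order."""
    return log["identifier"] is not None and log["acks"] == EXPECTED_ACKS


if __name__ == "__main__":
    for name, text in (("gen2", GEN2_LOG), ("gen4", GEN4_LOG)):
        log = parse_boot_log(text)
        print(name, "handshake ok:", handshake_ok(log))
        print("  BUSCON0:", decode_buscon0(log["registers"]["BUSCON0"]))
        print("  errors:", log["errors"], "stray:", log["stray"])
```

In both logs the handshake completes and the error appears only after the first SYSCON write; the gen4 log additionally has a stray `03` in front of the error line, the same value as the Minimon ACK byte.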


Title: Re: Haldex Controllers Thinking.....
Post by: vwaudiguy on January 23, 2016, 05:33:23 PM
st10f272m gen4, bootmode!!

Code:
*Loader file Prepare
*Minimon file Prepare
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: D5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0280
*Reset: SYSCON=0600
*Reset Configuration: External Bus disabled
*Reset Configuration: 16 Bit demultiplexed Bus
*Reset Configuration: WR# and BHE# retain their normal function (P0H.0=0)
*Reset Configuration: On chip watchdog timer is disabled (RD#=0)
*Reset Configuration: Lengthened ALE signal
*Initialisation: Write to SYSCON
03 *ERROR: Minimon Acknowledge not Received
*Initialisation: Write to BUSCON0
*Initialisation: Write to BUSCON1
*Initialisation: Write to ADDRSEL1
*Initialisation: Write to BUSCON2
*Initialisation: Write to ADDRSEL2
*Initialisation: Write to BUSCON3
*Initialisation: Write to ADDRSEL3
*Initialisation: Write to BUSCON4
*Initialisation: Write to ADDRSEL4
*Initialisation: Enable X-Peripherals via SYSCON
*Initialisation: Call EINIT Command

w00t!


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 23, 2016, 08:21:10 PM
does anyone know of any software that will read/write st10 cpu?
i tried st10flasher 2.4b, but it says the 0xD5 ID is wrong even though it seems to be correct for minimon, the 1 time it actually ID'd correct. normally says BSL mode failed to start.

cpu has on board 256kb. k-line doesnt seem to be connected on this controller either.

id like to test by running a k-line jumper as described in ccyberwing's diagram but not which pins to jump.


Title: Re: Haldex Controllers Thinking.....
Post by: ddillenger on January 23, 2016, 08:23:39 PM
does anyone know of any software that will read/write st10 cpu?
i tried st10flasher 2.4b, but it says the 0xD5 ID is wrong even though it seems to be correct for minimon, the 1 time it actually ID'd correct. normally says BSL mode failed to start.

cpu has on board 256kb. k-line doesnt seem to be connected on this controller either.

id like to test by running a k-line jumper as described in ccyberwing's diagram but not which pins to jump.

I'll send you my IO terminal.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 23, 2016, 10:10:44 PM
Re resistors and pol4 iirc you really need to use one or it could be bye bye.

It's all about circuit impedance and ohms law and also Kirchhoffs Law iirc blah.

Up to you though.

Some datasheet say 10k some 8k those laws are the reason.

For that I'd use a 120r


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 24, 2016, 10:11:01 AM
it seems to be a much more repeatable bootmode with only ground connected.

gen4 diagram. tx/rx are on backside.

http://www.filedropper.com/bootgen4


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 24, 2016, 10:46:29 AM
it seems to be a much more repeatable bootmode with only ground connected.

gen4 diagram. tx/rx are on backside.

http://www.filedropper.com/bootgen4

Of course as there is no voltage drop across the resistor as there isn't one.   

I'll give my Volvo Gen2 one a try when I find it lol


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 24, 2016, 05:35:23 PM
i have volvo gen2 here as well along with land rover gen4.
volvo doesnt seem to have watchdog wired. neither does the LR, both are missing the 8 pin IC.

also, dont see a k-line transceiver on any of them. the canbus transceiver is there though.
so bootmode may only be possible via TTL. or maybe i just missed it.

im assuming P3.9, pin 76 is k-line Tx. id have to remove the c167 from one of the boards to check underneath but i dont find any type of connection to it anywhere on the board.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 24, 2016, 09:24:26 PM
i have volvo gen2 here as well along with land rover gen4.
volvo doesnt seem to have watchdog wired. neither does the LR, both are missing the 8 pin IC.

also, dont see a k-line transceiver on any of them. the canbus transceiver is there though.
so bootmode may only be possible via TTL. or maybe i just missed it.

im assuming P3.9, pin 76 is k-line Tx. id have to remove the c167 from one of the boards to check underneath but i dont find any type of connection to it anywhere on the board.

Yes I remember the kline is missing on Volvo, it was some time ago though.  They accept a bootloader over can for flash though.  Sure it was a C167 CR too?


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 24, 2016, 10:28:55 PM
Yes I remember the kline is missing on Volvo, it was some time ago though.  They accept a bootloader over can for flash though.  Sure it was a C167 CR too?

gen2 volvo is c167cs-lm, same as the vw and gen4 LR is st10f272. no M like on the golf r gen4.

BL via CAN would be the way to go for sure.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 02:02:15 AM
I've not made much progress, need to work more on my minimon driver for gen1. I get what seems to be boot mode but end up in normal mode, probably after software fault causing soft-reset which does not care about p0L.4 held low.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 10:54:48 AM
disable the watchdog with the first instruction ;)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 11:46:32 AM
disable the watchdog with the first instruction ;)
Well, the watchdog is not my problem.


Title: Re: Haldex Controllers Thinking.....
Post by: nyet on January 25, 2016, 11:54:42 AM
software fault causing soft-reset which does not care about p0L.4 held low.

That would likely be the watchdog


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 12:41:20 PM
That would likely be the watchdog

It's the first instruction in the Volvo loader so I thought it might help you :)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 12:43:13 PM
That would likely be the watchdog
Well I keep the watchdog under control with 20Hz signal feed to the unit since I've not found in code how and if it is the CPU that generate the watchdog signal.
Besides it does not happen after the 800ms that ccyberwing discovered but rather later in process.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 12:44:12 PM
It's the first instruction in the Volvo loader so I thought it might help you :)
Hmm, have to look into that. You mentioned that before I think, but I didn't look at it then.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 12:53:14 PM
It's the first instruction in the Volvo loader so I thought it might help you :)
edit:
stupid post by me
but still I don't think it got anything to do with this since it is an internal wdt



Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 03:40:19 PM
The first instruction is:

diswdt

then it look like it's reading can buffers not looked it much.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 03:44:56 PM
That would likely be the watchdog

My thoughts too hence the post also some stuff here http://www.infineon.com/dgdl/ap1601210_Bootstrap_Loader_IDB.pdf?fileId=db3a304318a6cd680118cb945a2140bc

http://embedded.ifmo.ru/embedded_old/UK/KIUS/C167/CHAP17.PDF

More important perhaps http://embedded.ifmo.ru/embedded_old/UK/KIUS/C167/CHAP12.PDF


Quote
To allow recovery from software or hardware failure, the 80C166 provides a Watchdog Timer. If the
software fails to service this timer before an overflow occurs, an internal reset sequence will be
initiated. This internal reset will also pull the RSTOUT pin low, which also resets the peripheral
hardware, which might be the cause for the malfunction. When the watchdog timer is enabled and
the software has been designed to service it regularly before it overflows, the watchdog timer will
supervise the program execution, as it only will overflow if the program does not progress properly.
The watchdog timer will also time out, if a software error was due to hardware related failures. This
prevents the controller from malfunctioning for longer than a user-specified time.
The watchdog timer provides two registers: a read-only timer register that contains the current
count, and a control register for initialization.



It's serviced by the OS?




Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 25, 2016, 04:14:12 PM
from chap17.pdf
The watchdog reset cannot occur while the C167 is in bootstrap loader mode!


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on January 25, 2016, 05:30:00 PM
im no programmer or disassembler, so im really reaching here, but does anyone have any idea how to disable the chksum check in these files?

if you do, i may have something to trade for the info.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 05:44:23 PM
it's normally in the CPU boot section, checks a code byte then misses it, sometime 2, data and cals.

PM me an IDB link and I'll look siemens toolset code is hard tho lol


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 25, 2016, 05:54:47 PM
from chap17.pdf
The watchdog reset cannot occur while the C167 is in bootstrap loader mode!

I was referring to the can loader that I have, good spot, those seem to be a good source ;)


IMHO it says that because you should have disabled it, it wont do it itself lol.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 26, 2016, 01:50:38 AM
Still, that concerns the internal wdt and the ~20Hz to an external ic is another matter.

I might have had a bad connection because now I have stable bootmode situation as long as I leave the 20Hz injection in place. When I remove it I can connect with VCDS again.
Something with my minimon code regarding K-line transceiver is faulty.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 27, 2016, 04:45:37 AM
Still, that concerns the internal wdt and the ~20Hz to an external ic is another matter.

I might have had a bad connection because now I have stable bootmode situation as long as I leave the 20Hz injection in place. When I remove it I can connect with VCDS again.
Something with my minimon code regarding K-line transceiver is faulty.

Keep at it, well done :)   so several watchdogs, I'll skim the datasheet and see if I can help at all.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 27, 2016, 05:11:28 AM
 Oscillator Watchdog (OWD)?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 28, 2016, 07:01:36 AM
Found another timer now which seems to output correct freq.
But I still have the problem that I cannot get my code to execute in boot mode.
It feels similar to what happens when power is incorrectly applied to ME7 in boot mode, it is boot mode but you cannot connect. (eg. with minimon or ME7eeprom)
But on the Haldex Ecu there is not power+ignition it's only power.

My boot code works on a plain ME7 ecu, there is nothing wrong with it codewise but I cannot get it to execute in the Haldex.

Anyone?


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 28, 2016, 02:22:54 PM
Code starting point being correct would be one idea. 


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 28, 2016, 02:32:27 PM
Code starting point being correct would be one idea. 
nope unfortunately not
it's position independent code


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 28, 2016, 03:05:03 PM
nope unfortunately not
it's position independent code

But it's dependent on the CPU rom I was thinking perhaps....


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 28, 2016, 03:52:55 PM
Finally, I'm getting somewhere  :)


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 28, 2016, 03:56:14 PM
What's working then?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 28, 2016, 08:36:27 PM
Damn, I'm tired, I need to get some sleep.
Communication with Haldex gen1 works now, without touching the circuit board. ;D

But I'm not sure about memory layout, will have to continue tomorrow.


Title: Re: Haldex Controllers Thinking.....
Post by: nyet on January 28, 2016, 08:41:58 PM
Grats! That is BIG news.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 28, 2016, 08:52:52 PM
Damn, I'm tired, I need to get some sleep.
Communication with Haldex gen1 works now, without touching the circuit board. ;D

But I'm not sure about memory layout, will have to continue tomorrow.
So I was right 0xc0000 plus a page or two?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 28, 2016, 09:18:13 PM
So I was right 0xc0000 plus a page or two?
It can be read from more than one address. I used another but I see now that 0xC0000 also works. I had to make a correct read before sleep.  :P

btw there is also a statement earlier in thread that does not seem correct about addressing and memory.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 28, 2016, 10:19:01 PM
It can be read from more than one address. I used another but I see now that 0xC0000 also works. I had to make a correct read before sleep.  :P

btw there is also a statement earlier in thread that does not seem correct about addressing and memory.

Statement by me?  Surely you must rely on datasheet but remember PBL will be OE :)

I've noticed by some 0xC2000 in some vag code recently, not haldex though but it caught me out.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 29, 2016, 01:37:04 AM
Statement by me?  Surely you must rely on datasheet but remember PBL will be OE :)

I've noticed by some 0xC2000 in some vag code recently, not haldex though but it caught me out.

Not by you ;) (I think)


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 29, 2016, 11:51:35 AM
Not by you ;) (I think)

Cool best quote it and correct it for the integrity of the thread then? :)


Title: Re: Haldex Controllers Thinking.....
Post by: nyet on January 29, 2016, 03:35:12 PM
Cool best quote it and correct it for the integrity of the thread then? :)

Let me know what post it is and I will edit it.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 29, 2016, 06:54:42 PM
Well, I said: Does not seem correct.

It's John's statement that it is a c167cr-lm without boot rom. Either I don't yet get the addressing of FLASH or there is a 128kb rom in cpu. Because I can get a second 128kb rom at 0x0 that also has the usual trap/int jump table at start.


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 29, 2016, 07:04:40 PM
Well, I said: Does not seem correct.

It's John's statement that it is a c167cr-lm without boot rom. Either I don't yet get the addressing of FLASH or there is a 128kb rom in cpu. Because I can get a second 128kb rom at 0x0 that also has the usual trap/int jump table at start.

I had a peek and it does say romless, weird...

http://www.infineon.com/cms/en/product/microcontroller/legacy-products-c500-c166-xc166-audo1-family/c166-registered-family/c167cr%E2%81%84sr/channel.html?channel=ff80808112ab681d0112ab6b32eb0767


• C167CR-LM Version with PLL, 2 KByte XRAM, CAN module
• C167CR-4RM Version with PLL, 2 KByte XRAM, 32 KByte ROM, CAN module
• C167CR-16RM Version with PLL, 2 KByte XRAM, 128 KByte ROM, CAN module
• C167SR-LM Version with PLL, 2 KByte XRAM

Note: Accesses to the internal ROM area on ROMless devices will produce
unpredictable results.

http://www.infineon.com/dgdl/c167cr_um_v3.2_2003_05.pdf?fileId=db3a304412b407950112b41d8c0f3058


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 29, 2016, 07:07:26 PM
More important is that the 0006 flash from ccyberwing does not seem correct. But that file has been invaluable anyway for my work. Thank you Tom!

I can see that a correctly read flash is perfect in IDA without jmp/calls to ASCII tables.  :)


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on January 29, 2016, 07:13:52 PM
Interesting:

Figure 14-1 Bootstrap Loader Sequence
The Bootstrap Loader may be used to load the complete application software into
ROMless systems, it may load temporary software into complete systems for testing or
calibration, it may also be used to load a programming routine for Flash devices.
The BSL mechanism may be used for standard system startup as well as only for special
occasions like system maintenance (firmware update) or end-of-line programming or testing.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 29, 2016, 07:15:21 PM
It could be that the second 128kb might be second half of 256kb flash in a later version of the ecu. But strange that it is addressed like it is and that it even exist.

attached first 32kb of mentioned from a late version of ecu which hold a 29f200b and that is probably where this binary is from

edit:
I see now that this is not to be found in the earlier versions of ECU. There is a picture or two in thread of that early version with only a 29f100.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 29, 2016, 07:38:11 PM
old ecu with 29f100 flash and C167SR-LC


Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 30, 2016, 02:53:45 AM
right - this is the ecu where i read my first 29f100 file  :)


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 30, 2016, 08:02:31 PM
Probably the checksum check.  Who is quick to explain this?

Code:
; =============== S U B R O U T I N E =======================================
ROM:46DA
ROM:46DA
ROM:46DA sub_46DA:                               ; CODE XREF: sub_4738+34p
ROM:46DA                 mov     [-r0], r9
ROM:46DC                 mov     [-r0], r8
ROM:46DE                 mov     [-r0], r7
ROM:46E0                 mov     [-r0], r6
ROM:46E2                 mov     r8, #0
ROM:46E4                 mov     r9, #0
ROM:46E6                 mov     r6, #418Ch
ROM:46EA                 mov     r1, r12
ROM:46EC                 shl     r1, #2
ROM:46EE                 sub     r1, r12
ROM:46F0                 shl     r1, #2
ROM:46F2                 add     r6, r1
ROM:46F4                 mov     r14, [r6]
ROM:46F6                 mov     r15, [r6+2]
ROM:46FA                 mov     r4, [r1+4194h]
ROM:46FE                 mov     r5, [r1+4196h]
ROM:4702                 mov     r7, r4
ROM:4704                 mov     r4, [r6]
ROM:4706                 mov     r5, [r6+2]
ROM:470A                 sub     r7, r4
ROM:470C                 mov     r13, #0
ROM:470E                 jmpr    cc_UC, loc_4726
ROM:4710 ; ---------------------------------------------------------------------------
ROM:4710
ROM:4710 loc_4710:                               ; CODE XREF: sub_46DA+4Ej
ROM:4710                 mov     r4, r14
ROM:4712                 mov     r5, r15
ROM:4714                 calls   0, sub_48F4
ROM:4718                 mov     DPP0, #0
ROM:471C                 add     r8, r10
ROM:471E                 addc    r9, r11
ROM:4720                 add     r13, #4
ROM:4722                 add     r14, #4
ROM:4724                 addc    r15, #0
ROM:4726
ROM:4726 loc_4726:                               ; CODE XREF: sub_46DA+34j
ROM:4726                 cmp     r13, r7
ROM:4728                 jmpr    cc_C, loc_4710
ROM:472A                 mov     r4, r8
ROM:472C                 mov     r5, r9
ROM:472E                 mov     r6, [r0+]
ROM:4730                 mov     r7, [r0+]
ROM:4732                 mov     r8, [r0+]
ROM:4734                 mov     r9, [r0+]
ROM:4736                 ret
ROM:4736 ; End of function sub_46DA
ROM:4736
ROM:4738
ROM:4738 ; =============== S U B R O U T I N E =======================================
ROM:4738
ROM:4738
ROM:4738 sub_4738:                               ; CODE XREF: ROM:43A2p
ROM:4738                 mov     [-r0], r9
ROM:473A                 mov     [-r0], r8
ROM:473C                 mov     [-r0], r7
ROM:473E                 mov     r9, #0
ROM:4740
ROM:4740 loc_4740:                               ; CODE XREF: sub_4738+48j
ROM:4740                 movb    rl4, [r9+0F768h]
ROM:4744                 movbs   r4, rl4
ROM:4746                 cmp     r4, #0FFFFh
ROM:474A                 jmpr    cc_NZ, loc_477C
ROM:474C                 mov     r4, r9
ROM:474E                 shl     r4, #2
ROM:4750                 sub     r4, r9
ROM:4752                 shl     r4, #2
ROM:4754                 mov     r10, r4
ROM:4756                 mov     r4, [r10+4194h]
ROM:475A                 mov     r5, [r10+4196h]
ROM:475E                 calls   0, sub_48F4
ROM:4762                 mov     DPP0, #0
ROM:4766                 mov     r7, r10
ROM:4768                 mov     r8, r11
ROM:476A                 mov     r12, r9
ROM:476C                 callr   sub_46DA
ROM:476E                 sub     r4, r7
ROM:4770                 subc    r5, r8
ROM:4772                 jmpr    cc_Z, loc_477C
ROM:4774                 mov     r4, #0FFFFh
ROM:4778                 sub     r4, r9
ROM:477A                 jmpr    cc_UC, loc_4784
ROM:477C ; ---------------------------------------------------------------------------
ROM:477C
ROM:477C loc_477C:                               ; CODE XREF: sub_4738+12j
ROM:477C                                         ; sub_4738+3Aj
ROM:477C                 add     r9, #1
ROM:477E                 cmp     r9, #5
ROM:4780                 jmpr    cc_C, loc_4740
ROM:4782                 mov     r4, #0
ROM:4784
ROM:4784 loc_4784:                               ; CODE XREF: sub_4738+42j
ROM:4784                 mov     r7, [r0+]
ROM:4786                 mov     r8, [r0+]
ROM:4788                 mov     r9, [r0+]
ROM:478A                 ret
ROM:478A ; End of function sub_4738
ROM:478A
ROM:478C
ROM:478C ; =============== S U B R O U T I N E =======================================
ROM:478C
ROM:478C
ROM:478C sub_478C:                               ; CODE XREF: sub_47E6+52p
ROM:478C                                         ; sub_47E6+A2p
ROM:478C                 mov     [-r0], r9
ROM:478E                 mov     [-r0], r6
ROM:4790                 mov     r9, r12
ROM:4792                 mov     r6, #0F768h
ROM:4796                 add     r6, r9
ROM:4798                 movb    rl4, [r6]
ROM:479A                 movbs   r4, rl4
ROM:479C                 cmp     r4, #0FFFFh
ROM:47A0                 jmpr    cc_NZ, loc_47A6
ROM:47A2                 mov     r4, #0
ROM:47A4                 jmpr    cc_UC, loc_47E0
ROM:47A6 ; ---------------------------------------------------------------------------
ROM:47A6
ROM:47A6 loc_47A6:                               ; CODE XREF: sub_478C+14j
ROM:47A6                 movb    rl4, [r6]
ROM:47A8                 cmpb    rl4, #1
ROM:47AA                 jmpr    cc_NZ, loc_47B2
ROM:47AC                 mov     r4, #0FFFAh
ROM:47B0                 jmpr    cc_UC, loc_47E0
ROM:47B2 ; ---------------------------------------------------------------------------
ROM:47B2
ROM:47B2 loc_47B2:                               ; CODE XREF: sub_478C+1Ej
ROM:47B2                 mov     r4, r9
ROM:47B4                 shl     r4, #2
ROM:47B6                 sub     r4, r9
ROM:47B8                 shl     r4, #2
ROM:47BA                 mov     r12, [r4+418Ch]
ROM:47BE                 mov     r13, [r4+418Eh]
ROM:47C2                 mov     r4, word_F76E
ROM:47C6                 mov     r5, word_F770
ROM:47CA                 calls   0, sub_48EE
ROM:47CE                 cmp     r4, #0
ROM:47D0                 jmpr    cc_Z, loc_47D8
ROM:47D2                 mov     r4, #0FFFBh
ROM:47D6                 jmpr    cc_UC, loc_47E0
ROM:47D8 ; ---------------------------------------------------------------------------
ROM:47D8
ROM:47D8 loc_47D8:                               ; CODE XREF: sub_478C+44j
ROM:47D8                 movb    rl4, #0FFh
ROM:47DC                 movb    [r6], rl4
ROM:47DE                 mov     r4, #0
ROM:47E0
ROM:47E0 loc_47E0:                               ; CODE XREF: sub_478C+18j
ROM:47E0                                         ; sub_478C+24j ...
ROM:47E0                 mov     r6, [r0+]
ROM:47E2                 mov     r9, [r0+]
ROM:47E4                 ret
ROM:47E4 ; End of function sub_478C
ROM:47E4
ROM:47E6
Continued in next post


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 30, 2016, 08:03:43 PM
Code:
ROM:47E6
ROM:47E6 ; =============== S U B R O U T I N E =======================================
ROM:47E6
ROM:47E6
ROM:47E6 sub_47E6:                               ; CODE XREF: ROM:42FAp
ROM:47E6                 mov     [-r0], r13
ROM:47E8                 mov     [-r0], r12
ROM:47EA                 mov     [-r0], r9
ROM:47EC                 mov     [-r0], r8
ROM:47EE                 mov     [-r0], r7
ROM:47F0                 mov     [-r0], r6
ROM:47F2                 mov     r6, r14
ROM:47F4                 mov     r7, r15
ROM:47F6                 mov     r9, #0
ROM:47F8
ROM:47F8 loc_47F8:                               ; CODE XREF: sub_47E6+B2j
ROM:47F8                 mov     r4, r9
ROM:47FA                 shl     r4, #2
ROM:47FC                 sub     r4, r9
ROM:47FE                 shl     r4, #2
ROM:4800                 mov     r10, [r4+418Ch]
ROM:4804                 mov     r11, [r4+418Eh]
ROM:4808                 mov     r4, [r0+8]
ROM:480C                 mov     r5, [r0+0Ah]
ROM:4810                 sub     r4, r10
ROM:4812                 subc    r5, r11
ROM:4814                 jmpr    cc_C, loc_4894
ROM:4816                 mov     r4, #4190h
ROM:481A                 mov     r5, r9
ROM:481C                 shl     r5, #2
ROM:481E                 sub     r5, r9
ROM:4820                 shl     r5, #2
ROM:4822                 add     r4, r5
ROM:4824                 mov     r10, [r4+]
ROM:4826                 mov     r11, [r4]
ROM:4828                 mov     r4, [r0+8]
ROM:482C                 mov     r5, [r0+0Ah]
ROM:4830                 sub     r4, r10
ROM:4832                 subc    r5, r11
ROM:4834                 jmpr    cc_NC, loc_4894
ROM:4836                 mov     r12, r9
ROM:4838                 callr   sub_478C
ROM:483A                 mov     r8, r4
ROM:483C                 cmp     r4, #0
ROM:483E                 jmpr    cc_Z, loc_4844
ROM:4840                 mov     r4, r8
ROM:4842                 jmpr    cc_UC, loc_489E
ROM:4844 ; ---------------------------------------------------------------------------
ROM:4844
ROM:4844 loc_4844:                               ; CODE XREF: sub_47E6+58j
ROM:4844                 mov     r4, r9
ROM:4846                 shl     r4, #2
ROM:4848                 sub     r4, r9
ROM:484A                 shl     r4, #2
ROM:484C                 mov     r10, [r4+4190h]
ROM:4850                 mov     r11, [r4+4192h]
ROM:4854                 sub     r10, r6
ROM:4856                 subc    r11, r7
ROM:4858                 jmpr    cc_ULE, loc_485E
ROM:485A                 mov     r4, #0
ROM:485C                 jmpr    cc_UC, loc_489E
ROM:485E ; ---------------------------------------------------------------------------
ROM:485E
ROM:485E loc_485E:                               ; CODE XREF: sub_47E6+72j
ROM:485E                 add     r9, #1
ROM:4860                 jmpr    cc_UC, loc_4890
ROM:4862 ; ---------------------------------------------------------------------------
ROM:4862
ROM:4862 loc_4862:                               ; CODE XREF: sub_47E6+ACj
ROM:4862                 mov     r1, r9
ROM:4864                 shl     r1, #2
ROM:4866                 sub     r1, r9
ROM:4868                 shl     r1, #2
ROM:486A                 mov     r4, [r1+418Ch]
ROM:486E                 mov     r5, [r1+418Eh]
ROM:4872                 sub     r4, r6
ROM:4874                 subc    r5, r7
ROM:4876                 jmpr    cc_UGT, loc_488E
ROM:4878                 mov     r4, [r1+4190h]
ROM:487C                 mov     r5, [r1+4192h]
ROM:4880                 sub     r4, r6
ROM:4882                 subc    r5, r7
ROM:4884                 jmpr    cc_ULE, loc_488E
ROM:4886                 mov     r12, r9
ROM:4888                 calla   cc_UC, sub_478C
ROM:488C                 jmpr    cc_UC, loc_489E
ROM:488E ; ---------------------------------------------------------------------------
ROM:488E
ROM:488E loc_488E:                               ; CODE XREF: sub_47E6+90j
ROM:488E                                         ; sub_47E6+9Ej
ROM:488E                 add     r9, #1
ROM:4890
ROM:4890 loc_4890:                               ; CODE XREF: sub_47E6+7Aj
ROM:4890                 cmp     r9, #5
ROM:4892                 jmpr    cc_C, loc_4862
ROM:4894
ROM:4894 loc_4894:                               ; CODE XREF: sub_47E6+2Ej
ROM:4894                                         ; sub_47E6+4Ej
ROM:4894                 add     r9, #1
ROM:4896                 cmp     r9, #5
ROM:4898                 jmpr    cc_C, loc_47F8
ROM:489A                 mov     r4, #0FFFCh
ROM:489E
ROM:489E loc_489E:                               ; CODE XREF: sub_47E6+5Cj
ROM:489E                                         ; sub_47E6+76j ...
ROM:489E                 mov     r6, [r0+]
ROM:48A0                 mov     r7, [r0+]
ROM:48A2                 mov     r8, [r0+]
ROM:48A4                 mov     r9, [r0+]
ROM:48A6                 add     r0, #4
ROM:48A8                 ret
ROM:48A8 ; End of function sub_47E6
ROM:48A8
ROM:48AA
ROM:48AA ; =============== S U B R O U T I N E =======================================
ROM:48AA
ROM:48AA
ROM:48AA sub_48AA:                               ; CODE XREF: ROM:4248p
ROM:48AA                 mov     r12, #0
ROM:48AC
ROM:48AC loc_48AC:                               ; CODE XREF: sub_48AA+40j
ROM:48AC                 mov     r13, r12
ROM:48AE                 shl     r13, #2
ROM:48B0                 sub     r13, r12
ROM:48B2                 shl     r13, #2
ROM:48B4                 mov     r4, [r13+418Ch]
ROM:48B8                 mov     r5, [r13+418Eh]
ROM:48BC                 sub     r4, word_41C8
ROM:48C0                 subc    r5, word_41CA
ROM:48C4                 jmpr    cc_UGT, loc_48E0
ROM:48C6                 mov     r4, [r13+4190h]
ROM:48CA                 mov     r5, [r13+4192h]
ROM:48CE                 sub     r4, word_41C8
ROM:48D2                 subc    r5, word_41CA
ROM:48D6                 jmpr    cc_ULE, loc_48E0
ROM:48D8                 movb    rl4, #1
ROM:48DA                 movb    [r12+0F768h], rl4
ROM:48DE                 jmpr    cc_UC, loc_48E6
ROM:48E0 ; ---------------------------------------------------------------------------
ROM:48E0
ROM:48E0 loc_48E0:                               ; CODE XREF: sub_48AA+1Aj
ROM:48E0                                         ; sub_48AA+2Cj
ROM:48E0                 movb    rl4, #0
ROM:48E2                 movb    [r12+0F768h], rl4
ROM:48E6
ROM:48E6 loc_48E6:                               ; CODE XREF: sub_48AA+34j
ROM:48E6                 add     r12, #1
ROM:48E8                 cmp     r12, #5
ROM:48EA                 jmpr    cc_C, loc_48AC
ROM:48EC                 ret
ROM:48EC ; End of function sub_48AA
ROM:48EC
ROM:48EE
ROM:48EE ; =============== S U B R O U T I N E =======================================
ROM:48EE
ROM:48EE
ROM:48EE sub_48EE:                               ; CODE XREF: ROM:434EP
ROM:48EE                                         ; ROM:43DCP ...
ROM:48EE                 push    r5
ROM:48F0                 push    r4
ROM:48F2                 rets
ROM:48F2 ; End of function sub_48EE
ROM:48F2
ROM:48F4
ROM:48F4 ; =============== S U B R O U T I N E =======================================
ROM:48F4
ROM:48F4
ROM:48F4 sub_48F4:                               ; CODE XREF: sub_46DA+3AP
ROM:48F4                                         ; sub_4738+26P
ROM:48F4                 exts    r5, #1
ROM:48F6                 mov     r10, [r4]
ROM:48F8                 add     r4, #2
ROM:48FA                 addc    r5, #0
ROM:48FC                 exts    r5, #1
ROM:48FE                 mov     r11, [r4]
ROM:4900                 rets
ROM:4900 ; End of function sub_48F4


Title: Re: Haldex Controllers Thinking.....
Post by: DT on January 30, 2016, 08:04:43 PM
Code:
0x418A
ROM:418A                 db    5
ROM:418B                 db    0
ROM:418C                 db    0
ROM:418D                 db    0
ROM:418E                 db    0
ROM:418F                 db    0
ROM:4190                 db    0
ROM:4191                 db  40h ; @
ROM:4192                 db    0
ROM:4193                 db    0
ROM:4194                 dw 3FFCh
ROM:4196                 db    0
ROM:4197                 db    0
ROM:4198                 db    0
ROM:4199                 db  40h ; @
ROM:419A                 db    0
ROM:419B                 db    0
ROM:419C                 db    0
ROM:419D                 db  60h ; `
ROM:419E                 db    0
ROM:419F                 db    0
ROM:41A0                 dw 5FFCh
ROM:41A2                 db    0
ROM:41A3                 db    0
ROM:41A4                 db    0
ROM:41A5                 db  60h ; `
ROM:41A6                 db    0
ROM:41A7                 db    0
ROM:41A8                 db    0
ROM:41A9                 db  80h ; Ç
ROM:41AA                 db    0
ROM:41AB                 db    0
ROM:41AC                 dw 7FFCh
ROM:41AE                 db    0
ROM:41AF                 db    0
ROM:41B0                 db    0
ROM:41B1                 db  80h ; Ç
ROM:41B2                 db    0
ROM:41B3                 db    0
ROM:41B4                 db    0
ROM:41B5                 db    0
ROM:41B6                 db    1
ROM:41B7                 db    0
ROM:41B8                 dw 0DDFCh
ROM:41BA                 db    0
ROM:41BB                 db    0
ROM:41BC                 db    0
ROM:41BD                 db    0
ROM:41BE                 db    1
ROM:41BF                 db    0
ROM:41C0                 db    0
ROM:41C1                 db    0
ROM:41C2                 db    2
ROM:41C3                 db    0
ROM:41C4                 dw 0FFFCh
ROM:41C6                 db    1
ROM:41C7                 db    0

0x3FFC
ROM:3FFC                 dw 1A3h
ROM:3FFE                 dw 88C5h

0x5FFC
ROM:5FFC                 dw 9987h
ROM:5FFE                 dw 709Ah

0x7FFC
ROM:7FFC                 dw 94DBh
ROM:7FFE                 dw 2623h

0xDFFC
MEM_EXT:DDFC                 dw  E881h

0x1FFFC
seg009:FFFC                 dw 0D8F6h
seg009:FFFE                 dw 9EF4h
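
A reading of the routines posted above, as an added example that is not part of the original posts: sub_46DA adds up the little-endian 32-bit words from a region's start up to its checksum address, and sub_4738 compares that sum with the dword stored there. The sketch applies that to a dump to confirm it was read correctly; it assumes file offset equals address, ignores the per-region flag bytes at 0F768h, and its function names and sample image are constructed for illustration.

```python
import struct

TABLE_ADDR = 0x418A  # word holding the region count, as in the listing above
ENTRY_FMT = "<III"   # start, end, checksum address: three LE dwords (12 bytes)

# Region table as it appears at 418Ch..41C7h in the posted dump.
PAGE_TABLE = [
    (0x00000, 0x04000, 0x03FFC),
    (0x04000, 0x06000, 0x05FFC),
    (0x06000, 0x08000, 0x07FFC),
    (0x08000, 0x10000, 0x0DDFC),
    (0x10000, 0x20000, 0x1FFFC),
]


def read_regions(image, table_addr=TABLE_ADDR):
    """Parse the count word and the 12-byte entries that follow it."""
    (count,) = struct.unpack_from("<H", image, table_addr)
    if not 0 < count <= 16:  # assumption: a sane table is small
        raise ValueError(f"implausible region count {count}")
    size = struct.calcsize(ENTRY_FMT)
    return [struct.unpack_from(ENTRY_FMT, image, table_addr + 2 + i * size)
            for i in range(count)]


def sum32(image, start, stop):
    """32-bit wrapping sum of LE dwords in [start, stop), as the add/addc pair does."""
    total = 0
    for (word,) in struct.iter_unpack("<I", image[start:stop]):
        total = (total + word) & 0xFFFFFFFF
    return total


def verify_image(image, table_addr=TABLE_ADDR):
    """Return (index, computed, stored, status) for every region in the table."""
    results = []
    for index, (start, end, cks_addr) in enumerate(read_regions(image, table_addr)):
        # sub_46DA derives the byte count from the low words only
        # (r7 = checksum address low - start low), so mirror that here.
        length = ((cks_addr & 0xFFFF) - (start & 0xFFFF)) & 0xFFFF
        if not (start < cks_addr < end) or length % 4 or cks_addr + 4 > len(image):
            results.append((index, None, None, "out of range"))
            continue
        computed = sum32(image, start, start + length)
        (stored,) = struct.unpack_from("<I", image, cks_addr)
        status = "ok" if computed == stored else "mismatch"
        results.append((index, computed, stored, status))
    return results


def build_constructed_image(size=0x20000):
    """Constructed 128 KB sample (not a real dump) laid out like the page's table."""
    image = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    struct.pack_into("<H", image, TABLE_ADDR, len(PAGE_TABLE))
    for i, entry in enumerate(PAGE_TABLE):
        struct.pack_into(ENTRY_FMT, image, TABLE_ADDR + 2 + i * 12, *entry)
    for start, _end, cks_addr in PAGE_TABLE:
        struct.pack_into("<I", image, cks_addr, sum32(image, start, cks_addr))
    return image


if __name__ == "__main__":
    sample = build_constructed_image()
    sample[0x9000] ^= 0x01  # simulate a single bad byte from a flaky read
    for index, computed, stored, status in verify_image(sample):
        if computed is None:
            print(f"region {index}: {status}")
        else:
            print(f"region {index}: computed {computed:08X} stored {stored:08X} {status}")
```

A region reported as "mismatch" or "out of range" points to a bad or truncated read, or to a different address-to-offset mapping than the one assumed here.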




Title: Re: Haldex Controllers Thinking.....
Post by: ccyberwing on January 31, 2016, 05:35:47 AM
Here is the bootloader checksum check from my 29f100 file.
Just replace the Z jmpr against a NC jmpr.


Code:
seg009:41C2 sub_141C2:                              ; CODE XREF: sub_12766P
seg009:41C2                 mov     [-r0], r9
seg009:41C4                 mov     [-r0], r8
seg009:41C6                 sub     r0, #2
seg009:41C8                 mov     r4, #4000h
seg009:41CC                 mov     r8, r4
seg009:41CE                 mov     r9, r8
seg009:41D0                 shr     r9, #14
seg009:41D2                 shl     r9, #1
seg009:41D4                 mov     r9, [r9+0FE00h]
seg009:41D8                 bmov    r8.14, r9.0
seg009:41DC                 bmov    r8.15, r9.1
seg009:41E0                 shr     r9, #2
seg009:41E2                 movb    byte_E7C2, ZEROS
seg009:41E6                 calls   1, sub_14A30
seg009:41EA                 mov     r4, word_E7C4
seg009:41EE                 mov     r5, word_E7C6
seg009:41F2                 sub     r4, #5678h
seg009:41F6                 subc    r5, #1234h
seg009:41FA                 jmpr    cc_Z, CHECKSUM_OK
seg009:41FC                 calls   1, sub_16BB6
seg009:4200                 mov     [r0], r4
seg009:4202                 cmp     r4, #0
seg009:4204                 jmpr    cc_Z, loc_1420A
seg009:4206                 calls   1, sub_142B4


Title: Re: Haldex Controllers Thinking.....
Post by: Swat Cat on February 03, 2016, 01:33:46 AM
So I guess after reading all the pages, gen 1 tuning is still in development?





Title: Re: Haldex Controllers Thinking.....
Post by: prj on February 03, 2016, 03:33:16 AM
UC...


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on February 06, 2016, 04:07:08 PM
I'd love to see the IDB for that checksum bit out of pure curiosity, might also be able to get you a non code patch, there might be a different checksum for code block for example.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on February 10, 2016, 11:13:42 AM
I'd love to see the IDB for that checksum bit out of pure curiosity, might also be able to get you a non code patch, there might be a different checksum for code block for example.
I'll pm you something to look at.
I guess these more thorough checks that I posted might only run when flashing over obd without boot mode. I've not checked yet myself.
To be able to flash over obd without boot mode we need a haldexchksum.exe and I was hoping that someone with eyes for chksum code easily could see what is needed to correct a flash.bin


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on February 10, 2016, 11:36:33 AM
I'll pm you something to look at.
I guess these more thorough checks that I posted might only run when flashing over obd without boot mode. I've not checked yet myself.
To be able to flash over obd without boot mode we need a haldexchksum.exe and I was hoping that someone with eyes for chksum code easily could see what is needed to correct a flash.bin

Cool tell me IDB version too lol.


Title: Re: Haldex Controllers Thinking.....
Post by: john9357 on March 01, 2016, 12:34:18 AM
All pictures in Filedropper are down  :'(


Title: Re: Haldex Controllers Thinking.....
Post by: dream3R on March 13, 2016, 06:40:21 PM
I loaded a Volvo VBF into EVC and the maps section is obvious.

Anyway, IDB I'm legit so can't help hacked ones sorry.


Title: Re: Haldex Controllers Thinking.....
Post by: edgy on August 08, 2016, 06:06:50 PM
End of October, 2016, all we have to do is ask Haldex AB for the magic word to access the controller... I have a feeling they may bounce the responsibility back and forth between themselves and VAG, but we'll have full access in short order.


Title: Re: Haldex Controllers Thinking.....
Post by: DT on August 09, 2016, 12:12:41 AM
End of October, 2016, all we have to do is ask Haldex AB for the magic word to access the controller... I have a feeling they may bounce the responsibility back and forth between themselves and VAG, but we'll have full access in short order.
?

My work has been on hold since February.


Title: Re: Haldex Controllers Thinking.....
Post by: gman86 on August 09, 2016, 02:53:05 AM
End of October, 2016, all we have to do is ask Haldex AB for the magic word to access the controller... I have a feeling they may bounce the responsibility back and forth between themselves and VAG, but we'll have full access in short order.

 ??? ???


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on August 09, 2016, 05:41:42 AM
http://corporate.haldex.com/en/media/press-releases/2016/statement-by-the-board-of-directors-of-haldex-in-relation-to-the-public-cash-offer-by-zf



Title: Re: Haldex Controllers Thinking.....
Post by: gman86 on August 09, 2016, 06:16:36 AM
http://corporate.haldex.com/en/media/press-releases/2016/statement-by-the-board-of-directors-of-haldex-in-relation-to-the-public-cash-offer-by-zf



So ZF are buying Haldex. How does that mean there will be access to the controllers?


Title: Re: Haldex Controllers Thinking.....
Post by: fknbrkn on August 09, 2016, 09:36:38 AM
So ZF are buying Haldex. How does that mean there will be access to the controllers?
good question for edgy
idk


Title: Re: Haldex Controllers Thinking.....
Post by: markpowell35 on August 10, 2016, 02:35:36 AM
Hi guys i found this pdf online, it goes into some detail about the hardware & software in the Haldex ECU, it may be useless i'm not sure.

Also is there a working method to do this off the car, i'm not too fussed about doing it over OBD at the moment, if there is would someone kindly post a how to (a lot of the pics in this thread are missing now - connection info etc)

Many Thanks :)


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on August 12, 2016, 10:50:59 AM
 :)

Quote
*Loader file Prepare
*Minimon file Prepare
*send Byte  0+ Loader + MinimonCore
*RECEIVE - MC-Identifier: C5
*RECEIVE - LoaderACK 01 received
*RECEIVE - Minimon ACK 03 received
*Minimon successfully launched
*Reset: BUSCON0=0680
*Reset: SYSCON=0410
*Reset Configuration: External Bus enabled
*Reset Configuration: 16 Bit demultiplexed Bus
*Reset Configuration: WR# and BHE# retain their normal function (P0H.0=0)
*Reset Configuration: On chip watchdog timer is enabled (RD#=1)
*Reset Configuration: Lengthened ALE signal
*Initialisation: Write to SYSCON
*Initialisation: Write to BUSCON0
*Initialisation: Write to BUSCON1
*Initialisation: Write to ADDRSEL1
*Initialisation: Write to BUSCON2
*Initialisation: Write to ADDRSEL2
*Initialisation: Write to BUSCON3
*Initialisation: Write to ADDRSEL3
*Initialisation: Write to BUSCON4
*Initialisation: Write to ADDRSEL4
*Initialisation: Enable X-Peripherals via SYSCON


Title: Re: Haldex Controllers Thinking.....
Post by: DT on August 12, 2016, 12:18:49 PM
Nice.

Have you been able to write to ecu yet? I did not manage to find correct minimon settings to write.

Is the blue controller based upon software LSC ECC 0011?


Title: Re: Haldex Controllers Thinking.....
Post by: pedrogbranco on August 13, 2016, 02:12:22 AM
anyone seen this?

https://www.youtube.com/watch?v=1-lz5sdRTm8

piggyback system like HPA but phone controller would be nice


Title: Re: Haldex Controllers Thinking.....
Post by: DT on August 13, 2016, 02:33:15 AM
Offtopic and crap

Perhaps someone with standalone in a really light car could have some use for it, but if they somehow managed to do percentage control of regulating valve with piggyback it will burn the haldex clutch pack quickly. Some part of it could be fake too since I doubt haldex ecu are reading any can packets with percentage of requested torque transfer.


Title: Re: Haldex Controllers Thinking.....
Post by: pedrogbranco on August 14, 2016, 09:14:41 AM
Here are more details of it and similar units



http://dutchbuild.com/index.php/en/dutchbuild/haldex-controller

http://www.haldex-performance.de/de/haldexsteuerung/haldexsteuerung-mk3-professionell-6bar

https://www.google.pt/url?sa=t&source=web&rct=j&url=http://m.youtube.com/watch%3Fv%3DIOBxhX8Hkmo&ved=0ahUKEwiRkvOUpsHOAhXHCcAKHUgcDe8QtwIIGjAA&usg=AFQjCNE3VD8MWu1CNA9FcNZlySE2_7SNtw


Title: Re: Haldex Controllers Thinking.....
Post by: pedrogbranco on August 14, 2016, 09:15:41 AM
Here are more details of it and similar units


http://dutchbuild.com/index.php/en/dutchbuild/haldex-controller

http://www.haldex-performance.de/de/haldexsteuerung/haldexsteuerung-mk3-professionell-6bar

https://www.google.pt/url?sa=t&source=web&rct=j&url=http://m.youtube.com/watch%3Fv%3DIOBxhX8Hkmo&ved=0ahUKEwiRkvOUpsHOAhXHCcAKHUgcDe8QtwIIGjAA&usg=AFQjCNE3VD8MWu1CNA9FcNZlySE2_7SNtw


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on August 14, 2016, 09:18:20 AM
again? who cares. that has nothing at all to do with what is going on here.


Title: Re: Haldex Controllers Thinking.....
Post by: pedrogbranco on August 14, 2016, 10:29:52 AM
just sharing knowledge on what people are doing to make more use of these units. the aim here is to be able to read and write the haldex ecu.

speaking on read/write. my current unit has an issue (dtc on abs stating no communication with haldex and constant tac tac noise for haldex). i have constant 50:50. this is no issue as i have another haldex assembly and diff to replace. Note: my car is 1999 a3 quattro. i don't even have haldex fuse like other gen1 cars have. i can donate the unit once i replace it if it helps someone here


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on January 21, 2019, 01:49:13 PM
I have spent far too much time messing with Gen 2 and 4 Haldex controllers over the last few years.

The info on this thread really got me off the ground regarding dumping them.

I have dumps of pretty much every Gen 2 and Gen 4 unit ever made, if you need files just ask.

But my question to anyone that might be able to help, is what is the security login pin code for a Gen 2 Haldex unit e.g. 1k0907554?

Does anybody know?


Title: Re: Haldex Controllers Thinking.....
Post by: pedrogbranco on February 23, 2019, 09:51:32 AM
just sharing knowledge on what people are doing to make more use of these units. the aim here is to be able to read and write the haldex ecu.

speaking on read/write. my current unit has an issue (dtc on abs stating no communication with haldex and constant tac tac noise for haldex). i have constant 50:50. this is no issue as i have another haldex assembly and diff to replace. Note: my car is 1999 a3 quattro. i don't even have haldex fuse like other gen1 cars have. i can donate the unit once i replace it if it helps someone here

https://www.youtube.com/watch?v=jIyYq5igFn8


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on July 17, 2019, 08:44:07 PM
don't get me wrong, i am 100% guessing. however, i am able, to a point, to control the haldex pump V and pwm.
this results in different behavior from the haldex controller as seen in the logs.

i really do not know why the calibration adjustments result in the way they do. i do not think the map being modified is = pump V exactly.


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 12, 2020, 01:11:40 PM
don't get me wrong, i am 100% guessing. however, i am able, to a point, to control the haldex pump V and pwm.
this results in different behavior from the haldex controller as seen in the logs.

i really do not know why the calibration adjustments result in the way they do. i do not think the map being modified is = pump V exactly.

You still testing this ?


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 15, 2020, 12:38:47 PM
you guys should work on gen2 controllers. might be a bit more familiar.  ;)

ive been saving this for a looooong time. might have a few more kicking about as well.  :)

Anyone else trying to find maps on this file ?


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 18, 2020, 02:03:40 AM
Anyone else trying to find maps on this file ?

Found some interesting text on this Gen 2 file. Not sure what it refers to.



Title: Re: Haldex Controllers Thinking.....
Post by: crystal_imprezav on March 18, 2020, 11:09:08 AM
On the Gen5 controller the checksum is just an Add16. In order to read/write the newer controllers you need to write a loader or vr_read. I can help if someone wants to upload a G5 full read so I can solve the seed/key.


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 19, 2020, 07:35:23 AM
On the Gen5 controller the checksum is just an Add16. In order to read/write the newer controllers you need to write a loader or vr_read. I can help if someone wants to upload a G5 full read so I can solve the seed/key.


You have a Gen 4 or Gen 5 read ?


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on March 19, 2020, 08:15:05 AM

You have a Gen 4 or Gen 5 read ?

gen4 is split into two separate files for a full read.
the BL and then the rest of the data is split by a chunk of ram address ranges.


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 19, 2020, 08:27:28 AM
gen4 is split into two separate files for a full read.
the BL and then the rest of the data is split by a chunk of ram address ranges.

Please post what you have. Interested to see how much different it is from Gen 2


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 25, 2020, 11:43:40 AM
Here are a few dumps for gen 4 VAG units, I have every flash of every Gen 2 to 4 Haldex unit ever made for VAG, Landrover, Ford, Volvo.

I am not a software type guy, or a remapper, but I do know the actual PCB and hardware inside and out, I have drawn it all out.

Don't know if I can really be of any use in any of this, but I keep an eye on this thread as finding people who tinker with haldex controllers is pretty niche.

I dump them as one long file, and I dump them from the BDM pins on the board.

0-8000 is the first part of the flash/boot loader
then 8000 -  18000 is the "hole" - e.g. the memory
then 18000 onward is the actual flash

When I write the file back, I write the first 0-8000 first, then the 18000 onward section.

I have just discovered the security login pin for the Gen 2 and Gen 4 units today, using a brute force method, it has taken a good few days getting 2 tries every 3.5 seconds.


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 25, 2020, 01:17:59 PM
On the Gen5 controller the checksum is just an Add16. In order to read/write the newer controllers you need to write a loader or vr_read. I can help if someone wants to upload a G5 full read so I can solve the seed/key.

I can't help with a Gen 5 read, as I have not done one yet, but very interested in making it happen. And knowledge that may push this forward is very much appreciated from anyone.


Title: Re: Haldex Controllers Thinking.....
Post by: aef on March 26, 2020, 01:29:50 AM
nice!

What is your background/job when you have all of the files?


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 26, 2020, 01:21:47 PM
I can't help with a Gen 5 read, as I have not done one yet, but very interested in making it happen. And knowledge that may push this forward is very much appreciated from anyone.

So far I have worked out these points for the JTAG interface.

(https://i.ibb.co/pbJs5GX/Jteg-Boot-Pins-for-Gen-5-Haldex.jpg) (https://ibb.co/YPpKwYj)

And bought a mini wiggler, because it was all I found when researching trying to read and write XC2734 but things have got in the way and it is still in its box :( During this lock down I will try and get this freed from its box and maybe working.

(https://i.ibb.co/pwqVSzR/Whats-App-Image-2020-03-25-at-19-21-51.jpg) (https://ibb.co/zxd9zR7)

Excellent. I am keen to start reading/writing to Gen 4 soon. Everything has stopped with the Lockdown...



But I have plenty to test / dump / break so open to ideas.

(https://i.ibb.co/T2Mx0f3/Whats-App-Image-2020-03-25-at-19-20-47.jpg) (https://ibb.co/V9YcC14)


Title: Re: Haldex Controllers Thinking.....
Post by: RBPE on March 26, 2020, 01:54:58 PM
nice!

What is your background/job when you have all of the files?

Burglar/recently covid carrying ex Haldex worker - delete as applicable!  ;)


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 26, 2020, 04:31:00 PM
 :D I'm not admitting anything guv!

But I did stay up till 4am last night - not coughing to death - just trying to get that damn miniwiggler to wiggle just right for me.

Without success though, it will not detect the XC2734, I'm doing something wrong somewhere.

Got the software all running Ok, i'm just missing something on the board connections. I have no idea what I'm doing with JTAG.

To be fair, I never know what I'm doing, but enough late nights tends to prevail in success and an education at the same time.

Anyone have any half clues?


Title: Re: Haldex Controllers Thinking.....
Post by: aef on March 27, 2020, 03:01:03 AM
Why don't you access the pins direct @ the chip? Is it too small for needles?

Pin5 is your orange pin according to data sheet for example.


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 27, 2020, 08:25:54 AM
I tried via DAP

DAP0 -  Pin 37 or Pin 53
DAP1 - Pin 5 or Pin 55


All using

RESET = Pin 62 PORST
VCC = 5v
GND = GND


Anyone have any input?


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 27, 2020, 10:24:58 AM
Think I might have found some good meat to cook with.....



Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 27, 2020, 01:08:22 PM
As Dave Jones would say "We're in like Flynn" !!

Oh my, the miniwiggler has connected and detected the XC2000 Family device.





Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 27, 2020, 01:27:22 PM
Here is the flash from an 0cq907554d Gen 5 Haldex Controller  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 27, 2020, 02:37:11 PM
And a 0ay907554f flash.

I tried to write the data from one onto the other, but I did something stupid!

I erased it first, ready to rewrite it. Then rebooted it.

But the JTAG Debug mode runs from the flash. If you erase it you can no longer connect to it because the boot loader has just been erased.

That's bricked one then! Lesson No 1, do not erase the bootloader  :D

These Gen 5 Haldex controllers are also the same as the Golf GTi "VAQ" E-diff controller. I will dump one of those next.


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 28, 2020, 06:06:08 AM
Here is the flash from an 0cq907554d Gen 5 Haldex Controller  ;D

Well done !!

Can you use the wiggler to write ?


Title: Re: Haldex Controllers Thinking.....
Post by: aef on March 28, 2020, 07:34:15 AM
what did you change on the connections to make it work?


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 28, 2020, 03:00:40 PM
Tonight I have successfully written the flash from one unit onto another, by selectively erasing just the c10000 to c4FFFF section which is the actual flash data, while the JTAG bootloader lives at C00000 to C0FFFF which must not be erased. I have had some problems with Intel .Hex files, and its memory address line tags. Infineon Memtool really is not a user friendly program at all!!

Attached is the flash from a Golf GTi controller for the VAQ front E-diff, this time without the JTAG bootloader at the start. It is just the C10000 to C4FFFF.

If someone could get into this stuff, there is a serious market for a Gen 5 Haldex remap.

What would be ideal, is if someone could figure out how to do the CAN reflashing over OBD2, because doing them on the board is quite involved, and the infineon memtool will only write a flash of a .hex file, which must have all the memory address line values correct. It is not as simple as converting a .bin to a .hex file.
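
The address-tag problem described in the post above, as an added example that is not part of the original post and not Infineon Memtool code: a raw .bin carries no addresses, so a converter must be given the base and must emit an extended linear address record (type 04) at every 64 KiB boundary. The two address ranges are the ones quoted in the post; the function names and the guard that refuses any record touching the bootloader range are assumptions made for illustration.

```python
"""Intel HEX writer/reader with a bootloader-range guard (added example)."""

# Ranges quoted in the post above; all names below are hypothetical.
BOOT_START, BOOT_END = 0xC00000, 0xC0FFFF   # JTAG bootloader, must not be erased
APP_START, APP_END = 0xC10000, 0xC4FFFF     # flash data region


def record(rtype, addr16, payload=b""):
    """Build one Intel HEX line: ':' LL AAAA TT <data> CC."""
    body = bytes([len(payload), addr16 >> 8, addr16 & 0xFF, rtype]) + payload
    checksum = (-sum(body)) & 0xFF          # two's complement of the byte sum
    return ":" + (body + bytes([checksum])).hex().upper()


def bin_to_ihex(data, base, width=16):
    """Convert a raw image to Intel HEX with its first byte placed at `base`."""
    lines, upper, offset = [], None, 0
    while offset < len(data):
        addr = base + offset
        if addr >> 16 != upper:
            # Data records only hold 16 address bits; the upper 16 bits
            # come from the most recent type 04 record.
            upper = addr >> 16
            lines.append(record(0x04, 0, upper.to_bytes(2, "big")))
        room = 0x10000 - (addr & 0xFFFF)    # never cross a 64 KiB boundary
        chunk = data[offset:offset + min(width, room)]
        lines.append(record(0x00, addr & 0xFFFF, chunk))
        offset += len(chunk)
    lines.append(record(0x01, 0))           # end-of-file record
    return "\n".join(lines) + "\n"


def ihex_to_segments(text):
    """Parse Intel HEX into merged (start, bytes) segments, verifying checksums."""
    upper, segments = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {n}: length field does not match record")
        if sum(raw) & 0xFF:
            raise ValueError(f"line {n}: bad checksum")
        addr16, rtype, payload = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x04:
            if len(payload) != 2:
                raise ValueError(f"line {n}: malformed type 04 record")
            upper = int.from_bytes(payload, "big")
        elif rtype == 0x00:
            addr = (upper << 16) | addr16
            if segments and segments[-1][0] + len(segments[-1][1]) == addr:
                segments[-1] = (segments[-1][0], segments[-1][1] + payload)
            else:
                segments.append((addr, payload))
        elif rtype == 0x01:
            break
        else:
            raise ValueError(f"line {n}: unsupported record type {rtype:#04x}")
    return segments


def check_write_plan(segments):
    """Refuse an image that touches the bootloader or leaves the data region."""
    for start, blob in segments:
        end = start + len(blob) - 1
        if start <= BOOT_END and end >= BOOT_START:
            raise ValueError(f"{start:#x}-{end:#x} overlaps the bootloader range")
        if start < APP_START or end > APP_END:
            raise ValueError(f"{start:#x}-{end:#x} is outside the flash data region")


def build_demo():
    """Constructed sample image (not a real dump) that crosses one 64 KiB boundary."""
    image = bytes((i * 7) & 0xFF for i in range(0x10020))
    text = bin_to_ihex(image, APP_START)
    segments = ihex_to_segments(text)
    check_write_plan(segments)
    return text, segments


if __name__ == "__main__":
    hex_text, segs = build_demo()
    print(hex_text.splitlines()[0], "...", [(hex(a), len(b)) for a, b in segs])
```

Converting the same image with a base of 0, which is what a converter that is not told the base has to assume, yields a file that `check_write_plan` rejects.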


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 29, 2020, 08:26:32 AM
I looked at the E-VAQ  file. Anyone can tell me more about Tasking VX-166 ?


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on March 29, 2020, 08:52:38 AM
What would be ideal, is if someone could figure out how to do the CAN reflashing over OBD2, because doing them on the board is quite involved, and the infineon memtool will only write a flash of a .hex file, which must have all the memory address line values correct. It is not as simple as converting a .bin to a .hex file.

someone already has. gen5 obd flashing has been available for about 1 year now.


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 30, 2020, 05:26:14 AM
Hi k0mpresd, hope you are good, thanks again for the support a while back.

I've found 1 company that do it, but it is £600, and they need the car to do it. And there is only 1 distributor in the UK right down south.

It is priced too strong to be popular. People expect a dyno engine remap for less than that, which has a significant impact.

If it was 1/2 the price, and available mail order, it would sell 30 times as much. It's a no-brainer really.

I noticed your post earlier about trying to tweak the pump PWM, and your label file shows it's a Gen 5.

This must mean you are dumping and writing them? How? By OBD or via bootmode?

I have access to a 4wd rolling road, so I could do some actual testing if required.


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on March 30, 2020, 06:02:52 AM
This must mean you are dumping and writing them? How? By OBD or via bootmode?

flashed via obd.  :)


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 30, 2020, 06:34:51 AM
Are you using an off the shelf tool or something you've made yourself?


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 31, 2020, 05:11:59 AM
Are you using an off the shelf tool or something you've made yourself?

I know someone working on a Gen 5 tool. But it's not ready for release yet.

I agree that the OBD solution for Gen 5 Haldex tune is too expensive...


Title: Re: Haldex Controllers Thinking.....
Post by: k0mpresd on March 31, 2020, 07:51:37 AM
Are you using an off the shelf tool or something you've made yourself?

not sure i would consider it off the shelf but it is a tool that can be purchased.


Title: Re: Haldex Controllers Thinking.....
Post by: Praga on March 31, 2020, 10:08:28 AM
not sure i would consider it off the shelf but it is a tool that can be purchased.

Do tell...


Title: Re: Haldex Controllers Thinking.....
Post by: threepot on March 31, 2020, 10:10:05 AM
Do these guys sell it?

http://reflecttuning.com/


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on April 09, 2021, 05:59:12 AM
it seems to be a much more repeatable bootmode with only ground connected.

gen4 diagram. tx/rx are on backside.

http://www.filedropper.com/bootgen4

Hello, can't open link, can You please re-share?


Title: Re: Haldex Controllers Thinking.....
Post by: LogitechFX on November 05, 2021, 11:13:03 AM
Hey!
Did you manage to read 4Gen via CAN bus?
Does anyone have a firmware from Skoda Yeti 0br907554a?


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on December 02, 2021, 03:22:59 AM
Hello. I want to be part of the Gen4/Gen5 readers club ).
Gen5 readout: 0AY907554-F upgraded to -M.


Title: Re: Haldex Controllers Thinking.....
Post by: d3irb on December 22, 2021, 02:49:08 PM
On the Gen5 controller the checksum is just an Add16. In order to read/write the newer controllers you need to write a loader or vr_read. I can help if someone wants to upload a G5 full read so I can solve the seed/key.

Just saw this post and wanted to comment, in this case by doing things blind you are making things hard for yourself because all of this is already in FRF/ODX :)

Flashing these Gen5 modules over OBD is trivial, there is no protection whatsoever (no signatures, no encryption, nothing), and it's bog standard UDS flashing. Convert the FRF to ODX and it's all right there - seed/key is just SA2 which is in the ODX, and the OEM flash driver / loader is in the ODX as well (DRIVER). There is also a CRC32 sent over UDS but it's bog standard. If you want to do full read over OBD you could write your own custom Driver to do so as well as is done for DSG OBD read.

The hard part is blindly finding maps, which I am working through but am interested in if anyone else has made progress. I am working forwards from the UDS handlers -> named RAM variables -> methods -> maps, but I know other folks are better at things like blind eyeballing calibrations instead of trying to reverse them.


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on December 22, 2021, 04:06:21 PM
Full readout  c00000 -> c4ffff from gen5 Volvo 2-pin ecu 314-31-022.


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on December 23, 2021, 05:01:53 AM
Hey!
Did you manage to read 4Gen via CAN bus?
Does anyone have a firmware from Skoda Yeti 0br907554a?

I happen to have it.


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on December 25, 2021, 10:40:50 AM
Another Haldex controller for Volvo. Gen5.
Modern one, 07/17, CPU is different from regular version.


Title: Re: Haldex Controllers Thinking.....
Post by: jeroenveer on January 09, 2022, 05:07:32 AM
Just saw this post and wanted to comment, in this case by doing things blind you are making things hard for yourself because all of this is already in FRF/ODX :)

Flashing these Gen5 modules over OBD is trivial, there is no protection whatsoever (no signatures, no encryption, nothing), and it's bog standard UDS flashing. Convert the FRF to ODX and it's all right there - seed/key is just SA2 which is in the ODX, and the OEM flash driver / loader is in the ODX as well (DRIVER). There is also a CRC32 sent over UDS but it's bog standard. If you want to do full read over OBD you could write your own custom Driver to do so as well as is done for DSG OBD read.

The hard part is blindly finding maps, which I am working through but am interested in if anyone else has made progress. I am working forwards from the UDS handlers -> named RAM variables -> methods -> maps, but I know other folks are better at things like blind eyeballing calibrations instead of trying to reverse them.

I have made a custom flash driver for the Gen5 that can read/write full flash in CAN BSL mode.
Inserted it into the ODX with correct CRC32. It uploads correctly and CRC reports OK as well, but after that it does not seem to run the code.
It replies to the UDS flash upload command with a UDS reply from controller so it is still running but not the flash driver. reply is conditions not met and reboots controller after 5 seconds.
Is there any other check on the flash driver that might prevent it from running?


Title: Re: Haldex Controllers Thinking.....
Post by: Norwegian1.8T on January 20, 2022, 01:58:44 PM
Did anyone ever get to read/write to Gen 1 haldex through OBD?
I've read through this thread multiple times but can't seem to get my head around it.
Some pictures and so on are missing due to broken links.
I see that @DT has done some fantastic work! What was the end result?


Title: Re: Haldex Controllers Thinking.....
Post by: Teitek on August 29, 2022, 04:54:21 AM
I have made a custom flash driver for the Gen5 that can read/write full flash in CAN BSL mode.
Inserted it into the ODX with correct CRC32. It uploads correctly and CRC reports OK as well, but after that it does not seem to run the code.
It replies to the UDS flash upload command with a UDS reply from controller so it is still running but not the flash driver. reply is conditions not met and reboots controller after 5 seconds.
Is there any other check on the flash driver that might prevent it from running?

Hi
Has the modified block checksum been fixed?


Title: Re: Haldex Controllers Thinking.....
Post by: DT on August 30, 2022, 05:03:35 PM
I see that @DT has done some fantastic work! What was the end result?
Well, really soon it's time to forget about other Gen1 products like Blue, Agent(???) Orange, HPA Touchmotion or similar. There will be a new superior product available.  ;D


Title: Re: Haldex Controllers Thinking.....
Post by: Norwegian1.8T on August 31, 2022, 03:16:41 AM
Well, really soon it's time to forget about other Gen1 products like Blue, Agent(???) Orange, HPA Touchmotion or similar. There will be a new superior product available.  ;D

Wow! That sounds awesome! Let me know if there is anything you need help with, testing, developing etc  :D


Title: Re: Haldex Controllers Thinking.....
Post by: prj on August 31, 2022, 04:35:14 AM
IIRC there is a checksum on at least the calibration in Gen5 and if you get that wrong, you have a brick in a reset loop...


Title: Re: Haldex Controllers Thinking.....
Post by: d3irb on August 31, 2022, 08:03:55 AM
IIRC there is a checksum on at least the calibration in Gen5 and if you get that wrong, you have a brick in a reset loop...

Second this, there's a checksum on each block and it will brick if you get it wrong on the flashed ones, it is quite annoying actually.

This is probably the issue with your driver block also.


Title: Re: Haldex Controllers Thinking.....
Post by: crazypete on October 11, 2022, 07:16:30 AM
 Hello guys,

I just wanted to ask if there is any progress made in terms of 1 Gen Haldex.

The last update in this topic was from DT who said he is working on something great, but then it died completely.

Would love to hear some feedback. Thank you.


Title: Re: Haldex Controllers Thinking.....
Post by: wachu on October 11, 2022, 11:40:38 AM
most likely they will not share their knowledge because as stated before they want to commercialise it, which i totally understand but it still makes me sad as there are no other alternatives. there was a openhaldex initiative but it was abandoned some time ago. it seems like unitedmotorsport is still the only option, however they charge 600$ for it and you have to ship the controller to them.

i am pretty sure even if some folks from this forum will finally release their product they will be charging similar price which for me is astronomical to be honest (i am from Poland so for 600$ you buy a whole car, not a reflash service which will be barely perceptible xD)


Title: Re: Haldex Controllers Thinking.....
Post by: Sandstorm3k on October 11, 2022, 12:56:37 PM
Hello guys,

I just wanted to ask if there is any progress made in terms of 1 Gen Haldex.

The last update in this topic was from DT who said he is working on something great, but then it died completely.

Would love to hear some feedback. Thank you.
Openhaldex looks cool


Title: Re: Haldex Controllers Thinking.....
Post by: d3irb on September 03, 2023, 12:30:25 PM
Forgot to bump this thread with progress, don't worry, we didn't go commercial just yet  ::) :

Haldex Gen5 flashing is available in https://github.com/bri3d/VW_Flash , including checksums. Thanks to ConnorHowell for taking it across the finish line.

This hasn't been extensively tested besides to tamper with some obvious values (module identifier etc.) in the app software to confirm that changes are taking and some random bytes in Calibration to confirm it doesn't brick.

It's probably worth having a miniwiggler on hand in case of issues still. I certainly wouldn't recommend all of the mind virus commercial tuners out there steal this for customer cars yet. Full flash dumps and miniwiggler pinouts have already been posted by others in this thread.

The next step is to reverse the firmware to find maps. There are a lot of obvious maps by shape in the calibration area, so there are options. One solution would be to work by guess-and-check by editing obvious maps and datalogging. Alternatively, someone who likes C167 (aka, not me, I hate it a lot) could go in through disassembly of the UDS localIdentifier routines, name RAM variables, and work backwards (ie - old school control module reversing the real way).


Title: Re: Haldex Controllers Thinking.....
Post by: terminator on September 04, 2023, 04:54:21 AM
DTCs can also be useful for naming subroutines.


Title: Re: Haldex Controllers Thinking.....
Post by: prj on September 04, 2023, 07:14:30 AM
As I said before, if you make the tiniest mistake, the controller is bricked and de-bricking it is much more difficult than other stuff for which there are commercial tools.
This should be a big red warning on the vw_flash stuff.

If S18 and DQ250 you can worst case ship off somewhere to get fixed, then with the Haldex you are going to need to get another controller and you will need some kind of tool to flash FRF into it to the version it was before.
I recommend getting a spare if you want to mess with it.


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on September 06, 2023, 12:28:47 PM
Another Haldex controller for Volvo. Gen5.
Modern one, 07/17, CPU is different from regular version.

Firmware sample Volvo/SPC CPU, haldex gen 5 '2017 #31380867
The board has only a CPU, no EEPROM module, so it should be internal; raw reading hasn't shown typical EEPROM content, so it is probably in an encrypted container inside the _block_ area.


Title: Re: Haldex Controllers Thinking.....
Post by: Danielsvamp on November 08, 2023, 04:09:06 AM
I'm really interested in gen 4 reading and writing, preferably over obd. I've read the whole thread and didn't gather that much info about the gen 4 overall. I understand the physical functionality, which many people do, nothing secret about that. Still, the software/electronics seem alien for some reason ??? Nothing like the engine's control module.

I've seen people try to work with the gen 4 through stflasher or st10flasher software, haven't seen any great accomplishments though. There has to be ways of doing this, there's no question about it. There probably are many people sitting on this information, although probably not willing to share for nothing (much understandable). Many people also seem to have dumps from the controller and have no problem sharing, probably because they don't have a clue what to do with them.

A user here named Shauno posted a long time ago about the gen 4 with a picture of the controller's insides.
http://nefariousmotorsports.com/forum/index.php?topic=7307.0
Info and documents about his exact st microcontroller (no idea if all controllers have the same insides):
https://www.st.com/en/automotive-microcontrollers/st10f272m.html#documentation

I also posted in that thread and d3irb has some pretty interesting information. (need to learn more about it before I can say anything else)

I have a complete gen 4 rear end, if needed I could provide information about it.

If nothing comes up I'll probably end up controlling the pump and valve manually. Not that it in practice would be easier, but I know where to start at least.


Title: Re: Haldex Controllers Thinking.....
Post by: lefedor on December 28, 2023, 02:24:42 PM
Hello, this is a sample of a Gen5 BMW Haldex ECU, SPC5604 CPU, for anyone who wants to take a look at it.
3310-9692605-01
2004967
1035501487
1035289093
Board is similar to Volvo's SPC-based one, with its own CAN modem subsystem and little variations in components.


Title: Re: Haldex Controllers Thinking.....
Post by: prometey1982 on January 26, 2024, 03:34:18 AM
Did anybody reverse haldex 3 flash? I'm trying to do it now but there are no clues inside. Here is my current IDB with disassembled Volvo S60R haldex bin from current thread https://cloud.mail.ru/public/WcXN/B6ZFomyVi

Update: marked some memory variables from diagnostic.