NefMoto

Hey all,
So i figured i'd start this thread to document my journey to building multi-map switching in the MED9.

For anyone reading, I don't have this working -- not even remotely close!

This will likely seem really basic to most of you, but for me, getting to this point was a bit trying and i learned a lot getting here...

So i started by loading my flash into IDA.  This was the first hurdle.  I followed the info in the "MED9.1 Dissasembly" thread and got started.  Loaded file at 0x400000, ram at 0x700000.

I used the AutoIT script commonly used for ME7 to assist me with basically marking the whole file (up to 1c9ff0) as code.  This was a HUGE time saver.

I have a number of maps already defined, so I found LDRXN in IDA, then found references to it. There was one reference to the first LDRXN.  I actually have 6 LDRXNs defined, but it looks like only the first one is used (so that's pretty cool info to know!).

The reference to LDRXN was at 5D01C0.  This location was referenced in a function, so i found that reference.  There were two instructions pertaining to this.  One loaded high part of LDRXN reference and the second loaded low part. 

So my next goal was just a proof of concept to change these two instructions to branch instructions to point to a new function that loaded references to a different LDRXN.  since there were already 6 LDRXN maps, i decided just to load the second one instead of the first one.  I defined two functions.  One simply loaded the High part of my new LDRXN reference and the other loaded the Low part of my new LDRXN reference.  I slapped these functions in some unused space in the flash.  It took a bit of reading a messing around to formulate branch instructions using offsets, but it worked!

Anyway, i know this is really basic, but maybe it will help someone get started.

My next goal is to learn how the EEPROM is read/written.  Does anyone know what offset i should load this at?  I've tried loading it simply at 0x0, and there are a few references to data in it, but not enough that it seems right. I also tried 0x80000, but that doesn't seem right either.  Any help is greatly appreciated.

Also, it seems cruise control stalk input will likely come from CAN bus.  I think it's going to be fairly difficult to track down code for this in IDA, but i'm going to give it a shot.  I guess i first need to figure out what the CAN bus messages actually are from the cruise control stalk.  Anyone have any ideas on how to debug this?  I have a FTDI can-bus cable as well as VCDS can cable, but IDK if there's anyone to monitor the can-bus with these. 

I guess i also might need to trace the can pins from teh ECU to the processor itself -- sounds like a PITA!

So attached is my IDA file.  The functions i added (2 liners) are called JRC_LOAD_LDRXN_HIGH and JRC_LOAD_LDRXN_LOW.  I've defined a few other things with meaningful names as well.  I've also attached teh idb file from before i made any changes so you can see what i edited.

Thanks for any help/insight!

-Jordan

Just one more note ...

So i lowered the values in my newly referenced LDRXN VERY low, and sure enough, the car ran very low boost, so it worked!!

You don't need to worry about CAN messages.

The messages get processed into variables or condition bits and then utilized as needed. Find and identify them by how they are used.

This is going to be interesting, im still a novice at this but i will see what input i can provide after having a look at your file, I can also assist with any trial test down the road ..

Hi guys,

Here is my Map Switching project for MED9.1

Since there are numerous versions of the MED9.1 binary, each with its own map locations, ram variables and free space, it’s never going to be as easy as just copying and pasting the examples. Rather, the best way is to work through the example and then apply that to your own bin :) This post is best read in conjunction with these other posts on storing data in the eeprom (http://nefariousmotorsports.com/forum/index.php?topic=6159.0title=) and interacting with the cluster (http://nefariousmotorsports.com/forum/index.php?topic=6172.0title=).

Pulling it all together, we need a few things:

1)   A way for the ecu to ‘remember’ what maps are currently selected. It would be no use if we had to re-select our maps every time we switched the car off and on again! Fortunately we can store a variable representing our selection in the e2p.
2)   A way of interacting with the driver so you can select a map and get feedback about what you have chosen. I have a manual car without cruise control, so I decided to use clutch and brake pedals for choosing my maps and the rev counter to show the selection.
3)   Some maps to select between. In this example, I have just used maps that already have multiple copies. For example in my bin I have three copies of LDRXN of which only the first seems to be in use (at least, only the first has a reference to it in IDA).

The code to select which map is current is in fact the most straightforward of this whole example. All the hard work is already done and described in my other posts about the ram mirror (http://nefariousmotorsports.com/forum/index.php?topic=6159.0title=) and cluster interaction (http://nefariousmotorsports.com/forum/index.php?topic=6172.0title=). My work on the cluster interaction meant that I had a handy variable that I could check against and jump to a specific location based thereupon. You’ll need the information in those posts to make sense of this post.

Just like in the other posts, in order to patch in my changes I needed an entry point into the code. In this case, just before the code reads the location of LDRXN, I insert a jump to my new routine. The new routine then compares what my map count variable is set to and jumps back again with a suitable location for LDRXN. This is all there is to it – depending on the value of byte_7FABF7 I jump to one of three places. In each of those places I load up an address and then jump back to the main program. The code below corresponds to LDRXN. If you wanted additional maps (e.g. LAMFA), then simply repeat the code below for the extra maps you require.


Worth noting here is that the address I load up (e.g. off_5CEF48) is not the direct address of the LDRXN map. In fact it’s an address that in turn contains the address of the LDRXN map. So 5CEF48 actually points at 5CED28 which is the first LDRXN map. Why it’s like that, I don’t know. Fortunately IDA sorts it all out.


Q&A

What bin is all this based upon?
MED9.1
Audi S3 8P MY2007 UK spec
8P0907115H
0261S02342
387951

How do I change maps?
The maps are changed like this. Without starting the car, switch on the ignition. Press the brake pedal and keep it pressed. Now press and release the clutch pedal. Every time you press the clutch pedal, the rev counter needle will flick 1000 rpm -> 2000 rpm -> 3000 rpm -> 4000 rpm -> 1000 rpm. That represents what you’ve chosen (1 to 4).

What map am I currently on?
I was running out of pedals here, so you can’t really just view your active selection. View and change are combined. Every time you press that clutch pedal, you move to the next map and the rpm needle shows you what’s active. Pressing the pedal will change you to the next selection, but since there are only four selections at the moment you’ll be fine ;)

I get an oil pressure alarm?
Don’t be alarmed if you get an oil pressure alarm whilst the engine is off. The cluster thinks the engine is running since it sees rpm, but it isn’t getting a corresponding oil pressure signal. Once you’ve chosen your map, you can switch the ignition off and back on again to clear any false alarms that popped up. Any genuine alarms will be persistent and should be investigated!

My variable counts from 1 to 4 but there are only three LDRXN maps?
That’s right. Right now 3 and 4 both select the third LDRXN map. Code it how you want e.g. 4 might choose the same LDRXN as 3 but have a different LAMFA map instead. It’s your map switching routine :)

How do I get the RAM dumps to figure out the RAM locations?
Hmm, that’s a good one. I used a ram logger based on an Arduino, but you need some hardware and software for that (which I made myself). The best suggestion I’ve got is disassemble my bin that I’ve posted plus the internal and external RAM dumps I’ve posted and line up the cross references against your own bin. Also, if there is a popular bin that a lot of people use, I could load that into my bench ecu and dump the ram contents on your behalf.

How do you know what general purpose registers are free?
Read a bit ahead in the code. If you see something like this
ROM:0047C878                 lis       r10, ((off_5CEF4C+0x10000)@h)
It means that the contents of r10 are being loaded with a new value. Therefore it’s safe enough to use r10 since the original code is going to load a new value into r10 anyway. Just make sure the original code doesn’t check r10 between you using it and the original code loading a new value in it!

What ram is free?
Check in IDA for cross references. I picked a value towards the end of the external ram that had no references to it in IDA.

Could you do this with the CCS buttons instead?
Of course! To find the variables that contain the CCS buttons, try this. CCS buttons are Measuring Block 67-2. Work through this post (http://nefariousmotorsports.com/forum/index.php?topic=5941.0title=) on Measuring Blocks and you’ll end up with the memory and ram locations.

What should I look for/at in IDA?
I’ve attached my IDA project containing all these patches. I’ve also included my bin (both stock and patched). This is where I’ve patched:

004F 7B60 - jump from original code to new cluster interaction code at 0047 C750
0047 C750 - new cluster interaction code
0051 9790 - jump from original code to new LDRXN address code at 0047 C850
0047 C850 - new LDRXN address code

What else is in the bin?
There are a few other patches in there as well at 0047 C650. They relate to measuring blocks though and aren’t necessary here. Some of the maps have been changed as well in my attempts at a mild stage 1 tune. I really suggest you don’t copy them though, since I’m better at the software than I am at the tuning!!

I hope it helps and motivates you to create your own map switching routine :) 

Post up how you get on and I’ll help as best I can.

Let me be the first to say that this is EPIC...

We could fake an canbus oilpressure message in the same part of the code changing nmot_c ?

Thank you very much! I cant believe my eyes, so rare and useful info!

I would like to add that if anybody want to use CC bit into RAM (lets say the 1 bit), you need recheck the byte, cause VCDS shows smth like 00000011 (looks like the 1 bit = 1), but actually this is 0000001100 (1 bit = 0).

Well you beat me to it... By a lot!! I figured this was where you were going with your last couple posts. Really excellent work. This is likely one of the most valuable things in this forum. Someone should sticky this or something.

ram dump from 386852

E2P starts around (0x7F8000+0x2B90) = 0x7FAB90
CANBUS buffers start around (0x7F8000 + 0xC4EC = 0x8044EC

Enjoy :)

It's like watching the golden age of ME7 unfold all over again!

:)

ram dump from 523981

E2P starts around (0x7F8000+0x2960) = 0x7FA960
CANBUS buffers start around (0x7F8000 + 0xCC70) = 0x804C70

I had a quick look but I think the oil pressure swiitch is wired directly to the cluster. Thus the message is not generated in the egine ecu and so we can't overide it there. Need to check my wiring diagrams. A nicety to tidy up later ;)


Ah, understood. I'd like to have a go with CCS myself. Been meaning to retrofit it so this might spur me on.
Thanks Jordan  ;D

I've dumped the ram from your bin and posted it in the thread. Now get cracking and start coding!

lol


Thanks Daz! The forum has helped me so much and I wanted to help as well.

ram dump from 510588

E2P starts around (0x7F8000+0x2B9C) = 0x7FAB9C
CANBUS buffers start around (0x7F8000 + 0xC9A0) = 0x8049A0

ram dump from 387951

E2P starts around (0x7F8000+0x2ADC) = 0x7FAADC
CANBUS buffers start around (0x7F8000 + 0xC404) = 0x804404

Hi Basano, first of all really compliments for your job!!

For me it's just too difficult setting IDA pro.

But now i'm trying to upload my ecu.bin in your file map_switching.idb, so i could use your setting, is this correct?

I would like to understand how it WORKS!!

Here's a tricky one.

If I substitute the RPM values in the CAN message buffer for CAN id 0x280, it doesn't work for the Audi A6.  
The needle doesn't move at all - BUT - I get an low oilpressure warning, so obviously it detects the RPM  ???

If I log that id on the bench (with the same binary), it indeed sends the new RPM info correctly.

Same code - with only variable references substituted - works for an Audi S3 - both in the cluster and on the bench..

Any ideas, people?

did you solve this problem friend, works your Mapswitching in the A6 ?

Rgds Toby

I m looking for a RAM dump
8P0907115
0261S02041
387577
thx in advance

I'll help if I can, looking at med9 as a possibility of my next project.  Purely as a hobby.

I'm just trying to figure out where it is?

Do we need a obd2 flash tool and logger I guess :) ?


Basano - sent you a hangout thing

a very useful logger and flasher is the qvaser can-king.
interface is cheap and has a useful software.

I found can hacker and an arudino good as well (cheap)

hey guys, who can help me to work on a Mapswitching Project
for Golf MK6 R20 with DSG.

Need Mapswitch over Cruisecontrol or ESP Button ;-)

rgds  ;D

First of all sorry for kicking this old topic, I've been playing around with IDA but i'm missing a RAM dump. Is somebody able to explain to me how to get a RAM dump or maybe somebody can make a RAM dump of my file? I can share my file if anybody is able to make a dump, my file is 501852.

pm me the ori and I'll see if I can help buddy.

Thank you!! PM is send :-)

Cool send me your ecu number please mate, it's in dev 1-2  weeks appox.

Of course! Sent by pm.

Jordan,

Which version of IDA are you using? I tried to load yours IDB files with IDA 6.1 and I cant get them to work. Thanks in advance.

hi
anybody has ram dump to 501227
thx in advance

deleted

Hi all! I want someone to implement the Map Switching code ( like Basano did it here) in my file. The car has a DSG gearbox, which is why I would like to use the cruise control buttons. I will pay, I don't ask for free.