Topic: new problem for the launch control gurus  (Read 8956 times)
vwnut8392
Sr. Member
****

Karma: +19/-7
Offline Offline

Posts: 271


« on: December 24, 2016, 12:45:19 PM »

i've been working on a friend's 2001 audi TT 180hp quattro car and he asked if i could add launch control and flat shift to it and i of course said yes, that's no problem. i started with using the latest auto patcher PHP script and i keep getting this warning "FTOMN found: FTOMN ATTENTION: find multiple FTOMN offsets, will be using 0x165b5". i sort of disregarded this error because after i compared to a known functioning 512k patched file from a beetle it matches the same line of code. now i learned from the beetle 512k file that setting FTOMN to 01 makes it function properly. i tried FTOMN 00, 01 and 02 with this TT but keep pushing through to the rev limiter. i can hear the ignition interruption at 4500RPM but it just keeps revving to the limiter. the ECU in this car is 8N0906018S. i even looked at the file in IDA rather quickly and everything seems to be in place as well. this isn't a new problem to me as the beetle 512k ECUs have done this pushing through but changing FTOMN to 01 fixed the problem. anyone have any insight on this one?

i attached the output file from the launch.php script. the checksum is corrected on it as well. the .ECU file i generated is attached as well.
TijnCU
Hero Member
*****

Karma: +60/-4
Offline Offline

Posts: 690


flying brick


« Reply #1 on: December 24, 2016, 01:54:23 PM »

I have done some mods to a similar case, moving the function to another location solved the problem. I would suggest to place both function and variables all the way at the end of the file.
Btw I have not opened your files, I'm reading from my phone. And make sure you set 01 at the actual ftomn address.
vwnut8392
« Reply #2 on: December 24, 2016, 02:57:26 PM »

> I have done some mods to a similar case, moving the function to another location solved the problem. I would suggest to place both function and variables all the way at the end of the file.
> Btw I have not opened your files, I'm reading from my phone. And make sure you set 01 at the actual ftomn address.

Thank you, i will try this. i have tried FTOMN at 00, 01 and 02 all give the same end result with it cutting spark but still hitting the rev limiter so it goes beyond 4500RPM.
vwnut8392
« Reply #3 on: December 24, 2016, 04:27:15 PM »

so i tried moving the main code and it did not work. my revised file is attached.
TijnCU
« Reply #4 on: December 26, 2016, 02:37:58 AM »

If it is cutting but revs climb, most likely the ignition cut is too short.. what happens if you increase the ignition cut duration variable? Maybe the counter is not being read correctly
vwnut8392
« Reply #5 on: December 26, 2016, 12:47:06 PM »

when i looked at the ignition cut duration in IDA it looked like it was only the time to cut spark between shifts when using no lift shift. the ignition cut duration does not seem to affect the launch control code at all.
TijnCU
« Reply #6 on: December 26, 2016, 01:45:15 PM »

That is how it should be, yes. Strange problem..
vwnut8392
« Reply #7 on: December 26, 2016, 11:29:44 PM »

i think i found a true case where patching the binary from this ECU just flat out will not work.
TijnCU
« Reply #8 on: January 03, 2017, 01:00:28 PM »

Don't know if you are still working on this, but I just came up with another idea:

The nls function utilizes a counter in ram. It is located at 0x384FF0 by default. Maybe you can check if this ram address is not used by some other function in your ecu? Log it with me7logger on a stock file to see if it is used or 0.
The address is implemented in the code on line 6, 8 and 9. I am also not sure if the script addresses the variable correctly, because it writes extended segment (D7 00 38 00). You could try to replace those parts of the code with D7 40 E0 00 and the ram address as F0 4F (if 384FF0, else any other ram address that you chose).
Good luck :)
Logged
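
Added example (not part of the original posts and not the patcher script's code): a small Python decoder for the C166/C167 D7 EXTS/EXTP prefix bytes discussed in Reply #8, computing which physical address each prefix gives a following 16-bit operand. Function names are hypothetical; the D7 40 06 02 sample used to check it is constructed from the "extp #206h, #1" lines in the listing in Reply #12.

```python
# Added example: decode the 4-byte C166/C167 "D7" EXTS/EXTP prefix and
# compute the physical address it gives the following 16-bit operand.
# Function names are hypothetical; sample bytes come from the thread or are
# constructed from the extp #206h lines in the posted listing.

MNEMONICS = {0: "EXTS", 1: "EXTP", 2: "EXTSR", 3: "EXTPR"}

def decode_ext(prefix: bytes):
    """Return (mnemonic, segment_or_page, number_of_covered_instructions)."""
    if len(prefix) != 4 or prefix[0] != 0xD7 or prefix[1] & 0x0F:
        raise ValueError("not a D7 EXTS/EXTP encoding")
    mode = prefix[1] >> 6
    count = ((prefix[1] >> 4) & 0x3) + 1
    if mode & 1:                       # page forms carry a 10-bit page number
        if prefix[3] & 0xFC:
            raise ValueError("page number exceeds 10 bits")
        value = prefix[2] | (prefix[3] << 8)
    else:                              # segment forms carry an 8-bit segment
        if prefix[3]:
            raise ValueError("segment form expects a zero last byte")
        value = prefix[2]
    return MNEMONICS[mode], value, count

def effective_address(prefix: bytes, operand_le: bytes) -> int:
    """Physical address reached by a little-endian 16-bit operand."""
    mnemonic, value, _ = decode_ext(prefix)
    addr16 = int.from_bytes(operand_le, "little")
    if mnemonic.startswith("EXTS"):
        return (value << 16) | addr16            # segment : 16-bit offset
    return (value << 14) | (addr16 & 0x3FFF)     # page : low 14 bits only

def extp_for(target: int):
    """EXTP #page, #1 prefix and operand bytes that reach `target`."""
    page, offset = target >> 14, target & 0x3FFF
    return bytes([0xD7, 0x40, page & 0xFF, page >> 8]), offset.to_bytes(2, "little")

if __name__ == "__main__":
    operand = bytes.fromhex("F04F")
    for raw in ("D7003800", "D740E000"):
        prefix = bytes.fromhex(raw)
        print(raw, decode_ext(prefix), hex(effective_address(prefix, operand)))
    prefix, op = extp_for(0x384FF0)
    print(prefix.hex().upper(), op.hex().upper())
```

With operand F0 4F, D7 00 38 00 resolves to 0x384FF0 and D7 40 E0 00 resolves to 0x380FF0, because the page form keeps only the low 14 bits of the operand; the page-form bytes that reach 0x384FF0 are D7 40 E1 00 with operand F0 0F.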

TijnCU
« Reply #9 on: January 08, 2017, 07:09:47 AM »

I have to correct my statement above, after studying the code, the counter is only working for single interruption of NLS. If you have the file loaded in ida you can look for tsrldyn and hook in the function there? The only possibility the code is partially working, is if the ecu places a new coil opening time in tsrldyn after it jumps out of the function or if you are not setting dwell low enough in some other way.
« Last Edit: January 08, 2017, 03:11:30 PM by TijnCU »

vwnut8392
« Reply #10 on: January 08, 2017, 09:19:40 PM »

> I have to correct my statement above, after studying the code, the counter is only working for single interruption of NLS. If you have the file loaded in ida you can look for tsrldyn and hook in the function there? The only possibility the code is partially working, is if the ecu places a new coil opening time in tsrldyn after it jumps out of the function or if you are not setting dwell low enough in some other way.

I did try FTOMN at 00, 01 and 02. it doesn't make any sense to me as to why it will not work with this ECU as it looks like everything is in all the right places in IDA.
TijnCU
« Reply #11 on: January 09, 2017, 02:12:27 AM »

Log szrl_w to find out what your dwell is. Maybe you have kftsdyn interfering? If you have the file open in ida, you can check the path around tsrldyn. This also helps to confirm your ftomn address.
TijnCU
« Reply #12 on: January 09, 2017, 06:53:58 AM »

Here is a part of code from my own ecu:
Code:
seg010:F1B0 loc_9F1B0:                              ; CODE XREF: sub_9F0CA+E0j
seg010:F1B0                 mov     r9, r5
seg010:F1B2                 mov     r12, #25A9h          ;this is KFTSRL, coil dwell time map
seg010:F1B6                 mov     r13, #206h
seg010:F1BA                 movbz   r14, nmot
seg010:F1BE                 movbz   r15, rl
seg010:F1C2                 calls   82h, sub_825E9E        
seg010:F1C6                 movb    byte_380B95, rl4
seg010:F1CA                 movbz   r4, rl4
seg010:F1CC                 mulu    r4, r9
seg010:F1CE                 mov     r5, word_FE0C
seg010:F1D2                 mov     r4, word_FE0E
seg010:F1D6                 mov     r2, r5
seg010:F1D8                 shr     r4, #12
seg010:F1DA                 shr     r5, #12
seg010:F1DC                 shl     r2, #4
seg010:F1DE                 or      r4, r2
seg010:F1E0                 mov     r9, r4
seg010:F1E2
seg010:F1E2 loc_9F1E2:                              ; CODE XREF: sub_9F0CA+A4j
seg010:F1E2                                         ; sub_9F0CA+BEj
seg010:F1E2                 extp    #206h, #1
seg010:F1E6                 movbz   r4, byte_81A61B      ; this is TSMX, where the maximum dwell time is checked.
seg010:F1EA                 cmp     r9, r4
seg010:F1EC                 jmpr    cc_ULE, loc_9F1FC    ; if current dwell time is less than TSMX, use KFTSRL value for tsrldyn
seg010:F1EE                 extp    #206h, #1
seg010:F1F2                 movb    rl4, byte_81A61B
seg010:F1F6                 movb    tsrldyn, rl4              ;if not, use TSMX as value for tsrldyn.
seg010:F1FA                 jmpr    cc_UC, loc_9F202
seg010:F1FC ; ---------------------------------------------------------------------------
seg010:F1FC
seg010:F1FC loc_9F1FC:                              ; CODE XREF: sub_9F0CA+122j
seg010:F1FC                 mov     r4, r9
seg010:F1FE                 movb    tsrldyn, rl4        ;tsrldyn value from KFTSRL
seg010:F202
seg010:F202 loc_9F202:                              ; CODE XREF: sub_9F0CA+130j
seg010:F202                 movb    rl4, byte_380998  ;this is where the launch function is hooked in!!
seg010:F206                 extp    #206h, #1
seg010:F20A                 addb    rl4, byte_81A47E
seg010:F20E                 jmpr    cc_NC, loc_9F214
seg010:F210                 movb    rl4, #0FFh
seg010:F214
seg010:F214 loc_9F214:                              ; CODE XREF: sub_9F0CA+144j
seg010:F214                 movb    byte_380B98, rl4
seg010:F218                 mov     r12, #24CEh     ; KFSZDUB Axis start
seg010:F21C                 mov     r13, #206h
seg010:F220                 movbz   r14, rl4
seg010:F222                 movbz   r15, tsrldyn
seg010:F226                 calls   82h, sub_825E9E
seg010:F22A                 movb    byte_380B93, rl4
seg010:F22E                 movbz   r4, nmot
seg010:F232                 mov     [-r0], r4
seg010:F234                 mov     r4, ngfil_w
seg010:F238                 mov     [-r0], r4
seg010:F23A                 mov     r4, #38DCh      ; KFTSDYN data
seg010:F23E                 mov     r5, #209h
seg010:F242                 mov     [-r0], r5
seg010:F244                 mov     [-r0], r4
seg010:F246                 mov     r4, #38D4h      ; KFTSDYN X axis
seg010:F24A                 mov     r5, #209h
seg010:F24E                 mov     [-r0], r5
seg010:F250                 mov     [-r0], r4
seg010:F252                 extp    #209h, #1
seg010:F256                 movbz   r12, byte_8278CC ; axis length X
seg010:F25A                 mov     r13, #38CEh     ; KFTSDYN Y axis
seg010:F25E                 mov     r14, #209h
seg010:F262                 extp    #209h, #1
seg010:F266                 movbz   r15, byte_8278CD ; axis length Y
seg010:F26A                 calls   82h, sub_8266A2
seg010:F26E                 add     r0, #0Ch
seg010:F272                 shr     r4, #8
seg010:F274                 movb    byte_380B92, rl4
seg010:F278                 movbz   r4, rl4
seg010:F27A                 movbz   r5, byte_380B93
seg010:F27E                 mulu    r5, r4
seg010:F280                 jmpr    cc_V, loc_9F288
seg010:F282                 mov     r2, word_FE0E
seg010:F286                 jmpr    cc_UC, loc_9F28C
seg010:F288 ; ---------------------------------------------------------------------------
seg010:F288
seg010:F288 loc_9F288:                              ; CODE XREF: sub_9F0CA+1B6j
seg010:F288                 mov     r2, #0FFFFh
seg010:F28C
seg010:F28C loc_9F28C:                              ; CODE XREF: sub_9F0CA+1BCj
seg010:F28C                 mov     r9, r2
seg010:F28E                 movbz   r4, tsrldyn
seg010:F292                 mulu    r4, r9
seg010:F294                 mov     r5, word_FE0C
seg010:F298                 mov     r4, word_FE0E
seg010:F29C                 mov     r2, r5
seg010:F29E                 shr     r4, #10
seg010:F2A0                 shr     r5, #10
seg010:F2A2                 shl     r2, #6
seg010:F2A4                 or      r4, r2
seg010:F2A6                 mov     r9, r4
seg010:F2A8                 extp    #206h, #1
seg010:F2AC                 movbz   r4, byte_81A495    ; this is FTOMN
seg010:F2B0                 cmp     r9, r4                    ;dwell time is checked against FTOMN, if larger it will stay in r9
seg010:F2B2                 jmpr    cc_NC, loc_9F2BC
seg010:F2B4                 extp    #206h, #1
seg010:F2B8                 movbz   r9, byte_81A495     ; again FTOMN, if dwell was smaller ftomn will be the new output in r9


Maybe this helps you locate the maps that can possibly influence your dwell time!
« Last Edit: January 09, 2017, 08:29:34 AM by TijnCU » Logged
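
Added example (not from the original post and not the ECU's own code): a Python model of the clamp chain visible in the listing above, using only the operations shown there (mulu plus shift, cap at TSMX, floor at FTOMN). Function names and all input values are constructed; the listing gives no units or real map contents.

```python
# Added example: arithmetic model of the dwell path in the posted listing.
# Names are hypothetical and the inputs below are constructed sample values.

MASK16 = 0xFFFF

def mulu_shift(a: int, b: int, shift: int) -> int:
    """mulu a, b followed by the shr/shl/or sequence that rebuilds
    (MDH:MDL >> shift) as one 16-bit word."""
    return ((a * b) >> shift) & MASK16

def tsrldyn_stage(kftsrl_byte: int, r9_in: int, tsmx: int) -> int:
    """F1CA..F1FE: scale the KFTSRL lookup (shift 12), then cap at TSMX."""
    scaled = mulu_shift(kftsrl_byte, r9_in, 12)
    # cmp r9, TSMX / jmpr cc_ULE: keep scaled value if <= TSMX, else use TSMX
    return (scaled if scaled <= tsmx else tsmx) & 0xFF

def factor_stage(byte_b93: int, byte_b92: int) -> int:
    """F278..F28C: product of the two correction bytes, saturated on cc_V."""
    product = byte_b93 * byte_b92
    return product if product <= MASK16 else MASK16

def final_stage(tsrldyn: int, factor: int, ftomn: int) -> int:
    """F28E..F2B8: scale tsrldyn (shift 10), then floor at FTOMN."""
    dwell = mulu_shift(tsrldyn, factor, 10)
    # cmp r9, FTOMN / jmpr cc_NC: keep dwell if >= FTOMN, else use FTOMN
    return dwell if dwell >= ftomn else ftomn

def dwell_path(kftsrl_byte, r9_in, tsmx, byte_b93, byte_b92, ftomn,
               forced_tsrldyn=None):
    """Run the whole chain; forced_tsrldyn models a patch overwriting tsrldyn
    before the final stage (an assumption about what the hook does)."""
    tsrldyn = tsrldyn_stage(kftsrl_byte, r9_in, tsmx)
    if forced_tsrldyn is not None:
        tsrldyn = forced_tsrldyn
    return final_stage(tsrldyn, factor_stage(byte_b93, byte_b92), ftomn)

if __name__ == "__main__":
    base = dict(kftsrl_byte=100, r9_in=0x1000, tsmx=80, byte_b93=32, byte_b92=32)
    for ftomn in (0, 1, 2):
        print(ftomn, dwell_path(ftomn=ftomn, **base),
              dwell_path(ftomn=ftomn, forced_tsrldyn=0, **base))
```

With tsrldyn forced to 0, the final value equals FTOMN, which is the floor enforced by the last compare in the listing.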
