Topic: Portable ME7 logging project
elRey
« Reply #15 on: May 03, 2017, 05:42:30 PM »

C also can run on ESP32, another alternative to RPi Zero W.

360trev
« Reply #16 on: November 30, 2018, 02:44:39 PM »

OK... I've spent the past few months exhaustively reverse engineering and working out how everything works.

I don't really know how far people have got before on this because most of this effort goes on behind closed doors and then is rarely shared.

I've even written my own custom Siemens C16x/ST10 disassembler in C, an earlier stripped-down version of which is included in the GitHub repo for my Swiss Army Knife tool. The way I wrote the tool, I discovered to my surprise that it seems to 'just work' on even 1Mb roms from the Ferrari F430 and Maserati 4200s for all the checksumming functionality. Tested and works right out of the box. I'm guessing it works on many others too. Finds 60 odd checksum regions on the bigger 1Mb files!

Anyway I've now identified the majority of the functions and labelled over 6,200 variables and maps in my ME7.3 Ferrari 360 ROM. That includes internal ram and external ram region variables as well as values, value blocks, strings, maps, fixed maps, group maps, curves, fixed curves and group curves. So you could say my disassembly is about as complete a job as anyone else I know has done or disclosed...

For the test case rom I generated this on;

*This* rom file below..
https://github.com/360trev/ME7RomTool_Ferrari/raw/master/Release/LEFT_Eddie_2004_360Spider_EU.bin

(which maps directly back to the Ferrari 360 which maps back to FRE07E0.PDF function and datasheet on here somewhere) you get the following;

// EXTERNAL MEM 0x38xxxx range:  Num of entries = 2903
// INTERNAL RAM 0xExxx-0xFxxx range: Num of entries = 274

// EXTERNAL FLASH (Values) range: Num of entries = 1843
// EXTERNAL FLASH (Value_Blocks) range: Num of entries = 682
// EXTERNAL FLASH (Group_Curve) range: Num of entries = 136
// EXTERNAL FLASH (Curve) range: Num of entries = 188
// EXTERNAL FLASH (Group_map) range: Num of entries = 91
// EXTERNAL FLASH (maps) range: Num of entries = 78
// EXTERNAL FLASH (fixed_curve) range: Num of entries = 19
// EXTERNAL FLASH (fixed_maps) range: Num of entries = 3
// EXTERNAL FLASH (strings) range: Num of entries = 6

This can also generate the IDC script for IDA Pro to import the lot of this back into IDA..  (not included in this tool I just built but if anyone is interested let me know)...

With a bit more work I could probably derive a hundred or so remaining internal variables, then it's fully complete...

I've also written a tool to allow you to search for all variables referenced by main functions, e.g. GGPED, GGKS, GGHFM, PROKON (refer to Functional datasheet for more..).. So you give it the function and it tells you all of the internal ram variables used, the external ram variables used, maps referenced and all the addresses. You get the picture... It uses wildcards so you can do stuff like *GG* and find everything GG related, which yields a huge list..

E.g.
$ me7vars.exe *GGHFM*                                     
    1) addr=0x0000f970 name="mlhfma_w" (;s)               
    2) addr=0x00381e1a name="mlhfmm_w" (;s)               
    3) addr=0x0000f97b name="rl" (;s)                     
    4) addr=0x00380b32 name="wdkba" (;s)                   
    5) addr=0x00810afb name="KFKHFM" (;s)                 
    6) addr=0x00380b52 name="fkhfm" (;s)                   
    7) addr=0x00810e83 name="KFPUSU" (;s)                 
    8) addr=0x00818596 name="PUKANS" (;s)
    9) addr=0x00810cbf name="KFPU2SU" (;s)                 
   10) addr=0x00810da1 name="KFPU3SU" (;s)                 
   11) addr=0x00810bdd name="KFPU" (;s)                   
   12) addr=0x00380b53 name="fpuk" (;s)                   
   13) addr=0x0000f86c name="nmot" (;s)                   
   14) addr=0x00380bba name="tans" (;s)                   
   15) addr=0x0000f972 name="mshfm_w" (;s)                 
   16) addr=0x00380b54 name="nmotkor" (;s)                 
   17) addr=0x00814300 name="MLHFM" (;s)                   
   18) addr=0x00814700 name="MLOFS" (;s)                   
   19) addr=0x00380f60 name="uhfm_w" (;s)                 
   20) addr=0x00380b6e name="sumode" (;s)                 
                                                           
// Total defines: 6223                                     
Free table..                                               

I'm not yet ready to release this source-code to the generator just yet as I haven't got it working generically enough yet (great on Ferrari 360 roms but I need more work to clean it up) but I absolutely plan to. The question I have is what format do you want me to generate this in and is there a spec I can follow (or examples at least)...

Already this tool is useful.. here is a link just for the Windows command line executable..
https://drive.google.com/open?id=1tkoeN3hg0sUu-Z4Qa6gA5V1_gXo1DZ3t

Source will be released in good time...

Any feedback for options let me know.. It's been *invaluable* for working my way around the ROM as my disassembler can reference variables and functions rather than just absolute addresses you'd normally get..

Next step on the disassembler front is to map this to auto generate C style syntax code which will speed up conversion back to even more...

360trev
« Reply #17 on: November 30, 2018, 02:53:21 PM »

Part 1...

ACIFI       Output for cylinder-individual injection
ADVE        Activation of the DV-E by means of the DLR
AEKP        EKP control
AES         Overview calculation of injection time
AEVAB       Output injection valve cut off
AEVABU      Output injection-valve cut-off by monitoring functions (EGAS)
AEVABZK     Output injection-valve cut-off %MDRED + total shutdown by monitoring functions
AK          Overview Emission reduction / catalyst
ALE         Detection of engine stop position
ARMD        Torque based anti jerk function
AS          Output signal adaption
ASCETBLK    Description of ASCET block library
ASCETSDB    ASCET-SD description of block library
ATEV        Purge valve drive (duty cycle)
ATM         Exhaust temperature model
ATWAL       Output engine temperature warning lamps
AZUE        Output ignition
BBBO        Start operating range with fuel in oil
BBGANG      Detection of actual gear
BBKHZ       Control of catalyst heating
BBSAWE      Conditions for fuel cut-off / cut-in
BBSTT       Condition Engine start
BBTEGA      Operating conditions for purge canister control / fuel adaption
BGAGR       Correction air charge calculation by exhaust gas recirculation
BGBSZ       Calculated Variable Operating Track Counter
BGDVE       Values for DV-E control from the learning and checking routines
BGEVAB      Calculation of the actual reduction stage by ignition-valve cut-off
BGKMST      Calculation of odometer value (Km)
BGKV        Calculation variable consumed fuel
BGLBZ       Calculated charge deficit of the battery
BGMSABG     Calculation of exhaust emission mass flow - bank-dependent
BGMSZS      Calculation of mass flows into intake manifold
BGNG        Calculated variable: engine-speed gradient
BGNMOT      Calculated variable: engine speed
BGPU        Calculation value ambient pressure
BGRLG       RL-GRADIENT
BGRLP       Calculation variable rlp: predicted air charge
BGRML       Calculation Value of Relative Air Mass according to SAE J1979 Mode $01 + $02 PID
BGSRM       Model of intake manif. for calc. relative air charge and intake manif. pressure
BGTABST     Calculated variable: cut-off time
BGTEMPK     Calculation of temperature compensation for intake manifold model
BGTEV       Calculation variable, mass flow TEV
BGWDKM      Calculation of throttle angle model
BGWPFGR     Calculation variable, back-calculated pedal value for FGR
CAN         CAN signal list
D2CTR       Diagnosis; system verification counter
DCAS        Diagnosis CAN timeout ASC interface
DCDACC      Diagnosis; access to tester data
DCINS       Diagnostics; CAN timeout instrument (Combi)
DCKUP       Diagnosis; CAN-Timeout interface electronic clutch control (KUP)
DDCY        OBDII; fulfillment condition 'driving cycle'
DDG         Diagnosis: engine speed sensor
DDST        Diagnosis of tank pressure sensor
DDVE        Diagnosis: EGAS-Actuator DV-E
DECJ        Diagnosis; Power stage CJ9x
DEGFE       Diagnosis of input variables for charge detection
DEKON       Configuration of power stage diagnosis
DEKPE       Diagnosis; power stage of fuel pump relay
DEPCL       Diagnosis; electronic powertrain control lamp
DEVE        Diagnosis; power stage of injector valve
DFFT        Diagnostics; Freeze frame selection table
DFFTCNV     Diagnosis; freeze frame table, conversion to bytes
DFFTK       Diagnosis; customer-specific list for selection of freeze-frame values
DFPM        OBDII; Fault path manager
DFPMEEP     Diagnostic; Fault Path Manager, EEPROM storage
DFPMPWF     Diagnosis fault path management; detection of powerfail
DFRZ        OBDII; description 'freeze frame'
DHFM        Diagnosis; plausibility test hot film air flow sensor
DHLSHK      Diagnosis: sensor heating downstream of catalytic converter
DHLSVK      Diagnosis sensor heating upstream catalyst
DHLSVKE
DIMC        OBDII; inspection/maintenance-ready
DKAT        Diagnosis; catalyst conversion
DKOSE       Diagnosis of power stage for AC compressor
DKRNT       Diagnosis; Knock-control, zero-test (OBDII)
DKRS        Diagnosis; knock sensor
DKRTP       Diagnosis of knock control, test pulse for OBDII
DKVS        Diagnosis; plausibility test fuel supply system
DLLR        Diagnosis: idle speed control, recognising a blocked actuator
DLSA        Lambda sensor aging monitoring
DLSAHK      Ageing monitoring for lambda sensor downstream of catalytic converter
DLSH        Diagnosis; Readiness for operation of sensor downstream catalyst
DLSSA       Signal output from lambda sensors
DLSV        Diagnosis; Readiness for operation of sensor upstream catalyst
DMDDLU      Diagnostic routine Misfire Detection, forming the diff. for irregular running
DMDFON      Diagnosis Misfire Detection fuel-on Adaptation
DMDLAD      Logic and Delay; Logical operation,different blocks for misfire detection
DMDLU       Diagnostic routine misfire detection: Irregular running
DMDLUA      Diagnostic routine Misfire Detection irregular running spacing
DMDMIL      Fault treatment of misfire detection, control on MIL and rectification
DMDSTP      Diagnostic of misfire detection : Stop conditions
DMDTSB      Diagnosis misfire detection by segment time formation
DMDUE       Diagnostic routine misfire detection Overview
DMIL        OBDII; MIL control
DMILE       OBDII; MIL-power stage
DMLSE       Diagnosis; power stage check of electric cooling fan
DMS         Diagnosis; permanent data acquisition (serial)
DNWKW       Diagnosis alignment between camshaft and crankshaft
DNWS        Diagnosis camshaft control
DNWSE       Diagnosis; camshaft control power stage
DPH         Diagnosis; plausibility test phase sensor
DSUE        Diagnosis; driver for intake manifold flap
DSWEC       Bumpy road detection from wheel acceleration, -> via CAN from ABS CU
DTEV        Diagnosis; canister purge valve (OBDII)
DTEVE       Diagnosis; power stage of canister purge valve
DTIP        OBDII; tester interface package
DTOP        Diagnosis; operating time
DTRIG       OBDII; Selectable trigger for fault path management
DUF         Diagnostic interface of the function monitoring
DUR         Diagnosis from computer monitoring
DVEUE       Overview of DV-E-control
DVFZ        Diagnosis; plausibility test vehicle speed
DVKUP       Diagnosis; Switch-off engine by electronic clutch control (KUP)
DWUC        OBDII; fulfillment condition 'warm up cycle'
EEPROM      EEPROM treatment
EG          Input variables including diagnostics for these
EGAG        General inputs
EGAK        Input values of exhaust value of catalyst
EGEG        Input variable E-GAS
EGFE        Input variables for charging detection
EGKE        Input variables for knocking detection
EGNWE       Input values rotational speed- and angle detection
EGTE        Input variables for recording the temperature
ESGRU       Basic function injection
ESNSWL      Injection during afterstart and warm-up
ESSTT       Injection duration at start
ESUK        Injection: transient compensation
ESUKA       Wall wetting adaptation based on ZPR
ESVST       Fuel injection pre-control
ESVW        Injection : calculation of injection angle
ESWE        Injection, resumption of overrun fuel cut-off
FE          Charging interventions
FGRABED     Shutdown conditions, vehicle-speed controller
FGRBESI     Operating signals, vehicle-speed controller
FGRFULO     Function logic, vehicle-speed controller
FGRREGL     Control algorithm, vehicle-speed controller
FGRUE       Overview of vehicle-speed controller
FUEDK       Charge control (calculation of nominal throttle-valve angle)
FUEDKSA     Influence of air charge by throttle blade, processing throttle-valve angle
FUEREG      Charge controller
GGDPG       Input Signals: engine speed and phase sensor
GGDST       Pickup tank pressure sensor
GGDVE       Sensor variables for throttle-valve actuator
GGEGAS      Sensor variable for brake and clutch switches
GGFGRH      Sensor Signals Cruise Control Lever
GGFST       Sensor variable tank level
GGHFM       Sensor signal, hot-film air-mass meter
GGKS        Sensor signal for knocking detection
GGLSH       Sensor variable for lambda sensor downstream of catalytic converter
GGLSV       Sensor signal lambda upstream catalyst

360trev
« Reply #18 on: November 30, 2018, 02:54:49 PM »

GGPED       Sensor variable for accelerator pedal
GGPOEL      Sensor signal oil pressure sensor, incl. diagnosis
GGTFA       Diagnosis; intake air temperature sensor
GGTFM       Signal engine temperature sensor
GGUB        Sensor variable for battery voltage incl. diagnosis
GGVFZG      Input signal: vehicle speed
GK          Mixture control
GKEB        Operating condition mixture control overview
GKRA        Mixture control and adaptive pilot control
HLS         Lambda sensor heater
KHMD        Calculation of torque reserve for heating catalytic converter
KOEVAB      Coordination of injection valve cutoff
KOS         Control of A/C compressor
KRDY        Knock control for load dynamics
KRKE        Knocking detection
KRRA        Adaptive knock control
KVA         Output signal: display of fuel consumption
LAKH        Lambda coordination for catalyst heating
LAMBTS      Lambda component protection
LAMFAW      Lambda vehicle-operator demand
LAMKO       Lambda coordination
LAMSOLL     Lambda setpoint input
LFS         Engine cooling fan control
LLRBB       Operating conditions of idle speed control
LLRMD       Torque-based idle-speed control
LLRMR       Torque reserve for idle speed control
LLRNFA
LLRNS       Idle control; Nominal engine speed for idle speed control
LLRRM       Idle speed control: torque controller
LR          Lambda closed loop control
LRA         Lambda closed loop control; Adaptive pilot control
LRAEB       Conditions adaptive pilot control
LREB        Activation conditions for lambda closed loop control
LRHK        Lambda closed loop control downstream catalyst (OBDII)
LRINI       Coordination initializing lambda controller
LRKA        Two Sensor Lambda Control: Oxygen Clear Out Function
MDAUTG      Calculation of torque actual value for gear control
MDBAS       Basic calculation for torque interface
MDBGRG      Torque limitation minimum
MDFAW       Calculation of vehicle-operator demand
MDFUE       Nominal-value input from nominal torque for airmass
MDIST       Engine torque calculation
MDKOG       Coordination torque intervention
MDKOL       Coordination torque intervention air path
MDMAX       Calculation maximum torque
MDMIN       Minimum engine torque coordination
MDNSTAB     Torque: engine-speed stabilization
MDRED       Calculation reduction step from torque demand
MDTRIP      Calculation of torque reserve for short trip
MDVER       Loss in engine torque
MDVERAD     Adaptation of torque loss
MDVERB      Torque demand by auxiliary systems (e.g. air conditioner, misc. consumers)
MDWAN       Torque of the AT-converter
MDZUL       Calculation of maximum permitted set torque
MDZW        Calculation of torque in nominal ignition timing
MOTAUS      Engine switch-off
MSF         Engine control functions
NLDG        Limp-home for defective engine speed sensor
NLPH        Limp-home for phase synchronization
NMAXMD      Torque calculation during maximum speed control
NWS         Camshaft control
PROKON      Project configurations
RDE         Detection of reverse rotation
RKTI        Calculation of injection time ti from relative fuel mass rk
RSTMON      Reset monitor
SCATT       SCAN TOOL-tester interface
SREAKT      EGAS: safety concept, failure reactions
STADAP      Starting fuel adaptation
STECK       Plug pin arrangement
SU          Intake manifold switch-over
TC1MOD      Tester communication CARB; Mode 1
TC2MOD      Tester communication CARB; Mode 2
TC5MOD      Tester communication CARB; Mode 5
TC6MOD      Tester communication CARB; Mode 6
TC8MOD      Tester communication CARB; Mode 8
TC9MOD      Tester communication CARB; Mode 9, Request vehicle information
TCKOMUE     Tester communication CARB; Communication structure overview
TCSORT      Tester communication CARB; sort function
TEB         Purge canister function
TEBEB       Switch-on conditions for purge control
TN          Output of engine speed signal
UFEING      ETS monitoring concept: Input signal transfer used in function monitoring
UFFGRC      ETS monitoring concept: Monitoring of Cruise Control of function monitoring
UFFGRE      ETS monitoring concept: CC input information used in function monitoring
UFMER       ETS monitoring concept:
UFMET       ETS monitoring concept:
UFMIST      ETS monitoring concept: Calculation of the actual torque in UF
UFMSRC      ETS monitoring concept: MSR intervention surveillance for function monitoring
UFMVER      ETS monitoring concept: Torque comparison of function monitoring
UFMZF       ETS monitoring concept: Torque filter for function monitoring
UFMZUL      ETS monitoring concept: Calculation of permissible torque in UF
UFNC        ETS monitoring concept: Monitoring of engine speed for function monitoring
UFNSC       ETS monitoring concept: Afterstart monitoring for function monitoring
UFOBP       ETS monitoring concept: OBP operation of function monitoring
UFREAC      ETS monitoring concept: Monitoring of fault reaction of function monitoring
UFRLC       ETS monitoring concept: Monitoring of load signal for function monitoring
UFSGSC      EGAS-monitoring concept: SGS-intervention-monitoring for the function overview
UFSPSC      ETS monitoring concept: Monitoring of accelerator pedal value for function m.
UFUE        ETS monitoring concept: function monitoring overview
UFZWC       ETS monitoring concept: Monitoring of ignition angle for function monitoring
UMAUSC      ETS monitoring concept: test of the shut-down path of the monitoring module
UMFPW       ETS monitoring concept: flash programming request in the monitoring module (UM)
UMFSEL      ETS monitoring concept: inquiry selection in the monitoring module(UM)
UMKOM       ETS monitoring concept: Inquiry/response communication between UM/FR
UMTOUT      ETS monitoring concept: time-out for UM/FR-communication
URADCC      ETS monitoring concept: test of the AD-converter
URCPU       ETS monitoring concept: Instruction test by means of level 2'
URMEM       ETS monitoring concept: cyclic memory test
URPAK       ETS monitoring concept: program flow check
URRAM       ETS monitoring concept: RAM-test
URROM       ETS monitoring concept: ROM-test
VMAXMD      Torque request of Vmax regulation
WANWKW      Angle adaptation of alignment between camshaft and crankshaft
WDKSOM      Calculation of desired throttle angle without torque structure
ZUE         Basic function - ignition
ZUESZ       Ignition, calculation of coil closing time
ZWGRU       Basic ignition angle
ZWMIN       Calculation of maximum retarded spark limitation
ZWSTT       Ignition at start
ZWWL        Ignition during warm-up

360trev
« Reply #19 on: November 30, 2018, 02:59:12 PM »

That's the functions you can search for variables in so far...

E.g.

$ me7vars.exe ZUE                                       
 
    1) addr=0x00811ce6 name="WMNDOPZ" (;s)               
    2) addr=0x00811ce7 name="ZWAPPL" (;s)               
    3) addr=0x00811ce5 name="NACHANZ" (;s)               
    4) addr=0x0081986e name="WPHN" (;s)                 
    5) addr=0x00380d14 name="wphg" (;s)                 
    6) addr=0x00380d15 name="zwbasar_0_A" (;s)           
    7) addr=0x00380d16 name="zwbasar_1_A" (;s)           
    8) addr=0x00380d17 name="zwbasar_2_A" (;s)
    9) addr=0x00380d18 name="zwbasar_3_A" (;s)           
                                                         
Discovers that ZUE(), the basic function of ignition, uses 5 variables for logging out of ram (0x380dXX) and 4 in map region of flash...

360trev
« Reply #20 on: November 30, 2018, 03:00:31 PM »

Obviously becomes more useful when it's not hardcoded to the one firmware but you get the idea.. :)

360trev
« Reply #21 on: November 30, 2018, 03:07:44 PM »

And with this many variables defined even the C167 assembly is VERY readable.. e.g..

Code:
GGHFM_Func:                             ; ...
                mov     [-r0], r9
                movbz   r9, nmot        ; nmot : engine speed [BGNMOT ACIFI ADVE AEVABU AGK ARMD ATEV ATM BBFGR BBSAWE BBSTT BGAGR BGMSZS BGPU BGTABST BGTEMPK BGTEV DECJ DFFT DFFTK DFPM DKATLRS DKRNT DKRS DLSU DMDDLU DMDFON DMDLU DMDLUA DMDMIL DMDSTP DMDUE DNWS DTKAT DVFZ ESGRU ESNST ESSTT ESUK ESUKAS ESVW ESWL F1MD FUEDK FUEREG GGDPG GGDVE GGHFM GGKS GGLSU GGPED GK KOS KRDY KRKE KRRA KWP2000F KWPIOC LAKH LAMBTS LAMFAW LLRBB LLRNS LLRRM LRA LRAEB LRS LRSEB LRSHK LRSKA MDBAS MDFUE MDKOL MDMAX MDVERB MDZUL NWS PROKON RKTI RUNTIME SLS SSTB STADAP SU TEB UFNC VMAXMD WANWKW WFS ZUE ZUESZ ZWGRU ZWMIN ZWSTT ZWWL]
                movbz   r4, puans
                mulu    r9, r4
                mov     r9, MDL
                cmp     r9, #7FFFh
                jmpr    cc_ULE, get_nmotkor
                movb    nmotkor, ONES   ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
                jmpr    cc_UC, check_sumode
; ---------------------------------------------------------------------------
get_nmotkor:                            ; ...
                mov     r4, r9
                shr     r4, #7
                movb    nmotkor, rl4    ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
check_sumode:                           ; ...
                movb    rl4, sumode     ; sumode : state of intake manifold switch-over [SU BGSRM GGHFM KWPDATR]
                cmpb    rl4, #1
                jmpr    cc_Z, sumode_1
                cmpb    rl4, #2
                jmpr    cc_Z, sumode_2
                cmpb    rl4, #3
                jmpr    cc_Z, sumode_3
                jmpr    cc_UC, other_mode
; ---------------------------------------------------------------------------
sumode_1:                               ; ...
                mov     r12, #KFPUSU    ; KFPUSU : pulsation map with intake manifold switch-over active, sumode=1 [GGHFM]
                movbz   r13, nmotkor    ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
                movbz   r14, wdkba      ; wdkba : throttle-valve angle relative to lower stop [GGDVE BGPU BGTEV CAN DFFT GGHFM LRAEB RUNTIME SSTB TC1MOD TEB]
                calls   0, Lookup_2D_Byte_table ; 2D Lookup Byte Arguments usually Fuel related
                                        ;
                                        ; r12= Map address, 1st byte width, 2nd byte height
                                        ; r13= Y
                                        ; r14= X
                movb    fpuk, rl4       ; fpuk : HFM correction factor in the pulsation range [GGHFM]
                jmpr    cc_UC, do_kfkhfm_lookup
; ---------------------------------------------------------------------------
sumode_2:                               ; ...
                mov     r12, #KFPU2SU   ; KFPU2SU : pulsation map with intake manifold switch-over active, sumode=2 [GGHFM]
                movbz   r13, nmotkor    ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
                movbz   r14, wdkba      ; wdkba : throttle-valve angle relative to lower stop [GGDVE BGPU BGTEV CAN DFFT GGHFM LRAEB RUNTIME SSTB TC1MOD TEB]
                calls   0, Lookup_2D_Byte_table ; 2D Lookup Byte Arguments usually Fuel related
                                        ;
                                        ; r12= Map address, 1st byte width, 2nd byte height
                                        ; r13= Y
                                        ; r14= X
                movb    fpuk, rl4       ; fpuk : HFM correction factor in the pulsation range [GGHFM]
                jmpr    cc_UC, do_kfkhfm_lookup
; ---------------------------------------------------------------------------
sumode_3:                               ; ...
                mov     r12, #KFPU3SU   ; KFPU3SU : pulsation map with intake manifold switch-over active, sumode=3 [GGHFM]
                movbz   r13, nmotkor    ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
                movbz   r14, wdkba      ; wdkba : throttle-valve angle relative to lower stop [GGDVE BGPU BGTEV CAN DFFT GGHFM LRAEB RUNTIME SSTB TC1MOD TEB]
                calls   0, Lookup_2D_Byte_table ; 2D Lookup Byte Arguments usually Fuel related
                                        ;
                                        ; r12= Map address, 1st byte width, 2nd byte height
                                        ; r13= Y
                                        ; r14= X
                movb    fpuk, rl4       ; fpuk : HFM correction factor in the pulsation range [GGHFM]
                jmpr    cc_UC, do_kfkhfm_lookup
; ---------------------------------------------------------------------------
other_mode:                             ; ...
                mov     r12, #KFPU      ; KFPU : pulsation map [GGHFM]
                movbz   r13, nmotkor    ; nmotkor : engine speed, intake-air corrected (for pulsation correction) [GGHFM]
                movbz   r14, wdkba      ; wdkba : throttle-valve angle relative to lower stop [GGDVE BGPU BGTEV CAN DFFT GGHFM LRAEB RUNTIME SSTB TC1MOD TEB]
                calls   0, Lookup_2D_Byte_table ; 2D Lookup Byte Arguments usually Fuel related
                                        ;
                                        ; r12= Map address, 1st byte width, 2nd byte height
                                        ; r13= Y
                                        ; r14= X
                movb    fpuk, rl4       ; fpuk : HFM correction factor in the pulsation range [GGHFM]
do_kfkhfm_lookup:                       ; ...
                mov     r12, #KFKHFM    ; KFKHFM : correction map for HFM [GGHFM]
                movbz   r13, nmot       ; nmot : engine speed [BGNMOT ACIFI ADVE AEVABU AGK ARMD ATEV ATM BBFGR BBSAWE BBSTT BGAGR BGMSZS BGPU BGTABST BGTEMPK BGTEV DECJ DFFT DFFTK DFPM DKATLRS DKRNT DKRS DLSU DMDDLU DMDFON DMDLU DMDLUA DMDMIL DMDSTP DMDUE DNWS DTKAT DVFZ ESGRU ESNST ESSTT ESUK ESUKAS ESVW ESWL F1MD FUEDK FUEREG GGDPG GGDVE GGHFM GGKS GGLSU GGPED GK KOS KRDY KRKE KRRA KWP2000F KWPIOC LAKH LAMBTS LAMFAW LLRBB LLRNS LLRRM LRA LRAEB LRS LRSEB LRSHK LRSKA MDBAS MDFUE MDKOL MDMAX MDVERB MDZUL NWS PROKON RKTI RUNTIME SLS SSTB STADAP SU TEB UFNC VMAXMD WANWKW WFS ZUE ZUESZ ZWGRU ZWMIN ZWSTT ZWWL]
                movbz   r14, rl         ; rl : relative air charge [BGSRM ATM BGAGR BGTEMPK DFFT DKATLRS DLLR DLSU DMDDLU DMDFON DMDLU DMDLUA DMDMIL DMDSTP DTESK DTKAT ESGRU ESNST ESUKAS ESVW ESWL GGDVE GGHFM GGKS GGLSU GK KRDY KRRA LAKH LAMBTS LLRNS LRA LRS LRSEB LRSHK NMAXMD NWS RUNTIME SLS SSTB TEB UFRLC ZWGRU ZWMIN ZWWL]
                calls   0, Lookup_2D_Byte_table ; 2D Lookup Byte Arguments usually Fuel related
                                        ;
                                        ; r12= Map address, 1st byte width, 2nd byte height
                                        ; r13= Y
                                        ; r14= X
                movb    fkhfm, rl4      ; fkhfm : HFM correction factor [GGHFM]
                movbz   r4, fpuk        ; fpuk : HFM correction factor in the pulsation range [GGHFM]
                movbz   r5, fkhfm       ; fkhfm : HFM correction factor [GGHFM]
                mul     r4, r5
                mov     restore_MDL, MDL
                mov     r4, MDL
                mov     r9, [r0+]
                rets

360trev
« Reply #22 on: November 30, 2018, 03:16:12 PM »

One last example before I pack up for the night :D

$ me7vars.exe PROKON                     
    1) addr=0x00818190 name="CDHSVSA" (;s
    2) addr=0x00810003 name="CDAGRL" (;s)
    3) addr=0x00810008 name="CDHSHE" (;s)
    4) addr=0x0081000a name="CDHSVE" (;s)
    5) addr=0x00810002 name="CDAGR" (;s)
    6) addr=0x00810004 name="CDATR" (;s)
    7) addr=0x00810005 name="CDATS" (;s)
    8) addr=0x00810006 name="CDDST" (;s)
    9) addr=0x00810007 name="CDHSH" (;s)
   10) addr=0x00810009 name="CDHSV" (;s)
   11) addr=0x0081000d name="CDLASH" (;s)
   12) addr=0x0081000e name="CDLATP" (;s)
   13) addr=0x0081000f name="CDLATV" (;s)
   14) addr=0x0081000b name="CDKAT" (;s)
   15) addr=0x0081000c name="CDKVS" (;s)
   16) addr=0x00810010 name="CDLDP" (;s)
   17) addr=0x00810011 name="CDLLR" (;s)
   18) addr=0x00810012 name="CDLSH" (;s)
   19) addr=0x00810013 name="CDLSV" (;s)
   20) addr=0x00810015 name="CDNWS" (;s)
   21) addr=0x00810016 name="CDSLS" (;s)
   22) addr=0x00810018 name="CDSWE" (;s)
   23) addr=0x0081001a name="CDTES" (;s)
   24) addr=0x00810017 name="CDSLSE" (;s)
   25) addr=0x00810025 name="CWUHR" (;s)
   26) addr=0x0081001e name="CWKONABG" (;
   27) addr=0x0081001f name="CWKONFZ1" (;
   28) addr=0x0081001c name="CWERFIL" (;s
   29) addr=0x00818191 name="CWTKAT" (;s)
   30) addr=0x00810014 name="CDMD" (;s) 
   31) addr=0x00810024 name="CWTF" (;s) 
   32) addr=0x0081001d name="CWKLIMA" (;s
   33) addr=0x00810020 name="CWKONLS" (;s
   34) addr=0x00810019 name="CDTANKL" (;s
   35) addr=0x00380a01 name="cw_obd" (;s)
   36) addr=0x00810027 name="NSWO1" (;s)
   37) addr=0x00810028 name="NSWO2" (;s)
                                         
This is function PROKON which accesses the codewords we all seem to want to mess around with. Have fun :)

nyet
« Reply #23 on: November 30, 2018, 05:36:02 PM »

If you use .csv we can be assured to be able to convert it to anything else, including IDA scripts or ME7Logger defs...

I'm on travel so I don't have access to my desktop..  will definitely check this out when I get home..

Please consider using the 2.7t 551M as your first non-Ferrari test, thx :)

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
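
The CSV conversion suggested in Reply #23, sketched as an added example (not code from me7vars, ME7Logger or anyone in the thread): it parses the me7vars listing format shown in the earlier replies, tags each address with the memory region it falls in, and writes CSV. The CSV column names and the flash window bounds are assumptions; the two RAM windows are the ones quoted in Reply #16.

```python
import csv
import io
import re
from collections import Counter

# Address windows. The two RAM windows are the ones quoted in the thread
# (0xExxx-0xFxxx internal, 0x38xxxx external). The flash window is an
# assumption inferred from the 0x81xxxx addresses in the listings.
REGIONS = [
    ("internal_ram", 0x00E000, 0x00FFFF),
    ("external_ram", 0x380000, 0x38FFFF),
    ("flash",        0x800000, 0x8FFFFF),
]

# One listing row: optional "N)" index, then addr=0x... name="...".
# The trailing "(;s)" column is ignored because some pastes cut it off.
ROW = re.compile(r'^\s*(?:(\d+)\)\s*)?addr=0x([0-9a-fA-F]+)\s+name="([^"]+)"')

# Sample input: the ZUE listing as posted in Reply #19.
ZUE_LISTING = '''\
$ me7vars.exe ZUE

    1) addr=0x00811ce6 name="WMNDOPZ" (;s)
    2) addr=0x00811ce7 name="ZWAPPL" (;s)
    3) addr=0x00811ce5 name="NACHANZ" (;s)
    4) addr=0x0081986e name="WPHN" (;s)
    5) addr=0x00380d14 name="wphg" (;s)
    6) addr=0x00380d15 name="zwbasar_0_A" (;s)
    7) addr=0x00380d16 name="zwbasar_1_A" (;s)
    8) addr=0x00380d17 name="zwbasar_2_A" (;s)
    9) addr=0x00380d18 name="zwbasar_3_A" (;s)
'''


def classify(addr):
    """Return the name of the memory window that contains addr."""
    for region, lo, hi in REGIONS:
        if lo <= addr <= hi:
            return region
    return "unknown"


def parse_listing(text):
    """Turn me7vars output into a list of dicts, skipping non-row lines."""
    entries = []
    seen = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt line, blank line, "// Total defines", ...
        addr = int(m.group(2), 16)
        name = m.group(3)
        if (addr, name) in seen:
            continue  # wildcard searches can list a symbol more than once
        seen.add((addr, name))
        region = classify(addr)
        entries.append({
            "name": name,
            "address": addr,
            "region": region,
            # Only RAM variables change at run time, so only they are
            # candidates for live logging; flash entries are maps/constants.
            "loggable": region.endswith("_ram"),
        })
    return entries


def region_counts(entries):
    """Count entries per memory region."""
    return Counter(e["region"] for e in entries)


def to_csv(entries):
    """Serialise entries as CSV, sorted by address."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "address", "region", "loggable"])
    for e in sorted(entries, key=lambda e: e["address"]):
        writer.writerow(
            [e["name"], "0x%06X" % e["address"], e["region"], int(e["loggable"])]
        )
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_listing(ZUE_LISTING)
    print(dict(region_counts(parsed)))
    print(to_csv(parsed), end="")
```

The region counts for the ZUE listing come out as 5 external-RAM and 4 flash entries, matching the split described in Reply #19.
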
360trev
« Reply #24 on: December 04, 2018, 03:07:18 AM »

Hi Nyet,

Thanks for the note. I will support CSV. I am thinking of making an integrated IDE for the disassembler to make it more user friendly. This will be specifically geared towards understanding Bosch ME firmware images. Concentrating on C16x/ST10 variants in the first instance and of course could be extended to Tricore later (actually tricore is easier since much more information is available on it and I have a working board and working C compilers which helps, heck there is even an Arduino style tricore board I have).

Anyway, since I have close to 3,000 ram variables which could be potentially logged via K-line (using McMess), what are the most interesting ones to focus on? Doing this many is surely going to confuse people. Many of them are used internally within functions for example so probably not so interesting once pulled.

On to the topic of logging.
I'd like to make a proper stand alone logger with wifi logging built in (perhaps an ESP32 controller for Wifi and Bluetooth). It's pretty simple to connect K-Line to any microcontroller (including the PC) actually..

For PC just get one of these $2 units which is nothing more than an FTDI to RS232 serial converter so you can get K-Line into USB...
https://www.ebay.co.uk/itm/5V-3-3V-USB-FT232RL-To-Serial-232-Adapter-Download-Cable-Module-For-Arduino-UK/152215744554?epid=2117884573&hash=item2370c3f02a:g:cy4AAOSwCyFbNFb6:rk:2:pf:0

And then wire the Transmit and Receive pins to an L9637D K-Line transceiver... Again $2... For microcontroller you can connect the L9637D directly to a Serial UART..
https://www.ebay.co.uk/itm/2PCS-L9637D-SOP8-ST-IC-INTERFACE-BUS-ISO-9141-8-SOIC-NEW-GOOD-QUALITY/201415108963?hash=item2ee546a963:g:FDQAAOSwVFlT2wW1:rk:2:pf:0

With the other end going to your K-Line on your OBD port...

This project could be a good starting point as its based on a readily available STM32 embedded controller and it comes with full source-code on github and already out of the box supports K-Line and CAN.
https://serwis.avt.pl/manuals/AVT5271.pdf

However to get started instead of having to build your own board (which can come later) during prototyping it's easier to get an off the shelf pre-made STM32F103 development board from China again and simply wire up the 3 pins to the L9637D K-Line converter... Voila! You can now communicate with the ECU directly, reflash it, etc. all from a stand alone board. Power can come directly from OBD port...

Had any thoughts about this? Or willing to contribute some time???