nyet
« Reply #15 on: May 20, 2017, 04:18:20 PM »
what's the meaning of #10h ?
r4 &= 00010000
nubcake
« Reply #16 on: May 21, 2017, 05:55:22 AM »
> how to jump to there from nls routine?
You don't. You set up some kind of "NLS active" flag in your original routine and check for it in KR one.
armageddon
« Reply #17 on: May 21, 2017, 06:52:18 AM »
all of you already helped me a lot, but if you could help me a little more with the code....
this is what I'm thinking, but not sure where to place it, does it have to be inside nls routine or can be placed outside

loc_875E06: ; CODE XREF: ROM:loc_875DF8j
ROM:875E06 jnb word_FDB4.0, loc_875E1C
ROM:875E0A jnb word_FD92.9, loc_875E1C
ROM:875E0E calls 8Ah, sub_8Axxxx
ROM:875E12 and r4, #10h
ROM:875E16 jmpr cc_Z, loc_875E1C
ROM:875E18 bset word_FD90.10
ROM:875E1A jmpr cc_UC, loc_875E1E
ROM:875E1C ; ---------------------------------------------------------------------------
ROM:875E1C
ROM:875E1C loc_875E1C: ; CODE XREF: ROM:875E04j
ROM:875E1C ; ROM:loc_875E06j ...
ROM:875E1C bclr word_FD90.10
ROM:875E1E

sub_8Axxxx:
movbz r4, byte_A50E
jnb word_Fxxx.0, locret_8Azzzz
and r4, #EFh
locret_8Azzzz:
rets

set bit Fxxx.0 somewhere before/after trsldyn on NLS

ROM:8A4690 jnb word_FD5C.9, loc_8A46BA
ROM:8A4694 mov r4, word_9E7C
ROM:8A4698 exts #81h, #1 ; 'ü'
ROM:8A469C mov r9, word_817200
ROM:8A46A0 cmp r4, r9
ROM:8A46A2 jmpr cc_NC, loc_8A46BA
ROM:8A46A4 mov r4, word_F802
ROM:8A46A8 exts #81h, #1 ; 'ü'
ROM:8A46AC mov r9, word_817202
ROM:8A46B0 cmp r4, r9
ROM:8A46B2 jmpr cc_ULE, loc_8A46BA
ROM:8A46B4 movb byte_8CB2, ZEROS
ROM:8A46B8 jmpr cc_UC, loc_8A4718
ROM:8A46BA ; ---------------------------------------------------------------------------
ROM:8A46BA
ROM:8A46BA loc_8A46BA: ; CODE XREF: ROM:8A4690j
ROM:8A46BA ; ROM:8A46A2j ...
ROM:8A46BA jnb word_FD5C.9, loc_8A4710
ROM:8A46BE jb word_FD5C.5, loc_8A4706
ROM:8A46C2 mov r4, word_F802
ROM:8A46C6 exts #81h, #1 ; 'ü'
ROM:8A46CA mov r9, word_817206
ROM:8A46CE cmp r4, r9
ROM:8A46D0 jmpr cc_ULE, loc_8A4706
ROM:8A46D2 movbz r4, byte_8AB0
ROM:8A46D6 exts #81h, #1 ; 'ü'
ROM:8A46DA movbz r9, byte_817208
ROM:8A46DE cmp r4, r9
ROM:8A46E0 jmpr cc_ULE, loc_8A4706
ROM:8A46E2 exts #38h, #1 ; '8'
ROM:8A46E6 mov r4, word_384FF0
ROM:8A46EA exts #81h, #1 ; 'ü'
ROM:8A46EE mov r9, word_817204
ROM:8A46F2 cmp r4, r9
ROM:8A46F4 jmpr cc_NC, loc_8A4718
ROM:8A46F6 movb byte_8CB2, ZEROS
ROM:8A46FA add r4, #1
ROM:8A46FC exts #38h, #1 ; '8'
ROM:8A4700 movb word_384FF0, rl4
ROM:8A4704 jmpr cc_UC, loc_8A4718
ROM:8A4706 ; ---------------------------------------------------------------------------
ROM:8A4706
ROM:8A4706 loc_8A4706: ; CODE XREF: ROM:8A46BEj
ROM:8A4706 ; ROM:8A46D0j ...
ROM:8A4706 exts #38h, #1 ; '8'
ROM:8A470A mov word_384FF0, ONES
ROM:8A470E jmpr cc_UC, loc_8A4718
ROM:8A4710 ; ---------------------------------------------------------------------------
ROM:8A4710
ROM:8A4710 loc_8A4710: ; CODE XREF: ROM:loc_8A46BAj
ROM:8A4710 exts #38h, #1 ; '8'
ROM:8A4714 mov word_384FF0, ZEROS
ROM:8A4718
ROM:8A4718 loc_8A4718: ; CODE XREF: ROM:8A46B8j
ROM:8A4718 ; ROM:8A46F4j ...
ROM:8A4718 movb rl4, byte_8AA4
ROM:8A471C rets
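Added illustration, not part of the post above and not code from any ECU image: a C model of the first two listings as written, so the effect of the #10h test and the #EFh mask can be checked on a PC before touching a ROM. Reading word_Fxxx.0 as the "NLS active" flag, the initial values, and the run_pass helper are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the cells named in the listing (values assumed). */
static uint8_t  byte_A50E = 0x10;    /* byte read by the helper            */
static uint16_t word_FDB4 = 1u << 0; /* bit 0 tested by the first jnb      */
static uint16_t word_FD92 = 1u << 9; /* bit 9 tested by the second jnb     */
static uint16_t word_FD90 = 0;       /* bit 10 is the result of the block  */
static uint16_t word_Fxxx = 0;       /* bit 0: assumed "NLS active" flag   */

/* sub_8Axxxx: movbz r4, byte_A50E / jnb word_Fxxx.0 / and r4, #EFh / rets */
static uint16_t sub_8Axxxx(void)
{
    uint16_t r4 = byte_A50E;         /* movbz zero-extends the byte        */
    if (word_Fxxx & 1u)              /* jnb skips the mask if flag clear   */
        r4 &= 0xEF;                  /* clears bit 4 in the copy only      */
    return r4;
}

/* loc_875E06..875E1E: returns the resulting state of word_FD90.10 */
static bool loc_875E06(void)
{
    if ((word_FDB4 & (1u << 0)) && (word_FD92 & (1u << 9)) &&
        (sub_8Axxxx() & 0x10))       /* and r4, #10h tests bit 4 only      */
        word_FD90 |= 1u << 10;       /* bset word_FD90.10                  */
    else
        word_FD90 &= (uint16_t)~(1u << 10); /* bclr word_FD90.10           */
    return (word_FD90 >> 10) & 1u;
}

/* Hypothetical helper: set the inputs, run one pass, report bit 10. */
static bool run_pass(uint8_t cfg, bool nls_active)
{
    byte_A50E = cfg;
    word_Fxxx = nls_active ? 1u : 0u;
    return loc_875E06();
}

int main(void)
{
    printf("cfg=10h nls=0 -> %d\n", run_pass(0x10, false));
    printf("cfg=10h nls=1 -> %d\n", run_pass(0x10, true));
    printf("cfg=FFh nls=1 -> %d\n", run_pass(0xFF, true));
    printf("byte_A50E afterwards: %02Xh\n", (unsigned)byte_A50E);
    return 0;
}
```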
prj
« Reply #18 on: May 21, 2017, 03:42:15 PM »
You need to read some programming basics. You have no idea what you are doing.
Learn at least a programming language, hell QBASIC will do.
Khendal
« Reply #19 on: May 22, 2017, 02:56:36 PM »
I've found this condition on FR... for Knock control active:
Condition KC active:
B_kr: (( rl > LKRN ) v B_krldy ) & ( tmot > TMKR ) & B_stend
Maybe we need to change this condition by entering a check inside on a nls variable on or off. Something like:
(( rl > LKRN ) v B_krldy ) & ( tmot > TMKR ) & B_stend & NLS_off
I've also found this info... if needed:
The knock control can be switched off via the label TMKR: TMKR > tmot ==> !B_kr
« Last Edit: May 22, 2017, 03:08:43 PM by Khendal »
jcsbanks
« Reply #20 on: May 23, 2017, 10:16:18 AM »
I have no idea about ME7, but have modified a lot of C167 code on MS43, so some general tips.
You need to work out how to intervene on a functional level first. Often there are a range of options that vary from trivial to complex to code. You need to think about all the side effects and possible side effects.
As others have pointed out, the logic and data integrity is everything, you need to be writing something that isn't going to get trampled by something else writing the same, especially if more frequently than you or causing an oscillation.
If you can achieve a result with existing code by altering a map or a codeword, do so.
If that isn't possible, consider whether to change an axis of an existing map to change it to do what you want.
Or a strategically placed NOP, change to a branch condition etc.
Or change the address of a pointer and make a new one (find free space, initialise the value, change code that uses your pointer).
Sometimes you need to add a hook by replacing an existing instruction with a jmp or call. Or change the address of an existing jmp or call.
Preserve register integrity, don't screw the stack. Have a way to boot recover your ECU when you mess it up. Simulate everything. Don't assume anything, Bosch are very clever. Dunning Kruger zone alert.
Edit: also, label your disasm. It will then make a lot more sense to you and everyone reading. You probably have an a2l for your ROM, so import it into your idb. If you don't, work on one for which you do until you understand it.
« Last Edit: May 23, 2017, 10:22:08 AM by jcsbanks »
armageddon
« Reply #21 on: May 30, 2017, 11:37:32 AM »
Just to give some feedback, b_kr disabled in the right place did the trick. From today's test it is working fine, but will do some logs to make sure that everything is working as it should. Thanks to all that contributed for this.
Khendal
« Reply #22 on: May 30, 2017, 02:37:18 PM »
> Just to give some feedback, b_kr disabled in the right place did the trick. From today's test it is working fine, but will do some logs to make sure that everything is working as it should. Thanks to all that contributed for this.
Ohhh really. Nice work
woj
« Reply #23 on: March 15, 2018, 12:53:00 PM »
Let's try this here, B_kr seems easy enough, but I am also trying to figure out dmd. B_dmdstop seems to be impossible to locate in the code for me (it is mostly in procedures where there are several other bit flags manipulated, very hard to tell which is which, and I am losing my patience with this). But, as with CWKR, I could do it with moving CDMD to RAM and switch it there. I found the code where CDMD goes to B_cdmd and then everything follows. But what I'd need to know, if that is crank synchronous, or periodic (100ms or else). I can see that in the same loop there are DTC reporting procedures for IAT or CTS for example, but I am still not 100% sure about the procedure's frequency. Anyone?
(Yes, I know that for "big boy" applications with NLS/LC one can just turn off CDMD, unlike CWKR that should be retained, nevertheless I want to know).
EDIT: I might have found a solution that does not require the answer to the posted questions, nevertheless, I'd still be interested in feedback on this.
« Last Edit: March 15, 2018, 03:05:31 PM by woj »
nubcake
« Reply #24 on: March 15, 2018, 06:16:24 PM »
> Let's try this here, B_kr seems easy enough, but I am also trying to figure out dmd. B_dmdstop seems to be impossible to locate in the code for me (it is mostly in procedures where there are several other bit flags manipulated, very hard to tell which is which, and I am losing my patience with this). But, as with CWKR, I could do it with moving CDMD to RAM and switch it there. I found the code where CDMD goes to B_cdmd and then everything follows. But what I'd need to know, if that is crank synchronous, or periodic (100ms or else). I can see that in the same loop there are DTC reporting procedures for IAT or CTS for example, but I am still not 100% sure about the procedure's frequency. Anyone?
> (Yes, I know that for "big boy" applications with NLS/LC one can just turn off CDMD, unlike CWKR that should be retained, nevertheless I want to know).
> EDIT: I might have found a solution that does not require the answer to the posted questions, nevertheless, I'd still be interested in feedback on this.
Dxxx (diag) routines usually run at 100ms intervals. Scheduler is actually fairly easy to figure out. If the function reads "zzyl", it's likely to lead you to cylinder sync intervals. Main load signal voltage (e.g. udss_w) will be written to by 1ms ADC. "slow" periods (50/100/200/1000 ms) as well as "init" will be called from a list of offsets in the bin. "fast" periods (sync/10/20) will be called by big functions with a lot of calls in them. Etc. P.S. Just turning off misfire detection completely is not a "big boy" application, it's a crude hack.
woj
« Reply #25 on: March 16, 2018, 06:51:51 AM »
Thanks a lot! This is in sync with what I see in the code and it parks me closer to what I want to know (and I have all these bin offsets / call vectors nicely defined), but I'd need to do some experiments to confirm the timings. For some other work I have identified the init and 100ms vectors, but never looked deeper as that was the only thing I needed. And I am probably guessing right that some of these call vectors are going to be alive only when the engine is?
Yes, I also like elegant solutions, but I did experience people saying "why you spend so much time on it, just make it go fast and forget the rest". Well, these guys later post "I have a X-mas tree of DTCs, what's going on" or "I blew my engine up".
EDIT: If it helps anybody - looking for the family of AUFW constants gives you almost an instant answer as to which vector / procedure loop is which.
On my ECU: dwell times are calculated and used at crank sync (daah?), CWKR / B_kr is done every 10ms, not 100% sure about CDMD, but it seems to run every 100ms with other diagnostic procedures.
« Last Edit: March 16, 2018, 07:53:23 AM by woj »
TijnCU
« Reply #26 on: March 18, 2018, 03:03:57 PM »
Without overcomplicating things:

seg003:21EAC extp #206h, #1
seg003:21EB0
seg003:21EB0 CDMDcheck: ; call to misfire disable here, replace cdmd with 0
seg003:21EB0 movbz r4, byte_CDMD
seg003:21EB4 and r4, #1
seg003:21EB6 jmpr cc_Z, loc_821EC0

Or this:

seg003:42EE6 movb rl4, nmot
seg003:42EEA
seg003:42EEA NMIDLUcheck: ; call to misfire disable here, you can even choose whether you'd like to
seg003:42EEA cmpb rl4, NMIDLU ; replace nmot with a low value or replace nmidlu with a high one.
seg003:42EEE jmpr cc_C, loc_842EF4
seg003:42EF0 bclr USR0
seg003:42EF2 jmpr cc_UC, loc_842EF6
woj
« Reply #27 on: March 18, 2018, 04:00:37 PM »
Did not get my head around the first option yet, the second one though - that's only disabling one of the detection methods (DMDLU - irregular running), isn't it? Is that sufficient?
In any case - good stuff, this should eventually get me to what I want.
TijnCU
« Reply #28 on: March 18, 2018, 05:33:08 PM »
The first one is a bitwise check of the "Eurobyte CDMD". 1=misfire detection enabled, 0=misfire detection disabled. Not sure if it runs all the time, but the second one will be live during operation in any case.
woj
« Reply #29 on: March 19, 2018, 03:39:37 PM »
OK, I now have identified B_dmdstop in the code with 99.9% confidence, and it looks like the one I should use. Unless somebody convinces me otherwise...