Author Topic: Disable kr during nls  (Read 43573 times)
nyet
« Reply #15 on: May 20, 2017, 04:18:20 PM »

> what's the meaning of #10h ?

r4 &= 00010000

nubcake
« Reply #16 on: May 21, 2017, 05:55:22 AM »

> how to jump to there from nls routine?

You don't.
You set up some kind of "NLS active" flag in your original routine and check for it in KR one.

armageddon
« Reply #17 on: May 21, 2017, 06:52:18 AM »

all of you already helped me a lot, but if you could help me a little more with the code....

this is what I'm thinking, but not sure where to place it, does it have to be inside nls routine or can be placed outside

Code:
loc_875E06:                             ; CODE XREF: ROM:loc_875DF8j
ROM:875E06                 jnb     word_FDB4.0, loc_875E1C
ROM:875E0A                 jnb     word_FD92.9, loc_875E1C
ROM:875E0E                 calls   8Ah, sub_8Axxxx
ROM:875E12                 and     r4, #10h
ROM:875E16                 jmpr    cc_Z, loc_875E1C
ROM:875E18                 bset    word_FD90.10
ROM:875E1A                 jmpr    cc_UC, loc_875E1E
ROM:875E1C ; ---------------------------------------------------------------------------
ROM:875E1C
ROM:875E1C loc_875E1C:                             ; CODE XREF: ROM:875E04j
ROM:875E1C                                         ; ROM:loc_875E06j ...
ROM:875E1C                 bclr    word_FD90.10
ROM:875E1E


 

Code:
 sub_8Axxxx:                      movbz   r4, byte_A50E
                                  jnb     word_Fxxx.0, locret_8Azzzz
                                  and     r4, #EFh   

 locret_8Azzzz:                         
                                  rets

set bit Fxxx.0 somewhere before/after trsldyn on NLS

Code:
ROM:8A4690                 jnb     word_FD5C.9, loc_8A46BA
ROM:8A4694                 mov     r4, word_9E7C
ROM:8A4698                 exts    #81h, #1 ; 'ü'
ROM:8A469C                 mov     r9, word_817200
ROM:8A46A0                 cmp     r4, r9
ROM:8A46A2                 jmpr    cc_NC, loc_8A46BA
ROM:8A46A4                 mov     r4, word_F802
ROM:8A46A8                 exts    #81h, #1 ; 'ü'
ROM:8A46AC                 mov     r9, word_817202
ROM:8A46B0                 cmp     r4, r9
ROM:8A46B2                 jmpr    cc_ULE, loc_8A46BA
ROM:8A46B4                 movb    byte_8CB2, ZEROS
ROM:8A46B8                 jmpr    cc_UC, loc_8A4718
ROM:8A46BA ; ---------------------------------------------------------------------------
ROM:8A46BA
ROM:8A46BA loc_8A46BA:                             ; CODE XREF: ROM:8A4690j
ROM:8A46BA                                         ; ROM:8A46A2j ...
ROM:8A46BA                 jnb     word_FD5C.9, loc_8A4710
ROM:8A46BE                 jb      word_FD5C.5, loc_8A4706
ROM:8A46C2                 mov     r4, word_F802
ROM:8A46C6                 exts    #81h, #1 ; 'ü'
ROM:8A46CA                 mov     r9, word_817206
ROM:8A46CE                 cmp     r4, r9
ROM:8A46D0                 jmpr    cc_ULE, loc_8A4706
ROM:8A46D2                 movbz   r4, byte_8AB0
ROM:8A46D6                 exts    #81h, #1 ; 'ü'
ROM:8A46DA                 movbz   r9, byte_817208
ROM:8A46DE                 cmp     r4, r9
ROM:8A46E0                 jmpr    cc_ULE, loc_8A4706
ROM:8A46E2                 exts    #38h, #1 ; '8'
ROM:8A46E6                 mov     r4, word_384FF0
ROM:8A46EA                 exts    #81h, #1 ; 'ü'
ROM:8A46EE                 mov     r9, word_817204
ROM:8A46F2                 cmp     r4, r9
ROM:8A46F4                 jmpr    cc_NC, loc_8A4718
ROM:8A46F6                 movb    byte_8CB2, ZEROS
ROM:8A46FA                 add     r4, #1
ROM:8A46FC                 exts    #38h, #1 ; '8'
ROM:8A4700                 movb    word_384FF0, rl4
ROM:8A4704                 jmpr    cc_UC, loc_8A4718
ROM:8A4706 ; ---------------------------------------------------------------------------
ROM:8A4706
ROM:8A4706 loc_8A4706:                             ; CODE XREF: ROM:8A46BEj
ROM:8A4706                                         ; ROM:8A46D0j ...
ROM:8A4706                 exts    #38h, #1 ; '8'
ROM:8A470A                 mov     word_384FF0, ONES
ROM:8A470E                 jmpr    cc_UC, loc_8A4718
ROM:8A4710 ; ---------------------------------------------------------------------------
ROM:8A4710
ROM:8A4710 loc_8A4710:                             ; CODE XREF: ROM:loc_8A46BAj
ROM:8A4710                 exts    #38h, #1 ; '8'
ROM:8A4714                 mov     word_384FF0, ZEROS
ROM:8A4718
ROM:8A4718 loc_8A4718:                             ; CODE XREF: ROM:8A46B8j
ROM:8A4718                                         ; ROM:8A46F4j ...
ROM:8A4718                 movb    rl4, byte_8AA4
ROM:8A471C                 rets


prj
« Reply #18 on: May 21, 2017, 03:42:15 PM »

You need to read some programming basics.
You have no idea what you are doing.

Learn at least a programming language, hell QBASIC will do.

Khendal
« Reply #19 on: May 22, 2017, 02:56:36 PM »

I've found this condition on FR... for Knock control active :

Condition KC active : B_kr : (( rl > LKRN ) v B_krldy ) & ( tmot > TMKR ) & B_stend

Maybe we need to change this condition by entering a check inside on a nls variable on or off ???

Something like :

(( rl > LKRN ) v B_krldy ) & ( tmot > TMKR ) & B_stend & NLS_off

I've also found this info... if needed :

The knock control can be switched off via the label TMKR: TMKR > tmot ==> !B_kr
« Last Edit: May 22, 2017, 03:08:43 PM by Khendal »

jcsbanks
« Reply #20 on: May 23, 2017, 10:16:18 AM »

I have no idea about ME7, but have modified a lot of C167 code on MS43, so some general tips.

You need to work out how to intervene on a functional level first. Often there are a range of options that vary from trivial to complex to code. You need to think about all the side effects and possible side effects.

As others have pointed out, the logic and data integrity is everything, you need to be writing something that isn't going to get trampled by something else writing the same, especially if more frequently than you or causing an oscillation.

If you can achieve a result with existing code by altering a map or a codeword, do so.

If that isn't possible, consider whether to change an axis of an existing map to change it to do what you want.

Or a strategically placed NOP, change to a branch condition etc.

Or change the address of a pointer and make a new one (find free space, initialise the value, change code that uses your pointer).

Sometimes you need to add a hook by replacing an existing instruction with a jmp or call. Or change the address of an existing jmp or call.

Preserve register integrity, don't screw the stack. Have a way to boot recover your ECU when you mess it up. Simulate everything. Don't assume anything, Bosch are very clever. Dunning Kruger zone alert.

Edit: also, label your disasm. It will then make a lot more sense to you and everyone reading. You probably have an a2l for your ROM, so import it into your idb. If you don't, work on one for which you do until you understand it.
« Last Edit: May 23, 2017, 10:22:08 AM by jcsbanks »
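
Added example (not code from any poster in this thread): a C model of the hook from Reply #17, checked exhaustively in the spirit of "Simulate everything" from Reply #20. Field and function names other than sub_8Axxxx are hypothetical, and the unhooked routine is assumed to load byte_A50E directly where the post shows the calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Inputs read by the routine at loc_875E06. Field names are hypothetical;
   the thread only gives addresses. */
typedef struct {
    bool    fdb4_0;     /* word_FDB4.0 */
    bool    fd92_9;     /* word_FD92.9 */
    uint8_t byte_a50e;  /* byte_A50E; bit 4 (#10h) is the one tested */
    bool    nls_flag;   /* word_Fxxx.0, set by the NLS routine */
} kr_inputs;

/* sub_8Axxxx from the post: load the byte, clear bit 4 while the flag is set. */
static uint16_t sub_8Axxxx(const kr_inputs *in) {
    uint16_t r4 = in->byte_a50e;       /* movbz r4, byte_A50E */
    if (in->nls_flag) r4 &= 0xEF;      /* jnb skipped -> and r4, #EFh */
    return r4;                         /* rets */
}

/* Value written to word_FD90.10. hooked=false models the ASSUMED original
   (a plain load of byte_A50E in place of the calls instruction). */
bool kr_enable_bit(const kr_inputs *in, bool hooked) {
    if (!in->fdb4_0 || !in->fd92_9) return false;   /* both jnb -> bclr */
    uint16_t r4 = hooked ? sub_8Axxxx(in) : in->byte_a50e;
    return (r4 & 0x10) != 0;           /* and r4, #10h; cc_Z -> bclr else bset */
}

/* Exhaustive check over every input combination. Counts cases that break
   either property: flag clear -> identical to the original routine;
   flag set -> the output bit is always cleared. 0 means the hook is sound. */
int count_hook_violations(void) {
    int bad = 0;
    for (int v = 0; v < 256; v++)
        for (int m = 0; m < 8; m++) {
            kr_inputs in = { m & 1, (m >> 1) & 1, (uint8_t)v, (m >> 2) & 1 };
            bool orig = kr_enable_bit(&in, false);
            bool hook = kr_enable_bit(&in, true);
            if (in.nls_flag ? hook : (hook != orig)) bad++;
        }
    return bad;
}

int main(void) {
    printf("violations: %d\n", count_hook_violations());
    return 0;
}
```

The model covers only the register and flag logic visible in the listing; it says nothing about which task rate the routine runs at or whether another routine rewrites the same bits.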
armageddon
« Reply #21 on: May 30, 2017, 11:37:32 AM »

Just to give some feedback,

b_kr  disabled in the right place did the trick

from today test it is working fine but will do some logs to make sure that everything is working as it should

thanks to all that contributed for this ;)

Khendal
« Reply #22 on: May 30, 2017, 02:37:18 PM »

> Just to give some feedback,
>
> b_kr  disabled in the right place did the trick
>
> from today test it is working fine but will do some logs to make sure that everything is working as it should
>
> thanks to all that contributed for this ;)

Ohhh really ??? Nice work ;)

woj
« Reply #23 on: March 15, 2018, 12:53:00 PM »

Let's try this here, B_kr seems easy enough, but I am also trying to figure out dmd. B_dmdstop seems to be impossible to locate in the code for me (it is mostly in procedures where there are several other bit flags manipulated, very hard to tell which is which, and I am losing my patience with this). But, as with CWKR, I could do it with moving CDMD to RAM and switch it there. I found the code where CDMD goes to B_cdmd and then everything follows. But what I'd need to know, if that is crank synchronous, or periodic (100ms or else). I can see that in the same loop there are DTC reporting procedure for IAT or CTS for example, but I am still not 100% sure about the procedure's frequency. Anyone?

(Yes, I know that for "big boy" applications with NLS/LC one can just turn off CDMD, unlike CWKR that should be retained, nevertheless I want to know).

EDIT: I might have found a solution that does not require the answer to the posted questions, nevertheless, I'd still be interested in feedback on this.
« Last Edit: March 15, 2018, 03:05:31 PM by woj »

nubcake
« Reply #24 on: March 15, 2018, 06:16:24 PM »

> Let's try this here, B_kr seems easy enough, but I am also trying to figure out dmd. B_dmdstop seems to be impossible to locate in the code for me (it is mostly in procedures where there are several other bit flags manipulated, very hard to tell which is which, and I am losing my patience with this). But, as with CWKR, I could do it with moving CDMD to RAM and switch it there. I found the code where CDMD goes to B_cdmd and then everything follows. But what I'd need to know, if that is crank synchronous, or periodic (100ms or else). I can see that in the same loop there are DTC reporting procedure for IAT or CTS for example, but I am still not 100% sure about the procedure's frequency. Anyone?
>
> (Yes, I know that for "big boy" applications with NLS/LC one can just turn off CDMD, unlike CWKR that should be retained, nevertheless I want to know).
>
> EDIT: I might have found a solution that does not require the answer to the posted questions, nevertheless, I'd still be interested in feedback on this.

Dxxx (diag) routines usually run at 100ms intervals.
Scheduler is actually fairly easy to figure out. If the function reads "zzyl", it's likely to lead you to cylinder sync intervals.
Main load signal voltage (e.g. udss_w) will be written to by 1ms ADC.
"slow" periods (50/100/200/1000 ms) as well as "init" will be called from a list of offsets in the bin.
"fast" periods (sync/10/20) will be called by big functions with a lot of calls in them.
Etc.

P.S.
Just turning off misfire detection completely is not a "big boy" application, it's a crude hack.

woj
« Reply #25 on: March 16, 2018, 06:51:51 AM »

Thanks a lot! This is in sync with what I see in the code and it parks me closer to what I want to know (and I have all these bin offsets / call vectors nicely defined), but I'd need to do some experiments to confirm the timings. For some other work I have identified the init and 100ms vectors, but never looked deeper as that was the only thing I needed. And I am probably guessing right that some of these call vectors are going to be alive only when the engine is?

Yes, I also like elegant solutions, but I did experience people saying "why you spend so much time on it, just make it go fast and forget the rest". Well, these guys later post "I have a X-mas tree of DTCs, what's going on" or "I blew my engine up" ;)

EDIT: If it helps anybody - looking for the family of AUFW constants gives you almost an instant answer as to which vector / procedure loop is which ;)

On my ECU: dwell times are calculated and used at crank sync (daah?), CWKR / B_kr is done every 10ms, not 100% sure about CDMD, but it seems to run every 100ms with other diagnostic procedures.
« Last Edit: March 16, 2018, 07:53:23 AM by woj »

TijnCU
« Reply #26 on: March 18, 2018, 03:03:57 PM »

Without overcomplicating things:
seg003:21EAC                 extp    #206h, #1
seg003:21EB0
seg003:21EB0 CDMDcheck:                              ; call to misfire disable here, replace cdmd with 0
seg003:21EB0                 movbz   r4, byte_CDMD
seg003:21EB4                 and     r4, #1
seg003:21EB6                 jmpr    cc_Z, loc_821EC0

Or this:
seg003:42EE6                 movb    rl4, nmot
seg003:42EEA
seg003:42EEA NMIDLUcheck:                             ; call to misfire disable here, you can even choose whether you'd like to
seg003:42EEA                 cmpb    rl4, NMIDLU      ; replace nmot with a low value or replace nmidlu with a high one.
seg003:42EEE                 jmpr    cc_C, loc_842EF4
seg003:42EF0                 bclr    USR0
seg003:42EF2                 jmpr    cc_UC, loc_842EF6

woj
« Reply #27 on: March 18, 2018, 04:00:37 PM »

Did not get my head around the first option yet, the second one though - that's only disabling one of the detection methods (DMDLU - irregular running), isn't it? Is that sufficient?

In any case - good stuff, this should eventually get me to what I want.

TijnCU
« Reply #28 on: March 18, 2018, 05:33:08 PM »

The first one is a bitwise check of the "Eurobyte CDMD". 1=misfire detection enabled, 0=misfire detection disabled. Not sure if it runs all the time, but the second one will be live during operation in any case.

woj
« Reply #29 on: March 19, 2018, 03:39:37 PM »

OK, I now have identified B_dmdstop in the code with 99.9% confidence, and it looks like the one I should use. Unless somebody convinces me otherwise...