The canbus is quite a bit more complicated than EDC15/MED9. A lot of tables along with indirect referencing is used, which makes the code very obsure and difficult to follow.
Fortunately, I had access to an ELF file which when loaded in IDA, names all the functions, creates segments and names RAM variables. However the xrefs to RAM variables are not aligned, even though I've set SDA(r13)
Once I had it on bench, it only took around a week to figure out everything...
FrmMng is the proc responsible for preparing the CAN packets.
I needed a way to change ID 280 byte 3 and 4(Eng_nAvrg is transmitted on these bytes), so that I can show my own values on the RPM gauge.
In the FR, it is explained that Eng_nAvrg is transmitted over CAN.
However there is no xref to this in the FrmMng_Snd proc. So I searched in the ELF for all Eng_n variables.
After many failed attemts at finding anything relevant, I found an xref to Eng_nAvrg__0__ in the FrmMng proc!
After a lot of studying of the code, I finally found the area responsible for RPM being transmitted over CAN
FrmMng_TransINT2CANLim is used to apply the factor/offset to and convert the integer variables to CAN packets
All that needs to be done now, is change r3 to the desired value
I have attached the ELF file for benefit of other users and because of my general hate for the corporates(screw them!)
PS- please don't PM me for multimap files unless you're willing to pay. I have released the most difficult part of making the file, if you still can't make it, you must pay me/someone else to do it for you.
Regards
