Topic: EDC16 CANBUS interaction with cluster
nihalot
« on: June 15, 2017, 03:51:58 AM »

The canbus is quite a bit more complicated than EDC15/MED9. A lot of tables along with indirect referencing are used, which makes the code very obscure and difficult to follow.

Fortunately, I had access to an ELF file which, when loaded in IDA, names all the functions, creates segments and names RAM variables. However, the xrefs to RAM variables are not aligned, even though I've set SDA(r13).

Once I had it on bench, it only took around a week to figure out everything...

FrmMng is the proc responsible for preparing the CAN packets.
I needed a way to change ID 280 bytes 3 and 4 (Eng_nAvrg is transmitted on these bytes), so that I can show my own values on the RPM gauge.

In the FR, it is explained that Eng_nAvrg is transmitted over CAN.



However there is no xref to this in the FrmMng_Snd proc. So I searched in the ELF for all Eng_n variables.



After many failed attempts at finding anything relevant, I found an xref to Eng_nAvrg__0__ in the FrmMng proc!

After a lot of studying of the code, I finally found the area responsible for RPM being transmitted over CAN.



FrmMng_TransINT2CANLim is used to apply the factor/offset to and convert the integer variables to CAN packets.

All that needs to be done now is change r3 to the desired value.

I have attached the ELF file for the benefit of other users and because of my general hate for the corporates (screw them!)

PS- please don't PM me for multimap files unless you're willing to pay. I have released the most difficult part of making the file, if you still can't make it, you must pay me/someone else to do it for you.

Regards




www.tangentmotorsport.com

multimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
moodz
« Reply #1 on: July 02, 2019, 05:56:56 AM »

Great job Nihal, keep up the great work.

---------------------------------------
Wayne Modz (ToxicTuning)
AngelPowy
« Reply #2 on: July 13, 2019, 06:28:15 AM »

I don't know if it can help but I see that in my EDC16U1 file R13 is 0x4017f0
I found this in hex 3D A0 00 40 39 AD 17 F0
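The eight bytes quoted in the reply above decode as the PowerPC pair `lis r13, 0x40` / `addi r13, r13, 0x17F0`, which is where the r13 value 0x4017f0 comes from. The Python below is an added example, not code from any poster in this thread: it scans a raw image for such pairs to list candidate SDA bases, and goes slightly beyond the quoted case by also handling `ori` and other base registers. It assumes a big-endian 32-bit PowerPC image with 4-byte-aligned instructions; `find_sda_base` and `SAMPLE` are illustrative names.

```python
import struct
from collections import Counter

def find_sda_base(image: bytes, reg: int = 13, window: int = 4) -> Counter:
    """Count candidate base addresses loaded into `reg` by lis + addi/ori pairs."""
    lis = 0x3C00 | (reg << 5)            # lis rN, imm  (addis rN, 0, imm)
    addi = 0x3800 | (reg << 5) | reg     # addi rN, rN, imm
    ori = 0x6000 | (reg << 5) | reg      # ori  rN, rN, imm
    hits = Counter()
    words = len(image) // 4
    for i in range(words):
        op, hi = struct.unpack_from(">HH", image, i * 4)
        if op != lis:
            continue
        # The low half is usually the next instruction, but allow a small gap.
        for j in range(i + 1, min(i + 1 + window, words)):
            op2, lo = struct.unpack_from(">HH", image, j * 4)
            if op2 == addi:
                # addi sign-extends its 16-bit immediate; ori does not.
                lo = lo - 0x10000 if lo & 0x8000 else lo
                hits[((hi << 16) + lo) & 0xFFFFFFFF] += 1
                break
            if op2 == ori:
                hits[(hi << 16) | lo] += 1
                break
    return hits

# Constructed sample: NOP padding around the eight bytes quoted in the post above.
NOP = bytes.fromhex("60000000")
SAMPLE = NOP * 3 + bytes.fromhex("3DA00040 39AD17F0") + NOP * 2

if __name__ == "__main__":
    for addr, count in find_sda_base(SAMPLE).most_common():
        print(f"r13 candidate 0x{addr:06X} seen {count}x")
```

On a full image the address with the most hits is the one to try as the SDA base in the disassembler; passing `reg=2` checks the second small-data base register the same way.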
jochen_145
« Reply #3 on: September 14, 2019, 01:30:38 AM »

I needed a way to change ID 280 bytes 3 and 4 (Eng_nAvrg is transmitted on these bytes), so that I can show my own values on the RPM gauge.

Be careful with changing the meaning of signals on CAN IDs.

As you already know, CAN bus is multi-master, and ALL controllers connected to the same CAN bus will be affected by your change.
Engine speed is one of the important signals of the AntriebsCAN, so better do not change or bend exactly THIS signal!

(or you have to change every other controller too)

There is a CAN signal which has the same effect you want, but is only read by the cluster.
Use this one.

BR