Author Topic: Reversing an ME7.1.1 St10F27X Audi TT 3.2  (Read 55968 times)
turbojohan
« Reply #15 on: September 12, 2017, 12:15:03 PM »

It is my car and it is making huge flames!
GT innovations did great work on this ECU, as an ST10 ME7 isn't the easiest to add code to!

gt-innovation
« Reply #16 on: September 15, 2017, 02:19:15 PM »

Additions and Fixes.


Gonzo
« Reply #17 on: September 16, 2017, 03:49:24 AM »

Does the code have to be on mpc or can you branch out to flash?
gt-innovation
« Reply #18 on: September 16, 2017, 09:37:44 AM »

Quote from: Gonzo on September 16, 2017, 03:49:24 AM
Does the code have to be on mpc or can you branch out to flash?

At the moment it is on MPC and will stay there for various reasons. The main one is that I don't know how to handle everything correctly when I am outside of the MPC memory addressing scheme, as I am sure I am missing some critical info about the addressing space. I can see some calls in my IDA project that are not correctly translated; however, I do not care about that at the moment.
Gonzo
« Reply #19 on: September 17, 2017, 02:34:43 PM »

I see...

Are you using tsrldyn for cutting ignition?

I'm interested in making some code for ME7.5.20/30 which come with ST10Fxx. I wonder how different this ECU is from those.
nubcake
« Reply #20 on: September 17, 2017, 04:23:15 PM »

Quote from: turbojohan on September 12, 2017, 12:15:03 PM
ST10 ME7 isn't the easiest to add code!

It's just as easy (or hard) as any other ME7, frankly.
MPC area is at 0x0 (with the exception of IRAM & SFRs), flash is at 0x800000.

EDIT: also, you don't really have to disable MPC checksums. They are stored in the flash and can be fixed either manually or by that "free" OLS floating around. Didn't try it with VAG ST10, but works like a charm with Porsche. Load flash and MPC as 2 separate elements of the same project, then run cks plugin.

But you're definitely on the right track!
« Last Edit: September 17, 2017, 04:46:08 PM by nubcake »
gt-innovation
« Reply #21 on: September 18, 2017, 02:18:26 AM »

Quote from: nubcake on September 17, 2017, 04:23:15 PM
It's just as easy (or hard) as any other ME7, frankly.
MPC area is at 0x0 (with the exception of IRAM & SFRs), flash is at 0x800000.

EDIT: also, you don't really have to disable MPC checksums. They are stored in the flash and can be fixed either manually or by that "free" OLS floating around. Didn't try it with VAG ST10, but works like a charm with Porsche. Load flash and MPC as 2 separate elements of the same project, then run cks plugin.

But you're definitely on the right track!

Initially I was trying to load flash at 0x800000 and IDA was not translating the address bytes correctly, and in such a case I cannot rename those addresses appropriately. Then I switched to 0x80000 and everything was fine. As for MPC checksums, I would prefer not to interfere at all; what I understood from this is that you don't need to put the ECU in TEST mode if you are running the MPC cksum off patch.

Given that the ST10F27x has no direct documentation whatsoever, it is harder to match all things as on ME7.5 or other well documented ECUs. Tkmwl is way off at some points... As I said before, it looks like a hybrid ME7/ME9 ECU.
gt-innovation
« Reply #22 on: September 18, 2017, 02:20:46 AM »

Quote from: Gonzo on September 17, 2017, 02:34:43 PM
I see...

Are you using tsrldyn for cutting ignition?

I'm interested in making some code for ME7.5.20/30 which come with ST10Fxx. I wonder how different this ECU is from those.

I haven't checked 7.5.20/30 yet, but if the tsrldyn algo is the same as ME7.5 then yes, you can use it as I do here. On an NASP car do not expect any big flames or crazy bang sound, but it does the job on FI projects.
RBPE
« Reply #23 on: September 18, 2017, 07:41:31 AM »

Quote from: gt-innovation on September 18, 2017, 02:18:26 AM
Initially I was trying to load flash at 0x800000 and IDA was not translating the address bytes correctly, and in such a case I cannot rename those addresses appropriately. Then I switched to 0x80000 and everything was fine. As for MPC checksums, I would prefer not to interfere at all; what I understood from this is that you don't need to put the ECU in TEST mode if you are running the MPC cksum off patch.

Given that the ST10F27x has no direct documentation whatsoever, it is harder to match all things as on ME7.5 or other well documented ECUs. Tkmwl is way off at some points... As I said before, it looks like a hybrid ME7/ME9 ECU.

As far as I can tell only the TT has things like no MLHFM; the mk5 R32 and A3 3.2 8P all have it from what I've seen so far. I wondered why that was, as it looks like older TTs had some of these changes too, but the A3 matches the mk5 Golf, so I don't think it's an ST10-only thing; seems to be TT?
Gonzo
« Reply #24 on: September 18, 2017, 07:59:55 AM »

The biggest issue I have is finding ram variables.

I can easily find nmot_w and rl_w, but the rest isn't so easy. I think that's half the battle with these ECUs.
gt-innovation
« Reply #25 on: September 18, 2017, 09:36:19 AM »

Quote from: RBPE on September 18, 2017, 07:41:31 AM
As far as I can tell only the TT has things like no MLHFM; the mk5 R32 and A3 3.2 8P all have it from what I've seen so far. I wondered why that was, as it looks like older TTs had some of these changes too, but the A3 matches the mk5 Golf, so I don't think it's an ST10-only thing; seems to be TT?

You have MSHFMU, which is actually not described in all or most of the a2l files out there. But if you check some other engines like the S4 V8 you will find it. It is just not called MLHFM, but it looks like one, only shorter. If you took like 5 seconds to look at my definitions you would have seen it... I have defined it myself using another DAMOS from a V8 engine.

Then someone will say there is no MLMIN or MLMAX and/or other maps/limits... Look below at the attached image.
There are tons of maps and things that are not defined in most a2ls, and I am really curious what they all do, so...

There is a point in the code checking the first byte of the MSHFMU (MLMIN) and the last byte of MSHFMU (MLMAX), like a hardcoded check without any kind of actual declaration in any document or a2l.

I have posted all these things, and if anyone likes to understand, he only needs to put the names and the enums I have posted into a freshly made IDA project using the loading details I published on the first page.

Anyway there are too many things and I am still trying to work on those so I can have a good FI solution in the future.

address mlmin 0x8fe490
address mlmax 0x8fe592

« Last Edit: September 18, 2017, 09:38:30 AM by gt-innovation »
gt-innovation
« Reply #26 on: September 18, 2017, 12:29:43 PM »

Quote from: Gonzo on September 18, 2017, 07:59:55 AM
The biggest issue I have is finding ram variables.

I can easily find nmot_w and rl_w, but the rest isn't so easy. I think that's half the battle with these ECUs.

No it is not; once you load the file properly most RAM variables are obvious. However, which RAM variables are you talking about?

I have plenty of stuff on the ST10Fx memory addressing scheme on ME7.5.10/20/30.
RBPE
« Reply #27 on: September 18, 2017, 01:06:37 PM »

Quote from: gt-innovation on September 18, 2017, 09:36:19 AM
You have MSHFMU, which is actually not described in all or most of the a2l files out there. But if you check some other engines like the S4 V8 you will find it. It is just not called MLHFM, but it looks like one, only shorter. If you took like 5 seconds to look at my definitions you would have seen it... I have defined it myself using another DAMOS from a V8 engine.

Then someone will say there is no MLMIN or MLMAX and/or other maps/limits... Look below at the attached image.
There are tons of maps and things that are not defined in most a2ls, and I am really curious what they all do, so...

There is a point in the code checking the first byte of the MSHFMU (MLMIN) and the last byte of MSHFMU (MLMAX), like a hardcoded check without any kind of actual declaration in any document or a2l.

I have posted all these things, and if anyone likes to understand, he only needs to put the names and the enums I have posted into a freshly made IDA project using the loading details I published on the first page.

Anyway there are too many things and I am still trying to work on those so I can have a good FI solution in the future.

address mlmin 0x8fe490
address mlmax 0x8fe592



Yeah, I went through such changes a while back in the definition files area regarding Jim's TT mk2 3.2T, covered it then. I generally used Porsche files if I remember right; just trying to rescue data at the mo to help out:

[image: 997 TT Defining by Rick B, on Flickr]

I think the mk1 TT DAMOS file knocking about has it too, doesn't it? The MLHFM map is way off, which I think is why I assumed it used an MSHFMU map too, hence mentioning the TT based changes only, regardless of ST10 or not? Didn't have much call to investigate further though at the time.
« Last Edit: July 05, 2018, 02:14:16 PM by RBPE »
Gonzo
« Reply #28 on: September 18, 2017, 01:46:51 PM »

Quote from: gt-innovation on September 18, 2017, 12:29:43 PM
No it is not; once you load the file properly most RAM variables are obvious. However, which RAM variables are you talking about?

I have plenty of stuff on the ST10Fx memory addressing scheme on ME7.5.10/20/30.

I'll be honest... I haven't spent a lot of time on it. I need to understand the memory scheme a bit better.
nubcake
« Reply #29 on: September 18, 2017, 05:23:20 PM »

Quote from: gt-innovation on September 18, 2017, 02:18:26 AM
Initially I was trying to load flash at 0x800000 and IDA was not translating the address bytes correctly, and in such a case I cannot rename those addresses appropriately. Then I switched to 0x80000 and everything was fine. As for MPC checksums, I would prefer not to interfere at all; what I understood from this is that you don't need to put the ECU in TEST mode if you are running the MPC cksum off patch.

Given that the ST10F27x has no direct documentation whatsoever, it is harder to match all things as on ME7.5 or other well documented ECUs. Tkmwl is way off at some points... As I said before, it looks like a hybrid ME7/ME9 ECU.

Took a look at your binary and I can assure you that flash resides at 0x800000.
Let me give you one more hint: you can't directly use a KTAG readout for the MPC. Data has to be shifted a bit. Take a look at the Porsche 997TT A2L & hex; it's public and has a very similar data arrangement. Or you can read MPC with flashit or minimon, then it'll come out at the correct addresses.
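The memory layout nubcake states in this thread (MPC image at 0x0, flash at 0x800000), the wrong-base problem gt-innovation hit when loading flash at 0x80000, and the MLMIN/MLMAX addresses from Reply #25, worked through as a small added Python example. This is not code from the thread or from any poster: the segment sizes, the flash image contents and every function name here are constructed assumptions for illustration, and the byte ramp placed over the MSHFMU range exists only so the two end bytes are recognisable.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Memory map as stated in the thread: MPC image at 0x0, flash at 0x800000.
# Segment sizes are NOT given in the thread; these are assumptions for the
# example only and must be replaced with the real dump sizes.
MPC_BASE = 0x0
MPC_SIZE_ASSUMED = 0x80000       # assumed 512 KiB
FLASH_BASE = 0x800000
FLASH_SIZE_ASSUMED = 0x100000    # assumed 1 MiB

# Addresses gt-innovation posted for the MSHFMU bounds check (Reply #25).
MLMIN_ADDR = 0x8FE490
MLMAX_ADDR = 0x8FE592


@dataclass(frozen=True)
class Segment:
    name: str
    base: int   # ECU address the dump is loaded at
    size: int   # size of the dump in bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def build_segments() -> Dict[str, Segment]:
    """Segments for the layout described in the thread (sizes assumed)."""
    return {
        "mpc": Segment("mpc", MPC_BASE, MPC_SIZE_ASSUMED),
        "flash": Segment("flash", FLASH_BASE, FLASH_SIZE_ASSUMED),
    }


def find_segment(addr: int, segments: Dict[str, Segment]) -> Optional[Segment]:
    """Return the segment an ECU address falls in, or None if it is unmapped."""
    for seg in segments.values():
        if seg.contains(addr):
            return seg
    return None


def addr_to_offset(addr: int, seg: Segment) -> Optional[int]:
    """Translate an ECU address to a byte offset inside seg's dump.

    Returns None when the address is not covered by the segment. That is
    exactly what happens when the flash dump is loaded at the wrong base
    (0x80000 instead of 0x800000): the map addresses then point far past
    the end of the file and nothing at 0x8Fxxxx can be named or read."""
    if not seg.contains(addr):
        return None
    return addr - seg.base


def make_demo_flash(size: int = FLASH_SIZE_ASSUMED) -> bytes:
    """Constructed flash dump: 0xFF filler with an ascending byte ramp over
    the MLMIN..MLMAX range so the two end bytes are recognisable."""
    img = bytearray(b"\xFF" * size)
    lo = MLMIN_ADDR - FLASH_BASE
    hi = MLMAX_ADDR - FLASH_BASE
    for i, off in enumerate(range(lo, hi + 1)):
        img[off] = i & 0xFF
    return bytes(img)


def read_map_bounds(flash_dump: bytes, flash: Segment) -> Optional[Tuple[int, int, int]]:
    """Read the byte at MLMIN, the byte at MLMAX and the inclusive span
    between them; None if either address is outside the loaded image."""
    lo = addr_to_offset(MLMIN_ADDR, flash)
    hi = addr_to_offset(MLMAX_ADDR, flash)
    if lo is None or hi is None or hi >= len(flash_dump) or lo > hi:
        return None
    return flash_dump[lo], flash_dump[hi], hi - lo + 1


if __name__ == "__main__":
    segs = build_segments()
    dump = make_demo_flash()
    seg = find_segment(MLMIN_ADDR, segs)
    print(f"0x{MLMIN_ADDR:06X} is in segment: {seg.name if seg else 'unmapped'}")
    print("correct base 0x800000 ->", read_map_bounds(dump, segs["flash"]))
    wrong = Segment("flash", 0x80000, FLASH_SIZE_ASSUMED)   # the base that failed in IDA
    print("wrong base 0x80000   ->", read_map_bounds(dump, wrong))
```

With the flash segment based at 0x800000 the two posted addresses land at file offsets 0xFE490 and 0xFE592 inside a 1 MiB dump, 259 bytes apart inclusive; with the segment based at 0x80000 the same addresses resolve to nothing, which is the symptom gt-innovation described before moving the base.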