Author Topic: Reversing an ME7.1.1 St10F27X Audi TT 3.2  (Read 56013 times)
gt-innovation
« Reply #30 on: September 19, 2017, 04:12:14 AM »

Quote
Took a look at your binary and I can assure you that flash resides at 0x800000.
Let me give you one more hint - you can't directly use a KTAG readout for the MPC. Data has to be shifted a bit. Take a look at Porsche 997TT A2L&hex, it's public and has a very similar data arrangement. Or you can read MPC with flashit or minimon, then it'll come out at correct addresses.

I knew about the 0x800000 because at first I loaded a hex file (from an A2L) which is already set as it should be. You can see it in the output window while you are importing it in IDA. What I didn't know is that KTAG actually reads differently than minimon or flashit. Will check how much this should be shifted while I am importing the binary.
« Last Edit: September 26, 2017, 03:47:13 AM by gt-innovation »
gt-innovation
« Reply #31 on: September 26, 2017, 04:16:14 AM »

New things attached here again.

So after some tests with the LC code I can report that by using the correct registers you should have a well-functioning launch control using TSRLDYN without affecting the rest of the code or disturbing the stack.

Furthermore, the stock coils don't give a F$)K if you use FTOMN 0.2, 0.1 or 0, and on turbo applications you have the appropriate flame and banging effect... On the NA engine things are different, and when the stock catalyst is installed it acts like a normal limiter if you just use TSRLDYN; even with the Schubabschaltung deactivated the pops are not as spectacular or loud as on a turbo application, so I will have to do something about this too.

Right now I am using a simple version that jumps right off the UB checks for B_br, Vfil_w and Nmot_W to activate the LC, and I will add the no-lift shift by using B_gsch (not sure if it will work though) since we have a DSG car. Has someone used B_gsch?

Will do some more tests and report.

Hints for those that will try to do it themselves:

1. Use the correct registers to store your variables, as I stated above, to avoid having a dead ECU after 1-2 days
2. Use "extp    #23Fh, #1" to access your flash (depends on where you have free space for variables)
3. Use B_br (b_brems) on DSG or B_kuppl for manual.
4. If the car is DSG, set your LC from the DSG 500+ rpm higher than your custom code



« Last Edit: October 20, 2017, 04:07:35 AM by gt-innovation »
gt-innovation
« Reply #32 on: October 20, 2017, 04:05:23 AM »

So work kept me busy but I did make a lot of progress on that project as well.

Here is the code that someone can use for a simple, bug-free launch control function on ST10F27x.

Loc_LC:
      jnb     word_FD5E.B_brems, loc_exit   ; brake not pressed -> leave (B_brems on DSG, B_kuppl on manual)
      mov     r7, vfil_w                    ; filtered vehicle speed
      extp    #23Fh, #1                     ; extended page for the flash area holding the thresholds
      mov     r9, word_XxXFlash-addressXxX  ; speed threshold (speed check)
      cmp     r7, r9
      jmpr    cc_NC, loc_exit               ; vfil_w >= threshold -> leave
      mov     r7, NMOT_W                    ; engine speed
      extp    #23Fh, #1
      mov     r9, word_XxXFlash-addressXxX  ; rpm threshold (rpm check)
      cmp     r7, r9
      jmpr    cc_ULE, loc_exit              ; nmot <= threshold -> leave
      movb    tsrldyn, ZEROS                ; above the rpm threshold: zero tsrldyn (cut)
loc_exit:
      movbz   r12, UB                       ; replay the instruction the hook replaced
      jmpa    cc_UC, loc_return             ; back to the original code after the hook

In addition I am attaching all the latest work I did on this IDA project, so everything you need to build something from scratch is in there. There could be mistakes in the definitions, as I said before, because an FR does not exist for this ECU; however I will keep fixing and updating it until it is 100% defined.

Currently I am testing something a bit better with more options, but there is not enough time to do everything at once.
gt-innovation
« Reply #33 on: November 06, 2017, 04:59:47 PM »

More good news for my personal project.

First of all, I now have no need to define the complete file, as I found somewhere in my pile a matching A2L for my binary.
After I studied it a bit I found the correct addressing scheme, as there always is inside A2L files.

Basically you cannot use KTAG boot reads directly, as they are missing some "padding" areas.

    /begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x8000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x18000 /*mapping_adr:*/0x18000 /*length:*/0x8000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst20000 "" RESERVED FLASH INTERN 0x20000 0xB0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0xB0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst800000 "" CODE EPROM EXTERN 0x800000 0xE0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x800000 /*mapping_adr:*/0x800000 /*length:*/0xE0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst8E0000 "" DATA EPROM EXTERN 0x8E0000 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x8E0000 /*mapping_adr:*/0x8E0000 /*length:*/0x20000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam380000 "" VARIABLES RAM EXTERN 0x380000 0x6000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x380000 /*length:*/0x6000 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x388000 /*length:*/0x6000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam386000 "" VARIABLES RAM EXTERN 0x386000 0x2000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x386000 /*mapping_adr:*/0x386000 /*length:*/0x2000 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x386000 /*mapping_adr:*/0x386000 /*length:*/0x2000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam388000 "" VARIABLES RAM EXTERN 0x388000 0x200 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x388000 /*mapping_adr:*/0x388000 /*length:*/0x200 /end IF_DATA
    /begin IF_DATA ASAP1B_MCMESS ADDRESS_MAPPING /*orig_adr:*/0x388000 /*mapping_adr:*/0x388000 /*length:*/0x200 /end IF_DATA
    /end MEMORY_SEGMENT


You have 2 choices here for loading the files into IDA: either reconstruct the MPC file by padding the areas that are empty, or load the binary with offsets. I cross-referenced a hex file that I loaded earlier so I can be sure that whatever I do matches that. I always like to reconstruct things, so what I did is the following:

Separate the first 32 kB from the MPC (KTAG read), pad until 0x18000 and add the rest of the file from 0x18000 and up.

ram2 (0xf0000) should be added as I stated in the first post, and also ram (0x38000).

Finally add the flash file with 0x800000 offset and the DPPs from my first post and you are done.

Now every call or memory address will line up perfectly.

Attached you will find a VIRGIN IDA import (defining has not been done to it).
« Last Edit: November 09, 2017, 03:38:45 AM by gt-innovation »
Gonzo
« Reply #34 on: November 09, 2017, 07:01:30 AM »

Thanks to you I figured it all out.

For ME7.5.30 (and potentially other ECUs that only have iROM and no xROM), read the ECU with MPPS (a real one). At the 0x8000 offset add a padding of 10000. Then load into IDA with all the same settings listed here, except that ROM should be 0x0 and the length will be whatever the size of your file is.
« Last Edit: November 09, 2017, 07:04:16 AM by Gonzo »
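The padding step both posts describe (gt-innovation: keep the first 32 kB of the KTAG read, pad to 0x18000, append the rest; Gonzo: the padding added at 0x8000 for ME7.5.30) can be driven straight from the MEMORY_SEGMENT entries of the A2L quoted above, so the same script serves any map with the same kind of hole. This is an added Python example, not code from the thread; it assumes the tool read is the INTERN segments concatenated in address order, and the three-line A2L snippet and the dump it runs on are constructed here.

```python
import re

# Constructed subset of the A2L memory map quoted in the thread (internal flash only).
A2L_SNIPPET = '''
/begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0x8000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT Pst20000 "" RESERVED FLASH INTERN 0x20000 0xB0000 -1 -1 -1 -1 -1
'''

# Fields: Name, "longident", PrgType, MemoryType, Attribute (INTERN/EXTERN), Address, Size
SEG_RE = re.compile(r'/begin\s+MEMORY_SEGMENT\s+(\S+)\s+"[^"]*"\s+(\S+)\s+(\S+)\s+(\S+)'
                    r'\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)')

def parse_segments(a2l_text, attribute="INTERN"):
    """Return (start, length) pairs, sorted by address, for segments with the given attribute."""
    segs = []
    for m in SEG_RE.finditer(a2l_text):
        _name, _prg, _mem, attr, addr, size = m.groups()
        if attr == attribute:
            segs.append((int(addr, 16), int(size, 16)))
    return sorted(segs)

def segment_gaps(segments):
    """Holes between consecutive segments: the padding a contiguous tool read lacks."""
    gaps = []
    for (s1, l1), (s2, _l2) in zip(segments, segments[1:]):
        if s2 > s1 + l1:
            gaps.append((s1 + l1, s2 - (s1 + l1)))
    return gaps

def rebuild_image(dump, segments, fill=0xFF):
    """Lay a contiguous read out at its A2L addresses, filling the gaps with `fill`.

    Assumes (as the thread describes for KTAG/MPPS reads) that the read is the
    segments back to back in address order with nothing in between.
    """
    expected = sum(length for _, length in segments)
    if len(dump) != expected:  # wrong tool, wrong file, or read already padded
        raise ValueError(f"read is {len(dump):#x} bytes but segments total {expected:#x}")
    image = bytearray()
    pos = 0
    for start, length in segments:
        if start < len(image):
            raise ValueError(f"segment at {start:#x} overlaps the previous one")
        image += bytes([fill]) * (start - len(image))  # here: 0x10000 bytes from 0x8000
        image += dump[pos:pos + length]
        pos += length
    return bytes(image)
```

Running parse_segments over the full A2L with attribute="EXTERN" gives the external map (the 0x800000 flash file) the same way.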
gt-innovation
« Reply #35 on: November 09, 2017, 01:24:46 PM »

Quote from: Gonzo
Thanks to you I figured it all out.

For ME7.5.30 (and potentially other ECUs that only have iROM and no xROM), read the ECU with MPPS (a real one). At the 0x8000 offset add a padding of 10000. Then load into IDA with all the same settings listed here, except that ROM should be 0x0 and the length will be whatever the size of your file is.

Happy to help, and good to know. It was not that hard in the end. I have been testing my retardation algo lately and the only thing left is to make the bang effect on gear shifts on a DSG car, because manuals work fine. Both ignition cut and ignition retard work perfectly. The boost on the LC with ignition retard, though, comes on much better.

Once that is done I will add a wkrma indicator as well and move on to MED17.

Here is the video in proper quality:

https://www.youtube.com/watch?v=bAks3zVOTR4

« Last Edit: November 09, 2017, 01:29:35 PM by gt-innovation »
Gonzo
« Reply #36 on: November 09, 2017, 01:54:33 PM »

Thank you for answering my (in retrospect) stupid questions.

Quote from: gt-innovation
the only thing left is to make the bang effect on gear shifts on a DSG car, because manuals work fine

I tried doing this with a regular automatic with 1.8T ME7 and I couldn't find a variable that would tell me when the ECU is shifting.

Let me know if you find one.
gt-innovation
« Reply #37 on: November 09, 2017, 02:23:13 PM »

Quote from: Gonzo
Thank you for answering my (in retrospect) stupid questions.

I tried doing this with a regular automatic with 1.8T ME7 and I couldn't find a variable that would tell me when the ECU is shifting.

Let me know if you find one.

Tried B_gsch without success... I have 2 more in mind that I will test; if I succeed I will post it here as well.
Gonzo
« Reply #38 on: November 09, 2017, 04:19:49 PM »

I actually remember trying B_gsch and no dice
Mikhail
« Reply #39 on: November 09, 2017, 10:51:30 PM »

Quote from: gt-innovation
bang effect on gear shifts on a DSG car

Do the bang if the gearbox requests less than 100%? And don't limit revs with the bang, only cut some ignitions? This may also work at launch when the gearbox controls rpm. At least my old DSG may not do the launch if the gearbox doesn't control rpm.
gt-innovation
« Reply #40 on: November 10, 2017, 03:43:05 AM »

Quote from: Mikhail
Do the bang if the gearbox requests less than 100%? And don't limit revs with the bang, only cut some ignitions? This may also work at launch when the gearbox controls rpm. At least my old DSG may not do the launch if the gearbox doesn't control rpm.

I do not exactly understand what you are talking about, but I will figure out a way...
Gonzo
« Reply #41 on: November 11, 2017, 03:05:51 AM »

I think he means do ignition cut if you get torque intervention from TCU
gt-innovation
« Reply #42 on: November 11, 2017, 11:43:18 AM »

Quote from: Gonzo
I think he means do ignition cut if you get torque intervention from TCU

There are at least 4 conditions that could fit this function. I will try to keep things simple for starters.
gt-innovation
« Reply #43 on: November 13, 2017, 07:50:41 AM »

Seems like B_gfen did the job but the duration is too small to produce something with ignition retardation so ignition cut should be used.
Gonzo
« Reply #44 on: November 13, 2017, 09:10:13 PM »

Drat. Looks like B_gfen isn't available on most binaries.

Guess I'll have to dig a bit deeper