Author Topic: 06A906032HN, Implementation of launch-control and NLS  (Read 227617 times)
sn00k
« on: January 06, 2012, 08:21:51 PM »

So.. i've been testing a "wotbox" for a few days, and this thing is awesome..

..and so i came across a thread here where i found ppl have been able to implement these 2 functions into the me7.x.. now i find this REALLY interesting and i would love to learn how to do this, and also i would like to modify the function a bit to suit my needs for this car.

I'm working on this me 7.5, 06A906032HN box, original bin attached.

now my knowledge in assembler is very rusty, but higher levels i have a better understanding of, so i went thru the routine that setzi wrote, v2, and his pseudo code for this one, and that is pretty much what i want to accomplish.. except for a few minor tweaks.

i understand patching asm isn't really an easy task, and so i've been gathering info.


i've located unused space to place the new data for setting the conditions of this new function, the new variables added in setzi's pseudo code, and placed them starting at 0x17E00:

SpeedThreshold: 0x17E00
LaunchRPM: 0x17E02
IgnitionCutDuration: 0x17E04
RPMThreshold: 0x17E06
AccPedalThreshold: 0x17E08


FTOMN is located at: 0x1A43D

then i've tried to locate the addresses of the RAM variables needed, and came up with this after some basic research:

tsrldyn: 0x380BB7
B_kuppl: 0x00FD4E
vfil_w: 0x381C0C
nmot_w: 0x00F89E
wped: 0x3809B1
B_brems: ??? - i cannot find this one atm, any help would be appreciated.


now the next step would be to disassemble the image.. and i've been using IDA Pro.. using the siemens c166 family cpus, and more specific the c167, trying to disassemble this into something understandable where i could fetch the addresses of needed variables, and where to link-in and put the code..

i have used an oem bin for reference and then one with launch control/NLS implemented.


skipping ahead to the new function.. i would eventually like to place it somewhere around A9C00, as this space seems to be free to use, from my limited understanding, as i cannot find any cross references to this area, pls correct me if i'm wrong.

it will take some tinkering to write the actual function in asm, and to assemble it with a c167 assembler, that i'm sure of..
(i've read setzi's thread about code patching, and how to figure out where to place local variables etc.. many thanks for this info!)

any help in this will be greatly appreciated, this custom code-patching really opens up the potential of the me 7.x.
« Last Edit: January 08, 2012, 08:34:52 PM by sn00k » Logged
sn00k
« Reply #1 on: January 08, 2012, 07:50:12 PM »

today i've been able to disassemble the code and look at some functions and addresses.. i still cannot figure out how to fetch the names of the variables and functions i'm seeing.. but perhaps i need to look in the actual RAM to fetch these..?

at least now i know WHICH ones i will be needing, and where most of them are located =)

still missing the B_brems item.. if needed..

fairly sure i can manage to get the new function written in asm.. but it will take some time having to relearn everything from scratch.

now, can someone perhaps recommend an assembler for this c167?


also, i've been looking into the disassembled source, and i'm fairly sure i've found the routine in which i need to call my NEW function, and it is located at: 0xA605C
when making changes to this routine (call function) my guess is i'm going to need to recompile it, and patch it in there again, correct?

any kind souls out there willing to aid in this project?
« Last Edit: January 08, 2012, 08:14:32 PM by sn00k » Logged
createddeleted
« Reply #2 on: January 08, 2012, 11:03:26 PM »

> today i've been able to disassemble the code and look at some functions and addresses.. i still cannot figure out how to fetch the names of the variables and functions i'm seeing.. but perhaps i need to look in the actual RAM to fetch these..?
>
> at least now i know WHICH ones i will be needing, and where most of them are located =)
>
> still missing the B_brems item.. if needed..
>
> fairly sure i can manage to get the new function written in asm.. but it will take some time having to relearn everything from scratch.
>
> now, can someone perhaps recommend an assembler for this c167?
>
> also, i've been looking into the disassembled source, and i'm fairly sure i've found the routine in which i need to call my NEW function, and it is located at: 0xA605C
> when making changes to this routine (call function) my guess is i'm going to need to recompile it, and patch it in there again, correct?
>
> any kind souls out there willing to aid in this project?

I would love to help, but I am still lost in adding code. I'll read some more and see if I can provide any help.
Logged
sn00k
« Reply #3 on: January 09, 2012, 11:45:18 AM »

great, well here is today's news:

i think i have found a c167 assembler/compiler so i can soon start my code-tinkering.. aka brick the ECU

..and i have found B_brems, which in this ecu is actually named B_br, and located in a registry at: 0x00FD4E.A and the B_kuppl in the same registry at: 0x00FD4E.E
« Last Edit: January 11, 2012, 05:55:15 PM by sn00k » Logged
Tony@NefMoto
« Reply #4 on: January 09, 2012, 11:56:21 AM »

This is the assembler I have used in the past: Keil uVision (http://www.keil.com/uvision/). The free version limits the size of the file you can assemble, but you only need to assemble one function to make your change.

User setzi62 made the ME7Logger tool which can generate the variable RAM locations for you from your bin file.
Logged

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
sn00k
« Reply #5 on: January 09, 2012, 02:24:51 PM »

thank you tony for pitching in, i actually stumbled across that Keil one just now before i read your reply and managed to fetch me a trial version, as said, the function is very small, and the compiler is limited to 4kb of code in trial mode, so this will do =)

i had a look in the ecu definition file in setzi's me7logger and ye, the variables are there, very good to know for future references
Logged
professor
« Reply #6 on: January 10, 2012, 01:56:14 AM »

I read this thread now but cannot help 'cause I am confused a bit while reading the disassembled code.
Although I am familiar with C I still can't figure a way to implement the routine for those functions.
It's a matter of time



Logged

Seat Ibiza MK4 Cupra 1.8t 20V, stg3.
"Those 1.8T 20V machines are really tough" ©
sn00k
« Reply #7 on: January 11, 2012, 04:11:16 PM »

Help needed to finish the function.. i'm really not used to compiling asm code
i cannot seem to get it to work.. i've tried different compilers/assemblers, and i cannot figure out how to assemble just this small portion of code, placed on the right addresses.. what to do?
Logged
Tony@NefMoto
« Reply #8 on: January 11, 2012, 04:46:24 PM »

You should contact user setzi62 and sweet talk him into getting involved in this forum thread.

Personally I would just try to take the block of compiled code that was already written by setzi, and then paste it into your file. Then just manually replace the different instructions referencing memory addresses.

Also, if you write your assembly code only using relative jumps, then the code should be safe to locate anywhere.
Logged

sn00k
« Reply #9 on: January 11, 2012, 05:48:56 PM »

> You should contact user setzi62 and sweet talk him into getting involved in this forum thread.
>
> Personally I would just try to take the block of compiled code that was already written by setzi, and then paste it into your file. Then just manually replace the different instructions referencing memory addresses.
>
> Also, if you write your assembly code only using relative jumps, then the code should be safe to locate anywhere.

that is understood tony, i guess his compiled code could be altered.. as i can see almost all addresses there in the hex.. but that would be a shortcut and we wouldn't really learn a thing from it imo.. i wanna know what i'm doing here.. =)

i did take a peek at setzi's code, v2, disassembled, to figure out all variables and addresses needed.
i have found all the addresses needed for this, and i have figured out where to put the code/variables without disturbing other functions..
i think i have managed to tinker me a new function, based on setzi's code, with all the correct addresses..
so the rest should be pretty easy..

..BUT, i cannot seem to figure out how to work the c167 assembler to make this function into binary code..
and so i cannot compile the function.. or call it from the routine.. even tho it's just a few lines need to alter and assemble.. stuck..!

it would be awesome to have setzi's help with this, as i'm a big fan of his logger and coding skills, and if i ever get this thing compiled and running i would love to contribute here with a tutorial on how to add this functionality to the me7.x.
« Last Edit: January 11, 2012, 06:34:05 PM by sn00k » Logged
gremlin
« Reply #10 on: January 11, 2012, 09:59:07 PM »

> ..and i have found B_brems, which in this ecu is actually named B_br, and located in a registry at: 0x00FD4E.A and the B_kuppl in the same registry at: 0x00FD4E.E

It's not correct.
There are both flags present.
b_brems is at 0x00FD4E.C - "brake pedal pressed"
And b_br is used for brake switch checking - "brake test pressed"
Logged
sn00k
« Reply #11 on: January 12, 2012, 05:55:51 AM »

oh, thanks gremlin for that correction, that means in the M-box unit it should be located at: 0x00FD56.6 which would be bitmask 0x0040.. IF i'm correct.. that cleared some things up
« Last Edit: January 12, 2012, 06:01:14 AM by sn00k » Logged
sn00k
« Reply #12 on: January 12, 2012, 12:46:17 PM »

update: loads of more tinkering.. and a strange binary produced.. in some strange way.. got the code.. patched it.. and now the NoLiftShift works 100%, it literally shifts like butter.. success!

But the launch still won't work.. and i'm beginning to question an address in my code, or rather the format of the function fetching it..
in the 0x380xxx range the values are easily fetched using word_8xxx.. just cutting out the 0..
but the vfil_w value is located in the 0x381xxx range, so.. what would that fetch be? still word_8xxx? or word 1xxx?
i'm assuming this is the part where i screwed up.. the call to the new function works great, and all other params seem to work great, the dwelltime and all rpm functions included in the NLS..

..but this vfil_w is trouble.. anyone know what the correct "word_" fetch would be for an 0x381xxx address?

i'm getting dizzy from looking at this asm code 24/7.. now i want to get this launch working!
Logged
createddeleted
« Reply #13 on: January 12, 2012, 01:48:36 PM »

This is incredible!

I can't wait for this to come about. When you're done I would also like to see the method in patching this in if you could show how you did so. I still have trouble getting my head around everything. Please.

« Last Edit: January 12, 2012, 01:50:13 PM by createddeleted » Logged
gremlin
« Reply #14 on: January 12, 2012, 02:36:25 PM »

> but the vfil_w value is located in the 0x381xxx range, so.. what would that fetch be? still word_8xxx? or word 1xxx?

Simple.
380000 ... 383FFF are remapped as 8000...BFFF
Logged
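
The remap described in the reply above, worked through for the addresses posted in this thread, as an added example that is not part of any post: on the C166/C167 the top two bits of a 16-bit data address select a data page pointer (DPP0..DPP3) and the low 14 bits are the offset into a 16 KB page. DPP2 = 0xE0 is derived from the stated remap, DPP3 = 0x03 is an assumption, and the function names are hypothetical.

```python
# Added example (not from the thread): C166/C167 data-page (DPP) address translation.
PAGE_SIZE = 0x4000  # one data page = 16 KB, so a 16-bit address carries a 14-bit offset

# Assumed DPP register contents. DPP2 = 0xE0 follows from the remap stated in the
# thread (0x380000 -> 0x8000); DPP3 = 0x03 is an assumption that matches the
# thread's 0x00Fxxx addresses. DPP0/DPP1 are not given in the thread: left unmapped.
DPP = {2: 0xE0, 3: 0x03}


def to_short(phys, dpp=DPP):
    """Linear address -> 16-bit operand (the xxxx in the thread's word_xxxx)."""
    page, offset = divmod(phys, PAGE_SIZE)
    for index, value in dpp.items():
        if value == page:
            # Bits 15..14 select the DPP register, bits 13..0 are the page offset.
            return (index << 14) | offset
    raise ValueError(f"0x{phys:06X} is in page 0x{page:02X}, which no known DPP maps")


def to_linear(short, dpp=DPP):
    """16-bit operand -> linear address, the inverse of to_short()."""
    index = short >> 14
    if index not in dpp:
        raise ValueError(f"DPP{index} contents unknown")
    return dpp[index] * PAGE_SIZE + (short & (PAGE_SIZE - 1))


def parse_bit_address(text):
    """'0x00FD4E.C' -> (word address, bit number, bit mask)."""
    word, bit = text.split(".")
    bit_no = int(bit, 16)  # bit positions are written as one hex digit, 0..F
    return int(word, 16), bit_no, 1 << bit_no


if __name__ == "__main__":
    # RAM variables as posted in the thread.
    for name, addr in [("tsrldyn", 0x380BB7), ("vfil_w", 0x381C0C),
                       ("nmot_w", 0x00F89E), ("wped", 0x3809B1)]:
        print(f"{name:8s} 0x{addr:06X} -> 0x{to_short(addr):04X}")
    # Bit flags as posted in the thread.
    for flag in ["0x00FD4E.A", "0x00FD4E.C", "0x00FD4E.E", "0x00FD56.6"]:
        word, bit_no, mask = parse_bit_address(flag)
        print(f"{flag} -> word 0x{to_short(word):04X}, bit {bit_no}, mask 0x{mask:04X}")
```

An address outside every mapped page raises an error instead of returning a plausible-looking operand, which is the case to catch before a patched instruction reads the wrong RAM cell.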