vwnut8392
« on: March 07, 2018, 02:45:41 AM »
Was poking around on a forum and found a random file someone had posted that claimed to have launch control and map switching. I looked through it and didn't find any major brand name or tuner in it, so I figured I'd share it for everyone trying to crack the MED9 mystery. I did a little bit of poking around in IDA with it and I think I have deciphered the launch control code from the map switching code.

Entry to the code I think is launch control:

ROM:00596E08 # ---------------------------------------------------------------------------
ROM:00596E08
ROM:00596E08 loc_596E08: # CODE XREF: sub_4C62A4:loc_4C6350j
ROM:00596E08 lis r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E0C addi r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E10 lbz r12, 0(r12) # Load Byte and Zero
ROM:00596E14 andi. r12, r12, 1 # AND Immediate
ROM:00596E18 cmpwi r12, 1 # Compare Word Immediate
ROM:00596E1C beq loc_596E54 # Branch if equal
ROM:00596E20 lis r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E24 addi r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E28 lbz r12, 0(r12) # Load Byte and Zero
ROM:00596E2C andi. r12, r12, 2 # AND Immediate
ROM:00596E30 cmpwi r12, 2 # Compare Word Immediate
ROM:00596E34 beq loc_596E64 # Branch if equal
ROM:00596E38 lis r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E3C addi r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E40 lbz r12, 0(r12) # Load Byte and Zero
ROM:00596E44 andi. r12, r12, 4 # AND Immediate
ROM:00596E48 cmpwi r12, 4 # Compare Word Immediate
ROM:00596E4C beq loc_596E74 # Branch if equal
ROM:00596E50 b loc_596DF8 # Branch
ROM:00596E54 # ---------------------------------------------------------------------------
ROM:00596E54
ROM:00596E54 loc_596E54: # CODE XREF: sub_4C62A4+D0B78j
ROM:00596E54 lbz r12, byte_7FD667 # Load Byte and Zero
ROM:00596E58 cmpwi r12, 2 # Compare Word Immediate
ROM:00596E5C beq Custom_code06 # Branch if equal
ROM:00596E60 b loc_596DF8 # Branch
ROM:00596E64 # ---------------------------------------------------------------------------
ROM:00596E64
ROM:00596E64 loc_596E64: # CODE XREF: sub_4C62A4+D0B90j
ROM:00596E64 lbz r12, byte_7FD667 # Load Byte and Zero
ROM:00596E68 cmpwi r12, 1 # Compare Word Immediate
ROM:00596E6C beq Custom_code06 # Branch if equal
ROM:00596E70 b loc_596DF8 # Branch
ROM:00596E74 # ---------------------------------------------------------------------------
ROM:00596E74
ROM:00596E74 loc_596E74: # CODE XREF: sub_4C62A4+D0BA8j
ROM:00596E74 lbz r12, byte_7FD667 # Load Byte and Zero
ROM:00596E78 cmpwi r12, 0 # Compare Word Immediate
ROM:00596E7C beq Custom_code06 # Branch if equal
ROM:00596E80 b loc_596DF8 # Branch
ROM:00596E80 # END OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596E80 # ---------------------------------------------------------------------------

Second part of this code:

ROM:00596DB0 # ---------------------------------------------------------------------------
ROM:00596DB0 Start Of Launch Control????
ROM:00596DB0 # START OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596DB0
ROM:00596DB0 Custom_code06: # CODE XREF: sub_4C62A4+D0BB8j
ROM:00596DB0 # sub_4C62A4+D0BC8j ...
ROM:00596DB0 lbz r12, vfzg # Load Byte and Zero
ROM:00596DB4 cmpwi r12, 8 # Compare Word Immediate
ROM:00596DB8 bge loc_596DF8 # Branch if greater than or equal
ROM:00596DBC lbz r12, nmot # Load Byte and Zero
ROM:00596DC0 cmpwi r12, 0x51 # Compare Word Immediate
ROM:00596DC4 ble loc_596DF8 # Branch if less than or equal
ROM:00596DC8 lbz r12, Wped # Load Byte and Zero
ROM:00596DCC cmpwi r12, 0x26 # Compare Word Immediate
ROM:00596DD0 ble loc_596DF8 # Branch if less than or equal
ROM:00596DD4 lbz r12, B_kuppl # Load Byte and Zero
ROM:00596DD8 cmpwi r12, 1 # Compare Word Immediate
ROM:00596DDC bne loc_596DF8 # Branch if not equal
ROM:00596DE0 li r12, 1 # Load Immediate
ROM:00596DE4 stb r12, byte_807005 # Store Byte
ROM:00596DE8 li r30, 0xDF # Load Immediate
ROM:00596DEC li r31, 0xDF # Load Immediate
ROM:00596DF0 stb r30, byte_7FEDE0 # Store Byte
ROM:00596DF4 b loc_4C6354 # Branch
ROM:00596DF8 # ---------------------------------------------------------------------------
ROM:00596DF8
ROM:00596DF8 loc_596DF8: # CODE XREF: sub_4C62A4+D0B14j
ROM:00596DF8 # sub_4C62A4+D0B20j ...
ROM:00596DF8 li r12, 0 # Load Immediate
ROM:00596DFC stb r12, byte_807005 # Store Byte
ROM:00596E00 stb r30, byte_7FEDE0 # Store Byte
ROM:00596E04 b loc_4C6354 # Branch
ROM:00596E08 # ---------------------------------------------------------------------------

Attached is the BIN file I found. Have fun guys and enjoy!
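To make the gating logic of the posted hook concrete, here is a small Python interpreter for the PowerPC subset the listing uses (lis, addi, lbz, stb, li, andi., cmpwi and the branches). This is an added example, not code from the thread or from whoever wrote the file: the listing is embedded with the IDA addresses stripped, the RAM variables the post names without addresses (vfzg, nmot, Wped, B_kuppl, byte_7FD667, byte_807005, byte_7FEDE0) are modelled as symbolic memory keys, and the sample ECU values and the r30 placeholder are constructed.

```python
import re

# Added example, not code from the thread. LISTING is the posted hook with
# addresses stripped and one basic block per line; RAM variables the post
# names without addresses are kept as symbolic memory keys.
LISTING = """
loc_596E08: lis r12, 0x19; addi r12, r12, 0x6848; lbz r12, 0(r12); andi. r12, r12, 1; cmpwi r12, 1; beq loc_596E54
  lis r12, 0x19; addi r12, r12, 0x6848; lbz r12, 0(r12); andi. r12, r12, 2; cmpwi r12, 2; beq loc_596E64
  lis r12, 0x19; addi r12, r12, 0x6848; lbz r12, 0(r12); andi. r12, r12, 4; cmpwi r12, 4; beq loc_596E74; b loc_596DF8
loc_596E54: lbz r12, byte_7FD667; cmpwi r12, 2; beq Custom_code06; b loc_596DF8
loc_596E64: lbz r12, byte_7FD667; cmpwi r12, 1; beq Custom_code06; b loc_596DF8
loc_596E74: lbz r12, byte_7FD667; cmpwi r12, 0; beq Custom_code06; b loc_596DF8
Custom_code06: lbz r12, vfzg; cmpwi r12, 8; bge loc_596DF8; lbz r12, nmot; cmpwi r12, 0x51; ble loc_596DF8
  lbz r12, Wped; cmpwi r12, 0x26; ble loc_596DF8; lbz r12, B_kuppl; cmpwi r12, 1; bne loc_596DF8
  li r12, 1; stb r12, byte_807005; li r30, 0xDF; li r31, 0xDF; stb r30, byte_7FEDE0; b loc_4C6354
loc_596DF8: li r12, 0; stb r12, byte_807005; stb r30, byte_7FEDE0; b loc_4C6354
"""


def parse(text):
    """Turn the listing into a list of (mnemonic, operands) plus a label table."""
    insns, labels = [], {}
    for line in text.strip().splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)", line)
        if m:                                # line starts a basic block
            labels[m.group(1)] = len(insns)
            line = m.group(2)
        for chunk in line.split(";"):
            chunk = chunk.strip()
            if chunk:
                op, _, rest = chunk.partition(" ")
                insns.append((op, [a.strip() for a in rest.split(",")]))
    return insns, labels


INSNS, LABELS = parse(LISTING)


def run(mem, regs, start="loc_596E08"):
    """Execute from `start` until the hook branches back into the firmware.
    `mem` maps numeric addresses or symbol names to byte values and is
    updated in place; `regs` holds the caller's register values on entry."""
    regs = dict(regs)
    cr = 0                                   # CR0 as -1 / 0 / +1 (signed compare)

    def val(tok):                            # register or immediate operand
        return regs.get(tok, 0) if tok.startswith("r") else int(tok, 0)

    def addr(tok):                           # "0(r12)" -> number, otherwise a symbol
        m = re.match(r"(-?\w+)\((r\d+)\)", tok)
        return regs[m.group(2)] + int(m.group(1), 0) if m else tok

    pc = LABELS[start]
    while True:
        op, a = INSNS[pc]
        pc += 1
        if op == "lis":
            regs[a[0]] = val(a[1]) << 16
        elif op == "addi":
            regs[a[0]] = val(a[1]) + val(a[2])
        elif op == "li":
            regs[a[0]] = val(a[1])
        elif op == "lbz":
            regs[a[0]] = mem.get(addr(a[1]), 0) & 0xFF
        elif op == "stb":
            mem[addr(a[1])] = regs[a[0]] & 0xFF
        elif op == "andi.":                  # the dot form also sets CR0
            regs[a[0]] = val(a[1]) & val(a[2])
            cr = (regs[a[0]] > 0) - (regs[a[0]] < 0)
        elif op == "cmpwi":
            x, y = regs[a[0]], val(a[1])
            cr = (x > y) - (x < y)
        elif op == "b":
            if a[0] not in LABELS:           # loc_4C6354: back into the Bosch code
                return a[0]
            pc = LABELS[a[0]]
        else:                                # beq / bne / bge / ble
            if {"beq": cr == 0, "bne": cr != 0, "bge": cr >= 0, "ble": cr <= 0}[op]:
                pc = LABELS[a[0]]


def hook(flags, sel, vfzg, nmot, wped, kuppl, r30=0x42):
    """Run the hook on one constructed ECU state and return
    (byte_807005, byte_7FEDE0). 0x42 is an arbitrary placeholder for r30 on entry."""
    mem = {0x196848: flags, "byte_7FD667": sel, "vfzg": vfzg,
           "nmot": nmot, "Wped": wped, "B_kuppl": kuppl}
    run(mem, {"r30": r30})
    return mem["byte_807005"], mem["byte_7FEDE0"]


def enabled_selections():
    """(flags, byte_7FD667) pairs that reach the active path when the other four
    checks pass; shows the bit-0 > bit-1 > bit-2 priority of the andi. tests."""
    return sorted((f, s) for f in range(8) for s in range(3)
                  if hook(f, s, 0, 0x60, 0x30, 1)[0] == 1)


if __name__ == "__main__":
    print("active:", hook(1, 2, 0, 0x60, 0x30, 1), "inactive:", hook(1, 1, 0, 0x60, 0x30, 1))
    print("selections:", enabled_selections())
```

Running it shows what the listing encodes: the byte at 0x196848 decides which value of byte_7FD667 has to match (bit 0 requires 2, bit 1 requires 1, bit 2 requires 0, and bit 0 wins when several are set), and only then are vfzg < 8, nmot > 0x51, Wped > 0x26 and B_kuppl == 1 tested before byte_807005 is raised. Both exits store r30 into byte_7FEDE0 and return to loc_4C6354, four bytes past the loc_4C6350 branch that enters the hook, which is the shape you would expect if the patch displaced a single original stb at that address; the active path simply overrides r30 with 0xDF first.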
gt-innovation
« Reply #1 on: March 07, 2018, 03:00:37 AM »
The code you are looking at is 100% the one that BC consulting is using, thus the non-commercial file posting rule applies. As for the signature, you just didn't pay attention to the XOR command with the 0xBCBC string. If I remember correctly the VIN is also included. This code is utilizing the same method that has been described by basano years ago, by switching to different LDRXN maps. In any case that is not a multimap that has many options. Just LDRXN is useless in order to make a proper good tune.
gt-innovation
« Reply #2 on: March 07, 2018, 03:34:53 AM »
Forgot to mention that the LC function is probably not what you are looking for. It is a kind of 2-step but without bangs and, most important, it will not produce the boost you are going to need in big turbo applications. It is safe for catalytic systems though.
vwnut8392
« Reply #3 on: March 07, 2018, 01:44:42 PM »
Thanks for sharing. I know very little about disassembling MED9, I'm just starting to learn it. I was just looking for the branding that commercial tuners normally add to files.
As for the launch control, I have a feeling you're right about it not being the hard cut version. Either way it's a starting point to learn how the code works and can be modified. I really want to use the spark cut version, but anyone who has ever talked about it/developed it publicly pulled all their info because tuners took the info and were selling it, which in turn made these guys mad I guess.
« Last Edit: March 07, 2018, 01:48:03 PM by vwnut8392 »
gt-innovation
« Reply #4 on: March 07, 2018, 02:18:49 PM »
There was never a public code for MED9.1 and, at least here, no one took back anything.
This is not a good way to start and I would suggest going into basano's posts about MED9.1 because those will help.
For the ALS/NLS there are many ways to approach it, but you need to do plenty of things to get a fireball going as it is not like ME7.
A simple LC and NLS function though is not very hard to do once you get things going with small code parts. If you don't have your own test car it will be much harder to make something satisfying.
It would be good to ask Nyet about the commercial file post, as you could just keep the parts of code you already posted.
Good luck.
vwnut8392
« Reply #5 on: March 07, 2018, 04:52:11 PM »
From past experience looking at the spark cut launch control in other Motronics like ME7 and even old M2.3.2, it seems that forcing a false value on anything close to SWOUT or ZWOUT in RAM gives the desired effect. I have not looked at the MED9 function sheet yet to see how the ignition system actually functions; it seems to me that the apple never fell far from the tree when it came to Motronic. It evolved but never really changed a ton because it worked well in the beginning, so why try and re-invent the wheel, know what I mean. I'm sure MED9 has a lot more fail-safes than previous Motronics, and it gets worse as it evolves too.

I'm going to look into it though and use this file as a learning file. I do get that you said most of it is sort of useless, but I can now see the difference between hand-added code from a human and the Bosch machine-generated code from when the ECU was developed/manufactured. I have read through a few of basano's posts already and they are helping too. Very well educated man. I will message him, or maybe he will chime in on this post about the file and whether it's valid. I have no problems removing it if it's not valid.

My only issue at the moment that would help a lot is identifying what is what in RAM. A few of basano's posts talked about finding things, but I'm still having problems finding the stuff that relates to the ignition system. There was one generator that would identify some of the RAM, but nothing important as to what I'm focusing on; it gave me wped, B_kuppl and a few other variables like that, which helped. What I was doing was trying to use the one map that everyone uses for the spark cut RPM limiter in ME7 to locate the RAM ignition interruption. This map is still in MED9 and I think it will lead me to the end result. In all honesty I hate that solution for the hard RPM limiter in ME7 lol. It sucks. I re-purposed the coolant temp check for a hard RPM limiter in ME7 instead; it just seems like a better solution.

Oh well, enough rambling, back to looking at this stuff. Thanks for the help and info.
gt-innovation
« Reply #6 on: March 20, 2018, 11:46:35 AM »
From past experience looking at the spark cut launch control in other Motronics like ME7 and even old M2.3.2, it seems that forcing a false value on anything close to SWOUT or ZWOUT in RAM gives the desired effect.

Why force a false one when you can give it exactly what it needs? On MED9 it is simple:

li r30, 0
sth r30, szout_w

But again that is not the only thing you need. This will act like a hard cut limiter but no bangs will happen. First you need to retard the ignition for around 160 rpm before this happens.
vwnut8392
« Reply #7 on: June 17, 2018, 02:24:32 PM »
What else is needed?