Pages: [1]
Author Topic: MED9 launch control reversing  (Read 7734 times)
vwnut8392
Sr. Member
****

Karma: +19/-7
Offline Offline

Posts: 271


« on: March 07, 2018, 02:45:41 AM »

was poking around on a forum and found a random file someone had posted that claimed to have a launch control and map switching, i looked through it and didnt find any major brand name or tuner in it so i figured id share it for everyone trying to crack the MED9 mystery. i did a little bit of poking around in IDA with it and i think i have deciphered the launch control code from the map switching code.

Entry to the code i think is launch control
Code:
ROM:00596E08 # ---------------------------------------------------------------------------
ROM:00596E08
ROM:00596E08 loc_596E08:                             # CODE XREF: sub_4C62A4:loc_4C6350j
ROM:00596E08                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E0C                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E10                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E14                 andi.     r12, r12, 1   # AND Immediate
ROM:00596E18                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596E1C                 beq       loc_596E54    # Branch if equal
ROM:00596E20                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E24                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E28                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E2C                 andi.     r12, r12, 2   # AND Immediate
ROM:00596E30                 cmpwi     r12, 2        # Compare Word Immediate
ROM:00596E34                 beq       loc_596E64    # Branch if equal
ROM:00596E38                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E3C                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E40                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E44                 andi.     r12, r12, 4   # AND Immediate
ROM:00596E48                 cmpwi     r12, 4        # Compare Word Immediate
ROM:00596E4C                 beq       loc_596E74    # Branch if equal
ROM:00596E50                 b         loc_596DF8    # Branch
ROM:00596E54 # ---------------------------------------------------------------------------
ROM:00596E54
ROM:00596E54 loc_596E54:                             # CODE XREF: sub_4C62A4+D0B78j
ROM:00596E54                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E58                 cmpwi     r12, 2        # Compare Word Immediate
ROM:00596E5C                 beq       Custom_code06 # Branch if equal
ROM:00596E60                 b         loc_596DF8    # Branch
ROM:00596E64 # ---------------------------------------------------------------------------
ROM:00596E64
ROM:00596E64 loc_596E64:                             # CODE XREF: sub_4C62A4+D0B90j
ROM:00596E64                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E68                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596E6C                 beq       Custom_code06 # Branch if equal
ROM:00596E70                 b         loc_596DF8    # Branch
ROM:00596E74 # ---------------------------------------------------------------------------
ROM:00596E74
ROM:00596E74 loc_596E74:                             # CODE XREF: sub_4C62A4+D0BA8j
ROM:00596E74                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E78                 cmpwi     r12, 0        # Compare Word Immediate
ROM:00596E7C                 beq       Custom_code06 # Branch if equal
ROM:00596E80                 b         loc_596DF8    # Branch
ROM:00596E80 # END OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596E80 # ---------------------------------------------------------------------------


Second Part of this code
Code:
ROM:00596DB0 # ---------------------------------------------------------------------------
ROM:00596DB0 Start Of Launch Control????
ROM:00596DB0 # START OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596DB0
ROM:00596DB0 Custom_code06:                          # CODE XREF: sub_4C62A4+D0BB8j
ROM:00596DB0                                         # sub_4C62A4+D0BC8j ...
ROM:00596DB0                 lbz       r12, vfzg     # Load Byte and Zero
ROM:00596DB4                 cmpwi     r12, 8        # Compare Word Immediate
ROM:00596DB8                 bge       loc_596DF8    # Branch if greater than or equal
ROM:00596DBC                 lbz       r12, nmot     # Load Byte and Zero
ROM:00596DC0                 cmpwi     r12, 0x51     # Compare Word Immediate
ROM:00596DC4                 ble       loc_596DF8    # Branch if less than or equal
ROM:00596DC8                 lbz       r12, Wped     # Load Byte and Zero
ROM:00596DCC                 cmpwi     r12, 0x26     # Compare Word Immediate
ROM:00596DD0                 ble       loc_596DF8    # Branch if less than or equal
ROM:00596DD4                 lbz       r12, B_kuppl  # Load Byte and Zero
ROM:00596DD8                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596DDC                 bne       loc_596DF8    # Branch if not equal
ROM:00596DE0                 li        r12, 1        # Load Immediate
ROM:00596DE4                 stb       r12, byte_807005 # Store Byte
ROM:00596DE8                 li        r30, 0xDF     # Load Immediate
ROM:00596DEC                 li        r31, 0xDF     # Load Immediate
ROM:00596DF0                 stb       r30, byte_7FEDE0 # Store Byte
ROM:00596DF4                 b         loc_4C6354    # Branch
ROM:00596DF8 # ---------------------------------------------------------------------------
ROM:00596DF8
ROM:00596DF8 loc_596DF8:                             # CODE XREF: sub_4C62A4+D0B14j
ROM:00596DF8                                         # sub_4C62A4+D0B20j ...
ROM:00596DF8                 li        r12, 0        # Load Immediate
ROM:00596DFC                 stb       r12, byte_807005 # Store Byte
ROM:00596E00                 stb       r30, byte_7FEDE0 # Store Byte
ROM:00596E04                 b         loc_4C6354    # Branch
ROM:00596E08 # ---------------------------------------------------------------------------

Attached are the BIN file i found. have fun guys and enjoy!
Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #1 on: March 07, 2018, 03:00:37 AM »

was poking around on a forum and found a random file someone had posted that claimed to have a launch control and map switching, i looked through it and didnt find any major brand name or tuner in it so i figured id share it for everyone trying to crack the MED9 mystery. i did a little bit of poking around in IDA with it and i think i have deciphered the launch control code from the map switching code.

Entry to the code i think is launch control
Code:
ROM:00596E08 # ---------------------------------------------------------------------------
ROM:00596E08
ROM:00596E08 loc_596E08:                             # CODE XREF: sub_4C62A4:loc_4C6350j
ROM:00596E08                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E0C                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E10                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E14                 andi.     r12, r12, 1   # AND Immediate
ROM:00596E18                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596E1C                 beq       loc_596E54    # Branch if equal
ROM:00596E20                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E24                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E28                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E2C                 andi.     r12, r12, 2   # AND Immediate
ROM:00596E30                 cmpwi     r12, 2        # Compare Word Immediate
ROM:00596E34                 beq       loc_596E64    # Branch if equal
ROM:00596E38                 lis       r12, 0x19 # 0x196848 # Load Immediate Shifted
ROM:00596E3C                 addi      r12, r12, 0x6848 # 0x196848 # Add Immediate
ROM:00596E40                 lbz       r12, 0(r12)   # Load Byte and Zero
ROM:00596E44                 andi.     r12, r12, 4   # AND Immediate
ROM:00596E48                 cmpwi     r12, 4        # Compare Word Immediate
ROM:00596E4C                 beq       loc_596E74    # Branch if equal
ROM:00596E50                 b         loc_596DF8    # Branch
ROM:00596E54 # ---------------------------------------------------------------------------
ROM:00596E54
ROM:00596E54 loc_596E54:                             # CODE XREF: sub_4C62A4+D0B78j
ROM:00596E54                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E58                 cmpwi     r12, 2        # Compare Word Immediate
ROM:00596E5C                 beq       Custom_code06 # Branch if equal
ROM:00596E60                 b         loc_596DF8    # Branch
ROM:00596E64 # ---------------------------------------------------------------------------
ROM:00596E64
ROM:00596E64 loc_596E64:                             # CODE XREF: sub_4C62A4+D0B90j
ROM:00596E64                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E68                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596E6C                 beq       Custom_code06 # Branch if equal
ROM:00596E70                 b         loc_596DF8    # Branch
ROM:00596E74 # ---------------------------------------------------------------------------
ROM:00596E74
ROM:00596E74 loc_596E74:                             # CODE XREF: sub_4C62A4+D0BA8j
ROM:00596E74                 lbz       r12, byte_7FD667 # Load Byte and Zero
ROM:00596E78                 cmpwi     r12, 0        # Compare Word Immediate
ROM:00596E7C                 beq       Custom_code06 # Branch if equal
ROM:00596E80                 b         loc_596DF8    # Branch
ROM:00596E80 # END OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596E80 # ---------------------------------------------------------------------------


Second Part of this code
Code:
ROM:00596DB0 # ---------------------------------------------------------------------------
ROM:00596DB0 Start Of Launch Control????
ROM:00596DB0 # START OF FUNCTION CHUNK FOR sub_4C62A4
ROM:00596DB0
ROM:00596DB0 Custom_code06:                          # CODE XREF: sub_4C62A4+D0BB8j
ROM:00596DB0                                         # sub_4C62A4+D0BC8j ...
ROM:00596DB0                 lbz       r12, vfzg     # Load Byte and Zero
ROM:00596DB4                 cmpwi     r12, 8        # Compare Word Immediate
ROM:00596DB8                 bge       loc_596DF8    # Branch if greater than or equal
ROM:00596DBC                 lbz       r12, nmot     # Load Byte and Zero
ROM:00596DC0                 cmpwi     r12, 0x51     # Compare Word Immediate
ROM:00596DC4                 ble       loc_596DF8    # Branch if less than or equal
ROM:00596DC8                 lbz       r12, Wped     # Load Byte and Zero
ROM:00596DCC                 cmpwi     r12, 0x26     # Compare Word Immediate
ROM:00596DD0                 ble       loc_596DF8    # Branch if less than or equal
ROM:00596DD4                 lbz       r12, B_kuppl  # Load Byte and Zero
ROM:00596DD8                 cmpwi     r12, 1        # Compare Word Immediate
ROM:00596DDC                 bne       loc_596DF8    # Branch if not equal
ROM:00596DE0                 li        r12, 1        # Load Immediate
ROM:00596DE4                 stb       r12, byte_807005 # Store Byte
ROM:00596DE8                 li        r30, 0xDF     # Load Immediate
ROM:00596DEC                 li        r31, 0xDF     # Load Immediate
ROM:00596DF0                 stb       r30, byte_7FEDE0 # Store Byte
ROM:00596DF4                 b         loc_4C6354    # Branch
ROM:00596DF8 # ---------------------------------------------------------------------------
ROM:00596DF8
ROM:00596DF8 loc_596DF8:                             # CODE XREF: sub_4C62A4+D0B14j
ROM:00596DF8                                         # sub_4C62A4+D0B20j ...
ROM:00596DF8                 li        r12, 0        # Load Immediate
ROM:00596DFC                 stb       r12, byte_807005 # Store Byte
ROM:00596E00                 stb       r30, byte_7FEDE0 # Store Byte
ROM:00596E04                 b         loc_4C6354    # Branch
ROM:00596E08 # ---------------------------------------------------------------------------

Attached are the BIN file i found. have fun guys and enjoy!

The code you are looking at is 100% the one that BC consulting is using thus the non commercial file posting rule applies.

As for the signature you just didn`t pay attention to the XOR command with the 0xBCBC string.If i remember correctly the vin is also included.

This code is utilizing the same method that has been described by basano years ago by switching to different LDRXN maps.In any case that is not a mutlimap that has many options. Just ldrxn is useless in order to make a proper good tune.

Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #2 on: March 07, 2018, 03:34:53 AM »

Forgot to mention that the lc function is probably not what you are looking for.It is a kind of 2 step but without bangs and most important it will not produce the boost you are going to need in big turbo applications.It is safe for catalytic systems though..
Logged
vwnut8392
Sr. Member
****

Karma: +19/-7
Offline Offline

Posts: 271


« Reply #3 on: March 07, 2018, 01:44:42 PM »

Thanks for sharing. i dont know very little about disassembling MED9, im just starting to learn it. i was just looking for branding like normal commercial tuners add to files.

as for the launch control i have a feeling your right about it not being the hard cut version. either way its a starting point to learn how the code works and can be modified. i really want to use the spark cut version but anyone who has ever talked about it/developed it publically pulled all their info because tuners took the info and was selling it which in turn made these guys mad i guess.
« Last Edit: March 07, 2018, 01:48:03 PM by vwnut8392 » Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #4 on: March 07, 2018, 02:18:49 PM »

There was never a public code for med9.1 and at least here no one took back anything.

This is not a good way to start and i would suggest to go into basano`s posts about med9.1 because those will help.

For the als nls there are many ways to approach it but you need to do plenty of things to get a fireball going as it is not like me7.

A simple lc and nls function though is not very hard to do once you get things going with small code parts.If you don`t have your own test car it will be much harder to make something satisfying.

It would be good to ask Nyet about the commercial file post as you could just keep the parts of code you already posted.

Good luck.
Logged
vwnut8392
Sr. Member
****

Karma: +19/-7
Offline Offline

Posts: 271


« Reply #5 on: March 07, 2018, 04:52:11 PM »

There was never a public code for med9.1 and at least here no one took back anything.

This is not a good way to start and i would suggest to go into basano`s posts about med9.1 because those will help.

For the als nls there are many ways to approach it but you need to do plenty of things to get a fireball going as it is not like me7.

A simple lc and nls function though is not very hard to do once you get things going with small code parts.If you don`t have your own test car it will be much harder to make something satisfying.

It would be good to ask Nyet about the commercial file post as you could just keep the parts of code you already posted.


Good luck.

From past experience at looking at the spark cut launch control in other motronics like ME7 and even old M2.3.2 it seems that forcing a false value on anything close to SWOUT or ZWOUT in RAM give the desired effect. i have not looked at the MED9 function sheet yet to see how the ignition system actually functions it seems to me that the apple never fell far from the tree when it came to motronic. it evolved but never really changed a ton because it worked well in the beginning so why try and re-invent the wheel. know what i mean. im sure MED9 has a lot more fail safes than previous motronics and it gets worse as it evolves too. im going to look into it though and use this file as a learning file. i do get that you said most of it is sort of useless but i can now see the difference between hand added code from a human and the bosch machine generated code from when the ECU was developed/manufacturered.

i have read through a few of basano's posts already and they are helping too. very well educated man.

I will mesaage him or maybe he will chime in on this post about the file and if its valid. i have no problems removing it if its not valid. 

My only issue at the moment that would help a lot is identifying what is what in RAM. a few of basano's post talked about finding things but im still having problems finding the stuff that relates to the ignition system. there was one generator that would identify some of the RAM but nothing important as to what im focusing on. it gave me like wped, B_kuppl, and a few other variables like that which helped. what i was doing was trying to use the one map that everyone uses for spark cut RPM limiter in ME7 to locate the RAM ignition interruption. this map is still in MED9 and i think it will lead me to the end result. in all honesty i hate that solution for hard RPM limiter in ME7 lol. it sucks. i re-purposed the coolant temp check for a hard RPM limiter in ME7 instead, it just seems like a better solution. oh well enough rambling, back to looking at this stuff. thanks for the help and info.
Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #6 on: March 20, 2018, 11:46:35 AM »

From past experience at looking at the spark cut launch control in other motronics like ME7 and even old M2.3.2 it seems that forcing a false value on anything close to SWOUT or ZWOUT in RAM give the desired effect.

Why force a false one when you can give it exactly what it needs?Huh? on med9 it is simple

li          r30, 0
sth       r30, szout_w

But again that is not the only thing you need.This will act like a hard cut limiter but no bangs will happen.First you need to retard the ignition for around 160rpm before this happens.
Logged
vwnut8392
Sr. Member
****

Karma: +19/-7
Offline Offline

Posts: 271


« Reply #7 on: June 17, 2018, 02:24:32 PM »

what else is needed?
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.021 seconds with 17 queries. (Pretty URLs adds 0s, 0q)