Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« on: May 11, 2018, 09:27:07 AM »
|
|
|
Im hoping Im placing this in the right section.
I just recently helped install this into a S4 M-Box and the results were fantastic. I had intentions of doing this eventually but the success there has made me want to do it to my car sooner. I have disassembled my ch-box and loaded all the RAM values that I know. I have also disassembled the M-Box anti lag file. I have found the proper place to interrupt the routine and jump to the patched code in both files.
The jump replaces the bits F3 F8 F3 8A with DA 88 00 E8.
The original code reads movb r14, byte_380AF3
its is replaced by calls 88h, sub_88E800
Where the subroutine for the function is located. Where Im having an issue is that 88E800 is used for instruction on my ECU and I need to place the routine elsewhere. I am new to disassembly and patching, and Im looking at this as my way to learn more. Id like to insert the routine at 0x8A4000. Im going to do more research to understand the assembly, but could someone help me edit this line? My stab in the dark would be DA 8A 00 40?
|
|
|
Logged
|
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #2 on: May 11, 2018, 11:36:41 AM »
|
|
|
Thank you. I will read all of that. Its why I'm using this as a guide. This is something that properly works and I can reconfigure it to understand what's going on.
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #3 on: May 12, 2018, 06:44:58 PM »
|
|
|
Ok. So I think I'm doing good cross checking everything. I have the code inserted and matching the image of the m box. I have the bits for the controls entered in the ROM and addressed properly. Where I'm running into an issue is referencing the RAM addresses. Code reads F2 F4 40 8E mov. r4, word_380E40
It references vfil_w.
In my file vfil_w is located at 0x381C40. The coding from the file says mov can be referenced F2 RR MM MM as reg, mem.
I followed another cross reference and got F6 F2 40 9C mov. word_381C40, r2 And it says with F6 for mov the format is mem, reg.
I'm trying, but I dont get it. Can someone help get me back on track?
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #4 on: May 12, 2018, 06:59:52 PM »
|
|
|
I got it.
F2 F4 40 9C From what I see F2 = mov reg, men F4 = r4 40 = ending in 40 9C =ram location 1C
Am I getting it?
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #5 on: May 12, 2018, 08:01:11 PM »
|
|
|
This is incredible. I'm learning so incredibly much. So for the m box, the code you splice in at reads like this. F0 49 F7 F8 AC 8D F3 F8 F3 8A With the F3 F8 F3 8A being replaced by DA 88 00 E8.
So it reads mov. r4, r9 movb. tsrldyn, r14 movb. ub, r14
I realized I had been splicing in at the wrong place using F3 F8 F3 8A.
Using this, I rewrote my search parameters to find F0 49 F7 A4 8B(my location for tsrldyn) F3 F8 9C 89(my location for ub)
So now I feel really confident that I have things put together correct once I correct the values for the ub RAM location. im going to post some shots of the disassembly to see if anyone sees any error.
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #6 on: May 12, 2018, 08:18:00 PM »
|
|
|
Ok. This is the copying of the routine for the M-Box v2 Launch Control and No Lift Shift. Its been adjusted for the RAM locations, free space in the file, and had the areas added for the scalars. Im going to be posting a stock file with the adjustments edited in and hopefully make this available for the 1.8t ch box. There is a rets not included in teh screenshots to complete the routine.
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #7 on: May 12, 2018, 08:29:18 PM »
|
|
|
So I think I have it together. Here is the stock file with launch control and no lift shift applied. This file is for the review of others and untested on any vehicle. I dont really know any assembly. Use it at your own risk. File is not checksummed.
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #8 on: May 15, 2018, 06:30:42 PM »
|
|
|
The original file contained the wrong RAM locations for the brake and clutch pedal. This is the corrected file.
|
|
|
Logged
|
|
|
|
TijnCU
Hero Member
Karma: +60/-4
Offline
Posts: 690
flying brick
|
|
« Reply #9 on: May 17, 2018, 01:47:23 AM »
|
|
|
If you get checksum problems after using this file, change 384FF0 to 383xxx, I have never had issues with that ram range. You did a good job by dissecting this code to understand how stuff works
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #10 on: May 18, 2018, 05:46:56 AM »
|
|
|
So, after some frustration looking at the thread on antilag revisions that existed but were never released, im taking a stab at this myself. To do what I'd like, I'd like to set a byte of ROM to be CWALS. That way individual features could be controlled by CWALS.0, CWALS.1, etc like the other areas of the system. Then use the conditions to set a RAM location, e.g. B_launch_control. From there that RAM location could be used to alter as many maps as desired to refine the launch control. LAMFAW, KFZW, misfire and knock recognition.
So at work with a pen and paper and my rudimentary understanding of assembly, heres what I've come up with.. Obviously there are some addresses that need to be added and some missing data points but I'm just after the structure.
jmpa. CWALS.0, BIt set routine Movb. B_launch_control, ZEROS Jmpa. cc_UC resume
Bit set routine Jnb. Clutch pedal switch Mov. r4, RAM_Coolant Temperature Exts Mov r9, temperature threshold Cmp r4,r9 Jmpa cc_C Mov r4, RAM Vehicle speed Exts Nov r9, ROM Launch Control Speed Threshold Cmp. r4,r9 Jmp. cc_NC Mov r4, RAM Engine Speed Exts Mov. r9, ROM Launch RPM Cmp. r4,r9 Jmpa cc_ULE Movb RAM_B_Launch Control, ONES Jmpa. cc_UC resume
For conditions not true Movb. RAM_Launch Control, Zeros Jmpa. cc_UC resume
Do I have a good idea of the coding path and just need to get the locations figured out? I am happy to have any input.
|
|
|
Logged
|
|
|
|
woj
|
|
« Reply #11 on: May 18, 2018, 06:48:53 AM »
|
|
|
|
|
|
Logged
|
|
|
|
Cadensdad14
Full Member
Karma: +8/-1
Offline
Posts: 134
|
|
« Reply #12 on: May 18, 2018, 07:45:43 AM »
|
|
|
I did and I will have to review that. More coding to look at and spot patterns is great. Part of this is just an exercise in assembly coding to learn it so I can implement things I want. I have some ideas for things, and I'm starting with something I can do and log that doesnt interfere in any routines. Once I have that down ill continue implementing things.
|
|
|
Logged
|
|
|
|
|