Pages: [1]
Author Topic: ME7.5 Launch Control On 4B0906018CH_360854  (Read 7830 times)
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« on: May 11, 2018, 09:27:07 AM »

Im hoping Im placing this in the right section.

I just recently helped install this into a S4 M-Box and the results were fantastic.  I had intentions of doing this eventually but the success there has made me want to do it to my car sooner.  I have disassembled my ch-box and loaded all the RAM values that I know.  I have also disassembled the M-Box anti lag file.  I have found the proper place to interrupt the routine and jump to the patched code in both files.

The jump replaces the bits F3 F8 F3 8A with DA 88 00 E8.

The original code reads
movb      r14, byte_380AF3

its is replaced by
calls       88h, sub_88E800

Where the subroutine for the function is located.  Where Im having an issue is that 88E800 is used for instruction on my ECU and I need to place the routine elsewhere.  I am new to disassembly and patching, and Im looking at this as my way to learn more.  Id like to insert the routine at 0x8A4000.  Im going to do more research to understand the assembly, but could someone help me edit this line?  My stab in the dark would be DA 8A 00 40?
Logged
woj
Hero Member
*****

Karma: +43/-3
Offline Offline

Posts: 500


« Reply #1 on: May 11, 2018, 10:30:01 AM »

Your stab in the dark would be correct. However, since you need to ask this, I would really really strongly suggest going through this:

http://www.st.com/content/ccc/resource/technical/document/programming_manual/27/c0/48/83/94/9d/4d/45/CD00147146.pdf/files/CD00147146.pdf/jcr:content/translations/en.CD00147146.pdf

page by page (they are not very dense and less than 200 in total Wink) before you do any code hacks yourself. Specifically you said "movb r14" instead of "movb rl4". Missing on small details like this is the source of all kinds of cries for help later on Wink
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #2 on: May 11, 2018, 11:36:41 AM »

Thank you.  I will read all of that.  Its why I'm using this as a guide.  This is something that properly works and I can reconfigure it to understand what's going on.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #3 on: May 12, 2018, 06:44:58 PM »

Ok.  So I think I'm doing good cross checking everything.  I have the code inserted and matching the image of the m box.  I have the bits for the controls entered in the ROM and addressed properly.  Where I'm running into an issue is referencing the RAM addresses.
Code reads
F2 F4 40 8E
mov.    r4, word_380E40

It references vfil_w.

In my file vfil_w is located at 0x381C40.  The coding from the file says mov can be referenced F2 RR MM MM as reg, mem. 

I followed another cross reference and got
F6 F2 40 9C
mov.    word_381C40, r2
And it says with F6 for mov the format is mem, reg.

I'm trying, but I dont get it.  Can someone help get me back on track?

Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #4 on: May 12, 2018, 06:59:52 PM »

I got it.

F2 F4 40 9C
From what I see
F2 = mov reg, men
F4 = r4
40 = ending in 40
9C =ram location 1C

Am I getting it?
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #5 on: May 12, 2018, 08:01:11 PM »

This is incredible.  I'm learning so incredibly much.  So for the m box, the code you splice in at reads like this.
F0 49 F7 F8 AC 8D F3 F8 F3 8A
With the F3 F8 F3 8A being replaced by DA 88 00 E8.

So it reads
mov.   r4, r9
movb.   tsrldyn, r14
movb.   ub, r14

I realized I had been splicing in at the wrong place using F3 F8 F3 8A.

Using this, I rewrote my search parameters to find
F0 49 F7 A4 8B(my location for tsrldyn) F3 F8 9C 89(my location for ub)

So now I feel really confident that I have things put together correct once I correct the values for the ub RAM location.  im going to post some shots of the disassembly to see if anyone sees any error.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #6 on: May 12, 2018, 08:18:00 PM »

Ok.  This is the copying of the routine for the M-Box v2 Launch Control and No Lift Shift.  Its been adjusted for the RAM locations, free space in the file, and had the areas added for the scalars.  Im going to be posting a stock file with the adjustments edited in and hopefully make this available for the 1.8t ch box.  There is a rets not included in teh screenshots to complete the routine.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #7 on: May 12, 2018, 08:29:18 PM »

So I think I have it together.  Here is the stock file with launch control and no lift shift applied.  This file is for the review of others and untested on any vehicle.  I dont really know any assembly.  Use it at your own risk.  File is not checksummed.
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #8 on: May 15, 2018, 06:30:42 PM »

The original file contained the wrong RAM locations for the brake and clutch pedal.  This is the corrected file.
Logged
TijnCU
Hero Member
*****

Karma: +60/-4
Offline Offline

Posts: 690


flying brick


« Reply #9 on: May 17, 2018, 01:47:23 AM »

If you get checksum problems after using this file, change 384FF0 to 383xxx, I have never had issues with that ram range.
You did a good job by dissecting this code to understand how stuff works  Smiley
Logged

Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #10 on: May 18, 2018, 05:46:56 AM »

So, after some frustration looking at the thread on antilag revisions that existed but were never released, im taking a stab at this myself.  To do what I'd like, I'd like to set a byte of ROM to be CWALS.  That way individual features could be controlled by CWALS.0, CWALS.1, etc like the other areas of the system.  Then use the conditions to set a RAM location, e.g. B_launch_control.  From there that RAM location could be used to alter as many maps as desired to refine the launch control.  LAMFAW, KFZW, misfire and knock recognition.

So at work with a pen and paper and my rudimentary understanding of assembly, heres what I've come up with.. Obviously there are some addresses that need to be added and some missing data points but I'm just after the structure.

jmpa. CWALS.0, BIt set routine
Movb. B_launch_control, ZEROS
Jmpa. cc_UC resume


Bit set routine
Jnb.  Clutch pedal switch
Mov. r4, RAM_Coolant Temperature
Exts
Mov r9, temperature threshold
Cmp r4,r9
Jmpa cc_C
Mov r4, RAM Vehicle speed
Exts
Nov r9, ROM Launch Control Speed Threshold
Cmp. r4,r9
Jmp. cc_NC
Mov r4, RAM Engine Speed
Exts
Mov. r9, ROM Launch RPM
Cmp. r4,r9
Jmpa cc_ULE
Movb RAM_B_Launch Control, ONES
Jmpa. cc_UC resume

For conditions not true
Movb. RAM_Launch Control, Zeros
Jmpa. cc_UC resume

Do I have a good idea of the coding path and just need to get the locations figured out?  I am happy to have any input.
Logged
woj
Hero Member
*****

Karma: +43/-3
Offline Offline

Posts: 500


« Reply #11 on: May 18, 2018, 06:48:53 AM »

You might have missed this: http://nefariousmotorsports.com/forum/index.php?topic=10485.msg114637#msg114637
Logged
Cadensdad14
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 134


« Reply #12 on: May 18, 2018, 07:45:43 AM »

I did and I will have to review that.  More coding to look at and spot patterns is great.  Part of this is just an exercise in assembly coding to learn it so I can implement things I want.  I have some ideas for things, and I'm starting with something I can do and log that doesnt interfere in any routines.  Once I have that down ill continue implementing things.
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.019 seconds with 18 queries. (Pretty URLs adds 0s, 0q)