Pages: 1 2 [3] 4 5
Author Topic: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)  (Read 75475 times)
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1277



« Reply #30 on: January 15, 2019, 06:41:43 AM »

Hahahahaa....simple huh.Thanks. I will try it.

@Blazius...Thanks man. it worked.

You are welcome Smiley
Logged
moodz
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 9

Im addicted to developments


WWW
« Reply #31 on: May 14, 2019, 03:00:07 PM »

This is awesome work! you are a genius!
Im more than happy to assists with the GUI, (external offcoarse)

amazingly i just wrote a program to find maps in the 180HP vag me7.5 today ,only to find this that is just on another level.

respect!

Logged

---------------------------------------
Wayne Modz (ToxicTuning)
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #32 on: June 12, 2019, 07:02:30 AM »

I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ecu dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.

Another big advantage is I was able to ignore the differences between a 512Kbyte compiled function and a 1Mb compiled function in that the extX (e.g. extp etc.) instructions used to get access to larger address space can be ignored in both the needles and the rom code being searched through as part of a 'fuzzy logic' based search. The net result is that even functions compiled for a 512Kbyte rom file can be discovered on a larger address space rom like a 1Mb one without having to have unique signatures for each different variation just because a few differences existed due to the way the compiler addresses memory (short vs long memory model). Also going to do the same for a few other instructions too meaning that its technically possible in the future to define signatures based on higher level requirements such as finding that a function used variables like 'nmot' and looked up some known table references. Based on this inference you can pretty much auto discover a huge number of functions without requiring tonnes of signatures...

So yes, you could say this works really well!

Watch this space!

Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #33 on: June 12, 2019, 07:07:56 AM »

E.g...

0x00067DD0:
  • E6 FC 970B ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x00067DD4:
  • E6 FD 0602 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x00067DD8:
  • C2 FE 74F2 ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x00067DDC:
  • D7 40 E100 ~~  C2 00 0000 ; extx  ... SKIP OPCODE IN NEEDLE
0x00067DE0:
  • C2 FF 710A ~~  C2 00 0000 ; extx  ... SKIP OPCODE IN BUFFER
0x00067DE0:
  • C2 FF 710A ==  C2 XX 0000 ; extx  ... : ** MATCH [4] **
0x00067DE4:
  • DA 83 DC46 ==  DA XX 0000 ; calls     : ** MATCH [4] **
0x00067DE8:
  • F1 XX       ==  F1 XX       ; movb      : ** MATCH [2] **
match #2 at offset 0x00067DD0 (0x2602df0)


0x00067DD0: (+0  )  E6 FC 97 0B                  mov      r12, #0B97h
0x00067DD4: (+4  )  E6 FD 06 02                  mov      r13, #0206h
0x00067DD8: (+8  )  C2 FE 74 F2                  movbz    r14, byte_F274
0x00067DDC: (+12 )  D7 40 E1 00                  extp     #00E1h, #1
0x00067DE0: (+16 )  C2 FF 71 0A                  movbz    r15, byte_A71
0x00067DE4: (+20 )  DA 83 DC 46                  calls    83h, loc_646DC
; ------------------------------------------------------------------------------

***
KFAGK      @ ROM:0x818b97 RAM:0x25b3bb7 File-Offset:0x18b97 (seg=0x0206 val=0x0B97)

KFAGK
    Long identifier:           Characteristic map for exhaust flap changeover.
    Display identifier:
    Address:                   0x818b97
    Value:

 No.           |        0        1        2        3        4        5        6        7        8        9
            PHY|   880.00   920.00  1000.00  3320.00  3400.00  4520.00  5840.00  5920.00  6000.00  9000.00
 --------------+------------------------------------------------------------------------------------------
  0         PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0
  10        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0
  26        PHY|      0.0      0.0      0.0      0.0      1.0      1.0      1.0      1.0      2.0      2.0
  50        PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0
  81        PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0
  100       PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0


    Cells:
      Unit:
      Conversion name:         rel_uw_b200
      Conversion formula:      f(phys) = 0.0 + 1.000000 * phys
      Data type:               UBYTE
    X-axis:
      Unit:                    Upm
      Conversion name:         nmot_ub_q40
      Conversion formula:      f(phys) = 0.0 + 0.025000 * phys
      Data type:               UBYTE
    Y-axis:
      Unit:                    %
      Conversion name:         rel_uw_q0p75
      Conversion formula:      f(phys) = 0.0 + 1.333333 * phys
      Data type:               UBYTE
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #34 on: June 12, 2019, 07:12:25 AM »

vs ...

0x0004F0AE:
  • E6 FC EE08 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x0004F0B2:
  • E6 FD 0602 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x0004F0B6:
  • C2 FE 6CF8 ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x0004F0BA:
  • C2 FF 658B ~~  C2 00 0000 ; movbz     SKIP OPCODE IN NEEDLE
0x0004F0BA:
  • C2 FF 658B ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x0004F0BE:
  • DA 82 F49F ==  DA XX 0000 ; calls     : ** MATCH [4] **
0x0004F0C2:
  • F1 XX       ==  F1 XX       ; movb      : ** MATCH [2] **
match #4 at offset 0x0004F0AE (0x8d90ce)


0x0004F0AE: (+0  )  E6 FC EE 08                  mov      r12, #08EEh
0x0004F0B2: (+4  )  E6 FD 06 02                  mov      r13, #0206h
0x0004F0B6: (+8  )  C2 FE 6C F8                  movbz    r14, byte_F86C
0x0004F0BA: (+12 )  C2 FF 65 8B                  movbz    r15, byte_8B65
0x0004F0BE: (+16 )  DA 82 F4 9F                  calls    82h, loc_49FF4
; ------------------------------------------------------------------------------

0x0004F0C2: (+20 )  F1 E8                        movb     rl7, r14
***
KFAGK      @ ROM:0x8188ee RAM:0x8a290e File-Offset:0x188ee (seg=0x0206 val=0x08EE)

KFAGK
    Long identifier:           Characteristic map for exhaust flap changeover.
    Display identifier:
    Address:                   0x8188ee
    Value:

 No.           |        0        1        2        3        4        5        6        7        8        9       10       11       12       13
            PHY|   520.00  1000.00  1520.00  2000.00  3000.00  5120.00  5320.00  5520.00  6520.00  7520.00  8000.00  9000.00 10000.00 10200.00
 --------------+------------------------------------------------------------------------------------------------------------------------------
  0         PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0
  35        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0
  40        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      1.0      0.0      0.0      0.0      0.0      0.0      0.0
  47        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      1.0      1.0      1.0      1.0      1.0      1.0
  50        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0      2.0      2.0
  100       PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0      2.0      2.0


    Cells:
      Unit:
      Conversion name:         rel_uw_b200
      Conversion formula:      f(phys) = 0.0 + 1.000000 * phys
      Data type:               UBYTE
    X-axis:
      Unit:                    Upm
      Conversion name:         nmot_ub_q40
      Conversion formula:      f(phys) = 0.0 + 0.025000 * phys
      Data type:               UBYTE
    Y-axis:
      Unit:                    %
      Conversion name:         rel_uw_q0p75
      Conversion formula:      f(phys) = 0.0 + 1.333333 * phys
      Data type:               UBYTE

Fuzzy Matches <4>


Both are matched yet the code is different and the first (from a Ferrari F430) was discovered as well the one above (from a Ferrari 360) yet the 360 used a different version of the ecu on a 1Mb rom and the 360 a 512Kbyte rom.
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #35 on: June 12, 2019, 07:23:26 AM »

And tonnes of new features too like ability to auto analyze, discover and decode the pcodes, error classes, etc. and then from the table id's Do a REVERSE LOOKUP and identify the functions (from the direct lookup calls to the DTC functions!)... This is neat as you find all of the functions in one go rather than having to manually do a lot of work... Smiley


-[ Find Errorclass (Ferrari Diagnostic P-Codes) ]-----------------

>>> Scanning for Errorclass Lookup code sequence - Variant #1...

found needle at offset=0x38892
CDTAAA     @ ROM:0x8135dc RAM:0x8745fc File-Offset:0x135dc (seg=0x0204 val=0x35DC)
CDKAAA     @ ROM:0x8133ec RAM:0x87440c File-Offset:0x133ec (seg=0x0204 val=0x33EC)

Skip Offset 1984
Number of CARB Table Entries: 124
ErrorClass Table Start: ROM:0x812C2C

Num Entries = 124
                     -----[ LH Bank 1 ]-----    -----[ RH Bank 2 ]-----
                     min   max   sig   npl      min   max   sig   npl
0x00 [000]      AAA: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Dummy Table Start [DFPM_DFPM]
0x01 [001]      AAV: P1462,P1462,P1462,P1462    P0449,P0449,P0449,P0449 : Activated Carbon Filter Shut-Off Valve (Function) [DFPM_DTESK]
0x02 [002]     AAVE: P0000,P0000,P0000,P0000    P0446,P0448,P0447,P0000 : Activated Carbon Filter Shut-Off Valve (Power Amplifier) [DFPM_DEKON]
0x03 [003]     AGKE: P1461,P1461,P1461,P1461    P1448,P1448,P1448,P1448 : Exhaust Bypass Valves [DFPM_DEKON]
0x04 [004]     AGRE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Monitoring EGR Power Amplifier [DFPM_DUMMY_D]
0x05 [005]     AGRF: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Monitoring AGR-FLOW [DFPM_DUMMY_D]
0x06 [006]       BM: P0000,P0000,P0000,P0386    P0000,P0000,P0000,P0336 : Engine Revolution Sensing [DFPM_DDG]
0x07 [007]    BREMS: P1569,P1569,P1569,P1569    P0571,P0571,P0571,P0571 : Brake Pedal Encoder [DFPM_GGEGAS]
0x08 [008]      BWF: P0000,P0000,P0000,P0000    P1639,P1639,P1639,P1639 : PWG Movement [DFPM_GGPED]
0x09 [009]      CAS: P1631,P1631,P1631,P1631    P1626,P1626,P1626,P1626 : CAN Interface: Timeout Anti-Slip Control (ABS/ASR ECU) [DFPM_DCAS]
0x0A [010]     CINS: P1675,P1675,P1675,P1675    P1674,P1674,P1674,P1674 : CAN Interface: Timeout Instrument (Dashboard ECU) [DFPM_DCINS]
0x0B [011]     CKUP: P1632,P1632,P1632,P1632    P1627,P1627,P1627,P1627 : CAN Interface: Timeout Electronic Clutch (TCU ECU) [DFPM_DCKUP]
0x0C [012]       DK: P0223,P0222,P0220,P0221    P0123,P0122,P0120,P0121 : DK - Throttle Body Potentiometer [DFPM_DDVE]
0x0D [013]     DK1P: P1190,P1191,P1192,P1192    P1173,P1172,P1170,P1170 : DK - Throttle Body 1. Poti [DFPM_DDVE]
0x0E [014]     DK2P: P1193,P1194,P1195,P1195    P1177,P1176,P1174,P1174 : DK - Throttle Body 2. Poti [DFPM_DDVE]
0x0F [015]      DPL: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Continuous plus [DFPM_DUMMY_D]
0x10 [016]      DSS: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Suction Pipe Pressure Sensor [DFPM_DUMMY_D]
0x11 [017]      DST: P0000,P0000,P0000,P0000    P0453,P0452,P0451,P0450 : Pressure Sensor Tank [DFPM_DDST]
0x12 [018]     DVEE: P1167,P1167,P1167,P1167    P1184,P1184,P1184,P1184 : DV-E Power Amplifier [DFPM_DDVE]
0x13 [019]     DVEF: P1163,P1163,P1163,P1163    P1180,P1180,P1180,P1180 : DV-E Feather Check Error [DFPM_DDVE]
0x14 [020]    DVEFO: P1162,P1162,P1162,P1162    P1179,P1179,P1179,P1179 : DV-E Return Spring Failure [DFPM_DDVE]
0x15 [021]     DVEL: P1171,P1171,P1171,P1171    P1185,P1185,P1185,P1185 : DV-E Position Deviation [DFPM_DDVE]
0x16 [022]     DVEN: P1164,P1164,P1164,P1164    P1181,P1181,P1181,P1181 : DV-E Error Checking Emergency Air Position [DFPM_DDVE]
0x17 [023]     DVER: P1175,P1175,P1175,P1175    P1186,P1186,P1186,P1186 : DV-E Control Range [DFPM_DDVE]
0x18 [024]     DVET: P1161,P1161,P1161,P1161    P1178,P1178,P1178,P1178 : DV-E Error Undefined [DFPM_DDVE]
0x19 [025]     DVEU: P1165,P1165,P1165,P1165    P1182,P1182,P1182,P1182 : DV-E Errors in UMA Learning [DFPM_DDVE]
0x1A [026]    DVEUB: P1196,P1196,P1196,P1196    P1187,P1187,P1187,P1187 : DV-E Errors in Motor Driven Throttle [DFPM_DDVE]
0x1B [027]    DVEUW: P1197,P1197,P1197,P1197    P1188,P1188,P1188,P1188 : DV-E Errors Undefined [DFPM_DDVE]
0x1C [028]     DVEV: P1166,P1166,P1166,P1166    P1183,P1183,P1183,P1183 : DV-E Amplifier Matching Error [DFPM_DDVE]
0x1D [029]     EGFE: P1148,P1148,P1148,P1148    P1145,P1145,P1145,P1145 : Load Detection [DFPM_EGFE]
0x1E [030]    EPCLE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Driving Behavior Error Lamp (Power Amplifier) [DFPM_DEKON]
0x1F [031]     ETSE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Electric Thermostat Power Amplifier [DFPM_DEKON]
0x20 [032]      EV1: P1217,P1229,P1241,P1205    P1213,P1225,P1237,P1201 : EV by Cylinder 1 [DFPM_DEKON]
0x21 [033]      EV2: P1218,P1230,P1242,P1206    P1214,P1226,P1238,P1202 : EV by Cylinder 2 [DFPM_DEKON]
0x22 [034]      EV3: P1219,P1231,P1243,P1207    P1215,P1227,P1239,P1203 : EV by Cylinder 3 [DFPM_DEKON]
0x23 [035]      EV4: P1220,P1232,P1244,P1208    P1216,P1228,P1240,P1204 : EV by Cylinder 4 [DFPM_DEKON]
0x24 [036]     FP1P: P0000,P0000,P0000,P0000    P1146,P1147,P1147,P1149 : Throttle Pedal Poti 1 [DFPM_GGPED]
0x25 [037]     FP2P: P0000,P0000,P0000,P0000    P1150,P1151,P1151,P1153 : Throttle Pedal Poti 2 [DFPM_GGPED]
0x26 [038]      FPP: P0000,P0000,P0000,P0000    P1189,P1189,P1189,P1189 : Gas Pedal [DFPM_GGPED]
0x27 [039]     FRAO: P1158,P1157,P1157,P1157    P1156,P1155,P1155,P1155 : LR-Adaption Upper Multiplicative [DFPM_DKVS]
0x28 [040]     FRAU: P1154,P1152,P1152,P1152    P1160,P1159,P1159,P1159 : LR Adaption Lower Multiplicative [DFPM_DKVS]
0x29 [041]     FRST: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : LR Deviation [DFPM_DKVS]
0x2A [042]     GRBH: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : GRA Control Lever Error [DFPM_GGFGRH]
0x2B [043]      HSH: P0000,P0000,P0000,P1113    P0000,P0000,P0000,P1144 : Lambda Probe Heater Behind Catalyst [DFPM_DHLSHK]
0x2C [044]     HSHE: P1110,P1121,P1122,P0000    P1105,P1117,P1118,P0000 : Power amplifier heating probe behind cat. [DFPM_DEKON]
0x2D [045]      HSV: P1107,P1119,P1120,P1114    P1102,P1115,P1116,P1103 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU]
0x2E [046]     HSV2: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Lambda probe heater in front of catalyst; (Bank2) [DFPM_DHLSU]
0x2F [047]    HSVSA: P1198,P1198,P1198,P1198    P1135,P1135,P1135,P1135 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU]
0x30 [048]   HSVSA2: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Lambda Probe Heating 2 before Catalyst [DFPM_DHLSU]
0x31 [049]      KAS: P1454,P1454,P1454,P1454    P1446,P1446,P1446,P1446 : Catalyst Protection Active [DFPM_SAK]
0x32 [050]      KAT: P0432,P0432,P0432,P0432    P0422,P0422,P0422,P0422 : Catalyst Efficiency [DFPM_DKAT]
0x33 [051]     KATT: P1449,P1449,P1449,P1449    P1445,P1445,P1445,P1445 : Catalyst Temperature [DFPM_DTKAT]
0x34 [052]     KOSE: P0000,P0000,P0000,P0000    P1456,P1457,P1455,P1455 : Air Conditioning Compressor Control Power Amplifier [DFPM_DEKON]
0x35 [053]      KPE: P1505,P1504,P1506,P1503    P1502,P1501,P1541,P1500 : EKP relay power amplifier [DFPM_DEKON]
0x36 [054]     KRNT: P1387,P1387,P1387,P1387    P1386,P1386,P1386,P1386 : Knock Control Null Test [DFPM_DKRNT]
0x37 [055]     KROF: P1390,P1390,P1390,P1390    P1388,P1388,P1388,P1388 : Knock Control Offset [DFPM_DKRNT]
0x38 [056]     KRTP: P1394,P1394,P1394,P1394    P1393,P1393,P1393,P1393 : Knock Control Test Pulses [DFPM_DKRTP]
0x39 [057]      KS1: P1384,P1383,P1384,P1384    P0328,P0327,P0325,P0326 : Knock Sensor 1 [DFPM_DKRS]
0x3A [058]      KS2: P1385,P1382,P1385,P1385    P0333,P0332,P0330,P0331 : Knock Sensor 2 [DFPM_DKRS]
0x3B [059]      KS3: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Knock Sensor 3 [DFPM_DKRS]
0x3C [060]      KS4: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Knock Sensor 4 [DFPM_DKRS]
0x3D [061]     LASH: P0159,P0159,P0159,P0159    P0139,P0139,P0139,P0139 : Lambda Probe aging behind cat. [DFPM_DLSAHK]
0x3E [062]     LATP: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TP [DFPM_DUMMY_D]
0x3F [063]     LATV: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TV [DFPM_DUMMY_D]
.. cut .. cut ... cut

 
Logged
nyet
Administrator
Hero Member
*****

Karma: +604/-166
Offline Offline

Posts: 12232


WWW
« Reply #36 on: June 12, 2019, 08:38:57 AM »

AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1277



« Reply #37 on: June 12, 2019, 09:02:11 AM »

AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)

Thats amazing. btw n156 is not in ESKONF via FR is it? I need to code it out but I dont know which pair is it Cheesy
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #38 on: June 12, 2019, 01:35:17 PM »

AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)

Yes ESKONF is entirely possible to detect and I already support it!

... however the meanings to decode it are specific to a vehicle model so quite how you'd interpret and visualize that is challenging to understand, config files perhaps?

Here's the way it works on the Ferrari 360 version of ME7 Swiss Army Knife..

Code:
-[ ESKONF Configuration of power stage (actuators) ]-----------------------------
                                                                                
>>> Scanning for ESKONF Lookup code sequence...                                  
                                                                                
found needle at offset=0x55da2                                                  
                                                                                
 1. Configuration of output stages                                              
 =================================                                              
 The configuration is made with the Label ESKONF_R (right bank) & ESKONF_L (left
                                                                                
 Every byte is standing for 4 output stages. Therefore every output stage has got
 configuration Bits.                                                            
                                                                                
 Enable of the output stages diagnosis                                          
 -------------------------------------                                          
 With the configurations-Bytes in ESKONF the functions have to be set active / in
 on the available components in the car. At the same time with the 2 Bits the fun
 diagnosis is set.                                                              
                                                                                
 Assignment of the Bit pattern:                                                  
 ------------------------------                                                  
 00  Diagnosis active with OBDII-malfunction storage with test of healing        
 01  Diagnosis active without OBDII-malfunction storage with test of healing    
 10  Diagnosis active without OBDII-fault memory without test of healing (EKP)  
 11  Diagnosis not active                                                        
                                                                                
                                                                                
ESKONF_L @ ADR:0x810acd (offset 0x10acd) - Left Bank Configuration              
----------+----------------------------------------------------------------------
[i] Hex   |           Bit                                                        
          | 76     54     32     10                                              
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1                                            
[0] 0x00  | 00     00     00     00                                              
          | M52    M03    M35    M19                                            
          +----------------------------------------------------------------------
          | M52   Cylinder 6 injector control power output                      
          | M03   Cylinder 8 injector control power output                      
          | M35   Cylinder 7 injector control power output                      
          | M19   Cylinder 5 injector control power output                      
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL                                            
[1] 0x33  | 00     11     00     11                                              
          | M34    M21    M05    F46                                            
          +----------------------------------------------------------------------
          | M34   LH rear Lambda sensor heater (duty cycle) Power output        
          | M21   Not Used                                                      
          | M05   Control for LH canister purge valve (duty cycle) Power output  
          | F46   Not Used                                                      
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL                                            
[2] 0xbf  | 10     11     11     11                                              
          | F30    F50    M02    F02                                            
          +----------------------------------------------------------------------
          | F30   Fuel pump control Digital output                              
          | F50   Not Used                                                      
          | M02   Not Used                                                      
          | F02   Not Used                                                      
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2                                            
[3] 0xff  | 11     11     11     11                                              
          | Fxx    Fxx    F13    F62                                            
          +----------------------------------------------------------------------
          | Fxx   Not Used                                                      
          | Fxx   Not Used                                                      
          | F13   Not Used                                                      
          | F62   Not Used                                                      
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx                                            
[4] 0xfc  | 11     11     11     00                                              
          | M53    M04    M36    M20                                            
          +----------------------------------------------------------------------
          | M53   Not Used                                                      
          | M04   Not Used                                                      
          | M36   Not Used                                                      
          | M20   Control for LH exhaust by-pass power output                    
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[5] 0xff  | 11     11     11     11                                              
          | F18    F33    F34    F01                                            
          +----------------------------------------------------------------------
          | F18   Not Used                                                      
          | F33   Not Used                                                      
          | F34   Not Used                                                      
          | F01   Not Used                                                      
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[6] 0xff  | 11     11     11     11                                              
          | M13    M13    M45    M45                                            
          +----------------------------------------------------------------------
          | M13   Not Used                                                      
          | M13   Not Used                                                      
          | M45   Not Used                                                      
          | M45   Not Used                                                      
----------+----------------------------------------------------------------------
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #39 on: June 12, 2019, 01:36:43 PM »

.. and also does the same decoding for RHS bank too...

Code:
ESKONF_R @ ADR:0x810ad4 (offset 0x10ad4) - Right Bank Configuration
----------+----------------------------------------------------------------------
[i] Hex   |           Bit
          | 76     54     32     10
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1
[0] 0x00  | 00     00     00     00
          | M52    M03    M35    M19
          +----------------------------------------------------------------------
          | M52   Cylinder 2 injector control power output
          | M03   Cylinder 4 injector control power output
          | M35   Cylinder 3 injector control power output
          | M19   Cylinder 1 injector control power output
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL
[1] 0x33  | 00     11     00     11
          | M34    M21    M05    F46
          +----------------------------------------------------------------------
          | M34   RH rear Lambda sensor heater (duty cycle) power output
          | M21   Not Used
          | M05   Control for RH canister purge valve (duty cycle) power output
          | F46   Not Used
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL
[2] 0xbf  | 10     11     11     11
          | F30    F50    M02    F02
          +----------------------------------------------------------------------
          | F30   Fuel pump control digital output
          | F50   Not Used
          | M02   Not Used
          | F02   Not Used
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2
[3] 0xf3  | 11     11     00     11
          | Fxx    Fxx    F13    F62
          +----------------------------------------------------------------------
          | Fxx   Not Used
          | Fxx   Not Used
          | F13   A/C compressor control digital output
          | F62   Secondary air pump control digital output
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx
[4] 0x00  | 00     00     00     00
          | M53    M04    M36    M20
          +----------------------------------------------------------------------
          | M53   Modular manifolds control power output
          | M04   Compensation throttle control power output
          | M36   Timing variator control  Digital output
          | M20   Control for RH exhaust by-pass power output
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[5] 0xff  | 11     11     11     11
          | F18    F33    F34    F01
          +----------------------------------------------------------------------
          | F18   Canister closing control power output
          | F33   Not Used
          | F34   Secondary air valve control digital output
          | F01   Not Used
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[6] 0xff  | 11     11     11     11
          | M13    M13    M45    M45
          +----------------------------------------------------------------------
          | M13   Not Used
          | M13   Not Used
          | M45   Not Used
          | M45   Not Used
----------+----------------------------------------------------------------------
Secondary Air Valve Diagnostics are off: This is probably a European spec car
Air Injection Diagnostics are off: This is probably a European spec car
LH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
RH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
LH Canister Purge Valve is: on
RH Canister Purge Valve is: on
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #40 on: June 12, 2019, 01:53:44 PM »

On the Ferrari 360 its really easy to detect functions (and even the GPIO bsets) from discovery of the ESKONF..

For example. Here's the segment of code regarding selection of either LHS or RHS banks...

                       DEKON_Get_ESKONF:
9A 23 09 E0                             jnb     word_FD46.14, Get_ESKONF_L ; Are we running on LHS or RHS ?
                        Get_ESKONF_R:
E6 F4 E6 4F                             mov     r4, #prokon_tbl_RHS
F6 F4 F8 A0                             mov     dekon_v, r4
E6 F5 EB 0A                             mov     r5, #ESKONF_R   ; ESKONF_R : Undefined [DEKON]
F6 F5 FA A0                             mov     ram_ESKONF_p, r5
DB 00                                   rets
                        Get_ESKONF_L:                           ; ...
E6 F4 64 50                             mov     r4, #prokon_tbl_LHS
F6 F4 F8 A0                             mov     dekon_v, r4
E6 F5 E4 0A                             mov     r5, #ESKONF_L   ; ESKONF_L : Undefined [DEKON]
F6 F5 FA A0                             mov     ram_ESKONF_p, r5
DB 00                                   rets



If you decode the lookup tables you see something like this (after you correctly define the offsets);


                       ESKONF_R - Right Bank Configuration
                        ----------+----------------------------------------------------------------------
                         Hex   |           Bit
                                  | 76     54     32     10
                        ----------+----------------------------------------------------------------------
                                  | EV4    EV3    EV2    EV1
                        
  • 0x00  | 00     00     00     00
                                 | M52    M03    M35    M19
                                  +----------------------------------------------------------------------
                                  | M52   Cylinder 2 injector control power output
                                  | M03   Cylinder 4 injector control power output
                                  | M35   Cylinder 3 injector control power output
                                  | M19   Cylinder 1 injector control power output
                        ----------+----------------------------------------------------------------------

02 00                   prokon_tbl_RHS: dw 2                    ; ...
8A C3                                   dw Process_State_Cylinder2_InjectorControl ; M19
84 00                                   dw 84h
DA C3                                   dw Process_State_Cylinder4_InjectorControl ; M35
84 00                                   dw 84h
2A C4                                   dw Process_State_Cylinder3_InjectorControl ; M03
84 00                                   dw 84h
7A C4                                   dw Process_State_Cylinder1_InjectorControl ; M52
84 00                                   dw 84h

                        ----------+----------------------------------------------------------------------
                                  | LSHVK1 xxxx   TEV    MIL
                        [1] 0x33  | 00     11     00     11
                                  | M34    M21    M05    F46
                                  +----------------------------------------------------------------------
                                  | M34   RH rear Lambda sensor heater (duty cycle) power output
                                  | M21   Not Used
                                  | M05   Control for RH canister purge valve (duty cycle) power output
                                  | F46   Not Used
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
90 B2                                   dw Process_State_Unused ; F46
84 00                                   dw 84h
78 85                                   dw Process_State_CanisterPurgeValveDutyCycleOutput_Control ; M05
85 00                                   dw 85h
90 B2                                   dw Process_State_Unused ; M21
84 00                                   dw 84h
6C 87                                   dw Process_State_O2Sensor_Heater_Output ; M34
85 00                                   dw 85h

                        ----------+----------------------------------------------------------------------
                                  | EKP    LUE1   LSHVK2 MIL
                        [2] 0xbf  | 10     11     11     11
                                  | F30    F50    M02    F02
                                  +----------------------------------------------------------------------
                                  | F30   Fuel pump control digital output
                                  | F50   Not Used
                                  | M02   Not Used
                                  | F02   Not Used
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
90 B2                                   dw Process_State_Unused ; F02
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; M02
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; F50
84 00                                   dw 84h
D0 87                                   dw Process_State_FuelPumpControl ; F30
85 00                                   dw 85h

                        ----------+----------------------------------------------------------------------
                                  | --     --     KOS    LUE2
                        [3] 0xf3  | 11     11     00     11
                                  | Fxx    Fxx    F13    F62
                                  +----------------------------------------------------------------------
                                  | Fxx   Not Used
                                  | Fxx   Not Used
                                  | F13   A/C compressor control digital output
                                  | F62   Secondary air pump control digital output
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
F2 85                                   dw Process_State_SecondaryAirPumpControl ; F62
85 00                                   dw 85h
9E 87                                   dw Process_State_AC_CompressorOutput ; F13
85 00                                   dw 85h
90 B2                                   dw Process_State_Unused ; Fxx - Not Used
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; Fxx - Not Used
84 00                                   dw 84h

                        ----------+----------------------------------------------------------------------
                                  | xxxx   SU1    NWS    xxxx
                        [4] 0x00  | 00     00     00    

... cut ... cut ... cut ...


Logged
IamwhoIam
Hero Member
*****

Karma: +43/-99
Offline Offline

Posts: 1030


« Reply #41 on: June 12, 2019, 02:53:31 PM »

Nice job man! When is this big update coming?
Logged

I have no logs because I have a boost gauge (makes things easier)
nyet
Administrator
Hero Member
*****

Karma: +604/-166
Offline Offline

Posts: 12232


WWW
« Reply #42 on: June 12, 2019, 02:55:14 PM »

Yes ESKONF is entirely possible to detect and I already support it!

... however the meanings to decode it are specific to a vehicle model so quite how you'd interpret and visualize that is challenging to understand, config files perhaps?



For unknown vehicles just outputting GPIO information would be sufficient, since all thats needed for the rest is the schematic. Beats trail and error.
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1277



« Reply #43 on: June 12, 2019, 03:00:20 PM »

btw. if you dont me asking, how the hell did you get ur hands on a ferrari 360 :"D
Logged
nyet
Administrator
Hero Member
*****

Karma: +604/-166
Offline Offline

Posts: 12232


WWW
« Reply #44 on: June 12, 2019, 03:04:19 PM »

also, offtopic but it bears mention: if not for this fine fellow me7sum would not exist Smiley
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
Pages: 1 2 [3] 4 5
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.136 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)