Pages: [1]
Author Topic: EDC17CV52 Mandatory DPF regen shutdown.  (Read 1579 times)
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« on: March 04, 2018, 05:57:44 PM »

Hello all,

I have a vehicle with an EDC17CV52 ECU (Tricore 1797 micro). I'm attempting to shutdown the DPF system, but am having trouble stopping the mandatory 500 stand-still DPF regeneration from happening.

I have not been able to find an a2l file for this software in the ECU.

Somewhere in the software I'm expecting that there is a 'level' of 500 hours that I would like to set to something incredibly high, so the stand-still DPF regeneration will not be required during the life time of the vehicle.

I'm going to attempt to disassemble the ECU's bin file and hope to be able to find where the 500 hour 'level' is. This would be my first time using IDA Pro, and I'm hoping some of you with experience might be able to give me some direction.

Attached are some screenshots of what I've done to import the file into IDA Pro so far. Does this look correct?




Logged
prj
Hero Member
*****

Karma: +289/-29
Offline Offline

Posts: 3513


« Reply #1 on: March 04, 2018, 06:27:00 PM »

You are never going to find it without having a hex/a2l for a similar type of system, reverse engineering the routines and finding the routines in your binary.
And yeah you can just throw the binary in there... use the correct address for PFLASH though when loading it. It's not 0x0.
Logged
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #2 on: March 05, 2018, 06:56:59 PM »

Thanks for your reply and advice.

I've been unable to find a damos file for any EDC17CV52 ECU. What information would be needed from the DAMOS?

I've been able to work out the DTC table and the associated actions, and shortly I will know which fault codes occur when the engine begins to derate because the stand-still regeneration has not happened. Also I'm pretty sure I can identify the DPF sensor calibrations with some testing.

I've been looking through the TC1797 user manual, and found the 'Flash Memory Map'. This indicates that the Program Flash starts at 8000 0000H. I've attached an image of the relevant page. I'm confused as to where I enter this when importing my file into IDA Pro, is it the:

- 'Rom start address'
- 'Input file Loading address'
- Somewhere else?



Logged
prj
Hero Member
*****

Karma: +289/-29
Offline Offline

Posts: 3513


« Reply #3 on: March 06, 2018, 01:06:23 PM »

The answer is both, but...
What is your background? Do you have experience with assembler on any other platform? Maybe even x86?
Because if not, you might as well stop now, it'll take you 10 years to get there if ever.

Also you don't need damos for CV52, even though that's around probably.
Anything similar, with a similar system, the routines will be similar.

That said - I'll give you a medal if you even figure out the ADDRESSING done on this software.
If you think you'll load it in, press X and have an instant answer you're in for a big surprise.
« Last Edit: March 06, 2018, 01:08:41 PM by prj » Logged
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #4 on: March 07, 2018, 12:49:54 AM »

I don't have any experience with assembly language.  I expect what I'm wanting to do will be difficult and have a steep learning curve. I'm not going to stop trying yet! That's why I'm reaching out to others who are willing to point me in the right direction when I'm going the wrong way.

I do have a previous project I've worked on that used an EDC17CV41. I have an a2l file for this, but this particular engine did not have a DPF system, but relied only on Adblue.

I'll post back here once I've made some progress in IDA.

Logged
prj
Hero Member
*****

Karma: +289/-29
Offline Offline

Posts: 3513


« Reply #5 on: March 07, 2018, 02:37:39 AM »

My IDA tools thread has some useful python scripts for reverse engineering TriCore.

But yeah, find some EDC17CVxx that has a DPF system working with the same method as the one you are trying to disable.
There are different kinds, classic systems, external burners etc they all work differently. Last I worked on that ECU it was in a huge industrial loader with a Deutz engine and an external DPF burner.

If you don't have prior assembler knowledge, then as I said, this stuff takes years to learn and decades to master.
Logged
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #6 on: March 08, 2018, 08:55:43 PM »

Thanks, I've found the thread with your IDA python scripts and will look into that more.

The ECU software I'm wanting to do this on is from a Deutz engine also. Do you have an a2l file and hex for the one you worked on that you are willing to share?

I've been looking at an EDC17CV41 a2l and bin file I have. I'm finding some similarities in the memory segments between the CV41 and the CV52, even though they are software from different manufacturers. One thing that I find interesting is there are two sections of data in the CV52 that are exactly the same, and then there is a third section of data that is very similar, but not exactly the same as the other two sections.

Amazing how much time can be absorbed on something like this.


Logged
prj
Hero Member
*****

Karma: +289/-29
Offline Offline

Posts: 3513


« Reply #7 on: March 09, 2018, 12:46:05 PM »

1. I do not have hex or a2l. Even if I had, the price for these is four digits usually.
2. I did DPF disable in a different way - because the one I was working on had a DPF with separate injector / burner system, no post-injection. There was also no mandatory regeneration, so it was enough to disconnect the hardware and kill all error checking related to the DPF system. Was pretty laborous, but it worked and saved someone 10 grand. This is not 100% the "right" way of course, IF your ECU has a switch, it is possible to find it by finding some DPF routines and seeing if there is some sort of check at the very start, which bypasses the entire thing.
3. CV52 data - each segment is it's own data bank. It is possible to switch between them by altering coding.

As I told you before, these engines are fitted to (very expensive) industrial machines.
You need to go to basics and understand how DPF is regenerated. Is it an external system? Post-injection directly into the engine? No regeneration at all and DPF element replaceable/discardable after X hours? And so on.
Then - what happens if you don't do the mandatory DPF regeneration, etc.
As for the solution - there are more ways than one to skin a cat.

I can't help you any further. I don't even know what the engine is attached to and how regeneration is done.
You can try yourself, if you don't manage and it's something important for you, you can see if someone has a ready made solution, or you can hire someone to develop the solution for you.
The first of the latter options is a LOT cheaper, if their solution works. One off development is usually also a four digit affair.
« Last Edit: March 09, 2018, 12:49:09 PM by prj » Logged
neuro
Full Member
***

Karma: +21/-4
Offline Offline

Posts: 74


WWW
« Reply #8 on: March 09, 2018, 08:23:36 PM »

Post ori file here
Logged
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #9 on: March 13, 2018, 05:37:38 PM »

Hi prj,

1. Yes, a2l files can be pricey.
2. I've done DPF deletes in similar ways before, but unfortunately this one is more complex.
3. Thanks for the info.

The engine in this machine is a 6 litre deutz engine that does the standstill (active) DPF regeneration by flowing extra fuel through the standard common rail injectors, it does not have an extra injector into the exhaust system.

Yes, there are often other ways to skin a cat. The past few days I've been trying another method, but no success so far. As far as I'm aware there is not complete solution offered by anyone for this engine yet. Thanks for your help so far, I'll keep posting here so others or maybe your self are able to join in the discussion if you have something you want to add. Mainly I'm after help on using IDA pro to learn and explore about this ECU software.

Hi neuro,

Here is a link to the mpc file.

https://drive.google.com/open?id=1v5Z0FrxKdstWWwskuXB3qYXq7VtgdzhS

Thanks.


Logged
Vdoubleyou
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #10 on: March 13, 2018, 08:30:32 PM »

I've imported my file into IDA using the following settings:





I have no idea about the RAM start address or RAM size.

Looking at the file in WinOLS I'm thinking that the 'data' starts at 0x80200000, so I have selected everything forward of this and pressed 'c' for code.



IDA has then told me 'Undefine already existing code/data?' to which I have clicked Yes. IDA then spent the next few minutes analyzing and when finished, had identified some functions.

As mentioned earlier, I'm a beginner with IDA. If you notice anything so far that I've done incorrectly please feel free to let me know.



Logged
TiaGTC
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #11 on: May 10, 2019, 05:56:00 AM »

Hello,

I Have same problem with the same ECU on a LINDE H70D with Deutz Engine, after 8Hours of working the vehicle need a regeneration, anyone have solved this issue on EDC17CV52?
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.02 seconds with 17 queries. (Pretty URLs adds 0s, 0q)