Topic: ME7 CAN-Configuration
flamy
« on: March 07, 2019, 03:14:25 PM »

Good Evening Gents,

Did anyone ever try to find the CAN configuration in the binary of an ME7 (with C167)?

Referenced documents:

According to FR page 1632, a 6-cylinder ECU (in my case ME7.1 K-Box RS4) should send/receive the following messages:
Code:
ID Name DLC
0x280 Motor 1 8
0x288 Motor 2 8
0x380 Motor 3 8
0x480 Motor 5 8
0x488 Motor 6 8
0x588 Motor 7 8
0x580 Motor Flexia 8
0x440 Getriebe 1 8
0x540 Getriebe 2 8
0x1A0 Bremse 1 8
0x2C0 Allrad 1 5
0x320 Kombi 1 8
0x420 Kombi 2 8
0x520 Kombi 3 8
0x38A GRA_neu 4
0x362 ACC 1 8

UM page 18-5 tells that the CAN address area of 256 bytes is mapped into segment 0 (dpp: 3; located at 0xC000) and uses addresses 00'EF00h through 00'EFFFh, but I was not able to find that location.

So, I tried to find a configured message object (UM page 18-18) by its arbitration registers (UM page 18-21), based on the list of CAN messages above:
Code:
UARn: ID20...18 | ID17-13 | ID28-21
LARn: ID4...0 | 000 | ID12-5

Code:
0x280 (Motor 1)
=> 0b010 1000 0000 (standard 11-bit identifier)
=> 0b0 1010 0000 0000 0000 0000 0000 0000 (extended to 29-bit identifier)

=> UARn: 0b000|00000|01010000 = 0x0050
=> LARn: 0b00000|000|00000000 = 0x0000
Code:
0x288 (Motor 2)
=> 0b010 1000 1000 (standard 11-bit identifier)
=> 0b0 1010 0010 0000 0000 0000 0000 0000 (extended to 29-bit identifier)

=> UARn: 0b000|00000|01010001 = 0x0051
=> LARn: 0b00000|000|00000000 = 0x0000
Code:
0x380 (Motor 3)
=> 0b011 1000 0000 (standard 11-bit identifier)
=> 0b0 1110 0000 0000 0000 0000 0000 0000 (extended to 29-bit identifier)

=> UARn: 0b000|00000|01110000 = 0x0070
=> LARn: 0b00000|000|00000000 = 0x0000

Now, I was searching for the following byte sequences with IDA: "00 50 00 00", "00 51 00 00" and "00 70 00 00".
I hoped to find them within a range of 256 bytes, but that was also not the case.

First question: What am I missing?
Second question: Is anybody able to help me, or rather us, to locate the CAN configuration in an ME7 binary?

Best Regards,
Nils
« Last Edit: March 07, 2019, 08:08:40 PM by flamy »
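The bit shuffling in the derivation above, written out as an added Python example (not code from the thread): it places an 11-bit identifier in the 29-bit field the way the post does, packs UARn/LARn in the C167 layout quoted from the UM, inverts that mapping, and returns the byte image the two registers have in the C167's little-endian memory (function names are my own).

```python
def standard_to_extended(std_id):
    """Place an 11-bit standard identifier at the top of the 29-bit field, as the
    post does: ID28..18 = the 11-bit ID, ID17..0 = 0."""
    if not 0 <= std_id <= 0x7FF:
        raise ValueError("standard CAN identifiers are 11 bits")
    return std_id << 18


def bits(value, hi, lo):
    """Extract the bit field value[hi..lo], both ends inclusive."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def arbitration_regs(ext_id):
    """(UARn, LARn) in the C167 layout quoted in the post:
       UARn = ID20..18 | ID17..13 | ID28..21   (bits 15..13 | 12..8 | 7..0)
       LARn = ID4..0   | 000      | ID12..5    (bits 15..11 | 10..8 | 7..0)"""
    if not 0 <= ext_id < (1 << 29):
        raise ValueError("extended CAN identifiers are 29 bits")
    uar = (bits(ext_id, 20, 18) << 13) | (bits(ext_id, 17, 13) << 8) | bits(ext_id, 28, 21)
    lar = (bits(ext_id, 4, 0) << 11) | bits(ext_id, 12, 5)
    return uar, lar


def regs_to_id(uar, lar):
    """Inverse mapping: rebuild the 29-bit identifier from UARn/LARn."""
    return ((uar & 0xFF) << 21) | (bits(uar, 15, 13) << 18) | (bits(uar, 12, 8) << 13) \
        | ((lar & 0xFF) << 5) | bits(lar, 15, 11)


def memory_image(uar, lar):
    """The two 16-bit registers as bytes in the C167's little-endian memory, UARn at
    the lower address: the pattern a byte search over the binary would look for."""
    return bytes([uar & 0xFF, uar >> 8, lar & 0xFF, lar >> 8])


if __name__ == "__main__":
    for std_id in (0x280, 0x288, 0x380):            # Motor 1, Motor 2, Motor 3
        uar, lar = arbitration_regs(standard_to_extended(std_id))
        print(f"0x{std_id:03X}: UARn=0x{uar:04X} LARn=0x{lar:04X} "
              f"bytes={memory_image(uar, lar).hex(' ')}")
```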
fukenbroken
« Reply #1 on: March 07, 2019, 05:57:14 PM »

CW_CAN_R / CW_CAN_S ?
or what?
what is the aim of your research?

if you want to locate where the CAN params are received/transmitted, just look at the FR, find some rare variable and search cross refs in IDA; one of them is the CAN-bus operation, iirc a mov to 0xF826 or 0xF862 or something like this area

long story short, there is CAN header forming with the ID (some kind of mov r5, 0x288h <-- yay) and the message with variables next to it
woj
« Reply #2 on: March 08, 2019, 12:13:02 PM »

My ME7.9.10 is slightly different looking at your docs (or is it, I am not really sure); it's a newer-generation ST10 I guess, but I can see yours also has the 16 message objects. On my ECU they are configured once and for all in one initialisation function, and the IDs are given there. And it's indirect too, because there is a generic init function that takes the ID as its argument and then inside it the CAN registers are set. Because of this it also took me a considerable while to find where the CAN messages I wanted to know about are. It looks something like this, the init function for one message object (channel, I called it):

Code:
setup_CAN_channel_0C7CC2:
        flash_0C7CC2:[88,60]            mov     [-r0], r6
        flash_0C7CC4:[F0,3D]            mov     r3, r13
        flash_0C7CC6:[D4,20,08,00]      mov     r2, [r0+#$0008]
        flash_0C7CCA:[D4,D0,06,00]      mov     r13, [r0+#$0006]
        flash_0C7CCE:[F4,C0,02,00]      movb    rl6, [r0+#$0002]
        flash_0C7CD2:[D4,A0,0A,00]      mov     r10, [r0+#$000A]
        flash_0C7CD6:[46,FC,1F,00]      cmp     r12, #$001F
        flash_0C7CDA:[EA,E0,7A,7D]      jmpa    cc_UGT, loc_0C7D7A
loc_0C7CDE:
        flash_0C7CDE:[E1,42]            movb    rl1, #$4
loc_0C7CE0:
        flash_0C7CE0:[FF,31]            bset    iram_word_FD62.15
        flash_0C7CE2:[49,60]            cmpb    rl3, #0
        flash_0C7CE4:[3D,12]            jmpr    [cc_NZ,cc_NE], loc_0C7D0A
loc_0C7CE6:
        flash_0C7CE6:[F6,8E,14,EF]      mov     CAN1IF1M1_IF1_Mask_1, ZEROS
        flash_0C7CEA:[F0,4D]            mov     r4, r13
        flash_0C7CEC:[5C,24]            shl     r4, #2
        flash_0C7CEE:[66,F4,FC,1F]      and     r4, #0b0001111111111100
        flash_0C7CF2:[F6,F4,16,EF]      mov     CAN1IF1M2_IF1_Mask_2, r4
        flash_0C7CF6:[F6,8E,18,EF]      mov     CAN1IF1A1_IF1_Arbitration_1, ZEROS
        flash_0C7CFA:[F0,4E]            mov     r4, r14
        flash_0C7CFC:[5C,24]            shl     r4, #2
        flash_0C7CFE:[66,F4,FC,1F]      and     r4, #0b0001111111111100
        flash_0C7D02:[FF,F4]            bset    r4.15
        flash_0C7D04:[F6,F4,1A,EF]      mov     CAN1IF1A2_IF1_Arbitration_2, r4
        flash_0C7D08:[0D,17]            jmpr    cc_UC, loc_0C7D38
loc_0C7D0A:
        flash_0C7D0A:[49,61]            cmpb    rl3, #1
        flash_0C7D0C:[3D,35]            jmpr    [cc_NZ,cc_NE], loc_0C7D78
loc_0C7D0E:
        flash_0C7D0E:[F6,FD,14,EF]      mov     CAN1IF1M1_IF1_Mask_1, r13
        flash_0C7D12:[F0,4D]            mov     r4, r13
        flash_0C7D14:[F0,42]            mov     r4, r2
        flash_0C7D16:[E0,05]            mov     r5, #$0
        flash_0C7D18:[66,F4,FF,1F]      and     r4, #0b0001111111111111
        flash_0C7D1C:[FF,F4]            bset    r4.15
        flash_0C7D1E:[F6,F4,16,EF]      mov     CAN1IF1M2_IF1_Mask_2, r4
        flash_0C7D22:[F6,FE,18,EF]      mov     CAN1IF1A1_IF1_Arbitration_1, r14
        flash_0C7D26:[F0,4E]            mov     r4, r14
        flash_0C7D28:[F0,4F]            mov     r4, r15
        flash_0C7D2A:[E0,0B]            mov     r11, #$0
        flash_0C7D2C:[66,F4,FF,1F]      and     r4, #0b0001111111111111
        flash_0C7D30:[76,F4,00,C0]      or      r4, #0b1100000000000000
        flash_0C7D34:[F6,F4,1A,EF]      mov     CAN1IF1A2_IF1_Arbitration_2, r4
loc_0C7D38:
        flash_0C7D38:[49,C1]            cmpb    rl6, #1
        flash_0C7D3A:[ED,1E]            jmpr    cc_UGT, loc_0C7D78
loc_0C7D3C:
        flash_0C7D3C:[49,C1]            cmpb    rl6, #1
        flash_0C7D3E:[3D,08]            jmpr    [cc_NZ,cc_NE], loc_0C7D50
loc_0C7D40:
        flash_0C7D40:[E6,F4,00,40]      mov     r4, #$4000
        flash_0C7D44:[74,F4,16,EF]      or      CAN1IF1M2_IF1_Mask_2, r4
        flash_0C7D48:[E6,F4,00,20]      mov     r4, #$2000
        flash_0C7D4C:[74,F4,1A,EF]      or      CAN1IF1A2_IF1_Arbitration_2, r4
loc_0C7D50:
        flash_0C7D50:[F4,80,04,00]      movb    rl4, [r0+#$0004]
        flash_0C7D54:[47,F8,08,00]      cmpb    rl4, #$08
        flash_0C7D58:[ED,0F]            jmpr    cc_UGT, loc_0C7D78
loc_0C7D5A:
        flash_0C7D5A:[66,F4,0F,00]      and     r4, #0b0000000000001111
        flash_0C7D5E:[F6,F4,1C,EF]      mov     CAN1IF1MC_IF1_Message_Control, r4
        flash_0C7D62:[49,C0]            cmpb    rl6, #0
        flash_0C7D64:[3D,07]            jmpr    [cc_NZ,cc_NE], loc_0C7D74
loc_0C7D66:
        flash_0C7D66:[F0,42]            mov     r4, r2
        flash_0C7D68:[70,4D]            or      r4, r13
        flash_0C7D6A:[2D,04]            jmpr    [cc_Z,cc_EQ], loc_0C7D74
loc_0C7D6C:
        flash_0C7D6C:[E6,F4,00,10]      mov     r4, #$1000
        flash_0C7D70:[74,F4,1C,EF]      or      CAN1IF1MC_IF1_Message_Control, r4
loc_0C7D74:
        flash_0C7D74:[48,A1]            cmp     r10, #1
        flash_0C7D76:[BD,05]            jmpr    cc_SLE, loc_0C7D82
loc_0C7D78:
        flash_0C7D78:[FE,31]            bclr    iram_word_FD62.15
loc_0C7D7A:
        flash_0C7D7A:[E7,F8,FF,00]      movb    rl4, #$FF
        flash_0C7D7E:[EA,00,C0,7D]      jmpa    cc_UC, loc_0C7DC0
loc_0C7D82:
        flash_0C7D82:[48,A1]            cmp     r10, #1
        flash_0C7D84:[3D,04]            jmpr    [cc_NZ,cc_NE], loc_0C7D8E
loc_0C7D86:
        flash_0C7D86:[E6,F4,80,00]      mov     r4, #$0080
        flash_0C7D8A:[74,F4,1C,EF]      or      CAN1IF1MC_IF1_Message_Control, r4
loc_0C7D8E:
        flash_0C7D8E:[E6,F4,F0,00]      mov     r4, #$00F0
        flash_0C7D92:[F6,F4,12,EF]      mov     CAN1IF1CM_IF1_Command_Mask, r4
        flash_0C7D96:[EC,88]            push    PSW
        flash_0C7D98:[D1,30]            atomic  #4
        flash_0C7D9A:[76,88,00,F0]      or      PSW, #0b1111000000000000
        flash_0C7D9E:[62,88,18,E1]      and     PSW, xram1_word_E118
        flash_0C7DA2:[CC,00]            nop
        flash_0C7DA4:[9A,31,05,F0]      jnb     iram_word_FD62.15, loc_0C7DB2
loc_0C7DA8:
        flash_0C7DA8:[F0,1C]            mov     r1, r12
        flash_0C7DAA:[08,11]            add     r1, #1
        flash_0C7DAC:[F6,F1,10,EF]      mov     CAN1IF1CR_IF1_Command_Request, r1
        flash_0C7DB0:[E1,12]            movb    rl1, #$1
loc_0C7DB2:
        flash_0C7DB2:[FC,88]            pop     PSW
        flash_0C7DB4:[29,21]            subb    rl1, #1
        flash_0C7DB6:[49,20]            cmpb    rl1, #0
        flash_0C7DB8:[EA,E0,E0,7C]      jmpa    cc_UGT, loc_0C7CE0
loc_0C7DBC:
        flash_0C7DBC:[FE,31]            bclr    iram_word_FD62.15
        flash_0C7DBE:[E1,08]            movb    rl4, #$0
loc_0C7DC0:
        flash_0C7DC0:[98,60]            mov     r6, [r0+]
        flash_0C7DC2:[DB,00]            rets

And then it's called like this (r14/r15 are the extended CAN ID):

Code:
        ...
        flash_0C7EB0:[E6,FE,01,A0]      mov     r14, #$A001
        flash_0C7EB4:[E6,FF,20,00]      mov     r15, #$0020
        flash_0C7EB8:[DA,0C,C2,7C]      calls   setup_CAN_channel_0C7CC2

And then (skipping details) there are several places in the code where the data is copied to/from the buffer for the given channel / message object when sending / receiving.
phila_dot
« Reply #3 on: March 19, 2019, 10:35:01 AM »

Code:
mov     r12, #0
mov     r13, #280h
mov     r14, #1
mov     r15, #8

Parameters passed to the function - each ID is offset from EF10 exactly as outlined in the FR.

r12 - offset
r13 - ID
r14 - rx/tx
r15 - bytes
flamy
« Reply #4 on: March 29, 2019, 03:29:48 PM »

Hi,

Quote from: fukenbroken
what is the aim of your research?

Trying to figure out how it is possible to send some useful variables to the CAN.

Quote from: phila_dot
Code:
mov     r12, #0
mov     r13, #280h
mov     r14, #1
mov     r15, #8

Parameters passed to the function - each ID is offset from EF10 exactly as outlined in the FR.

r12 - offset
r13 - ID
r14 - rx/tx
r15 - bytes
Thanks a lot for your hint!

Found the patterns for:
- TX:
Code:
sub_828AAA:
mov     r12, #0
mov     r13, #280h
mov     r14, #1
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #1
mov     r13, #288h
mov     r14, #1
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #2
mov     r13, #380h
mov     r14, #1
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #4
mov     r13, #488h
mov     r14, #1
mov     r15, #8
calls   83h, sub_836CBE

- RX:
Code:
loc_828AF2:
mov     r12, #0Dh
mov     r13, #10h
mov     r14, #1
mov     r15, #6
calls   83h, sub_836CBE
mov     r12, #21Fh
mov     r13, #6
mov     r14, #1EFCh
calls   83h, loc_836D18+2
mov     r12, #5
mov     r13, #440h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #8
mov     r13, #1A0h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #6
mov     r13, #540h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #7
mov     r13, #420h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #9
mov     r13, #5E0h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #0Ah
mov     r13, #2C0h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #0Bh
mov     r13, #590h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE

Means:
Code:
MOB ID Name DLC DIR
0 0x280 Motor 1 8 TX
1 0x288 Motor 2 8 TX
2 0x380 Motor 3 8 TX
3 ----- --- - --
4 0x488 Motor 6 8 TX

5 0x440 Getriebe 1 8 RX
6 0x540 Getriebe 2 8 RX
7 0x420 Kombi 2 8 RX
8 0x1A0 Bremse 1 8 RX
9 ----- --- - --
A 0x2C0 Allrad 1 8 RX
B 0x590 Niveau 1 8 RX
C ----- --- - --
D 0x010 ??? 6 RX
E ----- --- - --

Kind Regards
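The pattern found above, turned into an added Python example that is not part of the thread: it walks an IDA listing like the TX/RX blocks quoted in this post, collects the r12..r15 immediates before each call to sub_836CBE and emits one (MOB, ID, direction, DLC) row per call, using the register convention phila_dot gave (r12 offset, r13 ID, r14 rx/tx, r15 bytes). Calls to any other target, such as the loc_836D18+2 call in the RX block, are skipped; the sample listing is constructed from the lines quoted above.

```python
import re

INIT_FUNC = "sub_836CBE"   # message-object init routine named in this thread
MOV_RE = re.compile(r"^\s*mov\s+(r1[2-5])\s*,\s*#(\w+)\s*$")
CALL_RE = re.compile(r"^\s*calls\s+\w+\s*,\s*(\S+)\s*$")

def parse_imm(text):
    """IDA immediates: a trailing 'h' means hex ('280h', '0Dh'), else decimal."""
    return int(text[:-1], 16) if text.endswith("h") else int(text, 10)

def parse_mob_table(asm):
    """Return [(mob, can_id, direction, dlc)] for each r12..r15 call to INIT_FUNC;
    direction follows phila_dot's convention (r14 = 1 -> TX, 0 -> RX)."""
    rows, regs = [], {}
    for line in asm.splitlines():
        m, c = MOV_RE.match(line), CALL_RE.match(line)
        if m:
            regs[m.group(1)] = parse_imm(m.group(2))
        elif c:
            # Only INIT_FUNC takes r12..r15; a call to anything else (like the
            # loc_836D18+2 call in the RX listing) discards the collected arguments.
            if c.group(1) == INIT_FUNC and len(regs) == 4:
                rows.append((regs["r12"], regs["r13"],
                             "TX" if regs["r14"] else "RX", regs["r15"]))
            regs = {}
    return rows

# Constructed sample: the first TX call and the start of the RX block quoted above.
SAMPLE = """\
mov     r12, #0
mov     r13, #280h
mov     r14, #1
mov     r15, #8
calls   83h, sub_836CBE
mov     r12, #21Fh
mov     r13, #6
mov     r14, #1EFCh
calls   83h, loc_836D18+2
mov     r12, #5
mov     r13, #440h
mov     r14, #0
mov     r15, #8
calls   83h, sub_836CBE
"""

if __name__ == "__main__":
    for mob, can_id, direction, dlc in parse_mob_table(SAMPLE):
        print(f"{mob:X} 0x{can_id:03X} {dlc} {direction}")
```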
jochen_145
« Reply #5 on: March 31, 2019, 05:16:53 AM »


Quote from: flamy
Code:
MOB ID Name DLC DIR
0 0x280 Motor 1 8 TX
1 0x288 Motor 2 8 TX
2 0x380 Motor 3 8 TX
3 ----- --- - --
4 0x488 Motor 6 8 TX

5 0x440 Getriebe 1 8 RX
6 0x540 Getriebe 2 8 RX
7 0x420 Kombi 2 8 RX
8 0x1A0 Bremse 1 8 RX
9 ----- --- - --
A 0x2C0 Allrad 1 8 RX
B 0x590 Niveau 1 8 RX
C ----- --- - --
D 0x010 ??? 6 RX
E ----- --- - --

0x010 is used for the IMMO request of the Kombi.

Do you think you are able to enable the Motor 7 (0x588) message?
AFAIK all CAN messages can only be activated via hardcoding the software.
fukenbroken
« Reply #6 on: March 31, 2019, 10:06:41 AM »

No, you cannot change 588 without tons of useless work.
There are a few unused bytes in the existing msgs, and you can use them as a sub-protocol, using the first byte as id and the second as data and looping them.