BlackT
« Reply #75 on: March 02, 2023, 12:53:02 AM »
Thank you, that is really helpful

BlackT
« Reply #76 on: September 14, 2023, 01:52:15 PM »
EDIT: solved, I see I move R4 to byte. But let it stay for other users if someone makes this silly mistake.

I am trying to make rolling LC, and I have a problem with this code section:

ROM:008C0030 9A 29 21 F0 jnb word_FD52.15, loc_8C0076
ROM:008C0034 9A 6D 08 40 jnb word_FDDA.4, loc_8C0048
ROM:008C0038 4E 6D bclr word_FDDA.4
ROM:008C003A 4E 6D bclr word_FDDA.4
ROM:008C003C F2 F4 9E F8 mov r4, nmot_w
ROM:008C0040 F6 F4 DB F8 mov byte_F8DB, r4
ROM:008C0044 CC 00 nop
ROM:008C0046 0D 1A jmpr cc_UC, loc_8C007C
ROM:008C0048 ; ---------------------------------------------------------------------------
ROM:008C0048
ROM:008C0048 loc_8C0048: ; CODE XREF: sub_8BFEF8+13C↑j
ROM:008C0048 F2 F4 9E F8 mov r4, nmot_w
ROM:008C004C CC 00 nop
ROM:008C004E CC 00 nop
ROM:008C0050 F2 F9 DB F8 mov r9, byte_F8DB
ROM:008C0054 40 49 cmp r4, r9
ROM:008C0056 FD 12 jmpr cc_ULE, loc_8C007C
ROM:008C0058 CC 00 nop
ROM:008C005A F2 F4 98 9E mov r4, vfil_w
ROM:008C005E D7 00 81 00 exts #81h, #1
ROM:008C0062 F2 F9 D8 7E mov r9, word_817ED8
ROM:008C0066 40 49 cmp r4, r9
ROM:008C0068 FD 09 jmpr cc_ULE, loc_8C007C
ROM:008C006A 6F 6D bset word_FDDA.6
ROM:008C006C F7 8E B6 8C movb tsrldyn, ZEROS
ROM:008C0070 CC 00 nop
ROM:008C0072 CC 00 nop
ROM:008C0074 0D 03 jmpr cc_UC, loc_8C007C
ROM:008C0076 ; ---------------------------------------------------------------------------
ROM:008C0076
ROM:008C0076 loc_8C0076: ; CODE XREF: sub_8BFEF8:loc_8C0030↑j
ROM:008C0076 CC 00 nop
ROM:008C0078 6E 6D bclr word_FDDA.6
ROM:008C007A 4F 6D bset word_FDDA.4
ROM:008C007C
ROM:008C007C loc_8C007C: ; CODE XREF: sub_8BFEF8+14E↑j
ROM:008C007C ; sub_8BFEF8+15E↑j ...
ROM:008C007C FA 8B E4 FF jmps 8Bh, loc_8BFFE4

I get the EPC light and the car shuts down.
FDDA and FDDB variables are free, as far as I managed to see. Maybe this is the problem?

ROM:008C003C F2 F4 9E F8 mov r4, nmot_w
ROM:008C0040 F6 F4 DB F8 mov byte_F8DB, r4

Is this okay to do?
« Last Edit: September 14, 2023, 01:54:00 PM by BlackT »

BlackT
« Reply #77 on: September 24, 2023, 03:25:31 AM »
Can someone explain to me what this is with this function with zwout? Does this mean that zwout is stored in the stack in four places?

fknbrkn
Hero Member
Karma: +207/-24
Offline
Posts: 1494
mk4 1.8T AUM
« Reply #78 on: September 24, 2023, 06:46:13 AM »
For each cylinder

BlackT
« Reply #79 on: November 23, 2023, 04:10:57 PM »
In this file the KFZW load axis should be at 0x132E6, and the table looks like it, but when I change those load values nothing happens? It always follows the same load. Let's say 40% is the original load in the 3rd column. If I multiply the whole load table by 2, the ECU still gets that value from the 3rd column when load is 40%.

BlackT
« Reply #80 on: December 09, 2024, 07:45:09 AM »
Let's say at 06A906032HS SW: 1037363908
FPWDKAPP is at 0x14F72
How to find that in IDA?

fknbrkn
« Reply #81 on: December 09, 2024, 10:15:31 AM »
> Let's say at 06A906032HS SW: 1037363908
> FPWDKAPP is at 0x14F72
> How to find that in IDA?

There are few guides at new about map location.
Check axis size before map axis. Easiest way, if it's cross-referenced: try to search '4F72' as map start, or similar for the axis size offset before the map. It should look like 'mov r12, #4F72h', or r4, r5.
If both ways do not give you any results, check the FR for the program flow. If it generates some variable or 1x1 map nearby, trace where it is written. In this case WKDSAPP / WDKSOFS easily gets you to the right place.

Blazius
« Reply #82 on: December 09, 2024, 04:39:37 PM »
> Let's say at 06A906032HS SW: 1037363908
> FPWDKAPP is at 0x14F72
> How to find that in IDA?

First, you should check what kind of map it is, 2D or 3D, as the function will differ. FPWDKAPP being a 2D map, it will use a 2D lookup, which generally uses an offset, page number, and the value for the axis. The offset is the start of the map where it actually sets the size, not the start of the values of the axis itself. In this case, or rather on the C167 based hardware or code, the lookup only contains the offset and the axis value, in this case wped_w, because the page is default at 204. For example in M box, FPWDKAPP is at 813EB6, or rather 813ED8 if going only by the values and WinOLS representation. The offset is 3EB6 hex, the page is default 204, which means 4000*204 = 810000, and the axis is wped_w. 810000 + 3EB6 = 813EB6
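
The address arithmetic from the two replies above, as an added example (not part of either post and not code from any ECU tool): it turns a file offset into the 16-bit value a C167 lookup loads, then scans a binary for `mov Rn, #imm16`. Assumptions: file offset 0 is mapped at 0x800000, DPP1 holds 0x205, and the sample image is constructed.

```python
"""Locate C167 'mov Rn, #imm16' instructions that load a map's 16-bit address."""
import struct

PAGE_SIZE = 0x4000        # C167 data page size (the "4000" in the post above)
FLASH_BASE = 0x800000     # assumption: file offset 0 is mapped at 0x800000
# DPP0 = 0x204 is the "default page" from the post; DPP1 = 0x205 is an assumption.
DPP = {0: 0x204, 1: 0x205}

def to_physical(addr16, dpp=DPP):
    """Bits 15..14 select the DPP register, bits 13..0 are the page offset."""
    return dpp[addr16 >> 14] * PAGE_SIZE + (addr16 & 0x3FFF)

def to_addr16(physical, dpp=DPP):
    """Inverse mapping; None when no configured DPP covers the address."""
    page, offset = divmod(physical, PAGE_SIZE)
    for sel, value in dpp.items():
        if value == page:
            return (sel << 14) | offset
    return None

def find_mov_imm16(image, imm16):
    """Yield (file_offset, register) for each 'mov Rn, #imm16' (E6 Fn lo hi)."""
    lo, hi = struct.pack("<H", imm16)
    for off in range(0, len(image) - 3, 2):      # instructions are word aligned
        op, reg, b2, b3 = image[off:off + 4]
        if op == 0xE6 and reg & 0xF0 == 0xF0 and (b2, b3) == (lo, hi):
            yield off, reg & 0x0F

def xrefs_for_file_offset(image, file_offset):
    """File offset of a map -> list of candidate loads of its 16-bit address."""
    addr16 = to_addr16(FLASH_BASE + file_offset)
    return [] if addr16 is None else list(find_mov_imm16(image, addr16))

def demo_image():
    """Constructed 64-byte sample, not taken from any real ECU file."""
    image = bytearray(b"\xCC\x00" * 32)            # nop padding
    image[0x10:0x14] = bytes.fromhex("E6FC724F")   # mov r12, #4F72h
    image[0x21:0x25] = bytes.fromhex("E6F4724F")   # odd offset: not an instruction
    image[0x30:0x34] = bytes.fromhex("E6F4B63E")   # mov r4, #3EB6h
    return bytes(image)

if __name__ == "__main__":
    for off, reg in xrefs_for_file_offset(demo_image(), 0x14F72):
        print(f"file 0x{off:05X}: mov r{reg}, #4F72h")
```

A hit is only a candidate: the same four bytes can occur in data, so confirm each one in the disassembly before relying on it.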

BlackT
« Reply #83 on: January 24, 2025, 02:47:40 AM »
Thank you guys for the explanation, everything is clear now.
Next I will try to make my own 2D map

BlackT
« Reply #84 on: February 25, 2025, 02:54:32 AM »
How can I determine which map is used for coding?
Let's say 8E0909518 AL 005 has 5 maps for FKSTT
There is a variable
vkGetriebe3
ECU_ADDRESS 0xFA37
But I don't understand a thing about this

fknbrkn
« Reply #85 on: February 25, 2025, 08:54:14 AM »
It's getriebe codierung.
You can fill them flat with different values and log the produced value to be sure

BlackT
« Reply #86 on: March 03, 2025, 07:05:11 AM »
I am still not sure I am at this level to understand this. Simply can't find where FKSTT is in IDA. I will leave that for some next time.
Now I have another task to overcome. I want to make a simple counter: when the ECU is powered up, the counter starts to count.
Let's say I want to use the 386004 variable. The problem is that every time I start the ECU it has a different value. So I need to make some function to do variable initialization, but if there something in ECU already? Is there any function that is only run once so I can set that variable to 0?

fknbrkn
« Reply #87 on: March 04, 2025, 01:50:17 PM »
> but if there something in ECU already?

Sure, if it's non FF or 00, use another one. 387Fxx usually free.
ME7 memory is powered constantly, so you've got to reset the counter. b_kl15 is true when ignition is on.
What's the goal behind this?

BlackT
« Reply #88 on: March 05, 2025, 01:58:32 PM »
> Sure, if it's non FF or 00, use another one. 387Fxx usually free

387Fxx are also some random values. I was asking whether there is a function in ME7 that runs only once at startup, so I can set my variables to zero. Or I can read some timer value maybe?
The goal is to activate some things like fuel pump, fans and so on for a few seconds every time the ignition is on. I was planning to use the fuel pump variable but it does not start at every ignition. And the function for the fuel pump is crazy big and complicated. I have the A2L but it is still hard to trace how to start it every time.
One more question: I make my functions in the tsrldyn routine (the one that the LC script uses before ub). Is there some limit on the size of function I can put there? Because once I got a MIL light and an ECU reset after 6500 RPM, but I am not sure whether I messed something up or I have put too much stuff in this routine.

BlackT
« Reply #89 on: March 25, 2025, 01:53:50 AM »
How much time does it take to jump into some function, or, better question, how much resource does it take from the C167?
I only found this:
the C167CR operates in slave mode and executes a loop out of external memory which fits completely into the jump cache (e.g. JB bitaddr, $) its BREQ output may toggle (period = 2 CPU clock cycles). BREQ is activated by the prefetcher that wants to read the next sequential instruction. BREQ is then deactivated, because the target of the taken jump is found in the jump cache. A loop of a minimum length of 3 words avoids this.
And also useful info:
A 32-bit/16-bit division takes 20 CPU clock cycles, a 16-bit × 16-bit multiplication takes 10 CPU clock cycles