Pages: 1 2 [3] 4 5 6
Author Topic: LC/NLS ASM help  (Read 33249 times)
fknbrkn
Hero Member
*****

Karma: +186/-24
Offline Offline

Posts: 1455


mk4 1.8T AUM


« Reply #30 on: December 14, 2019, 02:38:40 PM »

Real men write straight hex on c167  Grin

ive done once some routine with customer (it guy) on the back
and i just write some hook like an DA 8B 00 10 etc in hex editor (rare file, one-time job) and hes like wtf
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #31 on: December 16, 2019, 02:23:57 PM »

You cannot learn about asm wo dissasembled flash code
As for the ignition personally im using another hook for my brakeboost routine. Just right above ZWGRU calculation
c167 super friendly for begginers, just replace some code with calls to your routine, do your thing, keep in mind about registers if they has been write above your code and read after, do the code that you replaced with calls and then rets
get ida, load original file and the same with implemented als/nls and youve see what im talkin bout
oh common, get the masterj me7 tuning wizard excel sheet from 2007
Thank you for your help, I will try to get some progress now
Logged
armaan
Full Member
***

Karma: +6/-15
Offline Offline

Posts: 97



« Reply #32 on: February 02, 2020, 03:29:40 PM »

Hi all, hope you all are well. Smiley

Followed the instructions for 2Step LC in the attached document (Except for NLS, only for 2Step).
Didn't move code (the addresses Setzi originally used are different from the ones I used, but I think I applied the principle correctly, especially the part for DA (calls) & used Setzi's standard example which is:

"A6 01 50 46 0A 00 F0 55 E6 FF FF FF FF FF FF FF" atleast, according to the Document.
Definitely DID NOT use Eduu's 2StepScript. Checksummed one file with MTX's ME7-2002 plugin for TunerPro RT V5 & the other with ME7Sum.

So far, ME7Sum has been working for all my Map files, but I'm not so certain it would work on this one since I had to toy around with Hex addresses which brings me to my question:

Have I implemented 2Step correctly and which checksummed file should I test flash onto my Polo GTI 9n3?

Here's the full log of ME7Sum:

Code:
Attempting to open firmware file 'image.bin'

 Step #1: Reading ROM info ..
 Searching for EPK signature...OK
 Searching for ECUID table...OK
 EPK         : '39/1/ME7.5/3/X505R//24C/SP24C91/270705/'
 Part Number : '06A906032TL '
 Engine ID   : '1.8l R4/5VT     '
 SW Version  : '0040'
 HW Number   : '0261208950'
 SW Number   : '1037378104'

Step #2: Reading ROMSYS ..
 Startup section: word[0x008000]+word[0x00FFFE]
 @08038 Add=0x000106FF CalcAdd=0x000106FF  ADD OK
 All param page: word[0x010000]+word[0x01FFFE]
 @01bf98 Add=0x00971D CalcAdd=0x00971D  ADD OK

Step #3: Reading RSA signatures ..
 Searching for RSA offset #0...OK
 Searching for RSA offset #1...OK
         Signature: @95b78-95bf8
           Modulus: @16a22-16aa2
          Exponent: @16aa2 = 3
 Searching for MD5 ranges...OK
 MD5 Block Offset Table @169fe [32 bytes]:
 1) 0x00010002-0x00013FFE
 2) 0x00014252-0x00017F4E
 3) 0x00018192-0x0001FBDC
 4) 0x00026A00-0x0002FFFC
 EncrMD5: cf d7 85 02 3c 13 57 97 f2 e0 b4 72 5f 4a a4 87
 CalcMD5: d7 5e a0 ec 5b 52 27 06 0d 88 2f be b0 2d 53 6b
 ** FIXED **

Step #4: Finding CRC table(s) ..
 Searching for CRC table(s)...OK
 CRC table(s) OK

Step #5: Reading Main Data Checksums ..
 Searching for main data CRC pre block...missing
 Searching for main data CRC/csum blocks...OK
 Searching for main data CRC offsets...missing
 Searching for main data checksum offsets...OK
 Main Checksums:
 1) 0x010002-0x013FFE CalcCSM: 001398C5
 2) 0x014252-0x017F4E CalcCSM: 0026055E
 3) 0x018192-0x01FBDC CalcCSM: 00441514
 4) 0x026A00-0x02FFFC CalcCSM: 00BFEF41
 @8ffb6 CSM: 00BFE857 CalcCSM: 00BFEF41 ** FIXED **

Step #6: ROMSYS Program Pages
 Program pages: 8k page first+last in 0x0000-0xFFFF and 0x20000-0xFFFFF
 @00803c Add=0xA19B73 CalcAdd=0xA19B73  ADD OK

Step #7: Reading Main Program Checksums ..
 Searching for main program checksum..OK
 ROM Checksum Block Offset Table @1fb72 [16 bytes]:
 1) 0x000000-0x00FBFF CalcChk: 48D09FE4
    0x00FC00-0x01FFFF CalcChk: 20D987EB CalcCRC: CB1C2009 SKIPPED
 2) 0x020000-0x0FFFFF CalcChk: 2B10DB2A
 @fffe0 Chk: 2B08E592 CalcChk: 2B10DB2A ** FIXED **

Step #8: Reading Multipoint Checksum Blocks ..
 Searching for multipoint block descriptor #1...missing
 Searching for multipoint block descriptor #2...OK
 1) <1fbde>  0x000000-0x003FFF Chk: 0FA0F5CF Boot: (whitelisted) OK
 2) <1fbee>  0x004000-0x007FFF Chk: 0F4716B3 Boot: (whitelisted) OK
 3) <1fbfe>  0x000000-0x003FFF Chk: 0FA0F5CF CalcChk: 0FA0F5CF OK
 ..........
64) <1ffce>  0x0F4000-0x0F7FFF Chk: 1FFFE000 CalcChk: 1FFFE000 OK
65) <1ffde>  0x0F8000-0x0FBFFF Chk: 1FFFE000 CalcChk: 1FFFE000 OK
66) <1ffee>  0x0FC000-0x0FFFFF Chk: 1FFDE002 CalcChk: 1FFDE002 OK
 Multipoint #2: [66 blocks x <16> = 1056 bytes]

Step #9: Looking for rechecks ..
    <1fc6e>  0x01C000-0x01FFFF Chk: 062978B8 CalcChk: 062978B8 OK (recheck)

*** Found 70 checksums in image.bin

Attempting to output corrected firmware file 'out.bin'
þ Opening 'out.bin' file for writing
þ Writing to file
þ Validating size correct 1048576=1048576
þ All OK, closing file

*** DONE! 5/5 error(s) in image.bin corrected in out.bin! ***

The document I used is this one: ME7.x_LC_NLS_rev003.pdf  (Shows Setzis method)
Doesnt seem to want to upload, but I got it off this forum.
Logged

It is indeed a difference of perception that brings about our and others reality.
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #33 on: August 10, 2020, 08:03:57 AM »

Can someone check, did i forget something?

my plan is to translate this to ASM
Code:
f (B_kuppl && vfil_w < SpeedThreshold && nmot_w > LaunchRPM)
  {
    tsrldyn = 0;                // Interrupt ignition
    return;
  }


Code:
9A 26 13 60 F2 F4 00 9E D7 00 81 00 F2 F9 D0 7E 40 49 9D 0B F2 F4 9E F8 D7 00 81 00 F2 F9 D2 7E 40 49 FD 03 F7 8E EC 8B 0D 02 D7 00 38 00 F6 8E 00 60 F3 F8 B3 89 DB 00



Code:

00000000 9A261360  JNB      0xFD4C.6,0x00002A          
00000004 F2F4009E  MOV      R4,DPP2:0x1E00              
00000008 D7008100  EXTS     #0x0081,#1
0000000C F2F9D07E  MOV      R9,DPP1:0x3ED0
00000010 4049      CMP      R4,R9
00000012 9D0B      JMPR     CC_NC,0x00002A
00000014 F2F49EF8  MOV      R4,DPP3:0x389E
00000018 D7008100  EXTS     #0x0081,#1
0000001C F2F9D27E  MOV      R9,DPP1:0x3ED2
00000020 4049      CMP      R4,R9
00000022 FD03      JMPR     CC_ULE,0x00002A
00000024 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
00000028 0D02      JMPR     CC_UC,0x00002E
0000002A D7003800  EXTS     #0x0038,#1
0000002E F68E0060  MOV      DPP1:0x2000,ZEROS
00000032 F3F8B389  MOVB     RL4,DPP2:0x09B3
00000036 DB00      RETS    

Edit: I tryed and it is working Grin



« Last Edit: August 10, 2020, 08:46:38 AM by BlackT » Logged
bamofo
Sr. Member
****

Karma: +34/-3
Offline Offline

Posts: 420


« Reply #34 on: August 10, 2020, 09:27:01 AM »

Can someone check, did i forget something?

my plan is to translate this to ASM
Code:
f (B_kuppl && vfil_w < SpeedThreshold && nmot_w > LaunchRPM)
  {
    tsrldyn = 0;                // Interrupt ignition
    return;
  }


Code:
9A 26 13 60 F2 F4 00 9E D7 00 81 00 F2 F9 D0 7E 40 49 9D 0B F2 F4 9E F8 D7 00 81 00 F2 F9 D2 7E 40 49 FD 03 F7 8E EC 8B 0D 02 D7 00 38 00 F6 8E 00 60 F3 F8 B3 89 DB 00



Code:

00000000 9A261360  JNB      0xFD4C.6,0x00002A          
00000004 F2F4009E  MOV      R4,DPP2:0x1E00              
00000008 D7008100  EXTS     #0x0081,#1
0000000C F2F9D07E  MOV      R9,DPP1:0x3ED0
00000010 4049      CMP      R4,R9
00000012 9D0B      JMPR     CC_NC,0x00002A
00000014 F2F49EF8  MOV      R4,DPP3:0x389E
00000018 D7008100  EXTS     #0x0081,#1
0000001C F2F9D27E  MOV      R9,DPP1:0x3ED2
00000020 4049      CMP      R4,R9
00000022 FD03      JMPR     CC_ULE,0x00002A
00000024 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
00000028 0D02      JMPR     CC_UC,0x00002E
0000002A D7003800  EXTS     #0x0038,#1
0000002E F68E0060  MOV      DPP1:0x2000,ZEROS
00000032 F3F8B389  MOVB     RL4,DPP2:0x09B3
00000036 DB00      RETS    

Edit: I tryed and it is working Grin





so you got it working or no?
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #35 on: August 10, 2020, 09:40:05 AM »

Yes is working  Grin, next step is to retard ignition...
Logged
bamofo
Sr. Member
****

Karma: +34/-3
Offline Offline

Posts: 420


« Reply #36 on: August 10, 2020, 10:36:10 AM »

Yes is working  Grin, next step is to retard ignition...

You should really add in some flags there that you can use to say "when" to retard ignition. then you wont have to do all that magic in one piece of code.
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #37 on: September 25, 2020, 12:05:32 AM »

You should really add in some flags there that you can use to say "when" to retard ignition. then you wont have to do all that magic in one piece of code.
Yes, that will be a easy part
Hard part for me, would be to find in flash ZWGRU calculation
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #38 on: June 16, 2021, 02:12:32 AM »

Can someone please explain me (With example) what EXTS function does

Code:
The extension instructions EXTP, EXTPR, EXTS, and EXTSR override the standard
DPP addressing scheme, using immediate addresses instead.

what is difference between  EXTS     #0x0081,#1   and EXTS     #0x0038,#1  ?



Code:
00000000 9A261360  JNB      0xFD4C.6,0x00002A
00000004 F2F4009E  MOV      R4,DPP2:0x1E00
00000008 D7008100  EXTS     #0x0081,#1
0000000C F2F9D07E  MOV      R9,DPP1:0x3ED0
00000010 4049      CMP      R4,R9
00000012 9D0B      JMPR     CC_NC,0x00002A
00000014 F2F49EF8  MOV      R4,DPP3:0x389E
00000018 D7008100  EXTS     #0x0081,#1
0000001C F2F9D27E  MOV      R9,DPP1:0x3ED2
00000020 4049      CMP      R4,R9
00000022 FD03      JMPR     CC_ULE,0x00002A
00000024 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
00000028 0D2F      JMPR     CC_UC,0x000088
0000002A 9A262960  JNB      0xFD4C.6,0x000080
0000002E 8A262220  JB       0xFD4C.2,0x000076
00000032 F2F49EF8  MOV      R4,DPP3:0x389E
00000036 D7008100  EXTS     #0x0081,#1
0000003A F2F9D67E  MOV      R9,DPP1:0x3ED6
0000003E 4049      CMP      R4,R9
00000040 FD1A      JMPR     CC_ULE,0x000076
00000042 C2F4C789  MOVBZ    R4,DPP2:0x09C7
00000046 D7008100  EXTS     #0x0081,#1
0000004A C2F9D87E  MOVBZ    R9,DPP1:0x3ED8
0000004E 4049      CMP      R4,R9
00000050 FD12      JMPR     CC_ULE,0x000076
00000052 D7003800  EXTS     #0x0038,#1
00000056 F2F40060  MOV      R4,DPP1:0x2000
0000005A D7008100  EXTS     #0x0081,#1
0000005E F2F9D47E  MOV      R9,DPP1:0x3ED4
00000062 4049      CMP      R4,R9
00000064 9D11      JMPR     CC_NC,0x000088
00000066 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
0000006A 0841      ADD      R4,#1
0000006C D7003800  EXTS     #0x0038,#1
00000070 F7F80060  MOVB     DPP1:0x2000,RL4
00000074 0D09      JMPR     CC_UC,0x000088
00000076 D7003800  EXTS     #0x0038,#1
0000007A F68F0060  MOV      DPP1:0x2000,ONES
0000007E 0D04      JMPR     CC_UC,0x000088
00000080 D7003800  EXTS     #0x0038,#1
00000084 F68E0060  MOV      DPP1:0x2000,ZEROS
00000088 F3F8B389  MOVB     RL4,DPP2:0x09B3
0000008C DB00      RETS     


also this
CC_UC    Unconditional
CC_NC No Carry



Thank you in advance
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1282



« Reply #39 on: June 16, 2021, 05:47:07 AM »

Can someone please explain me (With example) what EXTS function does

Code:
The extension instructions EXTP, EXTPR, EXTS, and EXTSR override the standard
DPP addressing scheme, using immediate addresses instead.

what is difference between  EXTS     #0x0081,#1   and EXTS     #0x0038,#1  ?



Code:
00000000 9A261360  JNB      0xFD4C.6,0x00002A
00000004 F2F4009E  MOV      R4,DPP2:0x1E00
00000008 D7008100  EXTS     #0x0081,#1
0000000C F2F9D07E  MOV      R9,DPP1:0x3ED0
00000010 4049      CMP      R4,R9
00000012 9D0B      JMPR     CC_NC,0x00002A
00000014 F2F49EF8  MOV      R4,DPP3:0x389E
00000018 D7008100  EXTS     #0x0081,#1
0000001C F2F9D27E  MOV      R9,DPP1:0x3ED2
00000020 4049      CMP      R4,R9
00000022 FD03      JMPR     CC_ULE,0x00002A
00000024 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
00000028 0D2F      JMPR     CC_UC,0x000088
0000002A 9A262960  JNB      0xFD4C.6,0x000080
0000002E 8A262220  JB       0xFD4C.2,0x000076
00000032 F2F49EF8  MOV      R4,DPP3:0x389E
00000036 D7008100  EXTS     #0x0081,#1
0000003A F2F9D67E  MOV      R9,DPP1:0x3ED6
0000003E 4049      CMP      R4,R9
00000040 FD1A      JMPR     CC_ULE,0x000076
00000042 C2F4C789  MOVBZ    R4,DPP2:0x09C7
00000046 D7008100  EXTS     #0x0081,#1
0000004A C2F9D87E  MOVBZ    R9,DPP1:0x3ED8
0000004E 4049      CMP      R4,R9
00000050 FD12      JMPR     CC_ULE,0x000076
00000052 D7003800  EXTS     #0x0038,#1
00000056 F2F40060  MOV      R4,DPP1:0x2000
0000005A D7008100  EXTS     #0x0081,#1
0000005E F2F9D47E  MOV      R9,DPP1:0x3ED4
00000062 4049      CMP      R4,R9
00000064 9D11      JMPR     CC_NC,0x000088
00000066 F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS
0000006A 0841      ADD      R4,#1
0000006C D7003800  EXTS     #0x0038,#1
00000070 F7F80060  MOVB     DPP1:0x2000,RL4
00000074 0D09      JMPR     CC_UC,0x000088
00000076 D7003800  EXTS     #0x0038,#1
0000007A F68F0060  MOV      DPP1:0x2000,ONES
0000007E 0D04      JMPR     CC_UC,0x000088
00000080 D7003800  EXTS     #0x0038,#1
00000084 F68E0060  MOV      DPP1:0x2000,ZEROS
00000088 F3F8B389  MOVB     RL4,DPP2:0x09B3
0000008C DB00      RETS     


also this
CC_UC    Unconditional
CC_NC No Carry



Thank you in advance


Everything is described in the instruction set manual, EXT functions do exactly what they say, they override the standart c167 dpp adressing scheme for a certain amount of commands, thats what the number after represents.

Take a look at prjs recent boost controller release:

ps_w_prev_1 EQU 04310h
ps_w_prev_2 EQU 04312h
ps_w_prev_3 EQU 04314h

These variables and their locations are defined here. Now if you take a look at the code:

MOV R4, ps_w
EXTS #38h, #4
MOV ps_w_prev, R4
MOV ps_w_prev_1, R4
MOV ps_w_prev_2, R4
MOV ps_w_prev_3, R4

EXTS tells that you gonna override the standart adressing for 4 commands. In this case exts 38 hex means RAM access basically. ps_w is moved into R4 and then it is used to set/store ps_w_prev values for the controller.

CC flags are used to create conditional jumps and such,each command sets the cc flags differently:

MOV R4, fixdcflag
JMP CC_z, standard

This is used to determine if the controller is gonna run on fix DC or PID mode.
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #40 on: June 18, 2021, 12:59:00 AM »

Thank You  Smiley Smiley  Wink


DDP1 ROM
DDP2  RAM
DPP3 Fast RAM


Code:

9A261360  JNB      0xFD4C.6,0x00002A                              // if 0x00FD4C 0x0040(clutch condition adress) is different from zero, go to next instruction
F2F4009E  MOV      R4,DPP2:0x1E00                                  // move 0x381E00 (V-fill or kmh value) to R4
D7008100  EXTS     #0x0081,#1                                       //   
F2F9D07E  MOV      R9,DPP1:0x3ED0                                // move 0x17ED0 (my threshold km/h) to R9

This part I don't understand, why before coping 0x1E00 to R4 there is no EXTS function before? Why it is when copying 0x3ED0 to R9 there is?


4049      CMP      R4,R9                                                    //compare
9D0B      JMPR     CC_NC,0x00002A                                  //Jump to 0x2A if R4 and R9 are not same
F2F49EF8  MOV      R4,DPP3:0x389E                                //again same process for RPM  threshold
D7008100  EXTS     #0x0081,#1
 F2F9D27E  MOV      R9,DPP1:0x3ED2
4049      CMP      R4,R9
FD03      JMPR     CC_ULE,0x00002A                                //Jump to 0x2A if R4  Less Than or Equal to R9
F78EEC8B  MOVB     DPP2:0x0BEC,ZEROS                      //if all conditions are meth, set 0 in 0x380BEC( what is  tsrldyn)
DB00      RETS                                                             // end of function


Why this function use only R4 and R9, why not R4 and R5?


Logged
fknbrkn
Hero Member
*****

Karma: +186/-24
Offline Offline

Posts: 1455


mk4 1.8T AUM


« Reply #41 on: June 20, 2021, 01:10:29 PM »

You could use any (with some restrictions on byte adressing see c167 docs)
Be careful to avoid using registers which stores some data from main code flow i.e.

Mov r4, #22h // r4  22h for now
Calls 8Bh, #your_subroutine // where you used r4 to store zeros
...
Movb tsrldyn, rl4 // stock code expecting 22h here but youve replaced r4 with zeros and get a blown coils


Your_subroutine:
Movb rl4, zeros
Rets
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6037


« Reply #42 on: June 20, 2021, 01:16:40 PM »

To understand why which registers are used and especially their volatility, it is a good idea to read the EABI for the processor.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #43 on: June 21, 2021, 06:02:23 AM »

You could use any (with some restrictions on byte adressing see c167 docs)
Be careful to avoid using registers which stores some data from main code flow i.e.

Mov r4, #22h // r4  22h for now
Calls 8Bh, #your_subroutine // where you used r4 to store zeros
...
Movb tsrldyn, rl4 // stock code expecting 22h here but youve replaced r4 with zeros and get a blown coils


Your_subroutine:
Movb rl4, zeros
Rets

Everything that forces 0 to tsrldyn is not optimal and for some older ecus not even safe. you can retard ignition with 2-3 different ways and manipulate ignition fade in/out stat bits.
Logged
fknbrkn
Hero Member
*****

Karma: +186/-24
Offline Offline

Posts: 1455


mk4 1.8T AUM


« Reply #44 on: June 21, 2021, 10:55:31 AM »

Just a sample of typical newbie reverser trap
Logged
Pages: 1 2 [3] 4 5 6
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.054 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)