Pages: [1]
Author Topic: Playing with AMB  (Read 3921 times)
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« on: October 31, 2019, 06:52:28 AM »

Hello Team,
I'm quite a noob in this area, sorry for lame questions from the very beginning.
I bought a car (audi a4 b6 1.8 t AMB) and want to play with it by my own. I've never done it before and would be very gratefull for any help possible.
The first thing I wanted to start with is Rear O2 Sensor. Firmware is already downloaded using galletto v54, but without eeprom (need to unlock "case" where ECU is located to use boot mode, without it only firmware is available).
I read wiki, and not everithing is clear now. So I found few XDFs here, and the thing is ESKONF aria location differs on every XDF, so I cannot be sure that ihis is what I need to modify..
Can anyone point me out how to find what I need int the firmware plz
Here is the file attached


Logged
fknbrkn
Hero Member
*****

Karma: +186/-24
Offline Offline

Posts: 1456


mk4 1.8T AUM


« Reply #1 on: October 31, 2019, 07:10:32 AM »

Long story short try to find definition for your software versikn Or crossflash it with well defined one
Anyway you can find eskonf by AA FF 00 pattern
Logged
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #2 on: October 31, 2019, 07:42:03 AM »

Long story short try to find definition for your software versikn Or crossflash it with well defined one
Anyway you can find eskonf by AA FF 00 pattern
So the best way is to find defenition of 366446 sw? where can I get it?
Logged
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #3 on: October 31, 2019, 07:51:02 AM »

Long story short try to find definition for your software versikn Or crossflash it with well defined one
Anyway you can find eskonf by AA FF 00 pattern
Why pattern is AA FF 00? I can find it several times
Is data from the wiki inaccurate or not relevant to my block?
https://s4wiki.com/wiki/Tuning#Rear_O2_Sensors
Logged
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #4 on: November 01, 2019, 12:40:56 PM »

Can someone point me where to read about hunting for tables/values?
Where can I find patterns?
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1282



« Reply #5 on: November 01, 2019, 12:43:10 PM »

Just use ESKONF tool if its ME 7.5 , which it is.
Logged
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #6 on: November 01, 2019, 01:00:35 PM »

Thank you Blazius,
This tool provided 3 addresses:

Code:
C:\Users\mkorneyc\Desktop\chip>me7eskonf.exe ./audi_firmware_play

Reading file [./audi_firmware_play] to buffer...
Buffer ready... Filesize:1048576 (0x100000)

Searching for ESKONF (Bosch ME7.5) in file: ./audi_firmware_play
## ESKONF_0 (Addr:00011218) -- AA FF 00 30 E3 F8 30
b0:AA    ZUE4(95)..:S(10)    ZUE3(94)..:S(10)    ZUE2(103).:S(10)    ZUE1(102).:S(10)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:30    LSHHK(63).:Y(00)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purgevalve
b4:E3    BKV(22)...:N(11)    NC(24)....:S(10)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brakebooster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F8    NC........:N(11)    NC........:N(11)    EKP(65)...:S(10)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:30    ULT(105)..:Y(00)    UAGR(114).:N(11)    SLV(9)....:Y(00)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT

## ESKONF_1 (Addr:0001121F) -- AA FF 00 30 23 F8 30
b0:AA    ZUE4(95)..:S(10)    ZUE3(94)..:S(10)    ZUE2(103).:S(10)    ZUE1(102).:S(10)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:30    LSHHK(63).:Y(00)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purgevalve
b4:23    BKV(22)...:Y(00)    NC(24)....:S(10)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brakebooster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F8    NC........:N(11)    NC........:N(11)    EKP(65)...:S(10)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:30    ULT(105)..:Y(00)    UAGR(114).:N(11)    SLV(9)....:Y(00)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT

## ESKONF_2 (Addr:00033F7D) -- FF FF 00 F0 3F F0 2C
b0:FF    ZUE4(95)..:N(11)    ZUE3(94)..:N(11)    ZUE2(103).:N(11)    ZUE1(102).:N(11)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:F0    LSHHK(63).:N(11)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purgevalve
b4:3F    BKV(22)...:Y(00)    NC(24)....:N(11)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brakebooster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F0    NC........:N(11)    NC........:N(11)    EKP(65)...:Y(00)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:2C    ULT(105)..:Y(00)    UAGR(114).:S(10)    SLV(9)....:N(11)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT
Logged
fknbrkn
Hero Member
*****

Karma: +186/-24
Offline Offline

Posts: 1456


mk4 1.8T AUM


« Reply #7 on: November 01, 2019, 08:22:09 PM »

again
AA FF 00
Logged
mkorneyc
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #8 on: November 01, 2019, 11:25:57 PM »

again
AA FF 00
I got it. The address I need is 00011218.
But why there is similar area starting from 0001121F? The only difference in Brake booster pump bit.
Сould it be like that one area relevant to automatic transmission and another to manual? I have auto.
If I do not have a pattern (like here AA FF 00) how can I find area in this case? For example how to find KRKTE?
Sorry for stupid questions again.
Logged
BlackT
Hero Member
*****

Karma: +79/-40
Offline Offline

Posts: 1425



« Reply #9 on: November 02, 2019, 02:53:32 AM »

I got it. The address I need is 00011218.
But why there is similar area starting from 0001121F? The only difference in Brake booster pump bit.
Сould it be like that one area relevant to automatic transmission and another to manual? I have auto.
If I do not have a pattern (like here AA FF 00) how can I find area in this case? For example how to find KRKTE?
Sorry for stupid questions again.

Yes there is a two ESKONF,  one for manual second for auto.
https://youtu.be/nKSe1fPbTlA
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1282



« Reply #10 on: November 02, 2019, 05:03:31 AM »

Exactly, 2 versions dont bother with the 3rd. Just change both to the same ( what you wanna code out) and you should be fine. Single value adresses are bit harder to find for newbies, but either you use a similar damos and look where the locations of the maps are , then you go find manually or/and you use IDA to find it in the flash via text and patterns.
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.019 seconds with 17 queries. (Pretty URLs adds 0s, 0q)