Author Topic: Attempting to log Volvo Me7.  (Read 13377 times)
nyet
« Reply #15 on: November 06, 2019, 08:54:40 AM »

ME7Logger would not be hard to do, I basically have the cfg and .ecu parsing running and a KWP2000 HM-2 layer implemented,
but I do not own any VAG car and most likely never will, the ddli hack only applies to them.

Not to give you more work, but ME7Logger will log an ECU sitting on the bench...
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
ruan
« Reply #16 on: November 08, 2019, 05:56:27 AM »

I've posted the Volvo DHA tool on here somewhere - take a look at it, you might find it useful. I cobbled together my own logging stuff for P1 and P2 D2 vehicles using information I gleaned from it. I had problems with my host application crashing and not being able to handle too many frames coming back, but it was also combined with the J2534 adapter crashing, so I suspect my J2534 adapter probably is shit. I didn't look any further as I didn't have time to look into the issues I was having any more and managed to get the information I needed, but will probably come back to it when I've another car I need to log.
« Last Edit: November 08, 2019, 08:24:59 AM by ruan » Logged
fluke9
« Reply #17 on: November 08, 2019, 10:20:40 AM »

Not to give you more work, but ME7Logger will log an ECU sitting on the bench...

My ME7.3.1 is on the bench too, winter is coming ;-)

What would be the cheapest ME7Logger compatible ECU to get in the EU?
The Audi V6 ones are like 100+€ too much for something I cannot use.
Maybe some 1.8T?

Logged
nyet
« Reply #18 on: November 08, 2019, 10:30:06 AM »

My ME7.3.1 is on the bench too, winter is coming ;-)

What would be the cheapest ME7Logger compatible ECU to get in the EU?
The Audi V6 ones are like 100+€ too much for something I cannot use.
Maybe some 1.8T?

yea any ME7.5 1.8t older than 2002/3 should work.
Logged

360trev
« Reply #19 on: November 19, 2019, 04:15:05 PM »

@fluke9

I'm all in on helping get a fully working ME7Logger that works on non-vag roms... I've just done a bit of an upgrade to SAK tool... here's what it can do now... Uploading to github shortly


me7romtool.exe -romfile "2001.5 Audi S4 8D0907551M 0261207143.bin" -vsv
Ferrari 360 ME7.3 Rom Tool. *BETA TEST Last Built: Nov 19 2019 18:22:37 v1.71
by 360trev.  Needle lookup function borrowed from nyet (Thanks man!) from
the ME7sum tool development (see github).

..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

├╛ Opening '2001.5 Audi S4 8D0907551M 0261207143(1).bin_corrected.bin' file
Succeded loading romfile #1.
Loaded Primary ROM in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]

main rom dppX byte sequence #1 found at offset=0xdc08.

dpp0: (seg: 0x0204 phy:0x00810000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible

-[ Basic Firmware information (Primary ROM) ]-------------------------------------------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]
found needle @ offset=0x20254
found table at offset=0001A8C8.

Idx=2   { 0261207143              } 0x18400 -> 0x1840a (10 bytes) : SSECUHN
Idx=4   { 1037360857              } 0x1840a -> 0x18414 (10 bytes) : SSECUSN
Idx=10  { 8D0907551M              } 0x110ed -> 0x110f9 (12 bytes) : DIF
Idx=11  { 0002                    } 0x1110d -> 0x11111 ( 4 bytes) : BRIF
Idx=19  { 2.7l V6/5VT             } 0x110f9 -> 0x11109 (16 bytes) : OTHERID
Idx=20  { ììBì                    } 0x82fb2 -> 0x82fb6 ( 4 bytes)

>>> Scanning for EPK information [info]

found needle at offset=0x2158.
EPK: @ 0x10007 -> 0x10060 (39 bytes) { /1/ME7.1/5/6005.01//22m/DstC2o/011200// }

>>> Scanning for ROM VerstellSystem Variables table...
found needle @ offset=0x236a2

Num of entries: 17
VSV        @ ROM:0x812c4e RAM:0x24b0c6e File-Offset:0x12c4e (seg=0x0204 val=0x2C4E)

 1) vszw             | 0x3809B2 | Ignition timing           | 0 KW  | Byte |-96..95.25 KW       | 0.75 KW   | ZUE
 2) vsfrk            | 0x3809AB | Mixture factor            | 1,0   | Byte | 0.75..1.25         | 0.001953  | ESGRU
 3) vsvw             | 0x3809B0 | Advancement angle         | 0 KW  | Byte | -768...762         | 6 KW      | ESVW
 4) vsns             | 0x3809AE | Nominal speed             | 0 RPM | Byte | 0..2550/min        | 10 RPM    | LLRNS
 5) vszwkr_0_A       | 0x3809B3 | Ignition timing firing 1  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 6) vszwkr_1_A       | 0x3809B4 | Ignition timing firing 2  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 7) vszwkr_2_A       | 0x3809B5 | Ignition timing firing 3  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 8) vszwkr_3_A       | 0x3809B6 | Ignition timing firing 4  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 9) vszwkr_4_A       | 0x3809B7 | Ignition timing firing 5  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
10) vszwkr_5_A       | 0x3809B8 | Ignition timing firing 6  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
11) vszwkr_6_A       | 0x3809B9 | Ignition timing firing 7  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
12) vszwkr_7_A       | 0x3809BA | Ignition timing firing 8  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
13) vske             | 0x3809AC | Knock detection threshold | 0     | Byte | -8..8              | 0,0627    | KRKE
14) vsdmr            | 0x3809A9 | Torque reserve            | 0 %   | Byte | 0..99.6%           | 0.3906%   | MDKOL
15) vsfpses          | 0x3809AA | Manifold air pressure     | 1     | Byte | 0..2               | 0,0078    | AES
16) vsrlmx           | 0x3809AF | max.rl for LDR            | 0%    | Byte | rel sb q0p75                   | LDRLMX  ** Note: This is a SY_Turbo=true Application**
17) vsldtv           | 0x3809AD | TV LDR for appl. control  | 0%    | Byte | tv ub q0p64                    | LDTVMA  ** Note: This is a SY_Turbo=true Application**


I can now add new variables to the VSV table and extend the table length too, all automatically...
Logged
360trev
« Reply #20 on: November 19, 2019, 04:21:38 PM »

... and use it as a basic command line disassembler...


me7romtool.exe -romfile "2001.5 Audi S4 8D0907551M 0261207143(1).bin_corrected.bin" -d 0x236a2
Ferrari 360 ME7.3 Rom Tool. *BETA TEST Last Built: Nov 19 2019 18:22:37 v1.71
by 360trev.  Needle lookup function borrowed from nyet (Thanks man!) from
the ME7sum tool development (see github).

..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

Dissassemble offset: 145058 (0x236A2)

├╛ Opening '2001.5 Audi S4 8D0907551M 0261207143(1).bin_corrected.bin' file
Succeded loading romfile #1.
Loaded Primary ROM in 1Mb Mode


0x000236A2: (+0  )  D7 50 06 02                  extp     #0206h, #2
0x000236A6: (+4  )  F4 8C 2C 31                  movb     r14, [r12+312Ch]
0x000236AA: (+8  )  CC 00                        nop
0x000236AC: (+10 )  F0 5C                        mov      r5, r12
0x000236AE: (+12 )  5C 15                        shl      r5, #1
0x000236B0: (+14 )  D4 25 4E 2C                  mov      r2, [r5+2C4Eh]
0x000236B4: (+18 )  B9 82                        movb     [r2], r14
0x000236B6: (+20 )  08 C1                        add      r12, #1
0x000236B8: (+22 )  46 FC 11 00                  cmp      r12, #0011h
0x000236BC: (+26 )  8D F2                        jmpr     cc_C, loc_238A2
; ------------------------------------------------------------------------------

0x000236BE: (+28 )  DB 00                        rets
; ------------------------------------------------------------------------------

0x000236C0: (+30 )  C2 F4 7C E0                  movbz    r4, byte_E07C
0x000236C4: (+34 )  66 F4 F0 00                  and      r4, #00F0h
0x000236C8: (+38 )  46 F4 10 00                  cmp      r4, #0010h
0x000236CC: (+42 )  3D 02                        jmpr     cc_NZ, loc_236D2
; ------------------------------------------------------------------------------

0x000236CE: (+44 )  FF 07                        bset     MDL
0x000236D0: (+46 )  DB 00                        rets
; ------------------------------------------------------------------------------

0x000236D2: (+48 )  E1 08                        movb     r14, #0
0x000236D4: (+50 )  4A 07 F4 F0                  bmov     word_FEE8.0, word_FD0E.15
0x000236D8: (+54 )  49 81                        cmpb     r14, #1
0x000236DA: (+56 )  3D 02                        jmpr     cc_NZ, loc_236E0
; ------------------------------------------------------------------------------

0x000236DC: (+58 )  DA 82 9E 36                  calls    82h, loc_2369E
; ------------------------------------------------------------------------------

***


In this example I'm using the -d option with an address to start from (and an optional length).

I'm just adding support for loading a definition file so it can automatically substitute known variable addresses and functions just like IDA does. This means you can literally use it as a poor man's IDA then ;)
Logged
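
The address arithmetic behind the two tool outputs above, as an added example (not part of the original posts and not me7romtool's code): a C166 data access takes its page from the DPP register selected by address bits 15..14, or from an `extp` override, and joins it with the 14-bit offset. The flash base of 0x800000 is inferred from the tool's ROM/File-Offset pair, and 0x89B2 is a constructed pointer value chosen to resolve to the listed vszw address.

```c
#include <stdint.h>
#include <stdio.h>

/* DPP0..DPP3 as printed by the tool's "DPPx Setup Analysis" for this ROM. */
static const uint16_t DPP[4] = { 0x0204, 0x0205, 0x00E0, 0x0003 };

/* Assumption: flash is mapped at 0x800000, inferred from the tool's own
   "ROM:0x812c4e ... File-Offset:0x12c4e" line. */
#define ROM_BASE 0x800000u
#define ROM_SIZE 0x100000u   /* "Loaded Primary ROM in 1Mb Mode" */

/* Join a 10-bit data page number with a 14-bit page offset. */
uint32_t page_to_phys(uint16_t page, uint16_t addr16)
{
    return ((uint32_t)(page & 0x03FF) << 14) | (uint32_t)(addr16 & 0x3FFF);
}

/* Normal data access: address bits 15..14 pick the DPP that supplies the page. */
uint32_t dpp_to_phys(uint16_t addr16)
{
    return page_to_phys(DPP[addr16 >> 14], addr16);
}

/* Physical address -> offset in the .bin, or -1 if it is not in flash
   (RAM and CPU registers have no backing bytes in the ROM file). */
long phys_to_file(uint32_t phys)
{
    if (phys < ROM_BASE || phys >= ROM_BASE + ROM_SIZE)
        return -1;
    return (long)(phys - ROM_BASE);
}

int main(void)
{
    /* mov r2, [r5+2C4Eh]: bits 15..14 are 00, so DPP0 (0x0204) applies. */
    uint32_t vsv = dpp_to_phys(0x2C4E);
    /* movb r14, [r12+312Ch] runs under "extp #0206h, #2": the page is forced. */
    uint32_t src = page_to_phys(0x0206, 0x312C);
    /* Constructed pointer: bits 15..14 are 10, so DPP2 (0x00E0, RAM) applies. */
    uint32_t vszw = dpp_to_phys(0x89B2);

    printf("VSV table   phys=0x%06lX file=%ld\n", (unsigned long)vsv, phys_to_file(vsv));
    printf("extp source phys=0x%06lX file=%ld\n", (unsigned long)src, phys_to_file(src));
    printf("vszw        phys=0x%06lX file=%ld\n", (unsigned long)vszw, phys_to_file(vszw));
    return 0;
}
```

The first result reproduces the tool's `VSV @ ROM:0x812c4e ... File-Offset:0x12c4e` line; the RAM address returns -1 because it has no bytes in the ROM image.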