Hi Nef, i've recently created a map switching routine switching ldrxn on med9.1 (edition 30 golf) using basanos method (Thanks!) and i'm putting a big turbo on the car soon so thought it would be easy to get all the data for setting up the boost by creating multiple TVLDMX's then just switching them from the CC and Brake pedal when wanting to switch between maps. (instead of using KFLDRAPP and flashing 5-6 different maps each at 12 min write speed.)

I've already written the code for the map switching but i've never created extra maps so i was just wondering if i've done it correctly? If so then hopefully this can help someone else.

I first found the address of TVLDMX in my bin @1CFA38 then added the offset 0x400000 = 5CFA38
This took me directly to the place that stores TVLDMX so i then cross referenced the address and found where i was being used.

It was being loaded at 0044EA2C so i added my branch just before this to my map switching code.

Original code:

 ROM:0044EA14 # ---------------------------------------------------------------------------
ROM:0044EA14                 lbz       r12, byte_7FEC7F
ROM:0044EA18                 cmpwi     r12, 0
ROM:0044EA1C                 bne       locret_44EA6C
ROM:0044EA20                 lbz       r12, byte_7FEC80
ROM:0044EA24                 cmpwi     r12, 0
ROM:0044EA28                 bne       locret_44EA6C
ROM:0044EA2C                 lis       r4, word_5CFA38@ha
ROM:0044EA30                 lhz       r4, word_5CFA38@l(r4)
ROM:0044EA34                 li        r11, 0x4E
ROM:0044EA38                 divwu     r3, r4, r11
ROM:0044EA3C                 lis       r4, 0 # 0xFFFF
ROM:0044EA40                 ori       r4, r4, 0xFFFF # 0xFFFF
ROM:0044EA44                 cmplw     r3, r4
ROM:0044EA48                 ble       loc_44EA50
ROM:0044EA4C                 b         loc_44EA54
ROM:0044EA50 # ---------------------------------------------------------------------------
ROM:0044EA50

New code:
0 locret_44EA10:                          # CODE XREF: sub_44A858+41ACj
ROM:0044EA10                 blr
ROM:0044EA10 # End of function sub_44A858
ROM:0044EA10
ROM:0044EA14 # ---------------------------------------------------------------------------
ROM:0044EA14                 lbz       r12, byte_7FEC7F
ROM:0044EA18                 cmpwi     r12, 0
ROM:0044EA1C                 bne       locret_44EA6C
ROM:0044EA20                 lbz       r12, byte_7FEC80
ROM:0044EA24                 cmpwi     r12, 0
ROM:0044EA28                 bne       locret_44EA6C
ROM:0044EA2C                 b         loc_47D46C
ROM:0044EA30 # ---------------------------------------------------------------------------
ROM:0044EA30                 nop
ROM:0044EA34
ROM:0044EA34 loc_44EA34:                             # CODE XREF: ROM:0047D490j
ROM:0044EA34                                         # ROM:0047D49Cj ...
ROM:0044EA34                 li        r11, 0x4E
ROM:0044EA38                 divwu     r3, r4, r11
ROM:0044EA3C                 lis       r4, 0 # 0xFFFF
ROM:0044EA40                 ori       r4, r4, 0xFFFF # 0xFFFF
ROM:0044EA44               


Now my branch is added this then goes to the map switching code which simply switchs the map depending on what value is stored in the byte i've created which uses the CC and brake pedal as an input to increase the value each time the CC stalk input is pressed and shows up as an RPM signal depending on what map im in i.e. 1000rpm = map 1 etc

So now onto creating the extra TVLDMX i will need for my routine. TVLDMX is a 16bit map so i designated 2 bytes a value in IDA (these can be changed later in winols for your duty cycle %) and used the same code to load the original TVLDMX. (See below)

ROM:0047D46C loc_47D46C:                             # CODE XREF: ROM:0044EA2Cj
ROM:0047D46C                 lbz       r10, byte_7FABF7
ROM:0047D470                 cmpwi     r10, 0
ROM:0047D474                 beq       loc_47D488
ROM:0047D478                 cmpwi     r10, 1
ROM:0047D47C                 beq       loc_47D494
ROM:0047D480                 cmpwi     r10, 2
ROM:0047D484                 bge       loc_47D4A0
ROM:0047D488
ROM:0047D488 loc_47D488:                             # CODE XREF: ROM:0047D474j
ROM:0047D488                 lis       r4, word_5CFA38@ha
ROM:0047D48C                 lhz       r4, word_5CFA38@l(r4)
ROM:0047D490                 b         loc_44EA34
ROM:0047D494 # ---------------------------------------------------------------------------
ROM:0047D494
ROM:0047D494 loc_47D494:                             # CODE XREF: ROM:0047D47Cj
ROM:0047D494                 lis       r4, word_5F0800@h
ROM:0047D498                 lhz       r4, word_5F0800@l(r4)
ROM:0047D49C                 b         loc_44EA34
ROM:0047D4A0 # ---------------------------------------------------------------------------
ROM:0047D4A0
ROM:0047D4A0 loc_47D4A0:                             # CODE XREF: ROM:0047D484j
ROM:0047D4A0                 lis       r4, word_5F0810@h
ROM:0047D4A4                 lhz       r4, word_5F0810@l(r4)
ROM:0047D4A8                 b         loc_44EA34
ROM:0047D4AC # -----------

So the new address's for TVLDMX 2 and 3 are 5F0800 and 5F0810. The code jumps here from the original code and picks an address depending on the value stored in the byte (1,2,3) this then loads the h and l halves with the values stored and then it branches back to the original code.


This is the code for the extra TVLDMX maps below, as you can see i've just used 2 bytes to stored data and this is then used to load the value stored in them to TVLDMX to be used to limit duty cycle.

I don't know if this is correct or if i've done this right but i'd love to hear from some more experienced guys on here to steer me in the right direction if what i've dones wrong and hopefully help anyone else who's planning similar.

ROM:005F0800 word_5F0800:    .short 0x2710           # DATA XREF: ROM:loc_47D494o
ROM:005F0800                                         # ROM:0047D498r
ROM:005F0802                 .short 0xFFFF
ROM:005F0804                 .long 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
ROM:005F0810 word_5F0810:    .short 0                # DATA XREF: ROM:loc_47D4A0o
ROM:005F0810                                         # ROM:0047D4A4r
ROM:005F081

Cheers!

So another update....

I've been trying to add 5x TVLDMX maps to switch via the CC and brake and have successfully managed switching 3 but when going to 5 using the same programming concepts just copy/paste and adding new address's i just keep bricking the ecu.

I've disassembled the code again and again and the code looks OK i believe but the only issue i might be having is writing too much code in one space? i feel the area may be used even though in IDA is FF'd. (i believe its the first bit of code which stores the can/cluster comms and checksum that may be the issue) - 0x47BD40

Ill attach my IDA project of the 5x tvldmx and also my .bin so someone on here that's a bit more experienced may be able to see a mistake or guide me in the right location?

 My code for map switching starts at 0x47BD40 (in IDA) - 0x07BD40 in the .bin and the TVLDMX map switching locations start at 0x47D46C (in IDA) - 0x07D46C

Cheers

It is good that you are learning, but this is like doing dental surgery through the rectum.

The correct solution is to modify the binary and make a flash tool so that you can flash calibration changes only, bringing down the flashing time to <1 minute.
The less correct solution is to change a single variable - the axis on kfldrapp to read for example the cruise control mask instead of wped. Or ushk_w with a potentiometer also works.

Precisely. Resize the map to have everything covered.
If you want to be more advanced, make the axis a location in memory that gets incremented by 1 each time there is a leading edge on a CC input, and then gets wrapped back to zero.
Toggle between columns by pushing a button.