Hello rear readers,

I own a EOS with BWA Motor and installed "Additional Instruments"(PN 5C5919527B) from VW Scirocco into my car. The clock and the Oil-Temperature are working fine, but unfortunately the Boost Pressure Gauge is not. Its
basically stuck at zero and does not move. There are some "messages missing" according to VCDS.

I am trying to make it work be adding this feature into the ECU. Here is my journey so far:
1. Tried around with the Additional-Instruments on Bench with Arduino CAN-Shield. A Friend of mine gave me the tip to try to send CAN-Message 0x588 with Byte5 set to a value will to the trick. It did work.
2. Looked it up on Funktionsrahmen. It looks that this functionality is not implemented at all, and it always sends 0 on Byte5.
3. Dumped the binary with Kess from a friend and started to looking for Definition Files. Found some which were supposed to be "well documented" for Tunerpro, unfortunately it has not much tables. Found a documented binary + winols project here:  http://nefariousmotorsports.com/forum/index.php?topic=18618.0. Started with this binary as a start.
4. Started disassembly with IDA Pro using Basano Tutorials. IDA Pro turned to be out really complicated to use.
5. Switched to Ghidra as i had some previous experience with it. Unfortunately there is no tutorial for Ghidra + MED9.1.
For anyone wanting to use ghidra, use PPC(Big Endian) and set following registers and you are good to go:
assume r13 = 0x7ffff0
assume r2 = 0x5c9ff0
Memory map can be used from Basano Tutorial.

6. Started looking around for entry points for CAN-Bus Messages. Found "PMAXKBI_W" in WINOLS. Address is 005c6300. Used as entry point in Disassembly
7. Found Mot8Byte6 under 008043b1(by reference from PMAXKBI_W)
8. Found Mot7Byte5 under 008043a0 (by reading Basano tutorial and assuming that the CAN-Buffers are all nearby)
9. Found that the "boost pressure" which will be written there will be under 008028e
10. Got a spare ECU and tried to build up a Bench-Setup. Unfortunately i cannot write binary to the spare ecu due to the Immo being active. Need to buy BDM100/or KTAG to proceed further.

Questions so far:
1. Has anyone done it before?
2. Is there any tool which can read/write ram on MED9.1 using TP2.0? I have seen some basic scripts in python which can do it, however i would really appriciate if there is any tool which is capable of doing it.
3. Can someone confirm/decline my findings regarding adresses? The file which i am currently using is 1K0907115.

Greatings
Elias

Why you cannot even write correct part number or upload your file? For the BWA file from other thread it should be at 1C6338...

My logger will read RAM.
Write no, but you can read all you want.
www.vehical.net

Hello everyone,

I made a lot of progress today:
1. Realized that i can make IMMO-Off on the spare ECU with an EEPROM reader + KESS. Did exactly that. Wanted to have a Backup-ECU if something goes wrong while flashing it into the car.
2. Dumped original ECU(which is in the car), patched the address(0x1C6338), corrected checksums using WINOLS and flashed it back.

Result:
Kind of working, but not without problems:
Before the flash, the gauge was not doing anything.
Currently it does go to 2 bar as soon as you idle the car. As soon as you start driving, it starts moving to 3 bar. It does respond to throttle, but always moves between 2 and 3 bars. I suspect that the gauge is expecting the data in different format.


My plan changed to:
1. I will try to tinker around with my ArduinoCan-Shield and try to find the values which will set the gauge to different values (1 bar, 2 bar, 3 bar).
2. I will monitor the values which the ECU is sending out. I assume that it will send the boost pressure in decimal settings(seen it in Funktionsrahmen).

0x00 = 0 bar
0x7F(decimal 127) = 1,27 bar
0xFE(decimal 254) = 2,54 bar
3. Write some function in ASM which will do the mapping

I researched the code, and it seems that it is calculated here:

Just log can byte with arduino
FR shows same conversion formula as pvdkds so its just an absolute pressure

You have to subtract atmosperic pressure to get boost from absolute pressure

Then do some math or map() with arduino to calibrate gauge

Idk why you make this things so complex

I think its related to the fact that this gauges were never sold with the MED9.1 motors. They appeared on the VW Beetle Facelift and VW Scirocco Facelift. Both were produced long after the MED9.1 was canceled.

Nevertheless, i am 100% sure that the gauges are working correctly, as the oil-gauge is working fine and i can drive the boost-gauge with my arduino. I suppose they just changed the mapping to allow higher boost values. The original values from FR are limited to 2,55 bar(0xFF) , and the gauge can drive up to 3 bar. So it makes sense, that they just divided the value by 2 to make it work.

Regarding pointers: they are working fine.
Regarding Coding-Options: I checked but there are no related coding options in this gauges.

I did the changes however they havent change any visible value. I suppose that i havent found the correct can-bus buffer on this firmware.

Question:
Does someone know the adresses of the Canbus-Buffer on the  firmware?
I know that the one for MOT8-Message Can Buffer is starting at 008043ac. I am searching for the MOT7-Message Can-Buffer so i can modify the value before it will be sended out. I assumed that it would be at 008043a0, however this was not the case...

many thanks, learned something new. I was thinking that the ECU was dropped after the Golf 6R...

1. I got a binary(1K8907115L) from http://nefariousmotorsports.com/forum/index.php?topic=14741.0
2. Loaded in Ghidra and wanted to compare the code
3. Oh boy - nothing is same between my binary and 1K8907115L. Cannot find any common adresses etc. Also do not have any Damos for that file. I stopped it here as i really doubt that i can "copy" it over from that file.
4. I really doubt that its a good idea to flash this file onto my car, as its designed for the 280PS CDL Engine and i have only 200PS BWA Engine.
5. My plan would be first of all to do some base-research...i need to find the adresses of the canbuffers on my binary to move forward with this project. Idea is still to "reprogram" the code which is writing the can-message.


Questions so far:
1. Does anyone adapted the 1K8907115L Binary for BWA motor? Maybe someone did already, however its very unlikely that someone done it.
2. Does anyone know where the can-buffers are located on my binary?