cherry
« Reply #15 on: October 12, 2022, 07:15:08 PM »
Btw your Scirocco instrument is not from Scirocco, but from Beetle. Not sure if there is any difference in CAN data.
Which bit(s) from CWLDANZ did you set? Set bit 0, 1 and 2 -> 07h, in the Scirocco file it's at address 1D43E5.
« Last Edit: October 12, 2022, 07:40:21 PM by cherry »
cherry
« Reply #16 on: October 12, 2022, 07:45:12 PM »
+---------+-----+-------+-------------------------------------+
|         | Bit | Value | Meaning                             |
+=========+=====+=======+=====================================+
| CWLDANZ | 0   | 1     | Display of boost pressure           |
|         |     | 0     | No display                          |
|         +-----+-------+-------------------------------------+
|         | 1   | 1     | Intake manifold pressure            |
|         |     | 0     | Pressure upstream of throttle valve |
|         +-----+-------+-------------------------------------+
|         | 2   | 1     | Envelope curve                      |
|         |     | 0     | Measured value                      |
|         +-----+-------+-------------------------------------+
|         | 3   | 1     | Relative pressure                   |
|         |     | 0     | Absolute pressure                   |
|         +-----+-------+-------------------------------------+
|         | 4   | 1     | Pressure unfiltered                 |
|         |     | 0     | Pressure filtered                   |
|         +-----+-------+-------------------------------------+
|         | 5   |       | free                                |
|         | 6   |       | free                                |
|         | 7   |       | free                                |
+---------+-----+-------+-------------------------------------+
Not sure why bit 2 is set, but this is how it's done in the file. Maybe the value is calculated, because there is no MAP sensor after throttle. Bit 3 should reduce value minor 1 bar. Did you read the FR???
Edit: OK, I think not all MED9.1 FRs contain this information...
« Last Edit: October 12, 2022, 07:53:12 PM by cherry »
elias
Full Member
Karma: +20/-3
Offline
Posts: 66
« Reply #17 on: October 14, 2022, 03:47:16 PM »
Hello cherry,
First of all, in my binary the value of CWLDANZ is only used once and compared only against 0. I haven't seen any other checks (using Find-Reference in Ghidra). So putting any value is enough to enable the CAN message. I assume that newer binaries have a different logic, and may use the value like you described.
I made some progress by hacking together a RAM read/write tool for investigating the addresses needed. The tool itself can log in to the ECU using the SA2 algo and then should read/write RAM. Currently I am investigating read_data_by_identifier and dynamically_define_data_identifier.
cherry
« Reply #18 on: October 14, 2022, 05:34:18 PM »
Besides your reverse engineering, did you try it?
elias
« Reply #19 on: October 18, 2022, 02:20:24 PM »
Hello everyone,
With the help of basano's threads, I made a RAM reader for MED9.1. However I haven't figured out the RAM writing yet. It seems that the ECU is locked for RAM writing. The tool itself can be found here: https://github.com/EliasKotlyar/MED9RamReader/
@cherry: Will try it out (setting bits) and report. Now I have the right tool and can figure out all the mysteries of the ECU.
Besides, can someone tell me which values the boost gauges should display when installed normally in a car? Is it "Boost Pressure,(specified)" or "Boost Pressure,(actual)"?
Greetings,
Elias
prj
« Reply #20 on: October 19, 2022, 01:37:08 PM »
No $3D service on VAG MED9 and no $2E for Dynamic DID iirc.
« Last Edit: October 19, 2022, 01:40:53 PM by prj »
elias
« Reply #21 on: October 23, 2022, 04:27:26 AM »
Okay,
@cherry: I tried and it did not give me any different results. It seems that the byte does nothing other than enabling the message.
I tried around with and found out that the Boost Pressure Variable is located here: 0x007fc99a
It seems that I need to create a map function, which will map the values of the boost pressure gauge into the values which are accepted by the boost gauge. Will try to do it...
prj
« Reply #22 on: October 23, 2022, 06:38:06 PM »
You don't need to map anything since it's linear. It's enough to have a factor + offset.
Also stuff is referenced via SDA and TOC. Might be a good idea to set those properly in Ghidra if you haven't already. Not sure why you need the RAM reader. It's not necessary for what you want to accomplish. Reading RAM is open via $2C on these anyway.
In fact this whole thread makes me scratch my head. This modification is super simple. If the codeword doesn't do it, find where it's written to CAN (xref some references of other things written into this packet) and just modify what's written. You can use any file for which there is A2L. Scripts for IDA to populate vars based on A2L are also posted.
« Last Edit: October 23, 2022, 06:42:47 PM by prj »
Dmitrii-VR6T
Newbie
Karma: +6/-0
Offline
Posts: 16
« Reply #23 on: February 04, 2023, 09:13:47 AM »
You can use a direct signal from the boost sensor to an Arduino. Install the Arduino between the car CAN bus and your Beetle gauges. Make an Arduino program which will filter messages with zero boost bytes, add boost pressure data to it and send it to the Beetle gauges.
prj
« Reply #24 on: February 04, 2023, 10:54:30 AM »
> You can use a direct signal from the boost sensor to an Arduino. Install the Arduino between the car CAN bus and your Beetle gauges. Make an Arduino program which will filter messages with zero boost bytes, add boost pressure data to it and send it to the Beetle gauges.
Perfect example of making something super simple insanely complicated and failure prone.
An Arduino is not:
a) Extended temperature rated
b) Not vibration proof
c) Your connection won't be shock and vibration proof either
No, don't do it. Modifying 5-6 commands in ASM is 10x easier, and it's not gonna make your clocks stop working randomly.
« Last Edit: February 04, 2023, 10:56:02 AM by prj »
elias
« Reply #25 on: May 04, 2023, 08:58:26 AM »
I finally managed to solve my issue... It was indeed, as prj said, only a few assembler commands, but... getting there was a lot of pain. The coding part was really fun, but the ASM part was weird and complicated.
As some "byproducts" I have coded a whole tool which is capable of reading/writing memory, seeing measuring blocks etc. Without it, it would be a lot more pain, as it would not be possible to see what's happening inside the ECU and modifying it. It can be found here: https://github.com/EliasKotlyar/MED9RamReader
Also I coded a lot of small scripts for automatically tagging MED9 stuff in Ghidra: https://github.com/EliasKotlyar/Med9GhidraScripts
The whole script can be found here, if someone wants to patch his binary: https://github.com/EliasKotlyar/Med9GhidraScripts/blob/main/PatchBoostGauge.py
As an extra tip for someone who wants to do similar things in the future: Start with the measuring blocks. It will allow you to see how VCDS is dealing with variables, and therefore allow you to see the scaling of the values. The absolute pressure which I have been using is not scaled with some constants (which I would expect) but rather with code. The code goes like:
    uVar1 = (uint)absolutePressure;
    if (uVar1 < 0x8000) {
        uVar1 = ((int)uVar1 >> 7) * 100;
    } else {
        uVar1 = ((int)uVar1 >> 8) * 200;
    }
(just an example). Do not use A2L-Variables as they are heavily edited before being transmitted into VCDS.
|
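The scaling branch quoted in Reply #25, reimplemented as an added example (not code from the thread or from the linked repositories) and compared against a single linear factor of the kind Reply #22 describes. It assumes the raw value is an unsigned 16-bit quantity; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Piecewise scaling as quoted from the decompiler output in the post.
 * Assumption: the raw pressure value is an unsigned 16-bit quantity. */
static uint32_t scale_piecewise(uint16_t raw)
{
    uint32_t v = raw;
    if (v < 0x8000u)
        return (v >> 7) * 100u;   /* 128 raw counts per 100 output units */
    return (v >> 8) * 200u;       /* 256 raw counts per 200 output units */
}

/* One linear factor covers both branches: 100/128 == 200/256 == 0.78125. */
static uint32_t scale_linear(uint16_t raw)
{
    return ((uint32_t)raw * 100u) / 128u;
}

/* Largest amount by which the piecewise result falls below the linear one
 * over [lo, hi]. Shifting before multiplying truncates, so the piecewise
 * result is never above the linear one. */
static uint32_t max_undershoot(uint16_t lo, uint16_t hi)
{
    uint32_t worst = 0;
    for (uint32_t r = lo; r <= hi; r++) {
        uint32_t d = scale_linear((uint16_t)r) - scale_piecewise((uint16_t)r);
        if (d > worst)
            worst = d;
    }
    return worst;
}

int main(void)
{
    /* The two branches meet at the 0x8000 boundary without a jump. */
    printf("0x7FFF -> %u, 0x8000 -> %u\n",
           (unsigned)scale_piecewise(0x7FFF), (unsigned)scale_piecewise(0x8000));
    /* Only the quantisation step differs: 100 units below, 200 above. */
    printf("max undershoot low half:  %u\n", (unsigned)max_undershoot(0x0000, 0x7FFF));
    printf("max undershoot high half: %u\n", (unsigned)max_undershoot(0x8000, 0xFFFF));
    return 0;
}
```

Both branches apply the same factor and differ only in step size, so a branch like this in decompiled scaling code does not by itself mean the relationship is non-linear.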
prj
« Reply #26 on: May 04, 2023, 12:33:39 PM »
> I finally managed to solve my issue... It was indeed, as prj said, only a few assembler commands, but... getting there was a lot of pain. The coding part was really fun, but the ASM part was weird and complicated.
> As some "byproducts" I have coded a whole tool which is capable of reading/writing memory, seeing measuring blocks etc. Without it, it would be a lot more pain, as it would not be possible to see what's happening inside the ECU and modifying it. It can be found here: https://github.com/EliasKotlyar/MED9RamReader
> Also I coded a lot of small scripts for automatically tagging MED9 stuff in Ghidra: https://github.com/EliasKotlyar/Med9GhidraScripts
> The whole script can be found here, if someone wants to patch his binary: https://github.com/EliasKotlyar/Med9GhidraScripts/blob/main/PatchBoostGauge.py
> As an extra tip for someone who wants to do similar things in the future: Start with the measuring blocks. It will allow you to see how VCDS is dealing with variables, and therefore allow you to see the scaling of the values. The absolute pressure which I have been using is not scaled with some constants (which I would expect) but rather with code. The code goes like:
>     uVar1 = (uint)absolutePressure;
>     if (uVar1 < 0x8000) {
>         uVar1 = ((int)uVar1 >> 7) * 100;
>     } else {
>         uVar1 = ((int)uVar1 >> 8) * 200;
>     }
> (just an example). Do not use A2L-Variables as they are heavily edited before being transmitted into VCDS.
If you have an a2l then it makes 0 sense to do any of this. The FR tells you which variables go into which CAN packets (it essentially defines the CAN matrix) and you can just look up what should be there and in which location. FRs are easily found for MED9.
Good job on coding this stuff, but you made something 100x more complicated than it could have been. But seeing what you did it was not about the result for you but more about the journey. Which is very good and this knowledge will serve you well in the future.