Pages: 1 [2] 3
Author Topic: Reverse Engineering EDC15  (Read 48871 times)
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #15 on: January 31, 2014, 02:13:28 AM »

I've been able to find some RAM variables as a reference and from that I've reloaded the entire file;
now I've been able to find every map, variable and procedure that I needed without any problem...
I'm currently developing some new features for this ECU like:
- Overboost for x seconds (depending on the EGTs) activated by Cruise Control
- 3 complete map switch, also via Cruise Control (the current map is visualized via RPM on the instrument cluster)
I have already written the code for Overboost & Map switch;
the only real problem is to find some empty locations in either the internal or external RAM.

@Brumbassen, I've written my own program to read\write the E2prom\Flash and it calculates the checksums on the fly. Anyway, I recall that there's a small free program distributed by MTX Electronics (something like "Vagcheckfix"); it has some bugs but it'll do the job for almost every VAG EDC15 ECU...
Faboka (Newbie, Karma: +0/-0, Posts: 5)
« Reply #16 on: January 31, 2014, 01:11:24 PM »

Sounds really interesting. I would love to be able to reverse engineer, but I know nothing about CPUs and memory and how they work together.
prj (Hero Member, Karma: +1072/-481, Posts: 6038)
« Reply #17 on: January 31, 2014, 03:37:23 PM »

Would be nice if you posted DPP and segment info.
Not required, just nice.

I made a script for loading ME7 binaries, I am sure the same script can be adapted for EDC15:
http://nefariousmotorsports.com/forum/index.php?topic=2431.30

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
eliotroyano (Hero Member, Karma: +48/-8, Posts: 826)
« Reply #18 on: January 31, 2014, 07:27:07 PM »

Quote from: ne0h
I've been able to find some RAM variables as a reference and from that I've reloaded the entire file;
now I've been able to find every map, variable and procedure that I needed without any problem...
I'm currently developing some new features for this ECU like:
- Overboost for x seconds (depending on the EGTs) activated by Cruise Control
- 3 complete map switch, also via Cruise Control (the current map is visualized via RPM on the instrument cluster)
- Live tuning of some maps (SOI, N75)
I have already written the code for Overboost & Map switch;
the only real problem is to find some empty locations in either the internal or external RAM.

@Brumbassen, I've written my own program to read\write the E2prom\Flash and it calculates the checksums on the fly. Anyway, I recall that there's a small free program distributed by MTX Electronics (something like "Vagcheckfix"); it has some bugs but it'll do the job for almost every VAG EDC15 ECU...

Amazing work...... really impressive. I wish I had the time to learn to do reverse engineering.
How much time did it take you to make these mods to the EDC15 firmware?
IamwhoIam (Hero Member, Karma: +52/-115, Posts: 1070)
« Reply #19 on: February 01, 2014, 04:15:20 AM »

Overboost on a diesel? Do you know what boost does on a diesel engine at least?

I have no logs because I have a boost gauge (makes things easier)
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #20 on: February 01, 2014, 05:30:07 AM »

The loading of the file is very simple. I was having problems with the DPP settings because in fact DPP0 to DPP2 are changed at runtime depending on the ECU coding, because of the 3 codeblocks (Manual, Auto & 4x4)...
The default settings for the DPPs are OK to start reversing (DPP0: 0, DPP1: 1, DPP2: 2, DPP3: 3);
then it's easy to change DPP0-2 to point to the codeblock you want to be selected
(3 pages of 16kb each, so for example set DPP0 to 0x3C if you want the third codeblock to be selected).

At first I was changing every DPP to the values present in the IROM and so I had a lot of problems locating anything...
DPP3 is used for RAM\CAN access, so the default value (3) is OK for the entire file.
The 29F400BT flash is mapped @ 0x80000, so when loading in IDA you have to put 0x8000 (paragraphs).
I suggest first locating a RAM variable like dzmNmit (engine rpm) or something like this;
it will give you a nice picture of how the system control strategy works.
There are NO direct map references in EDC15 due to the codeblocks, so it's a bit tricky to find how they're addressed.

Regarding the time it takes, I worked on this for 2-3 hours a day for 3-4 days, because I have some important & difficult exams to do (I'm a computer science student) and I've very little time to work on this...
I've worked on the PSP modding scene before ("Xplora" is one of my projects) and comparing the two systems the ECU is just a small, easy module (the code section is less than 300kb)...
Adding the "overboost" feature & the map switch isn't difficult at all once you have a good picture of the program...
« Last Edit: May 27, 2014, 01:28:42 AM by ne0h »
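A worked illustration of the addressing ne0h describes above, added here as an example; it is not ne0h's code or anything from his project. It takes from the post: 16 KiB pages, the default DPP0..3 = 0..3 mapping, DPP3 left at 3 for RAM\CAN access, DPP0 = 0x3C for the third codeblock, and the 29F400BT mapped at 0x80000 (0x8000 paragraphs in IDA). It assumes the standard C166 data-paging scheme (bits 15..14 of a 16-bit address select DPP0..3, bits 13..0 are the offset into the page, a DPP holds a 10-bit page number), assumes the three pages of a codeblock are consecutive so DPP1 and DPP2 are DPP0+1 and DPP0+2, and uses a constructed all-zero 512 KiB buffer as a stand-in for the flash dump. With those assumptions, page 0x3C is linear 0xF0000, i.e. offset 0x70000 into the dump.

```python
# Added example (not ne0h's code): DPP-relative address translation for a
# C166-family EDC15 image, plus the IDA segment-base arithmetic from the post.
#
# From the post: 16 KiB pages, default DPP0..3 = 0..3, DPP3 stays 3 for RAM/CAN,
# DPP0 = 0x3C selects the third codeblock, 29F400BT mapped at 0x80000.
# Assumptions: standard C166 DPP addressing (bits 15..14 of a 16-bit address
# pick DPP0..3, bits 13..0 are the page offset, a DPP holds a 10-bit page
# number); a codeblock's three pages are consecutive; IMAGE below is a
# constructed buffer, not a real flash dump.

PAGE_SHIFT = 14
PAGE_SIZE = 1 << PAGE_SHIFT          # 16 KiB
PAGE_MASK = PAGE_SIZE - 1
MAX_PAGE = 1 << 10                   # DPP registers hold a 10-bit page number

FLASH_BASE = 0x80000                 # where the 29F400BT is mapped (from the post)
FLASH_SIZE = 512 * 1024              # 29F400 = 4 Mbit

DEFAULT_DPP = (0, 1, 2, 3)           # the mapping to start reversing with


def ida_paragraphs(linear_base):
    """IDA's loading segment for a segmented 16-bit CPU is given in 16-byte
    paragraphs, so the flash base 0x80000 becomes 0x8000."""
    if linear_base & 0xF:
        raise ValueError("segment base must be paragraph (16-byte) aligned")
    return linear_base >> 4


def codeblock_dpp(first_page):
    """DPP0..3 that select the codeblock whose first page is first_page.
    Assumes the three pages of a codeblock are consecutive; DPP3 stays 3."""
    if not 0 <= first_page <= MAX_PAGE - 3:
        raise ValueError("codeblock does not fit in the 24-bit address space")
    return (first_page, first_page + 1, first_page + 2, 3)


def translate(addr16, dpp=DEFAULT_DPP):
    """16-bit DPP-relative data address -> 24-bit linear address."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("DPP-relative addresses are 16 bits")
    page = dpp[addr16 >> 14]          # bits 15..14 select the DPP register
    if not 0 <= page < MAX_PAGE:
        raise ValueError("DPP holds a 10-bit page number")
    return (page << PAGE_SHIFT) | (addr16 & PAGE_MASK)


def file_offset(linear, base=FLASH_BASE, size=FLASH_SIZE):
    """Offset into the flash dump for a linear address, or None when the
    address is outside the flash window (internal RAM, XRAM, SFRs, CAN, ...)."""
    if base <= linear < base + size:
        return linear - base
    return None


def read_word(image, addr16, dpp=DEFAULT_DPP):
    """Read the little-endian 16-bit word that a DPP-relative access to addr16
    would see under the given mapping; None if it does not land in the image."""
    off = file_offset(translate(addr16, dpp))
    if off is None or off + 2 > len(image):
        return None
    return int.from_bytes(image[off:off + 2], "little")


# Constructed stand-in for a flash dump: zeros except one marker word placed
# where the third codeblock's first data word (page 0x3C, offset 0x10) lives.
IMAGE = bytearray(FLASH_SIZE)
IMAGE[0x70010:0x70012] = (0x1234).to_bytes(2, "little")


if __name__ == "__main__":
    cb3 = codeblock_dpp(0x3C)
    print("IDA paragraphs for 0x80000:", hex(ida_paragraphs(FLASH_BASE)))
    print("0x0010 with default DPPs ->", hex(translate(0x0010)),
          "(not in flash:", file_offset(translate(0x0010)), ")")
    lin = translate(0x0010, cb3)
    print("0x0010 with codeblock 3  ->", hex(lin), "file offset", hex(file_offset(lin)))
    print("word there:", hex(read_word(IMAGE, 0x0010, cb3)))
    print("0xC000 via DPP3 ->", hex(translate(0xC000, cb3)))
```

The same 16-bit operand therefore points at three different places depending on which codeblock the ECU coding has selected, which is why the post recommends starting with the default 0..3 mapping and only then re-pointing DPP0-2.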
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #21 on: February 01, 2014, 05:47:12 AM »

@IamwhoIam, "overboost" is just a name for the basic "no IQ limitation" function I've added;
in fact right now the desired boost pressure isn't even modified,
for now it just bypasses every IQ limitation (no smoke limit, no torque limit, no REV limit, no launch control etc.) when Cruise Control is enabled...
I'll add some sort of "boost up" feature, but it isn't simple to instantly lift the boost because of the N75;
anyway I'll soon rewrite it, because bypassing the entire IQ limitation is not exactly the best way to do this...

Asap I'll rewrite everything to:
- activate only if CC SET+RES are pressed at the same time
- deactivate CC if it has been enabled
- bypass smoke & torque limitation (with some checks for component protection)
- make the MIL blink while "IQ bypass" is active
- disable it after 'x' seconds due to EGTs
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #22 on: February 04, 2014, 05:13:15 PM »

Finally had the time to finish the "IQ no limit" and map switch functions!! (3 complete maps)
Tested and working perfectly!!
So the "IQ no limit" function:
- disabled under 2700 rpm (component protection)
- popping the rev limiter to 5200 rpm
- activates via Cruise Control SET+RES
- diagnostic light flashes while active
- deactivates after 10 sec due to EGTs
And the map switch:
- 3 complete maps (with every switch\map\curve)
- can be changed while driving via CC SET & clutch
- current map visualized on the instrument cluster via rpm
   the first time SET is pressed and while selecting maps (3 sec timeout)
- configuration is saved (I'm adding this now)

Asap I'll upload a video and I'll start working on the Live Tuning function!!
Any other useful function suggestion is really appreciated!!
hash512 (Newbie, Karma: +0/-0, Posts: 1)
« Reply #23 on: February 22, 2014, 03:26:23 AM »

Hi ne0h,

are there any news about your amazing reversing work? (videos, IDA file, etc.)
Your posts rekindled my interest in this stuff!!

I have a lot of x86 reversing experience and some related to the ARM architecture (Nokia 3310),
and I would like to play with my Rover 75 with EDC15 DDE 4.0

Best regards
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #24 on: March 03, 2014, 03:53:22 AM »

Hi,
sorry but I'm really busy atm due to exams and some jobs...
Soon I'll finish my "EDC15 Project"...
I just have to do some tests to confirm everything is working properly, write a bit of documentation on this
and reorder the code, or I'm going to struggle understanding my own work in future.
« Last Edit: March 27, 2014, 03:32:16 PM by ne0h »
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #25 on: March 14, 2014, 04:02:47 AM »

Hi again,
finally had some time to make a little video of the map switch function.
Soon I'll make the "overboost" video.

Here the video: www.youtube.com/watch?v=t81zevGZieQ
john9357 (Full Member, Karma: +10/-1, Posts: 54)
« Reply #26 on: March 14, 2014, 02:32:00 PM »

Hi ne0h,
very very nice work!
Your work really interests me.
For months I have been disassembling my EDC15P without much result, and you succeeded in a short time!
Impressed!
I work on a French forum (my English is very bad) but few French guys know disassembling.
Are you using IDA or another software? IDA makes many errors in disassembling.
I hope one day you will share your work.
See you later.
ne0h (Newbie, Karma: +1/-0, Posts: 18)
« Reply #27 on: March 15, 2014, 06:19:25 AM »

Hi,
I'm using IDA to disassemble and for me it's the best so far...
Probably the errors are related to "wrong" DPP settings, but there's no way IDA could resolve the addressing in the right way;
even with the right DPP settings some addressing errors are quite normal, considering that all the procedures are called from a table.

Regarding disassembly, my suggestion is to start reversing from something known or easy to find, usually some kind of output, but this isn't the case here,
so I've started from the known variable IDs found in the EDC15 software doc...

About sharing the work, I'm not really keen to distribute the sources, but only because I'm pretty sure they will not be used in the right way.

Also, I'm trying to build a work around this, but it's really difficult as there are no good tuners around here and (I hope you will not misunderstand what I'm saying) having analysed the local tuners' work I'll probably end up "teaching" more than "learning", and that's not what I'm after.

Best regards
« Last Edit: March 27, 2014, 03:28:51 PM by ne0h »
john9357 (Full Member, Karma: +10/-1, Posts: 54)
« Reply #28 on: March 15, 2014, 03:19:21 PM »

Is this a good way of locating the map?
« Last Edit: March 15, 2014, 03:21:26 PM by john9357 »
john9357 (Full Member, Karma: +10/-1, Posts: 54)
« Reply #29 on: March 16, 2014, 04:04:03 PM »

For the 4D SOI?