|
prj
|
 |
« Reply #30 on: September 19, 2012, 10:19:01 AM »
|
|
|
Yeah just wanted to post that it's 10B78, and it is indeed AA FA like I thought. Before I saw your post  Cool, thanks for the assistance. |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #31 on: September 19, 2012, 10:40:55 AM »
|
|
|
try address 10B78
Mbox = 170 250 085 085 085 255 Description from Alfa FR: Pair of Bits: 1. Bit 2. Bit 0 0 Diagnosıs active with OBDII-malfunction storage with test of healing 0 1 Diagnosis active without OBDII-malfunction storage with test of healing 1 0 Diagnosis active without OBDII-Fehlerspeicherung without test of healing (-> EKP) 1 1 Diagnosis not active Full values:
AA - 10 10 10 10 - ZUE4 ZUE3 ZUE2 ZUE1
FA - 11 11 10 10 - ZUE8 ZUE7 ZUE6 ZUE5
55 - 01 01 01 01 - block is skipped
55 - 01 01 01 01 - block is skipped
55 - 01 01 01 01 - block is skippedI wonder if it does start at AA FF though. My guess is - it does not. Might easily start earlier etc. I bought a second ECU today to play with, I will install my emulator in it, and then have a go. The 7E EE after it is BFGRO... |
|
|
|
« Last Edit: September 19, 2012, 10:49:59 AM by prj »
|
Logged
|
|
|
|
|
elRey
|
|
« Reply #32 on: September 19, 2012, 11:04:01 AM »
|
|
|
It's very possible the address is 10B76 like you suggest.
243 255 170 085 085
about where exactly it turns off adaptation, here's my 'theory'
e_sls -> func DTEV -> b_dteenf -> b_dtezam -> b_dteaa -> func LRAEB -> b_gasp
b_gasp = 1 = disable adaptation
|
|
|
|
« Last Edit: September 19, 2012, 11:09:08 AM by elRey »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #33 on: September 19, 2012, 11:22:16 AM »
|
|
|
SY_CONFSL would disable it...
But yeah, that's a compile time flag.
So you are correct, there is no way to disable it without disabling it in ESKONF or an ASM hack.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #34 on: September 19, 2012, 11:25:25 AM »
|
|
|
It's very possible the address is 10B76 like you suggest.
243 255 170 085 085 It is presumably 7 bytes long, so F3 FF AA FA 55 55 55 or 243 255 170 250 085 085 085. The odd thing is that leaves only one location to try - 10B76 -> 0xFF. If that does not fix it, then it means the diagnosis for the valve is done differently on ME7.1 What I don't like is that there are no references in ASM to F3 FF in the 551K bin. Might be loaded differently for all I know, but there is a reference to 0xAA and the next block which has 0x55. |
|
|
|
« Last Edit: September 19, 2012, 11:33:16 AM by prj »
|
Logged
|
|
|
|
|
elRey
|
|
« Reply #35 on: September 19, 2012, 11:33:06 AM »
|
|
|
Looking at it again, I think it's @ 10B78.
170 = 10 10 10 10 (coils for 1-2 cyl)
250 = 11 11 10 10 (coils for 5-6 cyl)
|
|
|
|
|
Logged
|
|
|
|
|
elRey
|
|
« Reply #36 on: September 19, 2012, 11:36:33 AM »
|
|
|
I'll disassem to make sure. nm looks like you did already.
The older 7.3 doc looks like it starts with injectors (EV) = 00
Does your car use a ICM for coils? If so it wouldn't have ZUE which is what I'm basing 'starts with' my logic on.
|
|
|
|
« Last Edit: September 19, 2012, 11:41:20 AM by elRey »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #37 on: September 19, 2012, 11:43:27 AM »
|
|
|
I'll disassem to make sure. nm looks like you did already.
The older 7.3 doc looks like it starts with injectors (EV) = 00
Does your car use a ICM for coils? If so it wouldn't have ZUE which is what I'm basing 'starts with' my logic on.
You have two power output stages and then the coils are connected to them. There is no separate module, or well, at least I hope you are not referring to the POS-s as ICM-s as they are simple switches. I took a look at an ME7.5 binary and that has no references to the bytes after the ZUE config either which are picked up by IDA. So they are probably checked differently - loaded indirectly. I guess you could alt+t and look for #55h, and then go through all the code  I'll try FF-ing that first byte... and well I can FF all of it as well I guess to see if it is what is needed. |
|
|
|
« Last Edit: September 19, 2012, 11:45:45 AM by prj »
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #38 on: September 19, 2012, 02:25:10 PM »
|
|
|
It is presumably 7 bytes long, so F3 FF AA FA 55 55 55 or 243 255 170 250 085 085 085.
The odd thing is that leaves only one location to try - 10B76 -> 0xFF.
If that does not fix it, then it means the diagnosis for the valve is done differently on ME7.1
What I don't like is that there are no references in ASM to F3 FF in the 551K bin. Might be loaded differently for all I know, but there is a reference to 0xAA and the next block which has 0x55.
I found the same in the M box. Different location, but the exact same results. Same two bytes had a direct reference and I didn't see any promising indirect references. I only took a brief look because I only had a few minutes. I will look a little deeper later when I get the chance. |
|
|
|
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #39 on: September 19, 2012, 06:51:50 PM »
|
|
|
It looks like it is referenced with an offset from 10C75 in the M box.
i.e. movb rl5, [r4+byte_810C75]
|
|
|
|
|
Logged
|
|
|
|
|
elRey
|
|
« Reply #40 on: September 19, 2012, 08:16:55 PM »
|
|
|
function DECJ on Mbox @ 04EB88
But is ESKONF is indeed @ 10C75, that doesn't align with the fact that 10C7D is referenced similar to an 032HS file for ZUE.
|
|
|
|
« Last Edit: September 19, 2012, 08:22:08 PM by elRey »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #41 on: September 20, 2012, 01:23:35 AM »
|
|
|
Changing 10B76 did nothing for me as expected.
The ZUE diagnosis is for sure 10B78, 10B79 because the routine that references is exact the same as in a 1.8T file I checked.
I am talking about 551K here.
M-Box is 10C7D indeed.
Assuming this would make it 0x10B70 for 551K:
00 C0 EF FC 0C 00 F3 FF AA FA 55 55 55
And 0x10C75 for 551M:
00 FC E3 FF 3C 00 F3 FF AA FA 55 55 55
Looks quite different to me.
I will try to rig up my emulator today and I will just FF the entire region...
|
|
|
|
« Last Edit: September 20, 2012, 01:30:44 AM by prj »
|
Logged
|
|
|
|
|
matchew
|
|
« Reply #42 on: September 20, 2012, 07:00:25 AM »
|
|
|
E_sls doesnt effect B_dteenf on 551K
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #43 on: September 20, 2012, 08:04:29 AM »
|
|
|
E_sls doesnt effect B_dteenf on 551K Oh... then I am wasting my time. I never bothered to check if the fuel trims are learning or not. Thank you matchew. |
|
|
|
|
Logged
|
|
|
|
|
professor
|
|
« Reply #44 on: October 05, 2012, 02:10:56 AM »
|
|
|
Trying to clarify the ESKONF parameters i end up to the following results:
ES-Blocks: 0 1 2 3 4 5 6
Amplifiers: 170 255 0 48 255 248 48 (the example of ESKONF is from 032HN)
We are interested for blocks 5 & 6 where amplifiers of SLP & SLV are checked for working status.
00 is active, 01 is skipped (bin format).
Those are original values from documentation for 1.8L 5V turbo:
5 | NC | NC | ERP 65 | SLP 66 | 11 11 11 10 = 251
6 | ULT 105 | EEGR 114 | SLV 9 | NWS 115 | 11 00 11 00 = 204
If i am correct, values of amplifiers from box to box are different.
How can i find the block bin sequence or to be more precise the bin value of its amplifier?
|
|
|
|
« Last Edit: October 05, 2012, 02:14:05 AM by professor »
|
Logged
|
Seat Ibiza MK4 Cupra 1.8t 20V, stg3.
"Those 1.8T 20V machines are really tough" ©
|
|
|
|
