R32Dude
Full Member
Karma: +45/-10
 Offline
Posts: 248
|
 |
« Reply #90 on: July 08, 2021, 05:06:45 AM »
|
|
|
Awesome Blazius, thanks for checking! I borrowed a 64 bit win 7 pc to test it myself but EcuXplot only worked once and now shows the circular watchglass no matter who's csv I download from here. Weird.
I'm all done... I think. Did the last of the coding today. Works in the car, tested 40 mins of logging, can be paused at the touch of the spacebar, doesn't care when disconnected briefly, reconnects by pressing a key if a big disconnection occurs( neither actually occured during testing), doesn't overwrite files and on the bench logged over 1 million reads of 40 variables no problem (except excel couldn't handle all the data). I tested it with XP, Win7 32 & 64 and Win10 64.
The R32Logger will soon be uploaded, all thanks mostly to the info on this thread- all of those legends present and past who posted the vital info.
R32Logger does all I need for playing with the motor, but I decided to share it for those hobbyists in the future who want to put turbos on their BUB motors.
Hopefully it will work on other ST10s too but there are no guarantees.
As requested by Nyet its got provisions for testing on c167s, with slow init only. It might work on others too as long as they are little endian
Main problem is that there is no Me7Info.exe for the ST10. Im not man enough to tackle that job. Luckily Gremlin posted some files with the A2L for my ECU in them so I don't need such a program. alternatively, someone could easily add blocks to the code, instead of RAM variables so it becomes like a better VCDS if they really want.
|
|
|
|
|
Logged
|
|
|
|
|
BlackT
|
|
« Reply #91 on: July 08, 2021, 05:29:19 AM »
|
|
|
Great work man  Well done |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #92 on: July 08, 2021, 03:20:26 PM »
|
|
|
fantastic, great work!
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
nyet
|
|
« Reply #93 on: July 08, 2021, 03:22:35 PM »
|
|
|
Main problem is that there is no Me7Info.exe for the ST10.
You might start with 360trev's swissarmyknife tools (dont have the link handy) |
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #94 on: July 17, 2021, 05:26:34 AM »
|
|
|
Just catching up on this now.Nice Job!
I can auto-detect tonnes of variables and maps now in most ME7.x firmwares. Let me know the ones you want and give me links to the bin files and I'll see what my latest version pulls. It can even instrument all the KWP2000 functions in a rom and pull out all of the LocalIdentifier table entries if they are present..
e.g.
ReadDataByLocalIdentifier() : 0x21 @ 037570
Address of subfunc() : 0x00838204 : seg=0x020C)
SEGC @ ROM:0X838204 RAM:0X2706224 File-Offset:0X38204 (seg=0x020C [segadr=0x830000] val=0x8204)
Searching for 'XXXXxxxxXXXXxxxxF0xx5c2x20xx5c1x00xxdcxxa9xx'...
1) found reference to sig @ byte_offset=0x3825c
2) found reference to sig @ byte_offset=0x384be
Matches=2
The offset we care about is: 0x3825C segm: 0x206 valu: 0x2C54
LIT @ ROM:0X81AC54 RAM:0X26E8C74 File-Offset:0X1AC54 (seg=0x0206 [segadr=0x818000] val=0x2C54)
--
Idx: 0x2F addr: 0x00F27A entryType: 0x0208 nmot_w ; engine speed : Location: Memory Type: Data
Idx: 0x32 addr: 0x00F32C entryType: 0x0208 ml_w ; filtered air mass flow : Location: Memory Type: Data
Idx: 0x34 addr: 0x381B50 entryType: 0x0208 ti_w ; injector : Location: Memory Type: Data
Idx: 0x35 addr: 0x00F330 entryType: 0x0208 rl_w ; relative air charge : Location: Memory Type: Data
Idx: 0x36 addr: 0x00F2A6 entryType: 0x0208 wdkba_w ; throttle angle : Location: Memory Type: Data
Idx: 0x37 addr: 0x813532 entryType: 0x0108 mshfm_w ; mass air-flow HFM : Location: Calibration Type: Data
Idx: 0x39 addr: 0x380E66 entryType: 0x0208 vfzg_w ; vehicle speed : Location: Memory Type: Data
Idx: 0x3A addr: 0x813534 entryType: 0x0208 usvkk_w ; primary O2 Lambda probe LSU voltage (corrected) : Location: Memory Type: Data
Idx: 0x3B addr: 0x381964 entryType: 0x0208 ushk_w ; primary O2 Lambda probe voltage : Location: Memory Type: Data
Idx: 0x3C addr: 0x813532 entryType: 0x0108 nsol_w ; idle setpoint speed : Location: Calibration Type: Data
Idx: 0x3E addr: 0x381B8E entryType: 0x0208 tvu_w ; battery voltage : Location: Memory Type: Data
Idx: 0x3F addr: 0x380ECA entryType: 0x0208 upwg1_w ; throttle pedal voltage PWG potentiometer 1 : Location: Memory Type: Data
Idx: 0x40 addr: 0x380ECC entryType: 0x0208 upwg2_w ; throttle pedal voltage PWG potentiometer 2 : Location: Memory Type: Data
Idx: 0x41 addr: 0x3819C6 entryType: 0x0208 wped_w ; normalized angle acceleration pedal : Location: Memory Type: Data
Idx: 0x42 addr: 0x381E32 entryType: 0x0208 fr_w ; lambda controller output : Location: Memory Type: Data
Idx: 0x43 addr: 0x384EA4 entryType: 0x0208 frao_w ; multipl. mixture adaptation factor higher load : Location: Memory Type: Data
Idx: 0x44 addr: 0x384EAC entryType: 0x0208 frau_w ; multipl. mixture adaptation factor of the lower mult. section : Location: Memory Type: Data
Idx: 0x45 addr: 0x381B78 entryType: 0x0208 fra_w ; multiplicative mixture adaptation factor : Location: Memory Type: Data
Idx: 0x46 addr: 0x384EB2 entryType: 0x0208 rkat_w ; additive correction (per time) of the mixture adaptation : Location: Memory Type: Data
Idx: 0x47 addr: 0x38185E entryType: 0x0208 rkaz_w ; additive correction (per ignition) of the mixture adaptation : Location: Memory Type: Data
Idx: 0x48 addr: 0x381B7A entryType: 0x0208 rka_w ; additive adaptive correction of the relative fuel amount : Location: Memory Type: Data
Idx: 0x4B addr: 0x384F68 entryType: 0x0208 dmvad_w ; delta motor torque from loss torque adaptation : Location: Memory Type: Data
Idx: 0x4C addr: 0x381D7A entryType: 0x0208 mdverl_w ; resistant torque of the engine : Location: Memory Type: Data
Idx: 0x4D addr: 0x384E5E entryType: 0x0208 fho_w ; correction factor: altitude : Location: Memory Type: Data
Idx: 0x4F addr: 0x384E6C entryType: 0x0208 pu_w ; ambient pressure : Location: Memory Type: Data
Idx: 0x50 addr: 0x38211A entryType: 0x0208 lamsoni_w ; lambda actual value : Location: Memory Type: Data
Idx: 0x51 addr: 0x382190 entryType: 0x0208 lamsons_w ; required lambda referred to lambda sensor fitting location : Location: Memory Type: Data
Idx: 0x52 addr: 0x384FA0 entryType: 0x0208 lamsonh_w ; pseudo lambda actual value measured w/nernst probe behind cat : Location: Memory Type: Data
Idx: 0x53 addr: 0x384F9E entryType: 0x0208 lamsolh_w ; pseudo lambda setpoint behind cat : Location: Memory Type: Data
Idx: 0x54 addr: 0x382078 entryType: 0x0208 wnkwas_w ; Angle of camshaft to crankshaft in the working cycle : Location: Memory Type: Data
Idx: 0x55 addr: 0x381F66 entryType: 0x0208 wnwue_w ; camshaft overlap angle of inlet and outlet valve opening : Location: Memory Type: Data
Idx: 0x58 addr: 0x380ED2 entryType: 0x0208 msdk_w ; air-mass flow through throttle valve : Location: Memory Type: Data
Idx: 0x59 addr: 0x00F388 entryType: 0x0208 dlahi_w ; I-portion of the LRSHK : Location: Memory Type: Data
Idx: 0x5A addr: 0x381D80 entryType: 0x0208 miist_w ; indexed engine torque high pressure phase actual value : Location: Memory Type: Data
Idx: 0x5B addr: 0x381D1E entryType: 0x0208 mifa_w ; indexed engine torque driver request : Location: Memory Type: Data
Idx: 0x5C addr: 0x381D38 entryType: 0x0208 mrfa_w ; relative driver request torque from FGR and pedal : Location: Memory Type: Data
Idx: 0x5D addr: 0x381D70 entryType: 0x0208 miopt_w ; optimal indexed moment : Location: Memory Type: Data
Idx: 0x5F addr: 0x813532 entryType: 0x0108 mizsol_w ; indexed resulting target torque for ZW intervention : Location: Calibration Type: Data
Idx: 0x62 addr: 0x813532 entryType: 0x0108 mimax_w ; maximum achievable indexed moment : Location: Calibration Type: Data
Idx: 0x64 addr: 0x380EE8 entryType: 0x0208 miasrs_w ; indexed engine target torque ASR (for rapid intervention) : Location: Memory Type: Data
Idx: 0x65 addr: 0x380EE6 entryType: 0x0208 miasrl_w ; indexed engine target torque ASR (for slow intervention) : Location: Memory Type: Data
Idx: 0x66 addr: 0x380EF2 entryType: 0x0208 mimsr_w ; indexed engine target torque MSR : Location: Memory Type: Data
Idx: 0x68 addr: 0x381B38 entryType: 0x0208 nskup_w ; target speed F1 gearbox (CAN signal) : Location: Memory Type: Data
Idx: 0x69 addr: 0x381CB8 entryType: 0x0208 dmar_w ; delta torque anti-jerk : Location: Memory Type: Data
Idx: 0x6A addr: 0x381C76 entryType: 0x0208 dmllri_w ; desired torque change from the idle speed control (I-) : Location: Memory Type: Data
Idx: 0x6B addr: 0x381C80 entryType: 0x0208 dmllr_w ; desired torque change from the idle speed control (PD-part) : Location: Memory Type: Data
Idx: 0x6E addr: 0x385056 entryType: 0x0208 ftead_w ; charcoal canister charge : Location: Memory Type: Data
Idx: 0x6F addr: 0x384654 entryType: 0x0208 msndko_w ; norm leakage air mass flow through throttle blade : Location: Memory Type: Data
Idx: 0x74 addr: 0x83738A entryType: 0x0248 DCLA_TriggerEvent1() : Location: Firmware Type: Function
Idx: 0x75 addr: 0x837418 entryType: 0x0248 DCLA_TriggerEvent2() : Location: Firmware Type: Function
Idx: 0x76 addr: 0x837466 entryType: 0x0248 DCLA_TriggerEvent3() : Location: Firmware Type: Function
.. etc..
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #95 on: July 17, 2021, 05:28:14 AM »
|
|
|
Obviously this LIT dump varies from firmware to firmware as the LIT table is optional by manufacturer and not all ME7's have it present.
|
|
|
|
|
Logged
|
|
|
|
R32Dude
Full Member
Karma: +45/-10
Offline
Posts: 248
|
|
« Reply #96 on: July 17, 2021, 06:02:11 AM »
|
|
|
Hi Trev!
Give this a go please.
Cheers.
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #97 on: July 17, 2021, 07:35:47 AM »
|
|
|
Hi Trev!
Give this a go please.
Cheers.
Ahhh Its an ST10 dump. I didn't see that. First time I've ever even looked at a rom file. They are still based on the same C16x instruction set but very different composition. I will take a look and update my model to support ST10's too.
Succeded loading romfile #1 (0x100000 bytes).
SHA-256 of romfile #1: 6eaf0ab3c17dd1b27299a41ea0d5f22bba32072b43f9e5413559fa25330c8351
Loaded Primary ROM in 1Mb Mode
-[ DPPx Setup Analysis ]-----------------------------------------------------------------
>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
Searching for DPPx 'e600xxxxe601xxxxe602xxxxe603xxxx'...
1) found reference to sig @ byte_offset=0xe230
dpp0: (seg: 0x023f phy:0x008fc000) calibration data segment 0, constants
dpp1: (seg: 0x003c phy:0x000f0000) calibration data segment 1, constants
dpp2: (seg: 0x00e0 phy:0x00380000) external RAM
dpp3: (seg: 0x0003 phy:0x0000c000) Int. RAM, XRAM, SFR
Note: dpp3 is always 3, otherwise accessing Int. RAM, XRAM, SFR is not possible
-[ EEPROM Analysis ]-----------------------------------------------------------------
>>> Scanning for basic EEPROM extraction parameters
EEPROM Number of Pages: 128 (2048 Bytes)
EEPROM Chip Select Pin: P6.3
-[ Basic Firmware information (Primary ROM) ]-----------------------------------
>>> Scanning for BOOT ROM Version String [info]
Not found
>>> Scanning for ROM String Table Byte Sequence #1 [info]---------[ ROM #1 ]----------------------
-[ Free Space Analysis ]-----------------------------------
Searching for free space in firmware...
1) Unused bytes @ 0x003908 - 0x004000 : length 1,784 (0x6F8 ) bytes
2) Unused bytes @ 0x005786 - 0x00C000 : length 26,746 (0x687A ) bytes
3) Unused bytes @ 0x00D024 - 0x00E000 : length 4,060 (0xFDC ) bytes
4) Unused bytes @ 0x034F6C - 0x0DFFFA : length 700,558 (0xAB08E ) bytes
5) Unused bytes @ 0x0F4722 - 0x0FB508 : length 28,134 (0x6DE6 ) bytes
6) Unused bytes @ 0x0FF4D3 - 0x0FFFFE : length 2,859 (0xB2B ) bytes
Discovered 764,141 bytes (746.0 KBytes) unused in firmware [72.9%].
Largest free chunk region : 0x34F6C, length 700,558 bytes.
--So your firmware has a whopping 73% unused space, that's quite some record !  |
|
|
|
|
Logged
|
|
|
|
R32Dude
Full Member
Karma: +45/-10
Offline
Posts: 248
|
|
« Reply #98 on: July 17, 2021, 07:58:25 AM »
|
|
|
Would the MCP be of any use? Its about 832k. Not sure how much of that is actually code.
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #99 on: July 17, 2021, 08:45:41 AM »
|
|
|
Would the MCP be of any use? Its about 832k. Not sure how much of that is actually code.
Ahh.. so is this not the full dump? Send the full set of files and I will see what it can do. On standard C167 based firmwares it can even analyze eeprom's and find the checksum functions and gpio pins, etc. As for ST10's well its a different skew built with different toolchains, etc. I'm guessing I'm going to need to teach it some new smarts and treat it like my support for PPC and Tricore that I'm currently building preliminary support for. |
|
|
|
|
Logged
|
|
|
|
R32Dude
Full Member
Karma: +45/-10
Offline
Posts: 248
|
|
« Reply #100 on: July 18, 2021, 01:45:40 AM »
|
|
|
Its the full dump of the 29F800 flash that you get from a tool like galletto, and has all the maps just like the others do.
But the ST10 has stacks of other code that you need more specialized tools to extract, like MPPS or ST10 flasher.
From memory at least 3/4 of that 832kB has code in it. I know very little about processors but I'd be very interested to know what is in that code and why it needs that much of it, when the C16x seems to get away with just a tiny amount.
I will post the MCP in about 18 hours as I have it on another computer.
|
|
|
|
|
Logged
|
|
|
|
R32Dude
Full Member
Karma: +45/-10
Offline
Posts: 248
|
|
« Reply #101 on: July 18, 2021, 08:11:55 PM »
|
|
|
Here it is.
The first 32kB of the file go into the memory area 0-$8000 of the ST10
The rest of the file is from $18000 .
|
|
|
|
« Last Edit: July 19, 2021, 03:54:41 AM by R32Dude »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #102 on: July 19, 2021, 02:44:52 AM »
|
|
|
The intflash has the majority of important stuff in it. Almost all of it is code. That's why most of the flash is empty.
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #103 on: July 19, 2021, 05:16:50 AM »
|
|
|
The intflash has the majority of important stuff in it. Almost all of it is code. That's why most of the flash is empty.
Yes thanks Prj, I can see that. Including even the vector table ! Q. Do you have a good memory map layout document for ST10's to hand so I can virtualize the references easily into my own built dissassembler? If not don't worry I will work it out.. |
|
|
|
« Last Edit: July 19, 2021, 05:18:46 AM by 360trev »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #104 on: July 19, 2021, 05:39:07 AM »
|
|
|
def makesegmentsST():
idc.AddSeg(0xE000, 0xE800, 0, 0, 0, idc.scPub)
idc.RenameSeg(0xE000, "XRAM0")
idc.AddSeg(0xF600, 0xFE00, 0, 0, 0, idc.scPub)
idc.RenameSeg(0xF600, "IRAM")
idc.AddSeg(0xFE00, 0x10000, 0, 0, 0, idc.scPub)
idc.RenameSeg(0xFE00, "SFR")
# idc.AddSeg(0x10000, 0xE0000, 0, 0, 0, idc.scPub)
idc.RenameSeg(0x10000, "INTFLASH")
idc.AddSeg(0xE0000, 0x100000, 0, 0, 0, idc.scPub)
idc.RenameSeg(0xE0000, "XRAM1_IND")
idc.AddSeg(0x380000, 0x390000, 0, 0, 0, idc.scPub)
idc.RenameSeg(0x380000, "XRAM1_DIR")
# idc.AddSeg(0x800000, 0x900000, 0, 0, 0, idc.scPub)
idc.RenameSeg(0x800000, "EXTFLASH")
return def setdppST():
idc.SetSegDefReg(0x0000, "dpp0", 0x23F)
idc.SetSegDefReg(0x0000, "dpp1", 0x3C)
idc.SetSegDefReg(0x0000, "dpp2", 0xE0)
idc.SetSegDefReg(0x0000, "dpp3", 0x03)
idc.SetSegDefReg(0x10000, "dpp0", 0x23F)
idc.SetSegDefReg(0x10000, "dpp1", 0x3C)
idc.SetSegDefReg(0x10000, "dpp2", 0xE0)
idc.SetSegDefReg(0x10000, "dpp3", 0x03)
idc.SetSegDefReg(0x800000, "dpp0", 0x23F)
idc.SetSegDefReg(0x800000, "dpp1", 0x3C)
idc.SetSegDefReg(0x800000, "dpp2", 0xE0)
idc.SetSegDefReg(0x800000, "dpp3", 0x03)
return |
|
|
|
|
Logged
|
|
|
|
|
