Author Topic: Logging with KWP-2000 protocol  (Read 144879 times)
R32Dude
« Reply #90 on: July 08, 2021, 05:06:45 AM »

Awesome Blazius, thanks for checking! I borrowed a 64-bit Win 7 PC to test it myself but EcuXplot only worked once and now shows the circular watchglass no matter whose csv I download from here. Weird.

I'm all done... I think. Did the last of the coding today. Works in the car, tested 40 mins of logging, can be paused at the touch of the spacebar, doesn't care when disconnected briefly, reconnects by pressing a key if a big disconnection occurs (neither actually occurred during testing), doesn't overwrite files and on the bench logged over 1 million reads of 40 variables no problem (except Excel couldn't handle all the data). I tested it with XP, Win7 32 & 64 and Win10 64.

The R32Logger will soon be uploaded, all thanks mostly to the info on this thread - all of those legends present and past who posted the vital info.
R32Logger does all I need for playing with the motor, but I decided to share it for those hobbyists in the future who want to put turbos on their BUB motors.
Hopefully it will work on other ST10s too but there are no guarantees.
As requested by Nyet it's got provisions for testing on C167s, with slow init only. It might work on others too as long as they are little endian.
Main problem is that there is no Me7Info.exe for the ST10. I'm not man enough to tackle that job. Luckily Gremlin posted some files with the A2L for my ECU in them so I don't need such a program. Alternatively, someone could easily add blocks to the code, instead of RAM variables, so it becomes like a better VCDS if they really want.

BlackT
« Reply #91 on: July 08, 2021, 05:29:19 AM »

Great work man :D :D Well done

nyet
« Reply #92 on: July 08, 2021, 03:20:26 PM »

fantastic, great work!

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex

nyet
« Reply #93 on: July 08, 2021, 03:22:35 PM »

> Main problem is that there is no Me7Info.exe for the ST10.

You might start with 360trev's swissarmyknife tools (don't have the link handy)

360trev
« Reply #94 on: July 17, 2021, 05:26:34 AM »

Just catching up on this now. Nice job!

I can auto-detect tonnes of variables and maps now in most ME7.x firmwares. Let me know the ones you want and give me links to the bin files and I'll see what my latest version pulls. It can even instrument all the KWP2000 functions in a rom and pull out all of the LocalIdentifier table entries if they are present.

e.g.

ReadDataByLocalIdentifier() : 0x21 @ 037570
Address of subfunc() : 0x00838204 : seg=0x020C)

SEGC            @ ROM:0X838204 RAM:0X2706224 File-Offset:0X38204 (seg=0x020C [segadr=0x830000] val=0x8204)
Searching for 'XXXXxxxxXXXXxxxxF0xx5c2x20xx5c1x00xxdcxxa9xx'...
1) found reference to sig @ byte_offset=0x3825c
2) found reference to sig @ byte_offset=0x384be
Matches=2

The offset we care about is: 0x3825C segm: 0x206 valu: 0x2C54
LIT             @ ROM:0X81AC54 RAM:0X26E8C74 File-Offset:0X1AC54 (seg=0x0206 [segadr=0x818000] val=0x2C54)

--
        Idx: 0x2F addr: 0x00F27A entryType: 0x0208      nmot_w     ; engine speed                                                   : Location: Memory        Type: Data
        Idx: 0x32 addr: 0x00F32C entryType: 0x0208      ml_w       ; filtered air mass flow                                         : Location: Memory        Type: Data
        Idx: 0x34 addr: 0x381B50 entryType: 0x0208      ti_w       ; injector                                                       : Location: Memory        Type: Data
        Idx: 0x35 addr: 0x00F330 entryType: 0x0208      rl_w       ; relative air charge                                            : Location: Memory        Type: Data
        Idx: 0x36 addr: 0x00F2A6 entryType: 0x0208      wdkba_w    ; throttle angle                                                 : Location: Memory        Type: Data
        Idx: 0x37 addr: 0x813532 entryType: 0x0108      mshfm_w    ; mass air-flow HFM                                              : Location: Calibration   Type: Data
        Idx: 0x39 addr: 0x380E66 entryType: 0x0208      vfzg_w     ; vehicle speed                                                  : Location: Memory        Type: Data
        Idx: 0x3A addr: 0x813534 entryType: 0x0208      usvkk_w    ; primary O2 Lambda probe LSU voltage (corrected)                : Location: Memory        Type: Data
        Idx: 0x3B addr: 0x381964 entryType: 0x0208      ushk_w     ; primary O2 Lambda probe voltage                                : Location: Memory        Type: Data
        Idx: 0x3C addr: 0x813532 entryType: 0x0108      nsol_w     ; idle setpoint speed                                            : Location: Calibration   Type: Data
        Idx: 0x3E addr: 0x381B8E entryType: 0x0208      tvu_w      ; battery voltage                                                : Location: Memory        Type: Data
        Idx: 0x3F addr: 0x380ECA entryType: 0x0208      upwg1_w    ; throttle pedal voltage PWG potentiometer 1                     : Location: Memory        Type: Data
        Idx: 0x40 addr: 0x380ECC entryType: 0x0208      upwg2_w    ; throttle pedal voltage PWG potentiometer 2                     : Location: Memory        Type: Data
        Idx: 0x41 addr: 0x3819C6 entryType: 0x0208      wped_w     ; normalized angle acceleration pedal                            : Location: Memory        Type: Data
        Idx: 0x42 addr: 0x381E32 entryType: 0x0208      fr_w       ; lambda controller output                                       : Location: Memory        Type: Data
        Idx: 0x43 addr: 0x384EA4 entryType: 0x0208      frao_w     ; multipl. mixture adaptation factor higher load                 : Location: Memory        Type: Data
        Idx: 0x44 addr: 0x384EAC entryType: 0x0208      frau_w     ; multipl. mixture adaptation factor of the lower mult. section  : Location: Memory        Type: Data
        Idx: 0x45 addr: 0x381B78 entryType: 0x0208      fra_w      ; multiplicative mixture adaptation factor                       : Location: Memory        Type: Data
        Idx: 0x46 addr: 0x384EB2 entryType: 0x0208      rkat_w     ; additive correction (per time) of the mixture adaptation       : Location: Memory        Type: Data
        Idx: 0x47 addr: 0x38185E entryType: 0x0208      rkaz_w     ; additive correction (per ignition) of the mixture adaptation   : Location: Memory        Type: Data
        Idx: 0x48 addr: 0x381B7A entryType: 0x0208      rka_w      ; additive adaptive correction of the relative fuel amount       : Location: Memory        Type: Data
        Idx: 0x4B addr: 0x384F68 entryType: 0x0208      dmvad_w    ; delta motor torque from loss torque adaptation                 : Location: Memory        Type: Data
        Idx: 0x4C addr: 0x381D7A entryType: 0x0208      mdverl_w   ; resistant torque of the engine                                 : Location: Memory        Type: Data
        Idx: 0x4D addr: 0x384E5E entryType: 0x0208      fho_w      ; correction factor: altitude                                    : Location: Memory        Type: Data
        Idx: 0x4F addr: 0x384E6C entryType: 0x0208      pu_w       ; ambient pressure                                               : Location: Memory        Type: Data
        Idx: 0x50 addr: 0x38211A entryType: 0x0208      lamsoni_w  ; lambda actual value                                            : Location: Memory        Type: Data
        Idx: 0x51 addr: 0x382190 entryType: 0x0208      lamsons_w  ; required lambda referred to lambda sensor fitting location     : Location: Memory        Type: Data
        Idx: 0x52 addr: 0x384FA0 entryType: 0x0208      lamsonh_w  ; pseudo lambda actual value measured w/nernst probe behind cat  : Location: Memory        Type: Data
        Idx: 0x53 addr: 0x384F9E entryType: 0x0208      lamsolh_w  ; pseudo lambda setpoint behind cat                              : Location: Memory        Type: Data
        Idx: 0x54 addr: 0x382078 entryType: 0x0208      wnkwas_w   ; Angle of camshaft to crankshaft in the working cycle           : Location: Memory        Type: Data
        Idx: 0x55 addr: 0x381F66 entryType: 0x0208      wnwue_w    ; camshaft overlap angle of inlet and outlet valve opening       : Location: Memory        Type: Data
        Idx: 0x58 addr: 0x380ED2 entryType: 0x0208      msdk_w     ; air-mass flow through throttle valve                           : Location: Memory        Type: Data
        Idx: 0x59 addr: 0x00F388 entryType: 0x0208      dlahi_w    ; I-portion of the LRSHK                                         : Location: Memory        Type: Data
        Idx: 0x5A addr: 0x381D80 entryType: 0x0208      miist_w    ; indexed engine torque high pressure phase actual value         : Location: Memory        Type: Data
        Idx: 0x5B addr: 0x381D1E entryType: 0x0208      mifa_w     ; indexed engine torque driver request                           : Location: Memory        Type: Data
        Idx: 0x5C addr: 0x381D38 entryType: 0x0208      mrfa_w     ; relative driver request torque from FGR and pedal              : Location: Memory        Type: Data
        Idx: 0x5D addr: 0x381D70 entryType: 0x0208      miopt_w    ; optimal indexed moment                                         : Location: Memory        Type: Data
        Idx: 0x5F addr: 0x813532 entryType: 0x0108      mizsol_w   ; indexed resulting target torque for ZW intervention            : Location: Calibration   Type: Data
        Idx: 0x62 addr: 0x813532 entryType: 0x0108      mimax_w    ; maximum achievable indexed moment                              : Location: Calibration   Type: Data
        Idx: 0x64 addr: 0x380EE8 entryType: 0x0208      miasrs_w   ; indexed engine target torque ASR (for rapid intervention)      : Location: Memory        Type: Data
        Idx: 0x65 addr: 0x380EE6 entryType: 0x0208      miasrl_w   ; indexed engine target torque ASR (for slow intervention)       : Location: Memory        Type: Data
        Idx: 0x66 addr: 0x380EF2 entryType: 0x0208      mimsr_w    ; indexed engine target torque MSR                               : Location: Memory        Type: Data
        Idx: 0x68 addr: 0x381B38 entryType: 0x0208      nskup_w    ; target speed F1 gearbox (CAN signal)                           : Location: Memory        Type: Data
        Idx: 0x69 addr: 0x381CB8 entryType: 0x0208      dmar_w     ; delta torque anti-jerk                                         : Location: Memory        Type: Data
        Idx: 0x6A addr: 0x381C76 entryType: 0x0208      dmllri_w   ; desired torque change from the idle speed control (I-)         : Location: Memory        Type: Data
        Idx: 0x6B addr: 0x381C80 entryType: 0x0208      dmllr_w    ; desired torque change from the idle speed control (PD-part)    : Location: Memory        Type: Data
        Idx: 0x6E addr: 0x385056 entryType: 0x0208      ftead_w    ; charcoal canister charge                                       : Location: Memory        Type: Data
        Idx: 0x6F addr: 0x384654 entryType: 0x0208      msndko_w   ; norm leakage air mass flow through throttle blade              : Location: Memory        Type: Data
        Idx: 0x74 addr: 0x83738A entryType: 0x0248      DCLA_TriggerEvent1()                                                        : Location: Firmware      Type: Function
        Idx: 0x75 addr: 0x837418 entryType: 0x0248      DCLA_TriggerEvent2()                                                        : Location: Firmware      Type: Function
        Idx: 0x76 addr: 0x837466 entryType: 0x0248      DCLA_TriggerEvent3()                                                        : Location: Firmware      Type: Function
.. etc..

360trev
« Reply #95 on: July 17, 2021, 05:28:14 AM »

Obviously this LIT dump varies from firmware to firmware as the LIT table is optional by manufacturer and not all ME7s have it present.

R32Dude
« Reply #96 on: July 17, 2021, 06:02:11 AM »

Hi Trev!

Give this a go please.

Cheers.

360trev
« Reply #97 on: July 17, 2021, 07:35:47 AM »

> Hi Trev!
>
> Give this a go please.
>
> Cheers.

Ahhh, it's an ST10 dump. I didn't see that. First time I've ever even looked at a rom file. They are still based on the same C16x instruction set but very different composition. I will take a look and update my model to support ST10s too.

Succeded loading romfile #1 (0x100000 bytes).

SHA-256 of romfile #1: 6eaf0ab3c17dd1b27299a41ea0d5f22bba32072b43f9e5413559fa25330c8351
Loaded Primary ROM in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]

Searching for DPPx 'e600xxxxe601xxxxe602xxxxe603xxxx'...
1) found reference to sig @ byte_offset=0xe230

dpp0: (seg: 0x023f phy:0x008fc000) calibration data segment 0, constants
dpp1: (seg: 0x003c phy:0x000f0000) calibration data segment 1, constants
dpp2: (seg: 0x00e0 phy:0x00380000) external RAM
dpp3: (seg: 0x0003 phy:0x0000c000) Int. RAM, XRAM, SFR

Note: dpp3 is always 3, otherwise accessing Int. RAM, XRAM, SFR is not possible

-[ EEPROM Analysis ]-----------------------------------------------------------------

>>> Scanning for basic EEPROM extraction parameters
EEPROM Number of Pages: 128 (2048 Bytes)
EEPROM Chip Select Pin: P6.3

-[ Basic Firmware information (Primary ROM) ]-----------------------------------

>>> Scanning for BOOT ROM Version String [info]
Not found
>>> Scanning for ROM String Table Byte Sequence #1 [info]---------[ ROM #1 ]----------------------


-[ Free Space Analysis ]-----------------------------------

Searching for free space in firmware...

 1) Unused bytes @ 0x003908 - 0x004000 : length    1,784 (0x6F8   ) bytes
 2) Unused bytes @ 0x005786 - 0x00C000 : length   26,746 (0x687A  ) bytes
 3) Unused bytes @ 0x00D024 - 0x00E000 : length    4,060 (0xFDC   ) bytes
 4) Unused bytes @ 0x034F6C - 0x0DFFFA : length  700,558 (0xAB08E ) bytes
 5) Unused bytes @ 0x0F4722 - 0x0FB508 : length   28,134 (0x6DE6  ) bytes
 6) Unused bytes @ 0x0FF4D3 - 0x0FFFFE : length    2,859 (0xB2B   ) bytes

Discovered 764,141 bytes (746.0 KBytes) unused in firmware [72.9%].

Largest free chunk region : 0x34F6C, length  700,558 bytes.

--


So your firmware has a whopping 73% unused space, that's quite some record! :)

R32Dude
« Reply #98 on: July 17, 2021, 07:58:25 AM »

Would the MCP be of any use? It's about 832k. Not sure how much of that is actually code.

360trev
« Reply #99 on: July 17, 2021, 08:45:41 AM »

> Would the MCP be of any use? It's about 832k. Not sure how much of that is actually code.

Ahh.. so is this not the full dump? Send the full set of files and I will see what it can do. On standard C167 based firmwares it can even analyze EEPROMs and find the checksum functions and GPIO pins, etc. As for ST10s, well, it's a different skew built with different toolchains, etc. I'm guessing I'm going to need to teach it some new smarts and treat it like my support for PPC and Tricore that I'm currently building preliminary support for.

R32Dude
« Reply #100 on: July 18, 2021, 01:45:40 AM »

It's the full dump of the 29F800 flash that you get from a tool like galletto, and has all the maps just like the others do.
But the ST10 has stacks of other code that you need more specialized tools to extract, like MPPS or ST10 flasher.
From memory at least 3/4 of that 832kB has code in it. I know very little about processors but I'd be very interested to know what is in that code and why it needs that much of it, when the C16x seems to get away with just a tiny amount.
I will post the MCP in about 18 hours as I have it on another computer.

R32Dude
« Reply #101 on: July 18, 2021, 08:11:55 PM »

Here it is.
The first 32kB of the file go into the memory area 0-$8000 of the ST10.
The rest of the file is from $18000.
« Last Edit: July 19, 2021, 03:54:41 AM by R32Dude »

prj
« Reply #102 on: July 19, 2021, 02:44:52 AM »

The intflash has the majority of important stuff in it. Almost all of it is code. That's why most of the flash is empty.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches

360trev
« Reply #103 on: July 19, 2021, 05:16:50 AM »

> The intflash has the majority of important stuff in it. Almost all of it is code. That's why most of the flash is empty.

Yes thanks Prj, I can see that. Including even the vector table!

Q. Do you have a good memory map layout document for ST10s to hand so I can virtualize the references easily into my own built disassembler? If not don't worry, I will work it out..
« Last Edit: July 19, 2021, 05:18:46 AM by 360trev »

prj
« Reply #104 on: July 19, 2021, 05:39:07 AM »

Code:
import idc  # IDAPython, old (pre-IDA 7) idc function names kept as posted

def makesegmentsST():
    # Create and name the ST10 memory regions in the IDA database.
    idc.AddSeg(0xE000, 0xE800, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0xE000, "XRAM0")
    idc.AddSeg(0xF600, 0xFE00, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0xF600, "IRAM")
    idc.AddSeg(0xFE00, 0x10000, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0xFE00, "SFR")
    # AddSeg is commented out as posted: only the rename is applied, so the
    # segment at 0x10000 must already exist in the database.
    # idc.AddSeg(0x10000, 0xE0000, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0x10000, "INTFLASH")
    idc.AddSeg(0xE0000, 0x100000, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0xE0000, "XRAM1_IND")
    idc.AddSeg(0x380000, 0x390000, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0x380000, "XRAM1_DIR")
    # Same here: the segment at 0x800000 must already exist.
    # idc.AddSeg(0x800000, 0x900000, 0, 0, 0, idc.scPub)
    idc.RenameSeg(0x800000, "EXTFLASH")
    return

Code:
import idc

def setdppST():
    # Default DPP0-DPP3 values for the segment containing each address, so
    # that DPP-relative data references resolve to the right 16 KB page.
    idc.SetSegDefReg(0x0000, "dpp0", 0x23F)
    idc.SetSegDefReg(0x0000, "dpp1", 0x3C)
    idc.SetSegDefReg(0x0000, "dpp2", 0xE0)
    idc.SetSegDefReg(0x0000, "dpp3", 0x03)

    # INTFLASH
    idc.SetSegDefReg(0x10000, "dpp0", 0x23F)
    idc.SetSegDefReg(0x10000, "dpp1", 0x3C)
    idc.SetSegDefReg(0x10000, "dpp2", 0xE0)
    idc.SetSegDefReg(0x10000, "dpp3", 0x03)

    # EXTFLASH
    idc.SetSegDefReg(0x800000, "dpp0", 0x23F)
    idc.SetSegDefReg(0x800000, "dpp1", 0x3C)
    idc.SetSegDefReg(0x800000, "dpp2", 0xE0)
    idc.SetSegDefReg(0x800000, "dpp3", 0x03)
    return
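The DPP arithmetic behind the "DPPx Setup Analysis" output in reply #97 and the setdppST() values in reply #104, as an added example (not code from any poster and not 360trev's tool). The function names and the sample buffer are constructed for illustration; the byte signature and the four DPP values are the ones printed in the thread.

```python
import re
import struct

PAGE_SIZE = 0x4000  # C16x/ST10 data pages are 16 KB

# MOV reg, #data16 encodes as E6 <reg> <imm16, little-endian>; reg 00..03 = DPP0..DPP3.
# This is the byte pattern 'e600xxxxe601xxxxe602xxxxe603xxxx' from the tool output.
DPP_SETUP = re.compile(
    rb"\xE6\x00(..)\xE6\x01(..)\xE6\x02(..)\xE6\x03(..)", re.DOTALL
)


def find_dpp_setups(rom):
    """Return [(file_offset, (dpp0, dpp1, dpp2, dpp3)), ...] for every match."""
    hits = []
    for m in DPP_SETUP.finditer(rom):
        # DPP registers hold a 10-bit page number.
        dpps = tuple(struct.unpack("<H", g)[0] & 0x3FF for g in m.groups())
        hits.append((m.start(), dpps))
    return hits


def page_base(dpp):
    """Physical base address of the 16 KB page selected by a DPP value."""
    return dpp * PAGE_SIZE


def resolve(addr16, dpps):
    """Translate a 16-bit data address to a physical address.

    Bits 15-14 select DPP0..DPP3, bits 13-0 are the offset inside the page.
    """
    return page_base(dpps[(addr16 >> 14) & 3]) + (addr16 & 0x3FFF)


def build_sample_rom():
    """Constructed 64 KB buffer: 0xFF filler plus one DPP setup sequence."""
    rom = bytearray(b"\xFF" * 0x10000)
    values = (0x023F, 0x003C, 0x00E0, 0x0003)  # DPP values printed in the thread
    seq = b"".join(b"\xE6" + bytes([n]) + struct.pack("<H", v)
                   for n, v in enumerate(values))
    rom[0xE230:0xE230 + len(seq)] = seq
    return bytes(rom)


if __name__ == "__main__":
    for offset, dpps in find_dpp_setups(build_sample_rom()):
        print("DPP setup @ file offset 0x%X" % offset)
        for n, dpp in enumerate(dpps):
            print("  dpp%d: seg=0x%04X phy=0x%08X" % (n, dpp, page_base(dpp)))
        for addr in (0x0010, 0x4010, 0x8E66, 0xF27A):  # constructed sample addresses
            print("  0x%04X -> 0x%06X" % (addr, resolve(addr, dpps)))
```

With dpp3 fixed at 3, addresses 0xC000-0xFFFF map to themselves, which is why the tool output notes that Int. RAM, XRAM and SFR access depends on it.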