Pages: [1] 2 3
Author Topic: RS6 C5 Gearbox TCU 4B0927156FB 0260002849  (Read 19316 times)
sweegie
Full Member
***

Karma: +10/-2
Offline Offline

Posts: 136


« on: January 08, 2013, 07:36:03 AM »

As per title.

Some maps defined & still very much work in progress.
Zip contains Binary, KP, CSV and OLS files.
Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #1 on: January 08, 2013, 12:29:47 PM »

As per title.

Some maps defined & still very much work in progress.
Zip contains Binary, KP, CSV and OLS files.

Fantastic.  I had found a few of those but got discouraged and turned my attention to a hardware solution for the mods I want to make (modifying current feedback to the control process to alter shift and TC parameters), but your work may help me get back on track with software mods.  What are you using?  IDA?  Mind sharing the parameters you use to set up?  I understand if not...
Logged
prj
Hero Member
*****

Karma: +315/-46
Offline Offline

Posts: 3711


« Reply #2 on: January 08, 2013, 12:53:35 PM »

You guys need to hook up an emu instead of the 29F800 in there...
Also I am unsure how checksumming works on this.
Logged
sweegie
Full Member
***

Karma: +10/-2
Offline Offline

Posts: 136


« Reply #3 on: January 09, 2013, 03:50:58 AM »

More than happy to share everything, but unfortunately it's not much at this stage... Not even tried loading this into IDA yet unfortunately - really just started looking at the structure of the file and maps... If I get anywhere with IDA, i will of course let you know. An emulator would indeed work wonders here, but its not something I have access to unfortunately. I believe EVC have a checksum module available (OLS816) but this isn't something I have access to either.  Undecided

@AARDQ - are you looking specifically at the RS6 gearbox?
Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #4 on: January 09, 2013, 10:13:09 AM »

More than happy to share everything, but unfortunately it's not much at this stage... Not even tried loading this into IDA yet unfortunately - really just started looking at the structure of the file and maps... If I get anywhere with IDA, i will of course let you know. An emulator would indeed work wonders here, but its not something I have access to unfortunately. I believe EVC have a checksum module available (OLS816) but this isn't something I have access to either.  Undecided

@AARDQ - are you looking specifically at the RS6 gearbox?

I, too, looked into emulators but given this is a one-off, and I may switch to an M6 if (when?) I blow up the Tip, I can't justify it at this point.

It seems like I'm getting OK results loading into IDA, and the programming actually seems fairly simple, but it looks like indirects are the name of the game, and I'm just not very good at this given it's my first foray into disassembly.  (I was wrong in the other thread about entry point and I will update it.  I may still be wrong, but what I wrote before definitely ain't it.)

My box is a run-of-the-mill 5HP19, not 24, and my TCU is an 4BO927156FE, but I'm hopeful that the programming is similar, if not identical. 

The table values (the one's I've looked at, anyway), seem to be final, whole numbers and not converted to avoid decimals as is the case w/ the ME7X.  It would be nice if ultimately true.  Like you, I don't have a clue as to what they mean yet, and that leads me to think that the PWM drivers may do more conversion.  Another big question I have is why I'm not seeing any TBL lookup instructions in the disassembly.  Direct table lookup is supposed to be a main reason for using a 6833X processor. 
Logged
sweegie
Full Member
***

Karma: +10/-2
Offline Offline

Posts: 136


« Reply #5 on: January 10, 2013, 03:25:31 PM »

Sounds like you're well ahead of me at the moment on the disassembly - if you'd be willing to share your settings, I'll have a look also. It's been a while since I worked in IDA though, but the rust may come off after a while.

Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #6 on: January 10, 2013, 04:12:41 PM »

Sounds like you're well ahead of me at the moment on the disassembly - if you'd be willing to share your settings, I'll have a look also. It's been a while since I worked in IDA though, but the rust may come off after a while.



No real idea if this is ultimately right!

processor either 68K (loads all instructions in the family) or 68330

check analysis options checkbox (there's a dialogue box pop-up; I think it's at this step)

Just ROM, default values (could be a problem!)
press 'd' for 'Data' x3 at address 0000h
'd' for Data x3 at address 0004h, points to 00412h

From Tool bar, Options, General, Analysis, Kernel 1 Options, check box Make Final Analysis Pass

Reanalyze Program

Does what seems to be a fairly complete job but gets tripped up in places, not unexpected given the nature of disassembly.


Logged
k0mpresd
Hero Member
*****

Karma: +138/-50
Offline Offline

Posts: 1641


« Reply #7 on: January 10, 2013, 04:26:24 PM »

this is fantastic except i just wish the maps had names.  Cheesy
Logged
ddillenger
Hero Member
*****

Karma: +618/-19
Offline Offline

Posts: 5647


« Reply #8 on: January 11, 2013, 12:39:27 AM »

Wonder where one could procure this.

http://www.amazon.de/Elektronische-Getriebesteuerung-EGS-Getriebeausf%C3%BChrungen-Steuerger%C3%A4teentwicklung/dp/3865220266
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
sweegie
Full Member
***

Karma: +10/-2
Offline Offline

Posts: 136


« Reply #9 on: January 13, 2013, 07:36:03 AM »

1 step forward 2 steps back...

itSh! My original file was byteswapped - no wonder IDA had issues trying to analyze it. I was beginning to think Bosch had used a little endian processor for my file, as nothing made sense with the Motorola settings. Decompiled nicely with your settings Aardq & looks very similar in structure to the file posted by K0mpresd.

Does anyone know if the ECU and TCU communicate via CAN? If so, i have some CAN tools that may be of use to capture what the TCU is transmitting. Maybe this would be a start at tracing things back to the code subroutines.

this is fantastic except i just wish the maps had names.  Cheesy

0x604AA (8x10) = Mavis
0x6523A (6x4) = Charlie

Still looking for "%PWM Drive to solenoid A" though Cheesy
Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #10 on: January 13, 2013, 11:37:45 AM »

Yes, they do communicate via CAN, both directions.  Load, throttle angle, kickdown switch, brake, velocity, etc. are all transmitted over CAN.  Very little info to the TCU comes directly from sensors (turbine speed, output speed, fluid temp, shifter position are about all, I think). Torque reduction requests are sent the other way, TCU to ECU.  The 68376 has a built-in CAN module (TouCan is the Motorola/Freescale trade name).



Logged
AudiMan85
Full Member
***

Karma: +19/-7
Offline Offline

Posts: 215



WWW
« Reply #11 on: January 29, 2013, 02:27:14 AM »

So it is not possible to flash the RS6 tcu to a A6 2.7t and would there be any benefit from this?
Logged

"Ride like I got a horse stable under my hood" ~ The Game - Too Much
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #12 on: February 02, 2013, 11:59:27 AM »

So it is not possible to flash the RS6 tcu to a A6 2.7t and would there be any benefit from this?

This is uncharted territory as far as I can tell.
Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #13 on: February 02, 2013, 06:46:33 PM »

For fun I played with the current signals by changing resistance of the shunts.  My particular issue was a torque converter that occasionally would throw the P0741 code (it's new so probably isn't faulty).  I decreased the resistance from 1 ohm to .8 ohms.  (The EDS valves run stock at up to 67% duty cycle so I feel comfortable upping to 75% or so.)  The controller therefore thinks it's working at less current than it actually is.

I also took line pressure up 20% by increasing the resistance for EDS 1 (EDS 1 is reverse-acting; lower current is more pressure.)  20% is probably a bit too much, 4-3 downshift as when slowing to a stop is a bit clunky.  I'll probably drop it back 10 +10%.

I really want to do this in code someday...



Getting too far afield for this forum category.  Starting a new thread in Reverse Engineering.
« Last Edit: February 03, 2013, 02:36:05 PM by AARDQ » Logged
AARDQ
Sr. Member
****

Karma: +10/-0
Offline Offline

Posts: 337


« Reply #14 on: February 06, 2013, 08:11:08 PM »


There's one available at present.  I've contacted the seller to see if they can ship to the USA (my address wouldn't take) but if someone over on that side of the pond wants to go for it, I won't be devastated.
Logged
Pages: [1] 2 3
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.026 seconds with 16 queries. (Pretty URLs adds 0s, 0q)