Pages: 1 ... 133 134 [135] 136 137 ... 182
Author Topic: The Volvo ME7 thread:  (Read 1076715 times)
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2010 on: January 02, 2023, 04:01:13 AM »

prometey1982, what is the CAN command that AW55 send to the ECU to limit torque? Do you have data logs?

Meanwhile, I have found that the bootloader command (PBL) bytes are AND'ed with 0xF8. So 0x9C&0xF8=0x98 which is what the code checks for.

And in other more significant news, the 29LV200BC chip seems to contain...executable code. A lot of it. So it's not just the maps inside. The SH7055 PBL/Main rom, when it receives an interrupt, it looks up a table in RAM at FFFF7448.





And I was like, this can't be right...or rather, they couldn't have done this, could they? Turns out they have.

I am attaching the .idb file of the binary and what I've managed to stitch together into something coherent as well as the names of various functions I believe i have figured out, function names that contain a question mark are those I am not entirely certain what they do.
« Last Edit: January 02, 2023, 04:22:28 PM by dikidera » Logged
prometey1982
Sr. Member
****

Karma: +70/-60
Offline Offline

Posts: 323



WWW
« Reply #2011 on: January 03, 2023, 12:42:04 AM »

prometey1982, what is the CAN command that AW55 send to the ECU to limit torque? Do you have data logs?
I'm trying to identify how TCM sends requests but it's not easy. Advice for you. Try to find data table for A6 command. From this table and DHA you can identify many helpfull memory addresses.
Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2012 on: January 03, 2023, 01:47:20 PM »

I'm trying to identify how TCM sends requests but it's not easy. Advice for you. Try to find data table for A6 command. From this table and DHA you can identify many helpfull memory addresses.
I haven't managed to find it. I found two functions that maybe check for CAN commands. And even then I am not sure. I expected something like

while(0)
{
    receive_can_commands();
    if(command == 0xA6)
        do_something();
}

You can see only the bootloader commands return data via HCAN interface. I basically do not see any code that accepts 0xA6 and returns data via CAN.



do_tx_ack is the function that sends data over CAN.

I mean if the command is 0xA6, then 0xA6&0xF8 = 0xA0, but remember, 0xA0 is the jump to code command. So we can exclude the bootloader commands.

I am very stuck here.
« Last Edit: January 03, 2023, 03:19:53 PM by dikidera » Logged
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2013 on: January 06, 2023, 04:57:50 AM »

I decided to finally test out the SBL's F8 delete command. I noticed several things. After you have deleted the chip or sector, when you write to an address, you do 7A AE <write data>, this does not actually commit the data. The data is still unwritten. As soon as you do 7A 9C <new address>, the data is finally commited and actually written.

Likewise, the WE pin is pulsed 4 times during writing(driven to logic low) every ~150 nanoseconds which I measured with my scope. I think we can deduce one thing here from this, if it's pulsed 4 times, this means 4 writes OR 4 bytes(although as usual this could be wrong). This only happens on 9C command, if I write first with 7A AE <data> and do 7A B4 <address + 1>, I do not get the correct checksum data, and no pulsing happens so the data is still unwritten to the flash chip.

This is curious, because I am looking at the 9C and AE handlers in the PBL and none of them show any functionality related to pulsing.  The only thing similar between the AE and 9C handlers, is two memory addresses, FFFFDFA0 and FFFFDB8B.

As I don't see any pulsing code in AE or 9C handlers, this must be done elsewhere, perhaps the secondary undocumented chip. If I have time I'd buy a small jtag header and poke around, but I wasted too much time already.




« Last Edit: January 06, 2023, 07:01:09 AM by dikidera » Logged
rkam
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 55


« Reply #2014 on: January 07, 2023, 06:35:08 AM »

@dikidera

The A6 parameters 11BD to 11F8 seems to be linked to memory addresses 817B32 to 817BA8
There you will probably find the values 80 A4 repeated 60 times on your desk ECM

31DB20: A6 11 BD: 817B32 Adaption value of rOmgDifl800 at 850rpm
..
31DCA0: A6 11 EE: 817B92
..
31DDEC: A6 11 EF: 817B94
..
31DE3C: A6 11 F8: 817BA8 Adaption value of rOmgDifl804 at 6000rpm
Logged
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2015 on: January 07, 2023, 11:50:26 AM »

@dikidera

The A6 parameters 11BD to 11F8 seems to be linked to memory addresses 817B32 to 817BA8
There you will probably find the values 80 A4 repeated 60 times on your desk ECM

31DB20: A6 11 BD: 817B32 Adaption value of rOmgDifl800 at 850rpm
..
31DCA0: A6 11 EE: 817B92
..
31DDEC: A6 11 EF: 817B94
..
31DE3C: A6 11 F8: 817BA8 Adaption value of rOmgDifl804 at 6000rpm

If it's in address space 0x8XXXXX, this is the external SRAM chip TC55 with 128KB of RAM. When SH7055 is booting up, it instructs the DMAC to copy data from 0x320000(external flash chip) to external SRAM. And the external SRAM's I/O pins have connections to the undocumented chip. Which may mean that A6 command is handled by the undocumented chip. In my opinion it's another Renesas MCU, but I did not find any compatible 120 pin version.

Anyway, I have some bad news. Due to my negligence, I fried my rpi. So it's dead. I would definitely blame volvo for using a secondary bus which caused me all the headaches, otherwise I was pretty much there. Anyway, I will now see if it's better to buy one of these MPPS,KESS tools or if I have to buy another RPI.

I will buy these tools only if: I can program via OBD2. If I have to remove the ECU from the car, it's a hassle. But with my RPI I could use it as a J2534 device and use VIDA(although because I fried my RPI I could not further test this functionality)
« Last Edit: January 07, 2023, 12:19:23 PM by dikidera » Logged
prometey1982
Sr. Member
****

Karma: +70/-60
Offline Offline

Posts: 323



WWW
« Reply #2016 on: January 08, 2023, 12:46:39 AM »

Meanwhile, I have found that the bootloader command (PBL) bytes are AND'ed with 0xF8. So 0x9C&0xF8=0x98 which is what the code checks for.
Same approach for TCU SBL:
Code:
ROM:FFFF8D1A                 mov     #h'12, r0       ; CAN Command
ROM:FFFF8D1C                 mov.b   @(r0,r15), r0
ROM:FFFF8D1E                 extu.b  r0, r0
ROM:FFFF8D20                 and     #h'F8, r0
ROM:FFFF8D22                 mov.w   #h'A0, r1
ROM:FFFF8D24                 cmp/eq  r1, r0
ROM:FFFF8D26                 bt      loc_FFFF8D32
ROM:FFFF8D28                 mov.w   #h'A8, r1       ; AE command processing
ROM:FFFF8D2A                 cmp/eq  r1, r0
ROM:FFFF8D2C                 bt      loc_FFFF8D36
ROM:FFFF8D2E                 bra     loc_FFFF8E0E
Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2017 on: January 08, 2023, 04:06:45 AM »

Same approach for TCU SBL:
Code:
ROM:FFFF8D1A                 mov     #h'12, r0       ; CAN Command
ROM:FFFF8D1C                 mov.b   @(r0,r15), r0
ROM:FFFF8D1E                 extu.b  r0, r0
ROM:FFFF8D20                 and     #h'F8, r0
ROM:FFFF8D22                 mov.w   #h'A0, r1
ROM:FFFF8D24                 cmp/eq  r1, r0
ROM:FFFF8D26                 bt      loc_FFFF8D32
ROM:FFFF8D28                 mov.w   #h'A8, r1       ; AE command processing
ROM:FFFF8D2A                 cmp/eq  r1, r0
ROM:FFFF8D2C                 bt      loc_FFFF8D36
ROM:FFFF8D2E                 bra     loc_FFFF8E0E

Do you have a picture of the TCU circuit board? I am curious if it has the same or similar undocumented chip as the ECU.
Logged
prometey1982
Sr. Member
****

Karma: +70/-60
Offline Offline

Posts: 323



WWW
« Reply #2018 on: January 08, 2023, 09:33:35 AM »

Do you have a picture of the TCU circuit board? I am curious if it has the same or similar undocumented chip as the ECU.
There is picture of TCM https://carmasters.org/topic/34372-как-записать-tcm-volvo/
Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
rkam
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 55


« Reply #2019 on: January 08, 2023, 09:43:45 AM »

On Motronic 1.8 (TA13255A) and Motronic 4.x the extra chip is a so-called port extender without any internal software.
The main CPU does not have enough pins, and you add a port extender chip to have more in/out pins.
On older Motronics, this is used by writing and reading RAM addresses above the normal RAM.
Therefore the address and datalines are connected.

On ME7, the second chip is another C167 CPU, and has a little bit of software inside.
This can take care of some simple routine tasks, and deliver the data in shared RAM.

On Denso I expect the second chip to be something like on ME7.

----

D2 protocol is handled by the main CPU, but it is possible that low level CAN bus sending and receiving is handled by the second chip.
I am working backward from known data until I find the program code that I need, and not always to the top.

In Volvo 29LV200BC Flash ORI BIFUEL.bin there is a A6 parameter list at 30E104.
10 01 00 13 means that the 1001 parameter is found in A6 jump table row 19 (0x0013) counting from row 0

Volvo 64F7055 Flash ORI BIFUEL.bin the A6 jump table is found at 6B9B8
00 02 00 00 00 31 CC C2 00 00 00 00 means that the sub routine at 31CCC2 will return 02 bytes of data for the parameter at first row.

Well actually 31CCC2 will return nothing, but the next one 31CCC6 will return one byte from FFFFA402 for parameter 109F
« Last Edit: January 08, 2023, 10:04:08 AM by rkam » Logged
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2020 on: January 08, 2023, 12:05:02 PM »

My theory is, that it is a Renesas MCU or Hitachi, or could be anything else, but it is certain it is executing code, I also have my suspicions that it's also the MCU responsible for enabling flashing of the main chip and external memories. The nice thing about Bosch/EDC is that it has been studied to death and there are no undocumented chips like the unmarked one in Denso, so there is more information to glean, here there has been an attempt to conceal the data.

However I am not too sure I saw a D2 layer on the main chip on Denso, so it's my suspicious it's handled by the other chip. I just need a bit more time to get my new tools.
Logged
rkam
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 55


« Reply #2021 on: January 08, 2023, 02:47:07 PM »

@dikidera
Here is an A6 list made from tables in your CPU and External Flash files.
I'm not sure what you have seen in your files.
Logged
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #2022 on: January 08, 2023, 02:59:39 PM »

@dikidera
Here is an A6 list made from tables in your CPU and External Flash files.
I'm not sure what you have seen in your files.
You have experience with EDC and it's similarities to the params(and their layout) so you were better able to understand the data in the external memories. In Denso there were no references to the data, as the code is in the unmarked chip that handles the A6 command and most other CAN communication(my theory, but supported by the lack of code calling the HCAN controller beyond the PBL commands).

Thank you for the compiled list.

The Denso ECU has code in:
SH7055 internal ROM - I have a dump
External flash 29LV200BC - I have a dump
The undocumented MCU - I do not have a dump.

So I only have 2/3 of the picture.
« Last Edit: January 08, 2023, 03:10:45 PM by dikidera » Logged
rkam
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 55


« Reply #2023 on: January 08, 2023, 03:20:30 PM »

@dikidera
I have used your .idb. So at least what I call D2 protocol is there.
Logged
daniel2345
Full Member
***

Karma: +11/-7
Online Online

Posts: 197


« Reply #2024 on: January 08, 2023, 03:23:05 PM »

You are one the wrong way.

HCAN is referenced via indirect addressing in application layer.

The unknown chip is external watchdog/external safety layer.

Just because you can load a bin in IDA doesn't mean you get full understanding what's going on Wink


@rkam: still on the Volvo path after all this years? Smiley
« Last Edit: January 08, 2023, 03:26:20 PM by daniel2345 » Logged
Pages: 1 ... 133 134 [135] 136 137 ... 182
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.026 seconds with 17 queries. (Pretty URLs adds 0s, 0q)