Pages: 1 ... 134 135 [136] 137 138 ... 182
Author Topic: The Volvo ME7 thread:  (Read 1083899 times)
rkam
Full Member ***
Karma: +4/-0
Offline
Posts: 55
« Reply #2025 on: January 08, 2023, 03:47:54 PM »

@daniel2345
Volvo is the best :-)
I have a 2007 XC70 now, so there is plenty to look into if I want.
But I've been spending more time on other activities some years now.
Once in a while I take a look at the 32kB Motronic 1.8 file from my 960, but then I get lost in other more interesting stuff.
The reason I started looking at an old Denso unit lying around was that I noticed the PBL commands in a Nissan X-trail was more or less identical.
Logged
rkam
Full Member ***
Karma: +4/-0
Offline
Posts: 55
« Reply #2026 on: January 08, 2023, 03:56:52 PM »

One problem with IDA is that there are many ways to jump to a program position that IDA cannot figure out.
One trick may be to change the return address while you are in a subroutine.
When you issue the return command, you then end up in a different spot than where you came from.
Jump tables are also not easy to view or follow.

This way it is difficult to figure out the program flow. At least for me.
But one day I will figure out the whole 32kB of M1.8 :-)
Logged
dikidera
Full Member ***
Karma: +8/-8
Offline
Posts: 149
« Reply #2027 on: January 08, 2023, 04:07:39 PM »

You are on the wrong way.

HCAN is referenced via indirect addressing in the application layer.

The unknown chip is an external watchdog/external safety layer.

Just because you can load a bin in IDA doesn't mean you get a full understanding of what's going on ;)


@rkam: still on the Volvo path after all these years? :)
Well thank you.

I am no stranger to reverse engineering, but it was always on x86, and you *almost* cannot hide data from dynamic execution there, but it's different here. I cannot place breakpoints, I cannot single step, so if indirect addressing happens, I cannot know it without executing.

But I believe you, I have seen the SH compilers outputting code like so: address (say an IO register), and then rather than storing another adjacent MMIO address, it does <address + 4>.
Logged
t6
Full Member ***
Karma: +0/-5
Offline
Posts: 55
« Reply #2028 on: January 09, 2023, 01:12:54 PM »

Can any colleagues share maps.kp for QHHJ
Logged
prometey1982
Sr. Member ****
Karma: +70/-60
Offline
Posts: 323
« Reply #2029 on: January 11, 2023, 11:17:57 AM »

Hey Vollmer, see what I can and you can't.

Testing of raised switch revs on tf80sc gearbox in sport mode
https://www.youtube.com/watch?v=ECz0psJe094
Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
rlinewiz
Jr. Member **
Karma: +12/-1
Offline
Posts: 42
« Reply #2030 on: January 12, 2023, 02:16:58 PM »

Hey Vollmer, see what I can and you can't.

Testing of raised switch revs on tf80sc gearbox in sport mode
https://www.youtube.com/watch?v=ECz0psJe094
woah that's high! makes me nervous :D
Logged

2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
dikidera
Full Member ***
Karma: +8/-8
Offline
Posts: 149
« Reply #2031 on: January 12, 2023, 02:33:28 PM »

woah that's high! makes me nervous :D
It wouldn't like them?
Logged
rlinewiz
Jr. Member **
Karma: +12/-1
Offline
Posts: 42
« Reply #2032 on: January 13, 2023, 09:29:42 AM »

It wouldn't like them?
I'm just really paranoid... the kind of person to baby my car; redline is where bad things always happen to me haha
Logged

2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
t6
Full Member ***
Karma: +0/-5
Offline
Posts: 55
« Reply #2033 on: January 13, 2023, 11:33:37 AM »

Can any colleagues share maps.kp for QHHJ

maybe one of the colleagues has WinOLS file QHHJ manual EU
Logged
BaxtR
Full Member ***
Karma: +17/-25
Offline
Posts: 64
« Reply #2034 on: January 13, 2023, 07:38:29 PM »

maybe one of the colleagues has WinOLS file QHHJ manual EU

sorry mate, looks like you're going to have to learn IDA...
Logged

2007 Volvo S60R, PT6266 BB, 1700x ID Injectors, Walbro525. Halme Built manifold and exhaust #BaxtrPerformance
rlinewiz
Jr. Member **
Karma: +12/-1
Offline
Posts: 42
« Reply #2035 on: January 16, 2023, 09:28:03 PM »

does anyone know the address for reading the clutch pedal sensor?
Logged

2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
prometey1982
Sr. Member ****
Karma: +70/-60
Offline
Posts: 323
« Reply #2036 on: January 16, 2023, 10:05:07 PM »

does anyone know the address for reading the clutch pedal sensor?
It depends on hardware. For example for EC.2 ECM it should be here:
Code:
ROM:000408B8                 mov     r2, F_AD11    ; F_AD11 = 0xF2C6
ROM:000408BC                 and     r2, #3FFh
ROM:000408C0                 mov     word_30198E, r2

Next is example from 50WRHJ software.
This variable is used here:
Code:
ROM:00076AA4                 mov     r4, word_30198E
ROM:00076AA8                 shr     r4, #2
ROM:00076AAA                 movb    byte_3015C1, rl4
Then here:
Code:
ROM:000CAD6E                 movb    rl1, byte_3015C1
ROM:000CAD72                 cmpb    rl1, byte_1458D ; looks like threshold for clutch pressed state
ROM:000CAD76                 jmpr    cc_ULE, loc_CAD7C

And later B_kuppl bit is set:
Code:
ROM:000CADC0                 bset    word_FD64.9     ; 9 - B_kuppl - clutch pressed
ROM:000CADC2                 bset    word_FD64.10    ; 9 - B_kuppl - clutch pressed
« Last Edit: January 16, 2023, 10:09:26 PM by prometey1982 » Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
Toys-n-joys
Newbie *
Karma: +0/-0
Offline
Posts: 3
« Reply #2037 on: January 17, 2023, 03:12:59 AM »

Using a VAG171 cable. I did the Galletto hex fix. FT_Prog recognises the cable no problem. Interestingly: I power up the ECU, and if I put my multimeter on pin 24 the ground is already there.

Is this a way to get into bootmode with the ECU installed in the car? Or is my interpretation off?
Logged
prometey1982
Sr. Member ****
Karma: +70/-60
Offline
Posts: 323
« Reply #2038 on: January 17, 2023, 03:27:26 AM »

Additions to the document about flashing over the Volcano protocol: https://github.com/prometey1982/VolvoTools/blob/master/PrimaryBoot_169.pdf

Send data to CM:
A8 + number of bytes. For example, for a TCM with address 6E:
Send 6 bytes:
FFFFE 6E AE 11 22 33 44 55 66
Send 5 bytes:
FFFFE 6E AD 11 22 33 44 55
Send 4 bytes:
FFFFE 6E AC 11 22 33 44
Send 3 bytes:
FFFFE 6E AB 11 22 33
Send 2 bytes:
FFFFE 6E AA 11 22
Send 1 byte:
FFFFE 6E A9 11
Send transmission completed:
FFFFE 6E A8

I'm using the next sequence to write the TCM:
FFFFE FF 86 multiple times to both CAN buses to stop CAN transmission

FFFFE 6E C0 - start primary bootloader

FFFFE 6E 9C FF FF 82 00 - set memory pointer for next command
5 6E 9C FF FF 82 00 - answer from TCM

Then loop with (A8+size) commands with bootloader data.

FFFFE 6E 9C FF FF 82 00 - set memory pointer for jump command
5 6E 9C FF FF 82 00 - answer from TCM

FFFFE 6E A0 - run code at jump point


At this point the TCM is running the SBL. Then for each block except the last
Code:
#include <cstdint>
#include <vector>

// Start addresses of the flash blocks, as listed in the original post.
const std::vector<uint32_t> chunks{0x8000,  0x10000, 0x20000,
                                   0x30000, 0x40000, 0x50000,
                                   0x60000, 0x70000, 0x80000};
erasing and writing should be done.

Erase command for 0x8000 block:
FFFFE 6E C9 00 00 80 00 00 00
5 6E C9 00 00 80 00 00 00 - set pointer complete
FFFFE 6E F8 00 00 00 00 00 00 - erase command
5 6E F9 - erase complete

Write data to 0x8000 block command:
FFFFE 6E C9 00 00 80 00 00 00
5 6E C9 00 00 80 00 00 00 - set pointer complete
loop with block data:
FFFFE 6E AE 11 22 33 44 55 66 - send data to TCM

The last block should be filled using the (A8+length) rules.
And this transfer-completed command must be sent:
FFFFE 6E A8
Logged

Россия - Великая страна!
https://youtu.be/fup5GzIFdXk
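As an added example (not code from the post above and not part of VolvoTools), here is a small Python encoder/decoder for the "A8 + number of bytes" data framing the post describes. It splits a payload into AE/AD/.../A9 frames and appends the A8 completion frame, and, reading the other way, reassembles the payload from a capture written in the post's own "ID B0 B1 ..." notation while checking that every frame carries exactly the number of bytes its command byte declares. That length check is the first thing to verify when reviewing a log of what was actually written to a module. The CAN ids 0xFFFFE and 5 and the TCM address 0x6E are the values quoted in the post; the command-name labels and the sample log lines are constructed for this example.

```python
"""Framing helpers for the 'A8 + number of bytes' transfer described in the post.

Constructed example, not code from VolvoTools or the original post. CAN ids and
the 0x6E target address are the values quoted there; SAMPLE_LOG is made up.
"""
from __future__ import annotations

REQUEST_ID = 0xFFFFE   # id used for every host -> module frame in the post
REPLY_ID = 0x5         # id the TCM answers on, per the post
TCM_ADDR = 0x6E        # TCM address from the post
DATA_CMD_BASE = 0xA8   # A8 = transfer complete, A8+n = n data bytes follow
MAX_CHUNK = 6          # A8+6 = AE is the largest data command shown

# Single-byte commands quoted in the post. The labels are descriptive only
# (assumed names for this example), not official command names.
COMMAND_NAMES = {
    0xC0: "start primary bootloader",
    0x9C: "set memory pointer",
    0xA0: "run code at pointer",
    0xC9: "set flash pointer",
    0xF8: "erase block",
    0xF9: "erase complete",
}


def data_frames(payload: bytes, target: int = TCM_ADDR) -> list[tuple[int, bytes]]:
    """Split payload into (can_id, frame_bytes) with the A8+n rule, then append
    the A8 'transmission completed' frame."""
    frames = []
    for off in range(0, len(payload), MAX_CHUNK):
        chunk = payload[off:off + MAX_CHUNK]
        frames.append((REQUEST_ID, bytes([target, DATA_CMD_BASE + len(chunk)]) + chunk))
    frames.append((REQUEST_ID, bytes([target, DATA_CMD_BASE])))
    return frames


def decode_frame(frame: bytes) -> dict:
    """Classify one frame. Raises ValueError when the declared length
    (command - A8) does not match the bytes actually present."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    target, cmd, body = frame[0], frame[1], frame[2:]
    if DATA_CMD_BASE <= cmd <= DATA_CMD_BASE + MAX_CHUNK:
        n = cmd - DATA_CMD_BASE
        if len(body) != n:
            raise ValueError(f"command {cmd:02X} declares {n} bytes, got {len(body)}")
        kind = "transfer complete" if n == 0 else "data"
        return {"target": target, "cmd": cmd, "kind": kind, "data": body}
    return {"target": target, "cmd": cmd,
            "kind": COMMAND_NAMES.get(cmd, "unknown"), "data": body}


def reassemble(frames: list[tuple[int, bytes]]) -> bytes:
    """Collect data bytes from host -> module frames until the A8 marker."""
    out = bytearray()
    for can_id, frame in frames:
        if can_id != REQUEST_ID:
            continue  # replies echo the command; they carry no payload data
        info = decode_frame(frame)
        if info["kind"] == "data":
            out += info["data"]
        elif info["kind"] == "transfer complete":
            return bytes(out)
    raise ValueError("no A8 transfer-complete frame seen")


def parse_log(text: str) -> list[tuple[int, bytes]]:
    """Parse 'ID B0 B1 ...' lines in the post's notation (hex, space separated,
    optional ' - comment' suffix)."""
    frames = []
    for line in text.splitlines():
        line = line.split(" - ")[0].strip()
        if not line:
            continue
        words = line.split()
        frames.append((int(words[0], 16), bytes(int(w, 16) for w in words[1:])))
    return frames


# Constructed capture of a 13-byte transfer, written in the post's notation.
SAMPLE_LOG = """\
FFFFE 6E C9 00 00 80 00 00 00
5 6E C9 00 00 80 00 00 00 - set pointer complete
FFFFE 6E AE 11 22 33 44 55 66
FFFFE 6E AE 77 88 99 AA BB CC
FFFFE 6E A9 DD
FFFFE 6E A8 - transfer complete
"""

if __name__ == "__main__":
    print(reassemble(parse_log(SAMPLE_LOG)).hex())
    for _, frame in data_frames(bytes(range(13))):
        print(frame.hex(" "))
```

Frames on the reply id are skipped deliberately: in the post the TCM only echoes the command it received, so counting them as data would corrupt the reassembled image.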
rlinewiz
Jr. Member **
Karma: +12/-1
Offline
Posts: 42
« Reply #2039 on: January 17, 2023, 06:27:01 AM »

It depends on hardware. For example for EC.2 ECM it should be here:
Code:
ROM:000408B8                 mov     r2, F_AD11    ; F_AD11 = 0xF2C6
ROM:000408BC                 and     r2, #3FFh
ROM:000408C0                 mov     word_30198E, r2

Next is example from 50WRHJ software.
This variable is used here:
Code:
ROM:00076AA4                 mov     r4, word_30198E
ROM:00076AA8                 shr     r4, #2
ROM:00076AAA                 movb    byte_3015C1, rl4
Then here:
Code:
ROM:000CAD6E                 movb    rl1, byte_3015C1
ROM:000CAD72                 cmpb    rl1, byte_1458D ; looks like threshold for clutch pressed state
ROM:000CAD76                 jmpr    cc_ULE, loc_CAD7C

And later B_kuppl bit is set:
Code:
ROM:000CADC0                 bset    word_FD64.9     ; 9 - B_kuppl - clutch pressed
ROM:000CADC2                 bset    word_FD64.10    ; 9 - B_kuppl - clutch pressed

immensely helpful, thanks!
Logged

2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]