Topic: Anti-lag launch and no-lift-shift secrets inside
julex
« on: May 12, 2011, 06:35:20 PM »

Disclaimer:

The code was found in a certain Canadian tuner file and is 100% working, since I drove the car with the features enabled.

Here is the secret to anti-lag launch and no-lift shift. To remind everyone, anti-lag is a mode of operation where the ECU interrupts spark every so many ignition cycles as long as the RPM is above a set limit, causing previously unburned fuel to burn in the manifold as soon as RPMs fall and the mixture ignites. This results in the turbos spooling while the engine doesn't raise RPMs while you sit at the strip waiting for launch.

The no-lift shift kicks in when you press the clutch and is active for a preset amount of time. I am not sure when the spark is provided, but an expert looking at the code example should tell if this is at certain RPMs that are stored as soon as you hit the clutch or just every N Otto cycles.

The M-box bin has alterations in three spots and there also are three DWORD variables stored in EEPROM space for Speed Threshold, Launch RPM and time duration of anti-lag for spots.

I need somebody to alter the assembly code to access currently unused three Dword addresses (your choice) in calibration map space where we can establish three new scalars for the three variables needed to operate the mode properly.

Once this is figured out, the anti-lag for launch control can be controlled by two means:

1) speed, set to 0 and it doesn't work, anything above 0 works like standard launch control
2) RPM, set it high enough (10,000) and it will never reach the threshold to cut spark

No-Lift shift can be controlled in one way:

1) time value in ms, set to 0 to disable, otherwise it interrupts spark for a preset amount of time after pressing clutch.

We can also alter and improve the behavior of this by ensuring the clutch pedal is pressed in both modes (why would you like to launch control without the clutch pressed) and change the behavior of no-lift shift to interrupt spark for a given amount of time mask AND only when the clutch is still pressed.

Now, somebody handy with IDA/hex editor please make it work with alternative memory locations so we can enjoy this feature.


#1:

Original (Change FTOMN "minimum opening time" to 0):
0001a340h: 05 40 54 83 84 B8 C0 C0 C0 80 80 05 00 08 05 01

Changed to:
0001a340h: 05 40 54 83 84 B8 C0 C0 C0 80 80 00 00 08 05 01

#2 (redirect a call to alternate custom function):
Orig:
0008b3a0h: F0 49 F7 F8 AC 8D F3 F8 F3 8A D7 40 06 02 03 F8

New:
0008b3a0h: F0 49 F7 F8 AC 8D DA 8F 60 FA D7 40 06 02 03 F8

#3 (the juice, actual function):
Orig:
000ffa60h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa70h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa80h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa90h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffaa0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffab0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffac0h: FF FF FF FF FF FF F6 8E F0 CF F6 8F F2 CF F3 F8

New:
000ffa60h: F2 F4 40 8E F2 F9 80 BE 40 94 FD 08 F2 F4 7A F8
000ffa70h: F2 F9 82 BE 40 49 FD 02 F7 8E AC 8D D7 40 E1 20
000ffa80h: F2 F4 F2 CF 9A F4 09 20 9A 24 04 90 D7 40 E1 20
000ffa90h: F6 8E F2 CF F3 F8 F3 8A DB 20 D7 40 E1 20 F2 F4
000ffaa0h: F0 CF F2 F9 7E BE 40 94 FD 0A F7 8E AC 8D 09 81
000ffab0h: D7 40 E1 20 F7 F8 F0 CF F3 F8 F3 8A DB 20 8A 24
000ffac0h: 06 90 D7 50 E1 20 F6 8E F0 CF F6 8F F2 CF F3 F8
« Last Edit: May 01, 2012, 08:43:49 PM by nyet » Logged
Tony@NefMoto
« Reply #1 on: May 12, 2011, 10:19:08 PM »

Julex, thanks for sharing what you found. Would you mind telling us which tuner this is from so credit is given where credit is due?

I think it is fine to post what Julex has found. Normally this information is traded secretly for money, here it is posted publicly for free.

Let's not turn this thread into a "what is stealing" thread. If you want to discuss what is stealing, please use this thread: http://www.nefariousmotorsports.com/forum/index.php/topic,609.0.html
Logged

matchew
« Reply #2 on: May 13, 2011, 02:38:37 AM »


New:
000ffa60h: F2 F4 40 8E F2 F9 80 BE 40 94 FD 08 F2 F4 7A F8
000ffa70h: F2 F9 82 BE 40 49 FD 02 F7 8E AC 8D D7 40 E1 20
000ffa80h: F2 F4 F2 CF 9A F4 09 20 9A 24 04 90 D7 40 E1 20
000ffa90h: F6 8E F2 CF F3 F8 F3 8A DB 20 D7 40 E1 20 F2 F4
000ffaa0h: F0 CF F2 F9 7E BE 40 94 FD 0A F7 8E AC 8D 09 81
000ffab0h: D7 40 E1 20 F7 F8 F0 CF F3 F8 F3 8A DB 20 8A 24
000ffac0h: 06 90 D7 50 E1 20 F6 8E F0 CF F6 8F F2 CF F3 F8


You need to post the next few lines.
Logged
DJGonzo
« Reply #3 on: May 13, 2011, 08:55:44 AM »

There is more information missing. I'm sure they change fuel/timing maps.

I can already get 0.5bar on stock 2step on a 1.8T with just some timing tweaks ;)
Logged
carlossus
« Reply #4 on: May 13, 2011, 10:17:18 AM »

There is more information missing. I'm sure they change fuel/timing maps.

I can already get 0.5bar on stock 2step on a 1.8T with just some timing tweaks ;)

I'm sure you're right, but that information is discussed in depth in other threads. The really interesting stuff is the specific areas Julex has identified used to cut ignition without closing the throttle (right?). This is new to me and I suspect many of us.

Nice work Julex.
Logged
julex
« Reply #5 on: May 13, 2011, 11:29:07 AM »

The tune file in question is 8d0907551M ECU and is from Eurodyne. I will post a stock tune file with only the differences implemented later on so that people with know-how have it easier loading into a disassembler.


New:
000ffa60h: F2 F4 40 8E F2 F9 80 BE 40 94 FD 08 F2 F4 7A F8
000ffa70h: F2 F9 82 BE 40 49 FD 02 F7 8E AC 8D D7 40 E1 20
000ffa80h: F2 F4 F2 CF 9A F4 09 20 9A 24 04 90 D7 40 E1 20
000ffa90h: F6 8E F2 CF F3 F8 F3 8A DB 20 D7 40 E1 20 F2 F4
000ffaa0h: F0 CF F2 F9 7E BE 40 94 FD 0A F7 8E AC 8D 09 81
000ffab0h: D7 40 E1 20 F7 F8 F0 CF F3 F8 F3 8A DB 20 8A 24
000ffac0h: 06 90 D7 50 E1 20 F6 8E F0 CF F6 8F F2 CF F3 F8


You need to post the next few lines.

Nope, red area is extra stuff added by the tuner, grey area is the same as stock 8d0907551M tune.
Logged
DJGonzo
« Reply #6 on: May 13, 2011, 12:02:33 PM »

There is more information missing. I'm sure they change fuel/timing maps.

I can already get 0.5bar on stock 2step on a 1.8T with just some timing tweaks ;)

I'm sure you're right, but that information is discussed in depth in other threads. The really interesting stuff is the specific areas Julex has identified used to cut ignition without closing the throttle (right?). This is new to me and I suspect many of us.

Nice work Julex.
I'm not saying this isn't better than what I have, I'm just saying there has to be MORE to it than just this routine. Unless the launch control is a little crude and just cuts spark. ;)
Logged
ElementalVoid
« Reply #7 on: May 13, 2011, 12:58:09 PM »

The tune file in question is 8d0907551M ECU and is from Eurodyne. I will post a stock tune file with only the differences implemented later on so that people with know-how have it easier loading into a disassembler.

Here you go... Patched but not checksummed.

FYI, I think the reason matchew was asking for more lines may have been because he thought you accidentally cut off the end of the new subroutine. There seems to be some more code in your file at 000ffac0h as compared to stock. Do you know what this is?

Stock file:

000ffa60h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa70h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa80h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa90h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffaa0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffab0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffac0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF


And your post of the orig section:
#3 (the juice, actual function):
Orig:
000ffa60h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa70h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa80h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffa90h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffaa0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffab0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000ffac0h: FF FF FF FF FF FF F6 8E F0 CF F6 8F F2 CF F3 F8

Logged
DJGonzo
« Reply #8 on: May 13, 2011, 01:29:35 PM »

FYI, I think the reason matchew was asking for more lines may have been because he thought you accidentally cut off the end of the new subroutine. There seems to be some more code in your file at 000ffac0h as compared to stock. Do you know what this is?
I do also believe there is some code missing...
« Last Edit: May 17, 2011, 11:17:06 AM by Gonzo » Logged
matchew
« Reply #9 on: May 13, 2011, 03:28:03 PM »

There is code missing, I have worked it out.

This routine simply manipulates the spark dwell routine.
Logged
julex
« Reply #10 on: May 13, 2011, 06:31:07 PM »

There is code missing, I have worked it out.

This routine simply manipulates the spark dwell routine.
Care to share?

I think I can port this over to 06A906032RN (1.8T AWP) without too many issues and share the BIN :)


I apologize, I assumed the rest is stock but it is not! I simply initially compared two tune files, one with the option enabled, the other with it disabled, otherwise identical. The software in question was simply adding the code I initially posted when the feature was enabled.

Here is the whole piece:


000ffa60h: F2 F4 40 8E F2 F9 80 BE 40 94 FD 08 F2 F4 7A F8
000ffa70h: F2 F9 82 BE 40 49 FD 02 F7 8E AC 8D D7 40 E1 20
000ffa80h: F2 F4 F2 CF 9A F4 09 20 9A 24 04 90 D7 40 E1 20
000ffa90h: F6 8E F2 CF F3 F8 F3 8A DB 20 D7 40 E1 20 F2 F4
000ffaa0h: F0 CF F2 F9 7E BE 40 94 FD 0A F7 8E AC 8D 09 81
000ffab0h: D7 40 E1 20 F7 F8 F0 CF F3 F8 F3 8A DB 20 8A 24
000ffac0h: 06 90 D7 50 E1 20 F6 8E F0 CF F6 8F F2 CF F3 F8
000ffad0h: F3 8A DB 20 FF FF FF FF FF FF FF FF FF FF FF FF


Logged
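
The comparison made in Reply #7 and explained in Reply #10, as an added example that is not part of any post in the thread: a Python sketch that parses hex-dump rows in the format used above and lists the byte runs where a candidate image differs from a reference, flagging runs that fall in erased (FF) flash. The names `parse_dump`, `diff_runs` and `report` are hypothetical; the rows are copied from the posts and paired here for illustration.

```python
import re

# One row per patch site, copied from the thread and paired here (constructed):
# "Orig"/"New" rows from the first post, stock 000ffac0h row from Reply #7.
REFERENCE = """\
0001a340h: 05 40 54 83 84 B8 C0 C0 C0 80 80 05 00 08 05 01
0008b3a0h: F0 49 F7 F8 AC 8D F3 F8 F3 8A D7 40 06 02 03 F8
000ffac0h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""
CANDIDATE = """\
0001a340h: 05 40 54 83 84 B8 C0 C0 C0 80 80 00 00 08 05 01
0008b3a0h: F0 49 F7 F8 AC 8D DA 8F 60 FA D7 40 06 02 03 F8
000ffac0h: 06 90 D7 50 E1 20 F6 8E F0 CF F6 8F F2 CF F3 F8
"""
ROW = re.compile(r"^\s*([0-9a-fA-F]+)h:\s*((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_dump(text):
    """Turn 'OFFSETh: XX XX ...' rows into {absolute_offset: byte}."""
    image = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip labels such as 'Orig:' and blank lines
        base = int(m.group(1), 16)
        for i, byte in enumerate(bytes.fromhex(m.group(2))):
            image[base + i] = byte
    return image

def diff_runs(reference, candidate, erased=0xFF):
    """Return (start, end, in_erased_flash) per run of differing bytes."""
    runs = []
    for off in sorted(reference.keys() & candidate.keys()):
        if reference[off] == candidate[off]:
            continue
        blank = reference[off] == erased  # reference holds no data here
        if runs and runs[-1][1] == off - 1:
            start, _, was_blank = runs[-1]
            runs[-1] = (start, off, was_blank and blank)
        else:
            runs.append((off, off, blank))
    return runs

def report(reference_text, candidate_text):
    """Human-readable summary, one line per differing run."""
    runs = diff_runs(parse_dump(reference_text), parse_dump(candidate_text))
    return [f"{s:#x}-{e:#x}: {'data in erased flash' if b else 'bytes patched'}"
            for s, e, b in runs]

if __name__ == "__main__":
    print("\n".join(report(REFERENCE, CANDIDATE)))
```

Comparing against a known stock image rather than against another modified file is what makes the added bytes at 000ffac0h visible.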
julex
« Reply #11 on: May 13, 2011, 07:31:41 PM »

Thanks!
I'm going to try to port this over to the 1.8T.

I'm not sure if I want to go ahead and try it on one of my cars though hahaha.

This was installed on my car and I can attest it works :).
Logged
matchew
« Reply #12 on: May 15, 2011, 03:34:52 PM »


Quote
What SW version do you have? I'll make one for ya.

8N0 906 018 CH
« Last Edit: May 15, 2011, 06:37:18 PM by matchew » Logged
matchew
« Reply #13 on: May 15, 2011, 06:35:27 PM »

8N0 906 018 CH

I'll work on it. No promises it will work though. Do you know how to do boot mode just in case?

Of course
Logged
matchew
« Reply #14 on: May 15, 2011, 09:03:51 PM »

That 100% will not work

You can not simply copy code from one file to another.

You found the correct routine to jump out of though.
Logged