Pages: 1 [2] 3 4 ... 40
Author Topic: Anti-lag launch and no-lift-shift secrets inside  (Read 529662 times)
DJGonzo
Guest
« Reply #15 on: May 15, 2011, 09:06:42 PM »

Finding the routine is easy. On any ME7 file, go to end of file and search up for "D7 40 06 02 03 F8". First match is the correct routine.
« Last Edit: June 26, 2011, 04:56:18 AM by Gonzo » Logged
matchew
Hero Member
*****

Karma: +47/-22
Offline Offline

Posts: 503


« Reply #16 on: May 15, 2011, 09:18:47 PM »

In the file that you wish to add this code to you need to find certain variables, and apply them to this routine.

The ram address used for dwell time is easy, as it is contained with in the routine that the original code writer jumped out of.

You need to find the ram address of vehicle speed and engine speed

You need to understand that the eeprom is being accessed by this new routine, it looks at 3 address'
Logged
DJGonzo
Guest
« Reply #17 on: May 15, 2011, 09:21:35 PM »

Seems simple enough (if we can find the addresses).

Can you identify the addresses in the added routine?
Logged
matchew
Hero Member
*****

Karma: +47/-22
Offline Offline

Posts: 503


« Reply #18 on: May 15, 2011, 09:23:34 PM »

Seems simple enough (if we can find the addresses).

Can you identify the addresses in the added routine?

sure
Logged
matchew
Hero Member
*****

Karma: +47/-22
Offline Offline

Posts: 503


« Reply #19 on: May 15, 2011, 09:40:04 PM »

sub_FFA60:
FFA60                 mov     r4, word_8E40
FFA64                 mov     r9, word_BE80
FFA68                 cmp     r9, r4
FFA6A                 jmpr    cc_ULE, loc_FFA7C
FFA6C                 mov     r4, word_F87A
FFA70                 mov     r9, word_BE82
FFA74                 cmp     r4, r9
FFA76                 jmpr    cc_ULE, loc_FFA7C
FFA78                 movb    byte_8DAC, ZEROS
FFA7C
FFA7C loc_FFA7C:                              
FFA7C                                        
FFA7C                 extp    #0E1h, #1  
FFA80                 mov     r4, 0CFF2h
FFA84                 jnb     r4.2, loc_FFA9A
FFA88                 jnb     word_FD48.9, loc_FFA94
FFA8C                 extp    #0E1h, #1
FFA90                 mov     0CFF2h, ZEROS
FFA94
FFA94 loc_FFA94:                            
FFA94                 movb    rl4, byte_8AF3
FFA98                 rets
FFA9A ; ---------------------------------------------------------------------------
FFA9A
FFA9A loc_FFA9A:                              
FFA9A                 extp    #0E1h, #1
FFA9E                 mov     r4, 0CFF0h
FFAA2                 mov     r9, word_BE7E
FFAA6                 cmp     r9, r4
FFAA8                 jmpr    cc_ULE, loc_FFABE
FFAAA                 movb    byte_8DAC, CC2IC
FFAAE                 addb    rl4, #1
FFAB0                 extp    #0E1h, #1
FFAB4                 movb    0CFF0h, rl4
FFAB8                 movb    rl4, byte_8AF3
FFABC                 rets
FFABE ; ---------------------------------------------------------------------------
FFABE
FFABE loc_FFABE:                              
FFABE                 jb      word_FD48.9, loc_FFACE
FFAC2                 extp    #0E1h, #2
FFAC6                 mov     0CFF0h, ZEROS
FFACA                 mov     0CFF2h, ONES
FFACE
FFACE loc_FFACE:                            
FFACE                 movb    rl4, byte_8AF3
FFAD2                 rets
FFAD2 ; End of function sub_FFA60


Reverse engineering is indeed tuning Wink
« Last Edit: May 15, 2011, 09:42:26 PM by matchew » Logged
orienz
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 113


« Reply #20 on: May 16, 2011, 03:30:46 AM »

Is this routine always at the same address? I pulled a file from ME7.5 from the same tuner and can't find this.

By the way does anyone here recognize this signature?

"ERCSU V1.1.6 SAB_C16x (c)ETAS Jul 24 1999"
Logged
setzi62
Full Member
***

Karma: +142/-0
Offline Offline

Posts: 249


« Reply #21 on: May 16, 2011, 06:20:49 AM »

By the way does anyone here recognize this signature?

"ERCSU V1.1.6 SAB_C16x (c)ETAS Jul 24 1999"
This is the identification of the realtime OS (ERCOS) made by the company ETAS, it  has nothing to do
with a tuner. Normally this states as date "Jul 24 1997", I guess you have just mistyped the year.
Logged
setzi62
Full Member
***

Karma: +142/-0
Offline Offline

Posts: 249


« Reply #22 on: May 17, 2011, 06:08:00 AM »

The no lift shift kicks in when you press a clutch and is active for a preset amount of time. I am not sure when the spark is provided but expert looking at the code example should tell if this is at certain RPMs that are stored as soon as you hit the clutch or just every N otto cycles.
...
I need somebody to alter the assembly code to access currently unused three Dword addresses (your choice) in calibration map space where we can establish three new scalars for the three variables needed to operate the mode properly.
...
We can also alter and improve he behavior of this by ensuring cluch pedal is pressed in both modes (why would you like to launch control without cluthc pressed) and change the behavior of no lift shift to interrupt spark for a given amount of time mask AND only when clutch is still pressed.  c
Hi Julex,

The function at 8FFA60 gets called each 20ms after computation of the closing time (tsrldyn) was done.
To interrupt the ignition, the closing time is just set to 0.  Does this way of cutting the ignition
induce any problems?  E.g. DTC's raised or unburned fuel that kills your cats (if they are still present)?

The original function implements the following pseudo code:

function_8FFA60()
{
  // Anti-Lag
  if (vehicleSpeed < ThresholdSpeed && engineRpm > ThresholdRpm)
  {
    closingTime = 0;                // Interrupt ignition
  }

  // No-Lift-Shift
  if (! noLiftShift_active)
  {
    // NoLiftShift is inactive
    if (cond_clutchPressed)
    {
      noLiftShift_active = TRUE;
    }
  }
  else
  {
    // NoLiftShift is active
    if (counter_NoLiftShift < ThresholdCounter)
    {
      closingTime = 0;            // Interrupt ignition
      counter_NoLiftShift++;
    }
    else
    {
      if (! cond_clutchPressed)
      {
        counter_NoLiftShift = 0;
        noLiftShift_active = FALSE;
      }
    }
  }
}


Find attached a stock Mbox binary with inserted AntiLag&NoLiftShift function (now located at 88'E800).
I made following modifications to the original function:
1. the three threshold values are read from parameter space in flash.
2. Anti-Lag is only active when the clutch is pressed.
3. NoLiftShift stops cutting ignition immediately when the clutch is released,
   even if the delay counter is still running.

Also an XDF with the description of the used parameters/thresholds is attached,
so the parameters can be edited quite easily.
Logged
robin
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 139


« Reply #23 on: May 17, 2011, 08:33:49 AM »

Wow!!

Will give this a shot a little later. Thanks for the work.
Logged
Tony@NefMoto
Administrator
Hero Member
*****

Karma: +132/-4
Offline Offline

Posts: 1389


2001.5 Audi S4 Stage 3


« Reply #24 on: May 17, 2011, 10:33:58 AM »

So I assume I am correct when I guess that it was Eurodyne that created this code modification?
Logged

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
Jason
Hero Member
*****

Karma: +38/-0
Offline Offline

Posts: 500


Breaks everything!


« Reply #25 on: May 17, 2011, 10:39:33 AM »

Am I correct in assuming this doesn't hold the throttle open?
Logged
chris66
Newbie
*

Karma: +1/-2
Offline Offline

Posts: 4


« Reply #26 on: May 17, 2011, 10:40:43 AM »

Yes. Why did you delete my last post?
Logged
DJGonzo
Guest
« Reply #27 on: May 17, 2011, 10:44:53 AM »

So I assume I am correct when I guess that it was Eurodyne that created this code modification?
Yes.

Maestro7.
Logged
Tony@NefMoto
Administrator
Hero Member
*****

Karma: +132/-4
Offline Offline

Posts: 1389


2001.5 Audi S4 Stage 3


« Reply #28 on: May 17, 2011, 10:56:43 AM »

Yes. Why did you delete my last post?

Because this isn't a thread about whether or not this is stealing.

This is the thread to discuss what is stealing: http://www.nefariousmotorsports.com/forum/index.php/topic,609.0.html
Logged

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
chris66
Newbie
*

Karma: +1/-2
Offline Offline

Posts: 4


« Reply #29 on: May 17, 2011, 11:11:54 AM »

Right.
Well this is the thread where the OP posted the code he took that I wrote for my customers, and then asked someone more capable/less lazy than him to patch so he could use it in other files. It is not something put out there by bosch, it is not harmless either.

What do you think about that?
Logged
Pages: 1 [2] 3 4 ... 40
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.026 seconds with 17 queries. (Pretty URLs adds 0s, 0q)