I'm really stoked about this idea, but maybe it will not work without other modifications to the code. I logged fnwue on my car, and with the engine running it is 0. So to fully understand what I need to do, lets take another look at the code that I have split into 3 sections
seg010:EE22 sub_9EE22: ;ROUTINE FOR ABSOLUTE KFZW2 INPUT
seg010:EE22 mov [-r0], r9
seg010:EE24 mov [-r0], r7
seg010:EE26 mov [-r0], r6
seg010:EE28 sub r0, #2
seg010:EE2A extp #0E1h, #1 ; 'ß'
seg010:EE2E movb rl4, fnwue ;move fnwue to rl4 //replace with ushk to manipulate
seg010:EE32 cmpb rl4, #0FFh ;compare byte #0FFh to rl4 //0FFh is the maximum value of a byte.
seg010:EE36 jmpr cc_NZ, loc_9EE58 ;if the result is Not Zero, jump to next part of the routine. if the result is Zero, then
seg010:EE38 mov r12, #kfzw2 ;move contents of kfzw2 to r12
seg010:EE3C mov r13, #33A6h
seg010:EE40 mov r14, word_380C80
seg010:EE44 mov r15, word_380C92
seg010:EE48 calls 0, sub_78B8
seg010:EE4C movb rl7, rl4
seg010:EE4E movb zwnws, rl4
seg010:EE52 movb rl6, #0
seg010:EE54 jmpa cc_UC, loc_9EEE6 ;bypass kfzw1 routine
seg010:EE58 ; ---------------------------------------------------------------------------
So, what I can conclude from this code is that fnwue=0 is passed in the ecu as a value of FF.
I think that because if the difference between 0FFh and the value stored in fnwue has to be zero to actually run from the kfzw2 values. So, I need to find out what exact value I am giving to the ecu when I short the lambda2 input.
Next part of the code:
seg010:EE58
seg010:EE58 loc_9EE58: ;ROUTINE FOR ABSOLUTE KFZW1 INPUT
seg010:EE58 extp #0E1h, #1 ; 'ß'
seg010:EE5C movb rl4, fnwue ;move byte fnwue to rl4 // change this for ushk as well
seg010:EE60 jmpr cc_NZ, loc_9EE80 ;jump to interpolation part of routine if the conditionflag Not Zero is set
seg010:EE62 mov r12, #kfzw1 ;move contents of kfzw1 to r12
seg010:EE66 mov r13, #33A6h
seg010:EE6A mov r14, word_380C80
seg010:EE6E mov r15, word_380C92
seg010:EE72 calls 0, sub_78B8
seg010:EE76 movb rl6, rl4
seg010:EE78 movb zwnws, rl4
seg010:EE7C movb rl7, #0
seg010:EE7E jmpr cc_UC, loc_9EEE6 ;bypass interpolation routine
seg010:EE80 ; ---------------------------------------------------------------------------
Now, if I understand this part correctly it means that when the byte of fnwue is at a value of 0, the conditionflag 'Not Zero' will
not be set, and the content of kfzw1 is loaded into the registry. If there is any other value than 0 in fnwue, the routine jumps to the final section of code:
seg010:EE80
seg010:EE80 loc_9EE80: ;ROUTINE FOR INTERPOLATION KFZW2+KFZW1
seg010:EE80 mov r12, #kfzw2
seg010:EE84 mov r13, #33A6h
seg010:EE88 mov r14, word_380C80
seg010:EE8C mov r15, word_380C92
seg010:EE90 calls 0, sub_78B8
seg010:EE94 extp #0E1h, #1 ; 'ß'
seg010:EE98 movbz r5, fnwue
seg010:EE9C mul r4, r5
seg010:EE9E mov r4, word_FE0E
seg010:EEA2 mov [r0], r4
seg010:EEA4 movb rl7, [r0+1]
seg010:EEA8 mov r12, #kfzw1
seg010:EEAC mov r13, #33A6h
seg010:EEB0 mov r14, word_380C80
seg010:EEB4 mov r15, word_380C92
seg010:EEB8 calls 0, sub_78B8
seg010:EEBC extp #0E1h, #1 ; 'ß'
seg010:EEC0 movbz r5, fnwue
seg010:EEC4 mov r2, #100h
seg010:EEC8 sub r2, r5
seg010:EECA mul r4, r2
seg010:EECC mov r4, word_FE0E
seg010:EED0 mov [r0], r4
seg010:EED2 movb rl6, [r0+1]
seg010:EED6 movb rl4, rl6
seg010:EED8 addb rl4, rl7
seg010:EEDA jmpr cc_NV, loc_9EEE2
seg010:EEDC movb rl4, #7Fh ; ''
seg010:EEE0 addcb rl4, #0
This is the part where from my understanding the interpolation and multiplication is done from the factor in fnwue.
To hack the code and force kfzw1 I think I have 2 options:
Find out what values my ushk gives when open and when shorted, if the shorted ushk gives a byte of 0 or 255 it follows the code and runs from either kfzw1 or kfzw2. The catch is that ushk must not give any other value than 255 or 0 or else it will go into interpolation mode.
If the open or shorted ushk does not give 0, maybe I just make it jump to loc_9EE62 so it completes this part of the routine anyway. It will then run from kfzw1 and skip the interpolation part. The only problem in this situation is that I still need the 255 value or I will disable kfzw2.
Lets find out!
Any comments or tips are welcome, I really suck at asm.
I logged the variable ushk without any conversion, and it gives a value of 125 when its open and 38 when it is shorted to the output pin. I assume that these are the actual byte values. So either I need to change the ushk conversion, or just compare to 07Dh in code section #1 and change the jump in section #2. I´ll try to compile something and test it tonight
I have made a seperate topic for the kfzw switching function:
http://nefariousmotorsports.com/forum/index.php?topic=11558.0