Author Topic: Locating CW_CAN_R to disable ABS in firmware (4D0907559D)  (Read 7886 times)
narotic
« on: January 17, 2015, 08:44:23 AM »

Hi all,

My father and brother are building a car based on a 4.2L V8 from an S6 and Porsche brakes. Not surprisingly given this setup, the ECU throws P1649 - 35-00 - Missing Message from ABS Controller. The specific firmware is 4D0907559D and thus identical to the one posted by hopsis (http://nefariousmotorsports.com/forum/index.php?topic=4296.0). Since I have a background in computer science, I've offered to help them take care of modifying the ECU to get rid of this error.

Thanks to the invaluable information on this forum, it's clear to me that the neatest way would be to change CW_CAN_R (as opposed to masking DTC tables or emulating ABS messages on the canbus). Unfortunately, CW_CAN_R is not in the definition file for the 4D0907559D and I'm having a hard time locating it. Does someone have an idea where it might be located in the ECU file, or what would be a reliable procedure to find it?

To give some background information (and to hopefully avoid claims that I want spoonfeeding): the approach I have taken so far is to check the context of memory accesses in ECU files for which CW_CAN_R is known. As expected, these often take the form of moving the content of the memory location to a register, then a binary AND, and finally a conditional jump. For example,

mov     r5, [r4+2C7Ah]
and     r5, #4
jmpr    cc_NZ, loc_82C51E


Based on the common patterns I formed a couple of regular expressions to locate potential candidates. This strategy works quite well on the ECU files I have considered (e.g., in 4D0907559E the address should be 0x133ec), but I keep on drawing a blank for 4D0907559D. The patterns I found seem to depend on ME version (at least between ME7.1 and ME7.1.1), but I created sets for either version.

I only started using IDA now and have no real experience in reverse engineering, so some help or further suggestions would be highly appreciated.
ddillenger
« Reply #1 on: January 17, 2015, 02:03:06 PM »

Well, there are 2 versions of 559D, both of which are drastically different.

Given that you failed to post your binary, the best I can do is say that in the version I use, CW_CAN_R_0_A and 1_A are located at 0x1C098 and 0x1C09A.


Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
narotic
« Reply #2 on: January 17, 2015, 02:53:21 PM »

I should've been more explicit: my binary is literally (bitwise) identical to the one posted in the cited topic. Anyways, the values at that location seem to make sense, so many thanks for that!

However, the value at 0x1c098 is "20 00", which according to the FR means that it does not check ABS. The three subsequent words 0x1c09a, 0x1c09c, 0x1c09e instead have the ABS bit on. Forgive my ignorance on the topic, but does this have to do with variant coding? If so, is there a way to figure out which variants are supported by the ECU and what the currently active one is?

Finally, I'd be curious to know how you located it. Even knowing the address I cannot make sense out of it, since it does not seem to be addressed in the ways I've seen in the other firmwares. I would've expected to find interesting things searching for hexadecimal '98 [0,4,8,c]0' (for DPP's of 0x204 to 0x207), but I don't...
« Last Edit: January 17, 2015, 03:22:12 PM by narotic »
ddillenger
« Reply #3 on: January 17, 2015, 04:07:52 PM »

The first is for coding 05612. No ESP, but with ABS. The second is 05712. ESP and ABS. Read the FR a bit more carefully and you'll see this:

16 bit

Bit = 1 -> Reception, bit = 0 -> no reception and no timeout monitoring

Bit Function

15 Not assigned
14 Not assigned
13 % CANSEN
12 BSG_Last
11 Botschaft ZAS
10 Botschaft Fahrwerk (Chassis)
9 Botschaft Clima 1
8 Botschaft Niveau 1
7 Botschaft Bremse 3
6 Botschaft Allrad 1
5 Kombi 1, 2, 3
4 Botschaft LWS
3 Botschaft Airbag
2 Botschaft Brake 1
1 Botschaft Gearbox 2
0 Botschaft Gearbox 1

So I guess the question is, what is your current coding?

narotic
« Reply #4 on: January 17, 2015, 04:31:18 PM »

I have studied that page of the FR quite well, but I might've misunderstood it. My reasoning was as follows: the 16 bits at 0x1C098 are 0x2000; considering that the value is stored in little endian (correct?), this would mean that bit 5 is high. So only "Kombi 1, 2, 3" is active (unfortunately, I do not know what "Kombi 1, 2, 3" means). Where do I go wrong?

According to the VCDS log the coding is 05712. Based on what you say, that would mean the second CW_CAN_R word at 0x1C09A is active. The current value at this location is 0x2400, so following my reasoning above, setting this to 0x2000 should disable ABS. But then I'd end up with the same value as at 0x1C098 (05612 coding).
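
The pattern search described in the opening post and the bit decoding discussed in replies #3 and #4 can be combined into one small tool. The following is an added example written for this thread; it is not code from any poster or from any ME7 tool. The C166 opcode encodings, the DPP page range 0x204-0x207 and the mapping of a page number to a linear address are my assumptions, and the image bytes are constructed for the demo (the words at 0x1C098/0x1C09A are the "20 00" and "24 00" values reported in the thread; the two words after them are made-up stand-ins).

```python
"""Find and decode CW_CAN_R candidates in a Bosch ME7 (Infineon C166) firmware image.

Added example, not code from the thread. Opcode encodings below are my reading of the
C166 instruction set and are assumptions, as is the page-to-linear address mapping;
the image bytes are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Assumed C166 encodings (n = destination register nibble, m = base register nibble):
#   D4 nm lo hi   MOV  Rwn, [Rwm + #data16]   data16 little-endian, DPP index in bits 15..14
#   68 n#         AND  Rwn, #data3            low nibble = 0bbb, mask 0..7
#   76 Fn lo hi   AND  Rwn, #data16
#   2D rr / 3D rr JMPR cc_Z, rel / JMPR cc_NZ, rel
IDIOM = re.compile(
    rb"\xD4(?P<regs>.)(?P<disp>.{2})"                             # mov Rn, [Rm+#d16]
    rb"(?:\x68(?P<m3>.)|\x76(?P<r16>[\xF0-\xFF])(?P<m16>.{2}))"   # and Rn, #mask
    rb"(?P<jmp>[\x2D\x3D])(?P<rel>.)",                            # jmpr cc_Z|cc_NZ, rel
    re.DOTALL,
)

# CW_CAN_R bit assignment, from the Funktionsrahmen table quoted in this thread.
CW_CAN_R_BITS = {
    0: "Gearbox 1", 1: "Gearbox 2", 2: "Brake 1", 3: "Airbag", 4: "LWS",
    5: "Kombi 1,2,3", 6: "Allrad 1", 7: "Bremse 3", 8: "Niveau 1", 9: "Clima 1",
    10: "Fahrwerk", 11: "ZAS", 12: "BSG_Last", 13: "CANSEN",
}


def bit_names(word: int):
    """Names of the message bits set in a 16-bit CW_CAN_R word (bit 0 first)."""
    return [CW_CAN_R_BITS.get(b, f"bit{b}") for b in range(16) if word >> b & 1]


@dataclass
class Hit:
    offset: int   # file offset of the MOV
    reg: int      # Rwn loaded and then masked
    base: int     # Rwm holding the data-page pointer
    disp: int     # full 16-bit displacement
    mask: int     # AND mask, i.e. the bits the code tests
    cond: str     # cc_Z or cc_NZ
    rel: int      # jmpr displacement byte

    def page_offset(self) -> int:
        return self.disp & 0x3FFF

    def candidate_addresses(self, pages=range(0x204, 0x208)):
        """Linear addresses the load would hit if the DPP pointed at each page in `pages` (assumed 16 KB pages)."""
        return [p * 0x4000 + self.page_offset() for p in pages]


def scan(image: bytes):
    """Return every load/mask/branch idiom whose MOV and AND use the same register."""
    hits = []
    for m in IDIOM.finditer(image):
        n, base = m["regs"][0] >> 4, m["regs"][0] & 0xF
        if m["m3"] is not None:
            b = m["m3"][0]
            if b >> 4 != n or b & 0x8:       # register mismatch or not a data3 encoding
                continue
            mask = b & 0x7
        else:
            if m["r16"][0] & 0xF != n:
                continue
            mask = int.from_bytes(m["m16"], "little")
        hits.append(Hit(m.start(), n, base, int.from_bytes(m["disp"], "little"),
                        mask, "cc_NZ" if m["jmp"] == b"\x3D" else "cc_Z", m["rel"][0]))
    return hits


def decode_cw_can_r(image: bytes, offset: int, variants: int = 2):
    """Read `variants` consecutive little-endian CW_CAN_R words (one per coding variant)."""
    words = [int.from_bytes(image[offset + 2 * i:offset + 2 * i + 2], "little") for i in range(variants)]
    return [(w, bit_names(w)) for w in words]


# Constructed image: two instances of the idiom near the start, a register-mismatch
# decoy, then the CW_CAN_R words at 0x1C098 (values from the thread; last two are stand-ins).
CODE = (
    b"\x00" * 8
    + bytes.fromhex("D4547A2C 6854 3D10")      # mov r5,[r4+2C7Ah]; and r5,#4; jmpr cc_NZ,+10h
    + b"\xCC" * 5
    + bytes.fromhex("D4219840 76F20400 2D05")  # mov r2,[r1+4098h]; and r2,#4; jmpr cc_Z,+5
    + bytes.fromhex("D4330010 6847 3D00")      # load went to r3 but AND uses r4: rejected
)
IMAGE = CODE + bytes(0x1C098 - len(CODE)) + bytes.fromhex("2000 2400 2400 2400")

if __name__ == "__main__":
    for h in scan(IMAGE):
        print(f"{h.offset:#07x}: mov r{h.reg},[r{h.base}+{h.disp:04X}h]; and r{h.reg},#{h.mask:#x}; "
              f"jmpr {h.cond} -> tests {bit_names(h.mask)}, page offset {h.page_offset():#06x}, "
              f"candidates {[hex(a) for a in h.candidate_addresses()]}")
    for i, (w, names) in enumerate(decode_cw_can_r(IMAGE, 0x1C098, 4)):
        print(f"CW_CAN_R_{i}_A @ {0x1C098 + 2 * i:#07x} = {w:#06x}: {names}")
```

Two points the scanner makes concrete: a mask of #4 is bit 2, i.e. "Botschaft Brake 1", which is why the `and r5, #4` in the opening post is the ABS reception check; and a data16 displacement of 4098h carries a page offset of 0x098, which with a DPP pointing at page 0x207 lands on 0x81C098, the "98 [0,4,8,c]0" byte pattern narotic was searching for. The decoder then reads the per-variant words at that offset and shows 0x0020 as Kombi only versus 0x0024 as Kombi plus Brake 1.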
ddillenger
« Reply #5 on: January 17, 2015, 04:41:45 PM »

05612 will disable the missing message from ABS code.

Kombi is instrument cluster.

narotic
« Reply #6 on: January 17, 2015, 04:56:31 PM »

Great. So the way I understood CW_CAN_R wasn't wrong after all?

I'll have my father try to change the coding using VAG-COM/VCDS. Anyways, many thanks again for the help, it's highly appreciated. This car is just a hobby project, so it's nice to be able to do as much as possible by ourselves while learning a thing or two along the way.
ddillenger
« Reply #7 on: January 17, 2015, 05:09:00 PM »

Nope, your interpretation seems spot on. I just think you're coded wrong.

narotic
« Reply #8 on: January 19, 2015, 07:18:33 AM »

Just a follow-up to let you know the ABS CAN-Bus error disappeared after recoding to 05612. In a sense I'm disappointed that it turned out to be so easy...

I guess my confusion came from the fact that 05612 is listed as having ABS. Of course, thinking about it CW_CAN_R determines merely reception of ABS messages by the ECU, not whether ABS works or not (the latter may well be implemented independently by the ABS module).
nyet
« Reply #9 on: January 19, 2015, 10:08:54 AM »

Quote from: narotic
Of course, thinking about it CW_CAN_R determines merely reception of ABS messages by the ECU, not whether ABS works or not (the latter may well be implemented independently by the ABS module).

More than that, CW_CAN_R determines what is considered an error: receiving an unexpected CAN message, or not receiving an expected CAN message.

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex