It's been super busy for me the last week or so, and will probably continue to be. But, there's a lot of cool stuff going on in here all of a sudden lol. I am not likely to be testing the ignition-based rev limiter since I have a WBO2 and catalytic converter on the car, but we'll get it figured out.
The way that the tables are accessed seems nuts to me. Like, super inefficient, especially considering how badly these ECUs could use more instruction cycles in the main loop at high RPM. Anyway, I will try to take a look through instruction areas that look like what you showed and trace them into the actual table accesses. I'd really like to see how they look-up and interpolate table values since the way that axes are defined seems like it would inherently eat way more instruction cycles than necessary.
The checksum is dead simple on these DME's. It just sums up all of the values in program memory from 0x0000 - 0x9FFF, EXCLUDING 0x3F00 - 0x3FFF in the full 40K binary dump (0x1F00:1FFF in the EPROM) and truncates them to a 16 bit value, which is stored at 0x3F00:3F01. The value of 46367 from my previous post is simply the sum of the 8K internal program memory of the SAB80C515 MCU, which is mainly just interrupt vectors and some other stuff I am unsure of. I used the constant because I had not yet dumped the internal MCU program memory. This is identical in M1.3 & M1.7, and probably others. The IDA project based on "TotalCombinedROM" uses a binary I made by dumping the MCU's internal 8K via the K-line and combining it with the 32K from the EPROM (well, actually I just tapped an Arduino directly into the MCU's UART).
-
I added the M1.7 checksum to my web app a while back. I also tested it on a couple other DMEs (such as the M70) and it worked fine. Would be cool to extend it to 1.3, even if 1.7 is much improved 1.3 is far more common on the E30.Leave a comment:
-
Checksum DLL for tuner pro
If someone here knows and is willing to share how the M1.7 checksum or checksums work and are calculated i can make a plugin for tunerpro RT that will auto correct the checksum. i'll include the source code for it so others can expand on that and make checksum plugins for other DME's.Leave a comment:
-
High speed logging output base
I made a base high speed logging output file for M1.7. This is made from an audi M2.3.2 file that i made several months back. The RAM variables are not right for the output but the base is there. i corrected all the jumps so that everything flows correctly and keeps logic with this code. over all it still needs work but could be tested using a freeware program called coolterm. coolterm will show the raw hex code output on a serial port. the baud rate for this is 187500 which is the maximum that the processor can output.
for hardware you will need to use a generic blue VAG cable or a BMW K+DCAN cable connected to the K-line. how it should work is when the key is on and engine in not running you have access to the factory diagnostics but when the car is running the high speed data logging protocol takes over and starts constant output.
The suggested RAM variables along with their equations that need to be found/added to this are
-RPM in RAM
-Ignition angle in RAM
-coolant temp in RAM
-intake air temp in RAM
-injector constant in RAM
-Injector dead time in RAM
-Injector on time high and low bytes in RAM
-wheel speed in RAM
-TPS position through ADC
-Load (preferribly 16bit because load could be uncapped) in RAM
-MAF voltage
-Knock control retard degree or counts of knock in RAM
Also a wideband input could be added for logging as well, how i did it before was i found a spare unused ADC input on the processor and wired the 0-5V output from my zeitronix wideband controller into that. also using the ZT-3 controller it will simulate the 0-1V output of the stock lambda controller too! the ZT-3 is the best bang for the buck wideband controller on the market with both 0-5V and 0-1V dual outputs!
With something like this working it will make the job of reverse engineering the rest of the ECU a heck of a lot easier because you can just change RAM variables and see what your output is. The other end of this that will need to be setup is a tuner pro RT ADX definition and dash layout. for now though using coolterm to get the logging output working is the first step. if you can get data to flow and see the raw hex in coolterm than you have something thats working.
in coolterm you need to add 187500 baud to the through adding baudrates.ini file to the cooltermwin folder. you can make this with a text editor. in the baudrates.ini file add this and save the ini file.this is all i can do because i dont own an E30 to test anything with so someone with 8051 knowledge, a moates ostrich emulator and some free time in their hands will have to develop this further.Code:[baudrates] 187500=187500
files attached are an IDB for IDA 7.0 that has the logging code patched in and the BIN file itself that is a direct output from the IDB.
for those who dont have IDA 7.0 and have to run the BIN through an older version the logging code is at the addresses in the code windows below.
Code:ode:000006C0 code:000006C0 ; =============== S U B R O U T I N E ======================================= code:000006C0 code:000006C0 code:000006C0 code_6C0: ; CODE XREF: code_809D↓j code:000006C0 code:000006C0 ; FUNCTION CHUNK AT code:000080A0 SIZE 000000D1 BYTES code:000006C0 code:000006C0 20 24 15 jb RAM_24.4, code_6D8 ; Jump if Bit is set code:000006C3 E5 3B mov A, RAM_3B ; Move (Op1 <- Op2) code:000006C5 70 0B jnz code_6D2 ; Jump if Acc is not zero code:000006C7 90 BE 00 mov DPTR, #code_BE00 ; Move (Op1 <- Op2) code:000006CA 12 9E C2 lcall code_9EC2 ; Long Subroutine Call code:000006CD F4 cpl A ; Complement Operand code:000006CE 60 02 jz code_6D2 ; Jump if Acc is zero code:000006D0 D2 24 setb RAM_24.4 ; Set Direct Bit code:000006D2 code:000006D2 code_6D2: ; CODE XREF: code_6C0+5↑j code:000006D2 ; code_6C0+E↑j ... code:000006D2 90 44 F5 mov DPTR, #code_44F5 ; Move (Op1 <- Op2) code:000006D5 02 80 A0 ljmp code_80A0 ; Long Jump code:000006D8 ; --------------------------------------------------------------------------- code:000006D8 code:000006D8 code_6D8: ; CODE XREF: code_6C0↑j code:000006D8 E5 3B mov A, RAM_3B ; Move (Op1 <- Op2) code:000006DA B4 0A 00 cjne A, #0xA, code_6DD ; Compare Operands and JNE code:000006DD code:000006DD code_6DD: ; CODE XREF: code_6C0+1A↑j code:000006DD 40 F3 jc code_6D2 ; Jump if Carry is set code:000006DF 75 87 80 mov PCON, #0x80 ; Power Control Register code:000006E2 75 98 E8 mov SCON, #0xE8 ; Serial Channel Control Register code:000006E5 75 A0 00 mov P2, #0 ; Port 2 code:000006E8 30 AC 01 jnb ES, Logging_Variables ; Interrupt Enable Register 0 code:000006EB 22 ret ; Return from subroutine code:000006EC ; --------------------------------------------------------------------------- code:000006EC code:000006EC Logging_Variables: ; CODE XREF: code_6C0+28↑j code:000006EC 78 AF mov R0, #0xAF ; Move (Op1 <- Op2) code:000006EE 08 inc R0 ; Increment Operand code:000006EF 74 FD mov A, #0xFD ; Move (Op1 <- Op2) code:000006F1 F2 movx @R0, A ; Move from/to external RAM code:000006F2 08 inc R0 ; Increment Operand code:000006F3 E5 3A mov A, RAM_3A ; RPM code:000006F5 F2 movx @R0, A ; Move from/to external RAM code:000006F6 08 inc R0 ; Increment Operand code:000006F7 E5 3F mov A, RAM_3F ; Load code:000006F9 F2 movx @R0, A ; Move from/to external RAM code:000006FA 08 inc R0 ; Increment Operand code:000006FB E5 36 mov A, RAM_36 ; Battery code:000006FD F2 movx @R0, A ; Move from/to external RAM code:000006FE 08 inc R0 ; Increment Operand code:000006FF E5 37 mov A, RAM_37 ; IAT code:00000701 F2 movx @R0, A ; Move from/to external RAM code:00000702 08 inc R0 ; Increment Operand code:00000703 E5 38 mov A, RAM_38 ; CLT code:00000705 F2 movx @R0, A ; Move from/to external RAM code:00000706 08 inc R0 ; Increment Operand code:00000707 90 BE 00 mov DPTR, #0xBE00 ; TPS code:0000070A 12 9E C2 lcall code_9EC2 ; Long Subroutine Call code:0000070D F2 movx @R0, A ; Move from/to external RAM code:0000070E 08 inc R0 ; Increment Operand code:0000070F 79 5F mov R1, #0x5F ; '_' ; Move (Op1 <- Op2) code:00000711 E3 movx A, @R1 ; Move from/to external RAM code:00000712 F2 movx @R0, A ; Move from/to external RAM code:00000713 08 inc R0 ; Increment Operand code:00000714 E5 54 mov A, RAM_54 ; IGN angle code:00000716 F2 movx @R0, A ; Move from/to external RAM code:00000717 08 inc R0 ; Increment Operand code:00000718 E5 5E mov A, RAM_5E ; Injector High byte code:0000071A F2 movx @R0, A ; Move from/to external RAM code:0000071B 08 inc R0 ; Increment Operand code:0000071C E5 5F mov A, RAM_5F ; Injector Low byte code:0000071E F2 movx @R0, A ; Move from/to external RAM code:0000071F 08 inc R0 ; Increment Operand code:00000720 75 A0 01 mov P2, #1 ; Wheel speed input code:00000723 79 70 mov R1, #0x70 ; 'p' ; Move (Op1 <- Op2) code:00000725 E3 movx A, @R1 ; Move from/to external RAM code:00000726 75 A0 00 mov P2, #0 ; Port 2 code:00000729 F2 movx @R0, A ; Move from/to external RAM code:0000072A 08 inc R0 ; Increment Operand code:0000072B 79 E8 mov R1, #0xE8 ; Move (Op1 <- Op2) code:0000072D E7 mov A, @R1 ; Move (Op1 <- Op2) code:0000072E F2 movx @R0, A ; Move from/to external RAM code:0000072F 08 inc R0 ; Increment Operand code:00000730 79 EA mov R1, #0xEA ; Move (Op1 <- Op2) code:00000732 E7 mov A, @R1 ; Move (Op1 <- Op2) code:00000733 F2 movx @R0, A ; Move from/to external RAM code:00000734 08 inc R0 ; Increment Operand code:00000735 90 63 72 mov DPTR, #0x6372 ; Injector Constant code:00000738 E4 clr A ; Clear Operand (0) code:00000739 93 movc A, @A+DPTR ; Move code byte relative to second op to Acc code:0000073A F2 movx @R0, A ; Move from/to external RAM code:0000073B 08 inc R0 ; Increment Operand code:0000073C E5 5A mov A, RAM_5A ; Move (Op1 <- Op2) code:0000073E F2 movx @R0, A ; Move from/to external RAM code:0000073F 08 inc R0 ; Increment Operand code:00000740 E5 5B mov A, RAM_5B ; Move (Op1 <- Op2) code:00000742 F2 movx @R0, A ; Move from/to external RAM code:00000743 08 inc R0 ; Increment Operand code:00000744 E5 5C mov A, RAM_5C ; Move (Op1 <- Op2) code:00000746 F2 movx @R0, A ; Move from/to external RAM code:00000747 E8 mov A, R0 ; Move (Op1 <- Op2) code:00000748 94 AF subb A, #0xAF ; Subtract Second Operand from Acc with Borrow code:0000074A 78 AF mov R0, #0xAF ; Move (Op1 <- Op2) code:0000074C F2 movx @R0, A ; Move from/to external RAM code:0000074D D2 AC setb ES ; Interrupt Enable Register 0 code:0000074F 75 99 FE mov SBUF, #0xFE ; Serial Channel Buffer Register code:00000752 22 ret ; Return from subroutine code:00000752 ; End of function code_6C0 code:00000752 code:00000752 ; ---------------------------------------------------------------------------
your welcome guys! remember, this is my hobby so im doing this for fun. i dont own an E30 nor a BMW anymore, its been years since i owned one and dont plan on owning another one unless its a free car to develop on.Code:ode:00000760 code:00000760 ; =============== S U B R O U T I N E ======================================= code:00000760 code:00000760 code:00000760 RI_TI_0_1: ; CODE XREF: RI_TI_0↓j code:00000760 20 24 07 jb RAM_24.4, code_76A ; Jump if Bit is set code:00000763 02 89 60 ljmp RI_TI_0_0 ; Long Jump code:00000766 ; --------------------------------------------------------------------------- code:00000766 20 99 01 jb TI, code_76A ; Serial Channel Control Register code:00000769 32 reti ; Return from Interrupt code:0000076A ; --------------------------------------------------------------------------- code:0000076A code:0000076A code_76A: ; CODE XREF: RI_TI_0_1↑j code:0000076A ; RI_TI_0_1+6↑j code:0000076A C0 83 push DPH ; Data Pointer, High Byte code:0000076C C0 82 push DPL ; Data Pointer, Low Byte code:0000076E C0 E0 push ACC ; Accumulator code:00000770 C2 99 clr TI ; Serial Channel Control Register code:00000772 90 00 AF mov DPTR, #0xAF ; Move (Op1 <- Op2) code:00000775 E0 movx A, @DPTR ; Move from/to external RAM code:00000776 70 09 jnz code_781 ; Jump if Acc is not zero code:00000778 C2 AC clr ES ; Interrupt Enable Register 0 code:0000077A D0 E0 pop ACC ; Accumulator code:0000077C D0 82 pop DPL ; Data Pointer, Low Byte code:0000077E D0 83 pop DPH ; Data Pointer, High Byte code:00000780 32 reti ; Return from Interrupt code:00000781 ; --------------------------------------------------------------------------- code:00000781 code:00000781 code_781: ; CODE XREF: RI_TI_0_1+16↑j code:00000781 C0 D0 push PSW ; Program Status Word Register code:00000783 14 dec A ; Decrement Operand code:00000784 F0 movx @DPTR, A ; Move from/to external RAM code:00000785 24 B0 add A, #0xB0 ; Add Second Operand to Acc code:00000787 F5 82 mov DPL, A ; Data Pointer, Low Byte code:00000789 E0 movx A, @DPTR ; Move from/to external RAM code:0000078A F5 99 mov SBUF, A ; Serial Channel Buffer Register code:0000078C D0 D0 pop PSW ; Program Status Word Register code:0000078E D0 E0 pop ACC ; Accumulator code:00000790 D0 82 pop DPL ; Data Pointer, Low Byte code:00000792 D0 83 pop DPH ; Data Pointer, High Byte code:00000794 32 reti ; Return from Interrupt code:00000794 ; End of function RI_TI_0_1 code:00000794 code:00000794 ; ---------------------------------------------------------------------------
Last edited by vwnut8392; 01-05-2019, 02:11 PM.Leave a comment:
-
Spark Cut RPM Limiter test file
Here is a quick dirty file i patched that has a hard spark RPM limiter. this file is an output from biela's IDB file so its stock with only my code changes. i would only suggest someone with a chip emulator like a moates ostrich and understands how to use tuner pro RT to test this because some of the variables will have to be adjusted to see if its going to work right.
to test it open tuner pro RT and load an XDF that matches this BIN. you will have add a few new things to your XDF.
RPM Limit hex address=0x4127 equation=X*40
Ignition Dwell Angle address=0x412D equation=0.75*(X-30)
Actual Ignition Angle address=0x4130 equation=0.75*(X-30) This is ATDC not BTDC
Set the RPM to something like 3000RPM to test this. i suggest leaving the dwell angle maxed out and adjusting the actual ignition angle at first. what this does is force false values into RAM than the right values right after. This will create a sort of fast on/off ignition cut. this has worked in several audi motronics so i dont see why it wont work here. someone test this and report back if it works since i dont have a test car. videos are always cool too!
and remember to remove the .pdf from the file because its a bin file. also checksum is corrected on this file at its current settings. This could easily turn into a launch control and flat shift as well.
also on another note 3000RPM might be too low of an RPM to test at so if it does not activate at 3000 move to 3500 than 4000 etc. for testing go no higher than 5000RPM. you dont have to floor the car, applying light throttle till you reach whatever RPM you set and see if the engine stutters or stops revving than if that works you can have a little fun and floor it. this is suggest for cars with no cat and a free flowing exhaust.Last edited by vwnut8392; 01-04-2019, 10:40 PM.Leave a comment:
-
Spark cut launch control, flat shift and RPM limiter
well after sifting through biela's IDB file i have a solution for the addition of these 3 features. now to find unused grounding inputs that would have been used for automatic cars or just spare ones to wire in a clutch switch. also gotta find wheel speed in RAM. if the add on code is written properly which i know i can do there will be a timing retard than a hard spark cut based off RPM. the old E30 M1.7 could just be starting to get interesting!Leave a comment:
-
how most of the mapping/constants is accessed is indirect. i'll give an example.Originally posted by biela View Post
Im starting at 0x21C6
from here we want to look atCode:code:000021C6 ; FUNCTION CHUNK AT code:000073AF SIZE 0000014F BYTES code:000021C6 code:000021C6 lcall code_7BEE ; Long Subroutine Call code:000021C9 ljmp code_73AF ; Long Jump code:000021C9 ; End of function code_21C6_Aslave
which gives us this. Note the stuff in red.Code:code:000021C6 lcall code_7BEE ; Long Subroutine Call
now that we know these addresses we need to go back to 0x21C6 and than followCode:code:00007BEE ; =============== S U B R O U T I N E ======================================= code:00007BEE code:00007BEE code:00007BEE code_7BEE: ; CODE XREF: code_21C6_Aslavep code:00007BEE mov RAM_73_TAB_ADD_H, #0x46 ; 'F' ; [COLOR="Red"]0x46E8[/COLOR] code:00007BF1 mov RAM_74_TAB_ADD_L, #0xE8 ; 'F' ; Move (Op1 <- Op2) code:00007BF4 mov RAM_75_TAB_IND_H, #0x41 ; 'A' ; [COLOR="Red"]0x4110[/COLOR] code:00007BF7 mov RAM_76_TAB_IND_L, #0x10 ; Move (Op1 <- Op2) code:00007BFA mov R0, #0xBA ; '¦' ; Move (Op1 <- Op2) code:00007BFC mov A, @R0 ; Move (Op1 <- Op2) code:00007BFD jb ACC1, code_7C04 ; Accumulator code:00007C00 mov DPTR, [COLOR="red"]#code_459D[/COLOR] ; [COLOR="Red"]Constant value @ 0x459D[/COLOR]
once at 0x73AF scroll down a little till you find this.Code:code:000021C9 ljmp code_73AF ; Long Jump
you notice mov A, #4. what we do here is take the constant we seen in 0x7BEE which is 0x459D and add 4 to it which gives us 0x45A1. this is the constant that is referenced at this given point. most of the constants will be referenced in this manner instead of them being directly accessed with DPTR.Code:code:000073D9 mov A, #4 ; Move (Op1 <- Op2) code:000073DB movc A, @A+DPTR ; Move code byte relative to second op to Acc
hopefully you guys will see the trend in the references. you have to start in the area where i started to get the base starting point to know what constant and map is used as the starting point.
also on another note while we looking at this point in the disassembly look above the first constant reference i used as an example, you will notice thismov DPTR, #BE04 is referencing analog input 04 on the processor. any place you see DPTR, #BEXX is an analog input reference. they are potentially 0 to 7 analog inputs available.Code:code:000073CA mov DPTR, #0xBE04 ; Move (Op1 <- Op2) code:000073CD lcall code_9EC2_ADRead ; Long Subroutine Call
Now for table accesses. Note things in red.
Im going to start here
Code:0000339D ; Attributes: thunk code:0000339D code:0000339D code_339D_Bmast: ; CODE XREF: RESET_0+5FBCp code:0000339D ljmp code_211E ; Long Jump code:0000339D ; End of function code_339D_Bmast
at 0x211E we have this, follow to 0x793D first.
Code::0000211E ; FUNCTION CHUNK AT code:000033A0 SIZE 000000FB BYTES code:0000211E code:0000211E 12 79 3D lcall code_793D_add_ind ; Long Subroutine Call code:00002121 02 33 A0 ljmp code_33A0 ; Long Jump code:00002121 ; End of function code_211E
now you have your base addresses again, jump back to 0x211E than followCode:code:0000793D code_793D_add_ind: ; CODE XREF: code_211Ep code:0000793D 75 73 45 mov RAM_73_TAB_ADD_H, #[COLOR="red"]0x45[/COLOR] ; 'E' ; [COLOR="red"]0x45C4-base table reference[/COLOR] code:00007940 75 74 C4 mov RAM_74_TAB_ADD_L, #[COLOR="red"]0xC4[/COLOR] ; '-' ; Move (Op1 <- Op2) code:00007943 78 BA mov R0, #0xBA ; '¦' ; Move (Op1 <- Op2) code:00007945 E6 mov A, @R0 ; Move (Op1 <- Op2) code:00007946 20 E1 05 jb ACC1, code_794E ; Accumulator code:00007949 75 2E CF mov RAM_2E, #0xCF ; '-' ; Move (Op1 <- Op2) code:0000794C 80 03 sjmp code_7951 ; Short jump code:0000794E ; --------------------------------------------------------------------------- code:0000794E code:0000794E code_794E: ; CODE XREF: code_793D_add_ind+9j code:0000794E 75 2E DF mov RAM_2E, #0xDF ; '¯' ; Move (Op1 <- Op2) code:00007951 code:00007951 code_7951: ; CODE XREF: code_793D_add_ind+Fj code:00007951 90 43 20 mov [COLOR="red"]DPTR, #code_4320[/COLOR] ; [COLOR="red"]0x4320-base constant reference[/COLOR] code:00007954 75 75 40 mov RAM_75_TAB_IND_H, #0x40 ; '@' ; 0x4002 code:00007957 75 76 02 mov RAM_76_TAB_IND_L, #2 ; Move (Op1 <- Op2) code:0000795A 22 ret ; Return from subroutine code:0000795A ; End of function code_793D_add_ind
once there you should alread be able to locate the constants for this area based on my info above so we are going to look for table accesses.Code::00002121 02 33 A0 ljmp code_33A0 ; Long Jump
scroll down till you find this
mov R2, #X and lcall to table access is what we are looking for. in this case are have R2, #0 so the point in the master map table thats looked at is 0x45C4 which points to the actual map at 0x4855. this is a map that uses RAM 0x37 and is a 4x1 table. If you find for example R2, #3 than lcall to table access the #3 means you take your base address which is 0x45C4 than jump 3 down and you have the table being accessed through the master map table. over all there are several different ways maps and constants are accessed but this one is the most difficult to figure out normally. hope this helps you guys!Code:code:000033ED 7A 00 mov R2, #0 ; Move (Op1 <- Op2) code:000033EF 12 04 00 lcall code_400_TableAccess ; Long Subroutine Call
I have attached a revised version of the IDB posted by biela with the master map table setup and the analog inputs base setup along with a database notes tab with changes i personally made.Last edited by vwnut8392; 01-03-2019, 05:05 PM.Leave a comment:
-
Hello
I have attached an ida project from M1.7 ecu.
I think i have found table access to 2D or 3D maps.
Some subroutines (that are similar to older ecus) have names.
All comments are welcome.
ThanksLeave a comment:
-
Heres a little tool i found in my archive of stuff. its a tool to correct the checksum for M1.3 and a few other motronics. I have it as a PDF file but its really a ZIP file so rename the extension to .zip from .pdf.Leave a comment:
-
no one really released a fully documented IDB for M2.3.2. i have one i made myself based on PRJ's speed density files. I also have the factory bosch M2.3.2 ECU schematics, damos, and function sheets for both motor and boost chips so im pretty far ahead in that game.Originally posted by bmwman91 View Post
I did make a hard spark cut launch control and rev limiter for one of the E30 ECU's for a guy in germany as a one off project. it was pretty easy to do because the part of the ignition/load routine that gets jumped out for the custom launch control code is virtually identical in all of the old 8051 based motronics. even though it wasnt a turbo car it would spit like 3 feet of fire out the exhaust and sounded like a machine gun lol. a false crank angle value and a ton of timing retard does really really fun stuff lol.
if you have an IDB file you would be willing to share with me from a 1.7.3 ECU i'll look at it and see what i can quickly make based on my knowledge on M2.3.2. i just dont have the time to sit down and start an IDB from scratch. i'll add jim C's commenting to that too and send it back your way for personal reference. Jim doesnt care if i share an IDB with a few guys, he just doesnt want the info to be full blown public.
Making a logging protocol should be easy with a few jumps out of the main loop in strategic places where the factory diag is accessed. i mean within reason the factory diag is pretty much useless in this day and age.
as for the wideband i thought about that on M2.3.2 but i realized it worked well as it was because the stock 02 sensor is only really referenced in part throttle driving and idle, when in boost or WOT above a certain load threshold the the ECU goes open loop and just follows the mapping directly for the most part which is nice.
Another thing i did on the M2.3.2 front was on the old audi 200 20V turbo. what i did was convert the MAF scalars into a 16x16 VE table for fueling and added an IAT compensation table that goes along with the VE table for ease of fuel tuning. basically i set the injector constant as per what FPR im running, than just tune the VE table till i get the fueling that i want and tweak the IAT compensation table around a little as per the car im working with. in M2.3.2 there are also scalars that can be used to adjust the resolution of the 16x16 VE table as well which is pretty cool. they are essentially adders that are in place before the VE table. this is all based on PRJ's findings and developments but it definitely works. my 200 20V turbo sedan runs circles around any of the other ones in my area and its a stock car with an exhaust and a K&N drop in air filter lol.Leave a comment:
-
The VAF outputs a 0-5V signal proportional to air flow. My car currently runs a MAF, but I had to develop a real time signal processing box to do it properly. It converts from one transfer function to another, uses IAT to correct for density (mass flow to volume flow) and does some hefty low pass filtering since the MAF's response time constant is like 1/100th of the VAF's (and the ECU waffleswaffleswaffles snot sample nearly fast enough or at the right crank angles to deal with this at WOT when you can resolve individual intake pulses).
M1.7 on the E30 also uses a proper TPS. The M20-powered cars (325) that used a switch. So that much is already there at least.
My thought with the WBO2 was to use the full 0-5V output range for better accuracy (100-900mV is only ~41 counts on an 8 bit ADC with a 5V reference). I am currently running a 14point7 SLC with the NB simulated output.
DAMOS for E30 ECUs...man I wish. To the best of my knowledge, the only one ever dumped on the web was for a Group B M3 or something like that. I forget which ECU it used, but it was a very early Motronic 1.x.
I hear you on the proprietary info thing. As much as I'd like to see it, I am a big fan of small businesses and stuff, so it's probably best not to put JimC's stuff out on the web. But if you learned a lot from it and had put together an IDA project, then that seems fine. What all got put out there for M2.3.2.? Was any of the m232.org stuff commented or in a project format?Leave a comment:
-
MAF would be a hardware mod just like it is in M2.3.2. now im not sure how the BMW AFM works on the hardware level but it may be more difficult to do than M2.3.2 due to the fact that M2.3.2 is already a hot wire MAF and we just converted to a hot film sensor by reconfiguring the voltage divider circuit on the ECU.Originally posted by bmwman91 View Post
yes MAP doesnt work well alone, thats why it is necessary to add alpha-N blending to the equation for sharp throttle movements and such till the MAP sensor catches up with the rest of what the engine is doing. this post from RASP indicates to me that the 1.7.3 ECU is the one you want to work with if you want to do speed density and turbo setup. seeing that he said about VAF limp mode by throttle position, wall film enrichment and IAT compensation are all good indicators. https://www.r3vlimited.com/board/sho...7&postcount=34
wideband isnt really useful for anything else other than data logging in the ECU. S600 doesnt need to be bypassed for logging a 0-5V signal from a wideband controller. i use zeitronix ZT-3 wideband controller which has 2 outputs. one is 0-5V wideband signal and the second is a 0-1V simulated narrowband signal for the ECU to run in closed loop on.
One suggestion i do have is to build a small database in a google drive or some sort of online cloud file storage with stock BIN files for people to download from the various ECU's used in the E30 along with any technical documents like DAMOS files, function sheets etc. already disassembled IDB files are always nice as well.
one thing i do have but im not sure if im allowed to release it is a disassembly of an E30 ECU from jim conforti. he gave it to me a few years ago. its basically an output in a text file with commenting but i did start to convert it over to IDA pro for easier reference. now if i can remember where i put it on my personal server lol.Last edited by vwnut8392; 12-30-2018, 12:59 PM.Leave a comment:
-
Hey vwnut, welcome! Thanks for popping in with some useful technical info. There was a period of time where I was in the big M2.3.2 thread before it turned into a subforum of its own. Do the various modified binaries/IDA projects for M2.3.2 on m232.org (or somewhere else?) have comments in them describing what is what? It has been a while since I worked on this at all since I ended up getting a proper remap for my engine.
Features that would be super cool to add would be MAF (not quite as fast as MAP, but VE changes do not affect its calibration) and a WBO2 sensor. The MAF would definitely require some firmware work since it is extremely sensitive and the signal would need to be sampled at specific crank angles to get an aggregate flow value. For WBO2, it would mean bypassing S600 and probably buffering the signal directly to the 8051's ADC, but it would allow for some really amazing new tuning capabilities.Leave a comment:
Leave a comment: