I tried doing local heating with a heater like that on the M1.7, and that is how I ended up with bubbles in the layers. The thermal expansion of the board in small local areas was too much since the surrounding areas were cooler, and the stresses from this separated layers. So I think that a small toasting oven should work better since the whole board will heat at the same rate. I have been wanting to build a reflow soldering oven for a while anyway, and a solid state relay with an Arduino and K-type thermocouple should be about all I need to make a regular toaster oven into a PID-controlled soldering oven. But, I will do that later, all I need for now is to heat the PCB to ~200°C.
-
-
OK, I have a new thread specific to M1.7.3 efforts. This one has a lot of good info on M1.7.x and it is very long already. So, work will continue here:
Thanks!Comment
-
Rasp, are there definitions for other Motronic ECU's such as M1.3? Also, is the source code for the program available? I'd like to pot it into a microcontroller, and seeing the source would be a big help.Originally posted by Rasp View PostIf you want play with Motronic datalogging RAM variables by K2 protocol with standart baudrate 9600, you can use KWP71Diag tool https://mega.nz/#!jU8A1ZYA!ajEXKoQy_...hmoGrmZh3r0T54
with predefined config to M1.7-M1.7.3
This program will work with simple VAG COM KKL 409.1 adapter, but only with FTDI chip!
Virtual COM port must be configured:
URL: www.dsylva-tech.caComment
-
Hello
Great job here!
I have loaded TotalCombinedROM.bin in IDA, following Rasp indications.
Trying to understand the code but, can anybody post a simple function explained? Like calls to 2D or 3D tables.
ThanksRacing is life. Anything that happens before or after is just waitingComment
-
Wow! This thread is way above my head, but I think it's fascinating. Nice work!Comment
-
nice to see the BMW community doing some reversing of the old motronics! you guys make me wish i still had my E30 so i could join in the fun! ive done a lot of work on PRJ's audi M2.3.2 stuff like the high speed logging, the speed density conversion etc. i'd have to disassemble an E30 BIN but if all my findings from looking at all the other 8051 based motronics falls true than you can simply study what was done in the audi M2.3.2 binary files and relate it almost directly to the E30 files. not everything is going to line up but you have to realize that all the old 8051 based chips regardless of who the car manufacturer was created with bosch's assembler and they didnt exactly go out of their way to make radical changes in the software as per the manufacturer they was making it for, they just put things in different places and worded things differently per say.
when i say worded things differently like in some BIN files i found that the analog inputs are accessed withthan the raw value is moved the ADC converter. The other way i have seen isCode:mov DPTR, #BE06
. the both achieve the same thing essentially but they are just done in different ways. The other thing i found is sometimes they have indirect constant and table addressing while other times its a direct address to a table or constant via DPTR.Code:mov ADCON1, #6
For making a high speed logging output that should not be too difficult. the max baud rate of the siemens based 8051 processor is 187500baud. All you have to do is find the original factory data output in the code and where it starts. than from that point jump out to some custom code that will essentially grab whatever variables from RAM and push them out through the processors serial port over the K-line. In the case of M2.3.2 high speed logging it was told to send 0xAA and 0xBB before the RAM variables, sending these 2 bits is a good way to tell software like tuner pro RT that the ECU is sending data and to watch for these 2 bits to start the live reading.
Here is an example of test logging code i made for M2.3.2 motor chip for audi 200 20v turbo. fyi the audi motronic has 2 ECU's in one, one to control the timing/fueling and the other is boost control/knock control. the code from the boost processor/chip would be useless in the BMW application.
A true speed density conversion would be possible with an external MAP sensor wired into the MAF's signal wire but i feel it would also require some ECU hardware modifications to get a proper signal to the processor. Than there would have to be software modifications as well to compensate for the MAP sensor. also if i remember correctly only automatic E30's had a TPS sensor where as the manual ones had only closed and WOT? if thats true than everyone would need to convert to the auto TPS sensor because a sort of alpha-N blending is necessary with speed density in motronic for sharp throttle movements. basically theres a bit to the speed density conversion but i wont get into that right now.Code:code:00005B30 code:00005B30 ; =============== S U B R O U T I N E ======================================= code:00005B30 code:00005B30 code:00005B30 code_5B30: ; CODE XREF: code_3C4E↑p code:00005B30 20 24 15 jb RAM_24.4, code_5B48 ; Jump if Bit is set code:00005B33 E5 3A mov A, RAM_3A ; Move (Op1 <- Op2) code:00005B35 70 0B jnz code_5B42 ; Jump if Acc is not zero code:00005B37 90 BE 00 mov DPTR, #0xBE00 ; Move (Op1 <- Op2) code:00005B3A 12 13 5D lcall code_135D ; Long Subroutine Call code:00005B3D F4 cpl A ; Complement Operand code:00005B3E 60 02 jz code_5B42 ; Jump if Acc is zero code:00005B40 D2 24 setb RAM_24.4 ; Set Direct Bit code:00005B42 code:00005B42 code_5B42: ; CODE XREF: code_5B30+5↑j code:00005B42 ; code_5B30+E↑j ... code:00005B42 12 34 08 lcall code_3408 ; Long Subroutine Call code:00005B45 02 3C 51 ljmp code_3C51 ; Long Jump code:00005B48 ; --------------------------------------------------------------------------- code:00005B48 code:00005B48 code_5B48: ; CODE XREF: code_5B30↑j code:00005B48 E5 3A mov A, RAM_3A ; Move (Op1 <- Op2) code:00005B4A B4 0A 00 cjne A, #0xA, code_5B4D ; Compare Operands and JNE code:00005B4D code:00005B4D code_5B4D: ; CODE XREF: code_5B30+1A↑j code:00005B4D 40 F3 jc code_5B42 ; Jump if Carry is set code:00005B4F 75 87 80 mov PCON, #0x80 ; Power Control Register code:00005B52 75 98 E8 mov SCON, #0xE8 ; Serial Channel Control Reg. code:00005B55 75 A0 00 mov P2, #0 ; Port 2 code:00005B58 30 AC 01 jnb IEN0.4, code_5B5C ; Interrupt Enable Register 0 code:00005B5B 22 ret ; Return from subroutine code:00005B5C ; --------------------------------------------------------------------------- code:00005B5C code:00005B5C code_5B5C: ; CODE XREF: code_5B30+28↑j code:00005B5C 78 AF mov R0, #0xAF ; Move (Op1 <- Op2) code:00005B5E 08 inc R0 ; Increment Operand code:00005B5F 74 FD mov A, #0xFD ; Move (Op1 <- Op2) code:00005B61 F2 movx @R0, A ; Move from/to external RAM code:00005B62 08 inc R0 ; Increment Operand code:00005B63 E5 3A mov A, RAM_3A ; Move (Op1 <- Op2) code:00005B65 F2 movx @R0, A ; Move from/to external RAM code:00005B66 08 inc R0 ; Increment Operand code:00005B67 E5 3F mov A, RAM_3F ; Move (Op1 <- Op2) code:00005B69 F2 movx @R0, A ; Move from/to external RAM code:00005B6A 08 inc R0 ; Increment Operand code:00005B6B E5 36 mov A, RAM_36 ; Move (Op1 <- Op2) code:00005B6D F2 movx @R0, A ; Move from/to external RAM code:00005B6E 08 inc R0 ; Increment Operand code:00005B6F E5 37 mov A, RAM_37 ; Move (Op1 <- Op2) code:00005B71 F2 movx @R0, A ; Move from/to external RAM code:00005B72 08 inc R0 ; Increment Operand code:00005B73 E5 38 mov A, RAM_38 ; Move (Op1 <- Op2) code:00005B75 F2 movx @R0, A ; Move from/to external RAM code:00005B76 08 inc R0 ; Increment Operand code:00005B77 90 BE 00 mov DPTR, #0xBE00 ; Move (Op1 <- Op2) code:00005B7A 12 13 5D lcall code_135D ; Long Subroutine Call code:00005B7D F2 movx @R0, A ; Move from/to external RAM code:00005B7E 08 inc R0 ; Increment Operand code:00005B7F 79 5F mov R1, #0x5F ; '_' ; Move (Op1 <- Op2) code:00005B81 E3 movx A, @R1 ; Move from/to external RAM code:00005B82 F2 movx @R0, A ; Move from/to external RAM code:00005B83 08 inc R0 ; Increment Operand code:00005B84 E5 54 mov A, RAM_54 ; Move (Op1 <- Op2) code:00005B86 F2 movx @R0, A ; Move from/to external RAM code:00005B87 08 inc R0 ; Increment Operand code:00005B88 E5 5E mov A, RAM_5E ; Move (Op1 <- Op2) code:00005B8A F2 movx @R0, A ; Move from/to external RAM code:00005B8B 08 inc R0 ; Increment Operand code:00005B8C E5 5F mov A, RAM_5F ; Move (Op1 <- Op2) code:00005B8E F2 movx @R0, A ; Move from/to external RAM code:00005B8F 08 inc R0 ; Increment Operand code:00005B90 E5 6F mov A, RAM_6F ; Move (Op1 <- Op2) code:00005B92 F2 movx @R0, A ; Move from/to external RAM code:00005B93 08 inc R0 ; Increment Operand code:00005B94 75 A0 01 mov P2, #1 ; Port 2 code:00005B97 79 70 mov R1, #0x70 ; 'p' ; Move (Op1 <- Op2) code:00005B99 E3 movx A, @R1 ; Move from/to external RAM code:00005B9A 75 A0 00 mov P2, #0 ; Port 2 code:00005B9D F2 movx @R0, A ; Move from/to external RAM code:00005B9E 08 inc R0 ; Increment Operand code:00005B9F 12 5B C5 lcall code_5BC5 ; Long Subroutine Call code:00005BA2 F2 movx @R0, A ; Move from/to external RAM code:00005BA3 08 inc R0 ; Increment Operand code:00005BA4 79 20 mov R1, #0x20 ; ' ' ; Move (Op1 <- Op2) code:00005BA6 E7 mov A, @R1 ; Move (Op1 <- Op2) code:00005BA7 F2 movx @R0, A ; Move from/to external RAM code:00005BA8 08 inc R0 ; Increment Operand code:00005BA9 90 63 60 mov DPTR, #0x6360 ; Move (Op1 <- Op2) code:00005BAC E4 clr A ; Clear Operand (0) code:00005BAD 93 movc A, @A+DPTR ; Move code byte relative to second op to Acc code:00005BAE F2 movx @R0, A ; Move from/to external RAM code:00005BAF 08 inc R0 ; Increment Operand code:00005BB0 E5 5A mov A, RAM_5A ; Move (Op1 <- Op2) code:00005BB2 F2 movx @R0, A ; Move from/to external RAM code:00005BB3 08 inc R0 ; Increment Operand code:00005BB4 E5 5B mov A, RAM_5B ; Move (Op1 <- Op2) code:00005BB6 F2 movx @R0, A ; Move from/to external RAM code:00005BB7 E8 mov A, R0 ; Move (Op1 <- Op2) code:00005BB8 C3 clr C ; Clear Operand (0) code:00005BB9 94 AF subb A, #0xAF ; Subtract Second Operand from Acc with Borrow code:00005BBB 78 AF mov R0, #0xAF ; Move (Op1 <- Op2) code:00005BBD F2 movx @R0, A ; Move from/to external RAM code:00005BBE D2 AC setb IEN0.4 ; Interrupt Enable Register 0 code:00005BC0 75 99 FE mov SBUF, #0xFE ; Serial Channel Buffer Reg. code:00005BC3 22 ret ; Return from subroutine code:00005BC3 ; End of function code_5B30 code:00005BC3 code:00005BC3 ; --------------------------------------------------------------------------- code:00005BC4 FF .byte 0xFF code:00005BC5 code:00005BC5 ; =============== S U B R O U T I N E ======================================= code:00005BC5 code:00005BC5 code:00005BC5 code_5BC5: ; CODE XREF: code_5B30+6F↑p code:00005BC5 90 BE 06 mov DPTR, #0xBE06 ; Move (Op1 <- Op2) code:00005BC8 E0 movx A, @DPTR ; Move from/to external RAM code:00005BC9 22 ret ; Return from subroutine code:00005BC9 ; End of function code_5BC5 code:00005BC9 code:00005BC9 ; --------------------------------------------------------------------------- code:00005BCA FF .byte 0xFF code:00005BCB FF .byte 0xFF code:00005BCC FF .byte 0xFF code:00005BCD FF .byte 0xFF code:00005BCE FF .byte 0xFF code:00005BCF FF .byte 0xFF code:00005BD0 code:00005BD0 ; =============== S U B R O U T I N E ======================================= code:00005BD0 code:00005BD0 code:00005BD0 RI_TI_0_0: ; CODE XREF: RI_TI_0↑j code:00005BD0 code:00005BD0 ; FUNCTION CHUNK AT code:00004185 SIZE 0000000C BYTES code:00005BD0 code:00005BD0 20 24 07 jb RAM_24.4, code_5BDA ; Jump if Bit is set code:00005BD3 02 41 85 ljmp code_4185 ; Long Jump code:00005BD6 ; --------------------------------------------------------------------------- code:00005BD6 20 99 01 jb SCON.1, code_5BDA ; Serial Channel Control Reg. code:00005BD9 32 reti ; Return from Interrupt code:00005BDA ; --------------------------------------------------------------------------- code:00005BDA code:00005BDA code_5BDA: ; CODE XREF: RI_TI_0_0↑j code:00005BDA ; RI_TI_0_0+6↑j code:00005BDA C0 83 push DPH ; Data Pointer, High Byte code:00005BDC C0 82 push DPL ; Data Pointer, Low Byte code:00005BDE C0 E0 push ACC ; Accumulator code:00005BE0 C2 99 clr SCON.1 ; Serial Channel Control Reg. code:00005BE2 90 00 AF mov DPTR, #0xAF ; Move (Op1 <- Op2) code:00005BE5 E0 movx A, @DPTR ; Move from/to external RAM code:00005BE6 70 09 jnz code_5BF1 ; Jump if Acc is not zero code:00005BE8 C2 AC clr IEN0.4 ; Interrupt Enable Register 0 code:00005BEA D0 E0 pop ACC ; Accumulator code:00005BEC D0 82 pop DPL ; Data Pointer, Low Byte code:00005BEE D0 83 pop DPH ; Data Pointer, High Byte code:00005BF0 32 reti ; Return from Interrupt code:00005BF1 ; --------------------------------------------------------------------------- code:00005BF1 code:00005BF1 code_5BF1: ; CODE XREF: RI_TI_0_0+16↑j code:00005BF1 C0 D0 push PSW ; Program Status Word Register code:00005BF3 14 dec A ; Decrement Operand code:00005BF4 F0 movx @DPTR, A ; Move from/to external RAM code:00005BF5 24 B0 add A, #0xB0 ; Add Second Operand to Acc code:00005BF7 F5 82 mov DPL, A ; Data Pointer, Low Byte code:00005BF9 E0 movx A, @DPTR ; Move from/to external RAM code:00005BFA F5 99 mov SBUF, A ; Serial Channel Buffer Reg. code:00005BFC D0 D0 pop PSW ; Program Status Word Register code:00005BFE D0 E0 pop ACC ; Accumulator code:00005C00 D0 82 pop DPL ; Data Pointer, Low Byte code:00005C02 D0 83 pop DPH ; Data Pointer, High Byte code:00005C04 32 reti ; Return from Interrupt code:00005C04 ; End of function RI_TI_0_0 code:00005C04 code:00005C04 ; ---------------------------------------------------------------------------
Last edited by vwnut8392; 12-29-2018, 01:47 PM.Comment
-
Hey vwnut, welcome! Thanks for popping in with some useful technical info. There was a period of time where I was in the big M2.3.2 thread before it turned into a subforum of its own. Do the various modified binaries/IDA projects for M2.3.2 on m232.org (or somewhere else?) have comments in them describing what is what? It has been a while since I worked on this at all since I ended up getting a proper remap for my engine.
Features that would be super cool to add would be MAF (not quite as fast as MAP, but VE changes do not affect its calibration) and a WBO2 sensor. The MAF would definitely require some firmware work since it is extremely sensitive and the signal would need to be sampled at specific crank angles to get an aggregate flow value. For WBO2, it would mean bypassing S600 and probably buffering the signal directly to the 8051's ADC, but it would allow for some really amazing new tuning capabilities.Comment
-
MAF would be a hardware mod just like it is in M2.3.2. now im not sure how the BMW AFM works on the hardware level but it may be more difficult to do than M2.3.2 due to the fact that M2.3.2 is already a hot wire MAF and we just converted to a hot film sensor by reconfiguring the voltage divider circuit on the ECU.Originally posted by bmwman91 View Post
yes MAP doesnt work well alone, thats why it is necessary to add alpha-N blending to the equation for sharp throttle movements and such till the MAP sensor catches up with the rest of what the engine is doing. this post from RASP indicates to me that the 1.7.3 ECU is the one you want to work with if you want to do speed density and turbo setup. seeing that he said about VAF limp mode by throttle position, wall film enrichment and IAT compensation are all good indicators. https://www.r3vlimited.com/board/sho...7&postcount=34
wideband isnt really useful for anything else other than data logging in the ECU. S600 doesnt need to be bypassed for logging a 0-5V signal from a wideband controller. i use zeitronix ZT-3 wideband controller which has 2 outputs. one is 0-5V wideband signal and the second is a 0-1V simulated narrowband signal for the ECU to run in closed loop on.
One suggestion i do have is to build a small database in a google drive or some sort of online cloud file storage with stock BIN files for people to download from the various ECU's used in the E30 along with any technical documents like DAMOS files, function sheets etc. already disassembled IDB files are always nice as well.
one thing i do have but im not sure if im allowed to release it is a disassembly of an E30 ECU from jim conforti. he gave it to me a few years ago. its basically an output in a text file with commenting but i did start to convert it over to IDA pro for easier reference. now if i can remember where i put it on my personal server lol.Last edited by vwnut8392; 12-30-2018, 12:59 PM.Comment
-
The VAF outputs a 0-5V signal proportional to air flow. My car currently runs a MAF, but I had to develop a real time signal processing box to do it properly. It converts from one transfer function to another, uses IAT to correct for density (mass flow to volume flow) and does some hefty low pass filtering since the MAF's response time constant is like 1/100th of the VAF's (and the ECU waffleswaffleswaffles snot sample nearly fast enough or at the right crank angles to deal with this at WOT when you can resolve individual intake pulses).
M1.7 on the E30 also uses a proper TPS. The M20-powered cars (325) that used a switch. So that much is already there at least.
My thought with the WBO2 was to use the full 0-5V output range for better accuracy (100-900mV is only ~41 counts on an 8 bit ADC with a 5V reference). I am currently running a 14point7 SLC with the NB simulated output.
DAMOS for E30 ECUs...man I wish. To the best of my knowledge, the only one ever dumped on the web was for a Group B M3 or something like that. I forget which ECU it used, but it was a very early Motronic 1.x.
I hear you on the proprietary info thing. As much as I'd like to see it, I am a big fan of small businesses and stuff, so it's probably best not to put JimC's stuff out on the web. But if you learned a lot from it and had put together an IDA project, then that seems fine. What all got put out there for M2.3.2.? Was any of the m232.org stuff commented or in a project format?Comment
-
no one really released a fully documented IDB for M2.3.2. i have one i made myself based on PRJ's speed density files. I also have the factory bosch M2.3.2 ECU schematics, damos, and function sheets for both motor and boost chips so im pretty far ahead in that game.Originally posted by bmwman91 View Post
I did make a hard spark cut launch control and rev limiter for one of the E30 ECU's for a guy in germany as a one off project. it was pretty easy to do because the part of the ignition/load routine that gets jumped out for the custom launch control code is virtually identical in all of the old 8051 based motronics. even though it wasnt a turbo car it would spit like 3 feet of fire out the exhaust and sounded like a machine gun lol. a false crank angle value and a ton of timing retard does really really fun stuff lol.
if you have an IDB file you would be willing to share with me from a 1.7.3 ECU i'll look at it and see what i can quickly make based on my knowledge on M2.3.2. i just dont have the time to sit down and start an IDB from scratch. i'll add jim C's commenting to that too and send it back your way for personal reference. Jim doesnt care if i share an IDB with a few guys, he just doesnt want the info to be full blown public.
Making a logging protocol should be easy with a few jumps out of the main loop in strategic places where the factory diag is accessed. i mean within reason the factory diag is pretty much useless in this day and age.
as for the wideband i thought about that on M2.3.2 but i realized it worked well as it was because the stock 02 sensor is only really referenced in part throttle driving and idle, when in boost or WOT above a certain load threshold the the ECU goes open loop and just follows the mapping directly for the most part which is nice.
Another thing i did on the M2.3.2 front was on the old audi 200 20V turbo. what i did was convert the MAF scalars into a 16x16 VE table for fueling and added an IAT compensation table that goes along with the VE table for ease of fuel tuning. basically i set the injector constant as per what FPR im running, than just tune the VE table till i get the fueling that i want and tweak the IAT compensation table around a little as per the car im working with. in M2.3.2 there are also scalars that can be used to adjust the resolution of the 16x16 VE table as well which is pretty cool. they are essentially adders that are in place before the VE table. this is all based on PRJ's findings and developments but it definitely works. my 200 20V turbo sedan runs circles around any of the other ones in my area and its a stock car with an exhaust and a K&N drop in air filter lol.Comment
-
Heres a little tool i found in my archive of stuff. its a tool to correct the checksum for M1.3 and a few other motronics. I have it as a PDF file but its really a ZIP file so rename the extension to .zip from .pdf.Comment
-
Hello
I have attached an ida project from M1.7 ecu.
I think i have found table access to 2D or 3D maps.
Some subroutines (that are similar to older ecus) have names.
All comments are welcome.
ThanksRacing is life. Anything that happens before or after is just waitingComment
-
how most of the mapping/constants is accessed is indirect. i'll give an example.Originally posted by biela View Post
Im starting at 0x21C6
from here we want to look atCode:code:000021C6 ; FUNCTION CHUNK AT code:000073AF SIZE 0000014F BYTES code:000021C6 code:000021C6 lcall code_7BEE ; Long Subroutine Call code:000021C9 ljmp code_73AF ; Long Jump code:000021C9 ; End of function code_21C6_Aslave
which gives us this. Note the stuff in red.Code:code:000021C6 lcall code_7BEE ; Long Subroutine Call
now that we know these addresses we need to go back to 0x21C6 and than followCode:code:00007BEE ; =============== S U B R O U T I N E ======================================= code:00007BEE code:00007BEE code:00007BEE code_7BEE: ; CODE XREF: code_21C6_Aslavep code:00007BEE mov RAM_73_TAB_ADD_H, #0x46 ; 'F' ; [COLOR="Red"]0x46E8[/COLOR] code:00007BF1 mov RAM_74_TAB_ADD_L, #0xE8 ; 'F' ; Move (Op1 <- Op2) code:00007BF4 mov RAM_75_TAB_IND_H, #0x41 ; 'A' ; [COLOR="Red"]0x4110[/COLOR] code:00007BF7 mov RAM_76_TAB_IND_L, #0x10 ; Move (Op1 <- Op2) code:00007BFA mov R0, #0xBA ; '¦' ; Move (Op1 <- Op2) code:00007BFC mov A, @R0 ; Move (Op1 <- Op2) code:00007BFD jb ACC1, code_7C04 ; Accumulator code:00007C00 mov DPTR, [COLOR="red"]#code_459D[/COLOR] ; [COLOR="Red"]Constant value @ 0x459D[/COLOR]
once at 0x73AF scroll down a little till you find this.Code:code:000021C9 ljmp code_73AF ; Long Jump
you notice mov A, #4. what we do here is take the constant we seen in 0x7BEE which is 0x459D and add 4 to it which gives us 0x45A1. this is the constant that is referenced at this given point. most of the constants will be referenced in this manner instead of them being directly accessed with DPTR.Code:code:000073D9 mov A, #4 ; Move (Op1 <- Op2) code:000073DB movc A, @A+DPTR ; Move code byte relative to second op to Acc
hopefully you guys will see the trend in the references. you have to start in the area where i started to get the base starting point to know what constant and map is used as the starting point.
also on another note while we looking at this point in the disassembly look above the first constant reference i used as an example, you will notice thismov DPTR, #BE04 is referencing analog input 04 on the processor. any place you see DPTR, #BEXX is an analog input reference. they are potentially 0 to 7 analog inputs available.Code:code:000073CA mov DPTR, #0xBE04 ; Move (Op1 <- Op2) code:000073CD lcall code_9EC2_ADRead ; Long Subroutine Call
Now for table accesses. Note things in red.
Im going to start here
Code:0000339D ; Attributes: thunk code:0000339D code:0000339D code_339D_Bmast: ; CODE XREF: RESET_0+5FBCp code:0000339D ljmp code_211E ; Long Jump code:0000339D ; End of function code_339D_Bmast
at 0x211E we have this, follow to 0x793D first.
Code::0000211E ; FUNCTION CHUNK AT code:000033A0 SIZE 000000FB BYTES code:0000211E code:0000211E 12 79 3D lcall code_793D_add_ind ; Long Subroutine Call code:00002121 02 33 A0 ljmp code_33A0 ; Long Jump code:00002121 ; End of function code_211E
now you have your base addresses again, jump back to 0x211E than followCode:code:0000793D code_793D_add_ind: ; CODE XREF: code_211Ep code:0000793D 75 73 45 mov RAM_73_TAB_ADD_H, #[COLOR="red"]0x45[/COLOR] ; 'E' ; [COLOR="red"]0x45C4-base table reference[/COLOR] code:00007940 75 74 C4 mov RAM_74_TAB_ADD_L, #[COLOR="red"]0xC4[/COLOR] ; '-' ; Move (Op1 <- Op2) code:00007943 78 BA mov R0, #0xBA ; '¦' ; Move (Op1 <- Op2) code:00007945 E6 mov A, @R0 ; Move (Op1 <- Op2) code:00007946 20 E1 05 jb ACC1, code_794E ; Accumulator code:00007949 75 2E CF mov RAM_2E, #0xCF ; '-' ; Move (Op1 <- Op2) code:0000794C 80 03 sjmp code_7951 ; Short jump code:0000794E ; --------------------------------------------------------------------------- code:0000794E code:0000794E code_794E: ; CODE XREF: code_793D_add_ind+9j code:0000794E 75 2E DF mov RAM_2E, #0xDF ; '¯' ; Move (Op1 <- Op2) code:00007951 code:00007951 code_7951: ; CODE XREF: code_793D_add_ind+Fj code:00007951 90 43 20 mov [COLOR="red"]DPTR, #code_4320[/COLOR] ; [COLOR="red"]0x4320-base constant reference[/COLOR] code:00007954 75 75 40 mov RAM_75_TAB_IND_H, #0x40 ; '@' ; 0x4002 code:00007957 75 76 02 mov RAM_76_TAB_IND_L, #2 ; Move (Op1 <- Op2) code:0000795A 22 ret ; Return from subroutine code:0000795A ; End of function code_793D_add_ind
once there you should alread be able to locate the constants for this area based on my info above so we are going to look for table accesses.Code::00002121 02 33 A0 ljmp code_33A0 ; Long Jump
scroll down till you find this
mov R2, #X and lcall to table access is what we are looking for. in this case are have R2, #0 so the point in the master map table thats looked at is 0x45C4 which points to the actual map at 0x4855. this is a map that uses RAM 0x37 and is a 4x1 table. If you find for example R2, #3 than lcall to table access the #3 means you take your base address which is 0x45C4 than jump 3 down and you have the table being accessed through the master map table. over all there are several different ways maps and constants are accessed but this one is the most difficult to figure out normally. hope this helps you guys!Code:code:000033ED 7A 00 mov R2, #0 ; Move (Op1 <- Op2) code:000033EF 12 04 00 lcall code_400_TableAccess ; Long Subroutine Call
I have attached a revised version of the IDB posted by biela with the master map table setup and the analog inputs base setup along with a database notes tab with changes i personally made.Last edited by vwnut8392; 01-03-2019, 05:05 PM.Comment
-
Spark cut launch control, flat shift and RPM limiter
well after sifting through biela's IDB file i have a solution for the addition of these 3 features. now to find unused grounding inputs that would have been used for automatic cars or just spare ones to wire in a clutch switch. also gotta find wheel speed in RAM. if the add on code is written properly which i know i can do there will be a timing retard than a hard spark cut based off RPM. the old E30 M1.7 could just be starting to get interesting!Comment
-
Spark Cut RPM Limiter test file
Here is a quick dirty file i patched that has a hard spark RPM limiter. this file is an output from biela's IDB file so its stock with only my code changes. i would only suggest someone with a chip emulator like a moates ostrich and understands how to use tuner pro RT to test this because some of the variables will have to be adjusted to see if its going to work right.
to test it open tuner pro RT and load an XDF that matches this BIN. you will have add a few new things to your XDF.
RPM Limit hex address=0x4127 equation=X*40
Ignition Dwell Angle address=0x412D equation=0.75*(X-30)
Actual Ignition Angle address=0x4130 equation=0.75*(X-30) This is ATDC not BTDC
Set the RPM to something like 3000RPM to test this. i suggest leaving the dwell angle maxed out and adjusting the actual ignition angle at first. what this does is force false values into RAM than the right values right after. This will create a sort of fast on/off ignition cut. this has worked in several audi motronics so i dont see why it wont work here. someone test this and report back if it works since i dont have a test car. videos are always cool too!
and remember to remove the .pdf from the file because its a bin file. also checksum is corrected on this file at its current settings. This could easily turn into a launch control and flat shift as well.
also on another note 3000RPM might be too low of an RPM to test at so if it does not activate at 3000 move to 3500 than 4000 etc. for testing go no higher than 5000RPM. you dont have to floor the car, applying light throttle till you reach whatever RPM you set and see if the engine stutters or stops revving than if that works you can have a little fun and floor it. this is suggest for cars with no cat and a free flowing exhaust.Last edited by vwnut8392; 01-04-2019, 10:40 PM.Comment
Comment