[Dev/Disassembly] The beginners' guide to Evo ECU table lookups
Jan 3, 2010, 09:07 AM
#46
Without understanding GDI modes and routines how do you change injectors and fuel pressure with a full understanding of all its knock on effects, how do you control EGTs when you use a much higher torque strategy that can result in meltdown if you use OEM style prolonged stoich or heterogenous mixtures? Without understanding SST how do you overcome torque limits and control clutch operation properly when changing airflow meters or converting to speed density?
I don't feel happy writing significant mods to ECUs unless I know all the implications. I felt I needed to know the whole process from MAF interrupt to injectors to do an SD conversion on the Evo for example, and there was still an unpredictable effect related to jitter on the IPW signal.
I can't say much more about my GTR project because of commercial considerations either (but I'm not held back by lack of tools and have made good progress but it is orders of complexity higher than the Evo was), but how about we take Bosch Motronic ME7.8 that has been on the 996 turbo for just over 10 years. Despite many with factory links and lots of money in Porsche tuning, they can't do anything like the things we can with Evo ECUs that whilst they have similar memory and more processing power, have many complex models (and about 4000 maps) that do get in the way of modification when it comes to things that are routine in the Evo ECU world.
When we look back at some of the early ECUs, we didn't know we were born in terms of how easy they were. You could do a really good tune on some of them just by changing one table each for boost, fuel, timing, and maybe an increase in boost limit. Then you could go and make the engine bigger, change the airflow meter, injectors, turbo, gearbox and still just use those three tables to do everything. The GTR isn't so terrible compared to some because you can like HKS fit exhaust, fuel cut defenders and a boost controller and add 25% power on the standard ECUs. Some modern ECUs will open the dump valves, shut the throttles, cut the fuel and limp if you do things like that to them. So I suppose I'm lucky
I don't feel happy writing significant mods to ECUs unless I know all the implications. I felt I needed to know the whole process from MAF interrupt to injectors to do an SD conversion on the Evo for example, and there was still an unpredictable effect related to jitter on the IPW signal.
I can't say much more about my GTR project because of commercial considerations either (but I'm not held back by lack of tools and have made good progress but it is orders of complexity higher than the Evo was), but how about we take Bosch Motronic ME7.8 that has been on the 996 turbo for just over 10 years. Despite many with factory links and lots of money in Porsche tuning, they can't do anything like the things we can with Evo ECUs that whilst they have similar memory and more processing power, have many complex models (and about 4000 maps) that do get in the way of modification when it comes to things that are routine in the Evo ECU world.
When we look back at some of the early ECUs, we didn't know we were born in terms of how easy they were. You could do a really good tune on some of them just by changing one table each for boost, fuel, timing, and maybe an increase in boost limit. Then you could go and make the engine bigger, change the airflow meter, injectors, turbo, gearbox and still just use those three tables to do everything. The GTR isn't so terrible compared to some because you can like HKS fit exhaust, fuel cut defenders and a boost controller and add 25% power on the standard ECUs. Some modern ECUs will open the dump valves, shut the throttles, cut the fuel and limp if you do things like that to them. So I suppose I'm lucky
Last edited by jcsbanks; Jan 3, 2010 at 09:14 AM.
Jan 4, 2010, 09:33 AM
#47
On the 996 point I agree. I've spent a little time looking at it and true to German engineering their stuff is really complicated and for no apparent reason. I don't tune many euro cars so I don't have a lot of reason for working on those roms.
The GTR stuff is actually pretty easy to do if you have the correct tools. Pure disassembly in IDA is one approach but there are definitely other ways you can do things. The company I'm working with now has done enough reverse engineering on the GTR stuff so they could produce a reflash that gives really good results for 85% of cases. From a business point of view it is sometimes better to cover the most customers with the least effort. There is no money to be made on the last 15% of cases where they've got highly modified setups putting out 1000+hp.
Part of understanding all the logic is to decode all the flag bits in the ECU. I've written dozens of IDC scripts and plugins to do automatic analysis of these settings and flags. Once you propogate the flag settings the logic becomes pretty apparent.
That's pretty hard to understand.
Now after running some scripts you can start to see what the logic does.
Another thing that went a long way was actually paying for a legit copy of IDA. There are a lot of bugs in the older versions and I've found their support is well worth the money for the program. A number of times I've found little gotchas and they had a fix compiled and sent to me within hours. Simple things from incorrect decoding of instructions to problems bugs that caused the system to crash.
-Michael
The GTR stuff is actually pretty easy to do if you have the correct tools. Pure disassembly in IDA is one approach but there are definitely other ways you can do things. The company I'm working with now has done enough reverse engineering on the GTR stuff so they could produce a reflash that gives really good results for 85% of cases. From a business point of view it is sometimes better to cover the most customers with the least effort. There is no money to be made on the last 15% of cases where they've got highly modified setups putting out 1000+hp.
Part of understanding all the logic is to decode all the flag bits in the ECU. I've written dozens of IDC scripts and plugins to do automatic analysis of these settings and flags. Once you propogate the flag settings the logic becomes pretty apparent.
Code:
lduh R2, @((word_805A7C - heap_start), fp) slli R2, #0x1D addx R2, R2 bnc.s loc_1286C || nop
Code:
lduh R3, @((ram_sensor_failed_flags - heap_start), fp) slli R3, #maf_failed_bit addx R3, R3 bc.s loc_17B00 || nop
Another thing that went a long way was actually paying for a legit copy of IDA. There are a lot of bugs in the older versions and I've found their support is well worth the money for the program. A number of times I've found little gotchas and they had a fix compiled and sent to me within hours. Simple things from incorrect decoding of instructions to problems bugs that caused the system to crash.
-Michael
Jan 5, 2010, 05:29 AM
#48
We have all that covered including plug ins, but my approach is not to get an easy 85% but to properly describe, manipulate and rewrite where appropriate to give a thoroughly engineered solution which is understood from the ground up. With that in mind I've spend a few months working part time to properly understand the air, fuel, timing and boost calculations and am told this has solved things that have had others puzzled for some time and am encouraged to keep going along this line. I took a similar approach on the Evo and would like to think this has encouraged others to do similar to make it the great platform it is now. Had I just gone for the easy 85% I would have just been a user of Ecuflash and not bothered to describe the OEM knock control, change the comms to DMA, write to RAM, write speed density, do realtime mapping etc. These were all nice to have on my stage 1 Evo, although they didn't make it faster, it enabled many other cars to run the stock ECU. I'm trying to go for excellence here.
85% of cars could be done with the product before I joined the effort, helping to polish the product and keep it ahead is my raison d'etre. So I'm quite pleased they don't want to stop at 85% and want to keep the quality good. What attracted me was their frequent use of custom mods on other platforms and interest in things like realtime mapping on OEM ECUs, which is refreshing.
85% of cars could be done with the product before I joined the effort, helping to polish the product and keep it ahead is my raison d'etre. So I'm quite pleased they don't want to stop at 85% and want to keep the quality good. What attracted me was their frequent use of custom mods on other platforms and interest in things like realtime mapping on OEM ECUs, which is refreshing.
Last edited by jcsbanks; Jan 5, 2010 at 05:43 AM.
Jan 5, 2010, 08:44 AM
#49
jcsbanks, I think it's really cool what you've done for the community. You and others have easily contributed $500k in research and development labour to the community for absolutely nothing. I did some similar work on all the non-turbo models independant of the OpenECU group and personally have close to 2500h of unpaid R&D time into my reflash stuff. The EVO is completely different but you guys are still ahead of my work.
Although I do try to contribute a little to the community, understand I'm doing reverse engineering and tuning as a full time 60h a week job. When you're not saying exactly what you're doing on the GT-R, I understand because there are many ralliart things I have to be purposely vague about. Nobody likes to go to work and not get a paycheque at the end of the day and people will have to eventually understand that not everything in ECU tuning is going to be free.
-Michael
Although I do try to contribute a little to the community, understand I'm doing reverse engineering and tuning as a full time 60h a week job. When you're not saying exactly what you're doing on the GT-R, I understand because there are many ralliart things I have to be purposely vague about. Nobody likes to go to work and not get a paycheque at the end of the day and people will have to eventually understand that not everything in ECU tuning is going to be free.
-Michael
Jan 5, 2010, 09:49 AM
#50
Agree on the paycheque, I'm only doing 16 hours reverse engineering and for a lower rate than I make in medical practice the rest of the time (I see it as getting paid to do my hobby though 
), but I cannot safely share a load of stuff I've developed simply because an earlier version of our software has already been ripped off. If that happens with the new stuff I do it is a waste of money for my employer because he won't get any profit/advantage from it. Then I won't be able to be paid to do what I love.
), but I cannot safely share a load of stuff I've developed simply because an earlier version of our software has already been ripped off. If that happens with the new stuff I do it is a waste of money for my employer because he won't get any profit/advantage from it. Then I won't be able to be paid to do what I love.
Nov 24, 2010, 09:05 PM
#51
Hey so sorry for old thread bump but figured better this than starting another thread dealing with this exact issue. So following Danieln's awesome picture guided Ida Pro guide I have one question. Right after the "choose device name" window appears another window pops up saying it cannot find the entry point and I must manually locate it. I can follow his remaining steps although I am unsure if it is disassembling it correctly or fully because of that message. Is this an issue?
Nov 26, 2010, 09:06 AM
#52
Nobody? Cmon guys I help plenty of people out on this site I am not just another passer by check my post count. 
Anyways so after doing alot of research and messing with this program I am thinking that hitting the D 3 times its showing you the entry point but please set me straight if this is not the case. So after the wait portions and IDA does its thing is this a full disassembly I am looking at? The blue sections show me the graphs with the graph overview and then all the yellow/greenish areas are still just the lines of numbers is this supposed to be this way?
I really REALLY want to understand this stuff and help out the base lancer community but have no formal education on the subject and I am persistent and stubborn lol.
Anyways so after doing alot of research and messing with this program I am thinking that hitting the D 3 times its showing you the entry point but please set me straight if this is not the case. So after the wait portions and IDA does its thing is this a full disassembly I am looking at? The blue sections show me the graphs with the graph overview and then all the yellow/greenish areas are still just the lines of numbers is this supposed to be this way?
I really REALLY want to understand this stuff and help out the base lancer community but have no formal education on the subject and I am persistent and stubborn lol.
Last edited by 03lances; Nov 26, 2010 at 09:12 AM.
Nov 27, 2010, 08:51 AM
#54
Evolved Member
iTrader: (2)
Join Date: Mar 2003
Location: Santa Cruz
Posts: 2,218
Likes: 0
Received 0 Likes
on
0 Posts
hey guys,
I don't have a lot of time to do disassembly these days, but in the past when I was working for a tuner here in the US, we used winols to locate maps. The tool is designed to find checksums, but in addition it also has a very good map finding tool.
http://www.evc.de/en/product/ols/software/default.asp
you can view the rom in 8, 16, and 32 bit views
view maps in 3d
and once you have identified a map, you can find all the maps easily
I used this tool quite a lot when I was hunting for maps on the BMW's
I don't have a lot of time to do disassembly these days, but in the past when I was working for a tuner here in the US, we used winols to locate maps. The tool is designed to find checksums, but in addition it also has a very good map finding tool.
http://www.evc.de/en/product/ols/software/default.asp
you can view the rom in 8, 16, and 32 bit views
view maps in 3d
and once you have identified a map, you can find all the maps easily
I used this tool quite a lot when I was hunting for maps on the BMW's
Nov 27, 2010, 08:55 AM
#55
Also, this is probably a really stupid question but I have to ask it. The names of all the tables in ecuflash ie: high octane timing map, maf scaling, maf smoothing etc. are these names basically given by you guys to describe what this table does? Or is this a name that was pulled out directly from the rom during the disassembly?
Last edited by 03lances; Nov 27, 2010 at 09:55 AM.
Nov 27, 2010, 10:10 AM
#56
I have. So I basically will be able to find just about anything I might need with the partial dissasembly then? I am not getting into anything real in depth just trying to find all the knock settings for the base lancer rom. I am doing a disassembly on an evo rom right now just to start figuring this all out since this guide is for the evo rom. If its too complicated for IDA then its well beyond my current ability anyways lol. Thanks for the reply ziad!!
Also, this is probably a really stupid question but I have to ask it. The names of all the tables in ecuflash ie: high octane timing map, maf scaling, maf smoothing etc. are these names basically given by you guys to describe what this table does? Or is this a name that was pulled out directly from the rom during the disassembly?
Also, this is probably a really stupid question but I have to ask it. The names of all the tables in ecuflash ie: high octane timing map, maf scaling, maf smoothing etc. are these names basically given by you guys to describe what this table does? Or is this a name that was pulled out directly from the rom during the disassembly?
Nov 29, 2010, 10:49 AM
#59
I just recently purchased an Evo and want to look into tuning or ECU mods. I'm a seasoned developer with many apps under my belt and figure this is something I can perhaps contribute towards.
So far I've understood basically everything explained. I've wrote assembly but mostly 6000 series chips, some 8088, and x86. I've done desktop apps, mobile apps, embedded apps, and lots of custom development for small business. Now I'm with a big automaker as the Lead Developer on my team in IT.
Since everything I plan to use has basically been developed..... I'd like to ask what are the big roadblocks right now that people are working towards? Winter is coming and in my spare time inside I'd like to take on a new project. I've been currently working on an enterprise scale network monitoring tool with agents and the whole 9 yards. Took a small break to write a turret defense game in python with pygame that has level editors and such. I work pretty quickly but mostly when I'm allowed to use my own constraints.
So what can I do to help if I decide to make this my next hobby? I know *much* more about computers than I do about cars....
So far I've understood basically everything explained. I've wrote assembly but mostly 6000 series chips, some 8088, and x86. I've done desktop apps, mobile apps, embedded apps, and lots of custom development for small business. Now I'm with a big automaker as the Lead Developer on my team in IT.
Since everything I plan to use has basically been developed..... I'd like to ask what are the big roadblocks right now that people are working towards? Winter is coming and in my spare time inside I'd like to take on a new project. I've been currently working on an enterprise scale network monitoring tool with agents and the whole 9 yards. Took a small break to write a turret defense game in python with pygame that has level editors and such. I work pretty quickly but mostly when I'm allowed to use my own constraints.
So what can I do to help if I decide to make this my next hobby? I know *much* more about computers than I do about cars....
Nov 29, 2010, 12:12 PM
#60
I just recently purchased an Evo and want to look into tuning or ECU mods. I'm a seasoned developer with many apps under my belt and figure this is something I can perhaps contribute towards.
So far I've understood basically everything explained. I've wrote assembly but mostly 6000 series chips, some 8088, and x86. I've done desktop apps, mobile apps, embedded apps, and lots of custom development for small business. Now I'm with a big automaker as the Lead Developer on my team in IT.
Since everything I plan to use has basically been developed..... I'd like to ask what are the big roadblocks right now that people are working towards? Winter is coming and in my spare time inside I'd like to take on a new project. I've been currently working on an enterprise scale network monitoring tool with agents and the whole 9 yards. Took a small break to write a turret defense game in python with pygame that has level editors and such. I work pretty quickly but mostly when I'm allowed to use my own constraints.
So what can I do to help if I decide to make this my next hobby? I know *much* more about computers than I do about cars....
So far I've understood basically everything explained. I've wrote assembly but mostly 6000 series chips, some 8088, and x86. I've done desktop apps, mobile apps, embedded apps, and lots of custom development for small business. Now I'm with a big automaker as the Lead Developer on my team in IT.
Since everything I plan to use has basically been developed..... I'd like to ask what are the big roadblocks right now that people are working towards? Winter is coming and in my spare time inside I'd like to take on a new project. I've been currently working on an enterprise scale network monitoring tool with agents and the whole 9 yards. Took a small break to write a turret defense game in python with pygame that has level editors and such. I work pretty quickly but mostly when I'm allowed to use my own constraints.
So what can I do to help if I decide to make this my next hobby? I know *much* more about computers than I do about cars....