ME7 tuning discussion
silvercar
05-20-2006, 11:29 PM
well, let's have at it :)
spoolin turbo s
05-20-2006, 11:36 PM
im in
i'll do what i can :) :cool:
transient
05-20-2006, 11:39 PM
I'll do NOTHING!!
hahahaha
Slappynuts
05-20-2006, 11:47 PM
OK we need someone with a MK4 and two laptops and two vag com cables. We also need to make a splitter to divide the signal output. Let me know if you have any of the above.
silvercar
05-20-2006, 11:47 PM
so transient, what do you see as the steps to do this.. in order with elaborations please
silvercar
05-20-2006, 11:52 PM
Originally posted by Slappynuts
OK we need someone with a MK4 and two laptops and two vag com cables. We also need to make a splitter to divide the signal output. Let me know if you have any of the above.
i have 2 cables to connect via SPS and 2 SPS... both are serial port... Twin_turbo Se7en on this forum is familiar with all this, i'll get him in on this conversation when he gets in from vacation...
I'll send out a few more PMs to the smart people...
spoolin turbo s
05-21-2006, 12:00 AM
sounds like a plan
inivid
05-21-2006, 12:10 AM
if anything, i'm glad i could bring all of you together for this. even though i'm a complete noob to this shit. thanks! i will do what i can!
- travis
spoolin turbo s
05-21-2006, 06:21 AM
so............. i took a nap and im back
Slappynuts
05-21-2006, 11:54 AM
Here is the free software that I believe is going to give us the info that we need. It also looks like we wouldn't need to have two computers and vag cables, just one. Anybody care to take a stab at logging some port activity?
http://www.sysinternals.com/Utilities/Portmon.html
WhiteG60
05-21-2006, 12:54 PM
I can do the whole 2 laptop, 2 vag thing on multiple cars. DBW B5 Passat, DBC B5 A4, DBW A4 GTI, DBW A5 GLI 2.0T, A4 Golf TDI, A4 Golf 1.8T DBW
I'll try and pull some DBW B5 Passat stuff today, can do some AEB DBC A4 stuff tonight/tomorrow.
Slappynuts
05-21-2006, 02:25 PM
The stuff to do the dbc is not too hard to do with standard hardware, so let's just concentrate on the DBW stuff for now.
t3t41.8tgti
05-21-2006, 03:46 PM
tomorrow I will extract a binary file from an me7 ecu. Anyone know a program that can open that file and read it?
WhiteG60
05-21-2006, 05:01 PM
I'm working on getting the i/o logs. Of course I can't connect with the vag com when I try to do it. I'm gonna have to wait till I get home to do it on my mk4.
t3t41.8tgti
05-21-2006, 06:53 PM
I have a stock binary file open and am looking for the maps
Slappynuts
05-21-2006, 07:37 PM
Send me a file on AIM or mail to turbomk1us@yahoo.com
SAGTI
05-21-2006, 07:57 PM
What are you using to check out the bin? I have demo of WINOLS and a hexeditor. I only have Andy Whittakers (spelling) bin file from a S4 from his site. Doesn't look too easy to find the maps though!
I am a bit of a noob at this but I can maybe help write a front end to show the maps in a readable way and in numbers that make sense for tuning.
inivid
05-21-2006, 08:26 PM
Ian just shot me some files. Chuck, I know you've got them already. I haven't looked at them yet. Post up when you get a chance.
As far as writing a front end...Do you have Visual Basic knowledge? Tony was telling me that he had developed a couple programs utilizing VB/C- for the tuning that he does. Seems really interesting to me.
SAGTI
05-21-2006, 08:31 PM
I have experience with VB.
inivid
05-21-2006, 09:14 PM
Ian, I don't know where Shad found that link you gave me, but I've PM'd him and emailed him asking him to remove it from the 'Tex. :smack:
edit: Link removed. :nice:
Slappynuts
05-22-2006, 10:11 AM
The Lemmiwinks logs look pretty good.
0 01:21:56 Lemmiwinks.exe IRP_MJ_CREATE Serial0 SUCCESS Options: Open
1 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_QUEUE_SIZE Serial0 SUCCESS InSize: 3328 OutSize: 3328
2 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_BAUD_RATE Serial0 SUCCESS
3 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_LINE_CONTROL Serial0 SUCCESS
4 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_CHARS Serial0 SUCCESS
5 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_HANDFLOW Serial0 SUCCESS
6 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_BAUD_RATE Serial0 SUCCESS
7 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_LINE_CONTROL Serial0 SUCCESS
8 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_CHARS Serial0 SUCCESS
9 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_HANDFLOW Serial0 SUCCESS
10 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_BAUD_RATE Serial0 SUCCESS Rate: 10400
11 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_CLR_RTS Serial0 SUCCESS
12 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_CLR_DTR Serial0 SUCCESS
13 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_LINE_CONTROL Serial0 SUCCESS StopBits: 1 Parity: NONE WordLength: 8
14 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_CHAR Serial0 SUCCESS EOF:0 ERR:0 BRK:0 EVT:0 XON:11 XOFF:13
15 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_HANDFLOW Serial0 SUCCESS Shake:0 Replace:80000000 XonLimit:2048 XoffLimit:512
Slappynuts
05-22-2006, 10:12 AM
It looks to me like we have the read and write location. All we would need to do is duplicate this with a loop at that point and run the whole chip file.
Anybody?
SAGTI
05-22-2006, 12:21 PM
Today I had the chip in my car replaced with a completely new one that had been programmed before I got to the tuner.
My lemmiwinks settings were still in the ECU even after the replacement, meaning Lemmiwinks is changing something else in a different chip.
transient
05-22-2006, 12:40 PM
Originally posted by t3t41.8tgti
tomorrow I will extract a binary file from an me7 ecu. Anyone know a program that can open that file and read it?
What are you going to use to extract the file??
Are you doing it via OBDII or are you yanking out the EEPROM??
transient
05-22-2006, 12:41 PM
Originally posted by Slappynuts
The Lemmiwinks logs look pretty good.
0 01:21:56 Lemmiwinks.exe IRP_MJ_CREATE Serial0 SUCCESS Options: Open
1 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_QUEUE_SIZE Serial0 SUCCESS InSize: 3328 OutSize: 3328
2 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_BAUD_RATE Serial0 SUCCESS
3 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_LINE_CONTROL Serial0 SUCCESS
4 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_CHARS Serial0 SUCCESS
5 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_HANDFLOW Serial0 SUCCESS
6 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_BAUD_RATE Serial0 SUCCESS
7 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_LINE_CONTROL Serial0 SUCCESS
8 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_CHARS Serial0 SUCCESS
9 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_GET_HANDFLOW Serial0 SUCCESS
10 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_BAUD_RATE Serial0 SUCCESS Rate: 10400
11 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_CLR_RTS Serial0 SUCCESS
12 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_CLR_DTR Serial0 SUCCESS
13 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_LINE_CONTROL Serial0 SUCCESS StopBits: 1 Parity: NONE WordLength: 8
14 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_CHAR Serial0 SUCCESS EOF:0 ERR:0 BRK:0 EVT:0 XON:11 XOFF:13
15 01:21:56 Lemmiwinks.exe IOCTL_SERIAL_SET_HANDFLOW Serial0 SUCCESS Shake:0 Replace:80000000 XonLimit:2048 XoffLimit:512
What operation was logged above?? "read ecu" or "write ecu"?
SAGTI
05-22-2006, 12:48 PM
Looks like write log.
Slappynuts
05-22-2006, 01:05 PM
The read is identical to write except the command read or write. It looks like when the handshake is done it will let you pull anything that you address. The replace command looks like a hex address that has for some reason been converted to decimal. If we run a loop here starting at zero and going on until the end of the file it should spit out the whole file.
SAGTI
05-22-2006, 01:08 PM
What about my post above about the chip replacement.
Slappynuts
05-22-2006, 01:15 PM
Here is a good link as well.
http://groups.yahoo.com/group/opendiag/
Slappynuts
05-22-2006, 01:17 PM
Originally posted by SAGTI
What about my post above about the chip replacement.
It's reading and writing to a different location. We can make the read/write for any part of the file we want I believe.
SAGTI
05-22-2006, 01:20 PM
How do we find the correct address to start at zero on the correct chip?
transient
05-22-2006, 01:25 PM
I think that logging Lemmiwinks will give a small picture, but not the entire thing since Lemmiwinks deals with portions of the EPROM not directly associated with the maps / checksummed areas.
Note the following from a post by RevoTechnik @ vortex:
Adaptation channels allow VW/Audi dealers to make minor tweaks to engine
operating parameters (e.g. engine idle speed adjustment). These
settings can be modified using the dealer's diagnostic equipment or
VAG-COM.
These settings are stored in a serial eeprom which means the settings
will not be lost if the ECU loses power. This is the same eeprom that
stores data that can change from time to time like diagnostic trouble
codes. This serial eeprom is different from the flash memory chip that
stores the main engine control program, and therefore changes made to
adaptation channels will not affect code checksums.
Here is the actual thread:
http://forums.vwvortex.com/zerothread?id=1191064
The checksum ranges are discussed on the Andy Whittaker site in more detail.
I just wanted to bring this up, but I think we are on the right track...
Slappynuts
05-22-2006, 04:04 PM
Originally posted by SAGTI
So you are saying Lemmiwinks is accessing a file on another chip in the ecu? If so how do we find the correct address to start at zero on the correct chip?
It's just a separate part of the file that's not affected by checksums.
Have any of you guys gone through the Andy Whittaker page and looked at the checksum routine? I have done all the checksums, but to do it by hand it would take forever. He does have enough info there to do it yourself though. Who wants to write a GUI for this?
inivid
05-22-2006, 04:08 PM
Originally posted by Slappynuts
It's just a separate part of the file that's not affected by checksums.
Have any of you guys gone through the Andy Whittaker page and looked at the checksum routine? I have done all the checksums, but to do it by hand it would take forever. He does have enough info there to do it yourself though. Who wants to write a GUI for this?
since I can't catch you on AIM, you've got PM @ the Tex regarding this. :nice:
transient
05-22-2006, 04:10 PM
I've done checksum code in the past on PIC's.. Doing the checksum in a console application wouldn't be hard.. and then later it could be added to a GUI once the code is bulletproof..
I'll have to look through the Whittaker site to check all the details, but I'll volunteer to do this checksum operation :beer:
Slappynuts
05-22-2006, 04:21 PM
Originally posted by transient
I've done checksum code in the past on PIC's.. Doing the checksum in a console application wouldn't be hard.. and then later it could be added to a GUI once the code is bulletproof..
I'll have to look through the Whittaker site to check all the details, but I'll volunteer to do this checksum operation :beer:
There are many, many different types of checksums involved in these files.
As soon as we get someone to host a chip file I will start working with you guys on the layout of motronic chip files. Until then here is a nice free hex editor that people can download to get into the operation.
http://www.x-ways.net/winhex/index-m.html
Slappynuts
05-22-2006, 04:24 PM
test hosting of chip file.
No worky I guess. I'm stupid like that. :drunk:
WhiteG60
05-22-2006, 04:53 PM
www.whiteg60.com/3510_441_ORI.zip
This is the dump that Shad sent me. It's from an AUQ engine that is purportedly a clone of the AWP engine.
transient
05-22-2006, 05:10 PM
How'd he pull the file?
SAGTI
05-22-2006, 05:11 PM
Visual Basic is not good at binary files I am finding out. But I am slowly learning. Is there anyone who can write a control in another language that I can use in VB to get at the binary?
I see winols opens the AUQ engine file and even identifies it as a ME7.5 file. Get it here if interested.
Slappy - how about giving us the info about the file structure now we all have access to the AUQ file.
SAGTI
05-22-2006, 05:16 PM
www.evc.de
Sorry rather get it here.
silvercar
05-22-2006, 06:21 PM
Originally posted by SAGTI
www.evc.de
Sorry rather get it here.
that link isn't working for me :confused:
inivid
05-22-2006, 06:31 PM
Originally posted by silvercar
that link isn't working for me :confused:
WinOLS (http://www.evc.de/en/download/down_winols.asp)
it's just a demo though. :cry2:
WhiteG60
05-22-2006, 06:37 PM
hey everybody. If you have any files you want hosted, send me them @ icase81@mac.com and I'll put them here:
www.whiteg60.com/ME7
Already I have there some files that might be useful. Take a look and see what's there.
inivid
05-22-2006, 06:41 PM
i don't suppose you could throw up an index in a text file, listing files with an explanation, could you? that way we know exactly what we're looking at. it would help out. :nice:
macsperformance
05-22-2006, 07:20 PM
Hi Guys!
I like what I see here. I am not good with code as some of you guys seem to be. I do understand the other half of this process (tuning). I would like to offer my services to help finish the end product when you guys get this figured out.
Thank You
Chris Macellaro:)
transient
05-22-2006, 07:23 PM
neat..
Any group discount on taking any of the EFI101 courses :P
Any words of wisdom on our pursuits?
silvercar
05-22-2006, 07:40 PM
Chris was one of the two awesome tuners i mentioned having close by... So as this comes into fruition, I will gladly be a dyno Guinea... :D
macsperformance
05-22-2006, 08:04 PM
Originally posted by transient
neat..
Any group discount on taking any of the EFI101 courses :P
Any words of wisdom on our pursuits?
Unfortunately I am not the person who could help you with a group discount. A gentleman by the name of Chris Cline may be able to help you sir. His contact number is 1-866-316-7744.
I am personally very very excited to see something like this come together. It looks as though the group assembled here can definitely make this a reality. Again please let me know how I can help you guys with the end process. And when you get close to a working interface and have any questions about the functionality of the program/interface with the end user please let me know.
thank you sir
Chris Macellaro:)
macsperformance
05-22-2006, 08:06 PM
Originally posted by silvercar
Chris was one of the two awesome tuners i mentioned having close by... So as this comes into fruition, I will gladly be a dyno Guinea... :D
Thank you!
I would be more than glad to use your car as proof to these guys' success.
Chris Macellaro:)
TwinTurbo_SE7EN
05-22-2006, 11:20 PM
I can write it in C. It will, however, be a while until I can get into it. I'm on vacation right now.
WhiteG60
05-22-2006, 11:22 PM
Originally posted by inivid
i don't suppose you could throw up an index in a text file, listing files with an explanation, could you? that way we know exactly what we're looking at. it would help out. :nice:
I'm working with John now on doing a wiki-style page where you can add or modify or delete files by end users. It'll have a link to the file, and a description.
danzig20v
05-23-2006, 12:02 AM
i just talked to my friend
who is a programming major
and he's willing to help out, i'm gonna get him everything i have
see if he can get somewhere
WhiteG60
05-23-2006, 12:17 AM
www.whiteg60.com/motronic
If anyone has files to upload, upload them here.
PS: I'm gonna trust you guys not to be stupid with this. It's 100% open and free of restrictions. Please do not make me lock it down with login and passwords.
Slappynuts
05-23-2006, 02:00 AM
I have looked at the maps and I can tell what the maps are by general looking at them, but they are missing some of the usual map structure Motronic has. This is probably part of the load calculation that I have just started to look at. I am only seeing one of the usual map scalers.
SAGTI
05-23-2006, 05:49 AM
Slappy, are you using the WINOLS demo? It shows 51 potential maps! Do any of those look right to you? If we can identify the real maps out of the 51 it would be great. I have managed to get VB to read in the Binary file but it takes a long time due to VB's inability to deal with Binary and Hex very well. If I could read in only what is needed it would be much better! I can edit only those parts of the file then save the new binary file.
Slappynuts
05-23-2006, 10:24 AM
I can tell by looking at the maps what they are for, they just lack some of the Motronic structure that I am used to. I can only identify one of the usual map descriptors. I suspect that the other one is a load function that's located elsewhere in the file. This could take me a while to figure out. It would be easier if I had a stock file and a tuned file to compare it to.
SAGTI can you send me what you have going right now and then I can pull a tuned file and look it over?
Slappynuts
05-23-2006, 10:30 AM
I have looked at the winols demo and have tried it out before. I'll go download it now and look at the maps. I can tell you what they look like to me.
Slappynuts
05-23-2006, 11:00 AM
OK I just figured it out. I'll fill everyone out later today.
transient
05-23-2006, 12:15 PM
neat..
SAGTI
05-23-2006, 03:39 PM
I only have that file from Shad. I have no way of pulling a file off my car. That file is a stock one I thought?
Sounds like you have figured something anyway.
transient
05-23-2006, 04:03 PM
the seat leon file should be a stock file slappy...
as soon as we figure out how to read and write through the OBDII port I can get you 2 revo BT files, and a APR-ko3 file..
silvercar
05-23-2006, 04:41 PM
Ok... at the risk of sounding stupid...
could we not get two identical ecus, one tuned, one stock. and copy them both and compare with say a simple 'if/else' statement that would flag all of the differences?
Sorry, my programming knowledge is very limited. But it seems like that would be the fastest way to spot all of the changed locations.
Is there a reason we can't do that?
Slappynuts
05-23-2006, 04:46 PM
Yes silver that's what we can do. I can also break down the maps to timing advance and variation from stoich for the main fuel maps. I can also scale the blocks for rpm and MAF flow.
Then all we need to do is write a definition file for tuner pro, and find someone who can write a GUI for the checksums.
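The stock-versus-tuned comparison proposed above, as an added example that is not part of the thread: a C routine that reports contiguous changed regions between two images of equal size, merging changes separated by a few identical bytes so that an edited map shows up as one region. The images, offsets and the `max_gap` parameter are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 64  /* constructed sample size, far smaller than a real dump */

struct diff_region {
    size_t start;    /* offset of the first differing byte */
    size_t length;   /* first to last differing byte, inclusive */
    size_t changed;  /* how many bytes inside the region really differ */
};

/*
 * Compare n bytes of a and b. Differences separated by at most max_gap
 * identical bytes are merged into one region. At most max_out regions are
 * stored in out; the return value is the total number of regions found.
 */
size_t diff_regions(const uint8_t *a, const uint8_t *b, size_t n,
                    size_t max_gap, struct diff_region *out, size_t max_out)
{
    size_t count = 0, i = 0;

    while (i < n) {
        if (a[i] == b[i]) {
            i++;
            continue;
        }
        size_t start = i, last = i, changed = 1;
        for (i = i + 1; i < n; i++) {
            if (a[i] != b[i]) {
                last = i;
                changed++;
            } else if (i - last > max_gap) {
                break;          /* run of identical bytes too long: region ends */
            }
        }
        if (count < max_out) {
            out[count].start = start;
            out[count].length = last - start + 1;
            out[count].changed = changed;
        }
        count++;
    }
    return count;
}

/* Build a constructed "stock" image and a "tuned" copy with two edits:
 * some cells of a table at 0x10 and a two-byte checksum at 0x3E. */
void build_constructed_images(uint8_t *stock, uint8_t *tuned)
{
    static const size_t cells[] = {0x10, 0x11, 0x13, 0x14, 0x17};

    for (size_t i = 0; i < IMAGE_SIZE; i++)
        stock[i] = (uint8_t)(i * 7);
    memcpy(tuned, stock, IMAGE_SIZE);
    for (size_t k = 0; k < sizeof cells / sizeof cells[0]; k++)
        tuned[cells[k]] = (uint8_t)(tuned[cells[k]] + 3);
    tuned[0x3E] ^= 0xFF;
    tuned[0x3F] ^= 0xFF;
}

int main(void)
{
    uint8_t stock[IMAGE_SIZE], tuned[IMAGE_SIZE];
    struct diff_region r[8];

    build_constructed_images(stock, tuned);
    size_t n = diff_regions(stock, tuned, IMAGE_SIZE, 4, r, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("0x%04zX..0x%04zX  %zu of %zu bytes changed\n",
               r[k].start, r[k].start + r[k].length - 1,
               r[k].changed, r[k].length);
    return 0;
}
```

A small region that changes alongside a larger one is the pattern to expect from a checksum being recomputed after a map edit.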
silvercar
05-23-2006, 05:38 PM
Originally posted by Slappynuts
Yes silver that's what we can do. I can also break down the maps to timing advance and variation from stoich for the main fuel maps. I can also scale the blocks for rpm and MAF flow.
Then all we need to do is write a definition file for tuner pro, and find someone who can write a GUI for the checksums.
is it going to be possible to write for a larger map and can the maf altogether?
I'm not trying to put the cart in front of the horse... just curious
SAGTI
05-23-2006, 06:06 PM
Slappynuts, have you identified any maps relating to the MAP sensor? There must also be some for throttle position, or am I being stupid?
I am making slow progress with communicating with the ecu. It looks like I need to use the DTR and CTS lines through the RS232 for communicating at non RS232 Baud Rates. It looks fairly complex for that reason. For example to transmit a Byte of data at a given KWP2000 rate by changing dtr lines high for x time then low for x time etc. X time defines the rate. Hope this makes sense. What do you guys think? Luckily I think it only does this when establishing a connection.
transient
05-23-2006, 06:15 PM
I remember reading somewhere in the lemmiwinks posts that the initial handshakes are at 5hz..
I have some Lemmiwinks references listed at the top of the following thread:
http://forums.vwvortex.com/zerothread?id=1940678
I'll try to dig through this tonight and find that reference..
Slappynuts
05-23-2006, 08:05 PM
Here is a group that is developing a diagnostic tool like vag com.They have a bunch of good info here.
http://groups.yahoo.com/group/opendiag/
transient
05-23-2006, 08:33 PM
Here is some more info along the same lines:
http://www.obddiagnostics.com/obdinfo/info.html
Note the code for the checksum.
SAGTI
05-23-2006, 09:14 PM
http://www.vwfixx.com/forums/index.php?showtopic=15329&hl=lemmiwinks+guid
SAGTI
05-23-2006, 09:31 PM
Anyone know who THEWALLY is on the tex? He seems to have got some info. Check this thread?
http://forums.vwvortex.com/zerothread?id=2542935
transient
05-23-2006, 10:51 PM
thewally is John Wall.
He gave me a spec sheet on an IC that does all the vag protocol stuff..
The company that makes the IC is here:
http://www.ozenelektronik.com/
I'll post the whitepaper up with whiteg60 soon :P
I agree with lemmiwinks potentially leading us nowhere.. but I still think we should explore this communication more fully..
transient
05-23-2006, 11:04 PM
I've rallied John W. and another guy Derek (derekste) from the vortex..
Derek made this site in honor of reverse-engineering the motronic ECU:
http://stealyourface.net/bosch/
there looks to be a strong interest in this and I think it's good that we're finally doing something...
Slappynuts
05-23-2006, 11:15 PM
I can do the tune. The only reason we need the Lemmiwinks is for learning the communication protocol. The rest is pretty easy, and I will enlighten you guys when I get some time. Maybe later this evening if I don't fall asleep first.
derekste
05-23-2006, 11:21 PM
hello, I just thought I would stop by and check out this thread.
don't have a world of time right now, but there has been substantial work on finding maps as well as being able to read/write over the OBD port.
lots of code and maps at this yahoo group (which I might even be the admin of these days)
http://autos.groups.yahoo.com/group/openecu/
read through the archives and see what you guys can find. I can almost guarantee that monitoring port traffic of lemmiwinks will give us nothing useful.
SAGTI
05-24-2006, 11:49 AM
I have found a source for the KWP2000 Flasher Plus. The Guy has promised me it works on ME7.5. The Price is $260.00 with only the OBD cable for VW and $288.00 if we want the other cables for Mercedes etc. He is going to send me the software so I can see for myself that it supports ME7.5. I will keep you updated.
I think this could be the best way to go instead of trying to DIY.
This is apparently a discounted price as I explained that we may all buy one.
We will still have to work on the remapping as all this does is read and write via the OBD2 port.
What do you guys think?
derekste
05-24-2006, 11:55 AM
SAGTI has the right idea. KWP2000 and J2534 are already a standard that is established and documented, no need to reinvent the wheel.
SAGTI, my question to you would be this: Can this device only read, or can it also reflash?
Yes, of course we would still have to identify all the maps and variables, but even if we still had to burn modified files to chips (which I can do, or anyone else who buys a universal programmer). If you have the coin to drop on the reader, I'd say go for it. Mind posting a link to what type it is?
I would also like to get my hands on a few DBW ECUs for the reverse engineering aspect of the project... Ideally I would have a complete ECU+wiring harness+sensors and could trick the ECU into think it is in a running car, and be able to observe the memory space in action. This would make identifying maps trivial.
SAGTI
05-24-2006, 12:06 PM
derekste, Yes it can also reflash. There is no link I can give you, I arrived at this after emailing someone who put me in touch. There are quite a few for sale on ebay, but the info they give is usually not particularly useful.
What do you guys think of the price, worth it or not?
Communicating with this guy is a little slow as English is a small problem for him! But we are getting there.
derekste
05-24-2006, 12:08 PM
$260 seems awful cheap.
Compare to DrewTech's offerings http://www.drewtech.com/
transient
05-24-2006, 12:13 PM
I think around 300 isn't bad to start off with for a kwp2000 programmer..
HOWEVER.. I still think it would be good to be able to do this with a DIY hardware and software kit..
Just need to find that "KWP2000 whitepaper" I keep hearing people reference (like Tony and others who have already been able to do this)
here is some software connection info I found on openecu:
Let's assume you have a KWP2000 connection with your VAG group ECU :)
Then let's go send these messages:
82 : 2 data bytes
01
F1
1A : ISO 14230-3 ReadECUIdentification
92 : systemSupplierSpecific
20 : CRC
The ECU should respond with
87 : 7 data bytes
F1
01
5A : ISO 14230-3 positive reply
92 : systemSupplierSpecific
VV
WW
XX
YY
ZZ
CS : CRC
Now compute the following
ecuid = (VV+WW+XX+YY+ZZ) & 0x3f
Then send:
82 : 2 data bytes
01
F1
27 : ISO 14230-3 SecurityAccessRequest
01 : Request Seed
9C : CRC
The ECU should respond with
86 : 6 data bytes
01
F1
67 : ISO 14230-3 positive reply
01 : Request Seed
WW : Seed MSB
XX
YY
ZZ : Seed LSB
CS : CRC
Now compute the following
seed = (WW<<24)+(XX<<16)+(YY<<8)+(ZZ)
unsigned int table[64] =
{
0x0A221289,0x144890A1,0x24212491,0x290A0285,
0x42145091,0x504822C1,0x0A24C4C1,0x14252229,
0x24250525,0x2510A491,0x28488863,0x29148885,
0x422184A5,0x49128521,0x50844A85,0x620CC211,
0x124452A9,0x18932251,0x2424A459,0x29149521,
0x42352621,0x4A512289,0x52A48911,0x11891475,
0x22346523,0x4A3118D1,0x64497111,0x0AE34529,
0x15398989,0x22324A67,0x2D12B489,0x132A4A75,
0x19B13469,0x25D2C453,0x4949349B,0x524E9259,
0x1964CA6B,0x24F5249B,0x28979175,0x352A5959,
0x3A391749,0x51D44EA9,0x564A4F25,0x6AD52649,
0x76493925,0x25DE52C9,0x332E9333,0x68D64997,
0x494947FB,0x33749ACF,0x5AD55B5D,0x7F272A4F,
0x35BD5B75,0x3F5AD55D,0x5B5B6DAD,0x6B5DAD6B,
0x75B57AD5,0x5DBAD56F,0x6DBF6AAD,0x75775EB5,
0x5AEDFED5,0x6B5F7DD5,0x6F757B6B,0x5FBD5DBD
};
/* five rounds: shift left; when the top bit was clear, also XOR in table[ecuid] */
for (int i=0; i<5; i++)
{
    if ((seed & 0x80000000) == 0)
    {
        seed = (table[ecuid]) ^ (seed << 1);
    }
    else
    {
        seed = (seed << 1);
    }
}
Then send:
88 : 8 data bytes
01
F1
27 : ISO 14230-3 SecurityAccessRequest
02 : Send Key
WW : (seed >> 24 ) & 0xff
XX : (seed >> 16 ) & 0xff
YY : (seed >> 8 ) & 0xff
ZZ : (seed ) & 0xff
00
00
CS : CRC
The ECU should respond with
83 : 3 data bytes
01
F1
67 : ISO 14230-3 positive reply
02 : Send Key
34 : Not sure what this means
12 : CRC
Secure access granted, now you can read/write anything (eeprom etc.)
Enjoy!
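Added example, not part of the original post or of the openecu material it quotes: a C decoder for the frame layout used in the exchange above. In these frames the first byte carries the data length in its low six bits, the next two bytes are the target and source addresses, and the trailing byte labelled CRC is the 8-bit sum of all preceding bytes (0x82+0x01+0xF1+0x1A+0x92 = 0x220, giving 0x20). The function and type names are made up for this example, and `RSP_CORRUPT` and `RSP_NEGATIVE` are constructed frames.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum kwp_status {
    KWP_OK = 0,
    KWP_UNSUPPORTED,  /* header without address bytes, or separate length byte */
    KWP_BAD_LENGTH,   /* length field disagrees with the bytes received */
    KWP_BAD_CHECKSUM  /* last byte is not the 8-bit sum of the others */
};

enum kwp_reply { KWP_POSITIVE, KWP_NEGATIVE, KWP_UNRELATED };

struct kwp_frame {
    uint8_t target;         /* second header byte */
    uint8_t source;         /* third header byte */
    uint8_t service;        /* first data byte: service identifier */
    const uint8_t *params;  /* data bytes after the service identifier */
    size_t nparams;
};

/* Frames copied from the post. */
static const uint8_t REQ_READ_ID[] = {0x82, 0x01, 0xF1, 0x1A, 0x92, 0x20};
static const uint8_t REQ_SEED[]    = {0x82, 0x01, 0xF1, 0x27, 0x01, 0x9C};
static const uint8_t RSP_KEY_OK[]  = {0x83, 0x01, 0xF1, 0x67, 0x02, 0x34, 0x12};
/* Constructed for this example: one altered data byte, and a negative response. */
static const uint8_t RSP_CORRUPT[]  = {0x83, 0x01, 0xF1, 0x67, 0x02, 0x35, 0x12};
static const uint8_t RSP_NEGATIVE[] = {0x83, 0xF1, 0x01, 0x7F, 0x27, 0x35, 0x50};

/* The byte the post labels "CRC": sum of all preceding bytes, modulo 256. */
uint8_t kwp_checksum(const uint8_t *buf, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += buf[i];
    return (uint8_t)(sum & 0xFFu);
}

/* Validate one complete frame and split it into its fields. */
enum kwp_status kwp_parse(const uint8_t *buf, size_t n, struct kwp_frame *out)
{
    if (n < 1)
        return KWP_BAD_LENGTH;
    size_t datalen = buf[0] & 0x3Fu;
    /* Only the layout seen in the post is handled: address bytes present
     * (top bit set) and the length carried inside the format byte. */
    if ((buf[0] & 0x80u) == 0 || datalen == 0)
        return KWP_UNSUPPORTED;
    if (n != 3 + datalen + 1)
        return KWP_BAD_LENGTH;
    if (kwp_checksum(buf, n - 1) != buf[n - 1])
        return KWP_BAD_CHECKSUM;
    out->target = buf[1];
    out->source = buf[2];
    out->service = buf[3];
    out->params = buf + 4;
    out->nparams = datalen - 1;
    return KWP_OK;
}

/* A positive reply echoes the request service id plus 0x40 (1A -> 5A,
 * 27 -> 67 in the post); a negative reply is 7F followed by the request id. */
enum kwp_reply kwp_classify_reply(uint8_t request_service,
                                  const struct kwp_frame *reply)
{
    if (reply->service == (uint8_t)(request_service + 0x40u))
        return KWP_POSITIVE;
    if (reply->service == 0x7F && reply->nparams >= 1 &&
        reply->params[0] == request_service)
        return KWP_NEGATIVE;
    return KWP_UNRELATED;
}

static void show(const char *name, const uint8_t *buf, size_t n)
{
    struct kwp_frame f;
    enum kwp_status st = kwp_parse(buf, n, &f);
    if (st != KWP_OK) {
        printf("%-12s rejected (status %d)\n", name, (int)st);
        return;
    }
    printf("%-12s target=%02X source=%02X service=%02X params=%zu\n",
           name, f.target, f.source, f.service, f.nparams);
}

int main(void)
{
    show("REQ_READ_ID", REQ_READ_ID, sizeof REQ_READ_ID);
    show("REQ_SEED", REQ_SEED, sizeof REQ_SEED);
    show("RSP_KEY_OK", RSP_KEY_OK, sizeof RSP_KEY_OK);
    show("RSP_CORRUPT", RSP_CORRUPT, sizeof RSP_CORRUPT);
    show("RSP_NEGATIVE", RSP_NEGATIVE, sizeof RSP_NEGATIVE);
    return 0;
}
```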
Slappynuts
05-24-2006, 03:22 PM
Compile it and run it.
transient
05-24-2006, 03:29 PM
Originally posted by Slappynuts
Compile it and run it.
believe me.. I want to.. but this assumes a lot, specifically:
Let's assume you have a KWP2000 connection with your VAG group ECU
need information on baud rate, parity bits, start/stop bits.. bla bla bla..
I'm still trying to dig around the net for the KWP2000 ISO9141 document and other related whitepapers on this protocol: it's not like a computer automatically vomits this format out an RS-232 port.
If anyone has the ISO or good low-level details on the K-wire protocol, please contribute here, or shoot me a gmail : transient.analysis
Slappynuts
05-24-2006, 03:32 PM
We need to pull a log off the kwp2000 programmer. We would have to run a split cord with another diag port on it and run that into another computer through the vag com cable.
transient
05-24-2006, 03:32 PM
oh yeah.. this iso standard too: ISO14230-44
SAGTI
05-24-2006, 03:50 PM
To setup a KWP2000 connection will be the same as what we have seen with Lemmiwinks. I think the first part is done at Baud 5 which you cannot set a RS232 port to. This is why the circuit in the vag cable will use the DTR or CTS line for this part.
From the Log of lemmiwinks:
23 01:23:28 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_OFF Serial0 SUCCESS
24 01:23:28 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
25 01:23:29 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_OFF Serial0 SUCCESS
26 01:23:29 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
27 01:23:29 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
28 01:23:29 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
29 01:23:29 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_OFF Serial0 SUCCESS
30 01:23:30 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
31 01:23:30 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
32 01:23:30 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_ON Serial0 SUCCESS
33 01:23:30 Lemmiwinks.exe IOCTL_SERIAL_SET_BREAK_OFF Serial0 SUCCESS
The timing between on and off will be calculated on the baud 5 speed.
transient
05-24-2006, 05:31 PM
Maybe this is a dumb question..
but is a VAG-COM cable "connected" via the kwp2000 protocol when the light is green?
If so, tossing some bits through the serial port may be somewhat easier..
SAGTI
05-24-2006, 05:43 PM
I have a cable I made myself, so I don't know about the LEDs on the commercial units, but most of the stuff on VAG is KWP1281. You can see the protocol being used at the top of the screen in VAG.
Slappynuts
05-24-2006, 07:14 PM
OK now there is another connector for the actual load. The vag com cable has been used by the subaru guys to pull the file, but they need another type to reflash. Here is the connector.
http://tactrix.com/
Slappynuts
05-25-2006, 02:01 AM
OK so vag com goes into the main file and retrieves the software code right after it does the handshake. What if we do the loop there and run it to download the whole file?
SAGTI
05-25-2006, 04:02 AM
I will look into the Vag-com thing, I was thinking the same thing when I noticed my ecu code has changed from 06A 906 032 HP to 06A 906 032 HK since they changed my chip. The only problem I see with this is I read on the post about lemmiwinks (the one I posted before) that the VAG protocol does not allow you to write.
Can you see in the file whereabouts the code is stored? I see WINOLS decodes and displays this as well.
Slappynuts
05-25-2006, 11:56 AM
My stupid hex editor won't load the whole file, so I'll have to find another one. It should be later today.
transient
05-25-2006, 02:10 PM
Slappy, check out Hexplorer. It can load files up to 20MB+ (done this in the past with video files):
http://artemis.wszib.edu.pl/~mdudek/
Also, it appears that the subi guys also have to deal with the 5baud handshake BS. This may handle the "loop" of reading the eeprom that we're seeking. Here is some more reading material (and BASIC coding for you to plop down and run):
http://forums.openecu.org/viewtopic.php?t=8
I'll be digging through the source code on EcuFlash (the older console version) tonight and seeing if I can find the exciting handshaking part in the C-code for EVOs / Subi.
TONS of information is on openECU.org and I recommend taking a look so that you guys know what we need to catch up to (or maybe take advantage of).
derekste
05-25-2006, 02:38 PM
I really think you guys are barking up the wrong tree here.
Order of importance:
1. Ability to identify and modify maps, calculate checksums, and achieve what GIAC/REVO/APR/Uni/etc have already done.
The reason we want to do this first is because it is the goal of the project: being able to tweak the ECU. It is trivial to socket your ECU and burn chips for it (hell, I think Unitronic still does this, but I have yet to see a Uni ECU)
2. HW Signal conditioning, load calculation... basically go beyond the maps and analyze how exactly the maps are used (this is where WinOLS becomes most useful). This involves disassembly of the "operating system" or whatever you want to call it. Do this, and you can figure out exactly how loads are calculated, the timing advances/decrease formulas, and then things just start to get interesting.
3. Being able to flash over OBDII port. This is pretty much an ease of use feature. Sure, having this would make testing and whatnot easier... but this is a very low priority in the scheme of things.
just my $.02. I put up a WTB ad on vortex for VW ECUs/Wiring harnesses if anyone wants to go my route.
macsperformance
05-25-2006, 02:45 PM
I am very excited to see what is going on here. I feel derekste has some very valid points. Other people have already made this happen. With all of the talented people in this thread little things sometime can be overlooked. Let us not overlook the small stuff.
Chris Macellaro:)
transient
05-25-2006, 02:53 PM
hey Derek
I think I'd have to disagree with you on the importance of OBDII flashing.
Slappy appears to know what he's doing with looking into the maps and seems to be able to identify the precise locations of key tuning parameters... he just needs more of a database of ECU files to go through to really know what's going on between the different 1.8t's.
Making it so that anyone with a vag cable or generic OBDII cable can yank a rom out of an ECU will open the floodgates to lots and lots of ECU info. It will also spark more interest from people who already have a background in EFI tuning once the eeprom reading/writing is made easier.
I don't disagree with your goals of the project, I just believe that doing the OBDII stuff should be tackled first :)
also, if you want to get a stock ECU I'd suggest looking at www.car-parts.com which will search for the ECU you want at junkyards around the nation.. I've purchased 2 ecu's from these guys for $120 and $200 shipped for LP ECU's to give you an idea of cost.
one last thing.. you may not need a stock harness if you want to connect the ecu to a bench.. you can use old IED cables instead for portions of the connectors (depending on what you want to do of course :) )
Slappynuts
05-25-2006, 02:54 PM
I already do my own motronic tuning and know most of the tuning end of the spectrum so we don't really have to worry about that part of the equation. If you guys want to know anything on any specific map from winols on the file we are using, ask away. I'll scale it for you and tell you what it is for.
transient
05-25-2006, 03:05 PM
Originally posted by Slappynuts
I already do my own motronic tuning and know most of the tuning end of the spectrum so we don't really have to worry about that part of the equation. If you guys want to know anything on any specific map from winols on the file we are using, ask away. I'll scale it for you and tell you what it is for.
see.. that's why I'm focused on the OBDII approach :)
It took me awhile to realize that slappy does have the skillz to tune the stuff, but once I did I figured it would be best to focus my efforts in an area not yet covered for the open source VW scene.
although soldering a socket to use chips is an option, I still feel the OBDII approach is a far better option :)
derekste
05-25-2006, 03:08 PM
Originally posted by transient
see.. that's why I'm focused on the OBDII approach :)
It took me awhile to realize that slappy does have the skillz to tune the stuff, but once I did I figured it would be best to focus my efforts in an area not yet covered for the open source VW scene.
although soldering a socket to use chips is an option, I still feel the OBDII approach is a far better option :)
slappy, have you looked at the program that professorquail was working on with the openecu yahoo group?
He had a visualizer written up in C# or .Net something and had a system for defining maps for certain ECU models, iirc. Also, the openecu group had lots of .bins from lots of ECUs. I think I have a bunch at home that could be useful... (it's called BinReader, it and its source are in the files section)
If you have already identified some of the maps, if you could publish that information in a formal manner, I could start coding a GUI (I didn't get involved in professorquail's one, and have a better idea anyways!)
Slappynuts
05-25-2006, 04:57 PM
I will when I get some time.
SAGTI
05-25-2006, 07:18 PM
Slappy, when you do get the time to put something about the maps up, for now could you just give the address ranges as found in winols and the names/ranges of the three axes in the winols 3d map view? This will give the guys that don't know too much about ecu maps a good starting point to understanding how they work.
Does tunerpro do pretty much the same thing as winols in this regard? - once we can give it the definitions it needs. Or is it completely different?
Slappynuts
05-25-2006, 08:54 PM
Tunerpro will do most of what winols will do. You do however need to write your own definition file. I use this program on all the OBD1 cars. This coming week I have to tune a 93 bmw 318 we are putting a GT28rs in and 42# injectors.
SAGTI
05-25-2006, 09:22 PM
Slappy - do you know what it means to put the ECU into Boot Mode? The reason I am asking is that the KWP2000 flasher Plus unit says it supports the VW/AUDI ME7.x in boot mode.
While I am on the subject, what do you think of us getting some money together between us and buying one of these units. We could then log what that does to get what we want.
SAGTI
05-25-2006, 09:40 PM
I have found the location of the 06A906032HP in the file as well as the location of the adaptation settings in the binary file we have been working on. The 06A906032HP is at address 11242 - 1124C. The lemmiwinks settings are at 15A3B and the next 14.
For the 06a906032hp it works like this
0=30.....9=39
a=41.....z=5a
The problem remains working out how to get to this. VAG-COM uses a completely different way of communicating. This is why VAG-COM cannot set some of the adaptation values - the ECU just won't let it write using the KWP1281 protocol.
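The byte mapping in the post above (0x30-0x39 for digits, 0x41-0x5A for letters) is plain ASCII, so the identifier can be read straight out of a dump. The following is an added example, not code from the thread: the offsets and the 06A906032HP string come from the post, while the image built here is a constructed stand-in and the part-number pattern used by the scanner is an assumption generalised from that single identifier.

```python
import re

# Offsets quoted in the post (hex, inclusive) for the 06A906032HP image.
ID_START = 0x11242
ID_END = 0x1124C

# Assumed shape of a VAG-style part number, generalised from the single
# example on the page: 3 alphanumerics, 6 digits, 0-2 suffix letters.
PART_RE = re.compile(
    rb"(?<![0-9A-Z])[0-9][0-9A-Z]{2}[0-9]{6}[A-Z]{0,2}(?![0-9A-Z])"
)


def is_id_byte(b):
    """True for the byte values the post lists: 0x30-0x39 and 0x41-0x5A."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A


def read_part_number(image, start=ID_START, end=ID_END):
    """Decode the identifier stored at start..end (inclusive)."""
    if len(image) <= end:
        raise ValueError(
            "image is %d bytes, field ends at 0x%X" % (len(image), end)
        )
    field = image[start:end + 1]
    bad = [hex(start + i) for i, b in enumerate(field) if not is_id_byte(b)]
    if bad:
        raise ValueError("non-identifier bytes at " + ", ".join(bad))
    return field.decode("ascii")


def find_part_numbers(image):
    """Scan the whole image for identifier-shaped strings.

    Useful when another file keeps the field at a different offset.
    Returns a list of (offset, text) tuples.
    """
    return [
        (m.start(), m.group().decode("ascii"))
        for m in PART_RE.finditer(image)
    ]


def build_sample_image():
    """Constructed 128 KiB stand-in for a dump: 0xFF filler plus the ID."""
    image = bytearray(b"\xff" * 0x20000)
    image[ID_START:ID_END + 1] = b"06A906032HP"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print(read_part_number(img))
    for offset, text in find_part_numbers(img):
        print("0x%05X  %s" % (offset, text))
```

The range 11242 - 1124C is 11 bytes inclusive, which matches the 11 characters of 06A906032HP.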
Slappynuts
05-25-2006, 11:14 PM
Nice job SA.. I on the other hand am having some trouble with the map descriptors in the ME7 at the moment. I have not really had much time to look at them though because a couple of weeks ago I broke my leg and I am now trying to catch back up at the shop.
transient
05-26-2006, 12:29 AM
Digging some more on openecu.org forums, I found this good thread on the kwp interface:
http://forums.openecu.org/viewtopic.php?t=115
and then this link for the standards documents on KWP2000:
http://www.alfa145.co.uk/dl.html
Still in research mode before plopping down to code some junk..
SAGTI
05-26-2006, 05:44 AM
Slappy, how about the "Boot Mode" question from my above post?
Slappynuts
05-26-2006, 08:43 AM
I know very little about the boot mode or anything in the communication.
Slappynuts
05-26-2006, 09:39 AM
The file that we are using, what is the redline on this car? Also what is the highest MAF reading you can get to and what voltage is that at?
transient
05-26-2006, 11:22 AM
I want to say that redline is 6500, and the rev limiter is at 7000 (on my Revo BT file the rev is set to 7400)
I also want to say the maf maxes out at 300g/s @ 5v, but that may be bogus too... maybe someone can do vag-com logs of MAF G/s versus voltage??
These numbers, however, are in the right ballpark and should give you something to play with..
SAGTI
05-26-2006, 12:57 PM
If you are talking about the 06A906032HP - the file is from a standard non-chipped car. 180hp.
transient
05-30-2006, 02:47 PM
do you mean HS or LP ecu??
I was added to the opendiag group at yahoo this weekend and they have a few stock roms of different 1.8t engines. It's worth taking a look into..
anyone have any progress from the weekend?
slappy.. you still alive after more vikatan and vodka? Is the leg any better?
SAGTI
05-30-2006, 03:47 PM
I have figured out how to send and receive from the OBD2, busy figuring what must be sent and received when. Transient, do you know if those KWP2000 documents you linked apply to VW as well? I see they are for the "Swedish Implementation".
That ECU number is HP, it is the same as my car before they replaced the chip. My car is now HK. If you write your own chips you can write anything in that field. If you open the file with WINOLS you will see that it actually displays this info as well as the fact that it is a ME7.5 file.
Slappynuts
05-30-2006, 09:20 PM
I have been really busy lately, but I will try to get some info up soon. I still need some time with the ME7 stuff because it is a little different than I am used to. Most of this stuff shows up if you stare at it really hard for a few hours though (I am not kidding here). I think I figured out the rpm scaler and it looks like the MAF scale is set up the same way. I found where it tells you the size of the map you are looking at, but I am still trying to find the structure for the map pointers and the ID#s for the type of map, but I have only spent about an hour looking at it in the last week.
SAGTI
05-31-2006, 03:18 PM
I have seen 3 different ways of initialising the connection, we need to find out what the differences are. Andy Whittaker says send 33 to the ecu, another web site says to send the address of the controller you want to talk to, and lemmiwinks sends 3B. These are all done with the 5 baud.
There is just so little real solid info about this stuff out there. It would be great if one of us had a "connection" at VW who could get us the VAG KWP documentation.
transient
05-31-2006, 03:44 PM
I'm pretty darn sure that the swiss version of the KWP documents is practically identical.. I plan to read through all the documents in detail once work lets up a bit..
if really necessary I can buy the standards from ISO.. they're like 80 bucks each..
also something to play with is all the "KWP" stuff you can find on edonkey or emule networks.. there are a few tools there that I think we can log to find out the details of the initialization process.. and then we can do the "log-in" process as I posted earlier (with the seed and handshakes)
lots of stuff to do... and I have some more roms for you slappy.. I'll get them to you in an email.
Slappynuts
05-31-2006, 05:23 PM
Instead of pulling the ecu ID we should try to pull something else. If we can do that then we should be able to make a loop to pull each byte.
Slappynuts
05-31-2006, 05:25 PM
Is there something in the logs that sends it to the address of the ecu ID? Send it somewhere else next time?
SAGTI
05-31-2006, 06:33 PM
Slappy, I hope I have not misled you guys with the progress I am making over here. I have NOT managed to pull anything from the ECU yet. If I do I will post with plenty smilies and sh1t!!
What I meant in my previous post is that I found the place where the info is stored in the binary file which we have been looking at with WINOLS and worked out how it is encoded into HEX data.
Communicating with our ECU via the OBD2 port is by no means easy! And to make matters worse, info on the subject is like hen's teeth. Then when you do find info in a couple of places - the info does not agree.
This is why I made the suggestion that the best option may be to purchase the KWP2000 Flasher Plus system I talked about. If it works I know I would be prepared to buy one for myself in order to be able to load our maps we develop in this forum.
I suggested we put some money together between us to buy one unit which we can test. If it works we can organise everyone a unit or whoever wants one. Some of the guys may rather remove their chip and program it that way.
Have you seen the FAQ at Ross-tech's web site where they state that they gave up on the idea of flashing the eeprom due to encryption and licensing issues? They decided it was too difficult for them to do!!
For these reasons I think we may be farting against thunder trying to do it ourselves.
Don't get me wrong, I am still doing my level best as I like the idea of doing it ourselves.
SAGTI
05-31-2006, 08:24 PM
Transient, I had a look at the openecu yahoo group, there is a fair amount of good info there. I am especially interested in that info regarding SECURE ACCESS that you pointed out. It all makes sense and seems to agree with the KWP2000 documents. My problem is with the programming language it is using to do the calculations using that table. Is that C or what? If you understand what it is on about, would you mind explaining it so I can try and see if I can achieve the same result using VB?
Slappynuts
05-31-2006, 08:35 PM
I wish I could help more on this part, but I am not a programmer or interface guy. I understand how a lot of this stuff works however.
Now wouldn't you need this type of access to get the ecu coding info when you initiate the conversation with the vag com? This is the part that I don't understand. Vag com goes in and pulls out the info off the file at the location that seems to be the same for all ME7 stuff. Right?
Slappynuts
05-31-2006, 08:41 PM
OK let's try this. Can we write our own interface to go into the chip file and pull the software code out? We need to have the handshake info and then whatever the vag-com does to pull the info out to get that info. We should be able to see this part in the logs from the port logger.
Am I missing something?
Slappynuts
05-31-2006, 08:47 PM
The reason why others were going to have trouble with encryption is because of the hellacious checksums. I had all this figured out at one point and could do it again with the Andy Whittaker checking program. I could do it manually and then check it with his free program.
SAGTI
05-31-2006, 09:16 PM
Slappy, there are a couple of problems, I don't think vag-com gets the info from the eeprom, it seems to get it from the ECU which has got it from the eeprom - in other words I think the ECU has a working RAM like a computer. Vag-com and Lemmiwinks seem to be able to access the RAM but not the eeprom. When you change a setting with lemmiwinks, all it does is change the setting in the "RAM" of the ecu, then when you turn off the key, the ECU then writes the new info to the eeprom.
To make matters worse, I don't think vag-com can help us as the protocol it uses is not allowed to write certain info to the ECU or even access half the available functions - only the diagnostic stuff. You can demo this to yourself by trying to change adaptation values with vag-com, it won't let you change most of them, even though they are what lemmiwinks is actually changing, lemmiwinks is just using a different protocol (KWP2000) which allows this.
Also logging info helps get an idea, but only gives a small picture. The reason for this is that to gain access to the functions we want there are security SEEDS and Tables we would need in order to gain access (Passwords if you like). From what I have gathered these are calculated from things like the ECU's ID and seed values it sends you, you then use these seeds to look up another seed in a table so that you can respond correctly.
Transient found some info on these tables, which is what I asked him about in my last post. That is if that table even relates to our ECUs.
If we figure out how to gain access, the next problem will be what "commands" to send to the ecu to read and write data as well as what the addresses are for the eeprom.
Slappynuts
05-31-2006, 11:02 PM
The ecu is still fetching the info from the eeprom. There has to be something in the exchange from the processor and the laptop that indicates the addresses that hold the software info. That's the only thing that would explain the code changing when people chip these things.
If we look at the logs where it is looking at the location where this software code is, the read function should be right there as well. Right?
SAGTI
06-01-2006, 05:57 AM
With vag-com, that info is fetched by a command that tells the ECU to start sending that info, not by addressing that info!
The software info is definitely stored on the eeprom, like you are thinking, the problem is that when you turn on the key and the ECU "wakes up" it reads certain info into its "RAM" from the eeprom - Then the programs we have get that info from the "RAM" and NOT from the eeprom.
Do you see what I mean? It is not that the ECU fetches the info when you request it. It is just part of what the ECU does to start running the car.
VW has hidden the eeprom behind "PASSWORDS" (seeds and lookup tables) to stop people doing what we want to do. We need accurate info about that.
The KWP2000 protocol also makes provision to lock up the ECU in the event that someone tries to gain access and gives the wrong info. This can be a simple timed lockup or it could be permanent and a visit to a Stealership may be necessary to get the car going again, it all depends on how VW implemented this.
Slappynuts
06-01-2006, 09:41 AM
Ok ic. My penis is fucking enormous. I'll see what I can do.
SAGTI
06-01-2006, 10:08 AM
Cool
transient
06-01-2006, 12:24 PM
SAGTI.. you're coming to the same conclusions I am about establishing a "secure connection" with an ECU: it's difficult and not verified on a VW. That snippet I posted earlier is more "pseudo code" than VB or C code.. although the variable declarations look like C. Once I get some time I'll see if I can write some test code that does all the logon information with random test data.. then I'll work on the serial interface comms.
I think playing with and logging the KWP2000 + flasher may get us closer, but I recall people having difficulty pulling files off of VAG cars with this. I think this is something still worth trying, and I'd be more than happy to purchase one of these for myself. I think we would all benefit from having similar equipment so that we can verify results from each other.
There were a couple programs on emule/edonkey that -appear- to do the same thing as the KWP2000 + flasher with a generic OBDII interface.. but I haven't verified this yet... my car laptop died on me before I could play with it. I'd highly recommend digging through the P2P area to gain more information from the crazy german guys that have already hacked this kwp stuff.
Do you guys know the memory map layout of the ME7 EEPROM?
SAGTI
06-01-2006, 06:15 PM
Transient, what did you search for on the P2P?
transient
06-01-2006, 06:17 PM
- kwp2000
- kwp
- VAG
- obd
- obd2
- obdII
- chiptuning
...
etc..
The biggest hits were for the kwp items..
SAGTI
06-01-2006, 06:24 PM
I am on it, the only problem is my broadband in South Africa is shaped which means P2P does not work very well.
SAGTI
06-01-2006, 06:34 PM
I have managed to write a program that communicates perfectly with the ECU. The format is completely different to that document you (Transient) posted about gaining secure access. I managed to work out how to send the messages correctly, but the ECU just responds with the negative response, Hey - at least it responds with the negative response correctly!
At least I have got comms with the ECU! Now we just need the correct info to get what we want.
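The posts above mention a negative response from the ECU and a lockup after a wrong security answer; both show up as a response code inside the reply frame. The following is an added example, not SAGTI's program: it assumes the generic ISO 14230 framing (format byte, optional addresses and length byte, data, 8-bit sum checksum) and a subset of the ISO 14230-3 response-code names, which the thread itself says may differ from VW's implementation. The addresses 0x10 and 0xF1 and all sample frames are constructed.

```python
from typing import NamedTuple, Optional

# Subset of negative response codes as named in ISO 14230-3.
NRC_NAMES = {
    0x10: "generalReject",
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported-invalidFormat",
    0x21: "busy-repeatRequest",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied-securityAccessRequested",
    0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
    0x78: "requestCorrectlyReceived-ResponsePending",
}
# Codes that mean the ECU is rate-limiting or locked: a tool should stop.
LOCKOUT_CODES = {0x36, 0x37}


class Frame(NamedTuple):
    target: Optional[int]
    source: Optional[int]
    data: bytes


def checksum(body):
    """8-bit sum of every byte before the checksum byte."""
    return sum(body) & 0xFF


def build_frame(target, source, data):
    """Physically addressed frame; used here only to construct samples."""
    if not 1 <= len(data) <= 63:
        raise ValueError("data must be 1..63 bytes for an in-header length")
    body = bytes([0x80 | len(data), target, source]) + bytes(data)
    return body + bytes([checksum(body)])


def parse_frame(raw):
    """Validate length and checksum, return the addresses and data bytes."""
    if len(raw) < 3:
        raise ValueError("frame too short")
    mode, length, idx = raw[0] >> 6, raw[0] & 0x3F, 1
    target = source = None
    if mode == 1:
        raise ValueError("exception-mode header not handled in this example")
    if mode in (2, 3):  # header carries target and source addresses
        target, source, idx = raw[1], raw[2], 3
    if length == 0:  # length lives in a separate byte after the header
        if idx >= len(raw):
            raise ValueError("missing length byte")
        length, idx = raw[idx], idx + 1
    if length == 0 or len(raw) != idx + length + 1:
        raise ValueError("length field does not match frame size")
    if checksum(raw[:-1]) != raw[-1]:
        raise ValueError("bad checksum")
    return Frame(target, source, bytes(raw[idx:idx + length]))


def classify(raw, request_sid):
    """Label a reply to request_sid as positive, negative or unexpected."""
    data = parse_frame(raw).data
    if data[0] == 0x7F:
        if len(data) < 3:
            raise ValueError("negative response needs service id and code")
        code = data[2]
        return {
            "kind": "negative",
            "sid": data[1],
            "code": code,
            "name": NRC_NAMES.get(code, "unknown"),
            "stop_retrying": code in LOCKOUT_CODES,
        }
    if data[0] == (request_sid + 0x40) & 0xFF:
        return {"kind": "positive", "sid": request_sid, "payload": data[1:]}
    return {"kind": "unexpected", "sid": data[0], "payload": data[1:]}


if __name__ == "__main__":
    # Constructed reply: ECU 0x10 -> tester 0xF1, service 0x27 rejected.
    reply = bytes.fromhex("83f1107f27355f")
    print(classify(reply, 0x27))
```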
transient
06-01-2006, 06:41 PM
woah.. that's good news..
do you mind sharing your source code?
SAGTI
06-01-2006, 06:52 PM
The source is a real mess at the moment as I have been adding stuff as I go along. Do you have VB5 or VB6? I don't mind sending the source to you.
If you want to change something you send to the ecu you have to change it in the code. As I said it's a real mess, but if you know vb you should be able to follow what's happening.
transient
06-01-2006, 07:05 PM
I'm more than happy to look at it to try it out on my system.. I'd be happy to help clean it up too..
I have access to VB5/6
SAGTI
06-01-2006, 07:33 PM
Done
Slappynuts
06-02-2006, 12:11 AM
Can you send it off to turbomk1us@yahoo as well?
SAGTI
06-02-2006, 06:53 AM
Done
Slappynuts
06-05-2006, 10:05 AM
Here is a good thread on tuning motronic.
http://www.and1c.com/forums/showthread.php?t=21
SAGTI
06-05-2006, 01:24 PM
Slappy, does WINOLS not show all the maps? In that file we are looking at it shows 51 potential maps. Do those look like some of them and are there more? Most of them look like maps if you look at them in 3d mode - but I am no expert.
On the OBD flashing front, I have made some progress - I can get the ecu into a "diagnostic programming mode" which sounds good but I cannot give the ecu any other commands after that.
But I think the documentation we have for the KWP2000 protocol is different to the way VW implements the system. You can see that the way you must send data to the ecu is different and the responses it gives back are different.
So, if we can get the documentation for the VAG implementation of the KWP2000 protocol, then I can write a program to communicate and get what we want. Without that I think we are not going to win.
The only other possibility is to buy a commercial unit, then log what it does, then try to write a program that can do the same with our interfaces. For example I can write a program that can do what lem does now. Not that there is any point in doing that!
One other interesting thing is if we had the documentation for VAG KWP2000, we can write a program that will work similar to VAG_COM except you should get better results because I think KWP1281 uses 9600 baud whereas KWP2000 uses 10400 - you should get better resolution on logs etc. But that can be a future project!
Slappynuts
06-05-2006, 05:03 PM
Winols shows some of the main maps. There are over 600 maps in a me7. There is a section of the chip file that points to all the maps in the ecu.
SAGTI
06-05-2006, 05:11 PM
Do we have to edit them all?
Slappynuts
06-05-2006, 05:44 PM
No. A lot of them are for things like DBW and there are usually sets of 4 or 5 maps that are for different things like ac on and crap like that.
SAGTI
06-05-2006, 05:53 PM
So, is it looking good for being able to write the def file for tuner pro?
Slappynuts
06-05-2006, 09:08 PM
Yea I can do that when I get time. We will need either the Andy Whittaker checksum program or someone will need to write a GUI for the checksum routine.
Slappynuts
06-05-2006, 09:09 PM
Can anyone get me a ME7 2l or vr6 MK4 chip file?
SAGTI
06-05-2006, 09:27 PM
Do you know what the routine is? If so - send it to me on email and I will have a look.
SAGTI
06-05-2006, 09:29 PM
Just a quick warning, I managed to download a few KWP2000 programs from P2P and they all had at least 4 VIRUSES and not one of the downloads had anything to do with KWP2000.
SAGTI
06-05-2006, 09:30 PM
What's happened to INIVID?
BOOSTEDA4
06-05-2006, 10:14 PM
Hey guys just joined, I'll be playing catch-up for a few days but I hope to get a web page set with up-to-date info on what we've figured out and what we're working on. I also have a VAG-COM and may end up with unlimited access to a dyno if things go good for me in the next few weeks. If someone wants to send me info like the actual file that slappynuts is working so we all are looking at the same file and thus addresses and such.
SAGTI
06-06-2006, 10:47 AM
Boosteda4 - you can get the file here - www.whiteg60.com/ME7/3510_441_ORI.zip
transient
06-06-2006, 02:10 PM
Sorry about that you got nothing but viruses out of the p2p junk.. That's disappointing.
Boosteda4, can you elaborate on more of what you've already been able to figure out?
SAGTI
06-06-2006, 08:09 PM
Any more logs available?
transient
06-06-2006, 09:56 PM
I'll get you some more logs as soon as i get back home this weekend (out on business)
There is another company that makes a lemmiwinks clone called "CustomSettings":
http://www.jbsautodesigns.co.uk/customcode/downloads.htm
I haven't been able to get this to work with my USB Key-Com, but it should work with generic OBDII -> computer cables.
BOOSTEDA4
06-06-2006, 11:02 PM
As far as I can tell we are working on 2 current projects:
one being able to communicate with ecu in such a way so we can send data to the eeprom (the part of the ecu's memory that doesn't get erased and also always loads when the car is started). SAGTI has been working on this and can talk to the ecu but as of now we don't really know if the way we are trying will allow us to write data.
The second part is looking at the data from the eeprom (pulled from chips that were removed and scanned) and figuring out what little bits go to what. Slappy knows a good bit about what we are looking at. The file he is looking at is the one listed at the top of page 6 in this thread. WinOLS is probably the easiest way to open the file but the "maps" it finds by itself are pretty much pointless.
Slappynuts
06-07-2006, 12:04 AM
I can for the most part identify the maps by looking at them. There are some drive by wire maps and boost maps that I am not familiar with that are confusing me. I need an early 2l MK4 chip file (non dbw) and a dbw MK4 chip file as well. This should make all this info obvious to me.
Slappynuts
06-07-2006, 12:09 AM
I can get all the info we need on datalog soon. We will do a split connector and I will datalog the port activity of one of the demo flashes.
Slappynuts
06-07-2006, 12:13 AM
My current location is for a reason. I also edited a few of my former posts.
SAGTI
06-07-2006, 11:11 AM
With you slappy! How soon is soon?
That file you are looking at is from a mk4 GTi DBW. (The one I linked to above) That is the stock file and is exactly the same as my car before being chipped. 180hp. Cars with that ECU code are from Brazil, as well as South Africa.
Slappynuts
06-07-2006, 12:15 PM
We have some early DBC 2l ME7 cars in the US. I need a chip file from one of those and a chip file from one of the later DBW 2l ME7 cars to find out a little more about these cars. This should make finding all the load functions and dbw functions obvious. This should also make the wideband part more visible as well because the early cars are not wideband.
Slappynuts
06-07-2006, 12:16 PM
If anybody has any of these files let me know.
SAGTI
06-07-2006, 08:01 PM
Here is some info for us all to try and research.
When I get the ecu into a diagnostic programming session, I think the ecu switches itself off at that point which is why I cannot communicate with it after that.
I came to this conclusion because after I switch ignition off and on again I get the code for pin 30 no power on the ecu and the instrument gives " no communication with ecu" code.
I have had time to do a little searching and I think we need to apply power to one of the OBD2 pins to stop this happening. I also think we may have to switch over at that point to J2534 protocol to access the eeprom.
So we need to find out if the process is something like this:
1) Apply power to one of the OBD2 pins with VAG cable
2) Setup ECU for programming with KWP2000 protocol
3) Switch to J2534 protocol to access eeprom
We need to try and find some documents about J2534.
SAGTI
06-08-2006, 03:20 PM
Ok - it seems J2534 is only a standard that gives specs for reflashing, its not a protocol. So it may be what specifies the voltage that should be applied to the OBD2 port to enable programming the eeprom.
So step three will probably be accessing the eeprom with KWP2000 protocol.
So we need to find out what voltage should be applied to which pin.
Slappynuts
06-08-2006, 04:14 PM
Did any of you guys look at the cable that I posted a link up for? That should have all the stuff needed for the voltage crap.
SAGTI
06-08-2006, 08:26 PM
I did look at the cable, but thought if I am going to spend the money on that I might as well buy that unit I have been talking about and save all the trouble of trying to write software.
SAGTI
06-08-2006, 08:37 PM
Slappy, have you received my Emails?
Slappynuts
06-08-2006, 10:58 PM
Yea. I haven't had a chance to look yet.
BOOSTEDA4
06-09-2006, 12:03 AM
I'll see if I can find a wiring diagram because I think there are only 4 wires on the back of my ODB connector (98 Audi A4) so it very likely does want some power there. Also can you put the ecu into other modes?
Also I saw in another post that the flow meter maxes at 179 G/s but I'm pretty sure I've seen 200+ on my GIAC chip and stock meter. I'll see if I can log the voltage and if I can it should help. Also I do have my stock chip if someone has an EEPROM read and would like me to send it to them.
SAGTI
06-09-2006, 02:32 PM
I think it may be Pin 13.
BOOSTEDA4
06-11-2006, 08:55 PM
Looking through some pages on motronic tuning, I stumbled on one that skims over using the KWP2000 programmer and it says for VAG cars to remove the instrument panel fuse before starting any communications. Also the communication can only be done in Boot Mode. (Looking more into that right now.)
SAGTI
06-12-2006, 05:45 AM
Yip, I also saw that when I was looking at the KWP2000 Plus Flasher. I could not find any info about what boot mode means.
I think I am going to order the KWP2000 Plus Flasher I was talking about in my other posts. Maybe from there I can develop something that will work - eg design an interface and software that can do the same thing. If not, I think most people would agree that US$288 is not bad for something that can read write the EEPROM or PROM not sure exactly what it is called.
Does anyone know how to program an AM29F800 chip out of the car?
Slappynuts
06-12-2006, 11:14 AM
All you need is a chip burner with the proper adaptor.
You will need the programmer and the 44pin psop adaptor.
http://www.sivava.com/detail.htm
Slappynuts
06-12-2006, 11:16 AM
When we can pull files out of cars via the diag port then we can do some comparing of files to see what others have done. This will make it all pretty obvious. The rest of the breakdown to real #s like timing advance and things like that I can do.
SAGTI
06-12-2006, 11:38 AM
Slappy, how many maps have you identified so far? Can you perhaps send the addresses as well as what you think they are for, so that I can have a look in winols and try and understand how these things look?
transient
06-12-2006, 03:10 PM
SAGTI.. after thinking about the external power thing you mentioned earlier, I don't think it's required.
When I had REVO re-flash my software they just used a laptop connected via serial (to a black box which I'm assuming takes power off of the OBDII port to power the opto-isolators inside) to the OBDII port.
The laptop was not plugged in (operated off of batteries) and there was no voltage supply from the laptop that I could identify.
I think playing around with the KWP flasher will be the next thing to do.
Could you post a link to the flasher you're going to buy?? I'll get one of these too along with another spare ECU :P
SAGTI
06-12-2006, 03:59 PM
Transient - you have PM.
Also remember that the OBD2 port has permanent 12V. I think it is on pin 15 or 16. This could be used by the device to switch a voltage, be it anything from 5V to 12V on to any other pins on the OBD2 port as and when it needs.
Check this link http://www.drewtech.com/support/j2534/
Pay special attention to "reflashing" part of the table. Do a search for J2534 and you will see mention of the voltage very often.
transient
06-12-2006, 04:38 PM
Thanks for the PM. I'll look into picking up a flasher.
I appreciate your hard work SAGTI.
I added the link to the list of stuff I need to read :)
silvercar
06-12-2006, 10:24 PM
Originally posted by BOOSTEDA4
I'll see if I can find a wiring diagram because I think there are only 4 wires on the back of my ODB connector (98 Audi A4) so it very likely does want some power there. Also can you put the ecu into other modes?
Also I saw in another post that the flow meter maxes at 179 G/s but I'm pretty sure I've seen 200+ on my GIAC chip and stock meter. I'll see if I can log the voltage and if I can it should help. Also I do have my stock chip if someone has an EEPROM read and would like me to send it to them.
if you need any data from either of my cars just let me know, we're only about 60 miles apart...
SAGTI
06-13-2006, 07:53 PM
Slappy, how much do you know about the checksums in the file?
What do you think the chances are that we can find all the maps and exactly what each map is for?
I just don't want to spend all this money on a unit to flash the eprom and all the time to develop something for us all to use if we are not going to be able to use it properly in the end.
Do you have any ideas on where I can learn some of the mapping stuff while I wait for the KWP2000 flasher thing to get to me?
I have another file from an A4 1.8t that I downloaded from the open ecu yahoo group. If you haven't got it already, I can send it to you. It looks the same except that the "maps" as id'd by winols are different and winols id's 57 maps as opposed to the 51 in the other file.
SAGTI
06-13-2006, 08:45 PM
The ecufix program from andy whittaker seems a little expensive for what it does.
SAGTI
06-14-2006, 07:57 AM
I thought I would get a quote from EVC who make WINOLS.
To get WINOLS and the correct checksum module will cost 2000EURO! They also informed me that the program still does not show you the maps or define the maps! They say all their tuners compare files the same way we want to do it!
So at the end of the day WINOLS gets you a hex editor that can show data in a graph and check checksums! Wonderful stuff for 2000 EURO.
Certainly makes ECUFIX look like a bargain.
Slappynuts
06-14-2006, 08:39 AM
On the ecufix site there is enough info on that page (this seems to have been done deliberately) to calculate the checksums manually. I have done this, but it takes a long ass time to do. If one of you guys could write a user interface to do this that would be awesome.
SAGTI
06-14-2006, 02:06 PM
You have used that info to calculate the checksums for the 1.8t files?
transient
06-14-2006, 02:21 PM
I still plan on doing the checksum fix coding.. but I have to be in town long enough to do some coding :/
This is a goal for early July for me.
-J
Slappynuts
06-14-2006, 04:02 PM
If you run the free demo it will tell you the location of the block and the location for each checksum. There is enough of a description on the page to figure out which type of checksum it is and how to calculate each one. It's pretty simple, but very tedious.
SAGTI
06-14-2006, 04:46 PM
I thought that demo was for the S4 file he has on his site for the ME7.1 ecu? I will give it a spin on the two files I have got. I just wondered why they keep releasing new versions of ECUFIX. Only fairly recent versions cover the 1.8t.
SAGTI
06-14-2006, 04:59 PM
Slappy, it don't work on the ME7.5 files. Our problem is going to be finding which blocks are checked with a checksum, where the checksums are then stored in the file and if the same mathematics applies. It won't be easy.
Slappynuts
06-14-2006, 07:49 PM
It worked for one of the ones I have on my hard drive.???? It tells you where all the blocks are.
SAGTI
06-14-2006, 09:10 PM
Try it with this file http://www.whiteg60.com/ME7/3510_441_ORI.zip
Slappynuts
06-14-2006, 11:10 PM
I wasn't able to open that one, but I was able to open another 1.8t file.
SAGTI
06-15-2006, 06:32 AM
Was the file 1024k or 512k? Maybe you have got some old files there. The files for almost all the 1.8t's are 1024k which that program seems to have a problem with. The above file is the original file from a car exactly like mine. Its ecu code as seen in vag-com is 06A 906 032 HP and is from a DBW 180hp. These are the files we need to be able to edit.
SAGTI
06-15-2006, 11:55 AM
Slappy, I read that info you linked to a while ago about finding maps. That guy opens the file with a hex editor, exports it to a file excel can understand, opens the new file with excel, converts hex values to decimal to make it easier to look at. I have managed to do this. I have also written an application that can compare two of these excel files and then highlights all data that is the same and then in a different colour all data that is different.
So you end up with both excel files that are highlighted with same and diff data. It takes the PC a while to complete the job though.
If anyone is interested I can compile and send it.
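The comparison SAGTI describes, done directly on the two binary dumps instead of through Excel, as an added example that is not part of the original post or any participant's program. The image contents and offsets are constructed for the demo; only the 1024k size of the AM29F800 comes from the thread.

```python
from dataclasses import dataclass

FLASH_SIZE = 1024 * 1024   # AM29F800 is 8 Mbit = 1 MiB, as stated in the thread
CHUNK = 4096               # identical chunks are skipped with one slice compare


@dataclass
class DiffRegion:
    start: int     # offset of the first differing byte
    end: int       # offset one past the last differing byte
    changed: int   # bytes inside [start, end) that actually differ


def check_dump_size(image: bytes, expected: int = FLASH_SIZE) -> str:
    """Flag truncated or oversized reads before any comparison is trusted."""
    if len(image) == expected:
        return "ok"
    return "short" if len(image) < expected else "long"


def diff_regions(a: bytes, b: bytes, merge_gap: int = 4) -> list:
    """Return contiguous differing ranges; ranges separated by at most
    merge_gap identical bytes are reported as one region."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    regions = []
    for base in range(0, len(a), CHUNK):
        ca, cb = a[base:base + CHUNK], b[base:base + CHUNK]
        if ca == cb:
            continue                      # whole chunk identical, skip it
        for i, (x, y) in enumerate(zip(ca, cb)):
            if x == y:
                continue
            off = base + i
            if regions and off - regions[-1].end <= merge_gap:
                regions[-1].end = off + 1     # extend the open region
                regions[-1].changed += 1
            else:
                regions.append(DiffRegion(off, off + 1, 1))
    return regions


def build_sample_images():
    """Constructed data: offsets and values are made up for the demo."""
    stock = bytearray(b"\xFF" * FLASH_SIZE)          # erased flash reads 0xFF
    stock[0x10000:0x10040] = bytes(range(64))        # pretend table
    tuned = bytearray(stock)
    tuned[0x10010:0x10020] = bytes(v + 5 for v in stock[0x10010:0x10020])
    tuned[0x10024] ^= 0x01                           # 4 identical bytes before it
    tuned[0xFFFFE:0x100000] = b"\x12\x34"            # pretend trailing check word
    return bytes(stock), bytes(tuned)


if __name__ == "__main__":
    stock, tuned = build_sample_images()
    print("stock size:", check_dump_size(stock))
    print("half read :", check_dump_size(stock[:512 * 1024]))
    for r in diff_regions(stock, tuned):
        print(f"0x{r.start:06X}-0x{r.end - 1:06X}  "
              f"{r.end - r.start:5d} bytes, {r.changed} changed")
```

Refusing to compare images of different sizes matters here: a dump that was only half read would otherwise line up against the wrong bytes and report differences that do not exist.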
BOOSTEDA4
06-15-2006, 08:46 PM
SAGTI you say there are 2 file sizes, do you know why? I have a NDBW and I'm wondering if that's the only difference or is it M7.1 vs M7.5.
SAGTI
06-15-2006, 09:29 PM
As far as I know all ME7.5 is 1024k. I could be wrong but I think they all use the AMD AM29F800 chip which is 8Mbit (1Mbyte).
I think the difference between DBW and NDBW will only be the maps. NDBW will probably have less maps due to DBW having its own maps to manage the whole DBW setup. Slappy knows more about that than me.
Slappynuts
06-15-2006, 11:26 PM
Originally posted by SAGTI
As far as I know all ME7.5 is 1024k. I could be wrong but I think they all use the AMD AM29F800 chip which is 8Mbit (1Mbyte).
I think the difference between DBW and NDBW will only be the maps. NDBW will probably have less maps due to DBW having its own maps to manage the whole DBW setup. Slappy knows more about that than me.
I believe you are correct on the file size. I also believe all the maps/checksums/code are in the same places on all ME7 cars.
SAGTI
06-16-2006, 04:52 AM
Slappy, so you think that none of the second 512k is checksummed?
It would be a little strange if that were the case. Unless all the very important stuff is in the first half. But I would have thought all the maps would be checked.
On Andy Whittaker's site he says all important data is written twice to the chip, once as is and again elsewhere on the chip using 1's complement. This would imply all maps are written twice and this is not counting the other checksums.
If all this fits on a 512k piece of the chip, why did they use the bigger one? Just thinking out loud here. Slappy, maybe you can explain further. Maybe the checksums are worked on the basis of splitting the file into two halves?
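A check for the redundancy scheme mentioned in the post above (data stored once as is and once as its 1's complement), as an added example that is not from the thread or from Andy Whittaker's site. The block offsets and length are constructed; the page does not give the real layout.

```python
def invert(block: bytes) -> bytes:
    """Ones' complement of every byte."""
    return bytes(b ^ 0xFF for b in block)


def find_complement_copies(image: bytes, start: int, length: int) -> list:
    """Offsets where the inverted form of image[start:start+length] occurs."""
    block = image[start:start + length]
    if len(block) != length:
        raise ValueError("block runs past the end of the image")
    if len(set(block)) < 4:
        # 0x00 fill inverts to 0xFF, which matches any erased flash area,
        # so near-constant blocks would give meaningless hits.
        raise ValueError("block is too uniform to search for reliably")
    needle, hits, pos = invert(block), [], 0
    while (pos := image.find(needle, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def verify_mirror(image: bytes, primary: int, mirror: int, length: int) -> list:
    """Relative offsets where primary and mirror are not exact complements.
    An empty list means the two copies agree."""
    return [i for i in range(length)
            if image[primary + i] ^ image[mirror + i] != 0xFF]


def build_sample(corrupt: bool = False) -> bytes:
    """Constructed 4 KiB image: a 32-byte block at 0x100, its inverted
    copy at 0x800, everything else erased (0xFF)."""
    image = bytearray(b"\xFF" * 4096)
    block = bytes((i * 7 + 3) & 0xFF for i in range(32))
    image[0x100:0x120] = block
    image[0x800:0x820] = invert(block)
    if corrupt:
        image[0x805] ^= 0x10          # single flipped bit in the mirror
    return bytes(image)


if __name__ == "__main__":
    good, bad = build_sample(), build_sample(corrupt=True)
    print("mirror found at:", [hex(o) for o in find_complement_copies(good, 0x100, 32)])
    print("good mismatches:", verify_mirror(good, 0x100, 0x800, 32))
    print("bad mismatches :", verify_mirror(bad, 0x100, 0x800, 32))
```

A single flipped bit in either copy makes the exact search return nothing, which is why the byte-by-byte verification is kept as a separate step once a candidate offset is known.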
Slappynuts
06-16-2006, 09:49 AM
It's a redundancy checksum to protect it from people like us I would imagine. If they didn't do that it would be easy to go into the file and change it and fix only that part of the checksum. This makes it so you have to recalc the whole checksum routine.
That file of 512 may not be the whole file.
Slappynuts
06-16-2006, 09:51 AM
The files are all going to be 1024k because that's how big the ME7 chip is. Whoever has the car in question, can you pull out your ecu and look at the eeprom to see what it actually is?
SAGTI
06-17-2006, 09:57 AM
I saw my car's when they pulled the chip to change it (upsolute). It was the AMD as above. I think they will all be that chip or the same equivalent. You can do a search on it at the vortex.
Slappynuts
06-17-2006, 02:44 PM
OK that file wasn't read properly and was saved as a 512k file I believe. That's one of the reasons I have been having a tough time finding things that I need (they were just not there). I took a quick look at a few different files and it looks like the basic locations are the same from the S4 as they are for the 1.8t cars. They probably use all the same locations for checksums and things like that. The ones I looked at have all the same map pointers as well (this is a section of the chip that identifies each map in the ecu).
SAGTI
06-17-2006, 06:56 PM
I can send you the file I got from one of the yahoo groups if you have not already got it. It's from an Audi A4 1.8t. The whole top piece of the file is exactly the same as the GTi file I have. The maps must be different as I think the Audi 1.8t's were 140KW compared to 132KW for the GTi. (Sorry over here we speak KW not HP) 132KW is 180HP.
I am busy polishing up my program for comparing the excel spread sheets to highlight the differences.
Slappy, would it be possible for you to mail me some of the 1.8t 1024K files you have? Do you have any tuned files?
We should be able to find the stuff that is re-written with 1's complement fairly easily.
How does the DBW stuff compare with NDBW? I take it you can not use a DBW file in a NDBW car?
Slappynuts
06-18-2006, 01:25 PM
The DBW has a lot more maps and extra code at the end. There are a couple of them available in this forum. There are some early A4 1.8t tuned and stock maps you can compare as well.
http://autos.groups.yahoo.com/group/ChipMaker/
SAGTI
06-18-2006, 06:37 PM
Thanks, I have applied to that forum. Is there anything that we can see in the file that tells you for sure it is a DBW or not?
BOOSTEDA4
06-18-2006, 06:46 PM
Alright I compared the tuned and untuned file from ChipMaker and found a few maps that were changed and from there I'll see if I can make sense of what they are, BUT the addresses are different from the file we've been working on here! Also the file is only 256 not 1K.
SAGTI
06-18-2006, 07:41 PM
Slappy, can you explain the different file sizes? I feel sure we should be looking at 1024k files. Maybe someone has found a way to extract only the maps or something?
BOOSTEDA4
06-18-2006, 10:18 PM
Okay now I've got a 1024K file (a418t868.ori)
If you compare them (In WinOLS : View > Differences) there are over 100,000 differences! I'm looking for the maps now and I'll see what I can dig up about the cars the ecu's come in.
SAGTI
06-19-2006, 05:43 PM
I am not getting a response from that yahoo group. Can you guys put some of the 1024k files up on the whiteg60 site? I have the A418t868.ori and the 3510_441.ORI files already.
The KWP2000 flasher is almost here so I should soon be able to get a tuned file off my car if it works.
SAGTI
06-22-2006, 08:47 PM
Well I have got the KWP2000+ Flasher and it don't f-ing work! They say it supports AUDI/VOLKSWAGEN ME7.x (BOOT MODE). I really wish I knew what BOOT MODE means as I think this could be the problem.
The manufacturer says it will work on the 1.8t, but getting support from them seems to be a major issue.
Can anyone here help?
SAGTI
06-23-2006, 02:29 PM
No action on here anymore. Have we given up with this? I am starting to wish I did not spend the money.
Slappynuts
06-23-2006, 05:16 PM
I have been swamped at the shop lately, but I will have more time coming up soon.
As you guys know this part of the program is not my strong point. I can throw down the hurt when we get some files pulled.
BOOSTEDA4
06-23-2006, 07:36 PM
I'm working for a race team and we're getting ready to go to Lime Rock on Tuesday so I've been working like crazy to get the cars ready but I may not be going with the team in which case I'll have a week or so to work on this little project.
Also I've found a book by Robert Bosch about the Motronic ECUs. I plan on picking up a copy as soon as my credit card thing gets taken care of (some ass hat stole my CC# and charged a bunch of shit to it!!)
SAGTI
06-23-2006, 08:53 PM
Cool! Bad luck with the credit card deal, happened to me a while ago as well.
The guy I bought the Flasher from has just answered all my questions by saying "Our engineer says the unit does not support that car".
Wonderful!! Beautiful!! Marvelous!!
All this after asking many times before I bought and getting the answer yes every time.
Anyone had experience with getting money back through Paypal?
SAGTI
06-23-2006, 09:00 PM
Any chance of getting the Bosch book on cd? I hope it covers the info we need.
I am really thinking our only option is going to be removing the chip and programming that way. There is just not enough info around on this subject for VW's.
Slappy, how is plan B going? I am guessing you haven't had enough time on your hands yet.
Slappynuts
06-23-2006, 10:24 PM
Just dispute the transaction on paypal. I may have time to move on this when people stop buying the BFSM intercoolers. I am up to almost one a day. I also have local business as well.
My next purchase is probably going to be an EVO :)
SAGTI
06-24-2006, 04:34 AM
You guys are lucky earning US$, over here a VW GTi is already a fairly lux car US$42000! EVO=US$70000. When you consider our earning power compared to yours, well you get the picture.
Slappynuts
06-24-2006, 09:41 AM
I am looking at a couple of evo8. They are priced at $1500-$20000us. New ones are about $30000.
BOOSTEDA4
06-24-2006, 10:14 PM
As mentioned way earlier in this thread, pulling the chips and tuning that way may just be the way to go. I would like flash tuning but it will probably be a background project for a little while.
I haven't had time to look at the maps but I thought slappy had them mostly figured out. Any chance of getting an outline on where they are?
transient
06-26-2006, 12:21 AM
hrmm.. I haven't been getting email notifications of new posts on this site.. odd.
SAGTI, I recall hearing that the KWP flasher is meant for a bench-top system where you have a computer talking directly to an ECU powered by a bench supply.. that's probably hearsay.
I'm going to be in town this month (yay!) and hope to battle through a bunch of the obdII stuff + checksum stuff..
Don't be discouraged.. The interest still exists.
BOOSTEDA4
06-27-2006, 09:34 PM
Alright guys, I'm going out of town for 4 days. I'll be back Sunday and Monday I hope to have the CC thing straight and hopefully I'll get me a little reading material. Also it seems spare ecu's are somewhat cheap...~100-150 for my car (but again I'm NDBW) so I don't know if they may be helpful at some point or not.
SAGTI
06-28-2006, 08:02 PM
I have discovered something interesting.
There is a 512 byte chip in the ecu which stores info like anti theft codes, adaptation values, and trouble codes. There is other info there I want to try and work out.
This is where lemmiwinks reads and writes to. You could also in theory modify the anti theft code of another ecu so that it will work in your car by writing the same values into the new ecu.
I am going to try and write a prog that will read all 512 bytes just to see.
I can work out how lemmiwinks addresses this chip, it does not start at 0, (obviously I guess). But it does make me think that it may just be possible to read data from the AM29F800 in the same way, if we knew the start address.
Anyway, I will start by trying to read that chip, it is apparently a "95040" 8 pin eeprom.
BOOSTEDA4
07-05-2006, 12:18 AM
^ could this also be where the OBD2 tests and pass and fail values are? I only ask because I have heard talk that some chip tuners can change the value to which the ecu will learn to (ie A/F being 11.5 instead of 12.2 or something similar). And some say they can get rid of CEL because of no cats. Things like this would be handy for emissions restricted people like me.
SAGTI
07-05-2006, 04:29 PM
It is possible that the "readiness" values are stored there, but if you changed them, I think the ecu would eventually overwrite your values. If tuners can do that it is more likely that they change the actual code (program) that the ecu is running eg- they could change the way the system reports that info to an OBD2 tool. This is way beyond us at this stage.
Slappynuts
07-12-2006, 06:39 PM
Ok I just thought of something. The main ecu ID tag is in the main chip file. Maybe we should concentrate on that part of the communication? When the vag com reads it it has to go into the file and pull all the locations of the file by using a loop that runs through that part of the file.
SAGTI
07-13-2006, 03:17 PM
I have been really busy at work - I work for Siemens and they are going to be retrenching 40% of my department so I have not spent much time on this.
I will check a vag-com log, but I suspect it gets the ecu ID from somewhere other than the main chip. If vag-com does get it from the chip we should be able to get the address of the EEPROM which will be a good start.
transient
07-13-2006, 05:24 PM
Andy Whittaker's website talks about the memory map locations for his ME7 s4 ECU..
http://andywhittaker.com/ECU/BoschMotronicME71/tabid/68/Default.aspx
unfortunately he's updating his site with a new theme and the gif that has the memory map addresses on it is not showing up yet.
Andy also indicates he's identified software that reads and writes code to the flash rom and just needs to work out some of the OBD details.. Scroll to the bottom of the above page..
Slappynuts
07-13-2006, 10:31 PM
When they rechip the ecu you get the new custom id on the vag com which leads me to believe this is how this is done. I can do this in the chip file on the MK3 cars already so I have a pretty good idea of how this works.
Slappynuts
07-13-2006, 10:37 PM
Do we actually have a file here that someone has in their car? This would be a good start of what we could change and maybe this should be our start goal. Change someone's software ID to read "go fuck yourself" on the vag com.
We would need to read it, checksum it, and then write it. If we can do this then we are well on our way.
Slappynuts
07-13-2006, 10:38 PM
If someone knows someone who has a chip burner and an OBD1 car I can do this for you as a demonstration.
transient
07-14-2006, 12:43 AM
sigh.. no obdI..
the kwp documents hint that there is a level of security in being able to read from certain portions of an ecu.. we may be able to read from parts of it, but the juicy stuff appears to be protected by the security level of the 14230-3 document (the application layer).
after doing the iso 9141 stuff (5 baud init) we can try to do some reading using the kwp2000 "readmemorybyaddress" service and see what areas of the ECU we get starting at 0 and going up to ??
if we get crap, then we look more into security stuff..
if we get good stuff, then this was easy and we can start the tuning process..
I need to fix my laptop so I can start doing some of this work and stop reading stupid specs :P
Slappynuts
07-14-2006, 12:52 AM
Most of the file we could care less about anyways. The part of the file we are talking about is very near the maps in most chip files I have looked at. On the BMWs for instance it is covered by the checksum that's protecting the maps.
SAGTI
07-16-2006, 06:59 PM
I pointed out a while back the location of the ECU id in the AM29F800.
Transient, I doubt the addresses of the AM29F800 will start @ 0. Keep in mind that there are a number of "chips" that can be read from the OBD port which means they will all need different addressing. We might find that all "chips" in the whole car have their own address range to facilitate reading via KWP2000, KWP1281 or on a can-bus system.
I see no one's feeling sorry for me - that I may lose my job!!! SOB SOB.
Slappynuts
07-16-2006, 07:52 PM
The start address of the code does start at 0.
Sucks ass about the job. You're a smart guy, so you will be fine.
transient
07-16-2006, 11:38 PM
SAGTI, I figured when you were talking about working hard at Siemens that you were the one that was picking up the slack for all the other dudes that are being released..
I'm sure you'll be fine :)
SAGTI
07-17-2006, 09:21 PM
Thanks guys, if you saw my management you would NOT be so sure!!
Slappy, how do you figure the start address is 0? It is 0 if you use an eprom programmer, but I think it will be different through the OBD for my above reasons.
For example on a programmer the 512 byte chip that I referred to that lemmiwinks writes to is addressed 0-1ff from a programmer point of view and the lemmiwinks settings are stored at 090-09f and again at 0a0-0af. (the last 2 bytes in each range is checksum) But lemmiwinks addresses 383b8e as a start address and reads 16 bytes from there. (again the last 2 bytes are checksum)
Slappynuts
07-18-2006, 01:31 AM
I think there is a misunderstanding here (kinda tough to explain).
When you hook up the vag com to an OBD1 car it reads the software ID off the chip file at cf1e one byte at a time until it gets to cf31. If we change the locations where the vag com looks for this info we should be able to pull out any part (or length) that we wish of the main chip file.
SAGTI
07-18-2006, 01:22 PM
When you say OBD1, which car are you talking about? Keep in mind that the older vw's had a much more basic system where it could be that the eprom with fuel maps etc is the only eprom in the car.
The other thing to keep in mind is that the VAG-COM program uses KWP1281 not 2000 which might work different. One thing for sure is you cannot use the VAG COM protocol to write data to the eprom, this is why you cannot change some of the adaptation values with VAG COM, you must use Lemmiwinks.
I am not saying you are wrong, I don't know enough about this to do that, only what I have gathered so far from trial and error and reading the limited amount of info available.
Just keep in mind that in my car I have at least 2 "chips" in the ecu that I know of, there will be at least one "chip" in each control unit - abs, instruments, airbag, climatronic etc. Now when you start talking to the OBD2 port using KWP2000 there is no way to say you want to speak to the ecu, instruments etc, it is all done via addressing. The only other explanation is that KWP2000 ONLY speaks to the ECU and nothing else, but I doubt that as I have heard of other programs using KWP2000 that allow you to change the mileage on the instrument cluster by reprogramming that eeprom.
As I said this is all based on limited info and guess work, I could be way off the mark, but it seems logical to me.
Even though I could be wrong, can you see where I am coming from?
Slappynuts
07-18-2006, 08:25 PM
I have seen the software id in the main file from the m7 cars as well.
SAGTI
07-18-2006, 08:42 PM
I found the ID in the file myself as I explained in a post a while back.
Slappynuts
07-19-2006, 01:59 AM
I have not. The key is still how this is being addressed (directly or indirectly). How does the ecu spit this info out?
The next step after that will be to change this and rechecksum.The checksum part is easy.
SAGTI
07-19-2006, 06:50 PM
I wrote a quick program to try and extract the adaptation values using the KWP2000 protocol, but it is giving me inconsistent results, which makes it difficult to correct the programming.
I think the main problem I am coming up against is the timing of sending commands and receiving answers from the ecu. I remember reading somewhere that the timing VW has implemented for this is not very clever which has given many people headaches trying to talk to the OBD2.
When I get enough time to work on that again, and I get it reliably reading known data, hopefully I can try and read from a bunch of addresses until I get a result. It would be nice if I had my car's actual file so that I could compare bytes read out and search for that string in the file - it would make it a lot easier.
Slappynuts
07-19-2006, 09:32 PM
The local revo guy got kinda squeamish on me when I actually showed up to do this so I bailed on it for that day.
I have another idea as well. I will look into the feasibility of it.
Slappynuts
07-21-2006, 12:34 AM
I know what's on the stock chip file and this is the key. The vag com looks for a certain address and pulls the info from that part of the file. I know where this is in any file so we need a file that's complete and then we can pull the hex locations we want instead of the hex locations of the ID tag. Make sense?
SAGTI
07-23-2006, 05:39 PM
The problem remains that we cannot write to the chip using the vag-com protocol.
It would be really nice if we can get proper documentation from Volkswagen for this.
The only documents I have seen on communications is at erwin about communicating via the can-bus, which I don't think all GTis have.
SAGTI
07-23-2006, 08:04 PM
By the way, I got half my money back for the KWP2000 plus thing, I agreed to half the money instead of sending the damn thing back to Hong Kong. Hopefully it will come in useful someday!
Slappynuts
07-24-2006, 08:49 AM
Ok I have some help from a guy that works at a dealer so I will let you know what I find out.
SAGTI
07-24-2006, 01:17 PM
Good stuff, vw or chiptuner?
silvercar
07-24-2006, 09:34 PM
Originally posted by SAGTI
No action on here anymore. Have we given up with this? I am starting to wish I did not spend the money.
nope, we're watching the smart kids intently so that we can jump into action when you guys make the call for something we can actually help with :tongue:
kudos for working hard on it
Slappynuts
07-25-2006, 12:31 AM
I can get a copy of the dealer update cd. I have no idea what this is, but I can get one.
SAGTI
07-25-2006, 02:07 PM
When will you get it? It could just be the info VW supplies to the dealers regarding how to fix known problems with different models. EG different gearbox oil to solve noise etc etc. I have read that type of info on the Russian vw sites.
Hopefully not! If it is about ecu updates it will probably be for the VW diagnostics machine and not for PC. But we can hope!
transient
07-25-2006, 03:03 PM
Slappy, is this dealer update cd just like the "ETKA" stuff you can find on the net..
NM.. you said you have no idea what it is :P