permanent cel disable

Developer topics relating to software that provides a tuning UI to alter ECU code and data

Moderator: Freon

permanent cel disable

Postby diablerouge » Thu Dec 29, 2005 8:52 am

not sure if anyone has thought of this, but in case they haven't:
when we download the memory image from the ecu, we get not only the maps for ignition and fueling, but also the code which actually does all the work, correct? if this is the case, and i assume it is, cel codes can be prevented from causing the cel light to come on and will evade obd-ii scan tools (such as inspection stations).
since each cel condition has a specific code relating to a specific malfunction, it must be stored in the same location each time for the obd-ii scanners to find it and recognize it. this means that each cel code has its own address in memory where it can be scanned for. following this logic, we can permanently disable cel codes from appearing by finding each instruction which writes to the address corresponding to a specific cel code, and change the write instruction so that it writes the enable flag for the cel code to some unused memory address.
now, if the coders decided to write the code so that only a few memory words are used to hold all of the cel code flags (one per bit), and these flags are changed by adding xor'ing a mask to the memory word, it would be even easier. one would only have to change the mask for each cel code.
whichever way it works, it shouldn't be terribly difficult for someone who understands the assembly code behind it. i would go ahead with this myself, but i was never terribly good at coding in assembly, and i'm sure there are many others who could whip it up in a quarter of the time i could.

any thoughts? has this been discussed? i'm sure someone had to have thought about this before.
diablerouge
 
Posts: 21
Joined: Tue Dec 27, 2005 7:41 am
Location: pittsburgh

Postby cboles » Thu Dec 29, 2005 10:24 am

It is even easier than that. There is a table of cel codes by their numeric value. If you replace one with special value, it is turned off. Give me an example CEL code and ROM image and I will show you how.
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby diablerouge » Thu Dec 29, 2005 10:45 am

well, thats good. i guess i'll close up my motorola processor notes :lol:

i want to turn off all of the tgv cel's so that I can dump the hardware and port the housings, and also a few others like the rear o2 sensor inefficiancy code. it would be nice if there was simply a checkbox or whatnot to disable each code individually in one of the tuning packages, like enginuity.

i will download my usdm 02 rom tonight before i flash to a cobb stage map. would having the cobb maps help the cause at all? i'm surely not going to post them here, but if the group can learn from them, i will flash my ecu and download them.
diablerouge
 
Posts: 21
Joined: Tue Dec 27, 2005 7:41 am
Location: pittsburgh

Postby qoncept » Thu Dec 29, 2005 11:04 am

I'm not sure what the values Colby is talking about are, but in Enginuity I have a checkbox that raises the max allowed EGT to prevent the CEL associated with catless uppipes on a WRX. There are certainly other tables with values for other CELs.
qoncept
 
Posts: 249
Joined: Tue Oct 04, 2005 6:43 pm
Location: Montgomery, AL

Postby cboles » Thu Dec 29, 2005 11:07 am

Definitely download your ROM before running the AccessPort so that you can have a copy of your original stock image, although we may already have it here. You need to be careful intermixing OpenEcu reflashing tools with the AccessPort. If you reflash your ECU with EcuFlash after your AP is married to the car, and the ROM file you are flashing doesn't contain the ID info that creates the marriage, you will end up with a married AP that can't be unmarried.
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby qoncept » Thu Dec 29, 2005 11:18 am

To piggyback off Colby, also get an image right after you flash with the AP. That way, if you screw up the key somehow, you can put that image on and unmarry it.
qoncept
 
Posts: 249
Joined: Tue Oct 04, 2005 6:43 pm
Location: Montgomery, AL

Postby diablerouge » Fri Dec 30, 2005 6:02 am

yep, i had planned to download the rom at every stage of flashing, for safety and for learning. i tried to download the image from my stock ecu last night, but kept getting an error. you've probably seen my post on the tari board, but if not: http://www.tari.co.za/cgi-bin/yabb2/YaB ... 7593/15#25

anyway, lets assume that my ecu image is the same as the one in the first post here: http://forums.openecu.org/viewtopic.php?t=63

if i want to turn off the downpipe cat inefficiency code, how would i go about doing so?

what is this 'special value' you speak of? is it just a hex value the ecu looks for before flagging a cel? is it the same value for each cel code?
diablerouge
 
Posts: 21
Joined: Tue Dec 27, 2005 7:41 am
Location: pittsburgh

Postby cboles » Fri Dec 30, 2005 6:41 am

Say your DTC is P0420.

Load the ROM A4SGD10C in a hex editor. Search for either the hex sequence

03 04 20

or

04 04 20

The 03/04 depends on whether the DTC is an OBD or OEM specific code, I think. You can see that the DTC part of the bytes is just encoded as BCD, and looks like decimal. In this case, I find 03 04 20 in one place in the file, at address 0x2DB0D. To eliminate this DTC mapping, replace the 03 04 20 value with 05 00 00, which appears to be Subaru's way of mapping this event to a non-existent DTC, which produces no CEL.

That's it! Just be sure you don't accidentally edit some other part of the ROM that just happens to have a byte sequence that matches the DTC you are looking for!

Colby
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby diablerouge » Fri Dec 30, 2005 11:20 am

cool. i'm looking at the code right now and i see what you are talking about. i am not sure what you mean about it being encoded as 0xBCD though.

if you use a row length of 4 in ecuEdit, you can see that the first column represents a count of 8-byte chunks, the third and fourth columns are the trouble code. the second column does not correspond to anything that i can see yet, except when the first column is 0x00, and then its a count of 72-byte chunks. the fourth column is also a count of 72-byte chunks when the first column is 0x00.

has anyone documented the list of trouble codes relating to memory address or directly verified that these trouble codes correspond to these memory addresses? i started a list of my own, and if no one has already done so i can publish it when i'm finished. it would be easy to write a loop to do this automatically, but i haven't written any code in a while, especially dealing with low level data formats.

it appears that the checksums and codes span memory addresses 0x2D880-0x2DD8F.

edit: denoted hex addresses.
diablerouge
 
Posts: 21
Joined: Tue Dec 27, 2005 7:41 am
Location: pittsburgh

Postby crispyduck » Fri Dec 30, 2005 2:59 pm

cboles wrote:It is even easier than that. There is a table of cel codes by their numeric value. If you replace one with special value, it is turned off. Give me an example CEL code and ROM image and I will show you how.


Colby, I have the same requirement as 'diablerouge', that is to disable the P0420 CEL on my ECU. The only thing is my ECU (MY03 Impreza 2.0 WRX (EURO) AH750-5141) is only partially 'decoded' (thanks to qoncept). I see your later post about replacing the hex with 05 00 00. Do you (or anyone) know what address I need to look at?

FYI - I posted up my stock ECU a while back if that helps.

-Steve.
crispyduck
 
Posts: 186
Joined: Sun Nov 13, 2005 1:15 pm
Location: www.scoobypedia.co.uk

Postby cboles » Fri Dec 30, 2005 3:09 pm

BCD = binary coded decimal

http://en.wikipedia.org/wiki/Binary-coded_decimal

that is, the decimal DTC name looks just like the hex value in your editor. My previous post describes how to search for and modify these. If you aren't very clear on what I'm talking about, you probably don't want to be messing around with the ROMs with a hex editor anyway. Better to wait for someone to support this with an editing tool...
cboles
Site Admin
 
Posts: 1233
Joined: Wed Dec 29, 2004 5:45 pm
Location: Seattle, WA

Postby Kha0S » Fri Dec 30, 2005 6:21 pm

colby --

I used this technique to try and remove a few codes from my ECU, and have found at least one case, so far, where it hasn't worked... P1086 (TGV #2 sensor low) still pokes through after I found its only instance in the ROM (0x041086 at 0x2E695) and swapped it over to 0x050000... but the code still throws.

I need to keep poking around.

Just found a coolant leak at the bottom of my radiator when I got home tonight. Ugh.
Kha0S
 
Posts: 106
Joined: Tue Jan 11, 2005 12:30 pm
Location: MY02 USDM WRX / Nashua, NH

Postby crazymikie » Fri Dec 30, 2005 9:51 pm

I don't think you should have modified the first instance- I think that is actually code in the ECU. In the 04 ECU, the sequence only appears once- it's above 0x20000.

Mike
crazymikie
 
Posts: 105
Joined: Mon Jan 03, 2005 6:45 pm
Location: Watertown, MA

Fault code table loacted in Euro MY03 WRX 2.0

Postby crispyduck » Sat Dec 31, 2005 2:14 am

Colby,

Thanks for the great post. Understand fully what you have said now! Below are details for a Euro WRX 2.0 MY03:

The fault code table is Fault Codes = 0x024A81 - 0x02515D

The P0420 (CAT inefficency CEL) = 0x024D0D. I modified it using Visual Studio's binary editor and compared the end result to confirm I only changed the correct values, see below:

$ od -x original_ecu_dump.hex > original_ecu_dump.hex.od
$ od -x CEL_Fix_ecu_dump.hex > CEL_Fix_ecu_dump.hex.od

$ diff -w original_ecu_dump.hex.od CEL_Fix_ecu_dump.hex.od | less
8711c8711
< 0446400 0540 0000 0580 0000 5700 dd01 0301 2004
---
> 0446400 0540 0000 0580 0000 5700 dd01 5001 0000
(END)

As a final check I reloaded it in to ECUEdit's hex viewer and all was as expected. I'll try reflashing sometime today and within a couple of days I will know if this works for sure, given that it takes a few days to get P0420 coming back anyway.

Thanks again,
-Steve.
crispyduck
 
Posts: 186
Joined: Sun Nov 13, 2005 1:15 pm
Location: www.scoobypedia.co.uk

Postby diablerouge » Thu Jan 05, 2006 6:46 am

any word on the p0420 dtc coming back crispyduck?

i worked out a table of addresses for dtc's on the A4SGD10C rom image. see attachment for table. the table contains 159 dtc's, and looks fairly comprehensive, but i'm wondering if there may be a few that aren't located in this memory space or coded differently.

it maybe easy to confirm the addresses using the accessport and comparing a rom image with and without specific dtc's disabled, one at a time. since cobb's method of disabling the dtc's works for sure, we would find out how they're doing it too. i ordered an openport 1.2 cable this past weekend, and as soon as i can read an image i will try a few different configurations using the cobb ap and editing the code directly.

edit: apparently i can't post attachments
diablerouge
 
Posts: 21
Joined: Tue Dec 27, 2005 7:41 am
Location: pittsburgh

Next

Return to Tuning Software

Who is online

Users browsing this forum: No registered users and 6 guests