
Registered · 87 Posts · Discussion Starter #1
Hi,

some might have seen my posts in which analysis of the BINs was mentioned, most recently concerning the 59M. The lesson learned is that Marelli uses a library of functions in the code.

Some days ago I decided to take a look at the 5AM-HW103 BIN, used in a MTS1000, mostly because the BIN was on my PC. And again it became apparent that analysing a BIN has become more a question of time, not of assembler language skills.

Here are some of the results, Fuel calculation, ignition and ignition trim calculation.

Cheers
Meinolf

Registered · 87 Posts · Discussion Starter #3
Hi Zeppo,

I'm using IDAPro. The CPU is a ST10-269.

Marelli's library approach makes it (loosely speaking) quite easy to analyze all BINs used in 5AMs. So far I've done Guzzi 4V and 8V and Aprilia Mana, GP850 and SRV 850 BINs using this approach.

I thought this might be of interest as base for a community effort in the Ducati community; I'd be happy to share.

Cheers
Meinolf

Registered · 49 Posts
Cool! I want to look at the 848EVO CORSE and 1198SP ECU software (32A0A0... and 3220... resp.). They are a good base for race bikes (848/1x98 and 9XX conversions); they include a quickshifter, the possibility for basic traction control, etc.

Registered · 87 Posts · Discussion Starter #5
Hi,

Zeppo kindly sent the BINs and an XDF, so the exploration could proceed. It seems that the code section(s) which access the immobilizer byte are identified, hence future searches in other BINs can start with the code section and from there quickly find the immobilizer byte.

The attached picture shows the subs in which the byte is used; one of them, btw, is an OBD function which can be queried with software such as Guzzi/IAWDiag. In the different subs the byte is compared to 1 and 3, so the value range seems to be 1-3.

The byte is also referenced in the sub which contains the dash text, which is sent from the ECU to the dash as part of a CANBus packet.

While studying the above, inevitably the other relevant subs and tables, scalars and bytes/flags, both in RAM and ROM, were looked at. I'll go through the interesting subs (fuel, ignition, OBD, CAN, ADC, injector correction, etc.) one by one in the next posts.

Cheers
Meinolf

Registered · 87 Posts · Discussion Starter #6
Hi,

let's begin with the fuel calculation. It starts with a look at the IdleFuelRPM legend and then branches, depending on the IdleFuel_en_dis_able_byte_48442, to the left (idle mode) or to the right. The flag is used in quite a few subs, so I wouldn't change it before a more detailed analysis.

Then, depending on the value of tps_state_1_word_C6A6, the branch leads to the idle mode calculation using the IdleFuelTable_4D796, or the Mainfuel/Delta tables, depending on the value of cyl_num_byte_C9B0.

Registered · 87 Posts · Discussion Starter #12
finally checks whether the max. fuel limit is reached and branches, if the engine mode so forces, to the special mode 10 or mode 11 fuel routines. And voila, the fuel calculation for each cylinder is done.

Registered · 87 Posts · Discussion Starter #16
Ignition timing is rather substantial.

It uses the FuelPhaseTable (I've no idea who invented this commonly used name for this table), which determines the end of the ignition coil pulse in relation to TDC. And the injector details (voltage trim, injector flow equivalent) are called upon.

Registered · 49 Posts
The attached picture shows the subs in which the byte is used; one of them, btw, is an OBD function which can be queried with software such as Guzzi/IAWDiag. In the different subs the byte is compared to 1 and 3, so the value range seems to be 1-3.
The byte is also referenced in the sub which contains the dash text, which is sent from the ECU to the dash as part of a CANBus packet.
While studying the above, inevitably the other relevant subs and tables, scalars and bytes/flags, both in RAM and ROM, were looked at. I'll go through the interesting subs (fuel, ignition, OBD, CAN, ADC, injector correction, etc.) one by one in the next posts.
Great work with this Meinolf! Maybe we'll come to a complete and correct XDF for these softwares.

I've verified your findings regarding the immobilizer at 0x4bc02 in both softwares and 0x4D02A for 1198S DP FULL, 3213B13SQBB. Default value is 3 but when set to any other value except 1 the bike starts (dash will still throw IMMO37.1). Value 1 also throws error IMMO37.4.

Just got IDA installed and will look at these subroutines when I've found my way around.

Registered · 87 Posts
Hi zeppo,

the Immobilizer_Byte_4BC02 is tested against 1 and 3, not any other value. The attached picture shows all subs in which it is called; they range from the OBD routines to a CANBus read ident sub.

I checked again and can't find any mention of Byte_4BC02 in the code. That doesn't necessarily mean that it's not used; the addressing scheme used by the ST10 is not trivial, so it could be hidden in a referenced address. Something like 0x7C02+1 (0x7C02 translates to the real address 4BC02).

I have no experience at all with the Duc dashboards, so there's nothing I can add in regards to the error message thrown up when 0x4BC02 is changed. However, I did explore the Digitec dashboards used in Guzzi CARC models and the Aprilia Mana at length and investigated the ID packets sent back and forth on the CANBus. See attached for the results.

I suggest that hooking a CAN Analyzer to a Duc would be very helpful in deciphering the CAN_TX and CAN_RX tables in the code.

Btw, these two and the CAN_ID table were also found and brought into an understandable format. See attached.

In your mail you asked about 0x4BC07. It's tested against 0 and 1, so I understand it to be a Lambda_Flag_3. There are some other places where it's looked at bit-wise, but my programming skills, being close to zero, don't allow me to understand if the bits 0-3 are of importance.
....
ROM:0002145A movb rl2, Lambda_3_4BC07   ; load the flag byte into RL2; MOVB sets the Z flag when the value is 0
ROM:0002145E jmpa cc_NZ, loc_216DE       ; branch taken when the byte is non-zero

In your email you wrote "Fuelling & ignition is then pretty much worked out". I don't want to disappoint you, but it's quite a bit more complicated than that and far from being understood. That's why I suggested in the first post that this could be a community effort. I'm sure there are people skilled in assembly language in the Duc world.

Cheers
Meinolf
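To make the ST10 addressing point above concrete, here is a small helper (an added example for this thread, not Meinolf's or Zeppo's code): it resolves 16-bit data addresses through the Data Page Pointers (DPP0..DPP3), lists every 16-bit encoding of a physical ROM address, and scans an IDA-style listing for operands that land on or just below that address, which is how a base+1 style access could hide a reference. The DPP reset values, the `#12h` page load and all listing lines except the two taken from the post are constructed assumptions.

```python
import re

PAGE_BITS = 14                     # 14-bit offset within a 16 KB data page
OFFSET_MASK = (1 << PAGE_BITS) - 1
RESET_DPP = [0, 1, 2, 3]           # assumed reset values of DPP0..DPP3

def to_physical(addr16, dpp):
    """16-bit data address -> 24-bit physical address under the DPP set."""
    sel = (addr16 >> PAGE_BITS) & 0x3          # top two bits select DPP0..3
    return (dpp[sel] << PAGE_BITS) | (addr16 & OFFSET_MASK)

def encodings(phys, dpp):
    """All 16-bit addresses that reach phys with the current DPP values."""
    page, off = phys >> PAGE_BITS, phys & OFFSET_MASK
    return [(i << PAGE_BITS) | off for i, p in enumerate(dpp) if p == page]

DPP_LOAD = re.compile(r"\bmov\s+DPP([0-3]),\s*#([0-9A-Fa-f]{1,4})h")
HEX16 = re.compile(r"\b([0-9A-Fa-f]{1,4})h\b")

def find_refs(listing, target, dpp=None, slack=0):
    """Walk an IDA-style listing, tracking 'mov DPPn, #..h' as it goes, and
    return (address, resolved) for every 16-bit operand (direct or immediate)
    that lands in [target - slack, target]; slack > 0 catches base+offset use."""
    dpp = list(dpp or RESET_DPP)
    hits = []
    for line in listing:
        m = DPP_LOAD.search(line)
        if m:
            dpp[int(m.group(1))] = int(m.group(2), 16)
            continue
        for m in HEX16.finditer(line):
            phys = to_physical(int(m.group(1), 16), dpp)
            if target - slack <= phys <= target:
                hits.append((line.split()[0], phys))
    return hits

# Constructed listing in IDA style; only the last two lines echo the post.
LISTING = [
    "ROM:00021400 mov   DPP1, #12h",       # page 0x12 covers 0x48000-0x4BFFF
    "ROM:00021404 movb  rl2, 7C02h",       # direct: resolves to 0x4BC02
    "ROM:00021408 mov   r4, #7C01h",       # base one below the byte ...
    "ROM:0002140C movb  rl3, [r4+#1]",     # ... reached as base+1
    "ROM:0002145A movb  rl2, 7C07h",       # the Lambda_3_4BC07 read
    "ROM:0002145E jmpa  cc_NZ, loc_216DE",
]

if __name__ == "__main__":
    print([hex(a) for a in encodings(0x4BC02, [0, 0x12, 2, 3])])
    print(find_refs(LISTING, 0x4BC02, slack=1))
```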

Registered · 87 Posts · Discussion Starter #20
Hi,

I have no experience at all with the Duc dashboards, so there's nothing I can add in regards to the error message thrown up when 0x4BC02 is changed. However, I did explore the Digitec dashboards used in Guzzi CARC models and the Aprilia Mana at length and investigated the ID packets sent back and forth on the CANBus. See attached for the results.
Btw, if someone has a dashboard he doesn't need anymore because it's damaged, I would accept it as a gift and try to read the EEPROM and sniff the CANBus, similar to what I did with the Guzzi/Aprilia dashboards. Of course the electronics must be working.

https://wildguzzi.com/forum/index.php?topic=93758.msg1481938#msg1481938

Cheers
Meinolf