Continuing on with the MAP sensor work. I'll write this up properly and put it in the MAP sensor wiki, but for now here's the disassembled code listing. This is the function that takes the raw MAP sensor AD values from the ring buffer and calculates MAP pressure and manifold vacuum pressure.

It really would be very nice to have the actual parameter/variable names, but you'll have to suffer through my made up names (identified as all lowercase) :-)

Key things of note:
- The code loops through the ring buffer every time it runs and pulls and averages a number of valid samples (by default it's actually only 1 valid value that it samples).
- It then takes the raw value and offsets it and scales it according to the MAP scaler and offset parameters that have been known for some time.
- Manifold vacuum pressure is calculated as P_UMG (ambient pressure from the on-DME pressure sensor) minus MAP pressure.
- The function runs in both the segment task and the 10ms task.

This one is interesting. This (function at 0x00011e3c) is a debug function that runs in the background task. It tracks the time in milliseconds since the function last run and captures the longest time in DB_TBGND_MAX and the average in DB_TBGND_AV. This would have been useful during development as the BMW engineers were adding to the codebase to monitor the system and make sure that the CPU was getting to the background task regularly enough.

0x00ffeb36 is the 32 bit telegram from the MFL to the DME with the cruise control buttons status. This variable in turn is populated from the TPU config RAM (0x00ffff08) which is a shared RAM section between the DME and the TPU to allow transfer of data. The TPU facilitates the one-wire serial interface to the MFL.

Section 8.3.2 in 3.05 EGAS Safety Concept in the funktionsrahmen describes how this works and it seems that this is pretty much how it's implemented in the code as well. The safety concept code is really interesting to dig into and seems in general to be pretty close to how it's documented in the funktionsrahmen.

0x00ffe508 and 0x00ffe50a appear to be "total count of interrupts" and "number of interrupt service routines currently in progress" (note it is possible for this to be greater than 1 as a higher priority interrupt will "interrupt" a lower priority ISR) respectively.

I've named these "sys_interrupt_counter" and "sys_active_interrupts".

edit: renamed to sys_isr_count to mirror BMW's naming of CAN_ISR_COUNT

If anyone has any info about these 4 curves it would be super useful to know. From the code I I've worked through so far I *think* that 0xe708 and 0xe732 respectively are possibly representing molar mass of the residual gas mix based on camshaft position, but not overly confident about that yet.

These are all of the parameters from the master binary which we currently don't have the actual names for. For anyone who's wondering the addresses below are as the prog binary references them, so the actual addresses in the partial would be the value below minus 0x80000. e.g. 00088826 would be 0x8826.
And these are all the parameters from the slave binary which we currently don't have actual names for. I've included all the SMG parameters (0008a8xx to 0008aexx) which are missing actual names as well. Not sure if anyone has those, but thought I'd include them for completeness. To convert the below addresses to the offset in the partial it's what's below minus 0x88000. e.g. 0008808a would be 0x008a.

ppm008 really appreciate your help - any chance I could list out all the parameter addresses I'm working on and see if you've got details for any others? I've come up with names for a bunch but if it's possible to confirm the actual names that would be even more ideal. (don't want to bug you too much though so feel free to say no!)

Amazing - thank you so so much!


Sent from my iPhone using Tapatalk

8a980 KL_TANM_PT1_INIT
8e5f4 K_RF_DIAG_F_KATH
8e5f6 K_RF_DIAG_F_VAN
8e5f8 K_RF_DIAG_SCHWELLE
8e848 KF_RF_KORR_DRREL
8e6c8 K_RG_R
8e6ca K_RG_V_HUB
8e6cc K_RG_ZYLANZ_BANK

Great work as always mate.

I'm continuing to make good progress. I've now understood and named about 70 of the 112-odd CSL specific parameters. The names are of course my best guess as to what they would logically be named based on what I can figure out from BMW's naming convention. Unless anyone who has access to the actual names of these parameters is willing to share then my made-up names will have to do :-)

There's about 40 more parameters which I'm still working through to establish their purpose and what they should be called, but I'm very pleased with how it's going. I'm categorizing as I go (as can be seen in the screenshot below), which shows the modules which contain changes for 0401.

I've renamed the function "calculate_pressure_from_air_mass()" in my previous post to "p_egbp_calc()" given, as I've been working through everything, I've identified that this function is looking up a value for exhaust gas back pressure.

This is the function with parameter and variable names that make sense:



The function looks up a curve which provides an estimated value of exhaust gas back pressure based on current ML (air mass flow).

This value is relative (e.g. it's just the back pressure component). so this is then added to P_UMG_FILTER (ambient air pressure) to get an absolute exhaust gas back pressure measurement.

This value is filtered through a PT1 filter and then checked for max/min values for plausibility, before returning.

Here's what the parameters look like:




The calculated value p_egbp is then used in the calculation of rg_m.

I haven't posted any updates in a few days but have been making some progress.

One of the key components of MpowerE36's work is the calculation of what he terms m_720_map, which is the calculated air mass per 720 degrees of crankshaft rotation. It's the main component of the calculation of RF from MAP.

as he identifies the calculation of m_720_map looks like this:

Now m_720_1 is calculated air mass based on the MAP sensor reading and nominal air pressure and temperature - that's the baseline if you will.

m_720_2 is a compensation for pressure loss in the system (due to TETV (tank ventilation) and the like).

m_720_3 Mpower_E36 has identified as "air mass correction per 720 degrees of crankshaft rotation" and referred to the table at 0xe42c - it looks like this:



Now the thing is, by default 0401 doesn't use this table. If we look at the segment task we see (in part):



k_rg_m_cfg's (my name) value is 1 in 0401:



So by default two functions are called. the second of these (what I've called rg_m_calc()) provides a calculated value for MpowerE36's m_720_3.

And when I look through this function it is calculating a mass value based on things like intake and exhaust camshaft position, tabg (there are an entire separate set of tabg calculation functions solely for informing this function), etc.

Now why would we need to know camshaft position and exhaust gas temperature? Because what m_720_3 is is the calculation of the mass of residual exhaust gas left in the cylinder (which varies, especially, based on cam overlap). Remember the DME intentionally recirculates some exhaust gas (particularly at certain RPM and loads) to reduce emissions and we can see this playing out in the table above (which isn't used by default, but gives us a representation of what the system is doing).

Anyway - I have some more work to do to finish up documenting the interpretation of this function, but pleased to have figured this out and have a more concrete understanding of exactly what it is.

That would be awesome thanks! The more we share the better! Yes please feel free to link to either or!


Sent from my iPhone using Tapatalk

Awesome work! Its nice to see more people diving into this. I have some IDA disassemblies of MSS54 from the CAN bus analysis, I dig them out and send them to you, maybe its of use for you.

Would you be fine with me linking this thread or the Github page on MS4X.net?