sure thing - here we go :-). Note that CAN_send_frame() is the untouched original function that sends CAN frames to the bus.



Thanks! - I've validated it 3 different ways now

1: This morning I went through the assembly by hand, confirming what it was doing and validating it against its sister functions. As part of this I made sure to track the before/after states of all registers, the stack, etc.
2: I loaded the result in to Ghidra as you can see above and confirmed that both the disassembly and the C interpretation match what I expect.
3: I asked ChatGPT to interpret and summarize the assembly to check that it's interpretation of what was going on matched my own.

I'm at the point now where I can't really test it any further without loading it and giving it a go.

To that end I've taken the exact program binary currently on my car, made the above modifications to it, done a before after comparison to make sure I didn't change anything else by accident and loaded it also into Ghidra to validate the assembly and C.

Next up is to flash the program and try it out. As I mentioned I'm not setup for CAN logging, so will simply be validating that the DME, and car, runs without error. From that point on it'll be over to you and Bry5on to actually log the new message and confirm full functionality (if you're still game that is 😉)

Also if there's anything else you want to see in more detail (existing CAN message functions, etc.) let me know!

I figured, but just double checking . Maybe throw a screenshot of that function up for code review completeness?

C code LGTM. I looked through the assembly and it also seems fine, but my assembly skills are rusty, so take that with a grain of salt.

Ah it's the function that actually pushes the frame to the bus. I must have taken that screenshot before I labeled the function.


Sent from my iPhone using Tapatalk

This is awesome!

Question, what is FUN_0003aa20() doing?

Counting the instruction clock cycles shows that this additional CAN message takes approximately 20us (micro-seconds) to run (that's for both the function that constructs the message and to actually push it onto the CAN bus).

I've spent some time going through my work and am probably about as happy as I can be with most of it, I'm still working out a couple of the config bytes in the CAN message table - They don't seem to be relevant for sent CAN messages but I need to be certain on those before I go any further.

After that will be to copy the changes into the flashable 0401 program binary and flash that to my DME as a guinea pig test. Amusingly I'm not setup for CAN logging so all I will be able to do is validate that the new program runs without error.

I'm a bit concerned that I wrote the machine code for the new functions and haven't found any issues whatsoever with that work since. Usually that just means that you haven't found the bug yet 😏

And here's the function to send the new CAN message:




And the C interpretation:



Who wants to check my work lol?

Seriously though - I need to go through this with a fine-toothed comb.

Also started making some progress on the extra CAN message today:

New CAN_Send_DME_ARBIDs_karter16() function which replaces the original CAN_Send_DME_ARBIDs() '



And screenshot of the disassembler's C interpretation below to show that I got the machine code right. our new CAN message is decimal 16 in the table.



And here's our new function being called in the 10ms task:



And here's the new entry in the table:



I've decided on ARBID 7D0 as it is higher (lower priority) than any other message in the table, used or not, and is still within the standard 0x000 to 0x7FF CAN ARBID range.
The pointer to 0x0003f900 leads to empty program rom currently. The next step will be to build the new function to send the CAN message.

Another good discovery today. I've got a whole bunch more work to do before I write up a summary of it but I've figured out a bunch of the Inter-Processor Communication (IPK) mechanism which is used by the Safety Concept to provide a guaranteed communication mechanism between the processors for critical safety variables.

Anyone who has looked into MSS54HP code will be familiar with the memory map table below and the fact that two sectors (0x4000 - 0x5fff and 0x6000 - 0x7fff) are unknown.



0x6000 - 0x7fff (and 0x86000 - 0x87fff for the Slave) is a memory-buffer zone which is used to store IPK frames to be sent over the IPK.

I'm probably going to do a bad job of explaining this as it has a bunch of components to it, but I've figured out the operating system (by the way the name of the OS is OSKAR) task scheduling system. When I have a high enough level of enthusiasm I'll document this properly in the wiki, but for now here's the quick run-down.

Each processor in the DME receives an external timer interrupt from the programmable interrupt timer 1024 times per second (e.g. approximately every millisecond).

The interrupt is handled here:



So this function fires every 1ms, and in it it does some important high frequency things like update the system timertics variables, sync the values in the dual-ported RAM to local copies of the variables, etc.

Every 2ms it calls sys_process_scheduled_tasks() which checks all scheduled tasks, updates the delay timers on each task and reschedules periodic tasks.

Every time the function runs, and provided there are no other active interrupts, the tasks are actually dispatched via sys_dispatch_tasks which in turn calls sys_task_dispatcher.

Both of these functions are below:





There is also a function to schedule a task in the first place:




And to cancel tasks:


The details of the tasks are stored in a pointer array in the program ROM (0x0003d810 in Master) which in turn points to a table of structs



The array of structs starts at 0x0003d798 (in Master program ROM)



And this is what I've figured out of the structure so far:



It's important to note that sys_process_scheduled_tasks runs every 2ms (every other time the timer interrupt fires) so the period and the initial delay of each task is specified in units of 2ms. e.g. task_10ms has period_2s set to 0x0005:



The task manager can manage up to 32 different tasks and can schedule up to 8 of them at once for execution.

This smells like drive-by noise testing..

Either cams or something to do with less restriction in the CSL airbox vs MAF, or both.

Arbitration ID - used as part of the CAN communication format to deal with situations where multiple messages are flying around the bus at the same time. The message with the lowest ARBID value wins. Part of the plan for introducing another CAN message is to give it a suitably high ARBID so that everything else wins. That way the more critical CAN functions continue on unimpeded and the new message can be transmitted when the bus is free.

So would that then mean that the reason why that one region of the table is slightly higher in the CSL tune is that the difference in cams allows for a slightly longer intake period which allows for slightly more mixing time?

Ah, fair enough. I'll settle for proper part throttle performance every time.

Just a few percent higher seems to cause instability. I believe you want the air velocity high enough for effective fuel mixing, so if you open the throttles too much you pass a sad point of no return. They really seem to have pushed it pretty close to the max as far as I could tell when playing with that variable.