Yeah definitely - it's riddled with inaccuracies/additions that have been made in code after that version of the funktionsrahmen was written. Have found it useful though to explain some of the concepts / thinking behind various modules that you can then match up (or not) to what's in the code.


Sent from my iPhone using Tapatalk

Awesome work! Its nice to see more people diving into this. I have some IDA disassemblies of MSS54 from the CAN bus analysis, I dig them out and send them to you, maybe its of use for you.

Would you be fine with me linking this thread or the Github page on MS4X.net?

That would be awesome thanks! The more we share the better! Yes please feel free to link to either or!


Sent from my iPhone using Tapatalk

I haven't posted any updates in a few days but have been making some progress.

One of the key components of MpowerE36's work is the calculation of what he terms m_720_map, which is the calculated air mass per 720 degrees of crankshaft rotation. It's the main component of the calculation of RF from MAP.

as he identifies the calculation of m_720_map looks like this:

Now m_720_1 is calculated air mass based on the MAP sensor reading and nominal air pressure and temperature - that's the baseline if you will.

m_720_2 is a compensation for pressure loss in the system (due to TETV (tank ventilation) and the like).

m_720_3 Mpower_E36 has identified as "air mass correction per 720 degrees of crankshaft rotation" and referred to the table at 0xe42c - it looks like this:



Now the thing is, by default 0401 doesn't use this table. If we look at the segment task we see (in part):



k_rg_m_cfg's (my name) value is 1 in 0401:



So by default two functions are called. the second of these (what I've called rg_m_calc()) provides a calculated value for MpowerE36's m_720_3.

And when I look through this function it is calculating a mass value based on things like intake and exhaust camshaft position, tabg (there are an entire separate set of tabg calculation functions solely for informing this function), etc.

Now why would we need to know camshaft position and exhaust gas temperature? Because what m_720_3 is is the calculation of the mass of residual exhaust gas left in the cylinder (which varies, especially, based on cam overlap). Remember the DME intentionally recirculates some exhaust gas (particularly at certain RPM and loads) to reduce emissions and we can see this playing out in the table above (which isn't used by default, but gives us a representation of what the system is doing).

Anyway - I have some more work to do to finish up documenting the interpretation of this function, but pleased to have figured this out and have a more concrete understanding of exactly what it is.

I've renamed the function "calculate_pressure_from_air_mass()" in my previous post to "p_egbp_calc()" given, as I've been working through everything, I've identified that this function is looking up a value for exhaust gas back pressure.

This is the function with parameter and variable names that make sense:



The function looks up a curve which provides an estimated value of exhaust gas back pressure based on current ML (air mass flow).

This value is relative (e.g. it's just the back pressure component). so this is then added to P_UMG_FILTER (ambient air pressure) to get an absolute exhaust gas back pressure measurement.

This value is filtered through a PT1 filter and then checked for max/min values for plausibility, before returning.

Here's what the parameters look like:




The calculated value p_egbp is then used in the calculation of rg_m.

I'm continuing to make good progress. I've now understood and named about 70 of the 112-odd CSL specific parameters. The names are of course my best guess as to what they would logically be named based on what I can figure out from BMW's naming convention. Unless anyone who has access to the actual names of these parameters is willing to share then my made-up names will have to do :-)

There's about 40 more parameters which I'm still working through to establish their purpose and what they should be called, but I'm very pleased with how it's going. I'm categorizing as I go (as can be seen in the screenshot below), which shows the modules which contain changes for 0401.

Great work as always mate.

8a980 KL_TANM_PT1_INIT
8e5f4 K_RF_DIAG_F_KATH
8e5f6 K_RF_DIAG_F_VAN
8e5f8 K_RF_DIAG_SCHWELLE
8e848 KF_RF_KORR_DRREL
8e6c8 K_RG_R
8e6ca K_RG_V_HUB
8e6cc K_RG_ZYLANZ_BANK

Amazing - thank you so so much!


Sent from my iPhone using Tapatalk

ppm008 really appreciate your help - any chance I could list out all the parameter addresses I'm working on and see if you've got details for any others? I've come up with names for a bunch but if it's possible to confirm the actual names that would be even more ideal. (don't want to bug you too much though so feel free to say no!)

These are all of the parameters from the master binary which we currently don't have the actual names for. For anyone who's wondering the addresses below are as the prog binary references them, so the actual addresses in the partial would be the value below minus 0x80000. e.g. 00088826 would be 0x8826.
And these are all the parameters from the slave binary which we currently don't have actual names for. I've included all the SMG parameters (0008a8xx to 0008aexx) which are missing actual names as well. Not sure if anyone has those, but thought I'd include them for completeness. To convert the below addresses to the offset in the partial it's what's below minus 0x88000. e.g. 0008808a would be 0x008a.

If anyone has any info about these 4 curves it would be super useful to know. From the code I I've worked through so far I *think* that 0xe708 and 0xe732 respectively are possibly representing molar mass of the residual gas mix based on camshaft position, but not overly confident about that yet.

0x00ffe508 and 0x00ffe50a appear to be "total count of interrupts" and "number of interrupt service routines currently in progress" (note it is possible for this to be greater than 1 as a higher priority interrupt will "interrupt" a lower priority ISR) respectively.

I've named these "sys_interrupt_counter" and "sys_active_interrupts".

edit: renamed to sys_isr_count to mirror BMW's naming of CAN_ISR_COUNT