Spent a little bit of time working through the 10ms task in the master binary to figure out what each of the functions it calls does. There's several still to work out but have made some pretty good progress. I've also figured out the inter-processor monitoring of the system timers and the EGAS Safety Concept Program Execution Control mechanism, as well as confirmed via the funktionsrahmen that the MSS54 uses dual-ported RAM to share variables between the two processors for non-critical purposes (which confirms my previous suspicion that that RAM space is shared). Also found in that same document that for sharing of variables for critical functions the IPK (inter processor communication) system is used. I'll try to find that mechanism in the code as well as would be useful to understand how it works.

Yes I believe it is (at least the first half of the condition is) I haven't quite worked out the "Schalten" (Shifting) bit - I'm not quite sure why that's included/why it needs to be. Does that mean every time the gearbox is "Shifting" the flap qualifies to be open? That bit doesn't seem quite right, so maybe "Schalten" means something a little bit different?

Edit: bmwfnatic has confirmed that in context "Schalten" is definitely "while shifting" - he suggests that this is possibly to pre-empt the situation where downshifting brings RPM etc. above the threshold so the flap is preemptively opened for the "blip". This seems like a logical explanation for this condition.

Could condition 3 be SMG launch mode?

Oh man that’s super interesting. Like a secret raw mode. Interested to hear what you find as you dig in more. This might be easier to set to 6 than setting every flap open engine speed for those that don’t have the flap installed. Thank you for all this work!

So I've been thinking about this and decided to have more of a look into it to see if I can figure out why BMW would go to the trouble for such a small variation.

I have been going through the function that determines the opening/closing of the flap and it turns out there actually more to it when it comes to deciding whether the flap should be open or closed. There are a range of different conditions that can contribute to the flap being opened.

Condition 1: Engine Speed (RPM) is greater than the FlapOpen RPM from the FlapOpen(Comfort/Sport depending) (this is the one we're expecting) plus a hysteresis value AND ML (air mass) is greater than a minimum value (20 kg/hr by default in 0401).
OR
Condition 2: Engine Speed (RPM) is 800rpm or greater AND a config parameter (0xA1DF is set to decimal 6 (it's 1 by default in the 0401 tune))
OR
Condition 3: SMG is in launch control mode OR SMG is "Schalten​" (Shifting?)

Against all of these there is an additional condition that Ambient temperature must be above 3 degrees C or so (presuming I did the value conversion right).

So the flap open WDK table looks to be there for the launch control situation in production code, plus whatever the A1DF parameter does.

The same function also contains additional logic in the event that 0xA1DF is set to decimal 6. I haven't worked through this code yet to see exactly how that piece all works and whether setting the flap always open is as simple as setting 0xA1DF to 6.

❤️ lots of credit goes to bmwfnatic as well - wouldn't have been able to do all this without him. And of course to those who have done all the work on the earlier XDF, etc. It's a community effort :-)


Sent from my iPhone using Tapatalk

karter16 and bmwfnatic thank you both your selfless devotion undertaking this mammoth task.

Well it was an arduous job but I now have a "complete" 0401 XDF built out. I had to make well north of 500 changes/additions/deletions to the public 0401 XDF. The automated process that was used a few years ago to generate the XDF was impressive, but still seems to have had an error rate of about 20% or so.

Below is the process I've followed for building this out:

1: Build out 1801 disassembly
2: Compare SMG characteristics and code between 0901 and 1801 to map across the characteristics that can be.
3: Map 1801 disassembly across to 0401 (I sighted every variable/characteristic individually in context to ensure it was mapped correctly, any that I couldn't verify have been marked as unknown)
4: Take the publicly available 0401 XDF
5: Run comparison on the XDF against symbols from 0401 disassembly
6: Add/Update/Delete from XDF as necessary

Is this 100% accurate? Certainly not! I did this by hand and I have undoubtedly made errors along the way. That said the error rate should be about a 20th of what it was before.

The XDF now identifies unknown characteristics that are referenced in the code, so although we don't know everything about them we can see that they exist and what we do know.

What next? I need to do some tidy up on the layout, unfortunately it's a manual job to re-order the characteristics in the XDF and they're not in sequential order because others who have built out the public xdd in the past have used the "insert at this point" feature, which overrides the default of placing the item in the right location.

Interestingly I came across a not insignificant number of items which had been manually corrected by others in the past but which were in fact still incorrect. It is not enough to look at the order/placement of the parameters against a known version, you have to actually compare at the line-by-line code level to be sure you are mapping the parameters correctly as BMW have inserted/removed items in the middle of the lists of parameters (rather than adding at the end in all cases) between versions.


As soon as I have things tidied up I'll share the XDF here.

Repo is now updated with known global variables (1179) for the Slave binary, as well as unknown characteristics (104) for the slave as well.

That's interesting. The CSL flap in factory software is never open under 1600rpm. This situation should only occur in an error state where the flap is stuck open. Or you've modified the binary to open earlier of course.

bmwfnatic and I have been making a lot of progress, and that's culminated this weekend in me having the time to map across characteristics (Parameters, Curves and Maps) as well as Global Variables from the 1801 master binary to the 0401 master (I'm still to do the slave binary).

We've managed to map 973 global variables which I've listed here: https://github.com/karter16/CSL_0401...#master-binary



As well as all the characteristics from 1801 (except for things which don't apply to the CSL like HFM). There were 5 characteristics in the 1801 master binary I wasn't able to identify, plus another 115 that are specific to the 0401 binary. These 120 characteristics which are still to be identified are listed here: https://github.com/karter16/CSL_0401...#master-binary



I should be able to work out what a bunch of these are, I'm just focused first on getting in all the characteristics, etc. to both the Master and Slave so we can update the archive to share with others.


Side note - I found it interesting as I was going through the master binary to see that the EGAS module has a separate EGAS_WDK table for when the CSL snorkel flap is open which has some subtle differences in both the interpolation point and the values around the 1200 RPM mark - others are probably already aware of this but I hadn't come across it before:

This could be a reason, why I never really got a emulator to work in one of the eeproms. The emulator doesn't support writing from ecu side to it.

Seems it's just a bit shifted, 0 starts earlier and there are 6.
At the bottom of function 0x1ddfc there seems to be some logic where the old amount of activated lights is compared against a new hypothetical value, and once this new value has been consistent for at least K_DWF_T_HYS (0xac7b) amount of times, the new value is adpoted.
This is to prevent the lights from going back on and off if the temperature is on the edge I think.

Here's the function that calculates the variable speed lights based on oil temp. Useful to find this as these parameters are incorrectly mapped in the XDF.

Nice work, the next consequent step would be to advance or reroute the SMG-CAN-functionality (or PT-CAN) to deal with the E92 and/or F8x DCT.