Updated Fuel Level

Added Euro 6, now covering all model generations; improved result plots
Link to post: “Fuel Level”

Advertisements

Log Graphs 1

Specification

Car: 2009 Impreza 2.0 Turbo Diesel, 110 kW / 148 hp / 150 PS, European domestic market, Euro 4 spec.

Important: Newer Boxer Diesel generations (Euro 5/6) may show different behaviour!

ECU firmware: patched ROM for unlimited logging, otherwise stock.
Protocol: SSM2 via CAN
More than 120 items had been logged, plenty of RAM variables (*) plus standard SSM2 items at roughly 170 ms interval.

Graphs

I prepared two graph images plotting some interesting parameters, click picture for full resolution:

---

Image 1/2

---

Image 2/2

Additional details

… at specific time positions:

#1: State before active regeneration

Time @ ~ 33 ½ min
Cruise Control: active
Vehicle Speed*: 110 km/h
Engine Speed: 2300 rpm
Gear: 5
Coolant Temperature: 93 °C
Injections: 2 (pre + main)
Soot Accumulation Ratio: 64 %
DPF Pressure Difference: ~ 5 kPa
Exhaust Gas Temperature (EGT) Catalyst Inlet: 345 °C
EGT DPF Inlet: 370 °C
Intake Air Amount: 430 mg/cyl
Mass Air Flow: 33.8 g/s
Manifold Absolute Pressure (MAP)*: 126 kPa
Inlet Air Temperature: 25 °C
Manifold Air Temperature: 48 °C
Fuel Temperature: 58 °C
Throttle Opening Angle: 79 deg
EGR Valve Opening Angle: 38 deg
Final Oil Dilution Rate*: -1.9 mg/s (evaporation)
Oil Dilution Amount: 282.0 g (4.6 %)

#2: Soot 65%, preparing for DPF regeneration

@ 33 ¾ min
Soot Accumulation Ratio* reaches 65%, this triggers active regeneration preparations. Note: I am referring to the actual RAM value, diagnostic parameter may indicate 65% earlier due to rounding.
Apparently ECU now does 3 injections (pre + main + after) when power demand is high enough, no post injections yet

#3: Active Regen ON

@ 34:04; = 20 seconds after #2, DPF Regeneration Switch turns ON
EGR valve closes instantly, 0 deg
Manifold Air Temperature dropping
Boost Control opens VGT immediately, from 52 to 25%
Manifold Absolute Pressure* dropping
pilot-injection kicks in, 2 injections (pilot C + main)
post-injections begin to fade in but not active yet

#4: Post-Injections

@ 33 seconds after #2, post-injections A + B become operational (injection amount > 0)
oil dilution rising
EGTs climbing
Manifold Absolute Pressure*: 75 kPa (~ 25 below ambient), varying, stays below ambient most of the time during regen at low power demand
EGT Catalyst Inlet: 340 °C
EGT DPF Inlet: 320 °C
injections: 4 (pilot C + main + post A + post B)

#5: Coasting Fuel Cut-Off During Regen

Example @ 35:12
EGR valve opens instantaneously, 70 deg; EGR behaves rather digitally during regen – either fully closed (0 deg, for max EGT) or max opened (70 deg, less fresh air)
Throttle Opening Angle: rising up to 31 deg
injections: 0
Fuel Consumption*: 0 mm³/s
oil dilution going down slowly due to estimated evaporation
EGT Catalyst Inlet: decreases fast, EGT at DPF inlet (> 600 °C) follows with a delay
Engine Speed: gear change from 5th to 6th to reduce engine braking effect

#6: Idling with Active Regen ON

@ 45:30
Engine Speed: 800 rpm
Post A Injection Amount*: 0
Post B Injection Amount*: ~ 8 mm³/st
Apparently while idling the ECU prefers the 2nd post-injection (“B”), otherwise during driving it’s rather mixed
Final Oil Dilution Rate: ~ 20 mg/s (medium)
Boost Control: 25 % (VGT fully open)
Manifold Absolute Pressure*: 74 kPa
Throttle Opening Angle: 5.5 deg
EGR Valve Opening Angle: 0 deg
Intake Air Amount: 370 mg/cyl
Mass Air Flow: 9.8 g/s

#7: DPF Regeneration OFF

@ 46:15, decision is based on elapsed time from #2, achieved soot level does not matter (!)
DPF Regeneration SW had been ON for 12.2 minutes
all post-injections off
Oil Dilution Amount*: 299.6 g (4.9 %) = + 0.3 % during regeneration
EGR back to normal operation
Boost Control: 65 % instantly (max speed, spooling up turbo)
MAP rising
EGT Catalyst Inlet: 270 °C
EGT DPF Inlet: 490 °C

DPF Light Patch

This is meant for programmers or at least folks who understand coding in general. Here I am going to show how I implemented the DPF light patch, part of Diesel ECU Patch v1, on my former (Euro 4) car.

---

Actual source code, updated to C++14:

// Copyright SubaruDieselCrew (2011-2017)   https://subdiesel.wordpress.com

#include <array>
#include <chrono>
//#include <bitset>
#include "sh.h"
#include "JZ2F401A.h"

using namespace std::chrono_literals;

/**
 * @brief DPF light flashing modes (stock)
 *
 */
enum class DPFLightMode {
    off = 0,
    /**
     * @brief soot-high warning aka vehicle speed request
     *
     */
    on_steady = 1,
    /**
     * @brief error
     *
     * (multiple causes: compulsory regeneration required, oil dilution critical, ash overfill, DPF limp-home mode;
     * see https://subdiesel.wordpress.com/2011/03/21/dpf-light/ )
     */
    flashing = 2,
};

/**
 * @brief time resolution (= CAN frame ID 0x600 interval)
 *
 */
const constexpr auto interval {50ms};
/**
 * @brief stock period for flashing mode is 800 ms,
 *        does not have to match stock here
 *
 */
const constexpr auto dpfLightPeriod {800ms};
/**
 * @brief defines DPF light output over time when active regeneration is on
 *
 */
const constexpr std::array<bool, dpfLightPeriod / interval> dpfLightCustomPattern
{
    1, 1, 0, 0,  1, 1, 0, 0,
    0, 0, 0, 0,  0, 0, 0, 0
};
// tested alternative: bitset; storage-efficient but much more lookup code
// const std::bitset<dpfLightPeriod / interval> bits {"1100110000000000"};

/**
 * @brief Implement custom flashing mode.
 *
 * Called every 50 ms (CAN-ID 0x600 interval)
 * from patched stock function "calcDpfLight".
 * Standard error flashing mode already handled by untouched
 * stock subroutine portion and this case this function won't get called.
 */
void calc_DPFLight_continue()
{
    // needed as original functionality has been overwritten for hook instructions
    if (DPFLightMode(*DPFLightModeEnum_b) == DPFLightMode::on_steady)
    {
        *DPFLight_bool = true;
        return;
    }

    // at this point DPFLightMode == DPFLightMode::off
    if (!*DPF_Regeneration_bool_SSM)
    {
        *DPFLight_bool = false;
        return;
    }

    // at this point active DPF regeneration is ON, do custom flashing
    // reusing DPF light counter var is safe
    auto counter = *DPFLightCounter_b;
    if (++counter >= dpfLightCustomPattern.size())
        counter = 0;
    *DPFLightCounter_b = counter;
    *DPFLight_bool = dpfLightCustomPattern.at(counter);
}

---

// Copyright SubaruDieselCrew (2011-2017)   https://subdiesel.wordpress.com
/*
	For stock ROM:
	Model	2009/2010 Impreza Turbo Diesel 2.0 6MT EDM 110 kW / 150 PS
	ROMID	6644D87207
	CID		JZ2F401A
	CVN		F5AD7142 FB841734
	PAK		22611AP283
*/

#ifndef JZ2F401A_H
#define JZ2F401A_H

#include "diesel_rom.h"

// RAM vars
static auto const DPFLight_bool = reinterpret_cast<volatile bool*>(0xFFFF9C1E);
static auto const DPFLightModeEnum_b = reinterpret_cast<volatile int8_t*>(0xFFFF9C1F);
static auto const DPFLightCounter_b = reinterpret_cast<volatile uint8_t*>(0xFFFF9C53);
static auto const DPF_Regeneration_bool_SSM = reinterpret_cast<volatile bool*>(0xFFFFB222);
…

---

Disassembly made by objdump:

c: 91 26 mov.w 0x5c,r1 ! 9c1f e: 61 10 mov.b @r1,r1 10: 60 1c extu.b r1,r0 12: 88 01 cmp/eq #1,r0 14: 89 14 bt 0x40 16: 91 22 mov.w 0x5e,r1 ! b222 18: 61 10 mov.b @r1,r1 1a: 62 1c extu.b r1,r2 1c: 22 28 tst r2,r2 1e: 8d 0f bt.s 0x40 20: e2 0f mov #15,r2 22: 91 1d mov.w 0x60,r1 ! 9c53 24: 61 10 mov.b @r1,r1 26: 71 01 add #1,r1 28: 61 1c extu.b r1,r1 2a: 31 26 cmp/hi r2,r1 2c: 8d 0c bt.s 0x48 2e: 60 13 mov r1,r0 30: 92 16 mov.w 0x60,r2 ! 9c53 32: 22 10 mov.b r1,@r2 34: d1 0b mov.l 0x64,r1 ! 945a8 36: 02 1c mov.b @(r0,r1),r2 38: 91 13 mov.w 0x62,r1 ! 9c1e 3a: 21 20 mov.b r2,@r1 3c: 00 0b rts 3e: 00 09 nop 40: 92 0f mov.w 0x62,r2 ! 9c1e 42: 22 10 mov.b r1,@r2 44: 00 0b rts 46: 00 09 nop 48: 92 0a mov.w 0x60,r2 ! 9c53 4a: e1 00 mov #0,r1 4c: e0 00 mov #0,r0 4e: 22 10 mov.b r1,@r2 50: d1 04 mov.l 0x64,r1 ! 945a8 52: 02 1c mov.b @(r0,r1),r2 54: 91 05 mov.w 0x62,r1 ! 9c1e 56: 21 20 mov.b r2,@r1 58: 00 0b rts 5a: 00 09 nop 5c: 9c 1f mov.w 0x9e,r12 ! 600c 5e: b2 22 bsr 0x4a6 60: 9c 53 mov.w 0x10a,r12 ! e000 62: 9c 1e mov.w 0xa2,r12 ! e0ff 64: 00 09 nop 66: 45 a8 .word 0x45a8 5a8: 01 01 .word 0x0101 5aa: 00 00 .word 0x0000 5ac: 01 01 .word 0x0101 5ae: 00 00 .word 0x0000 5b0: 00 00 .word 0x0000 5b2: 00 00 .word 0x0000 5b4: 00 00 .word 0x0000 5b6: 00 00 .word 0x0000

---

As you can tell there is not much code required. Much more work, orders of magnitude (!), is necessary to reverse-engineer the related stock ROM portions in the first place, defining functions, disassembling machine instructions, naming local and global variables etc.

Usually, ROM and RAM addresses depend on the actual ROM version used. Above definitions work for outdated CID JZ2F401A (dated 2009-Sep). Apart from ROM specific variable addresses the same code will work for all known Euro 4/5/6 models.

Resultant binary data is meant to be inserted into a free unused ROM region. On Renesas SH microprocessors (i.e. SH7058S) free ROM space is rather easy to find – just look for big chunks of continuous FF-bytes. This is because those chips erase bytes to value 0xFF. Others, e.g. Infineon TriCore series, erase their internal flash ROM to zeroes instead.

To actually make use of the added logic, I had to modify (patch) a few bytes in the original calc_DPF_light subroutine, so that after doing some of its work it will call my own function, knowing its start address (0x9400C). Usually there is no free space in between stock functions, therefore we have to apply clever patching tricks to make room for a few new instructions and/or divert execution flow.

Finally, after carefully verifying the changes applied to the stock ROM, you have to correct checksums. Flashing software usually does this anyway, perhaps asking first. Checksum correction and verification is actually very easy to do for such Denso firmware.

Providing SDC-modified ROMs is possible, however will not be free due to amount of labour involved. Contact us if you’re interested.

Updates

• 2017-10: update code, syntax-highlighted disassembly, C++17
• 2017-04: minor update, actual disassembly
• 2016-11: updated source to C++14
• 2016-10: updated source to C++11 with Doxygen documentation
• 2016-01: added disassembly

Updated Extended OBD-II definitions

Added 7 PIDs (0x10A1, 0x10A3..0x10A7, 0x1137), some are petrol-only, some diesel-only, some mixed.
See Extended OBD-II definitions page.
Downloads (spreadsheet, CSV) as well as ParsePID project are up to date.
Note that some PIDs have not been tested on actual cars yet – feedback is appreciated!

Yet another color map for EcuFlash

Perhaps another color map for EcuFlash might be interesting? I wrote a little SageMath python script to generate a ScoobyRom-like color map file.

EcuFlash using ScoobyRom color map

Note: Although generated color map matches ScoobyRom’s precisely, EcuFlash applies colors based on “min” and “max” specified in XML definitions.

Excerpt from EcuFlash definition file: 32BITDIESELBASE.xml

<scaling name="ChargeAirPressure" units="kPa" toexpr="x" frexpr="x" format="%.0f" min="0" max="255" inc="1" storagetype="uint8" endian="big"/>

Whereas ScoobyRom scales colors ranging from a map’s actually used mininum and maximum. For example, if you would change min="0" to min="100" in above scaling definition, low value colors would appear bluish like in ScoobyRom, effectively making map graphics cover more/most of available color range.

Install

1) Download file scoobyrom-map.odt

2) Rename downloaded file to ScoobyRom.map, since normal file extension is not allowed on wordpress.com.

3) Move file into EcuFlash’s color maps folder, i.e.

C:\Program Files (x86)\OpenECU\EcuFlash\colormaps\

4) Launch or restart EcuFlash.

5) Via EcuFlash menu: File → Options → Appearance → Default Color Map
Select “ScoobyRom.map”
(Btw., default color map directory can also be defined in Options)

Color Map File Format

Color map format is plain text ASCII file, usually 256 lines as in this case, specifying RGB values which will be applied to maps, from low to high:

153 153 255
153 154 255
153 156 255
152 157 255
...
255 110 103
255 107 102
255 105 102
255 102 102

ScoobyRom v0.8.2 Released

What’s new in v0.8.2:

• Export as TunerPro XDF format.
• Support for ROM type SH72531 (1.25 MiB = 1280 KiB size)
• Display Reflash Count if known/available (Properties-window).

Project homepage: ScoobyRom Software

Properties

Already implemented in previous version is the ability to parse and display ROM Date (year-month-day), diesel as well as petrol type encodings. May not work for all ROM types (yet), though. AFAIK, ScoobyRom is the only software parsing this Denso specific date.

ScoobyRom 0.8.2 – Properties window, CID JZ4A211B

TunerPro (XDF)

Due to my intense work on BMW ECUs in recent years, I got familiar with TunerPro which is a generic ROM editor. It is quite popular in the BMW community, it can handle lots of data format options. Its definition format “XDF” is XML-based as usual. As an exercise to verify XDF knowledge I implemented XDF output in ScoobyRom.

Compared to RomRaider, reading an XDF containing hundreds of tables is very fast, almost instant. TunerPro is Windows-only and closed-source however.

TunerPro 5.00.8853 screenshot, Windows 10 x64, XDF generated by ScoobyRom

New pages: Software

Added new category “Software”. See sub-page Logging for software comparison.

Still incomplete and under construction. As always, do not hesitate to report feedback!