View Single Post
      04-23-2009, 10:08 PM   #94
Drives: 335xi Sedan
Join Date: Sep 2008
Location: Arcadia, CA

Posts: 633
iTrader: (0)

This sure looks like assembly language code. (It took me a while to recognize it as I've been out of the computer field for some time.) I wouldn't dare recommend trying this unless the person who gave it said it was specific to your exact ECU!!! You are moving bits around, and so you better know what the heck you are doing. If hill descent control, like available on the xis, is right before the speed limiter code you might be moving around the wrong bits, for example!!!

As an aside I have grown wary to try changing my speed limiter. I brought my car in for underbody wash via Service and Warranty Brochure Tue. morning @ 7, and since my SA had never heard of it I was embarrassed and decided to mention I've been living with "sticky brakes." They didn't have the facilities to wash the underbody, so the whole time they were working on reprogramming my ECU. It took until today, Thurs. at 4 to give the car back to me. On the invoice it shows how they attempted several times to program the vehicle.... (I must admit it might have something to do with the "Rear Entertainment" as my invoice states but I've gotten chicken nonetheless.) This ECU is definitely protective about it's data.

Duram has offered me code to remove the limiter altogether, but he has warned it will cause a fault code, and I'm not sure he's 100% sure it will work. (He seems pretty confident after studying Dinan code though.) If anyone in the Los Angeles area would like to try, you are welcome to come by and we can let him know. He'll probably need a screenshot of your Information screen, (ECU data,) and possibly a backup of your coding, as I decided to send him, (he didn't ask for that though.) I actually sent them an email asking them if the speed limiter can be changed, and he said yes, and I told him I would buy it just for that purpose. I will wait for my warranty to be up before I do it though, so I don't think he would mind helping someone out in that respect at least once, if you dare or find the need to go so fast that is.

Originally Posted by DMETune View Post
It would be interesting to see if the code change (done after 54 minutes of total run time) actually does anything since it's written here that it does not.

Mike/Bubbles, can either of you *safely* test whether or not this code 'change' actually has an impact on speed limit?

0000:8017E908 WriteDataByCommonIdentifierMAIN: ; DATA XREF: ROM:801E6860o
0000:8017E908 ; FUNCTION CHUNK AT 0000:80175A72 SIZE 000000A8 BYTES
0000:8017E908 ; FUNCTION CHUNK AT 0000:80175BA0 SIZE 00000012 BYTES
0000:8017E908 ; FUNCTION CHUNK AT 0000:80175C24 SIZE 00000356 BYTES
0000:8017E908 ; FUNCTION CHUNK AT 0000:80176260 SIZE 0000001A BYTES
0000:8017E908 movh.a a4, #0xC040
0000:8017E90C lea a4, [a4]-0x3CD4
0000:8017E910 ld16.a a15, [a4]
0000:8017E912 lea a2, dword_D0001B4C
0000:8017E916 ld16.bu d15, [a15]
0000:8017E918 st16.h [a2], d15
0000:8017E91A d15, dword_D0001B4C
0000:8017E91E sha32 d15, d15, #8
0000:8017E922 st16.h [a2], d15
0000:8017E924 d15, dword_D0001B4C
0000:8017E928 ld16.bu d0, [a15]1
0000:8017E92A or16 d15, d0
0000:8017E92C st16.h [a2], d15
0000:8017E92E mov32 d15, #0x1000
0000:8017E932 d0, dword_D0001B4C
0000:8017E936 sub16.a sp, #8
0000:8017E938 jeq32 d15, d0, loc_8017EA30
0000:8017E93C mov32 d15, #0x1001
0000:8017E940 jeq32 d15, d0, loc_8017EA70
0000:8017E944 mov32 d15, #0x3000
0000:8017E948 jeq32 d15, d0, loc_8017EAAC
0000:8017E94C mov32 d15, #0x3001
0000:8017E950 jeq32 d15, d0, loc_8017EB60
0000:8017E954 mov32 d15, #0x3010
0000:8017E958 jeq32 d15, d0, loc_8017EBFC <- 2E 30 10

0000:8017EBFC loc_8017EBFC: ; CODE XREF: WriteDataByCommonIdentifierMAIN+50j
0000:8017EBFC movh.a a12, #0xC040
0000:8017EC00 lea a12, [a12]-0x3CDE
0000:8017EC04 d15, [a12]0
0000:8017EC08 jeq16 d15, #4, loc_8017EC1A
0000:8017EC0A movh.a a15, #0xC040
0000:8017EC0E lea a15, [a15]-0x3D00
0000:8017EC12 d15, [a15]0
0000:8017EC16 jz32.t d15:4, loc_8017F9D2
0000:8017EC1A loc_8017EC1A: ; CODE XREF: WriteDataByCommonIdentifierMAIN+300j
0000:8017EC1A movh.a a2, #0xC040
0000:8017EC1E lea a2, [a2]-0x3D00
0000:8017EC22 mov16 d8, #0
0000:8017EC24 movh.a a15, #0x8000
0000:8017EC28 lea a15, [a15]0x1DB0 ; 0x80001DB0
0000:8017EC2C ld16.bu d15, [a15]
0000:8017EC2E jz16 d15, loc_8017EC4C
0000:8017EC30 movh.a a15, #0x8000
0000:8017EC34 lea a15, [a15]0xD00 ; 0x80000D00
0000:8017EC38 ld16.bu d15, [a15]
0000:8017EC3A jz16 d15, loc_8017EC4C
0000:8017EC3C mov.u d0, #0x7E40
0000:8017EC40 ld32.w d15, [a0]0x3740 ; 0xD000B740 (TRT)
0000:8017EC44 addih d0, d0, #5
0000:8017EC48 jlt.u d0, d15, loc_8017EE10
0000:8017EC4C loc_8017EC4C: ; CODE XREF: WriteDataByCommonIdentifierMAIN+326j
0000:8017EC4C ; WriteDataByCommonIdentifierMAIN+332j
0000:8017EC4C lea a15, [a0]0x4CD
0000:8017EC50 ld16.bu d15, [a15]
0000:8017EC52 jeq32 d15, #0, loc_8017EB48
0000:8017EC56 lea a15, [a0]0x405
0000:8017EC5A ld16.bu d15, [a15]
0000:8017EC5C jeq32 d15, #0, loc_8017EB48
0000:8017EC60 d15, [a2]0
0000:8017EC64 jnz32.t d15:4, loc_8017EDA8
0000:8017EC68 ld16.a a15, [a4]
0000:8017EC6A ld16.bu d0, [a15]2
0000:8017EC6C jge.u d0, #4, loc_8017F8DE
0000:8017EC70 insert d15, d15, #1, #4, #1
0000:8017EC74 st16.h [a2], d15
0000:8017EC76 movh.a a15, #0xC040
0000:8017EC7A lea a15, [a15]-0x3BC4
0000:8017EC7E mov16 d15, #0x78
0000:8017EC80 st16.b [a15], d15
0000:8017EC82 movh.a a15, #0xC040
0000:8017EC86 ld32.w d15, [a15]-0x3CD0
0000:8017EC8A d0, [a12]0
0000:8017EC8E add16 d15, d0
0000:8017EC90 st32.w [a15]-0x3CD0, d15
0000:8017EC94 ld16.a a4, [a4]
0000:8017EC96 add16.a a4, #2
0000:8017EC98 j32 loc_80175A9E

If TRT (Total Running Time) is over 0x7E40 (almost 54 minutes) then....

0000:8017EE10 loc_8017EE10: ; CODE XREF: WriteDataByCommonIdentifierMAIN+1F0j
0000:8017EE10 ; WriteDataByCommonIdentifierMAIN+2A4j ...
0000:8017EE10 d15, [a2]0
0000:8017EE14 insert d15, d15, #0, #4, #1
0000:8017EE18 st16.h [a2], d15
0000:8017EE1A j32 loc_8017F9E0

0000:8017F9E0 loc_8017F9E0: ; CODE XREF: WriteDataByCommonIdentifierMAIN+124j
0000:8017F9E0 ; WriteDataByCommonIdentifierMAIN+512j ...
0000:8017F9E0 movh.a a15, #0xC040
0000:8017F9E4 lea a15, [a15]-0x3BC4
0000:8017F9E8 mov16 d15, #0x12 <------- KWP Error 0x12 subFunctionNotSupported
0000:8017F9EA st16.b [a15], d15
0000:8017F9EC ret16
0000:8017F9EC ; End of function WriteDataByCommonIdentifierMAIN
jzchen is offline   United_States
Reply With Quote