Gauge sweep

[Gwe89]

Would it be possible to have this in the convers without a third party device like an arduino, it can be triggered by sending a simple can message on ms can and gauges will sweep

[Go4IT]

Really? I only know it from the test menu. What is that message?

[amplified]

ff2 has this but is with the ff2dash device. so, something has to send the command. "gateway", arduino... etc

[Gwe89]

Yes they use a board that you have to solder onto the ic pcb board

[Go4IT]

Somebody on ebay-kleinanzeigen here at Germany offered such a board. He told that it is possible to add it on Mondeo also. But with about 50 bucks it was a little too expensive for me to play around with.

[Go4IT]

Anybody an idea why i can't enter the servicemenu with "OK" button pressed, when i only give "IGNITION" by CAN? It seems this only works when the IPC can communicate to the PCM, ABS, BCM in car?

[Gwe89]

Anybody an idea why i can't enter the servicemenu with "OK" button pressed, when i only give "IGNITION" by CAN? It seems this only works when the IPC can communicate to the PCM, ABS, BCM in car?

Have you tried sending can IDs for things like bcm ect

[Go4IT]

Have you tried sending can IDs for things like bcm ect

No, just send IGN to get the IPC startup. Attached on the bench an steering cross button.
The question is, what else does it need to enter the service menu?

[Gwe89]

Have you tried sending can IDs for things like bcm ect

No, just send IGN to get the IPC startup. Attached on the bench an steering cross button.
The question is, what else does it need to enter the service menu?

Try sending 220 and 120 IDs so it acts like the bcm is there

[Go4IT]

By reverse engineering the board i find out that the gauge needles stepper motors are connect to two driver ICs. They are daisy chained and connected to the SPI port A (DSPI_A) of the MAC7116. So they get controlled via SPI commands. I now try to find the "Sweep Gauge" function by searching for the SPI function calls inside the Firmware.
SPI can be used in conjunction with Interrupts, DMA and direct control. But however it's gonna be used, it must be initialized somehow. The SPI registers are mapped by default to the location 0xFC0B 4000. A first search for this base value does not give me any result, so it's not loaded in a direct way by an immediate value. The base address of all perihpals is 0xFC00 0000 so i first go and ALT-I for that value and found 264 occurrences of it. Just because of curiosity i looked into some of them and often found this kind of addressing:

Code: Select all

ROM:00001114                 LDR     R5, =0xFC000000
ROM:00001116                 LDR     R0, =0xE8180
ROM:00001118                 ADDS    R0, R5, R0
ROM:0000111A                 LDRH    R1, [R0]

So 0xFC00 0000 get's loaded into register R5 and R0 is loaded with 0xE8180. Then R0 = R5 + R0 which means R0 now has address 0xFC0E 8180. The LDRH gets a half-word (2 bytes) loaded from that memory address and store it into R1. So you won't find any absolute addresses inside the code, but only relative offsets to the base address of the memory mapped IO. When looking into the MAC7116 datasheet, you can search for "FC0E 8180" and find that this is the base of "Port G" IOs and on this address "Port G Pin 0 Configuration (CONFIG0_G) is found.

And so it continues all over the code. So to find a reference to DISP_A i need to look for the relative offset to 0xFC00 0000, which is 0xB 4000. Again do a ALT-I but this time with 0xB4000 and found only 3 occurrences:
ROM:0001AC68 sub_1AC64 MOVS R2, #0xB4000
ROM:0001ACEE sub_1ACBC MOVS R1, #0xB4000
ROM:0001AD0C sub_1AD06 MOVS R0, #0xB4000

Now it's going to be interesting