[MK4] Convers+ CAN RX messages handling

IPC - Instrument cluster panels (like Convers+)
Post Reply
User avatar
Ursadon
Active member
Posts: 81
Joined: 10 Mar 2019, 19:23

[MK4] Convers+ CAN RX messages handling

Post by Ursadon »

Let's see how the dashboard processes messages on the CAN bus

First of all, at 0x5100 we have FIQ vectors, most of which are undefined. But not all:
Screenshot_1.png
CAN A - MM-bus (multimedia)
CAN D - MS-bus (midspeed)

Both vectors end up being processed in one handler - 0x000209DA CAN_message_handler:
2.png
Line 36-53: enter critical section and copy data from FlexCan Message buffer
3.png
Line 56-57: since the message buffers are bidirectional, we check whether the message is transmitted or received. If TX - function returns.

Line 59-63: copy message to bus-specific buffer in memory (16 bytes):
0x40006AA4 - for CAN A
0x40006AB4 - for CAN D
It is presented in the form of a structure:

Code: Select all

0x00000000 hdr DCD ?
0x00000004 ptr_FlexCan_MBHeader DCD ?
0x00000008 ptr_FlexCan_MBData DCD ?
0x0000000C function_ID DCW ?
0x0000000E masked_can_pid DCB ?
0x0000000F wtf2 DCB ?
Line 67-74: check if OBD2 PID matched some sort of debug PID (but I'm not sure about that))

Line 77-87: convert PID to internal form: BUS_ID + PID, where BUS_ID: 0 - CAN A, 1 - CAN D

Line 86-97: Here comes the magic. At 0x0006BF4C there is an array with a list of all registered PIDs. And if we found the received PID in it, we save its index (function_idx). In subsequent functions, we will look for certain values (or functions) precisely by this index.
Now let's try to perform the first part of the analysis of the CAS message - to find the function responsible for processing this PID by passing function_idx to 0x0002092C XXX_can_funct_select_by_CANID:
4.png
Line 18: if function_idx below 0x40, go next, otherwise return
Line 21-27: get pointer to PID handler in array 0x0006CDDC at index "function_idx", then run function
5.png
All but 0x720 have the same form - a binary semaphore
6.png
After all this, we are looking for a data buffer for this function_idx in 0x0006CC80 "CAN_BUFFERS_PER_CAN_ID", and if it is found, copy the contents of CAN into it for release and further use
7.png

AND IT'S ALL???? WAT??? WHERE MY F**** FUNCTIONS!!
Since everything starts in a miserable similarity to RTOS, periodically, according to the PIT2 timer, 384 functions are performed. Sequentially. And they are all waiting for some kind of binary semaphore. Here, for example, for PID 068:
8.png
The function takes data from the buffer (CAN_BUFFERS_PER_CAN_ID), moves bits, uses masks, and eventually fills the variables with them.
Then, other functions launched by the timer will use them, so that other functions launched by the timer use them, so that other functions launched by the timer use them.
we_need_to_go_deeper.jpg
You do not have the required permissions to view the files attached to this post.
Not native English speaker :cry:
IPC hacker, embedded cracker, tamer of bears & beers
Top
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: [MK4] Convers+ CAN RX messages handling

Post by Go4IT »

Extremely good results! Even if it shows how much it takes to understand komplex programs. I think it would also be complex when the sources are at hand...
Keep on going those kind of educations, i eager to read and reproduce them!

I would love to have you and your skills in the Navigation software of an FX, NX or MCA, since there are so many open questions and things to do :D
Top
Post Reply

Return to “Clocks/Speedos”