Saturday Feb 10 2024 status: stock ECU, man in the middle, I substitute all torque numbers from ECU with TPS-based approximation (and TPS does not really mean thus torque does not really mean)
In the end with me producing all nine MOTOR_xxx packets TCU engages reasonably well while on jack stands but TCU outputs are really confused.
Tomorrow I will take steps back and record traces of same exact experiments with more different versions of the script, not just 'no substitution' and 'full substitution'.
As of Feb 2024 it has been _years_ since I've on and off started to work on getting an open source ECU to communicate with a transmission control unit via CANbus. So far I have not accomplished the goal which makes it a great point to write an article on the subject!
I have a [2006 Volkswagen Passat 2.0 Turbo GDI PG35 non-DSG automatic complete running and driving test mule](https://rusefi.com/forum/viewtopic.php?f=2&t=1631) idling on rusEFI open source ECU. Attempting to engage transmission while posting only minimal dashboard CANbus messages causes something violent to happen and the engine would usually stall see https://youtu.be/rTobt4l-iEs
Original ECU which I am looking to replace for no good reason is BOSCH MED9.1. Conveniently the relevant Bosch Funktionsrahmen Ea827 TSI is available on the internet. CANbus traffic seems to mostly align with https://github.com/commaai/opendbc/blob/master/vw_golf_mk4.dbc DBC file. I've used google translate to translate some of interesting field descriptions those are already merged into the file.
First let's grab a trace and a snapshot of CANbus traffic while engine is not running, both with OEM ECU and with OEM ECU disconnected. We get https://github.com/rusefi/rusefi_documentation/commit/722e81d2b0dd2b1f9661a3e9fd6383087ba4418a#diff-457155f3530fe11dbca1083aa1860f4e3cccc8f2d8b78d81634def58fbc38d9f
Comparing these two files we confirm which packets are clearly originating from the now disconnected OEM ECU https://github.com/rusefi/rusefi_documentation/commit/8575c7292d975c2477ccf070634883f5a9423c7e
I am going to use the https://en.wikipedia.org/wiki/Man-in-the-middle_attack approach meaning I want to drop the CANbus wire coming into TCU, install my Proteus and by means of Lua scripting alter the flow between
vehicle and TCU. By doing that I hope to understand what TCU cares about and what it does care about while running OEM ECU in order to later apply that knowledge while making my own ECU cooperate with same TCU.
Nice! TCU reports an error now! We've learned that MOTOR_5 0x480 is required.
Manually resetting codes gets old really quickly so I have a second Proteus constantly checking if there are error codes to reset https://github.com/rusefi/rusefi/blob/0bcf342976951a24c9e81a3524e0c897b29e5440/firmware/controllers/lua/examples/vw-tp-tcu.txt
Repeating same procedure while dropping each packet ID one by one we get to https://github.com/rusefi/rusefi_documentation/blob/master/OEM-Docs/VAG/2006-Passat-B6/HOWTO/script_4_explicit_list_of_allowed_packets.lua which
explicitly mentions all the IDs allowed to pass, and drops everything else.
🔴 I've made a mistake of not running same wheel spinning scenario on each iteration and not recording CANbus traces and not looking at those traces. I was just focusing on "IS_ERROR" not on actual TCU outputs 🔴
Test scenario: engine is running in P, engage R, engage P, engage R, engage P end test.
https://github.com/rusefi/rusefi_documentation/tree/master/OEM-Docs/VAG/2006-Passat-B6/2024.02 has script-1-stock-ecu-reverse-twice.trc and script-7-stock-ecu-reverse-twice.trc
