Hey @MercedesBenz , thought I'd ask, but is it possible to speak to someone who worked on the 722.6's EGS52/53 ECUs back in the early 2000s? - Almost completed reverse engineering the entire ECU, and I'd like to ask a couple questions about its very interesting design choices!

This has to be an #easteregg . Opening up 3 #Mercedes Distronic ECUs, and all of them have epoxy at this exact same spot so it reads "ART ANAL"🤣

Join millions who have switched to Grok.

Oh yeah!, working USB enumeration using #Rustlang on SAME54!

New video!! After months of work, I'm ready to show everything I've reverse engineered from the original #mercedes 722.6 EGS52 #ecu!.

Asking around, if anyone who works at #MercedesBenz knows. on the EGS51/2/3 ECU series, is there some form of runtime information available in DAS?. I found when decompiling the software that the ECU keeps track of the time in Drive with specific oil temperatures! - And i cannot

So over-enginnered, but this is the backlight control system I've come up with for my #mercedes #w211 car #PC . Just seems so counter-intuitive that the from user interaction to actuation, there has been a whole trip around the car across 3 different systems

So according to my in progress disassembly of @MercedesBenz's 722.6 EGS52 ECU, @Chrysler cars of this era (Early 2000s) did not actually come with a kickdown switch, even in their auto configuration! - Neat find!

100% coded in simulink or something similar. There is no way this logic was hand programmed (Without bugs)!. The #mercedes EGS52 TCU uses different phases when shifting to represent a finite state machine. Each phase has sub-phases for Shift and Modulating pressure control

For those who want to see what I've done, you can checkout the repository for my 722.6 TCU! - Its about 20K lines of C++ :) about 3 years worth of work so far, and supports all 3 CAN Matrix versions mercedes used from 1998-2014.

I just hope that one day, it would be possible to sit with one of the developers of this EGS52 ECU and ask what/how the development process was, as I find it fascinating, and to ask why certain decisions were taken where better solutions seem obvious!.

7/7 Now with all this work ive been doing to reverse the original unit, I've been putting it into my own 722.6 TCU (Ultimate-NAG52), and its very interesting to improve things! Stay tuned on Youtube, I'll likely do a video when I have time documenting EVERYTHING I've found!

6/7 Conclusion. So, its fair to say, I suspect the development of this unit was done in a model simulation software like Matlab, which then outputs generated code to be compiled, and the developers did not care about optimization at all.

5/7 Apply with tape patches. In some cases, there appears to be last minute patches by the developers to fix some issues:. In this case, spc_multiplier[0] is used for the 1-2 shift. But there is a patch here where for 2-3, this value is also used if a specific shift algo is used

4/7 Wasted flash space. In many areas of the TCU, there are if/else blocks like this where internally, the same instructions are executed, BUT, these are 2 different ROM regions, so essentially, instructions are copy pasted.

3/7 Profiling was left inside the firmware! - Which is quite nice as on my real unit I can now see (By reading memory using KWP 0x23 service), how long the original EGS52 unit is spending in each execution phase of its main single threaded loop.

2/7 No optimizations at all. There are so many wasted instructions in the Mercedes app layer! Most famously, the program instructs the CPU to multiply numbers by 0, and then parse the result. Any modern compiler would skip this and just put 0 into the dest register

1.5/7. this also means it was possible for MB and Siemens to write their code base(s) and then link the compiled output together into 1 app, so both companies never saw each-others source code!.

1/7 The firmware is structured in a really interesting way. EGS has a bootloader, but then 2 different blocks for the main app. One is Siemens and one is MB. Siemens exposes 1 function which MB uses for their entire app. So the entire gearbox execution is single threaded.

0/7 Did not expect this tweet to blow up as much as it did! - So lets do a thread on some of the oddities that I found in the firmware!.

So this is a cool update to the Ultimate-NAG52 project. I created a build process with PlatformIO that generates YML from structures in code, and allows me to view them in the configuration app, and edit/save them! - Endless user customization for very little code