Title: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:14:59 AM
Anyone interested ?
For various reasons (see below) the ArgDub tool was not sufficient for my requirements, I also didn't like that you had to specify which pins to use (when you can in fact automatically discover this, more to follow on how I accomplished this on my own implementation).
While ArgDub's tool was free it was never open sourced (proprietary close source) and therefore nobody could improve on it or add new features so when the project stops getting supported its dead. Also I have never been truly satisfied with the reliability of it depending on the speed on your PC, etc. I suspect the timing accuracy isn't as good as it needs to be for the serial drivers. I had issues several times getting it to work.
So I needed to do a clean room implementation which I did a while back ago now. I'm just tidying it up for public release but it is working very well so I will be releasing the full source-code to it very shortly on Github.
Before I do that I just wanted to give you some technical details to how ArgDub's tool actually works.
It may come as a surprise to some but his tool was very heavily influenced and indeed includes code derived from the free Minicom software from Siemens. Also I think probably some open sources available at the time for a published eeprom driver. Ofcourse getting this to work is a lot of work and reverse engineering of ME7.x rom's to see how Bosch integrated the gpio itself is obviously timing consuming (so thank you ArgDub for the release) but with effort anyone with embedded experience and appropriate documentation can write their own, its very doable (as I have done). The driver itself is pretty straight forward and the most important elements are how to configure the correct gpio pins so that its compatible with your pcb wiring.
I'll post several posts now on the inner workings of how this all is done and show you the possibilities this opens up (like cheap Arduino's from ME7's :)
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:24:09 AM
OK. So on to how the EEPROM Tool works.
It actually uses Bootmode to load a minimon app, then uploaded an eeprom driver (which is patched before upload for the appropriate gpio pins) and then runs the code with the pc app controlling the me7 app to download memory. Lets delve into how this all works in detail.
First of all, lets start with the basics, Bootmode... What is it?
It is basically a "special debugging/programming mode" built into the C16x Microcontroller series (a bit like a crude pre-cursor to JTAG) which allowed you to override the default booting behavior configured by board manufacturer (in this case Bosch or its affiliates). To activate it you simply short to ground the appropriate pin on the micro-controller and at this point an alternative boot loader inside the MCU (Microcontroller) is executed.
Ever wondered what the internals of this bootloader looks like?
Here it is...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:31:18 AM
I highlighted in Yellow the hex code, in this particular spin of the C167SR its going to send us 0xC5h back once serial comms are established.
So once we have serial port opened this is what going's on..
{ Send BSL + Minimon Monitor Core
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (0.0000 seconds)
<--- Send HELLO byte (i.e. the single byte 0x00, to internal bootmode loader of C16x)
00
Response:(+0.0300 seconds)
00 <--- HELLO ::echo:: reply
C5 which is :CPU_ID_C167 (see picture of the actual code running inside the microcontroller, highlighted in YELLOW this is the MCU's response)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
If you analyze the bootloader running in boot mode you'll see it waits at this point for 32-bytes to be sent by the host to the ecu..
<--- Send 32-byte Bootstrap Loader (BSL)
E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA
(these hex codes are the machine code of the boot strap loader, i will include the source code )
Response: (+0.0401 seconds)
<--- Echo 32-byte Bootstrap Loader (BSL)
E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA
<--- Send I_LOADER_STARTED
01
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0200 seconds)
Next Minimon sends its application core which allows us to issue commands from the Host...
<--- Send Minimon Monitor Core Application (copied by BSL loader to ram)
7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52
E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01
0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33
BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE
CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00
F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16
BB B1 08 61 80 F7 3D FB CB 00
Response: (+0.3805 seconds)
<--- Echo Minimon Application (copied by BSL loader to ram)
7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52
E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01
0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33
BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE
CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00
F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16
BB B1 08 61 80 F7 3D FB CB 00
<--- Send I_APPLICATION_STARTED
03
}
At this stage we have a monitor loaded and can do many things...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:39:53 AM
With the minimon core loaded we have several commands at our disposal.. Before we go delve into them lets look at the header file which is self documents them C_WRITE_BLOCK 0x84 // Write memory block to target mem
C_READ_BLOCK 0x85 // Read memory block from target mem
C_EINIT 0x31 // Execute Einit Command
C_SWRESET 0x32 // Execute Software Reset
C_GO 0x41 // Jump to user program
C_GETCHECKSUM 0x33 // get checksum of previous sent block
C_TEST_COMM 0x93 // Test communication
C_CALL_FUNCTION 0x9F // Mon. extension interface: call driver
C_WRITE_WORD 0x82 // write word to memory/register
C_MON_EXT 0x9F // call driver routine
C_ASC1_CON 0xCC // Connection over ASC1
C_READ_WORD 0xCD // Read Word from memory/register
C_WRITE_WORD_SEQUENCE 0xCE // Write Word Sequence
C_CALL_MEMTOOL_DRIVER 0xCF // Call memtool driver routine
C_AUTOBAUD 0xD0 // Call autobaud routine
C_SETPROTECTION 0xD1 // Call security function
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:42:19 AM
Depending on the processor derivative of the C16x (x being any of them) you will have different response codes returned for the initial 'HELLO'.. #define CPU_ID_C165_OLD 0xA5
#define CPU_ID_C165 0xB5
#define CPU_ID_C166 0x55
#define CPU_ID_C167 0xC5
And ofcourse there are more.. But these are some of the common ones...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:44:09 AM
When minimon acknowledges your commands having been sent it sends codes back For a 1st acknowledgement its an 0xAA, second is a 0xEA #define A_ACK1 0xAA // 1st Acknowledge to function code
#define A_ACK2 0xEA // 2nd Acknowledge (last byte)
#define A_ASC1_CON_INIT 0xCA // ASC1 Init OK
#define A_ASC1_CON_OK 0xD5 // ASC1 Connection OK
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:45:43 AM
After getting a response back from uploading the minimon app we also get an acknowledgement byte... Minimon authors defined 4 different apps #define I_LOADER_STARTED 0x01 // Loader successfully launched
#define I_APPLICATION_LOADED 0x02 // Application succ. loaded
#define I_APPLICATION_STARTED 0x03 // Application succ. launched
#define I_AUTOBAUD_ACKNOWLEDGE 0x04 // Autobaud detection acknowledge
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:47:33 AM
I'll upload the source-code to minimon too into the github which generates the binary you see us sending after the 32-byte BSL (Boot Strap Loader). Ok. Once its loaded its time to verify its working. One of the commands its called C_TEST_COMM Lets see how this works... //********************************************************************************************************************************************************************************************************//
{ Test Communications are working to Minicom Monitor Core
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_TEST_COMM
93
Response: (+0.0200 seconds)
<--- Echo C_TEST_COMM
93
<--- Send A_ACK1
AA
<--- Send A_ACK2
EA
}
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:51:27 AM
We can also read and write to CPU registers which allows us to easily configure the hardware registers to whatever we need to do... In this case let us configure BUS CONTROL and SYSTEM CONTROL registers (refer to the C167 datasheet for details on their purpose and bits) To accomplish this we can use the command C_WRITE_WORD.. //********************************************************************************************************************************************************************************************************//
{ Send/Verify BUSCON & SYSCON
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds) : Write 0xE604 to 0xFF12 (BUSCON Address Register)
<--- Send C_WRITE_WORD
82
Response: (+0.0200 seconds)
<--- Echo C_WRITE_WORD
82
<--- Send A_ACK1
AA
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send 0x00FF12 [Address to write 16-bits to - SYSCON ] - Register Address
12 FF 00
<--- Send 0xE604 [Address to write 16-bits to] - Register value
04 E6
Response: (+0.0200 seconds)
<--- Echo 0x00FF12 [Address to write 16-bits to - SYSCON ] - Register Address
12 FF 00
<--- Echo 0xE604 [Address to write 16-bits to] - Register value
04 E6
<--- Send A_ACK2
EA
And we can then read it back (to verify it worked) by using the C_READ_WORD command --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds) : Read BUSCON and verify 0xE604
<--- Send C_READ_WORD
CD
Response: 92664 (+0.0200 seconds)
<--- echo C_READ_WORD
CD
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send 0x00FF12 [Address to read 16-bits from - SYSCON ] - Register Address
12 FF 00
Response: (+0.0100 seconds)
<--- Echo 0x00FF12 [Address to read 16-bits from - SYSCON ] - Register Address
12 FF 00
<--- Echo 0xE604 [Value read 16-bits] - Register value
04 E6
<--- Send A_ACK2
EA
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:57:52 AM
So now we can load minimon and then after loading it we can send it commands which allows us to read and write registers AND memory. So yes its possible to READ the entire firmware out and send it chunk by chunk back to the HOST PC. We will do that exercise later for now lets continue with the eeprom reading/writing... Lets also configure BUSCON0 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_WRITE_WORD
82
Response: (+0.0200 seconds)
<--- Echo C_WRITE_WORD
82
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
<--- Send 0x04AE [Value to write 16-bits] - Register value
AE 04
Response: 08664 (+0.0100 seconds)
<--- Echo 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
<--- Echo 0x04AE [Value to write 16-bits] - Register value
AE 04
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_READ_WORD
CD
Response: 12664 (+0.0200 seconds)
<--- Echo C_READ_WORD
CD
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
Response: 15664 (+0.0200 seconds)
<--- Echo 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
<--- Echo 0x04AE [Value to write 16-bits] - Register value
AE 04
<--- Send A_ACK2
EA
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:05:15 AM
Ok so far we've not touched on ArgDub's code.. This was all minimon... ArdDub wrote a driver 'plug-in' for the Bosch series (probably heavily inspired by the rom code itself :) . To upload 'custom' plug-in's Minimon provides is with a handy command, yes we using C_WRITE_BLOCK to send a whole block of binary data (the app or driver for eeprom in this case)... { Send EEPROM Driver to C16x memory
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_WRITE_BLOCK
84
Response: (+0.0200 seconds)
<--- Echo C_WRITE_BLOCK
84
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send 24-bit address 00x0F600 (in target ram)
00 F6 00
<--- Send 16-bit length 035C
5C 03
Response: (+0.0200 seconds)
<--- Echo 24-bit address 00x0F600 (in target ram)
00 F6 00
<--- Echo 16-bit length 035C
5C 03
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.3104 seconds)
<--- Send EEPROM Driver Code (below) to 0xF600, len of 0x035C
7E E4 CB 00 7F E4 CB 00 7F E5 CB 00 FF FF FF FF 48 81 3D 03 CA 00 FE F7 DB 00 48 82 3D 03 CA 00 E0 F7 DB 00 48 84 3D 03 CA 00 B6 F7 DB 00 48 85 3D 03 CA 00 5A F6 DB 00 48 86 3D 03 CA 00 40 F7
DB 00 48 87 3D 03 CA 00 9C F6 DB 00 46 F8 93 00 3D 03 E6 FF 55 00 DB 00 DB 00 E6 00 00 02 E6 01 00 02 06 01 01 00 F2 F0 1C FF E6 F1 3E F9 F0 20 46 F1 5A F9 2D 0E 98 41 98 32 40 34 2D F9 96 F0
FE 3F 3D F3 06 00 01 00 46 00 40 02 3D EA E0 1F CB 00 F0 D0 F2 FE 00 FE E0 0F CB 00 F0 6C F0 7D F0 8E F6 FB F0 FB F6 FF F2 FB CA 00 B6 F7 48 F1 2D 43 9A FD 41 10 CA 00 00 F6 F2 FB F0 FB F2 FF
F2 FB E6 FD F0 FB E0 3E E0 21 F0 2B 48 F0 3D 08 4A F2 F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2 F1 94
DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 15 CA 00 7E F8 48 40 2D 11 F0 C6 F0 D7 F0 E8 CA 00 7E F8 CA 00 04 F6 48 40 2D 08 CA 00 B6 F7 48 F1 2D 04 8A FD FA 00 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00
CA 00 00 F6 F0 6C F0 7D F0 8E E0 31 F0 2B 48 F0 3D 08 4A FB F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2
F1 94 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 0F CA 00 7E F8 48 40 2D 0B F0 C6 F0 D7 F0 E8 CA 00 D8 F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 5C CA 00 3C F8
48 40 2D 0A E6 FC 55 00 CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 6C CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 E0 1F
CA 00 04 F6 CA 00 08 F6 CC 00 8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 E6 A2 45 00 DE E2 FE D9 E6 D9 37 46 D1 80 E6 5A 0B 00 FF D9 DF E2 E0 0F CB 00 9A D9 02 C0
E0 04 CB 00 66 D9 FF F0 7E BB F0 4C C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 8A D9 02 C0 9A BB 02 70 E0 04 CB 00 F3 F8 B2 F0 C0 84 F0 D4 E0 14 CB 00 E0 09
66 D9 FF F0 7E BB 9A D9 02 C0 E0 04 0D 24 F2 F4 B2 F0 0D 1A F0 49 08 91 F0 AD F0 BE 00 A4 DC 4B A9 8A C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 F2 F4 B2 F0
9A D9 02 C0 E0 04 0D 07 40 9C 8D E4 9A BB 02 70 E0 04 0D 01 E0 14 CB 00 E0 09 66 D9 FF F0 7E BB 48 C0 3D 02 E0 14 0D 2A 9A D9 02 C0 E0 04 0D 26 F2 F4 B2 F0 D1 80 E6 58 55 00 F2 FF 44 FE F2 F4
44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 9A D9 02 C0 E0 04 0D 13 F3 F8 B2 F0 F0 59 08 91 F0 AD F0 BE 00 A5 DC 4B B9 8A 40 9C 8D E4 E1 08 4A BB F4 70 49 81 3D 02 E0 04 0D 01 E0 14 CB 00 CC 00
8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 DB 00 1C 00
Response: (+0.5308 seconds)
<--- Echo EEPROM Driver Code (below) to 0xF600, len of 0x035C
7E E4 CB 00 7F E4 CB 00 7F E5 CB 00 FF FF FF FF 48 81 3D 03 CA 00 FE F7 DB 00 48 82 3D 03 CA 00 E0 F7 DB 00 48 84 3D 03 CA 00 B6 F7 DB 00 48 85 3D 03 CA 00 5A F6 DB 00 48 86 3D 03 CA 00 40 F7
DB 00 48 87 3D 03 CA 00 9C F6 DB 00 46 F8 93 00 3D 03 E6 FF 55 00 DB 00 DB 00 E6 00 00 02 E6 01 00 02 06 01 01 00 F2 F0 1C FF E6 F1 3E F9 F0 20 46 F1 5A F9 2D 0E 98 41 98 32 40 34 2D F9 96 F0
FE 3F 3D F3 06 00 01 00 46 00 40 02 3D EA E0 1F CB 00 F0 D0 F2 FE 00 FE E0 0F CB 00 F0 6C F0 7D F0 8E F6 FB F0 FB F6 FF F2 FB CA 00 B6 F7 48 F1 2D 43 9A FD 41 10 CA 00 00 F6 F2 FB F0 FB F2 FF
F2 FB E6 FD F0 FB E0 3E E0 21 F0 2B 48 F0 3D 08 4A F2 F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2 F1 94
DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 15 CA 00 7E F8 48 40 2D 11 F0 C6 F0 D7 F0 E8 CA 00 7E F8 CA 00 04 F6 48 40 2D 08 CA 00 B6 F7 48 F1 2D 04 8A FD FA 00 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00
CA 00 00 F6 F0 6C F0 7D F0 8E E0 31 F0 2B 48 F0 3D 08 4A FB F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2
F1 94 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 0F CA 00 7E F8 48 40 2D 0B F0 C6 F0 D7 F0 E8 CA 00 D8 F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 5C CA 00 3C F8
48 40 2D 0A E6 FC 55 00 CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 6C CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 E0 1F
CA 00 04 F6 CA 00 08 F6 CC 00 8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 E6 A2 45 00 DE E2 FE D9 E6 D9 37 46 D1 80 E6 5A 0B 00 FF D9 DF E2 E0 0F CB 00 9A D9 02 C0
E0 04 CB 00 66 D9 FF F0 7E BB F0 4C C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 8A D9 02 C0 9A BB 02 70 E0 04 CB 00 F3 F8 B2 F0 C0 84 F0 D4 E0 14 CB 00 E0 09
66 D9 FF F0 7E BB 9A D9 02 C0 E0 04 0D 24 F2 F4 B2 F0 0D 1A F0 49 08 91 F0 AD F0 BE 00 A4 DC 4B A9 8A C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 F2 F4 B2 F0
9A D9 02 C0 E0 04 0D 07 40 9C 8D E4 9A BB 02 70 E0 04 0D 01 E0 14 CB 00 E0 09 66 D9 FF F0 7E BB 48 C0 3D 02 E0 14 0D 2A 9A D9 02 C0 E0 04 0D 26 F2 F4 B2 F0 D1 80 E6 58 55 00 F2 FF 44 FE F2 F4
44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 9A D9 02 C0 E0 04 0D 13 F3 F8 B2 F0 F0 59 08 91 F0 AD F0 BE 00 A5 DC 4B B9 8A 40 9C 8D E4 E1 08 4A BB F4 70 49 81 3D 02 E0 04 0D 01 E0 14 CB 00 CC 00
8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 DB 00 1C 00
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_GETCHECKSUM
33
Response: 18864 (+0.0200 seconds)
<--- Echo C_GETCHECKSUM
33
<--- Send 16-Bit Checksum Value 0x6AAA (from target C16x)
AA 6A
<--- Send A_ACK2
EA
}
I have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... I will again upload it to Github in due time... At this point we've now uploaded the driver. There are some areas in the driver where we must write some hex values so it can use the correct gpio pins (the Bosch ecu's put the eeprom into different gpio pins depending on the ecu).
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:08:17 AM
Argdub followed the same architecture as Minimon for his commands. To use the loaded driver we use the Minimon C_CALL_FUNCTION command to setup the registers (prior to the call) and then jump into that code block, thereby executing it. { Read EEPROM
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_CALL_FUNCTION
9F
Response: (+0.0200 seconds)
<--- Echo C_CALL_FUNCTION
9F
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C Call Address and Registers R8 to R15
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
93 00 : R8 = 0x0093 : Command ID - EEPROM_TEST_COMM
A0 FC : R9
BF 18 : R10
C4 FF : R11
72 00 : R12
30 24 : R13
1A 00 : R14
01 00 : R15
Response: (+0.0200 seconds)
<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
93 00 : R8 = 0x0093 : Command ID - EEPROM_TEST_COMM
A0 FC : R9
BF 18 : R10
C4 FF : R11
72 00 : R12
30 24 : R13
1A 00 : R14
01 00 : R15
<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
93 00 : R8
A0 FC : R9
BF 18 : R10
C4 FF : R11
72 00 : R12
30 24 : R13
1A 00 : R14
55 00 : R15 : <---- RETURN 0x55
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So before we run anything we EEPROM_TEST communications...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:13:37 AM
The rest of the sequence is also straight forward... We issue C_READ_BLOCK commands which tell his driver to read a block of eeprom into memory. and ofcouse C_WRITE_BLOCK to write. Only reading is show in this trace. Once its in ram (we do it in small chunks due to limited resources on the C167) we can then issue the command to send that MEMORY block back to the host (our app running on whatever, pc. etc.). Depending on the type of eeprom and its size we have to iterate for the number of blocks (1k, 2k, 4k ) the eprom is in size.. Any questions just ask.. Before we do any of this we must Init registers (gpio etc.) required for eeprom access and then jump into the drivers main code block.. See below... --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_CALL_FUNCTION
9F
Response: (+0.0200 seconds)
<--- Echo C_CALL_FUNCTION
9F
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C Call Address and Registers R8 to R15
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
01 00 : R8 = 0x0001 : Command ID - EEPROM_INIT_REGISTERS
30 24 : R9
1E 00 : R10
01 00 : R11
9C FD : R12
00 04 : R13
E0 FF : R14
94 5C : R15
Response: (+0.0200 seconds)
<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
01 00 : R8 = 0x0001 : Command ID - EEPROM_INIT_REGISTERS
30 24 : R9
1E 00 : R10
01 00 : R11
9C FD : R12
00 04 : R13
E0 FF : R14
94 5C : R15
<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
01 00 : R8 = 0x0001
30 24 : R9
1E 00 : R10
01 00 : R11
9C FD : R12
00 04 : R13
E0 FF : R14
00 00 : R15
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_CALL_FUNCTION
9F
Response: (+0.0200 seconds)
<--- Echo C_CALL_FUNCTION
9F
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C Call Address and Registers R8 to R15
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
04 00 : R8 = 0x0004 : Command ID
30 24 : R9 = 0x2430
24 00 : R10 = 0x0024
01 00 : R11 = 0x0001
9C FD : R12 = 0xFD9C
00 04 : R13 = 0x0400
E0 FF : R14 = 0xFFE0
94 5C : R15 = 0x5C94
Response: (+0.0300 seconds)
<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
04 00 : R8 = 0x0004 : Command ID
30 24 : R9 = 0x2430
24 00 : R10 = 0x0024
01 00 : R11 = 0x0001
9C FD : R12 = 0xFD9C
00 04 : R13 = 0x0400
E0 FF : R14 = 0xFFE0
94 5C : R15 = 0x5C94
<--- Send C Call Address and Registers R8 to R15 [after execution of call]
04 00 : R8 = 0x0004
30 24 : R9 = 0x2430
24 00 : R10 = 0x0024
01 00 : R11 = 0x0001
55 00 : R12 = 0x0055
80 00 : R13 = 0x0080
E0 FF : R14 = 0xFFE0
00 00 : R15 = 0x0000
<--- Send A_ACK2
EA
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:14:42 AM
We are now ready to read blocks and pull them back into host ram... --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C_CALL_FUNCTION
9F
Response: (+0.0200 seconds)
<--- Echo C_CALL_FUNCTION
9F
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)
<--- Send C Call Address and Registers R8 to R15
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00 : R8 = 0x0006 : Command ID
A0 FC : R9 = 0xFCA0
BF 18 : R10 = 0x18BF
00 00 : R11 = 0x0000 : Offset
00 02 : R12 = 0x0200 : Length
00 FC : R13 = 0xFC00 : Copy to address
03 00 : R14 = 0x0003
01 00 : R15 = 0x0001
Response: (+0.0200 seconds)
<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00 : R8 = 0x0006 : Command ID
A0 FC : R9 = 0xFCA0 :
BF 18 : R10 = 0x18BF :
00 00 : R11 = 0x0000 : Offset
00 02 : R12 = 0x0200 : Length
00 FC : R13 = 0xFC00 : Copy to address
03 00 : R14 = 0x0003 :
01 00 : R15 = 0x0001 :
<--- Send C Call Address and Registers R8 to R15 [after execution of call]
03 00 : R8 = 0x0003 :
00 02 : R9 = 0x0200 :
FF FD : R10 = 0xFDFF :
03 00 : R11 = 0x0003 :
00 02 : R12 = 0x0200 :
00 FC : R13 = 0xFC00 :
03 00 : R14 = 0x0003 :
00 00 : R15 = 0x0000 :
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 58864 (+0.0100 seconds)
<--- Send C_READ_BLOCK
85
Response: 60864 (+0.0200 seconds)
<--- echo C_READ_BLOCK
85
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 61864 (+0.0100 seconds)
<--- Send : Address = 0x00FC00 - EEProm Memory
00 FC 00
<--- Send : Length: 0x0200 (512 Bytes block size)
00 02
Response: 63864 (+0.0200 seconds)
<--- Echo : Address = 0x00FC00 - EEProm Memory
00 FC 00
<--- Echo : Length: 0x0200 (512 Bytes block size)
00 02
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01 01 00 00 00 00 00 00 00 00 00 00 00 00 FC FF
03 02 68 02 BD 01 04 00 25 04 06 0E 07 00 88 FE
00 00 B0 0D 5D 0E 00 00 00 00 00 00 00 00 D4 FE
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 09 F2
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
05 00 02 05 00 00 00 00 00 00 00 00 00 00 DB FF
19 19 00 00 00 00 00 00 00 00 00 00 00 00 B4 FF
1A 1A 00 00 00 00 00 00 00 00 00 00 00 00 B1 FF
1B 1B 00 00 00 00 00 00 00 00 00 00 00 00 AE FF
1C 1C 00 00 00 00 00 00 00 00 00 00 00 00 AB FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 18964 (+0.0200 seconds)
<--- Send C_GETCHECKSUM
33
Response: 20964 (+0.0200 seconds)
<--- Echo C_GETCHECKSUM
33
<--- Send 16-Bit Checksum Value 0x91AA (from target C16x)
AA 91
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 22964 (+0.0100 seconds)
<--- Send C_CALL_FUNCTION
9F
Response: 24964 (+0.0200 seconds)
<--- Echo C_CALL_FUNCTION
9F
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 25964 (+0.0100 seconds)
<--- Send C Call Address and Registers R8 to R15
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00 : R8 = 0x0006 : Command ID
00 02 : R9 = 0x0200
FF FD : R10 = 0xFDFF
00 02 : R11 = 0x0200 : Offset
00 02 : R12 = 0x0200 : Length
00 FC : R13 = 0xFC00 : Copy to address
03 00 : R14 = 0x0003
01 00 : R15 = 0x0001
Response: 27964 (+0.0200 seconds)
<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00 : R8 = 0x0006 : Command ID
00 02 : R9 = 0x0200
FF FD : R10 = 0xFDFF
00 02 : R11 = 0x0200 : Offset
00 02 : R12 = 0x0200 : Length
00 FC : R13 = 0xFC00 : Copy to address
03 00 : R14 = 0x0003
01 00 : R15 = 0x0001
<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
03 00
00 02
FF FD
03 00
00 02
00 FC
03 00
00 00
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 32964 (+0.0100 seconds)
<--- Send C_READ_BLOCK
85
Response: 34964 (+0.0200 seconds)
<--- Echo C_READ_BLOCK
85
<--- Send A_ACK1
AA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 35964 (+0.0100 seconds)
<--- Send : Address = 0x00FC00 - EEProm Memory
00 FC 00
<--- Send : Length: 0x0200 (512 Bytes block size)
00 02
Response: 37964 (+0.0200 seconds)
<--- Echo : Address = 0x00FC00 - EEProm Memory
00 FC 00
<--- Echo : Length: 0x0200 (512 Bytes block size)
00 02
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
<--- Send A_ACK2
EA
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 89064 (+0.0100 seconds)
<--- Send C_GETCHECKSUM
33
Response: 91064 (+0.0200 seconds)
<--- Echo C_GETCHECKSUM
33
<--- Send 16-bit checksum 0x00AA
AA 00
<--- Send A_ACK2
EA
}
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:16:56 AM
I will document writing our OWN eeprom driver, rather than focus on ArgDubs as its pretty straight forward to do.
I will also show how to read and write to flash in boot mode if anyone is interested using the above method of loading a driver (again the source-code to all the AMD 512k/1mb/2mb flash drivers is available)...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:33:40 AM
Forgot to mention the minimon stuff is entirely MCU architecture (Micro-controller) related. It has nothing to do with Bosch. You can use this approach on ANY C16x derived architecture including ST derivatives etc.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:54:24 AM
As promised here's a BSL (Boot Strap Loader) to understand.. ;----------------------------------------------------------------------------------------------------------------------
; Siemens C16x - Stage #1 Boot Strap Loader
;----------------------------------------------------------------------------------------------------------------------
; Warning: Hardware dictates cannot exceed 32 bytes!
;
; This simple boot strap loader simply sets up serial port
; and waits for data (393 bytes) before jumping straight into
; that code.
;----------------------------------------------------------------------------------------------------------------------
bslEntrypoint: mov S0TBUF, #1 ; setup serial
_wait_ir1: jnb S0RIR, _wait_ir1 ; wait forever until we get an serial interrupt
mov r0, #entrypoint_2ndStage_start_of_rom ; setup destination ram address for incoming bytes
;
;-------------- main copy loop
;
_copy_ir_loop: bclr S0RIR ; clear the interrupt
_wait_ir2: jnb S0RIR, _wait_ir2 ; wait forever until we get an serial interrupt
movb [r0], S0RBUF ; receive byte from serial port
cmpi1 r0, #entrypoint_2ndStage_end_of_rom ; have we got 393 bytes yet?
jmpr cc_NZ, _copy_ir_loop ; if not clear irq and wait for another byte
;
;-------------- now jump into entrypoint
;
jmpa cc_UC, entrypoint_2ndStage_start_of_rom ; finally lets transfer control to 2nd stage boot loader...
;
;--------------- new 393 byte boot loader will be copied directly after our code...
;
entrypoint_2ndStage_start_of_rom:ds 393
entrypoint_2ndStage_end_of_rom:
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:57:32 AM
Hope this mini tutorial was useful to someone :)
Source code will be uploaded soon to GitHub..
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: gremlin on November 12, 2020, 07:19:07 AM
I have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable...
Why going such a long and difficult way? 18 years ago it takes me half hour to patch free source code example for X25160 eepom from minimon driver directory and compile new driver for 95040. Now I looked for and found it in my archive... ; My driver to work with SPI EEPROM in ECUs
; 512-byte EEPROM sampling line - P4.7
; The driver is written rather carelessly, it is
; a rewritten version of the driver from the MiniMon kit, in which
; I added a group write function to EEPROM from RAM, using
; script-and this will be done much faster than rather curves
; operations of working with flash by means of the Minimon itself (by byte it works
; extremely slowly).
$SEGMENTED
$MOD167
$NoPaging
assume DPP3:system
; Driver function codes
_WriteSPI equ 00h ; programming one byte
_ReadSPI equ 36h ; read block
_WriteAll equ 37h ; block record
_GetState equ 06h ; read state
; SPI EEPROM Commands
_EEWrite equ 02h ; Write
_EERead equ 03h ; Read
_EEState equ 05h ; Read Status Register
_EEWREN equ 06h ; Enable Write
; MCU registers
P3 defr 0FFC4h ; port P3
DP3 defr 0FFC6h ; its direction lines
P6 defr 0FFC8h ; port P4
DP6 defr 0FFCAh ; its direction lines
SSCRIC defr 0FF74h
SSCCON defr 0FFB2h ; SSC configuration register
SSCTB defr 0F0B0h ; SSC transmit register
SSCRB defr 0F0B2h ; SSC receive register
SSCBR defr 0F0B4h ; SSC baudrate
SSCRIR equ SSCRIC.7 ; exchange completion flag
SPI_CS equ P6.3 ; CS line
SPI_CS_PD equ DP6.3 ; port direction control
DriverC section code at 0FD00h
; ------------------------------------------------- ---------------------
; The beginning of the driver itself - initializing ports
; r8 - operation code;
; r9 - block length in bytes;
; r10 - low bytes of the RAM address;
; r13 - low bytes of the EEPROM address;
; r15 - return code on exit
; ------------------------------------------------- ---------------------
DriverP proc far
; Deselect EEPROM
bset SPI_CS ; -CS=1
nop
bset SPI_CS_PD ; and switch the line to output
; SPI init
extr #1
mov SSCBR,#000Bh ; baudrate speed in the ECU firmware
mov SSCCON,#0C037h ; configuration
bfldh P3,#023h,#23h ; Set MRST=1, MTSR=1, SCLK=1
bfldh DP3,#023h,#22h ; Set MRST=input, MTSR=output, SCLK=output
callr Delay
; ------------------------------------------------- ---------------------
; Programming one byte
; r8 - opcode
; r9 - block length in bytes (for programming - 1, byte!);
; r10 - low bytes of the source block address
; r13 - low bytes of the address in the EEPROM
; r15 - return code on exit
; ------------------------------------------------- ---------------------
cmp r8,#_WriteSPI ; write byte?
jmp cc_ne,Cmd1 ; no
mov r8,#_WriteAll ; block write command
mov r9,#1 ; and the explicit length is 1 byte
xor r10,r13 ; addresses in registries r10 and r13
xor r13,r10 ; swapping
xor r10,r13
; ------------------------------------------------- ---------------------
; Writing a block from RAM to EEPROM
; r8 - operation code;
; r9 - block length in bytes (for programming - 1, byte!);
; r10 - EEPROM address
; r13 - RAM address
; r15 - return code on exit
; ------------------------------------------------- ---------------------
Cmd1:
cmp r8,#_WriteAll ; block recording?
jmp cc_ne,Cmd2 ; no
Block:
bclr SPI_CS ; -CS
mov r3,#_EEState
callr SendRecSSC status register read command
callr SendRecSSC ; send dummy byte, receive data byte
bset SPI_CS ; remove the sample
and r4,#01h ; WIP control
jmp cc_nz,Block ; busy ?
exts #0,#1
movb rl5,[r13] ; byte of data from RAM
bclr SPI_CS ; EEPROM selection
mov r3,#_EEWREN ; recording enable
callr SendRecSSC
bset SPI_CS ; switch off EEPROM selection
callr Delay
bclr SPI_CS ; EEPROM selection
mov r6,r10 ; EEPROM address
and r6,#0700h ; A8,A9,A10
shr r6,#5 ; shift
mov r3,#_EEWrite
or r3,r6 ; add A8 in command
callr SendRecSSC
mov r3,r10 ; transmit byte
callr SendRecSSC ; address
mov r3,r5 ; data to write in low byte r5
callr SendRecSSC ;
bset SPI_CS ; switch off EEPROM selection
add r13,#1 ; next byte in RAM
add r10,#1 ; next EEPROM address
sub r9,#1
jmp cc_nz,Block
mov r15,#0 ; completion code
rets
; ------------------------------------------------- ---------------------
; Reading SPI EEPROM to buffer
; r8 - operation code;
; r9 is the length of the read block;
; r10 - address in EEPROM;
; r13 - buffer address;
; r15 - return code on exit
; ------------------------------------------------- ---------------------
Cmd2: cmp r8,#_ReadSPI ; reading a block?
jmp cc_ne,Cmd3 ; no
bclr SPI_CS ; -CS
mov r3,#_EERead
callr SendRecSSC ; read command
mov r3,r10 ; MSB of byte address
ror r3,#8
callr SendRecSSC
mov r3,r10 ; LSB of byte address
callr SendRecSSC
sub r9,#1
; mov r5,#0F200h ; fixed buffer addr=F200
mov r5,r13 ; buffer addr
addc r5,r10 ; + offset
ReadLoop:
callr SendRecSSC ; read byte
exts #0,#1
movb [r5],rl4 ; store byte in buffer
add r5,#1 ; next address
cmpd1 r9,#0
jmpr cc_ugt,ReadLoop ; until r9 > 0
bset SPI_CS ; switch off EEPROM selection
mov r15,#0 ; completion code
rets
; ------------------------------------------------- ---------------------
; Reading EEPROM status, r9 returns status value
; ------------------------------------------------- ---------------------
Cmd3:
; cmp r8,#_GetState
; jmp cc_ne,CmdC
;
Read_S:
bclr SPI_CS ; -CS
mov R3,#_EEState
callr SendRecSSC ; status register read command
callr SendRecSSC ; send dummy byte, receive data byte
mov r9,r4 ; in r9
bset SPI_CS ; switch off EEPROM selection
mov r15,#0 ; completion code
rets
; ------------------------------------------------- ---------------------
; Unrecognized command, exit c r15 = 1
; ------------------------------------------------- ---------------------
CmdC: mov r15,#1
rets
DriverP endp
;----------------------------------------------------------------------
; Small delay ...
;----------------------------------------------------------------------
Delay proc near
nop
nop
nop
nop
ret
Delay endp
; ------------------------------------------------- ---------------------
; SSC work program - data reception and transmission
; r3 - transmitted value; r4 - received value
; ------------------------------------------------- ---------------------
SendRecSSC proc near
bclr SSCRIR ; reset flag
mov SSCTB,r3 ; transmission start
SSCWait:
jnb SSCRIR,SSCWait ; waiting for completion
mov r4,SSCRB ; received data
ret
SendRecSSC endp
;----------------------------------------------------------------------
DriverC ends
end
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 07:32:36 AM
All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code! Most of this is rapidly dissappearing off the web as these 16-bit cpu's have long reached end of life. Any source-code contributions are indeed welcome. Finding stuff on these older mcu's isn't so easy these days and yet they are still quite capable processors and good for teaching.
I thought it would be a good example for people to work through from 1st principals. I.e. understand exactly all the details by actually building code that runs on the actual microcontroller.
I've built my own assembler, dissassembler and C compiler for the C16x series now too. (Yes I know others exist) and soon I plan to integrate the Arduino IDE so that you can build apps which can manipulate the gpio's etc. directly from the ide...
I took a look quick look at your driver, the only recommendation I would have would be to use a hardware timer for your delay as running on a 20MHz vs 40MHz device will yield different times for your nop's...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: gremlin on November 12, 2020, 08:29:22 AM
All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code!
When I was working on this driver, I did not have any non-public documents or special access to professional ide / sdk. Only minimon, which has not disappeared anywhere and is still freely available on the Internet. All sources texts present now. http://www.perschl.at/minimon.html As for the driver's optimality, was say that this is a "five-minute soup" and no one bothers to improve it. In my opinion, the time for such a program has gone like the last train. Everything has already been done and more than once. It can be interesting only for educational purposes.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 08:58:15 AM
I hear you...
There are still however millions of cars on the road with these ecu's inside them and millions more in scrap yards. There is still value there if you care to look hard enough.
The concepts of these old obsolete 16-bit microcontroller are still alive and kicking and found in modern applications. Even modern cars can still use them, just likely with a different instruction set driving them which is probably arm based. Your soft close door locks on a 2020 MY car very likely have a modernized NXP 16-bit MCU driving them. SPI, I2C, PWM, GPIO, Serial, CAN, DMA, etc. all used today in pretty much same way except hidden behind layers of API's. If you extrapolate away from bare metal assembly you find you can still write a lot of the code in a portable way in C, then that inself can be transferred across to current soc's like infineon tricore's and such via cross compilation (even in the eeprom is now emulated in flash :). The biggest problem with these obscure instruction sets like C16x is lack of good tooling, the code optimization of those proprietary (very old GCC based!) C compilers is frankly shocking, no wonder so much was written in assembly at the time...
-T
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: Blazius on November 12, 2020, 10:04:58 AM
Terrific job! Thanks for all your contributions.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: DT on November 12, 2020, 12:43:36 PM
Thank you for this write up. Always nice to see custom code.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 03:05:29 PM
Amazing. Any chance I can get you to finish the bootmode flash stuff in the nef flasher?
or even better, integrate eeprom access into the nef flasher?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 04:19:10 PM
Nyet, DT and Blazius,
Thank you so much for the nice comments. I was beginning to think nobody cared anymore.
I'm determined to get an Arduino IDE running on Bosch ME7 hardware, it will be called the ME7duino :)
And yes I can take a look soon...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 05:02:59 PM
While im here, the nef flasher shouldn't require ftdi cables anymore either... its been on my list to fix but i dont have a functional non-ftdi cable to test on.
I assume none of your routines strictly depend on the ftdi dll either.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 05:34:39 PM
Nothing that's talking over K-Line serial alone requires anything at USB level.
I've written a Serial UART abstraction api, this means you can indeed cross compile all the higher level code to run across any OS. I.e. on OSX, Linux and any other embedded mcu. Technically you can re-flash or read eeprom from a simple microcontroller with an SD card attached or Wifi connection to your mobile hotspot.
Your not strictly limited to just UART serial as a means of communication either, as long as you software bridge the connection api's you can even re-direct read/writes over tcp/ip (internet) and on the device side flash receive data over CAN at 1Mbps. Its something I would like to implement a driver for along with differential flashing capability, so if you've previously flashed the same image and want to make incremental changes to just some maps like KFZW, checksums etc. your "update" is going to be pretty much instantaneous rather than minutes. The bottleneck for boot flashing is the relatively slow uart uplink speed.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 05:44:45 PM
Differential flashing still sucks in Nef because you have to erase/write the whole affected block.
It is already implemented.
back on topic: the only reason it used the ftdi dll was for licensing against fdti serial number, which is no longer a requirement. In this case (coincidentally) on the topic of differential flashing.
Or are you talking about bootmode differential flashing? Because that would be amazing. Still, it suffers from the block issue.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 06:28:00 PM
Yes I'm talking about differential flashing in bootmode and also download of the data via high speed CAN driver.
This obviously means you cannot just have a dumb K-Line serial to uart IC. You also need a CAN ic too. These however are less than $1 these days and the big benefit is dramatically faster downloads. The flashing isn't really the slowest part, its the download speeds, 1mbps is multiple times quicker than serial uart can do it.
Did you know on these AMD flash devices that even if you don't erase a sector you can still write to it too? You can just OR each byte. @Fluke9 explained the trick to me. You can flip the bit to a high in a write but never to a low, so you can do bitwise changes and not disturb the whole byte.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 06:35:53 PM
Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: Blazius on November 12, 2020, 06:42:58 PM
Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose".
(Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things])
And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 07:28:27 PM
Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose".
(Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things])
And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people.
Well with a good serial port abstraction interface your really just talking about 2 way streams i/o... You can do multiple different things here and it really is up to your imagination how much support you add... 1. Search via linking against the the FDTI lib for Unique named devices or serial's (ugh!), this could also read eeprom and determine if the device supports CAN, If that fails to find any ; 2. Search for USB attached serial devices by looking for compatible VID/PID's in the registry entries, 3. If none exist, search for any other attached USB devices which are of type serial port, 4. If that fails try to fallback to Auto-discovery of regular good old fashioned serial attached to non (virtual) com ports and if multiple serial devices are present allow you to choose which one to use. 5. Override with ability to choose com port number manually. 6. Override with ability to redirect and tunnel serial traffic over TCP/IP. This allows you to run a client/server over the internet and read from a remote serial port attached, i.e. flash over the internet. The only challenge is to do a speed test on setup to determine if your speed and latency is good enough. To make it all encompassing its quite a lot of work but you get the most flexibility..
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 07:33:51 PM
Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero.
True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 07:54:56 PM
True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed.
I have yet to see a change that is entirely bit sets in a given block .. ymmv ... At 16 blocks (or even 32), its never going to be 95% Again, i have written flash drivers (unrelated to car tuning) that attempt to do this. They don't work as well as you'd think. There are filesystems though (back when this sort of flash was popular) that attempt to do this with set-only bits baked into the format (e.g. jffs). They're long dead. If Bosch had cared, they could have written their checksum system to take advantage of this. They did not, since they no doubt never used an ECU with flash during ECU tuning/mapping/calibration
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: 360trev on November 12, 2020, 08:19:30 PM
I'm still using JFFS in some Linux project today :)
My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures...
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: d3irb on November 12, 2020, 08:54:00 PM
With respect to CAN, it's unfortunate there is no standard (or even de facto standard like FTDI ended up being for bitbang+UART) driver interface for CAN. SocketCAN on Linux and J2534 on Windows seem to be the closest to dominant standards, but J2534 is a mess of expensive and non-compliant "compliant" vendor devices and SocketCAN requires being a bit of a Linux nerd to deal with (finding hardware, configuring the interface, adding isotp kernel module if necessary, and so on). And then there are all of the weird serial<->CAN devices which all seem to implement different little wire protocols. A higher-level abstraction would be truly amazing but also quite a lot of work since there is a fair amount of nuance (between baud rate, filters/interrupt setup, padding, ISOTP framing, etc.).
As for this bootloader work, amazing. It's great to see people still reversing stuff and rebuilding, even if it is for ancient ECUs.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on November 12, 2020, 10:30:40 PM
I'm still using JFFS in some Linux project today :)
My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures...
This sounds totally doable and will almost certainly dramatically decrease flashing time. The Nef flasher already does this to some extent (but NOT bootmode!)
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: Tohmerdis on December 09, 2020, 04:05:25 PM
Wonderful work!
Do you put full source to Github or somewhere similar?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: darklet on September 11, 2022, 05:34:57 PM
did the source code ever get made open, i cant see it on your github :(
Update:
I reversed it, and added a me7.4.5 95320 read/write function...
Well hardcode IMMO off write function that just updated bytes 40h-60h
Switching it to use XSSC bus was a right pain.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on January 29, 2023, 03:14:59 AM
Hi to all!
I can´t find the source code for this tool and has there been work on integrating it into nefmoto flasher?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: fragolas on February 24, 2023, 07:35:29 PM
@360trev Will you ever release the source code? Besides the me7/edc15 , I have a airbag ecu with c164 and I could use bsl to read and write the eeprom without desolder . I could probably write driver for minimon, but this would also be helpful.
Kwp services could also work, but that's beside the point.
I also wonder which cpu does Bosch abs 5.7 uses...
Enviado do meu M2102J20SG através do Tapatalk
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on February 26, 2024, 09:31:05 AM
Hi, done a rework of argdubs tool, eeprom driver is a adapted version of post from gremlin. Tested on Me7.5 and ME7.1. The tool reconnects to running minimon core, so no need to restart ecu after one operation (read or write). Source code of eeprom drivers are included. Eeprom read and write on C167 and St10 ( XSSC module ) for type 0 95080 - 95320 and type 1 95040 / 95p08 supported, type 2-4 are 93cxx versions, read internal Rom/IFlash . Read and write of external Flash now supported on Me7xx and Simos 3.x. Please try and report. update 28.2.2024: Now works with psa ME7.4.5 (ME745) with ST10 . Cs pin is P6.2 , XSSC module is used. update 09.3.2024: works now on Simos 3 with 93Cxx eeprom (only ssc module) update 12.9.2024: read write of ext flash on Me(d)7.xx and Simos 3.x supported command line has changed a little bit (-readeeprom / -writeeeprom instead of only read or write): update 21.102024 V1_2: read write of ext flash and eeprom on EDC15VM/P+ with 29f800BT and 24C04, read internal rom also Help output: BootMode Tool for me(d)7 , Simos 3.x & EDC15VM/P+ Variants inspired by ArgDub , 360trev and Gremlin
***********
type -h for this help
Arguments in [] are optional:
-------------------- Read EEProm--------------------
ME7BootTool baudrate -readeeprom -PeriphType eepromtype Port(of chip select) Pin(of chip select) size(hex or dezimal) [filename]
eg: ME7BootTool 9600 -readeeprom -XSSC 1 Port4 Pin7 0x100 551Eeprom.ori
eg: ME7BootTool 28800 -readeeprom -SSC 1 Port4 Pin7 0x200 551Eeprom.ori
eg: ME7BootTool 28800 -readeeprom -I2C 11 0x200 551Eeprom.ori
----------------------------------------------------
-------------------- Write EEProm--------------------
ME7BootTool baudrate -writeeeprom -PeriphType eepromtype Port(of chip select) Pin(of chip select) filename
eg: ME7BootTool 9600 -writeeeprom -XSSC 1 Port6 Pin3 551ImmoOff.bin
eg: ME7BootTool 28800 -writeeeprom -SSC 1 Port6 Pin3 551ImmoOff.bin
eg: ME7BootTool 28800 -writeeeprom -I2C 11 551ImmoOff.bin
----------------------------------------------------
-------------------- Parameters for R/W EEProm--------------------
type of eeprom is 0 for 95080 to 95320, 1 for 95040 or 95p08,
2 for 93S46 with 6bit address, 3 for 93S56 or 93S66 with 8 bit address, 4 for 93S76 or 93S86 with 10 bit address
10 for 24c02 with 8bit address, 11 for 24c04 with 9bit address
Chip select for eeprom: Port2,3,4,6,7,8 are supported, pins 0-15; ME7.5 & 7.1 P4.7; ME7.1.1 P6.3 ; SIMOS 3.2 is P6.4
-PeriphType : -SSC for C16x or ST10, -XSSC for ST10 and XC167 (only type 0 and 1 supported),
-PeriphType : -I2C for EDC15VM/P+ (only type 10 and 11 supported)
----------------------------------------------------
-------------------- read internal Rom or Flash (IROM, IFLASH) --------------------
ME7BootTool baudrate -readInt size(hex or dezimal) [filename]
eg: ME7BootTool 28800 -readInt 0x8000 551IntRom.ori
----------------------------------------------------
-------------------- read external Flash --------------------
ME7BootTool baudrate -readextflash size(hex or dezimal) [filename]
eg: ME7BootTool 28800 -readextflash 0x80000 551extFlash.ori
----------------------------------------------------
-------------------- write external Flash --------------------
ME7BootTool baudrate -writeextflash filename Ecu/FlashType (ME7, Simos3, EDC15)
eg: ME7BootTool 28800 -writeextflash 551extFlash.bin simos3
eg: ME7BootTool 57600 -writeextflash 551extFlash.bin me7
eg: ME7BootTool 57600 -writeextflash 551extFlash.bin edc15
----------------------------------------------------
-------------------- Baudrate --------------------
standard rates: 9600, 19200, 28800, 38400, 57600, 115200 ; depending on cable 115200 or 57600 may not work
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ejg3855 on May 18, 2024, 09:31:47 AM
Tool appears to read properly, but when i go to write back the changed file and read it back out to verify nothing is changed. I think it wries..... Call C_GETSTATE successfull: True state is 0x80
************* start write *************
Call C_WRITESPI at: 0x0 successfull: True
********** write successfull!! ***********
************* start verify *************
Call C_READSPI at: 0x0 successfull: True
write data not equal verify data at pos: 0x12
write data not equal verify data at pos: 0x1e
write data not equal verify data at pos: 0x1f
write data not equal verify data at pos: 0x22
write data not equal verify data at pos: 0x2e
write data not equal verify data at pos: 0x2f
write data not equal verify data at pos: 0x3e
write data not equal verify data at pos: 0x3f
write data not equal verify data at pos: 0x4e
write data not equal verify data at pos: 0x4f
write data not equal verify data at pos: 0x5e
write data not equal verify data at pos: 0x5f
write data not equal verify data at pos: 0x6e
write data not equal verify data at pos: 0x6f
write data not equal verify data at pos: 0x7e
write data not equal verify data at pos: 0x7f
write data not equal verify data at pos: 0x8e
write data not equal verify data at pos: 0x8f
write data not equal verify data at pos: 0x9e
write data not equal verify data at pos: 0x9f
write data not equal verify data at pos: 0xa0
write data not equal verify data at pos: 0xae
write data not equal verify data at pos: 0xaf
write data not equal verify data at pos: 0xb5
write data not equal verify data at pos: 0xb6
write data not equal verify data at pos: 0xb7
write data not equal verify data at pos: 0xb9
write data not equal verify data at pos: 0xbe
write data not equal verify data at pos: 0xbf
write data not equal verify data at pos: 0xc0
write data not equal verify data at pos: 0xc5
write data not equal verify data at pos: 0xc6
write data not equal verify data at pos: 0xc7
write data not equal verify data at pos: 0xc9
write data not equal verify data at pos: 0xce
write data not equal verify data at pos: 0xcf
write data not equal verify data at pos: 0xd0
write data not equal verify data at pos: 0xd1
write data not equal verify data at pos: 0xd2
write data not equal verify data at pos: 0xd3
write data not equal verify data at pos: 0xd4
write data not equal verify data at pos: 0xd5
write data not equal verify data at pos: 0xd6
write data not equal verify data at pos: 0xd8
write data not equal verify data at pos: 0xd9
write data not equal verify data at pos: 0xdb
write data not equal verify data at pos: 0xde
write data not equal verify data at pos: 0xdf
write data not equal verify data at pos: 0xe0
write data not equal verify data at pos: 0xe1
write data not equal verify data at pos: 0xe2
write data not equal verify data at pos: 0xe3
write data not equal verify data at pos: 0xe4
write data not equal verify data at pos: 0xe5
write data not equal verify data at pos: 0xe6
write data not equal verify data at pos: 0xe8
write data not equal verify data at pos: 0xe9
write data not equal verify data at pos: 0xeb
write data not equal verify data at pos: 0xee
write data not equal verify data at pos: 0xef
write data not equal verify data at pos: 0xfe
write data not equal verify data at pos: 0xff
write data not equal verify data at pos: 0x100
write data not equal verify data at pos: 0x10e
write data not equal verify data at pos: 0x10f
write data not equal verify data at pos: 0x15e
write data not equal verify data at pos: 0x15f
write data not equal verify data at pos: 0x16e
write data not equal verify data at pos: 0x16f
write data not equal verify data at pos: 0x17e
write data not equal verify data at pos: 0x17f
write data not equal verify data at pos: 0x18e
write data not equal verify data at pos: 0x18f
write data not equal verify data at pos: 0x19e
write data not equal verify data at pos: 0x19f
write data not equal verify data at pos: 0x1ae
write data not equal verify data at pos: 0x1af
write data not equal verify data at pos: 0x1be
write data not equal verify data at pos: 0x1bf
write data not equal verify data at pos: 0x1ce
write data not equal verify data at pos: 0x1cf
write data not equal verify data at pos: 0x1de
write data not equal verify data at pos: 0x1df
write data not equal verify data at pos: 0x1ee
write data not equal verify data at pos: 0x1ef
write data not equal verify data at pos: 0x1f0
write data not equal verify data at pos: 0x1f1
write data not equal verify data at pos: 0x1f2
write data not equal verify data at pos: 0x1f3
write data not equal verify data at pos: 0x1f4
write data not equal verify data at pos: 0x1f5
write data not equal verify data at pos: 0x1f6
write data not equal verify data at pos: 0x1f7
write data not equal verify data at pos: 0x1f9
write data not equal verify data at pos: 0x1fa
write data not equal verify data at pos: 0x1fb
write data not equal verify data at pos: 0x1fc
write data not equal verify data at pos: 0x1fd
write data not equal verify data at pos: 0x1fe
write data not equal verify data at pos: 0x1ff
********** verify successfull!! ***********
C:\Users\ericg\Desktop\me2024> ME7BootEeprom 9600 -read -SSC 1 Port3 Pin6.3 512 confirm.ori
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on May 20, 2024, 11:53:42 PM
[quote author=ejg3855 link=topic=18686.msg165859#msg165859 date=1716049907]
C:\Users\ericg\Desktop\me2024> ME7BootEeprom 9600 -read -SSC 1 Port3 Pin6.3 512 confirm.ori
[/quote] Call line is wrong, i´m suprised the tool does anything, this should do the job: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 confirm.ori ME7BootEeprom 9600 -write -SSC 1 Port6 Pin3 immoOff.bin Edit: the Port in call line is not com port of kkl cable, its the pin Port of the Processor. On ME7.5 its Port4 Pin7, Me711 Port6 Pin3. the virtual com port is searched from the tool and if you have connected more than one you can choose which to use
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ejg3855 on May 21, 2024, 10:00:10 AM
Still Doesn't want to write anything C:\Users\ericg\Desktop\me2024>ME7BootEeprom 9600 -write -SSC 1 Port6 Pin3 IMMOoffWRITE.bin
BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin
***********
-write baudrate: 9600
eeprom type is 95040 or 5P08C3
C16x SSC is used
Waiting for K+Can or KKL Adapter (plug in USB if not done!!)
using COM3
got cpu version : 0xd5
variantByteC167WithID Or ST10
sending loader
got loader akn : 1
sending core
got core akn : 3
test comm
got core akn : 0xaa 0xea
set Data at: 0xff12 success: True
set Data at: 0xff0c success: True
set Data at: 0xfe18 success: True
set Data at: 0xfe1a success: True
set Data at: 0xfe1c success: True
set Data at: 0xfe1e success: True
set Data at: 0xff14 success: True
set Data at: 0xff16 success: True
set Data at: 0xff18 success: True
set Data at: 0xff1a success: True
sending eeprom driver
set Data at: 0xf600 success: True
set Data at: 0xf604 success: True
set Data at: 0xf60c success: True
set Data at: 0xf608 success: True
Call C_GETSTATE successfull: True state is 0x80
************* start write *************
Call C_WRITESPI at: 0x0 successfull: True
********** write successfull!! ***********
************* start verify *************
Call C_READSPI at: 0x0 successfull: True
write data not equal verify data at pos: 0x12
write data not equal verify data at pos: 0x1e
write data not equal verify data at pos: 0x1f
write data not equal verify data at pos: 0x22
write data not equal verify data at pos: 0x2e
write data not equal verify data at pos: 0x2f
write data not equal verify data at pos: 0x3e
write data not equal verify data at pos: 0x3f
write data not equal verify data at pos: 0x4e
write data not equal verify data at pos: 0x4f
write data not equal verify data at pos: 0x5e
write data not equal verify data at pos: 0x5f
write data not equal verify data at pos: 0x6e
write data not equal verify data at pos: 0x6f
write data not equal verify data at pos: 0x7e
write data not equal verify data at pos: 0x7f
write data not equal verify data at pos: 0x8e
write data not equal verify data at pos: 0x8f
write data not equal verify data at pos: 0x9e
write data not equal verify data at pos: 0x9f
write data not equal verify data at pos: 0xa0
write data not equal verify data at pos: 0xae
write data not equal verify data at pos: 0xaf
write data not equal verify data at pos: 0xb5
write data not equal verify data at pos: 0xb6
write data not equal verify data at pos: 0xb7
write data not equal verify data at pos: 0xb9
write data not equal verify data at pos: 0xbe
write data not equal verify data at pos: 0xbf
write data not equal verify data at pos: 0xc0
write data not equal verify data at pos: 0xc5
write data not equal verify data at pos: 0xc6
write data not equal verify data at pos: 0xc7
write data not equal verify data at pos: 0xc9
write data not equal verify data at pos: 0xce
write data not equal verify data at pos: 0xcf
write data not equal verify data at pos: 0xd0
write data not equal verify data at pos: 0xd1
write data not equal verify data at pos: 0xd2
write data not equal verify data at pos: 0xd3
write data not equal verify data at pos: 0xd4
write data not equal verify data at pos: 0xd5
write data not equal verify data at pos: 0xd6
write data not equal verify data at pos: 0xd8
write data not equal verify data at pos: 0xd9
write data not equal verify data at pos: 0xdb
write data not equal verify data at pos: 0xde
write data not equal verify data at pos: 0xdf
write data not equal verify data at pos: 0xe0
write data not equal verify data at pos: 0xe1
write data not equal verify data at pos: 0xe2
write data not equal verify data at pos: 0xe3
write data not equal verify data at pos: 0xe4
write data not equal verify data at pos: 0xe5
write data not equal verify data at pos: 0xe6
write data not equal verify data at pos: 0xe8
write data not equal verify data at pos: 0xe9
write data not equal verify data at pos: 0xeb
write data not equal verify data at pos: 0xee
write data not equal verify data at pos: 0xef
write data not equal verify data at pos: 0xfe
write data not equal verify data at pos: 0xff
write data not equal verify data at pos: 0x100
write data not equal verify data at pos: 0x10e
write data not equal verify data at pos: 0x10f
write data not equal verify data at pos: 0x114
write data not equal verify data at pos: 0x115
write data not equal verify data at pos: 0x116
write data not equal verify data at pos: 0x11f
write data not equal verify data at pos: 0x15e
write data not equal verify data at pos: 0x15f
write data not equal verify data at pos: 0x16e
write data not equal verify data at pos: 0x16f
write data not equal verify data at pos: 0x17e
write data not equal verify data at pos: 0x17f
write data not equal verify data at pos: 0x18e
write data not equal verify data at pos: 0x18f
write data not equal verify data at pos: 0x19e
write data not equal verify data at pos: 0x19f
write data not equal verify data at pos: 0x1ae
write data not equal verify data at pos: 0x1af
write data not equal verify data at pos: 0x1be
write data not equal verify data at pos: 0x1bf
write data not equal verify data at pos: 0x1ce
write data not equal verify data at pos: 0x1cf
write data not equal verify data at pos: 0x1de
write data not equal verify data at pos: 0x1df
write data not equal verify data at pos: 0x1ee
write data not equal verify data at pos: 0x1ef
write data not equal verify data at pos: 0x1f0
write data not equal verify data at pos: 0x1f1
write data not equal verify data at pos: 0x1f2
write data not equal verify data at pos: 0x1f3
write data not equal verify data at pos: 0x1f4
write data not equal verify data at pos: 0x1f5
write data not equal verify data at pos: 0x1f6
write data not equal verify data at pos: 0x1f7
write data not equal verify data at pos: 0x1f9
write data not equal verify data at pos: 0x1fa
write data not equal verify data at pos: 0x1fb
write data not equal verify data at pos: 0x1fc
write data not equal verify data at pos: 0x1fd
write data not equal verify data at pos: 0x1fe
write data not equal verify data at pos: 0x1ff
********** verify successfull!! ***********
C:\Users\ericg\Desktop\me2024>ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 ReadagainafterWRITE.ori
BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin
***********
-read baudrate: 9600
eeprom type is 95040 or 5P08C3
size: 0x200
C16x SSC is used
Waiting for K+Can or KKL Adapter (plug in USB if not done!!)
using COM3
got cpu version : 0xd5
variantByteC167WithID Or ST10
sending loader
got loader akn : 1
sending core
got core akn : 3
test comm
got core akn : 0xaa 0xea
set Data at: 0xff12 success: True
set Data at: 0xff0c success: True
set Data at: 0xfe18 success: True
set Data at: 0xfe1a success: True
set Data at: 0xfe1c success: True
set Data at: 0xfe1e success: True
set Data at: 0xff14 success: True
set Data at: 0xff16 success: True
set Data at: 0xff18 success: True
set Data at: 0xff1a success: True
sending eeprom driver
set Data at: 0xf600 success: True
set Data at: 0xf604 success: True
set Data at: 0xf60c success: True
set Data at: 0xf608 success: True
Call C_GETSTATE successfull: True state is 0x80
************* start read *************
Call C_READSPI successfull: True
********** read successfull!! ***********
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: elektronik13 on May 21, 2024, 11:02:16 PM
Still Doesn't want to write anything
C:\Users\ericg\Desktop\me2024>ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 ReadagainafterWRITE.ori
BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin
***********
-read baudrate: 9600
eeprom type is 95040 or 5P08C3
size: 0x200
C16x SSC is used
Waiting for K+Can or KKL Adapter (plug in USB if not done!!)
using COM3
this is bullshit, so there's no way it could be written down
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on May 21, 2024, 11:05:49 PM
From the log i only see that the chip select is not the problem, please write which ecu you are using and if known the eeprom chip type on it.
MH-Auto states on this ME7.1.1 Ecu is a 95160 eeprom so you need to adapt the call line. 95160 is type 0 and size needs to be 0x800 for full read, if there are only zeros or FF´s in upper half you can use 0x400
read: ME7BootEeprom 9600 -read -SSC 0 Port6 Pin3 0x800 Read.ori
write: ME7BootEeprom 9600 -write -SSC 0 Port6 Pin3 immoOff.bin
the driver used for read and write 95040/5P08C3 against the 95080-95320 is different. please read again, your readout is wrong, if you read with a 95160 with type 1 the readout has an extra byte like ff on start of each line. i will do it on an me7.1.1 in the afternoon and post logs
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ejg3855 on May 22, 2024, 06:18:06 AM
I am not sure I have seen conflicting information on this chip that it might be 95040 because its early?
2006 07K Beetle Manual Transmission
0 261 208 869
See Photos
https://imgur.com/a/1jFQ4I7
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: prj on May 22, 2024, 06:28:24 AM
None of your photos contain the EEPROM chip, it's on the other side of the PCB iirc.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ejg3855 on May 22, 2024, 06:52:42 AM
you are correct I was thinking the memory chip.
it is confirmed to be a 95160.
updated imgur link.
Here is what I Read does it look right?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on May 22, 2024, 07:20:13 AM
readout looks good to me, try to use eeprom immo tool to verify checksums
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: unicorn89 on May 25, 2024, 03:39:41 PM
Having an issue with a ME7.5 1.8T VW ecu. Not sure what is going on with this one. Command: ME7BootEeprom 9600 -read -SSC 1 Port3 Pin7 512 eeprom.ori BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin
***********
-read baudrate: 9600
eeprom type is 95040 or 5P08C3
size: 0x200
C16x SSC is used
Waiting for K+Can or KKL Adapter (plug in USB if not done!!)
using COM3
got cpu version : 0xff
no C16x Variant, ST10 selected
sending loader
echo error sent: 0xb7 received: 0x34 at data pos : 0x5
echo error sent: 0xb7 received: 0x34 at data pos : 0xd
echo error sent: 0xb7 received: 0x34 at data pos : 0xf
echo error sent: 0xfb received: 0xf8 at data pos : 0x19
echo error sent: 0x3d received: 0x31 at data pos : 0x1a
no response from ecu after sending loader ' ** UPDATE: I was able to get it to pull down the eeprom, But this looks odd to me. I have attached the file. It showing its 256 bytes and not 512 bytes.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: elektronik13 on May 26, 2024, 09:57:18 PM
Having an issue with a ME7.5 1.8T VW ecu. Not sure what is going on with this one. Command: ME7BootEeprom 9600 -read -SSC 1 Port3 Pin7 512 eeprom.ori BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin
***********
-read baudrate: 9600
eeprom type is 95040 or 5P08C3
size: 0x200
C16x SSC is used
Waiting for K+Can or KKL Adapter (plug in USB if not done!!)
using COM3
got cpu version : 0xff
no C16x Variant, ST10 selected
sending loader
echo error sent: 0xb7 received: 0x34 at data pos : 0x5
echo error sent: 0xb7 received: 0x34 at data pos : 0xd
echo error sent: 0xb7 received: 0x34 at data pos : 0xf
echo error sent: 0xfb received: 0xf8 at data pos : 0x19
echo error sent: 0x3d received: 0x31 at data pos : 0x1a
no response from ecu after sending loader ' ** UPDATE: I was able to get it to pull down the eeprom, But this looks odd to me. I have attached the file. It showing its 256 bytes and not 512 bytes. reading is incorrect size
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on May 27, 2024, 12:36:43 AM
on me7.5 the chip select should be Port4 Pin7. The port in command is GPIO port from pin not com port. Also you are getting no CPU ID (0xff if wrong) so check connection and be sure ecu is in boot mode
Command: ME7BootEeprom 9600 -read -SSC 1 Port4 Pin7 512 eeprom.ori
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: unicorn89 on June 20, 2024, 08:49:18 AM
I have a 2005 Beetle 2.0 ME7.1.1 ECU and Using Command: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 eeprom.ori
When i use the eepromtool_04.exe tool it says its a Invalid Checksum, any ideas on why?
Read in 512bytes
WARNING: cannot decode VIN, try setting VIN to fix
WARNING: cannot decode ImmmoID
EEPROM Status:
- Type: ECU_eeprom
- Version: Immo2
- VIN:
- SKC: 038145
- Immobiliser: On
- Checksum: Invalid Checksum
- Size: 512bytes
- Cluster Code: 10 19 22 3F 65 76 91
- P0601 DTC: set to C1 C1
- Immo ID:
- Softcoding ID: 0768
- Tuner Tag: Not Set
- Flash Programming (successful): 48
- Flash Programming (attempts): 4
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: unicorn89 on June 20, 2024, 10:46:19 AM
I have a 2005 Beetle 2.0 ME7.1.1 ECU and Using Command: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 eeprom.ori
When i use the eepromtool_04.exe tool it says its a Invalid Checksum, any ideas on why?
Read in 512bytes
WARNING: cannot decode VIN, try setting VIN to fix
WARNING: cannot decode ImmmoID
EEPROM Status:
- Type: ECU_eeprom
- Version: Immo2
- VIN:
- SKC: 038145
- Immobiliser: On
- Checksum: Invalid Checksum
- Size: 512bytes
- Cluster Code: 10 19 22 3F 65 76 91
- P0601 DTC: set to C1 C1
- Immo ID:
- Softcoding ID: 0768
- Tuner Tag: Not Set
- Flash Programming (successful): 48
- Flash Programming (attempts): 4
attached is the orginal eeprom file i pulled down.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: _nameless on June 23, 2024, 03:32:11 PM
your eeprom is not 512 bytes it 1024
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on June 24, 2024, 05:55:40 AM
Hi, you have type 0 eeprom (95080....), use this command line:
ME7BootEeprom 9600 -read -SSC 0 Port6 Pin3 1024 eeprom.ori
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on September 12, 2024, 07:11:45 AM
Hi to all, tool is now able to read and write ext flash
http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642)
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: lsdlsd88 on September 28, 2024, 09:26:35 PM
Thanks for this fantastic work
Any chance this is compatible with edc15p vag ? Mcu is B59388
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on September 28, 2024, 11:23:08 PM
why is this not on github anywhere?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on September 28, 2024, 11:53:59 PM
Hi, i will consider putting it on github, source is in zips included (python file for command line tool and asm files for drivers).
@ lsdlsd88: is eeprom or ext flash R/W needed for EDC15p?
on MHH-Auto i read that flash is a 29f400bT which would need some driver changes
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: lsdlsd88 on September 29, 2024, 03:42:56 AM
There’s plenty of almost free tools to read flash, but next to none to read and write eeprom so thats what i was interested in
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: prj on September 29, 2024, 08:22:10 AM
The same can be used to create a "bench" mode - use the RCE to inject your loader into a running ECU.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on September 30, 2024, 08:45:43 AM
i will take a look at edc15, has the edc15vm+ the same eeprom (24c04) as 15P+?
@ prj: sounds cool but i definitely have too less knowledge to do this now.
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: lsdlsd88 on September 30, 2024, 10:08:30 AM
Yes 24c04
Pic
https://ibb.co/cJJc7Y2
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on October 21, 2024, 08:13:49 AM
Hi, added support for edc15+ with version V1_2, testet on EDC15VM+. Please try and report
http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642)
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: nyet on October 21, 2024, 12:06:51 PM
Hi, added support for edc15+ with version V1_2, testet on EDC15VM+. Please try and report
http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642)
Where is the github repo? Zip files of source code are literally the dumbest way to distribute (and develop) open source code. Do you have any experience at all with source repositories?
Title: Re: Fully open source ME7 EEPROM tool :)
Post by: ecuprog7 on October 22, 2024, 12:04:00 AM
here first commit of tool
https://github.com/EcuProg7/C167BootTool (https://github.com/EcuProg7/C167BootTool)
hoping its what it should be...
|