|
Title: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:14:59 AM Anyone interested ?
For various reasons (see below) the ArgDub tool was not sufficient for my requirements, I also didn't like that you had to specify which pins to use (when you can in fact automatically discover this, more to follow on how I accomplished this on my own implementation). While ArgDub's tool was free it was never open sourced (proprietary close source) and therefore nobody could improve on it or add new features so when the project stops getting supported its dead. Also I have never been truly satisfied with the reliability of it depending on the speed on your PC, etc. I suspect the timing accuracy isn't as good as it needs to be for the serial drivers. I had issues several times getting it to work. So I needed to do a clean room implementation which I did a while back ago now. I'm just tidying it up for public release but it is working very well so I will be releasing the full source-code to it very shortly on Github. Before I do that I just wanted to give you some technical details to how ArgDub's tool actually works. It may come as a surprise to some but his tool was very heavily influenced and indeed includes code derived from the free Minicom software from Siemens. Also I think probably some open sources available at the time for a published eeprom driver. Ofcourse getting this to work is a lot of work and reverse engineering of ME7.x rom's to see how Bosch integrated the gpio itself is obviously timing consuming (so thank you ArgDub for the release) but with effort anyone with embedded experience and appropriate documentation can write their own, its very doable (as I have done). The driver itself is pretty straight forward and the most important elements are how to configure the correct gpio pins so that its compatible with your pcb wiring. I'll post several posts now on the inner workings of how this all is done and show you the possibilities this opens up (like cheap Arduino's from ME7's :) Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:24:09 AM OK. So on to how the EEPROM Tool works.
It actually uses Bootmode to load a minimon app, then uploaded an eeprom driver (which is patched before upload for the appropriate gpio pins) and then runs the code with the pc app controlling the me7 app to download memory. Lets delve into how this all works in detail. First of all, lets start with the basics, Bootmode... What is it? It is basically a "special debugging/programming mode" built into the C16x Microcontroller series (a bit like a crude pre-cursor to JTAG) which allowed you to override the default booting behavior configured by board manufacturer (in this case Bosch or its affiliates). To activate it you simply short to ground the appropriate pin on the micro-controller and at this point an alternative boot loader inside the MCU (Microcontroller) is executed. Ever wondered what the internals of this bootloader looks like? Here it is... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:31:18 AM I highlighted in Yellow the hex code, in this particular spin of the C167SR its going to send us 0xC5h back once serial comms are established.
So once we have serial port opened this is what going's on.. { Send BSL + Minimon Monitor Core -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (0.0000 seconds) <--- Send HELLO byte (i.e. the single byte 0x00, to internal bootmode loader of C16x) 00 Response:(+0.0300 seconds) 00 <--- HELLO ::echo:: reply C5 which is :CPU_ID_C167 (see picture of the actual code running inside the microcontroller, highlighted in YELLOW this is the MCU's response) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (+0.0100 seconds) If you analyze the bootloader running in boot mode you'll see it waits at this point for 32-bytes to be sent by the host to the ecu.. <--- Send 32-byte Bootstrap Loader (BSL) E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA (these hex codes are the machine code of the boot strap loader, i will include the source code ) Response: (+0.0401 seconds) <--- Echo 32-byte Bootstrap Loader (BSL) E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA <--- Send I_LOADER_STARTED 01 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (+0.0200 seconds) Next Minimon sends its application core which allows us to issue commands from the Host... <--- Send Minimon Monitor Core Application (copied by BSL loader to ram) 7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52 E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01 0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33 BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00 F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16 BB B1 08 61 80 F7 3D FB CB 00 Response: (+0.3805 seconds) <--- Echo Minimon Application (copied by BSL loader to ram) 7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52 E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01 0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33 BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00 F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16 BB B1 08 61 80 F7 3D FB CB 00 <--- Send I_APPLICATION_STARTED 03 } At this stage we have a monitor loaded and can do many things... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:39:53 AM With the minimon core loaded we have several commands at our disposal..
Before we go delve into them lets look at the header file which is self documents them Code: C_WRITE_BLOCK 0x84 // Write memory block to target mem Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:42:19 AM Depending on the processor derivative of the C16x (x being any of them) you will have different response codes returned for the initial 'HELLO'..
Code: #define CPU_ID_C165_OLD 0xA5 Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:44:09 AM When minimon acknowledges your commands having been sent it sends codes back
For a 1st acknowledgement its an 0xAA, second is a 0xEA Code: #define A_ACK1 0xAA // 1st Acknowledge to function code Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:45:43 AM After getting a response back from uploading the minimon app we also get an acknowledgement byte...
Minimon authors defined 4 different apps Code: #define I_LOADER_STARTED 0x01 // Loader successfully launched Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:47:33 AM I'll upload the source-code to minimon too into the github which generates the binary you see us sending after the 32-byte BSL (Boot Strap Loader).
Ok. Once its loaded its time to verify its working. One of the commands its called C_TEST_COMM Lets see how this works... Code: //********************************************************************************************************************************************************************************************************// Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:51:27 AM We can also read and write to CPU registers which allows us to easily configure the hardware registers to whatever we need to do...
In this case let us configure BUS CONTROL and SYSTEM CONTROL registers (refer to the C167 datasheet for details on their purpose and bits) To accomplish this we can use the command C_WRITE_WORD.. Code: //********************************************************************************************************************************************************************************************************// And we can then read it back (to verify it worked) by using the C_READ_WORD command Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:57:52 AM So now we can load minimon and then after loading it we can send it commands which allows us to read and write registers AND memory. So yes its possible to READ the entire firmware out and send it chunk by chunk back to the HOST PC. We will do that exercise later for now lets continue with the eeprom reading/writing...
Lets also configure BUSCON0 Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:05:15 AM Ok so far we've not touched on ArgDub's code.. This was all minimon...
ArdDub wrote a driver 'plug-in' for the Bosch series (probably heavily inspired by the rom code itself :) . To upload 'custom' plug-in's Minimon provides is with a handy command, yes we using C_WRITE_BLOCK to send a whole block of binary data (the app or driver for eeprom in this case)... Code: { Send EEPROM Driver to C16x memoryI have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... I will again upload it to Github in due time... At this point we've now uploaded the driver. There are some areas in the driver where we must write some hex values so it can use the correct gpio pins (the Bosch ecu's put the eeprom into different gpio pins depending on the ecu). Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:08:17 AM Argdub followed the same architecture as Minimon for his commands.
To use the loaded driver we use the Minimon C_CALL_FUNCTION command to setup the registers (prior to the call) and then jump into that code block, thereby executing it. Code: { Read EEPROMSo before we run anything we EEPROM_TEST communications... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:13:37 AM The rest of the sequence is also straight forward...
We issue C_READ_BLOCK commands which tell his driver to read a block of eeprom into memory. and ofcouse C_WRITE_BLOCK to write. Only reading is show in this trace. Once its in ram (we do it in small chunks due to limited resources on the C167) we can then issue the command to send that MEMORY block back to the host (our app running on whatever, pc. etc.). Depending on the type of eeprom and its size we have to iterate for the number of blocks (1k, 2k, 4k ) the eprom is in size.. Any questions just ask.. Before we do any of this we must Init registers (gpio etc.) required for eeprom access and then jump into the drivers main code block.. See below... Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:14:42 AM We are now ready to read blocks and pull them back into host ram...
Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:16:56 AM I will document writing our OWN eeprom driver, rather than focus on ArgDubs as its pretty straight forward to do.
I will also show how to read and write to flash in boot mode if anyone is interested using the above method of loading a driver (again the source-code to all the AMD 512k/1mb/2mb flash drivers is available)... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:33:40 AM Forgot to mention the minimon stuff is entirely MCU architecture (Micro-controller) related. It has nothing to do with Bosch. You can use this approach on ANY C16x derived architecture including ST derivatives etc.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:54:24 AM As promised here's a BSL (Boot Strap Loader) to understand..
Code: ;---------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:57:32 AM Hope this mini tutorial was useful to someone :)
Source code will be uploaded soon to GitHub.. Title: Re: Fully open source ME7 EEPROM tool :) Post by: gremlin on November 12, 2020, 07:19:07 AM I have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... Why going such a long and difficult way? 18 years ago it takes me half hour to patch free source code example for X25160 eepom from minimon driver directory and compile new driver for 95040. Now I looked for and found it in my archive... Code: ; My driver to work with SPI EEPROM in ECUs Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:32:36 AM All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code! Most of this is rapidly dissappearing off the web as these 16-bit cpu's have long reached end of life. Any source-code contributions are indeed welcome. Finding stuff on these older mcu's isn't so easy these days and yet they are still quite capable processors and good for teaching.
I thought it would be a good example for people to work through from 1st principals. I.e. understand exactly all the details by actually building code that runs on the actual microcontroller. I've built my own assembler, dissassembler and C compiler for the C16x series now too. (Yes I know others exist) and soon I plan to integrate the Arduino IDE so that you can build apps which can manipulate the gpio's etc. directly from the ide... I took a look quick look at your driver, the only recommendation I would have would be to use a hardware timer for your delay as running on a 20MHz vs 40MHz device will yield different times for your nop's... Title: Re: Fully open source ME7 EEPROM tool :) Post by: gremlin on November 12, 2020, 08:29:22 AM All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code! When I was working on this driver, I did not have any non-public documents or special access to professional ide / sdk. Only minimon, which has not disappeared anywhere and is still freely available on the Internet. All sources texts present now. http://www.perschl.at/minimon.html As for the driver's optimality, was say that this is a "five-minute soup" and no one bothers to improve it. In my opinion, the time for such a program has gone like the last train. Everything has already been done and more than once. It can be interesting only for educational purposes. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 08:58:15 AM I hear you...
There are still however millions of cars on the road with these ecu's inside them and millions more in scrap yards. There is still value there if you care to look hard enough. The concepts of these old obsolete 16-bit microcontroller are still alive and kicking and found in modern applications. Even modern cars can still use them, just likely with a different instruction set driving them which is probably arm based. Your soft close door locks on a 2020 MY car very likely have a modernized NXP 16-bit MCU driving them. SPI, I2C, PWM, GPIO, Serial, CAN, DMA, etc. all used today in pretty much same way except hidden behind layers of API's. If you extrapolate away from bare metal assembly you find you can still write a lot of the code in a portable way in C, then that inself can be transferred across to current soc's like infineon tricore's and such via cross compilation (even in the eeprom is now emulated in flash :). The biggest problem with these obscure instruction sets like C16x is lack of good tooling, the code optimization of those proprietary (very old GCC based!) C compilers is frankly shocking, no wonder so much was written in assembly at the time... -T Title: Re: Fully open source ME7 EEPROM tool :) Post by: Blazius on November 12, 2020, 10:04:58 AM Terrific job! Thanks for all your contributions.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: DT on November 12, 2020, 12:43:36 PM Thank you for this write up. Always nice to see custom code.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 03:05:29 PM Amazing. Any chance I can get you to finish the bootmode flash stuff in the nef flasher?
or even better, integrate eeprom access into the nef flasher? Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 04:19:10 PM Nyet, DT and Blazius,
Thank you so much for the nice comments. I was beginning to think nobody cared anymore. I'm determined to get an Arduino IDE running on Bosch ME7 hardware, it will be called the ME7duino :) And yes I can take a look soon... Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 05:02:59 PM While im here, the nef flasher shouldn't require ftdi cables anymore either... its been on my list to fix but i dont have a functional non-ftdi cable to test on.
I assume none of your routines strictly depend on the ftdi dll either. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:34:39 PM Nothing that's talking over K-Line serial alone requires anything at USB level.
I've written a Serial UART abstraction api, this means you can indeed cross compile all the higher level code to run across any OS. I.e. on OSX, Linux and any other embedded mcu. Technically you can re-flash or read eeprom from a simple microcontroller with an SD card attached or Wifi connection to your mobile hotspot. Your not strictly limited to just UART serial as a means of communication either, as long as you software bridge the connection api's you can even re-direct read/writes over tcp/ip (internet) and on the device side flash receive data over CAN at 1Mbps. Its something I would like to implement a driver for along with differential flashing capability, so if you've previously flashed the same image and want to make incremental changes to just some maps like KFZW, checksums etc. your "update" is going to be pretty much instantaneous rather than minutes. The bottleneck for boot flashing is the relatively slow uart uplink speed. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 05:44:45 PM Differential flashing still sucks in Nef because you have to erase/write the whole affected block.
It is already implemented. back on topic: the only reason it used the ftdi dll was for licensing against fdti serial number, which is no longer a requirement. In this case (coincidentally) on the topic of differential flashing. Or are you talking about bootmode differential flashing? Because that would be amazing. Still, it suffers from the block issue. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:28:00 PM Yes I'm talking about differential flashing in bootmode and also download of the data via high speed CAN driver. This obviously means you cannot just have a dumb K-Line serial to uart IC. You also need a CAN ic too. These however are less than $1 these days and the big benefit is dramatically faster downloads. The flashing isn't really the slowest part, its the download speeds, 1mbps is multiple times quicker than serial uart can do it. Did you know on these AMD flash devices that even if you don't erase a sector you can still write to it too? You can just OR each byte. @Fluke9 explained the trick to me. You can flip the bit to a high in a write but never to a low, so you can do bitwise changes and not disturb the whole byte. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 06:35:53 PM Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: Blazius on November 12, 2020, 06:42:58 PM Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose".
(Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things]) And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:28:27 PM Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose". (Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things]) And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people. Well with a good serial port abstraction interface your really just talking about 2 way streams i/o... You can do multiple different things here and it really is up to your imagination how much support you add... 1. Search via linking against the the FDTI lib for Unique named devices or serial's (ugh!), this could also read eeprom and determine if the device supports CAN, If that fails to find any ; 2. Search for USB attached serial devices by looking for compatible VID/PID's in the registry entries, 3. If none exist, search for any other attached USB devices which are of type serial port, 4. If that fails try to fallback to Auto-discovery of regular good old fashioned serial attached to non (virtual) com ports and if multiple serial devices are present allow you to choose which one to use. 5. Override with ability to choose com port number manually. 6. Override with ability to redirect and tunnel serial traffic over TCP/IP. This allows you to run a client/server over the internet and read from a remote serial port attached, i.e. flash over the internet. The only challenge is to do a speed test on setup to determine if your speed and latency is good enough. To make it all encompassing its quite a lot of work but you get the most flexibility.. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:33:51 PM Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero. True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 07:54:56 PM True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed. I have yet to see a change that is entirely bit sets in a given block .. ymmv ... At 16 blocks (or even 32), its never going to be 95% Again, i have written flash drivers (unrelated to car tuning) that attempt to do this. They don't work as well as you'd think. There are filesystems though (back when this sort of flash was popular) that attempt to do this with set-only bits baked into the format (e.g. jffs). They're long dead. If Bosch had cared, they could have written their checksum system to take advantage of this. They did not, since they no doubt never used an ECU with flash during ECU tuning/mapping/calibration Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 08:19:30 PM I'm still using JFFS in some Linux project today :)
My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures... Title: Re: Fully open source ME7 EEPROM tool :) Post by: d3irb on November 12, 2020, 08:54:00 PM With respect to CAN, it's unfortunate there is no standard (or even de facto standard like FTDI ended up being for bitbang+UART) driver interface for CAN. SocketCAN on Linux and J2534 on Windows seem to be the closest to dominant standards, but J2534 is a mess of expensive and non-compliant "compliant" vendor devices and SocketCAN requires being a bit of a Linux nerd to deal with (finding hardware, configuring the interface, adding isotp kernel module if necessary, and so on). And then there are all of the weird serial<->CAN devices which all seem to implement different little wire protocols. A higher-level abstraction would be truly amazing but also quite a lot of work since there is a fair amount of nuance (between baud rate, filters/interrupt setup, padding, ISOTP framing, etc.).
As for this bootloader work, amazing. It's great to see people still reversing stuff and rebuilding, even if it is for ancient ECUs. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 10:30:40 PM I'm still using JFFS in some Linux project today :) My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures... This sounds totally doable and will almost certainly dramatically decrease flashing time. The Nef flasher already does this to some extent (but NOT bootmode!) Title: Re: Fully open source ME7 EEPROM tool :) Post by: Tohmerdis on December 09, 2020, 04:05:25 PM Wonderful work!
Do you put full source to Github or somewhere similar? Title: Re: Fully open source ME7 EEPROM tool :) Post by: darklet on September 11, 2022, 05:34:57 PM did the source code ever get made open, i cant see it on your github :(
Update: I reversed it, and added a me7.4.5 95320 read/write function... Well hardcode IMMO off write function that just updated bytes 40h-60h Switching it to use XSSC bus was a right pain. Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on January 29, 2023, 03:14:59 AM Hi to all!
I can´t find the source code for this tool and has there been work on integrating it into nefmoto flasher? Title: Re: Fully open source ME7 EEPROM tool :) Post by: fragolas on February 24, 2023, 07:35:29 PM @360trev Will you ever release the source code? Besides the me7/edc15 , I have a airbag ecu with c164 and I could use bsl to read and write the eeprom without desolder . I could probably write driver for minimon, but this would also be helpful.
Kwp services could also work, but that's beside the point. I also wonder which cpu does Bosch abs 5.7 uses... Enviado do meu M2102J20SG através do Tapatalk Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on February 26, 2024, 09:31:05 AM Hi,
done a rework of argdubs tool, eeprom driver is a adapted version of post from gremlin. Tested on Me7.5 and ME7.1. The tool reconnects to running minimon core, so no need to restart ecu after one operation (read or write). Source code of eeprom drivers are included. Eeprom read and write on C167 and St10 ( XSSC module ) for type 0 95080 - 95320 and type 1 95040 / 95p08 supported, type 2-4 are 93cxx versions, read internal Rom/IFlash . Read and write of external Flash now supported on Me7xx and Simos 3.x. Please try and report. update 28.2.2024: Now works with psa ME7.4.5 (ME745) with ST10 . Cs pin is P6.2 , XSSC module is used. update 09.3.2024: works now on Simos 3 with 93Cxx eeprom (only ssc module) update 12.9.2024: read write of ext flash on Me(d)7.xx and Simos 3.x supported command line has changed a little bit (-readeeprom / -writeeeprom instead of only read or write): update 21.102024 V1_2: read write of ext flash and eeprom on EDC15VM/P+ with 29f800BT and 24C04, read internal rom also Help output: Code: BootMode Tool for me(d)7 , Simos 3.x & EDC15VM/P+ Variants inspired by ArgDub , 360trev and Gremlin newest on Git: https://github.com/EcuProg7/C167BootTool (https://github.com/EcuProg7/C167BootTool) Title: Re: Fully open source ME7 EEPROM tool :) Post by: ejg3855 on May 18, 2024, 09:31:47 AM Tool appears to read properly, but when i go to write back the changed file and read it back out to verify nothing is changed.
I think it wries..... Code: Call C_GETSTATE successfull: True state is 0x80 Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on May 20, 2024, 11:53:42 PM Code: [quote author=ejg3855 link=topic=18686.msg165859#msg165859 date=1716049907] Call line is wrong, i´m suprised the tool does anything, this should do the job: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 confirm.ori ME7BootEeprom 9600 -write -SSC 1 Port6 Pin3 immoOff.bin Edit: the Port in call line is not com port of kkl cable, its the pin Port of the Processor. On ME7.5 its Port4 Pin7, Me711 Port6 Pin3. the virtual com port is searched from the tool and if you have connected more than one you can choose which to use Title: Re: Fully open source ME7 EEPROM tool :) Post by: ejg3855 on May 21, 2024, 10:00:10 AM Still Doesn't want to write anything
Code: C:\Users\ericg\Desktop\me2024>ME7BootEeprom 9600 -write -SSC 1 Port6 Pin3 IMMOoffWRITE.bin Title: Re: Fully open source ME7 EEPROM tool :) Post by: elektronik13 on May 21, 2024, 11:02:16 PM Still Doesn't want to write anything this is bullshit, so there's no way it could be written downC:\Users\ericg\Desktop\me2024>ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 ReadagainafterWRITE.ori BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin *********** -read baudrate: 9600 eeprom type is 95040 or 5P08C3 size: 0x200 C16x SSC is used Waiting for K+Can or KKL Adapter (plug in USB if not done!!) using COM3 Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on May 21, 2024, 11:05:49 PM From the log i only see that the chip select is not the problem, please write which ecu you are using and if known the eeprom chip type on it.
MH-Auto states on this ME7.1.1 Ecu is a 95160 eeprom so you need to adapt the call line. 95160 is type 0 and size needs to be 0x800 for full read, if there are only zeros or FF´s in upper half you can use 0x400 read: ME7BootEeprom 9600 -read -SSC 0 Port6 Pin3 0x800 Read.ori write: ME7BootEeprom 9600 -write -SSC 0 Port6 Pin3 immoOff.bin the driver used for read and write 95040/5P08C3 against the 95080-95320 is different. please read again, your readout is wrong, if you read with a 95160 with type 1 the readout has an extra byte like ff on start of each line. i will do it on an me7.1.1 in the afternoon and post logs Title: Re: Fully open source ME7 EEPROM tool :) Post by: ejg3855 on May 22, 2024, 06:18:06 AM I am not sure I have seen conflicting information on this chip that it might be 95040 because its early?
2006 07K Beetle Manual Transmission 0 261 208 869 See Photos https://imgur.com/a/1jFQ4I7 Title: Re: Fully open source ME7 EEPROM tool :) Post by: prj on May 22, 2024, 06:28:24 AM None of your photos contain the EEPROM chip, it's on the other side of the PCB iirc.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ejg3855 on May 22, 2024, 06:52:42 AM you are correct I was thinking the memory chip.
it is confirmed to be a 95160. updated imgur link. Here is what I Read does it look right? Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on May 22, 2024, 07:20:13 AM readout looks good to me, try to use eeprom immo tool to verify checksums
Title: Re: Fully open source ME7 EEPROM tool :) Post by: unicorn89 on May 25, 2024, 03:39:41 PM Having an issue with a ME7.5 1.8T VW ecu. Not sure what is going on with this one.
Command: ME7BootEeprom 9600 -read -SSC 1 Port3 Pin7 512 eeprom.ori Code: BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin ** UPDATE: I was able to get it to pull down the eeprom, But this looks odd to me. I have attached the file. It showing its 256 bytes and not 512 bytes. Title: Re: Fully open source ME7 EEPROM tool :) Post by: elektronik13 on May 26, 2024, 09:57:18 PM Having an issue with a ME7.5 1.8T VW ecu. Not sure what is going on with this one. reading is incorrect sizeCommand: ME7BootEeprom 9600 -read -SSC 1 Port3 Pin7 512 eeprom.ori Code: BootMode EEprom Tool for me7 Variants inspired by ArgDub , 360trev and Gremlin ** UPDATE: I was able to get it to pull down the eeprom, But this looks odd to me. I have attached the file. It showing its 256 bytes and not 512 bytes. Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on May 27, 2024, 12:36:43 AM on me7.5 the chip select should be Port4 Pin7. The port in command is GPIO port from pin not com port. Also you are getting no CPU ID (0xff if wrong) so check connection and be sure ecu is in boot mode
Command: ME7BootEeprom 9600 -read -SSC 1 Port4 Pin7 512 eeprom.ori Title: Re: Fully open source ME7 EEPROM tool :) Post by: unicorn89 on June 20, 2024, 08:49:18 AM I have a 2005 Beetle 2.0 ME7.1.1 ECU and Using Command: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 eeprom.ori
When i use the eepromtool_04.exe tool it says its a Invalid Checksum, any ideas on why? Read in 512bytes WARNING: cannot decode VIN, try setting VIN to fix WARNING: cannot decode ImmmoID EEPROM Status: - Type: ECU_eeprom - Version: Immo2 - VIN: - SKC: 038145 - Immobiliser: On - Checksum: Invalid Checksum - Size: 512bytes - Cluster Code: 10 19 22 3F 65 76 91 - P0601 DTC: set to C1 C1 - Immo ID: - Softcoding ID: 0768 - Tuner Tag: Not Set - Flash Programming (successful): 48 - Flash Programming (attempts): 4 Title: Re: Fully open source ME7 EEPROM tool :) Post by: unicorn89 on June 20, 2024, 10:46:19 AM I have a 2005 Beetle 2.0 ME7.1.1 ECU and Using Command: ME7BootEeprom 9600 -read -SSC 1 Port6 Pin3 512 eeprom.ori When i use the eepromtool_04.exe tool it says its a Invalid Checksum, any ideas on why? Read in 512bytes WARNING: cannot decode VIN, try setting VIN to fix WARNING: cannot decode ImmmoID EEPROM Status: - Type: ECU_eeprom - Version: Immo2 - VIN: - SKC: 038145 - Immobiliser: On - Checksum: Invalid Checksum - Size: 512bytes - Cluster Code: 10 19 22 3F 65 76 91 - P0601 DTC: set to C1 C1 - Immo ID: - Softcoding ID: 0768 - Tuner Tag: Not Set - Flash Programming (successful): 48 - Flash Programming (attempts): 4 attached is the orginal eeprom file i pulled down. Title: Re: Fully open source ME7 EEPROM tool :) Post by: _nameless on June 23, 2024, 03:32:11 PM your eeprom is not 512 bytes it 1024
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on June 24, 2024, 05:55:40 AM Hi, you have type 0 eeprom (95080....), use this command line:
ME7BootEeprom 9600 -read -SSC 0 Port6 Pin3 1024 eeprom.ori Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on September 12, 2024, 07:11:45 AM Hi to all, tool is now able to read and write ext flash
http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642) Title: Re: Fully open source ME7 EEPROM tool :) Post by: lsdlsd88 on September 28, 2024, 09:26:35 PM Thanks for this fantastic work
Any chance this is compatible with edc15p vag ? Mcu is B59388 Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on September 28, 2024, 11:23:08 PM why is this not on github anywhere?
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on September 28, 2024, 11:53:59 PM Hi, i will consider putting it on github, source is in zips included (python file for command line tool and asm files for drivers).
@ lsdlsd88: is eeprom or ext flash R/W needed for EDC15p? on MHH-Auto i read that flash is a 29f400bT which would need some driver changes Title: Re: Fully open source ME7 EEPROM tool :) Post by: lsdlsd88 on September 29, 2024, 03:42:56 AM There’s plenty of almost free tools to read flash, but next to none to read and write eeprom so thats what i was interested in
Title: Re: Fully open source ME7 EEPROM tool :) Post by: prj on September 29, 2024, 08:22:10 AM The same can be used to create a "bench" mode - use the RCE to inject your loader into a running ECU.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on September 30, 2024, 08:45:43 AM i will take a look at edc15, has the edc15vm+ the same eeprom (24c04) as 15P+?
@ prj: sounds cool but i definitely have too less knowledge to do this now. Title: Re: Fully open source ME7 EEPROM tool :) Post by: lsdlsd88 on September 30, 2024, 10:08:30 AM Yes 24c04
Pic https://ibb.co/cJJc7Y2 Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on October 21, 2024, 08:13:49 AM Hi, added support for edc15+ with version V1_2, testet on EDC15VM+. Please try and report
http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642) Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on October 21, 2024, 12:06:51 PM Hi, added support for edc15+ with version V1_2, testet on EDC15VM+. Please try and report http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642 (http://nefariousmotorsports.com/forum/index.php?topic=18686.msg164642#msg164642) Where is the github repo? Zip files of source code are literally the dumbest way to distribute (and develop) open source code. Do you have any experience at all with source repositories? Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on October 22, 2024, 12:04:00 AM here first commit of tool
https://github.com/EcuProg7/C167BootTool (https://github.com/EcuProg7/C167BootTool) hoping its what it should be... Title: Re: Fully open source ME7 EEPROM tool :) Post by: Rick81 on January 03, 2025, 01:50:52 PM here first commit of tool https://github.com/EcuProg7/C167BootTool (https://github.com/EcuProg7/C167BootTool) hoping its what it should be... Hi I downloaded it. At the risk of sounding stupid it looks like a cmd python tool how do i connect to my car to read in bootmode Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 11, 2025, 07:01:10 AM Hello,
anyone can help ? We always get error that ECU should be set to bootmode although it is in bootmode (tried with byteshooter - TOOL A). ME7.1.1 0261S05953 06G906022B Title: Re: Fully open source ME7 EEPROM tool :) Post by: Artemisia on March 11, 2025, 09:28:32 AM Hello, anyone can help ? We always get error that ECU should be set to bootmode although it is in bootmode (tried with byteshooter - TOOL A). ME7.1.1 0261S05953 06G906022B I would try with 9600 -readeeprom -SSC 0 Port6 Pin3 0x800 I would also validate which EEPROM chipset your ECU have and use the proper size for the readout. You can send a picture of your board and how you set it into boot mode Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 11, 2025, 10:52:23 PM In bootmode with 2 x 1k resitor connection, was even able to read flash with byteshooter so bootmode must be correct.
Picture attached Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on March 12, 2025, 01:58:47 AM hi, its like artemisia stated, the baudrate is wrong with 19200 (Ecu cant do such a exotic rate).
9600 or 28800 are valid. so command line is : Me7BootTool 28800 -readeeprom -ssc 1 port6 pin3 512 read.bin Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 12, 2025, 02:55:28 AM First, thank you all for your assistance.
Already tried all rates ;-) Picture attached Title: Re: Fully open source ME7 EEPROM tool :) Post by: R32Dude on March 12, 2025, 04:59:35 AM Its an ST10 right? If so read on.
I just use the attached modded ME7eeprom. Read the bat file for info, then run the bat file to and see how she goes. Its never not worked. Try ST10Ripper, for copying the eeprom while in normal mode (not in boot mode) Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on March 12, 2025, 05:18:37 AM I had no problem with ST10.
Which Cable are you using? The error message wrong echo length points to a baudrate or cable problem. Can you please try to connect to ecu with vcds lite with this cable to verify its working? Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 12, 2025, 05:59:54 AM It was indeed the cable ... Thank you guys, both tools read it.
Got two different readouts/sizes, guess the big one is the right one ? Any of you can do correct immo off ? :-) Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 12, 2025, 06:05:20 AM Now readouts attached ...
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on March 12, 2025, 06:14:51 AM the big one looks good, the small one is read with the wrong chip type ( i guess type 1 as from your last pic) and too less size, try this one:
Me7BootTool 28800 -readeeprom -ssc 0 port6 pin3 0x400 file.bin Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 12, 2025, 11:56:22 AM Changed that and gave me same size then.
Thank you very much to all of you. Now looking for immo off on this Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on March 12, 2025, 11:09:45 PM use eepromTool:
http://nefariousmotorsports.com/forum/index.php?topic=6134.0 Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 13, 2025, 12:10:33 AM Somehow I always get a verify error after writing ?
Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on March 13, 2025, 01:35:47 AM try bootTool:
Me7BootTool 28800 -writeeeprom -ssc 0 port6 pin3 off.mod then read back: Me7BootTool 28800 -readeeprom -ssc 0 port6 pin3 0x400 readback.bin and post off.mod and readback.bin Title: Re: Fully open source ME7 EEPROM tool :) Post by: TC1767 on March 13, 2025, 02:35:33 AM Thank you.
Doesnt seem to mean anything, car runs normal Thanks again Title: Re: Fully open source ME7 EEPROM tool :) Post by: tao13 on June 15, 2025, 09:41:57 AM I succeeded to read eeprom from me7.5 c167 ecu with 360trev specifications. Only issue after ecu response with eeprom bytes , first byte of eeprom is the last byte in response.
Now i tried to write eeprom after i sniffed on kline eeprom tools but eeprom not succeeded wrote. These are last commands i used (i saw in sniffed file, after these are a lot of code too but i thinked ity is a verification of eeprom) Kline.write(0x84); response 84 AA KLine.write(0x00); KLine.write(0xFC); KLine.write(0x00); KLine.write(0x00); KLine.write(0x02); delay(100); response 00 FC 00 00 02 HERE i send in 64kb block the eeprom bytes from my Array11 writeLargeBufferInBlocks(myArray11, sizeof(myArray11)); response from ecu with all i sent and EA as last byte KLine.write(0x33); response 33 AA 6A EA KLine.write(0x9F); response 9F AA Some advice please. THNAKS in advance! |