NefMoto

Hi,

I was going through EDC15C2 dumps - comparing, trying to understand bits and bytes beyond the map data and found about what you guys are doing. Great knowledge base you have here! 8)

EDC15C2 uses the same Infenion CPU as does ME7.1 - 16bit Infineon B59233. ECU has Am29F400BT mounted instead of Am29F800BB.

Has anyone done any of this with EDC15C2?
I will probably need IROM contents that matches my ECU to do some stuff in IDA. I guess I can't use what ME7.1 has, or?

I've played around with the me7.1 IROM and my ECU bin. Some addresses are missing especially stuff in 0x8200000.. I guess it is time to lookup the DPP values and get the real EDC15C2 IROM..

Here's a tiny IDC script I used to get all the functions.

Did some more work on this.
There are pictures floating around with EDC15C2 with B59233 CPU marking. Today I've opened up my ECU and found out that the marking is B59388.
In my effort I've identified both, in fact they are the "same" Infineon CPU.

Bosch       Siemens/Infineon
name       name
B59388    SAK-C167CR-4RM (GA) EDC15C2
B59233    SAK-C167CR-4RM (FA) EDC15C2
B00017    SAK-C167CR-4RM (HA) ME7.5/ME7.1 ??

Can someone confirm these findings?

Further, I'm expecting to find IROM in the same place you guys have it in ME7.5.

Thank you!

Hi guys,
I'm new to this forum and I'm very happy to find some guys interested in reverse engineering as I'm not new to this on embedded systems...
Regarding to EDC15, I've a Golf mk4 with EDC15P+ 22.3.2, I really want to start reversing the flash code but I've no idea on how I can dump the CPU ROM code, I've read that on ME 7.xx ECUs it is possible to read the IROM with Minimon in bootmode...
So having the EDC15P the same Infineon C167 processor can I dump the code this way??
Just in case using Minimon what cable can I use for that?? I've a Galletto 1260, Mpps v12, Vag.com 10.6 hex and a Vag KKL cable...
Thanks you and sorry for my bad english :)

IMO, it should be possible. Since my post here, I've managed to get the C167 ROM out of my EDC15C2, since there was no interest in the topic here I never put any effort to post my findings.. lazy.. i know.

I used minimon and KKL like cable, built on my breadbord. Just connect with the minimon, and set the address range, and then do the upload (i thinks)..
If you need minimon settings let me know, I have some that worked with my EDC15C2.

Cheers!

Thank you very much!! :)

Nevermind, I've figured out how Minimon works and then I'm pretty sure it can only run in bootmode... :)
Thanks :D

Yep, you need to put the ECU in the bootmode for Minicom.

Hi,
I've managed to read the ecu IROM with Minimon but I was wondering is possible to read the 24c04 eeprom (immo\vin etc) and the 29F400bt flash through Minimon...
I've seen the external bus is disabled by default therefore I presume I have to build my own firmware to read\write the 24c04 or there is another way??
I'm trying to clone my ECU but I miss read\write access on the 24c04...
Thank you!! :)

I'm it worked for you too!  8)


It should be possible to read the 24c04, too. I believe it is a matter of setting up the C167 to use I2C/SPI through the Minimon. I had made a stab at my eeprom 95sp08 readout some time ago, but I have not succeeded.

For the flash, I think it is possible to read it -  it was almost a year since I've done it and I'm quite sure what was the Minimon setup exactly. You need to tell the Minimon to use external bus in the preferences IIRC, OTOH you can always try to read flash and compare the results with the galletto dump.

I've been able to read the flash reading the datasheet that the extmemory is mapped from 0x80000 (finally I've found a 464 pages pdf,  I've had a 74 pages before).
I've been wondering on how the EEPROM could be read then thanks for the tip (SPI), I'll investigate on this!!  :)

Just to update the thread, I've successful read and written the 24c04 I2C e2p creating a custom loader\driver in bootmode, I thought it was the simplest way...
I haven't tried to read/write via obd "normal" KWP mode, I'll try it asap...
Thank you :)

Great m8!!! Care to share the i2c driver ;)

Hi,
I've been able to read the 24c04 via OBD on a EDC15P ECU but I encountered the WFS (Immo) protection,
reading the software manual logins from 0-9999 are Immo-related so I think there is a way to disable the WFS protection, asap I'll try some login pass I've found in the file...
Relating to map finding on a Vag EDC15P, I'm usually pretty good at reversing, analyzing or cracking code on any platform
but this time I can't find any map reference in the code... :(
The frustrating thing is that there's no output reference as usual to start with, except made from DTCs or Maps Addresses but everything seems to be "dinamically" referenced (due to the 3 Codeblocks available I think)...
I've also determined the DPPs settings from the IROM dump but it's difficult to know if they're right...
In the meantime I'm writing a program to read the RAM and so try to find some "easy" references...
So has anyone succeded on finding maps refs on a EDC15??
I'll attach the IDA idb file I'm working on as soon as I'm at home!
Thank you guys!! :)

just a question when you do changes what program do you use to correct the checksum ??

I've been able to find some RAM variables as a reference and from that I've reloaded the entire file,
now I've been able to find every map, variable and procedure that I needed without any problem...
I'm currently developing some new features for this Ecu like:
- Overboost for x seconds (depending on the EGTs) activated by Cruise Control
- 3 Complete Map switch also via Cruise Control (current map is visualized via RPM on the Instrument Cluster)
Have already written the code for Overboost & Map switch,
the only real problem is to find some empty locations on either the internal or external RAM.

@Brumbassen, I've written a my own program to read\write the E2prom\Flash and it's calculating the checksums on the fly anyway I recall that there's a small program distributed by MTX Electronics that is free (something like "Vagcheckfix"), it has some bugs but it'll do the job for almost every Vag EDC15 ecu... :)

Sounds really interesting. I would love to he able to reverse engineer how I know nothing about cpu's and memory and how they work together :(

Would be nice if you posted DPP and segment info.
Not required, just nice.

I made a script for loading ME7 binaries, I am sure the same script can be adapted for EDC15:
http://nefariousmotorsports.com/forum/index.php?topic=2431.30 (http://nefariousmotorsports.com/forum/index.php?topic=2431.30)

Amazing work...... really impressive  :o :o :o :o :o :o. I wish I had the time to learn to do reverse engineering.
How much time do you take to made these mods to EDC15 firmware?

Overboost on a diesel? Do you know what boost does on a diesel engine at least?

The loading of the file is very simple, I was having problems with DPPs settings because in fact DPPs (0 to 2) are changed at runtime depending on the ECU coding because of the 3 codeblocks (Manual, Auto & 4x4)...
The default settings to the DPPs are ok to start reversing (DPP0: 0, DPP1: 1, DPP2: 2, DPP3: 3),
then it's easy to change DPP0-2 to point to the codeblock you want to be selected.
(3 pages of 16kb each, so for example set DPP0 to 0x3C if you want the third codeblock to be selected).

At first I was changing every DPP to the values present in the IROM and so having a lot of problems locating anything... :(
DPP3 it's used for RAM\CAN access so the default value (3) is OK for the entire file.
The 29F400BT flash is mapped @ 0x80000 so loading in IDA you have to put 0x8000 (paragraphs).
I suggest to first locate a RAM variable like dzmNmit (engine rpm) or something like this,
will give you a nice picture of how the system control strategy works.
There are NO direct Maps references in EDC15 due to codeblocks so its a bit tricky to found how they're addressed.

Regarding to the time it takes I worked on this for 2-3 hours for 3-4 days because I've some important & difficult exams to do (I'm a computer science student) and I've very little time to work on this...
I've worked on the PSP modding scene before ("Xplora" is one of my projects) and comparing the two systems the ECU is just a small, easy module (code section is less than 300kb)...
Adding the "overboost" feature & the map switch isn't difficult at all once you have a good picture of the program...

@IamwhoIam, "overboost" is just a name for the basic "no IQ limitation" function I've added,
in fact now the desidered boost pressure isn't even modified,
for now it just bypasses every IQ limitation (no smoke limit, no torque limit, no REV limit, no launch control etc) when Cruise Control is enabled...
I'll add some sort of "boost up" feature but it isn't simple to istantly lift the boost because of N75,
anyway I'll soon rewrite it because bypassing the entire IQ limitation is not exacly the best way to do this... :)

Asap I'll rewrite everything to:
- activate only if CC SET+RES are pressed at the same time
- deactivate CC if it has been enabled
- bypass smoke & torque limitation (with some checks for component protection)
- make the MIL blink while "Iq bypass" is actived
- disable it after 'x' seconds due to EGTs

Finally had the time to finish the "IQ no limit" and map switch functions!! (3 complete maps)
Tested and working perfectly!! :D
So the "IQ no limit" function:
- disabled under 2700 rpm (components protection)
- popping rev limiter to 5200 rpm
- activates via Cruise Control SET+RES
- diagnostic light flashes while active
- deactivates after 10 sec due to EGTs
And the map switch:
- 3 complete maps (with every switch\map\curve)
- can be changed while driving via CC SET & clutch
- current map visualized on the instrument cluster via Rpm
   the first time SET is pressed and while selecting maps (3 sec timeout)
- configuration is saved (i'm adding this now)

Asap I'll upload a video and I'll start working on the Live Tuning function!! ;D
Any other useful function suggestion is really appreciated!!

hi ne0h,

are there any news about your amazing revering work? (videos, ida file, ecc)
Your posts rekindled my interest at these stuff !!  ;D

I have lot of x86 reversing experience and some related to ARM architecture (nokia 3310 ;) ),
and i would like to play with my rover 75 with edc15 DDE 4.0


best regards

Hi,
sorry but I'm really busy atm due to exams and some jobs...
Soon I'll finish my "EDC15 Project"...
Just have to do some test to confirm everything is working properly, write a bit of documentation on this
and reorder the code or I'm gonna struggle understanding my own work in future.

Hi again,
finally had some time to make a little video of the map switch function.
Soon I'll make the "overboost" video.

Here the video: www.youtube.com/watch?v=t81zevGZieQ

Hi Neoh,
very very nice work!
your work really interested me.
For months I disassembles my edc15p without much result and you in some time you succeeded!
impressed!
I work on a french (my english is very bad) forum but little french guy know the disassembling.
Are you using ida or another software? ida make many errors in disassembling.
I hope one day you will share your work.
see you later.

Hi,
I'm using IDA to disassemble and for me it's the best so far...
Probably the errors are related to "wrong" DPPs settings but there's no way IDA could resolve the addressing in the right way,
even with the right DPP settings some addressing errors are quite normal considering that all the procedures are called from a table.

Regarding disassembly, my suggestion is to start reversing from something known or easy to find, usually some kind of output but this isn't the case
so I've started from the known variables IDs found in the EDC15 software doc...

About sharing the work, I'm not really keen do distribute the sources but only because I'm pretty sure they will not be used in the right way.

Also, I'm trying to build a work around this, but it's really difficult as there are no good tuners around here and (I hope you will not misunderstand what I'm saying) having analized the local tuners work I'll probably end up "teaching" more than "learning" and that's not what I'm after.

Best regards

this is a good way for locating the map?

For the 4d soi?

Hi,
from the first pic I can only understand that something wrong is happening, doublecheck the DPPs settings... the second picture look strange but familiar, 4d maps are loaded that way...
First thing I suggest you to do is to align RAM refs so check the DPP used and set it accordingly to insure every write ref. points to a valid RAM location...

Why you look stange?
Another question, wath do you load in mem_ext (8000h to dfffh). The software use many data in this place (with dpp3, always equal to 3)?