Title: How to identify candidate for reverse engineering/flashing in circuit
Post by: thenextdon13 on October 10, 2009, 02:18:41 AM

I'm trying to get a handle on how this all works, and at the same time document it for placement into the wiki on this site (as more understanding is built), as more of a general info thread than an ME7-specific thread. And hopefully folks don't find this type of thread or questioning a waste of time.

How do you go about identifying a candidate ECU for flashing in circuit, through the OBD port or another method? I am assuming you have to:

- open the ECU and identify the memory chip;
- look up the datasheet on the memory chip to find out whether it is re-flashable or not;
- identify whether the chip can be flashed in circuit (called out somewhere on the datasheet?);
- identify whether the pins required to flash the chip in circuit are taken out anywhere on the circuit board.

Are there standard symbols and specifications that should be looked for in terms of the communication and boot setting pins?

For example, the AM29F800BB-70SI that was in my 2001 A4 B4 1.8T box. Datasheet: http://pdf1.alldatasheet.com/datasheet-pdf/view/55524/AMD/Am29F800BB-70SI.html

The datasheet indicates it can be flashed in-system...

Code: This device is designed to be programmed in-

Is this an important hint?

Code: The device is entirely command set compatible with the JEDEC single-power-supply Flash standard.

It appears from the datasheet that 'CE' (Chip Enable), 'OE' (Output Enable) and 'WE' (Write Enable) are particularly important for reading from or writing to the chip.

Code: DQ8–DQ15

These appear to control the chip state or expectancies, i.e. prepare to write or prepare to read from the memory. If I am reading this correctly, the following pin(s) are actually used for the data transfer...

Code: DQ15/A-1 = DQ15 (data input/output, word mode),

So, in order to program this chip in circuit, the CE, WE and OE have to be manipulated correctly, and then the DQ15/A-1 is passed data. Is that accurate?

Is there generally some device such as a MAX232 which sits between the USB dongle and the flash chip itself to change the level to 0-5 V? Or do the dongles themselves put out 0-5 volts for communication? Is there generally some other logic device between the dongle and the chip to control the CE, WE and OE pins after taking input from the dongle? And what pin is used to get into boot mode (for the folks that have been using Galletto with other vehicles)-- is this the 'RESET' pin, which does the following?

Code: The hardware RESET# pin terminates any operation

Thanks for any insight that can be given... and if these are mundane questions with answers easily available through other documentation, please point toward some.. :)

Camden

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: Tony@NefMoto on October 15, 2009, 04:30:24 PM

Every step you have listed is exactly how you do it. And yes, it really is that tedious. This is how I did it myself when I started working on this stuff in 2005.

One thing you have missed, though, is that you can use the processor in the ECU to flash the memory chip for you, since the processor is already connected to all of the pins on the flash memory chip. Just do some searching for "bootstrap mode" in the C166/C167 processor documentation. There are a number of free programs out there that let you use bootstrap mode in the processor to load any code you want into the RAM of the processor. The trick then is getting code loaded into RAM to actually flash the memory chip.

Many ECU tuners call bootstrap mode "boot mode", but bootstrapping is a common computer science term that most technical documentation refers to. For the record, the official Bosch flashing protocols have nothing to do with bootstrap mode. And to use bootstrap mode you need to remove the ECU from the car, open it up, connect wires to the circuit board, etc. If you're like me, this is also when you make a wrong connection and fry one or more ECUs. :D

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: thenextdon13 on October 15, 2009, 08:57:18 PM

OK, good to know I'm on the right track-- kinda, heh.

So, this brings up another question: identification of the CPU. When I first opened the case of my 1.8T A4 AWM ECU (4B0 906 018 M / 0 261 206 875) months and months ago, I couldn't find a datasheet or information on the internet regarding the part numbers on the CPU itself (attaching a picture)... or for that matter virtually anything else on the board aside from the flash chip. Bosch must be very closed about their components.

The other day I started searching again for it... using b59233 and 1037350115 as shown on the chip. This time I got a hit on b59233 at http://s4wiki.com/wiki/Bosch_ME7.1, which indicates:

"The Bosch ME7.1 Engine Control Unit (ECU) appears to use two 16bit Infineon B59233-FA (aka SAK-C167CR-4RM) CPUs."

How did Nye T. Liu figure out what this processor was when searches for the part numbers online don't give any seemingly useful results? I searched for hours at some point for the datasheet for it and kept getting spam searches with things like diodes and such. Are there any secrets to identifying CPUs aside from googling the part numbers and digging through the results looking for a hit?

Back on topic... Hmmm, so I suppose to see if you can use the CPU to communicate with the flash you will have to trace the 'chip enable' and 'write enable' pins and ensure they are hooked up to some output ports on the CPU.

The bootstrap mode is something that I have more recently been getting a grasp of. My understanding is that bootstrapping is basically the handoff of hardware control from the bootloader to a secondary piece of software. The bootloader takes care of communication to/from the CPU until this handoff is made. What we do by removing the ECU from the car and enabling boot mode is essentially stop the auto-booting that is programmed in at the end of the device initialization by the bootloader. The bootloader generally includes some communications protocols to allow management of hardware. In large devices (such as home routers) it even has a built-in command line interface and commands to report things such as memory use or variable/environment information. Not sure if this is the case with ECU CPUs.

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: ArgDub on October 17, 2009, 08:18:45 AM

First post, so hello to all...

Quote from the C166 Family User's Manual:

"The built-in bootstrap loader of the C167CR provides a mechanism to load the startup program, which is executed after reset, via the serial interface. With the BSL it is possible to load a program of 32 bytes into the internal RAM of the C165/C167 via the Serial Port 0 (ASC0), even if there is no internal or external program memory available. This short program can be used to load extensive user software to internal RAM or external memory…. …note that the BSL is not a Flash EPROM programming algorithm. The BSL is a program which can be used to load the Flash EPROM programming algorithm."

Does that mean you can always recover from a wrong flash? Or you can read by OBD even the protected chips?

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: thenextdon13 on October 18, 2009, 08:54:02 PM

I am no expert, but I would say that sounds right, provided you had the right program written to do it. 30 bytes isn't much space... But as I read it, you could write a program that then turns and loads an EEPROM flashing program, which in turn could flash something, i.e. the default image back off of the flash. Again, I am no expert and don't really know what I'm talking about here :P

c

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: Tony@NefMoto on October 19, 2009, 01:50:13 PM

Quote: Does that mean you can always recover from a wrong flash? Or you can read by OBD even the protected chips?

That is exactly what it means. Here is a big hint: http://www.perschl.at/minimon.html

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: Tony@NefMoto on October 19, 2009, 01:51:59 PM

Quote: So, this brings up another question: identification of the CPU. When I first opened the case of my 1.8T A4 AWM ECU (4B0 906 018 M / 0 261 206 875) months and months ago, I couldn't find a datasheet or information on the internet regarding the part numbers on the CPU itself (attaching a picture)... or for that matter virtually anything else on the board aside from the flash chip. Bosch must be very closed about their components. The other day I started searching again for it... using b59233 and 1037350115 as shown on the chip. This time I got a hit on b59233 at http://s4wiki.com/wiki/Bosch_ME7.1, which indicates: "The Bosch ME7.1 Engine Control Unit (ECU) appears to use two 16bit Infineon B59233-FA (aka SAK-C167CR-4RM) CPUs."

If I recall correctly, I figured out the processor type using the number b59233. I just kept searching using the different subsets of the part number on the chip.

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: RaraK on October 27, 2009, 03:25:35 PM

AUDI A4 18T 4B0906018M 170HP 5 SPEED ME75 CHK:0C89 BOSCH 29F800 0261206875 1037354803
AUDI A4 18T 4B0906018M 170HP 5 SPEED ME75 CHK:0D89 BOSCH 29F800 0261206875 1037354721

There's your software number, one or the other; two versions for your ECU, if you didn't find it. All CPUs are Siemens 167CRs, right?

Oops, thought you were looking for software numbers in the first post, guess not. Where is my head today.

Title: Re: How to identify candidate for reverse engineering/flashing in circuit
Post by: thenextdon13 on October 27, 2009, 04:11:39 PM

Thanks, RaraK :) It's all good, I need to look more into that... Probably auto vs manual... I would imagine.. or maybe not.

Thanks
Camden
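Editor's note, added after the thread: the first post asks what has to happen on CE#, OE#, WE# and the DQ lines to program the Am29F800 in circuit, and Tony's reply points out that the C167 can do it itself once code has been loaded into its RAM through the bootstrap loader. What neither post spells out is the JEDEC command set the datasheet quote refers to: in word mode all sixteen DQ lines carry data in parallel (DQ15 only doubles as address bit A-1 in byte mode), and programming or erasing is done by writing a fixed sequence of "unlock" and command words to the chip, each as one WE# pulse with CE# low and OE# high, then polling DQ7/DQ6 until the chip's embedded algorithm finishes. The C program below is the editor's own illustration, not code from the thread, from NefMoto or from AMD. It models the chip's command state machine in software (`sim_flash_t`, `bus_write`, `bus_read`) so the programmer-side sequences can be exercised on a PC; the `BUSY_READS` poll count and the `demo_` scenario are constructed for the example. The unlock addresses 555h/2AAh, the command bytes and the bottom-boot sector layout are the standard Am29F800B word-mode values.

```c
/* Added example (editor's own; not code from the thread, NefMoto or AMD): the JEDEC
 * command cycles a flashing routine issues to an Am29F800B in word mode, whether it
 * runs on the ECU's C167 after a bootstrap load or on a bench programmer driving
 * CE#, OE#, WE#, the address lines and DQ0-DQ15. A "bus write" is one WE# pulse with
 * CE# low and OE# high; a "bus read" is CE# and OE# low with WE# high. The chip is
 * modelled in software so this runs on a PC; on hardware bus_write/bus_read become
 * accesses through a volatile uint16_t pointer into the window where the flash is mapped. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FLASH_WORDS (512u * 1024u)  /* 8 Mbit = 512K x 16 */
#define BUSY_READS  3               /* assumed: reads until the embedded algorithm finishes */

typedef struct {
    uint16_t mem[FLASH_WORDS];
    int      cycle, busy;   /* unlock progress; simulated program/erase still running */
    bool     erase_armed;   /* 80h erase-setup seen, second unlock pending */
    uint32_t busy_addr;
} sim_flash_t;

static sim_flash_t g_flash;

/* Am29F800BB bottom-boot sector map (word addresses): 8K, 4K, 4K, 16K words,
 * then fifteen 32K-word (64 KB) sectors. */
static const uint32_t boot_sector_end[] = { 0x2000, 0x3000, 0x4000, 0x8000 };
static void sector_bounds(uint32_t a, uint32_t *s, uint32_t *e)
{
    *s = 0;
    for (int i = 0; i < 4; i++) { if (a < boot_sector_end[i]) { *e = boot_sector_end[i]; return; } *s = boot_sector_end[i]; }
    *s = a & ~0x7FFFu; *e = *s + 0x8000;
}

sim_flash_t *flash_fresh(void)   /* fully erased chip in read-array mode */
{
    memset(g_flash.mem, 0xFF, sizeof g_flash.mem);
    g_flash.cycle = g_flash.busy = 0; g_flash.erase_armed = false; g_flash.busy_addr = 0;
    return &g_flash;
}
/* Chip side: one WE# pulse, decoded as a command cycle. */
void bus_write(sim_flash_t *f, uint32_t a, uint16_t d)
{
    a %= FLASH_WORDS;
    if (f->busy) return;                                    /* commands ignored while busy */
    if (d == 0xF0) { f->cycle = 0; f->erase_armed = false; return; }   /* reset to read mode */
    switch (f->cycle) {
    case 0: f->cycle = (a == 0x555 && d == 0xAA) ? 1 : 0; return;
    case 1: f->cycle = (a == 0x2AA && d == 0x55) ? 2 : 0; return;
    case 2:
        f->cycle = 0;
        if (f->erase_armed) {                               /* 6th cycle: 10h chip or 30h sector erase */
            uint32_t s = 0, e = FLASH_WORDS;
            f->erase_armed = false;
            if (d == 0x30) sector_bounds(a, &s, &e);
            else if (!(a == 0x555 && d == 0x10)) return;
            memset(&f->mem[s], 0xFF, (e - s) * sizeof(uint16_t));
            f->busy = BUSY_READS; f->busy_addr = a;
        } else if (a == 0x555 && d == 0xA0) f->cycle = 3;   /* program setup */
        else if (a == 0x555 && d == 0x80) f->erase_armed = true;
        return;
    case 3:                                                 /* program: cells only go 1 -> 0 */
        f->mem[a] &= d; f->busy = BUSY_READS; f->busy_addr = a; f->cycle = 0; return;
    }
}
/* Chip side: a read. While busy, DQ7 is the complement of the data being written
 * (0 during erase) and DQ6 toggles on every read; programmers poll these. */
uint16_t bus_read(sim_flash_t *f, uint32_t a)
{
    a %= FLASH_WORDS;
    if (f->busy) { f->busy--; return (uint16_t)((~f->mem[f->busy_addr] & 0x80) | ((f->busy & 1) << 6)); }
    return f->mem[a];
}
/* Programmer side: the sequences the C167 (or a bench programmer) issues. */
static void flash_unlock(sim_flash_t *f) { bus_write(f, 0x555, 0xAA); bus_write(f, 0x2AA, 0x55); }
static bool flash_wait(sim_flash_t *f, uint32_t a, uint16_t expect)  /* DQ7 data polling */
{
    for (int i = 0; i < 1000; i++)
        if (((bus_read(f, a) ^ expect) & 0x80) == 0) return true;
    return false;   /* real code also checks DQ5 (exceeded timing) and issues F0h */
}
bool flash_program_word(sim_flash_t *f, uint32_t a, uint16_t d)
{
    flash_unlock(f); bus_write(f, 0x555, 0xA0); bus_write(f, a, d);
    return flash_wait(f, a, d) && bus_read(f, a) == d;     /* DQ7 done is not a verify */
}
bool flash_erase_sector(sim_flash_t *f, uint32_t a)
{
    flash_unlock(f); bus_write(f, 0x555, 0x80);
    flash_unlock(f); bus_write(f, a, 0x30);
    return flash_wait(f, a, 0xFFFF) && bus_read(f, a) == 0xFFFF;
}
/* Why a changed image needs an erase first: programming only clears bits, so 0x1234
 * overwritten with 0xFF00 reads back as 0x1200, and the program call reports failure. */
uint16_t demo_overwrite_without_erase(void)
{
    sim_flash_t *f = flash_fresh();
    flash_program_word(f, 0x10000, 0x1234);
    flash_program_word(f, 0x10000, 0xFF00);
    return bus_read(f, 0x10000);
}
```

On the ECU the same sequences are executed by whatever the bootstrap loader put in RAM, with `bus_write`/`bus_read` replaced by accesses to the chip-select window the C167's bus configuration maps the flash into; the chip decodes the unlock cycles from its low address bits, so the window's base is simply added to 555h/2AAh. The DQ7 poll only says the embedded algorithm has stopped, which is why `flash_program_word` reads the word back afterwards, and why a word that already has zero bits where the new image needs ones can only be fixed by erasing its whole sector.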