NefMoto

Hi, I have a chipped ECU sitting on my table. Finally I thought, I can see what is changed, compare to stock. Well I opened it up and to my dismay here's what I found:

2001 A4 1.8t
4B0 906 018 CH

Image_4064 is one I pulled from a listing on Audizine and is not the actual underside of my chip, however I'm assuming they look identical. If any one has any info on this it'd be great. If I need to desolder the eeprom to read ok, but what is the other chip for? I don't want to try something for nothing. Thanks, took me a while to post pics, but they should all work.

I think the chip on the underside is for simple encryption. Probably swapping address lines. If you read the flash IC it'll probably be scrambled but if you read the module as a whole with a suitable reader it should read out like a normal flash because that's how the MCU has to read it.

I was looking at this to be able to read:

http://www.mcumall.com/comersus/store/comersus_viewItem.asp?idProduct=4312

along with:

http://www.mcumall.com/comersus/store/comersus_viewItem.asp?idProduct=4406

Would this do the trick, or do I need something different? Thanks for the reply. I was all geared to read this out too, but if I need something else in my setup so be it.....

So I had a simplified thought, and it would be nice to get some feed back- is there/could there be anything preventing me from reading it in boot mode? I mean, I saw the extra hardware and got startled, but would boot mode work on this monstrosity? I'm sorry to sound so scattered, but I have read nothing on here, or elsewhere about this particular setup. I have read of certain companies implementing device s to change the code if its trying to be read, but never any facts or pictures, just talk. I just want to get it right. ;)

You have already tried NefMoto, Galletto, etc...?

No sir, I saw diifferent hardware and stopped there. I would love to bench flash with nefmoto, I have to wait for the cable to come in the mail, and wanted everyone's opinion on the hardware. If you can tell, I'm not exactly computer savvy, but times are changing. Time to get with the program, I saw the extra chip and just figured it would lock me out somehow? I have Read Tony's post somewhere that said boot mode should bypass anything a company may put to block from reading, I just didn't expect all of that!

OK- so just an update, I am going to try nefmoto and bench flashing. I don't believe it will work but I did get news there is a way to do it from a gentlemen on another site. Quote:

"29f800 has got 19 Adress pins, 15 Data pinsand one CE(CHip enable) pin.
So you need a microcontroller with at least 35 I/O pins. Therefore I would take a seeeduino mega or arduino mega developement board. The trick is to set first adress with atmeg, read it and then toggle chip select. after that, the memory in the addidional chip on your board is cleared and cant remeber the last read out. after that you can read the second adress with again toggeling CE after that.
Normal Programmers read straight through, so it is recognized by the additional chip. With this method your chip cant recognize anything, because e cant remember the last adress."

Thought this may be interesting for some. Looks like I have some reading to do. The more I learn, it's obvious, the less I know... :-\

FYI- That ATMEL PLD is a commercial grade part. The temp range is only 0 to +70 degree C. Sure hope whoever designed this didn't expect things to work when it's COLD out.

I don't plan on putting it in the car, I'm hoping to read it in boot mode and send it on its way if the damn cable ever gets here. Good info though, thanks.

Any update on this? The only encryption board I have messed with detected boot mode and disabled the flash. I bypassed that detection and was then able to read the flash no problem. The boot mode detection was done using a PIC microcontroller, the board also had a PLD on it but it appears to be straight through and unused. Yours is most likely used and if whoever programmed was smart will detect sequential reads and disable the flash. It may also only accept a certain start address for the first read and not work if you start at zero, such as a boot mode read does.

@ rob.mwpropane :

Do you have a KWP2000+ ecu flasher interface ?

If so, there might be a way to get the flash readed out.

Cheers,

PvL

hello

i cant understand why you cant read the flash !! my optican read it without problems !!

the only problem is to write !!

you cant !!!!


you must desolder the chip from the base copy  !! its easy than you can read and write !!

Well I hope that they were not smart enough, it was flashed in 06, date on the outside. I was going to try nefmoto/bench to try to read. Thoughts? What is the worst that could happen?

I can share why I can't read the flash:

     1. Contrary to what you may think, I'm quite handicapped when it comes to computers!

     2. I own a VCDS and a ebay  409.1 kkl cable from ebay, not an optican.

I was told if I desolder the chip to read that it would probably be encrypted and look like garbage. Hey I'm all ears for suggestions, but you may have to spell it out a little more clear. Why would optican be able to read it out, and not nefmoto software?

Just for the record, if I do get this read I plan on posting it. I bought it used, I don't plan to name the company and it's my ECU. So when the gentlemen in the earlier post stated that it would "disable" the flash, what did he mean?

The Atmel chip on the board may detect boot mode and disable the flash or it may detect a sequential address read and disable the flash. In both cases I believe it would only disable reading for that one session, a power cycle should allow the ECU to boot again.

So you can try a read in boot mode and see what it does, I suspect you'll just get garbage in the file, but you never know. I have one hardware encryption board that just does pass through, it seems the encryption code was never added to it.

hello i dont know why optican reads it !!!

i had this problem by myselfe with this base copy shit !!


looks like MTM or ABT

i had this on audi s3 8l year 2000

to read the software is possible but write is impossible !!

what did you do now ???

did you desolder the chip from the base copy ???

you can solder this chip on the ori base !! desolder the complete shit of base copy !!

it works !! i have done many of this ecu

I have not done a thing to the ECU yet, I'm trying to find some time. I don't plan to desolder it, I've changed my mind on that. If anything I'll just re-sell it at some point. I hope I'll get some in the next couple days. If I remeber correct, optican isn't cheap. Are you using a clone by chance? If so, where did you purchase it?  ;DThank you for the advice, I will have to look into that route after my first read, which most likely will in fact be "shit".

hi

if you dont want to desolder you cant read/write the ecu !!

i think there is no optican clone !!


i have a genuine optican dual master system !! this tool is expensive !! 4500 for the master version !! but i think its a very good tool !!!

did you try it with a MPPS ?? maybe this tool will do it !!

you can send this ecu to me and i can read it for you if you want !!


king regards

Pull a good bin off chipped ECU, sell chipped ECU, flashed tuned bin to stock ECU.

Well this is what it says when I try to read it on the bench:

ECU reports programming session preconditions have been met.
Negotiating communication timings.
Successfully changed to new communication timings.
Requesting security access.
ECU reports that security access request was rejected.
Starting diagnostic session.
Disconnecting because no response was received for the Tester Present message.
Disconnected
100% complete.
Validating memory layout failed.
Restoring Windows sleep mode.

This is what it says in the car:

Requesting security access.
Security access granted.
Validating flash memory starts at 0x00800000 and ends at 0x00900000.
Memory layout is valid.
Starting to read data block.
Calculating flash checksum to determine if reading is necessary for range: 0x00800000 to 0x00810000
Flash checksum does not match, reading flash data is necessary.
Requesting upload from ECU for address range 0x00800000 to 0x0080FFFF.
Request upload from ECU succeeded.
Starting data transfer.
1% complete.
2% complete.
3% complete.
4% complete.
5% complete.
6% complete.
Data transfer failed.
100% complete.
Reading ECU flash memory failed. ??? ???

I'm assuming that nefmoto can not read this, but I switched over to my stock ECU, and couldnt read that in the car either? What the heck am I doing wrong? It validates memory layout, but only gets to about 6% done and then fails on both chipped and stock ECU's. I'm at a loss, but after all attempts I'm still able to start the car with both ECU's. :-[

indeed, nefmoto will not do benchreads (yet)

Tony .... when will this be possible, please ???

For the meantime, try it with kwp2000+ on the bench.

It does not cost a arm or leg that interface...

Ok so now I've got a galletto cable. The software says boot mode for 29f800BB, but as you can see in the previous pictures (if you looked!) that the chip inside my ecu is a 29f800BT. Will this cause a problem? Does that have a different memory layout? Thanks for everybody's help, I'm pretty close to either a total failure, or total success. Either way it's been a real learning experience. Thanks to everybody for their help. Lots of people have pm'ed me and what not pointing me in the right direction. Great site, good people...

Check both VW and Audi for their options. There have been a time or two where I had to use a different manufacturer to get the correct chip layout. I don't remember whether BB and BT are interchangeable, but remember seeing reference to this somewhere on this forum..Maybe search?

So I did search...duh!! Thank you for the suggestion. This is what I found posted by Tony:


So I'm going to assume that to read I could just use the 29f800bb to read!! Will try Tuesday or Wednesday when I have some more time. Thanks!

Its not an issue at all with Gelletto, read away!

I am really looking forward to the results as I received a similar type board today and I plan to read the flash on it. Mine is a little different in that the flash chip is socketed and the PAL has the part # sanded off. There is also a glop of epoxy covering a bunch of the pins. I already traced the connections and have determined the following on mine:

6 data lines are remapped via PCB traces and not the PAL
6 address lines are processed/rerouted by the PAL
1 additional address line is processed but not rerouted
CE# and OE# are also connected to the PAL
based off the Vcc input and the fact that the PAL has 20 pins I am sure its the same as yours - a 16V8

I can't help but wonder if I will be able to just dump the flash through the PCB in boot mode, it seems like they would have protected against that but based on the address lines monitored it may not be possible to stop it. They are not monitoring the boot pin (DQ4) at all with the PAL.
If they were looking for a read to start at zero I was just going to start the boot mode dump and then plug the flash in hot a second later.

I would have tried reading it in boot mode already but the unit needs to be plugged into an ECU so I need to order some header pins and solder them into a spare ECU.

Well, I planned to do this to get into boot:

http://nefariousmotorsports.com/forum/index.php/topic,104.0.html

As soon as I find time! Hopefully later today, but with it being a BT and not BB I think the above thread should work for me? Wish me luck ;D

There are many alternate boot points, I haven't ever had pin 3 of the eeprom work for me though. There are valid points to enter boot mode on the flash chip, the ram chip, the CPU and at least one test point on the bottom of the PCB.

No sir, I was going to go for pin 27 on ram like in the picture at the top of that thread...

Ok, just an update. I got everything hooked up right.... just to find out I didn't  install the drivers correctly and then researched to find galletto works better on xp.... damn vista. Oh well, I guess it has to wait for this weekend... unless someone has driver to get gilletto to work on vista? If not, no big deal, just have  to wait :-\

I believe Galletto just uses standard FTDI usb to serial converter drivers, the interface looks like a regular com port to the computer, the software verifies a stored serial #.

I got my board which is similar to yours soldered into an ECU and read it out using boot mode. The dump appears to work fine in a stock ECU but does fail one checksum. Its likely one that isn't checked as I've run the ECU on the bench for several days now with no checksum faults appearing(I've also rebooted it many time)

edit - two pics of the board I have:

Thanks for the reply. It seems when getting a friend to help with computers for free it takes twice as long than paying someone. It's no big deal. I'm just waiting to be able to read this thing. What do you mean you had the eeprom desoldered off the board and soldered into another ecu? I thought it needed the smaller chip to go through to get a viable read? But you say the bin looked fine? I'm just curious, thanks.

NefMoto software should be able to read this ECU. The log output you posted indicates a communication error and not a tune that prevents reading over OBD. Can you post a log file?

Boot mode reading is coming, and I already have the basics working. I need to release my data logger and support Windows XP first though.

Sorry for the delayed response, I didn't notice anyone had posted in this thread. I found what my problem was, dead battery, and my eBay cable wouldn't stay connected. It was driving me nuts. After I put a battery charger on it, and changed to a rosstech cable it worked beautifully. Thanks.

Good to know. Thanks for letting us know what fixed your problem.

To confrim, Nefmoto read it?

Yes sir it did. I was astonished and very excited.