|
Title: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:14:59 AM Anyone interested ?
For various reasons (see below) the ArgDub tool was not sufficient for my requirements, I also didn't like that you had to specify which pins to use (when you can in fact automatically discover this, more to follow on how I accomplished this on my own implementation). While ArgDub's tool was free it was never open sourced (proprietary close source) and therefore nobody could improve on it or add new features so when the project stops getting supported its dead. Also I have never been truly satisfied with the reliability of it depending on the speed on your PC, etc. I suspect the timing accuracy isn't as good as it needs to be for the serial drivers. I had issues several times getting it to work. So I needed to do a clean room implementation which I did a while back ago now. I'm just tidying it up for public release but it is working very well so I will be releasing the full source-code to it very shortly on Github. Before I do that I just wanted to give you some technical details to how ArgDub's tool actually works. It may come as a surprise to some but his tool was very heavily influenced and indeed includes code derived from the free Minicom software from Siemens. Also I think probably some open sources available at the time for a published eeprom driver. Ofcourse getting this to work is a lot of work and reverse engineering of ME7.x rom's to see how Bosch integrated the gpio itself is obviously timing consuming (so thank you ArgDub for the release) but with effort anyone with embedded experience and appropriate documentation can write their own, its very doable (as I have done). The driver itself is pretty straight forward and the most important elements are how to configure the correct gpio pins so that its compatible with your pcb wiring. I'll post several posts now on the inner workings of how this all is done and show you the possibilities this opens up (like cheap Arduino's from ME7's :) Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:24:09 AM OK. So on to how the EEPROM Tool works.
It actually uses Bootmode to load a minimon app, then uploaded an eeprom driver (which is patched before upload for the appropriate gpio pins) and then runs the code with the pc app controlling the me7 app to download memory. Lets delve into how this all works in detail. First of all, lets start with the basics, Bootmode... What is it? It is basically a "special debugging/programming mode" built into the C16x Microcontroller series (a bit like a crude pre-cursor to JTAG) which allowed you to override the default booting behavior configured by board manufacturer (in this case Bosch or its affiliates). To activate it you simply short to ground the appropriate pin on the micro-controller and at this point an alternative boot loader inside the MCU (Microcontroller) is executed. Ever wondered what the internals of this bootloader looks like? Here it is... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:31:18 AM I highlighted in Yellow the hex code, in this particular spin of the C167SR its going to send us 0xC5h back once serial comms are established.
So once we have serial port opened this is what going's on.. { Send BSL + Minimon Monitor Core -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (0.0000 seconds) <--- Send HELLO byte (i.e. the single byte 0x00, to internal bootmode loader of C16x) 00 Response:(+0.0300 seconds) 00 <--- HELLO ::echo:: reply C5 which is :CPU_ID_C167 (see picture of the actual code running inside the microcontroller, highlighted in YELLOW this is the MCU's response) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (+0.0100 seconds) If you analyze the bootloader running in boot mode you'll see it waits at this point for 32-bytes to be sent by the host to the ecu.. <--- Send 32-byte Bootstrap Loader (BSL) E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA (these hex codes are the machine code of the boot strap loader, i will include the source code ) Response: (+0.0401 seconds) <--- Echo 32-byte Bootstrap Loader (BSL) E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA <--- Send I_LOADER_STARTED 01 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Request: (+0.0200 seconds) Next Minimon sends its application core which allows us to issue commands from the Host... <--- Send Minimon Monitor Core Application (copied by BSL loader to ram) 7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52 E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01 0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33 BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00 F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16 BB B1 08 61 80 F7 3D FB CB 00 Response: (+0.3805 seconds) <--- Echo Minimon Application (copied by BSL loader to ram) 7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52 E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01 0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33 BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00 F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16 BB B1 08 61 80 F7 3D FB CB 00 <--- Send I_APPLICATION_STARTED 03 } At this stage we have a monitor loaded and can do many things... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:39:53 AM With the minimon core loaded we have several commands at our disposal..
Before we go delve into them lets look at the header file which is self documents them Code: C_WRITE_BLOCK 0x84 // Write memory block to target mem Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:42:19 AM Depending on the processor derivative of the C16x (x being any of them) you will have different response codes returned for the initial 'HELLO'..
Code: #define CPU_ID_C165_OLD 0xA5 Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:44:09 AM When minimon acknowledges your commands having been sent it sends codes back
For a 1st acknowledgement its an 0xAA, second is a 0xEA Code: #define A_ACK1 0xAA // 1st Acknowledge to function code Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:45:43 AM After getting a response back from uploading the minimon app we also get an acknowledgement byte...
Minimon authors defined 4 different apps Code: #define I_LOADER_STARTED 0x01 // Loader successfully launched Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:47:33 AM I'll upload the source-code to minimon too into the github which generates the binary you see us sending after the 32-byte BSL (Boot Strap Loader).
Ok. Once its loaded its time to verify its working. One of the commands its called C_TEST_COMM Lets see how this works... Code: //********************************************************************************************************************************************************************************************************// Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:51:27 AM We can also read and write to CPU registers which allows us to easily configure the hardware registers to whatever we need to do...
In this case let us configure BUS CONTROL and SYSTEM CONTROL registers (refer to the C167 datasheet for details on their purpose and bits) To accomplish this we can use the command C_WRITE_WORD.. Code: //********************************************************************************************************************************************************************************************************// And we can then read it back (to verify it worked) by using the C_READ_WORD command Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:57:52 AM So now we can load minimon and then after loading it we can send it commands which allows us to read and write registers AND memory. So yes its possible to READ the entire firmware out and send it chunk by chunk back to the HOST PC. We will do that exercise later for now lets continue with the eeprom reading/writing...
Lets also configure BUSCON0 Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:05:15 AM Ok so far we've not touched on ArgDub's code.. This was all minimon...
ArdDub wrote a driver 'plug-in' for the Bosch series (probably heavily inspired by the rom code itself :) . To upload 'custom' plug-in's Minimon provides is with a handy command, yes we using C_WRITE_BLOCK to send a whole block of binary data (the app or driver for eeprom in this case)... Code: { Send EEPROM Driver to C16x memoryI have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... I will again upload it to Github in due time... At this point we've now uploaded the driver. There are some areas in the driver where we must write some hex values so it can use the correct gpio pins (the Bosch ecu's put the eeprom into different gpio pins depending on the ecu). Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:08:17 AM Argdub followed the same architecture as Minimon for his commands.
To use the loaded driver we use the Minimon C_CALL_FUNCTION command to setup the registers (prior to the call) and then jump into that code block, thereby executing it. Code: { Read EEPROMSo before we run anything we EEPROM_TEST communications... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:13:37 AM The rest of the sequence is also straight forward...
We issue C_READ_BLOCK commands which tell his driver to read a block of eeprom into memory. and ofcouse C_WRITE_BLOCK to write. Only reading is show in this trace. Once its in ram (we do it in small chunks due to limited resources on the C167) we can then issue the command to send that MEMORY block back to the host (our app running on whatever, pc. etc.). Depending on the type of eeprom and its size we have to iterate for the number of blocks (1k, 2k, 4k ) the eprom is in size.. Any questions just ask.. Before we do any of this we must Init registers (gpio etc.) required for eeprom access and then jump into the drivers main code block.. See below... Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:14:42 AM We are now ready to read blocks and pull them back into host ram...
Code: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:16:56 AM I will document writing our OWN eeprom driver, rather than focus on ArgDubs as its pretty straight forward to do.
I will also show how to read and write to flash in boot mode if anyone is interested using the above method of loading a driver (again the source-code to all the AMD 512k/1mb/2mb flash drivers is available)... Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:33:40 AM Forgot to mention the minimon stuff is entirely MCU architecture (Micro-controller) related. It has nothing to do with Bosch. You can use this approach on ANY C16x derived architecture including ST derivatives etc.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:54:24 AM As promised here's a BSL (Boot Strap Loader) to understand..
Code: ;---------------------------------------------------------------------------------------------------------------------- Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:57:32 AM Hope this mini tutorial was useful to someone :)
Source code will be uploaded soon to GitHub.. Title: Re: Fully open source ME7 EEPROM tool :) Post by: gremlin on November 12, 2020, 07:19:07 AM I have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... Why going such a long and difficult way? 18 years ago it takes me half hour to patch free source code example for X25160 eepom from minimon driver directory and compile new driver for 95040. Now I looked for and found it in my archive... Code: ; My driver to work with SPI EEPROM in ECUs Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:32:36 AM All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code! Most of this is rapidly dissappearing off the web as these 16-bit cpu's have long reached end of life. Any source-code contributions are indeed welcome. Finding stuff on these older mcu's isn't so easy these days and yet they are still quite capable processors and good for teaching.
I thought it would be a good example for people to work through from 1st principals. I.e. understand exactly all the details by actually building code that runs on the actual microcontroller. I've built my own assembler, dissassembler and C compiler for the C16x series now too. (Yes I know others exist) and soon I plan to integrate the Arduino IDE so that you can build apps which can manipulate the gpio's etc. directly from the ide... I took a look quick look at your driver, the only recommendation I would have would be to use a hardware timer for your delay as running on a 20MHz vs 40MHz device will yield different times for your nop's... Title: Re: Fully open source ME7 EEPROM tool :) Post by: gremlin on November 12, 2020, 08:29:22 AM All you guys looking at this when it was new had access to the a lot of the manufacturer SDK's and documentations, source-codes, etc. I didn't spot that code! When I was working on this driver, I did not have any non-public documents or special access to professional ide / sdk. Only minimon, which has not disappeared anywhere and is still freely available on the Internet. All sources texts present now. http://www.perschl.at/minimon.html As for the driver's optimality, was say that this is a "five-minute soup" and no one bothers to improve it. In my opinion, the time for such a program has gone like the last train. Everything has already been done and more than once. It can be interesting only for educational purposes. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 08:58:15 AM I hear you...
There are still however millions of cars on the road with these ecu's inside them and millions more in scrap yards. There is still value there if you care to look hard enough. The concepts of these old obsolete 16-bit microcontroller are still alive and kicking and found in modern applications. Even modern cars can still use them, just likely with a different instruction set driving them which is probably arm based. Your soft close door locks on a 2020 MY car very likely have a modernized NXP 16-bit MCU driving them. SPI, I2C, PWM, GPIO, Serial, CAN, DMA, etc. all used today in pretty much same way except hidden behind layers of API's. If you extrapolate away from bare metal assembly you find you can still write a lot of the code in a portable way in C, then that inself can be transferred across to current soc's like infineon tricore's and such via cross compilation (even in the eeprom is now emulated in flash :). The biggest problem with these obscure instruction sets like C16x is lack of good tooling, the code optimization of those proprietary (very old GCC based!) C compilers is frankly shocking, no wonder so much was written in assembly at the time... -T Title: Re: Fully open source ME7 EEPROM tool :) Post by: Blazius on November 12, 2020, 10:04:58 AM Terrific job! Thanks for all your contributions.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: DT on November 12, 2020, 12:43:36 PM Thank you for this write up. Always nice to see custom code.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 03:05:29 PM Amazing. Any chance I can get you to finish the bootmode flash stuff in the nef flasher?
or even better, integrate eeprom access into the nef flasher? Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 04:19:10 PM Nyet, DT and Blazius,
Thank you so much for the nice comments. I was beginning to think nobody cared anymore. I'm determined to get an Arduino IDE running on Bosch ME7 hardware, it will be called the ME7duino :) And yes I can take a look soon... Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 05:02:59 PM While im here, the nef flasher shouldn't require ftdi cables anymore either... its been on my list to fix but i dont have a functional non-ftdi cable to test on.
I assume none of your routines strictly depend on the ftdi dll either. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 05:34:39 PM Nothing that's talking over K-Line serial alone requires anything at USB level.
I've written a Serial UART abstraction api, this means you can indeed cross compile all the higher level code to run across any OS. I.e. on OSX, Linux and any other embedded mcu. Technically you can re-flash or read eeprom from a simple microcontroller with an SD card attached or Wifi connection to your mobile hotspot. Your not strictly limited to just UART serial as a means of communication either, as long as you software bridge the connection api's you can even re-direct read/writes over tcp/ip (internet) and on the device side flash receive data over CAN at 1Mbps. Its something I would like to implement a driver for along with differential flashing capability, so if you've previously flashed the same image and want to make incremental changes to just some maps like KFZW, checksums etc. your "update" is going to be pretty much instantaneous rather than minutes. The bottleneck for boot flashing is the relatively slow uart uplink speed. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 05:44:45 PM Differential flashing still sucks in Nef because you have to erase/write the whole affected block.
It is already implemented. back on topic: the only reason it used the ftdi dll was for licensing against fdti serial number, which is no longer a requirement. In this case (coincidentally) on the topic of differential flashing. Or are you talking about bootmode differential flashing? Because that would be amazing. Still, it suffers from the block issue. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 06:28:00 PM Yes I'm talking about differential flashing in bootmode and also download of the data via high speed CAN driver. This obviously means you cannot just have a dumb K-Line serial to uart IC. You also need a CAN ic too. These however are less than $1 these days and the big benefit is dramatically faster downloads. The flashing isn't really the slowest part, its the download speeds, 1mbps is multiple times quicker than serial uart can do it. Did you know on these AMD flash devices that even if you don't erase a sector you can still write to it too? You can just OR each byte. @Fluke9 explained the trick to me. You can flip the bit to a high in a write but never to a low, so you can do bitwise changes and not disturb the whole byte. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 06:35:53 PM Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero.
Title: Re: Fully open source ME7 EEPROM tool :) Post by: Blazius on November 12, 2020, 06:42:58 PM Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose".
(Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things]) And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:28:27 PM Unfortunately the cheap Ch340 cables dont come with a can chip(if i remember right), so if you do precompile this for public it would be nice to have the option to "choose". (Tried using ch340 cable with argdubs tool a while back , and I couldnt not get it working for the life of me for some reason [through OBD bootmode that is, could've been many things]) And yes technically nef should work on ch340 or cheaper usbtoserial chips without serial number id's if not for the dll, I am sure it would be nice for some people. Well with a good serial port abstraction interface your really just talking about 2 way streams i/o... You can do multiple different things here and it really is up to your imagination how much support you add... 1. Search via linking against the the FDTI lib for Unique named devices or serial's (ugh!), this could also read eeprom and determine if the device supports CAN, If that fails to find any ; 2. Search for USB attached serial devices by looking for compatible VID/PID's in the registry entries, 3. If none exist, search for any other attached USB devices which are of type serial port, 4. If that fails try to fallback to Auto-discovery of regular good old fashioned serial attached to non (virtual) com ports and if multiple serial devices are present allow you to choose which one to use. 5. Override with ability to choose com port number manually. 6. Override with ability to redirect and tunnel serial traffic over TCP/IP. This allows you to run a client/server over the internet and read from a remote serial port attached, i.e. flash over the internet. The only challenge is to do a speed test on setup to determine if your speed and latency is good enough. To make it all encompassing its quite a lot of work but you get the most flexibility.. Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 07:33:51 PM Yes. Unfortunately most of the changes (in small changes to maps/code) are in checksums (even worse, often spread across many blocks), and because of the nature of checksums (and crcs) the odds of having only bit sets (or clears) is nearly zero. True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 07:54:56 PM True, checksums however are not scattered everywhere, typically the multipoints are all in one location and the shadow and main sums can be done but even so, 95% of the rom is going to be the same so it can yield big benefits still for speed. I have yet to see a change that is entirely bit sets in a given block .. ymmv ... At 16 blocks (or even 32), its never going to be 95% Again, i have written flash drivers (unrelated to car tuning) that attempt to do this. They don't work as well as you'd think. There are filesystems though (back when this sort of flash was popular) that attempt to do this with set-only bits baked into the format (e.g. jffs). They're long dead. If Bosch had cared, they could have written their checksum system to take advantage of this. They did not, since they no doubt never used an ECU with flash during ECU tuning/mapping/calibration Title: Re: Fully open source ME7 EEPROM tool :) Post by: 360trev on November 12, 2020, 08:19:30 PM I'm still using JFFS in some Linux project today :)
My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures... Title: Re: Fully open source ME7 EEPROM tool :) Post by: d3irb on November 12, 2020, 08:54:00 PM With respect to CAN, it's unfortunate there is no standard (or even de facto standard like FTDI ended up being for bitbang+UART) driver interface for CAN. SocketCAN on Linux and J2534 on Windows seem to be the closest to dominant standards, but J2534 is a mess of expensive and non-compliant "compliant" vendor devices and SocketCAN requires being a bit of a Linux nerd to deal with (finding hardware, configuring the interface, adding isotp kernel module if necessary, and so on). And then there are all of the weird serial<->CAN devices which all seem to implement different little wire protocols. A higher-level abstraction would be truly amazing but also quite a lot of work since there is a fair amount of nuance (between baud rate, filters/interrupt setup, padding, ISOTP framing, etc.).
As for this bootloader work, amazing. It's great to see people still reversing stuff and rebuilding, even if it is for ancient ECUs. Title: Re: Fully open source ME7 EEPROM tool :) Post by: nyet on November 12, 2020, 10:30:40 PM I'm still using JFFS in some Linux project today :) My observation is that the writing time is a smaller proportion of the overall re-flashing time. The vast majority is the bottleneck of the download itself. So if you remove the downloading time by only downloading the differential data then read back into ram, erase and individual sector, merge differences in ram and write back you should see a big improvement in speed. I will test this shortly and give you some figures... This sounds totally doable and will almost certainly dramatically decrease flashing time. The Nef flasher already does this to some extent (but NOT bootmode!) Title: Re: Fully open source ME7 EEPROM tool :) Post by: Tohmerdis on December 09, 2020, 04:05:25 PM Wonderful work!
Do you put full source to Github or somewhere similar? Title: Re: Fully open source ME7 EEPROM tool :) Post by: darklet on September 11, 2022, 05:34:57 PM did the source code ever get made open, i cant see it on your github :(
Update: I reversed it, and added a me7.4.5 95320 read/write function... Well hardcode IMMO off write function that just updated bytes 40h-60h Switching it to use XSSC bus was a right pain. Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on January 29, 2023, 03:14:59 AM Hi to all!
I can´t find the source code for this tool and has there been work on integrating it into nefmoto flasher? Title: Re: Fully open source ME7 EEPROM tool :) Post by: fragolas on February 24, 2023, 07:35:29 PM @360trev Will you ever release the source code? Besides the me7/edc15 , I have a airbag ecu with c164 and I could use bsl to read and write the eeprom without desolder . I could probably write driver for minimon, but this would also be helpful.
Kwp services could also work, but that's beside the point. I also wonder which cpu does Bosch abs 5.7 uses... Enviado do meu M2102J20SG através do Tapatalk Title: Re: Fully open source ME7 EEPROM tool :) Post by: ecuprog7 on February 26, 2024, 09:31:05 AM Hi,
done a rework of argdubs tool, eeprom driver is a adapted version of post from gremlin. Tested on Me7.5 and ME7.1. The tool reconnects to running minimon core, so need to restart ecu after one operation (read or write). Source code of eeprom drivers are included. Eeprom read and write on C167 and St10 ( XSSC module ) for type 0 95080 - 95320 and type 1 95040 / 95p08 supported, type 2-4 are 93cxx versions, read internal Rom/IFlash . Read of ext Flash not working. Please try and report. update 28.2.2024: Now works with psa ME7.4.5 (ME745) with ST10 . Cs pin is P6.2 , XSSC module is used. update 09.3.2024: works now on Simos 3 with 93Cxx eeprom (only ssc module) |