Pages: [1] 2 3 ... 5
Author Topic: Fully open source ME7 EEPROM tool :)  (Read 41392 times)
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« on: November 12, 2020, 05:14:59 AM »

Anyone interested ?

For various reasons (see below) the ArgDub tool was not sufficient for my requirements, I also didn't like that you had to specify which pins to use (when you can in fact automatically discover this, more to follow on how I accomplished this on my own implementation).
 
While ArgDub's tool was free it was never open sourced (proprietary close source) and therefore nobody could improve on it or add new features so when the project stops getting supported its dead. Also I have never been truly satisfied with the reliability of it depending on the speed on your PC, etc. I suspect the timing accuracy isn't as good as it needs to be for the serial drivers. I had issues several times getting it to work.

So I needed to do a clean room implementation which I did a while back ago now. I'm just tidying it up for public release but it is working very well so I will be releasing the full source-code to it very shortly on Github.
Before I do that I just wanted to give you some technical details to how ArgDub's tool actually works.

It may come as a surprise to some but his tool was very heavily influenced and indeed includes code derived from the free Minicom software from Siemens. Also I think probably some open sources available at the time for a published eeprom driver. Ofcourse getting this to work is a lot of work and reverse engineering of ME7.x rom's to see how Bosch integrated the gpio itself is obviously timing consuming (so thank you ArgDub for the release) but with effort anyone with embedded experience and appropriate documentation can write their own, its very doable (as I have done). The driver itself is pretty straight forward and the most important elements are how to configure the correct gpio pins so that its compatible with your pcb wiring.

I'll post several posts now on the inner workings of how this all is done and show you the possibilities this opens up (like cheap Arduino's from ME7's Smiley
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #1 on: November 12, 2020, 05:24:09 AM »

OK. So on to how the EEPROM Tool works.


It actually uses Bootmode to load a minimon app, then uploaded an eeprom driver (which is patched before upload for the appropriate gpio pins) and then runs the code with the pc app controlling the me7 app to download memory. Lets delve into how this all works in detail.


First of all, lets start with the basics, Bootmode... What is it?

It is basically a "special debugging/programming mode" built into the C16x Microcontroller series (a bit like a crude pre-cursor to JTAG) which allowed you to override the default booting behavior configured by board manufacturer (in this case Bosch or its affiliates). To activate it you simply short to ground the appropriate pin on the micro-controller and at this point an alternative boot loader inside the MCU (Microcontroller) is executed.
 
Ever wondered what the internals of this bootloader looks like?

Here it is...
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #2 on: November 12, 2020, 05:31:18 AM »

I highlighted in Yellow the hex code, in this particular spin of the C167SR its going to send us 0xC5h back once serial comms are established.

So once we have serial port opened this is what going's on..

{ Send BSL + Minimon Monitor Core
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (0.0000 seconds)

    <--- Send HELLO byte (i.e. the single byte 0x00, to internal bootmode loader of C16x)
 00

      Response:(+0.0300 seconds)

       00      <--- HELLO ::echo:: reply
       C5      which is :CPU_ID_C167   (see picture of the actual code running inside the microcontroller, highlighted in YELLOW this is the MCU's response)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

If you analyze the bootloader running in boot mode you'll see it waits at this point for 32-bytes to be sent by the host to the ecu..

    <--- Send 32-byte Bootstrap Loader (BSL)
 E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA

(these hex codes are the machine code of the boot strap loader, i will include the source code )

      Response: (+0.0401 seconds)

               <--- Echo 32-byte Bootstrap Loader (BSL)
       E6 58 01 00 9A B7 FE 70 E6 F0 60 FA 7E B7 9A B7 FE 70 A4 00 B2 FE 86 F0 E9 FB 3D F8 EA 00 60 FA

               <--- Send I_LOADER_STARTED
       01     

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0200 seconds)

Next Minimon sends its application core which allows us to issue commands from the Host...

    <--- Send Minimon Monitor Core Application (copied by BSL loader to ram)
 7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52
 E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01
 0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33
 BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE
 CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00
 F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16
 BB B1 08 61 80 F7 3D FB CB 00 

      Response: (+0.3805 seconds)

               <--- Echo Minimon Application (copied by BSL loader to ram)
       7E B7 7E B6 E1 31 BB 6E BB 74 F1 B0 E7 F1 AA 00 BB 69 E7 F1 EA 00 47 FB 31 00 3D 03 B5 4A B5 B5 0D 5F 47 FB 93 00 3D 01 0D 5B 47 FB 32 00 3D 03 BB 59 B7 48 B7 B7 47 FB 33 00 3D 05 F1 1A BB 52
       E7 F1 EA 00 0D 4D 47 FB 84 00 3D 1E E1 0A BB 6B BB 72 A0 03 3D 01 0D 44 BB 4C F1 80 51 A8 BB 70 F0 C6 0E FC A8 7C 8A F6 04 00 66 F7 00 FF 71 E8 0D 03 66 F7 FF 00 71 F8 B8 7C A9 96 41 98 3D 01
       0D E8 E7 F1 11 00 0D E5 47 FB 85 00 3D 0D E1 0A BB 4A BB 51 A0 03 3D 03 E7 F1 EA 00 0D 21 BB 50 A9 16 51 A1 BB 1F 0D F6 47 FB 41 00 3D 05 BB 3B BB 19 EC F2 EC F1 DB 00 47 FB CD 00 3D 0A BB 33
       BB 3F A8 36 F1 16 BB 0E F1 17 BB 0C E7 F1 EA 00 0D 07 47 FB 82 00 3D 15 BB 26 BB 2D BB 31 B8 36 BB 01 0D 92 F7 F1 B0 FE 9A B7 FE 70 7E B7 7E B6 CB 00 A7 58 A7 A7 9A B7 FC 70 7E B7 F3 F0 B2 FE
       CB 00 47 FB 9F 00 3D ED BB 0E BB 29 BB 00 FC F7 06 F7 10 00 EC 04 EC F7 EC F2 EC F1 DB 00 BB 2A E7 F1 EA 00 0D DD BB E5 F1 20 BB E3 F1 30 BB E1 F1 40 E1 05 CB 00 BB DD F1 60 BB DB F1 70 CB 00
       F0 61 F0 72 7C E6 5C 27 70 76 F6 F7 04 FE F0 61 08 11 18 20 66 F6 FF 3F 76 F6 00 80 CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 BB C4 B9 06 08 61 80 F7 3D FB CB 00 F2 F6 10 FE 06 F6 10 00 E0 07 A9 16
       BB B1 08 61 80 F7 3D FB CB 00

               <--- Send I_APPLICATION_STARTED
       03
}

At this stage we have a monitor loaded and can do many things...
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #3 on: November 12, 2020, 05:39:53 AM »

With the minimon core loaded we have several commands at our disposal..

Before we go delve into them lets look at the header file which is self documents them

Code:
C_WRITE_BLOCK		0x84 // Write memory block to target mem
C_READ_BLOCK 0x85 // Read memory block from target mem
C_EINIT 0x31 // Execute Einit Command
C_SWRESET     0x32 // Execute Software Reset
C_GO     0x41 // Jump to user program
C_GETCHECKSUM            0x33 // get checksum of previous sent block
C_TEST_COMM     0x93 // Test communication
C_CALL_FUNCTION 0x9F // Mon. extension interface: call driver
C_WRITE_WORD 0x82 // write word to memory/register
C_MON_EXT         0x9F // call driver routine
C_ASC1_CON       0xCC // Connection over ASC1
C_READ_WORD         0xCD // Read Word from memory/register
C_WRITE_WORD_SEQUENCE 0xCE // Write Word Sequence
C_CALL_MEMTOOL_DRIVER  0xCF // Call memtool driver routine
C_AUTOBAUD         0xD0 // Call autobaud routine
C_SETPROTECTION            0xD1 // Call security function
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #4 on: November 12, 2020, 05:42:19 AM »

Depending on the processor derivative of the C16x (x being any of them) you will have different response codes returned for the initial 'HELLO'..

Code:
#define CPU_ID_C165_OLD			0xA5
#define CPU_ID_C165 0xB5
#define CPU_ID_C166 0x55
#define CPU_ID_C167 0xC5
And ofcourse there are more.. But these are some of the common ones...
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #5 on: November 12, 2020, 05:44:09 AM »

When minimon acknowledges your commands having been sent it sends codes back

For a 1st acknowledgement its an 0xAA, second is a 0xEA

Code:
#define A_ACK1				0xAA  	// 1st Acknowledge to function code
#define A_ACK2 0xEA // 2nd Acknowledge (last byte)
#define A_ASC1_CON_INIT 0xCA // ASC1 Init OK
#define A_ASC1_CON_OK 0xD5 // ASC1 Connection OK

Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #6 on: November 12, 2020, 05:45:43 AM »

After getting a response back from uploading the minimon app we also get an acknowledgement byte...

Minimon authors defined 4 different apps

Code:
#define I_LOADER_STARTED	    0x01	// Loader successfully launched
#define I_APPLICATION_LOADED 0x02 // Application succ. loaded
#define I_APPLICATION_STARTED 0x03 // Application succ. launched
#define I_AUTOBAUD_ACKNOWLEDGE  0x04    // Autobaud detection acknowledge

Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #7 on: November 12, 2020, 05:47:33 AM »

I'll upload the source-code to minimon too into the github which generates the binary you see us sending after the 32-byte BSL (Boot Strap Loader).

Ok. Once its loaded its time to verify its working. One of the commands its called C_TEST_COMM

Lets see how this works...

Code:
//********************************************************************************************************************************************************************************************************//
{ Test Communications are working to Minicom Monitor Core
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_TEST_COMM
 93

Response: (+0.0200 seconds)

         <--- Echo C_TEST_COMM
93
         <--- Send A_ACK1
AA
         <--- Send A_ACK2
EA   
}

Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #8 on: November 12, 2020, 05:51:27 AM »

We can also read and write to CPU registers which allows us to easily configure the hardware registers to whatever we need to do...

In this case let us configure BUS CONTROL and SYSTEM CONTROL registers (refer to the C167 datasheet for details on their purpose and bits)

To accomplish this we can use the command C_WRITE_WORD..

Code:
//********************************************************************************************************************************************************************************************************//
{ Send/Verify BUSCON & SYSCON
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds) : Write 0xE604 to 0xFF12 (BUSCON Address Register)

    <--- Send C_WRITE_WORD
 82

Response: (+0.0200 seconds)

         <--- Echo C_WRITE_WORD
82
         <--- Send A_ACK1
AA

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send 0x00FF12 [Address to write 16-bits to - SYSCON ] - Register Address
 12 FF 00
    <--- Send 0xE604   [Address to write 16-bits to]           - Register value
 04 E6   

Response: (+0.0200 seconds)

         <--- Echo 0x00FF12 [Address to write 16-bits to - SYSCON ] - Register Address
12 FF 00
         <--- Echo 0xE604   [Address to write 16-bits to]           - Register value
04 E6
         <--- Send A_ACK2
EA

And we can then read it back (to verify it worked) by using the C_READ_WORD command
Code:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds) : Read BUSCON and verify 0xE604

    <--- Send C_READ_WORD
 CD

Response: 92664 (+0.0200 seconds)

         <--- echo C_READ_WORD
CD
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send 0x00FF12 [Address to read 16-bits from - SYSCON ] - Register Address
 12 FF 00   

Response: (+0.0100 seconds)

         <--- Echo 0x00FF12 [Address to read 16-bits from - SYSCON ] - Register Address
12 FF 00
         <--- Echo 0xE604   [Value read 16-bits]                     - Register value
04 E6
         <--- Send A_ACK2
EA
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #9 on: November 12, 2020, 05:57:52 AM »

So now we can load minimon and then after loading it we can send it commands which allows us to read and write registers AND memory. So yes its possible to READ the entire firmware out and send it chunk by chunk back to the HOST PC. We will do that exercise later for now lets continue with the eeprom reading/writing...

Lets also configure BUSCON0

Code:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_WRITE_WORD
 82

Response: (+0.0200 seconds)

         <--- Echo C_WRITE_WORD
82
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
 0C FF 00
    <--- Send 0x04AE   [Value to write 16-bits]                 - Register value
 AE 04   

Response: 08664 (+0.0100 seconds)

         <--- Echo 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
         <--- Echo 0x04AE   [Value to write 16-bits]                 - Register value
AE 04
         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_READ_WORD
 CD

Response: 12664 (+0.0200 seconds)

         <--- Echo C_READ_WORD
CD
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
 0C FF 00   

Response: 15664 (+0.0200 seconds)

         <--- Echo 0x00FF0C [Address to write 16-bits to - BUSCON0 ] - Register Address
0C FF 00
         <--- Echo 0x04AE   [Value to write 16-bits]                 - Register value
AE 04
         <--- Send A_ACK2
EA

Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #10 on: November 12, 2020, 06:05:15 AM »

Ok so far we've not touched on ArgDub's code.. This was all minimon...

ArdDub wrote a driver 'plug-in' for the Bosch series (probably heavily inspired by the rom code itself Smiley .

To upload 'custom' plug-in's Minimon provides is with a handy command, yes we using C_WRITE_BLOCK to send a whole block of binary data (the app or driver for eeprom in this case)...

Code:
{ Send EEPROM Driver to C16x memory
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_WRITE_BLOCK
 84

Response: (+0.0200 seconds)

         <--- Echo C_WRITE_BLOCK
84
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send 24-bit address 00x0F600 (in target ram)
 00 F6 00
         <--- Send 16-bit length  035C
 5C 03   

Response: (+0.0200 seconds)

         <--- Echo 24-bit address 00x0F600 (in target ram)
00 F6 00
         <--- Echo 16-bit length  035C
5C 03   

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.3104 seconds)

    <--- Send EEPROM Driver Code (below) to 0xF600, len of 0x035C
 7E E4 CB 00 7F E4 CB 00 7F E5 CB 00 FF FF FF FF 48 81 3D 03 CA 00 FE F7 DB 00 48 82 3D 03 CA 00 E0 F7 DB 00 48 84 3D 03 CA 00 B6 F7 DB 00 48 85 3D 03 CA 00 5A F6 DB 00 48 86 3D 03 CA 00 40 F7
 DB 00 48 87 3D 03 CA 00 9C F6 DB 00 46 F8 93 00 3D 03 E6 FF 55 00 DB 00 DB 00 E6 00 00 02 E6 01 00 02 06 01 01 00 F2 F0 1C FF E6 F1 3E F9 F0 20 46 F1 5A F9 2D 0E 98 41 98 32 40 34 2D F9 96 F0
 FE 3F 3D F3 06 00 01 00 46 00 40 02 3D EA E0 1F CB 00 F0 D0 F2 FE 00 FE E0 0F CB 00 F0 6C F0 7D F0 8E F6 FB F0 FB F6 FF F2 FB CA 00 B6 F7 48 F1 2D 43 9A FD 41 10 CA 00 00 F6 F2 FB F0 FB F2 FF
 F2 FB E6 FD F0 FB E0 3E E0 21 F0 2B 48 F0 3D 08 4A F2 F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2 F1 94
 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 15 CA 00 7E F8 48 40 2D 11 F0 C6 F0 D7 F0 E8 CA 00 7E F8 CA 00 04 F6 48 40 2D 08 CA 00 B6 F7 48 F1 2D 04 8A FD FA 00 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00
 CA 00 00 F6 F0 6C F0 7D F0 8E E0 31 F0 2B 48 F0 3D 08 4A FB F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2
 F1 94 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 0F CA 00 7E F8 48 40 2D 0B F0 C6 F0 D7 F0 E8 CA 00 D8 F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 5C CA 00 3C F8
 48 40 2D 0A E6 FC 55 00 CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 6C CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 E0 1F
 CA 00 04 F6 CA 00 08 F6 CC 00 8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 E6 A2 45 00 DE E2 FE D9 E6 D9 37 46 D1 80 E6 5A 0B 00 FF D9 DF E2 E0 0F CB 00 9A D9 02 C0
 E0 04 CB 00 66 D9 FF F0 7E BB F0 4C C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 8A D9 02 C0 9A BB 02 70 E0 04 CB 00 F3 F8 B2 F0 C0 84 F0 D4 E0 14 CB 00 E0 09
 66 D9 FF F0 7E BB 9A D9 02 C0 E0 04 0D 24 F2 F4 B2 F0 0D 1A F0 49 08 91 F0 AD F0 BE 00 A4 DC 4B A9 8A C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 F2 F4 B2 F0
 9A D9 02 C0 E0 04 0D 07 40 9C 8D E4 9A BB 02 70 E0 04 0D 01 E0 14 CB 00 E0 09 66 D9 FF F0 7E BB 48 C0 3D 02 E0 14 0D 2A 9A D9 02 C0 E0 04 0D 26 F2 F4 B2 F0 D1 80 E6 58 55 00 F2 FF 44 FE F2 F4
 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 9A D9 02 C0 E0 04 0D 13 F3 F8 B2 F0 F0 59 08 91 F0 AD F0 BE 00 A5 DC 4B B9 8A 40 9C 8D E4 E1 08 4A BB F4 70 49 81 3D 02 E0 04 0D 01 E0 14 CB 00 CC 00
 8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 DB 00 1C 00

Response: (+0.5308 seconds)

            <--- Echo EEPROM Driver Code (below) to 0xF600, len of 0x035C
7E E4 CB 00 7F E4 CB 00 7F E5 CB 00 FF FF FF FF 48 81 3D 03 CA 00 FE F7 DB 00 48 82 3D 03 CA 00 E0 F7 DB 00 48 84 3D 03 CA 00 B6 F7 DB 00 48 85 3D 03 CA 00 5A F6 DB 00 48 86 3D 03 CA 00 40 F7
DB 00 48 87 3D 03 CA 00 9C F6 DB 00 46 F8 93 00 3D 03 E6 FF 55 00 DB 00 DB 00 E6 00 00 02 E6 01 00 02 06 01 01 00 F2 F0 1C FF E6 F1 3E F9 F0 20 46 F1 5A F9 2D 0E 98 41 98 32 40 34 2D F9 96 F0
FE 3F 3D F3 06 00 01 00 46 00 40 02 3D EA E0 1F CB 00 F0 D0 F2 FE 00 FE E0 0F CB 00 F0 6C F0 7D F0 8E F6 FB F0 FB F6 FF F2 FB CA 00 B6 F7 48 F1 2D 43 9A FD 41 10 CA 00 00 F6 F2 FB F0 FB F2 FF
F2 FB E6 FD F0 FB E0 3E E0 21 F0 2B 48 F0 3D 08 4A F2 F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2 F1 94
DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 15 CA 00 7E F8 48 40 2D 11 F0 C6 F0 D7 F0 E8 CA 00 7E F8 CA 00 04 F6 48 40 2D 08 CA 00 B6 F7 48 F1 2D 04 8A FD FA 00 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00
CA 00 00 F6 F0 6C F0 7D F0 8E E0 31 F0 2B 48 F0 3D 08 4A FB F1 83 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 17 48 F1 3D 08 DC 6E B9 2D E4 5D 01 00 E4 4D 02 00 E0 3C 0D 0D 48 F2 3D 0A 4A F2 F1 83 4A F2
F1 94 DC 5E B9 2D E4 4D 01 00 E0 2C 0D 01 0D 0F CA 00 7E F8 48 40 2D 0B F0 C6 F0 D7 F0 E8 CA 00 D8 F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 5C CA 00 3C F8
48 40 2D 0A E6 FC 55 00 CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 CA 00 00 F6 E0 6C CA 00 3C F8 48 40 2D 04 CA 00 04 F6 E0 0F CB 00 CA 00 04 F6 E0 1F CB 00 E0 1F
CA 00 04 F6 CA 00 08 F6 CC 00 8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 E6 A2 45 00 DE E2 FE D9 E6 D9 37 46 D1 80 E6 5A 0B 00 FF D9 DF E2 E0 0F CB 00 9A D9 02 C0
E0 04 CB 00 66 D9 FF F0 7E BB F0 4C C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 8A D9 02 C0 9A BB 02 70 E0 04 CB 00 F3 F8 B2 F0 C0 84 F0 D4 E0 14 CB 00 E0 09
66 D9 FF F0 7E BB 9A D9 02 C0 E0 04 0D 24 F2 F4 B2 F0 0D 1A F0 49 08 91 F0 AD F0 BE 00 A4 DC 4B A9 8A C0 84 F6 F4 B0 F0 F2 FF 44 FE F2 F4 44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 F2 F4 B2 F0
9A D9 02 C0 E0 04 0D 07 40 9C 8D E4 9A BB 02 70 E0 04 0D 01 E0 14 CB 00 E0 09 66 D9 FF F0 7E BB 48 C0 3D 02 E0 14 0D 2A 9A D9 02 C0 E0 04 0D 26 F2 F4 B2 F0 D1 80 E6 58 55 00 F2 FF 44 FE F2 F4
44 FE 20 4F 42 F4 02 00 9D 02 8A D9 F8 C0 9A D9 02 C0 E0 04 0D 13 F3 F8 B2 F0 F0 59 08 91 F0 AD F0 BE 00 A5 DC 4B B9 8A 40 9C 8D E4 E1 08 4A BB F4 70 49 81 3D 02 E0 04 0D 01 E0 14 CB 00 CC 00
8F E2 8E E3 D1 80 8F E3 9F E2 9F E3 D1 80 9E E3 DF E2 DF E3 D1 80 DE E3 DB 00 1C 00
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_GETCHECKSUM
 33

Response: 18864 (+0.0200 seconds)

         <--- Echo C_GETCHECKSUM
33
         <--- Send 16-Bit Checksum Value 0x6AAA (from target C16x)
AA 6A
         <--- Send A_ACK2
EA
}

I have reverse engineered ArgDub's driver and yes indeed a lot of that code is recognizable... I will again upload it to Github in due time...

At this point we've now uploaded the driver. There are some areas in the driver where we must write some hex values so it can use the correct gpio pins (the Bosch ecu's put the eeprom into different gpio pins depending on the ecu).

Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #11 on: November 12, 2020, 06:08:17 AM »

Argdub followed the same architecture as Minimon for his commands.

To use the loaded driver we use the Minimon C_CALL_FUNCTION command to setup the registers (prior to the call) and then jump into that code block, thereby executing it.

Code:
{ Read EEPROM
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_CALL_FUNCTION
 9F

Response: (+0.0200 seconds)

         <--- Echo C_CALL_FUNCTION
9F
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

<--- Send C Call Address and Registers R8 to R15
 10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
 93 00    :  R8 = 0x0093   : Command ID - EEPROM_TEST_COMM
 A0 FC    :  R9
 BF 18    : R10
 C4 FF    : R11
 72 00    : R12
 30 24    : R13
 1A 00    : R14
 01 00    : R15

Response: (+0.0200 seconds)

    <--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
93 00    :  R8 = 0x0093   : Command ID - EEPROM_TEST_COMM
A0 FC    :  R9
BF 18    :  R10
C4 FF    :  R11
72 00    :  R12
30 24    :  R13
1A 00    :  R14
01 00    :  R15

<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
93 00    :  R8
A0 FC    :  R9
BF 18    :  R10
C4 FF    :  R11
72 00    :  R12
30 24    :  R13
1A 00    :  R14
55 00    :  R15           : <---- RETURN 0x55
         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So before we run anything we EEPROM_TEST communications...
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #12 on: November 12, 2020, 06:13:37 AM »

The rest of the sequence is also straight forward...

We issue C_READ_BLOCK commands which tell his driver to read a block of eeprom into memory. and ofcouse C_WRITE_BLOCK to write. Only reading is show in this trace.
Once its in ram (we do it in small chunks due to limited resources on the C167) we can then issue the command to send that MEMORY block back to the host (our app running on whatever, pc. etc.). Depending on the type of eeprom and its size we have to iterate for the number of blocks (1k, 2k, 4k ) the eprom is in size..

Any questions just ask..

Before we do any of this we must Init registers (gpio etc.) required for eeprom access and then jump into the drivers main code block..

See below...

Code:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

         <--- Send C_CALL_FUNCTION
 9F

Response: (+0.0200 seconds)

        <--- Echo C_CALL_FUNCTION
9F
        <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C Call Address and Registers R8 to R15
 10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
 01 00    :  R8 = 0x0001   : Command ID - EEPROM_INIT_REGISTERS
 30 24    :  R9
 1E 00    :  R10
 01 00    :  R11
 9C FD    :  R12
 00 04    :  R13
 E0 FF    :  R14
 94 5C    :  R15

Response: (+0.0200 seconds)

   <--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
01 00    :  R8 = 0x0001   : Command ID  - EEPROM_INIT_REGISTERS
30 24    :  R9
1E 00    :  R10
01 00    :  R11
9C FD    :  R12
00 04    :  R13
E0 FF    :  R14
94 5C    :  R15

<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
01 00    :  R8 = 0x0001  
30 24    :  R9
1E 00    :  R10
01 00    :  R11
9C FD    :  R12
00 04    :  R13
E0 FF    :  R14
00 00    :  R15
   <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_CALL_FUNCTION
 9F

Response: (+0.0200 seconds)

   <--- Echo C_CALL_FUNCTION
9F
   <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

<--- Send C Call Address and Registers R8 to R15
 10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
 04 00    :  R8 = 0x0004   : Command ID
 30 24    :  R9 = 0x2430
 24 00    : R10 = 0x0024
 01 00    : R11 = 0x0001
 9C FD    : R12 = 0xFD9C
 00 04    : R13 = 0x0400
 E0 FF    : R14 = 0xFFE0
 94 5C    : R15 = 0x5C94

Response: (+0.0300 seconds)

<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
04 00    :  R8 = 0x0004   : Command ID
30 24    :  R9 = 0x2430
24 00    : R10 = 0x0024
01 00    : R11 = 0x0001
9C FD    : R12 = 0xFD9C
00 04    : R13 = 0x0400
E0 FF    : R14 = 0xFFE0
94 5C    : R15 = 0x5C94

<--- Send C Call Address and Registers R8 to R15 [after execution of call]
04 00     :  R8 = 0x0004  
30 24     :  R9 = 0x2430
24 00     : R10 = 0x0024
01 00     : R11 = 0x0001
55 00     : R12 = 0x0055
80 00     : R13 = 0x0080
E0 FF     : R14 = 0xFFE0
00 00     : R15 = 0x0000

   <--- Send A_ACK2
EA
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #13 on: November 12, 2020, 06:14:42 AM »

We are now ready to read blocks and pull them back into host ram...


Code:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

    <--- Send C_CALL_FUNCTION
 9F

Response: (+0.0200 seconds)

         <--- Echo C_CALL_FUNCTION
9F
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: (+0.0100 seconds)

<--- Send C Call Address and Registers R8 to R15
 10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
 06 00   :  R8 = 0x0006   : Command ID
 A0 FC   :  R9 = 0xFCA0     
 BF 18   : R10 = 0x18BF
 00 00   : R11 = 0x0000   : Offset
 00 02   : R12 = 0x0200   : Length
 00 FC   : R13 = 0xFC00   : Copy to address
 03 00   : R14 = 0x0003
 01 00   : R15 = 0x0001

Response: (+0.0200 seconds)

<--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00 : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00   :  R8 = 0x0006   : Command ID
A0 FC   :  R9 = 0xFCA0   : 
BF 18   : R10 = 0x18BF   :
00 00   : R11 = 0x0000   : Offset
00 02   : R12 = 0x0200   : Length
00 FC   : R13 = 0xFC00   : Copy to address
03 00   : R14 = 0x0003   :
01 00   : R15 = 0x0001   :

<--- Send C Call Address and Registers R8 to R15 [after execution of call]
03 00   :  R8 = 0x0003   :
00 02   :  R9 = 0x0200   :
FF FD   : R10 = 0xFDFF   :
03 00   : R11 = 0x0003   :
00 02   : R12 = 0x0200   :
00 FC   : R13 = 0xFC00   : 
03 00   : R14 = 0x0003   :
00 00   : R15 = 0x0000   :

         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 58864 (+0.0100 seconds)

    <--- Send C_READ_BLOCK
 85

Response: 60864 (+0.0200 seconds)

         <--- echo C_READ_BLOCK
85
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 61864 (+0.0100 seconds)

    <--- Send : Address = 0x00FC00 - EEProm Memory
 00 FC 00
    <--- Send  : Length: 0x0200 (512 Bytes block size)
 00 02   

Response: 63864 (+0.0200 seconds)

         <--- Echo : Address = 0x00FC00 - EEProm Memory
00 FC 00
         <--- Echo  : Length: 0x0200 (512 Bytes block size)
00 02

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01 01 00 00 00 00 00 00 00 00 00 00 00 00 FC FF
03 02 68 02 BD 01 04 00 25 04 06 0E 07 00 88 FE
00 00 B0 0D 5D 0E 00 00 00 00 00 00 00 00 D4 FE
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 09 F2
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
05 00 02 05 00 00 00 00 00 00 00 00 00 00 DB FF
19 19 00 00 00 00 00 00 00 00 00 00 00 00 B4 FF
1A 1A 00 00 00 00 00 00 00 00 00 00 00 00 B1 FF
1B 1B 00 00 00 00 00 00 00 00 00 00 00 00 AE FF
1C 1C 00 00 00 00 00 00 00 00 00 00 00 00 AB FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 18964 (+0.0200 seconds)

    <--- Send C_GETCHECKSUM
 33

Response: 20964 (+0.0200 seconds)

         <--- Echo C_GETCHECKSUM
33
         <--- Send 16-Bit Checksum Value 0x91AA (from target C16x)
AA 91
         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 22964 (+0.0100 seconds)

    <--- Send C_CALL_FUNCTION
 9F

Response: 24964 (+0.0200 seconds)

         <--- Echo C_CALL_FUNCTION
9F
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 25964 (+0.0100 seconds)

<--- Send C Call Address and Registers R8 to R15
 10 F6 00  : Address = 0x00F610 - EEProm Driver code Entrypoint
 06 00   :  R8 = 0x0006   : Command ID
 00 02   :  R9 = 0x0200
 FF FD   : R10 = 0xFDFF
 00 02   : R11 = 0x0200   : Offset
 00 02   : R12 = 0x0200   : Length
 00 FC   : R13 = 0xFC00   : Copy to address
 03 00   : R14 = 0x0003
 01 00   : R15 = 0x0001

Response: 27964 (+0.0200 seconds)

    <--- Echo C Call Address and Registers R8 to R15 [before execution of call]
10 F6 00  : Address = 0x00F610 - EEProm Driver code Entrypoint
06 00   :  R8 = 0x0006   : Command ID
00 02   :  R9 = 0x0200
FF FD   : R10 = 0xFDFF
00 02   : R11 = 0x0200   : Offset
00 02   : R12 = 0x0200   : Length
00 FC   : R13 = 0xFC00   : Copy to address
03 00   : R14 = 0x0003
01 00   : R15 = 0x0001

<--- Echo C Call Address and Registers R8 to R15 [after execution of call]
03 00
00 02
FF FD
03 00
00 02
00 FC
03 00
00 00

EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 32964 (+0.0100 seconds)

         <--- Send C_READ_BLOCK
 85

Response: 34964 (+0.0200 seconds)

         <--- Echo C_READ_BLOCK
85
         <--- Send A_ACK1
AA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 35964 (+0.0100 seconds)

         <--- Send : Address = 0x00FC00 - EEProm Memory
 00 FC 00
         <--- Send  : Length: 0x0200 (512 Bytes block size)
 00 02   

Response: 37964 (+0.0200 seconds)

         <--- Echo : Address = 0x00FC00 - EEProm Memory
00 FC 00
         <--- Echo  : Length: 0x0200 (512 Bytes block size)
00 02

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

         <--- Send A_ACK2
EA

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request: 89064 (+0.0100 seconds)

         <--- Send C_GETCHECKSUM
 33

Response: 91064 (+0.0200 seconds)

         <--- Echo C_GETCHECKSUM
33
         <--- Send 16-bit checksum 0x00AA
AA 00
         <--- Send A_ACK2
EA
}
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #14 on: November 12, 2020, 06:16:56 AM »

I will document writing our OWN eeprom driver, rather than focus on ArgDubs as its pretty straight forward to do.

I will also show how to read and write to flash in boot mode if anyone is interested using the above method of loading a driver (again the source-code to all the AMD 512k/1mb/2mb flash drivers is available)...

Logged
Pages: [1] 2 3 ... 5
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.044 seconds with 18 queries. (Pretty URLs adds 0s, 0q)