Pages: [1]
Author Topic: Weird looking flash content on BMW SMG2 TCU  (Read 2267 times)
sda2
Full Member
***

Karma: +19/-0
Offline Offline

Posts: 68


« on: December 21, 2021, 03:59:59 AM »

Hi Nefmoto,

I want to dig into the C167/AM29F400BB powered SMG (Alfa Selespeed derivate) transmission contro unit and started by unsoldering the flash and reading its content.

Unfortunately the flash content looks pretty weird, so I can't "read" it correctly, like the adress or data lines are shifted somehow when compared to ME7 or MS43.


Read from the flash chip:


Corrected read I was sent:



The flash content itself is correct, I loaded it into my emulator and the TCU works fine with that.

Maybe someone else had to deal with something like that in the past already and can help me with that.
« Last Edit: December 21, 2021, 04:02:09 AM by sda2 » Logged
prj
Hero Member
*****

Karma: +903/-420
Offline Offline

Posts: 5789


« Reply #1 on: December 21, 2021, 06:35:32 AM »

From looking at it some lines are swapped and that's it.
They probably did it to optimize PCB design.
Since it was never intended for the chip to be read in a programmer, you will just have to figure out what to swap where.

Look at every 16 bits in binary representation and it should be very easy to figure out what goes where.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
sda2
Full Member
***

Karma: +19/-0
Offline Offline

Posts: 68


« Reply #2 on: December 22, 2021, 02:09:54 AM »

Thanks for the hint prj, I measured through the data lines that connect the AM29F400BB flash chip to the C167 CPU and found out that they shuffled the connections.

On the left you find the normal setup for this combination, all the AD# lines from the CPU match up the DQ# on the flash chip. But on the right there is the shuffled layout from SMG2 TCU.



So with this information and some python code that a friend quickly hacked together, we are atleast able to convert raw flash content to valid code and data. Back and forth. You will find the converter attached to this post.

You need to install Python 3 and "numPy" module. Then you can simply drag&drop the binary onto it and it will convert it. It has a basic detection of whether its a CPU read, or a flash read based on the first byte being 0xFA (CPU read) or not (flash read).
Logged
prj
Hero Member
*****

Karma: +903/-420
Offline Offline

Posts: 5789


« Reply #3 on: January 04, 2022, 02:06:35 AM »

Btw you can also do this in WinOLS.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.013 seconds with 16 queries. (Pretty URLs adds 0s, 0q)