360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« on: January 11, 2022, 05:18:13 PM »
|
|
|
As I'm sure most of you know the ME7's have >2< C167 microcontrollers per ecu. So if you have 2 ecu's your in effect a "Quad core" Beat that Tricore! sorry bad joke. Too much beer My question really is has someone dumped the Internal flash from the Port Expander (ie second) C167 (the Internal mask rom). I'm using a die substrate ecu so it makes it pretty hard to access the very thin lines to put the thing in boot mode but I'm sure on a IC version its possible and someone must have done it?!?! If so anyone got any more detailed information about it? And possible a dumped binary?
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #1 on: January 25, 2022, 05:44:05 PM »
|
|
|
The < 32Kbytes ASIC (gpio expander) firmware is structured into: 1. Initialization 2. General background program 3. A 2ms time task with the collection of all information to be transmitted to the FR 4. Interrupt processing of information to be transmitted and output from the FR to the ASIC-mC (this corresponds to the 10ms task of the FR) - Event-driven interrupt processing of the capture-compare units
Furthermore it seems there are actually at least 4 different hardware variants around of these GPIO extender/Port expanders (maybe more); 1. 80C167CR-LM 4RM 2. 80C167CR-LM 16RM 3. 80C167CR-AB with flash memory 256K flash memory and 20MHz clock frequency ( MCM Multi-Chip Module ) 4. 80C167CR with external 64K/32k EPROM/FLASH-EPROM(8/16Bit-MUX-Bus), 1Mbaud
And at least 8 different variants of the Mask-rom firmware; Program version 7x0000 Program version 7x00001 Program version 7x00002 Program version 7x000021 Program version 7x00003 Program version 7x000031 Program version 7x00004 Program version 7x00005
Here's a detailed breakdown of the firmware;
ERCOS V8 Real Time Operating system files used, about 4kbytes used (same as for Motronic ME7.x itself); - ERCDL00.C Services for deadline checks - ERCDP00.C Dispatcher - ERCET00.C Timer services - ERCIR00.C Interrupt masking - ERCRS00.C Services for resource handling - ERCSC00.C SW scheduling - ERCTM00.C Provides ERCOS system time - ERCTT00.C Time table services
ERCOS header files: - ERCIN.H in the ERCOS folder - ERCOS00.H in the header folder
ERCOS definition files in the main folder: - 7x000c.c ERCOS configuration - 7x000t.c ERCOS task definitions
Program modules in the ASIC folder: - cstart1.asm Startup changed for MCM module - iniasic1.c Basic initialization ASIC-mC - sscasic1.c Operation SSC interface - asicini1.c Ini.ASIC-mC with values from FR - asicupd1.c Update routines ASIC - asicnew1.c Routines for 2ms value acquisition - asicisr1.c Interrupt service routines - asicpwm1.c Input/output config. CAPCOM channels - asicsrv1.c ASIC sub-programs - watchdog.c Watchdog program for ASIC - asicid3.c ASIC identification number - asicref1.c Refresh of DirectionPort registers - ascasic1.c Immobilizer (BMW and PSA Only) - romc1.c ASIC ROM test
Program modules in the UMKOM folder: -umkomu02.c monitoring communication
Header files in the header folder: - asicdef1.h hardware definitions ASIC-mC - asicbit1.h bit definitions - asicnew1.h definitions for asicnew1.c - ascasic1.h definitions for WFS module (BMW) - updblk1.h block definitions ASIC-mC and FR - ercos00.h Header file for ERCOS general headers - reg167.h SFR definitions of the controller - stddef.h standard definitions
Project specific Configuration and control files in the main folder: - 7x000.mak makefile - 7x000.inv invocation file (order file) - 7x000.h header file - 7x000.pjt configuration file (for editing in CodeWrite IDE Project)
Output hex file in the main folder: - 7x00004.hex - 7x00004.bin (< 32 kbytes binary)
Find attached a copy of 7x00004.bin pulled from ecu with 8D0907551M.
Hope this is useful to someone...
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #2 on: January 25, 2022, 05:45:44 PM »
|
|
|
Firmware attached
|
|
|
Logged
|
|
|
|
Neuss
Newbie
Karma: +0/-0
Offline
Posts: 8
|
|
« Reply #3 on: February 09, 2022, 09:06:14 AM »
|
|
|
Why do you need to flash the second processor? Direct access to ports?
|
|
|
Logged
|
|
|
|
prj
|
|
« Reply #4 on: February 09, 2022, 11:26:39 AM »
|
|
|
Why do you need to flash the second processor? Direct access to ports?
You can't flash it, it's OTP.
|
|
|
Logged
|
|
|
|
Neuss
Newbie
Karma: +0/-0
Offline
Posts: 8
|
|
« Reply #5 on: February 12, 2022, 07:51:18 AM »
|
|
|
I ask what is the purpose?
|
|
|
Logged
|
|
|
|
prj
|
|
« Reply #6 on: February 12, 2022, 11:00:02 AM »
|
|
|
I ask what is the purpose?
No, you asked why you want to flash, I am telling you, your question is wrong because it is not possible to flash anything in this processor. The purpose to look at the code is not to modify it, it is to understand how it works.
|
|
|
Logged
|
|
|
|
Neuss
Newbie
Karma: +0/-0
Offline
Posts: 8
|
|
« Reply #7 on: February 14, 2022, 01:26:32 AM »
|
|
|
The main processor reads from the coprocessor words (2 bytes each) about the state of the ADC and inputs. And writes the same words to control the outputs. There is also a function that sends settings to the coprocessor. In fact, the content of the coprocessor firmware is not important. It was of interest to me to find a function for exchanging data with a coprocessor to control it. After that, it became possible to control the inputs and outputs of the Motronic.
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #8 on: February 16, 2022, 02:10:04 PM »
|
|
|
The main processor reads from the coprocessor words (2 bytes each) about the state of the ADC and inputs. And writes the same words to control the outputs. There is also a function that sends settings to the coprocessor. In fact, the content of the coprocessor firmware is not important. It was of interest to me to find a function for exchanging data with a coprocessor to control it. After that, it became possible to control the inputs and outputs of the Motronic.
I found it VERY useful as you can see exactly what pins are connected to each IC by looking at the connected ports. This information is of particular importance if your working on a die substrate ecu... Also if you know what your doing you can always "frankenstein" the ecu and get it to boot from external flash or even boot strap it over k-line. By the way not all ecu's are maskrom, some variants have flash so they can in fact be re-flashed.
|
|
|
Logged
|
|
|
|
flamy
Full Member
Karma: +6/-0
Offline
Posts: 56
|
|
« Reply #9 on: October 10, 2022, 05:32:47 AM »
|
|
|
Could anybody be so kind and give a hint how to read the ROM of the ASIC? Based on the known schematics K-Line is connected surprisingly to the ASIC - but when reading the IROM via MiniMon, instead of the ASICSs one the one from the CPU is transmitted. So maybe it is only a lack of address-space?
|
|
|
Logged
|
|
|
|
flamy
Full Member
Karma: +6/-0
Offline
Posts: 56
|
|
« Reply #10 on: October 10, 2022, 11:14:39 PM »
|
|
|
Found some information from Tony how to read the IROM from the ASIC: For the main CPU you can read the internal ROM through the K-line interface. For the secondary CPU, I soldered some wires to the TX/RX lines of the CPU and then ran that through a max232 to convert TTL to RS232.
|
|
|
Logged
|
|
|
|
Blazius
|
|
« Reply #11 on: October 11, 2022, 04:24:20 AM »
|
|
|
Found some information from Tony how to read the IROM from the ASIC:
But why exactly youd wanna do this ? The 3 irom's for the different cpus for me7.5 are already out there.
|
|
|
Logged
|
|
|
|
flamy
Full Member
Karma: +6/-0
Offline
Posts: 56
|
|
« Reply #12 on: October 11, 2022, 08:08:14 AM »
|
|
|
But why exactly youd wanna do this ? The 3 irom's for the different cpus for me7.5 are already out there.
Also for ME7.1 / 551K ?
|
|
|
Logged
|
|
|
|
Blazius
|
|
« Reply #13 on: October 11, 2022, 09:08:42 AM »
|
|
|
Also for ME7.1 / 551K ?
What is the marking on the CPU?
|
|
|
Logged
|
|
|
|
flamy
Full Member
Karma: +6/-0
Offline
Posts: 56
|
|
« Reply #14 on: October 13, 2022, 11:07:57 AM »
|
|
|
What is the marking on the CPU?
|
|
|
Logged
|
|
|
|
|