I need a couple of aftermarket ECU's for some project cars and engine swaps. I've been using older Delco ECU's in the past with modified firmware but I'm looking for something a little more capable.

Why the ME7.4.4?
They are the cheapest OEM ECU available ($50 shipped, new) with no apparent limit in availability (alibaba/aliexpress/ebay/amazon).
New ECU connectors and looms are available just as readily ($50 shipped, 3plugs with labeled wiring/pigtails included).

End goal?
Real time tunable ECU with loom for under $100. GUI front end for tuning/logging.
VAG-KKL or similar interface for PC connection
Speed Density preferred but MAF isn't a deal-breaker.

The bare minimum:
Remove all IMMO code and any CANbus dependencies usually required to keep the ECU happy.
Remove any security/seed/key code to make flashing easy.
Identify all maps, RAM variables and tables.
Real time tunable - Depending on RAM availability, copy a target map to RAM to allow changes in real time. If we're short on RAM, we can always add FRAM to the motherboard and map it into the address space (as done in the older Delco ECU's for real time tuning)

Qualifications:
My day job is working with 8bit and 32bit assembly on various CPU families and reverse engineering hardware and firmware. I have no experience with the C167 but glancing over the instruction set, it's nothing too out of the ordinary. Some experience with Windows GUI/CPP programming. I've got a chassis dyno in the shed and have a bit of experience with tuning.

Where I'm at:
I've ordered a K-tag, VAG-KKL, 2 new ME744's (chinese manufactured), and one used ME744(German manufactured). I'm waiting on a quote for the ECU connectors with a 2meter loom so I can bench test full I/O, injectors, spark, etc. K-tag and ecu's should arrive in around 2 weeks.

I've found multiple flash dumps online but as these are all missing the CPU's boot-rom, there's not a lot of work I can do in IDA until I get hold of the ECU. Unless someone here has a Ktag and ME744 they could dump the bootrom/flash/eeprom out of?

The hard parts:
Identifying functions - There's some great tools in this forum to help with this, hopefully 360trev's ME7RomTool will help here.
Identifying RAM Variables - reversing the diagnostics protocol the ECU usually uses will help find the basics. Finding RAM references from the various functions will fill in the gaps.
Reverse engineering the CC650 Knock IC ASIC. To make good use of the hardware we really need a full understanding of how to tune the center freq and bandwidth.
Map out all available IO - I've read in some threads here that the narrowband input is wideband compatible (0-5v). The SpeedDensity thread is interesting too.

So that's the plan! I'll keep you updated with any progress. If anyone has a dump of the bootrom, or info on functions, memory maps, variable addresses, CC650, the bosch comms protocol or anything else that could make this project easier please send it over!

I'd strongly recommend you start with a slightly newer ECU for this, because you can get an A2L (all RAM and calibration variables) a leaked ELF with DWARF (all function symbols), or in some cases all source code. Also newer ECUs generally offer much higher flexibility in terms of knock calibration so you don't need to reverse the sensor acquisition and could probably just calibrate the knock model.

CAN with CCP/XCP, your own patched UDS handlers, or custom-handler based logging like prj's infamous tool will be significantly faster and better for logging and live tuning than KWP serial, even with DDLI hacks (ME7Logger/APR) or McMess.

On the flip side with a newer ECU comes more complexity in number of maps and overall control model, but I'd rather have more complex models to short circuit than be stuck tediously reversing map addresses any day of the week. Just an idea, if you are serious about trying to make your own software.

If you aren't serious about trying to make your own software, you could also just find a hardware/software version of ME7 that is already properly defined and you're set, no RE work needed, just edit the calibration. I think Marty, nameless_, and many others have used ME7 as standalone in the past on all kinds of cars using just calibration changes.

Or just flash ME7.1 with the Bosch MS4 stuff.
It talks CCP, the A2L came with the software if you can dig it out.

After that it is possible to use CCP for both live tuning and data logging.

http://nefariousmotorsports.com/forum/index.php?topic=15215.0title=

Here is some info.

Not sure if it is possible to get the files anywhere. And you will need INCA probably.

Thanks for the input guys, you've given me a fair bit to consider.

I was leaning towards the 7.4.4 mainly due to price and availability (~$35 brand new, with $50 brand new looms available too). Newer ECU's have a better selection of decompilers/debugging/compilers but over here (Australia) they're not all that common or cheap. I'll look into the 7.5.10, if it's more suitable then I'll probably go with that instead. There's a dozen secondhand units overseas for about the same price as a 7.4.4 plus shipping. Thanks for the suggestion!

I've found an A2L file for this ecu and it's largely all mapped out in terms of maps and ram variables. That should make tuning and replacing functions a little easier.

Time=Money, I completely agree but at the same time this is a hobby and we (mostly) never get back what we pour into a hobby so I'm not too worried about this taking longer than expected.

A complete recode vs just tuning the maps... I've been reading up about the torque based strategy these use and it's looking like there will be a lot of back and forward through different maps during tuning. Not ideal, especially with the limited RAM and the requirement of real time tuning. I'm leaning towards a full re-write of the code, just simple speed density.

I've read conflicting specs about the internal ram. The datasheets suggest 2k SRAM, 2k XRAM. Some forums suggest 64kbytes or even as much as 128kbytes of SRAM hidden away in there. I guess I won't know until I get an ECU here and code up a read/write test throughout the full memory map to see what is inside.

The Delco I'm using now is pretty basic, speed density, a dozen maps. It shouldn't take too long to port that code over once the basic IO's are all reversed. The Delco is slow, has limited resolution on injection and timing control, no knock support and is batch fire with a single spark output (dizzy). Even just getting this Delco code running on a newer CPU (with hardware division), 60-2 trigger wheel support, sequential injection, coil on plug etc I'll be happy. Add in a nice GUI front end for real time tuning and it'll be a pretty handy cheap aftermarket setup.

The Keil C166 IDE has a few nice examples for C167 CPU's including a simple monitor to read/write IO and read ADC values. That should make RE of the port IO a lot faster though I suspect a few analog signals are going through the Knock IC. Once I have the port address of the IC it shouldn't be too hard to reverse the Init code for the knock variables and the ADC channels.

Yes, the so-called "MCU" aka Mask ROM aka onboard OTP is, indeed, not reprogrammable. You can definitely hack around this if you're building your own thing from scratch.

But, you just discovering this raises some questions in my mind... you are also aware of the port expander and how it works? It seems like you haven't dug all the way into ME7 before deciding to use it. I'm questioning your approach more the more I read, honestly - porting another OEM firmware across seems both overly ambitious and probably not efficient time wise, for a lot of reasons.

I've been interested in the idea of building a full standalone ECU software for cheap OEM ECUs for years, but there's a lot more to it than meets the eye, and it's so hard to actually follow through with this kind of idea when the shiny working OEM software is sitting right there. I'd really love to see an open source ECU firmware (RusEFI type thing) running on OEM hardware, but unfortunately the OEM hardware is always quite complicated and uses some undocumented hardware or another that becomes a very thorny RE effort to understand. I think the RusEFI folks were looking at some point at some unbelievably cursed Russian OEM ECUs which use Chinese knockoff STM32s (Artery, Nations, etc...) to repurpose, but that's the most work I've really seen in that direction.

It's actually another C167. This is why I was asking. Since you didn't look, here you go.

https://nefariousmotorsports.com/forum/index.php?action=printpage;topic=20322.0

On ME7.5/ME7.1 etc there are 2x C167 on the board.