Author Topic: How to identify candidate for reverse engineering/flashing in circuit  (Read 15947 times)
thenextdon13
I'm trying to get a handle on how this all works, and at the same time document it for placement into the wiki on this site (as more understanding is built).

This is more of a general info thread than an ME7-specific thread. And hopefully folks don't find this type of thread or questioning a waste of time.

How do you go about identifying a candidate ECU for flashing in circuit, through the OBD port or another method?

I am assuming you have to open ECU and identify memory chip.

Look up the datasheet on the memory chip to find out if it is re-flashable or not.

Identify if the chip can be flashed in circuit (called out somewhere on the datasheet?).

Identify if the pins required to flash the chip in circuit are brought out anywhere on the circuit board.


Are there standard symbols and specification that should be looked for in terms of the communication and boot setting pins?

For example the AM29F800BB-70SI that was in my 2001 a4 b4 1.8t box.  Datasheet http://pdf1.alldatasheet.com/datasheet-pdf/view/55524/AMD/Am29F800BB-70SI.html

The datasheet indicates it can be flashed in-system...
Code:
This device is designed to be programmed in-system with the standard system 5.0 volt VCC supply.
Ok, there's one answer... but now we need to be sure the board has been made to allow this... as well as better understand the protocol...


Is this an important hint?
Code:
The device is entirely command set compatible with the JEDEC single-power-supply Flash standard.

It appears from the datasheet that the 'CE' (Chip Enable), 'OE' (Output Enable) and 'WE' (Write Enable) are particularly important for reading from or writing to the chip.
Code:
Operation  CE#  OE#  WE#  RESET#  A0–A18  DQ0–DQ7  DQ8–DQ15 (BYTE# = VIH)  DQ8–DQ15 (BYTE# = VIL)
Read        L    L    H     H      AIN     DOUT     DOUT                    High-Z
Write       L    H    L     H      AIN     DIN      DIN                     High-Z


These appear to control the chip state or expectancies, i.e. prepare to write or prepare to read from the memory.

If I am reading this correctly, the following pin(s) are actually used for the data transfer...
Code:
DQ15/A-1 = DQ15 (data input/output, word mode),
           A-1 (LSB address input, byte mode)

So, in order to program this chip in circuit, the CE, WE and OE have to be manipulated correctly, and then the DQ15/A-1 is passed data.  Is that accurate?

Is there generally some device such as a max232 which sits between the USB Dongle and the flash chip itself to change the level to 0-5v?  Or do the dongles themselves put out 0-5 volts for communication?

Is there generally some other logic device between the dongle and the chip to control the CE, WE and OE pins after taking input from the dongle?

And, what pin is used to get into boot mode (for the folks that have been using Galletto with other vehicles)-- is this the 'RESET' pin which does the following?
Code:
The hardware RESET# pin terminates any operation
in progress and resets the internal state machine to
reading array data. The RESET# pin may be tied to the
system reset circuitry. A system reset would thus also
reset the device, enabling the system microprocessor
to read the boot-up firmware from the Flash memory.


Thanks for any insight that can be given...  and if these are mundane questions with answers easily available through other documentation, please point toward some..

Camden
Tony@NefMoto

« Reply #1 on: October 15, 2009, 04:30:24 PM »

Every step you have listed is exactly how you do it. And yes it really is that tedious.

This is how I did it myself when I started working on this stuff in 2005.

One thing you have missed though, is that you can use the processor in the ECU to flash the memory chip for you. Since the processor is already connected to all of the pins on the flash memory chip.

Just do some searching for "bootstrap mode" in the C166/C167 processor documentation. There are a number of free programs out there that let you use bootstrap mode in the processor to load any code you want into the RAM of the processor. The trick then is getting code loaded into RAM to actually flash the memory chip.

Many ecu tuners call bootstrap mode "boot mode", but bootstrapping is a common computer science term that most technical documentation refers to.

For the record, the official Bosch flashing protocols have nothing to do with boot strap mode. And to use boot strap mode you need to remove the ecu from the car, open it up, connect wires to the circuit board, etc. If you're like me, this is also when you make a wrong connection and fry one or more ECUs.
« Last Edit: October 15, 2009, 04:32:59 PM by Tony@NefMoto »

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
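The in-system programming step the first post traces through the datasheet (CE#/OE#/WE# cycles, the JEDEC command set, the data pins) and that Reply #1 says a bootstrap-loaded RAM program has to perform, as an added example that is not code from the thread, from NefMoto or from the AMD datasheet: a constructed C model of the 29F800 word-mode program command on the chip side, next to the host-side unlock/program/poll/verify routine. The array size, the timing, and the sim_reset/bus_write/bus_read/flash_program_word names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
/* Scaled-down, constructed model of a 29F800-class flash in word mode: only the
 * JEDEC program command path is modelled, and array size and timing are assumptions. */
#define SIM_WORDS 0x1000u                 /* 4K words here; the real part has 512K */
static uint16_t cell[SIM_WORDS];          /* erased flash reads all ones */
static int      cmd_state;                /* 0 idle, 1 after AA, 2 after 55, 3 after A0 */
static int      busy;                     /* read cycles left in the embedded program algorithm */
static uint16_t busy_data;

void sim_reset(void) {                    /* power-up: blank array, idle command state machine */
    for (unsigned i = 0; i < SIM_WORDS; i++) cell[i] = 0xFFFF;
    cmd_state = busy = 0;
}

/* One bus write cycle: CE#=L, WE#=L, OE#=H (the Write row of the operation table). */
void bus_write(uint32_t addr, uint16_t data) {
    addr &= SIM_WORDS - 1;
    switch (cmd_state) {
    case 0: cmd_state = (addr == 0x555 && data == 0xAA) ? 1 : 0; break;   /* unlock cycle 1 */
    case 1: cmd_state = (addr == 0x2AA && data == 0x55) ? 2 : 0; break;   /* unlock cycle 2 */
    case 2: cmd_state = (addr == 0x555 && data == 0xA0) ? 3 : 0; break;   /* program setup */
    default:                              /* 4th cycle: program address / program data */
        cell[addr] &= data;               /* programming can only clear bits (1 -> 0) */
        busy = 3; busy_data = data; cmd_state = 0;
        break;
    }
}

/* One bus read cycle: CE#=L, OE#=L, WE#=H (the Read row). While the program algorithm
 * runs, DQ7 returns the complement of the programmed bit 7 ("data polling"). */
uint16_t bus_read(uint32_t addr) {
    if (busy > 0) { busy--; return (uint16_t)(~busy_data & 0x80); }
    return cell[addr & (SIM_WORDS - 1)];
}

/* Host-side routine of the kind a bootstrap-loaded RAM program would run: unlock,
 * program, poll DQ7 with a timeout, verify. A write without the unlock cycles is ignored
 * by the chip; a bit already at 0 cannot go back to 1 without an erase, so verify fails. */
bool flash_program_word(uint32_t addr, uint16_t data) {
    bus_write(0x555, 0xAA);
    bus_write(0x2AA, 0x55);
    bus_write(0x555, 0xA0);
    bus_write(addr, data);
    for (int i = 0; i < 1000; i++)        /* DQ7 data polling */
        if ((bus_read(addr) & 0x80) == (data & 0x80))
            return bus_read(addr) == data;
    return false;                         /* DQ7 never matched: program failed */
}
```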
thenextdon13

« Reply #2 on: October 15, 2009, 08:57:18 PM »

OK, good to know I'm on the right track-- kinda heh.

So, this brings up another question: Identification of CPU.  When I first opened the case of my 1.8t a4 AWM ecu ( 4b0 906 018 m / 0 261 206 875 ) months and months ago, I couldn't find a datasheet or information on the internet regarding the part numbers on the CPU itself.  (attaching a picture)... or for that matter virtually anything else on the board aside from the flash chip.  Bosch must be very closed about their components.

The other day I started searching again for it... using b59233 and 1037350115 as shown on the chip.

This time I got a hit on b59233 at http://s4wiki.com/wiki/Bosch_ME7.1 .. which indicates..
"The Bosch ME7.1 Engine Control Unit (ECU) appears to use two 16bit Infineon B59233-FA (aka SAK-C167CR-4RM) CPUs. "

How did Nye T. Liu figure out what this processor was when searches for the part numbers online don't give any seemingly useful results?  I searched for hours at some point for the datasheet for it and kept getting spam searches with things like diodes and such.  Are there any secrets to identifying CPUs aside from googling the part numbers and digging through the results looking for a hit?

Back on topic...

Hmmm so, I suppose to see if you can use the CPU to communicate with flash you will have to trace the 'chip enable' and 'write enable' pins and ensure they are hooked up to some output ports on the CPU.

The bootstrap mode is something that I have been more recently getting a grasp of.  My understanding is that bootstrapping is basically the handoff of hardware control from the bootloader to a secondary piece of software.  The bootloader takes care of communication to/from the CPU until this handoff is made.

What we do by removing the ecu from the car and enabling boot mode is essentially stop the auto-booting that is programmed in at the end of the device initialization by the bootloader.

The bootloader generally includes some communications protocols to allow management of hardware.  In large devices (such as home routers) it even has a built-in command line interface and commands to report things such as memory use or variable/environment information.  Not sure if this is the case with ECU CPUs.



ArgDub

« Reply #3 on: October 17, 2009, 08:18:45 AM »


First post so hello to all...

Quote
From C166 Family User's Manual

The built-in bootstrap loader of the C167CR provides a mechanism to load the startup program, which is executed after reset, via the serial interface. With the BSL it is possible to load a program of 32 bytes into the internal RAM of the C165/C167 via the Serial Port 0 (ASC0), even if there is no internal or external program memory available. This short program can be used to load extensive user software to internal RAM or external memory….

…note that the BSL is not a Flash EPROM programming algorithm. The BSL is a program which can be used to load the Flash EPROM programming algorithm.


Does that mean you can always recover from a wrong flash?  Or you can read by obd even the protected chips?


thenextdon13

« Reply #4 on: October 18, 2009, 08:54:02 PM »

I am no expert, but I would say that sounds right.

Provided you had the right program written to do it.  30 Bytes isn't much space...

But as I read it, you could write a program that then turns and loads an eeprom flashing program, which in turn could flash something, i.e. the default image back off of the flash.

Again, I am no expert and don't really know what I'm talking about here

c
Tony@NefMoto

« Reply #5 on: October 19, 2009, 01:50:13 PM »


Quote
Does that mean you can always recover from a wrong flash?  Or you can read by obd even the protected chips?


That is exactly what it means.

Here is a big hint:
http://www.perschl.at/minimon.html
Tony@NefMoto

« Reply #6 on: October 19, 2009, 01:51:59 PM »

Quote
So, this brings up another question: Identification of CPU.  When I first opened the case of my 1.8t a4 AWM ecu ( 4b0 906 018 m / 0 261 206 875 ) months and months ago, I couldn't find a datasheet or information on the internet regarding the part numbers on the CPU itself.  (attaching a picture)... or for that matter virtually anything else on the board aside from the flash chip.  Bosch must be very closed about their components.

The other day I started searching again for it... using b59233 and 1037350115 as shown on the chip.

This time I got a hit on b59233 at http://s4wiki.com/wiki/Bosch_ME7.1 .. which indicates..
"The Bosch ME7.1 Engine Control Unit (ECU) appears to use two 16bit Infineon B59233-FA (aka SAK-C167CR-4RM) CPUs. "

If I recall correctly, I figured out the processor type using the number b59233. I just kept searching using the different subsets of the part number on the chip.
RaraK

« Reply #7 on: October 27, 2009, 03:25:35 PM »

AUDI A4 18T 4B0906018M 170HP 5 SPEED ME75 CHK:0C89 BOSCH 29F800  0261206875 1037354803
AUDI A4 18T 4B0906018M 170HP 5 SPEED ME75 CHK:0D89 BOSCH 29F800  0261206875 1037354721

There's your software number, one or the other, two versions for your ecu.  If you didn't find it.

All CPUs are Siemens 167CRs, right?



oops, thought you were looking for software numbers in first post, guess not.  where is my head today
« Last Edit: October 27, 2009, 03:44:43 PM by RaraK »
thenextdon13

« Reply #8 on: October 27, 2009, 04:11:39 PM »

Thanks, RaraK.  It's all good, I need to look more into that...

Probably auto vs manual... I would imagine.. or maybe not


Thanks
Camden