Reverse Engineering Generic Guide
From Nefmoto
ECU_Hardware
Pinout & Schematic Creation
To understand what the code is doing, you have to know which devices attach to which CPU ports. You do not need to know every input and output, but the more of them you identify, the more of the code you will be able to interpret.
This means that you will need to make some type of schematic or lookup chart to identify CPU pin assignment.
A good place to start is the factory service manual ECU wiring schematic. Create a spreadsheet similar to this one to track what each ECU pin does.
The next step can be to remove the cover from the ECU and identify as many of the chips on the board as you can, through Google searches. Download the datasheets for as many of these as you can as well. This can be problematic as sometimes it can be VERY hard to find datasheets or additional information on certain chips. Do the best you can to begin with, and you can always fill more in later.
Once you know the use of each ECU pin, trace each input/output (i.e. injectors/sensors) pin as far into the ECU as you can using a multimeter on continuity test mode (beep!!). An easy way to do this is to hook up a clamp to the ECU pin and run the other probe across the pins on each of the ICs on the board. Many of the pins will 'disappear' by this method because of resistors, capacitors, etc. in the traces. Some will not. Focus on those to begin with.
The following thread includes an example of what I have found so far with an ME7.5 from a 2001 AWM 1.8T A4 quattro:
http://nefariousmotorsports.com/forum/index.php?topic=65.0
http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=65.0;attach=79
Flashable Via OBD or In-Circuit?
- What makes a readable flash chip?
- What makes an in-circuit writeable flash chip?
- Identify flash chip
- Identify pin that controls boot mode ??? of flash chip
- How to identify if the flash can be done via OBD or other
Communication
Hardware Used
?Basically any EOBD II flasher? (indicated Galletto 1250 worked as sold on eBay)
KWP2000 via OBD port, possibly with boot jumper
Boot jumper is on flash pin 24 (look up what this is)
for 1.8t? check my ecu .. power up and then remove jumper
'bench flash harness', bench flash how-to http://audizine.com/forum/showpost.php?p=3465984&postcount=3
NefMoto's New software -- uses FTDI 232 USB chip, so it will work with any cable containing that chip. Other devices using this chip?
With the VAG KWP2000 protocol you can flash a sector at a time or the entire flash chip. As long as you only erase and flash a sector at a time, the ECU will still boot after a failed flash. Your car will not start due to checksum errors, but you will be able to restart the flash.
KWP1281 and KWP2000 communication protocols
Software Used
Software used to communicate with flash chip (from http://www.audizine.com/forum/showthread.php?t=269322):
-WinOLS (HEX based map editing that will allow you to display them in various ways, will auto find maps but not tell you what they are. There are files called DAMOS files which are 'key' files which contain the info to reveal maps in WinOLS and other tuning software) -- seems to be standard one to use (Notorious vr)
-Galletto (allows the reading and writing of flashes/files to and from the ECU using a KWP2000 cable. So yes you can 'copy' entire ECU's this way.)
-VAG EEPROM Programmer (not quite sure yet, seems like this software lets you directly HEX edit the program in the ECU, be it for mileage changes or otherwise related to tuning)
-KWP2000/KWP2000-ME7 (Flashing of KWP2000 protocol ECU's - ie. Motronic)
-ECM2001 (Tuning of ECU files, checksum correction, plotting of graphs etc. I've read that this software is outdated and is not the best to use, but it will allow you to 'find' maps and possibly even have something similar to DAMOS files where it already knows and points out what areas of the maps do what)
-ECUFix (allows the correction of checksums of edited flashes so the ECU will accept the files and run them).
- MPPS flash tool (pricy) to flash from the OBD port. -- new kwp2000 tool from amt cartech.
- CMD- BDM tool used to connect to ecu pads to flash mk v?
the dog - I do not trust Galletto or KWP2000 to do an OBD flash... I have seen them too many times crashing and locking ECUs... With Galletto I only use bench flash...
ECU_Software
Decompiling Software
IDA Pro disassembler from Data Rescue in Belgium: http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/language/en-GB/Default.aspx
Plugin for CPU (in case of ME7.1 should be Infineon B59233-FA (aka SAK-C167CR-4RM ... http://s4wiki.com/wiki/Bosch_ME7.1
Here, maybe I can redeem myself with this one. IDA plugin for Bosch ME7 files. http://rapidshare.com/files/21381198...hme7x.rar.html
Edit: make sure you have your file split into the 2 files. 1st file = first 64kb (bootloader? It must be. The first set of instructions in an embedded system is always the BL). 2nd file = rest of file. Andy shows you how to load them into IDA in his videos.
(videos here? http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/language/en-GB/Default.aspx)
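The split described in the post above, as an added example (not code from the original page, the poster, or the IDA plugin): it cuts a raw dump at the 64 KB mark, writes both parts, and re-reads them to confirm that together they still hash to the original dump. The output file names and the constructed 256 KiB sample are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

BOOT_SIZE = 64 * 1024  # "first 64kb" in the post above; file offset 0x10000


def split_image(image: bytes, boot_size: int = BOOT_SIZE):
    """Return (first boot_size bytes, remainder) of a raw flash dump."""
    if len(image) <= boot_size:
        raise ValueError(f"dump is {len(image)} bytes, nothing left after {boot_size}")
    return image[:boot_size], image[boot_size:]


def split_file(dump: Path, out_dir: Path) -> dict:
    """Write both parts to out_dir and verify them on disk.

    Output names (<stem>.boot.bin / <stem>.rest.bin) are this example's choice.
    Returns, per part, its file offset in the original dump, size and SHA-256.
    """
    image = dump.read_bytes()
    boot, rest = split_image(image)
    out_dir.mkdir(parents=True, exist_ok=True)
    report, offset = {}, 0
    for suffix, data in ((".boot.bin", boot), (".rest.bin", rest)):
        path = out_dir / (dump.stem + suffix)
        path.write_bytes(data)
        report[path.name] = {
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        offset += len(data)
    # Re-read both parts: joined together they must hash to the original dump,
    # otherwise the disassembly would be of something other than what was read.
    joined = b"".join((out_dir / name).read_bytes() for name in report)
    if hashlib.sha256(joined).digest() != hashlib.sha256(image).digest():
        raise IOError("split parts do not rebuild the original dump")
    return report


def demo() -> dict:
    """Split a constructed 256 KiB sample (not a real ECU image)."""
    sample = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(256 * 1024))
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "sample.bin"
        dump.write_bytes(sample)
        return split_file(dump, Path(tmp) / "parts")


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: offset 0x{info['offset']:06X} size {info['size']}")
```

The reported offset of the second part (0x10000) is its position in the original dump file, which is what lets an address seen in the second file be mapped back to the full image.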
I've got a cracked ecux on my laptop but it's in the car and I'm on my PC.
Things to look for in the code -- i.e. tables
Things to look for on the internet, i.e. definitions files?
Checksums?
WinOLS told me 5 checksums were incorrect when I first loaded the file that I modified from TunerPro. After opening the file though, WinOLS verified and reported that all the checksums were OK; at that point I then saved the .bin file from WinOLS and used that file to flash the ECU.