This post kind of made me about the ECU and software versions, since software is my trade I want to think out loud about this.

ecuedit wrote:Hi,
for all information you would have to get source code for compiling sw to bin ;)
Thats's quite a top secret...

There is no easy way for sure.
Its bad that every sw no. has maps and data on different addresses.
But everything can be done.

It would be interesting to know if they intentionally make signature bytes different in different versions of SW, or is it just a consequence of evolving software?

Going out on a limb here, so bear with me ;)

At some point in time factory makes version 1 of software, compiles it, burns it to ECU, configures the parameters, tunes it and uses it in cars that come off the production line from day 0.
After some time passes, bugs are found either in software or hardware, maybe some hardware components need changing, or changes to car was made (face lift, whatever).
Now they are forced to make fixes to the software source code 1 and release it as 2. They want to do fixes at minimum as much as possible - solve the problem but do not introduce changes and new bugs to other functioning parts - don't fix it if it ain't broken. Maybe a function needed fixing, new constant added or removed, improve some algorithm, whatever. All these software changes in source code 2 result in the bin file changes. Offsets move, values are a bit different, etc. Usually executable and data parts of the binary are separated (this has to do with CPU - memory wiring and the way CPU works). Executable bits is what a CPU takes as commands to execute (load value, store value, add, subtract,..) and data bits are what gets loaded, stored, added, subtracted by those commands. Calculation results are temporary saved in the RAM memory not in EEPROM, which is not so important right now. If I wanted to know more, I would need CPU datasheet and wiring schematic to the ECU.

In my study I compared three bins from the same make, model, year, ecu BUT different software versions (I used 406 2.2 HDI EDC15C2 bins found on this forum)., SW versions 1037353776 vs. 1037364307 vs. 1037364397. I was examining WinOLS hexdumps and also dumped all bins to text file and compared three hexdumps as text one beside the other.

My view of EDC15C2 bin through 8-bit and 16-bit dumps

00000000 - 00007FF0 : empty markers (0xC3C3), this is also a good indicator to spot in the map area - you know it is not part of the map :)

00008000 - 0000FFFF : some executable code, no differences, most certainly some static executable code that is never(?) changed, could be bootloader that CPU uses, or some other auxiliary code.

00010000 - 00013FFF : some differences start to appear, looks like some kind of address table for CPU. 16-bit or 32-bit addresses come to mind, low at start, gradually increasing, no constant difference.
Last few words are checksum of this section - something(?)

00014000 - 00016FFF : differences in some lines, looks like executable data

00017000 - 00019FFF : 99% differences, looks like executable data

0001A000 - 0001A400 : 1 % differences, looks like executable data

0001A400 - 0005FFFF : 100% difference (ignoring padding with 0xC3C3 at the end). This is likely our executable code that is different among software versions. Almost every byte in this region is different from map to map. What backups up my theory about software versions is the fact that for each bin file compared, length of this region is different (when ignoring 0xC3C3 at the end of this region) - changes in software sources were made. So:
- 1037353776 ends at 00055420
- 1037364307 ends at 000575c0
- 1037364397 ends at 00058b80

I can see some pattern here ;) Each newer software version version has few bytes larger executable payload what would explain that somethings need fixing / adding / changing in later versions.

Lets try to correlate HW versions to see if we have some chronological order there, too:

Code: Select all

       SW           --          HW
1037353776 -- 0281010877
1037364307 -- 0281010876
1037364397 -- 0281011132


Almost... I'm not sure what the hardware version is meant to "version" exactly - ECU electronics / chips / PCB?

Last few words are checksum of this section - something(?)

00060000 - 0006FFFF : First map area. This what we are here for. Data here is more or less different, except for axis values nad maybe some other things (maps?). For example near address 00061300 all bins have a same set of data 9x9 - what appears to be a map. Changes in the software also affected offsets in map area. This could be due to new map, axis, switch, etc. data was added / removed to / from the map area. Minor differences in map values itself might be caused by the factory reconfiguration / tunning of the ECU after software was updated. Signature byte differences are interesting, too:

Code: Select all

       SW           -- RPM        IQ 1       IQ 2      ???
1037353776 -- 50222  50826   50850  53248
1037364307 -- 50232  50834   50856  53248
1037364397 -- 50242  50840   50864  53248


Signature Byte seem to follow some kind of a pattern in terms of offsets, eg. offset among bins for a given S.B seems to be constant: RPM = 10, IQ1 = 6, IQ2 = 6, .. others need checking..

It would be interesting to see if there could be same S.B. value for different axis in two different bins :?:
But, I spotted this strange S.B. 53248 (if that is what it is :?:) in all three bins, two occurrences one on each map area start ..

00070000 - 0007FFFF : Second map area. Why do we have two map areas? Redundancy maybe?
There are some differences between the first and this map area - first has SVBLs between SOI and Injection Duration, the other has Pilot Injection map.


I this makes some sense.. feel free to correct me where I'm wrong :)

I'll keep an eye on this thread, which is very interesting. Although I see something in the above post that is not 100% correct, that could very much be due to my lack of knowledge of something.

It is very common for a maker to provide new SW numbers for cars in production, as an example if you have an RCZ HDi you ow can go the the dealers to have a free software update done. I wonder if this kind of software update updates only SW or also HW numbers - this'd be very strange, but I also noticed the HW numbers on similar-aged 406s vary wildly. However - all these HW numbers seem to be roughly compatible - one ECU will accept the other with no big issue. This of course is "very bad tuning practice" and is dagerous, but the interesting thing is that some HW numbers may actually be compatible.
I also wonder if it would be possible to find out which kind of program makers (or is it the ECU builder?) use to program ECUs, and which kind of programming language that is - of course it'll be dedicated to that only. There are many "upgraded" ECU available on the net that can go in place of a standard ECU, so it is possible to replicate (reverse-engineering?) the working of the ECU SW and HW, in fact it's not a very complicated device, if one can reverse-engineer very complicated software stacks (see NTFS drivers for instance) then it would not be too hard to RI an ECU map!

OdinEidolon wrote:I'll keep an eye on this thread, which is very interesting. Although I see something in the above post that is not 100% correct, that could very much be due to my lack of knowledge of something.

I made a lot of assumptions above. So this info needs to be tuned.. Stay tuned for more, I need to verify few things. :lol:

OdinEidolon wrote:It is very common for a maker to provide new SW numbers for cars in production, as an example if you have an RCZ HDi you ow can go the the dealers to have a free software update done.

Having a SW introduced during production makes sense, too. Actually its quite natural if you think about it. But I guess it does not really matter at which point in time did we see SW version bump as long their version number is incremented.

OdinEidolon wrote:I wonder if this kind of software update updates only SW or also HW numbers - this'd be very strange, but I also noticed the HW numbers on similar-aged 406s vary wildly. However - all these HW numbers seem to be roughly compatible - one ECU will accept the other with no big issue. This of course is "very bad tuning practice" and is dagerous, but the interesting thing is that some HW numbers may actually be compatible.

Q: Looking at the list here peugeot-406-hdi-2-2-all-known-ecu-sw-and-hw-versions-t199 I can see that many HW version are supported in different SW versions. For obvious reasons it is easier to change SW than HW, if possible.

Lets assume that HW version is related only to ECU PCB, chips, wiring and connector. Not every change in HW would "break" software - eg. resistor or capacitor replacement could affect HW version, but SW is not concerned with this change. Resulting in many version of SW that are "compatible" with different versions of HW and/or a given SW version might be successfully used on two or more HW versions.

OTOH, if an active component (chip) would be replaced due to obsolescence HW change would result a SW change for sure.

It works the other way around, too. SW can be changed many times and HW can remain intact.

OdinEidolon wrote:I also wonder if it would be possible to find out which kind of program makers (or is it the ECU builder?) use to program ECUs, and which kind of programming language that is - of course it'll be dedicated to that only.

Judging from the pictures I've seen of EDC15C2 we have a 16bit Infineon B59233 CPU - more precisely SAK-C167CR-4RM, in short c167. The same CPU is used in ME7.1 and ME7.5 - http://s4wiki.com/wiki/Bosch_ME7.1.

Is the picture of EDC15C2 we have here resources/peugeot-406-2002-2-2-hdi-manual-edc15c2/thumb/116 from a forum member or from the Internet?

Development in probably done in C and assembler. Several companies provide toolchains can be used to produce runnable code for c167. I believe that Keil c166 toolchain is used in ECUs. I've tried disassembling the bin using IDA and information found here http://www.nefariousmotorsports.com/wik ... /Main_Page. What we need is internal ROM dump from one of the EDC15C2 ECUs to get things rolling in the right direction - any volunteers? ;) Then someone needs to sit down for a few days and spent sometime with the disassembler :ugeek: ..

OdinEidolon wrote:There are many "upgraded" ECU available on the net that can go in place of a standard ECU, so it is possible to replicate (reverse-engineering?) the working of the ECU SW and HW, in fact it's not a very complicated device, if one can reverse-engineer very complicated software stacks (see NTFS drivers for instance) then it would not be too hard to RI an ECU map!

What do you mean by "upgraded"? Like old HW with some newer SW that someone flashed?

It is possible. It was done before. Nothing gets away from reverse engineers :lol: Those guys are doing it on ME7.1.
To reverse engineer a hex dump, we need to know:
- CPU type and make
- CPU instruction set
- CPU toolchain
- disassembler that can work with our CPU
- memory type, size, organization
- ECU schematics or at least CPU <--> memory wiring, peripheral wiring

I've got most of the stuff nailed, but I lack of internal ROM of c167 for EDC15C2. Those guys have it from ME7.1 but I doubt strongly it is the same.

Q: Anyone got EDC15C2 on a bench that could try this out?

Then the goal is to understand the operation of the ECU - in turn this could lead to universal bin -> damos conversion. :twisted:, theres more, for example monitoring utility exists that can display CPU operations that is c167 currently carrying out.. in real-time 8-)

All your considerations above make very much sense.
I'm sure providing a ROM dump could be possible for some member.

By "upgraded" I mean aftermarket - ECUs that get used in highly tuned engines where the standard ECU would not be able to cope with all the modifications.

If it's programmed in C and assembler, that's amazing. It could be easily understandable and, more importantly, modified.

One could also purchase a fried ECU hoping the ROM and CPU are still fine, just to experiment on it.

Your long and detailed post would deserve a more articulated answer but I'm in a hurry right now, sorry ;)

OdinEidolon wrote:
If it's programmed in C and assembler, that's amazing. It could be easily understandable and, more importantly, modified.

I would leave out "easily understandable" bit out here :lol:. Once we get ECU bin disassembled we only get assembler instructions, still pretty low level - no C here. But it is definitively easier to find a solution if there a more people looking at the problem.

My first goal would be to locate all the checksum functions and the locations from where they are called. Andy (http://andywhittaker.com) did a great job with ME7.1 and he also provided info and some videos on how he did it. Not a complete work but definitely on the right track. Needless to say, if we know how to calculate checksums in the ECU bin, no-one needs to buy WinOLS to produce checksummed maps 8-).

OdinEidolon wrote:One could also purchase a fried ECU hoping the ROM and CPU are still fine, just to experiment on it.

I know some dude in UK that breaks 406 coupes for spare parts.. I'll ask him how much would it cost get a working EDC15C2.

hinkxx wrote:

OdinEidolon wrote:
If it's programmed in C and assembler, that's amazing. It could be easily understandable and, more importantly, modified.

I would leave out "easily understandable" bit out here :lol:. Once we get ECU bin disassembled we only get assembler instructions, still pretty low level - no C here. But it is definitively easier to find a solution if there a more people looking at the problem.

My first goal would be to locate all the checksum functions and the locations from where they are called. Andy (http://andywhittaker.com) did a great job with ME7.1 and he also provided info and some videos on how he did it. Not a complete work but definitely on the right track. Needless to say, if we know how to calculate checksums in the ECU bin, no-one needs to buy WinOLS to produce checksummed maps 8-).

OdinEidolon wrote:One could also purchase a fried ECU hoping the ROM and CPU are still fine, just to experiment on it.

I know some dude in UK that breaks 406 coupes for spare parts.. I'll ask him how much would it cost get a working EDC15C2.

Sure, Adrian (Ade1122). If you buy from him tell him I (Adriano from Italy) sent you, he may give you a discount ;)

hinkxx wrote:It would be interesting to know if they intentionally make signature bytes different in different versions of SW, or is it just a consequence of evolving software?

I think I have the answer to this now.
They just number the damn things in sequence.. single SW number can be found in combination with many HW numbers, I'm not sure if other around also holds true.

hinkxx wrote:Going out on a limb here, so bear with me ;)

At some point in time factory makes version 1 of software, compiles it, burns it to ECU, configures the parameters, tunes it and uses it in cars that come off the production line from day 0.
After some time passes, bugs are found either in software or hardware, maybe some hardware components need changing, or changes to car was made (face lift, whatever).
Now they are forced to make fixes to the software source code 1 and release it as 2. They want to do fixes at minimum as much as possible - solve the problem but do not introduce changes and new bugs to other functioning parts - don't fix it if it ain't broken. Maybe a function needed fixing, new constant added or removed, improve some algorithm, whatever. All these software changes in source code 2 result in the bin file changes. Offsets move, values are a bit different, etc. Usually executable and data parts of the binary are separated (this has to do with CPU - memory wiring and the way CPU works). Executable bits is what a CPU takes as commands to execute (load value, store value, add, subtract,..) and data bits are what gets loaded, stored, added, subtracted by those commands. Calculation results are temporary saved in the RAM memory not in EEPROM, which is not so important right now. If I wanted to know more, I would need CPU datasheet and wiring schematic to the ECU.

Everything about the SW and HW versions is probably straight through wrong.
Another argument to falsify version blaber above is what we know already: It is not advisable to put SW from another ECU with different HW. Why? Well, Bosch would never tell us when they changed HW, SW,.. most likely not implicitly by releasing only few SW and HW versions.

See the memory map I've managed to construct below - still work in progress.

hinkxx wrote:00000000 - 00007FF0 : CPU Internal ROM
00008000 - 0000FFFF : CPU RAM, registers

I was quite close with this two ;)
This area is reserved for CPU registers, RAM, ROM.. First 32 kB is CPU Internal ROM, where boot loader resides. We do not see the actual code here. It needs to be downloaded from the CPU while it is in boot mode (the CPU not the external FLASH). When we download bin using Galetto or similar tools, this CPU Internal ROM can not be accessed hence the 0x3C3C dummy values.. One needs to bench an ECU, start it up with CPU in boot mode and then read the Internal ROM using a SW utility available from Infenion.

hinkxx wrote:00010000 - 00013FFF : code / data
00014000 - 00016FFF : code / data
00017000 - 00019FFF : code / data
0001A000 - 0001A400 : code / data
0001A400 - 0005FFFF : code / data
00060000 - 0006FFFF : First map area. Data only?
00070000 - 0007FFFF : Second map area. Data only?

This is the rest of the code. It is located in the external ROM - FLASH memory. This is valid 16-bit code / data, AFAIK data can be interleaved between code sections. We can have up to 512kB of data here.

Placing boot loader and this chunk of code on correct addresses in IDA along with some DPP fiddling should yield a complete picture of what CPU sees. Disassemble that, and new world opens 8-)

hinkxx wrote:What backups up my theory about software versions is the fact that for each bin file compared, length of this region is different (when ignoring 0xC3C3 at the end of this region) - changes in software sources were made. So:
- 1037353776 ends at 00055420
- 1037364307 ends at 000575c0
- 1037364397 ends at 00058b80

I can see some pattern here ;) Each newer software version version has few bytes larger executable payload what would explain that somethings need fixing / adding / changing in later versions.

Partially correct on this one.
SW changes are present - I will need to disassemble several bin to be sure what kind of changes.
But SW versions are more likely just sequentially numbered since there are more than 15k different ones. Also other threads here say something to support this new assumption.
Probably similar rules apply for HW numbers, too.

hinkxx wrote:Almost... I'm not sure what the hardware version is meant to "version" exactly - ECU electronics / chips / PCB?

It is a Bosch part number, not a version.

Checksums are present at multiple locations. Different algorithms were probably used to calculate these checksums. There probably exists several partial checksums and one that takes all the FLASH into account (at the end of FLASH).

This is our memory map as CPU sees it:

Sorry I gave up aligning these columns.. admin you need to set monospaced font for <code> tags, thats what makes it useful ;) I like the color though..

Code: Select all

Name               Start          End       R W X D L Align Base Type   Class AD DPP0 DPP1 DPP2 DPP3
ROM               00000000 00008000 ? ? ? . .     word 0002 public CODE 16 0204 0205 00E0 0003
MEM_EXT     00008000 0000E000 ? ? ? . .     word 0003 public CODE 16 0204 0205 00E0 0003
XRAM             0000E000 0000E800 ? ? ? . .    word 0004 public DATA  16 0204 0205 00E0 0003
RESERVED    0000E800 0000EF00 ? ? ? . .    word 0005 public BSS     16 0204 0205 00E0 0003
CAN1              0000EF00 0000F000 ? ? ? . .     word 0006 public DATA 16 0204 0205 00E0 0003
E_SFR             0000F000 0000F200 ? ? ? . .     word 0007 public DATA 16 0204 0205 00E0 0003
RESERVED    0000F200 0000F600 ? ? ? . .     word 0008 public BSS     16 0204 0205 00E0 0003
IRAM              0000F600 0000FE00 ? ? ? . .     word 0009 public CODE 16 0204 0205 00E0 0003
SFR                 0000FE00 00010000 ? ? ? . .      word 000A public DATA 16 0204 0205 00E0 0003
RAM               00380000 00390000 ? ? ? . .      word 0000 public              16 0204 0205 00E0 0003
FLASH            00000000 00080000 ? ? ? . .      word 000B public CODE 32 0204 0205 00E0 0003


What is not concrete is RAM and FLASH Start/End addresses, also DPPx values are probably wrong.

Everything else is per datasheet for SAK-C167CR-4RM CPU.

I do not have the actual readout of CPU Internal ROM from EDC15C2, so this information is subject to change.

Very nice research job there! I'll look into it later if I don't fall sleeping on the desk :lol:
Too much work, too much study ;)

OdinEidolon wrote:Very nice research job there! I'll look into it later if I don't fall sleeping on the desk :lol:
Too much work, too much study ;)

I hear you there m8, :D
I've got so much on the plate here that my dual core is constantly at 60% both cores :lol: I can't afford to close any tabs as the info is not digested yet, disk is piling up with stuff I'm afraid I'll never read, in between hundreds of questions seek the answer .. :roll: how long will this last.. :?

hinkxx wrote:

OdinEidolon wrote:Very nice research job there! I'll look into it later if I don't fall sleeping on the desk :lol:
Too much work, too much study ;)

I hear you there m8, :D
I've got so much on the plate here that my dual core is constantly at 60% both cores :lol: I can't afford to close any tabs as the info is not digested yet, disk is piling up with stuff I'm afraid I'll never read, in between hundreds of questions seek the answer .. :roll: how long will this last.. :?

That's why I got an SSD on this laptop, it's 64gb (10gb W XP for diag, the rest is Linux) so that I'm forced to read or trash most stuff immediately, or I run out of space :lol: