Alfa bin files

Bosch Motronic etc ECUs and PCMs
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

Thanks for the help. Just went through the 7000h and looked for the MAPS, got a good result, now to reverse it out...
:D A lot happier...
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

Okay, good progress :D finally...
Any suggestions on why the main subroutines start at the 2000h address?
It appears that the generic Bosch code lives in the first 8k and then the manufacturer's code?
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Alfa bin files

Post by festy »

That's a left-over from the first generation Motronics, where the Bosch code ran from internal ROM and the customer code/maps ran from eprom.

This is a very high level overview of the ML4.1 eprom layout (no internal rom on these)
ML41_eprom_map.jpg
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

That's pretty much where I'm at now.
IDA likes a program start from 2000h; if I run a procedure decode from 20E0h it decodes most of the program, leaving the calibration area undecoded.
The first LCALL after 2000h is to 8000h; changed it to 0000h and it decodes :-).
There's still some weird stuff but getting closer all the time.
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

OK, with some help from Europe...
Here's where it's at.

The bin code from 0000h to 2000h is really 8000h to 10000h.
The missing 2k is in a separate location, probably on the daughter board over the MCU and RAM chips.
Using the ROM image from an M1.3 the EPROM code disassembles in one run with IDA.
There are multiple entry points into the first 2k that are all FFh, so it appears that the M1.7 has a larger program than the M1.3.
Have asked and hoping someone has the ROM image and can forward it to me as I no longer have access to the ECU :(
Going to keep going with the code I have that is complete and leave the bad references until I get a better ROM image.

It's been a massive learning curve and time consuming, :) both I was warned about at the beginning.
However I now have a deeper understanding of the operation which allows better "guesses" LOL.
antus
Site Admin
Posts: 8239
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Alfa bin files

Post by antus »

Well done, there are few who can stick at it and get the results! Top effort :thumbup:
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Alfa bin files

Post by festy »

DieselBob wrote:
OK, with some help from Europe...
Here's where it's at.

The bin code from 0000h to 2000h is really 8000h to 10000h.
The missing 2k is in a separate location, probably on the daughter board over the MCU and RAM chips.

I'm fairly sure the missing 2k is masked ROM on the MCU.
With A15 being tied low, accessing external program space at 9xxxH will really read from external 1xxxH, but accessing program space below 2000H will read from the internal ROM and not external program memory (providing /EA is high).
So the lower 2k really must be on-chip, because without /CS lines there'd be a conflict between the two external program memories, and the 1xxx->9xxx mapping would appear to be pointless...
Also, I'm reasonably sure that the daughter board is a knock filter. It doesn't have enough pins to be a 2k parallel ROM anyway ;)

DieselBob wrote:
Using the ROM image from an M1.3 the EPROM code disassembles in one run with IDA.
There are multiple entry points into the first 2k that are all FFh, so it appears that the M1.7 has a larger program than the M1.3.

Considering how generic the Bosch code is, you could disassemble the M1.3 bin along with its masked 2k ROM, then locate the functions >2k that call the masked routines, then find the corresponding functions in the M1.7 EPROM and work it out that way.
The function offsets in the M1.7's ROM are obviously different to the M1.3, but the functions themselves are probably all but identical.
For example I disassembled a BMW E30 bin the other day, and identified about a dozen of the more interesting routines just by eye because they were so similar to the Alfa bins I've been working on.
The data memory addresses might be different, but generally the registers used will be the same.
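The address mapping festy describes (A15 tied low on the EPROM, the on-chip masked ROM answering fetches below 2000H when /EA is high, the EPROM aliased into the upper half) and the follow-up suggestion of locating the callers of the masked routines can both be scripted. The block below is an added example, not code from the thread, from Bosch or from any tool named in it: it lays a dump out in 8051 program space as the CPU sees it, so it loads at 0000h without hand rebasing, and then lists the LCALL/LJMP sites whose targets fall in the masked region. The 2000h ROM boundary, the 32 KiB EPROM size and the sample bytes are assumptions; the scan is a linear byte scan, so it cannot distinguish code from table data and its hits are candidates to confirm in the disassembler.

```python
"""Added example (not code from the thread or from Bosch): flatten a Motronic
EPROM dump into 8051 program space given A15 tied low and an on-chip masked
ROM, then find LCALL/LJMP sites that target the masked region."""

INTERNAL_ROM_END = 0x2000   # assumed: masked ROM answers fetches below 2000h
EPROM_SIZE = 0x8000         # assumed 32 KiB external EPROM
A15_MASK = 0x7FFF           # A15 tied low: the EPROM never sees address bit 15
LCALL, LJMP = 0x12, 0x02    # 8051 opcodes followed by a big-endian 16-bit target


def program_to_eprom_offset(addr, ea_high=True):
    """EPROM offset that a code fetch at program address `addr` really reads,
    or None when the fetch is answered by the internal ROM (/EA high)."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("8051 program space is 16-bit")
    if ea_high and addr < INTERNAL_ROM_END:
        return None
    return addr & A15_MASK      # 9xxxH -> EPROM 1xxxH, 2xxxH -> EPROM 2xxxH


def build_program_image(eprom, internal_rom=None):
    """Flatten the dump into a 64 KiB image ordered as the CPU sees it.  The
    internal region is 0xFF-filled unless a masked ROM dump is supplied, which
    is why calls into it appear to land on FFh bytes in a bare EPROM image."""
    if len(eprom) != EPROM_SIZE:
        raise ValueError("expected a %d-byte EPROM dump" % EPROM_SIZE)
    image = bytearray(0x10000)
    for addr in range(0x10000):
        off = program_to_eprom_offset(addr)
        image[addr] = 0xFF if off is None else eprom[off]
    if internal_rom is not None:
        if len(internal_rom) != INTERNAL_ROM_END:
            raise ValueError("expected a %d-byte internal ROM dump" % INTERNAL_ROM_END)
        image[:INTERNAL_ROM_END] = internal_rom
    return bytes(image)


def calls_into(image, lo, hi, start=0x8000, end=0x10000):
    """Candidate LCALL/LJMP sites in image[start:end] whose target lies in
    [lo, hi).  Returns {target: [site, ...]}.  Linear byte scan: it cannot tell
    code from tables, so confirm each site in the disassembly."""
    hits = {}
    pc = start
    while pc + 2 < end:
        if image[pc] in (LCALL, LJMP):
            target = (image[pc + 1] << 8) | image[pc + 2]
            if lo <= target < hi:
                hits.setdefault(target, []).append(pc)
            pc += 3             # step over the operand bytes of a plausible instruction
        else:
            pc += 1
    return hits


def masked_entry_points(image):
    """Targets below the internal ROM boundary, most-called first."""
    hits = calls_into(image, 0, INTERNAL_ROM_END)
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def constructed_eprom():
    """Constructed sample dump (not a real Motronic image): a few LCALL/LJMP
    instructions at offsets that the CPU fetches at 80E0h, 8100h, 8200h, 8300h."""
    rom = bytearray([0xFF] * EPROM_SIZE)
    rom[0x00E0:0x00E3] = bytes([LCALL, 0x01, 0x23])   # LCALL 0123h (masked ROM)
    rom[0x0100:0x0103] = bytes([LCALL, 0x01, 0x23])   # second caller of 0123h
    rom[0x0200:0x0203] = bytes([LJMP, 0x04, 0x56])    # LJMP 0456h (masked ROM)
    rom[0x0300:0x0303] = bytes([LCALL, 0x90, 0x00])   # LCALL 9000h (in EPROM)
    return bytes(rom)


if __name__ == "__main__":
    img = build_program_image(constructed_eprom())
    for target, sites in masked_entry_points(img):
        print("%04X called from %s" % (target, ", ".join("%04X" % s for s in sites)))
```

Running it on a real dump means replacing constructed_eprom() with the file contents and, once a masked ROM image is available, passing it as internal_rom; the same masked_entry_points() listing on an M1.3 image and on the M1.7 image gives the two call-site lists to line up against each other, as festy suggests.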
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

And away we go.... :-D
Thanks festy
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

Ok big day today...
With an amazing amount of help from Festy I now have access to the first 8K of ROM.
It would appear that the processor is not a 80535 but a masked 80515.
This means an onboard ROM image that is a pain in the butt to get access to.
Now to go back and look at mnemonics again for 2 weeks and then maybe change the world. LOL
Thanks Festy :D
DieselBob
Posts: 164
Joined: Sun Mar 28, 2010 5:43 pm
cars: Vr SII Ute
Location: Brisbane QLD

Re: Alfa bin files

Post by DieselBob »

Been a while, so here's the story....

After some major upheaval in the home life and now being in my 3rd job in 8 months :D I finally got back to the Motronic.....

Have a good amount of the code labelled and have the main algorithms sorted out.
ADC code is labelled need live inputs to confirm RAM locations.
Serial Comms is labelled, including Hardware/Software transmission code.
All Tables Labelled and Most entry points - including offsets found.

Working my way through the main fuel/timing correction code...
Temperature offsets
Battery voltage adjustments
Still working on the AFM which is the first reason I started......
Have the table lookup sorted out.

Need to hook it all back up on the bench to log the ADC inputs and their RAM locations, trigger the switched inputs to locate bitflags.
LED the outputs to find their bitflags.
Try to work out the XRAM locations to PCM functions.

Festy's rig's about to get another workout :D
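The bench step described above (toggle a switched input, capture RAM, and find the bit that follows it) is a snapshot diff. The block below is an added example, not code from the thread: it keeps only bytes that are constant within each input state and differ between states, which discards counters, timers and ADC results that move between captures, and converts a hit into the 8051 direct bit address that SETB/CLR/JB instructions use, so the flag can be searched for in the disassembly. The 256-byte internal RAM size and the snapshots are constructed for the example, not real ECU captures; the bit-addressable regions (20h-2Fh and SFRs at multiples of 8) are standard 8051.

```python
"""Added example (not code from the thread): locate input bit flags from RAM
snapshots captured with a switched input off and then on, and map a hit to
the 8051 direct bit address used by SETB/CLR/JB."""


def locate_bitflags(off_snaps, on_snaps):
    """Return {(byte_addr, bit): value_when_on} for bits that are stable
    within each group of snapshots and differ between the two groups."""
    size = len(off_snaps[0])
    if any(len(s) != size for s in list(off_snaps) + list(on_snaps)):
        raise ValueError("all snapshots must be the same size")
    flags = {}
    for addr in range(size):
        off_vals = {s[addr] for s in off_snaps}
        on_vals = {s[addr] for s in on_snaps}
        if len(off_vals) != 1 or len(on_vals) != 1:
            continue                 # moving byte: counter, timer, ADC result
        off_b, on_b = off_vals.pop(), on_vals.pop()
        for bit in range(8):
            if (off_b ^ on_b) >> bit & 1:
                flags[(addr, bit)] = (on_b >> bit) & 1
    return flags


def bit_address(byte_addr, bit):
    """8051 direct bit address for a bit in internal RAM, or None when the
    byte is not bit-addressable (only 20h-2Fh and SFRs at multiples of 8)."""
    if 0x20 <= byte_addr <= 0x2F:
        return (byte_addr - 0x20) * 8 + bit
    if byte_addr >= 0x80 and byte_addr % 8 == 0:
        return byte_addr + bit
    return None


def constructed_snapshots():
    """Constructed 256-byte internal RAM images (not real captures): byte 23h
    bit 2 follows the input, byte 30h counts up every capture, the rest is static."""
    base = bytearray(256)
    base[0x23] = 0x41            # bits 0 and 6 set regardless of the input
    base[0x40] = 0x7A            # a static byte, e.g. a calibration-derived value
    off_snaps, on_snaps = [], []
    for i in range(3):
        s = bytearray(base)
        s[0x30] = i
        off_snaps.append(bytes(s))
        s = bytearray(base)
        s[0x30] = 10 + i
        s[0x23] |= 0x04
        on_snaps.append(bytes(s))
    return off_snaps, on_snaps


if __name__ == "__main__":
    off_snaps, on_snaps = constructed_snapshots()
    for (addr, bit), val in sorted(locate_bitflags(off_snaps, on_snaps).items()):
        ba = bit_address(addr, bit)
        print("%02X.%d = %d when input on, bit address %s"
              % (addr, bit, val, "%02X" % ba if ba is not None else "n/a"))
```

Take at least two or three captures per state so that anything that moves on its own is filtered out; with a single capture per state every counter and ADC byte would show up as a false flag.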