Motronic 2.8.1 code disassembly and custom code

Bosch Motronic etc ECUs and PCMs
Post Reply
tjwasiak
Posts: 16
Joined: Sat Jun 06, 2015 6:17 am
cars: '94 Opel Omega MV6
'98 Opel Omega Sport
...
Location: Warsaw, Poland

Motronic 2.8.1 code disassembly and custom code

Post by tjwasiak »

I am working on disassembly of M2.8.1 code (you can find stock file here). It is used in X30XE powered Opel Omega (V6 engine, MAF based, sequential injection organized in 2 banks, wasted spark ignition, 2 narrowband oxygen sensors, EGR and SAI). I am not sure but I suppose also Cadillac Catera uses same ECU (maybe running different software). This ECU (like other MLx.y/M1.x/M4.x Motronics) uses microcontroller derived from original Intel 8051 design. I believe it is Siemens/Infineon 80C517A. Unfortunately my disassembly skills are poor but after many hours I properly labelled at least map lookup and mathematical functions. I hope I will understand and label other functions but in the mean time I would like to add some functionality. The most important thing for me is custom logging routine as OEM protocol is just too slow (9600bps and 68 parameters to send, it seems ECU is to busy to send any data around 3800 RPM at WOT so it is really hard to get meaningful data). I am quite confident I will be able to write logging routine on my own but I faced another problem. It have taken me nearly a week to find a way to communicate with ECU over serial connection through K-Line. For now it is rather dirty way as I have just replaced stock serial communication interrupt routine (located @0x0410) with my own function. For now I just would like to be able to send to ECU a command and receive requested data in response (RAM dump, XRAM dump, current data from all 12 ADC channels in full 10 bit resolution). I have to admit it is sort of working as I am able to get response from the ECU (to simplify my tests I set it so it just acknowledge receiving a command but I have full routine ready) but I have to send at least 2 bytes to the ECU to get any response. Is it because first received byte just triggers serial interrupt? Is there any way not to loose this data?
For the tests I am using such a code:

Code: Select all

PUSH ACC
SETB BD ; use dedicated serial0 baud rate generator
MOV S0CON, #0x50 ; mode1 <=> 8bit UART, receive enabled
MOV S0RELH, #0x3
MOV SORELL, #0xE6
ORL PCON, #0x80 ; use 19200bps data rate, also tested 9600bps and 38400bps to
                           be working over MAX232 based RS-232 KKL cable, 62500bps
                           tested to be working over genuine Ross-Tech VCDS HEX-USB KKL
                           cable, unfortunately 125000bps is not working
JNB RI0, $
CLR RI0
MOV A, S0BUF
CLR REN0 ; K-Line is half duplex line
CLR TI0
MOV S0BUF, #0x41 ; letter A
FD JNB TI0, $
CLR TI0
MOV S0BUF, #0x43 ; letter C
JNB TI0, $
CLR TI0
MOV S0BUF, #0x4B ; letter K
JNB TI0, $
CLR TI0
MOV S0BUF, #0x20 ; space
JNB TI0, $
CLR TI0
MOV S0BUF, A ; data send by user
FD JNB TI0, $
CLR TI0
SETB REN0 ; reenable receive
POP ACC
RETI ; this routine replaced normal serial communication interrupt routine
I believe there are people with much better 8051 assembly skills here at PCMHacking forum so perhaps someone could help me with those small issues I am facing. Most important questions (at least for now) are already asked above. Next biggest problem is where should I insert lcall to my code so it would be executed at every ECU loop (I already tried "a few" places but were unable to communicate with ECU - I am not sure if my code was ever run or if it was a problem with OEM serial code interference as I do not understand how is serial communication working in stock form - Bosch/GM serial interrupt routine does more or less nothing related to communication - it kicks in if RAM_29.2 bit is set (otherwise it just disables serial interrupt) and just moves some data to and from XRAM, including received byte. I hoped it should be sufficient to CLR RAM_29.2 together with 4th bit of IEN0 not to get any issues with normal communication routines (which still might be true as I am not sure if my code had been run at least once despite trying to lcall it from different places). I am going to use a routine (based on idea and code from M4.4 enhancement described here) which will let you switch between OEM diagnostics and my custom logging routines.
For now my logging routine would be quite poor as I have not located many parameters which are stored in XRAM so I hope I will be able to extend it when my disassembly will get further.
tjwasiak
Posts: 16
Joined: Sat Jun 06, 2015 6:17 am
cars: '94 Opel Omega MV6
'98 Opel Omega Sport
...
Location: Warsaw, Poland

Re: Motronic 2.8.1 code disassembly and custom code

Post by tjwasiak »

I do not know if anyone is interested but got some positive results.
I have dumped RAM, XRAM and double checked ADC channels. Unfortunately still using a routine which replaces stock serial interface interrupt code as I did not find any other way to be able to communicate with ECU.

Code: Select all

ADC channel 0x00 - MAF
                  0x01 - power supply voltage (used in injector deadtime and coils dwell time calculations)
                  0x02 - IAT
                  0x03 - coolant temperature - both IAT and CLT have same
				                characteristics and they use same map to correct
				                raw data read from ADC to something which is
				                similar to what one would expect from NTC resistors
                  0x04 - TPS
                  0x05 - oxygen sensor (still not sure which one)
                  0x06 - ? with ignition switched I get constant 5V reading (255 or 1023 from ADC in 8 or 10 bit resolution)
                  0x07 - ? 
                  0x08 - oxygen sensor (still not sure which one)
                  0x09 - ?
                  0x0A - oxygen sensor (still not sure which one)
                  0x0B - EGR valve position sensor
Car has only 2 oxygen sensors so why are they are connected to 3 ADC channels? I hope I will find an answer when I will understand more code from this ECU.
tjwasiak
Posts: 16
Joined: Sat Jun 06, 2015 6:17 am
cars: '94 Opel Omega MV6
'98 Opel Omega Sport
...
Location: Warsaw, Poland

Re: Motronic 2.8.1 code disassembly and custom code

Post by tjwasiak »

I spend few hours trying to find all XRAM locations in use. Up to now it is 70% done (70% of code checked). It surprised me very much how not efficient and unreadable Bosch code is. There are even functions reading from XRAM how many bytes of data should be copied between 2 other XRAM locations :(
It seems microcontroller running at 16MHz and equipped with so huge EEPROM and RAM made Bosch not worry about code optimization...
ASM
Posts: 17
Joined: Thu Dec 18, 2014 3:52 am
cars: Opel

Re: Motronic 2.8.1 code disassembly and custom code

Post by ASM »

Hallo,

i can not help you. Do you know this website? http://carlton24v.co.uk/aldl.htm
This guy has listen to Opel Tech 1 communication on his C30SE with M1.5.
Maybe this can help you. I have no skills to this.
tjwasiak
Posts: 16
Joined: Sat Jun 06, 2015 6:17 am
cars: '94 Opel Omega MV6
'98 Opel Omega Sport
...
Location: Warsaw, Poland

Re: Motronic 2.8.1 code disassembly and custom code

Post by tjwasiak »

Have not seen it before, thank you ASM!
Unfortunately it will not be helpful for me as it seems it should describe older communication protocol (maybe KWP71?) while mine uses newer (KWP1281). 9600 bps is just too low for good resolution data logging and that is why I would like to try custom routine (another speed up would be because I am not going to waste time asking for specific data, ECU will just send in loop predefined set of parameters). Despite many different controllers sharing same OBD pin I found I can use 62500 bps over USB/FTDI (or 38400 bps over real serial port using MAX232 - it is limited by microcontroller frequency, 57600 bps could not be achieved when running 8051 @16MHz)...
For now I am still digging in (and trying to understand) the code so no more tries to even communicate with ECU (I had to find proper place for jump to my routine as I do not like to use serial interface interrupts which I did up to now to get data from ECU - I got complete RAM and XRAM dumps that way but did not want to try it with engine running).
ASM
Posts: 17
Joined: Thu Dec 18, 2014 3:52 am
cars: Opel

Re: Motronic 2.8.1 code disassembly and custom code

Post by ASM »

i use OPCOM USB Interface to connect my m1.5.4. The OPCOM software says: protokol KW82. When i say in OPCOM: Omega 2,5L or 3,0L it connect with success on my M1.5.4.

2,5L+3,0L have M2.8.1, OPCOM display KW82. You say KWP1281. What is the right?
tjwasiak
Posts: 16
Joined: Sat Jun 06, 2015 6:17 am
cars: '94 Opel Omega MV6
'98 Opel Omega Sport
...
Location: Warsaw, Poland

Re: Motronic 2.8.1 code disassembly and custom code

Post by tjwasiak »

ASM wrote:i use OPCOM USB Interface to connect my m1.5.4. The OPCOM software says: protokol KW82. When i say in OPCOM: Omega 2,5L or 3,0L it connect with success on my M1.5.4.

2,5L+3,0L have M2.8.1, OPCOM display KW82. You say KWP1281. What is the right?
Good question :D I might be wrong and it may be KW82 in fact... Unfortunately logging with OPCOM is big nono - resolution is too low even for 5th gear pulls and what is worst it is just loosing communication around peak torque engine speed (in logs there is no data between ~3500 and 5500 RPM).
V6er
Posts: 1
Joined: Mon Jun 27, 2016 12:09 am

Re: Motronic 2.8.1 code disassembly and custom code

Post by V6er »

Hello!
I am very glad that googling on ecu tuning on those lovely v6 engines showed this topic.
Are there any news here?
Diegogsi
Posts: 4
Joined: Mon Sep 04, 2017 9:42 pm
cars: Vectra GSI and Civic VTI

Re: Motronic 2.8.1 code disassembly and custom code

Post by Diegogsi »

Good morning

I have a Vectra GSI 2.0 16v c20xe engine, Bosch Motronic 2.8, anyone have a xdf file this ECU?

Thanks
Post Reply