[Diy_efi] Re: Motronic checksum
alexis.pavlov at st.com
Tue Jun 15 15:36:04 GMT 2004
Hi Nick, and Henrik :-)
Currently there is a very interesting subject on the Yahoo alfa75
Nick, I can send you the disassm I use. It requests entry points
and then follows the program path, thus eliminating the data.
It's a C source , I use it under Unix.
Except if there are branch tables. In old Motronics there is no
branch tables, but I was told the newer use them to elude hackers
like you :-)
Send me a mail if you want the source.
glogovacs at yahoo.co.uk wrote:
> Hello Henrik,
> Yes, I was wrong, I wanted to say last 12 bits.
> Which motronic are you reversing? I was looking into versions 1.3 and 2.5.
> Can you send me the bin?
> A saw a message on this forum, where a guy compared stock and aftermarket
> performance motronic bins. There were only two locations different in data
> area (rev limiter and something he couldn't identify), and last two bytes.
> I've also seen a few chips that had only a couple of bytes different, and
> of course the last two bytes.. That's why I made a conclusion that checksum
> is stored in last two bytes.
> As far as disassembler is concerned, I was wondering if there is an
> 'intelligent' one, that can distinguish between code and data. I have a
> disassembler for 68HC11, that works flawlessly when it comes to recognition
> of code/data (that's easy because vector addresses are known from bin
> file). As for motronic, I couldn't really tell where the code 'starts'. I
> expected to find a LJMPs and beginning of the file that would point to
> code, but that was not the case. How come??
> I am sure my boxes have a 8051 derivative CPU, since WinOLS software
> recognized the bins and stated the processor is 8051.
> At which address the EPROM file starts, is it 0, or not?
> Can you point out the code that is making the checksum calculation, so I
> can try to identify it in my EPROMs?
> At 19:03 11-06-04 +0000, you wrote:
> >Send diy_efi mailing list submissions to
> > diy_efi at diy-efi.org
> >To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.diy-efi.org/mailman/listinfo/diy_efi
> >or, via email, send a message with subject or body 'help' to
> > diy_efi-request at diy-efi.org
> >You can reach the person managing the list at
> > diy_efi-owner at diy-efi.org
> >When replying, please edit your Subject line so it is more specific
> >than "Re: Contents of diy_efi digest..."
> >Today's Topics:
> > 1. 1989 tpi help (laurieandmike)
> > 2. Re: Motronic checksum (Henrik Johnsson)
> > 3. Re: Motronic checksum (glogovacs at yahoo.co.uk)
> >Message: 1
> >Date: Thu, 10 Jun 2004 18:48:54 -0300
> >From: "laurieandmike" <lauriecorbett at ns.sympatico.ca>
> >Subject: [Diy_efi] 1989 tpi help
> >To: "A list for Do-It-Yourself EFI" <diy_efi at diy-efi.org>
> >Message-ID: <00c301c44f34$b9f436e0$a306260a at wolf>
> >Content-Type: text/plain; charset="iso-8859-1"
> >hi there i put a tpi in my 56 chevy truck
> >its a 350 with a mild cam headers turbo 400 tranny
> >my ? is when i start the truck up there is no trouble codes it starts
> >right up but dont want to idle untill it is warm
> >and it seems it is running real rich like burn the eyes out of your head lol
> >but when i unplug maf it runs ok
> >what is the problem?
> >can anyone help?
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >Message: 2
> >Date: Fri, 11 Jun 2004 1:10:45 +0100
> >From: "Henrik Johnsson" <henrik_j at bigfoot.com>
> >Subject: Re: [Diy_efi] Motronic checksum
> >To: A list for Do-It-Yourself EFI <diy_efi at diy-efi.org>
> >Message-ID: <20040610231059.3952137E44 at smtp3-1-sn1.fre.skanova.net>
> >Content-Type: text/plain; charset="us-ascii"
> >Hello, glogovacs
> >======= At 2004-06-10, 00:07:00 you wrote: =======
> > >I am trying to figure out how a checksum on older Motronic eproms is
> > >formed. I am targeting last 2 bytes on 32kb eproms (actualy, it is last
> > >24bits, since the highest 4 bit nibble is always 0000). I was lucky enough
> > >to have access to eproms for the same car that only had a few different
> > >locations, and of course the checksum.
> > >
> >That would actually be 12 bits, wouldn't it?
> > >I tried 8 bit sum, 16 bit sum... xor etc, but no success :(. I can also
> > >post examples... Any help is welcome.
> > >
> >The checksum isn't necessarily stored in the last 2 bytes. I'm
> >disassembling an older Motronic EPROM which has the checksum in 0x7F00 and
> >0x7F01. The checksum is calculated as the sum of all bytes in the address
> >range 0x000 through 0x7EFF. Some Motronics allegedly has more than one
> >checksum though.
> > >Also, can you suggest some good 8051 disassembler? I have d51, but it
> > >produces much garbage - considering I am dummy for i8051. I was trying to
> > >locate instruction that would access last two bytes of eprom, and I failed.
> > >Where in address space is eprom located?
> > >
> > >I am talking about boxes 0 261 200 087 (BMW), 0 261 200 185, 0 261 200 190
> > >(Opel) and similar.
> > >
> >It doesn't matter what disassembler you use, you will have to help it by
> >identifying which portions of the EPROM is used for code and which is used
> >for data. Also, make sure those ECUs really use an 8051-derivative.
> >I believe I read in an old message on this list that the code in the EPROM
> >may be "folded", you might have to rearrange the EPROM data before
> >disassembly to get a useful result. I'm sorry I cant find that particular
> >message right now.
> >Message: 3
> >Date: Fri, 11 Jun 2004 01:56:57 +0200
> >From: glogovacs at yahoo.co.uk
> >Subject: [Diy_efi] Re: Motronic checksum
> >To: diy_efi at diy-efi.org
> >Message-ID: <188.8.131.52.2.20040611014443.01baff00 at pop.mail.yahoo.com>
> >Content-Type: text/plain; charset="us-ascii"; format=flowed
> >Yes, I have an EPROM programmer... but all the software can do is calculate
> >the additive checksum of the bin file. Now, a question - is it enough to
> >have additive checksum corrected to stock, to have bin file 'approved' and
> >running? I;ve read somewhere that Motronic makes XOR checksum as well.. is
> >that true?
> >ECUs I am talking about have 27256 EPROMs... since they are considerably
> >larger than 2732 chips used in older Motronic boxes, can I consider I am
> >having post '88 units?
> >With regards,
> > >Date: Wed, 9 Jun 2004 16:41:39 -0700
> > >From: "FR Wilk" <kd694j0538f at hotmail.com>
> > >Subject: Re: [Diy_efi] Motronic checksum
> > >To: "A list for Do-It-Yourself EFI" <diy_efi at diy-efi.org>
> > >Message-ID: <BAY15-DAV2kRQq5xVz500039359 at hotmail.com>
> > >Content-Type: text/plain; charset="iso-8859-1"
> > >
> > >Do you have a EPROM programmer? The software that comes with it will do the
> > >checksum correctly.
> > >
> > >You have another problem. Half the code is stored in the 8051. You have to
> > >download that before you can try a disassembler.
> > >
> > >In about 88, BOSCH started putting the whole code into the EPROMs and wiring
> > >the 8051 to ignore its internal memory. This will save you from trying to
> > >download an 8051's ROM.
> > >
> > >FR Wilk
> >diy_efi mailing list
> >diy_efi at diy-efi.org
> >End of diy_efi Digest, Vol 9, Issue 10
> diy_efi mailing list
> diy_efi at diy-efi.org
diy_efi mailing list
diy_efi at diy-efi.org
More information about the Diy_efi