[Diy_efi] Re: Motronic checksum (Alexis PAVLOV)

glogovacs at yahoo.co.uk glogovacs at yahoo.co.uk
Wed Jun 16 12:50:44 GMT 2004 

Alexis,

Thank you very much for pointing to Alfa75 discussion - I find it very 
informative on Motronic.

I would like to try the disassembler you mentioned.

As for entry points, that is a problem for me... I cannot find them - I 
expected a series of LJMPs at start of code, pointing to something 
reasonable... but no good. I can send you some bins if you want. The ones I 
am focusing now are from Opel Astra/Calibra with MAF instead of AFM.

Your tips are welcome,
Nick.


>Hi Nick, and Henrik :-)
>
>Currently there is a very interesting subject on the Yahoo alfa75
>group.
>Nick, I can send you the disassm I use. It requests entry points
>and then follows the program path, thus eliminating the data.
>It's a C source , I use it under Unix.
>Except if there are branch tables. In old Motronics there is no
>branch tables, but I was told the newer use them to elude hackers
>like you :-)
>
>Send me a mail if you want the source.
>
>Alexei
>
>
>glogovacs at yahoo.co.uk wrote:
> >
> > Hello Henrik,
> >
> > Yes, I was wrong, I wanted to say last 12 bits.
> >
> > Which motronic are you reversing? I was looking into versions 1.3 and 2.5.
> > Can you send me the bin?
> >
> > A saw a message on this forum, where a guy compared stock and aftermarket
> > performance motronic bins. There were only two locations different in data
> > area (rev limiter and something he couldn't identify), and last two bytes.
> > I've also seen a few chips that had only a couple of bytes different, and
> > of course the last two bytes.. That's why I made a conclusion that checksum
> > is stored in last two bytes.
> >
> > As far as disassembler is concerned, I was wondering if there is an
> > 'intelligent' one, that can distinguish between code and data. I have a
> > disassembler for 68HC11, that works flawlessly when it comes to recognition
> > of code/data (that's easy because vector addresses are known from bin
> > file). As for motronic, I couldn't really tell where the code 'starts'. I
> > expected to find a LJMPs and beginning of the file that would point to
> > code, but that was not the case. How come??
> >
> > I am sure my boxes have a 8051 derivative CPU, since WinOLS software
> > recognized the bins and stated the processor is 8051.
> >
> > At which address the EPROM file starts, is it 0, or not?
> >
> > Can you point out the code that is making the checksum calculation, so I
> > can try to identify it in my EPROMs?
> >
> > Nick.
> >
> > At 19:03 11-06-04 +0000, you wrote:
> > >Send diy_efi mailing list submissions to
> > >         diy_efi at diy-efi.org
> > >
> > >To subscribe or unsubscribe via the World Wide Web, visit
> > >         http://lists.diy-efi.org/mailman/listinfo/diy_efi
> > >or, via email, send a message with subject or body 'help' to
> > >         diy_efi-request at diy-efi.org
> > >
> > >You can reach the person managing the list at
> > >         diy_efi-owner at diy-efi.org
> > >
> > >When replying, please edit your Subject line so it is more specific
> > >than "Re: Contents of diy_efi digest..."
> > >
> > >
> > >Today's Topics:
> > >
> > >    1. 1989 tpi help (laurieandmike)
> > >    2. Re: Motronic checksum (Henrik Johnsson)
> > >    3. Re: Motronic checksum (glogovacs at yahoo.co.uk)
> > >
> > >
> > >----------------------------------------------------------------------
> > >
> > >Message: 1
> > >Date: Thu, 10 Jun 2004 18:48:54 -0300
> > >From: "laurieandmike" <lauriecorbett at ns.sympatico.ca>
> > >Subject: [Diy_efi] 1989 tpi help
> > >To: "A list for Do-It-Yourself EFI" <diy_efi at diy-efi.org>
> > >Message-ID: <00c301c44f34$b9f436e0$a306260a at wolf>
> > >Content-Type: text/plain; charset="iso-8859-1"
> > >
> > >hi there i put a tpi in my 56 chevy truck
> > >its a 350 with a mild cam headers turbo 400 tranny
> > >my ? is when i start the truck up there is no trouble codes it starts
> > >right up but dont want to idle untill it is warm
> > >and it seems it is running real rich like burn the eyes out of your 
> head lol
> > >but when i unplug maf it runs ok
> > >what is the problem?
> > >can anyone help?
> > >thanks
> > >mike
> > >-------------- next part --------------
> > >An HTML attachment was scrubbed...
> > >URL:
> > >http://lists.sytynationals.com/pipermail/diy_efi/attachments/20040610/d 
> 25cc163/attachment-0001.htm
> > >
> > >------------------------------
> > >
> > >Message: 2
> > >Date: Fri, 11 Jun 2004 1:10:45 +0100
> > >From: "Henrik Johnsson" <henrik_j at bigfoot.com>
> > >Subject: Re: [Diy_efi] Motronic checksum
> > >To: A list for Do-It-Yourself EFI <diy_efi at diy-efi.org>
> > >Message-ID: <20040610231059.3952137E44 at smtp3-1-sn1.fre.skanova.net>
> > >Content-Type: text/plain;      charset="us-ascii"
> > >
> > >Hello, glogovacs
> > >
> > >======= At 2004-06-10, 00:07:00 you wrote: =======
> > >
> > > >I am trying to figure out how a checksum on older Motronic eproms is
> > > >formed. I am targeting last 2 bytes on 32kb eproms (actualy, it is last
> > > >24bits, since the highest 4 bit nibble is always 0000). I was lucky 
> enough
> > > >to have access to eproms for the same car that only had a few different
> > > >locations, and of course the checksum.
> > > >
> > >
> > >That would actually be 12 bits, wouldn't it?
> > >
> > > >I tried 8 bit sum, 16 bit sum... xor etc, but no success :(. I can also
> > > >post examples... Any help is welcome.
> > > >
> > >
> > >The checksum isn't necessarily stored in the last 2 bytes. I'm
> > >disassembling an older Motronic EPROM which has the checksum in 0x7F00 and
> > >0x7F01. The checksum is calculated as the sum of all bytes in the address
> > >range 0x000 through 0x7EFF. Some Motronics allegedly has more than one
> > >checksum though.
> > >
> > > >Also, can you suggest some good 8051 disassembler? I have d51, but it
> > > >produces much garbage - considering I am dummy for i8051. I was 
> trying to
> > > >locate instruction that would access last two bytes of eprom, and I 
> failed.
> > > >Where in address space is eprom located?
> > > >
> > > >I am talking about boxes 0 261 200 087 (BMW), 0 261 200 185, 0 261 
> 200 190
> > > >(Opel) and similar.
> > > >
> > >
> > >It doesn't matter what disassembler you use, you will have to help it by
> > >identifying which portions of the EPROM is used for code and which is used
> > >for data. Also, make sure those ECUs really use an 8051-derivative.
> > >
> > >I believe I read in an old message on this list that the code in the EPROM
> > >may be "folded", you might have to rearrange the EPROM data before
> > >disassembly to get a useful result. I'm sorry I cant find that particular
> > >message right now.
> > >
> > >/Henrik
> > >
> > >
> > >
> > >------------------------------
> > >
> > >Message: 3
> > >Date: Fri, 11 Jun 2004 01:56:57 +0200
> > >From: glogovacs at yahoo.co.uk
> > >Subject: [Diy_efi] Re: Motronic checksum
> > >To: diy_efi at diy-efi.org
> > >Message-ID: <5.2.0.9.2.20040611014443.01baff00 at pop.mail.yahoo.com>
> > >Content-Type: text/plain; charset="us-ascii"; format=flowed
> > >
> > >Yes, I have an EPROM programmer... but all the software can do is 
> calculate
> > >the additive checksum of the bin file. Now, a question - is it enough to
> > >have additive checksum corrected to stock, to have bin file 'approved' and
> > >running? I;ve read somewhere that Motronic makes XOR checksum as well.. is
> > >that true?
> > >
> > >ECUs I am talking about have 27256 EPROMs... since they are considerably
> > >larger than 2732 chips used in older Motronic boxes, can I consider I am
> > >having post '88 units?
> > >
> > >With regards,
> > >Nick.
> > >
> > >
> > > >Date: Wed, 9 Jun 2004 16:41:39 -0700
> > > >From: "FR Wilk" <kd694j0538f at hotmail.com>
> > > >Subject: Re: [Diy_efi] Motronic checksum
> > > >To: "A list for Do-It-Yourself EFI" <diy_efi at diy-efi.org>
> > > >Message-ID: <BAY15-DAV2kRQq5xVz500039359 at hotmail.com>
> > > >Content-Type: text/plain;       charset="iso-8859-1"
> > > >
> > > >Do you have a EPROM programmer? The software that comes with it will 
> do the
> > > >checksum correctly.
> > > >
> > > >You have another problem. Half the code is stored in the 8051. You 
> have to
> > > >download that before you can try a disassembler.
> > > >
> > > >In about 88, BOSCH started putting the whole code into the EPROMs 
> and wiring
> > > >the 8051 to ignore its internal memory. This will save you from 
> trying to
> > > >download an 8051's ROM.
> > > >
> > > >FR Wilk
> > >
> > >
> > >------------------------------
> > >
> > >_______________________________________________
> > >diy_efi mailing list
> > >diy_efi at diy-efi.org
> > >http://lists.diy-efi.org/mailman/listinfo/diy_efi
> > >
> > >
> > >End of diy_efi Digest, Vol 9, Issue 10
> > >**************************************
> >
> > _______________________________________________
> > diy_efi mailing list
> > diy_efi at diy-efi.org
> > http://lists.diy-efi.org/mailman/listinfo/diy_efi
>
>------------------------------
>
>_______________________________________________
>diy_efi mailing list
>diy_efi at diy-efi.org
>http://lists.diy-efi.org/mailman/listinfo/diy_efi
>
>
>End of diy_efi Digest, Vol 9, Issue 12
>**************************************

_______________________________________________
diy_efi mailing list
diy_efi at diy-efi.org
http://lists.diy-efi.org/mailman/listinfo/diy_efi

More information about the Diy_efi mailing list