Ferrari Life Forum banner
21 - 40 of 54 Posts

·
Premium Member
Joined
·
11,887 Posts
Fromage- Show us some of the work you have done with Ferrari remotes and ECUs/TCUs. I have seen Trev's and Eric's work, but not yours.
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #23 ·
Does this make it possible to re-flash an ECU to the latest F1 tranny software?
We are talking about different ecu's here. This thread is about ignition computers, not transmission computers!

The TCU (Transmission Control Unit) has already been done by Eric. Unfortunately there exists quite a few hardware revisions so not all software is compatible (the software has been written/compiled for a specific revision of board).

The one we have a virgin CS TCU dump for is the later revision which is sadly only compatible with later CS TCU's h/w (and by happy coincidence of chance the F430 TCU boards too, as Eric discovered).

What all this means is you can indeed convert a CS TCU to work in a F430 F1 (however that way around it is not all that useful (!), especially considering how rare CS TCU's are) or more usefully, you can convert a F430 F1 TCU into a CS F1 TCU, which confusingly can then be used in any flappy paddles 360 to benefit from faster shifts, improved clutch wear, etc.

Sadly it is not plug in and play upgrade at this state. Without reverse engineering the firmware to understand the protocol (which is possible but I don't think anyone has bothered to do fully yet - its written in Motorola MC680x0 assembly language - which I just happened to write for a decade a very long time ago so actually I know it very well,.... so one day! ha!), you need to physically open the TCU unit, de-solder a small flash chip, reprogram a new one on an eeprom tool and then re-solder the said chip again. Once all this is done you've got yourself a F430 TCU that thinks its a CS TCU! Eric is an expert on this! :thumbsup: Its time consuming though so until someone comes up with a plug-in OBD-II software only upgrade its not going to happen for most people.

Also early TCU's didn't have self upgrade either so they won't work either. Unless you somehow managed to reverse engineer all the code and understand it enough to be able to graft the fast shifting routines out of the newer firmware and patch them into the old firmware and then recalculate all the checksums. (a big effort to do) they will never support CS TCU upgrades. Ofcourse Ferrari (or more correctly, Magneti Marelli could release a software upgrade) but this will most likely never happen - in order to help preserve the differentiation of the CS over the 'lesser' models. The only one addition to this is that I recall there may actually be a few early CS's with an older h/w revision of TCU, dumping these could yield the possibility to reflash many of the original 360 (later rev) TCU's but again all this is time consuming and nobody is really that bothered about it. Hell, I don't even have flappy paddles!!!
 

·
Registered
Joined
·
75 Posts
Also early TCU's didn't have self upgrade either so they won't work either. Unless you somehow managed to reverse engineer all the code and understand it enough to be able to graft the fast shifting routines out of the newer firmware and patch them into the old firmware and then recalculate all the checksums. (a big effort to do) they will never support CS TCU upgrades. Ofcourse Ferrari (or more correctly, Magneti Marelli could release a software upgrade) but this will most likely never happen - in order to help preserve the differentiation of the CS over the 'lesser' models. The only one addition to this is that I recall there may actually be a few early CS's with an older h/w revision of TCU, dumping these could yield the possibility to reflash many of the original 360 (later rev) TCU's but again all this is time consuming and nobody is really that bothered about it. Hell, I don't even have flappy paddles!!!
Never say never Trev ;-)
I made some progress recently, I can now reflash CS software and parameters in the CFC201F.05 and CFC201F.50 hardware configurations. So, early (but not the very early) 360 and Maserati TCUs can be converted to CS spec.
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #25 ·
Never say never Trev ;-)
I made some progress recently, I can now reflash CS software and parameters in the CFC201F.05 and CFC201F.50 hardware configurations. So, early (but not the very early) 360 and Maserati TCUs can be converted to CS spec.
Well done! I really must set some time aside to fully reverse that code ;)
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #26 ·
Back on topic you can find a setting EEPROM read/write tool here;
ME7_95040 - EEPROM programmer
which is handy!

... It dumps the 512byte 94050 EEPROM from Bosch ME7 ecu's and allows re-writing them. Very clever. This is very different to the FIRMWARE, its the settings memory, its also checksummed too. Its where the immobilizer is paired and other settings too so Eric this is specifically aimed at you (!) since you've already dumped the little IC from the keyfob's.

This allows a couple of things, firstly you can get used ECU's to become 'virgin' ones again so they will be accepted by any 360. Currently only one bank ECU is un-coded to the car with the other one paired to the immobilizer. With this trick you can make both virgin!

The other advantage is there are some settings for immobilizer OFF, haven't yet playeed with any of this yet but it looks interesting.

In preparation I've written a 94050 check-summing tool (again open source BSD), see;
https://github.com/360trev/ME7_95040sum

So in practice you dump the data EEPROM, hex edit it to adjust settings (I'll write a nice gui for this once we've identified all the values we can tweak...) and then use the checksum corrector on it before uploading it back to the chip.
 

·
Registered
Joined
·
212 Posts
Fromage- Show us some of the work you have done with Ferrari remotes and ECUs/TCUs. I have seen Trev's and Eric's work, but not yours.[/QUOTE

I don't have a Ferrari or any collector car that knows what a computer chip is, however, have had input on design and produced computer boards by the 10s of thousands... my dealer updated the software on a daily driver recently... unfortunately didn't spend a night at the correct motel
 

·
Premium Member
Joined
·
11,887 Posts
So, does that mean you can add something to what they are doing?
 

·
Registered
Joined
·
2,543 Posts
Back from holidays, I discover some excellent posts here ;) Great job Trev! I had a look to your code and yes, I have seen some of these snippets in Andy's code. Thanks very much for sharing your work to the community! Checksum recalculation is indeed vital even if only one byte must be changed. In addition to Eric's expertise in the 360 TCU field, we'll have now Trev coming in the ECM field. I've been playing quite a lot with the 7.1.1 on different cars (430, Porsche, Golf V6) and its is quite a complex piece of software. Just understanding fully their ERCOS real time OS is already a challenge ;)

Although, reversing a 512k firmware is almost mission impossible even if you can spend 24h per day on it. Little Endian encoding doesn't make the job easier too. But whatever can be discovered can be enriching.

Trev, what reversing software are you using?
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #31 ·
Back from holidays, I discover some excellent posts here ;) Great job Trev! I had a look to your code and yes, I have seen some of these snippets in Andy's code. Thanks very much for sharing your work to the community! Checksum recalculation is indeed vital even if only one byte must be changed. In addition to Eric's expertise in the 360 TCU field, we'll have now Trev coming in the ECM field. I've been playing quite a lot with the 7.1.1 on different cars (430, Porsche, Golf V6) and its is quite a complex piece of software. Just understanding fully their ERCOS real time OS is already a challenge ;)

Although, reversing a 512k firmware is almost mission impossible even if you can spend 24h per day on it. Little Endian encoding doesn't make the job easier too. But whatever can be discovered can be enriching.

Trev, what reversing software are you using?
In a former life I had a lot experience writing dissemblers so I've began writing my own in C which I will github. This has multiple benefits since I can configure it to auto identify 'code blocks' it pattern recognizes. I downloaded the C16x instruction set guide from here..
http://www.keil.com/dd/docs/datashts/infineon/c166ism.pdf and begun from that. I don't like the generic tools like IDA, never feel like your really understanding fully whats going on then!

PS. On a different subject a great board I'm currently playing with is this;
FPGA ARM core board STM32 Cyclone IV 4 Development board stm32f103VC EP4CE6E144 | eBay
 

·
Registered
Joined
·
2 Posts
Hello Trev,

great DIY, because both Galletto, MPPS and even new Galletto 2 does not work out of the box on the 360. Pin 20 to ground did the trick with boot mode?

I have the old 178765 on my 360 F1, does any later soft work on this car because of the Euro2 -> Euro3 changes? Or the other way around, is it better to remap the original 178765 or take the stock CS soft instead?

I have a 18254 Challenge version handy here, do you think this will work or does any better version exist? Offset 1015E-101AA: 0691175H 069117/15H52CE F131 CHALLENGE c 0261204841 000000000 182542 000.

Best wishes,

Mark
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #33 ·
Hello Trev,

great DIY, because both Galletto, MPPS and even new Galletto 2 does not work out of the box on the 360. Pin 20 to ground did the trick with boot mode?

I have the old 178765 on my 360 F1, does any later soft work on this car because of the Euro2 -> Euro3 changes? Or the other way around, is it better to remap the original 178765 or take the stock CS soft instead?

I have a 18254 Challenge version handy here, do you think this will work or does any better version exist? Offset 1015E-101AA: 0691175H 069117/15H52CE F131 CHALLENGE c 0261204841 000000000 182542 000.

Best wishes,

Mark
Sorry Mark, been away for a while... Would be interested to see the Challenge dump to compare the maps.

Correct. Its sometimes easier to re-use just the maps than entire firmware due to additional CEL triggers from missing components that where later fitted to newer cars.
 

·
Registered
Joined
·
1 Posts
Help please Trev

Hi Trev,

I see that you are an expert in this field. I have a ferrari 360 spider, which currently has one ignition ECU down. The lead time from Ferrari is October, and I am sending this message on 10th June. You will therefore understand my worry (and urgency) on this matter as I am facing a whole summer without my 360.

I therefore would like to request your assistance, for a fee to sold my problem. The garage my car is at has sourced 2 x second hand ECU's and these are the pair we would like to re-flash. Please can you respond to this thread and I will be in contact.
 

·
Registered
Joined
·
75 Posts
Back on topic you can find a setting EEPROM read/write tool here;
ME7_95040 - EEPROM programmer
which is handy!

... It dumps the 512byte 94050 EEPROM from Bosch ME7 ecu's and allows re-writing them. Very clever. This is very different to the FIRMWARE, its the settings memory, its also checksummed too. Its where the immobilizer is paired and other settings too so Eric this is specifically aimed at you (!) since you've already dumped the little IC from the keyfob's.

This allows a couple of things, firstly you can get used ECU's to become 'virgin' ones again so they will be accepted by any 360. Currently only one bank ECU is un-coded to the car with the other one paired to the immobilizer. With this trick you can make both virgin!

The other advantage is there are some settings for immobilizer OFF, haven't yet playeed with any of this yet but it looks interesting.

In preparation I've written a 94050 check-summing tool (again open source BSD), see;
https://github.com/360trev/ME7_95040sum

So in practice you dump the data EEPROM, hex edit it to adjust settings (I'll write a nice gui for this once we've identified all the values we can tweak...) and then use the checksum corrector on it before uploading it back to the chip.
Hi Trev,

not sure if you are still around, it's a long time now.
Have you tried to run ME7_95040 on a 360 ECU? I have a pair of 360 Challenge ECUs I was able to play with. No problem to dump the firmware but I can't read the 95040 (if any!).
The error message I got is on the picture below . Any idea or experience?

Thanks
Eric
 

Attachments

·
Premium Member
Joined
·
11,887 Posts
Eric- Sounds like you are making progress.
 

·
Registered
Joined
·
10 Posts
EEPROM Size 512 or 1024

Hi guys,

I got V1.40 to pull the data as 95040 chip but based on what the Alfa (also 7.3.1 H4)guys were saying I also tried setting the mem to 95080 (1024bit) and it appears that there is some more data in there. I have not been able to posted the files here as they are "invalid" file types.

Trev referenced an immo killer, I was looking for more info about that. Ferrari in their perfect wisdom used immobilizers on the challenge car even though there are no keys?!?! Now 13 years later the immo's are causing some of us issues. Does anyone know which bits turn them off? and which bits are the checksums?

Thanks
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #39 · (Edited)
Finally, ME7_EEPROM ver 1.4 did the job!
Hi Guys,
Sorry, i've been out of the country working my a$$ off on other stuff. Good news about the eeprom dumper now fully supporting the 95040 and 95080 EEPROM IC's variants! My solution was much more complicated than this :)

I'm not sure if your aware but I originally wrote this simple check summer in C code which I open sourced 2 years ago now!

https://github.com/360trev/ME7_95040sum/blob/master/EEPROMsum.c

It only does ST IC 95040 re-summing on a 512 bytes [4096 bit] dump's. If there are ecu's with more data in then this will require some small updates to do the dumps from its bigger brother the, 95080 as its twice as big. This is because its a 1024 bytes (ie double the size found in other ME7.x ecu's).

Here's the data sheet.
http://www.st.com/web/en/resource/technical/document/datasheet/DM00043274.pdf

Q. Can someone send me the 1024 byte hex dump and I'll update the program and make a ME7_95080sum version...

Sounds like we already HAVE ENOUGH to FIX ECU's now!

How?

Well the easiest possible thing is to is to dump BOTH left and RIGHT ecu's as one is paired and one isn't.

Once you have both dumps binary compare the differences with the EEPROM dump from each other. Since one of them is 'unpaired' if you re-program the one with the unpairing information over to the other one, Bingo(!) even without my updated re-calc proggy you will have 'unlocked' your ECU and you can re-use it on other cars with appropriate SD2 Self learning. ofcourse, once we work out how to 'marry' over the specific details and re-calc the sum's we won't even need an SD2 to pair it to a car...

Basically, if you backup both EEPROM's when I update my checksum calc proggy we can work out the bits which disable IMMO and PAIR it to your car and then provide a special version of this tool, specific for Ferrari's, for both re-pairing and immo delete functions.

Makes sense?

-T
 

·
Registered
Joined
·
356 Posts
Discussion Starter · #40 ·
This is a dump of what my 512 byte 040 version looked like;;

--
--

EEPROM 95040 Checksum calculator 1.01

þ Opening '95040.bin' file
þ Getting length of '95040.bin' file
þ Allocating buffer of 512 bytes
þ Reading file to buffer
þ Validating size correct 512=512
þ Closing file

: 0-------------------1-------|----|
: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 |4 5 |
Block 00: 20202020205aff40863037303230[325a] [email protected] 2Z Desc ff18, Checksum Skip
Block 01: 05010100cb280000000069c100a5[36fd] .....(....i... 6. Desc 0017, New Chksum [36fd]
Block 02: 05010100cb280000000069c100a5[35fd] .....(....i... 5. Desc 0117, New Chksum [35fd]
Block 03: 0401f3063611d83e6fea3a000100[0efc] ....6..>o.:... .. Desc 0207, New Chksum [efc]
Block 04: 0401f3063611d83e6fea3a000100[0dfc] ....6..>o.:... .. Desc 0307, New Chksum [dfc]
Block 05: 07027502010206001f04ad090700[92fe] ..u........... .. Desc 0437, New Chksum [92fe]
Block 06: 00007d0df20d0000810301000000[ecfd] ..}........... .. Desc 0533, New Chksum [ecfd]
Block 07: 0504007af800000500000a2d0000[42fe] ...z.......-.. B. Desc 06b7, New Chksum [42fe]
Block 08: 0504007af800000500000a2d0000[42fe] ...z.......-.. B. Desc 06f7, New Chksum [42fe]
Block 09: 0080808080000080008080ff0000[78fb] .............. x. Desc 07b3, New Chksum [78fb]
Block 10: 0080808080000080008080ff0000[78fb] .............. x. Desc 07f3, New Chksum [78fb]
Block 11: 0507000010544d42424c01000000[67fe] .....TMBBL.... g. Desc 08b7, New Chksum [67fe]
Block 12: 0507000010544d42424c01000000[67fe] .....TMBBL.... g. Desc 08f7, New Chksum [67fe]
Block 13: 3231553633383636373335325301[09fd] 21U638667352S. .. Desc 09b3, New Chksum [9fd]
Block 14: 3231553633383636373335325301[09fd] 21U638667352S. .. Desc 09f3, New Chksum [9fd]
Block 15: 4b5a375a30423134313435383101[e0fc] KZ7Z0B1414581. .. Desc 0ab3, New Chksum [e0fc]
Block 16: 4b5a375a30423134313435383101[e0fc] KZ7Z0B1414581. .. Desc 0af3, New Chksum [e0fc]
Block 17: 0000b3dcaa880000000000000000[1111] .............. .. Desc 0b32, Checksum Skip
Block 18: ffffffffffffffffffffffffffff[ffff] .............. .. Desc 0b10, Checksum Skip
Block 19: ffffffffffffffffffffffffffff[ffff] .............. .. Desc 0b10, Checksum Skip
Block 20: 0101202020202020202020202000[8afe] .. . .. Desc 0b10, Checksum Skip
Block 21: 0107000000000000000000000000[e3ff] .............. .. Desc 0c37, New Chksum [e3ff]
Block 22: 0000000000000000000000000000[eaff] .............. .. Desc 0d33, New Chksum [eaff]
Block 23: 0000000000000000000000000000[e9ff] .............. .. Desc 0e33, New Chksum [e9ff]
Block 24: 6d6d000000000000000000000000[0eff] mm............ .. Desc 0f33, New Chksum [eff]
Block 25: 0000000000000000000000000000[e7ff] .............. .. Desc 1033, New Chksum [e7ff]
Block 26: 0000000000000000000000000000[e6ff] .............. .. Desc 1133, New Chksum [e6ff]
Block 27: 0000000000000000000000000000[e5ff] .............. .. Desc 1233, New Chksum [e5ff]
Block 28: 0000000000000000000000000000[e4ff] .............. .. Desc 1235, New Chksum [e4ff]
Block 29: 0000000000000000000000000000[e3ff] .............. .. Desc 1235, New Chksum [e3ff]
Block 30: 0102000000000000000000000000[dfff] .............. .. Desc 13b7, New Chksum [dfff]
Block 31: 0102000000000000000000000000[dfff] .............. .. Desc 13f7, New Chksum [dfff]

No checksums where corrected, file is OK already, skipping save.

 
21 - 40 of 54 Posts
Top