Announcement

Collapse
No announcement yet.

SMG2 potential checksum delete and flash content questions

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    SMG2 potential checksum delete and flash content questions

    Hi!

    I recently jumped into GDSMG2 and desoldered the AM29F400BB flash chip to hook up my emulator and read the content off the flash.

    Here is a picture of the flash how I was expecting it for the C167 CPU to interpret the code conectly:
    Click image for larger version

Name:	smg_valid_flash.png
Views:	1190
Size:	51.5 KB
ID:	144845

    But here is what I got:
    Click image for larger version

Name:	smg_invalid_flash.png
Views:	627
Size:	18.0 KB
ID:	144846


    The flash chip was read with a clone TL866 that works great on every other ECU that I used it with, but here, the adress or data lines seem to be shuffled.

    The good thing is, it works with the CobraRTP flash emulator, the bad thing is, I dont understand how the data lines are twisted on the PCB.


    If someone could help me out with this, I'd be very thankful! In return I will show you my first approach of a checksum delete.


    Thankfully I got a corrected read from Martyn(?) the other day that I could use to start my disassembly on.

    After comparing the code to some better known BMW ECUs, I figured out, that many routines are hardcopies from MS43. This makes sense, because its both Siemens and the same development time.

    So it was kind of easy to figure out how the DS2 communication works, how the checksums are calculated and where they are stored. They even kept the bypass for the calibration data area that was used by BMW during pre-production time.
    Click image for larger version

Name:	smg_checksum_bypass.png
Views:	618
Size:	32.0 KB
ID:	144847


    So to disable the checksum check for calibration data in both boot and program code execution you need to change the following two constants:

    Set lc_swi_cal_cks_1 at 0x3209E to FFFFh
    Set lc_swi_cal_cks_2 at 0xC0E8 to A8h

    This way has been proven to work on MS43 and was confirmed by looking at some earlier development firmwares that BMW used for testing purposes. Meanwhile we also found a way to correct all the checksums, but reading and writing to it is still outstanding.

    lc_swi_cal_cks_1 is located in the calibration data, but lc_swi_cal_cks_2 is located in program code, so its a bit more difficult to change.

    Maybe there are some people interested in going forward with this, my biggest pain point is to get the binary right, so please take a look at the content in the upper half of this post.

    Regards,
    Rob

    #2
    After checking the DS2 memory read routine a bit more, I was able to read out the flash and that looks more like instruction code for a C167 CPU.

    Click image for larger version

Name:	smg_manual_read.png
Views:	602
Size:	551.5 KB
ID:	144941

    I also discovered, that the user information field (UIF) area has place for 14 entries. So if you write the UIF after flashing with WinKFP, you either need a new one, or reset the UIF data.

    At the moment I have no idea if that is possible without putting the CPU into boot mode.

    Click image for larger version

Name:	smg_uif.jpeg
Views:	568
Size:	284.7 KB
ID:	144942

    I'll keep you updated. Still, if anyone knows about the adress or data line shifts, let me know.

    Comment


      #3
      Very nice to see you here Robin!

      The only one I know, that could have some knowledge about the SMG2 CPU is
      olza

      As I know what you have achieved on the Ms4x platform, I really like to know what you want to do with the SMG2?
      …under construction.

      Comment


        #4
        Hi! Yeah I'm doing a friend a favour and started looking into SMG2 as he donated me a control unit. Then I met NZ_M3 and now I'm here

        Good news! I measured through the data lines that connect the AM29F400BB flash chip to the C167 CPU and found out that they shuffled the connection quite strong, propably to ensure better traces on the PCB, but who knows...

        On the left you find the normal setup for this combination, all the AD# lines from the CPU match up the DQ# on the flash chip. But on the right there is the shuffled layout from SMG2 TCU.

        Click image for larger version

Name:	gdsmg2_flash_data_lines.png
Views:	610
Size:	6.6 KB
ID:	145034

        So with this information and some python code that a friend quickly hacked together, we are atleast able to convert raw flash content to valid code and data. Back and forth. You will find the converter attached to this post.

        You need to install Python 3 and "numPy" module. Then you can simply drag&drop the binary onto it and it will convert it. It has a basic detection of whether its a CPU read, or a flash read based on the first byte being 0xFA (CPU read) or not (flash read).


        Next stop, making an easy way of correcting checksums and flashing, and maybe we can get JMGarage folks to add bootmode code to their flasher, so we can reset the "flash counter".

        The SMG2 does not have the same flash counter like MSS54 has, but only writes UIF data. Once 14 slots are full, you can no longer read it, resetting this either need bootmode, or desoldering the flash chip. So if you flash the SMG2 over WinKFP, make sure to disable UIF writes.

        Comment


          #5
          Very usefull information! Thanks for sharing this.

          Olza is the one who modified *.0da files and corrected them to flash them with WinKFP. Besides checksum calculations you need to alter some other files which are used by WinKFP. It is best to ask him. He has done a very good job at DKG transmission(s).

          In the past I compared the latest SMG2 0da files to the CSL variant but didn't continue much further. Would help for racing cars to delete the hood switches and error codes not relevant.
          What would be your main goal with this? Especially the live emulation?



          Comment


            #6
            Thanks for the kind words! I am in contact with olza, but since he moved on to DKG, I don't want to bother him too much.

            My main goal is to include the complete checksum and flashing (read/write) and maybe reset adaptation into our flasher ( https://www.ms4x.net/index.php?title..._Group_Flasher ). This should make the read, tune, write, drive circle a lot easier. Also, currently there is no solution available for free for reading and flashing these control units.

            There will be a point when these TCUs go up in price and its better to collectas much firmware and calibration data as possible before there is a short in hardware.

            I started preparing binaries for M3, M3 JAP, M3 US and M3 CSL, that can simply be flashed over any existing software present on the TCU, without the need of WinKFP even installed, just a K-Line USB interface.

            Once we sorted out the flashing and checksum part in our tool, I'll publish them on www.ms4x.net for download.


            Edit: The live tuning emulator makes development much easier, like defining the code segments for diagnostic, or DTC lookup etc. It not needed afterwards, even though it would be possible and propably a good thing for making these transmissions shift a bit more "2021" :P
            Last edited by sda2; 12-22-2021, 04:59 AM.

            Comment


              #7
              Good work!

              I wrote a flasher / modification tool back in 2000 but never released it as I got myself involved in the DCT swap.

              Click image for larger version

Name:	smg_flasher.png
Views:	555
Size:	36.0 KB
ID:	145244

              Comment


                #8
                Great content! If you Need a Python of Windows Developer please let me know :-)

                Comment


                  #9
                  Nice tool Martyn, I can see some functions that I also found in the code, that will be available once the flasher is finished

                  I knew that there had to be some kind of flasher because there is also a German guy that sells SMG tunes and rear axle adjustments.

                  Thank you Chris!

                  Comment


                    #10
                    Hey I’m here and glad to help. What we need to discover? Lets share data! Amen

                    ps. My smg2 project stopped, I’m able to recalculate checksums, but it throws some security error after some time, and I can not find out that it is because not having test car or tcu.

                    Comment


                      #11
                      In the meantime we managed to get SMG2 flashing integrated in our flasher including the correct checksum calculation and fast baudrate flashing. Reading or writing the calibration section now takes ~9seconds.

                      Im currently waiting for a new module being delivered because I converted mine to flash emulator. Happy to see you here olza without your work I would not have been able to dig this deep into it.

                      Comment


                        #12
                        If you guys figure this out, lighter flywheels will really become an option for SMG cars. There could be opportunities to just improve overall drivability for non CSL cars. The stock SMG tune is so bad. CSL SMG tune with non CSL tunes are also sketchy. It'll never be a DCT but this is greatness in the making.
                        This is my Unbuild Journal and why we need an oil thread
                        https://nam3forum.com/forums/forum/m...nbuild-journal

                        "Do it right once or do it twice"

                        Comment


                          #13
                          Does someone have the pinout description of the smg2 control unit ?
                          https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                          Comment


                            #14
                            Hello,

                            Small update, the new flash tool is now released for free: https://www.ms4x.net/index.php?title..._Group_Flasher

                            It is currently labled beta, because we didnt completely test all TCUs, but SMG2 and GS20 should be working. In any case, just make a full read (backup) before messing with it

                            If we find some people willing to test code changes, we can start a patchlist for functions that where not indended by BMW, like hood and door switch delete.

                            Also I made a logging list for Tuner Pro to log all parameters of the SMG2 and a code patch to increase DS2 logging rate to ~20hz.

                            Comment


                              #15
                              Originally posted by sda2 View Post
                              Hello,

                              Small update, the new flash tool is now released for free: https://www.ms4x.net/index.php?title..._Group_Flasher

                              It is currently labled beta, because we didnt completely test all TCUs, but SMG2 and GS20 should be working. In any case, just make a full read (backup) before messing with it

                              If we find some people willing to test code changes, we can start a patchlist for functions that where not indended by BMW, like hood and door switch delete.

                              Also I made a logging list for Tuner Pro to log all parameters of the SMG2 and a code patch to increase DS2 logging rate to ~20hz.
                              Sign me up for testing code changes.

                              XDF for tunerpro is also very interesting.

                              What is DS2 logging? Is there a way to bridge it to CAN. I use Racecapture to log data and it works exclusively on CAN.

                              Comment

                              Working...
                              X