2.0L ECM: Difference between revisions

From OpenGK
VisualWikitext
 
(20 intermediate revisions by 2 users not shown)
Line 56: Line 56:
| style="text-align: center; background-color:#ff9797;" | 16 kByte
| style="text-align: center; background-color:#ff9797;" | 16 kByte
|-
|-
| style="text-align: center; background-color:#fffc9e;" | 8000
| style="text-align: center; background-color:#bfbdbf;" | 8000
| style="text-align: center; background-color:#fffc9e;" | FFFF
| style="text-align: center; background-color:#bfbdbf;" | FFFF
| style="text-align: center; background-color:#fffc9e;" | Program Code
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2
| style="text-align: center; background-color:#fffc9e;" | 32 kByte
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte
|-
|-
| style="text-align: center; background-color:#9aff99; color:#000000;" | 10000
| style="text-align: center; background-color:#9aff99; color:#000000;" | 10000
Line 67: Line 67:
|-
|-
| style="text-align: center; background-color:#fffc9e;" | 20000
| style="text-align: center; background-color:#fffc9e;" | 20000
| style="text-align: center; background-color:#fffc9e;" | 7FFFF
| style="text-align: center; background-color:#fffc9e;" | Program Code
| style="text-align: center; background-color:#fffc9e;" | 384 kByte
|}
==== SIMK43 - 8mbit ====
{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Start
! style="text-align: center; font-weight:bold;" | End
! style="text-align: center; font-weight:bold;" | Section
! style="text-align: center; font-weight:bold;" | Size
|-
| style="text-align: center; background-color:#fe996b;" | 0
| style="text-align: center; background-color:#fe996b;" | 3FFF
| style="text-align: center; background-color:#fe996b;" | Bootloader 1
| style="text-align: center; background-color:#fe996b;" | 16 kByte
|-
| style="text-align: center; background-color:#ff9797;" | C000
| style="text-align: center; background-color:#ff9797;" | FFFF
| style="text-align: center; background-color:#ff9797;" | Adaptive values
| style="text-align: center; background-color:#ff9797;" | 16 kByte
|-
| style="text-align: center; background-color:#9aff99; color:#000000;" | 50000
| style="text-align: center; background-color:#9aff99; color:#000000;" | 5FFFF
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 2
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte
|-
| style="text-align: center; background-color:#aadae3;"|82000
| style="text-align: center; background-color:#aadae3;"|87FFF
| style="text-align: center; background-color:#aadae3;"|Recovery (RSW)
| style="text-align: center; background-color:#aadae3;"|24 kByte
|-
| style="text-align: center; background-color:#bfbdbf;" | 88000
| style="text-align: center; background-color:#bfbdbf;" | 8FFFF
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte
|-
| style="text-align: center; background-color:#9aff99; color:#000000;" | 90000
| style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 1
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte
|-
| style="text-align: center; background-color:#fffc9e;" | A0000
| style="text-align: center; background-color:#fffc9e;" | 7FFFF
| style="text-align: center; background-color:#fffc9e;" | 7FFFF
| style="text-align: center; background-color:#fffc9e;" | Program Code
| style="text-align: center; background-color:#fffc9e;" | Program Code
Line 75: Line 118:


==== Bootloader & UIF ====
==== Bootloader & UIF ====
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section.  
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section.
 
This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF).  
This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF).  


Line 92: Line 134:
|4
|4
|
|
0x58D8C848
{{HexConverter|hex=58D8C848}}
|Two bytes seed, followed by two bytes key
|Two bytes seed, followed by two bytes key
|-
|-
Line 105: Line 147:
|2
|2
|
|
0x5539
{{HexConverter|hex=0x5539|default-display=ascii}}
(ASCII: U9)
|Value from the small sticker usually located on the ECU socket. [[:File:Socket label example SIMK43 U9 5WY1923A.png|Click for example with "U9" label]]
|Value from the small sticker usually located on the ECU socket. [[:File:Socket label example SIMK43 U9 5WY1923A.png|Click for example with "U9" label]]
|-
|-
Line 113: Line 154:
|8
|8
|
|
0x3557593139323341
{{HexConverter|hex=0x3557593139323341|default-display=ascii}}
(ASCII: 5WY1923A)
|In short - ECU hardware variant from the main label. For more in-depth analysis, see [[ECU family]]
|In short - ECU hardware variant from the main label. For more in-depth analysis, see [[ECU family]]
|-
|-
Line 121: Line 161:
|50
|50
|
|
0x2D31303831303336
{{HexConverter|hex=0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036|default-display=ascii}}
3236322D484D4330
3830333130303630
39323931384B5237
3730323736303442
2D4B523737303235
3036
|This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO.
|This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO.
|-
|-
|Date (YYMMDD)
|Date (YYMMDD)
|0x3F98
|0x3F98
|6?
|6
|
|
0x303830333130
{{HexConverter|hex=0x303830333130|default-display=ascii}}
(ASCII: 080310 - 2008, March 31st)
(2008, March 31st)
|Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified.
|Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified.
|}
|}
Line 142: Line 176:
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)]
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)]


==== Program code (32kByte) ====
==== Bootloader 2 (32 kByte) ====
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056.
 
ca663056 locations:
 
* 0xC000 - INT_RAM [15872]
* 0xFD00 - INT_RAM_BIT [256]
* 0xFF800 - RAM [2048]
* 0xCA4E - CCP Seed/key e.g. DEET (within RAM)
* 0xEE00 - CCP Registers
 
ca663057/58+:
 
* 32kb data block for CCP within bootloader 2
* 0x3000000 - FLASH_DR [65520]


==== Calibration zone ====
==== Calibration zone ====
Line 150: Line 197:
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized.  
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized.  


"start" reefers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000)
"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000)
{| class="wikitable"
{| class="wikitable"
|+
|+
Line 163: Line 210:
|8
|8
|
|
0x4B394E3756533041
{{HexConverter|hex=0x4B394E3756533041|default-display=ascii}}
(ASCII: K9N7VS0A)
|Siemens calls it "calibration version" (confusing, I know)
|Siemens calls it "calibration version" (confusing, I know)
|-
|-
Line 171: Line 217:
|6
|6
|
|
0x363535303239
{{HexConverter|hex=0x363535303239|default-display=ascii}}
(ASCII: 655029)
|
|
|-
|-
Line 179: Line 224:
|2
|2
|
|
0x3239
{{HexConverter|hex=0x3239}}
(ASCII: 29)
|Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the [[Checksum|initial value for the calibration zone checksum]]
|Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the [[Checksum|initial value for the calibration zone checksum]]
|-
|-
Line 188: Line 232:
|12
|12
|
|
0x63613635353032392E444154
{{HexConverter|hex=0x63613635353032392E444154|default-display=ascii}}
(ASCII: ca655029.DAT)
|Siemens calls it "description identifier".
|Siemens calls it "description identifier".
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image.  
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image.  
Line 196: Line 239:


==== Program code ====
==== Program code ====
This section contains the program code used for operating the engine
This section contains the program code used for operating the engine.

Latest revision as of 16:33, 5 January 2025

Vehicles equipped with the 2.0L Beta used the 2mbit SIMK41 up until the first facelift model (2005), when CVVT was introduced and 4mbit SIMK43 was used.

Memory layout

Both units memory can be separated into 5 sections:

  • bootloader & UIF
  • adaptive values
  • calibration zone
  • program code

Memory layouts per ECU

SIMK41 - 2mbit

Start End Section Size
0 3FFF Bootloader & UIF 16 kByte
4000 7FFF Adaptive values 16 kByte
8000 FFFF Calibration Zone 32 kByte
10000 3FFFF Program Code 192 kByte

SIMK43 - 4mbit

Start End Section Size
0 3FFF Bootloader & UIF 16 kByte
4000 7FFF Adaptive values 16 kByte
8000 FFFF Bootloader 2 32 kByte
10000 1FFFF Calibration Zone 64 kByte
20000 7FFFF Program Code 384 kByte

SIMK43 - 8mbit

Start End Section Size
0 3FFF Bootloader 1 16 kByte
C000 FFFF Adaptive values 16 kByte
50000 5FFFF Calibration Zone 2 64 kByte
82000 87FFF Recovery (RSW) 24 kByte
88000 8FFFF Bootloader 2 32 kByte
90000 1FFFF Calibration Zone 1 64 kByte
A0000 7FFFF Program Code 384 kByte

Description of memory sections

Bootloader & UIF

This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF).

Offsets and data structure in the table below are shared across all variants.

Name Offset Size (bytes, decimal) Example Notes
KWP seed/key 0x3E01 4
58D8C848


 Two bytes seed, followed by two bytes key
VIN 0x3E22 17 2.0 ECUs don't store VIN. Instead, sometimes there's a wildcard that narrows the VIN down to Tiburon models, sometimes it's just 'xxxxxxxxxxxxxxxxx'
Socket 0x3F70 2
0x5539


 Value from the small sticker usually located on the ECU socket. Click for example with "U9" label
ECU family 0x3F80 8
0x3557593139323341


 In short - ECU hardware variant from the main label. For more in-depth analysis, see ECU family
Serial number 0x3F8A 50
0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036


 This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO.
Date (YYMMDD) 0x3F98 6
0x303830333130


(2008, March 31st)

Production/first flash date. This might/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified.

Adaptive values

This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)

Bootloader 2 (32 kByte)

This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056.

ca663056 locations:

  • 0xC000 - INT_RAM [15872]
  • 0xFD00 - INT_RAM_BIT [256]
  • 0xFF800 - RAM [2048]
  • 0xCA4E - CCP Seed/key e.g. DEET (within RAM)
  • 0xEE00 - CCP Registers

ca663057/58+:

  • 32kb data block for CCP within bootloader 2
  • 0x3000000 - FLASH_DR [65520]

Calibration zone

Calibration zone contains all the calibration data and maps used for managing the engine.

Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized.

"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000)

Name Offset Size Example Notes
Chassis identifier start 8
0x4B394E3756533041


 Siemens calls it "calibration version" (confusing, I know)
Calibration version (#1 occurence) start + 0x8 6
0x363535303239
Calibration checksum initial value start + 0xC 2
0x3239


 Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the initial value for the calibration zone checksum
Calibration version

(#2 occurence)

start + 0x40 12
0x63613635353032392E444154


 Siemens calls it "description identifier".

Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. While not confirmed, it appears that lowercase 'ca' suffix was used through the SIMK4x series, with uppercase 'CA' first appearing in SIM2K series

Program code

This section contains the program code used for operating the engine.

Retrieved from "https://opengk.org:443/index.php?title=2.0L_ECM&oldid=628"