2.0L ECM: Difference between revisions
(10 intermediate revisions by 2 users not shown) | |||
Line 56: | Line 56: | ||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | | style="text-align: center; background-color:#ff9797;" | 16 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | 8000 | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | FFFF | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | 32 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | | style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | ||
Line 67: | Line 67: | ||
|- | |- | ||
| style="text-align: center; background-color:#fffc9e;" | 20000 | | style="text-align: center; background-color:#fffc9e;" | 20000 | ||
| style="text-align: center; background-color:#fffc9e;" | 7FFFF | |||
| style="text-align: center; background-color:#fffc9e;" | Program Code | |||
| style="text-align: center; background-color:#fffc9e;" | 384 kByte | |||
|} | |||
==== SIMK43 - 8mbit ==== | |||
{| class="wikitable" | |||
! style="text-align: center; font-weight:bold;" | Start | |||
! style="text-align: center; font-weight:bold;" | End | |||
! style="text-align: center; font-weight:bold;" | Section | |||
! style="text-align: center; font-weight:bold;" | Size | |||
|- | |||
| style="text-align: center; background-color:#fe996b;" | 0 | |||
| style="text-align: center; background-color:#fe996b;" | 3FFF | |||
| style="text-align: center; background-color:#fe996b;" | Bootloader 1 | |||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#ff9797;" | C000 | |||
| style="text-align: center; background-color:#ff9797;" | FFFF | |||
| style="text-align: center; background-color:#ff9797;" | Adaptive values | |||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 50000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 5FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 2 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#aadae3;"|82000 | |||
| style="text-align: center; background-color:#aadae3;"|87FFF | |||
| style="text-align: center; background-color:#aadae3;"|Recovery (RSW) | |||
| style="text-align: center; background-color:#aadae3;"|24 kByte | |||
|- | |||
| style="text-align: center; background-color:#bfbdbf;" | 88000 | |||
| style="text-align: center; background-color:#bfbdbf;" | 8FFFF | |||
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | |||
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 90000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 1 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#fffc9e;" | A0000 | |||
| style="text-align: center; background-color:#fffc9e;" | 7FFFF | | style="text-align: center; background-color:#fffc9e;" | 7FFFF | ||
| style="text-align: center; background-color:#fffc9e;" | Program Code | | style="text-align: center; background-color:#fffc9e;" | Program Code | ||
Line 125: | Line 168: | ||
|6 | |6 | ||
| | | | ||
{{HexConverter|hex=0x303830333130}} | {{HexConverter|hex=0x303830333130|default-display=ascii}} | ||
(2008, March 31st) | (2008, March 31st) | ||
|Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. | |Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. | ||
Line 133: | Line 176: | ||
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)] | This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)] | ||
==== | ==== Bootloader 2 (32 kByte) ==== | ||
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs | This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056. | ||
ca663056 locations: | |||
* 0xC000 - INT_RAM [15872] | |||
* 0xFD00 - INT_RAM_BIT [256] | |||
* 0xFF800 - RAM [2048] | |||
* 0xCA4E - CCP Seed/key e.g. DEET (within RAM) | |||
* 0xEE00 - CCP Registers | |||
ca663057/58+: | |||
* 32kb data block for CCP within bootloader 2 | |||
* 0x3000000 - FLASH_DR [65520] | |||
==== Calibration zone ==== | ==== Calibration zone ==== | ||
Line 141: | Line 197: | ||
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized. | Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized. | ||
"start" | "start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000) | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
Line 154: | Line 210: | ||
|8 | |8 | ||
| | | | ||
{{HexConverter|hex=0x4B394E3756533041}} | {{HexConverter|hex=0x4B394E3756533041|default-display=ascii}} | ||
|Siemens calls it "calibration version" (confusing, I know) | |Siemens calls it "calibration version" (confusing, I know) | ||
|- | |- | ||
Line 161: | Line 217: | ||
|6 | |6 | ||
| | | | ||
{{HexConverter|hex=0x363535303239}} | {{HexConverter|hex=0x363535303239|default-display=ascii}} | ||
| | | | ||
|- | |- | ||
Line 176: | Line 232: | ||
|12 | |12 | ||
| | | | ||
{{HexConverter|hex=0x63613635353032392E444154}} | {{HexConverter|hex=0x63613635353032392E444154|default-display=ascii}} | ||
|Siemens calls it "description identifier". | |Siemens calls it "description identifier". | ||
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. | Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. | ||
Line 184: | Line 239: | ||
==== Program code ==== | ==== Program code ==== | ||
This section contains the program code used for operating the engine | This section contains the program code used for operating the engine. |
Latest revision as of 16:33, 5 January 2025
Vehicles equipped with the 2.0L Beta used the 2mbit SIMK41 up until the first facelift model (2005), when CVVT was introduced and 4mbit SIMK43 was used.
Memory layout
Both units memory can be separated into 5 sections:
- bootloader & UIF
- adaptive values
- calibration zone
- program code
Memory layouts per ECU
SIMK41 - 2mbit
Start | End | Section | Size |
---|---|---|---|
0 | 3FFF | Bootloader & UIF | 16 kByte |
4000 | 7FFF | Adaptive values | 16 kByte |
8000 | FFFF | Calibration Zone | 32 kByte |
10000 | 3FFFF | Program Code | 192 kByte |
SIMK43 - 4mbit
Start | End | Section | Size |
---|---|---|---|
0 | 3FFF | Bootloader & UIF | 16 kByte |
4000 | 7FFF | Adaptive values | 16 kByte |
8000 | FFFF | Bootloader 2 | 32 kByte |
10000 | 1FFFF | Calibration Zone | 64 kByte |
20000 | 7FFFF | Program Code | 384 kByte |
SIMK43 - 8mbit
Start | End | Section | Size |
---|---|---|---|
0 | 3FFF | Bootloader 1 | 16 kByte |
C000 | FFFF | Adaptive values | 16 kByte |
50000 | 5FFFF | Calibration Zone 2 | 64 kByte |
82000 | 87FFF | Recovery (RSW) | 24 kByte |
88000 | 8FFFF | Bootloader 2 | 32 kByte |
90000 | 1FFFF | Calibration Zone 1 | 64 kByte |
A0000 | 7FFFF | Program Code | 384 kByte |
Description of memory sections
Bootloader & UIF
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF).
Offsets and data structure in the table below are shared across all variants.
Name | Offset | Size (bytes, decimal) | Example | Notes |
---|---|---|---|---|
KWP seed/key | 0x3E01 | 4 |
58D8C848
|
Two bytes seed, followed by two bytes key |
VIN | 0x3E22 | 17 | 2.0 ECUs don't store VIN. Instead, sometimes there's a wildcard that narrows the VIN down to Tiburon models, sometimes it's just 'xxxxxxxxxxxxxxxxx' | |
Socket | 0x3F70 | 2 |
0x5539
|
Value from the small sticker usually located on the ECU socket. Click for example with "U9" label |
ECU family | 0x3F80 | 8 |
0x3557593139323341
|
In short - ECU hardware variant from the main label. For more in-depth analysis, see ECU family |
Serial number | 0x3F8A | 50 |
0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036
|
This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. |
Date (YYMMDD) | 0x3F98 | 6 |
0x303830333130
|
Production/first flash date. This might/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. |
Adaptive values
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)
Bootloader 2 (32 kByte)
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056.
ca663056 locations:
- 0xC000 - INT_RAM [15872]
- 0xFD00 - INT_RAM_BIT [256]
- 0xFF800 - RAM [2048]
- 0xCA4E - CCP Seed/key e.g. DEET (within RAM)
- 0xEE00 - CCP Registers
ca663057/58+:
- 32kb data block for CCP within bootloader 2
- 0x3000000 - FLASH_DR [65520]
Calibration zone
Calibration zone contains all the calibration data and maps used for managing the engine.
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized.
"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000)
Name | Offset | Size | Example | Notes |
---|---|---|---|---|
Chassis identifier | start | 8 |
0x4B394E3756533041
|
Siemens calls it "calibration version" (confusing, I know) |
Calibration version (#1 occurence) | start + 0x8 | 6 |
0x363535303239
|
|
Calibration checksum initial value | start + 0xC | 2 |
0x3239
|
Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the initial value for the calibration zone checksum |
Calibration version
(#2 occurence) |
start + 0x40 | 12 |
0x63613635353032392E444154
|
Siemens calls it "description identifier".
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. While not confirmed, it appears that lowercase 'ca' suffix was used through the SIMK4x series, with uppercase 'CA' first appearing in SIM2K series |
Program code
This section contains the program code used for operating the engine.