2.0L ECM: Difference between revisions
From OpenGK
No edit summary |
|||
| (34 intermediate revisions by 2 users not shown) | |||
| Line 9: | Line 9: | ||
* program code | * program code | ||
=== | === Memory layouts per ECU === | ||
=== | ==== SIMK41 - 2mbit ==== | ||
{| class="wikitable" | |||
! style="text-align: center; font-weight:bold;" | Start | |||
! style="text-align: center; font-weight:bold;" | End | |||
! style="text-align: center; font-weight:bold;" | Section | |||
! style="text-align: center; font-weight:bold;" | Size | |||
|- | |||
| style="text-align: center; background-color:#fe996b;" | 0 | |||
| style="text-align: center; background-color:#fe996b;" | 3FFF | |||
| style="text-align: center; background-color:#fe996b;" | Bootloader & UIF | |||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#ff9797;" | 4000 | |||
| style="text-align: center; background-color:#ff9797;" | 7FFF | |||
| style="text-align: center; background-color:#ff9797;" | Adaptive values | |||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 8000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 32 kByte | |||
|- | |||
| style="text-align: center; background-color:#fffc9e;" | 10000 | |||
| style="text-align: center; background-color:#fffc9e;" | 3FFFF | |||
| style="text-align: center; background-color:#fffc9e;" | Program Code | |||
| style="text-align: center; background-color:#fffc9e;" | 192 kByte | |||
|} | |||
==== SIMK43 - 4mbit ==== | |||
{| class="wikitable" | {| class="wikitable" | ||
! style="text-align: center; font-weight:bold;" | Start | ! style="text-align: center; font-weight:bold;" | Start | ||
| Line 24: | Line 51: | ||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | | style="text-align: center; background-color:#fe996b;" | 16 kByte | ||
|- | |- | ||
|4000 | | style="text-align: center; background-color:#ff9797;" | 4000 | ||
|7FFF | | style="text-align: center; background-color:#ff9797;" | 7FFF | ||
|Adaptive values | | style="text-align: center; background-color:#ff9797;" | Adaptive values | ||
|16 kByte | | style="text-align: center; background-color:#ff9797;" | 16 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | 8000 | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | FFFF | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | ||
| style="text-align: center; background-color:# | | style="text-align: center; background-color:#bfbdbf;" | 32 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | | style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | ||
| Line 39: | Line 66: | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | | style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | ||
|- | |- | ||
|20000 | | style="text-align: center; background-color:#fffc9e;" | 20000 | ||
|7FFFF | | style="text-align: center; background-color:#fffc9e;" | 7FFFF | ||
|Program Code | | style="text-align: center; background-color:#fffc9e;" | Program Code | ||
|384 kByte | | style="text-align: center; background-color:#fffc9e;" | 384 kByte | ||
|} | |||
==== SIMK43 - 8mbit ==== | |||
{| class="wikitable" | |||
! style="text-align: center; font-weight:bold;" | Start | |||
! style="text-align: center; font-weight:bold;" | End | |||
! style="text-align: center; font-weight:bold;" | Section | |||
! style="text-align: center; font-weight:bold;" | Size | |||
|- | |||
| style="text-align: center; background-color:#fe996b;" | 0 | |||
| style="text-align: center; background-color:#fe996b;" | 3FFF | |||
| style="text-align: center; background-color:#fe996b;" | Bootloader 1 | |||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#ff9797;" | C000 | |||
| style="text-align: center; background-color:#ff9797;" | FFFF | |||
| style="text-align: center; background-color:#ff9797;" | Adaptive values | |||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 50000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 5FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 2 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#aadae3;"|82000 | |||
| style="text-align: center; background-color:#aadae3;"|87FFF | |||
| style="text-align: center; background-color:#aadae3;"|Recovery (RSW) | |||
| style="text-align: center; background-color:#aadae3;"|24 kByte | |||
|- | |||
| style="text-align: center; background-color:#bfbdbf;" | 88000 | |||
| style="text-align: center; background-color:#bfbdbf;" | 8FFFF | |||
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | |||
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 90000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 1 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#fffc9e;" | A0000 | |||
| style="text-align: center; background-color:#fffc9e;" | 7FFFF | |||
| style="text-align: center; background-color:#fffc9e;" | Program Code | |||
| style="text-align: center; background-color:#fffc9e;" | 384 kByte | |||
|} | |} | ||
=== Description of memory sections === | |||
==== Bootloader & UIF ==== | |||
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. | |||
This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF). | |||
Offsets and data structure in the table below are shared across all variants. | |||
{| class="wikitable" | |||
|+ | |||
!Name | |||
!Offset | |||
!Size (bytes, decimal) | |||
!Example | |||
!Notes | |||
|- | |||
|[[K-Line|KWP seed/key]] | |||
|0x3E01 | |||
|4 | |||
| | |||
{{HexConverter|hex=58D8C848}} | |||
|Two bytes seed, followed by two bytes key | |||
|- | |||
|[[Vehicle identification number (VIN)|VIN]] | |||
|0x3E22 | |||
|17 | |||
| | |||
|2.0 ECUs don't store VIN. Instead, sometimes there's a [[Vehicle identification number (VIN)|wildcard that narrows the VIN down to Tiburon models]], sometimes it's just 'xxxxxxxxxxxxxxxxx' | |||
|- | |||
|Socket | |||
|0x3F70 | |||
|2 | |||
| | |||
{{HexConverter|hex=0x5539|default-display=ascii}} | |||
|Value from the small sticker usually located on the ECU socket. [[:File:Socket label example SIMK43 U9 5WY1923A.png|Click for example with "U9" label]] | |||
|- | |||
|[[ECU family]] | |||
|0x3F80 | |||
|8 | |||
| | |||
{{HexConverter|hex=0x3557593139323341|default-display=ascii}} | |||
|In short - ECU hardware variant from the main label. For more in-depth analysis, see [[ECU family]] | |||
|- | |||
|Serial number | |||
|0x3F8A | |||
|50 | |||
| | |||
{{HexConverter|hex=0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036|default-display=ascii}} | |||
|This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. | |||
|- | |||
|Date (YYMMDD) | |||
|0x3F98 | |||
|6 | |||
| | |||
{{HexConverter|hex=0x303830333130|default-display=ascii}} | |||
(2008, March 31st) | |||
|Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. | |||
|} | |||
==== Adaptive values ==== | |||
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)] | |||
==== Bootloader 2 (32 kByte) ==== | |||
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056. | |||
ca663056 locations: | |||
* 0xC000 - INT_RAM [15872] | |||
* 0xFD00 - INT_RAM_BIT [256] | |||
* 0xFF800 - RAM [2048] | |||
* 0xCA4E - CCP Seed/key e.g. DEET (within RAM) | |||
* 0xEE00 - CCP Registers | |||
ca663057/58+: | |||
* 32kb data block for CCP within bootloader 2 | |||
* 0x3000000 - FLASH_DR [65520] | |||
==== Calibration zone ==== | |||
Calibration zone contains all the calibration data and maps used for managing the engine. | |||
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized. | |||
"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000) | |||
{| class="wikitable" | |||
|+ | |||
!Name | |||
!Offset | |||
!Size | |||
!Example | |||
!Notes | |||
|- | |||
|Chassis identifier | |||
|start | |||
|8 | |||
| | |||
{{HexConverter|hex=0x4B394E3756533041|default-display=ascii}} | |||
|Siemens calls it "calibration version" (confusing, I know) | |||
|- | |||
|Calibration version (#1 occurence) | |||
|start + 0x8 | |||
|6 | |||
| | |||
{{HexConverter|hex=0x363535303239|default-display=ascii}} | |||
| | |||
|- | |||
|Calibration [[Checksum|checksum initial value]] | |||
|start + 0xC | |||
|2 | |||
| | |||
{{HexConverter|hex=0x3239}} | |||
|Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the [[Checksum|initial value for the calibration zone checksum]] | |||
|- | |||
|Calibration version | |||
(#2 occurence) | |||
|start + 0x40 | |||
|12 | |||
| | |||
{{HexConverter|hex=0x63613635353032392E444154|default-display=ascii}} | |||
|Siemens calls it "description identifier". | |||
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. | |||
'''While not confirmed''', it appears that lowercase 'ca' suffix was used through the SIMK4x series, with uppercase 'CA' first appearing in SIM2K series | |||
|} | |||
==== Program code ==== | |||
This section contains the program code used for operating the engine. | |||
Latest revision as of 16:33, 5 January 2025
Vehicles equipped with the 2.0L Beta used the 2mbit SIMK41 up until the first facelift model (2005), when CVVT was introduced and 4mbit SIMK43 was used.
Memory layout
Both units memory can be separated into 5 sections:
- bootloader & UIF
- adaptive values
- calibration zone
- program code
Memory layouts per ECU
SIMK41 - 2mbit
| Start | End | Section | Size |
|---|---|---|---|
| 0 | 3FFF | Bootloader & UIF | 16 kByte |
| 4000 | 7FFF | Adaptive values | 16 kByte |
| 8000 | FFFF | Calibration Zone | 32 kByte |
| 10000 | 3FFFF | Program Code | 192 kByte |
SIMK43 - 4mbit
| Start | End | Section | Size |
|---|---|---|---|
| 0 | 3FFF | Bootloader & UIF | 16 kByte |
| 4000 | 7FFF | Adaptive values | 16 kByte |
| 8000 | FFFF | Bootloader 2 | 32 kByte |
| 10000 | 1FFFF | Calibration Zone | 64 kByte |
| 20000 | 7FFFF | Program Code | 384 kByte |
SIMK43 - 8mbit
| Start | End | Section | Size |
|---|---|---|---|
| 0 | 3FFF | Bootloader 1 | 16 kByte |
| C000 | FFFF | Adaptive values | 16 kByte |
| 50000 | 5FFFF | Calibration Zone 2 | 64 kByte |
| 82000 | 87FFF | Recovery (RSW) | 24 kByte |
| 88000 | 8FFFF | Bootloader 2 | 32 kByte |
| 90000 | 1FFFF | Calibration Zone 1 | 64 kByte |
| A0000 | 7FFFF | Program Code | 384 kByte |
Description of memory sections
Bootloader & UIF
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF).
Offsets and data structure in the table below are shared across all variants.
| Name | Offset | Size (bytes, decimal) | Example | Notes |
|---|---|---|---|---|
| KWP seed/key | 0x3E01 | 4 |
58D8C848
|
Two bytes seed, followed by two bytes key |
| VIN | 0x3E22 | 17 | 2.0 ECUs don't store VIN. Instead, sometimes there's a wildcard that narrows the VIN down to Tiburon models, sometimes it's just 'xxxxxxxxxxxxxxxxx' | |
| Socket | 0x3F70 | 2 |
0x5539
|
Value from the small sticker usually located on the ECU socket. Click for example with "U9" label |
| ECU family | 0x3F80 | 8 |
0x3557593139323341
|
In short - ECU hardware variant from the main label. For more in-depth analysis, see ECU family |
| Serial number | 0x3F8A | 50 |
0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036
|
This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. |
| Date (YYMMDD) | 0x3F98 | 6 |
0x303830333130
|
Production/first flash date. This might/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. |
Adaptive values
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)
Bootloader 2 (32 kByte)
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056.
ca663056 locations:
- 0xC000 - INT_RAM [15872]
- 0xFD00 - INT_RAM_BIT [256]
- 0xFF800 - RAM [2048]
- 0xCA4E - CCP Seed/key e.g. DEET (within RAM)
- 0xEE00 - CCP Registers
ca663057/58+:
- 32kb data block for CCP within bootloader 2
- 0x3000000 - FLASH_DR [65520]
Calibration zone
Calibration zone contains all the calibration data and maps used for managing the engine.
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized.
"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000)
| Name | Offset | Size | Example | Notes |
|---|---|---|---|---|
| Chassis identifier | start | 8 |
0x4B394E3756533041
|
Siemens calls it "calibration version" (confusing, I know) |
| Calibration version (#1 occurence) | start + 0x8 | 6 |
0x363535303239
|
|
| Calibration checksum initial value | start + 0xC | 2 |
0x3239
|
Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the initial value for the calibration zone checksum |
| Calibration version
(#2 occurence) |
start + 0x40 | 12 |
0x63613635353032392E444154
|
Siemens calls it "description identifier".
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. While not confirmed, it appears that lowercase 'ca' suffix was used through the SIMK4x series, with uppercase 'CA' first appearing in SIM2K series |
Program code
This section contains the program code used for operating the engine.
