2.0L ECM: Difference between revisions
(25 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
== Memory layout == | == Memory layout == | ||
Both units memory can be separated into 5 | |||
=== Memory offset & bin offset === | |||
Through OpenGK wiki and projects, you'll often find the terms memory offset, and bin offset. | |||
You might notice that memory offset is usually around 0x80000 larger than bin offset when referring to the same spot (such as the calibration zone). | |||
Bin offset is referring to the position in your .bin file - and the EEPROM. Memory offset is referring to the CPU offset - such as when reading using ReadMemoryByAddress. | |||
This is because of the c166 memory layout and DPP (Data Page Pointer) configuration. In general, on every c166 project, the memory offset will be at least 0x80000 higher than the bin offset - further description needed. | |||
=== Regions === | |||
Both units memory can be separated into 5 regions: | |||
* bootloader & UIF | * bootloader & UIF | ||
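Review bot: The new "Memory offset & bin offset" paragraph first says the memory offset is "usually around 0x80000 larger" and then that it "will be at least 0x80000 higher" on every c166 project, and it ends with the placeholder "further description needed". Pick one statement and say which regions it applies to, since the low rows of the SIMK43 table added in this revision list identical memory and bin offsets (0 to 3FFF, C000 to FFFF).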
Line 10: | Line 21: | ||
=== Memory layouts per ECU === | === Memory layouts per ECU === | ||
All provided offsets are in hex | |||
==== SIMK41 - 2mbit ==== | ==== SIMK41 - 2mbit ==== | ||
Line 41: | Line 53: | ||
==== SIMK43 - 4mbit ==== | ==== SIMK43 - 4mbit ==== | ||
{| class="wikitable" | {| class="wikitable" | ||
! style="text-align: center; font-weight:bold;" | | !Memory start | ||
! style="text-align: center; font-weight:bold;" | | !Memory end | ||
! style="text-align: center; font-weight:bold;" | Bin start | |||
! style="text-align: center; font-weight:bold;" | Bin end | |||
! style="text-align: center; font-weight:bold;" | Section | ! style="text-align: center; font-weight:bold;" | Section | ||
! style="text-align: center; font-weight:bold;" | Size | ! style="text-align: center; font-weight:bold;" | Size | ||
|- | |- | ||
| style="text-align: center; background-color:#fe996b;" |0 | |||
| style="text-align: center; background-color:#fe996b;" |3FFF | |||
| style="text-align: center; background-color:#fe996b;" | 0 | | style="text-align: center; background-color:#fe996b;" | 0 | ||
| style="text-align: center; background-color:#fe996b;" | 3FFF | | style="text-align: center; background-color:#fe996b;" | 3FFF | ||
Line 51: | Line 67: | ||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | | style="text-align: center; background-color:#fe996b;" | 16 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:#ff9797;" | | | style="text-align: center; background-color:#ff9797;" |C000 | ||
| style="text-align: center; background-color:#ff9797;" | | | style="text-align: center; background-color:#ff9797;" |FFFF | ||
| style="text-align: center; background-color:#ff9797;" | C000 | |||
| style="text-align: center; background-color:#ff9797;" | FFFF | |||
| style="text-align: center; background-color:#ff9797;" | Adaptive values | | style="text-align: center; background-color:#ff9797;" | Adaptive values | ||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | | style="text-align: center; background-color:#ff9797;" | 16 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:# | | style="text-align: center;" |E000 | ||
| style="text-align: center; background-color:# | | style="text-align: center;" |E7FF | ||
| style="text-align: center; background-color:# | | style="text-align: center;" |E000 | ||
| style="text-align: center; background-color:# | | style="text-align: center;" |E7FF | ||
| style="text-align: center;" |XRAM | |||
| style="text-align: center;" |2 kByte | |||
|- | |||
| style="text-align: center;" |EF00 | |||
| style="text-align: center;" |F000 | |||
| style="text-align: center;" |EF00 | |||
| style="text-align: center;" |F000 | |||
| style="text-align: center;" |CAN1 | |||
| style="text-align: center;" |256 bytes | |||
|- | |||
| style="text-align: center;" |F000 | |||
| style="text-align: center;" |F200 | |||
| style="text-align: center;" |F000 | |||
| style="text-align: center;" |F200 | |||
| style="text-align: center;" |ESFR | |||
| style="text-align: center;" |512 bytes | |||
|- | |||
| style="text-align: center;" |F600 | |||
| style="text-align: center;" |FBFF | |||
| style="text-align: center;" |F600 | |||
| style="text-align: center;" |FBFF | |||
| style="text-align: center;" |Internal RAM | |||
| style="text-align: center;" |1.5 kByte | |||
|- | |||
| style="text-align: center;" |FC00 | |||
| style="text-align: center;" |FFFF | |||
| style="text-align: center;" |FC00 | |||
| style="text-align: center;" |FFFF | |||
| style="text-align: center;" |Internal SFRs | |||
| style="text-align: center;" |1 kByte | |||
|- | |||
| style="text-align: center; background-color:#ff9797;" |FD00 | |||
| style="text-align: center; background-color:#ff9797;" |FF55? | |||
| style="text-align: center; background-color:#ff9797;" |FD00 | |||
| style="text-align: center; background-color:#ff9797;" |FF55? | |||
| style="text-align: center; background-color:#ff9797;" |INT_RAM_BIT | |||
| style="text-align: center; background-color:#ff9797;" |256 bytes | |||
|- | |||
| style="text-align: center; background-color:#bfbdbf;" |88000 | |||
| style="text-align: center; background-color:#bfbdbf;" |97FFF | |||
| style="text-align: center; background-color:#bfbdbf;" | 8000 | |||
| style="text-align: center; background-color:#bfbdbf;" | FFFF | |||
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | |||
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte | |||
|- | |- | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" |90000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" |AFFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | | style="text-align: center; background-color:#9aff99; color:#000000;" | 10000 | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF | | style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF | ||
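Review bot: The Memory end values added for the Bootloader 2 row (88000 to 97FFF) and the row after it (90000 to AFFFF) span 0x10000 and 0x20000 bytes, twice their bin ranges (8000 to FFFF, 10000 to 1FFFF), and the two memory ranges overlap. If memory is the bin range plus a fixed offset, the ends would be 8FFFF and 9FFFF; please verify. The CAN1 (EF00 to F000, 256 bytes) and ESFR (F000 to F200, 512 bytes) rows use an exclusive end while the other rows use an inclusive one, and INT_RAM_BIT (FD00 to FF55?) does not match its stated 256 bytes.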
Line 66: | Line 130: | ||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | | style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | ||
|- | |- | ||
| style="text-align: center; background-color:#fffc9e;" |A0000 | |||
| style="text-align: center; background-color:#fffc9e;" |11FFFF | |||
| style="text-align: center; background-color:#fffc9e;" | 20000 | | style="text-align: center; background-color:#fffc9e;" | 20000 | ||
| style="text-align: center; background-color:#fffc9e;" | 7FFFF | |||
| style="text-align: center; background-color:#fffc9e;" | Program Code | |||
| style="text-align: center; background-color:#fffc9e;" | 384 kByte | |||
|} | |||
==== SIMK43 - 8mbit ==== | |||
{| class="wikitable" | |||
! style="text-align: center; font-weight:bold;" | Start | |||
! style="text-align: center; font-weight:bold;" | End | |||
! style="text-align: center; font-weight:bold;" | Section | |||
! style="text-align: center; font-weight:bold;" | Size | |||
|- | |||
| style="text-align: center; background-color:#fe996b;" | 0 | |||
| style="text-align: center; background-color:#fe996b;" | 3FFF | |||
| style="text-align: center; background-color:#fe996b;" | Bootloader 1 | |||
| style="text-align: center; background-color:#fe996b;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#ff9797;" | C000 | |||
| style="text-align: center; background-color:#ff9797;" | FFFF | |||
| style="text-align: center; background-color:#ff9797;" | Adaptive values | |||
| style="text-align: center; background-color:#ff9797;" | 16 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 50000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 5FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 2 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#aadae3;"|82000 | |||
| style="text-align: center; background-color:#aadae3;"|87FFF | |||
| style="text-align: center; background-color:#aadae3;"|Recovery (RSW) | |||
| style="text-align: center; background-color:#aadae3;"|24 kByte | |||
|- | |||
| style="text-align: center; background-color:#bfbdbf;" | 88000 | |||
| style="text-align: center; background-color:#bfbdbf;" | 8FFFF | |||
| style="text-align: center; background-color:#bfbdbf;" | Bootloader 2 | |||
| style="text-align: center; background-color:#bfbdbf;" | 32 kByte | |||
|- | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 90000 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 1FFFF | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | Calibration Zone 1 | |||
| style="text-align: center; background-color:#9aff99; color:#000000;" | 64 kByte | |||
|- | |||
| style="text-align: center; background-color:#fffc9e;" | A0000 | |||
| style="text-align: center; background-color:#fffc9e;" | 7FFFF | | style="text-align: center; background-color:#fffc9e;" | 7FFFF | ||
| style="text-align: center; background-color:#fffc9e;" | Program Code | | style="text-align: center; background-color:#fffc9e;" | Program Code | ||
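Review bot: In the new SIMK43 - 8mbit table the Calibration Zone 1 row (90000 to 1FFFF) and the Program Code row (A0000 to 7FFFF) have an End lower than their Start, which looks like memory start values placed next to bin end values; use one address space per table, or give this table the same Memory/Bin columns as the 4mbit one. The 4mbit Program Code row has a related problem: memory A0000 to 11FFFF is 0x80000 bytes against a stated 384 kByte (bin 20000 to 7FFFF).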
Line 77: | Line 186: | ||
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. | This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is ok before control is handed over to the program code section. | ||
This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF). | This section also contains one time writeable data such as hardware identifier, manufacturer information and user information fields (UIF). | ||
Offsets and data structure in the table below are shared across all variants. | Offsets and data structure in the table below are shared across all variants. | ||
{| class="wikitable" | {| class="wikitable" | ||
Line 87: | Line 195: | ||
!Example | !Example | ||
!Notes | !Notes | ||
|- | |||
|[[K-Line|KWP seed/key verification enabled flag]] | |||
|0x3E00 | |||
|1 | |||
| | |||
{{HexConverter|hex=00}} | |||
|Flag determining whether the ECU should ask for KWP authorization key. 0x00 - security access verification enabled, 0xFF - disabled | |||
|- | |- | ||
|[[K-Line|KWP seed/key]] | |[[K-Line|KWP seed/key]] | ||
Line 92: | Line 207: | ||
|4 | |4 | ||
| | | | ||
{{HexConverter|hex=58D8C848}} | {{HexConverter|hex=58D8C848}} | ||
|Two bytes seed, followed by two bytes key | |Two bytes seed, followed by two bytes key | ||
Line 106: | Line 220: | ||
|2 | |2 | ||
| | | | ||
{{HexConverter|hex=0x5539|default-display=ascii}} | |||
|Value from the small sticker usually located on the ECU socket. [[:File:Socket label example SIMK43 U9 5WY1923A.png|Click for example with "U9" label]] | |Value from the small sticker usually located on the ECU socket. [[:File:Socket label example SIMK43 U9 5WY1923A.png|Click for example with "U9" label]] | ||
|- | |- | ||
Line 114: | Line 227: | ||
|8 | |8 | ||
| | | | ||
{{HexConverter|hex=0x3557593139323341|default-display=ascii}} | |||
|In short - ECU hardware variant from the main label. For more in-depth analysis, see [[ECU family]] | |In short - ECU hardware variant from the main label. For more in-depth analysis, see [[ECU family]] | ||
|- | |- | ||
Line 122: | Line 234: | ||
|50 | |50 | ||
| | | | ||
{{HexConverter|hex=0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036}} | {{HexConverter|hex=0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036|default-display=ascii}} | ||
|This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. | |This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. | ||
|- | |- | ||
Line 129: | Line 241: | ||
|6 | |6 | ||
| | | | ||
{{HexConverter|hex=0x303830333130|default-display=ascii}} | |||
( | (2008, March 31st) | ||
|Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. | |Production/first flash date. This '''might'''/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. | ||
|- | |||
|ECU lock status flag | |||
|1 | |||
|{{HexConverter|hex=0x00|default-display=hex}} | |||
|Flag determining whether the ECU is locked. 0x00 by default, setting it to 0xFF will allow to read the whole ECU including bootzone over KWP2000 | |||
|} | |} | ||
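Review bot: The new "ECU lock status flag" row has only four cells (name, 1, example, notes) in a five-column table, so the Offset is missing and every value shifts one column to the left; add the offset cell, or an empty one marked as unknown. In the same hunk the date annotation "(2008, March 31st)" does not match the example: 0x303830333130 is ASCII "080310", which read as YYMMDD is 10 March 2008.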
Line 137: | Line 254: | ||
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)] | This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is [https://github.com/Dante383/siemens-simk43-decrypt scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)] | ||
==== | ==== Bootloader 2 (32 kByte) ==== | ||
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs | This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or SIMK43's running less than ca663056. | ||
ca663056 locations: | |||
* 0xC000 - INT_RAM [15872] | |||
* 0xFD00 - INT_RAM_BIT [256] | |||
* 0xFF800 - RAM [2048] | |||
* 0xCA4E - CCP Seed/key e.g. DEET (within RAM) | |||
* 0xEE00 - CCP Registers | |||
ca663057/58+: | |||
* 32kb data block for CCP within bootloader 2 | |||
* 0x3000000 - FLASH_DR [65520] | |||
==== Calibration zone ==== | ==== Calibration zone ==== | ||
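Review bot: The bracketed numbers in the new "ca663056 locations" list carry no unit, and read as byte counts they collide: INT_RAM at 0xC000 with [15872] (0x3E00) would run to 0xFDFF, covering the CCP registers at 0xEE00 and INT_RAM_BIT at 0xFD00. State the unit and whether the overlap is intended. 0xFF800 and 0x3000000 are also wider than the other addresses in the list and worth a second look, and "running less than ca663056" should say what is being compared.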
Line 145: | Line 275: | ||
Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized. | Position and structure varies depending on the calibration version, but the structure of first 96 (0x60) bytes is standarized. | ||
"start" | "start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000) | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
Line 158: | Line 288: | ||
|8 | |8 | ||
| | | | ||
{{HexConverter|hex=0x4B394E3756533041|default-display=ascii}} | |||
|Siemens calls it "calibration version" (confusing, I know) | |Siemens calls it "calibration version" (confusing, I know) | ||
|- | |- | ||
Line 166: | Line 295: | ||
|6 | |6 | ||
| | | | ||
{{HexConverter|hex=0x363535303239|default-display=ascii}} | |||
| | | | ||
|- | |- | ||
Line 174: | Line 302: | ||
|2 | |2 | ||
| | | | ||
{{HexConverter|hex=0x3239}} | |||
|Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the [[Checksum|initial value for the calibration zone checksum]] | |Overlap of offsets isn't a typo here - last two digits of the first occurence of calibration version are also the [[Checksum|initial value for the calibration zone checksum]] | ||
|- | |- | ||
Line 183: | Line 310: | ||
|12 | |12 | ||
| | | | ||
{{HexConverter|hex=0x63613635353032392E444154|default-display=ascii}} | |||
|Siemens calls it "description identifier". | |Siemens calls it "description identifier". | ||
Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. | Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. | ||
Line 191: | Line 317: | ||
==== Program code ==== | ==== Program code ==== | ||
This section contains the program code used for operating the engine | This section contains the program code used for operating the engine. |
Latest revision as of 20:10, 26 March 2025
Vehicles equipped with the 2.0L Beta used the 2mbit SIMK41 up until the first facelift model (2005), when CVVT was introduced and 4mbit SIMK43 was used.
Memory layout
Memory offset & bin offset
Throughout the OpenGK wiki and projects, you'll often find the terms memory offset and bin offset.
You might notice that memory offset is usually around 0x80000 larger than bin offset when referring to the same spot (such as the calibration zone).
Bin offset refers to the position in your .bin file, and in the EEPROM. Memory offset refers to the CPU offset, such as when reading using ReadMemoryByAddress.
This is because of the c166 memory layout and DPP (Data Page Pointer) configuration. In general, on every c166 project, the memory offset will be at least 0x80000 higher than the bin offset - further description needed.
Regions
Both units' memory can be separated into 5 regions:
- bootloader & UIF
- adaptive values
- calibration zone
- program code
Memory layouts per ECU
All provided offsets are in hex
SIMK41 - 2mbit
Start | End | Section | Size |
---|---|---|---|
0 | 3FFF | Bootloader & UIF | 16 kByte |
4000 | 7FFF | Adaptive values | 16 kByte |
8000 | FFFF | Calibration Zone | 32 kByte |
10000 | 3FFFF | Program Code | 192 kByte |
SIMK43 - 4mbit
Memory start | Memory end | Bin start | Bin end | Section | Size |
---|---|---|---|---|---|
0 | 3FFF | 0 | 3FFF | Bootloader & UIF | 16 kByte |
C000 | FFFF | C000 | FFFF | Adaptive values | 16 kByte |
E000 | E7FF | E000 | E7FF | XRAM | 2 kByte |
EF00 | F000 | EF00 | F000 | CAN1 | 256 bytes |
F000 | F200 | F000 | F200 | ESFR | 512 bytes |
F600 | FBFF | F600 | FBFF | Internal RAM | 1.5 kByte |
FC00 | FFFF | FC00 | FFFF | Internal SFRs | 1 kByte |
FD00 | FF55? | FD00 | FF55? | INT_RAM_BIT | 256 bytes |
88000 | 97FFF | 8000 | FFFF | Bootloader 2 | 32 kByte |
90000 | AFFFF | 10000 | 1FFFF | Calibration Zone | 64 kByte |
A0000 | 11FFFF | 20000 | 7FFFF | Program Code | 384 kByte |
SIMK43 - 8mbit
Start | End | Section | Size |
---|---|---|---|
0 | 3FFF | Bootloader 1 | 16 kByte |
C000 | FFFF | Adaptive values | 16 kByte |
50000 | 5FFFF | Calibration Zone 2 | 64 kByte |
82000 | 87FFF | Recovery (RSW) | 24 kByte |
88000 | 8FFFF | Bootloader 2 | 32 kByte |
90000 | 1FFFF | Calibration Zone 1 | 64 kByte |
A0000 | 7FFFF | Program Code | 384 kByte |
Description of memory sections
Bootloader & UIF
This section is 16 kilobytes in size and contains the boot code that initializes the ECU and verifies that everything is OK before control is handed over to the program code section. This section also contains one-time writable data such as hardware identifier, manufacturer information and user information fields (UIF).
Offsets and data structure in the table below are shared across all variants.
Name | Offset | Size (bytes, decimal) | Example | Notes |
---|---|---|---|---|
KWP seed/key verification enabled flag | 0x3E00 | 1 | 00 | Flag determining whether the ECU should ask for the KWP authorization key. 0x00 - security access verification enabled, 0xFF - disabled |
KWP seed/key | 0x3E01 | 4 | 58D8C848 | Two bytes seed, followed by two bytes key |
VIN | 0x3E22 | 17 | 2.0 ECUs don't store VIN. Instead, sometimes there's a wildcard that narrows the VIN down to Tiburon models, sometimes it's just 'xxxxxxxxxxxxxxxxx' | |
Socket | 0x3F70 | 2 | 0x5539 | Value from the small sticker usually located on the ECU socket (for example, a "U9" label) |
ECU family | 0x3F80 | 8 | 0x3557593139323341 | In short - ECU hardware variant from the main label. For more in-depth analysis, see ECU family |
Serial number | 0x3F8A | 50 | 0x2D313038313033363236322D484D4330383033313030363039323931384B523737303237363034422D4B5237373032353036 | This actually contains three separate (not all unique) identifiers and will be split into three sections - TODO. |
Date (YYMMDD) | 0x3F98 | 6 | 0x303830333130 | Production/first flash date. This might/should be updated after flashing, might be updated after flashing with an official dealer tool - to be verified. |
ECU lock status flag | | 1 | 0x00 | Flag determining whether the ECU is locked. 0x00 by default; setting it to 0xFF allows reading the whole ECU, including the bootzone, over KWP2000 |
Adaptive values
This section potentially acts as RAM? It also stores adaptive values - short/long range fuel trims and other adjustments. This section has not been analyzed in depth yet, but there's a high possibility the data inside is scrambled (crossed EEPROM lines, resulting in swapped bits in every pair of bytes)
Bootloader 2 (32 kByte)
This section has not been analyzed in depth yet. It's not present on SIMK41 ECUs or on SIMK43s running versions lower than ca663056.
ca663056 locations:
- 0xC000 - INT_RAM [15872]
- 0xFD00 - INT_RAM_BIT [256]
- 0xFF800 - RAM [2048]
- 0xCA4E - CCP Seed/key e.g. DEET (within RAM)
- 0xEE00 - CCP Registers
ca663057/58+:
- 32kb data block for CCP within bootloader 2
- 0x3000000 - FLASH_DR [65520]
Calibration zone
Calibration zone contains all the calibration data and maps used for managing the engine.
Position and structure vary depending on the calibration version, but the structure of the first 96 (0x60) bytes is standardized.
"start" refers to the calibration zone offset (SIMK41 - 0x8000, SIMK43 - 0x10000).
Name | Offset | Size | Example | Notes |
---|---|---|---|---|
Chassis identifier | start | 8 | 0x4B394E3756533041 | Siemens calls it "calibration version" (confusing, I know) |
Calibration version (#1 occurrence) | start + 0x8 | 6 | 0x363535303239 | |
Calibration checksum initial value | start + 0xC | 2 | 0x3239 | The overlap of offsets isn't a typo here - the last two digits of the first occurrence of the calibration version are also the initial value for the calibration zone checksum |
Calibration version (#2 occurrence) | start + 0x40 | 12 | 0x63613635353032392E444154 | Siemens calls it "description identifier". Notice the "ca" prefix and ".DAT" suffix - this is likely the filename from proprietary OEM software that was used to compile the EEPROM image. While not confirmed, it appears that the lowercase 'ca' prefix was used through the SIMK4x series, with uppercase 'CA' first appearing in the SIM2K series |
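The field tables above (Bootloader & UIF and the calibration zone header) can be read straight out of a dump. The following is an added example, not OpenGK project code: a read-only Python parser that uses the bin offsets and example values from those tables. The function names, the size-based variant detection and the check that both calibration version occurrences agree are assumptions, and the sample image is constructed.

```python
"""Read-only parser for the identification fields listed in the tables above.
Offsets and example values come from the page; the image itself is constructed."""

UIF = {  # name: (bin offset, size in bytes), shared across variants
    "kwp_verify_flag": (0x3E00, 1),
    "vin": (0x3E22, 17),
    "socket": (0x3F70, 2),
    "ecu_family": (0x3F80, 8),
}
CAL = {  # name: (offset from calibration zone start, size in bytes)
    "chassis_id": (0x00, 8),
    "cal_version": (0x08, 6),
    "checksum_init": (0x0C, 2),  # overlaps the last two digits of cal_version
    "description_id": (0x40, 12),
}
# Assumption: the variant is inferred from the dump size (2 Mbit / 4 Mbit).
# Value: (variant, calibration zone bin offset)
VARIANTS = {0x40000: ("SIMK41", 0x8000), 0x80000: ("SIMK43", 0x10000)}
FLAG_STATES = {0x00: "enabled", 0xFF: "disabled"}


def _ascii(raw: bytes) -> str:
    """Render bytes as ASCII, showing erased (0xFF) or binary bytes as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def parse_image(image: bytes) -> dict:
    """Extract the documented fields from a full .bin dump (bin offsets)."""
    if len(image) not in VARIANTS:
        raise ValueError(f"unsupported image size 0x{len(image):X}")
    variant, cal_start = VARIANTS[len(image)]
    info = {"variant": variant}
    for name, (off, size) in UIF.items():
        info[name] = image[off:off + size]
    for name, (off, size) in CAL.items():
        info[name] = image[cal_start + off:cal_start + off + size]
    flag = info.pop("kwp_verify_flag")[0]
    info["kwp_security_access"] = FLAG_STATES.get(flag, f"unknown (0x{flag:02X})")
    for name in ("vin", "socket", "ecu_family", *CAL):
        info[name] = _ascii(info[name])
    # Assumed consistency check: occurrence #2 should be "ca" + occurrence #1 + ".DAT".
    expected = f"ca{info['cal_version']}.DAT"
    info["versions_match"] = info["description_id"].lower() == expected.lower()
    return info


def build_sample(size: int = 0x80000) -> bytearray:
    """Constructed image: erased flash (0xFF) plus the page's example values."""
    image = bytearray(b"\xFF" * size)
    cal_start = VARIANTS[size][1]
    image[0x3E00] = 0x00
    image[0x3E22:0x3E22 + 17] = b"x" * 17
    image[0x3F70:0x3F72] = bytes.fromhex("5539")
    image[0x3F80:0x3F88] = bytes.fromhex("3557593139323341")
    image[cal_start:cal_start + 8] = bytes.fromhex("4B394E3756533041")
    image[cal_start + 8:cal_start + 14] = bytes.fromhex("363535303239")
    image[cal_start + 0x40:cal_start + 0x4C] = bytes.fromhex("63613635353032392E444154")
    return image


if __name__ == "__main__":
    for key, value in parse_image(bytes(build_sample())).items():
        print(f"{key:20} {value}")
```

A dump whose two calibration version fields disagree, or whose security access flag reads as disabled, is worth a closer look before the image is trusted or compared against a known-good one.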
Program code
This section contains the program code used for operating the engine.