
WTF is boot mode?: Difference between revisions

From MS4X Wiki

Revision as of 11:18, 15 January 2021

Siemens MS42 and MS43 use an Infineon C167CR-LM as the main CPU.

One of the key features of C166 and C167 processors is an on-chip bootstrap loader (BSL), often referred to as "boot mode".

You can enter this operating mode of the CPU by pulling pin 104 (P0L.4) to ground. This pin is always connected to the flash chip because it is part of the flash addressing pins.

While the CPU is in the bootstrap loader, no code located on the flash will be executed and the CPU will only listen to serial commands.

That means that, on the one hand, all of the protection methods used in the ECU's program code are useless, but on the other hand you have no simple DS2 read command available.

You can still use this operating mode to completely read and write the flash, as with an external programmer, if you transfer a small program into the CPU's RAM and execute it.

This is what the JMGarage flash tool does. In theory this could be expanded to C166-based MS41 and C167-based control units like

Make sure to un-ground the pin before reading the flash, because it pulls one of the eight address lines low and this will result in a corrupted read.

You can identify such a bad file if bytes 0x00, 0x04, 0x08 or 0x0C read anything other than 0xFA.
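
The check described above can be scripted so that every dump is verified before it is archived or written back. This is an added example, not code from the wiki or from any flash tool; the function names and the sample byte strings are constructed for illustration.

```python
import sys

# Offsets and expected value exactly as stated on this page.
CHECK_OFFSETS = (0x00, 0x04, 0x08, 0x0C)
EXPECTED = 0xFA


def find_bad_marker_bytes(image: bytes):
    """Return [(offset, value_read)] for each checked offset that is not 0xFA."""
    if len(image) <= max(CHECK_OFFSETS):
        raise ValueError(f"image too short ({len(image)} bytes) to check")
    return [(off, image[off]) for off in CHECK_OFFSETS if image[off] != EXPECTED]


def describe(image: bytes) -> str:
    """Human-readable verdict for a dump (only the first 16 bytes are inspected)."""
    bad = find_bad_marker_bytes(image)
    if not bad:
        return "OK: bytes 0x00, 0x04, 0x08 and 0x0C all read 0xFA"
    details = ", ".join(f"0x{off:02X}=0x{val:02X}" for off, val in bad)
    return f"BAD READ: {details} (expected 0xFA); un-ground pin 104 and read again"


# Constructed sample data (not taken from a real ECU): only the four checked
# bytes matter for this test, the remaining bytes are filler.
GOOD_SAMPLE = bytes([0xFA, 0x00, 0x00, 0x00] * 4)
BAD_SAMPLE = bytes([0xEA, 0x00, 0x00, 0x00] * 4)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_dump.py <dump file>
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read(0x10)))
    else:
        print(describe(GOOD_SAMPLE))
        print(describe(BAD_SAMPLE))
```

A passing result only means the dump does not show this particular symptom; it does not prove the rest of the file is intact.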


Bootmode bart.jpg