Announcement

Collapse
No announcement yet.

Documentary - Motronic 1.7 DIY Reverse Engineering

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #46
    If you wanted to check out a DIY opensource EFI look into Speeduino.

    I've started working on one for myself and my M60 V8, it's an Arduino based standalone EFI that uses TunerStudio. The developer is working on a Teensy board version for increased processor speed, but that's quite a ways away and still in development.

    Speeduino enthusiasts are openly working on the source code themselves and an updated firmware version gets released every month or so. I'm currently adapting mine to the BMW 88 pin DME connector on my M3.3 system in my 540i for a "Plug'n'play" with a few modifications to the ignition system on the engine side for the waste spark.

    Best of all, the end user financial commitment to get the system going is very low. Especially compared to other standalone EFI systems.
    Last edited by Mykk540i/6; 01-26-2018, 04:21 PM.

    Comment


      #47
      Originally posted by bmwman91 View Post
      I absolutely want to add knock sensors, and probably the IAC valve since the E30 idle stability is not the best sometimes.
      2 wire IAC is absolutely piece of crap, its 90% of problem with M40, M42, M43 engines. What you need for add it to M42 is buy throttle body from M44 and pass one wire with 3-pol connector. And M1.7.3 will not working with 2 wire IAC without software settings.

      Originally posted by bmwman91 View Post
      Also, I have a couple of M1.7.3 units on order from eBay Germany. Thankfully they seem to be common and not too expensive!
      In future try to buy from Poland, not from Germany, its more cheapest.

      Originally posted by bmwman91
      Is there any possibility (or benefit) of running M1.5.4 or M5.2 on the M42/43, or is there not point to it? Just curious since you mentioned M1.5.x being much more advanced than any other M1.x systems, and I would assume that M5.2 is also a lot more advanced.
      This does not make sense, in view of the complexity of work. In M1.7.3 you can just take Fuel and Ignithion values from M1.7, knock sensor sensibility from M1.7.2, disable DISA, EWS and use IAT lineralization both for IAT and CTS and everything is ready. For M43 you need to do even less. What to do with M1.5.4 from Opel which has custom tables and routines for this engine? Many things in modern software implemented in next integration level, in which it is difficult to understand without DAMOS and Funktionsrahmen (M1 BMW more relies on data and not on complex calculations, because it hasnt MDU). Also he has 55 pin main connector and own diagnostic.

      M5.2 based on Intel 196 CPU and CC460 flash, software looks like compiled from high-level language, but exist DAMOS for another M5.2 BMW engine. I think its more hard work with an incomprehensible result.

      Comment


        #48
        Originally posted by Mykk540i/6 View Post
        If you wanted to check out a DIY opensource EFI look into Speeduino.
        Ardruino-based systems is not recomended for automotive for a many restrictions :) MS systems too, even after 10 years they will not grow on performance level of software and hardware like Motronic M1.1. All that is for today is a large community and a bunch of wrong working engines.

        Comment


          #49
          Originally posted by Rasp View Post
          2 wire IAC is absolutely piece of crap, its 90% of problem with M40, M42, M43 engines. What you need for add it to M42 is buy throttle body from M44 and pass one wire with 3-pol connector. And M1.7.3 will not working with 2 wire IAC without software settings.


          In future try to buy from Poland, not from Germany, its more cheapest.



          This does not make sense, in view of the complexity of work. In M1.7.3 you can just take Fuel and Ignithion values from M1.7, knock sensor sensibility from M1.7.2, disable DISA, EWS and use IAT lineralization both for IAT and CTS and everything is ready. For M43 you need to do even less. What to do with M1.5.4 from Opel which has custom tables and routines for this engine? Many things in modern software implemented in next integration level, in which it is difficult to understand without DAMOS and Funktionsrahmen (M1 BMW more relies on data and not on complex calculations, because it hasnt MDU). Also he has 55 pin main connector and own diagnostic.

          M5.2 based on Intel 196 CPU and CC460 flash, software looks like compiled from high-level language, but exist DAMOS for another M5.2 BMW engine. I think its more hard work with an incomprehensible result.
          Alrighty, M1.7.3 it is then. I wish I had known about this sooner since I spent a lot of time on the M1.7 hardware, but I will just consider it practice for when I reverse engineer the M1.7.3 board. Really, it sounds like doing much more work with the M1.7 stuff would not have really given me all that much benefit, versus M1.7.3 that has more evolved software and improved functionality while still requiring minimal changes to the wiring.

          I ended up going with the ones from the German guy because he had much cheaper shipping. The few I saw in Poland had $$$ shipping!

          Can you post up a stock 64K BIN for M1.7.3? I would like to start getting a look at it.


          Originally posted by Rasp View Post
          Ardruino-based systems is not recomended for automotive for a many restrictions :) MS systems too, even after 10 years they will not grow on performance level of software and hardware like Motronic M1.1. All that is for today is a large community and a bunch of wrong working engines.

          Comment


            #50
            Originally posted by bmwman91 View Post
            Alrighty, M1.7.3 it is then.
            Its not a best choice, but the easiest to get the maximum benefits, thats I mean.

            Originally posted by bmwman91 View Post
            Can you post up a stock 64K BIN for M1.7.3? I would like to start getting a look at it.
            https://mega.nz/#!6AlTCKgB!c01P63xH9...l7-aizrxKJhjLg

            Comment


              #51
              I don't know why people insist on ragging on the MS system itself when the myriad poor results are completely due to the fact that it's the cheapest DIY system out there and thus it attracts users who are (understandably) completely ignorant when they start out, and only minimally informed at best when they get their cars on the road. It's pointless, stupid even, to compare the results of average people who are reading "how tos" on forums to the results of teams of professionals and I'd argue that anyone making such a comparison is being willfully obtuse. People who know what they're doing and have been doing it for years get perfectly usable results out of it and are essentially doing a job completely alone that cost the car's manufacturer millions to do. Like I always tell people I tune for; it's not going to be perfect, if you want perfection either keep it stock or buy a new car that's as fast as you want to go.
              Last edited by varg; 01-27-2018, 08:48 AM.
              @turbovarg
              '91 318is, M20B25, T3/T04E 60 trim (15psi), megasquirt, coilovers, Z3 rack, cold AC
              [b u i l d]
              [Car of the month: April 2018]

              0c8b7c9527af628a346878feb14bf757

              Comment


                #52
                I don't think I'd call his statement "ragging" necessarily, just a very blunt statement about the current state of things. I'm on the MSExtra forums a lot, and a huge number of users have chronic "not running super nice" issues. Naturally some of that is because the people who are running well aren't posting looking for assistance; they are out driving. MS absolutely has a place in the engine management world and it is impressive all on it's own considering that it is open source.

                Also agreed that many people who lack the discipline and budget to do custom management right are also likely to go for MS without fully thinking it through since it looks like the "cheapest way to get more power" when in fact an off-the-shelf chip from a reputable tuner is the "real" answer in these cases. Still, respect to anyone who can even follow through enough to get a car to start on a stand alone system.

                BUT, let's get this back on topic. This rabbit hole is waaaaay too easy to go down and end up with everyone fuming mad! No more mention of MS or other systems unless it pertains directly to this RE effort (please?).

                Comment


                  #53
                  A couple of the eBay M1.7.2 units showed up today, so I took a little time to get photos of these just for purposes of documenting rough hardware differences. The 990 and 282 ECUs are not identical, with the most notable (to me) change being that the 282 unit eliminates all silkscreen reference designators. The M5.2 unit I have is also this way, so I guess that around the mid-90's Bosch decided to make things even harder to reverse engineer. If someone can think of a better reason why, I am all ears. Also, there are PCB layout differences between 990 and 282, with differences in components and the copper layers, although the layers do look ~90% the same.

                  When I receive the M1.7.2 0261203277 unit, I will add the same photos/views to this post.

                  The units next to one another. Bosch decided not to use thermal gap pads on the mid-current drivers in the 282 ECU, which is interesting to me (left to right: 175, 990, 282, 661)


                  Top view 1
                  M1.7 - 0261200175


                  M1.7.2 - 0261200990


                  M1.7.2 - 0261203282


                  M1.7.3 - 0261203661


                  Top view 2
                  M1.7 - 0261200175


                  M1.7.2 - 0261200990


                  M1.7.2 - 0261203282


                  M1.7.3 - 0261203661


                  Bottom view
                  M1.7 - 0261200175


                  M1.7.2 - 0261200990


                  M1.7.2 - 0261203282


                  M1.7.3 - 0261203661
                  Last edited by bmwman91; 02-07-2018, 03:22 PM.

                  Comment


                    #54
                    Good comparsion!

                    The M5.2 unit I have is also this way, so I guess that around the mid-90's Bosch decided to make things even harder to reverse engineer
                    Perhaps there it was no longer necessary to publish somewhere schematic (maybe partially) for repair and no need make reference designators.
                    It's unlikely that a monopolist like Bosch would have to be afraid of competitors (in mid-90's there only Siemens could be considered as same, today, however, nothing has changed)
                    especially reverse engineers, which even after 30 years is not so much.
                    Although some communities of open systems would do well to simply "take and copy" proven solutions of those years...

                    Also, there are PCB layout differences between 990 and 282, with differences in components and the copper layers, although the layers do look ~90% the same.
                    I think is just for saving money, with a layman's eye (me :) ) PCB looks like same (software too, without any serious changes).

                    Comment


                      #55
                      True, at that point maybe they finally had digital schematics and did not need big hand-drawn papers anymore. Are all of the M1.7.3 units made with no component references printed on the board? It's OK if they are, but it will make reverse engineering them a little bit harder since I will have to guess / invent reference numbers.

                      The differences in the PCB are in a few places. M1.7 and M1.7.2/990 have jumpers tying different ground networks together (metal enclosure, ignition drivers, everything else) and M1.7.2/282 has just joins the copper layers entirely. In the case of the older Motronics, this would actually make for separate ground terminals on the 88 pin connector, and I assume that they did this to leave themselves the option of using multiple ground points if ignition currents caused signal issues. But, since by the mid-90's they must have realized that this would not be an issue, they just tied everything together in copper. That is just one difference, there are others. The images I posted are less than half the size of my originals, and I also spent a little time holding the boards to look for differences.

                      Ultimately, it is not important since it sounds like all of the functional bits are effectively the same. Firmware from any M1.7.2 can be used on any hardware version and still work properly, correct? I know that there is not much use to documenting this, but since there has been so little information posted on these units for so long, I feel like now is the time to shine light on it once and for all. The 6-cylinder BMW's have had 90% of the attention (for obvious reasons), but I am into the 4 cylinder cars, and a little crazy, so it's time to open this stuff up for the community.

                      Comment


                        #56
                        Originally posted by bmwman91
                        Are all of the M1.7.3 units made with no component references printed on the board?
                        Yes, I'm never saw M1.7.3 with component references printed on board.

                        Originally posted by bmwman91
                        Firmware from any M1.7.2 can be used on any hardware version and still work properly, correct?
                        Seems like all M1 BMW firmwares looks pretty same (and yes all M1.7.2 firmwares is can be changed vise versa), excluding the processing of missing equipment of course. It can be some differences in processing IO ports (you noticed that pinout of DME is little different, but it can be, because of different board design), so real difference will be clear only after comparing the schematics.

                        Originally posted by bmwman91
                        The 6-cylinder BMW's have had 90% of the attention (for obvious reasons), but I am into the 4 cylinder cars, and a little crazy, so it's time to open this stuff up for the community.
                        Undeservedly forgotten, although this is one of the best 4-cylinder engines :) by the way M1.7.3 can be used for 6 cylinders with two banks of injection and 3 paired ignithion coils, or leave distributor.

                        Comment


                          #57
                          I loaded the 64K BIN into IDA. It seems that there is a lot of clean-up to do with code/data mix-ups and such. It is a little hard to tell with some of the red no-Xref code sections whether those are actually orphan code or data constants, and the addresses seem to be in "not data" areas in many cases. Admittedly, I am not great with IDA and I am not anywhere near familiar with the way that old Motronic firmware was structured. Still, it's interesting.

                          There are 3 places where the disassembly has MOV instructions from RESERVED memory addresses. 232Bh, 66EBh and 6ACEh. The functions are IEX3_0 (first one) and RESET_0 (last two), so it seems like this is not orphan code?

                          Do you change any of the extra options/setting when initially loading the project and selecting the processor? I have played with those a little, but I am not familiar enough with what they do to know which ones might be beneficial.

                          Comment


                            #58
                            Originally posted by bmwman91 View Post
                            I loaded the 64K BIN into IDA. It seems that there is a lot of clean-up to do with code/data mix-ups and such. It is a little hard to tell with some of the red no-Xref code sections whether those are actually orphan code or data constants, and the addresses seem to be in "not data" areas in many cases. Admittedly, I am not great with IDA and I am not anywhere near familiar with the way that old Motronic firmware was structured. Still, it's interesting.
                            In M1.7.3 is a lot of orphan code because its based on M1.7.2, but programmers dont clean previous code, just put above nop and lcall to new code.

                            Originally posted by bmwman91
                            There are 3 places where the disassembly has MOV instructions from RESERVED memory addresses. 232Bh, 66EBh and 6ACEh. The functions are IEX3_0 (first one) and RESET_0 (last two), so it seems like this is not orphan code?
                            See my first message, its stack initalization.

                            Originally posted by bmwman91
                            Do you change any of the extra options/setting when initially loading the project and selecting the processor?
                            See my first message, you need select 515 CPU and do not touch everything else.

                            Comment


                              #59
                              Ah, right. OK yeah if it is initializing data memory then the code makes sense.

                              Also...I know it does not matter to functionality, but leaving old unused code in there is super annoying lol.

                              I set this one to the 535...but that should not make a difference (since all code is external and in the correct order already)?


                              But basically, the summary from your nice first post is that as long as you get the data segments marked as data/undefined, all of the code that actually matters will be identified and traced properly by IDA on the first-pass?

                              Also, the ECUs that I ordered on eBay have shipped and I am hoping to get them next week. It should be easy enough to assign component references based on my existing M1.7 schematic and the M1.7.2/990 unit which I have as a reference. With all of the stuff I learned taking the first one apart, I think that I can do this one faster and better than the previous one. I am going to find a super cheap toaster oven on Craigslist (local-version of eBay) and basically use that to get the whole PCBA to reflow temperature slowly and evenly so that I can just "wipe" components off and pull them out of their holes. This should eliminate the issues I had with the soldering iron tip digging into the board, ripping the hole plating and bubbling apart the FR4 layers.
                              Last edited by bmwman91; 01-29-2018, 10:01 AM.

                              Comment


                                #60
                                Originally posted by bmwman91
                                Also...I know it does not matter to functionality, but leaving old unused code in there is super annoying lol.
                                Looks like after M1.7 software developed negligently, because a lot of debug code is include in release M1.7.2 and M1.7.3.


                                Originally posted by bmwman91
                                I set this one to the 535...but that should not make a difference (since all code is external and in the correct order already)?
                                Yes, its one family of cpu and in software decompilation there is no difference.

                                Originally posted by bmwman91
                                But basically, the summary from your nice first post is that as long as you get the data segments marked as data/undefined, all of the code that actually matters will be identified and traced properly by IDA on the first-pass?
                                Yes, except jmp @A+DPTR code blocks.

                                Originally posted by bmwman91
                                I am going to find a super cheap toaster oven on Craigslist (local-version of eBay)
                                Maybe, better to use building dryer?

                                Comment

                                Working...
                                X