RE5R05A TCM Analysis

MPC555 Information

 * Disassemble via PowerPC (PPC - MCP555)
 * Array Sizes of 256kb (CMF A) and 192kb (CMF B) for a total size of 448kb. (Flash EEPROM Non-volatile Memory)
 * Erase Block Size = 32kb

Datasheet; https://www.nxp.com/docs/en/data-sheet/MPC555UM.pdf

Bosch GS19 // Manufacturer and name of TCM maybe? MPC555 CC_OFF // Processor CC_OFF means Censorship OFF? CBBB0202 BB020209 BDM_RBWerk g // BDM = Background Debug Mode. RBWerk g is somehow related. 1270H00114 // Probably HWID or something similar? ERCOSEK V3.0.11 OAK (C) ETAS Feb-25-2000 // Programming software / company I presume  RX1596  // ATCUNO aka TCM Number. Found both in the ECU's RAM area as well as within the TCM's ROM. The ECU RAM area also stores a checksum for the TCM, interestingly enough.

MPC555 Initialization
This example uses a start (execution) address of 0x3F9800 (the start of the MPC555 internal SRAM). • Turn off software watchdog (if needed) — Set 0x2FC004 = 0x0000FF80 • Change clock frequency (if needed) — Set 0x2FC284 = 0x00400000 (for 40 MHz with 4 MHz in) — Set 0x2FC284 = 0x00100000 (for 40 MHz with 20 MHz in) • Download code to the target microcontroller • Set DER to allow all exceptions to return to BDM mode — Set SPR_149 (DER) = 0x7FE7540

Read current value of the MSR to determine IP (instruction pointer) setting • Set SRR1 to desired MSR register (Floating Point enable, Machine Check enable, Recoverable Interrupt Enable - other options if needed, set IP as read in previous step). — Write SRR1 = 0x000003002 • Set the program counter by setting SRR0 — Write SRR0 = execution address • Read the ECR register to clear out any exceptions — Read SPR_148 (ECR) • Set up the stack by setting the PPC General Purpose register 1 to a valid SRAM location — Set R1 = some free area of internal SRAM (for example 0x3FFFF0) • Enter run mode by inputting an RFI instruction to begin execution. This loads the MSR and IP to the values from SRR0 and SRR1. — RF

Generic
0x00000-0x6FFFF are the CMF Flash Areas. Blocks are 32kb-erasable. First module is 256kb, second module is 192kb. IMPORTANT; FLASH CONTROL IS NOT HANDLED VIA CMF FLASH AREAS! The full ROM dump obtained ends at 0x6FFFA, signifying that reflashing will potentially be non-fatal in the event of bad data.

Reflashing Procedure (So Far)
(After reprogramming you need to do Throttle valve closed position, idle air volume learn, accelerator closed position, and DTC erase) - 10 minute drive to reach engine coolant temp 158-212*F, More than 12.9V on battery at idle, and transmission is warmed up -Recommended to use a battery charger? (BATTERY VOLTAGE NEEDS TO STAY BETWEEN 12.0V-15.5V DURING REPROGRAMMING) -Ignition ON engine OFF -Turn off all electrical load -Start reprogramming/Reflashing

Notes; "Reprogramming function cannot be executed until the data in VI is erased." "If you don't want to erase the data, please retry Reprogramming function after uploading VI data with [DataControl] function in [SubMode]"

VPP – Input. Flash supply voltage (5-V supply) used during program and erase operations of the CMF.

Section of code from CF40A (TCM ROM); ROM:00000000000122EC loc_122EC:                             # CODE XREF: sub_127C0+8C↓p ROM:00000000000122EC                li        r3, 0 ROM:00000000000122F0                mtspr     tblw, r3 # Time base facility for writing (lower) ROM:00000000000122F4                mtspr     tbuw, r3 # Time base facility for writing (upper) ROM:00000000000122F8                lis       r3, 0x30 # '0' ROM:00000000000122FC                addi      r3, r3, -0x3E00 # TBSCR ROM:0000000000012300                lhz       r11, 0(r3) ROM:0000000000012304                ori       r11, r11, 3 ROM:0000000000012308                sth       r11, 0(r3) ROM:000000000001230C                blr ROM:0000000000012310

\\ ROM:0000000000000104                .long 0 ROM:0000000000000108 aBb020209:     .string "BB020209" ROM:0000000000000108                .byte 0 ROM:0000000000000111                .byte 0, 0xFF, 0xEC, 0xFF, 0xFF, 0x23, 0xF0 \\

ROM:0002F858                ori       r12, r12, 0xFFFF # 0x7FFFFF

MPC555 Basic Instruction Set

 * addi - Add immediately
 * mtspr - Move to special Register
 * lhz - load half word and zero
 * ori - OR immediate
 * sth - Store half word
 * blr - branch to link register (probably)
 * eid - External interrupt disable
 * lwz - load word and zero
 * stmw - store multiple word
 * lmw - load multiple word
 * stw - store word
 * lbz - load byte and zero
 * stb - store byte
 * sth - store halfword
 * li - load immediate maybe??

Interesting Bits from Code
0x2FB30 (0x0002FB30)

These are probably important;

Function at 0x39544 could potentially be flashing/connecting to TCM related! COBB0202 (No clue) DAC14932 23173 RX1595 @54CB5 CF40A RX1596 @0x54D12 23173 RX1595 @0x54D6D 149C32149149C3232    @LHNLT 1270H00029 3434343434 P222222222 0303

149C32149149C3232

Bosch GS19 MPC555 CC_OFF BB020209 BDM_RBWerk g 1270H00114 000000000000000000000000 ERCOSEK V3.0.11 OAK (C) ETAS Feb-25-2000 Inside the Motorola MPC555 + external Eeprom- memory M95160

B0202BB020209 at 0xFFE0 CBBB0202 @0x10080

BB020209 @0x100

8BGl19 @0xD470 and @0xD6E0

COBB0202 DAC14932 @0x105b0

B0202 @0X107C0

C0BB0202 @0X107D0

ERCOSEK V3.0.11 OAK (C) ETAS Feb-25-2000 @0x10820

149C32.b @0x11460

149C32 @0x11E20

RX 1596

23173RX1595

1270H00029 @0x5fbbf + COBB0202 @0x5ff6c

DAC14932 @0x60080

149c3214 9149c3232 @0x602a8

CB00 @0x5FF68ish WinOLS DC43 @0x60078ish WinoLS

193194C22 @0x602A8ish WiNOLS

General Information from Datasheets
8.9.2.6 VPP VPP supplies the programming and erase voltage for the CMF flash modules. It is nominally 5.0 V for program or erase operations and can be lowered to a nominal 3.3 V for read operations. 8.9.2.7 VDDF, VSSF VDDF provides internal power to the CMF flash module; it should be a nominal 3.3 V. VSSF provides an isolated ground for the CMF flash module.

Programming uses a set of program buffers of 64 bytes each to store the required data, an address offset buffer to store the starting address of the block(s) to be programmed and a block select buffer that stores information on which block(s) are to be programmed. Any number of the array blocks may be programmed at one time.

Do not program any page more than once after a successful erase operation. While this will not physically damage the array it will cause an increased partial disturb time for the unselected bits on the row and columns that are not programmed. If this happens, a full erase of all blocks being programmed must be done before the CMF EEPROM can be used reliably.

If block M of the CMF EEPROM is protected (PROTECT[M] = 1), it will not be programmed. Also, if EPEE = 0, no programming voltages will be applied to the array. Software should verify the state of EPEE prior to programming (programming will fail if EPEE = 0). The user should also insure that the programming voltage (5.0 ± 0.25 volts) is applied to VPP

The CMF EEPROM module requires a sequence of writes to the high voltage control register (CMFCTL) and to the programming page buffer(s) in order to enable the high voltage to the array or shadow information for program operation. See Table 19-4 for the programming algorithm bit settings. The required program sequence follows. 1. Write PROTECT[0:7] to disable protection on blocks to be programmed. 2. Write PAWS to 0b100, write NVR = 1, write GDB = 1. 3. Using 19.7.6 A Technique to Determine SCLKR, CLKPE, and CLKPM, program the following fields: — Pulse width timing control fields for a program pulse — BLOCK[0:7] to select the array blocks to be programmed — PE = 0 in the CMFCTL register 4. Write SES = 1 in the CMFCTL register. NOTE Step 4 can be accomplished with the same write as that in step 3. It is listed as a separate step in the sequence for looping.

MPC555 / MPC556 CDR MoneT FLASH EEPROM MOTOROLA USER’S MANUAL Rev. 15 October 2000 19-19 5. Write to the 64-byte array locations to be programmed. This updates the programming page buffer(s) with the information to be programmed. The last write to a word within the program page buffer will be saved for programming. All accesses of the array after the first write are to the same block offset address (ADDR[17:25]) regardless of the address provided. Thus the locations accessed after the first programming write are limited to the page locations to be programmed. Off-page read accesses of the CMF array after the first programming write are program margin reads. (See section 19.5.2 Program Margin Reads.) To select the CMF EEPROM array block(s) to be programmed, the program page buffers use the CMF EEPROM array configuration and BLOCK[0:7]. Subsequent writes fill in the programming page buffers using the block address to select the program page buffer and the page word address (ADDR[26:29]) to select the word in the page buffer. 6. Write EHV = 1 in the CMFCTL register. NOTE If a program buffer word has not received a programming write no programming voltages will be applied to the drain of the corresponding word in the array. Also, at this point writes to the program page buffers are disabled until SES has been cleared and set. 7. Read the CMFCTL register until HVS = 0. 8. Write EHV = 0. 9. To verify the programming, read the words of the pages that are being programmed. These are program margin reads. (See 19.5.2 Program Margin Reads.) If any bit is a 1 after reading all of the locations that are being programmed, then another pulse needs to be applied to the these locations. If all the locations verify as programmed go to step 11. WARNING After a program pulse, read at least one location with ADDR[26] = 0 and one location with ADDR[26] = 1 on each programmed page. Failure to do so may result in the loss of information in the CMF EEPROM array. While this will not physically damage the array a full erase of all blocks being programmed must be done before the CMF EEPROM can be used reliably. For more information see 19.5.3 Over-Programming. To reduce the time for verification, read two locations in each program page that is being programmed after reading a non-programmed bit. The first location must be a location with ADDR[26] = 0, while the second must use ADDR[26] = 1. In addition, after a location has been fully verified (all bits are programmed) it is not necessary to verify the location again, since no further programming voltages will be applied to the drain of the corresponding bits. This will reduce the time required to program the array.

MPC555 / MPC556 CDR MoneT FLASH EEPROM MOTOROLA USER’S MANUAL Rev. 15 October 2000 19-20 10. If the margin read is successful, then write SES = 0 in the CMFCTL register, otherwise do the following: a. Write new pulse width parameters (if required per Table 19-4) - SCLKR, CLKPE, CLKPM. b. Write new values for PAWS, NVR, and GDB (if required per Table 19-4). c. Go back to step 6 to apply additional programming pulses. 11. If more information needs to be programmed, go back to step 2