boot mode reading flash 98-03 international ECU?

[vwnut8392]

First off im not talking about any of this so that anyone can circumvent whatever security measures that the fine people here at power hungry performance have put on their performance software or anyones hard work at getting around the super security clusterf*#k navistar put into these ECU's. the people who did this very hard work deserve what they charge when they provide you with a finished tuning product. dont be a ****.....

i have a background with tuning german IE bosch and siemens ECU's. i was asked to look at an ECU from my friends 1999 international DT466 tow truck because he said its slow and sucks to drive plus even worse to haul anything on.

so a little bit of info for those who are not sure what boot mode is. its essentially a back door into the the processor put there by the manufacturer so that they can force firmware ware upgrades to the ECU if they have reading/writing via the data port (Front door) blocked. This is also how the firmware is normally loaded into them on the assembly line if the flash chip doesnt have the firmware flashed to it externally prior to being installed on to the board.

so i took the liberty with taking one of these ECU's apart and discovered that it does share a ton of hardware similarities with several bosch and siemens ECU's. 1 similarity is that it has x2 siemens SAK-C167CR-LM processors which im pretty sure is a competitor version of the infineon C167CR processor used in a lot of early 2000's german car ECU's which means they most likely use the same or extremely similar assembler code. the other is the intel AM29F400BB flash chip.

after a little research the closest thing i can find that uses a similar processor and flash is a BMW MS42 ECU. it uses the same processor but an AMD flash chip that is AM29F400BB as well. if my suspicion falls true than using what methods and hardware out there to read/write the flash in boot mode for the MS42 ECU should work with this one as well.

The program used would be JMgarage flasher software and a BMW K+DCAN cable. you woudnt necessarily follow the instruction on connecting to the ECU in the JMgarage software as thats for the MS42 ECU. you would however follow the instruction when the software says to ground pin 104 of the processor than remove it after 6 seconds.

As i said im not trying to circumvent the hard work of the people here, i was simply given a mission to figure something out with an automotive ECU and my OCD forces me to complete that mission. if i wanted the information from the flash really bad i would just lift it from the board and read it in a chip reader but its much cleaner plus easier to read it in boot mode if possible. lastly even if i do manage to get the data from the flash i can run it through a disassembler but im still in the dark because i have absolutely no idea what anything is doing in the disassembly and thats a huge pile of work in its own to figure that stuff out like populate the RAM and than use that as hints to figure out what its doing where to populate what routines are what, what maps/constants affect what and how etc. too much work for me just to make my friends tow trucks more powerful when the people here have already created a finished solution to do what i need to do.