rangerovers.pub
The only place for a coil spring is up Zebedee's arse
Member
Joined:
Posts: 805

Well I've already done most of the Ensoniq Mirage boot ROM and OS disk, and that's a 68C09... :-)

Member
Joined:
Posts: 1307

I am also now not 100% sure about whether it has OTPROM or standard EPROM - the datasheet I have shows the 68HC711 as being OTPROM, but I think the 68HC11 which the BECM uses might still be normal EPROM. It is a KA4 version (again from what I've previously found on the web from prior research) and one of the chips I have on a logic board shows CFN3 at the end of the string of digits printed on it. Which would then make the details MC68HC11KA4CFN3, which is a 3MHz chip with 24K of Custom ROM.

From what I was looking at, it looks like it might be a viable option to use bootloader code into the RAM to then be able to have access to the rest of the memory, which sounds like it is viable from what jacckk mentions.

The ROM appears to be in the memory addressing of $A000 to $FFFF. I have a document which has the memory mapping if that's useful to anyone? Assembly code and programming things like that is a bit beyond my skillset at the moment!

Regarding the EEPROM and vehicle data... I am somewhat hesitant to share a lot of that at the moment, as the last time I shared BECM info that I had spent a lot of time working out an researching - it was supposedly in exchange for some information back my way.. which, you guessed it... never materialised...

I am happy to share if others have something to share (like a usable ROM dump from the BECM...) as the work on decoding how the BECM stores the vehicle data took me a LONG time to work out. I am all for demystifying things, but if there is an aim there to build a cheap way of programming BECMs - then it isn't really in my interest to just hand over what I've worked hard on, especially when I spent the money on the Faultmate/BECM CPU modules - which is ultimately how I worked out the coding for vehicle info. What I will say though (and the biggest reason it took so long to work out how it's all stored) is that most of the vehicle options are stored in 5 Hex Bytes, and each bit of binary (40 binary bits / 10 Hex Nibbles) modifies part of the overall vehicle settings. Other parameters such as mileage, build date, EKA, immobiliser code, and fob codes are all stored separate to the vehicle information, and are also stored in different formats, depending on what piece of information it is...

You also don't technically need to put it back in the vehicle to read the changes (on nanocom for example) as it is possible to power the BECM up on the bench and connect to it using a nanocom out of the vehicle. It's how I bench test any BECM's I've worked on before they get shipped back to owners.

I doubt asking Land Rover about any secret BECM info will do any good... other than the blunt 'NO' I imagine that they would give, I doubt they actually have any plans/info/code kicking about anymore - especially as I would imagine that the BECM was designed, build, programmed etc externally to Land Rover themselves - with the production line programming probably being done to vehicle specification by the BECM manufacturers, or by a Testbook on the production line.

I'm interested to see if the ROM can be read - and if someone is able to dump that, and willing to share that, then I'm happy to send a copy of the disassembler/macro assembler programs over which I managed to find online..

Member
avatar
Joined:
Posts: 8080

Martyuk wrote:

I am somewhat hesitant to share a lot of that at the moment, as the last time I shared BECM info that I had spent a lot of time working out an researching - it was supposedly in exchange for some information back my way.. which, you guessed it... never materialised...

Yeah but that was with the Doctor, not nice friendly, reliable, non-US citizens, on here........

Member
Joined:
Posts: 1307

That is also true.. But you know what they say: "Once Bitten, Twice Shy"

Member
Joined:
Posts: 736

Hmmm... sounds less like a Doctor and more like a Disease then ?

That's appalling, sorry to hear that Marty: Looks like a BeCM guru like you can get a good handle on the hardware/contents but it could still stall for firm/software reasons unfortunately

I will (try to !) open a dialogue with LR anyway and report back; A while back (when I was trying to develop a cheap SRS-resetting tool) I had a dialogue with some non-LR folks who indicated that LR sometimes sell proprietary protocol etc data to third parties. Obviously this is not much use if LR ask for £££ for BeCM secrets etc but as they have not made these for 15 years maybe they will be more 'understanding' now (but don't hold your breaths !)

Member
Joined:
Posts: 805

The ROM appears to be in the memory addressing of $A000 to $FFFF. I have a document which has the memory mapping if that's useful to anyone? Assembly code and programming things like that is a bit beyond my skillset at the moment!

That would be right; the last 64 bytes of ROM are used as the interrupt and reset vectors (eight bytes, on 6809, which doesn't have all the extra goodies). So they're placed in ROM and when the chip is reset it looks at the 16-bit value at $FFFE to work out where to start running code. From there you just set up your disassembler to break it down into blocks.

Marty - I'm guessing your magic tool for poking values in the chip uses the on-chip debugger? What happens if you try to read values from $A000 to $FFFF, do you get anything sensible out?

Member
Joined:
Posts: 1307

My 'magic tool' at the moment is just the BBS Faultmate, with the BECM CPU module licence. Awhile ago I noticed that it had a window for 'Coding Info' which brought up lines and lines of hex... when I started digging into the chips and found the datasheets, programming sheets and specifications, I found that there was the 640 bytes of EEPROM - which happened to co-incide with the amount of 'coding' data that the faultmate would read.

The fact that it will power the chip, and communicate with it, with no external software or bits being loaded to me says that it must be using the on-chip debugger, or maybe the inbuilt serial link that the chip has to read that memory section.

I don't have the option in the faultmate software to be able to read anything other than the BECM settings/EEPROM memory.. but I do wonder if I could use external software to talk to the chip through the faultmate - since it is effectively acting as a serial EEPROM programmer.

I'll see if I can dig out some other software that will supposedly talk to the 6811 and try talking to the chip thru the faultmate...

I've been busy today crimping wires for DSP amp replacement boards - but after I've been out to the supermarket, I'll see about bringing a board inside and hooking it up...

Member
Joined:
Posts: 129

Totally understand Marty. I would think the same.

Member
Joined:
Posts: 487

davew wrote:

Hmmm... sounds less like a Doctor and more like a Disease then ?

Ah, but a much loved disease in some circles!

Member
Joined:
Posts: 736

GeorgeB wrote:

davew wrote:

Hmmm... sounds less like a Doctor and more like a Disease then ?

Ah, but a much loved disease in some circles!

Probably 'a matter of opinion' then George - and my opinion would only be changed if he now actually did what he said he would do !
And we all know that same circle includes the 'ever-reliable' Carl C. of course.....
The 'mystery' of the P38/BeCM will not be resolved by being anal (literally) !

Member
Joined:
Posts: 487

my opinion would only be changed if he now actually did what he said he would do !

I don't think you ever have to worry about the doctor actually doing as promised. He's never bothered so far!

Member
Joined:
Posts: 805

Mod Note: Let's maybe ease up a bit on the character assassination, eh?

Member
Joined:
Posts: 736

Apologies, Gordon; Probably my fault as I did not explain my ‘Doctor/Disease’ comment well - but it was just intended as a criticism of the other site. Time was this had a flourishing ‘Diagnostics’ section of course, with regular/excellent contributions from Storey Wilson and Colin from BBS etc. The latter also offered a discount to members (but Toad/Carl scuppered all that due to the ‘disease’ - self-interest.- once he ‘misappropriated’ some P38 test equipment). I was actually a little surprised that this has now apparently spread to Doctor/Scotty.

All we want to do is keep our rigs on the road of course…… and if I do manage to get some BeCM Information from LR this will go straight to the real gent here, Marty !

Member
Joined:
Posts: 487

Understood.

Character rifle now back in its case and am evacuating the grassy knoll!