of Bosch Motronic Hardware
Please read and understand the disclaimer before you go on.
To assist in the explanation of what I have done, I took a number of digital images. This is because I am a great believer in the concept that 'a picture speaks a thousand words'. So firstly, let's look at some images showing the Bosch ECU once it has been removed from the vehicle, continuing through to the removal of the casing, etc.
This is the ECU once it has been removed from the vehicle. You can clearly see that there is a Bosch label which identifies the variant number of the ECU. The ECU casing has a lever attached to it and this is so that the ECU can be locked in place when inserted back into the vehicle. You may find, depending on the make & model of the vehicle to which the ECU is fitted, that some other securing method is employed.
This image shows the underside of the ECU casing. I have marked the image to identify the cover locking tabs. To remove the cover, simply swing the ECU locking lever around and out of the way. Then bend the four tabs back and lift off the ECU cover.
This is what you will find within. Quite a complex-looking layout. The printed circuit board is tri-layer in design, uses surface-mount components and looks very intimidating. This is where the fun starts. You will see that I have identified the Microcontroller and FLASH memory chips located on the board. In essence, these are the only components that I am interested in with respect to modifying the firmware.
If you have got this far, then take a minute to look carefully at the Siemens microcontroller as fitted to your ECU. You will see that there are embossed letters & numbers on the chip surface. There is also a reference to Bosch as well. These numbers, which identify the component, are in-house only numbers between Siemens and Bosch. This is the first attempt to stop anyone identifying the component. After much investigation I have identified this component as being a Siemens SAB 80C537 8-bit CMOS Single-Chip Microcontroller.
The SAB 80C537 is one of the high-end members of the Siemens SAB 8051 family of microcontrollers. It is based on the SAB 8051 architecture, but with the addition of expanded arithmetic capabilities, 'fail-safe' characteristics, analog signal processing and timer capabilities. For those interested, the features of this microcontroller are:
12 MHz and 16 MHz operating frequency
256 x 8 on-chip RAM
64 Kbyte external data and program memory addressing
4 x 16-bit timer/counters
Powerful 16-bit compare/capture unit with 21 x PWM outputs
Versatile "fail-safe" provisions
8-bit A/D converter with 12 multiplexed inputs
Two full duplex serial interfaces
Nine ports: 56 I/O lines, 12 input lines
FLASH Memory chip
This chip is designated the AM28F512. It is a 512K-bit (64K x 8) CMOS FLASH Memory chip. It is ideally suited for applications requiring in-system or after-sales firmware updates. This device is designed to endure over 100,000 program/erase cycles and has a data retention of 10 years. It is available in a 32-pin DIP package, as shown in this application.
Looking at the pin connections, it is apparent that the FLASH chip has the capacity for in-situ programming (ISP). What prevents this on the Bosch Motronic ECU is the fact that it uses a tri-layer PCB. This makes it next to impossible to ascertain where all the PCB tracks lead once they pass through the board. ISP is further complicated by the fact that, like so many ECU manufacturers, Bosch uses a 'SEED KEY' system to facilitate ISP. In essence, this means that without the correct unlock code, or ‘KEY’, the microcontroller will not allow the firmware to be downloaded or uploaded, as the case may be. The implication of this is that we can either spend time trying to calculate this unlock code, or we ‘attack’ the ECU at a hardware level. It is this latter option that I decided upon.