Hi, I have a problem with studying a board (BOSCH MP7.0 ECU). It seems to have AS87C196EN Intel MCS-96 CPU. The board also has 16 bit Flash and 8 bit RAM, both connected to CPU via some mysterious chip (AMI_CC581 / Motorolla_GSC38NG393CE11 specific chip depends on board, mine has Motorolla). I cannot find any documentation nor on Motorolla nor AMI. It seems to be some sort of South bridge since both Flash (am29f200) and RAM (U6264ASA) do not meet 8096 RAM I/O protocol thus it needs some bridge. I have also found that CE pins of both Flash and RAM are connected to this strange chip (different pins of course) so it really can select memory chip and CPU cannot. Does anybody have any information on this bridge/something?

I also have problem with disassembling binary codes (I know what firmware I have on my board and even downloaded it) but I always get to RST or Unknown opcode. Yet I see something that looks like interrupt table at 32000h, configure byte (CEh) at 32018h, suggested by Intel reserved byte (20h) at 32019h, but trying to manually follow the code starting from 32080h I am soon getting to unknown opcode (E6h) after ~3 first steps. 30000h does not bother me at all since after getting modulo of 64k I get expected 2000h, 2018h, 2080h. I cannot find documentation for 87C196EN with 160 pins all I have is 87C196KB/CB/anything(but not EN) and everywhere it is 48, 68, 80 pins package(twice less pins than mine CPU, what the heck? super secret chip in standard ECU for super cheap cars?)

I am not trying to make some profit of this abandoned board. All automotive experts suggest to throw it away. But it seems interesting to understand how it works and maybe run some code written from scratch on it.

 

Hi, I have a problem with studying a board (BOSCH MP7.0 ECU). It seems to have AS87C196EN Intel MCS-96 CPU. The board also has 16 bit Flash and 8 bit RAM, both connected to CPU via some mysterious chip (AMI_CC581 / Motorolla_GSC38NG393CE11 specific chip depends on board, mine has Motorolla). I cannot find any documentation nor on Motorolla nor AMI. It seems to be some sort of South bridge since both Flash (am29f200) and RAM (U6264ASA) do not meet 8096 RAM I/O protocol thus it needs some bridge. I have also found that CE pins of both Flash and RAM are connected to this strange chip (different pins of course) so it really can select memory chip and CPU cannot. Does anybody have any information on this bridge/something?

I also have problem with disassembling binary codes (I know what firmware I have on my board and even downloaded it) but I always get to RST or Unknown opcode. Yet I see something that looks like interrupt table at 32000h, configure byte (CEh) at 32018h, suggested by Intel reserved byte (20h) at 32019h, but trying to manually follow the code starting from 32080h I am soon getting to unknown opcode (E6h) after ~3 first steps. 30000h does not bother me at all since after getting modulo of 64k I get expected 2000h, 2018h, 2080h. I cannot find documentation for 87C196EN with 160 pins all I have is 87C196KB/CB/anything(but not EN) and everywhere it is 48, 68, 80 pins package(twice less pins than mine CPU, what the heck? super secret chip in standard ECU for super cheap cars?)

I am not trying to make some profit of this abandoned board. All automotive experts suggest to throw it away. But it seems interesting to understand how it works and maybe run some code written from scratch on it.

I have found very nice collection here http://datasheets.chipdb.org/Intel/MCS96/
there are few pdf-s regarding 160 pins 8XC196EA processors. they actually have E6h opcode which is extended jump. so keep working further. still in a great confusion about memory controller.

 

Hey have you gotten any further with this? I noticed similarities between what you have found and a DME I'm currently working on that has somewhat similar inner workings.

The bosch M5.2 with the 87C196KN? 84 pin plcc and a misterious CC460 flash ic 68pin plcc that contains all program code and calibration data.

It has a condiguration byte at 2018h
Entry point at 2080h I found somewhere information on the intel mcu that's kind of conflicting it says the replacement for that mcu is the 87C196EN however the number of pins is incorrect. 160 vs 84 so there's obviously something inaccurate. Maybe it's referring to new designs

I did however find that the code used is 8051 code i guess because I was able to decompile in ghidra using 8051 language. Even though this is a 16bit mcu, the op codes are 8bit

 

>I found somewhere information on the intel mcu that's kind of conflicting it says the replacement for that mcu is the 87C196EN however the number of pins is incorrect
I also saw that. it is very confusing.
So have you tried that link http://datasheets.chipdb.org/Intel/MCS96/ ?
I have not got any further yet. I stopped at developing emulator just to see if it can run the code.I also investigated automotive firmware and found a lot of long jumps over quite a big stride there.
It is quite strange that 8051 language can produce some code. Was it sensible part of code, have you tried to look it through and follow a short series of instructions?
In my firmware using instructions for very similar 8XC196EA I found a part that writes data to controller's peripherials memory area thus I would assume I got sensible code.

 

>I found somewhere information on the intel mcu that's kind of conflicting it says the replacement for that mcu is the 87C196EN however the number of pins is incorrect
I also saw that. it is very confusing.
So have you tried that link http://datasheets.chipdb.org/Intel/MCS96/ ?
I have not got any further yet. I stopped at developing emulator just to see if it can run the code.I also investigated automotive firmware and found a lot of long jumps over quite a big stride there.
It is quite strange that 8051 language can produce some code. Was it sensible part of code, have you tried to look it through and follow a short series of instructions?
In my firmware using instructions for very similar 8XC196EA I found a part that writes data to controller's peripherials memory area thus I would assume I got sensible code.

I was looking into figuring out the EWS (immo) routine but haven't looked any further into it after that. I ran through that chip database you referenced but couldn't find the specific mcu. The 84 pin is listed there somewhere but no pinout for it, it is just mentioned.


There is a tool that has information on that mcu it's called the Sprint programmer or something. It pretty much has every possible mcu ever produced in the list of supported chips. It has different adapters for whatever the pin layout is. The 87C196KN is listed there and I can confirm that the clock pin is in the correct location to what i have in front of me.

I'm curious about this misterious chip you speak of that interfaces flash and ram to the MCU. It might be what the cc460 can do all on it's own. In the OLS300 MANUAL this chip is shown as having multiple eeproms in one