I had the opportunity to scan in a Ferrari 348 aftermarket performance chip for Motronic 2.7 today. I'm going to do a bit more research before I name the firm and bash them publicly, as what I saw on my first glance must either be me making an error in my review or else a very, very bad chip was being sold to fchatters. Lets start with the hex file compare of the 3rd party aftermarket performance chip versus a stock Ferrari 348 Spider chip. The first 4k of code/data are identical. Copyright issues aside, that is actually a good thing compared to what is to come. At 4004h, however, we start to see the aftermarket chip make changes to Ferrari's programming code itself. Not to the fuel/air data, mind you (as would be typical on a modified chip), but to the code...and to my eye, not in a good way. Here's the original Ferrari assembly language subroutine: L3FFC: CJNE A,#005H,L4019 ;;;3FFC B4 05 1A ... CPL B.1 ;;;3FFF B2 F1 .. MOV DPTR,#L0162 ;;;4001 90 01 62 ..b MOVX A,@DPTR ;;;4004 E0 . MOV C,B.1 ;;;4005 A2 F1 .. Notice that at 4004h that Ferrari has an "E0" command (which means do a register memory MOVX operation). ...but the aftermarket chip changes that single "E0" command to "80" (an SJMP) which to me will cause a software error that will cascade until the Motronic watchdog timer kicks in. Now, the aftermarket chip doesn't change another byte of code or data after that one "E0" to "80" at 4004h until we get to 4604h...this address is in the middle of an existing Ferrari 8051 routine that starts as: L4600: MOV DPTR,#L649D ;;;4600 90 64 9D .d. MOV R1,#0AFH ;;;4603 79 AF y. MOV A,#003H ;;;4605 74 03 t. MOVX @R1,A ;;;4607 F3 . So instead of putting "AF" into R1, the aftermarket chip inserts "A1". At least this one small change doesn't scream out as an obvious software error waiting to be executed. The aftermarket chip leaves all of the rest of the original Ferrari program intact, save for changing the following 8 bytes: 00460D | 83 < F3 004804 | 80 < 98 004A04 | 00 < 75 004E04 | 00 < 08 004E0C | 80 < 93 004F0C | 00 < 75 004F0D | 80 < A0 004F0F | 80 < D2 Anyway, I'm going to investigate further to see if my initial thought (that the aftermarket changes to the OEM Ferrari program are in error and bad) is misguided. Perhaps a deeper analysis of the aftermarket program will reveal something that my superficial review missed. What I *expected* to see on the aftermarket chip was mere data being changed, such as the rev limiter, ignition timing, and a few fuel/air maps. I didn't expect to see ten bytes of Ferrari programming code changed (both code and data reside on our M2.7 chip). Also, the aftermarket chip *did* make changes to fuel maps on the chip, so I'll post a graph or two of those (what I would label "more traditional") changes later in this thread.
INC R1 ;;;4608 09 . INC 02EH ;;;4609 05 2E .. MOV A,02EH ;;;460B E5 2E .. MOVX @R1,A ;;;460D F3 . INC R1 ;;;460E 09 . MOV A,#009H ;;;460F 74 09 t. MOVC A,@A+DPTR ;;;4611 93 . ; At 460D, the aftermarket chip changes Ferrari's "F3" to "83"
L4801: CLR ES ;;;4801 C2 AC .. MOV SCON,#090H ;;;4803 75 98 90 u.. JNB 29.2,L480C ;;;4806 30 4A 03 0J. MOV SCON,#0FAH ;;;4809 75 98 FA u.. ;
L49FE: MOV A,#00AH ;;;49FE 74 0A t. MOVC A,@A+DPTR ;;;4A00 93 . CJNE A,B,L4A0A ;;;4A01 B5 F0 06 ... MOV 034H,#000H ;;;4A04 75 34 00 u4. LJMP L4BC4 ;;;4A07 02 4B C4 .K.
L4DD1: LCALL L4116 ;;;4DD1 12 41 16 .A. MOV R0,#0C1H ;;;4DD4 78 C1 x. MOV A,#07AH ;;;4DD6 74 7A tz MOVC A,@A+DPTR ;;;4DD8 93 . MOVX @R0,A ;;;4DD9 F2 . MOV A,#064H ;;;4DDA 74 64 td INC R0 ;;;4DDC 08 . MOVX @R0,A ;;;4DDD F2 . INC R0 ;;;4DDE 08 . MOVX @R0,A ;;;4DDF F2 . MOV R0,#0C0H ;;;4DE0 78 C0 x. MOVX A,@R0 ;;;4DE2 E2 . CLR ACC.0 ;;;4DE3 C2 E0 .. CLR ACC.7 ;;;4DE5 C2 E7 .. CLR ACC.6 ;;;4DE7 C2 E6 .. CLR ACC.3 ;;;4DE9 C2 E3 .. MOVX @R0,A ;;;4DEB F2 . MOV R0,#08AH ;;;4DEC 78 8A x. CLR A ;;;4DEE E4 . MOVX @R0,A ;;;4DEF F2 . MOV R0,#0D0H ;;;4DF0 78 D0 x. MOV A,#078H ;;;4DF2 74 78 tx MOVC A,@A+DPTR ;;;4DF4 93 . MOVX @R0,A ;;;4DF5 F2 . MOV A,#064H ;;;4DF6 74 64 td INC R0 ;;;4DF8 08 . MOVX @R0,A ;;;4DF9 F2 . INC R0 ;;;4DFA 08 . MOVX @R0,A ;;;4DFB F2 . MOV R0,#0F0H ;;;4DFC 78 F0 x. MOV A,#072H ;;;4DFE 74 72 tr MOVC A,@A+DPTR ;;;4E00 93 . MOVX @R0,A ;;;4E01 F2 . MOV A,#00AH ;;;4E02 74 0A t. INC R0 ;;;4E04 08 . MOVX @R0,A ;4E05 F2 . INC R0 ;4E06 08 . MOVX @R0,A ;4E07 F2 . MOV R0,#0EDH ;4E08 78 ED x. MOV A,#070H ;4E0A 74 70 tp MOVC A,@A+DPTR ;4E0C 93 . MOVX @R0,A ;4E0D F2 . MOV A,#00AH ;4E0E 74 0A t. INC R0 ;4E10 08 . MOVX @R0,A ;4E11 F2 . INC R0 ;4E12 08 . MOVX @R0,A ;4E13 F2 . MOV P2,#001H ;4E14 75 A0 01 u.. MOV R0,#05BH ;4E17 78 5B x[ MOVX A,@R0 ;4E19 E2 . JNZ L4E22 ;4E1A 70 06 p. MOV P2,#000H ;4E1C 75 A0 00 u.. MOV R0,#0D4H ;4E1F 78 D4 x. MOVX @R0,A ;4E21 F2 . ;
After making the above-mentioned programming changes, the aftermarket chip made these 3 changes which I have not yet investigated: 00631A | D2 < F0 006352 | D2 < F0 00640C | 40 < C5
The aftermarket chip then makes much ado about almost nothing...changing a series of Ferrari "FF" commands to zeros...except the very last "FF" in the series is changed to a "CB". 006590 | 00 | FF 006591 | 00 | FF 006592 | 00 | FF 006593 | 00 | FF 006594 | 00 | FF 006595 | 00 | FF 006596 | 00 | FF 006597 | 00 | FF 006598 | 00 | FF 006599 | 00 | FF 00659A | 00 | FF 00659B | 00 | FF 00659C | 00 | FF 00659D | 00 | FF 00659E | 00 | FF 00659F | 00 | FF 0065A0 | 00 | FF 0065A1 | 00 | FF 0065A2 | 00 | FF 0065A3 | 00 | FF 0065A4 | 00 | FF 0065A5 | 00 | FF 0065A6 | 00 | FF 0065A7 | 00 | FF 0065A8 | 00 | FF 0065A9 | 00 | FF 0065AA | 00 | FF 0065AB | 00 | FF 0065AC | 00 | FF 0065AD | 00 | FF 0065AE | 00 | FF 0065AF | 00 | FF 0065B0 | 00 | FF 0065B1 | 00 | FF 0065B2 | 00 | FF 0065B3 | 00 | FF 0065B4 | 00 | FF 0065B5 | 00 | FF 0065B6 | 00 | FF 0065B7 | 00 | FF 0065B8 | 00 | FF 0065B9 | 00 | FF 0065BA | 00 | FF 0065BB | 00 | FF 0065BC | 00 | FF 0065BD | 00 | FF 0065BE | 00 | FF 0065BF | 00 | FF 0065C0 | 00 | FF 0065C1 | CB | FF
The rest of changes are probably all to fuel/air and/or spark advance data tables, so I'll use graphs until I'm too bored to go on with this point... 6BAC[]: = Ferrari Data Map dependant on Engine RPM RPM: 800 920 1280 1520 1720 1840 2000 2520 3520 4000 4520 5000 5520 6000 6520 7240 VAL: 21 22 25 28 2A 2D 31 36 3D 3F 42 42 42 41 3F 43 6BAC[]: = Aftermarket Data Map dependant on Engine RPM RPM: 800 920 1280 1520 1720 1840 2000 2520 3520 4000 4520 5000 5520 6000 6520 7240 VAL: 27 28 2D 30 32 37 3B 40 4A 4C 50 50 50 4F 4C 51
No, I think that's just a reserved memory area that Motronic overwrites on the fly (gives the programmer more "registers" to work with) and reads on the fly for later subroutines.
Here are the graphs for the first data table modified by the aftermarket chip. If that data table is for fuel, then the first picture is valid. If that data table is for ignition advance, then the second picture is valid. Image Unavailable, Please Login Image Unavailable, Please Login
OK, now I'm officially bored. I'll sign off for the moment with two parting graphs, first an OEM 348 partial throttle fuel map, then that same fuel map as modified on the aftermarket chip: Image Unavailable, Please Login Image Unavailable, Please Login
For years land shark AKA Jim Comforti has been telling us to watch out for aftermarket performance chips. I am sure you are discovering what he tried to tell us for years, in fact maybe back as far as F-list! Anyway, it appears that you are the only person who can understand and manipulate Ferrari code as evidenced by what has gone on with Plugzit. Others may be able to do it but either do not have the time or desire to make changes available to us 348 hotroders. Other ECU'ed Ferrari owners should be so lucky.
FBB, you are too kind...but I'm just some Alabama country boy...I am confident that many, many people know 8051 Assembler well enough to likewise (or better!) program our 2.7 ecus by using the simple shareware tools available via a dogpile.com search. The Porsche guys in particular have traveled this road quite well for years. But it wouldn't hurt my feelings if someone else weighed in on what the aftermarket guys were doing with the above chip! I just don't get it. You'd think that all of the aftermarket guys would use a shareware 8051 disassembler (hey, they are FREE!) to spot code and distinguish it from the data (i.e. the fuel maps). Why would you change a byte or two (or ten) of clearly working OEM code? Aren't aftermarket chips just about raising the rev limit, advancing the spark timing, and either enriching or leaning the fuel at wide open throttle?! That's all data. No reason at all that my little brain can see to be changing the OEM code (unless you want to write a little Assembler subroutine that flashes a CEL at a certain rpm in order to give you a built-in shift light).
It is like "pet rock". When people think you got something special like double secret monkey cam timing you can sell it.
Out of my league. Even back with 2.7 in the days of EPROMS, the Motronics ecu chips themselves have the ability to block out unauthorized readers. By the time 5.2 shipped with flash memory, I suspect that capability was both improved and better utilized.
Where can I get this done? My car runs great but I would pay thousands for this if someone says it is better.