MBE ECU Analyzer // Intel 8096

Serial Diagnostic Protocol // demo firmware (MBE 9A4)

Back to analysis | Run Emulator

Probed all 256 command bytes to reverse-engineer the ECU's serial diagnostic protocol. No intel_8096 code was harmed in the making of this analysis.

Serial Port Configuration

PropertyValue
Mode1 - 8-bit UART
Baud Rate~9,689 baud (register 0x80, assuming 20 MHz crystal)
Receive EnabledYES
ParityNone
SP_CON Register0x09

Firmware Identification

PropertyValue
Command0x0D (Carriage Return)
Response#92810270
Raw Bytes23 39 32 38 31 30 32 37 30 00
Length10 bytes

Protocol

Send a single byte (register address) to read the ECU RAM value at that address. Most addresses 0x00-0xFF respond with a single byte. SFR addresses (hardware I/O registers) are filtered out. Command 0x0D (CR) returns the firmware ID string.

CommandFunctionResponse
0x0D Read firmware ID #92810270
0x00 Sync/ACK 0x55
0x00-0xFF Read RAM register Single byte value

Address Scan (256 probes)

57 responding | 199 silent

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF
0x 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
1x 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
2x 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
3x 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
4x 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F
5x 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
6x 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
7x 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
8x 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
9x 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
Ax A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF
Bx B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
Cx C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
Dx D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
Ex E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
Fx F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF

Green = known register | Blue = responds (unknown) | Dark = no response

Known Data Channels (5)

AddressNameResponseRAM Match
0x49 Lambda 1 0x4B (75) no (value changed)
0x4A Lambda 2 0x4B (75) no (value changed)
0x50 Baro 0x4B (75) YES
0x58 Status Bits 1 0x11 (17) no (value changed)
0x76 Inj Bank 2 0x4C (76) no (value changed)
Show all 57 responding channels
AddressNameResponseRAM ValueMatch
0x00 - 0x55 0x00 no
0x03 - 0x46 0x4B no
0x05 - 0x4D 0xAE no
0x06 - 0x42 0x10 no
0x40 - 0x45 0xE2 no
0x46 - 0x1C 0x2A no
0x47 - 0x01 0x01 YES
0x48 - 0x4B 0xFF no
0x49 Lambda 1 0x4B 0xFF no
0x4A Lambda 2 0x4B 0xFF no
0x4B - 0x4B 0xFF no
0x4C - 0x4B 0xFF no
0x4D - 0x4B 0xFF no
0x4E - 0x4B 0x03 no
0x4F - 0x4B 0x60 no
0x50 Baro 0x4B 0x4B YES
0x51 - 0x4B 0x4B YES
0x52 - 0x4B 0x4B YES
0x53 - 0x4B 0x4B YES
0x54 - 0x4B 0x4B YES
0x55 - 0x4B 0x4B YES
0x56 - 0x4B 0x4B YES
0x57 - 0x4B 0x4B YES
0x58 Status Bits 1 0x11 0x53 no
0x59 - 0x18 0x48 no
0x5A - 0x82 0x11 no
0x5B - 0x28 0xFF no
0x5C - 0x0A 0x13 no
0x5D - 0x08 0x00 no
0x5E - 0xFF 0x01 no
0x5F - 0x70 0xFF no
0x60 - 0xED 0x00 no
0x61 - 0x18 0x00 no
0x62 - 0x0E 0xFF no
0x63 - 0xFF 0xFF YES
0x64 - 0x00 0x06 no
0x65 - 0x00 0x01 no
0x66 - 0x00 0x08 no
0x67 - 0x00 0x01 no
0x68 - 0x00 0x08 no
0x69 - 0x00 0x04 no
0x6A - 0x00 0x00 YES
0x6B - 0x00 0x80 no
0x6C - 0x71 0x71 YES
0x6D - 0x02 0x02 YES
0x6E - 0x05 0x05 YES
0x6F - 0x4B 0x4B YES
0x70 - 0x22 0x2E no
0x71 - 0x00 0x00 YES
0x72 - 0x00 0x27 no
0x73 - 0x80 0xEE no
0x74 - 0x00 0x03 no
0x75 - 0x00 0x4B no
0x76 Inj Bank 2 0x4C 0x01 no
0x77 - 0x07 0x00 no
0x78 - 0x00 0x00 YES
0x79 - 0x00 0x00 YES

How to Connect

To read live data from a real MBE 9A4 ECU:
1. Connect a USB-to-serial adapter (3.3V TTL level) to the ECU diagnostic connector
2. Set baud rate to 9,689, 8N1
3. Send 0x0D to verify connection (expect: #92810270)
4. Send any address byte (0x40-0xBF) to read that RAM register
5. Poll at ~10Hz for live dashboard data