Connor McMillan

connor@mcmillan.website – http://github.com/mibs510

SIEMENS 7508145 GS20

Siemens GS20 and the MS43 have very close similarities. The biggest is the processor and the EEPROM. Traditionally on the MS43 to read and write we use JMFlasher. Since both have the same processor and the same EEPROM, booting the GS20 into boot mode is just like the MS43, by shorting pin 104 as shown below.

5th pin from the left corner.

Unfortunately, the GS20 has different echo bytes which aren’t recognized by JMFlasher and thus writing to the EEPROM is not possible yet. I have sniffed the packets that were sent in and out on different scenarios with sharkwire in hopes that someday the authors of JMFlasher will find some use for them to support this unit.

CONNECT.pcapng — No issue

READ.pcapng — No issue

READ_2.pcapng — No issue

WRITE.pcapng — “Wrong echo bytes”

In order to access the EEPROM you will need to carefully drill out the rivets to release the board from the chassis.

Jpeg

WBADS43411GD84493_SIEMENS_GS20_5WK33502AG_AM29F400BB.BIN – A full 512kb read out of my unit.

In the near future I will attempt to sniff CAN BUS data and perhaps interpreting it as well.

6 Comments

    1. Connor

      Unfortunately no. I gave up on this project a while. Got the opportunity to obtain a copy of a Dinan tuned version which basically has modified shift points set to much lower than stock. The whole purpose of this was to study and learn how to disassemble/reverse engineer firmware. Will put that to good use on a upcoming project (hopefully).

      Reply
      1. Jordan

        Any chance you could post a copy of the modified file? Or could you email it to me. I’m interested in playing with it as well myself.

        Reply
    1. Connor

      I did, at lower RPM. You’d need to have other mods, such as cold air intake, catless headers, etc in order to fully utilize its potential. It’s also more noticeable with a 3.0.

      Reply

DROP A COMMENT

Your email address will not be published. Required fields are marked *