cracking the ecu....
#1
Registered User
Thread Starter
iTrader: (1)
Join Date: Dec 2003
Location: Nebraska
Posts: 310
you all know how the ecu has a long term fuel map right?
CZ has proven this... I don't know the details... is it a combination of A/F ratio and timing, over a range or who knows?
instead of trying to crack the ecu... why not just get the flash in code form... edit with a hex editor, and change the long term fuel map to run where you want it to run at?
Wouldn't that in essence crack the ecu for everyone? while keeping what it is supposed to do?
Seems overly simplistic, yes?
I haven't heard of anyone looking at it from this perspective though...
K.I.S.S.
Thoughts, ideas welcomed.
#3
www.evoperform.com
Originally Posted by Hskr8
you all know how the ecu has a long term fuel map right?
CZ has proven this... I don't know the details... is it a combination of A/F ratio and timing, over a range or who knows?
instead of trying to crack the ecu... why not just get the flash in code form... edit with a hex editor, and change the long term fuel map to run where you want it to run at?
Wouldn't that in essence crack the ecu for everyone? while keeping what it is supposed to do?
Seems overly simplistic, yes?
I haven't heard of anyone looking at it from this perspective though...
K.I.S.S.
Thoughts, ideas welcomed.
#4
Registered
iTrader: (25)
they didn't crack it, they just circumvented the factory PCM control of the fuel tables with their own. It's essentially a mini-piggyback except that instead of being external to the ECU they fit it inside the factory PCM box where it resides with the rest of the PCM internals.
#5
Originally Posted by Hskr8
instead of trying to crack the ecu... why not just get the flash in code form... edit with a hex editor, and change the long term fuel map to run where you want it to run at?
#6
Administrator
ok so let's say you acquired the flash and opened it in a hex editor like the image below
now just how does one go about finding the timing tables and the fuel maps and the etc etc in the thousands of lines of hex?
#8
Administrator
well some people do it
The flash is made up of execution code and data. Although I have made some half-hearted efforts to look at the code, so far we have been content to only change the data, and that has been quite enough. We recently found the section that has the "target oxygen", a crucial component. We have not had enough time to try to modify that section, but we intend to. We can also change all timing, all open loop fuel, rev limiter, MOP, APV, fans, etc.
#10
Compare one flash to another. The data areas are generally at the beginning or end of the file, and the execution segments are generally contiguous. With memory being as cheap as it is, the data areas usually are not. There are usually gaps between logical sets of data. And as you can see in your hex editor, ASCII strings and the like are sometimes still visible. Often, debug symbols are still present in the production code.
As I understand it, Denso writes many of the basic subroutines for the device, leaving Mazda to deal with application-specific details like fueling, etc. The Denso code is unlikely to change from flash to flash, so those areas should be easy to identify. With knowledge of the processor's opcodes, it's easy to rule out what is and is not a valid instruction. Data sets like fuel tables typically have ascending patterns.
But you're right, it's certainly not easy.
Last edited by tuj; 01-30-2006 at 11:57 PM.
#11
Originally Posted by lurch519
i am sure that is entirely possible, but how would you upload it to the ecu. i believe that's the real issue
The basic upload, as I understand it, can be done with a CAN-compliant pass-thru programmer. You can actually download the flashes online for a nominal fee. I do not know the technical details of the flashing procedure, but it's my understanding that there is nothing sinister, like encryption, involved in the transaction to accept a new flash.
Last edited by tuj; 01-30-2006 at 11:58 PM.
#12
Administrator
Originally Posted by tuj
Compare one flash to another. The data areas are generally at the beginning or end of the file, and ...
ok so you weed out the data areas- now how do you know which data is which? it doesn't just say "fuel table 1"
again obviously some people do it- i just have never done this. the first time i ever looked at hex was when i opened that flash i attached the pic of above. i've looked at several for several models since. 6,3,8. don't have an MX-5 to look at yet.
#13
Registered User
Join Date: May 2004
Location: toronto, canada
Posts: 477
Is there anywhere to actually download one of these flashes? I wouldn't mind taking a look at it in a hex editor..
If only someone could make an emulator for the ECU code.. then you can make changes to the code on the fly and test it out. If you could determine what all the sensors are feeding into the ECU you could potentially mimic what the car tells it and modify those fake variable to see how the ECU reacts to certain conditions. But good luck making that happen we need game console hackers in here!
MrJynx
#14
Administrator
Originally Posted by tuj
Yes, this is the issue the Honda guys have had to deal with. Most devices like this calculate checksums for areas like the fueling tables.
*snip*
The basic upload, as I understand it, can be done with a CAN-compliant pass-thru programmer.
*snip*
two issues but both can be done.
1. Astra racing dealt with the checksum issue. They had to get someone outside their company to do it but they did it. Find out who did it for them and you're golden
2. The way the Mazda reflashing software works is that it checks the Flash of the vehicle then looks to see if there is a newer one for your vehicle. there are a few ways around this.
a. get a copy of the next newer flash (wait for one to come out), modify it then replace the one in the database with your modified one or tell the software a new place to look for the updates. sounds difficult but could be done. of course you could be waiting a long time for a newer one to come out. unless you find a way to convince the software that your older flash is a new one. you would still need a pass thru device along with the oem software. and a laptop or pda.
b. Astra takes the PCM out of the car, opens it, removes a chip, changes a jumper, connects to the chip and changes the hex with a program which you can download from their website. then replaces the chip and puts the pcm back in the car. sounds easy i suspect to computer types. however this is not easily done by a lot of end users. you'd have to send your pcm to someone if you didn't know how to do it yourself. they do this in japan. but really this becomes a real bottleneck- how long do you want your pcm out of your car?
c. modify the flash. then write or have written your own J2354 compliant (make sure it's compliant with the correct ISOs) pass thru programming software that doesn't look for a newer one. it just asks "which flash should i upload" then all you need is a J2354 compliant pass thru device and a laptop/pda and a good power source and a good charge on the battery.
now c sounds an awful lot like the flash tuning that fastsvtss's company is working on (see this thread https://www.rx8club.com/series-i-aftermarket-performance-modifications-23/rx8-hand-held-flash-tuner-79650/) as well as several others (see my interview with Racing Beat's Jim Mederer in the next issue of RXTuner- not the one that is on its way now, the one after that)
#15
Administrator
Originally Posted by MrJynx
Is there anywhere to actually download one of these flashes? I wouldn't mind taking a look at it in a hex editor..
If you could determine what all the sensors are feeding into the ECU you could potentially mimic what the car tells it
MrJynx
read up on Jim Mederer's ecu bench. he did just what you suggested.
#16
Originally Posted by MrJynx
Is there anywhere to actually download one of these flashes? I wouldn't mind taking a look at it in a hex editor..
#17
Originally Posted by zoom44
ok so you weed out the data areas- now how do you know which data is which? it doesnt just say "fuel table 1"
-look through the execution segment and try to figure out what the code does. The things to look for here will be the injector hooks, as that code will then go to an interpolation routine that will look up two points in the fuel maps.
-trial and error / comparing flashes. Like I said, generally speaking, data tables are going to be bounded with empty space, so identifying logical sets of data isn't so hard. There are only so many arrays that would be the size of the fueling table, so there should only be a few suspects.
There actually might be another option if you are a Ford/Mazda employee and hacker. As I understand it, the WDS can actually modify the fuel tables and such while it's hooked up to the vehicle. I wonder if the guys who are talking about their hand-held 'flasher' unit are doing something like that.
Last edited by tuj; 01-31-2006 at 01:18 PM.
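An added example (not from the thread, and not any tuning vendor's tool) of the two table-finding heuristics tuj describes in #10 and #17: a calibration table shows up as an ascending run of values bounded by padding, and diffing two flashes of the same model isolates the calibration data. It assumes big-endian 16-bit entries and scans a constructed sample image, not a real flash.

```python
"""Heuristic scan of an ECU flash image for calibration tables (added
example, not the thread's or any vendor's code).  Heuristics from the posts
above: tables are ascending runs bounded by padding (erased flash reads
0xFF), and diffing two flashes of one model isolates calibration data.
Assumes big-endian 16-bit entries; the sample image is constructed."""
import struct
PAD = (0x0000, 0xFFFF)   # erased flash reads 0xFFFF; 0x0000 is common filler

def find_tables(img: bytes, min_len: int = 8):
    """(byte_offset, entry_count, values) for each run of >= min_len
    non-decreasing 16-bit words bounded by padding or the image edge.
    A zero inside a real table would split it: a heuristic limitation."""
    n = len(img) // 2
    words = struct.unpack(f">{n}H", img[: n * 2])
    tables, i = [], 0
    while i < n:
        if words[i] in PAD:
            i += 1
            continue
        j = i
        while j + 1 < n and words[j + 1] not in PAD and words[j + 1] >= words[j]:
            j += 1
        left_ok = i == 0 or words[i - 1] in PAD
        right_ok = j == n - 1 or words[j + 1] in PAD
        if j - i + 1 >= min_len and left_ok and right_ok:
            tables.append((i * 2, j - i + 1, list(words[i:j + 1])))
        i = j + 1
    return tables

def diff_ranges(a: bytes, b: bytes):
    """Byte ranges [start, end) where two equal-length images differ."""
    ranges, start = [], None
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = off
        elif x == y and start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

# Constructed sample: instruction-like bytes, 0xFF padding, a 16-entry RPM
# axis, padding, a descending run that must not be flagged, padding.
RPM_AXIS = list(range(500, 8001, 500))
SAMPLE = (bytes.fromhex("6ff2e2004f226000") + b"\xff" * 8
          + struct.pack(">16H", *RPM_AXIS) + b"\xff" * 8
          + struct.pack(">8H", *range(900, 100, -100)) + b"\xff" * 8)
MODIFIED = bytearray(SAMPLE)                  # a second "revision" of the same flash
struct.pack_into(">H", MODIFIED, 46, 8200)    # last axis breakpoint 8000 -> 8200 rpm
```

Running `find_tables(SAMPLE)` reports only the RPM axis at byte offset 16, and `diff_ranges(SAMPLE, MODIFIED)` points straight at the two changed bytes inside it.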
#18
Administrator
grabbing from mazdatechinfo isn't as easy as it first would seem.
flash tuning companies can hook up and get a rom dump etc. i don't think they can change parameters on the fly while hooked up. but fastsvtss suggested it might be possible.
wouldn't it be nice if the companies just labeled everything?
timing table 1
knock retard table
fuel map
would make it all much easier
#20
Administrator
Hitachi SuperH processor by Renesas.
Specs are-
High-performance single-chip RISC with SH-2E core
52 MIPS/40 MHz/3.3 V
High-speed multiplication/accumulation operations
Built-in 32-bit multiplier
Built-in single-precision floating-point operation unit
Built-in large capacity flash memory with a single power supply and large capacity RAM
Write and erase operations available with the single power supply 512 kB Flash ROM/32 kB RAM
Powerful peripheral functions
Timer: ATU-II (a maximum of 65 input and output process) Compare-match timer 2 ch
A/D: 10 bit x 32 ch
Serial: 5 ch DMAC: 4 ch
HCAN: 2 ch (1 ch is shared with a serial interface)
Package QFP-256
http://www.renesas.com/fmwk.jsp?cnt=...family/&site=i
#22
Excellent. Renesas has all of the SDK stuff available on their site, which is great. Any ideas as to the exact chip number?
Probably the SH7050 or SH7055.
Last edited by tuj; 01-31-2006 at 02:04 PM.
#24
As I thought, the ECU is running Hitachi's Vehicle Operating System, ver. 2.1. Identifying strings are at 03f18h. 001e20 is the end of something called SBL. Not sure what that is. Some interesting stuff at 80fdbh. Everything from there to the end looks to be data structures. Next step is to find a disassembler and see what it's really doing.