cracking the ecu....
#51
Registered User
Join Date: Jun 2005
Location: Bellevue, WA
Posts: 134
Any way of obtaining the flasher and images for the 8? If the OEM uses this, we need to find out how to leverage it. If we're able to flash the latest OEM image on it, we should be able to reverse engineer at least some parts of it. I don't know if the image is digitally signed; does anyone know?
-jc
#52
Int'l Man of Mystery
Join Date: Jan 2004
Location: Central Florida
Posts: 3,651
Ok... my turn.
First... the info on Mazda tech. After checking out that site (http://www.mazdatechinfo.com/home/ecmDetail.asp), the Lexus system (http://www.clublexus.com/index.php/a...iew/108/1/296/) and info on CarDAQ-Plus (http://www.drewtech.com/products/cardaqplus.html) I'm almost positive that this isn't going to help us much if at all. The hardware... yes. The software... nope. Check this out...
http://www.cytiva.com/cejobs/DetailMazda.asp?mazda389 This person's job is to maintain the internal Mazda servers that are used for the ECU flashes. Basically the MazdaTech stuff and what they do at the dealer with the WDS system is hook the flasher hardware up to a PC. That PC is connected to the internet and checks for the latest flash on the MNAO servers, downloading one if available to the flasher hardware. The flasher hardware then uploads it to the PCM. If we already have a copy of a flash, then it isn't going to be a lot of help. Basically only useful for getting copies of the latest flashes.
What we need to be able to do is decode the data stream... reverse engineer the format of the data. As one may note from the Lexus system, the PCM likely contains several "flashes" for each of the subsystems... something else to consider. So who here is good at hacking software/firmware?
SAE Standards J2534
http://www.sae.org/servlets/productD...D=J2534_200202
This hardware kit looks pretty comprehensive too... http://www.hickok-inc.com/ngs/ngscan.html
As many probably know... I'm a big advocate of ECU flashing vs standalone or supplemental ECU. I'd love to see this happen... let's keep at it guys!
#55
Int'l Man of Mystery
Join Date: Jan 2004
Location: Central Florida
Posts: 3,651
Did a little more research... I've only skimmed most of it thus far, but it is all good stuff.
SH7055 SuperH RISC CPU
http://www.renesas.com/fmwk.jsp?cnt=.../sh7055_group/
Vehicle Operating System for SH-2 Operating System Manual
http://documentation.renesas.com/eng...256_sh2ope.pdf
Vehicle Operating System for SH-2 Communication Manual
http://documentation.renesas.com/eng...257_sh2com.pdf
Since "This document is described on the assumption that OSEK specification is understood."
Here you go...
http://www.renesas.com/fmwk.jsp?cnt=...e/osek/&site=i
http://www.osek-vdx.org/
Tools
IDA Pro Disassembler and Debugger
http://www.datarescue.com/idabase/
Renesas SuperH Flash Development Toolkit Ver.3 (HS6400FDIW3SR)
http://www.renesas.com/fmwk.jsp?cnt=hs6400fdiw3sr.htm&fp=/products/tools/flash_prom_programming/fdt/child_folder/&title=Ver.3%20(HS6400FDIW3SR)
http://en.etasgroup.com/catalog/pdf_05/3_3.pdf
http://www2.eu.renesas.com/products/...w/support.html
http://www.lauterbach.com/frames.html?firesh2.html
#56
The flash contains both executable code and data. There is only 1 flash, not multiple flashes. Updating subsystems occurs via the main flash. Renesas has complete hardware and programming documents for the SH-2E on their site.
The flash cannot be simply disassembled with a SH-2E disassembler; I already tried that. I tried every combination of offsets and couldn't get a string of at most 10 opcodes without an unrecognized instruction. Granted, I used a free SH-2E disassembler, so without IDA Pro I don't know if the results would be better.
If you pm me, I can send you a copy of the flash that I got from a forum member and you can examine. I'll send it to anyone, just give me an email that can handle a big file.
Last edited by tuj; 02-08-2006 at 09:43 AM.
#57
Originally Posted by TeamRX8
the checksum is usually available on the web if you know where to look
#58
Originally Posted by Japan8
Basically the MazdaTech stuff and what they do at the dealer with the WDS system is hook the flasher hardware up to a PC. That PC is connected to the internet and checks for the latest flash on the MNAO servers, downloading one if available to the flasher hardware. The flasher hardware then uploads it to the PCM. If we already have a copy of a flash, then it isn't going to be a lot of help. Basically only useful for getting copies of the latest flashes.
My understanding of the J2534 pass-thru device is that as long as you have a valid flash, the ECU doesn't care what version it is. This makes sense, as if something went terribly wrong, you might want to revert to a previous version. The WDS front-end controls keeping it up to date, but it doesn't prevent old versions being loaded.
#59
Originally Posted by tuj
...
My understanding of the J2534 pass-thru device is that as long as you have a valid flash, the ECU doesn't care what version it is. This makes sense, as if something went terribly wrong, you might want to revert to a previous version. The WDS front-end controls keeping it up to date, but it doesn't prevent old versions being loaded.
Fabrice
#60
Originally Posted by Rasputin
My understanding is that you can't go back and flash an older version than the one that's in your PCM. Correct?
On the MazdaTechInfo site, the 'downloaded application' interrogates the ECU and determines if you need a new flash or not. But, there is nothing apart from a few lines in that application that is stopping the ECU from receiving an old flash.
#61
Int'l Man of Mystery
Join Date: Jan 2004
Location: Central Florida
Posts: 3,651
Originally Posted by tuj
No, I don't think that is exactly right. The dealers get the newest 'calibration' of the WDS, either via download or on CD. The WDS itself interrogates the flash level of the car, and then initiates reflashing if a newer version is available in the WDS calibration. This means if your dealer doesn't keep their WDS up to date, you don't get the new flash.
My understanding of the J2534 pass-thru device is that as long as you have a valid flash, the ECU doesn't care what version it is. This makes sense, as if something went terribly wrong, you might want to revert to a previous version. The WDS front-end controls keeping it up to date, but it doesn't prevent old versions being loaded.
Well, I wasn't entirely talking about the WDS unit, as more detailed information about it isn't available. The software available through technet does work as I described. Between that and how it works at Lexus (and I read the manual... which is the tech/shop manual), I assumed that WDS would also be similar. In the case of Lexus, their diagnostic/handheld unit can only hold x number of different flashes total at any one time. However, the PC it hooks up to can have all of them saved... which were downloaded from the net OR are from CD-ROM. You delete from the diagnostic/handheld unit as needed and just reload them from the PC.
#62
Int'l Man of Mystery
Join Date: Jan 2004
Location: Central Florida
Posts: 3,651
Originally Posted by tuj
Dude, I don't mean to be critical, but your research is stuff we've already turned up. The flash contains both executable code and data. There is only 1 flash, not multiple flashes. Updating subsystems occurs via the main flash.
The flash cannot be simply disassembled with a SH-2E disassembler; I already tried that. I tried every combination of offsets and couldn't get a string of at most 10 opcodes without an unrecognized instruction. Granted, I used a free SH-2E disassembler, so without IDA Pro I don't know if the results would be better.
If you pm me, I can send you a copy of the flash that I got from a forum member and you can examine. I'll send it to anyone, just give me an email that can handle a big file.
I would need to read all the aforementioned documents before I could really get into it. I need to understand more about the architecture and API of the OS...
#63
Administrator
Originally Posted by TeamRX8
ooooh, that's new since I was last on their site
Harrison was working on getting the CANScan to also operate as a PassThru device,
yep - all he needs is this cable and TA DA, it's a pass-thru device, or hymee for that matter.
#64
Administrator
Originally Posted by tuj
The flash contains both executable code and data. There is only 1 flash, not multiple flashes. Updating subsystems occurs via the main flash.
The dif folder just has a sort of text file that appears to be release notes of a sort.
The flash folder usually has at 3 other folders inside. One will be labeled with the same flash number as the whole thing, "N3ZEL000"; the others are usually quite different. I believe those to be updates for other systems like the TCM (transmission control module - shift points for autos) or other CAN systems. I base this on looking at some flashes for the Mazda6 and looking thru the TSBs for that car. They had a TSB which gave a flash number for just the TCM which was similar to one I found in a Mazda6 flash.
Of course I could be wrong; they could be flashes for other countries or something I haven't even guessed at.
#65
Administrator
Originally Posted by tuj
That is the intent of the WDS and/or part of the J2534 pass-thru device software. But what I am saying is that if you can communicate with the ECU via J2534, you should be able to upload whatever flash level you want. I believe the WDS can do this also; the techs do have the ability to put you back to flash K or whatever.
On the MazdaTechInfo site, the 'downloaded application' interrogates the ECU and determines if you need a new flash or not. But, there is nothing apart from a few lines in that application that is stopping the ECU from receiving an old flash.
#67
Is this title ok?
The flash file is an intermediate format that is readable by the WDS system and the flasher software. Between the H and M flash levels the format changed a little; that's why they have patches to the WDS system to take care of the flash file format when new flash files were released. However, the internal raw EPROM datastream is the same once extracted from the flash file, and it is the actual application code & data that are read and executed by the ECM, based on the data alignment I've seen.
That's how I understand it, and I haven't had the time to do more investigation on trying to disassemble the datastream. There are two methods for this hacking approach:
1. Rewrite a new flasher/pass-through software that takes the new EPROM datastream and flashes it directly to the ECM. You will need to figure out what commands to send to the pass-through device in order to flash the correct powertrain module. This might be something Mazda kept secret, or it might be universally known as a standard.
2. Re-package the new EPROM datastream into the flash file format that is recognized by the WDS and the Mazda flasher. This method will require figuring out the checksum algorithm.
Either way, there will be a lot of sweating and need some guinea pig...
Since there are different flashes between 2004 & 2005 cars, as well as Federal and California versions, comparing the same version level of the flashes between Federal & California might give you a lot of hints on where the application and data reside within the EPROM datastream.
#69
Int'l Man of Mystery
Join Date: Jan 2004
Location: Central Florida
Posts: 3,651
Alrighty then... nothing concrete to give you guys, but some new (not been posted before) and useful reading...
OpenECU
http://openecu.org/index.php
Automotive Related Research Topics
http://www.hitachi.us/Apps/hitachico...opment/&nId=iD
IME3: Authoring Tool & Runtime Systems for the development of your diagnostic application
http://www.ime-actia.de/web_diag/swdiag.htm
All about J2534: Free Markets, Pollution and the Automobile industry
http://www.drewtech.com/support/j2534/intro.html
All about J2534
http://www.passthruxs.com/all_about_j2534.htm
Using DrewTech's v0202 PassThru (J2534) DLL
http://www.drewtech.com/support/j2534/index.html
Ford Motorcraft: Reprogramming & Initialization
http://www.motorcraftservice.com/vdi...&menuIndex1=63
Passthru+ XS
http://www.passthruxs.com/passthruxs.htm
Passthru+ XS API for Developers
http://www.passthruxs.com/dev_api.htm
EEPod
http://www.eepod.com/
EASE J2534 Universal Reprogrammer
http://www.obd2.com/J2534/index.html
EASE PC Scan Tool
http://www.obd2.com/scantool/scantool.htm
TARI Racing Software Forum
http://www.tari.co.za/cgi-bin/yabb2/...board=dl1about
ecuExplorer
http://www.tari.co.za/cgi-bin/yabb2/...cuexplorermain
EEC-V Calibration Memory Structure
http://www.hptuners.com/forum/showthread.php?t=85
How to FLASH EEC-V
http://www.hptuners.com/forum/showthread.php?t=85
By far openecu.org looks to be the most helpful in figuring out just how this is all done. They are talking about most Subi cars, but that doesn't change the strategy needed for the 8. I know we are missing something, but I don't know what exactly to call it... but it's the "missing link" to reading that hex data.
#73
Is this title ok?
Looks promising. And here is what I've found:
By looking for patterns in the ROM image (extracted from the SW-N3Z2EP000.PHF file), I have seen this pattern of word/int values at offset 0x078F44:
10000 7000 6500 6000 5500 5000 4000 3500 3000 2500 2000 1000 500
They look like the main map RPM values.
While there are 3 other locations, at offsets 0x076EFC, 0x076F64, 0x076FCC, that have the following values:
10423 10276 10128 10000 9876 9753 9645 9526 9408 9310 9211 9113 9013 8927 8871 8822 8773
They look like 3 separate Hi-RPM map values; do these have something to do with the peak TQ/HP value that we've seen in most of the dyno graphs?
While looking at file SW-N3Z2EM000, the patterns are found at offsets 0x78F60, 0x76F18, 0x76F80, 0x76FE8.
Needless to say, OpenECU link is very useful.
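The table hunting described in the post above (monotonic RPM-like runs that recur at several offsets), as an added example that is not from the thread: it scans a constructed ROM image for word-aligned runs of 16-bit values in a plausible RPM range and groups identical runs that appear more than once. The axis values are the ones quoted in the post; the offsets they sit at in the sample image, the 500..12000 RPM bounds and the big-endian word order (assumed from the SH7055 named earlier in the thread) are assumptions.

```python
"""Hunt for calibration axes (RPM breakpoints) in a raw ECU ROM image.
Added example, not from the thread; ROM constructed, axis values quoted in post."""
import struct

RPM_MAIN = [10000, 7000, 6500, 6000, 5500, 5000, 4000, 3500,
            3000, 2500, 2000, 1000, 500]                      # quoted in post
RPM_HI = [10423, 10276, 10128, 10000, 9876, 9753, 9645, 9526, 9408,
          9310, 9211, 9113, 9013, 8927, 8871, 8822, 8773]    # quoted in post


def build_sample_rom():
    """Constructed image: erased-flash filler, code-like words, one copy of the
    main RPM axis and three copies of the hi-RPM axis spaced 0x68 bytes apart."""
    erased = b"\xff" * 0x40                                   # 0xFFFF words
    codeish = bytes([0x2F, 0xE6, 0x4F, 0x22, 0xD1, 0x05, 0x41, 0x0B]) * 8
    hi_axis = struct.pack(">17H", *RPM_HI)
    pad = b"\x00" * (0x68 - len(hi_axis))                     # zeros split runs
    return (erased + codeish + struct.pack(">13H", *RPM_MAIN) + erased
            + hi_axis + pad + hi_axis + pad + hi_axis + codeish)


def find_axes(rom, lo=500, hi=12000, min_len=8, big_endian=True):
    """Return (offset, direction, values) for every word-aligned run of
    strictly monotonic 16-bit values within [lo, hi] at least min_len long.
    Big-endian is assumed: the SH7055 named in the thread is an SH-2 part."""
    fmt = ">H" if big_endian else "<H"
    words = [struct.unpack_from(fmt, rom, off)[0]
             for off in range(0, len(rom) - 1, 2)]
    runs, i, n = [], 0, len(words)
    while i < n:
        if not lo <= words[i] <= hi:
            i += 1
            continue
        j, direction = i + 1, 0
        while j < n and lo <= words[j] <= hi:
            step = words[j] - words[j - 1]
            if step == 0:
                break                     # plateaus are not axis breakpoints
            sign = 1 if step > 0 else -1
            if direction == 0:
                direction = sign
            elif sign != direction:
                break                     # reversal: a new table may start here
            j += 1
        if j - i >= min_len:
            runs.append((i * 2, "asc" if direction > 0 else "desc", words[i:j]))
        i = max(j - 1, i + 1)             # re-examine the word that broke the run
    return runs


def group_identical(runs):
    """Map each distinct value list to the offsets it recurs at. A table that
    appears several times (as the post saw for the hi-RPM axis) is usually one
    axis shared by several maps rather than three unrelated tables."""
    groups = {}
    for off, _, vals in runs:
        groups.setdefault(tuple(vals), []).append(off)
    return groups


if __name__ == "__main__":
    rom = build_sample_rom()
    runs = find_axes(rom)
    for off, direction, vals in runs:
        print(f"0x{off:06X} {direction} n={len(vals):2d} {vals[0]}..{vals[-1]}")
    for vals, offs in group_identical(runs).items():
        if len(offs) > 1:
            print(f"{len(vals)}-point axis repeated at", ", ".join(f"0x{o:06X}" for o in offs))
```

Reading the same image little-endian finds nothing, which is a quick sanity check on the assumed word order when pointing this at a real dump.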
#75
Banned
Originally Posted by Hskr8
if I am not mistaken, I believe there is 1 map for 1st-3rd gears, and another map for 4th-6th gears... something Maurice figured out I think.
The PCM has no way to figure out what gear you are in!
Stop repeating this.
There is, however, a time component to the calculation in addition to the usual load axis of RPM, air flow and TP.