A step forward in hacking the 2gr-fe ECU - MR2 Owners Club Message Board
post #1 of 38 (permalink) Old October 30th, 2013, 14:53 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
A step forward in hacking the 2gr-fe ECU

the unintended acceleration fiasco has resulted in this article: http://www.edn.com/design/automotive...s-consequences

the important bit is that it mentions the CPU is just a rebadged Renesas V850 microcontroller.

this means we still don't know what flavour of the V850 it is, it may not even be a publicly available version, but we now know what all the peripherals on the chip could be and with some tracing we can probably figure out what port on the board is the JTAG port.

anyways, i know this information means nothing to most of you, but it's a good step for someone with more free time than i have at the moment.
Gouky is offline  
post #2 of 38 (permalink) Old October 30th, 2013, 15:37
Registered User
 
Join Date: Apr 2004
Location: Palmdale, CA Home of LACR
Age: 45
Posts: 1,637
OldTrader Rating: (6)
interesting read. thanks for posting. I did a paper in my masters program on toyota reliability and there was tons of information about how Toyota had NASA evaluate their circuitry and code and no problems were found. This new information is troubling.


I do want to make 2 things clear, while it's terrible that lives were lost from UA, I find it upsetting that people lack the common sense to just shift to neutral or turn off the engine or just hit the freaking brakes.
Smaay is offline  
post #3 of 38 (permalink) Old October 30th, 2013, 16:12
Registered User
 
Join Date: Apr 2006
Location: The Nasty Nati
Age: 36
Posts: 483
OldTrader Rating: (3)
So NASA didn't do a good enough job evaluating it then I guess? And yes, tragic lives were lost and people should have used common sense. though I dunno if applying the brakes would have had any effect. I recently was driving a 2009 F150 that decided to keep accelerating after I let off the throttle and using the brakes did absolutely nothing. However, before going the route of selecting neutral or trying to shut off the truck I decided to try tapping the accelerator pedal again and it disengaged. A lil nerve-wracking but no harm done.
Cincy Toy is offline  
post #4 of 38 (permalink) Old October 30th, 2013, 18:55
Registered User
 
Join Date: Sep 2005
Location: Montreal, Canada
Age: 37
Posts: 838
OldTrader Rating: (9)
How many pins is the MCU ?
I don't want to open my ECU right now ... maybe someone has one laying around and can count
Trying to find which model of the V850 it is ...
The closest match so far Sx2 or SG1 or SX3, based on the date they would begin development (2004, 2GRFE released in what ... 2007 earliest?)
http://am.renesas.com/products/mpumc...essx/index.jsp
torn81 is offline  
post #5 of 38 (permalink) Old October 30th, 2013, 19:20 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
it started in 2006 but the ECU is used in other vehicles as early as 2004 i've seen when digging for pigtails so it would be something that existed in 2000 likely.

the CPU has 208 pins.

according to the product selector, all 208 pin packages are not in current production yet. so this is a custom package for Toyota.

but that's ok, the V850 family started right around the same time this product started so it'll have a similar memory map to the early ones, it should be possible to map how the address ranges are used to determine which of the possible peripherals are at what address. the only thing that would be hard to document is the I/O multiplexer, it'll likely be custom for this application.

If i pull up a calibration file from toyota it's just an SRecord file with a header, here is the header:

Code:
[Format]
Version=2

[Vehicle]
Number=1
DateOfIssue=2007-03-15
VehicleType=-
EngineType=2GR-FE
VehicleName=AVALON(05-07MY)
ModelYear=5
ContactType=CAN
KindOfECU=ENG & ECT
NumberOfCalibration=1

[CPU01]
CPUImageName=307071.xx
NewCID=30707100
LocationID=0002000100010720
ECUType=32BH 768K
NumberOfTargets=5
01_TargetCalibration=30701000
01_TargetData=443245333B464838
02_TargetCalibration=30701100
02_TargetData=443745373B48484A
03_TargetCalibration=30705000
03_TargetData=444744363B493A49
04_TargetCalibration=30705100
04_TargetData=444433463B4B4B4B
05_TargetCalibration=30707000
05_TargetData=424335453A354A39

notice this bit: ECUType=32BH 768K

also, the CPU is running with a 16MHz external oscillator but i have no idea what the PLL is set to.
Gouky is offline  
post #6 of 38 (permalink) Old October 30th, 2013, 19:32 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
if anyone wants to see the calibration file: http://frankensteinmotorworks.com/2G.../T-0026-07.cuw

there's nothing special about that file it can be downloaded with a $15 TIS subscription, it's got a bit of binary at the top to make it load in their calibration update tool, but the actual data is all in plain text as an S-Record.

it would be pretty trivial to decipher the binary information at the top to get the calibration tool to program anything we could make, but we still have to know what to change in the file to get the desired results.
Gouky is offline  
post #7 of 38 (permalink) Old October 31st, 2013, 15:53
Registered User
 
Join Date: Mar 2006
Location: Bowie, MD
Age: 34
Posts: 2,477
OldTrader Rating: (17)
I wish all this wasn't going over my head.


For inspiration I've banged the 7k rev limit in second and it really makes a difference to rev higher. It for sure has power after stock redline. -emanage tune
walka is offline  
post #8 of 38 (permalink) Old November 5th, 2013, 10:50
Registered User
 
Join Date: Jul 2006
Age: 31
Posts: 1,151
OldTrader Rating: (2)
Would be awesome if we could crack the ecu and tune more comprehensively with a piggyback so there would be some middle ground between stock and a $2800 standalone.
DarkMousy is offline  
post #9 of 38 (permalink) Old November 5th, 2013, 12:43
Registered User
 
Join Date: Jun 2005
Location: M0desto, CA
Age: 34
Posts: 1,498
OldTrader Rating: (5)
Do any other car companies use this same chip for their ecm's?
celicaguy13 is offline  
post #10 of 38 (permalink) Old November 5th, 2013, 13:38 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
I'm sure there are plenty, they make these chips for the automotive industry.

also, Toyota and Subaru share quite a few parts, i would not be surprised if they use the same chip.

but the part that matters is the bootloader and those will almost 100% likely be different.
Gouky is offline  
post #11 of 38 (permalink) Old November 5th, 2013, 14:17 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
for what it's worth, i turned the binary into a heat map and played around a little with it. no maps jumped out at me immediately, but there were a few spots that looked like candidates.

I'll try to spend some time going through the binary and see if i can find some maps laying around in there.

i did run a text search and i did find the following string twice in the file:
89663-07071

it is in the format of a toyota part number, but it isn't valid. but the first part of a toyota part number is its category, so some searching found this: "89663-YW201 SOFTWARE MODULE" apparently that is a different calibration for some scion. the number is irrelevant but that's probably just an internal part number for the software.

also, all the data may not be 32bit wide, but the patterns that emerged made it look like the CPU natively has a 32bit wide bus. I'll see about making a new heat map using 32bit wide data. hopefully it is word aligned.
Gouky is offline  
post #12 of 38 (permalink) Old November 5th, 2013, 20:39
Registered User
 
Join Date: Sep 2005
Location: Montreal, Canada
Age: 37
Posts: 838
OldTrader Rating: (9)
I wonder if the data, or some part of the data is encrypted?
Also, maybe searching for the RPM limit value could help in increasing it?
For example look for values such as 6300, 6325, 6350, 6375,6400,6425 .. ?
is that file the whole flash data? or just part of it?
so many questions!!
torn81 is offline  
post #13 of 38 (permalink) Old November 5th, 2013, 21:00 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
Quote:
Originally Posted by torn81
I wonder if the data, or some part of the data is encrypted?
Also, maybe searching for the RPM limit value could help in increasing it?
For example look for values such as 6300, 6325, 6350, 6375,6400,6425 .. ?
is that file the whole flash data? or just part of it?
so many questions!!

without knowing the capacity of the chip we can't tell what that flash file is, but likely it is the entire calibration and program.

6300 shows up 4 times
6325 shows up 13 times
6350 shows up 1 time
6375 shows up 6 times
6400 shows up 13 times
6425 shows up 10 times
6450 shows up 9 times
6475 shows up 5 times
6500 shows up 9 times

so, about 70 options to choose from.

but beyond what the redline is, it would be nice to know what the tables go to. 7000? 7500?

from what i've heard from people that have used this ECU with the e-manage, the ECU keeps providing spark to at least 7200RPM, so likely the fuel table goes that high also.

by changing the redline limit, there should already be a tune there for higher RPMs.

Last edited by Gouky; November 5th, 2013 at 21:53.
Gouky is offline  
post #14 of 38 (permalink) Old November 5th, 2013, 21:58
Registered User
 
Join Date: Feb 2004
Location: Dallas TX.
Posts: 2,644
OldTrader Rating: (152)
Looks like you've made some educated guesses. From there, it sounds like you need to build an engine simulator. From there, tweak parameters to figure out what changed. DIY fuel injection might have something that's close to being ready to use.
Brad Bedell is offline  
post #15 of 38 (permalink) Old November 5th, 2013, 21:59 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
yes, a simulator so we can see what the ECU does under high load without blowing some metal apart would be very nice.

heck, we could just throw 10lbs of boost at it and 60psi and see what happens, or even a rising rate regulator and fully virtually abuse the heck out of it.
Gouky is offline  
post #16 of 38 (permalink) Old November 5th, 2013, 23:52
Registered User
 
Join Date: Jun 2005
Location: M0desto, CA
Age: 34
Posts: 1,498
OldTrader Rating: (5)
I know the Lotus ecu's are different. But do you think they share anything with the Toyota units?
celicaguy13 is offline  
post #17 of 38 (permalink) Old November 6th, 2013, 03:10
Jon
Registered User
 
Join Date: Mar 2004
Location: Cambridge, UK
Age: 44
Posts: 22
OldTrader Rating: (0)
Toyota ECUs from the 90's calculated RPM internally to a higher resolution of RPM*5.12.
So 6300 would be 32256.
Jon is offline  
post #18 of 38 (permalink) Old November 6th, 2013, 05:49 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
Quote:
Originally Posted by Jon
Toyota ECUs from the 90's calculated RPM internally to a higher resolution of RPM*5.12.
So 6300 would be 32256.

that's a good point, fixed point decimals are something i haven't considered yet.

I have been considering floating point numbers and I'm seeing a bunch of tabled data that appears to be 32bit floats.

as for the lotus ECU, it's completely different. it has been hacked but they aren't releasing anything. otherwise it could give us some good tables for a standalone ECU as a starting point.

and someone earlier asked if the file was encrypted. the data patterns shown in the file mean it absolutely isn't encrypted. but there may be a homebrew encoding.

i suspect the only thing to crack is the validation checksum of some kind in the file. we also have to get a hold of the calibration update wizard and figure out what needs to be done to keep it happy and willing to flash a homebrew file. probably something in the header i mentioned above.

but first things first, i'm seeing if i can spot an ignition and fuel table in the calibration, without those it is completely worthless being able to flash a custom file on the unit.
Gouky is offline  
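
An added example, not part of the original posts and not anyone's actual tool: the search discussed in posts #12 to #18, decoding S-Record data with per-line checksum verification and listing where a candidate rev limit appears as a 16-bit word, either raw or scaled by 5.12, in either byte order. The function names and the sample record are constructed for illustration, and a hit is only a candidate to inspect, as the counts in post #13 show.

```python
import struct

ADDR_LEN = {"S1": 2, "S2": 3, "S3": 4}  # address bytes per data-record type

def srec_checksum(payload):
    """Ones' complement of the low byte of the sum of count, address and data."""
    return ~sum(payload) & 0xFF

def parse_srec(text):
    """Decode S1/S2/S3 records into {address: byte}; reject corrupt lines."""
    mem = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line[:2] not in ADDR_LEN:
            continue  # S0 header, count/termination records, non-S-Record lines
        raw = bytes.fromhex(line[2:])
        if raw[0] != len(raw) - 1:
            raise ValueError(f"line {n}: byte count mismatch")
        if srec_checksum(raw[:-1]) != raw[-1]:
            raise ValueError(f"line {n}: bad checksum")
        alen = ADDR_LEN[line[:2]]
        base = int.from_bytes(raw[1:1 + alen], "big")
        for i, b in enumerate(raw[1 + alen:-1]):
            mem[base + i] = b
    return mem

def find_rpm_candidates(mem, rpms, scales=(1.0, 5.12)):
    """List (address, rpm, scale, byte order) for each 16-bit match in the image."""
    hits = []
    for rpm in rpms:
        for scale in scales:
            value = round(rpm * scale)
            if value > 0xFFFF:
                continue  # does not fit a 16-bit field
            for order, fmt in (("little", "<H"), ("big", ">H")):
                first, second = struct.pack(fmt, value)
                hits += [(a, rpm, scale, order) for a in sorted(mem)
                         if mem[a] == first and mem.get(a + 1) == second]
    return hits

def make_s3(addr, data):
    """Build one S3 record (32-bit address) for the constructed sample below."""
    payload = bytes([len(data) + 5]) + addr.to_bytes(4, "big") + data
    return "S3" + (payload + bytes([srec_checksum(payload)])).hex().upper()

# Constructed sample, not taken from any real calibration file:
# 6300 and 6300*5.12 = 32256 stored as little-endian 16-bit words.
SAMPLE = make_s3(0x10000, bytes.fromhex("FFFF9C180000007EFFFF"))
print(find_rpm_candidates(parse_srec(SAMPLE), [6300]))
```
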
post #19 of 38 (permalink) Old November 6th, 2013, 06:59
Registered User
 
Join Date: Mar 2004
Location: Raleigh / Durham NC
Age: 39
Posts: 4,919
OldTrader Rating: (12)
one of the open ecu subaru realm tools can identify maps for you iirc. It will find them, but not be able to tell you what they are, then you config what they are in an xml file to go with the bin so you can edit all sorts of roms with the same rom editing tool. Then use the techstream system to reflash..
Megasquirt has something called the megastim - no need to re-invent an engine simulator. IIRC it was under $100
Jared is offline  
post #20 of 38 (permalink) Old November 6th, 2013, 07:11 Thread Starter
Gold Level
 
Join Date: Sep 2005
Location: Fort Wayne, IN
Age: 37
Posts: 3,421
OldTrader Rating: (14)
megastim can't do four camshaft signals and simulate the MAF. it's really overly simple for this as it is designed to test that megasquirt is assembled properly, not to simulate a running engine.

if you can find the subaru map finding tool that would be great.
Gouky is offline  