Guru
Posts: 963
Can the current generation of ECUs be hacked?


UPDATE: I will leave this post for historical reasons, but the short answer to the question is YES! -RR


As we start to look at the newer, more current bike ECUs, we are starting to see the M32R family CPUs being used. The 2007 GSXR1000 uses the 32196. Some of the newer Denso-equipped Yamahas, I've heard, use them too.

So the question is: can they be downloaded and flashed as easily as the previous generation of 32-bit 7052/4 CPUs?

Here is the PDF datasheet for the M32196 (M32196.pdf).

There is no AUD port, at least by that name, on this chip. It does however have the following interfaces:

JTAG (Joint Test Action Group)

The M32R/ECU contains a JTAG (Joint Test Action Group) interface compliant with IEEE Standard Test Access Port and Boundary-Scan Architecture (IEEE Std. 1149.1a-1993). This JTAG interface can be used as an input/output path for boundary-scan test (boundary-scan path). For details about IEEE 1149.1 JTAG test access ports, see IEEE Std. 1149.1a-1993 documentation.

The JTAG interface in the M32R/ECU is used to connect a JTAG emulator during debugging as well. In this chapter, the JTAG interface is explained assuming its use as an input/output path for boundary-scan test.

For those of you not familiar with JTAG and boundary-scan, let me explain what it does. The 32196 is an MCU (Micro Controller Unit), not a CPU (Central Processing Unit). An MCU has a CPU inside it, but it also has internal RAM, ROM, and I/O all packaged into a single chip.

One drawback of this design is that when things go wrong you have no way of isolating the problem. In a CPU system, where all the individual components are separate, you can place test equipment on the various data bus and signal lines to monitor what is happening. In an MCU, if you power it up and nothing happens, then what do you do? That is where JTAG comes in.

JTAG sits between an MCU's CPU and its input/output pins. It allows you to read the signals coming into the MCU inputs and set the output pins. It is kind of a manual override that allows you to disconnect the CPU core and take over the chip from the inside. Usually this is used to test the MCU and circuit board after it has been manufactured, a functional connection test.

On some chips with external address and data buses the JTAG can be used to read the RAM and ROM which is what we need to do to hack the ECU. From what I see so far the JTAG on the 32196 is not going to be much help.

RTD (Real-Time Debugger)

The Real-Time Debugger (RTD) is a serial interface through which to read or write to any location in the entire area of the internal RAM by using commands from outside the microcomputer. Because data transfers between the RTD and internal RAM are performed via a dedicated internal bus independently of the M32R-FPU, RTD operation can be controlled without the need to stop the M32R-FPU.

This interface allows you to read or write the RAM while the MCU is running. This is similar to what the AUD does on the other chips, only using a serial line instead of a parallel interface. The big problem here is that it does not have access to the Flash memory bus, meaning you would not be able to use it directly to download the ECU software and map.

NBD (Non-Break Debugging)

Non-Break Debug (NBD) has the RAM monitor and event output functions. A dedicated DMA is incorporated in NBD, so that accesses to the internal RAM, etc. are accomplished using this DMA.

RAM monitor function:

This function is provided for reading and writing to and from all resources connected to the internal/external buses mapped in the address space. It allows the RAM data, etc. to be referenced and altered. Furthermore, accesses to the address space used exclusively for NBD (i.e., NBD space) are accomplished using this function.

This interface seems to have everything we want. It accesses all of the address space, which I assume includes Flash memory where the software is. Also, if you look at the physical interface, it looks very much like the AUD. It uses four bidirectional data lines, a clock, and sync. The timing waveforms also look very much like the AUD.

Unfortunately, unlike the AUD, the NBD has an enable/disable register that is disabled out of reset. This means when you power up the MCU the default is for the NBD to be turned off. The only way to turn it on is for software to change the values of the registers.

It seems to me that a more involved approach is going to be needed. I'm thinking that what we need to do is use the RTD to write some code into an unused section of RAM and then find and overwrite the stack with the address of our code to trick the MCU into running it. This segment of code could turn the NBD on, or even start copying the flash memory contents to RAM so we can read it out using RTD.

While the RTD is enabled out of reset, it is possible to disable the write function in software, meaning this plan would not work either. We could spend a lot of time and effort on this just to find we have been locked out by the software.

Time will tell. At this point I'm waiting to get my hands on a M32R family ECU.

-- Edited by RidgeRacer at 00:41, 2008-11-14

-- Edited by RidgeRacer at 17:53, 2009-02-14

__________________


Veteran Member
Posts: 37

RR,
I have been looking for a spare ECU for the new 1250 Bandit. These ECUs are proving very hard to find. I have however seen an ECU for the 1250's smaller brother, the 650, for sale at a reasonable price. I am kinda guessing that the ECUs are the same, as the bikes themselves are almost identical.
I'm not sure the Bandit's ECUs are using the latest chips, as the Bandits aren't built to be 'leading edge' sports bikes. However, they do use secondary throttle blades and O2 sensors, so anything could be inside the ECU. If I win the auction I will take a peek inside and let everyone know what I find.

__________________

"Started out with nuthin' and I still got most of it left"



Senior Member
Posts: 123

Geoff, the 1250 Bandit uses the 7052 CPU. I've opened one. Now, if I can only get the AUD port to work....

__________________


Veteran Member
Posts: 74

Curious as to which Yamahas might have this chip. I have access to ECU spares and might be able to contribute....

__________________


Guru
Posts: 1344

RR, I may have a 07 1000 ECU to open. When it gets here I will verify that it is indeed a 07. Are you interested in opening it up? Let me know, and if so it is yours.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 963

I've seen pictures of an opened Euro K7 1000 and I'm pretty sure the hardware is the same as the K8 busa I'm looking at now. So I'd rather wait to see if these newer ECUs can be hacked before I rip open a perfectly good ECU.

Assuming I figure out these new units, then I would only need to cut a hole big enough to access the CN501 pads, which means I would be able to download the code, then seal the ECU back up, and it would still be usable.

__________________


Guru
Posts: 1344

No problem. These bikes were turned into prostreet turbo bikes with standalone. The ECUs are being donated to me from Exoticycle out of Florida. Let me know.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 1344

PetriK, do you have any interest in one of these ECUs? I have been trying to locate a 08 Busa for you, still no luck. Maybe you and RR can collaborate and make this work. Since RR has a 08 Busa, maybe I could send you a 07 1000 ECU so the both of you could get this done, since the two of you are the only ones that can get this figured out. Let me know if you are interested.

-- Edited by stocker at 01:03, 2009-02-01

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 963

How many do you have?

Here is the thing. With only the one hard-to-get Busa ECU I have, I am approaching this very conservatively.

Rule number one is first do no harm.

There is a possibility, however, that these M32 ECUs can be read from the wire harness. As most of you know, the mantra for the 7052 ECUs is: you can write the flash thru the harness, but you can't read it that way. The reason for that is the first thing the 7052 boot loader does when you connect to it is bulk erase the entire flash.

In reading thru the M32 manual flash procedure about the boot loader, there is no mention of the automatic bulk erase, and it mentions a boot loader command called 'Read Array'. It may be possible to simply read the contents out thru the harness with a USB cable. It would be a very simple matter to try. But what if I'm wrong?

If I have to operate as if this Busa ECU is the last one on earth, then the prudent course of action is to exhaust all other possibilities first before trying to read out thru the harness. I have three possible scenarios for trying to read it out thru the CN501. The first two are fairly straightforward, but if they fail the third will take many, many hours of work. I'd rather not spend hours and hours trying to do something that may only take an hour done the easy way. But again, the last-Busa-on-earth scenario dictates I take that approach.

On the other hand, if you have two GSXR1000 ECUs, that changes everything. Then it would be worth the risk to try the easy route first. If I am wrong and accidentally erase the first one, well, then we still have one to work on the old-fashioned way.

I still have some research to do before I would greenlight trying the 'easy' way, but provided I can find no reason not to try it, would you be willing to risk one of your ECUs?

BTW, maybe PetriK or one of you other micro-savvy guys can read Section 6.6 of the manual and give me your opinion of what it says. I have to warn you though: be ready to wade thru the typically bad Japanese-English techno translation....


-- Edited by RidgeRacer at 02:01, 2009-02-01

__________________
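The two RidgeRacer posts above describe the same security property from two sides: the first post covers the on-chip debug paths (AUD always on; NBD disabled at reset but enableable by software; RTD writable unless firmware locks it), and this post covers the harness-side bootloader (the 7052 erases flash before you can talk to it; the M32 manual lists a 'Read Array' command with no erase mentioned). The Python below is an added illustration, not code from the thread or from Renesas or Denso, that models those gates as policy flags and reports, for each configuration, whether firmware confidentiality holds. All names (`McuPolicy`, the flag names, the sample flash bytes) are constructed assumptions and are not the real M32196 register map.

```python
"""Threat-model sketch of the firmware-extraction paths discussed in this thread.

Added illustration, not code from the thread, Renesas or Denso. The access paths
(on-chip debug port such as AUD/NBD plus RTD RAM access, and the flash bootloader
reached through the harness) are modelled as simple policy flags. Register names,
flag names and sample bytes are constructed assumptions, not a real register map.
"""
from dataclasses import dataclass

# Constructed stand-in for the ECU code/map stored in flash.
SAMPLE_FLASH = bytes.fromhex("deadbeef0102030405060708")


@dataclass
class McuPolicy:
    """How each access path is gated on a given MCU/firmware combination (assumed model)."""
    flash: bytes = SAMPLE_FLASH
    # "on":       always enabled (the AUD on the 7052, as described in the thread)
    # "software": disabled at reset, a running program can enable it (the NBD)
    # "fuse":     permanently disabled with no software path to enable it (assumed ideal)
    debug_port: str = "software"
    firmware_enables_debug: bool = False  # does the shipped firmware switch NBD on?
    rtd_write_locked: bool = False        # has the firmware disabled RTD writes?
    bootloader_erases_on_connect: bool = True   # 7052 behaviour per the thread
    bootloader_read_array: bool = False         # M32 'Read Array' per the thread


def via_bootloader(p: McuPolicy):
    """Outcome of talking to the flash bootloader over the harness.

    Returns (status, data). 'erased' means connecting destroyed the contents
    before anything could be read; 'readable' returns the flash bytes.
    """
    if p.bootloader_erases_on_connect:
        return "erased", None
    if p.bootloader_read_array:
        return "readable", p.flash
    return "unreadable", None


def via_debug_port(p: McuPolicy):
    """Outcome of using the on-chip debug interface.

    A 'software' gate is only as strong as the firmware behind it: if the
    firmware turns the port on, or leaves RTD writes open so that RAM-resident
    code could turn it on (the approach sketched in the first post), the port
    is effectively available to anyone at the test pads.
    """
    if p.debug_port == "on":
        return "readable", p.flash
    if p.debug_port == "fuse":
        return "unreadable", None
    # "software": depends entirely on what the firmware did with the registers
    if p.firmware_enables_debug or not p.rtd_write_locked:
        return "readable", p.flash
    return "unreadable", None


def assess(p: McuPolicy) -> dict:
    """Map each path to its status; 'confidential' holds only if no path reads flash."""
    paths = {"bootloader": via_bootloader(p)[0], "debug_port": via_debug_port(p)[0]}
    paths["confidential"] = all(s != "readable" for s in paths.values())
    return paths


# Three configurations drawn from the thread's descriptions (assumptions, not measurements).
SH7052_LIKE = McuPolicy(debug_port="on", bootloader_erases_on_connect=True)
M32_AS_DESCRIBED = McuPolicy(debug_port="software", rtd_write_locked=False,
                             bootloader_erases_on_connect=False,
                             bootloader_read_array=True)
HARDENED = McuPolicy(debug_port="fuse", rtd_write_locked=True,
                     bootloader_erases_on_connect=True,
                     bootloader_read_array=False)

if __name__ == "__main__":
    for name, pol in [("7052-like", SH7052_LIKE),
                      ("M32 as described", M32_AS_DESCRIBED),
                      ("hardened", HARDENED)]:
        print(f"{name:18s} {assess(pol)}")
```

The point the model makes is that the two gates are independent: the 7052-like configuration keeps the harness path closed (at the cost of erasing the part) but leaves the debug port open, while the M32 as described in the thread is open on both paths, and only a fuse-locked debug port combined with an erase-before-read bootloader leaves no unauthenticated read path. Erase-on-connect protects confidentiality, not the part itself, which is exactly the trade-off RidgeRacer is weighing with his one Busa ECU.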


Veteran Member
Posts: 72

RR, the 1000 K7 ECU I sent to you should arrive in the next days...
Good luck with it!
By the way: it seems that they did a reflash on the K7 EU ECUs at the factory.
The K7 EU ECUs I have seen have two labels.
The first says 32920-21H00, and over this label sticks a second one with 32920-21H50 printed on it.
__________________


Guru
Posts: 1344

RR, there are several ECUs available. A friend of mine and I are going to pick up his engine on Wednesday. When we are there I will talk to JT, the owner, and see how many he wants to contribute to the cause. He already said that "we" could have one to operate on.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 963

Well that was anti-climactic....

I'm downloading the Busa. I still have to check some stuff and work out some details, but it looks good. Apparently, while Denso's new MCU has a back door with a lock, it looks like someone left the key in it.

__________________


Guru
Posts: 1344

Great job as always, RR. This news will make many 08 Busa owners very happy...

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 1344

RR, do you still want to download the K7 USA .bin? All I need is an address to send it to.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 963

Yes, I still want it. It will probably be a couple of weeks till I get around to it.

Why don't you email me at info@bikeland.info

__________________


Guru
Posts: 1344

No problem for me when you get to it. I have a 05 Busa; I just want to help. I sent you an e-mail.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com

Guru
Posts: 1344

RR, I got the 07 ECU, 32920-21h10. I will forward it to you by USPS.

__________________

09 busa.????? now what....still got what it takes.......!

I got what you need...!
www.poweredbyford.com

www.marc@poweredbyford.com
