Members Login
Username 
 
Password 
    Remember Me  
Post Info TOPIC: '07+ 600rr M32R Keihin Hacking


Newbie

Status: Offline
Posts: 3
Date:
'07+ 600rr M32R Keihin Hacking


I was able to get an exceptionally cheap ECU from a 2007 cbr600rr late last week and decided it would be a perfect side project to try and reverse it. I know I do not have the skill to do it alone, so I hope I can get some help from this community! First, a couple pictures:

How I received it:

Not sure what this designation is for:

After removing some of that devil potting material:

And the juicy m32r (specifically a M32176F2VFP):

 

After looking at all of the VSS/VCCE connections and looking right on the chip, I would agree that it is properly labeled. I was able to determine that pin 91 (Reset# pin) goes to a yet to be identified 100 pin QFP chip (the only things on it are 3690b82fzv b82 al14907 0649 je) but the ECU can be reset alternatively by bringing pin B15 on the ecu plug to low (ground state), and also an EEPROM chip (93A66) is interfaced 3-wire style with pin 39 on the m32r.

 

I have left my usb-ttl converter and soldering tools in an inaccessible location until next week so I will not be able to make too much headway until then. My plan once I get a hold of them is to desolder the 93A66 and read everything that is on it, and then try to access the m32r through its RTD circuit. I cannot find any trace coming off of the tx or rx of the RTD pins so my first attempt might be soldering directly to the chip. There is a 14+2 set of pads on the back that could be used to access it, but I have been unable to identify anything but grounds.

 

I notice that ECUnleashed is offering a reflashing service (only one I know of for 07+ 600rr's) but I'm pretty sure they cannot flash through the plug yet and must do some sort of hardwire work first. All that I know is the following quote. Has anyone else done Honda Keihin work yet that they are willing to share?

Honda locked-down their ECU like it was holding national secrets; it's been a bear to get consistent results simply by re-programming. What we are doing now is opening the ECU and making physical changes. The results are fantastic, but it is a little more intricate.



-- Edited by imprez55 on Friday 9th of March 2012 10:10:38 AM

__________________


Senior Member

Status: Offline
Posts: 350
Date:

Good work! Keep at it! Good news its a M32R, just an easy try before soldering too much. FDT/EE and FTDI cable or EE interface. (If you find FWE/CNVss pin)
Probably not same passwords as with suzuki but to see if you get any connectivity. But backdoor is probably safest way when possible for a first time read, and you get the password.

Only done some digging in Suzuki Dirtbike/Atv Keihin ECU`s. But let me know if i can help!

Good luck man!



-- Edited by Twice on Sunday 11th of March 2012 12:19:35 AM

__________________


Senior Member

Status: Offline
Posts: 116
Date:

I am working on CB 1000 F Ecu right now, its almost identical. Have same idea to read straight from MCU first and cant find any crossings on pins in connectors...

__________________


Member

Status: Offline
Posts: 6
Date:

I have also opened the CBR600RR box and have started looking into this. I know the K line is coming out of the box and there is a connector available for it on the wire harness. It is called the DLC connector. Pin 30 on the black connector is the the K line.





__________________


Senior Member

Status: Offline
Posts: 350
Date:

Anyone know more in depth about Read/Write procedure via K-Line?
Gonna make an attemp on a other model Keihin ECU in next couple of days.



-- Edited by Twice on Sunday 11th of March 2012 12:23:16 AM

__________________


Member

Status: Offline
Posts: 6
Date:

I believe the K line is read only

__________________


Senior Member

Status: Offline
Posts: 350
Date:

That's not a problem, but TuneECU writes via K-Line also?
Should be able to write with serial. But will need stock bin before i attempt writing. Should be able to read with serial also, but have not located FWE pin in the connector. But i have it located on a pad on a scrapped opened ECU, but rather avoid cut up one more if i can. Suggestions? :)

Im also having some issues with powering up ecu on bench. Denso/Trionic works like a charm but not this Keihin. Have any of you tried to hook it up to a power supply? And do it start up good and draws +12V?



-- Edited by Twice on Sunday 11th of March 2012 12:24:51 AM

__________________


Member

Status: Offline
Posts: 6
Date:

I have one opened also. I will see if I can trace out the FWE pin to the connector.

I have powered one up on the bench. I will check my notes on which pins need power and gnd and let you know.

__________________


Senior Member

Status: Offline
Posts: 350
Date:

It's a completely different keihin ecu, not for a honda even, Suzuki ATV :)

Thanks anyway!



-- Edited by Twice on Sunday 11th of March 2012 12:25:50 AM

__________________


Member

Status: Offline
Posts: 6
Date:

Sorry, was not paying attention to your posts.



__________________


Newbie

Status: Offline
Posts: 3
Date:

After looking at the wiring harness, it seems I was mistaken when I mentioned the MOD2 pin and have edited my original post. With that and the FWE pin (actually labeled FP now on pin 94) at ground, it is difficult for me to trace as I just use a continuity tester.

21racing - Yes, I am familiar with the DLC connector and K-line, however I have that listed as pin 26 on the black connector and it seems I have reversed the order the manual presents them in. Thank you for brining that to my attention and I will revise my notes and post within the coming days to coincide with the proper labeling (I did trace it to pin 41 of a Keihin kt2011sa 100pin QFP chip) . Although Twice is not interested, I would be very interested in seeing what pins you used to power it up on the bench and if you could trace the FWE pin. I was planning on just using a spare lead-acid battery and the stock wiring harness, but having a proper lab power supply would mean one step closer to making a model bike to test changes on.



-- Edited by imprez55 on Friday 9th of March 2012 10:46:03 AM

__________________


Guru

Status: Offline
Posts: 963
Date:

imprez55 wrote:
...

I notice that ECUnleashed is offering a reflashing service (only one I know of for 07+ 600rr's) but I'm pretty sure they cannot flash through the plug yet and must do some sort of hardwire work first. All that I know is the following quote. Has anyone else done Honda Keihin work yet that they are willing to share?

Honda locked-down their ECU like it was holding national secrets; it's been a bear to get consistent results simply by re-programming. What we are doing now is opening the ECU and making physical changes. The results are fantastic, but it is a little more intricate.



 I've heard the same thing. The one place I know that will flash hondas requires that you send them a minimum of 5 ECUs at a time.

The ECUunleased stuff is Piasini stuff. If you look at his pinout diagrams for Keihin equipped Honda Cars you see some interesting similarities with the Honda bike ECUs.

Unlike denso that runs the AUD/NBD/JTAG debug ports to an organized connector it appears Keihin likes to use test pads scatered around the board. Also many of the cars require a jumper to be installed before they can be flashed.

This one is typical. Notice there is one connection to read, another to write.

Honda Civic Flash Connections

I would start tracing the square test pads on the bottom back edge of your board to see if they go to any CPU debug port pins.

I would forget looking for the front door without the password. Trace the pads out, find the back door, get the password, and then go in thru the front.

It help to trace out pins if you clean off all the potting. Soak it in Methyl Ethyl Ketone (MEK) and go at it with a tooth brush.



__________________


Guru

Status: Offline
Posts: 963
Date:

imprez55 wrote:

...I was planning on just using a spare lead-acid battery and the stock wiring harness, but having a proper lab power supply would mean one step closer to making a model bike to test changes on.


 I would caution against using a battery without some kind of fuse in it. Even small motorcycle batteries have such relativly huge current potentials that any small connection mistake instantly blows ECU parts. 

Even the cheapest lab supply will have a current limiting feature.



__________________


Senior Member

Status: Offline
Posts: 350
Date:

Thats why im currently do all my testing in bike for now with Keihin ECU.
Cannot get it to power on supply, wants more ampere. At about 250 mA ECU only draws about 2-5V there, should be way more voltage there.
Dont dare to go any higher, if i would have connected a spare battery that would probably fried my ECU as Ridge say they can give a real kick for a short time :)

Ridge how do they do on the cars? Via Serial Programming?
You got any insight for a dumbass on K-Line read/writing?



__________________


Newbie

Status: Offline
Posts: 3
Date:

RidgeRacer wrote:
 I've heard the same thing. The one place I know that will flash hondas requires that you send them a minimum of 5 ECUs at a time.

The ECUunleased stuff is Piasini stuff. If you look at his pinout diagrams for Keihin equipped Honda Cars you see some interesting similarities with the Honda bike ECUs.

Unlike denso that runs the AUD/NBD/JTAG debug ports to an organized connector it appears Keihin likes to use test pads scatered around the board. Also many of the cars require a jumper to be installed before they can be flashed.

This one is typical. Notice there is one connection to read, another to write.

Honda Civic Flash Connections

I would start tracing the square test pads on the bottom back edge of your board to see if they go to any CPU debug port pins.

I would forget looking for the front door without the password. Trace the pads out, find the back door, get the password, and then go in thru the front.

It help to trace out pins if you clean off all the potting. Soak it in Methyl Ethyl Ketone (MEK) and go at it with a tooth brush.


 

Thank you for responding RidgeRacer! Your posts on the zx12 and eventually to here and other boards are what got me motivated enough to try my own hack; hopefully I have not gone in over my head. I also hope that with the groundwork you and others laid, it would not be an unreasonable timeframe to successfully flash and start on the definitions file by May.

That example flashing pinout seems to be quite scattered. I guess the best would be to do just as you said and try to trace as many pads close to the uC that I can. That would certainly be preferable to trying to solder directly to the M32R. I was looking for the front door as the primary means for flashing once I read the entire ROM, but that seems foolish if a jumper will need to be soldered in place anyway. I will have to see if I can determine if the FEW or MOD0 pins terminate to a bare pad, which would indicate a jumper being necessary like the car example you provided. I will run the board through some MEK or similar this Monday then, thank you for the recommendation.

 

I did not know that Piasini engineering was the same as ECUnleashed, I had thought they were an offshoot of SuperBike Toy Store acutally. I saw here that Piasini was going to try and be one of the first to crack the Honda ECU, however I did not hear anything further. Is there a thread I missed on his accomplishment or is his efforts purely commercial?



__________________


Newbie

Status: Offline
Posts: 4
Date:

Hi! I have cracked CBR1000RR 08-11 ecu. So, it has such MCU as CBR600RR 07-. I will receive a pair of CBR600RR ecus from UK for experiments in about two weeks.



-- Edited by Mef_agan on Wednesday 14th of November 2012 12:11:36 PM

__________________


Senior Member

Status: Offline
Posts: 350
Date:

Did you power it up successfully by one +12V and one Ground?

__________________


Newbie

Status: Offline
Posts: 4
Date:

I have powered up +12V 4 and 5 pins of black connector and grounded 23, 24, 25 pins of black connector.



__________________


Guru

Status: Offline
Posts: 963
Date:

Mef_agan wrote:

Hi! I have cracked CBR1000RR 08-11 ecu. So, it has such MCU as CBR600RR 07-. It is Renesas M32R 32176 series. I will receive a pair of CBR600RR ecus from UK for experiments in about two weeks.


 Did you get the NBD port working and uploaded it or did you read/write it through the serial port?



__________________


Newbie

Status: Offline
Posts: 4
Date:

No.



-- Edited by Mef_agan on Wednesday 30th of May 2012 11:08:21 AM



-- Edited by Mef_agan on Wednesday 14th of November 2012 12:10:50 PM

__________________


Guru

Status: Offline
Posts: 1233
Date:

Mef_agan wrote:

No. I have opened plastic case of ECU and connect flash programmer to MCU's JTAG pins directly.



-- Edited by Mef_agan on Wednesday 30th of May 2012 11:08:21 AM


I would be interested in finding out some more info about this, would you mind emailing me on ECUDataLogger@gmail.com 

or by all means share some more information up here on the forum :)

Cheers

-Justin.



__________________

site_logo_small.png

www.WoolichRacing.comTune your bike to the Limit with our Advanced ECU Flashing Products



Senior Member

Status: Offline
Posts: 350
Date:

Me too :)
Dont got an JTAG ecu to test on but im sure i will stumble upon one sooner or later so always good to learn.

__________________


Member

Status: Offline
Posts: 14
Date:

Any update about this?

I would love to see the connections diagram of the PCB (schematic), or at least some HD photos.

Also, if you could provide the .bin file, I could start looking into it.

Thanks.



-- Edited by mobyfab on Saturday 30th of June 2012 02:50:25 PM

__________________


Senior Member

Status: Offline
Posts: 350
Date:

Anyone got anywhere with this?
Got a similar ecu as above, did the serial lines go to connector?
Or do i need to cut a hole to the TPīs? Also, the opening on the top side Piasini does is it for the HRC mod?
Or is something needed to be able to program without cutting?

Anyone have a Honda bin to share so i can get the password?

Any tips arewelcome!

__________________


Senior Member

Status: Offline
Posts: 179
Date:

No Password at the File.



__________________

http://motorsport-brix.de/



Senior Member

Status: Offline
Posts: 350
Date:

Please elaborate,

All "00" or "FF" on the password address?
Or can you not use the serial interface on the Keihin ECU?

Do you have any pinouts for the TPīs or Connector? From any model with this similar Keihin ecu?

__________________


Veteran Member

Status: Offline
Posts: 30
Date:

I have worked with FI Setting Tool for Honda HRC CRF250/450 OEM Keihin ECU and ECU HRC Racing CBR1000 (Keihin also) and software HRC Data Setting Tool.
Connecting the cable diagnosis with 4 wires (12V - Ground - K-Line and L-Line). Read and Write and Boot need by emergency button ignition power cuts - OFF at the beginning of connection, and on.
The USB interface chip is Silicon Lab - CP210xVCP driver.

Kit HRC has harness racing too, but I think it is only by adaptations of a street bike to race. I do not think miss any wire communication.
I will try to connect to interface with the ECU street and see if it works.


Cable here:
http://www.ukroadandrace.co.uk/HRC-USB-COMMUNICATION-CABLE

Software and manual free download here:
http://www.factorypro.com/manuals/index_manual.htm

sorry bad english



__________________


Senior Member

Status: Offline
Posts: 350
Date:

Thanks Breno!

ECU cut down to TPīs and will continue as i have time.
Can anyone confirm what backdoor to attack?




-- Edited by Twice on Monday 20th of January 2014 03:26:10 PM

__________________


Senior Member

Status: Offline
Posts: 350
Date:

ECU is cut to tpīs and to mcu... Bootmode solved and confirmed.
Does anyone have any hintīs or are willing to help with the custom bootloader?
Or are knowledgeable enough to upload read kernel in ram via JTAG/RTD an run?



Attachments
__________________


Member

Status: Offline
Posts: 24
Date:

is anyone still working on these ecu's and/or willing to share what they have found?

__________________


Senior Member

Status: Offline
Posts: 144
Date:

Swami wrote:

is anyone still working on these ecu's and/or willing to share what they have found?


 Yes i am still working on these ECUs. I have developed a master tool for these ECUs and now i am working on the newer generation ECUs, which have a different processor.

Those ECUs use a honda specific protocol for reflash and datalogging also. You can read/write them from the main connector using this protocol.



__________________

For your DIY or Professional tuning needs be sure to check out
PVTech ECU Research & Development



Member

Status: Offline
Posts: 24
Date:

when will your software package be available for purchase psyche?
i also sent you an email

__________________


Member

Status: Offline
Posts: 14
Date:

Interceptor wrote:

I have worked with FI Setting Tool for Honda HRC CRF250/450 OEM Keihin ECU and ECU HRC Racing CBR1000 (Keihin also) and software HRC Data Setting Tool.
Connecting the cable diagnosis with 4 wires (12V - Ground - K-Line and L-Line). Read and Write and Boot need by emergency button ignition power cuts - OFF at the beginning of connection, and on.
The USB interface chip is Silicon Lab - CP210xVCP driver.

Kit HRC has harness racing too, but I think it is only by adaptations of a street bike to race. I do not think miss any wire communication.
I will try to connect to interface with the ECU street and see if it works.


Cable here:
http://www.ukroadandrace.co.uk/HRC-USB-COMMUNICATION-CABLE

Software and manual free download here:
http://www.factorypro.com/manuals/index_manual.htm

sorry bad english


The HRC interface is different from the OEM diagnostic interface, on the software side.

There is no L-line on any of them. The have a SCS pin that is not used on CBRs but must be tied to ground on CRFs to enable programming.

It's basically just a LIN BUS with variable bitrate, so a USB to serial (FTDI) and a serial to LIN transceiver is all you need. Very simple.

No special init, it runs at 9600 or 19200 Bps depending on the version of the ECU, speed is set by the HRC software.



__________________


Newbie

Status: Offline
Posts: 4
Date:

Hi guys,
I've implemented a little gadget based on Arduino that let me communicate with my Honda CB1000R ABS 2016 via DLC connector (k-line).
I'm able to retrieve some diagnostic data (RPM, ECT, SPEED, INJ....) and now I'd like to read/write the other ECU parameters (Injection maps, rev limiter, speed limiter, OS ecc..).
Can you please help me with Honda protocol? I know for sure that we can read/write the entire ECU content via DLC but I don't know the command to send via k-line, I just know how to retrieve some diagnostic data/table.


Thanks!

__________________
Page 1 of 1  sorted by
 
Quick Reply

Please log in to post quick replies.

Tweet this page Post to Digg Post to Del.icio.us


Create your own FREE Forum
Report Abuse
Powered by ActiveBoard