I'm working on Nissan ECUs that can be reflashed through OBD2, in my case a QR25DE Denso ECU on an '04 Sentra SpecV (uses an SH7055). I'm more or less cross-posting on another forum (RomRaider), but I wanted to tap into this forum's experience with SH70xx MCUs... I know there's been some success using the AUD port, but I'm not sure I want to split open my ECU just yet.
The Nissan J2534 software can reflash these ECUs through the OBD K-line, it goes something like this:
- Connect to the ECU on the K-line @ 10.4kbps, ISO14230 protocol with fast init
- Do a few things I haven't finished reversing (get ECUID + version + prepare a RAMjump, etc)
- Do a SecurityAccess seed/key exchange (with the standard ISO14230 SID 27), I've reversed this and it works at least on one vehicle. But it requires knowing the 32-bit encoding key (found in the ROM dump, or inside official Nissan .dat reflash files)
- Do the actual reflashing with SIDs 34 (RequestDownload), 36 (TransferData), and BF (RamJump???). I'm not quite sure how this works; it seems to load some code to RAM and runs from there at some point (PC software refers to "ReqRamJumpCheck" and "requestJump").
Since I'm the current maintainer of freediag (freediag.sourceforge.net, an interactive command-line program designed to do pretty much anything OBD2, except CAN for lack of development), I'm using it to test different SIDs on my ECU. So far I can:
- read ECUID (SID 1A 81)
- read memory bytes (both ROM and RAM), and dump a ROM (mfg-specific SID A4 and SID AC)
- compute SID27 SecurityAccess key (I even put some source code on the other forum I linked to)
- calculate, and find the location of the checksum bytes (also documented on the other forum)
Is anyone else hacking Nissan Consult-II ECUs of this generation ? I'd love to think I'm not the only one working on this and not buying expensive closed-source "tuner" software...
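The post above talks about ISO14230 (KWP2000) requests such as SID 1A 81 and the SID 27 SecurityAccess exchange without showing how a K-line message is actually framed. The following is an added example, not code from the original post or from freediag: it builds and checks ISO 14230 frames with physical addressing (format byte 0x80|length, target, source, payload, 8-bit sum checksum), and classifies replies as positive (request SID + 0x40) or negative (7F, request SID, NRC). The ECU address 0x10, the reply contents and the sample ID bytes are constructed for the demonstration; the key derivation behind SID 27 is deliberately not part of this example.

```python
# ISO 14230-3 (KWP2000) message framing on the K-line.
# Physical-addressing format: [0x80|len] [target] [source] [payload...] [checksum]
# where the checksum is the 8-bit sum of every preceding byte. A positive reply
# carries request SID + 0x40; a negative reply is 7F <request SID> <NRC>.
TESTER_ADDR = 0xF1   # conventional tester address in ISO 14230
ECU_ADDR = 0x10      # placeholder ECU physical address (assumption; the post gives none)

# Negative response codes a SecurityAccess client must expect (ISO 14230-3 values).
NRC_NAMES = {
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}


def kwp_checksum(data: bytes) -> int:
    """8-bit sum over all header and payload bytes."""
    return sum(data) & 0xFF


def build_frame(payload, target=ECU_ADDR, source=TESTER_ADDR) -> bytes:
    """Wrap a service payload (SID + parameters) in a physically addressed frame."""
    payload = bytes(payload)
    if not 1 <= len(payload) < 64:
        raise ValueError("payload length must be 1..63 for the short header form")
    body = bytes([0x80 | len(payload), target, source]) + payload
    return body + bytes([kwp_checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Validate header, declared length and checksum; return addresses and payload."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    fmt = frame[0]
    if fmt >> 6 not in (2, 3):          # 10 = physical, 11 = functional addressing
        raise ValueError("only addressed header forms are handled")
    length = fmt & 0x3F
    if length == 0:
        raise ValueError("extra length byte form not handled here")
    if len(frame) != 3 + length + 1:
        raise ValueError("declared length does not match frame size")
    if kwp_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad checksum")
    return {"target": frame[1], "source": frame[2], "payload": bytes(frame[3:-1])}


def frame_ok(frame: bytes) -> bool:
    """Boolean wrapper around parse_frame for receive-side filtering."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def classify_response(request_sid: int, payload: bytes):
    """Distinguish a positive reply from a negative one instead of assuming success."""
    if payload[0] == 0x7F:
        nrc = payload[2]
        return ("negative", payload[1], nrc, NRC_NAMES.get(nrc, "unknown"))
    if payload[0] == request_sid + 0x40:
        return ("positive", bytes(payload[1:]))
    raise ValueError("reply SID does not belong to this request")


def demo():
    # Tester -> ECU: ReadEcuIdentification with option 0x81 (the SID 1A 81 from the post).
    req = build_frame([0x1A, 0x81])
    # ECU -> tester: constructed positive reply 5A 81 followed by sample ID bytes.
    ecu_reply = build_frame([0x5A, 0x81, 0x31, 0x32, 0x33], target=TESTER_ADDR, source=ECU_ADDR)
    # ECU -> tester: constructed negative reply to a SecurityAccess (SID 27) attempt.
    nack = build_frame([0x7F, 0x27, 0x35], target=TESTER_ADDR, source=ECU_ADDR)
    return {
        "request": req.hex(),
        "ecuid": classify_response(0x1A, parse_frame(ecu_reply)["payload"]),
        "security": classify_response(0x27, parse_frame(nack)["payload"]),
        # A frame with one corrupted checksum bit must be dropped, not parsed.
        "corrupt_rejected": not frame_ok(req[:-1] + bytes([req[-1] ^ 0x01])),
    }


if __name__ == "__main__":
    print(demo())
```

The request frame for SID 1A 81 comes out as 82 10 F1 1A 81 1E with the placeholder addresses; the receive path rejects a frame whose declared length or checksum does not match before any SID is interpreted, and a 7F reply carrying NRC 0x35 or 0x36 tells the client that the key was refused or that attempts are exhausted.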
Ah yes, I took a quick look at the 23710-EB310 ROM you (I think?) posted a while ago. I assumed it runs an SH7058, and did a bit of disassembly, but I didn't recognize a lot of stuff... For one thing my checksum algo doesn't work on your ROM. And I had trouble finding ISO14230 code in there... On the 3 ROMs that I have on hand, the checksum is in two parts; a 32-bit sum of all dwords, and a 32-bit XOR of all dwords. How does it work on your ROM ?
Have you reversed any other SIDs ? Any info on the Local / Common Identifiers used by SID 21 and SID 22 ? They're not related to flashing, but interesting nonetheless.
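The post above describes the checksum on the QR25DE ROMs as two 32-bit values, a wrapping sum and an XOR over all dwords, and mentions both computing it and finding where it lives. The block below is an added example written for this thread, not code from the post or from freediag. It assumes big-endian dwords (the SH7055 is big-endian), that the two checksum dwords are excluded from their own computation, and, for the locator only, that the sum dword is immediately followed by the XOR dword; the 32-byte ROM image is constructed for the demonstration. It does not apply to the 23710-EB310 ROM, which the post says uses a different algorithm.

```python
import struct

# SH7055 is a big-endian part, so the ROM is read as big-endian 32-bit words
# (assumption matching the MCU named in the thread; the post does not state byte order).
DWORD = struct.Struct(">I")
MASK32 = 0xFFFFFFFF


def sum_and_xor(rom: bytes, skip=()):
    """Return (32-bit wrapping sum, 32-bit XOR) over every dword in rom.
    Offsets listed in `skip` are left out; this is how the two checksum slots are
    excluded from their own computation (an assumption, not stated in the post)."""
    if len(rom) % 4:
        raise ValueError("ROM length must be a multiple of 4")
    total, xor = 0, 0
    for off in range(0, len(rom), 4):
        if off in skip:
            continue
        (w,) = DWORD.unpack_from(rom, off)
        total = (total + w) & MASK32
        xor ^= w
    return total, xor


def verify_checksum(rom: bytes, sum_off: int, xor_off: int) -> bool:
    """True when the stored sum and XOR dwords match a fresh computation."""
    calc_sum, calc_xor = sum_and_xor(rom, skip={sum_off, xor_off})
    (stored_sum,) = DWORD.unpack_from(rom, sum_off)
    (stored_xor,) = DWORD.unpack_from(rom, xor_off)
    return calc_sum == stored_sum and calc_xor == stored_xor


def fix_checksum(rom: bytes, sum_off: int, xor_off: int) -> bytes:
    """Return a copy of rom with both checksum dwords recomputed, which is what
    has to happen after any edit to the image or the ECU will reject it."""
    out = bytearray(rom)
    calc_sum, calc_xor = sum_and_xor(out, skip={sum_off, xor_off})
    DWORD.pack_into(out, sum_off, calc_sum)
    DWORD.pack_into(out, xor_off, calc_xor)
    return bytes(out)


def find_checksum_slots(rom: bytes):
    """Locate the checksum dwords without knowing where they are.
    Assumes the sum dword is immediately followed by the XOR dword (assumption
    for this example). With S, X the totals over the whole image and a, b the
    candidate pair, excluding the pair gives S-a-b and X^a^b, so a hit needs
    S-a-b == a and X^a^b == b: one pass over the image, no rescans."""
    total_sum, total_xor = sum_and_xor(rom)
    hits = []
    for off in range(0, len(rom) - 4, 4):
        (a,) = DWORD.unpack_from(rom, off)
        (b,) = DWORD.unpack_from(rom, off + 4)
        if ((total_sum - a - b) & MASK32) == a and (total_xor ^ a ^ b) == b:
            hits.append(off)
    return hits


# Constructed 32-byte "ROM" image for the demonstration (not a real dump).
# The two zeroed dwords at 0x10 and 0x14 are the checksum slots.
SAMPLE_ROM = b"".join(DWORD.pack(w) for w in (
    0x00000010, 0xFFFF8438, 0x00000000, 0x12345678,
    0x00000000, 0x00000000, 0xA5A5A5A5, 0x0000FFFF,
))
SUM_OFF, XOR_OFF = 0x10, 0x14


def demo():
    fixed = fix_checksum(SAMPLE_ROM, SUM_OFF, XOR_OFF)
    # Flip one bit in an unrelated dword: both stored values must now mismatch.
    tampered = fixed[:3] + bytes([fixed[3] ^ 0x01]) + fixed[4:]
    return {
        "sum_xor": sum_and_xor(SAMPLE_ROM, skip={SUM_OFF, XOR_OFF}),
        "fixed_ok": verify_checksum(fixed, SUM_OFF, XOR_OFF),
        "tampered_ok": verify_checksum(tampered, SUM_OFF, XOR_OFF),
        "found_at": find_checksum_slots(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed image the sum over the non-slot dwords is 0xB7DA8064 and the XOR is 0x486E880A; after fix_checksum the locator finds the pair at 0x10 in a single pass, and on the unfixed image (slots still zero) it finds nothing, which is the expected behaviour for a ROM whose checksum does not follow this scheme.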
If you need some stock ROM files for the work you are doing, I can help you out.
As far as I know, older models work over the K-line (pin 7 on the OBD port), newer models over CAN bus (pins 6 (H) and 14 (L)).
sure, if you have stock Nissan ROMs I'd be interested to see them !
My target vehicle (04 sentra spec-V, QR25DE) doesn't have the CANH and CANL pins on the OBD2 connector, so I'm focusing on K-Line reflashing for the moment.
I made some progress reversing the NERS software, I've discovered there's another layer of "encryption" when the PC sends SID 36 (TransferData) blocks. Luckily it's the same algo as the SID 27 key exchange, but it uses a different encoding number. I think it decrypts whatever data was in the SID 36 request, and writes it to RAM. Kind of like an encrypted bootloader, and then SID BF does something related to "RequestRAMjump"... I'm still fuzzy on the details.
What I'd really like to see is an original Nissan .dat reflash file - one of those would tell me precisely what gets transferred to the ECU... I'm almost tempted to spend 19.95$ to buy one.
Hi Fenugrec, please send me your email address, so I can send you the files of a few Sentra 2.5L 2005 with SH7055 I have. My email is christian.piasiniengineering.it
Waiting for your email.
ecu number i have is MEC110-182, and for that one I have two calibrations numbers
Well, I'm a bit stuck. I can see when and how the data is transferred to the ECU:
- SID 27 exchange: state=2
- SID 34 80 RequestDownload; does a weird thing with interrupts and some ports, and enables SID 36 (state=3)
- SID 36 TransferData: decrypts incoming data (with the same algo as SID27 exchange, easy) and copies to RAM @ FFFF8438
- SID 37 TransferExit, state=4
- SID BF 00 ReqRamJumpCheck, doesn't seem to do much
- SID BF 01 ReqRamJump, state=5
- ???
- SID 34 81,
- SID 34 82 (requestdownload for "CPU1 area" -- probably to prepare the actual "bitstream" to be flashed.
- Actual ROM bitstream; unknown format and probably not iso14230 any more but a custom bootloader protocol.
At this point, I'm screwed because:
1) I don't know what code has been loaded at FFFF8438, but I know we "jsr FFFF8438" to there at some point so it has to be a type of bootloader
2) I don't know at what time the bootloader in RAM takes over the control of serial comms, and how. It can't be interrupt-driven since the IVT could be written at any point during reflashing...
3) If I don't have the bootloader code, I can't guess how to send it ROM data because that info isn't included in the NERS software. (Factory Nissan reflash files have the bootloader and programming "bitstream" inside them)
4) If there are a few different versions of bootloaders (for different ECU hardware, CPU etc) I'm not sure how to handle that. It can probably be position-independent code to some extent, but it has to take into account different CPUs (sh7055, 7058 at least), and possibly different wiring (i.e. same comm interface)
5) There is no way I'm going to write and test a bootloader. I have only 1 ECU and I kind of need it, so any experimentation has to be relatively safe. That excludes trying to roll my own BL.
Christian: thanks, I got your files, but they are quite different from the QR25DE ROMs I have: different CPU, code structure, and checksum algos ! I'm not sure what to make of this.
So, given the lack of interest and help, I'm taking another break from this.
Twice wrote:fenugrec, you can use my car as test for your loader. i can back everything up (just not immo chip yet), and was thinking of putting external programming connector through case from PCB.
Thanks for the brave offer ! But you may have misunderstood, I am *NOT* making a bootloader ! I don't have time to make one from scratch.
Possible options I see :
1- Find or buy (20$) a real Nissan reprogramming file. They include the bootloader + firmware in one file. Then, either a) extract + reuse the BL, b) overwrite the original firmware payload and use the standard Nissan NERS software with this customized repro file.
2- Capture data during a real Nissan reflashing process (i.e. capture the K-line (iso14230) or CAN traffic between the dealer's tool and the car), and get a bootloader from there. I would expect to see the exact same data (BL + firmware payload) as contained in a repro file.
#1 is probably what Uprev Osiris did. They seem to have a few different bootloaders; they select the correct one and then transmit the BL + new firmware.
*** Twice: I'd like more details about your car:
1- Which OBD2 pins are connected ? (K only ? CAN ?)
2- Did you dump your ROM ? If yes, how ?
3- What is the CPU? SH7055 or SH7058 ?
I'm making a list of stock ROMs here, if you can add information that would be nice.
fenugrec wrote:
Thanks for the brave offer ! But you may have misunderstood, I am *NOT* making a bootloader ! I don't have time to make one from scratch.
Possible options I see :
1- find or buy (20$) a real Nissan reprogramming file. They include the bootloader + firmware in one file. Then, either a) extract + reuse the BL, b) overwrite the original firmware payload and use the standard Nissan NERS software with this customized repro file.
2- Capture data during a real Nissan reflashing process (i.e. capture the K-line (iso14230) or CAN traffic between the dealer's tool and the car), and get a bootloader from there. I would expect to see the exact same data (BL + firmware payload) as contained in a repro file.
#1 is probably what Uprev Osiris did. They seem to have a few different bootloaders; they select the correct one and then transmit the BL + new firmware.
*** Twice: I'd like more details about your car:
1- Which OBD2 pins are connected ? (K only ? CAN ?)
2- Did you dump your ROM ? If yes, how ?
3- What is the CPU? SH7055 or SH7058 ?
I'm making a list of stock ROMs here, if you can add information that would be nice.
I have NERS software and probably a stock file, but more like setting files, encrypted I think. But it is Psyche who has worked on exactly what you describe for a while between projects. So I must ask him first if it is OK to send it to you since it's not mine to "give". Stock tools did not do a full reflash of my spare ECU, which is why it has taken so much time. Problem after problem :)
Contacted UpRev, they only support the USA models (Frontier), they are petrol and use a Hitachi ECU instead. So no support for ours...
1. CAN lines are there, so is K-Line. And L-Line, or if that is used for something else.
2. I dumped my spare, 7058 MCU. Need to open case, AUD just like on GSXR. Just add watchdog ticker at 125hz on reset pad. (Contact me for pinouts) # 23710-EB310.
3. Might remember wrong, but 1mb file and think 7058. 190hp update at 2009 they updated ECU slightly, also other MCU with 1.5mb files. V6 2011- uses a Bosch EDC if I got it right.
Will take a look at the list and add what I have.
Small big update, I've progressed a lot on this, and I have the method of transferring + executing a small kernel in the ECU RAM. This is how Nissan does the reflash; the kernel takes over serial communications and takes care of the actual erase + reflash commands.
Most of this is documented on a RomRaider forum thread,
I've also created a wiki documenting these ECUs and the reflashing process :
Nissan ECU wiki
So, the next step is the comparatively easy task of writing a reflash kernel. At this point I've invested considerable effort and published a lot of information... I'm not really interested in developing a kernel good enough to publish as open source. I'll probably make one for my own use and that's it. It seems nobody is really interested in working on this except 2-3 people on the RR forums...
I'm probably talking into a vacuum by now, but for anyone remotely interested - I finally kicked myself hard enough and wrote a reflashing kernel. Which, by the way, was the final piece for a 100% open source ECU tuning workflow : )))
If you feel like contributing to the cause, stay tuned to that thread on RR !
it's on !! crowdsupply funding campaign