Members Login
Username 
 
Password 
    Remember Me  
Post Info TOPIC: Background - The project so far


Guru

Status: Offline
Posts: 963
Date:
Background - The project so far


In this thread I will cover the progress so far. For the sake of brevity I will leave out some of the false turns and dead ends along the way and basically summarize what we have found so far. It may take a couple days to get caught up.


The ECU studied in this project is out of a 2002 Kawasaki ZX-1200B1/B2. The ECU is manufactured by Nippon Denso and is marked;

21175-1089
112100-1300
12V TBCF14 V

The 21175-1089 is the Kawasaki Part Number for this ECU.

Here is what the ecu looks minus its case and protective potting.







-- Edited by RidgeRacer at 17:40, 2006-12-19

__________________


Guru

Status: Offline
Posts: 963
Date:
CPU


The ECU CPU is a private labled Nippon Denso part. That is it is not manufactured by Denso but bears a Denso part number on it. The CPU is marked;

D151851-4410
sc505407vfc
185

I had no luck finding any refrence to that part on the internet. I did find some info about other Denso ECUs that indicated they favored Motorola CPU.

(Motorola Semiconductor is now known as Freescale)

I was told that the ECU was known to be a 16 bit. Given that it was a Motorola 16 bit and the chips relatively unique 132 pin PQFP package that kind of narrowed it down to something in the MC68HC16 series

While not knowing the pinout of the CPU I could identify which pins were connected to power, ground, the crystal etc. I eventually matched up the CPU to a Motorola MC68HC916R1

This is a discontinued part but I was able to find a data sheet on it.

MC68HC16R1UM.pdf

As the project progressed I found that the CPU is not an exact match for the MC68HC16R1. It has more Flash memory and some minor functional differences.

Here is the pinout of the R1 CPU





-- Edited by RidgeRacer at 19:01, 2006-12-19

__________________


Member

Status: Offline
Posts: 9
Date:
RE: Background - The project so far


Okay Ridge Im on..

__________________
Brian Crowell


Guru

Status: Offline
Posts: 963
Date:

Glad to see you here. Let me know if you have any suggestions.



__________________


Guru

Status: Offline
Posts: 963
Date:
CPU Memory



One place the ECU CPU is different from a standard MC68HC916R1 is in the amount of onboard flash memory. The ECU CPU has;

32k Flash @ 0000:0000 - 0000:7FFF for program code
32k Flash @ 0000:8000 - 0000:FFFF for program code
32k Flash @ 0001:0000 - 0001:7FFF for MAP data
2k Flash @ 0009:0000 - 0009:07FF for boot loader

The CPU also has 4k of internal Static RAM

The ECU has an additional 512 bytes of external Serial Flash or NVRAM. The NVRAM is used to store information like FI error codes even when the ECU power is removed. While the CPU can reprogram its own flash it first requires the entire flash section to be erased. The external serial flash allows a single byte to be changed.

The majority of the 512 bytes is used to store Mixture Adjustment values that can be changed with the Mixture Adjustment Device or MAD



__________________


Guru

Status: Offline
Posts: 963
Date:
Is the ECU reprogrammable?


Yes and No.

I orginally started this project because I believed it was very likely that the ECU was reprogrammable through the 2 main connectors using either the terminals marked Input Signal to Memory and/or Not Used.

Good News, Bad News

I found the terminals marked Not Used are in fact connected inside the ECU and after passing through a driver circuit end up wired to a CPU Serial Port. The Bad News is that that when they manufactured the ECU they did not install the parts used by this communications circuit.




The good news is that while I found the ECU was not user programmable I did discover it had a Mixture Adjustment Port that allows you to adjust the fuel injection in a limited way. (See the Mixture Adjustment Device or MAD Forum)

While we may not be able to truly reprogram the ECU without making any modifications there is still an option. The BDM Port (see below)


-- Edited by RidgeRacer at 21:14, 2006-12-19

__________________


Guru

Status: Offline
Posts: 963
Date:
The BDM Port


The BDM port is what allowed me to pull all the software out of the ECU and disassemble it.

The problem with Single Chip Microcontrollers is by having its RAM, ROM, Input / Output modules, etc inside a single chip there is no place to connect a probe or logic analyzer. If there is a problem with your software it might as well be a brick.

For this reason the chip mfg's started adding dedicated development ports like JTAG to their CPUs so that developers could get 'inside' the chip and see what was going on.

The motorola CPU used by the has such a port. Its called a Breakpoint Debug Mode or BDM port. Better yet the folks at nippon denso left the port connections on the ECU circuit board even though it isn't used on production units.

I built a simple interface that allowed me to access this port and download all the code and data in the flash memory of the ECU onto my PC. Having all the software is what has allowed me to find out so much about the ECU.



While I orginally hoped to be able to reprogram the ECU from the main connectors with no modifications as it turns out the factory disabled that feature by not stuffing the required parts on the circuit board. However it should be possible to reprogram the ECU via the BDM port. Of course this would require access to the CN3 connector on the ECU. Because the connector is on the back edge of the board I think it would be possible to just create a small opening in the back and solder in a plug. Here is a photoshoped pic of what it would look like.



The black potting material that surrounds the board would keep the rest of the board safe and water tight.

I have not actually tried reprogramming the ECU through the BDM port yet. The first step of that process would be to erase the current flash and I want to make sure I don't need the ECU functional anymore before I start experimenting with reprogramming. I don't want to accidentally lobotimize it before I've had my way with it.

Stay tuned to see how it turns out.

-- Edited by RidgeRacer at 21:18, 2006-12-19

__________________


Member

Status: Offline
Posts: 13
Date:
Background - The project so far


So you can edit any of the runtime you like? If that's the case, these ECUs would be a really hot ticket for adding EFI to non-EFI bikes, or replacing non-editable ECUs with one that can be tuned with a bunch of switches and resistors, after setting an initial tune and making any changes to the code for different engine configurations and/or EFI hardware. This could be a Big Fat Hairy Deal (tm). :D

I look forward to seeing where this goes. Thanks for taking the initiative!

__________________


Guru

Status: Offline
Posts: 963
Date:

AWade wrote:

So you can edit any of the runtime you like?




Yes, but edit is such a small word for whats involved.

The CPU has several FLASH banks and the runtime code is in one bank and the fuel map in another. All can be reprogrammed. Of course the FLASH banks have no page or byte erase which means step one of reprogramming is to erase the entire bank. To change a single byte you would need to download the entire code, edit your byte, burn the entire code back in. Basically the same way you do with a fuel map.

Now if your just looking to change some limits its not a big deal. For example if you find the place in the code where it says:

if( RPM > 12500) { redline_limit(); }

and you want to change it to RPM > 13000 then you just change the value of the limit bytes the way you would a fuel map data point.

However if you want to rewrite the code to say:

if( RPM > 13000 ) { RPM /= 1000; mycustom_limit(RPM); }

then its a whole other ball game, actually its a whole other sport.  You would have to disassemble the code to the point that you could convert it into a source file. Add your new/modified code to the source, reassemble it and then download it. I'm not saying its impossible but its a several levels above just changing a fuel map.

Having said that I'm happy to report that the fuel map flash bank has a lot more in it than just fuel maps.  Almost any where the code makes an important decision dependent on a some constant value, like RPM limit, that value is located in the fuel map area. There are whole sections of the code that are never used because a fuel map byte turned it off. It really looks to me like Denso didn't design the zx-12 ecu from scratch but modified an existing design by changing what I would call 'personality' data in the fuel map area.

I guess the long and short of what I'm saying is that there is some flexibility already built into the design using the personality data if you wanted to try and use this ECU on some other bike.  And at this point we are very close to being able to re-FLASH the fuel map area of the ECU, including the personality bytes. On the other hand we our a couple hundred man hours away from doing something like getting this ecu to work on an engine that has a crank sensor that pulses 16 times per rev instead of 8 like a -12 motor.


__________________


Member

Status: Offline
Posts: 13
Date:

Thankfully, there are a lot of engines that could easily work with the basic physical parameters dictated by the baseline code; an inline 4 with a MAP sensor, a TPS, a Hall-effect cam sensor, a VR crank sensor, maybe a knock sensor, and a narrow-band O2 sensor, and COP. Making a crank rotor with the correct teeth is just a matter of making sure that the leading and trailing edges of the "fingers" are the same number of degrees apart, whatever the physical diameter of the rotor itself.

It should also be possible, once we know the flavor of CPU we're dealing with, and the layout of other ECU components WRT the CPU, it is possible (although it would take a lot of debugging) to write all-new code from scratch, giving the ability to use certain ports for other things, taking advantage of disabled functionality that's built into the ECU, etc. That would be down the road a good bit, I am sure, but it might be a very cost-effective way of fuel injection a vehicle that's not already injected, or adding functionality to a vehicle already having EFI.

Thankfully, with the speed of serial devices these days, it's not much time we'd have to wait for U/L or D/L of code or maps, even if we have to suck it all out just to pipe it back in with one bit changed. :D

And also thankfully, with MCUs having such great capabilities, memory assets, and clock speed, very little of the code these days is hand-coded to take advantage of the in-built timing and memory limitations of the MCU as it was in the early days of digital ECUs. That should make it much easier to decompile the code, and/or to write fresh code from the ground up. As long as you have sufficient processing speed, RAM/EEPROM, I/O, A/D and D/A, you can write high-level code and just compile it, making it easier for us to reprogram as well; we needn't be so worried about efficient code and hardware speed limitations.

I look forward to seeing how much of the theory in that area plays out as practical in the real world. I love a good challenge. :D

__________________


Member

Status: Offline
Posts: 11
Date:

Hi to everyone,

I am Billy from the Philippines. I have been reading lots of posts in this site regarding how to hack the ECU and I've decided to post my concern here. I am working in a company that specializes on rebuilding of trucks. Our company buys surplus Isuzu trucks (basically a front-cut with engine and transmission only or a complete body unit) from Japan, make some modification to them and rebuild them as if theyre brand new trucks. Most of the units that come to us are N series trucks. These units come to us together with its ECU. Since our trucks are already remanufactured, we realized that our ECUs need to be reconfigured or reprogrammed since most trucks that weve already rebuilt have different specifications (like tire size and transmission) from the original to which the ECU is originally designed to perform normally and efficiently.

I have made a lot of researched in the internet how to reprogram the ECU but usually what I can find are diagnostic tools for vehicles which are being connected to the OBDII connector (SAE J1962) of the vehicle. This connector is connected to the ECU and provides access of the diagnostic tools to the ECU. Some of the diagnostic tools in the internet offers reprogramming of ECU but the problem is they do not support reprogramming of ECUs of Isuzu trucks from Japan or they do not cover the models that come to us. Also, as I have read the website of Isuzu in Japan, I have found out that they're already offering diagnostic and reprogramming services for Isuzu vehicles but they only support models from the year 2005 and up. The models that come to us are usually from 1999-2004. So I thought there's no way I can reprogram our ECUs here anymore. But thanks to this forum, which give me an idea that there's still a way to reprogram our ECUs and that is by hacking it through its microcontroller's pins.

I was very lucky to find this forum in the internet. Though I found out that many of the post here are concerned in ECU of bikes, I am still being positive that some guys here can help me. Ive read this particular post in this forum and realized that the microcontroller posted here is similar to what to the one used by the ECUs of the Isuzu trucks from Japan. Ive realized that ECUs of Isuzu trucks were manufactured by Denso and Transtron. And ECUs manufactured by Denso uses a Freescale microcontroller which is similar to the microcontroller of the ECU mentioned in this post.

I am a beginner. I am humbly asking anyone out there who could possibly assist me how to hack our ECUs. Please let me know what are the special softwares and hardwares that I need to possibly do it. Ive attached below several pictures of one of our ECUs including the close up image of its microcontroller. Its an ECU manufactured by Denso designed for a 4HF1-1 engine. Isuzu Part Number is 897217 6312, and Supplier Part Number is 275800-5245.

3.JPG

 

 

4.JPG

5a.JPG


10.JPG

Lastly, I want to know if someone here know some special softwares which can be used to reprogram the ECU through the SAE J1962 connector of the vehicle. Alex Eisenberg from Australia offers a software called TOAD which include functions like diagnostic, recalibration of fuel injections and even reflashing of ECUs through the SAE J1962 connector but still it doesn't cover the models that we have. Please check this site: http://www.totalcardiagnostics.com/toad/ . 



-- Edited by billjones on Tuesday 18th of December 2012 12:48:25 AM

__________________
Page 1 of 1  sorted by
 
Quick Reply

Please log in to post quick replies.

Tweet this page Post to Digg Post to Del.icio.us


Create your own FREE Forum
Report Abuse
Powered by ActiveBoard