Members Login
Username 
 
Password 
    Remember Me  
Post Info TOPIC: cbr1000rr8 ECU Hacking Project


Member

Status: Offline
Posts: 5
Date:
cbr1000rr8 ECU Hacking Project


Hi all am a uk electronic engineer and have started what seems increasingly to be an ambitious project of cracking the Keihin ECU on a 2008 fireblade.
Has anyone got any data that could at all help?
Having read some of the posts on de-potting im prob going to have to do just that at some point, but for the moment am experementing with the odb-type port, since it is just that port that is used to prog the HRC ECU version.
Like said ANY!!!! help or ideas would be most appreciated

__________________


Guru

Status: Offline
Posts: 964
Date:

All I know about honda's is in the 03/04 600 thread you've already found. They use a JTAG interface that goes to some Test Point holes randomly distributed around the board.

I don't think there is any way your going to get around opening up at least one example.

__________________


Member

Status: Offline
Posts: 5
Date:

hmm, thats about what i thought. At the end of the day am wandering what im going to be able to learn once in there. Im going to be able to identify the microcontroller, associated system chips, and an idea of the architecture IF its a 2 layer pcb, 4 or more layers and your really screwed finding what goes where !!, prob going to be able to jtag any code of the chip. But that leaves me with an intel hex file and one muther of a disassembly/ code backward engineering, job. You guys seem to have done just this ( obviously without the jtag ) but seems a tad daunting to me !
I was hoping for a inbuilt boot-loader accessable through the odb connector, which i have a hunch is there, but hunch also tells me its access restricted in some way , codes or enable or some **** !
I can comms to/from the odb, have suitable circuit, checked, was going to brute force attack the port with a term prog from laptop till i got interesting results, but this could well screw the ecu, if i hit the right code and have no idea what data comes next could be grim !
I will let you know how things progress, either here or pm

__________________


Guru

Status: Offline
Posts: 964
Date:

I went at my first ECU, the ZX-12 with the same thinking; I'll just figure out the comms protocol. Ended up doing it the hard way.

The hardway is not as bad as it sounds. First you need to get your self a copy of a good interactive disassembler like IDApro. It does a lot of the work for you. Second you don't need to trace out all the pins to find out where they are connected.

Take for instance all the analog inputs like TPS, IAP, IAT, ECT, SAP, etc. Once you identify the CPU then you will know which addresses are the analog data registers. You can then scan all the analog registers with JTAG, change the TPS input, scan again. The one that changed is the TPS. Other pins you can figure out by looking at the code.


If it was easy everyone would be doing it smile

The ZX-12 was very hard because I went in totally blind. What I did on the 12 made it a little easier for PetriK to do the Busa. What Petrik did on the Busa made it easier for me to do the ZX-6 and GSXRs. I am now righting map definitions for ECUs I've never actually seen, let alone opened up and traced out.

If you get the code and identify the CPU then it is a fairly easy thing to find the Serial UART registers, find the baud, and which routines use the serial data registers in the disassembled code.

__________________


Member

Status: Offline
Posts: 5
Date:

now thats good sense and good advice mate!!
At the end of this comming week will have a HRC ecu to fit in my bike, then will have the original ECU to excavate, will read a little more on the site to see what the best way to do that. With a bit of luck may be able to save it and re-pot when done ( but not holding breath !! ) Not seen any way of PM ing people on the site, so my mail is zz.gemma@gmail.com.
Thanks for sharing your experience, hopefully we can add the fireblade to the list of sucesses!!

__________________
748


Newbie

Status: Offline
Posts: 1
Date:

Hi!

I am ne member, I have 08 1000 RR and I would like to know did you manage to progress with cbr ecu ? if you have information about cpu type mode I could also try find information. I do not know how much I could help but I would like to learn, I have been working programming embedded, but never working with hardware at the low level...


__________________


Newbie

Status: Offline
Posts: 1
Date:

Hi,
New guy to the ecu hacking world
Does anyone have any info on honda ecu's ,
I need to get into the CBR1100xx Fi ecu to over ride the fuel based rev limiter on the turbo bike I'm building. The ecu tries to lean out the motor at full throttle. I have been trying to get around it with a powercommander map but it would be much better to just remove the problem.
Cheers Graham

__________________
Page 1 of 1  sorted by
 
Quick Reply

Please log in to post quick replies.

Tweet this page Post to Digg Post to Del.icio.us


Create your own FREE Forum
Report Abuse
Powered by ActiveBoard