oldhat 09-11-2008 11:31 PM
Guys, I popped open the box and I think I found the main microprocessor (on a Z4):
JECS (looks like the company logo)
A12-212 705
M37791E4TJ
102 502100
Plus the serial number on a sticker? F52RC0201
Based on some googlez, it looks like the A12-212 XXX chip is used in Nissans, but their last 3 digits are different than ours
http://eccs.hybridka.com/viewtopic.php?f=2&t=138I bet we could all swarm over to this messageboard and start picking their brains.
http://eccs.hybridka.com/There's also another chip of the same size that might work as a slave to the main one but that's a WAG (wild ass guess). Looks like a Jecs as well, based on the nomenclature printed on the chip:
A19-257 025
445101
Check this out though (warning, PDF):
http://www.calumsult.com/calumsu/dis...0interface.pdfThis is some kind of diagram from a GC8. Looks like this guy has been trying to disassemble Subie ECUs for a while. Check out this page:
http://www.calumsult.com/calumsu/disassembler/SVX/I already grabbed all of those files for safekeeping in case this goes away.
If you go higher up in the hierarchy, you can see he's been messing around with a bunch of different brains. S14s and S13s. Looks promising? But the top domain is forbidden for some reason. I want to email this dude!
PhyrraM 09-11-2008 11:36 PM
He is what I know. It's bits and pieces for now, but tomorrow I'll try to follow up with links.
The pre-OBDII Subaru ECUs can use eproms to store the program code and the data variables. Even if the original data is stored in the microcontroller itself, most of the ECUs can have that internal (to the controller chip)data "bypassed" by plugging eproms with new data into the sockets and cutting a jumper on the circuit board to "activate" the socket.
These pre-OBDII ecus had what Subaru called a Select Monitor Port. It was basically Subaru's diagnostic port before they were standardized by OBDII. There are a few guys out there that have been able to hack the Select Monitor protocol. Vikash on Legacy Central, the VWRX guy and a team on one of the SVX boards, to name a few. The SVX team is actually working on making the JECS SVX ecu into a programmable ECU of sorts by using an emulator instead of an actual eprom.
What we need to concern ourselves with is that the SVX guys (I think) know how to get the ECU to dump it's own code to us through the Select Monitor interface. That's the first step. Once you have a copy of the code, then you can go about the process of seperating the program from the tuning data. The program then gets decompiled/reverse engineered to figure out how the ecu works and possibly change subroutines and such. The tuning data/tables, once identified, can be immediatley changed to suit engine mods.
There are a few monkey wrenches. Early cars had both Hitachi and JECS ECUs. While both have Select Monitor interfaces, there appears to be a slight difference the actual protcols. And, while I've spent some time reading up on this stuff, I have zero programming skills. So, while I'm confident that I could get the ECU to dump it's data, I wouldn't have a clue how to start digging into it.
I'd start with a google search on SSM, Select monitor, VWRX, SVX ecu project, etc. I'm sure most of the sites I've been to will be uncovered pretty fast. If we get the RS25ers with the right skills to read them, I'm sure we could make alot of progress fast. Probably be just about caught up with others.
Hope this helps. And also subscribed.
oldhat 09-11-2008 11:42 PM
Quote:
Originally Posted by PhyrraM (Post 1461105)
Hope this helps.
You kidding? :banana: Please keep coming back to this thread!
I saw a bunch of SVX stuff when I was googling, any idea why the SVX guys are so into this kind of tuning?
PhyrraM 09-11-2008 11:42 PM
Here's the SVX site. Lots of links to peruse. The EJ20G and Early Legacy ECUs are supposedly very close to the SVX ECU.
http://www.alcyone.org.uk/ssm/PhyrraM 09-12-2008 12:01 AM
Quote:
Originally Posted by oldhat (Post 1461111)
......., any idea why the SVX guys are so into this kind of tuning?
Not really. I would guess that they are really into thier cars to the point that need engine management, but with only about 25K sold worldwide (14K in NA) the market for Link or Autonic isn't there.
It really only takes one motivated guy with the right background to get something like this off the ground. To bad that guy has an SVX instead of a V2 STI swap.
Of course once it's rolling, you get more help (and alot of waiters and wanters).
PhyrraM 09-12-2008 12:05 AM
One quick link before bed. Looks like the SVX site already has a EJ20G ECU dump. Looks to be a Z4 ECU dump. Last one in the ECU list. Anybody know machine language?
http://www.alcyone.org.uk/ssm/roms/index.htmlOlson 09-12-2008 12:29 AM
SO.... do the subies run an Eprom ecu?
if they do couldnt we make our own eprom chips for them like th dsm guys do??
oldhat 09-12-2008 01:21 AM
Yeah, from what little I've read, the early ECUs used EPROM but I don't know about the later ECUs. I don't see any reason why we couldn't write our own like the DSM guys.
I think we need to start by reading up on this thread and borrowing their techniques:
http://www.subaru-svx.net/forum/showthread.php?t=38685I sent an email to Phil, the guy who started that thread because he asked on his site for anyone with a new project to get in touch with him. Hopefully he'll respond, but for now, I'm going to start reading the thread and try to make sense of it. I'm not much of a programmer so this is pretty tough to understand on the first pass. Anyone with some programming experience want to take a look?
1999impeza2.5RS 09-12-2008 01:36 AM
subielink sounds good. lol. if you could do that I would deffinatly buy one. my buddy was showing me his dsmlink on his laser. that thing was awsome. he was turning the fuel pump on and off with one click of the mouse and stuff. it looks to be a very powerful tool. I guess he was saying you can install that on any eprom ecu. I guess there were people that installed it in other cars. you might want to look at dsmlink.com and check out what info they have on there.
bugman1964 09-12-2008 03:04 AM
easy they to are in need of tuning. there isn't a whole lot of support for those sex rockets. maybe we should try teaming up with them.
Does no one make a unit for the nissan that uses the same chips and maybe we could take a look at that unit?
We also need a unit that works on the stuff from obdII times ie: the 96-01 na's
b3lha 09-12-2008 03:41 AM
Hi from the SVX team!:)
Thanks for letting me know about your project. Maybe I can point you guys in the right direction to help you get started.
The first thing you need to do is build a cable to connect your PC to the yellow 9-pin select monitor plug on your car. Using the cable and various bits of software you can read and write data from the ECU (and TCU if you have an automatic gearbox).
The car talks over a serial protocol, like the 9-pin serial port on older computers. But the voltage levels are different. For this reason you need an "RS232 to 5V TTL converter". With a more modern computer you can use a "USB to 5V TTL converter". On the end of the cable, you put a radio harness connector for a 1st gen Legacy, it's a perfect match for the Select Monitor connector.
Having built or bought a suitable cable, you can amuse yourself by running various bits of datalogging software. Have a look at
www.limitless.co.nz or
www.vwrx.com.
For reverse engineering, you need to learn a bit about assember language programming. You also need to learn the principles of how engine management systems work. More than anything, you need a lot of time and patience.
You will need to download the ECU ROM to a file and disassemble the machine code into assembler langauge. Use the Polaris Snowmobile software from
www.rensu.net. These snowmobiles are made by Fuji Heavy Industries and they use the same type of ECU.
I'll do my best to answer any questions that you have. My website will be updated sometime in the next week or so and much of the information presented will be relevant to your project.
Phil Skuse.
offspringpunk14 09-12-2008 05:47 AM
This is kind of pointless but Ill say it anyways, I used to be into the dsm scene when i was younger. Well im only 18, but still a little bit ago. But dsmlink is an awesome program, I never had it on any of my cars but it is like stated a very powerful program and you get and eprom chips made for what mods you have like injector size and that. Its a very cool program. It would be awesome if we could get something like that!
squared away 09-12-2008 06:40 AM
There are plenty of piggyback and stand alone ECUs out there with more than enough clout to do what anyone is looking for. And much easier, might I add.
Build me a black box that will mimic the ECU and give any OBD-II reader an "ALL CLEAR" signal and allow me to pass through emissions/inspection testing without any problems, and I'll listen. Plug the black box into the OBD-II port and run whatever the hell you want underneath and program to your heart's content via 3D A/F maps, accurate datalogging and a host of other traits available with aftermarket ECUs.
The wheel rolls, why reinvent it?
Carisma 09-12-2008 06:43 AM
oldhat - Talk to member "rob". He could probably help you.
oldhat 09-12-2008 11:34 AM
Quote:
Originally Posted by squared away (Post 1461186)
The wheel rolls, why reinvent it?
Because we're nerds?
Also, like offspring said, DSMLink is powerful (I read more about it last night -- sounds basically like it turns you into a car God-- some guys were running 8s on it). Maybe we can write some software that would be even better than the standalones or reflashes on the market for free and we can get into uncharted territory as far as ECU tuning goes.
Big YES on trying to figure out how to crack the '96-'01 NA ECUs.
And thanks Phil for showing up and pointing us in the right direction. This is coming together real nicely for less than 24 hours into it. :banana:
oldhat 09-12-2008 11:53 AM
Oh my.
LOL. A very generous anonymous just sent me a very, very powerful piece of ECU tuning software that we can modify or just hack around through and steal ideas from. Heh, this is getting interesting.
Dudes, we're kinda getting right down to business here. PFC and ECUTek ain't got nothing on RS25.com. For real.
Skidd 09-12-2008 11:56 AM
The idea of working with the older Subaru Unisa/JECS ECU is not a new one
http://forums.openecu.org/viewforum....2ea288fdfdb745But, as you can see on that board, nobody actually made any head way. The 02+ guys all have the OpenSource flashable DENSO ECUs. Nobody has yet cracked the JECS one. Or atleast, cracked and made it public.
Talking the SSM protocol to our cars (00RS) is not new either. The Tactrix OBD2 cable is a RS232->TTL converter. I've myself already written software that can monitor engine sensor values through the SSM protocol. JDash. I'm currently working on a "Lite" version that runs on mobile devices JDashLite.
However, I know nothing about using the SSM protocol to extract the ROM data. The SSM protocol is not public domain, so what we know about it, is what's been figured out by the guys at VWRX and Colby (author of ECUExplorer). I used their reference material to write JDash. The Denso guys know the correct SSM protocol procedures required to do a ROM dump, and to re-write also. Nobody seems to have figured out how to do the same on the JECS ECUs.
I tried extracting all the data from my JECS ECU byte-by-byte with the basic SSM protocol. But, at 4800baud, it was taking a REALLY long time, so I gave up. Plus, I didn't know if it was even getting me anything usefull. It seemed to repeat the byte pattern every few thousand bytes. I'm pretty sure this was not the correct way to extract the ROM image.
As for I-Speed. As I understand it, they didn't crack the JECS ECU Either. They are using a bit of commercial hardware/software from a company out of the UK that can tweak the ECU ROM. I don't believe that company even sells it any more. So, I-Speed and Yoshi have a nice corner on the JECS market. I-Speed and Yoshi did however dyno-tune cars to create maps for this software.
Regardless of what worked or failed with our ECUs... I'm game to help out where/when I can!
oldhat 09-12-2008 12:04 PM
This piece of software that anonymous just sent me is a game changer as far as this project goes, I think.
Any programmers, please PM me so I can show you what it is.
http://i120.photobucket.com/albums/o...merman/22b.jpgSkidd 09-12-2008 12:27 PM
Here is a link to a guy what is/was working on decyphering the JECS SVX ECU. Which, "should" be compatible with our RS JECS ECU.
http://www.alcyone.org.uk/ssm/Looking at his findings, it appears that the tedious and slow process I was using to get each byte of ROM memory might have been correct.
And although its slow, I can try again for any of you assembly code guys.
jakeachy 09-12-2008 12:35 PM
wow this thread blew up fast.
oldhat 09-12-2008 12:37 PM
Quote:
Originally Posted by Skidd (Post 1461397)
Here is a link to a guy what is/was working on decyphering the JECS SVX ECU. Which, "should" be compatible with our RS JECS ECU.
http://www.alcyone.org.uk/ssm/Looking at his findings, it appears that the tedious and slow process I was using to get each byte of ROM memory might have been correct.
And although its slow, I can try again for any of you assembly code guys.
Yeah, I emailed him and he posted in the thread! His name is b3lha.
jakeachy 09-12-2008 12:38 PM
Quote:
Originally Posted by Skidd (Post 1461397)
Here is a link to a guy what is/was working on decyphering the JECS SVX ECU. Which, "should" be compatible with our RS JECS ECU.
http://www.alcyone.org.uk/ssm/Looking at his findings, it appears that the tedious and slow process I was using to get each byte of ROM memory might have been correct.
And although its slow, I can try again for any of you assembly code guys.
thanks alot for that link!!!
oldhat 09-12-2008 12:42 PM
Rob's PM inbox is full, if anyone sees him, please let him know about this thread. Also, if you know anyone on the forums who might be good with programming or decompiling or assembly, please let them know, too.
MattB 09-12-2008 12:44 PM
If there is anything I can do to help this along please let me know and I will do my best.
I have a Tactrix cable and can do any extraction/experiments we need.
As of now I am not very knowledgeable when it comes to ECU's and coding but I am working on my bachelors in Computer Science so I have some basic programming knowledge. This is definitely a project I am willing to work with.
Also if we do have a breakthrough here I think we all need to agree to keep this information PUBLIC! I want to make this available to anyone and everyone if we can figure this out.
oldhat 09-12-2008 12:47 PM
Quote:
Originally Posted by MattB (Post 1461417)
If there is anything I can do to help this along please let me know and I will do my best.
I have a Tactrix cable and can do any extraction/experiments we need.
As of now I am not very knowledgeable when it comes to ECU's and coding but I am working on my bachelors in Computer Science so I have some basic programming knowledge. This is definitely a project I am willing to work with.
Also if we do have a breakthrough here I think we all need to agree to keep this information PUBLIC! I want to make this available to anyone and everyone if we can figure this out.
Agreed, this should be 100% open source, it's not fair or ethical otherwise. Matt, send me your email, I have something to show you.
Skidd 09-12-2008 12:59 PM
Dang... There just might be something too all this!!
Could it be possible? OpenSource tuning on the older gen ECU? :clap:
Anybody here speak Assembler? My brain only seems to understand Java and C. :p
MattB 09-12-2008 01:00 PM
I am with you...JAVA and C...beyond that my brain hurts.
oldhat 09-12-2008 01:09 PM
Quote:
Originally Posted by Skidd (Post 1461428)
Dang... There just might be something too all this!!
Could it be possible? OpenSource tuning on the older gen ECU?
If we do it, let's do it RIGHT. Let's make the software look pretty when you fire it up instead of some ugly field with cells to put numbers into, let's make it basically rock solid as far as stability and let's make it support EVERY Subie ECU (both JDM and USDM) flawlessly. Let's aim for as close to perfect as possible. And fully open source so we don't get sued by Fuji Heavy Industries and their Fuji Heavy Lawyers! :lol:
I think supporting every ECU is a good goal so no one is left out of the fun.
Skidd 09-12-2008 01:16 PM
The good news is, we wouldn't have to write the tuning software. Thats what RomRaider does. And it does it well too. It takes ROM files combined with a definition file specific to the ROM, and allows you to tweak the values to your needs. What's missing for the JECS ECU is an accurate map of what the ROM file contains, and the ability to both download the stock ROM, and then upload the modified map.
So.. what's needed (simple version)?
1. Retreive ECU ROM bytes.
2. Reverse engineer ROM to identify parts (RAM, ROM, IO, Interrupts, etc)
3. Reverse Engineer operation codes to find maps in ROM (fuel map, ignition map, DTCs, etc)
4. Define RomRaider definition file to allow tweaks to ROM part.
5. Upload modified ROM map to ECU
Did I miss anything?
MattB 09-12-2008 01:17 PM
It looks like this anonymous software might not be the deal breaker we hoped for.
Under Supported ECU's I found:
http://lh6.ggpht.com/ImprezaSTi01/SM...w/s800/ECU.jpgjakeachy 09-12-2008 01:19 PM
Quote:
Originally Posted by MattB (Post 1461434)
It looks like this anonymous software might not be the deal breaker we hoped for.
Under Supported ECU's I found:
http://lh6.ggpht.com/ImprezaSTi01/SM...w/s800/ECU.jpgexactly what i got aswell.
oldhat 09-12-2008 01:21 PM
It's not the holy grail but it's a start...we can at least see what they were doing and borrow/modify. Can anyone decompile it so we can see the guts? We might be able to figure out the architecture of the chips if we can figure out what the software calls/interrupts/pwns, etc.
A huge head start for us is Phil and the SVX guys plus the Nissan Skyline guys have been hacking their Jecs for years. I'm sure they'd love to spread their knowledge. I'll start emailing the Nismo guys and see what they have to say.
