Sorry if this information is spotty/incomplete... It's been a long time since I worked on any of it.
OK. Most of the JECS Subaru OBD-II ECUs use the Mitsubishi M32R CPUs.
I put a couple of PDFs on my personal web space:
http://mongo.ducker.org/~oman/M32150Manual.pdf
http://mongo.ducker.org/~oman/rej09b0112_32fpusm.pdf
ROMs can be dumped off these ECUs with the normal memory read commands... just add 0x700000 to the address you want to read.
The 2.5 RS ROM is 262,144 bytes (0x40000) long, so valid ROM offsets run from 0x0000 to 0x3FFFF (read 0x700000 to 0x73FFFF to dump it).
I use IDA Pro to disassemble these files, so be aware that the disassembly engine in IDA has a bug with this CPU (I think it's in the ld24 immediate instruction). It may be fixed in later versions of IDA, so you might want to verify this.
For example, in the AF402-T3 ROM at address 0xBCF0:
ROM:BCF0 ld24 R2, #byte_10C ; Load 24-bit immediate
IDA shows that you're loading the immediate value 0x10C into register R2, but this is incorrect.
The instruction's binary encoding is
E2 01 01 0C
ld24 packs the opcode (0xE) and the destination register (R2) into the first byte and a full 24-bit immediate into the remaining three bytes, so this is really loading the value 0x1010C (the 0x10C IDA shows is just the low 16 bits of it). So be aware.
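To make the point concrete, here is an added example (mine, not the original poster's tooling) that decodes ld24 words straight from the ROM bytes and flags every ld24 whose immediate does not fit in 16 bits, i.e. the ones where a disassembler that truncates the operand would send you to the wrong address. The sample image is constructed for this example: the E2 01 01 0C word from the post, one ld24 with a small immediate, and one filler word; the base address 0xBCF0 is chosen so the first word lands where the post's example does.

```python
import struct

# ld24 Rdest, #imm24 in the M32R ISA: bits 31..28 = 0b1110, bits 27..24 = Rdest,
# bits 23..0 = the 24-bit immediate. 32-bit M32R instructions are word aligned
# and have bit 31 set; 16-bit instructions have it clear.
LD24_OPCODE = 0xE

def decode_ld24(word):
    """Return (rdest, imm24) for a 32-bit instruction word, or None if it is not ld24."""
    if (word >> 28) != LD24_OPCODE:
        return None
    return (word >> 24) & 0xF, word & 0xFFFFFF

def decode_ld24_bytes(raw):
    """Same, from the 4 bytes as they sit in the ROM (big-endian)."""
    return decode_ld24(struct.unpack(">I", raw)[0])

def format_ld24(rdest, imm24):
    return "ld24 R%d, #0x%X" % (rdest, imm24)

def scan_ld24(rom, base=0):
    """Walk an image in aligned 4-byte steps and collect every ld24 as
    (address, rdest, imm24, low16).  The aligned scan is exact for a straight
    code stream; a data table whose word happens to start with 0xE also
    matches, so confirm hits in the disassembly.  low16 is what a display that
    keeps only 16 bits of the immediate would show."""
    hits = []
    for off in range(0, len(rom) - 3, 4):
        decoded = decode_ld24(struct.unpack_from(">I", rom, off)[0])
        if decoded is None:
            continue
        rdest, imm24 = decoded
        hits.append((base + off, rdest, imm24, imm24 & 0xFFFF))
    return hits

def misleading_ld24(rom, base=0):
    """Only the ld24s whose immediate does not fit in 16 bits: the ones where a
    truncated operand display points you at the wrong address."""
    return [h for h in scan_ld24(rom, base) if h[2] > 0xFFFF]

# Constructed sample, not a real ROM: the word from the post (E2 01 01 0C),
# an ld24 whose immediate does fit in 16 bits, and a filler word that is not ld24.
SAMPLE_ROM = bytes.fromhex("E201010C" "E1000040" "70007000")
SAMPLE_BASE = 0xBCF0   # so the first word lands at ROM:BCF0 like the post's example

if __name__ == "__main__":
    for addr, rdest, imm24, low16 in scan_ld24(SAMPLE_ROM, SAMPLE_BASE):
        flag = "  <-- truncated display would show #0x%X" % low16 if imm24 > 0xFFFF else ""
        print("ROM:%04X %s%s" % (addr, format_ld24(rdest, imm24), flag))
```

Run it over a real dump with `scan_ld24(open("rom.bin", "rb").read())` and compare the flagged entries against the disassembler's operands; any mismatch is an address you would otherwise have chased into the wrong place.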
OK, the magic Select Monitor command you need to know is 0xAF:
0xAF 0x11 - Enter Flash Mode
0xAF 0x31 - Erase Flash
0xAF 0x61 - Program Data
To enter flash mode send the command
0xAF 0x11 P1 P2 P3 P4 P5 A1 A2 A3
The P bytes are the password and the A bytes are the address (here the size of the flash).
Use 0x04 0x00 0x00 for the address (0x040000 = 262,144 bytes, the ROM size).
The password is different for each ECU: it is the ID read from Select Monitor parameters 1 - 5.
Once the ECU enters flash mode the baud rate changes to 19200.
NOTE: when you execute the Erase and Program commands the ECU may (will) come back with a "command not completed yet" error.
When you receive this, just wait for the next response; it will be either another "command not completed yet", or "success", or "error".
This behavior is unique to flash mode and is something you won't see with normal Select Monitor commands, so your flashing code has to keep polling until it gets a final answer instead of treating the first reply as the result.
The Program Data command looks like this:
0xAF 0x61 A1 A2 A3 D1 D2 D3 D4 D5 D6 D7 D8 D9 D10 D11 D12 D13 D14 D15 D16
A1 - A3 are the address and D1 - D16 are the 16 data bytes, so each command programs one 16-byte chunk.
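The flash-mode exchange described above, as an added example (my Python, not the original poster's code). It builds the command bytes exactly as listed, chunks an image into 16-byte Program Data frames, and drives enter/erase/program with the poll-until-done loop that flash mode needs, against a simulated ECU. Assumptions, all mine: the three address bytes are big-endian (that is the reading under which 0x04 0x00 0x00 equals the 262,144-byte flash size); any framing or checksum Select Monitor wraps around the listed bytes is not described in the post and is not modelled; and the byte values of the "command not completed yet", success and error replies are not given either, so the simulated ECU hands back the symbolic strings BUSY/OK/ERROR and classify_reply is the hook where a real implementation would decode the real bytes. The ECU ID and the 64-byte image are constructed inputs.

```python
CMD = 0xAF
SUB_ENTER_FLASH, SUB_ERASE, SUB_PROGRAM = 0x11, 0x31, 0x61
FLASH_SIZE = 0x040000     # 0x04 0x00 0x00 from the post = 262,144 bytes
CHUNK = 16                # data bytes per Program Data command
FLASH_MODE_BAUD = 19200   # the ECU switches to this once in flash mode

def addr24(addr):
    """3 address bytes. Assumed big-endian: that reading makes 0x04 0x00 0x00 the flash size."""
    if not 0 <= addr <= 0xFFFFFF:
        raise ValueError("address does not fit in 24 bits: 0x%X" % addr)
    return addr.to_bytes(3, "big")

def enter_flash_cmd(password):
    """0xAF 0x11 P1..P5 A1..A3 ; P = the ECU ID from Select Monitor parameters 1-5."""
    if len(password) != 5:
        raise ValueError("password is the 5-byte ECU ID")
    return bytes([CMD, SUB_ENTER_FLASH]) + bytes(password) + addr24(FLASH_SIZE)

def erase_cmd():
    return bytes([CMD, SUB_ERASE])

def program_cmd(addr, data):
    """0xAF 0x61 A1..A3 followed by exactly 16 data bytes."""
    if len(data) != CHUNK:
        raise ValueError("Program Data carries exactly %d bytes" % CHUNK)
    return bytes([CMD, SUB_PROGRAM]) + addr24(addr) + bytes(data)

def program_frames(image):
    """Split an image into (address, frame) pairs, one per 16-byte chunk."""
    if len(image) % CHUNK or len(image) > FLASH_SIZE:
        raise ValueError("image must be a multiple of 16 bytes and at most the flash size")
    return [(a, program_cmd(a, image[a:a + CHUNK])) for a in range(0, len(image), CHUNK)]

def classify_reply(reply):
    """Map a raw reply to 'BUSY' (command not completed yet), 'OK' or 'ERROR'.
    The post gives no reply byte values, so the simulator below already returns
    these strings; decode the real bytes here against real hardware."""
    return reply

def wait_for_completion(link, frame, max_polls=100):
    """Send one flash-mode command and keep reading until the ECU stops saying
    'command not completed yet'. Normal Select Monitor commands never do this;
    flash mode does, so the first reply is not the result."""
    link.send(frame)
    for _ in range(max_polls):
        status = classify_reply(link.recv())
        if status != "BUSY":
            return status
    raise TimeoutError("ECU never finished the command")

def flash_image(link, password, image):
    """Enter flash mode, erase, program every chunk; returns the number of
    Program Data commands that completed successfully."""
    if wait_for_completion(link, enter_flash_cmd(password)) != "OK":
        raise RuntimeError("ECU refused flash mode (wrong ID?)")
    link.set_baud(FLASH_MODE_BAUD)      # reconfigure the serial link before the next command
    if wait_for_completion(link, erase_cmd()) != "OK":
        raise RuntimeError("erase failed")
    done = 0
    for addr, frame in program_frames(image):
        if wait_for_completion(link, frame) != "OK":
            raise RuntimeError("program failed at 0x%06X" % addr)
        done += 1
    return done

class SimulatedEcu:
    """Constructed stand-in for the ECU end of the link: password check, erase,
    16-byte programming, and 'not completed yet' replies before erase/program finish."""
    def __init__(self, ecu_id):
        self.ecu_id = bytes(ecu_id)
        self.flash = bytearray(b"\x55" * FLASH_SIZE)   # pretend old firmware
        self.in_flash_mode = False
        self.erased = False
        self.baud = None
        self._replies = []

    def set_baud(self, baud):
        self.baud = baud

    def send(self, frame):
        sub = frame[1] if len(frame) > 1 and frame[0] == CMD else None
        if sub == SUB_ENTER_FLASH and len(frame) == 10:
            ok = frame[2:7] == self.ecu_id and frame[7:10] == addr24(FLASH_SIZE)
            self.in_flash_mode = ok
            self._replies = ["OK" if ok else "ERROR"]
        elif sub == SUB_ERASE and self.in_flash_mode:
            self.flash[:] = b"\xFF" * FLASH_SIZE
            self.erased = True
            self._replies = ["BUSY", "BUSY", "OK"]   # erase reports 'not completed yet' first
        elif sub == SUB_PROGRAM and self.in_flash_mode and self.erased and len(frame) == 5 + CHUNK:
            addr = int.from_bytes(frame[2:5], "big")
            self.flash[addr:addr + CHUNK] = frame[5:]
            self._replies = ["BUSY", "OK"]
        else:
            self._replies = ["ERROR"]

    def recv(self):
        return self._replies.pop(0)

# Constructed inputs: a 5-byte ID and a 64-byte image (4 chunks) standing in for a full ROM.
ECU_ID = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
SMALL_IMAGE = bytes(range(64))

if __name__ == "__main__":
    ecu = SimulatedEcu(ECU_ID)
    print("programmed %d chunks, baud now %s" % (flash_image(ecu, ECU_ID, SMALL_IMAGE), ecu.baud))
```

To point this at a real ECU, replace SimulatedEcu with an object whose send/recv/set_baud talk to the serial port and whose classify_reply knows the real reply bytes; keep wait_for_completion as is, since the erase step in particular answers "not completed yet" several times before it finishes.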
Now, inevitably you will kill the ECU even if you do everything correctly.
So the first thing you need to get working, before you try to erase an ECU through the Select Monitor commands, is recovery flashing over the reset serial interface (RSIF) described below.
Check out the sections in the M32150 document on operation modes, the MOD0 and MOD1 pins, and "Programming of internal flash memory":
***
In the case of (1), first the software for programming the flash memory is transferred to the internal RAM
using the dedicated serial I/O, RSIF (RAM Serial InterFace). The RSIF becomes available by applying
+12 V (VPPH) to the MOD1 pin after the VPP pin (power supply to the flash memory) is pulled to VPPH.
This state is called the RSIF mode, for the period of which the M32150F4TFP is held reset.
After the software for programming is transferred to the RAM in the RSIF mode, VPPH is removed from
the MOD1 pin to allow the M32150F4TFP to exit the reset state. Then, the FENTRY bit of the flash control
register (FCNT) is set to 1, and the M32150F4TFP enters the flash mode. In this mode, the reset vector
entry moves into the starting address of the internal RAM (usually it is at the starting address of the flash
memory). Thus, the software for programming transferred to the RAM begins to program the flash memory.
***
This is how you will fix your broken ECU. You always want to learn to do this part first when cracking a new automotive platform.