I learned the reflash commands from reverse engineering the actual ecu code.
I believe I got the manual from a link on the openecu forums? It's been a long time but I've grabbed info from renaesas's website. Who knows what's available anymore... these chips are ancient.
You need to get the RSIF stuff working because these chips often just fail during the flash process and there's not much you can do about it except try and repair them afterwards. These chips/ECUs kind of suck for that reason. I'm sure you could probably just upload the same flash program that subaru uses internally with perhaps some extra initialization code if you didn't want to write your own from scratch.
One thing that might be worth doing is coming up with an alternative flash method. perhaps by "taking over" the ecu or just flashing in a small replacement stub that allows you to upload something more robust.
I've had luck in the past uploading arbitrary code on a subaru ecu and overwriting the stack with a bogus return address to get the code to execute. That's how I managed to first dump the code off of my 2002 wrx. It's kind of hacky but since we're not likely to see any new JECS ecus you can probably make it pretty reliable/transparent and make a more robust flash program with some real error correction capabilities and speedups.
Oman:
What you've said makes reasonable sense. I'd be interested to know where you got the user manual from since I can't find it anywhere else on the internet!
Anyway... Are you saying we need to read up about the MOD0 and MOD1 pins in order to use the RSIF interface in order to reflash OR only that we need to because we are very likely to damage the flash on attempting to reflash it meaning we can't use the bootloader present and have to resort to the RSIF interface to get the original rom back in?
My understanding is that you do not need to use the RSIF functionality if there is a bootloader in there already (which there is, and copies itself to ram to execute)
How did you find out the flash mode select monitor commands? from the disassembly??
If anyone has the full IDA pro disassembler output I'd be very interested to help out. I have a spare AE801 ecu. 160pin MCU i.e. 32150.
I'm an electronics engineer so I vaguely understand whats required but its tricky without the tools. It looks like disassembling the existing boot loader should be the next step but I don't have a disassembler.
