MY99 2.5RS USDM Romid

[Hito]

All,

I have been hoping for a place to get involved in disassembly for a long time!  This is great!!

I have not seen anyone post this yet, so I am not sure if you know but it is very easy to get the ROM off MY99-01 2.5RS ecu with the latest 3.0.25 version of ecuexplorer that was posted just before the project got abandoned by its creator.  Lucky for us it is all on code.google.com now!!  Just before the end he implemented a function called ecuQuery where the program would query the ecu starting at an address of your choice and with a defined length.  I used this tool to extract the following ROM from my MY99 2.5RS.

I am using a tactrix cable openport 1.2 I believe.

You can find the 3.0.25 Ecuexplorer here: http://code.google.com/p/ecuexplorer/downloads/list

I queried the ECU from 0x0000 to 0xFFFF, but stopped at 0xA000 because I got all zeros from 0x5000 to 0xA000.

I also tried with the Polaris Select Monitor tool, but all I got was 32k of Zeros.

I am new at this but want to learn!  How does this compare to the datasheet mentioned M32 Processor for OBD2 Ecus?

I will get a picture of the ecu soon.  I also have a spare MY00 RS ecu that I will hook up and get a dump off asap.  From MY99 to MY00 the car changed from MAFS to MAP so it will be interesting.

Is there any need for me to continue from 0xA000 to 0xFFFF??

[Hito]

http://www.renesas.com/fmwk.jsp?cnt=m32r_family_landing.jsp&fp=/products/mpumcu/m32r_family/

??

[b3lha]

The software in the ECU blocks access to major areas of the ROM (namely the firmware) They don't however block the higher addresses. If you try and read memory above 0x700000 the cpu ignores the high address bits and returns the rom.

Read memory from 0x700000 to 0x740000

[Hito]

Working..  but it's going to take hours with ecuexplorer to get 256k

is the rom really that big?

[Hito]

Alright Here it is!!  Hopefully we can get orthomong to help us identify some of it!

the outside of the ECU reads

B5
22611  AE550
A18-000 D72 stamped 9304

[Hito]

And the rest

but its all zeros up until the last 3 bytes

9c 66 FF

[Hito]

I also have a MY00 RS ecu that I could hook up it it would be helpfull, but if we can flash one we can flash them all..

[Hito]

a couple questions?

Is what we have here a M32R as some a eluded to?  I have to pull my case off and see if its 144pin.  In that case M32R is supported by IDA Pro advanced?  If so where would the "entry point" be?  0x4000?

!!

Todd

[Hito]

Does this look right at all?  IDA Pro Advanced set to M32R : M32176F2
there is also the option for M32176F3,F4 as well

I chose F2 bc its the older model and has 256k ram 144pin slot.

so does the above code make any sense?

obviously I am a newb here

[oman]

That looks like a good rom dump to me. also the m32 code there that you disassembled seems to make sense.

Try using this pre-processing script that I wrote.

Start a new disassembly in IDA Pro...   
select CPU mitsubishi m32rx
don't add a ram segment or anything.. just load it with the default rom segment.
when it gives you a list of known m32 processors just select [cancel]

when the file is loaded then run this idc script.   It attempts to do some register tracing.  It's not perfect but it should still help a ton.

[Hito]

HOLY COW!!

thanks!

[myto8]

It looks like reference to dtc are located at 04185 -05030
 

[Hito]

Getting more and more into learning the m32 and assembler.

Some questions:

what are the named addresses that are shown in pink?

for example:
CAN0CNT
COGMSKS0

are the A/D inputs? or something?
did the script define these?

You mentioned that once we had the rom started you would point us towards the code that "does the flashing"  Is it not like the denso stuff where you have to write a kernal that gets loaded in?  Is the code already there?

Is it possible to flash just the calibration section of the rom rather than the entire code section as well?

[franck]

im interresed for read impreza 99/2000
Which connectors do I have to Swith on/off to let software down/up load the ECU maps?

blacks?
Greens?
Both?

ecuexplorer ,tools,ecuQuery

[franck]

im interresed for read impreza 99/2000
Which connectors do I have to Swith on/off to let software down/up load the ECU maps?

blacks?
Greens?
Both?

ecuexplorer ,tools,ecuQuery

up