|
Post by dino2gnt on Jan 20, 2022 23:29:24 GMT
Took quite a long time to pull this out, and I had to piece it together from a couple failed attempts, but I verified the offsets were correct when I concatenated everything back together.
This is a '98 Dodge Stratus 2.4L ECU from a junkyard car. It is currently bare, unpotted, and sitting on my desk wired to the ccd/sci scanner.
Hopefully you find this useful and informative.
Attachments:04896004.bin (127.99 KB)
|
|
|
Post by admin on Jan 21, 2022 23:10:37 GMT
Thank you! Looks like 1 byte (FF) is missing from the end but otherwise looks intact. Something you should know, there's a widespread "bug" in the SBEC3 flash files that prevent reading them fully.
That ECU you have has 256k flash memory and the ROM reading command is limited to 128k. They probably forgot to broaden this reader backdoor. The function that actually returns ROM values are nowhere to be found in the first 128k, that's why I'm sure it's 256k.
We have tested a patched flash file with a 1-bit modification and the SBEC3 allowed to read the whole 256k. It's kind of a bummer. No easy way around this other than re-flashing the ECU with the patched flash file or uploading a custom worker function to read the full ROM. This involves the first few steps of the re-flashing procedure which is out of the scope of this scanner.
What were the reasons that made the flash reading sessions fail for you? Timeouts? Wiring issues?
|
|
|
Post by dino2gnt on Jan 22, 2022 1:47:58 GMT
Thank you! Looks like 1 byte (FF) is missing from the end but otherwise looks intact. Something you should know, there's a widespread "bug" in the SBEC3 flash files that prevent reading them fully. That ECU you have has 256k flash memory and the ROM reading command is limited to 128k. They probably forgot to broaden this reader backdoor. The function that actually returns ROM values are nowhere to be found in the first 128k, that's why I'm sure it's 256k. We have tested a patched flash file with a 1-bit modification and the SBEC3 allowed to read the whole 256k. It's kind of a bummer. No easy way around this other than re-flashing the ECU with the patched flash file or uploading a custom worker function to read the full ROM. This involves the first few steps of the re-flashing procedure which is out of the scope of this scanner. What were the reasons that made the flash reading sessions fail for you? Timeouts? Wiring issues? So far both of the 128k bins I've been able to read out have been missing the last byte; it appears the scanner never requests it: Command: 26 Start offset: 01 35 06 End offset: 01 FF FF Increment: 00 00 01 Output: ROMs/PCM/pcm_eprom_20220121_145810.bin Binary size: 51962 bytes = 50.74 kilobytes. Memory reading session is ready to start. Start memory reading session. TX: 26 01 35 06 RX: 26 01 35 06 FF | ok <...> TX: 26 01 FF FD RX: 26 01 FF FD FF | ok TX: 26 01 FF FE RX: 26 01 FF FE FF | ok Output: ROMs/PCM/pcm_eprom_20220121_145810.bin Memory reading session finished.
All the ECUs I have in front of me use a TMS28F200AZ flash chip, 256K divided into banks of 16k, 8k, 96k, and 128k. Perhaps command 26 will only read from one bank, I don't know. I don't have a way to disassemble HC16 yet. I do have a PSOP44 compatible flash chip reader and a 05293190 ECU that won't boot, so I may desolder the chip off that one and try to read it outside the ECU.
I'm exploring using your scanner to interact with the ECU via SCI while in bootstrap. I thought I could get it into bootstrap with 12V+ on the SCIRX pin, but when it comes up that way, it appears there is no one home to talk to. Your blog post on the reflash procedure details a different method I haven't seen before, so I'm going to try that next. I have a stack of junkyard ECUs here, so I'm not worried about damaging them. I do wonder how picky it is about that stabilization time, though. I had thought the 20V requirement was only to overcome some internal Zener and get the 12v+ programming voltage to the Vpp pin on the 28F200 and not required for bootstrap but it appears things changed. I can tell you that Vpp is only ~4.3V with 12V on SCI RX.
If you're doing any work on reflashing, I'd love to be involved.
The flash reading failures, no telling. I have a factory 80pin ECU harness wired (poorly) into a female OBD pigtail, and the USB device passed through to a Windows 10 virtual machine running the software. It's failures all the way down.
I managed to get 128K of this dump from a working 05293190 with only one timeout. It's also missing the last byte.
Attachments:05293190.bin (127.99 KB)
|
|
|
Post by admin on Jan 22, 2022 7:59:57 GMT
Right, this was a bug in the earlier versions of the GUI. Please update to the latest one. It includes a fix that makes the reading session more stable as well.
That was my first impression too but I couldn't find another command to read the second portion of the flash chip.
Please don't do that, the scanner pins are not protected above 5V logic voltage, so 12V and 20V will damage them!
Will reply to this later, I just wanted to warn you about the unprotected nature of the scanner first.
Edit:
I don't know about +12V bootstrapping, SBEC3's only seem to have +20V programming voltage.
The blog post doesn't mention this because I didn't know at that time, but you should apply +20V to RX-pin while key is off, then turn key on and the ECU will start up in boot mode at 62500 baud. At this point remove +20V from RX-pin.
Stabilization time of the +20V programming voltage, according to the SCI-bus paper, must be 1 ms or less, so you can say the ECU is picky about this. The DC-DC boost circuit must be strong.
Then you must upload a bootloader function to take control of the ECU. This is a overly simplified function similar to what runs in the original firmware, it's just limited to very basic features. After that the bootloader function can be instructed to accept a worker function that does actual work.
I have a few example reverse engineered binaries for the bootloader function and worker functions. I'll start a thread for them.
|
|
|
Post by dino2gnt on Jan 22, 2022 15:10:14 GMT
I didn't expect them to be, the scanner gets disconnected first. That's my understanding as well, with the caveat that the 20V+ has to be reapplied to unlock the flash chip for write between sending a data block and the bootloader writing it. I assume part of the write function is "sit and spin until the flash CSM says Vpp went high, then write" By the by, would you be interested in sharing the 01_LdBoot.bin bootloader binary from your blog post? In the post the first line appears to be missing the 16th byte. Confirmed tonight for my own edification that 20V+ on SCIRX does indeed get me 12V+ at the 28F200's Vpp pin. It also brings CSBOOT high on the MCU, which if I've read the datasheet right means it should be looking for reset vectors in internal memory instead of external (flash). Maybe I just need to put something in memory before resetting. (that is close to my understanding of how the early aughts WRX process works, which uses the same processor family but not external flash)
|
|
|
Post by admin on Jan 22, 2022 15:14:03 GMT
Posted all the binaries in the new thread. In the re-flashing logs the first block was always 15 bytes long. I don't know the reason behind this. Rest assured all bytes are there. First 2 bytes tell the length of the binary.
Thank you for investigating the programming voltage!
Edit: fyi block length could be anywhere between 1-256 bytes, and can vary between blocks, it depends on the buffer sizes. SEBC3 computers must be able to buffer max 256 bytes of data. Bootloader app and worker functions tend to be transmitted in 16-byte blocks and flash data in 128-byte blocks. It's a matter of choice really.
|
|
|
Post by dino2gnt on Jan 22, 2022 19:18:06 GMT
Forgot: this is running 0.7.1 downloaded from Github. Is there a newer version than this, or was the issue fixed but not packaged for release?
|
|
|
Post by admin on Jan 22, 2022 20:37:33 GMT
Got the same bug... I thought I fixed this earlier. Released 0.7.2 just now.
|
|