Post by dino2gnt on Feb 23, 2022 21:31:01 GMT
They stepped on their own balls. ;-) Read page 0 must be passed minus 4. I said "bootloader" earlier, but meant "writer function". I'm sure the intention in that case was that it should never touch anything less than 4, but I totally understand why we might want to dump the entire memory content.
Post by Piton on Feb 23, 2022 21:52:42 GMT
There is logic in this, but there is no defense against a fool. Example with minus 4.
Post by dino2gnt on Mar 31, 2022 4:09:37 GMT
I managed to fully reprogram my test ECU tonight with a firmware image I copied from another (dead/damaged) ECU with a chip reader. Used a cp2102 for comms and a relay board to switch +20V on and off. Used the reflash bootloader in my github (I may need to check in the latest minor changes) and a Python script that does the heavy lifting and toggles the relay on and off via rts. It booted on the new firmware and I was able to connect the SCI scanner and pull codes. Now I need to work on my SBEC3 firmware reverse engineering.
Post by ddex on Nov 10, 2022 17:31:42 GMT
Man, if you make normal reverse engineering for any tuning program (best option I believe MPtune) you can count for a beer donation from me and a lot of others))
Post by dino2gnt on Nov 10, 2022 17:59:53 GMT
Unless the original authors of MPtune want to make it work with the SBEC3 ROMs, I don't expect it will ever support them. It's not something I'm personally interested in; I rolled my own table editor.
The latest ChryslerScanner hardware can do the read and write operations, don't even need to cobble your own hardware together like I did. Support Daniel and buy a scanner.
www.2gnt.com/viz.php
nawdu.de/files/05293190AC.bin
Here's a firmware you can play with.
0x1FAF, type A, Dec. WOT spark table.
0x1BFA, type A, Dec. Part throttle spark table.
Table locations can vary across part numbers, so I wouldn't expect those to work on any random firmware. Are you a Neon guy or something else?
Post by admin on Nov 10, 2022 18:08:02 GMT
> Man, if you make normal reverse engineering for any tuning program (best option I believe MPtune) you can count for a beer donation from me and a lot of others))

In 2016 I ran the current MPTune and MPScan version through ILSpy and it produced a readable source code. Still got them if you are interested. You can read off lots of procedures and stuff. And it can be loaded into Visual Studio, modified, re-compiled. SBEC2 is similar to SBEC3 diagnostics-wise. They share most of the diagnostic SCI-bus commands between 0x10-0x1F. Its early SCI-bus protocol is kind of messed up (inverted logic, last 4 bits coming first, then first 4 bits last), but it is what it is. The V2 CCD/PCI/SCI scanner that I currently develop has a special function just for SBEC2 in case someone wants to use it that way.
Post by ddex on Dec 6, 2022 21:11:57 GMT
> Unless the original authors of MPtune want to make it work with the SBEC3 ROMs, I don't expect it will ever support them. It's not something I'm personally interested in; I rolled my own table editor.
> The latest ChryslerScanner hardware can do the read and write operations, don't even need to cobble your own hardware together like I did. Support Daniel and buy a scanner.
> www.2gnt.com/viz.php
> nawdu.de/files/05293190AC.bin
> Here's a firmware you can play with.
> 0x1FAF, type A, Dec. WOT spark table.
> 0x1BFA, type A, Dec. Part throttle spark table.
> Table locations can vary across part numbers, so I wouldn't expect those to work on any random firmware. Are you a Neon guy or something else?

Own a 96 MT neon... Planning some boost to it ) Anyway, we need something to easily edit the bins... fuel/spark tables, coding mt/at cooling fan on/off temp etc.... P.S. Bought the cable on tindie... But not all of us can afford it (even for me 200 bucks is not a cola bottle price xD ), so simple cable with some GUI to up and download the bin can still be a good idea...
Post by ddex on Dec 6, 2022 21:17:02 GMT
> > Man, if you make normal reverse engineering for any tuning program (best option I believe MPtune) you can count for a beer donation from me and a lot of others))
>
> In 2016 I ran the current MPTune and MPScan version through ILSpy and it produced a readable source code. Still got them if you are interested. You can read off lots of procedures and stuff. And it can be loaded into Visual Studio, modified, re-compiled. SBEC2 is similar to SBEC3 diagnostics-wise. They share most of the diagnostic SCI-bus commands between 0x10-0x1F. Its early SCI-bus protocol is kind of messed up (inverted logic, last 4 bits coming first, then first 4 bits last), but it is what it is. The V2 CCD/PCI/SCI scanner that I currently develop has a special function just for SBEC2 in case someone wants to use it that way.

I'm not a software guy (learning in small steps but understanding the logic in others' code), more hardware knowledge both mech. and electronics. But yeah, send it.
Post by dino2gnt on Dec 6, 2022 21:57:07 GMT
> not all of us can afford it (even for me 200 bucks is not a cola bottle price xD ), so simple cable with some GUI to up and download the bin can still be a good idea...

The scanner isn't the only way, it's just the best way. You can make your own interface for about $45 US in Amazon parts (cp2102, relay board, something for 20V+ DC). See the readme @ github.com/dino2gnt/SBECBootLoader for some vague instructions and a working bootloader. You can probably skip the dc-dc buck and just use a straight 20V DC power supply instead. I only run it under Linux, which for most people probably means a virtual machine that can do USB passthrough. But you don't get any of the awesome current or future features from the scanner this way, it's not very portable, and there's no GUI. (I only use it on the bench)

$ ./ecuwriter.py --bootloader bootloader-reflash.bin --flash-size 128 --read 05269995AC.bin
Using device /dev/ttyUSB0 at 62500 baud, 8N1
Will apply 20V+ to SCI RX for bootstrap. Ready? y/n/s(kip): y
20V+ ON for 10 seconds. Turn key on now!
20V+ OFF!
Trying Magic Byte... 06
Synced at 62500 baud
Seed: 8512
Solution: 777f 26d067c21f
Solution accepted!!!
Uploading reflash kernel...
Booting reflash kernel... 47010022
Kernel running! 11
Kernel alive!
Running bootloader bulk dump command, saving to 05269995AC.bin
Wrote 131071 bytes to 05269995AC.bin
$
Post by darkcorp on Feb 15, 2023 10:25:23 GMT
Hi dino2gnt! Could you please upload it once again?
Post by dino2gnt on Feb 15, 2023 14:16:21 GMT
> Could you please upload it once again?

It's browseable: nawdu.de/files/
All the bins moved into the bins/ subdirectory.
Post by darkcorp on Feb 15, 2023 14:37:46 GMT
dino2gnt, that looks cool! Where can I find maps (table locations) for my part number? Make a step-by-step guess generator?
Post by dino2gnt on Feb 15, 2023 14:41:38 GMT
I have a couple things documented for 05293190AC: www.2gnt.com/index.php?d=05293190AC
Anything you're curious about, let me know and I can probably tell you the offset / update the documentation.