RomRaider

Some time ago Colby over on openecu.org opened a thread with the same title as this one. http://forums.openecu.org/viewtopic.php?f=57&t=4405

Fair warning this thread doesn't relate directly to romraider. What this thread is about is standalone logging. Specifically enabling the logging of ram parameters via canbus. Can logging without Colby's patch logs at 50hz. Thats 50 rows per second. I have never thrown enough parameters at it to slow it down. The one caveat is that logging ram parameters is not supported.

In the above mentioned thread Colby found a way to enable the logging of ram parameters with canbus. Specifically he mentioned creating a patch for his 08 STi. Colby then released the patch within one of the ecuflash releases.

Since the patch is not available for my rom (08 Legacy GT) I got curious. I found an 08 STi rom and loaded it up in ecuedit. Sure enough the patch was in the list. It is a simple check box to enable the patch. However saving the rom after checking the box did not include the patch in the rom file (same md5sum as original rom sneaky sneaky).

I inspected the ecuedit program files and did not find anything that looked like a patch file. At some point I believe I read a post from Colby saying the patches were compiled into the ecuflash binary. I have yet to try spelunking inside the ecuflash binary but I digress.

Obviously Mr. Boles doesn't want to make this easy to reverse...

It might not be easy to reverse anyhow. Colby did mention the work he had done involved refactoring the logging code in his 08 STi rom to make room for his patch. Separating the refactored code from the additional code could prove interesting too.

He also added that the patch was applied in such a way that it would attempt a pattern match on your rom for the old logger function. That way it would only be available for your rom if it was compatible, but it was not rom specific. Unfortunately it seems my 08 Legacy uses a different logger function.

So with all of that said

Has anyone here enabled this feature on their ecu?
Have you analyzed the rom changes?

I would really like to see if the work Colby did can be ported to other cars.

Isn't this obsolete with RomRaider's new fast polling?

I'd imagine it's easy to reverse but I've never looked at it. Patch a 08STi rom, run a hex comparison against the original to find the patch, open it in IDA and see what's going on.

I wouldn't say fast poll makes this obsolete. Fast poll is still slower than what the openport is capable of standalone using canbus. Still, even without the speed difference it is nice to not have to use a laptop for some long term logging tasks.

I will try again to see if I can get the patch written to a romfile, but when I tried that in the past (without an ecu to flash and reread) simply enabling the patch, and saving the rom again did not seem to change the file. A second look won't hurt so I will do that.

I am really just curious if anyone has ever isolated the changes before.

Thank you for your time responding.

No problem. If I have some free time tonight I will try to isolate the code and check it out.

I talked to Colby today and he said he is going to check out the continuous push 'fast polling' mode as another option for faster logging.. IMO it's the way to go as it works on all models with a very easy firmware update on the OP2.0. Granted it's no CAN/patch speed, but it's still WAY better than standard logging and could be implemented in a matter of days.

That's certainly fair. I don't know that it is strictly necessary to see the kind of logging speeds that can provides. Fast poll has worked out very well. I just know that k-line doesn't cut it speed wise for the number of parameters I like to log. And since k-line is the only way to get ram parameters logged to SD at the moment I usually turn to romraider when I need to log ram parameters.

I am happy to spend time learning more about these ecus, and I have been digging through mine with IDA, but I tend to believe looking at what Colby had done would give a huge head start.

And of course if a solution can be presented that prevents the need to patch roms, I would agree that is preferable.

Can you point me to the where this fast polling mode is detailed? Is this simply the shift to 10400 baud or something else? I tried the shift to higher baud rates years ago with my 2002 WRX and the issue is that you quickly reach a point where the ECU just doesn't have time to service the requests. You don't notice that at 4800 baud because you cant ask for things fast enough.

Unless there's some limitation I don't see why this mode would not work via CAN too. Continues data once you've set the parameters you want.

I implemented it in RR Logger last June. In the SSM read request set the mode byte to '1' rather than '0'. The mode byte would be the byte after the command byte 'A8' in the request.
Send the request one time and then just listen to the K-line for data from the ECU. Data flow will continue until the ECU is interrupted. I use a "break" signal to stop the ECU before switching to a new query set or when shutting down the Logger (or the ECU will send till it is powered off).

First off, thank you all for taking some time to discuss this.

Secondly, I honestly don't know how I screwed it up last time I looked. But the patch most certainly does get applied to a saved rom file after it is enabled. I must have screwed that up a while ago. My apologies for making a false claim.

For grins I will probably look at what you did to the 08 STi rom Colby. But I assume you would prefer to make a change to the openport rather than have people hound you to patch hundreds of different roms. Seems like the path of least resistance to me. But I am not doing any of the work so it's easy to say things like that.

If you're curious about what a CAN implementation might look like, you might want to check out a Mazda rom. The RX-8 ecu, at least, is very similar to some of the Subarus I've looked at, same OS, etc, but Mazda jumped on the canbus/ISO14229 bandwagon earlier to stay on Fords diagnostic platform.

So, there are lots of interesting services:


Unfortunately, read by address requires going through security access. I don't have that figured out, so I have no idea how well it performs.

Subaru Diesel Crew did it with their patch V2 for the Diesel:

http://subdiesel.wordpress.com/2011/08/ ... -patch-v2/

But AFAIK noone every got this patch (see commants)

One other point:
AFAIR after patching RAM-parameter will be loggable via SSMviaCAN.
This is ISO15765 protocoll witch isn´t supported by RomRaider Logger jet.

Do RomRaider work on this allready ?
Or with way to you want to log CAN data ? Stande-alone Logger ?

The EURO5 Diesel chance protocoll for SSM-Logging to CAN, so this will be one of the sources how to chance

BR

That's interesting.

No the thread is not about RomRaider. I intended on researching this change for an improvement in standalone logging capability with the openport 2. This ecu analysis forum seems to be the most organized and active.

I do think that implementing faster kline logging on the device would have the widest reaching effect. That is probably the much more worthwhile pursuit.

Good to know, that someone still working on the stand-alone logger.
I myself sometimes also use that one too, but at the end RomRaider is still better solution, if you have a k-line based car.
But for EURO5 Diesel, k-line is no longer availible, so yet, stand-alone logger is the only chance to log them

Logging with stand-alone logger via CAN gives you a lot date, with only a few sampling-rates. So you´ve a lot constat values..

Same as for RomRaider, stand-alone logger needs IMO a reducing of logging rate..


I think it is the last active one, where there is still a devellopment going on.

openecu.org devellopment is dead.
Subaru Diesel Crew, FreeSSM etc also...