RomRaider Logo

RomRaider

Open Source ECU Tools
 FAQ •  Register •  Login 

RomRaider

Documentation

Community

Developers

It is currently Wed May 18, 2022 3:41 am

All times are UTC - 5 hours [ DST ]





Post new topic Reply to topic  [ 472 posts ]  Go to page Previous  1 ... 17, 18, 19, 20, 21, 22, 23 ... 32  Next
Author Message
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Thu Dec 05, 2013 5:03 am 
Offline
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
Had a chance to play around with sniffing Techstream to get SSM over CAN with the Tactrix OP2.0 and USBTrace

Interesting CAN Diesel background info here:

http://subdiesel.wordpress.com/2011/05/ ... -tutorial/
http://subdiesel.wordpress.com/ecu-anal ... -messages/

When using Techstream in Live Data mode, it seems that when you update your live data list, an instruction is sent to the ECU to send a line of values back which keeps on getting sent out without repeated requests. Setting one parameter at a time gives you an idea of where that is located - sniff USB connection at the point in time when you update the live data list.
Tester ID 0x00 00 07 E0
ECU ID 0x00 00 07 E8


Initial USB sniffs:

Display RPM Data
OUT 61 74 74 36 20 35 20 36 34 0D 0A 00 00 07 E0 3E
?Init 3E
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 10 5F
?Init 10 5F
OUT 61 74 74 36 20 31 33 20 36 34 0D 0A 00 00 07 E0 A1 06 01 02 0B 0C E1 01 01
Command A1 ?Set buffer
?Buffer 06
CAN-ID 01
# of Bytes to read 02
Bytes to read 0B 0C (16 bit MAF data)
?Term E1 01 01
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 A2 06
Command A2 ?Read buffer
?Buffer 06
IN 61 72 36 09 10 16 6B 4A 48 00 00 07 E0
?Ack
IN 61 72 6F 0D 0A
?Ack
IN 61 72 36 0E 40 14 66 53 66 00 00 07 E8 E2 06 00 00 00
Command E2 ?Buffer return (A2+40(frame buffer))
?Buffer 06
Data 00 00 (RPM 0)
Term 00

Display MAF Data
OUT 61 74 74 36 20 35 20 36 34 0D 0A 00 00 07 E0 3E
?Init 3E
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 10 5F
?Init 10 5F
OUT 61 74 74 36 20 31 33 20 36 34 0D 0A 00 00 07 E0 A1 06 01 02 04 05 E1 01 01
Command A1 ?Set buffer
?Buffer 06
CAN-ID 01
# of Bytes to read 02
Bytes to read 04 05 (16 bit MAF data)
?Term E1 01 01
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 A2 06
Command A2 ?Read buffer
?Buffer 06
IN 61 72 36 09 10 16 6B 4A 48 00 00 07 E0
?Ack
IN 61 72 6F 0D 0A
?Ack
IN 61 72 36 0E 40 16 6B 51 82 00 00 07 E8 E2 06 00 55 00
Command E2 ?Buffer return
?Buffer 06
Data 00 55 (MAF 0.85 g/s)
Term 00

Display MAF+RPM
OUT 61 74 74 36 20 35 20 36 34 0D 0A 00 00 07 E0 3E
?Init 3E
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 10 5F
?Init 10 5F
OUT 61 74 74 36 20 31 35 20 36 34 0D 0A 00 00 07 E0 A1 06 01 04 04 05 0B 0C E1 01 01
Command A1 ?Set buffer
?Buffer 06
Can-ID 01
# of Bytes to read 04
Bytes to read 04 05 0B 0C
?Term E1 01 01
OUT 61 74 74 36 20 36 20 36 34 0D 0A 00 00 07 E0 A2 06
Command A2 ?Read buffer
?Buffer 06
IN 61 72 36 09 10 16 6B 4A 48 00 00 07 E0
?Ack
IN 61 72 6F 0D 0A
?Ack
IN 61 72 36 10 40 14 DC FF 56 00 00 07 E8 E2 06 00 55 00 00 00
Command E8 ?Buffer return
?Buffer 06
Data 00 55 (MAF 0.85g/s)
Data 00 00 (RPM 0)
Term 00

Only the first sniffed data but now have:

CAN-ID 01
Bytes 04,05 MAF
Bytes 0B,0C Engine RPM

CAN-ID 41
Bytes 06,07 Accelerator position

CAN-ID 22
Byte 12 - Rear defogger button (0x80 or 0b10000000 when on)

Haven't tried yet, but there is a good chance we can get VSC related data like yaw angle/rates this way also.
If you have the chance to do some sniffing and post data back, please do so.


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Thu Dec 05, 2013 10:15 pm 
Offline
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
Lots of potential being seen:

ECU 0x07E8

CAN-ID 0x01
01 Calculated load
04 05 MAF
0B 0C Engine speed
0D Vehicle speed
32 Oil Temp

CAN-ID 0x03
07 Ignition advance

CAN-ID 0x37
09 0A FLKC
0B 0C FBKC

CAN-ID 0x41
06 07 Accel position

VSC module 0x07B8

CAN-ID 0x05
0B 0C Real engine torque

CAN-ID 0x47
01 Lateral G
02 Front/Rear G
03 Yaw rate
04 05 Steering wheel angle

Is it possible to get standalone engine + VSC logging with the OP2.0?


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Mon Dec 09, 2013 5:40 pm 
Offline
Newbie

Joined: Thu Mar 23, 2006 5:17 am
Posts: 26
Location: support@tactrix.com
Here is a another version to try.

I have made a couple of improvements to the "OEM" reflash process to make it more robust if there are any missing responses on the CAN bus (I'm making the ECU very busy trying to run as fast as possible, which can lead to it dropping commands sometimes).

This version also has firmware that supports logging, using UDS mode 0x23 requests which read from RAM directly. There is a sample of how to do this at

C:\Program Files (x86)\OpenECU\EcuFlash\samples\logging\subaru brz uds.txt

in your installation. You will need to use the OP2 once in EcuFlash (you can even just go to the Help | Licensing page) to get the OP2 firmware update to happen first. The you can copy subaru brz uds.txt as logcfg.txt on your microSD card and you should be good to go. You will probably want to add some trigger conditions - you can look at some of the other examples to see how that is done if you don't know already.

The good news is that this form of logging is pretty fast (> 1000 32-bit parameters / second), so I might not add a custom mod to do any special new logging method. The only downside of this method is that you need to know all of the RAM addresses of the parameters in order to use it - there are no common SSM-style PIDs here. I have automated ways of finding all of the common parameters, so if we run into any new ROMs, this shouldn't be much of a problem anyways.

One important thing to note is that these mode 0x23 requests allow you to read large blocks of memory at once, so the OP2 tries to take advantage of this by sorting your parameters by address and figuring out when it is quicker to request many parameters at once (when their addresses are close enough together). This is also means that sometimes logging additional parameters comes at virtually no speed expense if their addresses are right next to the other parameters. If you look at my sample file, you will see that many RAM parameters are in fact right next to each other, which is good news.

Unless there are some problems with this beta, this will probably be the last version before I switch everyone over to using a Tactrix flashing kernel instead of the OEM flashing method. This will make the flashing considerably faster as it won't be rewriting the entire code/data calibration area with each flash.

Let us know if you are having any problems with this.

http://www.tactrix.com/downloads/ecuflash_brz_beta_1444040.exe

Colby


Last edited by cboles on Tue Dec 17, 2013 3:50 am, edited 3 times in total.

Top
 Profile  
 
 Post subject: Re: EDM Forester13 SJ 2.0 turbo Hitachi ecu
PostPosted: Mon Dec 09, 2013 6:12 pm 
Offline
Newbie

Joined: Thu Mar 23, 2006 5:17 am
Posts: 26
Location: support@tactrix.com
I suspect what I have already done supports this. Have you tried the EURO4 and EURO5 subaru diesel options in this beta? I have no definitions for these yet, but you should be able to pull the ROM and post it up...

Sasha_A80 wrote:
td-d wrote:
What I'm curious about is whether this will also allow the tuning of the new Forester 2.0T DI engines. That would be fantastic...


SH7058S or SH7059 Renesas chip


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 12:44 am 
Offline
Moderator

Joined: Thu May 20, 2010 4:01 am
Posts: 3100
Location: Johannesburg, South Africa
Thanks Colby! I'll see if I can get my hands on a newer Forester and give it a bash.

_________________
He who dies with the most gadgets wins.

Please do not PM me - use the email option.


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 1:23 am 
Offline
RomRaider Donator

Joined: Wed May 22, 2013 4:29 am
Posts: 10
I have a US 2014 Forester 2.5i. I can see if it will read the ROM then post the results, if you would like me to.


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 1:29 am 
Offline
Newbie

Joined: Thu Oct 10, 2013 7:41 pm
Posts: 16
awesome, thanks!


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 1:30 am 
Offline
Senior Member

Joined: Mon Jan 19, 2009 2:31 pm
Posts: 1606
Location: Moscow, Russia
Are you talking about OEM bootloader substitution ?

There may be a problem - OEM bootloader reports to ( probably BodyIntergratedUnit ) that ecu is available and started when ignition is on.
New bootloader should do the same if OEM code does not run and\or removed.

This is correct for Denso MY07+.
Hitachi ecu bootloader did not do this upto MY12 but I have not checked recent ones.


cboles wrote:
Here is a another version to try.

Unless there are some problems with this beta, this will probably be the last version before I switch everyone over to using a Tactrix flashing kernel instead of the OEM flashing method. This will make the flashing considerably faster as it won't be rewriting the entire code/data calibration area with each flash.

Let us know if you are having any problems with this.

Colby


Last edited by Sasha_A80 on Tue Dec 10, 2013 3:47 am, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 1:40 am 
Offline
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
Great work Colby.

Can we get RAM addresses for IAM, FBKC, FLKC and then generate addresses for A01G ROM?

I had a look at bin files with my eyes; no disassembly tools at my disposal - ?IAM at:
FFF816F4 for A01C
FFF8119C for A01G


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 2:54 am 
Offline
Newbie

Joined: Thu Oct 24, 2013 4:34 am
Posts: 27
A01G RAM addresses for what Colby has released + what I am using to pull CL_OL status and IAM below:

Code:
paramname=CL_OL_status
mode=0x01
paramid=0x03
databits=8
offsetbits=0
scalingrpn=x

paramname = IAM
paramid = 0xFFF8119C
isfloat = 1

paramname = load
paramid = 0xFFF8D248
isfloat = 1

paramname = cool_temp
paramid = 0xFFF8D24C
isfloat = 1

paramname = STFT
paramid = 0xFFF8D250
isfloat = 1

paramname = LTFT
paramid = 0xFFF8D254
isfloat = 1

paramname = MAP
paramid = 0xFFF8D258
isfloat = 1

paramname = RPM            
paramid = 0xFFF8D25C            
isfloat = 1            

paramname = speed
paramid = 0xFFF8D260
isfloat = 1

paramname = advance
paramid = 0xFFF8D264
isfloat = 1

paramname = IAT
paramid = 0xFFF8D268
isfloat = 1

paramname = MAF         
paramid = 0xFFF8D26C         
isfloat = 1            

paramname = TPS            
paramid = 0xFFF8D270      
isfloat = 1            

paramname = fuel_press            
paramid = 0xFFF8D27C
isfloat = 1            

paramname = lambda
paramid = 0xFFF8D280
isfloat = 1

paramname = O2_volt
paramid = 0xFFF8D284
isfloat = 1

paramname = evap
paramid = 0xFFF8D288
isfloat = 1

paramname = fuel_level
paramid = 0xFFF8D28C
isfloat = 1

paramname = amb_press
paramid = 0xFFF8D290
isfloat = 1

paramname = O2_curr
paramid = 0xFFF8D294
isfloat = 1

paramname = cat_temp
paramid = 0xFFF8D298
isfloat = 1

paramname = ECU_volt
paramid = 0xFFF8D29C
isfloat = 1

paramname = abs_load
paramid = 0xFFF8D2A0
isfloat = 1


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 5:06 am 
Offline
Experienced
User avatar

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
cboles wrote:
Here is a another version to try.


Hallo Cloby,

Is the hardware down-grade able, if I got any problems with the diesel flashing with this beta ?

Last BRZ-beta didn´t work propartly, so I need to down-grate to your lastes diesel-beta to be able to flash save again..

Any chance of this too, even with the update of the interface ?


Quote:
This version also has firmware that supports logging, using UDS mode 0x23 requests which read from RAM directly.


With "normal" CAN-protocoll I cannot log every PID at the EURO5 diesel ECU, some are supported, other not.
So I sniffed a workshop-CAN-communication with CANalyser and see every diagnostic setion starts with the string "02 3E 00 00 00 00 00 00" on ID 0x7E0, so tester can display all parameter with connot be logged in normal CAN-mode

It it possible that EURO5 Diesel ECU also uses USD protocoll for communictation to work shop tester ?



bwt.:

Thank for your great work ..

_________________
performence based on engineering..


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 8:25 am 
Offline
Senior Member

Joined: Sat Feb 12, 2011 7:27 pm
Posts: 1993
Location: Northern NSW
jsimon7777 wrote:
I have a US 2014 Forester 2.5i. I can see if it will read the ROM then post the results, if you would like me to.


NA motor should still be DENSO ECU on normal CANBUS flash

The DIT engine is Hitachi


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 9:55 am 
Offline
Newbie

Joined: Fri Sep 27, 2013 8:35 am
Posts: 2
Okay, I must be doing something horribly wrong here...

I installed the new beta over top of the old one, I copied in the files from TD-D's github for the Ecuflash definitions and the 32Bitbase.xml to the Ecuflash directory (replacing the original files). I started ecuflash with my OP2 connected and I saw that it updated the firmware to:

[08:41:23.748] J2534 API Version: 04.04
[08:41:23.748] J2534 DLL Version: 1.01.4014 Dec 9 2013 12:34:51
[08:41:23.748] Device Firmware Version: 1.14.4010

I selected BRZ from the vehicles list, left the car ON but not running for ~2 minutes or so and then attempted a read, and the result is the same as I always got with the previous beta. When I look at the tables in Ecuflash the data is all messed up, the numbers in the RPM and Load columns are all over the place.

I save as a BIN and it warns about padding the first 8000 bytes. I open in RomRaider and it doesn't match the definition. I open with a hex editor and I find everything is null up to address 32768, where it starts with:

ZA1J700CAS1 H4NA Tier2 6MT (Copr.DENSO2012 ˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇ


I tried re-installing the beta so I could use the included 32bitbase.xml and definition file, and the result is the same (except Ecuflash won't try to match the ROM to it's definition, it just says definition not found.)

I'm doing with with my Mac running EcuFlash in VMWare Fusion on Windows 7 32-bit, but I had exactly the same behaviour with the previous beta on a bare-metal laptop running windows 7 x64.

Any help or guidance is always appreciated.


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 5:29 pm 
Offline
Newbie

Joined: Thu Mar 23, 2006 5:17 am
Posts: 26
Location: support@tactrix.com
Are you referring to the firmware? There is not an easy downgrade for the firmware, but there is also nothing in the firmware related to flashing that his changed. The firmware changes here are to support new logging features. If there is something not working in this version of EcuFlash for you, let me know, but you can also use and older version of EcuFlash with this same firmware if need be.

Jochen_145 wrote:
cboles wrote:
Here is a another version to try.


Hallo Cloby,

Is the hardware down-grade able, if I got any problems with the diesel flashing with this beta ?

Last BRZ-beta didn´t work propartly, so I need to down-grate to your lastes diesel-beta to be able to flash save again..

Any chance of this too, even with the update of the interface ?


Quote:
This version also has firmware that supports logging, using UDS mode 0x23 requests which read from RAM directly.


With "normal" CAN-protocoll I cannot log every PID at the EURO5 diesel ECU, some are supported, other not.
So I sniffed a workshop-CAN-communication with CANalyser and see every diagnostic setion starts with the string "02 3E 00 00 00 00 00 00" on ID 0x7E0, so tester can display all parameter with connot be logged in normal CAN-mode

It it possible that EURO5 Diesel ECU also uses USD protocoll for communictation to work shop tester ?



bwt.:

Thank for your great work ..


Top
 Profile  
 
 Post subject: Re: Attempting to pull the rom on a BRZ Friday night.
PostPosted: Tue Dec 10, 2013 5:31 pm 
Offline
Newbie

Joined: Thu Mar 23, 2006 5:17 am
Posts: 26
Location: support@tactrix.com
Thanks. FYI, you will be better off using mode23 for the CL_OL_status if you know the address (I can find it for you if need be). It is ideal (= faster) to be running all mode 0x23 UDS requests.

ztan wrote:
A01G RAM addresses for what Colby has released + what I am using to pull CL_OL status and IAM below:

Code:
paramname=CL_OL_status
mode=0x01
paramid=0x03
databits=8
offsetbits=0
scalingrpn=x

paramname = IAM
paramid = 0xFFF8119C
isfloat = 1

paramname = load
paramid = 0xFFF8D248
isfloat = 1

paramname = cool_temp
paramid = 0xFFF8D24C
isfloat = 1

paramname = STFT
paramid = 0xFFF8D250
isfloat = 1

paramname = LTFT
paramid = 0xFFF8D254
isfloat = 1

paramname = MAP
paramid = 0xFFF8D258
isfloat = 1

paramname = RPM            
paramid = 0xFFF8D25C            
isfloat = 1            

paramname = speed
paramid = 0xFFF8D260
isfloat = 1

paramname = advance
paramid = 0xFFF8D264
isfloat = 1

paramname = IAT
paramid = 0xFFF8D268
isfloat = 1

paramname = MAF         
paramid = 0xFFF8D26C         
isfloat = 1            

paramname = TPS            
paramid = 0xFFF8D270      
isfloat = 1            

paramname = fuel_press            
paramid = 0xFFF8D27C
isfloat = 1            

paramname = lambda
paramid = 0xFFF8D280
isfloat = 1

paramname = O2_volt
paramid = 0xFFF8D284
isfloat = 1

paramname = evap
paramid = 0xFFF8D288
isfloat = 1

paramname = fuel_level
paramid = 0xFFF8D28C
isfloat = 1

paramname = amb_press
paramid = 0xFFF8D290
isfloat = 1

paramname = O2_curr
paramid = 0xFFF8D294
isfloat = 1

paramname = cat_temp
paramid = 0xFFF8D298
isfloat = 1

paramname = ECU_volt
paramid = 0xFFF8D29C
isfloat = 1

paramname = abs_load
paramid = 0xFFF8D2A0
isfloat = 1


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 472 posts ]  Go to page Previous  1 ... 17, 18, 19, 20, 21, 22, 23 ... 32  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style based on FI Subsilver by phpBBservice.nl