Volvospeed Forums

Any New Break-throughs With Ecu Hacking?



I'll have to keep an eye out for a R model 1998 ECU... working. I'll then reverse engineer it. It's just a baby computer based on the 8051? That's a piece of cake. There are plenty of tools for 8051 based industrial computer development.... public domain stuff. Combined with ID'ing all the chips on board the basic design can be worked out.

Then altered as desired.

Even if it's a fixed flashrom, the rom can be pulled, a socket installed and a small board built with three roms on it. One to hold the stock unmodified rom (Fallback), and two used to change/tweak settings on the fly by simply switching between them.

The computer may be fast enough to allow a lot of realtime things, that simply aren't programmed into the software. Won't know till it's reverse engineered.


Why do you need an R ecu specifically?


Two reasons, I have a non-R ecu.... my own, so I can suck the rom out of it later. And I wanted an R to have contrast programming as to table values for higher boost, etc.

I also wanted to test the drop-in ability of the R ECU to improve the XC's performance. But whichever, it'll get pulled apart and reverse engineered as best can be done. Hopefully they didn't go using unmarked chips to keep their design secret, etc.


This is a clip from a current pm with him from July 23rd.

I did a lot of work on this but gave up. It was too much for one person. . . removed the between bits. .

I lost interest and moved away from the forum. I only look in now and then

I was hoping he would stop in and provide some more info for us. Perhaps we can get this ball rolling again?


He'd moved on some years back, I think he may have gone to Subaru but my PM conversations with him were so long ago that they've been lost. Hopefully all is well with him these days.


EPLabs.net will custom tune 4.3 motronic if that's any help... He is in CT though but may be able to do an ECU mail in etc... He will tune to whatever specs you want basically. I believe he can work on your TCU also.


Back when I was inquiring, Tony wasn't doing mail-in ecus.


I am very interested in this just for doing the research -- I'd like to help. This will also help me in the field I'm going into, electrical engineering.

I'm gonna start reading up.


I have been looking at a ROM dump for an 850r.

Tools used: WinOLS, Hex Workshop, notepad, IDAPro 5.0

There are MANY maps to go through.

WinOLS finds a FEW of the 2D maps automatically, and they are pictured here.

[Images of the WinOLS map views for the 850r ROM at offsets EDBC, EFAA, F1F3, F317, F43B, F875, FAD3, FC29, FD99, FDD4, FE0F and FEAC]

If you look into the binary, this is how the maps are defined:

A two dimensional map looks like this:

the first number is the RAM (not ROM) offset in the computer where the current rpm value is read from. Following that is the number of RPM values (x-axis) that the map uses, followed by the values which will be used to calculate the x-axis labels (they are calculated by the program). Next, the same format is followed for the %throttle values: the RAM location where the current %throttle can be read from, followed by the number of throttle (y-axis) values, followed by the values which will be used to calculate the y-axis labels. Following the x-y data is the actual map. The first location of the map, the one containing the RPM RAM offset, is the offset for that map. You can then search the map for this value to see all the candidates for the map pointer which is stored as two consecutive bytes.

One dimensional maps work similarly, but with only one axis, representing RPM values, as the %throttle is known (either WOT or Idle).

You can narrow down what you are looking for once you have several map candidates by saying, for instance, only show me maps which use (for example) RAM location 64 for RPM and RAM location 128 for %throttle, or by using a narrower/broader range of potential fuel or timing values.

Based on that, I analysed a few of the locations in the ROM; here are my notes:

RAM_3B is probably RPM, ram location 40 is probably % throttle.

A main program loop is at 0x8A73-0x8CDE

ram 3B is set at 0x8D22
ram 40 is set at 0x8D45

Location, size, mem refs, WinOLS reported location, length
0xEDBB 0x0C by 0x0C ref 3B and 6F OLS:EDD7 length 0xAC
0xEFAA 0x10 by 0x10 ref 3B and 40 OLS:EFCE
0xF1BD 0x10 by 0x02 ref 3B and 40 OLS:F1D3
0xF1F3 0x10 by 0x10 ref 3B and 40 OLS:F217
0xF317 0x10 by 0x10 ref 3B and 40 OLS:F33B
0xF43B 0x10 by 0x10 ref 3B AND 40 OLS:F45F
0xF875 0x10 by 0x05 ref 3B and 40 OLS:F88E
0xF8DE 0x10 by 0x05 ref 3B and 40 OLS:F8F7
0xF947 0x10 by 0x05 ref 3B and 40 OLS:F960
0xF9B0 0x10 by 0x05 ref 3B and 40 OLS:F9C9
0xFA19 0x10 by 0x05 ref 3B and 40 OLS:FA32
0xFAD3 0x08 by 0x08 ref 3B and 40 OLS:FAE7
0xFC29 0x08 by 0x08 ref 40 and 3B OLS:FC3D
0xFD99 0x07 by 0x06 ref 3B and 40 OLS:FDAA
0xFDD4 0x07 by 0x06 ref 3B and 40 OLS:FDE5
0xFE0F 0x07 by 0x08 ref 3B and 40 OLS:FE20
0xFEAC 0x08 by 0x08 ref 3B and 40 OLS:FEC0


more maps that OLS didn't find:
0xEE67
0xFA82 0x05 by 0x05 ref 40 and 3B
0xFB7D 0x08 by 0x10 ref 31 and 3B
... many maps in:
map lookup table in double-byte words from 0xE320 on:
0xE328 - E438

Here is the disassembled ROM in 8051 assembly code.

Some good info on the older motronic 3.1 system

In order to change the maps, we need to know what each map is, and how to update the ROM checksum once the map is changed. There is a plugin for WinOLS somewhere that will update the checksum, I just haven't located that plugin yet.

If anyone can find info on updating the checksum, and identify the maps, and identify which CPU Analog to Digital converter input pin is what (throttle position, coolant temp, etc), it would help a lot.
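An added example (not code from the post or from WinOLS) that turns the map layout described above into a scanner: it parses a 2D map header at an offset, filters candidates by the RAM refs for RPM and %throttle (0x3B and 0x40 in the notes), and finds the 2-byte pointers to a map. The sample ROM is constructed; the header field order and the high-byte-first pointer order are assumptions, not facts taken from the post.

```python
# Assumed header layout (from the post): [x_ram][x_n][x axis * x_n][y_ram][y_n][y axis * y_n][x_n*y_n body]
from dataclasses import dataclass

@dataclass
class MapCandidate:
    offset: int   # ROM offset of the header byte holding the RPM RAM ref (the "map offset")
    x_ram: int    # RAM address the x input (RPM) is read from
    x_n: int
    y_ram: int    # RAM address the y input (%throttle) is read from
    y_n: int
    data: int     # ROM offset of the x_n * y_n table body

def parse_map(rom: bytes, off: int, max_axis: int = 0x20):
    """Parse a 2D map header at `off`; return None if it cannot be one."""
    if off + 2 > len(rom):
        return None
    x_ram, x_n = rom[off], rom[off + 1]
    p = off + 2 + x_n
    if not 1 <= x_n <= max_axis or p + 2 > len(rom):
        return None
    y_ram, y_n = rom[p], rom[p + 1]
    data = p + 2 + y_n
    if not 1 <= y_n <= max_axis or data + x_n * y_n > len(rom):
        return None
    return MapCandidate(off, x_ram, x_n, y_ram, y_n, data)

def scan_maps(rom: bytes, ram_refs=(0x3B, 0x40), min_axis: int = 2):
    """Headers whose two axis RAM refs are distinct members of ram_refs (the post's filter)."""
    out = []
    for off in range(len(rom)):
        m = parse_map(rom, off)
        if (m and m.x_ram in ram_refs and m.y_ram in ram_refs
                and m.x_ram != m.y_ram and min(m.x_n, m.y_n) >= min_axis):
            out.append(m)
    return out

def find_pointers(rom: bytes, target: int):
    """Offsets where `target` appears as two consecutive bytes, high byte first
    (assumption: the operand order of the 8051 MOV DPTR,#imm16 instruction)."""
    hi, lo = target >> 8, target & 0xFF
    return [i for i in range(len(rom) - 1) if rom[i] == hi and rom[i + 1] == lo]

def map_cells(rom: bytes, m: MapCandidate):
    """Table body as y_n rows of x_n cells (row-major order is an assumption)."""
    body = rom[m.data:m.data + m.x_n * m.y_n]
    return [list(body[r * m.x_n:(r + 1) * m.x_n]) for r in range(m.y_n)]

# Constructed sample ROM, not a real dump: one 4x3 map at 0x40 referenced by a raw
# pointer at 0x10 and by a MOV DPTR,#0x0040 (90 00 40) at 0x20.
SAMPLE = bytearray(0x100)
SAMPLE[0x10:0x12] = b"\x00\x40"
SAMPLE[0x20:0x23] = b"\x90\x00\x40"
SAMPLE[0x40:0x57] = bytes([0x3B, 4, 10, 20, 30, 40, 0x40, 3, 5, 10, 15]) + bytes(range(0x80, 0x8C))
SAMPLE = bytes(SAMPLE)
```

On a real dump, run scan_maps over the whole file and compare the reported offsets against the table in the post; candidates with implausible axis counts or refs other than 0x3B/0x40 are the false positives the post warns about.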


You could probably cross reference this between various ecu's and different years and figure out how to adjust boost along with turning the EGR off for those of us who have that as well. I'd imagine there would be more changes than just the EGR though. I have a lot of reading to keep me entertained for a while.


How would I be able to help? I have an IPD flashed ecu that I might be able to pull them off. Just tell me what I need... I'm not the best at electrical engineering, but I have programmed and I work as support for SAP AG, so I can learn pretty quickly.


This topic is now archived and is closed to further replies.
