300D50

Just getting a feel for how many people this would benefit, given everyone seems to be going with an apexi/afc/mafterburner setup right now.



I'm at the stage where I have the raw rom code, and a partial schematic of the ecu.

Threw the code into IDA and uVision, working out the idiosyncrasies of the startup sequence right now.



Anyone familiar with Intel 8051 MCU programming/architecture who wants to help can feel free to contact me.

The MCU that runs the show is an Infineon C509-LM, with a 128K AMD flash chip hanging off of it. Only 64K at a time is used, and each half has a complete program with slightly different code.

Near as I can tell pin 72 on the ecu connector selects which one runs. That's listed as the MT/AT program selection pin in the HMA ETM.



No maps/lookup tables have been found as of yet, but I haven't looked.



There's ~2k of code space that's unused, so there's room for additional features to be added in as well.



Everything is in place from the factory to do a reflash, but the interface used is unknown as of now. I suspect it's using the onboard boot rom in the C509-LM, but have yet to trace the wiring. Serial port 0 is in use for com, so there is a good chance it's doing duty as the OBDII interface, in which case that seems more likely. Chiptune should be easy enough to do if it proves to be too difficult.



Sorry for the rambling brain dump, phone was closer than my notebook and pencil.

SpoolinShark

I do recall a member on here way back when had the stock ecu tuned. He didn't really share how his ecu was flashed and I even tried to ask him but with no answers. But I would like to know how this would work and am intrigued since I'm going to school for computers and such. Not quite into programming but I do find it interesting.

wheel_of_steel

Excellent work man. There is a company here in australia that is able to do reflashes. Afaik they gain entry via the OBD-II port. Most ecus have a security code built in to prevent tampering though, so unless they purchased the code from hyundai, you might be able to get some advice from them.



That said, I'd imagine their lips would be pretty tightly sealed. The company is 'Silverwater auto services'

zero_gravity

wow....impressive! keep us updated, and best of luck. i'm rather clueless to most of what you said lol.

300D50

I have full access to the actual program memory, so most software security measures can be reverse engineered.



The "security code" on ecu's this old is usually just a CRC of the program memory, that detects tampering/program code anomalies and throws a MIL/CEL light.



Some of the newer ones use an actual cryptographic hash...



My plan is to get the spare ECU I have wired up to the point it can be flashed out of the car, and use the Hyundai reflash tool to update it (if there IS an update...) while sniffing the OBD K and L lines on the OBD connector.

300D50

Hm, seems that the 1.8 ECU is physically the same as the 2.0 version, with only firmware differences!



That means if I can get enough ecu samples, I can start doing a more thorough comparison between them.



Anyone have a spare 1.8 ECU kicking around that they could loan out, in case the local yard doesn't have one?



The worst that will happen to it is it gets a socket added to the motherboard to hold the flash after it's been removed for a read-out. In the future that hopefully won't be needed...



And anyone looking to help with the effort of documenting the disassembly listing, please let me know.



The more people working at this, the sooner we have an open source ECU tuning suite.

zero_gravity

if i had a 1.8 ECU sitting around i'd send it your way free of charge. i might have a 1.6L from an LC2 accent to spare however....someone help this guy out!

300D50

As long as it uses the same connector as an RD/RD2, it could help.



Any 2.0 beta ecu's older than 2000 or newer than 2000 model year could help as well.



I can get them from the yard, but the selection is sporadic andthey're $40 each after tax/fees/core charge, so it's not as cost effective as some of you guys getting them for $15 or less!



Just bought a "real" prom/flash burner so I don't have to keep building my own all the time, and second guessing my bin dumps because of it...

wheel_of_steel

sh*t man, I wish I could help. I've got an X3 DOHC ecu and an LC 1.5 DOHC ecu, if you want to use them, no worries!

Stocker

FWIW a 2.0L will run with the computer from a 1.8L with no apparent difficulties