ECU disassembly/reverse engineering
#22
Senior Member
Thread Starter
Join Date: Oct 2011
Location: CNY
Posts: 581
Vehicle: 2000 Hyundai Tiburon
So far it's just the very preliminary stuff, tracing program execution from a cold reset, the initialization of the registers/subsystems, etc.
Have yet to get to the engine management portion of the code, and likely won't for a while.
I'm cleaning up my notes and whatnot in anticipation of making them public, in hopes of having some help with the disassembly effort.
While I can see the possibility for some serious income based on this, I can't bring myself to sit on all of it.
I want it to be as easy as tuning a 305 firebird, or a 90's DSM, no "buy our software! it's locked to a serial number! one credit is $99.99!" bullcrap, just a simple way to tune.
I'd rather tuners get paid to TUNE the car, not paid because they're the only ones who can afford the $1000.00 fee for the software/dongle/etc.
Lofty goal, a bit altruistic, I'll likely get screwed over, but I can't see keeping things behind a veil of secrecy and therefore back in the stone age. Our ECUs are freaking awesome, and deserve to have their full potential unlocked.
Call it my worst personality flaw, helping everyone at detriment to myself...
#24
Senior Member
Join Date: Dec 2008
Location: Floating around the AUDM
Posts: 3,837
Vehicle: X3 Sprint, S-Coupe Turbo
Yup, I can't really help you with any sort of code, but I do have some delicious AUDM ECUs lying around. Just say the word.
#25
Senior Member
Thread Starter
https://docs.google.com/open?id=0B5C...I1Y2NjMTk3MDZk
That's the link to my notes, the disassembly listing isn't there yet, still have to clean it up.
I could use one of the "good" 1.8 ECUs, and any other ECU that fits a beta 1 engine with the same pinout.
I'd write down part numbers, take a few dozen photos, then pull the flash, read it, and either solder in a socket or solder the flash back down, then mail it back.
Hopefully I can get something going to read the ECU bin via the program mode (thus negating having to have the ECU mailed and/or de-soldering the flash memory), but that may take a little bit of time, as 8051 isn't my specialty...
#27
Senior Member
Thread Starter
Not really sure, I'll have to search the forums/internet/etc.
I know from researching it that one of the 1.8L ECUs is "the best", but I can't remember the part number offhand.
#28
Senior Member
Thread Starter
I currently have the bin for a 39100-23956 ECU from a 2000 Tib, I'm uploading it along with a very rough IDA assembly file and listing.
This was a single pass through IDA, not everything has been explored, nothing has been commented except by IDA, and not everything is checked to see if it's correct.
I hope that someone else can help shed a bit more light into this, the more eyes and minds working on this the easier it will be.
Info should be up on the gdocs collection.
#29
Super Moderator
You tread a lonesome path. Be prepared for zero assistance and next to zero thanks. Pro Bono Publico better be a good enough reward, or else find a way to market reflashing services. Still, we love you for trying!
(okay then, rocket surgeons of the world, prove me wrong!)
#30
Senior Member
Thread Starter
I could do reflash services I guess, been trying to do local cars, but everyone I know either A: has a place that tunes them already, B: doesn't want to tune their car, C: has a car that can't easily be tuned, D: doesn't trust it, or E: sold the car I was tuning.
So far progress is going well, swimming right along.
I've soldered direct to the serial port, bypassing the K-line transceiver, so I should be able to test some more stuff.
Still have my uber-skills when it comes to soldering.
Fleshed out the program enough that it should at least transfer data along to the MCU inside the ECU, just wiring up the absurd number of wires required for this right now. So far there's 3 grounds, 2 hot lines, a switched hot line, a program enable line, and the serial lines...
More in a half hour or so, when I'll either have it working or be screaming because something broke...