ECU

[CodeDog]

Hi all, I am new here & would like to share one of my current projects, which I have now been working at on and off for almost 4 years ...

I am working at hacking the engine control unit (ECU) of my Suzuki SV1000 (V-twin motorcycle) - with the ultimate goal
of reflashing it with modified fuel injection and ignition maps.

The ECU is made by Denso, and uses a Renesas 7052 processor. It's all encased in potting and a hard
plastic shell, and had to be soaked in acetone for a few days to reveal the board ...


Using a parallax propeller I managed to interrogate the processor via the back door - Denso kindly wired the AUD (advanced user debug) port to a set of pads near the edge of the board - and I downloaded the full ECU code to my laptop ...


since then it has been a matter of slowly disassembling the code to work out what the ECU was doing. In the process I've found in excess of 170 separate maps in there, and I have probably disassembled only 20% of the total code.

The good news is that I have managed to reflash the unit with modified code. Not quite game enough to plug it into my bike and test it just yet. So part two of this project is to build a motorcycle emulator that I can plug the ECU into, and fully test before risking life and limb ... here's prototype#1


I've since pulled the prototype apart and am rebuilding it into the carcass of an old desktop PC ...


it's a time-hungry project ... hope you like it - a nice mix of analog & digital electronics, microprocessors, hardware, software, and automotive engineering!

cheers,

[ToBeFrank]

Interesting. I've been doing the same thing with the Harley ECU.

[CodeDog]

Cool. What processor is in the HD ECU? And how far have you got with it?

The biggest hurdle I found was in disassembling the binary. The Renesas chip uses a reduced instruction set and it took quite some time to become fluent in it. I used a program called IDA to convert the binary into assembler, and then I started to convert the assembler into higher level descriptions plus flow charts.

On the emulator side of things, the biggest hurdle (aside from all the wiring) was generating the proper pulse sequence to simulate a crankshaft sensor and fool the ECU into thinking that it was connected to a real engine. My bike uses a set of 22 magnets on the crankshaft at 15 degree intervals, and there's a space of 30 degrees between two of the magnets to indicate the absolute position of the crank. The waveform from the transducer on the bike goes +ve and -ve, and the ECU uses the zero-crossings to determine what position the crank is in.

On my emulator, I have a micro generating the crankshaft pulse stream and feeding it into a transistor that controls a small audio transformer. The output of the transformer then connects to the ECU, and it seems to work fine.

Interestingly, the emulator has to have real coils and fuel injectors on it because the ECU can detect if there's the right inductive load on its outputs. I tried using normal transformer windings and they work to some extent but usually they end up causing the ECU to throw a check engine light after continued operation.

There have been lots of other interesting discoveries along the way - happy to discuss them if anyone's interested. Likewise I'm keen to hear about others' experiences in this field ...

cheers,

[ToBeFrank]

Cool. What processor is in the HD ECU? And how far have you got with it?

It runs a Motorola/Freescale HCS12 and uses the J1850 VPW protocol as it's vehicle bus. I reverse engineered their bootloader so I am able to flash it over the J1850 bus. I figured out the proprietary PIDs so I can data log, and I have also identified many of the tables that are used for tuning.

The biggest hurdle I found was in disassembling the binary. The Renesas chip uses a reduced instruction set and it took quite some time to become fluent in it. I used a program called IDA to convert the binary into assembler, and then I started to convert the assembler into higher level descriptions plus flow charts.

Yes, this is definitely the hardest part. I also use IDA. The code can be a maze with flags all over the place, etc. I've spent hours and hours doing this.

On the emulator side of things

Are you using the emulator so you can run the code and debug it in IDA? I suppose that would make the reverse engineering much easier. I should look into that.

On a side note, I'm amazed that they don't use any of the flash protection on these ECUs. I guess they assume no one will go to the trouble of getting the code and disassembling it.

[vl400]

Interesting read I have just embarked on a new project trying to get the code out of a Yamaha Waverunner ECU. Its made by Mitsubishi Electric and was also coated in polyurethane but mixed with crushed quartz (well it looks like that anyway). I used Methyl Ethyl Ketone to break it down and then used a small screwdriver to carefully scrape it all away.

So am now trying to get the hard plastic cover off so I can get to the underside of the board, did you have to destroy the cover or after a few days of soaking was the PCB able to be removed?

[Frangible]

Awesome!  I did something like that for an old GM ECU (6803 based) in the 90's.  Lots of fun - please post lots more on this subject!

[vl400]

Ended up breaking the case apart, there was no way it was ever going to release the PCB. Used some fishing line to cut the case away from the polyurethane before soaking it in MEK to remove the final 5mm or so.

Some pics of the ECU can be found here .. http://yamahaecu.wikispaces.com/ECU+Hardware+Information

[PIC18F2550]

Hi all, I am new here & would like to share one of my current projects, which I have now been working at on and off for almost 4 years ...

I am working at hacking the engine control unit (ECU) of my Suzuki SV1000 (V-twin motorcycle) - with the ultimate goal
of reflashing it with modified fuel injection and ignition maps.

The ECU is made by Denso, and uses a Renesas 7052 processor. It's all encased in potting and a hard
plastic shell, and had to be soaked in acetone for a few days to reveal the board ...


Using a parallax propeller I managed to interrogate the processor via the back door - Denso kindly wired the AUD (advanced user debug) port to a set of pads near the edge of the board - and I downloaded the full ECU code to my laptop ...


since then it has been a matter of slowly disassembling the code to work out what the ECU was doing. In the process I've found in excess of 170 separate maps in there, and I have probably disassembled only 20% of the total code.

The good news is that I have managed to reflash the unit with modified code. Not quite game enough to plug it into my bike and test it just yet. So part two of this project is to build a motorcycle emulator that I can plug the ECU into, and fully test before risking life and limb ... here's prototype#1


I've since pulled the prototype apart and am rebuilding it into the carcass of an old desktop PC ...


it's a time-hungry project ... hope you like it - a nice mix of analog & digital electronics, microprocessors, hardware, software, and automotive engineering!

cheers,

helo

you use the jtag port ,or other protocol for programming this mcu ?

[Circlotron]

Some like minded people here -> https://pcmhacking.net/forums/

[Mr. Scram]

Impressive. I'd love to see how this ends up.

[mikerj]

On the emulator side of things, the biggest hurdle (aside from all the wiring) was generating the proper pulse sequence to simulate a crankshaft sensor and fool the ECU into thinking that it was connected to a real engine. My bike uses a set of 22 magnets on the crankshaft at 15 degree intervals, and there's a space of 30 degrees between two of the magnets to indicate the absolute position of the crank. The waveform from the transducer on the bike goes +ve and -ve, and the ECU uses the zero-crossings to determine what position the crank is in.

Rather than a set of magnets, it will be a toothed steel wheel (usualy called a 'reluctor ring', 'tone wheel' or 'phonic wheel') and a single permanent magnet within the variable reluctance sensor.  This scheme is used by almost every modern ECU control engine for crank position sensing, apart from the few that use biased hall sensors instead (which are much easier to interface to, but more expensive and less robust).  The number teeth, and missing teeth patterns vary greatly between manufacturers however.

The forum you should join is http://www.ecuhacking.activeboard.com which is dedicated to reverse engineering and modifying motorcycle ECUs, including the SV1000.

[Theboel]

I never think some one will do this,
I just "remap" what ever thats mean for my Toyota 2KD-FTV engine much cheaper than buy a piggy back module but still I need Throttle module.