subarutech77
-
Posts
27 -
Joined
Content Type
Profiles
Forums
Gallery
Posts posted by subarutech77
-
-
For a 7055, none. The bytes 0x000 - 0x3FF contain the Exception Processing Vector Table Addresses.
Bummer
Thanks again dschultz
-
I've figured out how to change the address that I want to end at in the program. This is a snippet from the original code found on the ECU Hacking site.
' addr 0000:0000 - 003F:FFFF ' A28=0 A24=0 FOR A20 = 0 TO 3 FOR A16 = $0 TO $F FOR A12 = $0 TO $F FOR A8 = $0 TO $F FOR A4 = $0 TO $FIt needs to be changed to this to read to 0007:FFFF
' addr 0000:0000 - 007F:FFFF '2/26/11 changed comment to reflect ending address change ' A28=0 A24=0 FOR A20 = 0 TO 7 '2/26/11 changed 3 to 7 as I want to read to 0007:FFFF FOR A16 = $0 TO $F FOR A12 = $0 TO $F FOR A8 = $0 TO $F FOR A4 = $0 TO $FConfirmed by this thread:
http://ecuhacking.activeboard.com/forum.spark?aBID=99460&p=3&topicID=22449760
The checksum part of the code, from what I can gather, is only for the file that the hexdump is outputted into, s-mot I believe(.s19 extension). It is only used to verify that the transmission has no errors, and is not actually part of the rom.
I've had the BasicStamp set-up running, and have had some repeatable results... What are the odds that the ROM has a big chunk of FF's at the beginning of the ROM? Slim to none?
Also, when it does seem to be running correctly, it takes a really, really long time for it to output to the hyperterminal. In the thread referenced above, they quote 90min for reading to H'3FFFF and 2 1/2 hrs to read to H'5FFFF. I had it running 6hrs straight and it only made it to 0000:09C0. Here's a link: https://files.me.com/subarutech/6eiyqi
S214 is the header of the line, then there are 32 characters which are supposed to be the ROM, and then the last 2 digits are the checksum that the program uses for communication verification.
I've checked my wiring from the 7055 pins to the breadboard of the basicstamp board and they all seem good. However, my workspace is also the kitchen table, so everything has to be taken down every night, or morning before my son can get to it. And I've had to re-solder a few of the wires attaching to the TCM AUD ports(they are really small) a few times, but they ohm out ok from the pins of the 7055 to the other end of the wire.
I also ended up using a car battery to power the TCM, it holds a rock steady 12.44V while connected. Either the AUD ports or the BasicStamp board seem to be really sensitive to voltage fluctuations and make the output all garbled. I'm thinking of trying to borrow a scope and see if the signals are getting to where they are supposed to be going.
-
If you need some help, let me know. I'm not a basic expert, but I've had to work in Visual Basic and Visual Basic .Net in the past. My experience is more attuned to C, C++, C#, Java/Javascript, etc. But if you do run across something odd, we might be able to figure it out.I did my fair share of basic (TI Basic, TI Extended Basic, Atari Basic, Atari Basic XL, GFA Basic, Waterloo Structured Basic) back in the 80s and early 90s... Since then, mostly C/C++, Java, Tcl/Tk, shell and a bit of javascript. I'm sure I could figure out PBasic, if it's based on Basic..
Hey yeah, great if you guys want to have a look at this and let me know what you think, that'd be great!
https://files.me.com/subarutech/2fhw4g - BS2 source code
You can find the development software here: https://www.parallax.com/tabid/441/Default.aspx
According to the activeboard forum where I found this code at, they only needed to read to address 0003:FFFF, I would like to read to address 0007:FFFF- does anything need to be changed in the source code to do this?
Another question I have is about the checksum, is the equation the same for any ROM? or are they different from ROM to ROM? or processor to processor?
-
I was looking back at this right now. Is PBASIC anything similar to a regular basic programming language? Or is this something completely different?
I believe so, I think Parallax tweaked BASIC for their needs and came up with PBASIC.
I remember taking a BASIC programming course way back when in high school, as far as remembering the syntax of it though, I'm at a loss. I realize I have A LOT of reading to do
Thanks
-
That does not look like code to me. Too many similar sequences of only a few byte values.
That's what I figured, I think the propeller chip felt sorry for me and just to get me excited, output something that looked like it could be code
Thanks for taking a look at it
-
Or grab a power supply out of an old PC. They have 5 and 12 VDC lines.I second that. A PC's power supply is regulated voltage to very tight tolerances. To power one on while you're working, short the green wire (ps-on) to any ground wire (black). Better yet, make a switch for it.
Keep in mind that some power supply units won't power on unless they have a decent among of draw on them. If that's the case, hook up a spare hard drive or old motherboard first.
If you think they're well regulated....well....yeah....you don't want to see the data I have. (A lot of them are trash)They'll work well enough for a car, as your car varies between 11.6V and 14.4V.
To turn on a power supply like that, you have to ground PS_EN pin. There should be a ground right next to it on a standard ATX connector. There shouldn't be any current draw issues, just make sure you pick the +12 rail. Most of them have at least 10-20A ratings, which should be fine with any development work this needs.
Or just tap it off a powered computer, Molex connector
Thanks guys, that's a great idea. I think I know someone with some spares.
I did try a smaller resistor on the RST line, but am still only getting 3.98-4V with the propeller activated. I also tried to retrace my changes with the source code to see if I couldn't get a repeatable output, but all I'm getting is 8's, 0's and C's (not in that order, and not in the same addresses)
I was poking around RR today and the post by Sasha_A80 about halfway down the page kinda worries me- 10th post down 1st page
http://www.romraider.com/forum/viewtopic.php?f=25&t=5825
Maybe this is all for moot anyways
I'll probably pick up a BasicStamp kit tomorrow and try this with that just for fun, if it doesn't work the BOE_Bot looks cool, and I could bet money that my 20mo old's toys are controlled by variants of these chips
Gotta start somewhere
-
I'm working with my stock TCM out of my 4EAT equipped 05 FXT. I have switched the transfer section of my stock trans which had a MPT clutch pack style to a VTD or planetary gear set out of a 07-08 FXT, much like the one in the 5EAT, if I remember right.
I was able to plug in a TCM from a 05 Turbo Baja equipped with sportshift and the VTD transfer section, with no repercussions, solving the issue of my front/rear wheel speeds not reading the same, and even was able to get the sportshift function working adding a few wires into the connector of the TCM harness and a crude pushbutton shiftbox- that's how I am able to play with the stock TCM.
Search MPT vs VTD at subaruforester.org, and it's all there, or I'm pretty sure I linked it in this thread earlier in the thread
I believe the Sh7055 was used in the ECM's of the 04 FXT and some WRX's as well, from the datasheet the ROM should be 512Kb
I did try to get EcuFlash to read the TCM on the bench, no go. Not sure if it's just an address change in EcuFlash that would enable that or not.
@utc_pyro, if you know PBASIC, maybe I should get a BasicStamp2 chip and board and try that instead- from the wiring diagram from the sportbike forum it looks much simpler than that of the propeller board.. no voltage reducing resistors on the AUDATA lines and no pull-up resistor to set AUDRST high.
In the forum link I posted above is the SPIN and PBASIC source code for the software they used to read the rom, the IDE's are available for free from the parallax website where the propeller and basicstamp chips are sold. I'll try to host them, as I can't attach a .txt file here
https://files.me.com/subarutech/xpnrph - BS2 diagram
https://files.me.com/subarutech/2fhw4g - BS2 source
https://files.me.com/subarutech/x6a6ki - propeller diagram
files.me.com/subarutech/iqcx8k - SPIN source code
They only needed to read to 0003:FFFF, according to the 7055 datasheet, the ROM occupies 0000:0000 to 0007:FFFF(this assumes that H'7FFFF= 0007:FFFF) If you could take a look at the PBasic source code and let me know what would need to be changed, if anything, to read that much of the ROM space that would be great.
the 7052 AUD section 17 and the 7055 AUD section 19 of the datasheets read word for word, so either of these methods should work. I think part of my problem is that for AUDRST to be set high it needs to see 4.5-5V which I am only seeing 4V, I wonder if I should try a smaller resistor to allow more voltage to get to the RST line to start the debug mode of the chip, also my power source is suspect as well, I'm using a car battery charger at the 2amp mode, the voltage varies between 10.5-12.5 volts according to the selectmonitor, if I set it to the 10amp mode, I see voltage spikes up to 15.5V, not sure if that's safe for the TCM or not. Either way Vcc is 5V on the TCM board. I'm also thinking of getting a amateur radio power source from Radio Shack.. should make the voltage signal really steady.
So if I run the propeller chip with the software posted on the ECUHack site I get this output on the hyperterminal:
Start...
00000000, error
After playing with the propeller board source code and making it impossible for it to see a bus error thereby ending the program, it spit out a bunch of bytes at me, kind of like a byte dump
for example:
Start...
00000000,000000FC,
00000001,000000FF,
00000002,000000FF,
00000003,000000FF,
00000004,000000FF,
00000005,00000008,
00000006,00000000,
I let it run all night, it went way after 0007:FFFF, so I'm not sure if what this is, is valid or not. I'll host that too
https://files.me.com/subarutech/qzlquw - possible byte dump of 05 FXT 4EAT TCM
the next day I decided to mess with the clk speed on the source code and changed some other stuff that I thought might help, but could not get the output to be repeatable, even after I loaded up the code that spit the above out.
All it would do is this:
Start...
00000000,00000000,
00000001,00000088,
00000002,000000CC,
00000003,0000008C,
00000004,00000088,
00000005,00000008,
00000006,00000000,
I even tried to get it to do a longword read and the byte at 0000:0000 would always be different, this is what makes me believe that I'm not getting the AUD to start correctly on the 7055 chip
Thoughts? Suggestions? Constructive Criticism?
I'll be the first to tell you that I am probably one of the last people on earth that should be trying to do this as I have no background in electrical engineering or programming, I was just hoping to get lucky. However, this stuff interests me and if I can learn something about the magic black box that controls the car, great! If it ends up being unsuccessful, then I'm no worse off than I was before and the magic black box can still be magic
-
Welcome back utc, I'd be willing to donate to the TCM hack fund if that's the route it takes.
I opened up my 4EAT TCM, and found 64f7055f40 on it, which leads me to believe that it is a SH7055 chip. Then I found this: http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=14206571
The thread is old, but they were able to read the memory off of 7052 chips using the AUD. I've bought a propeller protoboard and wired it up and have run it a few times, but can't get it to output anything unless I trick the software to never see a bus error, and then the output is not consistent.
Anyone familiar with SPIN, or PBASIC?
I've read the Hardware manual of the SH7055 and the AUD function is identical to what they have in the thread above, I'll start a different thread later and see if it can't be troubleshooted.
Thanks
-
I got it. I'm trying to figure out a program that can take that file and extract the raw rom from it. It's a lot bigger then the flash memory in the TCU, so I have to figure out what is the ROM.
How long does applying updates to transmissions take you all? I'm wondering if it's like ECUflash that only changed the parts that are needed, or if it dose a complete wipe and flash.
It takes much longer than ECUflash does to flash a car, but usually it writes the changes and then does another pass to verify the changes, but I believe that it wipes the rom and writes all new.
-
to utc_pyro: you have a pm, let me know if you get it, it never shows the messages I send in the sent folder, so I have no idea if it actually gets sent or not.
I've been meaning to take some pics of a spare 4EAT TCM that I have, but have to find the charger for the camera as my phone takes crappy pics
-
I'd be willing to install the resistor in my 05 OBXT, if you still need testers. How do you want it installed? parallel or in series? are you just looking for an increase in line pressure duty? I can get actual line pressures, but that may have to wait until later next week.
I also have an 05 Baja sportshift TCU, that I was going to try in my Forester to help with the wheel speed difference issue, I can take pics of it tonight. I have opened it up and does not look anything like the 5eat tcu pictured in the 1st post of this thread or the earlier 4eat tcu's of the SVX pictured on Phil's site
-
Anyone want to try it now?
<parameter id="P306" name="Beta - Front Wheel Speed" desc="" ecubyteindex="16" ecubit="7"> <address>0x000048</address> <conversions> <conversion units="km/h" expr="x" format="0" /> </conversions> </parameter> <parameter id="P307" name="Beta - ATF Temperature" desc="" ecubyteindex="16" ecubit="6"> <address>0x000049</address> <conversions> <conversion units="raw" expr="x" format="0" /> </conversions> </parameter> <parameter id="P308" name="Beta - Gear Position" desc="" ecubyteindex="16" ecubit="5"> <address>0x00004A</address> <conversions> <conversion units="gear" expr="x+1" format="0" /> </conversions> </parameter> <parameter id="P309" name="Beta - Line Pressure Duty Ratio" desc="" ecubyteindex="16" ecubit="4"> <address>0x00004B</address> <conversions> <conversion units="%" expr="x/2" format="0" /> </conversions> </parameter> <parameter id="P310" name="Beta - Lock Up Duty Ratio" desc="" ecubyteindex="16" ecubit="3"> <address>0x00004C</address> <conversions> <conversion units="%" expr="x/2" format="0" /> </conversions> </parameter> <parameter id="P311" name="Beta - Transfer Duty Ratio" desc="" ecubyteindex="16" ecubit="2"> <address>0x00004D</address> <conversions> <conversion units="%" expr="x/2" format="0" /> </conversions> </parameter> <parameter id="P312" name="Beta - Throttle Sensor Power" desc="" ecubyteindex="16" ecubit="1"> <address>0x00004E</address> <conversions> <conversion units="V" expr="x/45" format="0" /> </conversions> </parameter> <parameter id="P313" name="Beta - Turbine Revolution Speed" desc="" ecubyteindex="16" ecubit="0"> <address>0x00004f</address> <conversions> <conversion units="rpm" expr="x*32" format="0" /> </conversions> </parameter>That's based on NSFW's beta defs and the freessm defs.
I also pasted those values into the RR logger def .xml file, and they do show up in the table until the ECM connects then they are no longer there.
But, I did get my Vag-com cable in and can log my TCM in either vehicle, however I cannot adjust anything for my 4eat- bummer
I can reset the TCM and see live data, also with my 5eat, I am able to see live data and have the one adjustment that KYLegacy can get as well, the AWD correction adjustment.
I did try to register at beliOS to be able to post in their forum, but never received a confirmation email, and from about 20min ago, it seems like the site is down
Would the ROMid have anything to do with connecting to the TCM??
-
BIU? Hmm. Can we scan the CAN to see what commands it sends, and then send our own instead? :-)Easier said than done, I'm afraid...
would something like this work to scan the can lines?
-
I'm going to try that as on of my embeded systems class projects, but we'll see what happens.... I'm working to get these romradier deffs for the 5EAT working right now.
I'm working on converting that to XML
Very cool, were you able to find the init command to talk to the TCM then?
I have a vag-com cable on the way, but at this rate it might be ported over to RR before we know it. From the screenshots I see, it looks like freessm writes the changes to RAM or more like a realtime map like Cobb can to the ECU, is that right?
I think I can get the .pak file for the TCM update, would that be any use to anyone? The rom has to be in there somewhere, right?
-
Are you using the HEX+CAN cable or the KKL Vag-Com cable?
-
IT WORKS!!!!!!!!!!!!!!!! But, it looks like they don't have much information on the 5EAT. There are a lot of logging parameters but only one adjustment parameter. Take a look at the attached screen shots. Even though all of the values are in metric, the program seems easy to use. It recognizes the VAG COM cable immediately and it also connects right up to the car. I didn't have much time to mess with it (since I have company in from out of town) but I will definitely look into it later. Check these out and let me know your thoughts.
Oh, by the way, what is AWD Clutch Torque?????????????
Sweet!! looks like I need a vag-com cable:icon_razz
-
I was able to get a look at my wife's 05 obxt today with the ssm3. The cal id of her TCM is: MB436G
And the cal id of the reflash is MB436M
So it looks like I could reflash the TCM. I haven't done it yet, and not sure it would help the cause without some sort of monitoring device when it's being reflashed
Otherwise, what else would be helpful?
A datasheet for the processor chip? That would tell you what the pads are for to use a debugger? And/or the correct init command and address in the TCM to be able to talk to the TCM? Possibly you've made some progress over at RR?
-
Alright, so I tried the beta logger defs that NSFW posted, with the logger not connected to the vehicle I get most of the beta parameters listed- like this:
files.me.com/subarutech/q00bpw
Sorry, I'm lazy, and it's already midnight, so rather than convert the files to ones that the forum likes, it's easier for me just to host them on mobileme
With both my 05 OBXT 5AT and 05 FXT 4AT connected to the logger, only the beta A/F Correction #3 connects as shown here:
files.me.com/subarutech/u7zck5
So, I have the LV Comm logs from both cars if that helps decipher the bytes/bits here:
files.me.com/subarutech/41dfg4 - OBXT 5AT
files.me.com/subarutech/d0biq5 - 05 FXT 4AT
I really want to understand the posts above, but it's still a bit martian to me. If I get a few free hours someday, I may be able to begin to get it.
-
If could be very interesting to put a recording device on the OBD port during TCU operations. Plus whatever other neat tricks the SSM3 can do.
Does such a device exist? If one would need to be built, what components would be needed?
To utc_pyro: I tried to send a couple of PM's to you but not sure if they went through or not, as it does not show in the sent folder, can you PM me an email address, so I can send you some documentation
-
Ok, well the wiring diagram for the 5AT just shows all the wires going to a box(the valve body), but if you use both the TCM pinout and wiring diagram, you should be able to figure out which wire goes for what.
I'm about 30min- 1hr North of Chicago, IL, depending on traffic and how fast you drive:lol:
I've sent you a PM
B54 is white in color, ATF temp sensor 1 should be a white with green stripe wire at the TCM, sensor 2 is a light green with white stripe
-
connector B54 of TCM pin #2 = ATF sensor 1, measures temp of fluid in pan. should get approx 2.5V when fluid is approx 68deg F, approx 1V when fluid is 176deg F
Same connector of TCM pin #11 ATF sensor 2, measures fluid temp of torque converter outlet. 2.3V cold, .6V hot
Both sensors are attached to valve body
I have the TCM pinouts if anyone is interested, I'll try getting the wire colors later as both connectors to TCM are the same(05 Legacy anyways), will require more digging in service manual
Google: "techinfo subaru" and subaru's tech information site should come up. For a fee, depending on how long you want access, you can see service manuals and download pages. I can't remember if there's a download limit or not
Or let me know what you guys need, and I'll try to get it for you
I haven't been able to get the wife's car and the ssm3 in the same spot to check her TCM cal id. Would the program you are trying to use to scan for the TCM help if it can use the reflash?
-
Hmm. Didn't someone make a "shift-kit" for the 4EAT, where you can pick any gear you want at will with a joystick-like 4-position shifter?
All the shift kits, and stand alone control boxes that I can find are for the earlier 4EAT's without direct control valve bodies, mine has a direct control valve body, like the one in the 5AT
How new (or old) is the update? As in release date or something?Not sure how long the 05 flash has been out, but the 08-09 one has been out for at least a year if not longer, and there is only one update for each
They don't mention it unless you have issues related to what it fixes.Correct, if your car had a DTC that the reflash fixed in the TCU, they would flash the TCU
-
Also, check this thread out. It's 4EAT based, but he put a 10W 6ohm resistor parallel with the line pressure solenoid to boost pressure, I haven't done that yet, but am really thinking about it
http://www.subaruforester.org/vbulletin/f89/tc-lockup-mod-06-fxt-38281/
-
Well, if some one has a contact there familiar with the SSM III tool, I have a few questions that could help us... It's a $3000+ piece of equipment, so I dont think they'll be lending it to us. That said, they could tell us if any updates are avalibel for ANY of the TCU's. If we can find one that has an update, I can get the equipment to "sniff" the flashing of one. That will give us the ROM and how to flash it.
I can help you with this if your local dealers are unwilling.
There is a 5EAT update for the 05 LGT and OBXT for DTCs, none for 06-07, and there is one for the 08-09 LGT and OBXT for shifting issues. I wouldn't know how to get just those files, but if you have a sniffer program, that might work. However, you would only be able to reflash a TCM with an older Calibration ID, if the TCU that you are trying to flash with the update already has the latest calibration for that TCU, it will not flash it, but you may be able to get the access address.
My wife drives an 05 OBXT, I'll see if hers has the latest update.
I really need the 4EAT TCU hacked, I've installed a VTD center diff in my 05 FXT, it originally came with a MPT center diff, and the rear speed sensor now reads wrong because of different number of teeth on the sensor wheel. If I was able to procure a donor 4EAT TCU and followed the same steps that you've done in this thread, but in a different thread, would you guys be willing to help or at least point me in the right direction. I have no problem doing the footwork and reading and researching, but I have no background in this kind of stuff, and would most likely need help with the software end of things
Also did your class have a textbook? does it have an ISBN number? Or, can anyone recommend a book on assembly language, micro-controller programming? That I could try to wrap my head around.
Thanks
5EAT TCU Reverse Engineering
in Transmissions
Posted
Not sure if this helps much, but awhile back dschultz suggested using the RR test app to read a block of memory from the tcu. Starting at address 0x040000 for 1024 bytes.
Here is the raw data result of that read of an 05 OBXT 5eat:
I also have a java command line app that parses this text representation into pure hex format courtesy of dschultz, but still can't wrap my head around any of it. Reading a datasheet for a processor is one thing, understanding what I've read is quite another.