utc_pyro

Opps, that's what I ment . I had been up almost 22 hours and was a bit out of it at time of posting.

Edit: If this is going to be done JTAG, it looks like there are OEM tools, but pricy.

M32100T-EZ-E

It's a bit over a grand. Maybe there is 3rd party support?

Also there is a chance the rom is "password protected" as seen here:

http://www.renesas.eu/support/faqs/faq_results/Q101901-Q102000/m32r_101982_en_GL.jsp

It might be possible to bypass that if we can inject code to read that address block via JTAG. Or if Subaru is lazy and uses the same "password" for all the roms, we can pull it from a '99 RS ECU rom. This one is also not an issue if there is a way to inject enough of our own code into the RAM to serve as the entire itnerface (how ECUFlash does it). I think it's just the factory (hatachi) boot-loader ROM serving as a flashing interface that actually cares.

I need to go read into the flashing via K-line done on the older drive by cable roms. Maybe it's simular.

Edit 2: Figured out what at least ONE of the other chips are. The small one right above the M32R microcontroller is a watchdog timer. The other one (that has it's own clock) is itentical to some on other ECU's. I have no clue what it does, they didn't mention what it does, so I'm going to stop looking at it. Not much of it's I/O goes to the main core any way.

Also this: http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=25151801

Other have stated that the CAN ECU/TCU's initilize in a simular way to each other.

And this shows the init stuff is about the same between the Subaru computers: http://forums.nasioc.com/forums/showpost.php?p=14204135&postcount=73

And the init code for the old 68HCXXX ECU's is in here some where: http://ecuexplorer.googlecode.com/svn/trunk/

It would be interesting to try sending the raw SSM commands directly, and studying the output directly. That would shed some light on whether it's the TCU or the test utility that's causing the weird responses.

I'm thinking it's the cable unless the program filters out responses until it sees "80 f0". I'll see if I can find something to send them with.

Any 2007 5EAT owners reading this? If so, does your car up-shift rev-match?

Looking at the list of TCU update files for the various 5EAT's, I noticed the Tribeca 3.0 '06 and '07 files were the same, but with an "A" and "B" suffix respectively. All of the '08-'09 files are the same file inside each model, so they appear to share the same ROM. Thus I wonder if the '07's have the older TCU, but updated to flash/respond via CAN. If so, pulling a '07 rom via CAN would help figure out the structure of the '05-'06 serial ROM's.

@utc_pyro: Nice try but ...

 

First you need to understand (standard) SSM/SSM2 addresses are sort of fake or virtual as they don't represent real hardware addresses the processor uses. Think of them like defined IDs. The ROM includes SSM subroutines that handle incoming SSM requests and generate a response packet.

 

Example: on most ECUs requesting byte at 0x00001C yields battery voltage (value/12.5 = volts).

Address/ID 0x00001C tells it what you want. So far I've seen the ROM code uses either redirection table or function table lookup to generate the corresponding answer byte.

 

The virtual SSM address space is limited as this thing needs extra space and there's a limited number of measuring blocks than it supports anyway. Rather new ECUs limit addresses to being smaller than 0x350. Older ECUs have smaller address spaces like 0x200 or 0x150 bytes etc. If you request addresses above the limit, you just get constant fake byte 'FF' for these. SSM2 over CAN would tell you an error, SSM over serial line doesn't tell errors, reporting fake content instead or ignoring the entire request.

 

Another thing: Block read command A0 may not work for standard range e.g. 0x000000..0x00034F like on my ECU. I only get FFs by doing this. I've also heard some people get inconsistent data. In that case you'll have to use (slow) A8 messages. Again, that's a deliberate limitation compiled into the ROM software.

 

 

RAM case exception: Specific to firmware/model some RAM ranges are allowed which map almost directly to hardware addresses.

Example for 32bit control units: an SSM2 address like 0xFF1234 is a RAM address, highest address byte is FF, far beyond normal address range. It will be translated internally to 0xFFFF1234 which now is a real 32bit hardware address the CPU works with. One can dump real RAM by A8 or better A0 commands with this but only from the ranges that the firmware code allows. Outside valid range(es) you probably get fake FFs again.

 

SSM message length in general is limited, too. Modern ECUs take up to 255 bytes limiting the number of data bytes one can request/get per single message. Older units may use smaller buffers.

 

I think with your fubar TCU responses there must be something wrong with your tool. If there's not even a valid response header you should not even touch the msg with a stick.

 

IMHO there is NO way you can dump ROM using standard SSM2 commands like 'A8' or 'A0'.

 

If you want to know inner workings of SSM2 protocol you can disassemble available ROMs and see for yourself.

 

Flashing/dumping ROM is a different story. Sniffing a flash is a good idea but Subaru dealer tools transfer all data in encrypted form.

 

Makes sense? Haven't played with a TCU yet but it seems same SSM principles apply.

NesCar, that makes sence. That's the cearist explination of how SSM handels the request that I've ever seen. Thanks for the detailed information. I guess I didn't read enough into SSM past that PDF that list the basic commands. I got the idea to use SSM to read the address from work on the late '90s roms that use the same M32R core. Apparently the flash memory was accessible over SSM starting at 0x700000 in those ECU's (it was remapped), and they were able to SLOWY dump the rom.

Any suggesting on how to get started on these serial cars with the M32R core? Am I just going to have to figure out the JTAG interface, or is there a know way to take the dealer .pak files and extract the ROM?

I guess CAN may be a little easier, but I dont have access to anything there to start with .

Just tap into it were the Subaru kit does. There is a port on the bottom of it. Check the service manual for were they talk about checking the pressure.

The only bad thing about the location is it's right on the bottom, so any road hits would rip it out, along with your fluid and possibly a chunk of the casing. Might be OK for short term testing, but I would not want to drive around like that in the long run.

Ok, the responses I'm getting from the TCU are STRANGE....

for example:

Sending A0 to 18 with payload of 4 bytes:
00 00 00 FA

Received 2000 bytes total, 1989 after subtracting echo, 1983 payload bytes.
Response packet:
43 FF 00 00 42 FF 00 00 41 FF 00 00 40 FF 00 00 3F FF 00 00 3E FF 00 00 24 00 00 01 01 00 00 00 10 00 00 00 01 00 00 00 01 00 02 00 00 00 02 00 04 00 02 00 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 18 00 02 00 1C 00 02 00 20 00 02 00 24 00 02 00 28 00 02 00 2C 00 02 00 30 00 02 00 34 00 02 00 38 00 02 00 3C 00 02 00 40 00 02 00 44 00 02 00 48 00 02 00 4C 00 02 00 50 00 02 00 54 00 02 00 58 00 02 00 5C 00 02 00 60 00 02 19 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 46 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 73 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 A0 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 CD 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 FA 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 27 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 54 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0

Response payload:
Header: 43
Dest: FF
Source: 00
DataSize: 00
Command: 42
Checksum: F0
Payload: FF 00 00 41 FF 00 00 40 FF 00 00 3F FF 00 00 3E FF 00 00 24 00 00 01 01 00 00 00 10 00 00 00 01 00 00 00 01 00 02 00 00 00 02 00 04 00 02 00 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 18 00 02 00 1C 00 02 00 20 00 02 00 24 00 02 00 28 00 02 00 2C 00 02 00 30 00 02 00 34 00 02 00 38 00 02 00 3C 00 02 00 40 00 02 00 44 00 02 00 48 00 02 00 4C 00 02 00 50 00 02 00 54 00 02 00 58 00 02 00 5C 00 02 00 60 00 02 19 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 46 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 73 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 A0 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 CD 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 FA 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 27 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 54 80 F0 18 FB E0 E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0 F0 18 FB E0

I'm getting different payload sizes for the SAME command. So ether the test software does not like what I'm doing of the TCU is finicky about things.

I'm also getting non-sencicle responses, like the following asking for the "SRF area"

Sending A0 to 18 with payload of 4 bytes:
80 00 00 7F

Received 148 bytes total, 137 after subtracting echo, 131 payload bytes.
Response packet:
07 07 02 01 07 07 07 07 07 05 07 07 07 07 02 07 00 E6 80 18 F0 06 A0 00 80 00 00 7F 2D 80 F0 18 81 E0 00 94 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 07 07 07 07 07

Response payload:
Header: 07
Dest: 07
Source: 02
DataSize: 01
Command: 07
Checksum: 07
Payload: 07 07 07 07 05 07 07 07 07 02 07 00 E6 80 18 F0 06 A0 00 80 00 00 7F 2D 80 F0 18 81 E0 00 94 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 07 07 07 07

So ether my cable is bad, laptop messed up, or there is other gibberish going on that is comfusing the program I'm using.

FreeSSM wont talk to my ECU, so it may very well be noise and the cable.

Another oddity (when it works), I'm getting diffrent data from indifidual address read request and block read request. For instance, here is the request for 0x000000 to 0x000007 one bite at a time:

Sending A8 to 18 with payload of 24 bytes:
00 00 00 00 00 01 00 00 02 00 00 03 00 00 04 00 00 05 00 00 06 00 00 07

Received 45 bytes total, 14 after subtracting echo, 8 payload bytes.
Response packet:
80 F0 18 09 E8 00 AB FE 20 31 00 00 00 73

Response payload:
Header: 80
Dest: F0
Source: 18
DataSize: 09
Command: E8
Checksum: 73
Payload: 00 AB FE 20 31 00 00 00

And here is is with a 8 byte block read request:

Sending A0 to 18 with payload of 4 bytes:
00 00 00 08

Received 26 bytes total, 15 after subtracting echo, 9 payload bytes.
Response packet:
80 F0 18 0A E0 FF 00 00 5E 00 00 00 00 00 CF

Response payload:
Header: 80
Dest: F0
Source: 18
DataSize: 0A
Command: E0
Checksum: CF
Payload: FF 00 00 5E 00 00 00 00 00

Doing it byte by byte is givng me the same thing as the ROM id and then a bunch of zeros .

Just got a hit on 0x18

Sending BF to 18 with payload of 0 bytes:


Received 68 bytes total, 62 after subtracting echo, 56 payload bytes.
Response packet:
80 F0 18 39 FF A6 10 22 AB FE 20 31 00 01 00 80 04 00 00 00 00 A1 46 2C 00 08 00 00 00 00 00 00 00 DC 06 00 0B 29 C0 04 7E 01 1E 00 3E 00 00 00 00 00 00 80 A2 00 00 FE FE 00 00 00 00 05

Response payload:
Header: 80
Dest: F0
Source: 18
DataSize: 39
Command: FF
Checksum: 05
Payload: A6 10 22 AB FE 20 31 00 01 00 80 04 00 00 00 00 A1 46 2C 00 08 00 00 00 00 00 00 00 DC 06 00 0B 29 C0 04 7E 01 1E 00 3E 00 00 00 00 00 00 80 A2 00 00 FE FE 00 00 00 00

Compare the payload with what FreeSSM's got for the ID and number of supported parameters.

http://legacygt.com/forums/attachment.php?attachmentid=91318&stc=1&d=1287286283

We got it, now to see if I can do a read block from the flash memory space.

Edit: Oldr subaru ECU's used the same M32R processor. They managed to make a bump, so I'll try based on what they did.

http://www.subiesmart.com/forum/index.php/topic,62.0.html

to utc_pyro: you have a pm, let me know if you get it, it never shows the messages I send in the sent folder, so I have no idea if it actually gets sent or not.

 

I've been meaning to take some pics of a spare 4EAT TCM that I have, but have to find the charger for the camera as my phone takes crappy pics

I got it. I'm trying to figure out a program that can take that file and extract the raw rom from it. It's a lot bigger then the flash memory in the TCU, so I have to figure out what is the ROM.

How long does applying updates to transmissions take you all? I'm wondering if it's like ECUflash that only changed the parts that are needed, or if it dose a complete wipe and flash.

Edit: DOH! I just realized how to pull the flash off this thing. The data sheet has the memory map. I just need to use that and this SSMIII tool that a generous member sent me to read the entire flash memory. Then I can decompile the damn thing, and see what we need to do to update the maps. That is if they don't block any address ranges. Does IDA Pro 4.9 support the M32R or do I need to shell out for IDA Pro 6.0?

If it works houw we think it does, it should be instant. It may be less of an effect then we think.

I'm working on getting a dump of an earlyer TCU. Both '05-'07 and '07+ have cores that support IDA.

That's just how the ECU figures out what gear it's in. It does not mess with the TCU at all.

Still cant figure out what that second controller is. I was thinking 78K0, but the Cristal is in the wrong place. Hum.... Do I2C flash memories normally have there own clock?

There's a bit of info here on the M32R.

jackpot

The 4 pads on the right of the JTAG are the real-time debug ports. Subaru/Hatachi left us most of the tools we'll need to get serrious with this thing.

I'd be willing to install the resistor in my 05 OBXT, if you still need testers. How do you want it installed? parallel or in series? are you just looking for an increase in line pressure duty? I can get actual line pressures, but that may have to wait until later next week.

In series for now. This is really a mod untill we figure out something else and long term as just a "budget" mod.

Well, I'll see if the wiring is still in place, if so what size resistor would you recommend? I think the code was High Duty Cycle Solenoid C or something along those lines.

If you can measure the resistance I can give you a suggestion. i dont have the wiring diagram on hand for the Forister, if you PM me a link I'll let you know a suggested value.

Guess what I found thanks to a tip:

http://www.renesas.com/media/products/mpumcu/m32r/m32r_ecu/32185/child_folder/e32185_pinar.pdf

Compare that to the pics in post 1. We got JTAG

My Torque table is maxed out at 400, again I can't tell if it really makes that much of a difference.

The 4eat has a direct input from the throttle, so you may be out of luck on that one. If you scale your torque request and throttle angle tabels up or down by 30% you could test if it changes anything.

On the resistor throwing CEL's, you might want to try putting one back in with a smaller value. If it was too high, the TCU will think the solonoid has failed. It works opposit of how you'd think, the less power going to it, the more pressure you get.

I'm fairly certain all you need to do is scale up your Requested Torque table in Romraider. It tells the TCU how much line pressure to apply at any given mph and rpm per reasonable and unreasonable trans fluid temp.

Give it a shot. Every one seems to cap out at 320(?) on the request torque, I've never seen someone take it higher*. I'm hesitant to going to 100% uncharted teratory with my only way to work .

With a stage 2 tune, scaling it up in the lower revs will probably help duribility. We have a LOT more torque down there than stock. Even if you dont go past 320, you'll get more pressure.

*I'm fairly new to all this, maybe someone tested this in the past?

Its ok, its not that expensive to do

Ill be delayed again cause I have to go to Colorado next week:redface: Unless I do it by the end of this week

Anyone else want to try it? Again, I'll make you a quick install one if you promis to install it within a few days of delivery.

So anyway good luck on the project, if you need donations i'd be happy to contribute!

There is enough funding in the fund still to cover more test equipment. We need someone that knows some one at Hatachi that can tell us what the heck the chips are.

though that said, if some oen chan crack open a newer forster TCU and post pics it could be helpful. Maybe they use some normal braded components?

I was looking at my SpartinIII board (FPGA running a microblaze core for a class I'm in), and NSFW's thinking it's a FPGA agin is looking quite possible. The smaller chip on the right only has a few wires going to the main processor, and nothing else. The layout is quite simular to flash arangment to program the FPGA on my devboard. If this is the case, it may take some one FAR smarter then me to take the bitstream and create a netlist. That or pay a reverse engineering house in China to take it, but I think Cobb would be the only ones with the budget to do that.

Oct bump!!

 

I kind of forgot about the resistor mod, Ill check and see if my local audio shop has one for cheap and may try it out.

 

A nabisco guy with 4eat said he was having cel with the ipt resistor (he had full ipt trans built) so ipt removed it and he said that made the most difference (that he can feel)

If you want to try it, I'll buy and ship you the resistor out of the TCU test fund.

PM me with shipping info and how agressive you want to go for. If you're hesitant on soildering I can prep it to be a quick cut-and-crimp install.

I've found nothing but I haven't finished scanning all the address and commands yet. I'm about 1/2 done.

A generous dev gave me a tool to rapidly scan SSMII a few months back. It just never worked well with my OpenPort 2.0. Just got my VAG-COM cable a few days ago, so I'll do a complete scan of it.

You don’t think it's the airbag computer do you? I have this strange fear of doing a sweep, hitting a command that’s mapped to “Fire” on the airbag computer. The video of Mazda firing off the airbags in those cars from the capsized ships a few years ago keeps flashing through my head…

Hi there!

I've got lots of experience in SSM2 (SSM for short as there are older SSM protocols too). I don't own a TCU model though.

I think to access the TCU, you'll just have to swap SSM destination address 0x10 (ECU) with 0x18 (seems standard for TCU). Everything else exactly or very similar to ECU stuff - the init, reading/writing addresses etc.

Makes sense to share most code, that's what FreeSSM appears to do. AFAIK it does everything using SSM, like dealer software or 3rd party diagnostic apps would do. No ROM flashing or what not!

AFAIK ECU and TCU are the only control modules speaking SSM. Other control modules speak protocols more difficult than SSM.

The main problem lies in definitions, what addresses to read (and write to make actions, adjustments, ...) and how to interprete. The control modules themselves don't provide any help except SSM-Init-Info. All apps need their own sort of database.

 

Here's some SSM-Init payload data I got from somewhere. According to

http://subdiesel.wordpress.com/2010/09/12/system-names-by-ssmid/

it's from an E-5AT:

[color=darkred][font=Verdana]A6 10 22[/font][/color][color=purple][font=Verdana]91 E0 20 74 00[/font][/color][color=black][font=Verdana] 01 00 80 04 00 00 00 00 A1 46 2C 00 08 00 00 00 00 00 00 00 DE 06 00 0B 29 C0 04 7E 01 1E 00 3E 00 00 00 00 00 00 80 A2 00 00 FE FE 00 00 00 00[/font][/color]

NesCar, 0x18 matches what some scans over on RR found. Do you know where the definitions used in FreeSSM were derived from? There is a TON of great info in the source code that appears well advance of anything but the SSMIII tool.

Hi, I am very interested in this thread.

 

A couple of years ago I cracked the SVX 4EAT TCU. Some of the details about how it works can be found on my website and there's more buried in various threads on the SVX World Network. I expect some of the control algorithms I've reverse-engineered will help with understanding the 5EAT. Most likely they used the 4EAT software as a starting point for 5EAT development.

 

I have done custom remapping on SVX TCUs for various people and it's certainly possible to improve upon the factory calibrations. IMHO it's much better to remap properly in software than try to frig the computer's inputs and outputs with resistors or other circuitry.

 

I not in a position to help with your project, other than to offer words of encouragement. But I'm very interested and will be following your progress. Keep up the good work.

 

Phil Skuse

http://www.alcyone.org.uk/ssm [/quote]

 

Wow, the ledged of TCU hackin. Your page has a TON of great info on it, and if you look at the documents for the 5EAT the shift maps look quite similar to the ones you found. They don’t go into much detail in that documentation as it is just ment for people fixing them, but the shape is the same.

 

The issues we’re facing for re-mapping are still early: What is the CPU? What type of co-processor/flash memory is that attached to it? What standard (if any) are those test points at the top of the board?

 

Unlike the ECU and the old TCU’s, Hatachi (or Urasia Jsecs) used a proprietary chip of some sort. It may be a rebranded FPGA, it may be an ASIC, or it might be as simple as an off-the-shelf Hatachi microcontroller with a different label

It must be a direct to TCU thing as Dschults stated... that kills RR support unless a Java dev wants to hack it in. I don't do well with Java....

What can you get to on 0x40?

Looks like I'm re-inventing the wheel.....

http://subdiesel.wordpress.com/2010/08/23/logger-definition-formats/

Looks like he drives a legacy though

http://translate.google.com/translate?hl=en&sl=de&u=http://www.motor-talk.de/forum/subaru-diagnose-software-t2104152.html&ei=JFmKTMvZOoWE8wT88LT_BQ&sa=X&oi=translate&ct=result&resnum=8&ved=0CDIQ7gEwBzgK&prev=/search%3Fq%3Dfreessm%2Bsubaru%26start%3D10%26hl%3Den%26safe%3Dactive%26sa%3DN

Are you going to build a custom RR Logger app with the TCU as the destination byte in the SSM read command (0x40 right)?

I think the data we can log is requested from the ECU from what I can tell in FreeSSM. I'm still trying to trace were the definitions are called through his code to see how the data string is used. Other commands (like setting the pressure) look like they talk direct to the TCU. I'm going to be putting some time in this weekend to try and get it going. This is a good C refresher any way.

Were did the get the 0x40 from BTW? I've not seen any one talk about it before....

Looking at his definition, they read something like this:

<< "9;5;0;1;00004B;;Line Pressure Duty Ratio;%;/2;1"

Translate those varibles into the RomRaider XML names....

<< "ecubyteindex 9offset by -7?);ecubit (offset by -1?);?;?;address;?;name;units;expr;?"

I dont know what the "?" are yet, but we can make some guesses.

If it does request the inf fromt he TCU directally (I dont think so, but key word is THINK) the first two "?"'s would be switches to change what it reads from. In his SSM commands file, he has a switch that changes the destination address to the TCU, but again I have not fully tranced how this is set. i've found were soem commands do it (like the ones to reset the TCu memory), but not on the "logger" yet.

Also, just looking at the above code snippet, the definitons may not be dead on scaling wise... I need to look into that. I have my VagCOM cable now, so I can see what it's doing tonight.

Anyone want to try it now?

               <parameter id="P306" name="Beta - Front Wheel Speed" desc="" ecubyteindex="16" ecubit="7">
                   <address>0x000048</address>
                   <conversions>
                       <conversion units="km/h" expr="x" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P307" name="Beta - ATF Temperature" desc="" ecubyteindex="16" ecubit="6">
                   <address>0x000049</address>
                   <conversions>
                       <conversion units="raw" expr="x" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P308" name="Beta - Gear Position" desc="" ecubyteindex="16" ecubit="5">
                   <address>0x00004A</address>
                   <conversions>
                       <conversion units="gear" expr="x+1" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P309" name="Beta - Line Pressure Duty Ratio" desc="" ecubyteindex="16" ecubit="4">
                   <address>0x00004B</address>
                   <conversions>
                       <conversion units="%" expr="x/2" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P310" name="Beta - Lock Up Duty Ratio" desc="" ecubyteindex="16" ecubit="3">
                   <address>0x00004C</address>
                   <conversions>
                       <conversion units="%" expr="x/2" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P311" name="Beta - Transfer Duty Ratio" desc="" ecubyteindex="16" ecubit="2">
                   <address>0x00004D</address>
                   <conversions>
                       <conversion units="%" expr="x/2" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P312" name="Beta - Throttle Sensor Power" desc="" ecubyteindex="16" ecubit="1">
                   <address>0x00004E</address>
                   <conversions>
                       <conversion units="V" expr="x/45" format="0" />
                   </conversions>
               </parameter>
               <parameter id="P313" name="Beta - Turbine Revolution Speed" desc="" ecubyteindex="16" ecubit="0">
                   <address>0x00004f</address>
                   <conversions>
                       <conversion units="rpm" expr="x*32" format="0" />
                   </conversions>
               </parameter>

That's based on NSFW's beta defs and the freessm defs.

BIU? Hmm. Can we scan the CAN to see what commands it sends, and then send our own instead? :-)

I'm going to try that as on of my embeded systems class projects, but we'll see what happens.... I'm working to get these romradier deffs for the 5EAT working right now.

<< "9;1;0;1;00004F;;Turbine Revolution Speed;rpm;*32;0"

<< "9;2;0;1;00004E;;Throttle Sensor Voltage;V;/45;2"

<< "9;3;0;1;00004D;;Transfer Duty Ratio;%;/2;1"

<< "9;4;0;1;00004C;;Lock Up Duty Ratio;%;/2;1"

<< "9;5;0;1;00004B;;Line Pressure Duty Ratio;%;/2;1"

<< "9;6;1;1;00004A;;Gear Position;gear;+1;0"

<< "9;7;0;1;000049;;ATF Temperature;°C;0=-60,1=-60,2=-51,3=-45,4=-40,5=-37,6=-34,7=-31,8=-29,9=-27,10=-25,11=-23,12=-22,13=-20,14=-19,15=-17,16=-16,17=-15,18=-14,19=-13,20=-12,21=-10,22=-9,23=-9,24=-8,25=-7,26=-6,27=-5,28=-4,29=-3,30=-2,31=-2,32=-1,33=0,34=1,35=1,36=2,37=3,38=3,39=4,40=5,41=5,42=6,43=7,44=7,45=8,46=8,47=9,48=10,49=10,50=11,51=11,52=12,53=12,54=13,55=13,56=14,57=15,58=15,59=16,60=16,61=17,62=17,63=18,64=18,65=19,66=19,67=20,68=20,69=21,70=21,71=22,72=22,73=23,74=23,75=23,76=24,77=24,78=25,79=25,80=26,81=26,82=27,83=27,84=28,85=28,86=29,87=29,88=29,89=30,90=30,91=31,92=31,93=32,94=32,95=33,96=33,97=33,98=34,99=34,100=35,101=35,102=36,103=36,104=37,105=37,106=37,107=38,108=38,109=39,110=39,111=40,112=40,113=41,114=41,115=41,116=42,117=42,118=43,119=43,120=44,121=44,122=45,123=45,124=45,125=46,126=46,127=47,128=47,129=48,130=48,131=49,132=49,133=50,134=50,135=50,136=51,137=51,138=52,139=52,140=53,141=53,142=54,143=54,144=55,145=55,146=56,147=56,148=57,149=57,150=58,151=58,152=59,153=59,154=60,155=60,156=61,157=61,158=62,159=62,160=63,161=63,162=64,163=65,164=65,165=66,166=66,167=67,168=67,169=68,170=68,171=69,172=70,173=70,174=71,175=71,176=72,177=73,178=73,179=74,180=75,181=75,182=76,183=77,184=77,185=78,186=79,187=79,188=80,189=81,190=81,191=82,192=83,193=84,194=84,195=85,196=86,197=87,198=88,199=88,200=89,201=90,202=91,203=92,204=93,205=94,206=95,207=96,208=97,209=98,210=99,211=100,212=101,213=102,214=103,215=104,216=105,217=107,218=108,219=109,220=110,221=112,222=113,223=115,224=116,225=118,226=119,227=121,228=123,229=125,230=127,231=129,232=131,233=133,234=135,235=138,236=140,237=143,238=146,239=149,240=152,241=156,242=159,243=164,244=168,245=173,246=179,247=186,248=193,249=202,250=212,251=225,252=241,253=264,254=300,255=373;0"

<< "9;8;0;1;000048;;Front Wheel Speed;km/h;*1;0"

<< "10;1;0;1;000057;;Low Clutch Duty;%;/2;1"

<< "10;2;0;1;000056;;ATF Temperature;°C;-50;0"

<< "10;3;0;1;000055;;Lateral G Sensor Voltage;V;/50;2"

<< "10;4;1;0;000054;;Air/Fuel Sensor #2 Heater Current;A;/10;1"

<< "10;5;1;0;000053;;Air/Fuel Sensor #1 Heater Current;A;/10;1"

<< "10;6;0;1;000052;;Manifold Pressure Sensor Voltage;V;/50;2"

<< "10;7;0;1;000051;;Rear Wheel Speed;km/h;*1;0"

<< "10;8;0;1;000050;;Brake Clutch Duty Ratio;%;/2;1"

<< "11;1;0;1;00005F;;Center Differential Indicate Current;A;/32;2"

<< "11;2;0;1;00005E;;Center Differential Real Current;A;/32;2"

<< "11;3;0;1;00005D;;AT Turbine Speed 2;rpm;*32;0"

<< "11;4;0;1;00005C;;AT Turbine Speed 1;rpm;*32;0"

<< "11;5;0;1;00005B;;Voltage Center Differential Switch;V;/51;2"

<< "11;6;0;1;00005A;;ATF Temperature 2;°C;-50;0"

<< "11;7;0;1;000059;;Load & Reverse Brake (L&R B) Duty;%;/2;1"

<< "11;8;0;1;000058;;High Clutch Duty;%;/2;1"

I'm working on converting that to XML. I cant figure otu what a few of his varibles are yet though, as I have not found the function that calls the definitions. My roomate has visual studios on his computer, I may try and load it into that.

The dev just has the full specks on SSM (or figured them out), he has not reverse-engineered the TCU to reflash it (the original intent of this thread, and what they did to the ECU). Thus, he can just get to what Subaru offers us without a flash.

The tool he provides is very similar to the VAG-COM tool the VW guys have. That tool can change some things via ODB-II and the VW protocol, but it cant flash or change the way the computers thinks. It's not ECU flash for the other computers in the car, it's closer to a SSMIII without the ability to flash.

Thus, all we're going to get is the same options the 4eat has but with a few more clutches. There isn’t a "shift time" parameter to change, that's more a function of the pressure going to the clutches at time of shift. Thus, increase the line pressure to each clutch, indirectly increase shift time. I think that's about all we're going to get out of this, but it should be a big help.

Romraider support is doable, but we should not push that with the dev. He made a tool for people to use, thus he probably prefers people to use it insted of hacking his stuff into another tool . It's open source though, you can open up his definitions files and it shows the SSM lookup command to read those parameters. Translate those into XML and you have RomRaider support. We can do that our selves, I actually have a rough beta on my hoem comptuer.

KY...also when you tell the car to upshift (manual mode), shorten the time when you tell it to upshift to when it upshifts.

 

That may live in the BIU instead of the TCU. The BIU reads the buttons and transmits the command to the TCU via high-speed CAN.

I can not find out what P/L stands for though....

That's the line pressure if I remember correctly The list I made is on another computer...

It shouldn't be that hard to modify the program to work with the 5eat. It's just a matter of updating the definitions. I'm not sure were the Dev got the info on how to adjust those values (the US SSMIII cant even do that!), but they probably are not that different for us.

An one email him yet?

Well, you could be a beta tester too :-)

Heh, I'm planing on it (for this one at least). I just have to wait for my cable to get here....

Like RIPjeep2002 said, if you can at least hook up and see if it talks it would be helpful.

Hmm. I have a TCU, and a cheap VAG-COM cable I bought off Ebay..

 

If only I had spare time..

Get on it man! I think we need to modify it a little to work with the 5eat, but you can be a beta tester .

We have more clutches then they have, and these settings are NOT in the SSMIII. Thus we may be a little blind here unless the Dev wants to support us.

I took a look at the valve body. there is nothing to indicate a certain kind of chip. Once I get back from my honeymoon I can perhaps risk taking it apart and seeing if I can put it back together without bricking it. And getting more pics for you. Perhaps. Turns out it's easy to take apart. I just don't know anything about it except what it does and generally how.

That black box in the middle is what we need for the electronics side. Should be fairly easy to crack open. For the Hydraulic side, we need the rest . (replying to post in other thread) It's probably best if you keep the valve body, as I wont have any way to trace the Hydraulic lines into the transmission to see where they go.

If there looks to be hope on messing with the stuff in the black box (need high-res pic of circuit board), you can send that to me to fiddle with. I'll send it back after I'm finished or can't get any where with it.

Congrats on getting married!