roadie08
Posts posted by roadie08
-
What method did you use to pull it?
Ecumem
Will try to do it in boot mode later.
If it's a Renesas, as Sasha wrote on RR, it should be easy to flash in boot mode.
-
I have posted the rom image at rr forum.
-
Just got a 2007 JDM LGT TCU.
Doesn't say UJ on this one. Will look at it more as soon as I have time.
M32R/ECU
M32176F4
31711AK570 on the cover. 2006/02-2007/04
http://i.imgur.com/3gKbo6Q.jpg?2
-
Reading through the entire thread just now, no one has cracked the requested upshift delay yet?
No, I don't think so.
-
Don't know if I'm getting it into boot mode correctly.
Power on -> pull MOD0 high -> pull RESET low
Then RESET should go high as in normal mode, but it does not. I can pull it high, but not sure if that's correct.
Any ideas?
-
Roadie: Are you digging into 91FE207100?
I have looked at the ROM in the WinOLS demo but don't understand the table layout...
Also trying to connect directly to the MCU in boot mode, but no luck yet.
-
Roadie, just curious as to what you found on the rom raider forums. What is it?
25A7C
I think it's where the SSM response message is put together.
-
One thing is that if we can identify where the unique address is for the ROM, we could use EcuFlash and view some stuff in there.
I think the ECU ID is at 802A to 802E:
0000802A .byte 0x91
0000802B .byte 0xFE
0000802C .byte 0x20
0000802D .byte 0x71
0000802E .byte 0
-
roadie, you have Ubuntu on any of your computers? For the life of me I cannot disassemble the .bins into plain text so we can read them.
I've looked at this website, which is an Evo forum, and they have already disassembled the code.
take a look for yourself and see
https://www.evolutionm.net/forums/ecuflash/564101-rom-disassembly-raw-text-file.html
Haven't tried that, but onlinedisassembler will probably have similar output.
-
Which CPU is it, so I know what I'm looking for? I'm going to see if I can find some hex editor that supports our CPU. So far I am able to open the files, but from there I don't know, since I know nothing when it comes to programming.
m32r
-
'05 USDM ROM is up thanks to the OP donors that bought the thing, ClimberD, and Sasha.
http://www.romraider.com/forum/viewtopic.php?f=40&t=13725&p=128168#p128168
Found some SSM commands: BF, A0, A8, B0, B8... and 81, 83, 27?
00026580 push lr
00026582 push R10
00026584 push R9
00026586 push R8
00026588 add3 R10, fp, #-0x2EF8
0002658C ldi8 R9, #0
0002658E ldi8 R8, #0
00026590 bl.s sub_266E8 || nop
00026594 ldub R0, @(4, R10)
00026598 ldi16 R1, #0xBF ; '+'
0002659C beq R0, R1, loc_265E0
000265A0 ldi16 R1, #0xA0 ; 'á'
000265A4 beq R0, R1, loc_265E0
000265A8 ldi16 R1, #0xA8 ; '¿'
000265AC beq R0, R1, loc_265E0
000265B0 ldi16 R1, #0xB0 ; '¦'
000265B4 beq R0, R1, loc_265E0
000265B8 ldi16 R1, #0xB8 ; '©'
000265BC beq R0, R1, loc_265E0
000265C0 ldi16 R1, #0x81 ; 'ü'
000265C4 beq R0, R1, loc_265E0
000265C8 ldi16 R1, #0x83 ; 'â'
000265CC beq R0, R1, loc_265E0
000265D0 ldi8 R1, #0x27 ; ''' || nop
000265D4 beq R0, R1, loc_265E0
000265D8 ldi8 R1, #0x10 || nop
000265DC bne R0, R1, loc_26680
-
Hooked up a spare TCU to see what would happen on the canbus.
http://i.imgur.com/EwEI9vC.jpg?1
Didn't expect this, maybe something was wrong. Had to select "listen only" in settings instead of "active" as last time in the car. Will have to try "listen only" in the car to verify. Period=0?
http://i.imgur.com/AYTlNmV.png
-
roadie, I think I had a little ah-ha moment. For the ID, it might be 410 because the hex values match the link I shared.
Yeah. I saw that the second byte at 410 was increasing while I accelerated.
-
Alright.
Will log the 42x IDs next time and try to find the TCU shift message bit for ignition retard.
-
Did some more canbus logging today.
Shifter P, D, R, N doesn't make any messages.
D
Shiftup 51482
Shiftdown 51484
Sportmode 51481
Shiftup 51483
Shiftdown 51485
Brakepedal 514808
Ecomode 514802
Anyone know the TCU's CAN ID?
http://i.imgur.com/6CxQD5D.png
-
Is that a connector that's just hanging there, or is it unplugged from the BIU?
Yep, it spat out something, but it didn't look like a valid ROM. I had the same results back in 2010/2011 when NSFW wrote a program that works the same way. They could have started at some odd point in the ROM and put something else in the first few pages of flash though; I didn't dig too far into it.
Yes, it is just hanging there. Look for twisted red and blue wires.
OK. I am interested in taking a look at your ROM when you get it.
-
Did you observe how changing calculated torque affected messages sent by 0x410?
Also, where did you tap into the CAN bus for your USBtin? Mine got here yesterday and I want to dig into the messages between the TCU and ECU.
CAN bus logger was not connected.
In my 2005 RHD JDM the CAN connector is next to the BIU.
White connector with red and blue wires.
Red=CANH
Blue=CANL
http://i.imgur.com/hJJvsCS.jpg?1
In newer cars it's probably in the OBD port.
Try what hadvw and pyro suggested. I'm curious what we can pull from that.
I will try, just need to find something that I understand in the ROM.
Thanks to ClimberD the '05 TCU in OP is currently on its way to Russia to have its ROM pulled so we can start picking at it.
Great.
Did you try to pull your ROM with EcuMem?
-
Any updates roadie? Just curious, since it has been quiet for the last few days.
No, haven't had any time for CAN bus logging lately. I will probably log all shift messages this weekend.
The only thing I have done is change the "Calculated torque" table. I feel a difference at part throttle, but it's hard to say if there is a difference at WOT.
Anyone getting anywhere with the disassembly?
-
I don't have SI/S/S#, but I have the beep when downshifting too fast.
Yes, the BIU sends the message directly. If you press the button it will generate shift messages as long as it is pressed.
When I shifted from my computer it was exactly as slow as from the BIU.
Need to find the CAN message input in the TCU ROM.
-
Yes, my lights were off!
I will log some downshifts later.
I think downshift starts with
51484 drive
51485 sport
-
Great info roadie08. So is each CAN message an upshift or was that just the data sent by the BIU (0x514) over some time period (including a shift)?
Looks like some of the frames have been deciphered already:
https://subdiesel.wordpress.com/ecu-analysis/can-messages/#x514
Also, I'm having a hard time figuring out those messages; they seem too long. Does the USBtin parse out some of the fields for you?
Yes, it's only upshifts when the button or paddle is pressed, and they look different from the ordinary BIU messages described on subdiesel. I haven't checked any other messages from the BIU yet.
I think the length is correct: 514 (sender BIU), 8 (the message is 8 bytes), 2000730048931500 (8-byte message).
-
Did some more CAN bus logging today.
D mode upshift starts with 51482
Sport mode upshift starts with 51483
Engine on, D mode
t51482000730048931500
t51482000730048931700
t51482000730008921900
t51482000730008921B00
t51482000730048911D00
t51482000730048911F00
t51482000730088911100
Driving slow in D mode
t514820007300C8A41D00
t514820007300C8A41F00
t51482000730088A31100
t51482000730088A31300
t51482000730008A31500
t51482000730008A31700
t51482000720088A81B00
t514820007200C8A31D00
WOT in Sport mode
t514830006F0008EB1300
t514830006F0008EC1500
t514830006F0008EC1700
t514830006F0048EA1900
t514830006F0048EA1B00
t514830006F0088EA1D00
t514830006F0088EA1F00
t514830006F0048D21B00
t514830006F0008D41D00
t514830006F0088CD1100
I copied one message and changed some of the last digits. It shifts at the same speed, but it was a copied message and I don't know what the last bytes are. Looks like some kind of timestamp, but I don't know if it is something more than that. I could only use one message for one shift, then I had to change some digit.
So, back to the disassembly of the TCU. Anyone had any luck?
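The USBtin lines quoted in this post are SLCAN text frames: a leading `t` for a standard 11-bit frame, three hex digits of ID, one hex digit of DLC, then two hex digits per data byte, which is why `t514 8 2000730048931500` splits the way the earlier reply describes. The following Python is an added example and not code from the thread or from USBtin: it parses those frames with the DLC check a sniffer should do, groups the 0x514 frames by their first data byte using the thread's working reading (0x20 for D-mode upshift, 0x30 for Sport-mode upshift, an assumption, not documented protocol), and reports how data byte 6 steps between consecutive frames, since the post guesses the trailing bytes are a counter or timestamp. The sample frames are copied from the post above; the mode labels and the byte-6 analysis are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit identifier
    data: bytes   # 0..8 payload bytes


def parse_slcan(line: str) -> CanFrame:
    """Parse one SLCAN 't' frame: 't' + 3 hex ID digits + 1 hex DLC digit + 2 hex digits per byte."""
    line = line.strip()
    if not line.startswith("t"):
        raise ValueError(f"only standard-ID 't' frames are handled: {line!r}")
    if len(line) < 5:
        raise ValueError(f"frame too short: {line!r}")
    can_id = int(line[1:4], 16)
    dlc = int(line[4], 16)
    if dlc > 8:
        raise ValueError(f"DLC {dlc} exceeds 8 on classic CAN: {line!r}")
    payload = line[5:]
    if len(payload) != 2 * dlc:
        raise ValueError(f"DLC {dlc} does not match {len(payload) // 2} data bytes: {line!r}")
    return CanFrame(can_id, bytes.fromhex(payload))


# Sample input: BIU (0x514) frames copied from the post above.
D_MODE_ENGINE_ON = """
t51482000730048931500
t51482000730048931700
t51482000730008921900
t51482000730008921B00
t51482000730048911D00
t51482000730048911F00
t51482000730088911100
"""
SPORT_MODE_WOT = """
t514830006F0008EB1300
t514830006F0008EC1500
t514830006F0008EC1700
"""

# Working assumption from the thread (not documented protocol): data byte 0
# tells a D-mode upshift request (0x20) from a Sport-mode one (0x30).
SHIFT_MODE_BY_BYTE0 = {0x20: "D upshift", 0x30: "Sport upshift"}


def frames_from_log(log: str) -> list:
    """Parse every non-empty line of a captured SLCAN log."""
    return [parse_slcan(line) for line in log.splitlines() if line.strip()]


def summarize(log: str) -> dict:
    """Group payloads by (CAN ID, byte-0 label) so the two request flavours are easy to compare."""
    groups = defaultdict(list)
    for frame in frames_from_log(log):
        label = SHIFT_MODE_BY_BYTE0.get(frame.data[0], f"byte0=0x{frame.data[0]:02X}")
        groups[(frame.can_id, label)].append(frame.data.hex().upper())
    return dict(groups)


def byte6_steps(log: str, modulus: int = 16) -> list:
    """Step of data byte 6 between consecutive frames, reduced mod `modulus`.

    The post suspects the trailing bytes are a counter or timestamp; this only
    makes the step size visible and makes no claim about what the byte is.
    """
    frames = frames_from_log(log)
    return [(b.data[6] - a.data[6]) % modulus for a, b in zip(frames, frames[1:])]


if __name__ == "__main__":
    for (cid, label), payloads in summarize(D_MODE_ENGINE_ON + SPORT_MODE_WOT).items():
        print(f"0x{cid:03X} {label}: {len(payloads)} frames")
        for payload in payloads:
            print("   ", payload)
    print("byte 6 steps (D):    ", byte6_steps(D_MODE_ENGINE_ON))
    print("byte 6 steps (Sport):", byte6_steps(SPORT_MODE_WOT))
```

On the quoted frames byte 6 advances by 2 every frame when reduced modulo 16 (0x15, 0x17, ..., 0x1F, 0x11), which is consistent with the "some kind of counter" guess in the post and is the kind of field a replayed frame would need to change, as the post found by trial.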
-
I have a Bluetooth OBD reader with the capability of sniffing the CAN system. Will try with one of my family's newer vehicles first to see, then I will try on mine. Do you think the car needs to run to see any data or no? It's right now out of commission, where I cannot turn or drive the vehicle because I need to rebuild the engine.
Edit: I tried with what I have and nothing is working. I have this exact OBD reader, with a Raspberry Pi 3 and my Windows 10 laptop. Anyone know of any free software to read any CAN bus codes?
Ignition on and the CAN messages will start.
Maybe it will work with SocketCAN?
In my 2005 the CAN bus wires are not connected to the OBD2 port.
-
Cool, looks like a CAN bus sniffer. But it also seems to have an "active" mode? Does that mean you could SEND CAN bus commands?
If so, rig up a button to send a shift command and see how fast the TCU responds.
I will
5EAT TCU Reverse Engineering
in Transmissions
Posted
Think I got my M32176F4V into boot mode correctly now.
Thought it would be UART TX/RX on SIO1 as in the Renesas manual, but I don't get any response.
Tried with the sync bytes and commands like the ufla32 program.
Also tried SIO3 and SIO0/K-line without any luck.