Page 8 of 10 FirstFirst 12345678910 LastLast
Results 141 to 160 of 186

Thread: Funny adventures in electrical engineering

  1. #141
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    Sparkie, do you ever plan to work on newer ECUs?
    I have factory tuned 1UZ VVTi ECU (1997-2000), it's still based on Toshiba 9000 series CPU, which is still mask ROM based, I believe (though I may be wrong here)
    The add-on board found in the ECU seems to have the Toshiba processor, two UV EPROM chips (one being removable) and a FPGA
    There's also a jumper which enables the CPU to run off ints internal memory
    I dumped both memories just incase
    The removable one is connected to FPGA and it seems to have maps only
    The fixed one's content looks more like some code

  2. #142
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    I'll work on anything!

    Put up some pictures, maybe we can figure it out. I'll go look up the toshiba 9000

    Also which EPROM memories does the computer use? the TLCS9000 series has a 16 bit wide data bus, so if those are 8-bit ROMs they are used in parallel and you'll need to interlace their data to get coherent code from it.
    Last edited by Sparkie; 01-14-2016 at 12:18 PM.

  3. #143
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    Quote Originally Posted by Sparkie View Post
    Put up some pictures, maybe we can figure it out.




    The ECUs of interest typically run a couple of 9000 series CPUs and one another CPU unknown to me
    Newer ECUs start to use NEC v850 CPUs with built-in flash
    Some 'transitional' ECUs would use NEC for a/t and Toshiba for fuel and spark

    Regarding the EPROMs on the add-on board, these are 27C1024 or 27S1024 can't recall exactly, by Hitachi, with 85 nS access time

  4. #144
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Allright, rad! the eproms are 16 bit, so no interlacing required.

    Can you get the actual part number off the micro? I can't make out squat on the chip. That would help reverse engineering the system. The CPLD isn't as important - they all do the same thing anyways.

    I would guess that the code eprom (fixed, right side) resides at the top of memory (where the interrupt vector table must reside) and the tables reside somewhere lower than that. They could be adjacent in memory or if someone needed to save money/CPLD space they could be located at large boundries (16MB for one, 8MB for the other? who knows).

    Pulling the code chip off and reading out the data would be a good start - it will make reference to table addresses outside of it's own scope and that's where the other eprom will reside.

    Is this board a 3rd party modification or a toyota thing?

  5. #145
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    Well the part numbers on the two "big" chips are grinded
    However I have a collection of photos for JDM ECUs of this type

    Such ECUs are not Toyota thing but rather a small-scale production of third party companies.
    Tom's , Blitz , Mines produced same looking board back in the days

    Interestingly, I have read somewhere on the web that earlier Tom's or Blitz add-on boards would use CPLD to encode/decode the address bus as a protection from reverse-engineering.

    This particular ECU outputs model # 89661-50450 over J-OBD interface, though its part # of the third-party company suggests that it must replace 89661-50522 unit
    According to some signs I can judge it's rather based on 89661-50450 unit, I can explain that in details later if that's important

    Anyway, all the CPUs that can be found in place of this add-on board begin with 97PW42AF
    Examples are
    97PW42AF-7349
    97PW42AF-7350
    97PW42AF-7352
    97PW42AF-E073

    I can work out more numbers later if it's needed

  6. #146
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    the TMP97PW42AF seems to exist, but there't not much information about specific features of the chip. Obviously its a TLCS-9000/16 series 16 bit microcontroller. you should be able to reverse engineer 50 to 75% of the pinout from the board given (pins that divert from the CPU to the CPLD/ROM are bus pins, etc) The datasheets i've checked for TMP95 micros should be pretty relevant with regard to peripheral configuration, though if past experience indicates anything it's that toyota got a few extra goodies crammed in there.


    Click image for larger version. 

Name:	tmp97.JPG 
Views:	361 
Size:	43.9 KB 
ID:	14725

    Other crackers were able to reverse 3rd party encryption by looking to a specific location where toyota stored the mask rom variant, which was written on the outside of the chip. just some brute forcing and the job was done. here we could still crack it with some knowledge of how the micro reads data from the ROM and chasing pins down.

    Before we go further lets talk about how comfortable you are cracking these computers: you got an oscilloscope and an eprom reader, breadboarding and basic PCB fabrication skills? if you were to desolder any of those chips would you be able to do so without damage and be able to reinstall them likewise? This kind of task is labor intensive and time consuming. Your profile indicates you're an engineer, I assume electrical?
    Last edited by Sparkie; 01-15-2016 at 01:45 AM.

  7. #147
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    Oscilloscope - yes, 2-channel, but it's only 20MSamples/sec, without storage
    Logic analyzer - 8channels, up to 20M samples/s
    EPROM reader - yes, I have already read the non-soldered chip, but I yet have to figure out how to undo the other one without damaging it
    It's filled with silicone so I can't unscratch it completely, and that's why I can't just undo it with hot air. In addition to that, I have no UV lamp so I can't reprogram these chips, though I can buy a bunch of OTP chips

    I will not be able to desolder any of the "big" chips (which I assume are 97PW42 and some CPLD), however I can source extra ECU in fine condition solely for testing purpose, and I can even send some ECUs over to you

    I can route PCBs in PCAD , and I have small experience with Altium. I only routed 2-layer PCBs so far though as my main activity relates to firmware creation and debugging

    I also have small experience in completely disassembling PIC18 code but of course it's way more simple than this CPU

  8. #148
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Boom! sounds like you're up to the task. Your logic analyzer will fill in the blanks where the scope lacks in storage (though very clever triggering setups can alleviate a lot of that)

    Quote Originally Posted by disco_cat View Post
    I also have small experience in completely disassembling PIC18 code but of course it's way more simple than this CPU
    Regardless of complexity it takes a special person to look at assembler and 1) keep looking at it, and 2) get something meaningful out of it.

    --- now all snuggles aside ---

    You should be able to remove the conformal coat around the code rom using a little bit of heat and acetone. pick at it with tweezers a little and it should peel up. Then you can use hot air to desolder the code prom and get it's goodies. I would recommend picking up a PLCC44 socket to solder down onto the board so you're not constantly soldering it. Once we have the code from it there wont be much reprogramming until we know what the ecryption is (none is an option) and what the instruction set is (should be tlcs9000) and finally disassembly (you know how long this takes).

    your reprogramming options are: ebay a chinese uv tank (I have one, it works):
    http://www.ebay.ca/itm/Ultraviolet-L...-/370641662641
    or use a M28F102 flash chip, which is a drop in replacement for the 27c1024.

    edit: also post an image of your table eprom to some file sharing site so I can have a look at it.

    edit: also that plastic frame around the micro appears to be held in with little more than wishful thinking. Can you pry that up and get a picture showing the trace connections in detail?

    last edit i swear: If you're keep on shipping one of these modded PCM's out to me we can arrange that in a PM. I'd love to have a look at it in person!
    Last edited by Sparkie; 01-15-2016 at 01:09 PM. Reason: cause I'm excited.

  9. #149
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    well I could only figure out that 28F102 's vendor is STM, and that it can be replaced with 29F102, no much luck after that moment

    PLC44 cradle: turned out extremely hard to find one with proper pin configuration (so it would fit the pcb). I placed order for one though. Plan to backup current firmwares to OTP memories and then mess with UV things

    The rest is in PM

  10. #150
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Looks like the code prom may even be a 27c2048, it has a A16 pin (NC on the 1024) connected that runs up into the uP area.

    for plcc sockets the newer SMT offerings solder down directly to the PLCC land pattern, so anywhere a PLCC did fit the new socket fits as well, try this one from digikey for instance:
    http://www.digikey.ca/product-detail...1CT-ND/1026500

    3 dollars and 11 cents (canadian!) well spent.

  11. #151
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Update: A source on the internet managed to scan some TMP97 / TLCS-9000 information for me and I have the files. With the data from that code chip we could move forward (slowly) on testing for encryption and identifying what the tables in the rom chip do.

    I also have a pinout for a qfp120 device so we can check the assignment of data lines from memory to CPU.

  12. #152
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    ok, sorry I can sometime response slowly due to my main activities
    Currently I'm waiting for the socket that I ordered from my local supplier
    Will try to read the other chip later this week

    p/s 1st chip's content is in PM
    Last edited by disco_cat; 01-19-2016 at 12:47 AM.

  13. #153
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    here's a pinout, trying to get the datasheets uploaded but work network wont let me.


    Click image for larger version. 

Name:	RMP97c241.jpg 
Views:	344 
Size:	183.2 KB 
ID:	14733

  14. #154
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    And here's the datasheets, courtesy of archive.org

    TMP97C241 microcomputer prelim. datasheet (20 MB)
    https://archive.org/download/tmp97c241/tmp97c241.pdf

    TLCS-9000/16 instruction set (232 MB)
    https://archive.org/download/tlcs900...00_instman.pdf

  15. #155
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    Wow that's already quite something!
    I'm temporarily busy with my main activities, but I still wait for the order of EPROM socket to arrive soon.
    I may be slow at reading the 2nd chip but I'll absolutely do that as soon as I have some spare time

    p/s looks like archive.org is THE place to look for the NEC upd76f00xx details

  16. #156
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Right on, take your time! this thread itself is 2 1/4 years old, there's no rush.

    I'll start poking around archive.org for the NEC information. I've also got the guys at datasheetarchive downloading the datasheets I uploaded so this information is starting to spread out.

  17. #157
    Join Date
    May 2006
    Location
    Campbell River
    Posts
    3,156
    Bringing this back becuase it's sweet. It should be moved to Tech reference IMO.

    Question:
    ITA (my yellow car) allows for aftermarket ECU and ECU tuning. Probably best to just buy a DIYPNP setup for $425 than try to correspond with you and tune the stock calculator, no?

    Also, Do you have injector deadtime values for the stock bluetop? That would be super handy!
    Last edited by clay72; 06-10-2016 at 08:55 AM.
    1JZ 1984 Celica GTS
    1UZ 1981 Corolla sedan
    ? 1972 Celica race car

  18. #158
    Join Date
    Nov 2012
    Location
    Brampton, Ontario
    Posts
    1,465
    Quote Originally Posted by clay72 View Post
    Probably best to just buy a DIYPNP setup for $425 than try to correspond with you and tune the stock calculator, no?

    Also, Do you have injector deadtime values for the stock bluetop? That would be super handy!
    probably, the bluetop PCM is rather limited, and I must be one of the few people still alive who enjoys programming it. The DIYPNP is going to give you tons more configurability at a easier entry point.

    for deadtime I've plotted/tabulated it in this post:
    http://www.dorikaze.net/showthread.p...228#post459228

    there's also a graphical timing map a few posts up.

  19. #159
    Join Date
    Jul 2016
    Location
    Rockwall Tx
    Posts
    8
    Sparkie, disco_cat, where are you all at on decoding the 1UZ ECU.. I have a 1999 SC400 that I would love to mod the ECU for better throttle response. Let me know where your at in the project.

  20. #160
    Join Date
    Jan 2016
    Location
    Russia
    Posts
    17
    MarkT
    ECU dead, putting effort to newer toyota/lexus models
    The ECU is like to have been dead all the time we tried to figure out how to go on with the firmware

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •