subarutech77

Not sure if this helps much, but awhile back dschultz suggested using the RR test app to read a block of memory from the tcu. Starting at address 0x040000 for 1024 bytes. Here is the raw data result of that read of an 05 OBXT 5eat: 6003F000A00DC8AD1FCEF0006004F000A00DC8AD1FCEF0006005F000A00DC8AD1FCEF0006000F000A00DC8AD1FCEF0006001F000A00DC8AD1FCEF0006002F000A00DC8AD1FCEF0006006F000A00DC8AD1FCEF0006007F000A00DC8AD1FCEF00084ADD5082094610100E120046204F000A20DC8AD1FCEF00084ADD5082094610100E12004A10DC8AD1FCEF00084ADD5082094610100E120046206F000A20DC8AD1FCEF00084ADD5082094610200E120046201F000A20DC8AD1FCEF000A09DCAD06101F000B011000484ADD5082194620201E221046001F000A00DC8AD1FCEF00081ADD4CCA0BDD4B4B0900003A29DD4BCB082000260007F1EA0BDD4B8B0800009A2BDD4B0B082000260007F052091505EB0B0000260017F026000F0007F14F0002091505DB0B0000260027F112091505EB0B00009A09DC8B66202F000B0120006E401D1C42294F000A39DC88702437D0260027F07A0BDD4B0B09000032291525EB0A2000260007F026001F000A00DC8B31FCEF0002E7F2A7F297F287F8AADD4CCA99DC887A09DCAFF6101F000B011000269FF5918A09DC8B3B0900022A29DC80A6100F000A0CDC9F4FE0013D1188011895158511880C000FF01407C0362FF5218B0120004209A610200E1200A7F04F000209AF00080C0FFFD200AF000A29DC80A6100F000A0CDC9ECFE0013C11880595859185058501809407C0361FF5118F000B0110004209A610400E1200A7F04F000209AF00080C0FFFB200AF0007F4BF0006101F000B00100076102F000B0110025219A515EB0B10023219A515DB0A10021A29DC80A6100F000A0CDC9F8FE0013A8188011895158511880C000FF01407C0662FF5218B0020004229AF00082C2FFFD220A7F03209A610200E1200AA29DC80A6100F000A0CDC9ECFE0013991880595859185058501809407C0361FF5118F000B0110004209A610400E1200A7F04F000209AF00080C0FFFB200AF0007F23F000A09DC8B36102F000B0110020A29DC80A6100F000A0CDC9F4FE001385188011895158511880C000FF01407C0362FF5218B0120004209A610200E1200A7F04F000209AF00080C0FFFD200AF000A29DC80A6100F000A0CDC9F0FE0013751880595859185058501809407C0661FF5118F000B0010004219AF00081C1FFFB210A7F03209A610400E1200A209A505EB0A00006209A505DB0A00004209A610100E1200A7F04F000209AF00080C0FFFE200AF00028EF29EF2AEF2EEF1FCEF00083ADD4B082ADD4B4A09DC7E791F00084B001000991F00084B001000791F0008CB0010005E401D1C52194F000A09DC80700417D0260017F09E401D1C6219400417C04F000E601D1C7259605407D02F00060027F026000F00081C000FF6401F000B11400062493F00084C4FFFE2403640125B205E425227F0D6002F000B110000620936401I also have a java command line app that parses this text representation into pure hex format courtesy of dschultz, but still can't wrap my head around any of it. Reading a datasheet for a processor is one thing, understanding what I've read is quite another.

Bummer Thanks again dschultz

I've figured out how to change the address that I want to end at in the program. This is a snippet from the original code found on the ECU Hacking site. ' addr 0000:0000 - 003F:FFFF ' A28=0 A24=0 FOR A20 = 0 TO 3 FOR A16 = $0 TO $F FOR A12 = $0 TO $F FOR A8 = $0 TO $F FOR A4 = $0 TO $FIt needs to be changed to this to read to 0007:FFFF ' addr 0000:0000 - 007F:FFFF '2/26/11 changed comment to reflect ending address change ' A28=0 A24=0 FOR A20 = 0 TO 7 '2/26/11 changed 3 to 7 as I want to read to 0007:FFFF FOR A16 = $0 TO $F FOR A12 = $0 TO $F FOR A8 = $0 TO $F FOR A4 = $0 TO $FConfirmed by this thread: http://ecuhacking.activeboard.com/forum.spark?aBID=99460&p=3&topicID=22449760 The checksum part of the code, from what I can gather, is only for the file that the hexdump is outputted into, s-mot I believe(.s19 extension). It is only used to verify that the transmission has no errors, and is not actually part of the rom. I've had the BasicStamp set-up running, and have had some repeatable results... What are the odds that the ROM has a big chunk of FF's at the beginning of the ROM? Slim to none? Also, when it does seem to be running correctly, it takes a really, really long time for it to output to the hyperterminal. In the thread referenced above, they quote 90min for reading to H'3FFFF and 2 1/2 hrs to read to H'5FFFF. I had it running 6hrs straight and it only made it to 0000:09C0. Here's a link: https://files.me.com/subarutech/6eiyqi S214 is the header of the line, then there are 32 characters which are supposed to be the ROM, and then the last 2 digits are the checksum that the program uses for communication verification. I've checked my wiring from the 7055 pins to the breadboard of the basicstamp board and they all seem good. However, my workspace is also the kitchen table, so everything has to be taken down every night, or morning before my son can get to it. And I've had to re-solder a few of the wires attaching to the TCM AUD ports(they are really small) a few times, but they ohm out ok from the pins of the 7055 to the other end of the wire. I also ended up using a car battery to power the TCM, it holds a rock steady 12.44V while connected. Either the AUD ports or the BasicStamp board seem to be really sensitive to voltage fluctuations and make the output all garbled. I'm thinking of trying to borrow a scope and see if the signals are getting to where they are supposed to be going.

Hey yeah, great if you guys want to have a look at this and let me know what you think, that'd be great! https://files.me.com/subarutech/2fhw4g - BS2 source code You can find the development software here: https://www.parallax.com/tabid/441/Default.aspx According to the activeboard forum where I found this code at, they only needed to read to address 0003:FFFF, I would like to read to address 0007:FFFF- does anything need to be changed in the source code to do this? Another question I have is about the checksum, is the equation the same for any ROM? or are they different from ROM to ROM? or processor to processor?

I believe so, I think Parallax tweaked BASIC for their needs and came up with PBASIC. I remember taking a BASIC programming course way back when in high school, as far as remembering the syntax of it though, I'm at a loss. I realize I have A LOT of reading to do Thanks

That's what I figured, I think the propeller chip felt sorry for me and just to get me excited, output something that looked like it could be code Thanks for taking a look at it

Thanks guys, that's a great idea. I think I know someone with some spares. I did try a smaller resistor on the RST line, but am still only getting 3.98-4V with the propeller activated. I also tried to retrace my changes with the source code to see if I couldn't get a repeatable output, but all I'm getting is 8's, 0's and C's (not in that order, and not in the same addresses) I was poking around RR today and the post by Sasha_A80 about halfway down the page kinda worries me- 10th post down 1st page http://www.romraider.com/forum/viewtopic.php?f=25&t=5825 Maybe this is all for moot anyways I'll probably pick up a BasicStamp kit tomorrow and try this with that just for fun, if it doesn't work the BOE_Bot looks cool, and I could bet money that my 20mo old's toys are controlled by variants of these chips Gotta start somewhere

I'm working with my stock TCM out of my 4EAT equipped 05 FXT. I have switched the transfer section of my stock trans which had a MPT clutch pack style to a VTD or planetary gear set out of a 07-08 FXT, much like the one in the 5EAT, if I remember right. I was able to plug in a TCM from a 05 Turbo Baja equipped with sportshift and the VTD transfer section, with no repercussions, solving the issue of my front/rear wheel speeds not reading the same, and even was able to get the sportshift function working adding a few wires into the connector of the TCM harness and a crude pushbutton shiftbox- that's how I am able to play with the stock TCM. Search MPT vs VTD at subaruforester.org, and it's all there, or I'm pretty sure I linked it in this thread earlier in the thread I believe the Sh7055 was used in the ECM's of the 04 FXT and some WRX's as well, from the datasheet the ROM should be 512Kb I did try to get EcuFlash to read the TCM on the bench, no go. Not sure if it's just an address change in EcuFlash that would enable that or not. @utc_pyro, if you know PBASIC, maybe I should get a BasicStamp2 chip and board and try that instead- from the wiring diagram from the sportbike forum it looks much simpler than that of the propeller board.. no voltage reducing resistors on the AUDATA lines and no pull-up resistor to set AUDRST high. In the forum link I posted above is the SPIN and PBASIC source code for the software they used to read the rom, the IDE's are available for free from the parallax website where the propeller and basicstamp chips are sold. I'll try to host them, as I can't attach a .txt file here https://files.me.com/subarutech/xpnrph - BS2 diagram https://files.me.com/subarutech/2fhw4g - BS2 source https://files.me.com/subarutech/x6a6ki - propeller diagram files.me.com/subarutech/iqcx8k - SPIN source code They only needed to read to 0003:FFFF, according to the 7055 datasheet, the ROM occupies 0000:0000 to 0007:FFFF(this assumes that H'7FFFF= 0007:FFFF) If you could take a look at the PBasic source code and let me know what would need to be changed, if anything, to read that much of the ROM space that would be great. the 7052 AUD section 17 and the 7055 AUD section 19 of the datasheets read word for word, so either of these methods should work. I think part of my problem is that for AUDRST to be set high it needs to see 4.5-5V which I am only seeing 4V, I wonder if I should try a smaller resistor to allow more voltage to get to the RST line to start the debug mode of the chip, also my power source is suspect as well, I'm using a car battery charger at the 2amp mode, the voltage varies between 10.5-12.5 volts according to the selectmonitor, if I set it to the 10amp mode, I see voltage spikes up to 15.5V, not sure if that's safe for the TCM or not. Either way Vcc is 5V on the TCM board. I'm also thinking of getting a amateur radio power source from Radio Shack.. should make the voltage signal really steady. So if I run the propeller chip with the software posted on the ECUHack site I get this output on the hyperterminal: Start... 00000000, error After playing with the propeller board source code and making it impossible for it to see a bus error thereby ending the program, it spit out a bunch of bytes at me, kind of like a byte dump for example: Start... 00000000,000000FC, 00000001,000000FF, 00000002,000000FF, 00000003,000000FF, 00000004,000000FF, 00000005,00000008, 00000006,00000000, I let it run all night, it went way after 0007:FFFF, so I'm not sure if what this is, is valid or not. I'll host that too https://files.me.com/subarutech/qzlquw - possible byte dump of 05 FXT 4EAT TCM the next day I decided to mess with the clk speed on the source code and changed some other stuff that I thought might help, but could not get the output to be repeatable, even after I loaded up the code that spit the above out. All it would do is this: Start... 00000000,00000000, 00000001,00000088, 00000002,000000CC, 00000003,0000008C, 00000004,00000088, 00000005,00000008, 00000006,00000000, I even tried to get it to do a longword read and the byte at 0000:0000 would always be different, this is what makes me believe that I'm not getting the AUD to start correctly on the 7055 chip Thoughts? Suggestions? Constructive Criticism? I'll be the first to tell you that I am probably one of the last people on earth that should be trying to do this as I have no background in electrical engineering or programming, I was just hoping to get lucky. However, this stuff interests me and if I can learn something about the magic black box that controls the car, great! If it ends up being unsuccessful, then I'm no worse off than I was before and the magic black box can still be magic

Welcome back utc, I'd be willing to donate to the TCM hack fund if that's the route it takes. I opened up my 4EAT TCM, and found 64f7055f40 on it, which leads me to believe that it is a SH7055 chip. Then I found this: http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=14206571 The thread is old, but they were able to read the memory off of 7052 chips using the AUD. I've bought a propeller protoboard and wired it up and have run it a few times, but can't get it to output anything unless I trick the software to never see a bus error, and then the output is not consistent. Anyone familiar with SPIN, or PBASIC? I've read the Hardware manual of the SH7055 and the AUD function is identical to what they have in the thread above, I'll start a different thread later and see if it can't be troubleshooted. Thanks

It takes much longer than ECUflash does to flash a car, but usually it writes the changes and then does another pass to verify the changes, but I believe that it wipes the rom and writes all new.

to utc_pyro: you have a pm, let me know if you get it, it never shows the messages I send in the sent folder, so I have no idea if it actually gets sent or not. I've been meaning to take some pics of a spare 4EAT TCM that I have, but have to find the charger for the camera as my phone takes crappy pics

I'd be willing to install the resistor in my 05 OBXT, if you still need testers. How do you want it installed? parallel or in series? are you just looking for an increase in line pressure duty? I can get actual line pressures, but that may have to wait until later next week. I also have an 05 Baja sportshift TCU, that I was going to try in my Forester to help with the wheel speed difference issue, I can take pics of it tonight. I have opened it up and does not look anything like the 5eat tcu pictured in the 1st post of this thread or the earlier 4eat tcu's of the SVX pictured on Phil's site

I also pasted those values into the RR logger def .xml file, and they do show up in the table until the ECM connects then they are no longer there. But, I did get my Vag-com cable in and can log my TCM in either vehicle, however I cannot adjust anything for my 4eat- bummer I can reset the TCM and see live data, also with my 5eat, I am able to see live data and have the one adjustment that KYLegacy can get as well, the AWD correction adjustment. I did try to register at beliOS to be able to post in their forum, but never received a confirmation email, and from about 20min ago, it seems like the site is down Would the ROMid have anything to do with connecting to the TCM??

would something like this work to scan the can lines? http://intrepidcs.com/osc_store/product_info.php/cPath/37/products_id/130?gclid=CLWd-LSj16MCFRD75wodUVWVuA

Very cool, were you able to find the init command to talk to the TCM then? I have a vag-com cable on the way, but at this rate it might be ported over to RR before we know it. From the screenshots I see, it looks like freessm writes the changes to RAM or more like a realtime map like Cobb can to the ECU, is that right? I think I can get the .pak file for the TCM update, would that be any use to anyone? The rom has to be in there somewhere, right?