LegacyGT.com

5EAT TCU Reverse Engineering


utc_pyro


I got the test TCU in today, here is what I found with about an hour of looking:

 

http://legacygt.com/forums/attachment.php?attachmentid=83858&d=1271995095

Figure 1. Outside

 

http://legacygt.com/forums/attachment.php?attachmentid=83859&d=1271995095

Figure 2. Connector

 

http://legacygt.com/forums/attachment.php?attachmentid=83860&d=1271995095

Figure 3. Warranties are for wusses :lol:

 

Cracked the thing open, and this is the main board. It's just two layers from what I can tell, but it's extremely dense. I don't have the skills to even design something like this! Unfortunately they coated it in goo, making it rather hard to read the IC numbers.

 

http://legacygt.com/forums/attachment.php?attachmentid=83862&d=1271995095

Figure 4. Board top

 

http://legacygt.com/forums/attachment.php?attachmentid=83861&d=1271995095

Figure 5. Board bottom

 

On the left side are the MOSFETs that drive the solenoids inside the valve body. There are seven that appear set up to handle PWM output, one that is a "digital" on or off only (lower left) and one that puts out an analog output. The analog (I think) one is an Infineon BTS716G, and based on the 4EAT's diagrams, this would control the linear solenoid used to regulate pressure.

 

http://legacygt.com/forums/attachment.php?attachmentid=83863&d=1271995095

Figure 6. Output section

 

Now this is our main target: The controller. Unfortunately we have a small (Er, ok, BIG) problem.

 

http://legacygt.com/forums/attachment.php?attachmentid=83864&d=1271995095

Figure 7. WTF is this thing?!

 

I can't figure out what on earth they are using controller wise. I can't even find a reference to a "uJ" that makes anything.... Maybe Hitachi is using an ASIC for this thing? Any help would be appreciated here.... BIG TIME. I also can't figure out what the IC on the right does. It has its own oscillator, but it does not appear to have many lines going to the main controller.

 

On a good note, notice that right above the "WTF" chip are what appear to be programming ports!

 

http://legacygt.com/forums/attachment.php?attachmentid=83866&d=1271995095

Figure 8. Top of ports

 

http://legacygt.com/forums/attachment.php?attachmentid=83865&d=1271995095

Figure 9. Bottom of ports

 

But, again, this gets back to I need to know what the heck this thing is and get a Datasheet before I can get into it... Time to sweep SSM I guess.

 

Edit: Doh.... Ok, progress on the controller.

 

uJ = Unisia Jecs

 

Unisia Jecs = Hitachi Automotive Products, Ltd.

 

See here: http://www.romraider.com/forum/viewtopic.php?f=3&t=1139&hilit=hitachi

 

or this picture here (from an OLD Legacy GT):

http://i18.photobucket.com/albums/b141/PandaImpreza/IMG_1045.jpg

Note the icon in the upper left of the label? It's the same between them!

 

Now take a look at this thread, there is an ECU with a very similar controller:

 

http://www.romraider.com/forum/viewtopic.php?f=14&t=3740&p=37081&hilit=hitachi#p37081


Edited by utc_pyro

On the big chip, I read:

 

WA12212963WWN

436B100

 

Is that correct?

 

Google found 12212963 in Digikey's catalog. :)

Looks like it's an FPGA, and there's a datasheet...

 

http://parts.digikey.com/1/parts/586239-ic-spartan-xl-fpga-30k-208-pqfp-xcs30xl-4pqg208c.html

XCS30XL-4PQG208C

Datasheet(s) Spartan and Spartan-XL Families

 

And it looks like this package:

http://www.xilinx.com/support/documentation/package_specs/pq208.pdf

Edited by NSFW

NSFW, you have saved the day! My google skills failed and I was starting to think we would not get in. I just finished a grad course on VLSI and the Spartan 3, and the professor has some experience with FPGA security. Maybe he can help on this...

 

I wonder if there is a "digital" design in there or if they just implemented a processor + supporting hardware.

Edited by utc_pyro

NSFW, you have saved the day! My google skills failed and I was starting to think we would not get in. I just finished a grad course on VLSI and the Spartan 3, and the professor has some experience with FPGA security. Maybe he can help on this...

 

I wonder if there is a "digital" design in there or if they just implemented a processor + supporting hardware.

 

If I built a TCU, I'd just put a state machine in there. But I have very little experience in this stuff, so take that with a large grain of salt.

 

For those of you to whom this is all greek, here's why utc_pyro is optimistic: FPGA stands for Field Programmable Gate Array. And basically what you guys want to do is program your TCUs out in the field. Not all FPGAs are field-reprogrammable, but many are.

 

Those solder pads next to the FPGA are also promising. It's possible that those were only for development, and the FPGA in the car has been locked down, but it's also quite possible that OEM felt that burying the thing in a plastic case provided sufficient tamper-resistance, so utc can party on it once he figures out which pins are connected to those solder pads.

 

Almost makes me wish I had a 5EAT. :lol:

Edited by NSFW

If I built a TCU, I'd just put a state machine in there. But I have very little experience in this stuff, so take that with a large grain of salt.

 

For those of you to whom this is all greek, here's why utc_pyro is optimistic: FPGA stands for Field Programmable Gate Array. And basically what you guys want to do is program your TCUs out in the field. Not all FPGAs are field-reprogrammable, but many are.

 

Those solder pads next to the FPGA are also promising. It's possible that those were only for development, and the FPGA in the car has been locked down, but it's also quite possible that OEM felt that burying the thing in a plastic case provided sufficient tamper-resistance, so utc can party on it once he figures out which pins are connected to those solder pads.

 

Almost makes me wish I had a 5EAT. :lol:

 

Thank you for the translation!!! :)


If I built a TCU, I'd just put a state machine in there. But I have very little experience in this stuff, so take that with a large grain of salt.

 

For those of you to whom this is all greek, here's why utc_pyro is optimistic: FPGA stands for Field Programmable Gate Array. And basically what you guys want to do is program your TCUs out in the field. Not all FPGAs are field-reprogrammable, but many are.

 

Those solder pads next to the FPGA are also promising. It's possible that those were only for development, and the FPGA in the car has been locked down, but it's also quite possible that OEM felt that burying the thing in a plastic case provided sufficient tamper-resistance, so utc can party on it once he figures out which pins are connected to those solder pads.

 

Almost makes me wish I had a 5EAT. :lol:

 

 

All of this looks sexual to me.......i like it!!!!


Eh, this may be harder than first thought.... being an FPGA, I can't find any good tools for taking the existing config and turning it back into VHDL/Verilog that I can work with. It might be possible to get a gate-level netlist, but that's going to be hard to figure out and modify.

 

Second, I need to figure out what the chips to the top and left of the FPGA are. One is the memory that feeds the thing its config upon power up (I think), but I don't know about the other...

 

This is all possible, but it may be WAYYYYY past what I can do alone. I think I'm going to back off this portion at the moment and try to probe it with SSM. Hopefully I won't kill my car doing a "port scan" on the thing... (read into the SSM protocol, I need to sweep the "address" until I find the TCU)


How practical would it be to document all the I/O, and then write new control logic from scratch?

 

That's what I'm leaning toward right now, but I still need to figure out what those other IC's are.

 

Here are the biggest hurdles for a complete rewrite:

 

1) The 5EAT is a quite advanced transmission, getting it as good as stock will be difficult with nothing more than the service manual documenting the mechanical side of it.

 

2) The center diff is controlled by the TCU, its logic is not very well documented compared to the shifting logic.

 

3) The TCU talks to the ECU and BIU via CAN, so all of those functions will need to be simulated. On our side though, we can use OpenCores for a working CAN bus module.

 

4) Any progress with talking to the TCU via SSM will be lost.

 

5) User level flashing of the TCU will be risky.

 

That said, I'm sure I could program it to be one heck of a race transmission :lol:. Getting it to be civil around town is the hard part.


If I may chime in on what I have experience with what I consider a great tranny, the Aisin TF60-SN 6-speed. Torque converter is locked up by default unless it is overcome by torque. Stall speed is way low, something which is mechanical and not so much TCU, so we'll glance over that. Let's also pretend we are going to glance over the gear ratios which will come into play later on with some experimentation on our tranny, should the TCU reflash become a reality.

The transmission does not upshift if this would cause the revs to be below 2000 RPMs in city traffic. I have NEVER been under 2200rpms in traffic. EVER. This means that in town most of the time the car will be in 4th gear at most. 5th will kick in if you are cruising at a reasonable speed for a while, the same goes for 6th. I think the biggest improvement for sedate city driving would come from the tranny not making it a goal out of getting into 5th as fast as possible. If it is 45mph or less, hold 4th unless throttle position hasn't changed for a while. The biggest hurdle by far IMHO is being in 5th gear at 40mph, torque converter locked up, 1500rpms and you're squeezing the pedal trying to pass or accelerate. The car feels like it's freakin' neutered. This is one of the reasons I sometimes switch over to manual mode and I will stay in 4th gear for the majority of time when the limit on the street is 40mph.

Edited by fishbone

^^I agree. Also, I drive in manual mode most of the time, and hold 4th until at least 70mph. Anything less than that, with the torque converter locked up it feels like you have to hold the pedal in far to accelerate.

 

With that said, I am all for faster shifting, firmer shifting to save clutchpacks, but also would like the gears to hold a bit more before rushing to the next one, and possibly have the torque converter not lock up as quickly as it does. More than once I have had the torque converter lock up, only to unlock and the tranny downshift less than 5 seconds later. That irks me.


I think I can see how the turn on this thing came about: some wanting it to run in sloppy non locked mode at high rpm, some wanting it sharp, locked at all times, and low rpm.

 

I don't think this uses an FPGA, or at least not a Spartan XL. The pins don't match up quite right... I'm going to look into Hitachi MCUs to see if any happen to fit. Needs to be a 144-pin package and have CAN bus support. It looks like the numbers lining up was a fluke.

 

I think going after this from the SSM side will help us more. If a rom can be pulled during a flash, that can be forwarded to the software guys at openecu, romraider, or a tuning house. Subaru has an update for the '05 5eat, I just need to buy the $75 cd to get it.

 

edit: Pictures have NOTHING to do with this. For another user.


Edited by utc_pyro

nice. subscribed. this looks like it could get interesting. when i get some time, i'll try to look into the big chip...

 

have you determined what the IC on the right is?

 

my EE bone is itching for some action...


What is the CD called exactly?

 

J2534 Pass-thru Reprogramming CD-ROM

 

I just looked up what's in it, and I don't see any TCU updates at the moment. What I was thinking of was just ECU updates (already cracked)

 

when i get some time, I'll try to look into the big chip...

 

have you determined what the IC on the right is?

 

my EE bone is itching for some action...

 

NSFW found it to mostly match a part number on Digikey, but I'm starting to think it was just by chance. They do make a 144-pin version of the Spartan-XL, but the JTAG ports don't line up properly. If you can figure out what it is, or the two other ones next to it, let me know.

 

The other 44-pin IC has its own oscillator (~1/2 the frequency of the bigger one) and talks to the bigger between pin 20 and 36.

 

I need to find the pinout of this thing and trace the K-Line and CAN interfaces... That might lead to ID'ing the parts.

Edited by utc_pyro

you think someone like 'freadbeansparts' can help us? just saying because they are a dealership and they do sell some aftermarket/performance stuff. they could prob help us with the cables (excluding scan tool or whatever subaru uses) and any programming/information if they are generous. no harm right? the most you get is no.


Well, if someone has a contact there familiar with the SSM III tool, I have a few questions that could help us... It's a $3000+ piece of equipment, so I don't think they'll be lending it to us. That said, they could tell us if any updates are available for ANY of the TCUs. If we can find one that has an update, I can get the equipment to "sniff" the flashing of one. That will give us the ROM and how to flash it.

Well, if someone has a contact there familiar with the SSM III tool, I have a few questions that could help us... It's a $3000+ piece of equipment, so I don't think they'll be lending it to us. That said, they could tell us if any updates are available for ANY of the TCUs. If we can find one that has an update, I can get the equipment to "sniff" the flashing of one. That will give us the ROM and how to flash it.

 

When you show up at the dealer 20 minutes before closing, ask for the resident electronics guy, pull him aside, and offer cash and a case of beer for a "one-time" after hours thing, it's a win. When I worked in a shop, people would show up and ask small favors and we would turn them away. Smart people would offer to buy a $30 rack of beer and we would do A-grade work. Small money for how much you could learn from it.


Eh, this may be harder than first thought.... being an FPGA, I can't find any good tools for taking the existing config and turning it back into VHDL/Verilog that I can work with. It might be possible to get a gate-level netlist, but that's going to be hard to figure out and modify.

 

That was kinda my assumption as soon as I saw (if I was right) that this is an FPGA. The ECU tweaking that RomRaider and EcuFlash do is only possible because of a lot of time (largely Merchgod's) spent on reverse engineering.

 

I still think the part number isn't a coincidence, but I do wonder if Xilinx makes customized versions of their chips for customers like Unisia Jecs. That could really make this hard.
