LegacyGT.com

5EAT TCU Reverse Engineering


utc_pyro


Welcome back utc, I'd be willing to donate to the TCM hack fund if that's the route it takes.

 

I opened up my 4EAT TCM, and found 64f7055f40 on it, which leads me to believe that it is a SH7055 chip. Then I found this: http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=14206571

 

The thread is old, but they were able to read the memory off of 7052 chips using the AUD. I've bought a propeller protoboard and wired it up and have run it a few times, but can't get it to output anything unless I trick the software to never see a bus error, and then the output is not consistent.

 

Anyone familiar with SPIN, or PBASIC?

 

I've read the Hardware manual of the SH7055 and the AUD function is identical to what they have in the thread above, I'll start a different thread later and see if it can't be troubleshooted.

 

Thanks


I've posted this question before, but does anyone here think it might be worth contacting the guy developing FreeSSM? Obviously he must have paved some way towards communicating with the TCU, or is the ability to program the thing radically different?

I've posted this question before, but does anyone here think it might be worth contacting the guy developing FreeSSM? Obviously he must have paved some way towards communicating with the TCU, or is the ability to program the thing radically different?

 

I tried sending him an email, pointing him to this thread about a year ago, but never heard back. However, it probably wouldn't hurt to try again..


What's the odds of asking Cobb Tuning about working on this if we are able to take up donations and provide some kickstart funding? Like others, it would be worth pitching in $200 to me to get TCU tuning capability (if it was on an AP or similar interface that would be even better). Does anyone have any contacts at Cobb, ie not just for a generic email request but someone that would at least listen to the proposal? In the end, I'm open to any effective tuning setup.

Edited by rubberman

What's the odds of asking Cobb Tuning about working on this if we are able to take up donations and provide some kickstart funding? Like others, it would be worth pitching in $200 to me to get TCU tuning capability (if it was on an AP or similar interface that would be even better). Does anyone have any contacts at Cobb, ie not just for a generic email request but someone that would at least listen to the proposal? In the end, I'm open to any effective tuning setup.

 

I pretend to be a decent businessman, so just doing a very quick number crunch, they will have to define 5 or 6 TCUs for the 05-09 crowd, in uncharted ROM logic territory, and trust me the logic is NOT very intuitive. Then they will have to write and push the firmware updates, and all 20 of us wanting to pay for it will have the typical Cobb partial list of definitions. People like Merchgod are working for Cobb, so it certainly can be done, but I cannot see how it will be worth their while, when they can instead put their resources to cracking the ECUs of new markets (more BMWs, etc.)

Front Limited Slip Racing Differentials for the 5EAT now available for $1895 shipped, please inquire for details!

ClimberD - I agree about the economics making this a long shot... the number of folks both interested in this & willing to donate $ is a big question. So how do we identify the demand, are we talking 20, 30, or more people willing to donate (perhaps a poll thread to get a rough idea)?

 

Assuming it isn't interesting for Cobb business-wise, then who else might be a candidate that funding would motivate? I saw over on nasioc that Grimmspeed was asking about potential interest in the Forester 4EAT tuning, maybe this is an opportunity?

 

I'm not trying to be a pita with all the questions, I'm just genuinely interested in seeing a solution. My future power upgrade plans are on hold pending this final TCU piece of the 5EAT upgrade puzzle. Since the IPT build fulfills the mech upgrade part...a combination of the TCU tuning and that could really open new doors for the 5EAT.

 

I'm a mechanical, so I don't play with electricity (isht that is invisible & bites is off limits) & I have zero programming expertise so this is just a hunch regarding TCU complexity (# of diff units to hack). There would be TCU unit differences, but logically there's probably majority similarities with subtle changes in the latter year models?

 

I'm already asking questions to various colleagues to see if anyone has contacts at an OEM level, i.e. Nissan, etc. since my company doesn't actively develop products for Subaru at the moment.


As time goes by, cracking the TCU becomes more and more of an esoteric project and the law of diminishing returns kicked in full speed the day the 2010 Legacy rolled out, from a business perspective. So at this point the best chance of it ever happening would be coming from a hobbyist, not a business. Cobb released AP for the Mini and BMW not long ago. They are stretched thin as it is.

Here's my position regarding this:

-if I was 15 years younger (just out of university), I'd be all over this project, trying all kinds of things to help this along (I'm a programmer). Of course, I probably wouldn't own an LGT either :lol: Demographic for the LGT seems to be a bit older, more established than, say, WRX...

 

-if I had embedded experience in this area, I'd contribute it

 

-learning all the embedded stuff might not be as hard as I think, but I'd rather OVERestimate the difficulty than promise stuff and never get anywhere..

 

-as it is, I'm a husband/father of 2 young kids (2 and 4), and while I'd pay $250-500 for a good shift control system, these days, time is at an absolute premium, even moreso than $$$ (this was NOT the case 15 years ago)

-I suspect there are several people in similar shoes: willing to pay, having skills that, while somewhat related, aren't an exact fit and don't have huge amounts of time to donate in order to improve the skills needed for this project

 

-I know that GIAC tuning reverse-engineered the Passat Tiptronic shift system a few years ago (see here: http://www.giacusa.com/programs.php?mpid=222 ). Perhaps we can pay them a few $K to do one for us?

 

Bottom Line: I'm VERY interested in a solution, and might be willing to kick in $200 to a fund (or pay more for a finished system), but I don't have time day-in, day-out to contribute to this. At least not without neglecting stuff that needs my attention much more. At the end of the day, my car still drives, and I NEED it as a daily driver.


Demographic for the LGT seems to be a bit older, more established than, say, WRX...

 

Speak for yourself ;)

 

But you are correct :lol:

 

 

 

 

BTW I want to say it now so false assumptions are not made later. I support this effort, and I hope this project brings success. But for the short term, for the sake of my needing a comprehensive solution soon, I am in the aftermarket stand-alone and piggyback TCU camp as well. This effort here with the stock TCU will be a better option once finished, and I do not want to distract anyone from pursuing stock TCU hacking. Have at it! :)


Welcome back utc, I'd be willing to donate to the TCM hack fund if that's the route it takes.

 

I opened up my 4EAT TCM, and found 64f7055f40 on it, which leads me to believe that it is a SH7055 chip. Then I found this: http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=14206571

 

The thread is old, but they were able to read the memory off of 7052 chips using the AUD. I've bought a propeller protoboard and wired it up and have run it a few times, but can't get it to output anything unless I trick the software to never see a bus error, and then the output is not consistent.

 

Anyone familiar with SPIN, or PBASIC?

 

I've read the Hardware manual of the SH7055 and the AUD function is identical to what they have in the thread above, I'll start a different thread later and see if it can't be troubleshooted.

 

Thanks

 

EPIC POST!

 

I have some PBASIC experience if you need help. If I can find the time this week I'll see if I can get at that bus with the bench/test tcu. I have a TI dev board I've been itching to use....

 

You may have done it ;)

 

I'm already asking questions to various colleagues to see if anyone has contacts at an OEM level, i.e. Nissan, etc. since my company doesn't actively develop products for Subaru at the moment.

 

That might be a good idea. Subaru is small, so they tend to modify off the shelf stuff. The ECU is a good example.

Edited by utc_pyro

I might have a connection at Renesas and a few other places (Tyco, etc), if there's a need for specific info that's not readily available. I work for Synopsys, and we sell our software to a bunch of the companies that make these chips...

Eh, we got a problem.... No AUD bus on the M32R (2005-2006), it's an NBD bus that may be disabled unless the program starts it up.

 

http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=22307899

 

That said, it might be possible to use the RTD bus to turn on the NBD bus. I'm looking right now if the pins to do this are wired out.....

 

subarutech77, That CPU is the one I think the newer cars use, and if we can hack it we might be able to get the "info" needed to get into the older ones via k-line. What year is it off?

 

The 2007-2009 guys: Go hit up the Germans, they found a way in via CAN ;). Coby should be able to implement this in ECU flash no problem, it's almost identical to how you get into the ECU. I don't have a way to test it so I can't support :(.

 

 

 

Update: The four pins on the right of the JTAG header are the RTD/NBD/serial flashing pins. Apparently the same block can be used for either function.

 

Update2: RTD cannot write to the control register for NBD directly. One could inject code via the RTD that goes something like this:

 

<injected code start>
Set <output pin> = 1 ; lets us know code has run, switch to NBD mode
Set interruptcontroller = off
Set H'E000004 = B'00000010
Set H'E000004 = B'00000000
Set H'E000004 = B'00000001
NOP for 20 cycles
Set H'E000000 = B'00000010
Set H'E000000 = B'00000000
NOP for 20 cycles
Set H'E000000 = B'00000001
End ; kills CPU execution, no need for it to run while we dump the flash
<end injected code>

 

Then just issue the commands via the NBD interface (what the RTD just became) to read out the flash.

 

To inject the code, one would need to get the TCU into a "stable" state where it's not changing the RAM out quickly (might freak out and do this on a bench), and then dump the contents of RAM. You'll need to decompile this and try to find where the CPU will execute code on a regular interval. Then just write in what you want and it's party time. You'd probably want to write in a "jump" command though, as if it hit this code before you got the entire thing in, it would crash.

 

Though, this is all MUCH easier said than done.....

Edited by utc_pyro

I'm working with my stock TCM out of my 4EAT equipped 05 FXT. I have switched the transfer section of my stock trans which had a MPT clutch pack style to a VTD or planetary gear set out of a 07-08 FXT, much like the one in the 5EAT, if I remember right.

 

I was able to plug in a TCM from a 05 Turbo Baja equipped with sportshift and the VTD transfer section, with no repercussions, solving the issue of my front/rear wheel speeds not reading the same, and even was able to get the sportshift function working adding a few wires into the connector of the TCM harness and a crude pushbutton shiftbox- that's how I am able to play with the stock TCM.

 

Search MPT vs VTD at subaruforester.org, and it's all there, or I'm pretty sure I linked it in this thread earlier in the thread

 

I believe the SH7055 was used in the ECMs of the 04 FXT and some WRXs as well; from the datasheet the ROM should be 512Kb

 

I did try to get EcuFlash to read the TCM on the bench, no go. Not sure if it's just an address change in EcuFlash that would enable that or not.

 

@utc_pyro, if you know PBASIC, maybe I should get a BasicStamp2 chip and board and try that instead- from the wiring diagram from the sportbike forum it looks much simpler than that of the propeller board.. no voltage reducing resistors on the AUDATA lines and no pull-up resistor to set AUDRST high.

 

In the forum link I posted above is the SPIN and PBASIC source code for the software they used to read the rom, the IDE's are available for free from the parallax website where the propeller and basicstamp chips are sold. I'll try to host them, as I can't attach a .txt file here

 

https://files.me.com/subarutech/xpnrph - BS2 diagram

 

https://files.me.com/subarutech/2fhw4g - BS2 source

 

https://files.me.com/subarutech/x6a6ki - propeller diagram

 

files.me.com/subarutech/iqcx8k - SPIN source code

 

They only needed to read to 0003:FFFF; according to the 7055 datasheet, the ROM occupies 0000:0000 to 0007:FFFF (this assumes that H'7FFFF = 0007:FFFF). If you could take a look at the PBasic source code and let me know what would need to be changed, if anything, to read that much of the ROM space that would be great.

 

The 7052 AUD section 17 and the 7055 AUD section 19 of the datasheets read word for word, so either of these methods should work. I think part of my problem is that for AUDRST to be set high it needs to see 4.5-5V, of which I am only seeing 4V. I wonder if I should try a smaller resistor to allow more voltage to get to the RST line to start the debug mode of the chip. Also my power source is suspect as well: I'm using a car battery charger at the 2amp mode, and the voltage varies between 10.5-12.5 volts according to the selectmonitor; if I set it to the 10amp mode, I see voltage spikes up to 15.5V, not sure if that's safe for the TCM or not. Either way Vcc is 5V on the TCM board. I'm also thinking of getting an amateur radio power source from Radio Shack.. should make the voltage signal really steady.

 

So if I run the propeller chip with the software posted on the ECUHack site I get this output on the hyperterminal:

 

Start...
00000000, error

 

After playing with the propeller board source code and making it impossible for it to see a bus error thereby ending the program, it spit out a bunch of bytes at me, kind of like a byte dump

 

for example:

 

Start...
00000000,000000FC,
00000001,000000FF,
00000002,000000FF,
00000003,000000FF,
00000004,000000FF,
00000005,00000008,
00000006,00000000,

 

I let it run all night, it went way after 0007:FFFF, so I'm not sure if what this is, is valid or not. I'll host that too

 

https://files.me.com/subarutech/qzlquw - possible byte dump of 05 FXT 4EAT TCM

 

The next day I decided to mess with the clk speed on the source code and changed some other stuff that I thought might help, but could not get the output to be repeatable, even after I loaded up the code that spit the above out.

 

All it would do is this:

 

Start...
00000000,00000000,
00000001,00000088,
00000002,000000CC,
00000003,0000008C,
00000004,00000088,
00000005,00000008,
00000006,00000000,

 

I even tried to get it to do a longword read and the byte at 0000:0000 would always be different, this is what makes me believe that I'm not getting the AUD to start correctly on the 7055 chip

 

 

Thoughts? Suggestions? Constructive Criticism?

 

I'll be the first to tell you that I am probably one of the last people on earth that should be trying to do this as I have no background in electrical engineering or programming, I was just hoping to get lucky. However, this stuff interests me and if I can learn something about the magic black box that controls the car, great! If it ends up being unsuccessful, then I'm no worse off than I was before and the magic black box can still be magic

Edited by subarutech77
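
One way to check captures like the two quoted above before treating either as a ROM image; this is an added example, not code from the thread or from the reader software it links to. The function names are made up here, the last line of RUN_1 is constructed, and the nibble check assumes each byte is transferred as two 4-bit values.

```python
import re

ROM_END = 0x7FFFF  # last ROM byte per the post (H'7FFFF = 0007:FFFF)
DATA_RE = re.compile(r"^([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8}),?$")
ERR_RE = re.compile(r"^([0-9A-Fa-f]{8}),\s*error$", re.IGNORECASE)

# Log lines as quoted in the post. The last line of RUN_1 is constructed,
# standing in for the overnight run that continued past the end of ROM.
RUN_1 = """Start...
00000000,000000FC,
00000001,000000FF,
00000002,000000FF,
00000003,000000FF,
00000004,000000FF,
00000005,00000008,
00000006,00000000,
00080000,000000FF,
"""
RUN_2 = """Start...
00000000,00000000,
00000001,00000088,
00000002,000000CC,
00000003,0000008C,
00000004,00000088,
00000005,00000008,
00000006,00000000,
"""
ERROR_RUN = "Start...\n00000000, error\n"


def parse_log(text):
    """Return ({address: byte}, [addresses that logged a bus error])."""
    data, errors = {}, []
    for line in map(str.strip, text.splitlines()):
        m = DATA_RE.match(line)
        if m:
            addr, val = int(m.group(1), 16), int(m.group(2), 16)
            if val > 0xFF:
                raise ValueError(f"{addr:08X}: {val:#x} is not a byte")
            data[addr] = val
        elif (e := ERR_RE.match(line)):
            errors.append(int(e.group(1), 16))
    return data, errors


def never_high_bits(data):
    # Assumption: bytes arrive as two 4-bit transfers, so a nibble bit that
    # is low across a whole capture suggests a signal problem, not ROM data.
    seen = 0
    for val in data.values():
        seen |= (val >> 4) | (val & 0xF)
    return [bit for bit in range(4) if not seen & (1 << bit)]


def assess(log_a, log_b):
    """Compare two captures of the same chip and summarise trust signals."""
    (a, err_a), (b, err_b) = parse_log(log_a), parse_log(log_b)
    common = sorted(a.keys() & b.keys())
    differing = [addr for addr in common if a[addr] != b[addr]]
    return {
        "bus_errors": sorted(set(err_a) | set(err_b)),
        "past_rom_end": sorted(x for x in a.keys() | b.keys() if x > ROM_END),
        "compared": len(common),
        "differing": differing,
        "never_high_a": never_high_bits(a),
        "never_high_b": never_high_bits(b),
        "repeatable": bool(common) and not differing,
    }


if __name__ == "__main__":
    for key, value in assess(RUN_1, RUN_2).items():
        print(f"{key}: {value}")
```

On the quoted lines the two runs disagree at addresses 0 to 4, and the second run never shows the two low nibble bits high, which matches the "8's, 0's and C's" pattern described later in the thread.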

I'm using a car battery charger at the 2amp mode, the voltage varies between 10.5-12.5 volts according to the selectmonitor, if I set it to the 10amp mode, I see voltage spikes up to 15.5V, not sure if that's safe for the TCM or not. Either way Vcc is 5V on the TCM board. I'm also thinking of getting an amateur radio power source from Radio Shack.. should make the voltage signal really steady.

Or grab a power supply out of an old PC. They have 5 and 12 VDC lines.


Or grab a power supply out of an old PC. They have 5 and 12 VDC lines.

 

I second that. A PC's power supply is regulated voltage to very tight tolerances. To power one on while you're working, short the green wire (ps-on) to any ground wire (black). Better yet, make a switch for it.

 

Keep in mind that some power supply units won't power on unless they have a decent amount of draw on them. If that's the case, hook up a spare hard drive or old motherboard first.


I second that. A PC's power supply is regulated voltage to very tight tolerances. To power one on while you're working, short the green wire (ps-on) to any ground wire (black). Better yet, make a switch for it.

 

Keep in mind that some power supply units won't power on unless they have a decent amount of draw on them. If that's the case, hook up a spare hard drive or old motherboard first.

 

If you think they're well regulated....well....yeah....you don't want to see the data I have. (A lot of them are trash)

 

They'll work well enough for a car, as your car varies between 11.6V and 14.4V.

 

To turn on a power supply like that, you have to ground PS_EN pin. There should be a ground right next to it on a standard ATX connector. There shouldn't be any current draw issues, just make sure you pick the +12 rail. Most of them have at least 10-20A ratings, which should be fine with any development work this needs.


Or grab a power supply out of an old PC. They have 5 and 12 VDC lines.

 

I second that. A PC's power supply is regulated voltage to very tight tolerances. To power one on while you're working, short the green wire (ps-on) to any ground wire (black). Better yet, make a switch for it.

 

Keep in mind that some power supply units won't power on unless they have a decent amount of draw on them. If that's the case, hook up a spare hard drive or old motherboard first.

 

If you think they're well regulated....well....yeah....you don't want to see the data I have. (A lot of them are trash)

 

They'll work well enough for a car, as your car varies between 11.6V and 14.4V.

 

To turn on a power supply like that, you have to ground PS_EN pin. There should be a ground right next to it on a standard ATX connector. There shouldn't be any current draw issues, just make sure you pick the +12 rail. Most of them have at least 10-20A ratings, which should be fine with any development work this needs.

 

Or just tap it off a powered computer, Molex connector :p

 

Thanks guys, that's a great idea. I think I know someone with some spares.

 

I did try a smaller resistor on the RST line, but am still only getting 3.98-4V with the propeller activated. I also tried to retrace my changes with the source code to see if I couldn't get a repeatable output, but all I'm getting is 8's, 0's and C's (not in that order, and not in the same addresses)

 

I was poking around RR today and the post by Sasha_A80 about halfway down the page kinda worries me- 10th post down 1st page

 

http://www.romraider.com/forum/viewtopic.php?f=25&t=5825

 

Maybe this is all for moot anyways

 

I'll probably pick up a BasicStamp kit tomorrow and try this with that just for fun, if it doesn't work the BOE_Bot looks cool, and I could bet money that my 20mo old's toys are controlled by variants of these chips

 

Gotta start somewhere


If you think they're well regulated....well....yeah....you don't want to see the data I have. (A lot of them are trash)

 

They'll work well enough for a car, as your car varies between 11.6V and 14.4V.

 

Not sure where you get your "data". :rolleyes:

 

PC power supplies can be exponentially more stable than any automotive environment. But as with any electronics, you get what you pay for. Still, ATX specification calls for no more than 5% fluctuation of voltage, which means 12V would be in the 11.4 to 12.6V range both idle and under load. So for any PC power supply to be sold as an ATX power supply (pretty much the most common type), it has to adhere to these standards within its rated load.

 

An el-cheapo model scavenged from a cheap case would be a POS, but still within this range. And a third-party power supply from say Seasonic, PC Power & Cooling (OCZ), Enermax, or top-end of the Asus line would be extremely stable. As an example, here's a review they did of the power supply I use in my PC: http://www.guru3d.com/article/pc-power-cooling-silencer-910-psu-review/7. This power supply hardly moved voltage at all when going from idle to load (about 0.1V change for 12V).


Not sure where you get your "data". :rolleyes:

 

PC power supplies can be exponentially more stable than any automotive environment. But as with any electronics, you get what you pay for. Still, ATX specification calls for no more than 5% fluctuation of voltage, which means 12V would be in the 11.4 to 12.6V range both idle and under load. So for any PC power supply to be sold as an ATX power supply (pretty much the most common type), it has to adhere to these standards within its rated load.

 

An el-cheapo model scavenged from a cheap case would be a POS, but still within this range. And a third-party power supply from say Seasonic, PC Power & Cooling (OCZ), Enermax, or top-end of the Asus line would be extremely stable. As an example, here's a review they did of the power supply I use in my PC: http://www.guru3d.com/article/pc-power-cooling-silencer-910-psu-review/7. This power supply hardly moved voltage at all when going from idle to load (about 0.1V change for 12V).

 

I work for a computer company. If you think 5% is all you'll see, you've got another thing coming. The consumer brands you quote are all commodity vendors, and their names mean nothing. The real names are companies like Etasis, Delta and Aztek to name a few.

 

Just because ATX calls for it does not mean everything behaves nicely. The brand names you list do not produce power supplies. They OEM them from one of the big vendors, and cost is a big concern. You have no validation that they can support the wattage they claim, or that they didn't underspec parts in critical areas.

 

Just as an example, I've seen power supplies (not mentioning vendor to protect the guilty) where the standby power was rated for a certain amount, but if you looked at the design, the parts were rated for half current required. This means that early power supply failure on 5v standby is/was common on that design. I'm in the server space, where things are far more expensive than the consumer.

 

Bottom line, for automotive, a PC supply will probably be fine for development, but don't think they're that accurate until you make your own measurements under idle and load. Also don't expect that in the consumer space you'll have any consistency between supplies, you pay a lot of money, and have to buy large quantities to get anything like that.


Decent power supplies ftw! I love my Enermax Modu82+ power supply.

 

The truth is, coming from a computer hardware engineer (EE) is this: virtually all consumer supplies are junk. You buy something that claims 25-50% more power than you need, and forget about it. Brand is almost irrelevant. Just make sure you get something with a big fan that doesn't sound like a jet plane.

 

All those fancy supplies are rolling the dice. Just get one that has the features you need (modular is nice to prevent extra cabling littering a build, low noise etc), and make sure it's the cheapest that meets your requirements. Any other money spent is wasted.
