Project: 'ECU'

[clsmooth]

This is the other project I'd like to do to the bike; the part finally showed up today! Here again, with my experiment reasons...

Theory: There's no point in doing other mods if you can't control/adjust the fuel and/or ignition.

Reason: Cause it needs to be hacked, damn it!

I found a spare ECU for 30 GBP shipped, from a guy in the UK who was parting out an SR50 via eBay.



I've read the other posts on other people's plans on hacking the ECU. I've also shown this and the Aprilia Gameboy cartridge to my friend J, the smartest man I know. We tune fuel injected cars all the time, so this can't be that much more difficult. My own car as well is running on a Link+ stand alone engine management that we've tuned.

http://www.linkecu.com

I downloaded the service manual and showed him the wiring schematic for the DiTech, that due to the amount of sensors (or lack thereof) we agreed that the SR50 is considered "Just barely fuel injected"

So I showed J the Aprilia Gameboy cartridge...

Me: So this is what's used to connect to the ECU *pointing to the screen*
J: What the hell is that?
Me: For whatever reason, you need a Gameboy for it.
J: So... what exactly does it do?
Me: It can scan error codes and clear them... and load pre-done factory maps if you have a Gameboy you can connect USB.
J: So... it's a scantool ... ?
Me: Yes...
J: ...and how much is it?
Me: 230 Euro...
J: Well... fuck that shit.

So our motto now is, 'Fuck the Gameboy!' We're gonna do this Honda style. If it's 'barely' fuel injected, it should be a very simple design, with average to low-end computer components in the ECU.

By Honda style, we're going to de-saulder the main chip and saulder in a socket in its place. Our chip burner not only burns data onto chips but also reads data off of it. We're gonna make several copies of whatever maps' on there, and I also have the newer versions downloaded to, and see if we can make anything from the data.

Now... the hard part, where to find software that turns a fuel and ignition map into a .DCB file... hmmm...

Oh, and here's a side of the ECU no one shows. There's a rubbery cover siliconed (or something) to the casing to keep debris out. I predict it will not be fun, nor clean, taking that off.

[THE MAX]

Theory: There's no point in doing other mods if you can't control/adjust the fuel and/or ignition.

Thats no theorie but a fact .......but as long that aint happend we are stucked with the mod's

.

Oh, and here's a side of the ECU no one shows. There's a rubbery cover siliconed (or something) to the casing to keep debris out. I predict it will not be fun, nor clean, taking that off.

Did you actually read the 'techrat topic' ??

[clsmooth]

Did you actually read the 'techrat topic' ??

I haven't actually. I'm going to attack this with a clean slate...
But by the looks of that pic, I can tell that I'll be removing #8

[clsmooth]

I was able to bring the ECU itself by to that friend of mine today. And in the spirit of staying away from the Gameboy route, we did some searching.

Turns out the chip that we thought would be the one that holds the ROM wasn't. It's not the one refered to above, but actually the 4-side chip of doom that says Motorola on it. That chip can't be sauldered out...

So... how to write to the chip with it still in there... well, the Gameboy does it (with 3 wires), so it is possible.

We searched online, and found the datasheet for that chip. Although there are several variations of the chip, it's part of Motorola's 908 type design. The chip itself being MC58HC908AZ followed by a G or C. It's basically an 8-bit, 32kb chip. I joked saying that the ECU is based on cell phone technology and about as powerful as one

After more searching, we actually came across 2 devices that can program this chip. We found this first:

http://www.madeinchina.com/2743643/t...ogrammer.shtml

These things connect via the LPT1 port on your computer, and found one that was a serial connection, but ended up being useless. The socketed portion of that writer is too large for the chip in the ECU. The chip must first be sauldered or socketed onto a larger piece of circuit board. The writer's socketed part for the chip is about one inch sqaure and the chip in the ECU's about one centimeter square.

The other device, which I can't seem to find the link for at the moment was a box about the size of a VHS tape. My friend searched at his place and I'm back home now. I'll find out tomorrow or so how he found it. Some site name Vektor? Victer? Can't remember...

On one end of the box was an output for a 3-wire connector (like the Gameboy), and on the other was a serial cable. This box also came with software and claimed that the decompilers for these chips are available off Motorola's website for download. You could also buy this box off their site for about $60 USD and they were located somewhere in California, I think.

The software that came with it though, was very basic. So much so, it didn't do anything else but transfer information from computer to chip and back. It basically could send and write whatever data you choose to send to it, and read whatever's on it. You still need some soft of software to format your data correctly before sending it to the chip.

I showed J the updated firmwares that you can download and their different versions. They were all 256 KB in size. Not all the data could even fit on the 32 KB chip in the ECU. The rest of the data in those firmware files must be for the Gameboy. The key would be to isolate what's on the chip itself.

We based our theory on how Honda car's have been hacked. The first time the data was pulled off a Honda ECU, no one knew what to make of the data. Even when ran through a Hex reader (turning everything into that 1001FF801 type of data) people went through the process of trial-and-error until each part of the ROM was decifered. Thing is, that's only do-able now cause there's been 100 or so people working at it, worldwide, for that past 10 years or so. There's also quite a bit of a market for Honda's too.

For SR50's... not so much, and 32 KB of data is still a lot of text to go through. To do this on a trail-and-error basis would take an extremely long time. Even if the data was pulled straight off the chip, we wouldn't know what anyone would be looking at. If we changed something from, say 1001FF801 to 1001FF901 not knowing what it'd do, it might start, might not idle, might not run, who knows. He had a good point too, if we changed something and then the oil injector stopped injecting...

I brought up the question of how Molassi did it for their 70cc kit and we're pretty sure they didn't. They most likely have a deal with Aprilia to do it for them and paid them a lot of money, or have to pay them with each sale.

Personally, within a span of 30 minutes, I lost all motivation to continue on with this project. It's probably for the best as I don't feel like doing anything to this bike that would cause it to not be on the road. My ultimate goal in the future is a comfortable, 2-seater scooter I can safely take on the highway. I'm thinkin Piaggio MP3... but until the car's paid off the SR50's an excellent, quick gas saver. I might do some basic, bolt-on mods down the road and some cosmetic stuff, but I don't think I'll be doing anything requiring cracking the engine open to warrant modding the ECU. Oh well... more time to devote to Project: 'Exhaust' instead...

Conclusion: This method can only be accomplished by potentially risky trial-and-error, or breaking into Aprilia's manfacturing facility in Italy and acquiring their in-house created software that writes all this. Other options are a stand-alone or piggy-back engine management system... if you can find out for single cylinder 2-strokes...

Anyone want an ECU? The rubber's already off ...

[muchacho]

Can you get the data/programming of the ECU and pass it to me?

[clsmooth]

Can you get the data/programming of the ECU and pass it to me?

The data off the chip?

[muchacho]

The first time the data was pulled off a Honda ECU, no one knew what to make of the data. Even when ran through a Hex reader (turning everything into that 1001FF801 type of data) people went through the process of trial-and-error until each part of the ROM was decifered.

Give me the data so that I can get to this stage.

[clsmooth]

Give me the data so that I can get to this stage.

I'll find out what that 2 piece of equiprment was.

[muchacho]

If you are able to read the data on the chip, it would be a starting point to pull the data before and after running developer mode. The data should then be different. Also between different maps, I am thinking about the map that changed the fuel pump priming time. If you know that a certain change/input brings on a certain output, then that should be helpful as a starting point, for trying to understanding the programming code. Just a taught.

[clsmooth]

If you are able to read the data on the chip, it would be a starting point to pull the data before and after running developer mode. The data should then be different. Also between different maps, I am thinking about the map that changed the fuel pump priming time. If you know that a certain change/input brings on a certain output, then that should be helpful as a starting point, for trying to understanding the programming code. Just a taught.

Agreed. But 32 KB still require a lot of time and manpower to figure out which digit within 32 000 does what.

[muchacho]

Agreed. But 32 KB still require a lot of time and manpower to figure out which digit within 32 000 does what.

Just get information and I will try. I need the information.

[clsmooth]

Just get information and I will try. I need the information.

My friend told me he was just googling '908 programmer' and it came up. I've been googling variations of that and the number on the chip and all I seem to find is the LPT/Serial card thing. Yarrrr, it's driving me nuts...

[muchacho]

If you are able to read the data on the chip, it would be a starting point to pull the data before and after running developer mode. The data should then be different. Also between different maps, I am thinking about the map that changed the fuel pump priming time. If you know that a certain change/input brings on a certain output, then that should be helpful as a starting point, for trying to understanding the programming code. Just a taught.

Agreed. But 32 KB still require a lot of time and manpower to figure out which digit within 32 000 does what.

That's not a problem. I just need to get the program from both a restricted, de-restricted ECU and compare. It would be even better if I got the program from the malossi ECU in addition to the other two programs and compare that as well.

I can get a bunch of engineering and computer science students to mull over they will figure it out.

Give a thousand monkeys a thousand years and they will write the worlds greatest novel.

[williamr]

Techrat seems to have failed after a lot of effort - or at least given up.

Your chip burner can only change map and program data. What you're going to de-solder is the ROM - probably an EPROM or EEPROM, not the main chip (the cpu).

If you take a hex dump of the ROM content, and if you know the order code for the processor used and if you know the internal format of the dcb file, then you can decipher it. The trick is identifying the code segment and re-writing it in pseudo code so that you see what it's doing and how it accesses the map(s). The processor manual will explain the boot process, which will help you find the start of the boot code in the ROM. Be aware that this may include initial parameters for some of the cpu registers as well as code.

It'll take you a long time.

To write to the ROM while in situ, you initialse the cpu and use that to take the data from the GB and push it out to the ROM. You need to know how the ecu is built. It may well have a second ROM, like the BIOS on a pc to boot up the cpu. As it's a small simple job to control an engine it may hold all the operating code here and use the other ROM only as a MAP store. It may use the single ROM chip to hold boot, program and map, in which case the gameboy data will only be the map. and only overwrite part of the ROM chip. The chip can be removed from the pcb unless it's a bga mount. This is very unlikely. You just need good soldering skills and the right equipment to remove and replace fine pitch ics.

For the record, frequency hopping mobile 'phone technology is much more complex and needs much more processing power than any engine control system

Tip - the first hex byte at the beginning of the code segment will decode as an order code instruction. From the decode you'll know the instruction length. Go from instruction to instruction to instruction using the length of the previous one to get the start position of the next. The first byte of the instruction is usually the instruction code, depending on the processor used. It may take bits from the 2nd byte, or may only use 6 or 7 bits instead of all eight. Then write out the assembley level mnemonic for each instruction, including addresses, literals and register pointers. If you search Google you may be able to find a software disassembler for the processor chip being used. As the ecu S/W is proprietory, it may be encrypted, but you can't encrypt boot code.

2nd tip - you need the internal format of the .dcb file.

Rob

[muchacho]

Techrat seems to have failed after a lot of effort - or at least given up.

Your chip burner can only change map and program data. What you're going to de-solder is the ROM - probably an EPROM or EEPROM, not the main chip (the cpu).

If you take a hex dump of the ROM content, and if you know the order code for the processor used and if you know the internal format of the dcb file, then you can decipher it. The trick is identifying the code segment and re-writing it in pseudo code so that you see what it's doing and how it accesses the map(s).

It'll take you a long time.

Rob

I don't care... why wont people just give me the files so I can start failing?

I keep asking for these files and people just keep telling how long it takes. If I would have got them when techrat was working on this more than a year ago, I would have had that much time to let you know if it was looking hopeless.