/* ECU hacko-tech discussion */



v01d
01-15-2019, 03:30 AM
===== THIS THREAD IS NOT HOW-TO-FLASH ECU (With Guzzi or anything else), AND OFFERS NO HOW-TO STEPS, RELATED HELP =====
** IN FACT, ANYTHING YOU MAY HAVE READ HERE IF FOLLOWED, MAY BRICK / BURN / VOID YOUR ELECTRONICS ** (if not brain ...)

For how-to-flash Race maps & related, see GuzziDiag thread. Thanks.

@@ This thread is to have curious discussion of technical nature, about the RSV4 ECU : what's inside it, the external interfaces, communication protocols, etc ...
Topics may cover how GuzziDiag works, covering communication, and how the 'flashing' works, and what's being flashed. @@

I hope some people will join into the exploration... ('m bout crack open first ECU.. see ya ! :D )

Stretch
01-17-2019, 08:38 AM
Following - keen to find out what the command is to clear the internal fault counter/ can line data buffer

v01d
01-19-2019, 01:13 AM
Following - keen to find out what the command is to clear the internal fault counter/ can line data buffer

Lekka, we need more interested members here :P

plocky
01-19-2019, 01:24 AM
I'm very interested, been doing a lot of learning on the map part of the ECU. >> https://www.apriliaforum.com/forums/showthread.php?341800-Open-source-mapping-for-iawdiag-etc
I have not enough skill to know how the rest of the ECU operates or how to hack it as yet. I'm willing to learn though.:)

v01d
01-20-2019, 05:27 AM
I'm very interested, been doing a lot of learning on the map part of the ECU. >> https://www.apriliaforum.com/forums/showthread.php?341800-Open-source-mapping-for-iawdiag-etc
I have not enough skill to know how the rest of the ECU operates or how to hack it as yet. I'm willing to learn though.:)

Cool, nice to have someone with good understanding of maps and what they do to the engine. :)

v01d
01-20-2019, 10:41 PM
Did a quick scan through this :https://www.magnetimarelli.com/business_areas/powertrain/motorbikes/ecu

A (top-level) overview of primal functions of Marelli ECU for motorbikes. (It would have some marketing highlighters which are unnecessary (like SMD technology ("wow", bold it..)).)

If you are like me and never read it, it may be informative ...

(See any familiar ECU model? )

plocky
01-21-2019, 01:07 AM
Hahaha, I like the 'HGS' = 'Hand Gas Sensor' or as we call it Demand Sensor.;)

Interesting read, but just some basic hooha really.
Check your PM.

999Nocturne
01-22-2019, 06:47 AM
Hello, is there a way to customize the logo inside the map?

v01d
01-23-2019, 07:07 AM
Hello, is there a way to customize the logo inside the map?

999Nocturne,
Hey, that's a nice starter question to investigate, and, if it is inside the map binary, awesome.
Good idea ..
I know someone has done it, I've seen custom logo on the dash. ( I don't know if he will share how here, but if not we should get there too )
(edit: it was old dash type though, not latest or tft one)

EDIT: what I saw was a custom startup splash screen, not the "race" icon you might be referring to ... anyway

Gabro
01-24-2019, 12:49 AM
https://www.facebook.com/gabroracingteam/videos/950706028370671/

dtich
01-24-2019, 02:46 AM
well, the splash page for the magneti marelli site may be full of sales gibber jabber, but there are myriad fascinating things on their site. to me anyway. not knowing much about it all, it was very revealing to read the catalog, i didn't realize they make many of the engine control and fueling components likely used in aprilia engines. certainly makes sense.
https://www.magnetimarelli.com/sites/default/files/Catalog_MagnetiMarelli_2018_WEB.pdf
coincidentally, there's also a page for a video camera, which might explain why there's a video interface icon on the dash..?

plocky
01-24-2019, 02:58 AM
https://www.facebook.com/gabroracingteam/videos/950706028370671/
If I remember correctly, androidx did that for you by hacking the Dashboard software, yes?

Gabro
01-24-2019, 03:09 AM
Yep, Androidx is the dash-master :D

999Nocturne
01-24-2019, 09:26 AM
https://www.facebook.com/gabroracingteam/videos/950706028370671/

exactly what I wanted to understand.
I think the logo is in the dashboard firmware, and not inside the map.

v01d
01-30-2019, 01:53 AM
exactly what I wanted to understand.
I think the logo is in the dashboard firmware, and not inside the map.

Yea, would be weird if it's inside that firmware... Well, dash is another story. I would like to get a spare >17 dash to play with ...

v01d
01-30-2019, 02:05 AM
Ok, had a first look inside a '14 ECU I had. Not too much magic, and I struggle to find datasheets for components, which look mostly outdated.

ID'ed the main micro controller at least, family and close enough datasheet. Even on that model, I see no EEPROMs, I found none. If that's so, then any map read/write actually reads/writes the MCU's flash.
Judging at least by the dump size I did (but on incompatible later model ... ) with Guzzi, that's a pretty large file.. Which may be most if not all of the flash content. It would be strange if they would allow you to read/write entire thing.. (bah).

If there is no separate mem (and I haven't found one) for a 'map' (engine map), then it actually is inside the same flash memory with the rest of data and code. In principle, the MCU family contains an internal serial bootloader which allows you to write the entire thing.
( Which I wonder if that's how that weird ass K+L fiat comm proto works, for Guzzi. )

From what Paul was saying, that Guzzi is "safe" in terms of "bricking" ECU with wrong "map" file, I would say, likely that bootloader is in fact used. But if so, that's not a "map" file ... more like the whole damn image blob.
(That wouldn't be a safe design, so I may be seeing it wrong for now)
But also, in that "map" which Guzzi writes, I see something which looks like a boot signature.. Would need to scan it more

On the other hand I see something which looks like a secondary much smaller sub-controller, but I cannot ID it .. Will try some automotive groups, see if someone shares. They are all over web, again, dated, eBay china sales copies I guess, and alibaba.. But no fkn datasheet.

Next I would sniff on Guzzi talk I guess.

plocky
01-30-2019, 02:42 AM
There is an IAW7SM Eeprom tool, not sure what it reads or writes, I was going to play around with it next chance for some spare time in the shed, maybe you know enough to play around with it.
This link >>https://www.von-der-salierburg.de/download/GuzziDiag/IAW7SMEEPROMTool_V0.01.zip

Or; It's just below the IAW7SM writer on the GuzziDiag page. https://www.von-der-salierburg.de/download/GuzziDiag/

v01d
01-30-2019, 03:46 AM
There is an IAW7SM Eeprom tool, not sure what it reads or writes, I was going to play around with it next chance for some spare time in the shed, maybe you know enough to play around with it.
This link >>https://www.von-der-salierburg.de/download/GuzziDiag/IAW7SMEEPROMTool_V0.01.zip

Or; It's just below the IAW7SM writer on the GuzziDiag page. https://www.von-der-salierburg.de/download/GuzziDiag/

The main chip supports emulating (pretending to have) EEPROM, as I see, for flash read/write. I'm yet to discover one actual EEPROM on this board.

v01d
01-30-2019, 04:14 AM
Ok, as from Guzzi forum, they all (map files) are 704 KB. Ok, so that's same as my dump of the '17 ECU, exact size 704 KB (to be anally exact, 720,896 bytes on disk).
And that is 128KB short of full image dump, on my quick check ... I wonder if there are some juicy data details in those extra KBs :D
( Probably stores ECU local variables in that mem, just my guess ).

Now I guess I would need to learn something about OBD and the diag port that Guzzi uses. Does anyone know if read/write of ECU EEPROM is part of "standard" OBD ? (or whatever automotive protocol applies here .. ).

v01d
01-30-2019, 04:27 AM
...
This link >>https://www.von-der-salierburg.de/download/GuzziDiag/IAW7SMEEPROMTool_V0.01.zip
...


Great, need to see it. :cheers:

pauldayona
01-30-2019, 04:57 AM
In the 5am maps there is a text for display, that says something like "Superbike" or Hypermotard at the(Ducati) display. But this is primitive so they let that go for the 7sm. Now it only sends the signal to show the race logo on the dash over CAN. But that logo is available in the dash.

v01d
01-30-2019, 05:34 AM
well, the splash page for the magneti marelli site may be full of sales gibber jabber, but there are myriad fascinating things on their site. to me anyway. not knowing much about it all, it was very revealing to read the catalog, i didn't realize they make many of the engine control and fueling components likely used in aprilia engines. certainly makes sense.
https://www.magnetimarelli.com/sites/default/files/Catalog_MagnetiMarelli_2018_WEB.pdf
coincidentally, there's also a page for a video camera, which might explain why there's a video interface icon on the dash..?

Nice one, I need to check the camera out. Probably horribly expensive. I would really like cam footage with all that RSV4 data on it, or at least speed, throttle, gear, TC, etc ...

pauldayona
01-30-2019, 06:32 PM
The marelli racing department has nice things costing 10 times more than you think.

v01d
01-31-2019, 09:44 PM
Cool thing I can now read the map version from the binary dump file :) So don't rely on file name.

I would probably next see what I can get with that Guzzi eeprom reader .. Ultimately, one way I could dump the whole chip is with hardware flasher, but this is really crude, me thinks .. No one would like to crack open their ECUs.

v01d
01-31-2019, 09:47 PM
@Gabro, @pauldaytona :

Do you know what this chip is? Can you share info on it if you have? ( i hope you wouldn't mind really ..)

(Bunch of copy cats selling it on eBay, but it's so bad with these Chinese makers, they don't even know what they selling..)

374217

22div7
02-01-2019, 12:36 AM
Super interesting!

v01d
02-01-2019, 07:21 AM
Super interesting!

Yes me bruu, let's just not setup Ape ECU cloning in Gaguletu somewhere :D :D (just kiddin.. )

plocky
02-01-2019, 09:07 PM
There is an IAW7SM Eeprom tool, not sure what it reads or writes, I was going to play around with it next chance for some spare time in the shed, maybe you know enough to play around with it.
This link >>https://www.von-der-salierburg.de/download/GuzziDiag/IAW7SMEEPROMTool_V0.01.zip

Or; It's just below the IAW7SM writer on the GuzziDiag page. https://www.von-der-salierburg.de/download/GuzziDiag/


Great, need to see it. :cheers:

OK so I did the eeprom read; it's a 4KB hex file labeled anything-you-want.eep.

It has some interesting information in text strings & some unknown data.
The text strings give the ECU serial number, the bike's VIN number (this surprised me that it had my VIN inside).
Also has current map number & the author that loaded it (Wload1).

Happy to send it to you for your investigation, after I edit my serial & VIN for privacy. ;)
PM an email address & I'll attach it to reply.:)
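An added example, not part of the original posts and not code from the GuzziDiag tools: one way to list the text strings in a 4 KB EEPROM dump and blank the serial and VIN before sharing the file, as described above. The sample dump, its field offsets, the serial and the VIN are constructed; only the 4 KB size and the `Wload1` author string come from the thread.

```python
import re

# VIN shape: 17 characters, digits and capitals without I, O and Q.
VIN_RE = re.compile(rb"[A-HJ-NPR-Z0-9]{17}")

# Constructed values, not taken from any real ECU.
SAMPLE_SERIAL = b"ECU-SERIAL-0042"
SAMPLE_VIN = b"ZD4RKTEST1KS00001"


def find_strings(dump, min_len=4):
    """Return (offset, text) for every run of printable ASCII in the dump."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(dump)]


def redact(dump, secrets=()):
    """Overwrite VIN-shaped runs and each listed secret with 'X'.

    The length and every other byte stay unchanged, so offsets in the
    shared copy still line up with the private original. The copy is for
    reading only: any checksum the dump may carry is not recomputed.
    """
    out = bytearray(dump)
    spans = [m.span() for m in VIN_RE.finditer(dump)]
    for secret in secrets:
        # A value may be stored more than once, so blank every occurrence.
        spans += [m.span() for m in re.finditer(re.escape(secret), dump)]
    for start, end in spans:
        out[start:end] = b"X" * (end - start)
    return bytes(out)


def build_sample():
    """Constructed 4 KB dump: 0xFF filler plus a few text fields."""
    dump = bytearray(b"\xff" * 4096)
    fields = {
        0x010: SAMPLE_SERIAL,
        0x040: SAMPLE_VIN,
        0x080: b"MAPNUM-0000",   # constructed map number
        0x0A0: b"Wload1",        # author string mentioned in the thread
        0x200: SAMPLE_VIN,       # second copy, to show all copies are found
    }
    for offset, text in fields.items():
        dump[offset:offset + len(text)] = text
    return bytes(dump)


if __name__ == "__main__":
    shared = redact(build_sample(), secrets=[SAMPLE_SERIAL])
    for offset, text in find_strings(shared):
        print(f"0x{offset:04x}  {text}")
```

Running `find_strings` on the redacted copy before sending it is the check that nothing identifying is left, including values stored in more than one place.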

v01d
02-02-2019, 09:25 PM
OK so I did the eeprom read; it's a 4KB hex file labeled anything-you-want.eep.
....


Well that's interesting indeed. ( share on your g-drive as you did with other file ). As I still haven't found eeprom on the board, it could be inside that flash section that GuzziDiag does not dump. My guess is that's the section or part of it, emulated as if EEPROM, which is unique to your bike, and among the static/not changing data (like your vin, serials, etc) it could store the more juicy stuff like run-time stats like that race usage counter for example.

I do want to repeat your experiment on my bike's ECU too. ( I relate more to things like EEPROM reader, etc.. than a 'map' reader)

Side track question: why are these ECU dumps called 'map' files? I thought, because those are engine maps (I know very little of) , but looking as far as I did, these dumps seem not limited to these ignition (or whatever) engine maps only..

plocky
02-03-2019, 01:26 AM
I didn't set up that google drive, that belongs to Paul Daytona.
I've pm'd you my email address, so email me & I'll reply with the file.

Why called maps, don't know really, it's just what everyone has been calling them.
They mostly contain engine mapping (look up tables) & aPRC (look up tables).

pauldayona
02-03-2019, 11:14 AM
Side track question: why are these ECU dumps called 'map' files? I thought, because those are engine maps (I know very little off) , but looking as far as I did, these dumps seem not limited to these ignition (or whatever) engine maps only..

Maps might not be the correct definition, but everyone knows what you mean. The whole bin has more than the individual maps. The map part starts around 8FF62 in the 7SM bins. From that address the settings start, one time a complete fuel map, other time one bit settings, like lambda on or off.

fostytou
02-04-2019, 05:21 PM
coincidentally, there's also a page for a video camera, which might explain why there's a video interface icon on the dash..?


I guess the solution would be pretty common, but these look like the onboard non-360 cams that I saw last time I got to look at a MotoGP bike up close. I guess MotoGP uses Vislink for their video systems - though I'm not sure if that is just for transmission, a certain specific camera (like onboard 360), etc. These cameras could also be for other racing series or just a prototype to have so they can try to sell it.


Ok, had a first look inside a '14 ECU I had. Not too much magic, and I struggle to find datasheets for components, which look mostly outdated.

ID'ed the main micro controller at least, family and close enough datasheet. Even on that model, I see no EEPROMs, I found none. If that's so, then any map read/write actually reads/writes the MCU's flash.
Judging at least by the dump size I did (but on incompatible later model ... ) with Guzzi, that's a pretty large file.. Which may be most if not all of the flash content. It would be strange if they would allow you to read/write entire thing.. (bah).

If there is no separate mem (and I haven't found one) for a 'map' (engine map), then it actually is inside the same flash memory with the rest of data and code. In principle, the MCU family contains an internal serial bootloader which allows you to write the entire thing.
( Which I wonder if that's how that weird ass K+L fiat comm proto works, for Guzzi. )

From what Paul was saying, that Guzzi is "safe" in terms of "bricking" ECU with wrong "map" file, I would say, likely that bootloader is in fact used. But if so, that's not a "map" file ... more like the whole damn image blob.
(That wouldn't be a safe design, so I may be seeing it wrong for now)
But also, in that "map" which Guzzi writes, I see something which looks like a boot signature.. Would need to scan it more

On the other hand I see something which looks like a secondary much smaller sub-controller, but I cannot ID it .. Will try some automotive groups, see if someone shares. They are all over web, again, dated, eBay china sales copies I guess, and alibaba.. But no fkn datasheet.

Next I would sniff on Guzzi talk I guess.

I'm a little late to the party here but it is good to see you've gotten the whole ROM read! In the Mitsubishi Evo ECUs for the last couple of generations there were protected flash areas. The bootloader would only allow you to flash one area so that it was recoverable if something happened (much like 7SM writer appears to be). For flashing protected parts of the memory you'd have to remove the ECU and build a bench harness: https://www.evolutionm.net/forums/evo-x-engine-management-tuning-forums/485309-how-bench-ecu-w-pictures.html

I can't recall if it was the fact that it was connected in the CANBUS or just that you needed to provide voltage to a certain pin to allow the full write, however no one would do this flash with the unit plugged in to the vehicle. Aside from being recoverable for "normal" flashes it may be designed this way so something doesn't trigger in the ECU while the flash is occurring and break or fry a different module. Of course it also protects other things in other memory areas from being overwritten like learned timing chain stretch, VIN, country coding, etc etc. We'd need to bench to install on-the-fly switchable maps, live tuning, and a few other more advanced mods.

I'd guess we're in an era where we know EEPROMs are a quick vector to breaking into a chip - so system on chip with EEPROM emulation is probably the standard for modern ECUs now once they reach production. Even the old OBDII DSM cars only had an actual EEPROM for a year until they got wise to it. SOCs are probably also much cheaper and easier to prototype with these days.

pauldayona
02-04-2019, 05:42 PM
These ecu's are not made for lots of tuning. It takes a lot of time. If you have a race ecu you can alter things on the fly. Way easy on the dyno. Look at Motec. Or what is sold for racecars. But different price level. And too complicated for most here who.

it gets you to those things:

http://durbahn.de/Durbahn%20V2%20rebuild%20March%202007%20Pic2.jpg

Thosten Duhrbahn is not famous in Aprilia corner, but he did fantastic work on radical rebuilds that were much lighter than anything else. The website isn't maintained anymore. But documents a lot. Take some time to see what he has done: http://durbahn.de/Desmoweb.htm

v01d
02-09-2019, 09:29 PM
There is an IAW7SM Eeprom tool, ...

Cool, got to dump mine EEPROM off the Race ECU. So I can poke into my own file too.

plocky
02-10-2019, 12:42 AM
Cool, got to dump mine EEPROM off the Race ECU. So I can poke into my own file too.
Assume that was you that just sent me an email to load file to an RSV4_Tuono Google drive share? :confused:

fostytou
02-10-2019, 02:22 AM
These ecu's are not made for lots of tuning. It takes a lot of time.

That's definitely a big shortcoming for iawwriter vs other tools I've used. I'm not sure if it's an ecu feature but ecuflash will do a checksum on blocks of the Mitsubishi Evo map and only write changed blocks. So you still have to shut down the car but the flash takes about 10 seconds to initiate and about 30s or less to flash for small changes (fuel/timing). A full map read/write still takes 10-30 minutes.

It's a game changer for general tuning when you can make changes that quick and do another pull with everything warm though.

The next evolution of that was live tuning. Really amazing stuff from the disassembly guys on that one.

plocky
02-10-2019, 02:30 AM
Yes but the RSV4 is awesome without tuning, right. :burnout:

pauldayona
02-10-2019, 08:19 AM
That's definitely a big shortcoming for iawwriter vs other tools I've used. I'm not sure if it's an ecu feature but ecuflash will do a checksum on blocks of the Mitsubishi Evo map and only write changed blocks. So you still have to shut down the car but the flash takes about 10 seconds to initiate and about 30s or less to flash for small changes (fuel/timing). A full map read/write still takes 10-30 minutes.

It's a game changer for general tuning when you can make changes that quick and do another pull with everything warm though.

The next evolution of that was live tuning. Really amazing stuff from the disassembly guys on that one.

Well the idea is nice, but the 7sm (or other consumer Marelli ecu's) is not really made to read maps quick. We have to use a workaround to get maps read at all. So the idea would be to read a map first, compare to the upload map, and only write differences. That would take more time than now. You have to deal with communication speed that the 7sm dictates. Only thing to speed up, would be to write only the part where maps are, but that can only when writing the same map as what is in the ecu. And then to make it foolproof.
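An added example, not part of the original posts and not code from ecuflash or the IAW tools: the block-checksum comparison fostytou describes, run offline on two dump files, together with the check Paul raises, namely whether every difference lies in the map area so that the two files share the same base. The 4 KB block size and the use of CRC32 are assumptions; the 720,896-byte size and the approximate map start `0x8FF62` are the figures quoted in the thread, and the images are constructed.

```python
import zlib

IMAGE_SIZE = 720_896   # 704 KB dump size quoted in the thread
MAP_START = 0x8FF62    # "around 8FF62" per the thread, so approximate
BLOCK = 4096           # assumption: block size picked for illustration


def block_crcs(image, block=BLOCK):
    """CRC32 of each block; CRC32 stands in for whatever checksum a tool uses."""
    return [zlib.crc32(image[i:i + block]) for i in range(0, len(image), block)]


def compare(old, new, map_start=MAP_START, block=BLOCK):
    """Report which blocks differ and whether all differences are in the map area."""
    if len(old) != len(new):
        raise ValueError("images differ in size; they are not comparable block by block")
    pairs = zip(block_crcs(old, block), block_crcs(new, block))
    changed = [i * block for i, (a, b) in enumerate(pairs) if a != b]
    outside = []
    for off in changed:
        # Look only at the part of the block that lies below the map area;
        # the block straddling map_start is handled by the min().
        end = min(off + block, map_start)
        if off < map_start and old[off:end] != new[off:end]:
            outside.append(off)
    return {
        "changed": changed,
        "outside_map": outside,
        "bytes_to_write": len(changed) * block,
        # False means code or data below the map area differs as well, so
        # the files do not share a base and a partial update is not an option.
        "confined_to_map": not outside,
    }


def make_base():
    """Constructed stand-in for a 704 KB dump."""
    return bytes(range(256)) * (IMAGE_SIZE // 256)


def flip(image, *offsets):
    """Return a copy with the byte at each offset inverted."""
    out = bytearray(image)
    for off in offsets:
        out[off] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    base = make_base()
    tune = flip(base, 0x8FF70, 0x90000, 0x95000)   # changes in the map area only
    other = flip(tune, 0x1000)                     # also differs below the map area
    for name, image in (("tune", tune), ("other base", other)):
        r = compare(base, image)
        print(name, [hex(o) for o in r["changed"]],
              r["bytes_to_write"], r["confined_to_map"])
```

The comparison needs a trusted copy of what is currently on the ECU, which is the cost Paul points out: obtaining that copy means a full read first.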

fostytou
02-10-2019, 01:23 PM
Well the idea is nice, but the 7sm (or other consumer Marelli ecu's) is not really made to read maps quick. We have to use a workaround to get maps read at all. So the idea would be to read a map first, compare to the upload map, and only write differences. That would take more time than now. You have to deal with communication speed that the 7sm dictates. Only thing to speed up, would be to write only the part where maps are, but that can only when writing the same map as what is in the ecu. And then to make it foolproof.

It is definitely a difficult process - but I don't think it was meant to be easy on that other ECU either. It was just recognized as a workaround and implemented. I'm far too disconnected from making the sausage now but it's one reason that I mentioned integration for ecuflash a couple of times. I'm not sure how much of that is core development (where only the protocol needs to be added to ecuflash) and how much is ECU type specific.

The main problem is you need a $180 tactrix cable to work with ecuflash, but they are so common you can find them cheaply used and their ability to log to SD card (and add a wideband channel) would really help tuning also.

v01d
02-11-2019, 10:12 PM
Well the idea is nice, but the 7sm (or other consumer Marelli ecu's)is not really made to read maps quick. We have to use a workaround ...

Care to share .. ? Or do I email your Sw department? :)



communication speed that the 7sm dictates. ...

That was my next question : the speed. I wanted to make CAN bus Guzzi -like version, as I saw K&L (or what was that old Fiat 2 wire thing called .?) as potential bottleneck.
But you saying , MCU actually requires such slow speed? I mean, 704KB for ~ 15 mins or so, what can require this to be so slow.



And then to make it foolproof...


How does this Guzzi fool proof work? Does it communicate with the SoC bootloader or you have to use & abuse some special part of the ECU comm protocol to read/write the memory?(ies)

pauldayona
02-16-2019, 09:24 AM
When you want to do something for the community: find out what is needed to reset the service over the can bus for the >2017 bikes. Over Can I don't think that all things are available there to make a CAN bus IAWdiag clone.

v01d
04-06-2019, 07:58 PM
When you want to do something for the community: find out what is needed to reset the service over the can bus for the >2017 bikes. ..

Yes would be nice, unless someone else gets first. Been crazy busy with work, no time for personal stuff.



Over Can I don't think that all things are available there to make a CAN bus IAWdiag clone.

Paul, I'm asking ( ~ few times:)) if you would share details on the IAWdiag protocol (is it all OBD/II based, do you have a proprietary protocol doc? Or was it all sniffed on pads.. ?) ?
I will be honest: lazy to read all details on OBD, when someone got the right request/replies already...

About speed: still don't understand why it is this slow. Is it using the commands which are meant for updating, or only writing specific sections of the "map"?

v01d
04-06-2019, 08:04 PM
That's definitely a big shortcoming for iawwriter vs other tools I've used. I'm not sure if it's an ecu feature but ecuflash will do a checksum on blocks of the Mitsubishi Evo map and only write changed blocks. So you still have to shut down the car but the flash takes about 10 seconds to initiate and about 30s or less to flash for small changes (fuel/timing). A full map read/write still takes 10-30 minutes.

....

If you already know where, in the "map" ( I prefer call it binary dump), the CRC is stored, and which section of the map it covers, then it should be trivial to just update the right bytes, provided you know where each parameter is stored.
But way I understand with Guzzi, it only can do complete "maps", i.e. entire firmware (well , not whole of that flash as I checked , unfortunately) read/write, as I saw.
And what is available by the protocol i'm still to check : is it only supported to read/write "maps" / firmware as whole, or you can read/write sections of, or even better, words.

If anyone wants to sponsor me with PADS & license, and some time, I'll crack that mafaka like a peanut :D :D

pauldayona
04-07-2019, 02:52 AM
IAWdiag was made to do the whole thing, so it does not matter what was first on the ecu. It could have been made for partial maps. But with that you would have to know what is on the ecu first, else chance of a bricked ecu or other wrong things. For knowing what is on the ecu, reading it takes too long. So then you have to trust that the owner knows it is the same content. And what he is doing. Checksum is not the problem.
When having a PADS we could have done more, and more easy. The license is only for dealers, payment per year. Unit has to be registered on the dealers name, and then pay a yearly fee for it.

But having PADs could only give some extra settings we still not have like reading and resetting the race parameters, resetting service on the >2017, and for the last, the KKL adapter is not the right tool. It can't do CAN bus. For mapping I see nothing PADS can learn us we don't know yet.

Eliclarke72
04-07-2019, 10:33 AM
Hi there Paul through what method can I send you my stock ECU map file as I want to flash my bike to the race ECU, do you have an email address so i can send the file over. Thanks in advance

Eliclarke72
04-08-2019, 08:00 AM
IAWdiag was made to do the whole thing, so it does not matter what was first on the ecu. It could have been made for partial maps. But with that you would have to know what is on the ecu first, else chance of a bricked ecu or other wrong things. For knowing what is on the ecu, reading it takes too long. So then you have to trust that the owner knows it is the same content. And what he is doing. Checksum is not the problem.
When having a PADS we could have done more, and more easy. The license is only for dealers, payment per year. Unit has to be registered on the dealers name, and then pay a yearly fee for it.

But having PADs could only give some extra settings we still not have like reading and resetting the race parameters, resetting service on the >2017, and for the last, the KKL adapter is not the right tool. It can't do CAN bus. For mapping I see nothing PADS can learn us we don't know yet.

Hi there Paul through what method can I send you my stock ECU map file as I want to flash my bike to the race ECU, do you have an email address so i can send the file over. Thanks in advance

v01d
04-09-2019, 12:02 AM
Hi there Paul through what method can I send you my stock ECU map file as I want to flash my bike to the race ECU, do you have an email address so i can send the file over. Thanks in advance

Eliclarke72 & others :

Please do NOT use this thread to ask for Guzzi maps , use the large & broad dedicated thread for it - the Guzzi thread. See pinned thread on the forum.

This thread is not for that, thank you.

v01d
04-29-2019, 06:06 PM
Does anyone know if someone made the pit-limiter for RSV4 that works as the APX ECU does? I think it works by alternating which cylinder is firing, rather than just doing cruise-control as >= 17's do ... (lame).

v01d
05-06-2019, 08:35 AM
Woow, that K - line is a beatch slow ass line up to 10kb baud ..? and bi-directional .. And I wonder if L line is actually used on Ape for comm or just signaling.

Still doesn't explain the ~15mins to transfer 704KB.. Need to sniff.