3P's TCCS Disassembly/Analysis

[3p141592654]

Don't worry, we've thought this through and have a good solution. The only wire coming out of the ECU is the USB cable, and even that could be replaced with bluetooth at some point down the road. From a cost perspective, piggybacking on the ECU 5V rail is best, but then power consumption needs to be managed and that involves moving away from 5V components altogether.

There are some nice single chip power conditioning chips out now specifically addressing the automotive environment (ISO / DTR 7637 ). By the way IGSW won't work because after the ignition is turned off the ECU stays awake to do some housekeeping. Also, the MCU ground is isolated form the case ground. Denso did a lot of homework on this design.

 

[Kai]

...damn, all that pencil & paper scribbling for nothing

Whats the finalised chip list for this? Xilinx CPLD and an AVR and...a flash E2PROM?

 

[3p141592654]

and some SRAM.

 

[Manianac]

A couple of questions for you guys:

1. How is the new revision of the board coming along? I saw your posts above, but I was just curious what specifically are you still working on. Still power supply related?

2. I'm interested in the separate reader for the CPU until you (hopefully) post up the schematic for your latest board. I can't seem to download the attachment back on post #2. Can you by chance post it up elsewhere by chance or PM it to me?

3. I'm a little confused about the 0x77 SETB opcode.
At $F116 I see:

ROM:F116 77 7A                    setb    bit3, byte_4A

which I figured, using the TASM file you posted, that since the bit mask 0x60 was set, that is how it determined to set bit 3, and then uses 0x1A to determine the location in ram. Now going over the uses for this opcode, I see it just adds 0x30 to the value, in this case determining to set BIT3 of $004A.

Now At $F06C I see:

ROM:F06C 77 4B                    setb    bit2, SSD ; SSD Serial Data Register

Now this has the 0x40 Mask set, which I can see means to set bit 2, but what I don't understand is how the address is determined. Given above, I thought it would be $003B, given 0x30 + 0x0B. Instead it points to SSD, which is at $002B.

So please help me, what am I misunderstanding?

 

[3p141592654]

The board is finished. I am waiting for the board vendor to return a quote. Once the quote is done, I should get boards in a week I hope. In the mean time I need to order some parts so I can put one together when the boards arrive.

Unfortunately I am out of reader boards. However, the link still works for me, I just tried it.

The bit commands are tricky. I was stumped for a while but ran some experiments and eventually figured it out.

The code packs the bit and the variable address in one byte. This limits the address to 5 bits and means that the maximum accessible address range is 1Fh. This would prevent bit operations on RAM since that starts at 40h. To get around this, the MCU translates the 5 bit address to cover both port i/o and the first 16 bytes of RAM. You've correctly figured out that the translation is non-linear, because there is a gap between the i/o variables and the start of RAM.

For 5 bit addresses from 00h to 0Fh, the MPU adds 20h to the 5 bit address stored in opcode 1, so 06h becomes 26h. This allows access to I/O registers from 20h to 2Fh.
For 5 bit addresses from 10h to 1Fh, the MPU adds 30h to the 5 bit address stored in opcode 1, so 10h becomes 40h. This allows access to RAM from 40h to 4Fh.

ROM:F116 77 7A setb bit3, byte_4A

so in the above example the 7Ah = 01111010b
the first three bit are 011 -> bit 3
the remaining 5 bits are 11010 -> 1A + 30h = 4Ah

 

[Manianac]

Ah must obliged sir. So will you only be selling the boards, or will you put up a schematic for those that wish to make their own?

 

[3p141592654]

The schematic would not really be helpful. It took a lot of hours to get the layout done, it almost didn't fit, and then you need the VHDL code for the CPLD chip, not to mention debugging and so on. We decided that we would offer it for sale when it is proven out. Also, it takes some decent equipment to solder TQFP chips and other fine pitch SMD components. Most people aren't setup to handle this stuff.

In the meantime, the microcode for the AVR chip and the PC GUI are both open-source (GPL'd), available on Assembla. Improving that is a far better use of everyone's time. The ECU code, disassembler, assembler are all also openly available to everyone, along with ROM dumps from whatever ECUs we can get our hands on. That's more stuff than you'll find anywhere else for these ECUs.

 

[mkiii222]

2. I'm interested in the separate reader for the CPU until you (hopefully) post up the schematic for your latest board. I can't seem to download the attachment back on post #2. Can you by chance post it up elsewhere by chance or PM it to me?

I've got a reader board (SOLD) that I never even bought the components for sitting at the house. PM me if you want it and we can work something out (I'll let it go for the cost of shipping, still new in the packaging 3p sent it in).

Great work btw. It looks like the boards will be ready by the time I need something more than the stock ECU.

Any ballpark on a final price now that the components have been pretty much finalized?

 

[Inygknok]

I've been trying to source a yellow plug, GTE, Manual JDM ECU so I could send it to 3P and then have him send it back to me after he's done but no dice.

Does anyone here have one for sale? Everything I find is either grey plug or USDM :/

 

[3p141592654]

Board were ordered today. Should have them early next week.

 

[bk_]

To convert from Toyota ROM address to TechTom ROM address, first swap the bits (0->4, 1->2, 2->5, 3->1 etc) than apply XOR AAh. The descrambled rom is posted on Assembla.

I managed to dump (using a PIC) the ROM from a Toyota JZX90 MT (1JZ-GTE) ECU with a TY64A daughterboard. MCU is D151803-6980

I did attempt a descramble but not really sure what I should be looking for.

Here's a sample of the dump, scrambled, last 256 bytes:

00003f00  5f 5f 5f 5f c0 ea 5f 5f  5f 5f 5f 5f 82 82 5f 5f  |____..______..__|
00003f10  5f 5f 5f 5f e1 c0 82 82  5f 5f 5f 5f c5 ef 5f 5f  |____....____..__|
00003f20  5f 5f 5f 5f e9 c0 5f 5f  5f 5f 5f 5f 82 82 5f 5f  |____..______..__|
00003f30  5f 5f 5f 5f c0 c0 82 82  5f 5f 5f 5f 82 75 5f 5f  |____....____.u__|
00003f40  5f 5f 5f 5f 03 fa 5f 5f  5f 5f 5f 5f 67 6e 5f 5f  |____..______gn__|
00003f50  5f 5f 5f 5f 63 05 64 63  5f 5f 5f 5f f7 59 5f 5f  |____c.dc____.Y__|
00003f60  5f 5f 5f 5f 4d 03 5f 5f  5f 5f 5f 5f 62 73 5f 5f  |____M.______bs__|
00003f70  5f 5f 5f 5f 03 03 71 60  5f 5f 5f 5f 6c 54 5f 5f  |____..q`____lT__|
00003f80  5f 5f 5f 5f c0 c0 5f 5f  5f 5f 5f 5f 82 20 5f 5f  |____..______. __|
00003f90  5f 5f 5f 5f ea c0 5f 5f  5f 5f 5f 5f 99 82 5f 5f  |____..______..__|
00003fa0  5f 5f 5f 5f f0 c0 5f 5f  5f 5f 5f 5f 82 82 5f 5f  |____..______..__|
00003fb0  5f 5f 5f 5f ef c0 5f 5f  5f 5f 5f 5f 82 82 5f 5f  |____..______..__|
00003fc0  5f 5f 5f 5f 03 03 5f 5f  5f 5f 5f 5f 6d 82 5f 5f  |____..______m.__|
00003fd0  5f 5f 5f 5f 74 03 5f 5f  5f 5f 5f 5f 20 64 5f 5f  |____t.______ d__|
00003fe0  5f 5f 5f 5f 47 03 5f 5f  5f 5f 5f 5f 68 66 5f 5f  |____G.______hf__|
00003ff0  5f 5f 5f 5f d9 03 5f 5f  5f 5f 5f 5f 82 73 5f 5f  |____..______.s__|

And here's the attempt at descramble:

00003f00  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 82 82 5f 5f 82 99  |__________..__..|
00003f10  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 68 82 5f 5f 6d 20  |__________h.__m |
00003f20  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 82 82 5f 5f 20 82  |__________..__ .|
00003f30  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 66 73 5f 5f 82 64  |__________fs__.d|
00003f40  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 82 82 5f 5f 82 c5  |__________..__..|
00003f50  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 62 6c 5f 5f 67 f7  |__________bl__g.|
00003f60  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 82 75 5f 5f 82 ef  |__________.u__..|
00003f70  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 73 54 5f 5f 6e 59  |__________sT__nY|
00003f80  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f f0 ef 5f 5f c0 ea  |__________..__..|
00003f90  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 47 d9 5f 5f 03 74  |__________G.__.t|
00003fa0  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f c0 c0 5f 5f c0 c0  |__________..__..|
00003fb0  5f 5f 5f 5f 5f 5f 5f 5f  5f 5f 03 03 5f 5f 03 03  |__________..__..|
00003fc0  5f 5f 5f 82 5f 5f 5f 82  5f 5f e9 c0 5f 5f c0 e1  |___.___.__..__..|
00003fd0  5f 5f 5f 71 5f 5f 5f 64  5f 5f 4d 03 5f 5f 03 63  |___q___d__M.__.c|
00003fe0  5f 5f 5f 82 5f 5f 5f 82  5f 5f c0 c0 5f 5f ea c0  |___.___.__..__..|
00003ff0  5f 5f 5f 60 5f 5f 5f 63  5f 5f 03 03 5f 5f fa 05  |___`___c__..__..|

 

[3p141592654]

The bit scrambling order of the address bits varies from vendor to vendor. This allowed Techtom to maintain some control of their vendors back in the day.

Jon Sole has made available his descrambling code on the public Assembla site. You will want to compile the brute force code to decode your example above.
http://subversion.assembla.com/svn/3SGTE_ECU/

Note that the data 5F is the NMI operand, and was used by toyota to fill up dead space. The last 32 bytes of code should never have 5F, because that is where all the interrupt address vectors are located.

Please consider making the code publicly available on assembla. We have no 1JZ info at this time.
http://svn.assembla.com/svn/7M_TCCS/

 

[bk_]

The vendor is called IMEC (International. Meiwa Evolutionary. Cabin)

I'll post up as much info as possible once I have access to do so.

I had quite a few 1JZ-GTE ECUs (JZX90 AT, 2x JZX90 MT, 2x JZZ30 AT, JZZ30 MT, JZA70 Mines) but I got rid of them all since I had no use. Funnily enough, I initially got them to do ROM reverse engineering and chipping but gave up pretty much instantly. That was 4 years ago.

What's the preferred way of obtaining the original ROM? I dont have the kashima rom reader. I do have a logic analyzer but not a super fast one. What about over the 1MHz serial comms? MCU coding / interfacing is no problem for me.

 

[3p141592654]

Well, I desolder the chips and plug them into a reader board. I sold all the reader boards I had made, but one was available recently (see post 268). In the 7M, there is a diagnostic mode that will dump the ROM out the serial port, but I have not pursued trying to do that. It involves inputting a weird combination of signals (NSW STA, TE1, etc.) that would not happen normally during use. I bet it is different for other engines.

If your LA can decode a serial stream at 1MHz then by all means use it. You can also use a single-chip CPU like an AVR or PIC and some custom code to read the data from the serial line. A PC is useless since the UART tops out well below the 1MHz rate of the ECU.

 

[JonS]

It may be possible to descramble a TechTom ROM image without having the original ROM image. As Jon said, every ROM image must have a valid vector table in the last 32 bytes, so each address in the vector table must be in the D000-FFFF range (or C000-FFFF for later chips). In addition there are a number of other requirements that a valid image must have:

1. The first two instructions of the reset code are always ld #02h, $1fh; di. The reset code address can be found via the reset vector at 0xFFFE & 0xFFFF.
2. Immediately before the vector table is the software build ID (at 0xFFDC & 0xFFDD), this is also stamped onto the Denso chip. For example, on the 3S ECU the Denso IC has 5A41C-1-8646 stamped on it below the main part number. In the ROM image, location 0xFFDC contains 0x86 and 0xFFDD has 0x46.
3. TechTom ROM images have the same sequence of 34 bytes towards the end of the ROM image. This sequence is in 2 out of 3 of the TechTom images I have. The image without the sequence has no space for the 34 bytes, it only has about 4 bytes spare in the whole image.

Doing a brute force descramble of the TechTom image (40320 possible combinations) and checking against the above requirements would narrow down the number of possible valid combinations to make checking by hand possible.

 

[Nick M]

The We decided that we would offer it for sale when it is proven out.

Just let me know when you can up the fuel cut to 90% duty on the 550cc injectors.

 

[JonS]

I've knocked up a quick application that does a brute force descramble using the heuristics listed in my previous post. It correctly descrambles 2 of the TechTom images I have access to.

The source code is available from http://subversion.assembla.com/svn/3SGTE_ECU/techtom-tools/descramble_brute2/

 

[bk_]

I've knocked up a quick application that does a brute force descramble using the heuristics listed in my previous post. It correctly descrambles 2 of the TechTom images I have access to.

The source code is available from http://subversion.assembla.com/svn/3SGTE_ECU/techtom-tools/descramble_brute2/

Cool. I've ran it successfully on the scrambled image, after a few compile and runtime tweaks

Couple of small tweaks:

• I had to comment out the line 'long xor = 0xAA', and change 'long temp_addr = scrambled_addr ^ xor;' to 'long temp_addr = scrambled_addr ^ 0xaa;' in order to compile on g++
• change 'if (sw_id)' to 'if (0 && sw_id)' since build ID is unknown.
• print sw/build id if candidate is found.

Output from command:

$ ./descramble_brute2 ../jza90.scramble.bin 4000 8195 
Signature found at ffb8
Build ID: 7554
Candidate 1 descramble code: 26753104
Created file rom_candidate_1.bin

Finished, 1 candidate descrambled ROM image(s) found

descrambled hexdump:

$ hexdump -C rom_candidate_1.bin | tail -6
00003fb0  5f 5f 5f 5f 5f 5f 5f 5f  82 71 82 64 82 60 82 63  |________.q.d.`.c|
00003fc0  82 68 82 6d 82 66 20 82  82 82 99 20 82 73 82 64  |.h.m.f .... .s.d|
00003fd0  82 62 82 67 82 73 82 6e  82 6c c5 f7 75 54 ef 59  |.b.g.s.n.l..uT.Y|
00003fe0  f0 47 c0 03 c0 03 c0 03  ef d9 ea 74 c0 03 c0 03  |.G.........t....|
00003ff0  e9 4d c0 03 c0 03 ea fa  c0 03 e1 63 c0 03 c0 05  |.M.........c....|
00004000

Look OK? If so, I'll add it to the svn tree.

 

[JonS]

Cool. I've ran it successfully on the scrambled image, after a few compile and runtime tweaks

$ hexdump -C rom_candidate_1.bin | tail -6
00003fb0  5f 5f 5f 5f 5f 5f 5f 5f  82 71 82 64 82 60 82 63  |________.q.d.`.c|
00003fc0  82 68 82 6d 82 66 20 82  82 82 99 20 82 73 82 64  |.h.m.f .... .s.d|
00003fd0  82 62 82 67 82 73 82 6e  82 6c c5 f7 75 54 ef 59  |.b.g.s.n.l..uT.Y|
00003fe0  f0 47 c0 03 c0 03 c0 03  ef d9 ea 74 c0 03 c0 03  |.G.........t....|
00003ff0  e9 4d c0 03 c0 03 ea fa  c0 03 e1 63 c0 03 c0 05  |.M.........c....|
00004000

Look OK? If so, I'll add it to the svn tree.

If the application only found one candidate then it's pretty certain the image will be OK. The 34 byte TechTom signature starts at 0x3FB8, which is the usual place.

The vector table also looks OK. 0xC003 will be the address of unhandled interrupt handler, this is the same address as the 3S-GTE ECU. 0xC005 is a bit unusual for the reset vector though, but since the application checks the first 2 instructions it must be correct.

The software build is 7554, stored at 0x3BDC. Does that match up with a number stamped on the MCU?

 

[bk_]

The software build is 7554, stored at 0x3BDC. Does that match up with a number stamped on the MCU?

No. MCU says:

D151803-6980
5A41A-2-8195
JAPAN 3B1833