Thread: Hacking the Planet one ZX-12 ECU at a time.
ridgeracer
posted June 03, 2006 03:35 AM (Edited By: fish_antlers on 3 Dec 2006 18:35)
UPDATE:

I didn't have any time to work on this project this week but this morning I made a hardware interface and wrote some simple interface software, just enough to validate the hardware design.

I asked the ECU to enter Background Debug Mode (BDM) by asserting BKPT_ during reset. Then I asserted BKPT_ a second time after reset to request a BDM session. The ECU asserted the Freeze line, indicating it had suspended normal operation, entered BDM mode, and enabled the dedicated serial channel for BDM communication. I knocked, it answered.

It is now waiting for me to ask it a question, like "Hey, what's your program code look like?" Actually it's a little more complicated than that. First I have to write a serial program to communicate with it. I was going to use some SPI stuff I already had, but the BDM uses 17-bit frames. My stuff can only do 16 or 24, so I'm just going to write something from scratch instead of kludging the stuff I have.

Once I start a conversation I can ask it for a byte of data at any address, but the ECU has 1 meg of addressable space and only 48k of flash. So I will start by trying to find the memory manager registers to find out how the flash is paged. Also, when I assert the BKPT it freezes the registers and I can read them, including the Program Counter. The PC may point me into the middle of the program space. The index registers may point to the RAM/data space.

Unfortunately I have a more pressing Honey Do list I have to address first. But I hope to have some of the code out of the ECU by the end of the weekend...



frEEk
posted June 03, 2006 04:39 AM
man this takes me back...

zxlnt
posted June 03, 2006 09:23 AM
In English please...


Wideout
posted June 03, 2006 12:15 PM
w0w 48k of flash is small. Pretty awesome looking interface. Excellent breakthrough.

Wife comes first. Thanks for the update.


ridgeracer
posted June 03, 2006 12:30 PM (Edited By: ridgeracer on 3 Jun 2006 20:32)
quote:
In English please...

Inside the ECU is a virtual room, a library. There are 1024 books in this library. Each book has 1024 pages. In 48 or fewer of these books is written all the secrets of the ECU. All the rest of the books are either blank or have random characters on the pages. I can't get in the front door of the library; in fact I don't even know where it is, what kind of door it is, or how it's locked.

I found a back door in the alley and next to the door is an intercom. When I push the button the janitor answers. His initials are BDM. He is not very bright and doesn't know anything about the front door either. But he can read and said that he would read me any page from any book over the intercom. So if I ask him what it says in book 564 on page 339 he will read it to me.

Now somewhere in this library, in addition to the secrets of the ECU, are the secrets of the library itself, including where the front door is, what kind of lock it has, and the home number of the librarian. I just need to find the right page and I would rather not look at them all. I found out that BDM not only has access to the shelves but to the librarian's desk.

The first question I plan to ask him is which book is on the librarian's desk right now and what page is it turned to. That should give me a clue where to start.

MadMike
posted June 03, 2006 12:40 PM
I ran across a small problem with the connector. It was a Thomas & Betts connector. Well, they sold their connector side of the business to Amp, and Amp has discontinued most of the T&B line. But I have an email in to one of the district sales guys... so we will see where it gets me...
MM
____________
200-MPH CLUB MEMBER!

zxlnt
posted June 03, 2006 01:27 PM
Ridgeracer, thanks. I was kind of trying to be funny. I do understand what you're doing, just not maybe all the technical terms.

psycho1122
posted June 03, 2006 11:03 PM
Good story! Reminds me of "CLUE"
____________
You say PSYCHO like it's a BAD thing!!

swft
posted June 04, 2006 01:20 AM
Does the librarian put out?

ridgeracer
posted June 04, 2006 02:40 AM
I'm wondering if any of you in the software field, or anyone actually, has any opinions about the current state of intellectual property law as it relates to the ECU?

Maybe it would be best to outline my thinking on the issue and those who know more about it than me can correct it.

Kawasaki/Denso owns the software rights. And even though I never signed a software agreement....

I can not post it in whole or in part on the internet or otherwise distribute or share it.
I can not modify it and distribute it.
And I certainly can't sell it.

I do own my copy that came with the ECU. I can modify it, erase it, do whatever I want, I just can't share it. So what good does that do anyone? Well, when I disassemble the code and find out how to reprogram it I can describe that reprogramming operation, or function of the software, and share it with others. Posting a Tips and Tricks of WinXP page full of undocumented operational details is not a copyright violation. How to program the ECU in my mind is an undocumented operational feature.

Later, when I get to the point of writing software to change the maps, I will write it so it only changes your existing data, adds or subtracts from it. The 'maps' you will share will not be modified copies of Kawi maps but a data file that is a list of instructions on how to modify the Kawi map in your ECU.

I won't be distributing modified Kawi code but instructions on how to modify your copy of Kawi code that you own. For example, it is my position that telling people that address 007F:0085 is the rev limit value is not copyright infringement; telling you that the bike comes from the factory with that byte set to 0x7a is. (not real values)

Any source code I post for discussion will be similar to the ECU code but never the actual code.

So what is your opinion, is my ass covered? Do you really care if MY ass is covered as long as you get the benefit? How nervous should Fish be?

frEEk
posted June 04, 2006 03:20 AM
I suspect it may be a little more open than that. Consider all the ECUs out there that ARE programmable. I believe Suzukis can all be reprogrammed with a Yosh box. Certainly many diesel trucks can be reprogrammed. Since none of us ever signed a software agreement, as you mentioned, I would assume the rules would be the same as for any other vehicle (like the ones just mentioned). Hell, I didn't sign ANYTHING when purchasing my bike, not even a standard "you may not reverse engineer this" clause, so I'd think it's just about wide open. _maybe_ there's something in the owner's manual that says you can't do this and that, but I seriously doubt that's enforceable when there's no agreement/signature.

All that aside though, I would be a bit concerned about modifying and reselling the "software" too. If this becomes a commercial venture though, I'd take a more technical approach to your "describe how to change the software" theory by creating a reprogrammer box that makes the changes for you. The box (akin to the Yosh box, with all the hardware to reprogram the ECU) doesn't have to contain a copy of the software, just the knowledge of which bits to change.

swft
posted June 04, 2006 03:40 AM
Ah, but you won't be touching the SOFTWARE, per se. None of the chip companies touch the SOFTWARE. What they do touch (and legally so) is touch the PARAMETERS. Note, I said LEGALLY. I didn't say that it wouldn't void a warranty.

ridgeracer
posted June 04, 2006 04:00 AM
UPDATE

Good News:
I wrote some code to simultaneously read/write 17 bits from the BDM serial port. The first command I tried was RPCSP, Read Program Counter, Stack Pointer. I got back some non-zero results that looked like valid addresses. Next I tried RPMEM, Read Program MEMory, starting at the address in the Program Counter. And I found what looked like code. I read out data back from that position to the nearest 0x0000 boundary and found below that page there was only 0xFF fill.

So I got a bunch of numbers. Is it really code? Maybe my code is bit shifted or something. Only one way to find out, grab a CPU16 instruction set and start disassembling.

First couple of lines modify the Condition Codes register disabling interrupts. Good way to start.
Then it sets an index extended address, sets the index, then starts loading/modifying/saving data index-addressed off the same index register it previously defined. Perfect. There is no way you disassemble that far into random data with no anomalies.

Then things got interesting...... Someone left me a subtle "keep out, this means you" message.

BAD News

Check out the following (not actual code):

LDD  #0xB004    ; immediate operand bytes are B0 04
STD  8,x
LDD  8,x
ANDD #0xFEE7    ; mask leaves 0xB004 unchanged
CPD  #0xB004
BNE  ????       ; target is the B0 byte inside the first LDD

The operand for the Branch if Not Equal puts the PC at the operand data 0xB0 of the first LDD. And guess what, B0 04 decodes as BRA 04, causing the next instruction to be the ANDD followed by the compare, CPD. Since nothing changed it would loop again, forever.

This is a piece of bullshit, do nothing code that will never BNE and if it did would endless loop. So why put it in there?

To fuck up an automatic disassembler program!

If there are little pieces of crap like this all over the code then I will have to manually disassemble the whole 48k by hand! Normally on a project like this you download all the code into a file and feed it to a disassembler program that generates a program listing. You still need to fill in the blanks and figure out what the code is really doing but having the listing as a starting point is half the battle, more like 80% of it.

quote:
Does the librarian put out?

I thought so. I got all excited when she gave me her address, but when I went to pick her up for our date it turned out to be a gay bar named BOO4.

Well I will continue to work towards pulling the whole code into a file. Maybe I can find a disassembler that can handle it. Or if I have to I will do it manually.

Fuck 'em
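
An added example, not code from the thread and not the ECU's real code: a small Python model of the overlapping-instruction trick in the post above. The toy opcode table is an assumption made up for this example; the only thing taken from the post is the idea that 0xB0 followed by an 8-bit offset decodes as BRA with the offset counted from the next instruction, and the real CPU16 encodings should be taken from the reference manual. It shows why a linear-sweep disassembler prints the sequence as six harmless instructions while following the BNE target exposes a seventh instruction hiding inside the LDD operand.

```python
"""Toy disassembler for the overlapping-instruction trick in the post above.

Added example, not code from the thread or from the ECU.  The opcode table
is an assumption made up for this example: only the 8-bit relative branch
idea from the post (0xB0 followed by an offset decodes as BRA, offset counted
from the next instruction) is taken from the text.  Check the real CPU16
encodings in the reference manual before reusing any of these values.
"""

# opcode -> (mnemonic, operand length in bytes, operand kind)   [assumed toy ISA]
TOY_ISA = {
    0xCC: ("LDD",  2, "imm16"),
    0xED: ("STD",  1, "idx8"),
    0xEC: ("LDD",  1, "idx8"),
    0xC4: ("ANDD", 2, "imm16"),
    0x93: ("CPD",  2, "imm16"),
    0xB0: ("BRA",  1, "rel8"),
    0xB6: ("BNE",  1, "rel8"),
}

# Constructed image of the post's "do nothing" sequence, assembled at 0x0100.
# The BNE offset (-14 from 0x010F) lands on the 0xB0 byte inside LDD #0xB004.
BASE = 0x0100
IMAGE = bytes([
    0xCC, 0xB0, 0x04,   # 0100  LDD  #0xB004
    0xED, 0x08,         # 0103  STD  8,X
    0xEC, 0x08,         # 0105  LDD  8,X
    0xC4, 0xFE, 0xE7,   # 0107  ANDD #0xFEE7
    0x93, 0xB0, 0x04,   # 010A  CPD  #0xB004
    0xB6, 0xF2,         # 010D  BNE  0x0101
])
END = BASE + len(IMAGE)


def decode(addr):
    """Decode one instruction; returns (addr, length, text, branch_target_or_None)."""
    i = addr - BASE
    mnem, oplen, kind = TOY_ISA[IMAGE[i]]
    operand = IMAGE[i + 1:i + 1 + oplen]
    nxt = addr + 1 + oplen
    target = None
    if kind == "imm16":
        text = f"{mnem} #0x{int.from_bytes(operand, 'big'):04X}"
    elif kind == "idx8":
        text = f"{mnem} {operand[0]},X"
    else:                                   # rel8: signed offset from the next instruction
        off = operand[0] - 256 if operand[0] & 0x80 else operand[0]
        target = nxt + off
        text = f"{mnem} 0x{target:04X}"
    return addr, 1 + oplen, text, target


def linear_sweep(start=BASE, end=END):
    """What a naive disassembler prints: decode back to back, never follow branches."""
    out, a = [], start
    while a < end:
        ins = decode(a)
        out.append(ins)
        a += ins[1]
    return out


def recursive_descent(start=BASE, end=END):
    """Follow every branch target; report targets that land inside an already-decoded instruction."""
    seen = {}         # instruction start -> decoded tuple
    owner = {}        # byte address -> start of the first instruction decoded over it
    overlaps = []     # (branch target, start of the instruction it lands inside)
    work = [start]
    while work:
        a = work.pop()
        if a in seen or not start <= a < end:
            continue
        if a in owner:
            overlaps.append((a, owner[a]))
        ins = decode(a)
        seen[a] = ins
        for b in range(a, a + ins[1]):
            owner.setdefault(b, a)
        if ins[3] is not None:
            work.append(ins[3])
        if not ins[2].startswith("BRA"):    # everything but BRA can fall through
            work.append(a + ins[1])
    return [seen[k] for k in sorted(seen)], overlaps


def andd_is_noop(value, mask):
    """True when ANDD #mask cannot change the register, so the following CPD always matches."""
    return (value & mask) == value
```

The overlap list is what you want a disassembler to flag: a branch target that lands inside an already-decoded instruction is either an anti-disassembly trick or a decoding error, and both deserve a manual look. The recursive listing also confirms the post's reading that the sequence is harmless when executed, since the mask never changes the value and the branch is never taken.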

navpreet318
posted June 04, 2006 06:56 PM
OK, wanted to ask you a question... instead of reprogramming the stock ECU why can't we use something like this.....

megasquirt....

http://www.bgsoflex.com/megasquirt.html


Just check it out... it's a programmable fuel injection control unit... it's not like a Power Commander... it's a real replacement ECU... except that we have to build it ourselves for our needs....


____________
2005 ZX-12R,Arata Full Ti, PC3,Gillis
Rearsets,Muzzy Velocity Stacks,BMC
Race filters.One Crazy 12

tuusinii
posted June 04, 2006 10:34 PM
Just so we wouldn't need to make it ourselves. Reprogramming needs (if it's going to work) only a device that connects to the current ECU, and it costs only a couple of $, not hundreds. And also all that epoxy isn't there just to make reverse engineering harder; it also makes the ECU more tolerant to vibration etc...

ridgeracer
posted June 05, 2006 12:46 AM
UPDATE

I scanned the entire address space to identify the areas of programmed space vs. empty space. I wrote some s/w to output the data as Motorola S-records. I'm not yet at the point of dumping the entire programmed space as an .s19 file, but I'm close.

I might sneak an hour in here and there but I'm probably done till the weekend.

I am however pretty sure I found the MAP. It's a big chunk of data where the numbers vary by plus or minus 1 or 2 and tend to increase as you go down the data. Once I download it all and find its boundaries and structure, I think it would be cool to throw it into something like Excel and generate a 3D topo map of it.

Anyway, like I said, don't expect much between now and Friday. From where I'm sitting things still look good, we're making progress.
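
An added example of the dump pipeline in the update above, written for this edit rather than taken from the thread: scan an image for erased (0xFF-filled) pages, merge the programmed bytes into ranges, write them out as Motorola S-records, and read the records back with checksum verification. The 8 KB image, the 1 KB page size and the record addresses are constructed assumptions; the S-record layout and its checksum rule are the standard ones.

```python
"""Programmed-vs-blank page scan and Motorola S-record output.

Added example, not the thread's code.  The image below is constructed
(8 KB, 1 KB pages, two programmed regions); the page size and the
addresses are assumptions.  The S-record layout and its ones'-complement
checksum are the standard ones.
"""

PAGE = 1024      # assumed page size for the scan
BLANK = 0xFF     # erased flash reads as all ones


def erased_flash_image():
    """Constructed image: pages 0, 1, 4..7 erased, code-like bytes in page 2, a table in page 3."""
    img = bytearray([BLANK] * (8 * PAGE))
    code = bytes((i * 7 + 3) & 0xFE for i in range(512))       # even values, so never 0xFF
    img[2 * PAGE:2 * PAGE + len(code)] = code
    table = bytes(40 + (i // 16) * 4 + (i % 16) // 2 for i in range(128))
    img[3 * PAGE:3 * PAGE + len(table)] = table
    return bytes(img)


def programmed_pages(img, page=PAGE):
    """Numbers of the pages that hold anything other than 0xFF fill."""
    return [n for n in range(len(img) // page)
            if any(b != BLANK for b in img[n * page:(n + 1) * page])]


def programmed_ranges(img):
    """Merge runs of non-blank bytes into [start, end) byte ranges."""
    ranges, start = [], None
    for i, b in enumerate(img):
        if b != BLANK and start is None:
            start = i
        elif b == BLANK and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(img)))
    return ranges


def srec_line(rtype, addr, data, addr_bytes):
    """One S-record: type, byte count, address, data, checksum, all as hex text."""
    payload = addr.to_bytes(addr_bytes, "big") + data
    count = len(payload) + 1                  # address + data + the checksum byte itself
    chk = (~(count + sum(payload))) & 0xFF    # low byte of the ones' complement of the sum
    return f"S{rtype}{count:02X}{payload.hex().upper()}{chk:02X}"


def to_srec(img, base=0, chunk=32):
    """S0 header, S2 records (24-bit addresses) for programmed bytes only, S8 terminator."""
    lines = [srec_line(0, 0, b"ECU", 2)]
    for start, end in programmed_ranges(img):
        for off in range(start, end, chunk):
            lines.append(srec_line(2, base + off, img[off:min(off + chunk, end)], 3))
    lines.append(srec_line(8, base, b"", 3))
    return lines


def from_srec(lines, size, base=0):
    """Rebuild a BLANK-filled image from S1/S2/S3 records, refusing any bad count or checksum."""
    img = bytearray([BLANK] * size)
    for ln in lines:
        raw = bytes.fromhex(ln[2:])
        count, body, chk = raw[0], raw[1:-1], raw[-1]
        if count != len(body) + 1 or ((count + sum(body) + chk) & 0xFF) != 0xFF:
            raise ValueError(f"bad checksum or count: {ln}")
        rtype = int(ln[1])
        if rtype in (1, 2, 3):
            n = rtype + 1                      # address width: 2, 3 or 4 bytes
            addr = int.from_bytes(body[:n], "big") - base
            img[addr:addr + len(body) - n] = body[n:]
    return bytes(img)
```

from_srec refuses any record whose count or checksum does not match, so a corrupted or hand-edited .s19 fails loudly; it will not catch a bit-shifted BDM frame, because a shifted read still produces self-consistent records, so compare the reloaded image against a second read from the ECU before trusting it.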

deathpulse
posted June 05, 2006 01:01 AM
WOW. Ridge - seems to be going FAST! The thing I can't understand is how can you figure out what each data point controls? Like - what is gas, what is timing etc. I guess you figure that out once you look at the data? Cool stuff bro - keep it up!

ridgeracer
posted June 05, 2006 03:28 AM
It's not the Map data but the program code that will tell me what is what. All the inputs to the ECU (the throttle position sensor, air temp and pressure, crank sensor, gear position, etc.) are hardwired to a specific pin or I/O port on the ECU. These I/O ports have unique addresses in the chip. I also have the address of the Map.

Once I disassemble the code I will search it for instances of a specific port, say gear position, then I will look at the code to see what it does with this info. Eventually it should lead me to a part of the code that calculates a pointer into the Map data. Then I can try a different gear and see if it points to a different part of the map for a different gear. Do the same thing for RPM, throttle, etc. and eventually you build up a map of the map.

This chip has an onboard DSP (Digital Signal Processor), a kind of high speed realtime calculator. Some of the inputs are probably run through it and combined before being applied to the map. I'm sure the air temp / pressures are turned into a single air density number, for example.

Also things like the rev limit and speed limit aren't in the map but likely single values stored around the code. You find those the same way. Find which port the speedo input goes to and then find it in the code. At some point it's going to be compared to some value to decide if limiting is required. Change that value and you've changed the limit.
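
An added example, not the thread's code, of the heuristic from the June 05 update for shortlisting the map before any of the code tracing described above: look for a long run of bytes where each neighbour differs by at most 1 or 2, allow a small drop where one row ends and the next begins, and use the spacing of those drops to guess the row length. The image, the thresholds and the synthetic 8-row by 16-column table are assumptions made for the example.

```python
"""Locate a candidate map table by data smoothness.

Added example, not the thread's code.  Implements the heuristic from the
June 05 update: a map is a long run of bytes whose neighbours differ by
at most 1 or 2, with a small drop wherever one row ends and the next begins.
The image, the thresholds and the synthetic 8x16 table are assumptions.
"""
from collections import Counter

MAX_STEP = 2     # largest rise or fall allowed between cells inside a row
MAX_DROP = 8     # largest drop allowed at a row boundary
MIN_RUN = 32     # shorter smooth runs are treated as coincidence
BLANK = 0xFF     # erased flash, never part of a table


def image_with_table():
    """Constructed image: 300 bytes of non-smooth filler, an 8-row x 16-col table, 100 erased bytes."""
    filler = [(i * 97) & 0xFF for i in range(300)]          # neighbours differ by 97 or -159
    table = [40 + r * 4 + c // 2 for r in range(8) for c in range(16)]
    return bytes(filler + table + [BLANK] * 100)


def find_smooth_runs(img, max_step=MAX_STEP, max_drop=MAX_DROP, min_run=MIN_RUN):
    """[start, end) runs where every step lies in -max_drop..max_step and no byte is erased."""
    runs, start = [], None
    for i in range(1, len(img)):
        d = img[i] - img[i - 1]
        smooth = -max_drop <= d <= max_step and img[i] != BLANK and img[i - 1] != BLANK
        if smooth and start is None:
            start = i - 1
        elif not smooth and start is not None:
            if i - start >= min_run:
                runs.append((start, i))
            start = None
    if start is not None and len(img) - start >= min_run:
        runs.append((start, len(img)))
    return runs


def guess_row_length(img, start, end):
    """Most common spacing between downward steps in the run, or None if there is a single row."""
    drops = [i for i in range(start + 1, end) if img[i] < img[i - 1]]
    gaps = [b - a for a, b in zip(drops, drops[1:])]
    return Counter(gaps).most_common(1)[0][0] if gaps else None


def as_grid(img, start, end, width):
    """Slice the run into rows of `width` cells, ready to paste into a spreadsheet."""
    return [list(img[i:i + width]) for i in range(start, end, width)]


def grid_to_csv(grid):
    """Comma-separated rows for the 3D topo plot mentioned in the update."""
    return "\n".join(",".join(str(v) for v in row) for row in grid)
```

Real tables are messier than the synthetic one (not every row has to drop at its boundary, and a 16-bit table needs a word-sized step), so treat the run list as candidates to confirm with the port-to-pointer tracing described in the post, not as proof that a block is the map.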

blueford
posted June 05, 2006 12:21 PM
Such bullshit, to be gullible and stupid we are not, you CAN NOT reverse engineer computer code people.

Experts have been trying with Microsoft's Windows for years.

Ridgy is a phony!

deathpulse
posted June 05, 2006 01:03 PM
uh... hey blueford... what about wine? Didn't they essentially reverse engineer windows?

ridgeracer
posted June 05, 2006 02:28 PM
Blueford, you're fishing in the wrong pond with the wrong bait.

ninja12
posted June 05, 2006 10:26 PM
You're right Blueford, no such thing as reverse engineer .
Now go back to sleep, you have saved us from the mean man.

blueford
posted June 05, 2006 11:26 PM
quote:
uh... hey blueford... what about wine? Didn't they essentially reverse engineer windows?

No, Wine software implements a compatibility layer between Windows and GNU/Linux as a way to run Windows applications on Gnu/Linux.



OK back to Ridgeracer, if you're not a computer expert I will appeal to your common sense.

If he had the right disassembler and he received the code, so what? It's not going to say "this does this" "this is for the stupid button" 01000101110001111000001010101011001010.

He's going to reproduce an entire program from a binary? Please people! Yes it's possible, but with 20 people working full time, maybe.

THIS IS ABOUT RIDGY'S EGO



Look at his picture above, it's staged for effect, all that's missing are a magnifying glass and Sherlock Holmes' pipe.


Here, read this from Page 2, Ridgy the genius states:

quote:
And again, while I appreciate any suggestions or thoughts you may have, it occurred to me that perhaps, to save time, I should tell you something of my background so that you have an idea of what kind of topics I may already be knowledgeable in.

For the last 20+ years I have been designing distributed processing industrial controls networked using RS-485 with RS-232 user interfaces. By design I mean write the initial spec, select components, draw the schematic, do the bill of materials, lay out the Printed Circuit Board, and then write all the embedded software including all the interface drivers. I wrote my first assembly language program for a MC6800 when I was 17. We use CodeWarrior now, but the last machine language project I did, which I still maintain, is over 25,000 lines of code.

The design I'm currently working on is based around a 177MHz ARM9 core NS9360 and will have 8M of SDRAM, 8M of Flash, 10/100 Ethernet, USB Host, USB device, OptoIsolated RS-485, RS-232, LCD Interface, and JTAG for debugging. I'm responsible for all the software on this project including a realtime OS, and all the interface drivers and a TCP/IP suite for the LAN including a webserver with SSL. I've finished the board design and the 6 layer prototype boards are off being stuffed with the 40 ICs and 438 discrete components I selected for the design.

I work out of my home and have been telecommuting since 1990. To have a reason to get out of the house and socialize I also taught for 6 years part time at a local vocational school. I teach Computer Repair tech and Networking tech certification classes. I've also taught everything from high school beginning electronics to college level basic AC/DC theory class. ELI ICE anyone? anyone? Bueller......Bueller?

In other words I could design, build, and program my own ECU from scratch.

I don't want to discourage anyone from contributing, but to the gentleman who feels it necessary to email me several times a day with advice that is the electronic equivalent of 'Left Loose, Right Tight', give it a rest.

I can't decide if you're really trying to help, in which case I apologize, or you're just a smart ass.

Hey, perhaps Doug Meyer needs some advice on chain lube?





Perhaps Doug Meyer needs some advice on chain lube? SHIT, dripping with fucking EGO.

This is all about him, a transparent vehicle for touting his achievements and thumping his chest.

psycho1122
posted June 05, 2006 11:45 PM
Carefull!!

You don't want to spit into the wind.....................
____________
You say PSYCHO like it's a BAD thing!!

supra5677
posted June 06, 2006 12:16 AM
IMHO this type of back and forth should be in the smackhouse section...
Copyright 2000-2015 Bikeland Media