~)(

Anyway of obtaining the flasher and images for the 8? If the OEM uses this, we need to find out how to leverage it. If we're able to flash the latest OEM image on it, we should be able to reverse engineer at least some parts to it. I don't know if the image is digitally signed; does anyone know?

-jc

Japan8

Ok... my turn.

First... the info on Mazda tech. After checking out that site (http://www.mazdatechinfo.com/home/ecmDetail.asp), the Lexus system (http://www.clublexus.com/index.php/a...iew/108/1/296/) and info on CarDAQ-Plus (http://www.drewtech.com/products/cardaqplus.html) I'm almost positive that this isn't going to help us much if at all. The hardware... yes. The software... nope. Check this out...
http://www.cytiva.com/cejobs/DetailMazda.asp?mazda389 This person's job is to maintain the internal Mazda servers that are used for the ECU flashes. Basically the MazdaTech stuff and what they do at the dealer with the WDS system is hook the flasher hardware up to a PC. That PC is connected to the internet and checks for the latest flash on the MNAO servers, downloading one if available to the flasher hardware. The flasher hardware then uploads it to the PCM. If we already have a copy of a flash, then it isn't going to be a lot of help. Basically only useful for getting copies of the latest flashes.

What we need to be able to do is decode the data stream... reverse engineer the format of the data. As one may note from the Lexus system, the PCM likely contains several "flashes" for each of the subsystems... something else to consider. So who here is good at hacking software/firmware?

SAE Standards J2534
http://www.sae.org/servlets/productD...D=J2534_200202

This hardware kit looks pretty comprehensive too... http://www.hickok-inc.com/ngs/ngscan.html

As many probably know... I'm a big advocate of ECU flashing vs standalone or supplemental ECU. I'd love to see this happen... let's keep at it guys!

california style

yeah reflash for the win!

Atarax

Might i add u guys blow my mind at your knowledge of these things.

Japan8

Did a little more research... I've only skimmed most of it thus far, but it is all good stuff.

SH7055 SuperH RISC CPU
http://www.renesas.com/fmwk.jsp?cnt=.../sh7055_group/

Vehicle Operating System for SH-2 Operating System Manual
http://documentation.renesas.com/eng...256_sh2ope.pdf

Vehicle Operating System for SH-2 Communication Manual
http://documentation.renesas.com/eng...257_sh2com.pdf

Since "This document is described on the assumption that OSEK specification is understood."
Here you go...
http://www.renesas.com/fmwk.jsp?cnt=...e/osek/&site=i
http://www.osek-vdx.org/


Tools
IDA Pro Disassembler and Debugger
http://www.datarescue.com/idabase/

Renesas SuperH Flash Development Toolkit Ver.3 (HS6400FDIW3SR)
http://www.renesas.com/fmwk.jsp?cnt=hs6400fdiw3sr.htm&fp=/products/tools/flash_prom_programming/fdt/child_folder/&title=Ver.3%20(HS6400FDIW3SR)


http://en.etasgroup.com/catalog/pdf_05/3_3.pdf
http://www2.eu.renesas.com/products/...w/support.html
http://www.lauterbach.com/frames.html?firesh2.html

tuj

The flash contains both executable code and data. There is only 1 flash, not multiple flashes. Updating subsystems occurs via the main flash. Renesas has complete hardware and programming documents for the SH-2E on their site.

The flash cannot be simply disassembled with a SH-2E disassembler; I already tried that. I tried every combination of offsets and couldn't get a string of at most 10 opcodes without an unrecognized instruction. Granted, I used a free SH-2E disassembler, so without IDA pro I don't if the results would be better.

If you pm me, I can send you a copy of the flash that I got from a forum member and you can examine. I'll send it to anyone, just give me an email that can handle a big file.

tuj

There are MANY possible checksum algorithms, although you're right that most of them are on the web. However, the guys hacking the Honda ECU found out that that unit used 3 different checksum algorithms, one of which was non-standard and they had to reverse engineer.

tuj

No, I don't think that is exactly right. The dealers get the newest 'calibration' of the WDS, either via download or on CD. The WDS itself interrogates the flash level of the car, and then initiates reflashing if a newer version is available in the WDS calibration. This means if your dealer doesn't keep their WDS up to date, you don't get the new flash.

My understanding of the J2534 pass-thru device is that as long as you have a valid flash, the ECU doesn't care what version it is. This makes sense, as if something went terribly wrong, you might want to revert to a previous version. The WDS front-end controls keeping it up to date, but it doesn't prevent old versions being loaded.

Rasputin

My unnderstanding is that you can't go back and flash an older version than the one that's in your PCM. Correct?

Fabrice

tuj

That is the intent of the WDS and/or part of the J2534 pass-thru device software. But what I am saying is that if you can communicate with the ECU via J2534, you should be able to upload whatever flash level you want. I believe the WDS can do this also; the tech's do have the ability put you back to flash K or whatever.

On the MazdaTechInfo site, the 'downloaded application' interrogates the ECU and determines if you need a new flash or not. But, there is nothing apart from a few lines in that application that is stopping the ECU from receiving an old flash.

Japan8

Well I wasn't entirely talking about the WDS unit, as more detailed information about isn't available. That software available through technet does work as I described. Between that and how it works at Lexus (and I read the manual... which is the tech/shop manual), I assumed that WDS would also be similar. In the case of Lexus, their diagnostic/andheld unit can only hold x number of different flashes total at any one time. However, the PC it hooks up to can have all of them saved... which were downloaded from the net OR are from CD-ROM. You delete from the diagnostic/andheld unit as needed and just reload them from the PC.

Japan8

Someone might have posted a link to the Renesas site and you mentioned the name of the OS, but nobody has posted direct links to the OS and communication manuals. Nor has anyone posted links to OSEK/VDX. Assuming that people would have found it on their own... well we all know what they say about assumptions.

I would need to read all the aforementioned documents I could really get in to it. I need to understand more about the architecture and API of the OS...

zoom44

yep- all he needs is this cable and TA DA its a pass thru device or hymee for that matter.

zoom44

well.... as i mentioned before the actual flash file downloade by the techs is larger. inside is the executable plus 2 folders. one folder is titled "DIF" and one is titled "FLASH".

the dif folder just has a sort of text file that appears to be release notes of a sort.
the flash folder usually has at 3 other folders inside. one will be ladeled with the same flash number as the whole thing is "N3ZEL000" the others are usually quite different. I believe those to be updates for other systems like the TCM(transmission control module- shift points for autos) or other CAN systems. i base this on looking at soem flashes for the Mazda6 and looking thru the TSBs for that car. they had a TSB which gave a flash number for just the TCM which was similar to one I found in a Mazda6 flash.

of course i could be wrong they could be flashes for other countries or something i havent even guessed at.

zoom44

thats correct- its the way the Mazda software works. if you're programmign your own pass thru software you just have it upload whatever file you point to.

zoom44

tuj check your email.

seikx8

The flash file is an intermediate format that is readable by the WDS system and the flasher software. Between Flash H & M level, the format change a little, that's why they have patches to the WDS system to take care of the Flash file format when new flash files were released. However, the internal raw EPROM datastream is the same once extracted from the flash file and are the actual application code & data that read and execute by the ECM base on the data alignment I've seen.

That's how I understand and I haven't have the time to do more investigate on the trying to dissamble the datastream. There are to method for this hacking approach:

1. Rewrite a new flasher/pass-through software by taking these new EPROM datastream and flash directly to ECM. You will need to figure our what command to send to the pass-through device in order to flash the correct power strain module. This might be something Mazda kept as secret or universal known as standard.

2. Re-package these new EPROM datastream into the flash file format that recognize by the WDS and Mazda flasher. This method will require figuring out the checksum algorithm.

Either way, there will be a lot of sweating and need some guinea pig...

Since there are different flashes between 2004 & 2005 cars, as well as Federal and California version. Comparing the same version level of the flashes between Federal & California might pretty much give you a lot of hint on where the application and data are resided within the EPROM datastream.

zoom44

read http://forum.mazda6tech.com/viewtopi...er=asc&start=0

Japan8

Alrighty then... nothing concrete to give you guys, but some new (not been posted before) and useful reading...

OpenECU
http://openecu.org/index.php

Automotive Related Research Topics
http://www.hitachi.us/Apps/hitachico...opment/&nId=iD

IME3: Authoring Tool & Runtime Systems for the development of your diagnostic application
http://www.ime-actia.de/web_diag/swdiag.htm

All about J2534: Free Markets, Pollution and the Automobile industry
http://www.drewtech.com/support/j2534/intro.html

All about J2534
http://www.passthruxs.com/all_about_j2534.htm

Using DrewTech's v0202 PassThru (J2534) DLL
http://www.drewtech.com/support/j2534/index.html



Ford Motorcraft: Reprogramming & Initialization
http://www.motorcraftservice.com/vdi...&menuIndex1=63
Passthru+ XS
http://www.passthruxs.com/passthruxs.htm
Passthru+ XS API for Developers
http://www.passthruxs.com/dev_api.htm
EEPod
http://www.eepod.com/

EASE J2534 Universal Reprogrammer
http://www.obd2.com/J2534/index.html
EASE PC Scan Tool
http://www.obd2.com/scantool/scantool.htm

TARI Racing Software Forum
http://www.tari.co.za/cgi-bin/yabb2/...board=dl1about
ecuExplorer
http://www.tari.co.za/cgi-bin/yabb2/...cuexplorermain

EEC-V Calibration Memory Structure
http://www.hptuners.com/forum/showthread.php?t=85
How to FLASH EEC-V
http://www.hptuners.com/forum/showthread.php?t=85

By far openecu.org looks to be the most helpful in figuring out just how this is all done. They are talking about most Subi cars, but that doesn't change the strategy needed for the 8. I know we are missing something, but I don't know what exactly to call it... but it's the "missing link" to reading that hex data.

TeamRX8

iTrader: (25)

the missing link, found ...

MazdaManiac

iTrader: (3)

^^ OK, that was useful, Mr. Frodo.

TeamRX8

iTrader: (25)

seikx8

Look promising. And here is what I've found:

By looking for patterns in the ROM image (extracted from SW-N3Z2EP000.PHF file), I have seen these patterns word/int value offset at 0x078F44:
10000 7000 6500 6000 5500 5000 4000 3500 3000 2500 2000 1000 500

They look like the main map RPM values.

While there are 3 other location offset at 0x076EFC, 0x076F64, 0x076FCC that have the following values:
10423 10276 10128 10000 9876 9753 9645 9526 9408 9310 9211 9113 9013 8927 8871 8822 8773

They look like 3 separate Hi - RPM map values, does these have something to do with the peak TQ/HP value that we've seen in most of the dyno graph?

While looking at file: SW-N3Z2EM000, the patterns found at offset: 0x78F60, 0x76F18, 0x76F80, 0x76FE8

Needless to say, OpenECU link is very useful.

Hskr8

iTrader: (1)

if I am not mistaken, I believe there is 1 map for 1st-3rd gears, and another map for 4th-6th gears... something Maurice figured out I think.

MazdaManiac

iTrader: (3)

No.
The PCM has no way to figure out what gear you are in!
Stop repeating this.

There is, however, a time component to the calculation in addition to the usual load axis of RPM, air flow and TP.