Bootloader Stuff

Fact: Because of ROM differences, diesel ECUs need a special bootloader!
The popular EcuFlash software (commercial, USA) won’t work; I think no one has ever reported success on a diesel with it. There does not seem to have been active EcuFlash development for some time either.

So we are trying to build our own bootloader, open source – yeah!

It’s a pity that, after so many (gasoline) years, there does not seem to be an open bootloader (+ PC reflash software) for modern Subaru ECUs. Naturally I would expect most code to be identical.

Just a couple of hints and details:
All diesel ROMs seen so far expect a bootloader based at RAM address 0xFFFF4000.
If you do everything required – challenge response, crypto etc. – the ROM code will accept your bootloader upload via CAN messages, decrypting and storing it at 0xFFFF4000+. There’s also a checksum to match. Then via CPU instruction “jmp FFFF4000” the bootloader gets called and takes over entirely.
A few gasoline ROMs I looked into needed 0xFFFF3000, so that’s one major difference to comply with.

The microcontroller architecture is Renesas (formerly Hitachi) SuperH, “SH” for short. It’s a 32-bit RISC chip, the same as in gasoline ECUs.
A must-have download from www.renesas.com:
Look for “SH-2E SH7059 F-ZTAT™ SH7058S F-ZTAT™ Hardware Manual” on http://www.renesas.eu/products/mpumcu/superh/Documentation.jsp
(PDF, around 1000 pages, very technical, not Subaru specific of course)
The standard method is called “User Program Mode”. Other modes (useful for ECU recovery) I don’t care much about yet.

A couple of things already tested and working:

  • Whole process of uploading bootloader via CAN. We’ve got easy-to-maintain C# code for everything needed (challenge-response, encryption, decryption, checksum).
  • CAN communication (needs more testing, very important – if you can’t communicate with the bootloader during reflash you’re screwed…)
  • Downloading on-chip subroutines (these do the actual erase and reprogramming and are copied from the chip into RAM, so we don’t have to write them, but that saves only a small part of the code required)
  • ROM access and building CAN messages (I’d like to add some compression algorithm to get even more speed)

Does anyone want to join our crew and, in a way, be part of open source history?
Obviously we need extra ECUs for testing dangerous things (reflashing).
Could we raise donations to buy ourselves ECUs? Used diesel ECUs are hard to find. Any thoughts?

Update 2011/07: CAN-reflash collaboration possibilities timed out as we completed most of the work ourselves by now. Unfortunately, no one cared till very recently. Due to the huge amount of work required, open-sourcing our solution is rather unlikely, without any sponsorship at least. Thanks for understanding!

One response to “Bootloader Stuff”

  1. Pingback: Diesel FTW: Throw the Book at Clean Cheaters – flyingpenguin
