Crack the stock ECU - Hyundai Genesis Forum
post #1 of 1897 Old 10-06-2010, 04:57 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)
Crack the stock ECU

Hello guys, I'm new here and don't have a GenCoupe. But I am very interested in it; to me it is a new Nissan Silvia with Mitsubishi Evolution heritage. And since I grew up on Evos (and 4 Eclipse GSXs before that), and still have one as my daily driver...this new GenCoupe is interesting. The only thing that puts me off is the inability to fully tune the car by myself. I love what PowerAXEL has done, but sorry, nothing beats me spending hundreds of hours logging and tuning; no matter how good the tuner is, a 1 hr dyno tune still isn't close, and certainly an off-the-shelf map can't come close.

In the Evo community this was once the same problem, but the community came together and cracked the ECU and now there are plugin mods for the stock ECU to make it do some crazy things. People are even hitting 800hp on the stock ECU !

So I decided to see if I could get the ball rolling on the same thing for the GenCoupe community. Now, I'm not a hacker or a programmer (though I do have an EE/ME background). And I have never done this before. But I decided to take a look at the problem and see what I could find. In 3 days I have found the following:
  1. The 2.0t Genesis Coupe is running the Siemens VDO 5WY5D75A SIM2K-141 ECU.
  2. To pull the ROM off the ECU you will need a K-Line compatible OBD2 reader and KWP2000 (Keyword Protocol 2000) software.
  3. To write the ROM back to the ECU you need a K-Line and L-Line compatible OBD2 reader and KWP2000 (Keyword Protocol 2000) software.

---The above is the easy part. There are plenty of KWP2000 software packages out there and plenty of K/L Line compatible OBD2 readers. I actually have the hardware here with me from using it on my Evo (Open Port 2.0x is KWP2000 and K/L line compatible)---
  1. I also found at least 2 other people have already started down this road, and both have successfully pulled their ROMs off the ECU via the OBD2 port.
  2. I obtained a copy of both ROMs, one 6sp and one 5sp auto.
  3. I have run an analysis on both raw .BIN files and they share 75% of the same code structure.
  4. I have run the 6sp ROM through a decompiler (IDA Pro), and an automated map identifier (WinOLS) and identified potentially 152 individual maps.
  5. I have a pretty good feeling I have found 4 fuel maps: looks like a "low octane" map for when you are detonating, 2 regular fuel maps, and 1 cold start fuel map. All 4 maps are scaled from 720 rpm to 6000 rpm by 0 - 870(something). The secondary scaling is definitely load, but I'm unsure of the ECU's raw measurement method yet (either kPa or millibar, probably).
  6. I have also found that there is already a checksum definition out there...but it's behind lock and key (i.e. $$$$). If you want to search for it via Warez it is "OLS298 - Siemens Simos HMC (Version 2.11)".

--------------------------------------------------------

Now that's what I have accomplished so far. I'll be glad to share all my work so you can see it too. I've never done this before so I'm very likely wrong on some of my above assumptions (the only thing I know I got right for sure was the RPMs on the scaling of the maps I have identified hahahahahah).

This is what I need from the community to make the next big leaps:

1. Documentation on the coding language used for this ECU
2. Documentation on the hardware definitions used by Siemens

With those items we should be able to define the stock ROM in a couple months. We should then be able to see the stock ECU's maps and how it works for the most part. But the big part is checksums. I'm tired of typing but I'll explain checksums in a bit (after I go shoot someone on Counterstrike to let off some steam). But think of checksums as security built into the ROM to prevent anyone from changing anything.

And remember 2 things:

1. Other people have done this before and they started out not knowing anything.
2. PowerAXEL has this all figured out (though they purchased a solution)...so the knowledge on this particular ECU is already out there, we just have to figure it out.
EvoMR is offline  
post #2 of 1897 Old 10-06-2010, 05:00 PM
Member
 
Join Date: Aug 2010
Location: NC
Posts: 45

I can't really help, but this is awesome.

gj op
lucky l3fty is offline  
post #3 of 1897 Old 10-06-2010, 05:01 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Saved spot for explaining Checksums.
EvoMR is offline  
post #4 of 1897 Old 10-06-2010, 05:01 PM
If u don't kno, now u kno
 
Join Date: Nov 2009
Location: Warren, NJ
Posts: 1,605

Dang son...can you crack the stock 3.8 ECU? I heard it's a beetch....Delphi unit

50/50

'10 NoGrey 3.8 ZF-Track/Nav

Diagnosis:
Snow Boots: Enkei RS6 18" 7.5" wide +38 offset
DIY Intake Filter(cone)/Stock Tube
HiPro Power 5900K Fogs
SilverStar 4100K Halogen Hi Beam
Red LED Taglights
Plasti-dipped E&G upper/lower Grill


Prognosis:
n/a
DPaik is offline  
post #5 of 1897 Old 10-06-2010, 05:03 PM
Senior Member
 
Join Date: Feb 2009
Location: Tennessee
Posts: 1,617

I am willing to donate to this cause.

This is some good news.
Sam Klein likes this.
renzo088 is offline  
post #6 of 1897 Old 10-06-2010, 05:17 PM
Retired Staff
 
Join Date: Aug 2010
Location: Baton Rouge, LA
Posts: 2,303

Ok.... I don't speak computers or tuning, but anything I can do to help, I will.

Major hats off to you sir.


2011 Tsukuba Red 2.0T RSpec
Enkei / KDM-Racing / Eibach / GTSpec / TurboXS / StopTech / ISC Suspension / TrackKing Racing / HPS
SCCA Autocrosser. Slow car, fast driver
I Drive Naked is offline  
post #7 of 1897 Old 10-06-2010, 05:22 PM
Senior Member
 
Join Date: Jul 2009
Location: central CT, USA
Posts: 2,854

I also wish you luck and look forward to a user-tunable device as well.

briansol is offline  
post #8 of 1897 Old 10-06-2010, 05:23 PM
It is not red. Not red..
 
Join Date: May 2009
Location: Lake Stevens, Wa
Posts: 5,706

This thread has potential win.


http://www.gencoupe.com/general-discussion/56608-north-american-genesis-coupe-meet.html
http://www.williamworley.com/nitrogen.php
Quote:
Originally Posted by 2.0T Mirabeau: I am beginning to wonder about almost all these Vendors..
.
Genracer~Tom@G&M~Grimmspeed~Beyond Redline
Have had NO complaints to my knowledge.
~Havoc - new, but desperate to keep their Customer Service name 100%
~Diode Dynamics - Paul always takes care of his customers
These are vendors I recommend. PM me if you think differently.
satheian is offline  
post #9 of 1897 Old 10-06-2010, 05:37 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Since I can't post pictures until I hit 10 posts, please consider this gratuitous post whoring. A lot of what I want to explain and show is easier to explain with pictures. Also, I have *NOT* cracked anything. I have simply looked at a raw file, and using pattern recognition, identified some *potential* maps. *Cracking* a ROM is more along the lines of cracking the checksum algorithm...

And remember, this thread is for you guys to get interested in how this all works and to contribute. As I say at work, "I hope I'm not the smartest guy in the room, cause if I am then we are all screwed".
Sam Klein likes this.
EvoMR is offline  
post #10 of 1897 Old 10-06-2010, 05:38 PM
It is not red. Not red..
 
Join Date: May 2009
Location: Lake Stevens, Wa
Posts: 5,706

Just FYI.. You suck at post-whoring.



Last edited by satheian; 10-06-2010 at 07:30 PM.
satheian is offline  
post #11 of 1897 Old 10-06-2010, 05:40 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

I really want to explain checksums, I'm not trying to put it off...but I need motivation. Off to the ColdStone for a quick ice cream and then a post about this crazy lock and key on the ROM.

(and yes, more post whoring)
EvoMR is offline  
post #12 of 1897 Old 10-06-2010, 05:43 PM
Senior Member
 
Join Date: Nov 2008
Location: Socal
Posts: 290

Quote:
Originally Posted by EvoMR View Post
[the opening post, quoted in full]
You bought the IDA Pro? Holy crap, never knew there was something like this out there. And OLD school Counter Strike! Bring back the bunny hop lol.
PaulAlex16 likes this.

OSRdyno.com
BlueRB240 is offline  
post #13 of 1897 Old 10-06-2010, 05:48 PM
Senior Member
 
Join Date: Mar 2009
Location: Puerto Rico
Posts: 352

Are you using the Tactrix OpenPort or any other solution?

Silverstone 2.0T
xbeyong is offline  
post #14 of 1897 Old 10-06-2010, 06:01 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Quote:
Originally Posted by BlueRB240 View Post
You bought the IDA pro? holy crap never knew there was something like this out there. and OLD school Counter Strike! bring back the bunny hop lol.
I have the trial of IDA Pro. And yes, I have been playing Counterstrike since 1998 (to give away my age a bit). And nobody does the running man like me...but usually I'm running from the cops.
EvoMR is offline  
post #15 of 1897 Old 10-06-2010, 06:02 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Quote:
Originally Posted by xbeyong View Post
Are you using the Tactrix OpenPort or any other solution?
I use the Tactrix OpenPort 2.0x with ECUFlash and EVOScan to tune my Evo.

And bingo...there's 10 posts.
EvoMR is offline  
post #16 of 1897 Old 10-06-2010, 06:10 PM
Senior Member
 
Join Date: Jul 2009
Posts: 13,313

Thought the 2.0T ecu uses a CAN bus data line.

It's how the ECU communicates with all the other modules.

BTW checksum is a form of error correction.
AKGC is offline  
post #17 of 1897 Old 10-06-2010, 06:23 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Ok, since I'm now over 10 posts I can share some of what I have found. Directly below you will see the first definite map I have pulled out of the ROM. It appears that this could be a fuel map, but after looking at it a little more it's definitely not. No fuel map would have the same value at full load across all RPM points. Regardless, this is definitely a map from a GenCoupe 6mt ROM. I did identify that one axis is RPM, and one axis is LOAD; though I don't know the load value. I have found 5 more similar maps to this.



Now that we know that is a map, the next step is finding the next two major data points: what is the map for (fuel, timing, VVT, etc.....) and what is the Z value. Knowing all four items (X, Y, Z and map type) will allow us to finally know what that particular section of the ROM is for.

If you are interested this map is at address 4E2B2 in the .BIN file. This is what the raw part of this file looks like before definition and adding pretty graphics:



CHECKSUM INFORMATION BELOW:

Now, you *could* edit the values of this map and effectively "tune" that map. However, there are these things called checksums. What they are is a cross-referenced value to determine if the values in the map are valid or if they are corrupt (hacked). This is an algorithm where the ECU sees that at Load 870 and RPM 6000 it needs to give 8000-something according to this map. So the ECU then takes that value of 8000, its address space, and runs it through a mathematical formula (algorithm). That formula spits out a value, say for example "FE", and the ECU then goes to a specific location in the ROM, another address, and sees if that address equals "FE". If the address equals "FE" then the checksum has passed and the ECU moves forward. If the checksum doesn't pass then several things could happen, but it all boils down to one final outcome...your modified map doesn't work (and worse, you could brick your ECU).

So you can see that identifying the maps is the easy part...cracking the ROM is the hard part.
EvoMR is offline  
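An added worked illustration (not code from the thread, from EvoMR, or from any ECU vendor) of the two steps described in the post above and in item 6 of the opening post: reading an RPM-by-load map out of a raw image at a known offset, and the checksum comparison the ECU performs against a word stored elsewhere in the ROM. The image layout, the offset and the 16-bit additive checksum are constructed assumptions, not the SIM2K-141's actual format, and the HMAC at the end is there to contrast a checksum with a keyed integrity tag.

```python
import hashlib
import hmac
import struct

# Constructed mini "ROM" image for illustration only: the real SIM2K-141 layout and
# checksum algorithm are not known from the thread, so the offset, axis encoding and
# 16-bit additive checksum used here are all assumptions.
RPM_AXIS = [720, 1000, 2000, 3000, 4000, 5000, 6000]   # X axis: rpm
LOAD_AXIS = [0, 145, 290, 435, 580, 725, 870]          # Y axis: load (raw units unknown)
MAP_OFFSET = 0x40                                      # where the map header sits

def checksum16(data: bytes) -> int:
    """Assumed scheme: sum of little-endian 16-bit words, truncated to 16 bits."""
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return sum(words) & 0xFFFF

def build_rom() -> bytes:
    """Padding, then axis lengths, both axes, the Z cells, then the stored checksum."""
    body = bytearray(struct.pack("<BB", len(RPM_AXIS), len(LOAD_AXIS)))
    body += struct.pack("<%dH" % len(RPM_AXIS), *RPM_AXIS)
    body += struct.pack("<%dH" % len(LOAD_AXIS), *LOAD_AXIS)
    # Constructed Z values; the full-load column holds one value at every rpm,
    # mirroring the thread's observation about the first map it identified.
    cells = [8000 if load == 870 else 1000 + rpm // 10 + load
             for rpm in RPM_AXIS for load in LOAD_AXIS]
    body += struct.pack("<%dH" % len(cells), *cells)
    body += struct.pack("<H", checksum16(bytes(body)))
    return b"\xff" * MAP_OFFSET + bytes(body)

def parse_map(rom: bytes, offset: int = MAP_OFFSET) -> dict:
    """Pull the axes and the rpm-by-load cell grid out of the image."""
    nx, ny = struct.unpack_from("<BB", rom, offset)
    rpm = list(struct.unpack_from("<%dH" % nx, rom, offset + 2))
    load = list(struct.unpack_from("<%dH" % ny, rom, offset + 2 + 2 * nx))
    cells_at = offset + 2 + 2 * (nx + ny)            # first Z cell
    flat = struct.unpack_from("<%dH" % (nx * ny), rom, cells_at)
    cells = [list(flat[i * ny:(i + 1) * ny]) for i in range(nx)]
    return {"rpm": rpm, "load": load, "cells": cells,
            "cells_at": cells_at, "end": cells_at + 2 * nx * ny}

def verify_checksum(rom: bytes, offset: int = MAP_OFFSET) -> bool:
    """The check the thread describes: recompute over the map bytes and compare with
    the word stored at the checksum address (here, just past the last cell)."""
    end = parse_map(rom, offset)["end"]
    (stored,) = struct.unpack_from("<H", rom, end)
    return checksum16(rom[offset:end]) == stored

def set_cell(rom: bytes, rpm_idx: int, load_idx: int, value: int) -> bytes:
    """Copy of the image with one Z cell edited; the checksum word is left untouched."""
    m = parse_map(rom)
    out = bytearray(rom)
    struct.pack_into("<H", out, m["cells_at"] + 2 * (rpm_idx * len(m["load"]) + load_idx), value)
    return bytes(out)

def integrity_tag(rom: bytes, key: bytes) -> str:
    """Contrast: a keyed HMAC-SHA256 tag cannot be recomputed without the key, which is
    what separates error detection (a checksum) from an integrity control."""
    return hmac.new(key, rom, hashlib.sha256).hexdigest()
```

A map cell edited without touching the stored word fails `verify_checksum`, which is exactly the "modified map doesn't work" outcome above; the keyed tag shows why a plain checksum is only a tamper *detector* for accidental corruption, not a security boundary.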
post #18 of 1897 Old 10-06-2010, 06:24 PM
Senior Member
 
Join Date: Sep 2009
Posts: 914

Subscribed. I really wish I could help, but I can't. But props for working towards cracking the ECU!



StayClassyAtlanta.com
Twitter: @StayClassyATL
facebook.com/StayClassyAtlanta


raybuck is offline  
post #19 of 1897 Old 10-06-2010, 06:28 PM
Senior Member
 
Join Date: Nov 2008
Location: Socal
Posts: 290

The load on that map could be how the ecu reads the map sensor.

OSRdyno.com
BlueRB240 is offline  
post #20 of 1897 Old 10-06-2010, 06:31 PM Thread Starter
Old Man Guru
 
Join Date: Oct 2010
Location: DFW, TX
Posts: 42
(Thread Starter)

Quote:
Originally Posted by AKGC View Post
Thought the 2.0T ecu uses a CAN bus data line.

It's how the ECU communicates with all the other modules.

BTW checksum is a form of error correction.
Yes, the 2.0t does use a CAN bus, and you are correct, it's for communicating with other modules. You can also tap into this CAN bus and log what is going on. You can use a Tactrix Open Port 2.0x cable and EVOScan, set the scanner to CAN BUS and then you can datalog your 2.0t. You can't use CAN to flash your car however. It doesn't have the ability to write or read the ROM. Only monitor communications.

To actually flash your ECU you have to use the KWP2000 protocol over the OBD2 K-Line and L-Line. Most KWP2000 ECUs can be flashed solely over the K-Line because it is bi-directional serial communication, but some newer ECUs require the use of the unidirectional (inbound to the ECU) L-Line. Since I don't have a GenCoupe I can only guess that the L-Line is required since this ECU is so new.

As a side note: there is a LOT of empty space in this ROM. Which is not surprising. But interesting for those of us who have seen what Tephra was able to do with the free space in the Evo VIII and IX ROMs.
mrjohnnyeven likes this.
EvoMR is offline  