Help reversing ECU
TL;DR version: I'm trying to reverse engineer the X ECU so I can do custom ROM development. To get much farther, I need more info about the operating environment. If you know what the EFI ECU microcomputer hardware is based on, please share.
I know it's an M32R-FPU processor on a Renesas 32XXX series microcomputer, but I need to be more specific than that.
The long version: (please correct me if I'm wrong about any of this, just started digging this afternoon)
I've been trying to gather some information relating to the hardware used by the Evo X EFI ECU. From what I've gathered so far, it appears the MCU is a Mitsubishi M32R-based microcomputer, but from a technical standpoint, that doesn't get me too far. It doesn't even tell me what CPU is used, so I can't be sure of the instruction set or the virtual memory layout. M32R boards are available with SH4, MIPS, ARM, PPC processors and more.
Based on the research others have done, it appears that the M32R implementation in the ECU is using a Hitachi/Renesas SuperH-based processor. A Mitsubishi press release from around the time X development began also suggests this. It also suggests that the chip used includes an FPU. This really isn't a surprise, since the Evo VII, VIII & IX also used SuperH2-based CPUs (SH/7052F for the VII/VIII, and SH/7055F for the IX). Previous generations all used H8/300L processors, if I recall correctly. Just by looking at the ROMs, it appears that it also uses the SH2 instruction set, or at least something comparable with SH2.
Again, knowing it's an SH2-based M32R-FPU only tells us a bit. There are several variations of this MCU available, as well. The specifications of each variant dictate a ROM size between 256k and 1MB. Since we know the Evo X ECU ROM is 1MB, this eliminates half the options, leaving us with the 32196, 32186, and 32192 groups (and their predecessors). There's been one report of it being a 32196, but I can't confirm that. The press release I linked earlier suggests it may be a 32182 (also 1MB). Can anyone confirm which MCU group our ECU uses? And would anyone happen to have the user manual as well?
Regardless of which class it is, there are 3 options in each group to narrow down the exact end product used. I think I can proceed with just the MCU group, but if anyone knows the exact part number, I'd be grateful if you would share.
It saves me some guess work.
Right now I'm basing all my research off the 32170-group MCU user manual and trying to look at the ROM files and find out what changes. It gives me an idea of what the virtual address layout looks like, how the boot-up sequence may work, where the interrupt tables are, how the CAN bus is interfaced, etc... but for a 32170. So mapping to <unknown> is difficult.
Thanks!
Last edited by blk-majik; Apr 19, 2011 at 07:20 PM.
Awesome, thanks tephra! And just my luck, I have manuals for M32170F6, F4 and F3, but not F8.
F6 seems close to what you're saying (memory starting at 0x00804000), but the size is 0xA000, so it doesn't look like it'll be of that much use.
I think I found the right Renesas manual now. Good-bye productive work day
http://documentation.renesas.com/eng...67_32176hm.pdf
Edit: whoops, this one only has F2 - F4, but again, no F8. Could you please hook me up with the correct manual if you have it?
Last edited by blk-majik; Apr 20, 2011 at 07:06 AM.
But the address space layouts are a little different, right? 32176F4 has a 512k ROM, for example. And F32170F6 uses a 768k ROM. Our chip (32176F8) uses a 1MB ROM.
So the address layout has to be somewhat different. Do you have the manual for the 32176F8? My goal is to write a disassembler for the M32R ECU ROM, similar to the one that Logic created for the SH2 version. It'll be a lot easier with the right manual.
I would suggest getting IDA Pro and start looking at the disassembly, and invest some time into it (e.g. months...).
What exactly is your game plan? Do you wish to write alternate functions and build extra functionality on top of the HAL, or are you hoping to write from scratch?
I know both are tempting; the latter I would give serious thought to. I know the platform that we use at work for our ECUs has ~16 man-years built into it in coding and test.
You may consider purchasing either the M32R dev kit, or getting the JTAG tool and setting yourself up with a compilation license. I have looked at both and they cost ~$5k to kit up your toolchain and debugger.
Ren offers a free code simulator which works well with the assembly code, as long as you can pad a RAM section into an s19/mot style of file.
PM me if you want specifics, I am just starting at this as well, obviously Tephra is one of the founders and masters at this as well.
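The step mentioned in the post above (padding a RAM section into an s19/mot file so a simulator can load it), as an added example that is not part of the original thread. It assumes the flash image is mapped at address 0 and reuses the RAM start (0x00804000) and size (0xA000) quoted earlier in the thread for the F6 part; the header text and sample ROM bytes are constructed.

```python
# Added example: wrap a flat ROM dump plus a zero-filled RAM section in
# Motorola S-records (.mot/.s19). All addresses and sizes are assumptions.
ROM_BASE = 0x00000000   # assumption: flash image is mapped at address 0
RAM_BASE = 0x00804000   # RAM start quoted in the thread
RAM_SIZE = 0xA000       # size quoted in the thread for the F6 part (assumption here)


def srec(rtype: int, address: int, data: bytes = b"") -> str:
    """Format one record; S0/S1/S9 carry 2 address bytes, S3/S7 carry 4."""
    addr_len = {0: 2, 1: 2, 3: 4, 7: 4, 9: 2}[rtype]
    body = bytes([addr_len + len(data) + 1]) + address.to_bytes(addr_len, "big") + data
    checksum = ~sum(body) & 0xFF   # ones' complement of the low byte of the sum
    return f"S{rtype}{body.hex().upper()}{checksum:02X}"


def section(base: int, data: bytes, chunk: int = 32):
    """Yield S3 data records covering `data` loaded at `base`."""
    for off in range(0, len(data), chunk):
        yield srec(3, base + off, data[off:off + chunk])


def build_mot(rom: bytes, ram_size: int = RAM_SIZE, entry: int = ROM_BASE) -> str:
    """Header, ROM records, zero-filled RAM records, then an S7 start record."""
    lines = [srec(0, 0, b"ECUROM")]              # constructed header text
    lines += section(ROM_BASE, rom)
    lines += section(RAM_BASE, bytes(ram_size))  # the padded RAM section
    lines.append(srec(7, entry))
    return "\n".join(lines) + "\n"


def verify(text: str) -> int:
    """Re-check count and checksum of every record; return total S3 data bytes."""
    total = 0
    for line in text.splitlines():
        raw = bytes.fromhex(line[2:])
        if raw[0] != len(raw) - 1 or (sum(raw) & 0xFF) != 0xFF:
            raise ValueError(f"bad record: {line}")
        if line[1] == "3":
            total += len(raw) - 6   # minus count, 4 address bytes, checksum
    return total


if __name__ == "__main__":
    sample_rom = bytes(range(256)) * 4   # constructed 1 KiB stand-in for a ROM dump
    mot = build_mot(sample_rom)
    print(mot.splitlines()[1])
    print(verify(mot), "data bytes")
```
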
I used IDA at work almost daily, but the problem is that I only have access to the advanced SDK in my lab. I can't take the PCs home to do stuff on my own time, and I can't afford to do all my hobby work using work's resources. I spend enough time there as it is.
I'm also not willing to pay the $3k or whatever Ilfak is charging these days. It's not worth risking my career to pirate it.
So that's my first goal: try to provide a free disassembler for the M32R ROM. Hence why I'm interested in knowing exact locations of all code and data sections in the ROM. That's the first step. Like I said before, with an accurate user manual for the hardware, I'm not sure how accurate I can be.
If I can manage that, I'd like also to be able to reverse the processes and assemble the object code based on an altered version of the disassembly.
I think I'm going to use Logic's sh2dism project as a starting point. I'm playing with it to understand the evo8/9 ECU a little better and see what works on that platform.
I can't find any M32R F8-chip manuals for that matter. Oh well, moving on.
Are the I/O registers all at 0x80000 - 0x803fff as far as you can tell?
And the ROM itself is 0x0 - 0x10000? Does this correspond to the flash image ECUFlash gives us?
And the vector table is inside the ROM, starting at 0x0?
I have a big collection of manuals on a Dropbox share if you want to join, PM me for access. I don't think it is much different than what you can download from the Ren site, or the tech details on the EvoScan site.