
Subject: "Fun ECU facts and developments"
Global Ruler Of All Things DarkOne, May-20-22 01:23 PM
Donating 2GNT member
14938 posts,
Jan-26-24 11:09 AM by DarkOne



          

The ECU in the 2GNT / Avenger / Sebring / Stratus / Cirrus / Breeze / Neon and almost every other passenger car Chrysler made from 1996 to 2005 is an SBEC3. It's powered by a Motorola M68HC16Z2 or Z3 chip, with 2KB (Z2) or 4KB (Z3) of RAM. Most early models appear to be 16.7MHz, but the chip can run as fast as 25MHz in later variants.

The flash chip is a 256KB M28F200 or one of the many electrically compatible variants. These were originally a TI chip, I think. The one I have is an SGS-Thomson.

The ECU requires a 12V+ signal on the SCI RX line at power-on to enter bootstrap mode. In the 2G, SCI RX is in the 12-pin diagnostic port next to the OBD2 plug, and SCI TX is in the OBD2 plug itself. These are pins 65 and 75 on the 80-pin ECU harness (and may be the same across all years, I'm not sure - I've only checked 98 & 99 which are the same anyway). When 12V+ is applied to SCI RX at power-on, the processor sees CSBOOT asserted and switches to an alternate set of boot parameters. RAM is assigned to 0x00000 address (instead of 0xF8000 in normal operation) and the Masked ROM module is exposed at 0xE0000. It is 8KB long, and burned into the processor during manufacture. The code appears to have been written by Unique Design Systems in 1994 (there's a copyright string in the binary). This code defines the expected requests and responses while operating in bootstrap mode. It also negotiates baud rate based on a magic byte. Preferred rate is 62500 baud (normal speed is 7800).

Bootstrap sequence goes like:
TX 7F
RX 06 (speed is now 62500)
TX 24 D0 27 C1 (give me a security seed)
RX 26 D0 67 C1 XX XX (here, have a seed)
Solve the seed
TX 24 D0 27 C2 XX XX (seed solution)
RX 26 D0 67 C2 1F (Solution accepted)

The ECU then waits for a privileged command. The code required to initialize the ECU doesn't exist in the ECU itself and has to be supplied from an external source. The one I wrote is here: https://github.com/dino2gnt/SBECBootLoader

4C 01 00 XX XX starts the process to upload a bootloader to the ECU, where XX XX is the end address, e.g. the size of the bootloader image + 256 bytes (because it starts at 0x100). When the image is completely sent, 47 01 00 tells the bootstrap code to JMP to 0x100 and execute the code there. If the transition is successful, we echo back 47 01 00 22. Now the ECU is running your bootstrap code.

The "stock" bootstrap process uses a small bootloader to provide initialization and a running environment, but itself contains no functionality. It relies on small binary "workers" that are uploaded separately to do the real work, for example to read back, erase and rewrite the firmware, or to reset the VIN, or to fetch the part number.

I wrote a small kernel that can initialize the ECU and dump the firmware from the flash chip. Here's a manual '99 Eclipse ECU firmware:
https://nawdu.de/files/bins/05293190AC.bin
And one from my '97 manual Talon:
https://nawdu.de/files/bins/05293013AC.bin

Reprogramming requires providing +20V on SCI RX, which overcomes an internal Zener diode to switch on an SMT power regulator chip, which provides the +12V reprogramming voltage to the flash chip controller. In Chrysler's patent docs, they lay out requirements for fast < 1mS switching times and fast voltage stabilizations for the supply voltage, but I think it's all nonsense. I'm providing power with a 24V DC PoE injector turned down to 20V with a Chinesium buck converter board and switching it with an honest to god mechanical relay board from Amazon off the UART's rts pin. It works ¯\_(ツ)_/¯

Here's the processor datasheet:
https://www.2gnt.com/documents/DarkOne_MC68HC16Z4UM.pdf

The flash chip datasheet:
https://www.2gnt.com/documents/DarkOne_flash-chip-datasheet-2.pdf

The CPU16 reference manual:
https://www.2gnt.com/documents/DarkOne_CPU16RM-1.pdf

______________________________
If a sentence found online has 35% misspellings or greater and includes at least two racially charged expletives, chances are it is a YouTube comment.

'95 Eclipse TurboGS (garage deco)
'95 TSi AWD (restoring a survivor)
'97 Talon ESi-T (poor impulse control)
'99 Eclipse RS-T (daily beater)
'13 Evo X (mostly stock)
'17 Sienna (Middle Aged Dad Mobile)



Factory Service Manuals: http://nawdu.de/files/
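
Added example, not part of the original post and not code from SBECBootLoader: a Python check that a captured bootstrap handshake matches the byte sequence in the post, plus a builder for the 4C 01 00 XX XX upload command. The function names, the big-endian encoding of XX XX, the RAM-size limit and the sample capture (including its seed and solution bytes) are assumptions made for illustration.

```python
import struct

LOAD_ADDR = 0x100                       # bootloader start address, per the post
SEED_REQ = bytes.fromhex("24d027c1")    # TX: request a security seed
SEED_RSP = bytes.fromhex("26d067c1")    # RX: followed by 2 seed bytes
KEY_REQ = bytes.fromhex("24d027c2")     # TX: followed by 2 solution bytes
KEY_OK = bytes.fromhex("26d067c21f")    # RX: solution accepted
UPLOAD = bytes.fromhex("4c0100")        # TX: followed by 2 end-address bytes

def upload_command(image, ram_size=2048):
    """Build 4C 01 00 XX XX for a bootloader image loaded at 0x100."""
    end = LOAD_ADDR + len(image)
    # Assumption: the image must fit in the RAM mapped at 0x00000
    # in bootstrap mode (2KB on the Z2, 4KB on the Z3).
    if not image or end > ram_size:
        raise ValueError(f"end address {end:#06x} outside {ram_size}-byte RAM")
    # Assumption: XX XX is big-endian, matching 01 00 read as 0x100.
    return UPLOAD + struct.pack(">H", end)

def check_handshake(frames):
    """Validate captured (direction, bytes) frames; return (seed, solution)."""
    steps = [("TX", b"\x7f", 0), ("RX", b"\x06", 0), ("TX", SEED_REQ, 0),
             ("RX", SEED_RSP, 2), ("TX", KEY_REQ, 2), ("RX", KEY_OK, 0)]
    if len(frames) < len(steps):
        raise ValueError("capture ends before the handshake completes")
    payloads = []
    for n, ((want, prefix, extra), (got, data)) in enumerate(zip(steps, frames)):
        # Each frame must have the right direction, fixed prefix and length.
        if (got != want or not data.startswith(prefix)
                or len(data) != len(prefix) + extra):
            raise ValueError(f"step {n}: expected {want} {prefix.hex(' ')} "
                             f"+{extra} bytes, got {got} {data.hex(' ')}")
        payloads.append(data[len(prefix):])
    return payloads[3], payloads[4]

# Constructed capture: the seed and solution bytes are made-up placeholders.
CAPTURE = [("TX", bytes.fromhex("7f")), ("RX", bytes.fromhex("06")),
           ("TX", SEED_REQ), ("RX", SEED_RSP + bytes.fromhex("1234")),
           ("TX", KEY_REQ + bytes.fromhex("abcd")), ("RX", KEY_OK)]

if __name__ == "__main__":
    seed, solution = check_handshake(CAPTURE)
    print("seed", seed.hex(), "solution", solution.hex())
    # Constructed 512-byte image: end address is 0x100 + 0x200 = 0x300.
    print("upload:", upload_command(bytes(512)).hex(" "))
```

The seed-to-solution computation is not described in the post, so the check only verifies framing and ordering.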

  
