
Subject: "Fun ECU facts and developments"
DarkOne (Global Ruler Of All Things), May-20-22 01:23 PM
#138748, "Fun ECU facts and developments"
May-28-22 08:33 PM by DarkOne



          

The ECU in the 2GNT / Avenger / Sebring / Stratus / Cirrus / Breeze / Neon and almost every other passenger car Chrysler made from 1996 to 2005 is an SBEC3. It's powered by a Motorola M68HC16Z2 or Z3 chip, with 2KB (Z2) or 4KB (Z3) of RAM. Most early models appear to be 16.7MHz, but the chip can run as fast as 25MHz in later variants.

The flash chip is a 256KB M28F200 or one of the many electrically compatible variants. These were originally a TI chip, I think. The one I have is an SGS-Thomson.

The ECU requires a 12V+ signal on the SCI RX line at power-on to enter bootstrap mode. In the 2G, SCI RX is in the 12-pin diagnostic port next to the OBD2 plug, and SCI TX is in the OBD2 plug itself. These are pins 65 and 75 on the 80-pin ECU harness (and may be the same across all years, I'm not sure - I've only checked 98 & 99 which are the same anyway). When 12V+ is applied to SCI RX at power-on, the processor sees CSBOOT asserted and switches to an alternate set of boot parameters. RAM is assigned to 0x00000 address (instead of 0xF8000 in normal operation) and the Masked ROM module is exposed at 0xE0000. It is 8KB long, and burned into the processor during manufacture. The code appears to have been written by Unique Design Systems in 1994 (there's a copyright string in the binary). This code defines the expected requests and responses while operating in bootstrap mode. It also negotiates baud rate based on a magic byte. Preferred rate is 62500 baud (normal speed is 7800).

Bootstrap sequence goes like:
TX 7F
RX 06 (speed is now 62500)
TX 24 D0 27 C1 (give me a security seed)
RX 26 D0 67 C1 XX XX (here, have a seed)
Solve the seed
TX 24 D0 27 C2 XX XX (seed solution)
RX 26 D0 67 C2 1F (Solution accepted)

The ECU then waits for a privileged command. The code required to initialize the ECU doesn't exist in the ECU itself and has to be supplied from an external source. The one I wrote is here: https://github.com/dino2gnt/SBECBootLoader

4C 01 00 XX XX starts the process to upload a bootloader to the ECU, where XX XX is the end address, e.g. the size of the bootloader image + 256 bytes (because it starts at 0x100). When the image is completely sent, 47 01 00 tells the bootstrap code to JMP to 0x100 and execute the code there. If the transition is successful, we echo back 47 01 00 22. Now the ECU is running your bootstrap code.

The "stock" bootstrap process uses a small bootloader to provide initialization and a running environment, but itself contains no functionality. It relies on small binary "workers" that are uploaded separately to do the real work, for example to read back, erase and rewrite the firmware, or to reset the VIN, or to fetch the part number.

I wrote a small kernel that can initialize the ECU and dump the firmware from the flash chip. Here's a manual '99 Eclipse ECU firmware:
https://nawdu.de/files/05293190AC.bin
And one from my '97 manual Talon:
https://nawdu.de/files/05293013AC.bin

Reprogramming requires providing +20V on SCI RX, which overcomes an internal Zener diode to switch on an SMT power regulator chip, which provides the +12V reprogramming voltage to the flash chip controller. In Chrysler's patent docs, they lay out requirements for fast < 1 ms switching times and fast voltage stabilizations for the supply voltage, but I think it's all nonsense. I'm providing power with a 24V DC PoE injector turned down to 20V with a Chinesium buck converter board and switching it with an honest to god mechanical relay board from Amazon off the UART's RTS pin. It works ¯\_(ツ)_/¯

Here's the processor datasheet:
https://www.2gnt.com/documents/DarkOne_MC68HC16Z4UM.pdf

The flash chip datasheet:
https://www.2gnt.com/documents/DarkOne_flash-chip-datasheet-2.pdf

The CPU16 reference manual:
https://www.2gnt.com/documents/DarkOne_CPU16RM-1.pdf

______________________________
If a sentence found online has 35% misspellings or greater and includes at least two racially charged expletives, chances are it is a YouTube comment.

'95 Eclipse TurboGS (garage deco)
'95 TSi AWD (restoring a survivor)
'97 Talon ESi-T (poor impulse control)
'99 Eclipse RS-T (daily beater)
'13 Evo X (mostly stock)
'17 Sienna (Middle Aged Dad Mobile)



Factory Service Manuals: http://nawdu.de/files/
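
An added example, not part of the original post or of SBECBootLoader: a small auditor that walks a captured SCI trace and reports how far a bootstrap session got, using only the frame bytes listed in the post. Assumptions: XX XX is read as a big-endian end address, the RAM-fit check assumes the whole 2KB/4KB RAM at 0x00000 is usable, and the seed, solution and end address in the sample trace are constructed.

```python
# Added example: audit a captured SBEC3 bootstrap session (frame bytes per the post).
LOAD_BASE = 0x100                       # bootloader is loaded at 0x100
RAM_SIZE = {"Z2": 0x800, "Z3": 0x1000}  # 2KB / 4KB RAM, mapped at 0x00000 in bootstrap mode

def audit(trace, chip="Z2"):
    """trace: list of (direction, frame); 'TX' = tool to ECU, 'RX' = ECU to tool."""
    s = {"fast_baud": False, "seed": None, "unlocked": False,
         "upload_size": None, "fits_ram": None, "executed": False}
    last_tx = b""
    for direction, frame in trace:
        if direction == "TX":
            last_tx = frame
            if len(frame) == 5 and frame[:3] == b"\x4c\x01\x00":
                # Assumption: XX XX is a big-endian end address.
                end = int.from_bytes(frame[3:], "big")
                s["upload_size"] = end - LOAD_BASE
                s["fits_ram"] = LOAD_BASE < end <= RAM_SIZE[chip]
        elif last_tx == b"\x7f" and frame == b"\x06":
            s["fast_baud"] = True            # link is now 62500 baud
        elif (last_tx == b"\x24\xd0\x27\xc1" and len(frame) == 6
              and frame[:4] == b"\x26\xd0\x67\xc1"):
            s["seed"] = frame[4:].hex()      # ECU handed out a security seed
        elif last_tx[:4] == b"\x24\xd0\x27\xc2" and frame == b"\x26\xd0\x67\xc2\x1f":
            s["unlocked"] = True             # seed solution accepted
        elif last_tx == b"\x47\x01\x00" and frame == b"\x47\x01\x00\x22":
            s["executed"] = True             # ECU jumped to 0x100
    return s

# Constructed trace: seed/solution bytes and the 0x0300 end address are made up.
SAMPLE = [
    ("TX", bytes.fromhex("7f")),           ("RX", bytes.fromhex("06")),
    ("TX", bytes.fromhex("24d027c1")),     ("RX", bytes.fromhex("26d067c11234")),
    ("TX", bytes.fromhex("24d027c2abcd")), ("RX", bytes.fromhex("26d067c21f")),
    ("TX", bytes.fromhex("4c01000300")),
    ("TX", bytes.fromhex("470100")),       ("RX", bytes.fromhex("47010022")),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```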

  


Replies to this topic

DarkOne (Global Ruler Of All Things), Jun-01-22 12:45 PM
#138749, "RE: Fun ECU facts and developments"
In response to Reply # 0




          

Added support for writing to the internal simulated EEPROM:


$ ./ecuwriter.py --debug True --write-vin True --read-vin True
Using device /dev/ttyUSB0 at 62500 baud, 8N1
Applying 20V+ to SCI RX. Ready? y/n: n
Provide a new 17 character VIN and press Enter:1B3EJ46X4WN322751
vinBytes:314233454a34365834574e333232373531ff
Command: 5500623142
Expected response: 56006231423142
Received response: 56006231423142
Command: 5500643345
Expected response: 56006433453345
Received response: 56006433453345
Command: 5500664a34
Expected response: 5600664a344a34
Received response: 5600664a344a34
Command: 5500683658
Expected response: 56006836583658
Received response: 56006836583658
Command: 55006a3457
Expected response: 56006a34573457
Received response: 56006a34573457
Command: 55006c4e33
Expected response: 56006c4e334e33
Received response: 56006c4e334e33
Command: 55006e3232
Expected response: 56006e32323232
Received response: 56006e32323232
Command: 5500703735
Expected response: 56007037353735
Received response: 56007037353735
Command: 55007231ff
Expected response: 56007231ff31ff
Received response: 56007231ff31ff
Wrote VIN 1B3EJ46X4WN322751 to EEPROM. Read VIN back to verify.
Sending command: 500062
Sending command: 500064
Sending command: 500066
Sending command: 500068
Sending command: 50006a
Sending command: 50006c
Sending command: 50006e
Sending command: 500070
Sending command: 500072
Vehicle Identification Number from EEPROM: 1B3EJ46X4WN322751

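
An added example, not part of ecuwriter.py or the original post: recovering what was written to the simulated EEPROM from a debug log in the format shown above, and checking that every write was echoed correctly. The frame layout (0x55, a 16-bit address, two data bytes, answered by 0x56, the address and the word twice) is inferred from the log in the post; the sample log and its VIN are constructed.

```python
import re

# Constructed log in the post's output format; the VIN in it is made up.
SAMPLE_LOG = (
    "Command: 5500625445\nReceived response: 56006254455445\n"
    "Command: 5500645354\nReceived response: 56006453545354\n"
    "Command: 5500665649\nReceived response: 56006656495649\n"
    "Command: 5500684e30\nReceived response: 5600684e304e30\n"
    "Command: 55006a3030\nReceived response: 56006a30303030\n"
    "Command: 55006c3030\nReceived response: 56006c30303030\n"
    "Command: 55006e3030\nReceived response: 56006e30303030\n"
    "Command: 5500703030\nReceived response: 56007030303030\n"
    "Command: 55007231ff\nReceived response: 56007231ff31ff\n"
)

def vin_from_write_log(log):
    """Return (vin, problems) recovered from Command / Received response pairs."""
    cmds = re.findall(r"^Command: ([0-9a-f]+)$", log, re.M)
    rsps = re.findall(r"^Received response: ([0-9a-f]+)$", log, re.M)
    words, problems = {}, []
    for c, r in zip(cmds, rsps):
        c, r = bytes.fromhex(c), bytes.fromhex(r)
        if len(c) != 5 or c[0] != 0x55:
            continue  # not a two-byte word write
        addr, data = int.from_bytes(c[1:3], "big"), c[3:5]
        # Inferred from the post's log: 0x56 + address + the word repeated twice.
        if r != b"\x56" + c[1:3] + data + data:
            problems.append(f"0x{addr:04x}: response does not echo written word")
        words[addr] = data
    addrs = sorted(words)
    if any(b - a != 2 for a, b in zip(addrs, addrs[1:])):
        problems.append("write addresses are not contiguous")
    # The 17-character VIN is padded to an even length with 0xff.
    raw = b"".join(words[a] for a in addrs).rstrip(b"\xff")
    vin = raw.decode("ascii", "replace")
    if len(vin) != 17:
        problems.append(f"recovered {len(vin)} characters, expected 17")
    return vin, problems

if __name__ == "__main__":
    print(vin_from_write_log(SAMPLE_LOG))
```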

  
