Mazda 6 Forums banner

1 - 20 of 30 Posts

·
Registered
Joined
·
40 Posts
Discussion Starter #1
Sorry if this is the wrong place for this but I'm new here.
My past is in building and tuning Honda's with many different Ems systems like Hondata,Crome, AemEms, some Neptune,DFI..
I was wondering if anyone has even tried to crack the code for our speed 6's? The dealer can reflash our Ecm's so theres no reason why we cant build something to do the same. I have some very computer savy programmers who crack codes all day long and even wrote some of the popular honda stuff and Wv stuff.
Anyone explore this yet, if so link me to the discussion.
 

·
Registered
Joined
·
2,371 Posts
Cobb and CP-E are in the races right now.
 

·
Registered
Joined
·
820 Posts
dont' forget our buddies at TurboXS


If i had some spare cash lying around I'd look into this myself. I think with a few hundred dollars and a friend at a dealership you could get started. You need to buy a FORD VCM and get some factory .bin files from the tech computer to start doing analysis.
 

·
Registered
Joined
·
40 Posts
Discussion Starter #4
dont' forget our buddies at TurboXS
If i had some spare cash lying around I'd look into this myself. I think with a few hundred dollars and a friend at a dealership you could get started. You need to buy a FORD VCM and get some factory .bin files from the tech computer to start doing analysis.
[/b]
Thanks guy's..
So basicly if the dealer is reflashing the speed6 with the recall stuff then the bin file is right there in the dealer database. Whats the Ford VCM? is the reflash device? Vehicle command module? or something?lol

What is turbo xs doing? I have seen it mentioned by 1 othere here. I know these are newb questions and I'm a newb to Mazda. But I have been building and blueprinting hondas for over 10 years now and I know the line Do a search..lol it sucks because theres to many opinions and not facts.
 

·
Registered
Joined
·
1,809 Posts
Thanks guy's..
So basicly if the dealer is reflashing the speed6 with the recall stuff then the bin file is right there in the dealer database. Whats the Ford VCM? is the reflash device? Vehicle command module? or something?lol

What is turbo xs doing? I have seen it mentioned by 1 othere here. I know these are newb questions and I'm a newb to Mazda. But I have been building and blueprinting hondas for over 10 years now and I know the line Do a search..lol it sucks because theres to many opinions and not facts.
[/b]
Nah... they are going to be using a Mazda service/reflash device. They just recently upgraded it. There is a good thread on cracking the RX-8 ECU which might hold some information that'll also be useful for this application... http://www.rx8club.com/showthread.php?t=81...ht=Cracking+ECU and http://www.rx8club.com/showthread.php?t=79...ht=Cracking+ECU
 

·
Registered
Joined
·
322 Posts
Actually, the first step what be:

1) Getting ahold of a few bin files.

2) If encrypted, figuring out the encryption scheme used and cracking.

3) Figuring out the microprocessor that's used to run it. This will describe the machine language format.

4) Decoding the machine language into readable logic (if, then, else, etc)

5) Figuring out each register/memory location and which parameter it refers too.

6) Reprogramming and fix the checksum, etc.

My understanding is that CP-E, Cobb, etc use something called "piggy-back" ECUs. I'm very new to cars but I figured that meant that they grab the data themselves from the car's sensors and override anything the ECU is telling the car. Essentially they are just emulating the ECU rather than actually figuring out how it works.

Edit:

Either way, step 1 will probably be the trickiest, although p5freek claims to be very buddy-buddy with a dealer. If he can get them to download us all the available bin's, we can start doing hex compares. That should identify the data chunks from the code chunks and give us a good start :). I'm willing to help out on this but again, I'm new to cars and learning as I go.
 

·
Registered
Joined
·
366 Posts
Actually, the first step what be:

1) Getting ahold of a few bin files.

2) If encrypted, figuring out the encryption scheme used and cracking.

3) Figuring out the microprocessor that's used to run it. This will describe the machine language format.

4) Decoding the machine language into readable logic (if, then, else, etc)

5) Figuring out each register/memory location and which parameter it refers too.

6) Reprogramming and fix the checksum, etc.

My understanding is that CP-E, Cobb, etc use something called "piggy-back" ECUs. I'm very new to cars but I figured that meant that they grab the data themselves from the car's sensors and override anything the ECU is telling the car. Essentially they are just emulating the ECU rather than actually figuring out how it works.

Edit:

Either way, step 1 will probably be the trickiest, although p5freek claims to be very buddy-buddy with a dealer. If he can get them to download us all the available bin's, we can start doing hex compares. That should identify the data chunks from the code chunks and give us a good start :). I'm willing to help out on this but again, I'm new to cars and learning as I go.
[/b]

How much to finance somethign like this? Anyone interested in creating a product?
 

·
Registered
Joined
·
329 Posts
My understanding is that CP-E, Cobb, etc use something called "piggy-back" ECUs. I'm very new to cars but I figured that meant that they grab the data themselves from the car's sensors and override anything the ECU is telling the car. Essentially they are just emulating the ECU rather than actually figuring out how it works.

[/b]
Just to clarify the CP-E and Turbo-XS units are "piggy-back" style. They intercept the signals from the sensors and adjust them on the fly to fool the ECU into allowing more boost/timing/etc. The Cobb unit actually flashes a new map onto the ECU. Because they have to crack the encryption on the stock unit their solution will take much longer to get finished.
 

·
Registered
Joined
·
322 Posts
How much to finance somethign like this? Anyone interested in creating a product?
[/b]
Assuming there's nothing illegal about it, I would imagine there's enough smart people here to work on it together as a group. The only expenses I would surmise would be for any hardware needs such as the Ford VCM that fgraziano mentioned.

Based on my understanding of encryptions and such in the PC world, it's a dangerous ground. While one could probably argue in court that we as owners have the right to do anything we want with the ECU's on our own car, including looking at the (encrypted) code, we could get in big trouble if we were to start posting it on the web. Even more so if we were able to unencrypt it since we would be dealing with copyrighted/patented code and the like. Our only real defense would be that we wanted to create "backups" in the event of an ECU failure but since Warranty would handle that... hehe... I'm sure you catch my drift.

I would imagine that the legit aftermarket companies are required to sign NDA's or perhaps don't even bother since a "piggyback" solution avoids messing with the ECU.

Now... all that done and said. The one thing we COULD do is write our own version from scratch, opensource it (to avoid legal battles), and then attempt to flash and run with that. But that would be a large undertaking, require some extremely smart engineers, and require some very brave individuals willing to put their baby "under the knife" so-to-speak.
 

·
Registered
Joined
·
322 Posts

·
Registered
Joined
·
788 Posts
I would be willing to help in this venture...I've done plenty of assembly programming and vhdl coding as well...I'll help anyway I can from that side of things...
 

·
Registered
Joined
·
76 Posts
I plan on going to the dealership tomorow to have oil changed and tires balance and rotated. I have become really good friends with the head mazdaspeed tech at the dealership. I will see about getting the reflash files for you guys. I do know for a fact that the dealership i go to uses a palm pilot with special type of cord that connects to the car. I will see what i can do.

If he is willing to "donate" his time for us, what all would you guys want?
 

·
Registered
Joined
·
820 Posts
refer to my ebay link, it's the ford VCM system, pda diagnostics link. basically we just a few .bin files preferebly a pre-reflash and the reflash, you can start to compare the two files and zone in on some of the PID's.
 

·
Registered
Joined
·
788 Posts
I have Ultraedit32 which will take two files binary, text, whatever you want and it will highlight and break down the differences and similarities of the two files...I'm sure there are other programs like that, but that one should work...
 

·
Registered
Joined
·
820 Posts
probably not that easy, i'm sure the bins are encrypted. Each file is most likely VIN coded as well. You will have to break the encryption first, then find out where the VIN locks are, Then you can start making other changes. It's not by any means a quick or easy process. This will take some time unless we get some real insider information. you don't just stumble across this stuff.
 

·
Registered
Joined
·
788 Posts
Well hopefully we can get some files, I have a lot of resources at my disposal to accomplish something like this...
 

·
Registered
Joined
·
322 Posts
I would be willing to help as well.
 

·
Registered
Joined
·
1,809 Posts
I have Ultraedit32 which will take two files binary, text, whatever you want and it will highlight and break down the differences and similarities of the two files...I'm sure there are other programs like that, but that one should work...
[/b]
I've used UltraEdit32 alot at work... and I wonder if this is really the tool needed here. Most seem to use a disassembler like IDA Pro.

Various disassemblers... http://www.rx8club.com/showpost.php?p=1393...p;postcount=231

Hymee sCANalyser
http://www.performancedesign.com.au/?content=scanalyser


Cracking the ECU from RX8club.com... follows the progress in cracking the RX-8 ECU.
http://www.rx8club.com/showthread.php?t=81...ht=Cracking+ECU

Chip Tuning Fundamentals
http://www.europeancarweb.com/tech/0507ec_chip_tuning/

BLACK-BOX REVERSE ENGINEERING OF AUTOMOTIVE ECUS: A PRACTICAL APPROACH
http://www.jacobsschool.ucsd.edu/ResearchR...ndex.sfe?id=377

Reverse Engineering the 1986-1991 Mazda ECU
http://www.16paws.com/ECU/index.html

Bosch Motronic Reverse Engineering Project
http://www.stealyourface.net/bosch/

The D-Jetronic Electronic Control Unit (ECU)
http://members.rennlist.com/pbanders/ecu.htm


Reverse Engineering Team Forums
http://www.reteam.org/board/index.php?

“Hacking the Xbox: An Introduction to Reverse Engineering” by Andrew “bunnie” Huang.
http://bunniestudios.com/



probably not that easy, i'm sure the bins are encrypted. Each file is most likely VIN coded as well. You will have to break the encryption first, then find out where the VIN locks are, Then you can start making other changes. It's not by any means a quick or easy process. This will take some time unless we get some real insider information. you don't just stumble across this stuff.
[/b]
From what I've read on a couple different ECU's... there don't seem to be VIN locks in use in general. It makes sense when you consider that the same flash files have to be used on all cars in a region (e.g. North America). Rather for security, a checksum bit is used.

Anyway some of the links I posted should prove helpful in getting started on this project...
 
1 - 20 of 30 Posts
Top