Disassembling an ECU binary file
guys, I've always wondered about this operation, that is, disassembling an ECU's binary file in order to understand exactly which operations the program in the EPROM makes the micro perform..
does anyone know something about it? I understand the thing is quite complex and more within the reach of a computer scientist/programmer.... is there some good soul who could explain, simplifying a lot, what it is?
is there any programmer among us who is familiar with C/assembly, or with the ASCII language??
Ask and you shall receive!
I'm not really a certified programmer, but I've coded a lot in various programming languages.
What do you need to achieve?
Then, to explain in "digestible" form how a binary file is composed and why it is not readable, we have to take a small step into what I'm about to say..
Let's imagine that you and I (munro) phone each other; between you and me there is a "communication tunnel" through which my voice messages and yours travel.. if a third party interposes himself between the two of us, he can quietly listen to the content of the "communication tunnel".
[me]----[you]
[me]---[intruder]---[you]
these are the 2 cases mentioned above.
now let's start with [me] sending a message that is encapsulated behind an algorithm, let's call it XYZ (just to stay on theme with the site, and ECM), which converts the sound into something not understandable; at the receiving end there are 2 options:
1) if the other end has the same XYZ code, it decrypts the signal and makes it original and "digestible"
2) if the other end, or anyone intruding in the transmission, does not have it, there is no way to listen to the content.
Let's say this applies more to communications, but the principle is the same, just reversed, with
[me] = original programming of the ECU
XYZ = the conversion of the file from human-readable text (whatever language it is written in, it is still characters, which every language has to contain)
[you] = an interpreter such as WinOLS, ECM, etc, etc
At present I couldn't tell you exactly which compiler that file was created with, but there are ways to decompile; it takes time and effort to get a result, because the file in itself is part of an Alfa/Bosch suite, which will certainly have the source interpreter.
Having that, you'd have the world of tuning at your fingertips ;)
I hope I was helpful, and above all clear.. twisted, definitely, but I hope it's clear
Ask me more if you need it
to sum up: having XYZ is equivalent to having a driver/damos interpreter for the file, except that the damos/driver only interprets the IDs, while "XYZ" would reproduce the entire composition of the .ecu file
ok, but if we don't have "xyz" how can we decipher the contents of a micro or an EPROM?
I seem to have read somewhere that the ASCII language is used...
the idea is to implement in the micro and EPROM new functions not provided by the manufacturer, for example multimap, launch control with ALS, bang-bang system, etc. In theory this could be done by changing the code strings in the EPROM so that the micro, while reading its program routine, implements these functions.
It is indeed the ASCII you see in the hex dump of the code.
I should see some EPROM files and look at their composition.
As soon as I have time I'll take a look.
thank you... I like this give-and-take ;))
I forgot: if you need some micro file I can post it..
Look, you have my full cooperation, and if you want, one Sunday morning, calmly, post one and we'll start looking at its composition and decomposition.
But certainly nothing "digestible", given that each character in the ASCII table is linked to a function (either a string or a single character) by the program that generates these files for the ECU, and only with difficulty may something come out of it.
Or perhaps it is less complicated than we think..
thank you very much tranky, but are you saying that it would be nearly impossible for me to learn to read the ASCII??
in the meantime, though, I'll post a small reminder so that even the less experienced can understand what we're talking about.
The constitution and operating logic of electronic control units (ECUs)
I want to try to tackle a very theoretical topic of little practical use, which can help many of us understand the operating logic and constitution of the love/hate electronic control units (ECUs) that we face daily in diagnosing and repairing vehicles and in reprogramming them.
My knowledge and skills in this area are rather basic: I am not an expert and I hope those with more experience can correct me.
Treated in depth, the topic would take a very theoretical and abstract turn, and fundamentally you don't need it if all you do is remaps; the situation is different when reprogramming certain parameters of the micro rather than the EPROM, so I will try to be as simple as possible, summarising the information I have, in order to understand the reasoning of a control unit.
What is an ECU?
Whatever it is for, from the engine to the parking sensors, from the first ones that appeared only for injection up to those of the latest generation, electronic control units are mainly made up of 5 physical parts:
-Power supply:
Includes the positive and the negative coming in from the power source, which in cars is the battery. The control unit has devices that stabilise the voltage levels, generate other voltages such as the 5V for the sensors, and filter the ground potential, which is isolated from external noise (ignition systems, spurious radio frequencies, electromagnetic interference, etc..)
-Inputs (I):
A control unit must have inputs for receiving information from the outside, whether they are "communications" (e.g. CAN) or signals coming from the sensors; at the physical level the inputs must consist of devices that read the electrical signals and transform them into digital information.
-Outputs (O):
The outputs convert the digital control signals into power to operate the actuators and/or send information.
-Microprocessor:
It is the operational heart of everything: it processes the information coming from the inputs, accesses the memory and the operating program, and controls the outputs.
-Memory or EPROMs:
It is the home where the information is "crammed": the famous maps and the instructions the processor needs to manage everything.
"Stupid" microprocessors
The microprocessor is "stupid": it has no ability to reason, only to execute instructions one at a time; a set of instructions that make sense and perform a job for the processor is called a Program, for example:
- Read the information of a sensor;
- Access the right memory;
- Compare it with the stored parameters;
- Check the plausibility of the value;
- Manage a possible output command.
A set of instructions like this can be a real "program", which is what interests us.
The special feature of a microprocessor is the speed with which it executes the individual instructions; a speed that can reach even a billion operations per second!
How is the information managed?
The processor of any control unit, being an electronic component, can only reason with electrical signals: hence the need to convert all signals into suitable ones.
The question of conversion is the basis of my discussion: information undergoes many transformations by the time it reaches the control unit, and for now we leave it at that; the complexity lies in following them all.
Bits, Bytes, hex and ASCII
All these names represent the "formats" and languages used by control units (and PCs) to process data, but let's start from the basics.
The bits:
The only thing an electronic component knows how to do is recognize voltages (like a multimeter), hence the need to turn everything into electrical signals, where a low voltage, almost zero, is recognized as a "0", while a higher voltage (for example 5V) is recognized as a "1"; these two states are the bits, the letters of the electronic alphabet.
By making all the combinations of 1s and 0s we can create an alphabet, and then words or instructions; for example 00000001 means "start of text". You have to consider that a processor does not need as many words as a human being, only instructions to execute.
8 consecutive bits make up a Byte.
HEX CODE:
To simplify the work of the programs and of whoever manages this swarm of 1s and 0s, another language was created that simplifies everything: the "hexadecimal language" or "HEX", a base-16 system that transforms byte data into a shorter code; for example 00111111 can be written 1F (translated, it means separator, or No. 31).
It seems difficult, but in the end it is just a different way of representing the same information; in HEX code the letters (A B C D E F) also appear. Usually in ECUs and PCs this code (HEX) is used to represent memory addresses, i.e. the address from which to take or where to write the information; this need arises from the fact that a processor needs to know where to look for the data it needs, otherwise it cannot find it.
ASCII CODE
ASCII code is a further code that transforms Bytes into letters or sentences so that we human beings can understand something, both when programming and when interfacing, for example in diagnosis (P0300 means misfire).
To sum it up:
the management programs are written in ASCII code, the addresses in HEX code, and everything is translated by the program itself into Bytes (8 bits), the only language the processor can understand; on the practical side, if we use an oscilloscope to observe what passes on the pins of the processor, we see electrical signals similar to square waves that represent the bits 1 and 0:
If, however, we work with programs, for example remapping ones, and we look for something in the memories, we use addresses in HEX.
If we do diagnosis or programming we use the ASCII code, and thinking about it you understand why there are so many languages: bits are unreadable, HEX is complex and used in remaps only by "expert eyes", while ASCII code is for all workers, so to speak; it's a bit like reading Japanese, translating it into English and then into Italian.
In short, the control unit, through specific electrical signals (instructions) stored in the memory, operates with other electrical signals by enabling or not enabling the outputs, all at an unimaginable speed and without making any errors; the errors, if there are any, were made by those who wrote the programs.
For the unit to work, it must have the right supplies, the right input signals, and it must operate correctly, always speaking of voltages, currents and reaction times, while inside, the memories must contain the programs and the processor must control everything.
Clearly the more complex the control unit is and the more operations it has to manage, the harder it is for us to analyze, but with the basic knowledge described we can tackle any kind, from a power window to an EDC17, clearly with the proper proportions.
Remapping, in the strict sense of the word, is varying some "engine" parameters stored in the memory and taken as a reference by the processor; they occupy a small part of the whole program, along with the anti-tampering protections.
I hope I have not created confusion; I tried to sum up everything and make it as simple as possible to help understand the operating logic of a control unit, so as to have fewer doubts; on the other hand, for good or ill these units exist and there is nothing to be done about it, except to make friends with them and improve our work.
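The reminder above explains bits, hex and ASCII as three views of the same bytes, and the thread keeps coming back to "the ASCII you see in the hex dump". The script below is an added example (not from the post or from any ECU tool) that makes that concrete: a hexdump with an ASCII column, and a `strings`-style scanner that reports where printable runs sit, which is the first thing to do with an unknown EPROM image before opening a disassembler. The input bytes are constructed for the example; the digit strings are made up and are not a real part number or software number.

```python
from __future__ import annotations

# Constructed sample standing in for a few bytes of an ECU memory dump. It mixes
# 16-bit big-endian numbers (0, 500, 1000, 2000) with made-up ASCII identifiers
# and some loose bytes. Not taken from any real ECU file.
SAMPLE = (
    b"\x00\x00\x01\xf4\x03\xe8\x07\xd0"
    + b"0261208045\x00"          # made-up identifier, NUL-terminated
    + b"\x1f\x3f\xff\x05"        # loose bytes: 0x1F (control), '?' (0x3F), 0xFF, 0x05
    + b"1037379341\x00"          # second made-up identifier
)

def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return hexdump lines: offset, bytes in hex, and the ASCII view.
    Bytes outside printable ASCII (0x20..0x7E) show as '.', which is why
    identifiers jump out of a dump while calibration numbers do not."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        asc_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part:<{width * 3 - 1}}  {asc_part}")
    return lines

def find_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Find runs of printable ASCII of at least min_len bytes, like the Unix
    `strings` tool. Returns (offset, text); the offset is what you then look up
    in the disassembler to see which code references the string."""
    found: list[tuple[int, str]] = []
    start = None
    for i, b in enumerate(data + b"\x00"):      # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    for off, text in find_strings(SAMPLE):
        print(f"string at 0x{off:X}: {text!r}")
```

The threshold in `find_strings` matters: with `min_len=1` the lone `?` at offset 0x14 would be reported too, which is the usual noise you get when random data happens to land in the printable range.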
I quote in full what you have shown.
You couldn't have been clearer.
Munro, given your preparation, I think it will take you less to interpret the EPROM code than it takes me to make meaningful maps.
News
I did a search on the tool side to see if there are any disassemblers (not decompilers) and I saw that there are.
Now the unknown is knowing and understanding which architecture (x86, ARM, or whatever) these files are built for, the response of the ECU's processor, and the type of memory used.
I don't know if I can post links just for viewing; I take responsibility before the admin for any complaint, but only to make clear what is described, in the hope that it is not interpreted as spam (they are not part of the site's staff).
very interesting tranky; I seem to have understood that there is software able to decompile a file directly from a hex or bin to ASCII; it seems to me it's called IDA Pro or something like that... I have to say that I was stuck above all on not knowing about file compilation/decompilation, otherwise I wouldn't have opened a thread tranky...
I hope to learn, because as you rightly said, knowing how to do this you really have the electronics in hand.
look at the ME7.1 disassembler; there are 3 interesting video tutorials, all in English however, a bit hard for me to follow..
No worries, I'm gathering the information needed to search for suitable software or for the type of decoding to be done on the ECU.
I'll tell you in advance that, if there are tools and specific scripts have to be written, 90% of the time you need to move to Linux (and I know what a pain that is for those who have never touched it).
Anyway nothing is impossible; the convenience of using Linux lies in the compilers we can rely on to run a conversion script with multiple variables and features, with debugging for any troubleshooting of the code you've written, to maybe improve or correct it.
Tomorrow I'll have more time to spend; now I have to go out with the baby and miles of family (what a drag)...
Good!
but it is only for the Bosch ME7.5
I watched the tutorial and there may also be ones for the rest of the Bosch group.. in the video, in the selection view, the list starts from the letter I, so I assume so, but I'm not sure.
This evening I can look better, now I have to get away from the relatives (the snakes).
Have a good evening
Hey you two..... I'm looking in from the window for now. The hunger to know is great..... but why didn't I listen to my mother and study these things 20 years ago, when I had the time and inclination, instead of attending the third-age university in evening classes on this forum.
Hello Errecinque, come away from the window, it's cold!
You don't need a degree for these things.
I've worked since I was 16 and I don't even have a diploma.
Just clear ideas and the desire and time to learn, and given your preparation I guarantee you'll be a guru in a very short time.
Later on I'll start and post the results, starting from the flash file and seeing what comes out
Later
Here I am with updates..
Today I dug through the network to find software suitable for the purpose of the topic started by munro, and I did about twenty software installations which, for the most part, turned out to be more or less useless for the purpose.
In the end, among the various tools, the best and most functional, besides WinHex, which is partly what we're looking for but is highly crap, is IDA Pro, which I downloaded and fired up.
The flash file has the offsets that interact in the control unit, and I show you some output:
seg000:001D60C0 dd 8000800h, 0E8038403h, 0D007DC05h, 0B80BC409h, 0A00FAC0Dh
seg000:001D60C0 dd 0F4010000h, 0DC05E803h, 0C409D007h, 0AC0DB80Bh, 20h dup(0)
seg000:001D6164 dd 8000800h, 84035203h, 0DC05E803h, 0C409D007h, 0AC0DB80Bh
seg000:001D6164 dd 0E803F401h, 0D007DC05h, 0B80BC409h, 0A00FAC0Dh, 20h dup(0)
seg000:001D6208 dd 8000800h, 84035203h, 0DC05E803h, 0C409D007h, 0AC0DB80Bh
This is a very UNIX-like way of processing memories, so now we have to run a few tests on other memories.
Please post a complete backup that has not been "virginised" (blanked) and let's see if the extrapolation yields any sense.
Out of my ignorance I have to ask: do you have the chance to post a backup of the instrument cluster, or is the info processed only by the ECU, with the cluster being only the interpreter and "arm" of the ECU's functions?
Out of curiosity, if it were feasible we could change the ENTIRE dashboard display, personalising it (sorry, I got carried away!)
I look forward to your feedback and to the backup to be put under the press!
The programming of the flash file is in Alllesmbly; with the files of the other memories we can understand the relationship, if any, between functions and variables, in order to define the functions, which will be expressed with some variables, but together we'll definitely manage..
Guys, post something of any brand, as long as it is all the memories
Alllesmbly = Assembly (typing error.. sorry)
https://it.wikipedia.org/wiki/Assembly
A big mess, but nothing impossible!
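The IDA listing posted above is worth a closer look before worrying about instructions at all, because those `dd` values are data, not code. The script below is an added example, not from the post: it takes the dword values exactly as IDA printed them and rereads the same bytes as big-endian 16-bit words. Two assumptions are made and flagged in the code: that IDA was using its default little-endian x86 module (which is what the later remark about "386" and "8086" in the processor list suggests), and that the region has the layout "two 16-bit counts, axis A, axis B, A*B data words". That layout is an inference from the numbers themselves: it gives exactly 0xA4 bytes per block, which is the spacing between 1D60C0, 1D6164 and 1D6208 in the listing. Whether the axes are rpm, load or something else is not established by the thread.

```python
import struct

# The dword values transcribed from the listing in the post; "20h dup(0)" after
# each axis pair is 32 zero dwords. Only these numbers come from the post.
BLOCK_1D60C0 = [0x08000800, 0xE8038403, 0xD007DC05, 0xB80BC409, 0xA00FAC0D,
                0xF4010000, 0xDC05E803, 0xC409D007, 0xAC0DB80B] + [0] * 0x20
BLOCK_1D6164 = [0x08000800, 0x84035203, 0xDC05E803, 0xC409D007, 0xAC0DB80B,
                0xE803F401, 0xD007DC05, 0xB80BC409, 0xA00FAC0D] + [0] * 0x20

def listing_to_bytes(dwords):
    """Recover the raw bytes behind IDA 'dd' values.
    Assumption: IDA's default little-endian x86 module was in use, so each
    printed dword is the little-endian reading of 4 consecutive bytes."""
    return b"".join(struct.pack("<I", d) for d in dwords)

def words_be(raw):
    """Reread the same bytes as big-endian 16-bit words (PowerPC byte order)."""
    n = len(raw) // 2
    return list(struct.unpack(f">{n}H", raw[:2 * n]))

def monotonic_runs(words, min_len=6):
    """Heuristic axis finder: strictly increasing runs of at least min_len words.
    Calibration axes are stored sorted, so such runs are a cheap way to spot
    tables in an unknown image. It is noisy: here the first run also swallows
    the trailing header word, which is why the structural check below matters."""
    runs, start = [], 0
    for i in range(1, len(words) + 1):
        if i == len(words) or words[i] <= words[i - 1]:
            if i - start >= min_len:
                runs.append((start, words[start:i]))
            start = i
    return runs

def parse_map_block(raw):
    """Hypothesised layout (inferred from the 0xA4 spacing, not from Bosch docs):
    u16 count A, u16 count B, axis A[A], axis B[B], then A*B data words.
    Which axis is rows and which is columns is arbitrary here."""
    n_a, n_b = struct.unpack(">HH", raw[:4])
    w = words_be(raw[4:])
    axis_a, axis_b = w[:n_a], w[n_a:n_a + n_b]
    body = w[n_a + n_b:n_a + n_b + n_a * n_b]
    if len(body) != n_a * n_b:
        raise ValueError("block is shorter than its header claims")
    for ax in (axis_a, axis_b):
        if any(y <= x for x, y in zip(ax, ax[1:])):
            raise ValueError("axis not strictly increasing; layout guess is wrong")
    return {
        "axis_a": axis_a,
        "axis_b": axis_b,
        "data": [body[r * n_b:(r + 1) * n_b] for r in range(n_a)],
        "size": 4 + 2 * (n_a + n_b + n_a * n_b),
    }

if __name__ == "__main__":
    for name, dwords in (("1D60C0", BLOCK_1D60C0), ("1D6164", BLOCK_1D6164)):
        m = parse_map_block(listing_to_bytes(dwords))
        print(name, "axis A:", m["axis_a"])
        print(name, "axis B:", m["axis_b"], "block size: 0x%X" % m["size"])
```

Both blocks decode to two eight-point ascending axes followed by 64 data words that are all zero in this listing. The endianness is the point to take away: a raw binary loaded with the wrong processor module will show sensible calibration data as garbage, and the reverse rereading is the quickest test of which byte order the target really uses.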
mamma mia, what a mess.... do you understand anything? what do you need, the file of a microprocessor or the whole ECU backup, i.e. the contents of the EPROM, E2P and micro?
That "mess" you see is only the functions being sent to it. In the main memory there should be identifications of these codes.
Since here everything is correlated, if you can send me a full backup of any kind of control unit it would be better, so that:
I read the central memory and see the IDs and their identification in the main memory
I read the other memories and see what recalls which functions, comparing the memories.
I'll come back to the cluster question as soon as I have 2 minutes? I didn't understand whether it has a memory of its own or carries out functions related to the ECU, but I think it has some memory of its own from what I gather... but I could be wrong.
then, guy, can I post you the complete backup of an EDC16C39 from an Alfa 159 MJet 150cv, so we stay in context with your ECU; if you want I can also post something simpler to start with, because I believe the EDC16 is very complex to take apart... let's say this operation we want to try is excellent in the case of older ECUs, for which there is no damos or the operating logic is not well understood...
as for the instrument panel.. Tranky, I couldn't tell you; in principle I'm into engine tuning and repair; on these subjects (cluster, ABS, dashboards, etc.) I rely on my electrician partners...
I can try to ask him on Monday so I can tell you how it works; however, I believe the cluster works in both of the ways you described... i.e. it has both an internal memory and also receives instructions from outside, see the tachometer or the odometer signal...
Thanks for the "guy", but I'd have to be young for that.
Let's try this, and if I can understand something we move on to one where the EPROM can be loaded to test it.
Munro, I sent you a PM, reply as described as soon as you can.
I viewed the 3 files and they all have that offset. Now I have to define the function of all the offsets and catalogue them, compare them and understand the references.
Give me time and I'll post the results as I work.
I'll try to define them in C++ on Linux and see if I can find the function in its variables.
Has anyone worked with Meucci and knows whether a few operations of that kind are defined or not?
Tranky, I congratulate you on your courage in the face of this daring challenge (or, if you know something about programming, congratulations again); long ago I tried to use some software like OllyDbg or W32Dasm on some exe I didn't have the serial for, and after the first few approaches I thought "I'll grow old here" and let it go; like errecinque I'm following too, and I also read that IDA Pro seems the most suitable for what you want to try to do; that said, good luck and I hope you succeed in the intent
Thanks sisco,
I am not a programmer, also because 99% of programmers are sold out, crazy, mediocre and opportunists.
On the contrary, I am sociable, friendly and above all a THROMBUS.. you won't see one like that even in 3D (ghgh).
Jokes apart, thanks for the encouragement; it seems like nothing, but I appreciate it more than many fake smiles.
I'll update as soon as I have news, but very slowly this week due to onsite work (at a customer) setting up the network.
I downloaded and tried the Telephone, and it does the "virginising" of the e2p file.. as soon as I have time I'll run it in debug and see which offsets it processes, at least to start cataloguing them, given that there are an infinite number...
I'll update as soon as I get my hands on the backup shared by munro
Among the many things in this period I'm trying to get to a solution for this topic.
The latest news I have is that the MPC56xx processor is the same (PPC) as in mobile devices.
I attach a document that explains the very complex form of the exercises aimed at performing a "hello world" as a function of its flags (the flags are the operations a processor can run in the programming language used, and each language has its own compatible flags.. let's say...).
Such a processor, set to work on the bin file posted by munro, will be used to allocate operations to different memory areas which, in the processing phase, create a "function".
I'm trying to extract such functions so they can be reprogrammed, but it is a "blood bath", not having clear tables, which are set by mother Bosch.
I stagger but do not give up!
here's the file mentioned above..
I was able to view the processor operations for each ID of the file (tested on flash file and e2p), but the objects are encrypted as usual and do not define what that function does.
(blasphem.. swearwo.. ****)
Tomorrow I'll post the result and we'll see if, with more minds on it, we can understand better.
great tranky.... there are things that unfortunately I can't do because of my mechanical background, let's say..
but thanks to you we can perhaps understand more of every single ecu > micro > eprom...
you're great..
No worries munro
You think about doing what you have to do first.
Let's hope that between my skills and yours on the ECU we manage to unravel the skein and program the ECU without brakes (not the wheels, otherwise it's a crash test).
Have a good evening
in practice, correct me if I'm wrong tranky, the only thing missing in hacking the micro now is the source code??
To put it plainly, for these units I don't know whether the process code is encrypted (with the source encrypted) or only compiled, and it has to be determined with what..
In the first case the XYZ story mentioned above comes back into force, while in the second it is only a matter of defining an interpreter, using it to convert and understand..
Tomorrow at work I'll be parked on my backside with no chores, so I'll fiddle with it some more and update.
I read in the document you posted that the programming language used is C
now, however, we don't know whether Bosch or Fiat adopted it; I'd say yes, but who better than you can find out..
To find out I need a Linux cross-compiler and a PC!
As soon as I finish with the notebook I'll install it dual-boot and see if I can decompile in C, or else tomorrow it'll be VMware.. See you tomorrow
Hello,
here is the news of the day (we're like twins of Il Messaggero, every day the chronicle of the day):
Here I post a brief description of the processing of Assembly code at processor level.
regarding the intent of integrating new features, I'd say we're not very far from it; at this point we should have a test ECU + car and make some rip-offs of the code for functions defined in the test ECU and see if they integrate. What I don't know is whether it compromises the size of the file to be rewritten; we'll only know by trying.
Here is the document on the assembly (partial of course, since in total this would be a thousand pages)
If anyone has had the opportunity to read the code as described and has any advice, they're welcome.
Remember that changing the ECU's operating system is an implementation of the native system comparable to a custom Android smartphone onto which we install, for example, CyanogenMod: the same functionality with something more than stock (as long as it works and doesn't lock the ECU, but nothing a BDM can't work around with the ORI file)
Next update (work in progress)
ah, I forgot to say one thing..
notice in the image that the code processing is divided into 2 types of processor:
- 386, which would be the standard 32-bit x86 processor
- 8086, which would be a very old range of processors (late 80s, early 90s)
I would say the ECU's components are also diversified by 2 types of processors..
I presume, but I haven't verified it in the online documentation on the ECU's components.
byebye
No, excuse a little OT, but you're riding these things (and I saw how many pages the attached doc has; I saved it and put it aside for retirement) and you get tangled up on a BP that even a donkey like me understands? You're right... you THROMBUS, too.... end of OT
AHAHAHAHHAHA
I adore you friend.
then tranky... we're almost there I think... in the jpg you posted (which is really hard to see) I seem to see the functions in the ECU code; now, in my opinion, a last step is missing to extract from that pile of meaningless letters and numbers something readable...
in practice, we see this
sub_FFA60:
FFA60 mov r4, word_8E40
FFA64 mov r9, word_BE80
FFA68 cmp r9, r4
FFA6A jmpr cc_ULE, loc_FFA7C
FFA6C mov r4, word_F87A
FFA70 mov r9, word_BE82
FFA74 cmp r4, r9
FFA76 jmpr cc_ULE, loc_FFA7C
FFA78 movb byte_8DAC, ZEROS
FFA7C
FFA7C loc_FFA7C:
FFA7C
FFA7C extp #0E1h, #1
FFA80 mov r4, 0CFF2h
FFA84 jnb r4.2, loc_FFA9A
FFA88 jnb word_FD48.9, loc_FFA94
FFA8C extp #0E1h, #1
FFA90 mov 0CFF2h, ZEROS
FFA94
FFA94 loc_FFA94:
FFA94 movb rl4, byte_8AF3
FFA98 rets
FFA9A ; ---------------------------------------------------------------------------
FFA9A
FFA9A loc_FFA9A:
FFA9A extp #0E1h, #1
FFA9E mov r4, 0CFF0h
FFAA2 mov r9, word_BE7E
FFAA6 cmp r9, r4
FFAA8 jmpr cc_ULE, loc_FFABE
FFAAA movb byte_8DAC, CC2IC
FFAAE addb rl4, #1
FFAB0 extp #0E1h, #1
FFAB4 movb 0CFF0h, rl4
FFAB8 movb rl4, byte_8AF3
FFABC rets
FFABE ; ---------------------------------------------------------------------------
FFABE
FFABE loc_FFABE:
FFABE jb word_FD48.9, loc_FFACE
FFAC2 extp #0E1h, #2
FFAC6 mov 0CFF0h, ZEROS
FFACA mov 0CFF2h, ONES
FFACE
FFACE loc_FFACE:
FFACE movb rl4, byte_8AF3
FFAD2 rets
FFAD2 ; End of function sub_FFA60
but to understand the whole thing and implement the new features we should see this
void function_8FFA60()
{
    // Anti-Lag
    if (vehicleSpeed < ThresholdSpeed && engineRpm > ThresholdRpm)
    {
        closingTime = 0; // Interrupt ignition
    }
    // No-Lift-Shift
    if (! noLiftShift_active)
    {
        // NoLiftShift is inactive
        if (cond_clutchPressed)
        {
            noLiftShift_active = TRUE;
        }
    }
    else
    {
        // NoLiftShift is active
        if (counter_NoLiftShift < ThresholdCounter)
        {
            closingTime = 0; // Interrupt ignition
            counter_NoLiftShift++;
        }
        else
        {
            if (! cond_clutchPressed)
            {
                counter_NoLiftShift = 0;
                noLiftShift_active = FALSE;
            }
        }
    }
}

void function_antilag_noliftshift()
{
    // Anti-Lag
    if (B_kuppl && vfil_w < SpeedThreshold && nmot_w > LaunchRPM)
    {
        tsrldyn = 0; // Interrupt ignition
        return;
    }
    // No-Lift-Shift
    if (B_kuppl)
    {
        if (! B_brems && nmot_w > RPMThreshold && wped > AccPedalThreshold)
        {
            // NoLiftShift is active
            if (counter_NoLiftShift < IgnitionCutDuration)
            {
                tsrldyn = 0; // Interrupt ignition
                counter_NoLiftShift++;
            }
        }
        else
        {
            // Other conditions not true, don't allow ignition interruption
            // until the clutch is released and pressed again
            counter_NoLiftShift = 0xFFFF;
        }
    }
    else
    {
        // Clutch released -> re-arm NLS
        counter_NoLiftShift = 0;
    }
}
here, my friend, you come back into the game on how to do this...
P.S.: erre is right, you screw around less if you understand these things; the BP and various little things are a smoked cigarette.
Where did you produce that output?
As for the screwing, talk to my wife, I have no say.. the woman holds the "joystick" of command!
ok then TunerPro.. now we begin to understand the direction to take, even if I haven't understood how it works with the xdf file..
I learn I learn I learn...
work in progress!
darn... I forgot.. the xdf files are drivers like those of the ECM, but created by the user in TunerPro itself; in practice, I think the software has a disassembly function directly from the hex file, through which you can create your own drivers, or xdf, based on the same file. Once this is done, in TunerPro you first load the ori file of the EPROM to change and then the xdf settings file made from that same ori file; once everything is loaded there are two drop-down menus in the software and it shows all the maps in the xdf
it's an easy thing to say but very hard to do; I tried, since TunerPro is open-source software, but I gave up because in my opinion it is more a thing for programmers who know hexadecimal code and know how to do calculations in hexadecimal.
obtaining these files is not difficult; there's stuff around, only that, being created by unknown users, their trustworthiness leaves a bit to be desired.
Well, you can always compare with the ECM or WinOLS whether the IDs correspond, approximately, and in 2D to verify the bp pre-map.
I'm trying but I can't find a damn thing.. the STI people and the sultan's sons are tight-fisted, and on the site they have nothing on the 156 for the backup you posted..
Today I asked a programmer at my company to have a look at that file, and I got a whole lecture about the code; if he had just said he wasn't able to, he would have cut a better figure..
Studies are ongoing with my fine middle-school diploma, a slap in the face of those who bury themselves in books to become brain-dead.
I'll update as soon as I have news; I'm currently testing 4 other conversion tools on the MPC56xx, waiting for something I can actually see...
Update.
I switched to Linux to do the conversion and compilation procedure, but.. all the variables are undefined and not visible.. so at this point let's skip the cursing.
The file is partially decompiled, but without that famous factor XYZ we won't see a damn thing..
Let's wait for news; if the bait is taken, it will first be published in intact form for decompilation.
So far, then: Bosch 1 - tuner 0 (damn!)
Hi guys, here I am again... sorry everyone for my prolonged absence from the forum, but lately I've been having several health issues that don't allow me to follow everything as I would like...
However, the project of hacking a control unit proceeds, even if at a slow pace...
I wanted to share with you the recent developments in my study of the matter, and to bring here, for anyone interested in the topic, an important page that I fished out of the network, to which I have added and/or deleted some parts.
I hope the author of this write-up will forgive me for the "copying".
So in this post I want to report my experiences and studies about vehicle electronics and car "hacking".
Warning: I have found that the information generally available on this topic on the internet is pretty poor and not very clear. While I'm trying to do my best in checking, errors may be present.
Feel free to add your comments and/or criticisms.
This is going to be a long-term project, so this page will be improved over time... and you know, cars are complex, always complex.
The electronics in cars are really sophisticated, and the current cars on the market have dozens of control units for managing devices, sensors, etc.
This premise is a must for what I'm trying to do, so here is a reminder of the various components and features of the systems involved in this study.
ECU: Electronic Control Unit. We all know what they are, but our knowledge of them is really superficial, because we are limited to understanding only a small part of these complex units.
Those who don't know should know that these ECUs (or at least from a certain period onwards, and we'll see more later) "speak" on local vehicle networks, similar to a common computer on a LAN, but based on different protocols.
Engine Control Units (ECU) were the first to be connected to the vehicle network, soon followed by other units (generic electronic control units).
In order to reduce the amount of signal wiring among the many electrical components of a modern car, communication protocols, digital interfaces and digital electronics were introduced between the electrical devices, connected to one another exactly like computers on a network, with a communication infrastructure.
The most important ECU is the engine control unit,
such as BOSCH (example: EDC16), MAGNETI MARELLI (example: 95160), SAGEM (example: 95080), SIEMENS (example: TMS374), etc...
Communication standards: a terrible headache
There are many standards that define the protocols, management, self-diagnosis and intercommunication of electronic control units.
Here is an incomplete list, and probably a wrong one too.
SAE and ISO are the most common standards bodies and documents, but there are many others.
SAE is the Society of Automotive Engineers.
SAE defines the communication standards used in on-road and off-road land vehicles. In this scheme, 3 classes of communication devices are described:
Class A: up to 10 Kbit/s, multi-purpose, asynchronous, used for non-real-time (keep this phrase in mind, because my project was born exactly from here, but I'll explain later) intelligent sensors and the reduction of cables in the car, as we said.
Class B: in the range 10 Kbit/s up to 125 Kbit/s, used for inter-module data transfer and control, not in real time. SAE J1850 is a Class B protocol, currently used for low-cost connectivity between nodes such as instrumentation and diagnostic devices.
Class C: critical, high-speed, real-time communications between devices. For these needs high-speed CAN is currently used (up to 1 Mbit/s), but there are faster alternatives, such as FlexRay (up to 10 Mbit/s, first implemented in the BMW X6 in 2008, for example).
SAE J1850 describes two different protocols: a single-wire low-speed VPW (Variable Pulse Width) protocol running at 10.4 Kbit/s, and a faster two-wire differential PWM (Pulse Width Modulation) protocol running at 41.6 Kbit/s. This is not CAN, nor is it compatible with CAN.
VPW is classically used by General Motors (GM) vehicles.
PWM is typically used by Ford vehicles.
ISO 9141-2 is not a signaling protocol but a diagnostic interface to verify the functionality of the components of the vehicle. It is a serial interface that operates at 9.6 Kbit/s. It is often available on the OBD-2 connector.
ISO 11992 is a CAN bus used in trucks for communication between the tractor and the trailer.
SAE J1939 is a set of specifications built on an underlying CAN infrastructure, working with 29-bit CAN identifiers and usually with a bit rate of 250 kbit/s. It is normally used for trucks and industrial vehicles. It is a prerequisite for the FMS system (see below) to work. Other information on J1939 can be found on Wikipedia; also, according to Wikipedia, SAE J1939 replaces SAE J1708 and SAE J1587.
Here is a list of automotive data buses.
Vehicle networks
In reality there are many networks in a vehicle, possibly based on different standards, with different criticality, different protocols and different communication speeds. Currently these networks are converging on the CAN standard, but there are many others. Since CAN is now the de-facto standard for vehicle networking, it is sometimes also identified as the BSI (the vehicle's data bus).
Despite its popularity, the CAN bus is not the only network within a modern vehicle, and in a single vehicle there are usually several networks (multiple CAN networks and non-CAN networks).
CAN stands for Controller Area Network. It was originally developed by Bosch, starting in 1983. CAN is used in many automation environments, not only in the automotive industry.
In a CAN bus all communicating devices are connected to the same two wires, labeled CAN-High and CAN-Low. All devices must use the bus at the same speed. At each end the two wires are connected with a 120 ohm termination resistor.
It is not necessary to have a common ground signal between the communicating devices. The maximum bus length depends on the operating speed; at 1 Mb/s it is about 40 meters. The speeds of on-board vehicle networks are usually below 500 kbit/s (and that is as if in one second we could write or read half of a 1 MB map, to give an idea, which is very interesting for what we want to achieve). For the high-speed bus, vehicles often adopt twisted-pair cables.
In a normal situation the two wires carry a signal at two levels, perfectly mirrored: when one is high the other is low.
The different logic values of the signals can be read, and here each signal has a swing of about 1 V. A full CAN packet transfer is visible. The overall time of the packet transfer is about 200 ms (320-120).
This is only a part; later on I will post more on the matter.
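The two-wire signaling described in this post (mirrored CAN-High/CAN-Low levels read as a difference, and a bus length limited by the bit rate), as an added Python example that is not code from the original post: it decodes dominant/recessive bits from constructed CAN_H/CAN_L voltage samples, shows that a disturbance applied equally to both wires leaves the decoded bits unchanged, and checks whether a bus length fits a bit rate. The receiver thresholds (0.5 V / 0.9 V), the 5 ns/m propagation delay and the 87.5% sample point are assumptions taken from ISO 11898-2 and the usual CiA bit-timing advice, not figures from the post.

```python
"""Decode CAN bit levels from CAN_H / CAN_L voltage samples.

Added example, not part of the original post. Nominal levels follow the
ISO 11898-2 figures quoted in the thread (recessive: both wires about
2.5 V; dominant: CAN_H about 3.5 V, CAN_L about 1.5 V). The receiver
thresholds, the 5 ns/m propagation delay and the default sample point
are assumptions taken from ISO 11898-2 and the CiA bit-timing advice.
"""
from typing import List, Optional, Tuple

Sample = Tuple[float, float]      # (CAN_H volts, CAN_L volts), one per bit time

RECESSIVE_MAX_DIFF = 0.5          # V: Vdiff at or below this reads as recessive
DOMINANT_MIN_DIFF = 0.9           # V: Vdiff at or above this reads as dominant
PROP_DELAY_NS_PER_M = 5.0         # nominal propagation delay of the twisted pair
COMMON_MODE_RANGE = (-2.0, 7.0)   # V: window a transceiver tolerates on either wire


def differential(v_h: float, v_l: float) -> float:
    """The receiver looks only at CAN_H minus CAN_L, never at one wire alone."""
    return v_h - v_l


def classify(v_h: float, v_l: float) -> Optional[str]:
    """Return 'dominant', 'recessive', or None inside the hysteresis band.

    Raises ValueError if either wire leaves the common-mode window, which a
    real transceiver would not decode reliably.
    """
    lo, hi = COMMON_MODE_RANGE
    if not (lo <= v_h <= hi and lo <= v_l <= hi):
        raise ValueError(f"wire voltage outside common-mode range: {(v_h, v_l)}")
    d = differential(v_h, v_l)
    if d >= DOMINANT_MIN_DIFF:
        return "dominant"
    if d <= RECESSIVE_MAX_DIFF:
        return "recessive"
    return None


def decode_bits(samples: List[Sample]) -> List[int]:
    """Map one sample per bit time to logic bits: dominant = 0, recessive = 1.

    A sample in the undefined band keeps the previously decoded level
    (receiver hysteresis). The bus idles recessive, so the initial level is 1.
    """
    bits: List[int] = []
    level = 1
    for v_h, v_l in samples:
        state = classify(v_h, v_l)
        if state == "dominant":
            level = 0
        elif state == "recessive":
            level = 1
        bits.append(level)
    return bits


def with_common_mode(samples: List[Sample], offset: float) -> List[Sample]:
    """Add the same disturbance to both wires, as noise coupled into a twisted
    pair does; the differential, and therefore the decoded bits, is unchanged."""
    return [(v_h + offset, v_l + offset) for v_h, v_l in samples]


def bus_length_ok(bitrate_bps: float, length_m: float,
                  sample_point: float = 0.875) -> bool:
    """Simplified length check: a dominant level must reach the farthest node
    and its effect come back before the same bit is sampled. Transceiver and
    controller delays are ignored, so real limits are somewhat shorter."""
    bit_time_ns = 1e9 / bitrate_bps
    round_trip_ns = 2.0 * length_m * PROP_DELAY_NS_PER_M
    return round_trip_ns <= sample_point * bit_time_ns


# Constructed samples (not a capture): a dominant start-of-frame bit, then
# 1 0 1 1, with a little ripple on the wires that the receiver must tolerate.
SAMPLES: List[Sample] = [(3.5, 1.5), (2.5, 2.5), (3.4, 1.6), (2.6, 2.4), (2.5, 2.5)]

if __name__ == "__main__":
    print("clean          :", decode_bits(SAMPLES))
    print("+1.5 V on both :", decode_bits(with_common_mode(SAMPLES, 1.5)))
    for rate, length in [(1_000_000, 40), (1_000_000, 100), (500_000, 100), (10_000, 6000)]:
        verdict = "ok" if bus_length_ok(rate, length) else "too long"
        print(f"{length:>5} m at {rate / 1000:g} kbit/s -> {verdict}")
```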
Welcome back Munro, I hope it's nothing too serious; we were just asking about you with the other user. So much the better.
Hello r, thank you for everything; unfortunately, I repeat, the problems I have don't allow me to follow everything as I would like, but I hope to recover as soon as possible...
Here is more info about the CAN line, since basically my idea is to be able to reprogram various ECUs not through the classic OBD port but by equipping the PC with the reprogramming tool, properly configured to follow in real time both the work and the ECU, that is micro, RAM and flash, and accordingly to implement pieces of code for recalibrating it. Unfortunately, as you can see below, it is feasible but particularly difficult because, precisely, each data frame on the CAN bus has an identifier code and a priority, and it is processed from time to time as it passes through the various nodes on the CAN.
The CAN protocol
There are currently two main versions of the CAN protocol:
standard CAN 2.0 with 11-bit identifiers
extended CAN 2.0B with 29-bit identifiers
CAN is defined in ISO 11519 and ISO 11898.
ISO 11898-2 defines high-speed CAN up to 1 Mbit/s
ISO 11898-2 high-speed
ISO 11898-2 is the physical-layer standard used for CAN networks. It describes the functions of the bus access unit (implemented as a high-speed CAN transceiver), as well as some features of the medium-dependent interface.
In this standard the data rate is defined up to 1 Mbit/s, with a theoretically possible bus length of 40 m at 1 Mbit/s. The high-speed standard specifies a two-wire differential bus for which the number of nodes is limited by the electrical bus load. The characteristic line impedance is 120 ohms; the common-mode voltage ranges from -2 V on CAN_L to +7 V on CAN_H. The nominal specific propagation delay of the two-wire bus line is specified at 5 ns/m. All of these figures are only valid for a transfer speed of 1 Mbit/s and a maximum network length of 40 m.
To get physical compatibility, all the nodes in the network must use the same or a similar bit timing. For automotive applications SAE published the specifications in SAE J2284. For non-automotive, industrial and other applications, the system designer can use the CiA 102 recommendation. This specification defines the bit timing for rates from 10 kbit/s to 1 Mbit/s. It also provides recommendations for the bus lines and for the connectors and pin assignment.
ISO 11898-3 (aka ISO 11519-2) defines fault-tolerant (and lower speed) CAN up to 125 Kbit/s
ISO 11898-3 fault-tolerant
An alternative form of the bus interface and of the arrangement of the bus lines is specified in ISO 11898-3 (fault-tolerant CAN). This standard is mainly used for body electronics in the automotive industry. Since this specification is based on the premise of short lines, the problem of signal reflection is not as important as for long bus lines. This makes the use of an open bus line possible.
This means that a lower-power bus driver can be used for networks with very low power consumption, and the bus topology is not limited to a linear structure. It is possible to transmit data asymmetrically over just one bus line in case of electrical failure of one of the bus lines.
ISO 11898-3 defines data transfer speeds of up to 125 kbit/s; the maximum bus length depends on the data transmission speed used and on the load. Up to 32 nodes per network are specified. The common-mode voltage ranges between -2 V and +7 V. The power supply is defined at 5 V.
Transceiver chips that support this standard are available from several companies. Fault-tolerant transceivers support full error management, including the detection of bus errors and automatic switching to asymmetric signal transmission.
Voltage levels, ISO 11898-2 (CAN high speed)
Signal      Recessive state            Dominant state
            min    nominal   max       min    nominal   max
CAN-High    2.0    2.5       3.0       2.75   3.5       4.5    Volts
CAN-Low     2.0    2.5       3.0       0.5    1.5       2.25   Volts
Note that in the recessive state the nominal voltage for the two wires is the same. This decreases the power consumed by the nodes through the termination resistors. These resistors are 120 ohm and are located at each end of the wires. Some people have played with placing termination resistors in the middle (i.e. somewhere along the bus). This is not recommended, because this configuration will not prevent reflection problems.
Voltage levels, ISO 11519 (CAN low speed)
Signal      Recessive state            Dominant state
            min    nominal   max       min    nominal   max
CAN-High    1.6    1.75      1.9       3.85   4.0       5.0    Volts
CAN-Low     3.1    3.25      3.4       0      1.0       1.15   Volts
ISO 11519 does not require termination resistors. They are not necessary because the limited bit rates (maximum 125 kb/s) make the bus insensitive to reflections. The voltage level on the CAN bus is recessive when the bus is idle.
Bus lengths
The maximum bus length of a CAN network depends on the bit rate used. It is necessary that the wave front of the bit signal has time to travel to the most remote node and back before the bit is sampled. This means that if the bus length is near the maximum for the bit rate used, you should choose the sampling point with the utmost care - on the other hand, you should always do that!
Below is a table of the different bus lengths and the corresponding maximum transmission speed.
Bus length (m)    Maximum bit rate
40                1 Mbit/s
100               500 kbit/s
200               250 kbit/s
500               125 kbit/s
6 km              10 kbit/s
Cables
According to the ISO 11898 standard, the cable impedance must be 120 +/- 12 ohms. It must be twisted pair, shielded or unshielded. Work is in progress on the single-wire CAN standard SAE J2411.
CAN frames
Here is some information on the CAN data frame.
Standard and extended frames are shown, and the different length of the address field can be seen.
CAN reliability
CAN communication buses are generally very reliable and rather insensitive to external noise (since outside interference affects both wires similarly, the difference between the voltages remains unchanged) and to the single failure of a control unit. Devices can often also work in the case of the bus being badly connected or with a bad cable (a cable shorted to ground or Vcc). There is no need for a common ground, which increases the robustness. This reliability is among the properties that have made it the current standard in difficult environments, with a wide range of temperatures and very diverse environmental situations.
CAN detection
Since there are many wires, it is not easy to locate the right ones.
0. CAN signals are usually not present if the key is not turned on to power the dashboard. (Normally it is not necessary for the engine to be running.)
1. The CAN wires are usually twisted together.
2. Checking CAN signal presence without using an oscilloscope: a simple test to see if the bus works properly is to use a multimeter and measure the voltage between the two wires. In "perfect" situations, if the bus is active and working it will show a stable 2.5 V or 0.5 V (in the absence of signal changes), or a quick alternation between 0.5 and 2.5 V. If it does not work, it will be 0 V, as one of the CAN controllers on the network is pulling the bus low (known as Bus Off).
3. Working with a two-channel oscilloscope and using the subtract function between the two signals CAN-H and CAN-L, you should get a constant (because the two signals have opposite phases). The oscilloscope can also help to detect the speed of the CAN bus signals. (Add details here.)
4. An indirect indicator of presence could be the test for correct termination. The proper termination of a CAN bus can easily be tested with a multimeter: when the bus is not in use, a resistance of 60 ohm should be measured between the two cables (two 120 ohm terminators in parallel at the ends give a global resistance of 120/2 = 60 ohms).
5. As a useful detection tool, check the Würth CANfinder device.
6. CAN signals might not be present where they should be (that is, on the OBD2 connector) if a correct setting is not performed on the gateway device.
Right on the gateway I would like to pause, just because this "CAN bus port" is the object of study, as it seems to be present on different cars. In reality there are interfaces specifically developed, with a lot of software, that already allow putting a PC on-line on the CAN, making it another node or module like the ECU, because if you think about it the ECU behaves a bit like a PC with a hard disk (flash EPROM). Moreover, as we shall see, there is a variety of other hardware that can interface to the CAN network.
Interfacing with CAN
In terms of circuits, each device connecting to the CAN bus usually interfaces via a CAN controller, which accesses the bus via a CAN line driver (actually a transceiver).
The controller can actually talk to the device in some way (for example via a serial RS232 interface). Many manufacturers produce CAN line driver integrated circuits, for example Dallas Semiconductor/MAXIM MAX13050, Microchip MCP2551, Philips PCA82C250 or Philips/NXP TJA1054.
Proper bus termination must be present at each end of the bus to dampen the reflection of electrical signals (echoes). It is also important to minimize the length of the connection between the bus and the transceiver of each connected device (to minimize echo side effects).
Modules are collections of ECUs
In a vehicle, a module usually identifies a collection of two or more electronic control units.
Engine control is the first and most critical, and the corresponding control units are the most complex. The Engine Control Unit (ECU) is supported by the Transmission Control Unit (TCU), and the two are sometimes referred to as the Powertrain Control Module (PCM). The Transmission Control Unit, among other things, takes care of gear shifting.
The electronic control units for the body electrical loads are often referred to as a whole with the term body control module, or BCM.
Different networks
The different criticality of the signaling between the electronic devices of the vehicle has created a push to isolate the networks of the different modules, for safety needs, but also because different equipment interfaces run at different speeds.
These different networks are grouped into 3 main classes:
Body frame, which requires speeds of up to 10 Kbps (electric windows, doors, etc.) [as an example of BCM see subsequent references to the Peugeot BSI, Built-in System Interface]
Dashboard instrumentation, which requires speeds in the range 50-125 Kbps (instrumentation, air conditioning, etc.)
Engine and transmission, requiring high speed (up to 1 Mbps)
Some of these vehicle networks can also be non-CAN. There are other standards used in vehicle networks, such as LIN (used for low-cost, low-speed, non-critical uses; see also here), FlexRay (used for high-speed, critical needs, in a BMW SUV) and MOST (Media Oriented Systems Transport) for multimedia and infotainment.
Bus separation
Engine control, the airbag subsystem, braking, speed control and ABS are the most safety-critical systems; they require high speed, and so they are usually kept separate from the less critical systems.
The separation between the different buses can allow much more capacity for recovery of the critical systems in case a non-critical control unit fails (the car engine still starts if you have a problem in the CD player or in the cabin lights).
Gateways between different networks
In most vehicles there are many CAN networks operating at different speeds, and there are gateways that allow data transfer between the various buses.
The presence of these gateways allows filtered transfer of information, together with any change of speed. A gateway can act as a firewall by only allowing the propagation of specific packets. Gateways are actually electronic devices connected to multiple buses, and may be programmed to allow packet filtering.
There is a specific interesting standard called Pass-Through, SAE J2534-1, which is designed to allow a sort of common protocol (!! vendor and brand independent !!) to cross between the gateway buses (CAN or not). This standard must be supported on all vehicles produced after 2004. The pass-through specification is aimed at reprogramming and re-flashing the individual electronic control units, but also allows reading and writing I/O and defining periodic messages. There is also a set of defined APIs (application program interfaces) through which the dialog can be implemented.
"This SAE Recommended Practice provides the framework to allow reprogramming software applications from every vehicle manufacturer the flexibility to work with multiple vehicle data link interface tools from multiple tool suppliers. This system enables each vehicle manufacturer to control the programming sequence for the electronic control units (ECUs) in their vehicles, but allows a single set of programming hardware and vehicle interface to be used to program modules for all vehicle manufacturers. This document does not limit the hardware possibilities for the connection between the PC used for the software application and the tool (for example RS-232, RS-485, USB, Ethernet...). Tool suppliers are free to choose the hardware interface appropriate for their tool. The objective of this document is to ensure that the reprogramming software from any vehicle manufacturer is compatible with hardware supplied by any tool manufacturer. The U.S. Environmental Protection Agency (EPA) and the California Air Resources Board (ARB) have proposed requirements for the reprogramming of vehicles from all manufacturers by the aftermarket repair industry. This document is intended to meet those proposed requirements for model year 2004 vehicles. Additional requirements for model year 2005 may require a revision of this document, in particular the inclusion of SAE J1939 for some heavy-duty vehicles. This document will be reviewed for possible revision after those regulations are finalized and the requirements are better understood. Possible revisions include specific SAE J1939 software and an alternative vehicle connector, but it is expected that the basic hardware of an SAE J2534 interface device will remain unchanged."
This device is in fact a firewall, with sophisticated filtering of packet content and the ability to rewrite.
Here is a document that describes a device of this kind fitted in a Volkswagen Golf.
The role of the Gateway (also known as the J533 data bus diagnostic interface) is the exchange of data between the CAN data bus systems ('powertrain CAN data bus', 'convenience CAN data bus' and 'infotainment CAN data bus') and the conversion of diagnostic data from the CAN data bus systems to the K-wire and vice versa, so that the data can be used for vehicle diagnosis, information systems and testing, with tools such as the dealer VAS and VAG-COM/VCDS.
For various reasons, including energy consumption problems with a third-generation head unit or the addition of new, unsupported modules, the CAN bus gateway must be upgraded to a new version. This guide covers the replacement of the CAN bus gateway in a 2005 MY06 Volkswagen Golf GTI. The update replaces the 1K0 907 530 E (1K0907530E) with a 1K0 907 530 AA (1K0907530AA).
This gateway in Volkswagen terms is called the "J533 data bus diagnostic interface". It is used in many car models from this manufacturer. I found an Audi technical document (Audi A5 owners group site, Audi_A5_-_Networking_en_2.pdf) that describes 4 different versions of this gateway component (the differences are in terms of interfaces) for different car models. It is connected to many different buses (different CANs, LIN, MOST). The document states that "transport mode" can be activated on request. I believe that this transport mode could allow the flow of information between the different bus routes through the gateway itself (which in this mode acts a bit like a router).
Let's talk a bit about the OBD port, or serial port, that allows reprogramming the parameters in the ECU (not all of them; it depends, but this is another topic), since that is the one that concerns us all.
The reason for this extensive post, for which I apologise a little, I repeat, is the implementation of new functions without physically engaging that port. Let's see how it works.
OBD: On-Board Diagnostics
Due to the progressive spread of electronic devices in the vehicle sector, diagnostic procedures have also begun to rely on querying these different pieces of electronics, for troubleshooting and for tuning parameters.
The On-Board Diagnostics (OBD) standards define how these diagnoses can be performed. Each control unit has a series of diagnostic trouble codes (DTC) that can help identify its status or any faults.
The actual diagnosis is performed by a technician connecting an inspection device to a specific plug inside the vehicle and running the analysis.
In many vehicles, the OBD connector (currently usually compliant with the OBD-2 standards) is within easy reach of the driving seat and allows access to at least one of the vehicle's CAN buses.
Over the years many different versions of the OBD standard have appeared, and the current one is labeled OBD-2 or OBD-II, which uses a 16-pin (2x8) female connector (SAE J1962) on the vehicle. Specific gateway configurations may be needed in order to make the traffic of specific electronic units available (filtering) on the OBD-2 CAN interface. Also, depending on the manufacturer and model, the availability of the CAN bus on the OBD-2 connector may require a specific configuration elsewhere (perhaps jumpers in the switch panel).
Being present in many vehicles, the OBD-2 connector usually allows access to many diagnostic signals. Sometimes more than one CAN bus is made available on the connector, on a different pinout.
Some "rules" about the OBD-2 connector
If pins 5, 6, 14, 16 are connected, pins 6 and 14 are CAN-HI/LOW (ISO 15765-4 / SAE J2284), while pin 5 is ground and pin 16 is 12 Vdc.
If pins 5, 7, 16 and optionally 15 are connected, the connector supports access to ISO 9141-2 (aka KWP): pin 5 is ground, pin 16 is 12 Vdc, pin 7 is the ISO data (aka ISO K-line), and optionally pin 15, which is the older ISO 9141-2 (aka ISO L-line).
If pins 2, 5, 16 are connected, the connector supports access to VPW J1850: pin 5 is ground, pin 16 is 12 Vdc and pin 2 is VPW data.
If pins 2, 5, 10, 16 are connected, the connector supports access to PWM J1850: pin 5 is ground, pin 16 is 12 Vdc and pins 2 and 10 are PWM data.
Connector pins 1, 3, 8, 9, 11, 12, 13 (if connected) are used differently by different vehicle manufacturers, and the OBD-2 standard does not define their role.
Pin | SAE J1979, ISO 15031 | GM | Fiat | Opel | Saab | Isuzu | GM-FI (from 5/2002)
1 | Manufacturer discretion | second UART | ABS, brakes, K-Line | reserved | Saab Instruments (+) | SIR (GM8192 Prot.) | SW-LS-CAN (33kb) or DW-FT-CAN (+) (<125KB)
2 | J1850 (+) PWM/VPW | J1850 (+) VPW | DW-FT-CAN (+) | n/a | n/a | n/a | n/a
3 | Manufacturer discretion | Comfort | Airbag | K-Line, K2, TCM, sunroof, CDL, Multi-Timer | n/a | ABS (KW81-Prot.) | MS-CAN (+) (95kb)
4 | chassis ground | chassis ground | chassis ground | chassis ground | chassis ground | chassis ground | chassis ground
5 | signal ground | signal ground | signal ground | signal ground | signal ground | signal ground | signal ground
6 | ISO 15765 HS-CAN (+) | PCM | ISO 15765 HS-CAN (+) | Blinkcode | Blinkcode | TCM | ISO 15765 HS-CAN (+) (500kB)
7 | ISO 9141 K-Line | n/a | ISO 9141 K-Line (engine) | K-Line, K1 (engine) | K-Line, K1 (engine) | K-Line, K1 (engine) | n/a
8 | Manufacturer discretion | CCM | n/a | K-Line K4 | K-Line (Saab 9000/1, KW81/82 Prot.) | n/a | reserved
9 | Manufacturer discretion | first UART, body ECU | reserved | Saab Instruments (-) | ECM/TCM (GM8192 Prot.) | DW-FT-CAN (-) (<125KB)
10 | J1850 (-) PWM | n/a | DW-FT-CAN (-) | n/a | n/a | n/a | n/a
11 | Manufacturer discretion | EVA controller (burglar alarm system) | reserved memory slots | L-Line | SIR | MS-CAN (-) (95kb)
12 | Manufacturer discretion | ABS, engine compartment | K-Line, K3, ABS, TC, steering, RTD, OW | n/a | ABS | K-Line (KW82 Prot.)
13 | Manufacturer discretion | SIR, luggage compartment f. | reserved | K-Line K5 | n/a | ECM | reserved
14 | ISO 15765 HS-CAN (-) | E&C | ISO 15765 HS-CAN (-) | reserved | n/a | n/a | ISO 15765 HS-CAN (-) (500kB)
15 | ISO 9141 L-Line | n/a | n/a | n/a | n/a | n/a | n/a
16 | Battery, switched | Battery, switched | Battery, switched | Battery, switched | Battery, switched | Battery, switched | Battery, switched
Access to the CAN bus in the car
When the CAN bus is not available on the OBD2 plug, or it is not possible to connect on the serial port, or if the gateway does not "publish" the signals on the OBD2 port, you may still have the chance to connect to the bus itself or to its wireless interface.
But a disclaimer is needed:
In most cases car manufacturers do not disclose the specifications of their diagnostic systems, and there are no simple approaches that are consistent between the different brands. Even if you are able to access the CAN signals, it will not be an easy task to decode and understand the meaning of the data packets. Here is a guide (prepared by the British company Racelogic) to finding the right cables in a variety of vehicles. Devices such as the above-mentioned Würth CANfinder can also be useful.
An unshielded two-wire line (1) and (2) with a cross-section of 0.35 mm² or 0.5 mm² is used for the CAN bus wiring.
The color codes of the CAN bus wiring are:
Powertrain CAN high wire: orange/black
Convenience CAN high wire: orange/green
Infotainment CAN high wire: orange/purple
CAN low wire (all): orange/brown
On a FIAT Punto diesel, we found a CAN signal in the connector behind the radio. The CAN wires in this car are pink-black and white-pink.
The following link describes a project to interface a car's CAN bus to a Wi-Fi network:
Here is a picture of a Peugeot BSI.
CAN access in trucks
In particular for trucks there is another standard, to have uniform access to the vehicle data, targeted at the needs of monitoring devices.
http://www.fms-standard*****/
This FMS (Fleet Management System) standard is very important to allow access to truck-specific information such as the speedometer and odometer, which are required to be read by other devices to check the driver's activity (digital tachographs). FMS requires an SAE J1939 (CAN 29-bit, 250 kbit/s) standard underneath.
For European digital tachographs, check http://www.dtco.vdo*****
In order to be FMS-compatible, manufacturers of commercial vehicles implement a specific gateway control unit that reads the required information from all locations and through all the required standards, while respecting the brand-specific internal vehicle protocols, and makes all this information available through a specific CAN bus to which the tachograph device is connected.
In this way, an FMS-compatible digital tachograph device can easily be connected to any FMS-compatible truck.
Different connecting cables
(This section needs work and is partially superseded by what I have written in the section of the connector the OBD-2)
A number of different cables ready exists to access the diagnostics for the car, usually through the above mentioned connector ODB-2
here is a list of their names, but they are far from understanding their differences
SAE J1850 (can be a double differential wire of 41.6 Kbit / s PWM-pulse Width Modulation, or 10.4 Kbit / s VPW Singlewire Pulse-Width -Variable). see this Intel document.
SAE J2534 (this is a protocol PWM used in Ford, Lincoln, Mercury, Mazda vehicles)
K-LINE and L-LINE (ISO 9141-2) (to explain: I need to study)
ISO 14230-4 (also known as KWP)
PWM can
HS-CAN (ISO 15765)
VAG-COM is not a cable but a product from Ross-Tech. It is a Windows software diagnostic for Volkswagen / Audi. Some cables to use with this software are labeled VAG-COM
ELM 32x are integrated circuits, (here is elm327 description), sold by elmelectronics***** based on Microchip Technology Inc . Devices first. These chip ELM act as decoders ODB2 generic, and are able to identify and decode many different signals available on the plug ODB2, and provides an RS232 connection to a PC. Many diagnostic software PC are capable of interfacing with the car electronics via an adapter, ELM base, like this
Arduino, and CAN
It is possible to interface an Arduino 2009 board with the CAN bus by means of a specific piece of code.
You can use the SkPang Arduino CAN-Bus Shield to connect to an Audi A6 (2003); it is able (using the sample application provided) to read the correct RPM (revolutions per minute) data from the engine using a polling mechanism.
This shield uses an MCP2515 CAN controller and an MCP2551 CAN line driver.
OBDuino
It is a project, launched in 2009, to use an Arduino, as was customary, to interface with the car's CAN bus and build a
MPGuino
Teltonika FM4200
It is a device specifically designed to interface with the FMS CAN interface of a truck.
It uses an NXP LPC2368 microcontroller, which is (incidentally) the same MCU used by the mbed project. Here is some information about the microcontroller, which includes a CAN controller (but not a CAN transceiver). The FM4200 circuit uses a Texas Instruments SN65HVD234D 3.3 V CAN transceiver.
CAN bus data reverse engineering:
General references and links
The CAN dictionary contains a definition of most of the acronyms and abbreviations.
Bosch CAN 2.0 specification.
CAN analytics providers, and equipment
http://www.vector-group.net
http://www.kvaser*****
http://www.lawicel*****/
http://www.peak-system*****/
CAN bus in motion
Of course, even bikes use electronics with digital protocols.
And here too, being able to hack the CAN bus and, with it, the ECU has tremendous applications, not only for real-time mapping but for a whole series of systems built into modern motorcycles,
such as traction control, drive-by-wire, etc. Any development on these systems would tailor the bike to you, and of course not only this, like a dress: you just have to have imagination. Below I put a very well-known piece of software that I am using in my free time to study CAN bus logic.
Software
Summary: at first glance it would seem impossible to succeed in the aim, but this inability is not normally due to physical reasons. Each ECU manufacturer uses its own set of rules and codes for the data packets on its vehicle networks. This information and these data formats are not easily available, and there are shared rules followed by different manufacturers.
The FM4200 that I mentioned before, for example, is designed to be able to decode FMS CAN, which is a representation format for the data accepted as standard and shared by all industrial vehicles (trucks). The objective is to allow interconnection of the tachometer with the vehicle's instrument panel.
Tachometers are devices that in many countries must be installed on trucks to monitor driver behavior and work activities. Since there are many rev-counter devices, built and installed by suppliers certified in many countries, a standard was necessary, and so FMS was born. Non-professional access to the speedometer's data connection is generally prohibited.
Through reverse engineering techniques on the car's data bus, mostly based on trial and error and/or leaked information, it is theoretically possible to map some of the data packets to their meaning. Generally only a read-only approach is safe. But problems may arise when maintenance of the vehicle's software is done, as the meaning of the data packets may change, and producers today are not required to disclose these details openly.
Write access to the transmission and engine bus is considered critical and is usually explicitly prohibited or strongly discouraged, even if we all know that if we had to obey every veto imposed by whichever bureaucrat's turn it is, we would maybe still be in the stone age.
Sure, it would be great if all the data were understandable and accessible, but there are important security implications if irresponsible people tamper with these things. Vehicle security, insurance cover and road safety may be affected.
I hope I have not bored anyone with this lengthy treatise on the subject, and I recommend:
Always study, learn and understand before you "play" with this stuff.
And if you want, share your findings responsibly.
Munro
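The FMS / SAE J1939 part of the treatise above can be illustrated with a small read-only decoder. This is an added example written for this page, not code from the thread or from any of the products named in it; it assumes the standard J1939 identifier layout and the EEC1 message (PGN 61444, engine speed as SPN 190), and every frame in it is constructed sample data.

```python
# Added example, not from the forum thread: decode the SAE J1939 29-bit CAN
# identifier that FMS is built on, and read engine speed (SPN 190) from an
# EEC1 frame (PGN 61444). All frames below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

EEC1_PGN = 61444  # 0xF004, Electronic Engine Controller 1 (in the FMS set)

@dataclass(frozen=True)
class J1939Id:
    priority: int
    pgn: int
    source_address: int
    destination: Optional[int]  # set only for PDU1 (addressed) messages

def parse_j1939_id(can_id: int) -> J1939Id:
    """Split a 29-bit extended CAN identifier into its J1939 fields."""
    if not 0 <= can_id <= 0x1FFFFFFF:
        raise ValueError("not a 29-bit CAN identifier")
    priority = (can_id >> 26) & 0x7
    edp = (can_id >> 25) & 0x1          # extended data page
    dp = (can_id >> 24) & 0x1           # data page
    pdu_format = (can_id >> 16) & 0xFF
    pdu_specific = (can_id >> 8) & 0xFF
    source = can_id & 0xFF
    if pdu_format < 240:
        # PDU1: PS is a destination address and is not part of the PGN
        pgn = (edp << 17) | (dp << 16) | (pdu_format << 8)
        return J1939Id(priority, pgn, source, pdu_specific)
    # PDU2: broadcast; PS is the group extension and belongs to the PGN
    pgn = (edp << 17) | (dp << 16) | (pdu_format << 8) | pdu_specific
    return J1939Id(priority, pgn, source, None)

def engine_speed_rpm(data: bytes) -> Optional[float]:
    """SPN 190 from an EEC1 payload: bytes 4-5, little-endian, 0.125 rpm/bit.
    Raw values above 0xFAFF are J1939 error / 'not available' codes -> None."""
    if len(data) != 8:
        raise ValueError("EEC1 payload must be 8 bytes")
    raw = int.from_bytes(data[3:5], "little")
    return None if raw > 0xFAFF else raw * 0.125

def decode_frame(can_id: int, data: bytes) -> dict:
    """Read-only decode of one frame; unknown PGNs are reported, not guessed."""
    ident = parse_j1939_id(can_id)
    out = {"pgn": ident.pgn, "sa": ident.source_address}
    if ident.pgn == EEC1_PGN:
        out["engine_rpm"] = engine_speed_rpm(data)
    return out

# Constructed sample: EEC1 broadcast from the engine (SA 0) at 800 rpm
SAMPLE_ID, SAMPLE_DATA = 0x0CF00400, bytes.fromhex("FFFFFF0019FFFFFF")
```

Running `decode_frame(SAMPLE_ID, SAMPLE_DATA)` yields the PGN, the source address and 800.0 rpm; a payload of all 0xFF bytes reports the speed as not available instead of a bogus number.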
Nice work, thanks, and best wishes for your health.
Great work! You don't know what a pleasure it is to read you here on the forum! Welcome back and best wishes for everything!
Thanks you guys for everything
Partially true what you say, but if you program, and I assume you do given the way I speak to you, you know that a reverse with decompilation done for the native architecture returns the native code.
Then if it is C++, in addition to the variables defined by the manufacturer, you can interpret the rules (rules/instructions) and the changed logic.
So is it impossible? I can't say, I've done worse.. ;) but definitely a lot of work, and you have to have good computing power to do the revert of the code.
I don't want to curb anyone's hopes, but what you want to do is almost impossible, and those who look into it a bit can confirm it.
In the meantime, don't dwell on what is in the EEPROM, but on what is in the flash: in the EEPROM there are only data variables, while in the flash there is the true operating system of the ECU, which would be the one to disassemble and interpret.
Some clarifications are needed: each type of ECU has a micro with a different architecture; in the case of the EDC16C39 there is a Motorola with the ARM architecture.
When designers create an ECU, they write the program it has to run in a high-level language (C++ or similar), then compile it using the tools available from the same companies that make the microcontrollers, turning it into a binary file which is loaded either directly into the microcontroller's memory or into an external memory.
A binary or hex file can in no way, and with no software, be returned to the original source listing; it can only be disassembled with the same tools used to compile it, obtaining a file in machine language or assembly, but of course without variable names and other information.
In essence, I can't read the contents of an ECU; I can disassemble it, but the assembly file I get is almost useless, as I just get pages and pages of source code written in machine language without names or notes, which is, humanly speaking, impossible to interpret.
If I want to actually create something, I need the original sources of the ECU, not written in machine language but in a high-level language that is more humanly interpretable.
I agree with what tranky said, that is, once you manage to decompile all the code that is in the micro or in the RAM, in theory it would be possible to go back to the memory locations of the various routines and sub-routines that the same code runs in the "machine". Of course, no one here said it is something easy to do in two minutes, but there are people who are already doing it right now; they have not only hacked the source code without "the key" to read the listing, but have been able to implement strings of code to be executed as new instructions by the "machine". So what I say is: if other people have succeeded, why can't we..
Exactly, tranky: by reversing the machine code with assembly, or with a C or C++ program that decompiles it, you get the source code.. it's a bit of a dog chasing its tail, if we want to put it that way.. sure, then it's difficult to understand all the instruction set in the various locations with all the diagrams of the routines and sub-routines, and that's the catch..
Let's say that with IDA Pro, once you have identified the exact micro to feed it, the decompilation is rather simple; the difficult part is afterwards, figuring out the rest..
Hello guys, long time no see, isn't that true?
I could not help but read your very interesting conversation..
I want to steer you in the right way, then:
All of the microcontrollers developed by Freescale with Motorola, which are:
MPC533: 32-bit Microcontrollers
MPC534: 32-bit Microcontrollers
MPC535: 32-bit Microcontrollers
MPC555: 32-bit Microcontrollers
MPC561: 32-bit Microcontrollers
MPC562: 32-bit Microcontrollers
MPC563: 32-bit Microcontrollers
MPC564: 32-bit Microcontrollers
MPC565: 32 Bit Microcontroller
are programmed with a development software called CodeWarrior that includes an optimizing C and C++ compiler (of course it needs external libraries, therefore the two Borland compilers must be installed).
The optimizing compiler makes the work easy, since the complex Motorola 32-bit assembly is converted into a simple multi-paradigm language.
I used this software about 2 years ago and I can say that something can be done, but it takes a lot of study.
Most of the data contained in the controller is there to manage the communication and I/O to the internal logic.
It is necessary to know the internal memory addresses and how they are managed, and for that you will need a user manual for the MPC5xx.
Of course, being a 32-bit processor, you cannot use the software on a 64-bit PC.
Hello Backgroup, the IDA Pro software that you are using does everything that you have written, on a PC from 32 to 64-bit, without the need for libraries or a user manual, as it supports many micros: just select the one that interests you, feed it the file to reverse, and the software returns the diagrams with the locations containing the routines and subroutines, both for the logic states and for the instruction set. The problem is that, as written by Matthew SR,
everything is translated into the language of ****th e top and, not having much familiarity with this, deciphering it all takes time and effort. Also, the version of IDA Pro that we use is not official and is missing several plugins; an official version with all the plugins for the software costs about 5000 euro... I would say that for us amateurs, at an amateur level with this stuff, it is definitely too much.
Sorry munro, I have the Pro version v6 5-2015, which seems to be complete, but I do not know how to handle this software very well. Do you have something more up to date?
version 6.8
I think there are a few differences: maybe the debugger is more up-to-date, the libraries are more "spacious", and there is some other implementation of micro / RAM support..
I forgot to write that in order to use the full potential of this software we would need at least a bachelor's degree in computer science..
So I think that here we are all "in the same boat"..