Unbricking 86/BRZ/FR-S ECU with SH Boot

[ztan]

Before you get too excited, this is not a solution. Just my progress down the path so far. Hopefully when the solution is reached, I can change this header.

This is for when your ECU is bricked and won't communicate over CAN for normal operation via OBD port.

Start by reading info on Tactrix site and NASIOC and make usb-ftdi serial circuit and oscillator to keep WDT happy.

Read SH72531 manual.

Software used: EcuFlash and Renesas Flash Development Tool (FDT)

Trace test points on bottom of ECU board to emulator pad points on front of ECU board and ECU pins - see attached pdf.

Attachments for our ECU:
P400 - MDA - Ground
P401 - TxD_A - RxD on FTDI
P404 - RxD_A - TxD on FTDI
P413 - PG7 - to 125-150Hz oscillator for WDT
P415 - Reset - Switch to ground to reset

Result: FTDI serial interface communicates wtih 72531 chip but within EcuFlash will not write, as full writable data not available. With FDT, says will erase User Boot MAT and User MAT on initialization, but requires ID Code to enter programming session.

Does anyone have copies of the full ROM that are not padded from 0000-8000? Would be happy to have a look at any version - please PM me. If anyone has clues on the ID Code to unlock this, please share how these may be generated.

EcuFlash Screendump:

Code:

[20:34:20.822] sending bit rate sync bytes...
[20:34:20.938] received bit rate adjust response
               sending boot command
[20:34:21.448] got boot response
[20:34:21.578] 1 supported device(s):
[20:34:21.578]    550d R5F72531D
[20:34:21.578] selecting device 550d
[20:34:21.819] 1 supported clock mode(s):
[20:34:21.819]    1
[20:34:21.819] selecting clock mode 1
[20:34:22.060] 2 supported clock type(s):
[20:34:22.060] 1 ratios for clock type 1
[20:34:22.060]    x8
[20:34:22.060] 1 ratios for clock type 2
[20:34:22.060]    x2
[20:34:22.181] 2 supported clock frequency range(s):
[20:34:22.181] 1 128000000-160000000
[20:34:22.181] 2 32000000-40000000
[20:34:22.301] 1 user boot MAT area(s):
[20:34:22.302] 1 00000000-00007fff
[20:34:22.422] 1 user MAT area(s):
[20:34:22.422] 1 00000000-0013ffff
[20:34:22.753] 26 erase block area(s):
[20:34:22.754] 1 00000000-00001fff
[20:34:22.754] 2 00002000-00003fff
[20:34:22.754] 3 00004000-00005fff
[20:34:22.754] 4 00006000-00007fff
[20:34:22.754] 5 00008000-00009fff
[20:34:22.754] 6 0000a000-0000bfff
[20:34:22.754] 7 0000c000-0000dfff
[20:34:22.754] 8 0000e000-0000ffff
[20:34:22.754] 9 00010000-0001ffff
[20:34:22.754] 10 00020000-0002ffff
[20:34:22.754] 11 00030000-0003ffff
[20:34:22.754] 12 00040000-0004ffff
[20:34:22.754] 13 00050000-0005ffff
[20:34:22.754] 14 00060000-0006ffff
[20:34:22.754] 15 00070000-0007ffff
[20:34:22.754] 16 00080000-0008ffff
[20:34:22.754] 17 00090000-0009ffff
[20:34:22.754] 18 000a0000-000bffff
[20:34:22.754] 19 000c0000-000dffff
[20:34:22.754] 20 000e0000-000fffff
[20:34:22.754] 21 00100000-0011ffff
[20:34:22.754] 22 00120000-0013ffff
[20:34:22.754] 23 80100000-80101fff
[20:34:22.754] 24 80102000-80103fff
[20:34:22.754] 25 80104000-80105fff
[20:34:22.755] 26 80106000-80107fff
[20:34:22.875] has data MAT area: 1
[20:34:22.995] 1 data MAT area(s):
[20:34:22.995] 1 80100000-80107fff
[20:34:23.116] programming unit is 256
[20:34:23.236] one MAT programming supported at 00000000
[20:34:23.236] setting baud rate to 62500
[20:34:23.488] there are more memory areas in this CPU that will be erased than the ROM file you have has data for. write process aborted.
[20:34:23.488] interface close

FDT screendump using Generic BOOT Device:

Code:

Flash Development Toolkit and flash programming components
are provided without support
OS: Windows Vista/Server 2008 [Non-Admin]
FDT API initialised: version 4, 09, 02, 000
Initiating BOOT SCI sequence
Attempting 9600
Attempting 4800
Received immediate response from device: 0xE6
Detected generic boot device
Requesting supported devices list...
List received - 1 selectable device(s)
    Device Code, Product Code: 550d,R5F72531D

Selecting Device - 550d
Device selected

List received - 1 selectable clock mode(s)
    Clock Mode: 0x01

Selecting Clock mode - 1
Clock mode selected

Requesting supported multiplication ratio list...
List received - 2 types of multiplication ratio(s)
 Multiplication Ratio type 2:
    Multiplication Ratio = 8

 Multiplication Ratio type 1:
    Multiplication Ratio = 2


Requesting supported operating frequencies list...
List received - 2 operating frequency range(s)
    Operating Frequency Range 0: 128.00 - 160.00 MHz
    Operating Frequency Range 1: 32.00 - 40.00 MHz

Requesting supported clock type list...
Requesting user ROM information...
List received - 1 user ROM area(s)
    User ROM Area 0: 0x00000000 - 0x0013FFFF

Requesting user-boot ROM information...
List received - 1 user-boot ROM area(s)
    User Boot ROM Area 0: 0x00000000 - 0x00007FFF

Requesting data mat existence information...
    Data mat existence received - 1

Requesting data area ROM information...
List received - 1 data ROM area(s)
    Data ROM Area 0: 0x80100000 - 0x80107FFF

Requesting erase block information...
List received - 26 erase block(s)
    Erase Block 00: 0x00000000 - 0x00001FFF
    Erase Block 01: 0x00002000 - 0x00003FFF
    Erase Block 02: 0x00004000 - 0x00005FFF
    Erase Block 03: 0x00006000 - 0x00007FFF
    Erase Block 04: 0x00008000 - 0x00009FFF
    Erase Block 05: 0x0000A000 - 0x0000BFFF
    Erase Block 06: 0x0000C000 - 0x0000DFFF
    Erase Block 07: 0x0000E000 - 0x0000FFFF
    Erase Block 08: 0x00010000 - 0x0001FFFF
    Erase Block 09: 0x00020000 - 0x0002FFFF
    Erase Block 10: 0x00030000 - 0x0003FFFF
    Erase Block 11: 0x00040000 - 0x0004FFFF
    Erase Block 12: 0x00050000 - 0x0005FFFF
    Erase Block 13: 0x00060000 - 0x0006FFFF
    Erase Block 14: 0x00070000 - 0x0007FFFF
    Erase Block 15: 0x00080000 - 0x0008FFFF
    Erase Block 16: 0x00090000 - 0x0009FFFF
    Erase Block 17: 0x000A0000 - 0x000BFFFF
    Erase Block 18: 0x000C0000 - 0x000DFFFF
    Erase Block 19: 0x000E0000 - 0x000FFFFF
    Erase Block 20: 0x00100000 - 0x0011FFFF
    Erase Block 21: 0x00120000 - 0x0013FFFF
    Erase Block 22: 0x80100000 - 0x80101FFF
    Erase Block 23: 0x80102000 - 0x80103FFF
    Erase Block 24: 0x80104000 - 0x80105FFF
    Erase Block 25: 0x80106000 - 0x80107FFF

Requesting line size information...
    Line size received - 256

Clock Frequency (External) = 20.0000MHz, CKM = 8, and CKP = 2
Changing baud rate to 38400 bps
Set baud rate value = 38400
Error No 16194: ID code check failure
Error No 16194: ID code check failure
Wizard cancelled - please click the 'Configure Flash Project' toolbar icon to initiate the project

[steve99]

Hi ztan

was talking to the tactrix guys a while back and they ran into same issue in that sh boot mode erases all areas and no one has copy on the boot areas, they were looking into modifing ecuflash to read those areas not sure how far they got.

Another thing i was looking at was using the MDA and MDB pins to force the ecu into boot mode or user boot mode(p75\76 renasis manual)

hopefully tactrix may then be able to erase\write to user rom area as i have notice ecuflash tries oem method then tries boot mode. you should be able to do this via normal odb interface with ecu back in car.

Im assuming ecu is bricked due bad user mat and the boot mat is ok.
and that the ecu goes off with the fairies due bad user mat code, it appears bumping it into boot mode via hardware strap may get arround this.

i have not got the pinout for the 72531 in front of me but i think Vcc was conviently located next to MDB pin so looping those should drop processor into boot mode on next powerup from cold.
The obd interface should still be active in boot mode (not sh boot mode) so hopefully after looping pins ecu back in car ecuflash may connect. ie your hardware straping processor into same mode, ecuflash was likely trying to get via software command

long shot but may work but assumes boot mat is good and has not been erased by entering SH boot mode via serial interface

[ztan]

***Update***

Before you try SH Boot blackmagic which may not work, try this from throttlehappy on RomRaider:

Quote:

They are self recovering.

I have restored every one thats been bricked in minutes

Disconnect power, tap brake pedal, reconnect power, flash in a stock ROM. Back in business

I've already used SHBoot on my ROM and overwritten my Boot MAT so I can't verify. However, after doing what throttlehappy recommended, my ECU can communicate with EcuFlash via OEM flash method, but has no normal CanBus communication available.

[steve99]

Thanks will try that next time i brick one.

However i am not sure that will work.

Assume the tap the brake pedal is just to bleed off any residual power.

I have worked with a coulple of guys remotly that have bricked ecu with tactrix and oft and have disconnected battery but still no joy communicating with ecu with tactrix or an oft.

tactrix says trying to comminicate with ecu failed , trying oem boot (mat) fai
ed comms, game over. Thn dealer has a go at it fails again , new ecu.

each time its been guys editing or flashing rom with incorrect definitions or editing the lc\ffs parameters on a rom without the patch.

This appears to result in corrupt ecu main mat code and ecu wont talk via can buss.

Ive had several failed flashes and been able to recover by reflashing without turning ignition off, ie due bad comms to ecu not writing a complete rom., i have not had any succcess recovering anyone who has written a complete but corrupt rom to the ecu.

But they have all been overseas and not able to try bumping the ecu into boot mode via hardware

[steve99]

Quote:

Originally Posted by ztan

***Update***

Before you try SH Boot blackmagic which may not work, try this from throttlehappy on RomRaider:



I've already used SHBoot on my ROM and overwritten my Boot MAT so I can't verify. However, after doing what throttlehappy recommended, my ECU can communicate with EcuFlash via OEM flash method, but has no normal CanBus communication available.

hopefully the tactrix guys will get arround to getting read\write support for boot mat area.

but then with your ecu the security will be a problem as a new ecu has already been coded in to security set i think.

[steve99]

http://documentation.renesas.com/doc...nsh7a840ae.pdf

appears to indicate you can read the user Boot rom mat

[ztan]

Quote:

Originally Posted by steve99

http://documentation.renesas.com/doc...nsh7a840ae.pdf

appears to indicate you can read the user Boot rom mat

You can, but you need to load a program into RAM and run it from RAM to read that area and then output it to a suitable interface. No direct reads available until after you have programmed it.

[steve99]

Quote:

Originally Posted by ztan

You can, but you need to load a program into RAM and run it from RAM to read that area and then output it to a suitable interface. No direct reads available until after you have programmed it.

i figured its not going to be easy as no one has done it yet not even the tactrix guys

[silviahrc]

Hi ZTAN,I need to ask your question

Will the P415 button

When you need to start this button?

now you can using FDT success Unlock?

ECUFlash can't?