Thursday, December 9, 2010

Preparation: Gather your tools and information

The obvious first step to hacking your car's ECU is to locate it, and remove it without damaging it.  This usually involves a Google search or just looking around your car, and then removing a few nuts, bolts and/or screws.  A flat head screwdriver helps to remove the wiring harness from the ECU.  It's probably prudent to ground yourself so you don't damage the ECU with static discharge, as well as disconnecting the car battery first.  (I usually don't do either, but don't say I didn't warn you).

Once the ECU is out of the car, you'll need to open it up.  At least in the case of the Civic, Integra and Miata, all you need is a Phillips screwdriver.  Most ECUs are pretty basic - a PCB enclosed in a metal box, with a large connector for the wiring harness.  You'll probably need to remove the PCB from the case in order to work on it.  If you have an anti-static mat (such as this one from Fry's http://www.frys.com/product/2807074), you might want to use it.  Take a look at the board.  Take pictures.  Pay special attention to the largest ICs.  Two of them are probably going to be the microprocessor and a memory chip.  If you're lucky, the part numbers will be easily readable.  If you're not so lucky, all you will have to go on is the package type and pin count.  Either way, you'll be going back to Google to find out all you can about these two components.

Auto manufacturers aren't in the business of making their own microcontrollers and custom memory ICs, so it's likely these will be commonly available parts, and it won't be hard to find information on them.  On the other hand, when you build thousands or millions of ECUs, you can probably afford to use some ASICs.  For example, in the CRX ECU (commonly referred to as the PM6), an 8051 microcontroller is used, along with a standard 27C256 EPROM.  However, the particular variant of 8051 implements a non-standard opcode - why, I don't know.  In addition, the PM6 has an important IC on it that you won't find a datasheet for anywhere.  That made some of the inner workings of the ECU a mystery, but a great deal could still be learned from disassembling the 8051 program on the EPROM.

Anyway, once you identify your ECU's microprocessor and memory, you'll want to look for the necessary software tools to disassemble the program.  But of course you need to access the program first, which for ECUs that are more than about 5-10 years old usually means physically removing the memory chip and reading it with an EPROM programmer.  You can probably reprogram most newer ECUs without even removing them from the car, but I'm talking about the older ones at the moment.

It's usually pretty easy to find an EPROM programmer that will be able to read the particular memory chip you have.  eBay is full of them.  I got one from mcumall.com that works well and was reasonably priced.  There may be even better deals out there.  The harder part is non-destructively removing the chip from the PCB.  For older ECUs, where the memory chips are through-hole mounted, a desoldering tool like this one works well (http://www.radioshack.com/product/index.jsp?productId=2062731).  In the Miata, however, the flash memory is a surface mount part.
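Before spending hours on disassembly, it is worth checking the dump itself: read the chip twice, make sure the two reads agree, and make sure the image is the right size and not just a bad read.  The script below is an added example, not code from the original post.  It assumes a 27C256 (32 KiB) read in full and, as a heuristic only, an 8051 image whose reset vector at 0x0000 is an LJMP; the sample image it builds is constructed, not real ECU firmware.

```python
"""Sanity-check an EPROM dump before spending time on disassembly.

Assumed: a 27C256 (32 KiB) read in full, and (heuristic) an 8051 image
whose reset vector at 0x0000 is an LJMP (opcode 0x02).
"""

EPROM_27C256_SIZE = 32 * 1024   # 27C256 = 256 Kbit = 32 KiB
LJMP_OPCODE = 0x02              # 8051 LJMP addr16
BLANK = 0xFF                    # erased EPROM cells read back as 1s


def check_dump(image: bytes, expected_size: int = EPROM_27C256_SIZE) -> dict:
    """Return findings about one read of the chip."""
    findings = {"size_ok": len(image) == expected_size}
    findings["blank_fraction"] = image.count(BLANK) / len(image) if image else 1.0
    # A dump that is all 0xFF (or all 0x00) is almost always a bad read
    # (wrong device selected, chip mis-seated), not an empty chip.
    findings["all_same"] = len(set(image)) <= 1
    # 8051 heuristic: the reset vector is an LJMP to the real entry point.
    findings["looks_like_8051"] = len(image) >= 3 and image[0] == LJMP_OPCODE
    if findings["looks_like_8051"]:
        target = (image[1] << 8) | image[2]          # big-endian addr16
        findings["entry_point"] = target
        findings["entry_in_range"] = target < len(image)
    findings["checksum16"] = sum(image) & 0xFFFF      # for comparing reads later
    return findings


def compare_reads(first: bytes, second: bytes) -> list:
    """Offsets where two reads of the same chip disagree.

    Re-seat the chip between reads; any difference means a flaky contact
    or a marginal cell, and the dump cannot be trusted yet.
    """
    n = max(len(first), len(second))
    return [i for i in range(n)
            if i >= len(first) or i >= len(second) or first[i] != second[i]]


def build_sample_image() -> bytes:
    """Constructed sample (not a real ECU image): LJMP 0x0100, filler, erased tail."""
    code = bytes([LJMP_OPCODE, 0x01, 0x00]) + b"\x00" * 0xFD   # pad to 0x0100
    code += bytes((i * 37) & 0xFF for i in range(0x4000))     # pseudo-code body
    return code + bytes([BLANK]) * (EPROM_27C256_SIZE - len(code))


if __name__ == "__main__":
    img = build_sample_image()
    print(check_dump(img))
    print(compare_reads(img, img[:-1] + b"\x00"))   # one bad byte at the end
```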

I have to admit that the idea of desoldering a surface mount part kind of scared me, but in fact it's actually easier than desoldering through-hole components!  Check out this video, for example:  (http://www.youtube.com/watch?v=FTQqjggeklo).  It really is that easy, and reattaching is a snap, too.  Still, you should practice a couple of times on similar components on scrap boards before you try it on the real thing.  And you will need a multimeter so you can verify that you don't have any open or short circuits after you're done.

In addition to a ChipQuik SMD removal kit, you'll need a good (i.e., temperature-controlled) soldering iron such as a Weller, with a screwdriver- or hoof-shaped tip, plenty of Q-tips and rubbing alcohol to clean off the PCB after the chip is removed, and of course solder to reattach the SMD.

Next time, I'll talk about what to do with the firmware image once it's been copied off the EPROM (and this applies to both newer and older ECUs):  how to disassemble it, and some strategies to consider when reverse-engineering the code.
