Thursday, July 6, 2017

I'm back!

Hi, Everyone,

It has been way too long since I've posted anything on this blog.  Too many other things going on.  However, a couple of weeks ago I made the mistake of trying to read the EEPROM on my ECU.  I don't mean the large flash (29F200), but the little L56R (sometimes it's a 93C56 - they are basically equivalent) next to the microcontroller.  This little guy holds immobilizer related information.

Sadly, I wasn't successful, and worse yet, when I reinstalled the ECU, my car wouldn't start!  I don't know if I damaged the ECU somehow, but my guess was that I had inadvertently modified the contents of the EEPROM and the immobilizer system wasn't happy about it.  When I say "immobilizer system" I mean the ECU + immobilizer, as they work together.

So what to do?  I figured that restoring the contents of the 93C56 was pretty much out of the question, since I had probably already scrambled it and I had no copy of the original data.  Plus I'd have to desolder it to reprogram it anyway, which I didn't feel like doing.

My only other option was to try to figure out how to bypass the immobilizer.  Long story short (and with the details intentionally omitted!), I was able to do this with just firmware mods (no hardware changes necessary, other than unplugging the immobilizer).  Yup, I can now start my car with no immobilizer.  Not the best solution security-wise, but it sure beats having to buy a new ECU/immobilizer/keys/etc.

Do you have an immobilizer issue?  Here are some things you can try:

  • If the ECU went bad and needs to be replaced, buy a used one of the same type, then swap out the little EEPROM with the one from the original ECU.  Yes, you will have to desolder/solder a small surface mount IC.  I highly recommend making a copy of the contents of this EEPROM while you're at it, just in case.  From the immobilizer's point of view, the entire "identity" of the ECU resides in that EEPROM, so as far as it's concerned, after the chip swap, the replacement ECU will look just like the original one.
  • If the ECU is good and the immobilizer needs to be replaced, this is a bit more involved.  First, buy a used (known good) immobilizer.  Make sure you can read the serial number on it.  Then, you'll need a way of getting the code word from the serial number.  There are programs out there that can do this.  Most are not free, but I know of at least one where the "demo" mode will do this for free!  It will be an 8 digit number.  You'll have to program this into the EEPROM.  I'm still looking for a way to do this without having to desolder the chip.  There must be a way, because the manufacturer does it - but until I find it, you'll have to remove the chip and program it that way.  If you are actually going to do this, let me know and I can help you out with the details.  Once the EEPROM's copy of the code word is made to match the immobilizer, then the new immobilizer should work with the ECU.  You'll have to reprogram your keys, too (you can find the procedure online).  Caveat - I haven't tried this myself, so YMMV.
  • If both ECU and immobilizer are replaced, and you don't have a matching set, do the same as if you replaced just the immobilizer, as I don't know how to change the code word in the immobilizer, or if it's even possible.

Anyway, I hope you never have a problem with your immobilizer system, and I'm glad my car came with one, but if you do, just know that there are cheaper ways to get up and running again than replacing the ECU/immobilizer/keys/locks.

Wednesday, February 19, 2014

Hello again

Recently, I got an email from someone asking about the Miata ECU project.  It turned out that he works very close by where I work, so we met and talked over coffee.  I'd been so busy with other things (life, basically) that I hadn't really done anything with the project in a long time.  That in itself really didn't (and doesn't) bother me, but our meeting made me realize that others have taken an interest in the project, and that I've been remiss in keeping up this blog.  It's received a little over 10,000 page views, including over 500 last month, even though it's been over 2 years since I've written a project-related post.  So I do feel like I owe you some new posts.

While I really have not done much in the last year or so, there is a lot that I've already learned over the past couple of years that I haven't shared, so just catching everyone up will take up quite a few posts.

I left off with a series of posts about OBD modes.  I think next time, I'll just wrap up the remaining supported modes, so we can move on to more interesting topics.  If you have suggestions for topics of particular interest you'd like me to cover, please leave a comment!

Tuesday, May 29, 2012

Shameless Panhandling

Hello, again!  I haven't posted for some time now, as you can see.  I am still working on the reverse engineering project, when I have time.  My latest crazy idea has been to port the code to C# so I can run and debug it on my PC.  It's never going to actually run my car, but it is useful to be able to run it and trace the program flow, instead of just staring at static code.  It also gives me a perverse sense of nerd joy knowing that I'm probably the only one that's ever run the NB code in C#.  :P

Anyway, I'm writing today to (shamelessly) ask you to please click on an ad or two if you find any of this stuff interesting.  It won't cost you anything, and it may net me a penny or two.  To give you an idea of how little money we're talking about, to date the blog has been viewed about 2,000 times, and I've made less than $2 from the ads.  So it's obviously not going to make me any real money, but think of it as your way of encouraging me to continue sharing with you what I'm finding out about the NB ECU.  Thanks!  And thank you especially to the handful of readers that have left an encouraging note.  That's a great motivator for me!

Saturday, January 14, 2012

NB Miata - OBD Mode 13

Happy Friday the 13th!  Are you superstitious?  I'm not - especially not about the number 13.  Speaking of which, we're talking about OBD Mode 13 today.  OK, so 13 in this case is actually a hexadecimal number, but anyway...

The ECU subroutines that handle Mode 13 are also shared with Modes 3 and 7.  It appears that, while the request messages for Modes 3 and 7 do not (actually, cannot) contain a PID, Mode 13 messages can contain extra bytes after the mode number.  I wish I could tell you what they are used for, if anything, but at this point, I don't know.

What I can tell you is that Mode 13 reports the same DTCs as Mode 3, plus:

P0605 - Internal Control Module ROM Error
P1602 - Immobilizer / ECM Communication Error
P1603 - ID Number Unregistered
P1604 - Code Word Unregistered
P1621 - Immobilizer Code Words Do Not Match
P1622 - Immobilizer ID Does Not Match
P1623 - Immobilizer Code Word/ID Number Write Failure
P1624 - Vehicle anti-theft system malfunction
P1631 - Alternator Regulator #2 Control Circuit
P1633 - Generator Control System - over charge
P1634 - Generator Control System - no charge

I could be wrong about the meaning of the last three.  But what you can see from looking at the rest of the list is that they represent a class of errors that have more to do with the system electronics than the engine, so they are different.  I'm particularly interested in how the immobilizer works, and will post more about it later.

It's been about 9 months since I have looked at the code, so it will take me a little bit of time to get back to where I was, but if I recall correctly, there may be some additional requirements that must be met in order to access Mode 13 (such as placing a jumper somewhere or something).  As I get back into analyzing the code, I will update this post with any additional info I find.

Next up, Mode 14.

Tuesday, December 20, 2011

Season's Greetings

Hi to everyone who's stumbled across this blog!  As so often happens in life, you sometimes get busy doing other stuff and all of a sudden a few months have gone by.  I was very surprised to see that there have been a lot more views than I expected since I last posted.  I will resolve to continue posting in 2012!  See you in the new year.

Tuesday, April 12, 2011

NB Miata - OBD Mode 8

Today I'm going to talk about Mode 8.  It's been a while since I posted, partly because I have been busy with other things, and partly because I was hoping to have a more complete picture of what Mode 8 does.  Unfortunately, it's still mostly a mystery to me.  But at least I can tell you what I know.

In general Mode 8 is used to control some on-board system, sometimes to create conditions necessary to test a component or subsystem.  In my ECU, here's the quick summary:
  1. In the NB Miata, it only applies to OBD-II vehicles.  Any other flavor will simply respond to a Mode 8 request with an error reply.
  2. Only two PIDs are supported:  00 and 01.
  3. The request message must be 11 bytes long, so it must be zero-padded.  The extra bytes cannot be anything other than zero.
  4. PID 0 is just a PIDs supported request.  Since I'm telling you now that only 0 and 1 are supported, this is no longer of any use to you.
  5. If a PID 1 request is sent and bit 0 of 10055 is set at the time, then the ECU will set bit 0 of 108ED and respond with an affirmative OBD reply.

I think that the request is only honored if the engine is not running at the time, but I'm not 100% sure if that's the case.  Anyway, while it may seem like a lot of trouble just to set one bit in memory, setting that bit has a pretty significant ripple effect.  I'm not sure I've discovered all of the secondary effects, and I'm pretty much in the dark about what the ultimate purpose is, but it appears to temporarily put the ECU in an altered state, and there are literally dozens of places in the code that are ultimately affected.  Some of the affected subroutines are related to the short term fuel trim, but there are many others that I still have no idea what they are used for.

I hope to eventually unravel the complete story.  In the meantime, if you are willing to try, you can see if you can get your car to accept a Mode 8 PID 1 command and see if you can tell how your car's behavior changes.  I doubt very much that Mazda would build in a test that could potentially damage your car, but of course I can't guarantee it, so proceed at your own risk.

Next time, Mode 9?  Sorry, but the NB Miata doesn't support Mode 9.  In fact, the next higher supported mode is Mode 13.

Tuesday, February 22, 2011

NB Miata - OBD Mode 7, and Mode 3 update

Mode 7 is similar to Mode 3, in that it does not take any PIDs, and reports on DTCs.  They are so similar, in fact, that they share the same subroutines to generate responses to requests.  However, while Mode 3 responds by reporting active DTCs, Mode 7 reports pending DTCs - that is, problems that have been detected but have not yet risen to the level of severity of an active DTC.

Another key difference between the two is that they support a slightly different set of DTCs.  When I first listed the DTCs in the Mode 3 post, I thought that Mode 3 could report all of them.  However, upon closer inspection, it turns out that only a subset of them will ever show up in a Mode 3 response.  Similarly, the Mode 7 DTCs are a subset of the Mode 3 DTCs.

Rather than re-list the DTCs that are associated with Mode 7, I'll just list the numbers.  You can refer to the previous Mode 3 post for more info.

Mode 7 DTCs
P0011, P0012, P0031, P0032, P0037, P0038, P0101, P0106, P0111, P0116, P0121, P0125, P0126, P0128, P0131, P0132, P0133, P0134, P0138, P0140, P0171, P0172, P0300, P0301, P0302, P0303, P0304, P0401, P0402, P0420, P0421, P0442, P0451, P0443, P0452, P0453, P0455, P0461, P0462, P0463, P0464, P0480, P0500, P0506, P0507, P0550, P0703, P0704, P0706, P0715, P0725, P0741, P0742, P0751, P0752, P0756, P0757, P0850, P1450, P1496, P1497, P1498, P1499, P1512, P1518, P1569, P1570

Mode 3 DTCs
(the above list), plus: P0010, P0102, P0103, P0107, P0108, P0112, P0113, P0117, P0118, P0122, P0123, P0222, P0223, P0327, P0328, P0335, P0340, P0505, P0720, P0743, P0753, P0758, P1562, P1601

Finally, there are a few other modes that report DTCs, and have their own subset of DTCs.  More on these later.  Up next:  Mode 8.
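
To make the relationship between the DTC lists concrete, here is an added example (not the ECU's code and not from the original posts) that decodes DTC byte pairs and reports which of Modes 3, 7 and 13 would carry each code according to the lists on this page. It assumes the standard SAE J1979 two-byte DTC encoding and a payload of DTC pairs padded with 00 00; the sample bytes are constructed.

```python
# Added example. DTC sets are copied from the Mode 7, Mode 3 and Mode 13 posts.
# Assumption: the ECU uses the standard SAE J1979 two-byte DTC encoding.

MODE7 = set("""
P0011 P0012 P0031 P0032 P0037 P0038 P0101 P0106 P0111 P0116 P0121 P0125
P0126 P0128 P0131 P0132 P0133 P0134 P0138 P0140 P0171 P0172 P0300 P0301
P0302 P0303 P0304 P0401 P0402 P0420 P0421 P0442 P0451 P0443 P0452 P0453
P0455 P0461 P0462 P0463 P0464 P0480 P0500 P0506 P0507 P0550 P0703 P0704
P0706 P0715 P0725 P0741 P0742 P0751 P0752 P0756 P0757 P0850 P1450 P1496
P1497 P1498 P1499 P1512 P1518 P1569 P1570""".split())

# Mode 3 = the Mode 7 list plus these.
MODE3 = MODE7 | set("""
P0010 P0102 P0103 P0107 P0108 P0112 P0113 P0117 P0118 P0122 P0123 P0222
P0223 P0327 P0328 P0335 P0340 P0505 P0720 P0743 P0753 P0758 P1562 P1601""".split())

# Mode 13 (hexadecimal mode number) = the Mode 3 list plus these.
MODE13 = MODE3 | set("""
P0605 P1602 P1603 P1604 P1621 P1622 P1623 P1624 P1631 P1633 P1634""".split())

def decode_dtc(hi, lo):
    """Bits 7-6 of hi: system letter; bits 5-4: first digit; the rest: hex digits."""
    return f"{'PCBU'[hi >> 6]}{(hi >> 4) & 0x3}{hi & 0xF:X}{lo:02X}"

def decode_payload(data):
    """Decode consecutive DTC byte pairs, skipping 00 00 padding slots."""
    if len(data) % 2:
        raise ValueError("DTC payload must be an even number of bytes")
    pairs = (data[i:i + 2] for i in range(0, len(data), 2))
    return [decode_dtc(hi, lo) for hi, lo in pairs if hi or lo]

def reporting_modes(code):
    """Modes whose DTC set, per the lists above, contains this code."""
    modes = (("03", MODE3), ("07", MODE7), ("13", MODE13))
    return [name for name, codes in modes if code in codes]

def triage(data):
    return {code: reporting_modes(code) for code in decode_payload(data)}

# Constructed sample: three DTC pairs followed by one padding slot.
SAMPLE = bytes.fromhex("0133160303350000")

if __name__ == "__main__":
    for code, modes in triage(SAMPLE).items():
        print(code, "reported by mode(s):", ", ".join(modes) or "none listed")
```

An immobilizer code such as P1603 appears only under Mode 13, so a scan limited to Modes 3 and 7 would not show it.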