EV-ECU Reverse Engineering

[kiev]

This may be overly optimistic and entirely premature, but here are pictures of the top and bottom of the board to get it started.

Con1 is the main box connector which is subdivided into 4 separate connectors marked A-D on the board.

Con2 and 3 look like unpopulated programming ports, such as JTAG for the micro and something with a bunch of pins for an eeprom.

Also some little bitty 3- and 4-pins for Con4 and Con5, likely for some sort of program or testing power supplies.

IC1 has mitsubishi logo and is marked MH8106F 115A105 U0.

IC2 has a big mits logo and is marked E350B SC111528BAF M66E 263 QDE1124D.

Anybody interested feel free to jump in and bite off a slice--ain't gonna be easy but a whole lotta fun...

Top side

Bottom

 

[BruceWillis]

Hello , you can use mmcflash to read this ecu

 

[coulomb]

use mmcflash to read this ecu

Alas, the MH8106F chip seems rather mysterious. I haven't found a single datasheet for it as yet. This chip seems to often be used for vehicle ECUs, so I suspect that the lack of data is intentional, to make reverse engineering harder, so people can't do dangerous things with their cars. Unfortunately, that means they also can't get information on them for interoperability, or patch undesirable behaviour that the manufacturers don't fix.

To make progress with the iMiev ECU firmware, we'd need these things:

• A binary or hex dump of the flash image
• A datasheet for the MH8106F, with at least basic information on what the various special function registers do
• Probably also a datasheet for the other large IC, IC2. We don't even know which of the several numbers on it are the part number, or who the actual manufacturer is (I doubt that Mitsubishi have their own semiconductor fabrication facility, but I could be wrong).
• A disassembler / decoder, preferably for Ida Pro.
• Lots of time and patience.

This information has to be "out there", since there seems to be a market in reprogrammed chips for various vehicles, all at high prices. If anyone comes across any free information, I'd be interested.

 

[stoatwblr]

As far as I've been able to determine, it's a mitsubishi System on Chip (SoC) comprising a 32 bit CPU and 1024kB rom.

I ran into programming manuals for these SoCs a few months ago, promptly lost the link and have been unable to find it again

The point to making it easier to deal with is that the part number simply tells you a particular configuration. There are more "general purpose" designations for the families

Mitsubishi is vertically integrated and they do make their own chips in another arm of the conglomerate (Mitsubishi electric company - Melco)

This brings up the point that whilst the carmaker/brand is now owned by Nissan, the rest of the company is still a going concern and the details are still out there

If someone can get hold of an image - it doesn't need to be imiev, but does need to be from this ECU (it's used on a number of mid-2000s Mitsubishis) - then it's possible to identify the CPU family being used and that would be a good starting point

There's an ebook circulating called "mitsubishi ecu reverse engineering .pdf" which has a photo of this exact ECU on the front page. I've been unable to actually find a working link for the thing, but I suspect that most of the needed answers are in that publication

 

[kiev]

Haha, i found that .pdf being sold on a bunch of websites,

Also found a Dodge Stealth 3S forum with a fellow wanting to reverse the mits ecu for that car, he found a datasheet for the 37xxx family used back in the '90s. if i had time i would read it as a springboard into the 38xxx series as i would guess they didn't stray too far from those basic concepts (engineers are lazy and won't re-invent the wheel if possible).

https://archive.org/details/bitsavers_mitsubishiChip16bitMicrocomputers_17233007/page/n3/mode/2up

 

[coulomb]

he found a datasheet for the 37xxx family used back in the '90s.

I had a quick skim. It's a 16-bit CPU with 16 KiB of (mask programmable?) prom, A and B accumulators (16 bits), X and Y index registers (both 16-bit), and 16-bit S and PC registers. It sounds like a Motorola 6809, though quite possibly not instruction set compatible.

[ Edit: definitely not compatible; 6809 had 8-bit A and B which could be treated as a 16-bit D, being the concatenation of B and A. ]

It seems far too limited for use in modern cars, except perhaps for really simple tasks (not BMS or VCU/EVCU). Were the '90s still that crude?

[ Edit: Accumulators are 16 bit. ]