EV-ECU Reverse Engineering

Mitsubishi i-MiEV Forum

kiev

This may be overly optimistic and entirely premature, but here are pictures of the top and bottom of the board to get it started.

Con1 is the main box connector which is subdivided into 4 separate connectors marked A-D on the board.

Con2 and 3 look like unpopulated programming ports, such as JTAG for the micro and something with a bunch of pins for an eeprom.

Also some little bitty 3- and 4-pins for Con4 and Con5, likely for some sort of program or testing power supplies.

IC1 has a Mitsubishi logo and is marked MH8106F 115A105 U0.

IC2 has a big mits logo and is marked E350B SC111528BAF M66E 263 QDE1124D.

Anybody interested feel free to jump in and bite off a slice--ain't gonna be easy but a whole lotta fun...

Top side: [image: 2a18fAi.jpg]

Bottom: [image: ZZdaXbv.jpg]
 
BruceWillis said:
use mmcflash to read this ecu
Alas, the MH8106F chip seems rather mysterious. I haven't found a single datasheet for it as yet. This chip seems to often be used for vehicle ECUs, so I suspect that the lack of data is intentional, to make reverse engineering harder, so people can't do dangerous things with their cars. Unfortunately, that means they also can't get information on them for interoperability, or patch undesirable behaviour that the manufacturers don't fix.

To make progress with the i-MiEV ECU firmware, we'd need these things:
  • A binary or hex dump of the flash image
  • A datasheet for the MH8106F, with at least basic information on what the various special function registers do
  • Probably also a datasheet for the other large IC, IC2. We don't even know which of the several numbers on it are the part number, or who the actual manufacturer is (I doubt that Mitsubishi have their own semiconductor fabrication facility, but I could be wrong).
  • A disassembler / decoder, preferably for IDA Pro.
  • Lots of time and patience.

This information has to be "out there", since there seems to be a market in reprogrammed chips for various vehicles, all at high prices. If anyone comes across any free information, I'd be interested.
 
As far as I've been able to determine, it's a Mitsubishi System on Chip (SoC) comprising a 32-bit CPU and 1024kB ROM.

I ran into programming manuals for these SoCs a few months ago, promptly lost the link and have been unable to find it again.

The point to making it easier to deal with is that the part number simply tells you a particular configuration. There are more "general purpose" designations for the families.

Mitsubishi is vertically integrated and they do make their own chips in another arm of the conglomerate (Mitsubishi Electric Company - Melco).

This brings up the point that whilst the carmaker/brand is now owned by Nissan, the rest of the company is still a going concern and the details are still out there.

If someone can get hold of an image - it doesn't need to be i-MiEV, but does need to be from this ECU (it's used on a number of mid-2000s Mitsubishis) - then it's possible to identify the CPU family being used and that would be a good starting point.

There's an ebook circulating called "mitsubishi ecu reverse engineering .pdf" which has a photo of this exact ECU on the front page. I've been unable to actually find a working link for the thing, but I suspect that most of the needed answers are in that publication.
 
Haha, I found that .pdf being sold on a bunch of websites:
[image: hnxcvgT.png]


Also found a Dodge Stealth 3S forum with a fellow wanting to reverse the Mits ECU for that car; he found a datasheet for the 37xxx family used back in the '90s. If I had time I would read it as a springboard into the 38xxx series, as I would guess they didn't stray too far from those basic concepts (engineers are lazy and won't re-invent the wheel if possible).

https://archive.org/details/bitsavers_mitsubishiChip16bitMicrocomputers_17233007/page/n3/mode/2up
 
kiev said:
he found a datasheet for the 37xxx family used back in the '90s.
I had a quick skim. It's a 16-bit CPU with 16 KiB of (mask programmable?) prom, A and B accumulators (16 bits), X and Y index registers (both 16-bit), and 16-bit S and PC registers. It sounds like a Motorola 6809, though quite possibly not instruction set compatible.

[ Edit: definitely not compatible; 6809 had 8-bit A and B which could be treated as a 16-bit D, being the concatenation of B and A. ]

It seems far too limited for use in modern cars, except perhaps for really simple tasks (not BMS or VCU/EVCU). Were the '90s still that crude?

[ Edit: Accumulators are 16 bit. ]
 
Alas, the MH8106F chip seems rather mysterious. I haven't found a single datasheet for it as yet. This chip seems to often be used for vehicle ECUs, so I suspect that the lack of data is intentional, to make reverse engineering harder, so people can't do dangerous things with their cars. Unfortunately, that means they also can't get information on them for interoperability, or patch undesirable behaviour that the manufacturers don't fix.
...

This information has to be "out there", since there seems to be a market in reprogrammed chips for various vehicles, all at high prices. If anyone comes across any free information, I'd be interested.

The following information might be out there somewhere already, but if so I've not found it yet.

I'm doing a little reverse engineering myself at the moment. Background is that I'm still on the trail of my coolant pump warning issue. Having excluded everything else, I'm now of the opinion that the issue is in the ECU itself, so I've spent time over our long weekend here in Western Australia doing a little reverse engineering.

In the process, I traced the WPN signal (water pump speed feedback) from the connector back through a protection/conditioning network of resistors and diodes. It drives a digital transistor (transistor with internal bias resistors - probably an RT1N141U), the collector of which connects to a pin on the MH8106F processor. The network seems OK, though I'm still tracing it out - not sure about the transistor.

I did the usual web trawls for information on the processor, without a great deal of success, then I started looking for similar devices. I've now convinced myself that our MH8106F is an M32R device from Renesas, probably a variant of an M32192 or M32196. The M32172 and M32173 also have very similar pinouts, but they are earlier and have less flash memory than the 1MB I believe our one does. What convinced me was:
  • Correct package
  • Locations of JTAG pins on the device
  • Locations of oscillator pins
  • Locations of ground pins
  • The WPN signal ends up on pin 120 of the MH8106. That pin is labelled P125/TCLK1/A10/DD2 - P125 matches the pin identity on the vehicle schematics. (this one was the Aha! moment)
I haven't yet traced any other signal to confirm the numbering coincidence, but the odds are pretty good I'd reckon.

Hardware manual for the M32192 and other technical information can be found here.
Software manual for the M32R CPU is here.
 
Were the '90s still that crude?

[ Edit: Accumulators are 16 bit. ]

In short, yes.

The use of M32R shouldn't be a surprise. Mitsubishi have used that "since forever" and the same ECUs crop up in Lancers (Evo models) of the late 1990s.

The GOOD thing about that is that it means the chip and ECU are both thoroughly documented in Evo forums and whilst the code may be "different", I'll almost guarantee that it's substantially similar in block layout to existing ICE control code. (This is based on my 1990s interactions with Japanese companies and coders. Calling them a lazy bunch isn't fair, but heavy reuse of standard blocks and kludging to make them fit was a feature of much code of the era from Japan.)

This also means that if someone can extract the ROM dumps, it should be possible to run things through a disassembler - this is most likely what kolyandrex did to decode the BMU (also a standard Mitsubishi ECU found in Lancers and other vehicles).
 
A bit of trawling has unearthed this wee gem: https://mcuinnovations.com/software/renesasrecovery/

It may be of use, but then again being tied to W7 it may be a boat anchor.

The IDE for M32R is linked at https://www.renesas.com/en/products...her-mcus-mpus/m32r-family-mcus/software-tools

Edit: Wow, that chip is used in a LOT of Japanese car/motorcycle ECUs, with quite a bunch of them using proprietary protocols to enforce use of manufacturer-specific tools. Without digging further I'd suggest that most of them use very basic obfuscation techniques, given the audience and automaker attitudes to software (remember, this was the era when Toyota ECU code got so bad that it could possibly jam the throttle wide open).
 