DSM/ECU/Reverse Engineering: Difference between revisions
		
		
		
		
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| =Example= | |||
| Here is an example of record keeping of the components and PCB references I did on a 1.8l ECU I reversed as practice: | Here is an example of record keeping of the components and PCB references I did on a 1.8l ECU I reversed as practice: | ||
| ==Exterior== | |||
| ==== | <gallery> | ||
| Image:MD159561-E2T33674E.png|ECU top | |||
| Image:MD159561-E2T33674E-side.png|ECU Exterior, Side | |||
| </gallery> | |||
| ===Top=== | |||
|   MD159561 | |||
|   E2T33674E | |||
|    0607 | |||
|   Mitsubishi Electric Corp. | |||
|   Japan | |||
| ===Side=== | |||
|   9561 | |||
|   E2T33674E | |||
|   Mitsubishi Electric Corp. | |||
|   Japan | |||
| ==Interior== | |||
| <gallery> | |||
| </gallery> | |||
| === | ===Processor=== | ||
| [[DSM/ECU/TMP76xxx MH6xxx]] | |||
| [https://app.gitbook.com/s/-MbMmcGjBEeIX30liMDB/ DSM-ECU Book] | |||
| === | ===EPROM=== | ||
| * E924 | |||
| ===PCB=== | |||
| BOM: [[DSM/ECU/JE331B988B]] | |||
| <gallery> | <gallery> | ||
| Image:MD159561-E2T33674E-board-overview.png|Board overview | |||
| Image:1.8l dsm-ecu-traces.png|Copper traces of PCB | Image:1.8l dsm-ecu-traces.png|Copper traces of PCB | ||
| Image:JE331B-silkscreen.png|Silkscreen | Image:JE331B-silkscreen.png|Silkscreen | ||
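Review bot: the `<gallery>` added directly under `==Interior==` is opened and closed with nothing in it, so the section renders an empty gallery. Either list the interior photos there or drop the tag pair until they exist. The `===EPROM===` entry `* E924` would also read better with a word saying what the marking is (label, part number or ROM ID), since the Top and Side sections record their markings in context.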
| Line 79: | Line 97: | ||
| ===Result=== | ===Result=== | ||
| # A BOM of sorts | # A BOM of sorts | ||
| #* List of all the components and their  | #* List of all the components, and their values and locations on the PCB | ||
| # A Schematic of the electrical connections | # A Schematic of the electrical connections | ||
| # A PCB layout | # A PCB layout | ||
| # Lots of photos | # Lots of photos | ||
| # ROM dumps of all ROM, Internal ROM and EPROM | |||
| # Disassembly of all ROM, Internal and External | |||
| ==Toolbox== | ==Toolbox== | ||
| Line 118: | Line 138: | ||
| * Inkscape | * Inkscape | ||
| * KiCad | * KiCad | ||
| {|  class="wikitable" | |||
| ! align="center" style="background:#f0f0f0;"| '''''' | |||
| ! align="center" style="background:#f0f0f0;"| '''MC09D''' | |||
| ! align="center" style="background:#f0f0f0;"| '''MB14B''' | |||
| ! align="center" style="background:#f0f0f0;"| '''EB23C''' | |||
| ! align="center" style="background:#f0f0f0;"| '''MB06B''' | |||
| ! align="center" style="background:#f0f0f0;"| '''Best Guess''' | |||
| |- align="center " | |||
|  | FFAC || Instant return || Instant return || Entrypoint || Instant Return ||  | |||
| |- align="center" | |||
|  | FFAE || RX_VECTOR || RX_VECTOR || Read SCI_CTL || RX vector || SCI_VECTOR | |||
| |- align="center" | |||
|  | FFB0 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFB2 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFB4 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFB6 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFB8 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFBA || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFBC || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFBE || SCI_TX || Instant return || Entrypoint || SCI_TX || ?RTI_VECTOR? | |||
| |- align="center" | |||
|  | FFC0 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFC2 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFC4 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFC6 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFC8 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFCA || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFCC || Instant return || Touches 0x0C || Entrypoint || Instant Return || T1_OUTCMP | |||
| |- align="center" | |||
|  | FFCE || Reads 0x0E data register, manipulates PORT3 || Instant return || Entrypoint || 0x0E, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFD0 || Also reads 0x0E data register, then a bunch of RAM stuff || Instant return || Peeks 0x0E, modified 0x0D, 0x0B, Ports || 0x0E, lots of RAM || T1InputCapture | |||
| |- align="center" | |||
|  | FFD2 || Also reads 0x0E data register, and ands P3 with 0xFE || Touches 0x0E SCI_CTL and SCI_TX || Entrypoint || 0x0E, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFD4 || Reads 0x0E, RAM stuff, Port3 || Touched 0x0E || Entrypoint || 0x0E, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFD6 || Reads 0x0E, RAM stuff, Port3 || Touches 0x0E Port5 || Entrypoint || 0x0E, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFD8 || Reads 0x0E, RAM stuff, Port3, Port1 || Touches 0x0E and 0x0C || Entrypoint || 0x0E, Port1, Port3 || T1InputCapture | |||
| |- align="center" | |||
| T1OutCmp | |||
| |- align="center" | |||
|  | FFDA || Reads 0x0E, RAM stuff, Port3, Port1 || Reads 0x0E P1 P5 stuff || Entrypoint || 0x0E, Port1, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFDC || Reads 0x0E, RAM stuff, Port3, Port1 || Reads 0x0E || Entrypoint || 0x0E, Port1, Port3 || T1InputCapture | |||
| |- align="center" | |||
|  | FFDE || Instant return || Instant return || Modifies 0x1A and 0x09 || Instant Return || T2CSR2 | |||
| |- align="center" | |||
|  | FFE0 || Instant return || Instant return || Modifies 0x19 and 0x09 || Instant Return || T2CSR1 | |||
| |- align="center" | |||
|  | FFE2 || Instant return || Instant return || Modifies 0x18 and 0x09 || Instant Return || T1CSR2 | |||
| |- align="center" | |||
|  | FFE4 || Instant return || Instant return || Modifies 0x17 || Instant Return || ?? | |||
| |- align="center" | |||
|  | FFE6 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFE8 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFEA || Instant return || Instant return || 0x0D 0x0B || Instant Return || OutCmp | |||
| |- align="center" | |||
|  | FFEC || Instant return || Instant return || Peek 0x0D, handle 0x0B || Instant Return || OutCmp | |||
| |- align="center" | |||
|  | FFEE || Reads 0x0D, modifies 0x0A || 0x0D, 0x0A || Peeks 0x0D || 0x0D, 0x0A || T1InputCapture | |||
| |- align="center" | |||
|  | FFF0 || Reads 0x0D, modifies 0x0A || Instant return || Entrypoint || 0x0D, 0x0A || T1InputCapture | |||
| |- align="center" | |||
|  | FFF2 || Reads 0x0D, modifies 0x0A || 0x0D, 0x0C || Entrypoint || 0x0D, 0x0A || T1InputCapture | |||
| |- align="center" | |||
|  | FFF4 || Reads 0x0D, modifies 0x0A || ;0x0D || Entrypoint || 0x0D, 0x0A || T1InputCapture | |||
| |- align="center" | |||
|  | FFF6 || Reads 0x0D, modifies 0x0A || 0x0D, 0x0C || Entrypoint || 0x0D, 0x0A || T1InputCapture | |||
| |- align="center" | |||
|  | FFF8 || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFFA || Instant return || Instant return || Entrypoint || Instant Return || ? | |||
| |- align="center" | |||
|  | FFFC || nNMI || nNMI || nNMI_VECTOR || nNMI || ?nNMI_VECTOR? | |||
| |- align="center" | |||
|  | FFFE || Entrypoint || Entrypoint || Entrypoint || Entrypoint || RESET | |||
| |} | |||
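Review bot: the new table is appended straight after `* KiCad` in the Software list with no heading or introductory sentence, and its first header cell is an empty bold (`''''''`), so nothing says that the first column holds addresses or what MC09D, MB14B, EB23C and MB06B are. Give it its own section heading and name the first column. Between the FFD8 and FFDA rows there is also a row holding only `T1OutCmp` with no cell markup; if it is a second guess for FFD8 it belongs in that row's Best Guess cell, otherwise it should go. The first row separator reads `align="center "` with a trailing space inside the quotes, unlike every other row.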
Latest revision as of 21:11, 11 August 2022
Example
Here is an example of record keeping of the components and PCB references I did on a 1.8l ECU I reversed as practice:
Exterior
- ECU top
- ECU Exterior, Side
Top
MD159561
E2T33674E
0607
Mitsubishi Electric Corp.
Japan
Side
9561
E2T33674E
Mitsubishi Electric Corp.
Japan
Interior
Processor
EPROM
- E924
PCB
BOM: DSM/ECU/JE331B988B
- Board overview
- Copper traces of PCB
- Silkscreen
- Top layer photo
- Bottom layer photo
How-To
Hardware
- Obtain ECU
- Take external photographs
  - Mostly for all the numbers and letters/the stickers
- Open ECU
- Remove PCB
- TAKE MORE PICTURES (before you touch anything else)
  - The code on the plug socket
  - The microprocessor
  - The EPROM (if there is one)
  - Any and all visible markings on components
  - The ENTIRE board on BOTH sides
- RECORD all components with visible markings, decode resistor values
  - This means a table with the PCB silkscreen references and the component values
- ACETONE bath
  - This is to remove all the conformal coating junk that interferes with reading markings AND the ability to probe, test, and desolder
- SCRUB with Toothbrush, Q-Tips
- PHOTOGRAPH and RECORD any newly visible information
- REMOVE any components with known values:
  - Electrolytic capacitors can go first
  - Then any ICs
  - Resistors with the bands already decoded
  - Connectors
- REMOVE components with unknown values ONE AT A TIME
  - SMD Capacitors and Transistors are good examples
  - Remove one, use the Multimeter and/or LCR meter to get values and RECORD them in the table
- Eventually you will be left with a BARE BOARD
- SPRAY and WIPE DOWN the bare PCB with WD-40 to clean up any remaining conformal coating and junk
  - This preps the board for nice clear photographs
- PHOTOGRAPH both sides of the PCB
  - Get ONE photo of EACH side of the PCB
  - Flat
  - In focus
  - Dead-on photos with no perspective error
  - Use a tripod
  - Use lighting
  - Use a remote shutter-release to eliminate shake from the image
Digitization
- Do color correction in darktable
- Import to GIMP and isolate the silkscreen to generate a silkscreen layer
- Import into Inkscape to create a vector of the copper traces
- Import the output of the last two steps into KiCad
  - Recreate the PCB
  - Create a schematic from the PCB
Result
- A BOM of sorts
  - List of all the components, and their values and locations on the PCB
- A Schematic of the electrical connections
- A PCB layout
- Lots of photos
- ROM dumps of all ROM, Internal ROM and EPROM
- Disassembly of all ROM, Internal and External
Toolbox
Tools
- Screwdrivers
- Tweezers
- Solder
- Solder Sucker
- Solder Wick
- Soldering Iron
- SMD/Reflow Air Tool
- Chamois cloth
- Multimeter
- LCR Meter
Solvents
- Acetone
- 99% Isopropyl alcohol
- WD-40
- Flux
- Flux cleaner
- H2O
Camera
- DSLR
- Tripod
- Circular-polarized lens
- Remote shutter-release
- Lighting
Software
- Darktable
- GIMP
- Inkscape
- KiCad
| | MC09D | MB14B | EB23C | MB06B | Best Guess |
|---|---|---|---|---|---|
| FFAC | Instant return | Instant return | Entrypoint | Instant Return | |
| FFAE | RX_VECTOR | RX_VECTOR | Read SCI_CTL | RX vector | SCI_VECTOR | 
| FFB0 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFB2 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFB4 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFB6 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFB8 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFBA | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFBC | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFBE | SCI_TX | Instant return | Entrypoint | SCI_TX | ?RTI_VECTOR? | 
| FFC0 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFC2 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFC4 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFC6 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFC8 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFCA | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFCC | Instant return | Touches 0x0C | Entrypoint | Instant Return | T1_OUTCMP | 
| FFCE | Reads 0x0E data register, manipulates PORT3 | Instant return | Entrypoint | 0x0E, Port3 | T1InputCapture | 
| FFD0 | Also reads 0x0E data register, then a bunch of RAM stuff | Instant return | Peeks 0x0E, modified 0x0D, 0x0B, Ports | 0x0E, lots of RAM | T1InputCapture | 
| FFD2 | Also reads 0x0E data register, and ands P3 with 0xFE | Touches 0x0E SCI_CTL and SCI_TX | Entrypoint | 0x0E, Port3 | T1InputCapture | 
| FFD4 | Reads 0x0E, RAM stuff, Port3 | Touched 0x0E | Entrypoint | 0x0E, Port3 | T1InputCapture | 
| FFD6 | Reads 0x0E, RAM stuff, Port3 | Touches 0x0E Port5 | Entrypoint | 0x0E, Port3 | T1InputCapture | 
| FFD8 | Reads 0x0E, RAM stuff, Port3, Port1 | Touches 0x0E and 0x0C | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture | 
| FFDA | Reads 0x0E, RAM stuff, Port3, Port1 | Reads 0x0E P1 P5 stuff | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture | 
| FFDC | Reads 0x0E, RAM stuff, Port3, Port1 | Reads 0x0E | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture | 
| FFDE | Instant return | Instant return | Modifies 0x1A and 0x09 | Instant Return | T2CSR2 | 
| FFE0 | Instant return | Instant return | Modifies 0x19 and 0x09 | Instant Return | T2CSR1 | 
| FFE2 | Instant return | Instant return | Modifies 0x18 and 0x09 | Instant Return | T1CSR2 | 
| FFE4 | Instant return | Instant return | Modifies 0x17 | Instant Return | ?? | 
| FFE6 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFE8 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFEA | Instant return | Instant return | 0x0D 0x0B | Instant Return | OutCmp | 
| FFEC | Instant return | Instant return | Peek 0x0D, handle 0x0B | Instant Return | OutCmp | 
| FFEE | Reads 0x0D, modifies 0x0A | 0x0D, 0x0A | Peeks 0x0D | 0x0D, 0x0A | T1InputCapture | 
| FFF0 | Reads 0x0D, modifies 0x0A | Instant return | Entrypoint | 0x0D, 0x0A | T1InputCapture | 
| FFF2 | Reads 0x0D, modifies 0x0A | 0x0D, 0x0C | Entrypoint | 0x0D, 0x0A | T1InputCapture | 
| FFF4 | Reads 0x0D, modifies 0x0A | ;0x0D | Entrypoint | 0x0D, 0x0A | T1InputCapture | 
| FFF6 | Reads 0x0D, modifies 0x0A | 0x0D, 0x0C | Entrypoint | 0x0D, 0x0A | T1InputCapture | 
| FFF8 | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFFA | Instant return | Instant return | Entrypoint | Instant Return | ? | 
| FFFC | nNMI | nNMI | nNMI_VECTOR | nNMI | ?nNMI_VECTOR? | 
| FFFE | Entrypoint | Entrypoint | Entrypoint | Entrypoint | RESET | 
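
A first pass over a table like the one above can be scripted from the ROM dumps. The following is an added example, not code from the original page: it reads each 16-bit entry from FFAC to FFFE and labels it with the table's own vocabulary. The function names, the "Handler" and "Outside image" labels, the big-endian vector layout, the RTI opcode 0x3B (6801-family) and the mapping of the image's last byte to FFFF are assumptions; the sample ROM is constructed, not a real dump.

```python
import struct

VEC_FIRST, VEC_LAST = 0xFFAC, 0xFFFE   # address range covered by the table
RTI = 0x3B                              # assumption: 6801-family RTI opcode

def classify_vectors(rom: bytes, rom_end: int = 0xFFFF) -> dict:
    """Map each vector address to (target, label) for one ROM image.

    Assumes the image's last byte sits at CPU address rom_end and that
    vectors are stored as 16-bit big-endian words.
    """
    base = rom_end + 1 - len(rom)       # CPU address of rom[0]

    def word(addr: int) -> int:
        off = addr - base
        if off < 0 or off + 2 > len(rom):
            raise ValueError(f"address {addr:04X} is outside the image")
        return struct.unpack_from(">H", rom, off)[0]

    reset = word(VEC_LAST)              # FFFE is the RESET entry in the table
    out = {}
    for vec in range(VEC_FIRST, VEC_LAST + 1, 2):
        target = word(vec)
        if target == reset:
            label = "Entrypoint"        # unused vector parked on reset
        elif not (base <= target <= rom_end):
            label = "Outside image"     # e.g. internal ROM not in this dump
        elif rom[target - base] == RTI:
            label = "Instant return"    # handler is a lone RTI
        else:
            label = "Handler"           # needs manual disassembly
        out[vec] = (target, label)
    return out

def build_sample_rom() -> bytes:
    """Constructed 256-byte image (not a real dump) mapped at FF00-FFFF."""
    rom = bytearray([0x01] * 256)       # filler bytes
    rom[0x10] = RTI                     # FF10: lone RTI stub
    for vec in range(VEC_FIRST, VEC_LAST + 1, 2):
        struct.pack_into(">H", rom, vec - 0xFF00, 0xFF10)
    struct.pack_into(">H", rom, 0xFFAE - 0xFF00, 0xFF20)  # a real handler
    struct.pack_into(">H", rom, 0xFFFE - 0xFF00, 0xFF40)  # reset entrypoint
    return bytes(rom)

if __name__ == "__main__":
    for vec, (target, label) in classify_vectors(build_sample_rom()).items():
        print(f"{vec:04X} -> {target:04X}  {label}")
```

Running it over each dump and lining the outputs up by address gives the per-ROM columns; only the entries labelled "Handler" then need reading in the disassembly.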






