FORScan PCM reprogramming (as-built) RX-8 (+other Mazdas...)

[JamieM]

Note: The first few posts of this thread are no longer relevant - it started as a simple question about module programming (as-built) in FORScan based on my own misunderstanding, then turned into a discussion about how to achieve as-built data reprogramming on the PCM, which FORScan currently doesn't support (it can only reprogram the other modules).

I have since figured out how to do this myself and written my own program to achieve my aims for the RX-8 (which was to enable cruise control), which also happens to work on some (but not all) similar age Mazdas.

However, I have detailed all my findings on the protocol etc in this thread so that support could be added to FORScan or used by others in the future. You probably want to ignore the first few replies and start reading from when I renamed the thread here: http://forscan.org/forum/viewtopic.php? ... 244#p10245

The post explaining the layout of the data / VIN block is on the 2nd page here: http://forscan.org/forum/viewtopic.php? ... =10#p16553

And finally, I released a slightly more generic as-built data modifier program that can change any aspect of the ABD (rather than just the cruise control) of the RX-8, or cars with the same VIN block layout as per the above post, here: https://forscan.org/forum/viewtopic.php ... =60#p20345


-------------------------------

Hi,

Been trying out this wonderful program with my 2005 Mazda RX-8, which I am fairly sure has some modules on MS-CAN. It seems to work very nicely with the modules it detects on HS-CAN for DTCs etc However, FORScan never asks me to flip the switch and try looking for MS-CAN modules, which I believe it should for this car. Am I missing something?

I am using a USB china clone ELM327 v1.4 with the HS/MS CAN switch mod, and have selected the "HS/MS switch" option in Settings->Connection->MS-CAN support.

If it makes a difference, what I am trying to do is modify my as-built data to enable cruise control, having installed all the necessary hardware (literally just the steering controls). I know this is possible because it has been done before, by one person, but he got a Mazda dealer to do the module programming part. Specifically, I want to write as-built data to the module at address 0x58 (58-09 block in the as-built data), I do not know which module this is but I know it exists as it is in the as-built data. Having compared lots of as-built data for different models/options of this car, I have worked out what I am 90% sure is the bit that enables cruise. However, I cannot find a module in the list FORScan presents under module programming to write to this address. This leads me to believe it is probably one of the modules on MS-CAN that's not showing up?

Alternatively, is there any way to just write as-built data to an address I specify, rather than having to choose the module it belongs to first? I am reasonably confident in what I am doing, I am an embedded software engineer by trade and though I am not particularly familiar with CAN, I work extensively with microprocessors and communications protocols and designing systems based around them

Many thanks,
Jamie

[JamieM]

More info: I am using the latest windows version of the program (extended license) on Windows 7, I have no saved profiles and start from scratch every time I connect to the car. I have tried searching the forum and can't find anyone else with my exact problem. In FTDI or COM mode my USB ELM327 reports a "maximum delay" of 2ms (I have changed the setting in Windows device manager to reduce delay from 16ms -> 1ms), and operates at 500 Kbps with the "Auto-increase" option ticked.

To clarify, I believe that FORScan should ask to flip the HS/MS CAN switch for this vehicle, but it doesn't. I think this may be incorrect?

Does anybody know which module corresponds to address 58? Another possibility is that the as-built programming for this module is just not showing up when it should (I can't find it, having tried all the available options)

Thanks

[Innerlurken]

Having checked on my cars OBD port it does not have the wires for MS-CAN bus system

Mines a 53 plate 231

[JamieM]

Since writing this I have been playing around with my ELM327, and discovered that module 0x58 actually uses ISO 9142-2, so not using CAN at all, rather than being on MS-CAN as I first thought, which is why I couldn't talk to it. A misunderstanding on my part, d'oh!

I knew it wasn't on HS-CAN (well, it doesn't use that protocol) but I was wrong about where it is actually located and thus how to talk to it Turns out FORScan module programming doesn't work for this module though, which according to FORScan is the RCM. It fails to read the as-built data, the progress bar gets to about 20% or so when initiating the proceedure (I don't remember exactly) then returns an error

I'm not too worried about this however, as some new information has come to light that suggests I was looking in the wrong module anyway (which makes sense, if it is the RCM, it's unlikely to have anything to do with cruise). The relevant as-built data for this is more likely stored in the PCM itself, which is in direct control of the electronic throttle but unfortunately doesn't show as a programmable module in FORScan. Therefore I have been writing some Python scripts to interface with the ELM327 directly. Currently trying to reverse engineer the security key out of the Mazda IDS software

[Innerlurken]

Sounds like you have made some progress then, can the mazda software not edit the as built data? And would looking at mazda edit software help at all with access to the pcm key?

[JamieM]

Yes it can, however I don't have the hardware for it unfortunately (VCM - they are rather expensive)! My aim is to come up with a solution utilising cheap, off-the-shelf hardware. I don't have MazdaEdit, but I know it doesn't do as-built data, otherwise this would be much easier! I also dismantled a spare PCM and built a debug interface from an MBED to interface directly with the Renesas CPU. I have obtained a ROM dump via this method and found the memory address of the as-built data, however I appear to only be able to read it and not write to it over the debug (AUD) pins. This isn't really an off-the-shelf solution, as I had to build/program it up, but has helped a lot in my reverse engineering and aided in my understanding

The only software I know of that can write as-built data to the PCM of an RX-8 is Mazda's own IDS thus far!

(Thread re-named to better reflect the contents and direction it is now going)

[JamieM]

I think I've also found where the security key is stored in the ROM of my spare ECU, however the key doesn't work on the PCM that's in my car, which has been re-mapped using MazdaEdit. Haven't got around to plugging the spare ECU into my car to see if that works yet. Interestingly the same key does however work for some of the other modules in my car e.g. the IC (Instrument Cluster). FORScan can already program this module though so not particularly useful!

[JamieM]

The key works on my unmodified spare ecu, so I can now get past the securityAccess stage for the PCM, and write as-built data. The new problem is, whilst writing to the smaller chunks is easy as the write instruction and data all fit in a single frame CAN packet, the PCM 1-9 sections all appear to be stored in one big chunk. I can't quite figure out the protocol of writing as-built data using a multi-frame CAN packet.

Example, here is the as-built data for an RX-8 PCM (from my spare ecu, but it's actually the same for every UK series 1 RX-8):

Code: Select all

PCM Module 
PCM 1 FFFF FFFF 0310 
PCM 2 0DFF FFFF FF1B 
PCM 3 FFFF FFFF FF0E 
PCM 4 FFFF FFFF FF0F 
PCM 5 FFFF FFFF FF10 
PCM 6 FFFF FFFF FF11 
PCM 7 FFFF FFFF FF12 
PCM 8 FFFF FFFF FF13 
PCM 9 FFFF FFFF FF14 
7E0-01-01 3133 4895 
7E0-02-01 3620 
7E0-03-01 4631 62 
7E0-04-01 301C 

The 7E0 lines are easy, for example to read 7E0-01-01 you just send the command 21 01 to the ecu at address 7E0
To read 7E0-02-01, you send 21 02, etc.
(21 is the read data by id command)

To write you first do a securityAccess 27 01, the ecu replies with a seed 67 01 ######, you calculate a key from a known secret (which I know for this ecu from the ROM dump I obtained) and send it back 27 02 ######. This is all just standard UDS commands (see https://en.wikipedia.org/wiki/Unified_D ... c_Services), except Mazda use slightly different command IDs for read/write.

You can then write to for example 7E0-03-01 by sending the command 3B 03 ####
(3B is the write data by id command for Mazdas)
No need to include the last byte as this is just a checksum.

e.g.

Code: Select all

>21 03
61 03 46 31

>3B 03 FACE
7B 03

>21 03
61 03 FA CE

>3B 03 4631
7B 03

>21 03
61 03 46 31

As you an see, this works nicely (if this is useful information FORScan team, please add RX-8 PCM as-built data writing functionality to FORScan! )

However, the PCM1-9 data all seems to be stored in one big block, which you can obtain with the command 21 00,
The ELM responds with this (turned off spaces so the buffer didn't overflow):

Code: Select all

>21 00
082
0:61004A4D5A53
1:45313733363030
2:313139353131FF
3:FFFFFF2AFFFFFF
4:FF030DFFFFFFFF
5:FFFFFFFFFFFFFF
6:FFFFFFFFFFFFFF
7:FFFFFFFFFFFFFF
8:FFFFFFFFFFFFFF
9:FFFFFFFFFFFFFF
A:FFFFFFFFFFFFFF
B:FFFFFFFFFFFFFF
C:FFFFFFFFFFFFFF
D:FFFFFFFFFFFFFF
E:FFFFFFFFFFFFFF
F:FFFFFFFFFFFFFF
0:FFFFFFFFFFFFFF
1:FFFFFFFFFFFFFF
2:FFDEFEFF300000

>

Fine. It's just a long response. It's 0x82 bytes long, starts with the VIN after the 6100 acknoledgement, some other data, then has the PCM sections 1-9 from about half way through line 3 to end of line 9. Then a load more stuff.

The problem is I can't seem to write to this, which is annoyingly the section I want to change.

The ELM won't let me write more than 8 bytes with auto formatting on, so I've tried turning it off and doing the multi-frame CAN packet manually. But I never get any response from the PCM after the last line of data is sent:

Code: Select all

>AT CAF0        <--- auto formatting off
OK

>10 82 3B 00 4A4D5A53   <--- first frame (1), length 082, 3B 00 <data>
3000000000000000         <--- flow control response from PCM, ok

>21 45313733363030    <--- 1st consecutive frame (21 <data>)
NO DATA

>22 313233343536FF    <--- 2nd consecutive frame (22 <data>)
NO DATA

>23 FFFFFF2ABBBBBB    <---  ...etc...
NO DATA

>24 BB030DBBBBBBBB
NO DATA

>25 BBBBBBBBBBBBBB
NO DATA

>26 BBBBBBBBBBBBBB
NO DATA

>27 BBBBBBBBBBBBBB
NO DATA

>28 BBBBBBBBBBBBBB
NO DATA

>29 BBBBBBBBBBBBBB
NO DATA

>2A FFFFFFFFFFFFFF
NO DATA

>2B FFFFFFFFFFFFFF
NO DATA

>2C FFFFFFFFFFFFFF
NO DATA

>2D FFFFFFFFFFFFFF
NO DATA

>2E FFFFFFFFFFFFFF
NO DATA

>2F FFFFFFFFFFFFFF
NO DATA

>20 FFFFFFFFFFFFFF
NO DATA

>21 FFFFFFFFFFFFFF
NO DATA

>22 FFDEFEFF300000
NO DATA

>

The 30000000000 response from the PCM indicates that it is ok to proceed with the entire multi-frame packet as fast as I like (see https://en.wikipedia.org/wiki/ISO_15765-2). The consecutive frames consist of a '2' and a sequence number 0-f,which loops back around if the packet is longer than 15 consecutive frames.

But after the last frame there is no response, and reading back the data again with 21 00 it hasn't changed :/ Have also tried sending some extra dummy data, adjusting the length, sending commands afterwards, but I think I'm missing something. So close I can feel it!

[zoptrik]

http://www.rx8ownersclub.co.uk/forum/vi ... hp?t=56965
http://www.rx8ownersclub.co.uk/forum/vi ... se+control
Did you see this links? I'm waiting for your solution.
Thanks.

[JamieM]

Well, yes, I have been an active poster in both of those threads... my username on RX8OC and here is the same

Solution unlikely, I've tried everything I can personally think of, need access to a VCM / VCM 2 to sniff what the official Mazda IDS does and copy that or something. Unless anyone has any ideas how to write as-built data with multi-frame CAN packets?