Man-in-the-middle OBD2 cable

Reading a 370 ECU ROM

I’ve always been interested in tuning my vehicles; even when I had cars that weren’t worth the effort. Now that I have a fun car, I’m going to finally get the chance to do it.

I’m aware that the Subaru community has a lot of support in the form of Open Source tools for ECU tuning, and we simply don’t have that for our newer Nissans. I would like to change that.

As I’m doing my research I’ve also learned that there are several “classes” of ECUs for most Nissan vehicles. It seems that before around 2008/2009 most of the ECUs were not exclusively controlled/queried over the CAN bus. There is some limited community support for these older K-line-equipped ECUs.

For our newer vehicles, we for the most part have to turn to one of two tuning systems; ECUTek or UpRev. From what I hear, ECUTek is more advanced software, but UpRev allows individuals to tune on their own. This is important to me. I waited around until I found a good deal on a used UpRev tuner cable/license on the 370z forums and I got it at a little less than half price. I’ve only casually played around with their software, but I was hoping for it to be more open than it is. I understand the need for companies to protect their IP, but I was hoping for a little more access, in general, than they provide. For example, I would like the ability to read my stock ROM from the vehicle. There is no reason for their tool not to support reading and saving a STOCK ROM… but they don’t.

There is an option in their software to “Copy ECU Data”. It seemed to me like this would dump my ROM. I connected the tool and read the data. After the tool finished, I was excited to be able to open up my ROM in a hex editor and stare at beautiful tables. Unfortunately, the tool stores even the stock ROMs encrypted on your PC. Why? Surely there’s no harm in giving me my own data. The tool instructed me to send the encrypted ROM file to UpRev. After some reading, I think that I learned that this is mainly used for sending ROMs from new, unsupported vehicles to UpRev, so that you can pay them to add a new model to their lineup.

So how do I get my ROM?

It just so happens that I work in the automotive industry, as a software engineer for a company that makes braking ECUs. Because of this, I have access to some high-quality CAN tools. I figured that even if UpRev decides to store my stock ROM encrypted on my laptop, the reading of my ROM by the tool will still be cleartext on the bus. I figured that if I take a bus log of the entire ECU read, then I could possibly recover my ROM from the data in the CAN transfer…

I figured right.

I brought my work laptop and my Vector CAN card home, and fired up my personal laptop with UpRev installed. I re-read my ECU with their tool, but this time I was watching in the background on my other laptop. I logged the entire 15 minute bus transfer in Vector’s CANalyzer software. In order to accomplish this, I had to make a “Man in the middle” cable that lets me watch the CAN bus during the transfer. I left the rest of the OBD lines undisturbed, in case the tool uses those for some reason during the transfer.

After I pulled the entire log I was encouraged that this was going to work: the entire ECU ROM is read through service 0x23 requests. For those unfamiliar, that is the UDS ReadMemoryByAddress service, a diagnostic request (carried over CAN by the ISO-TP transport) for data stored at an arbitrary address. Support for this service is fading, for good reasons revolving around security concerns: a tester that can read arbitrary memory can read everything the ECU holds. The ECU ROM is read 63 bytes at a time.

Below is a small sample of the data transfers:

CANFD 1 Rx 7e0 0 0 8 8 07 23 00 00 27 9f 00 3f
CANFD 1 Rx 2de 0 0 8 8 00 00 80 05 70 00 02 9c
CANFD 1 Rx 7e8 0 0 8 8 10 40 63 00 81 65 85 66
CANFD 1 Rx 2de 0 0 8 8 00 00 80 05 70 00 02 9c
CANFD 1 Rx 7e8 0 0 8 8 10 40 63 00 81 65 85 66

The tool’s ID is 0x7e0, and the ECU responds on 0x7e8; the 0x2de frames are other traffic on the bus that gets filtered out. The leading 0x07 is the ISO-TP single-frame header (seven payload bytes follow), so the first message is the UpRev tool asking for 63 bytes of data (0x3f) from memory address 0x279f. After the request the ECU sends this data: 0x10 0x40 is an ISO-TP first frame announcing a 64-byte response, the 0x63 positive-response byte plus the 63 data bytes, and the remainder arrives in consecutive frames. After seeing how simple and structured these requests are, I wasn’t worried about being able to recover my ROM.

What I ended up doing was writing a small piece of software (two, actually) to parse out the ROM data. First, I wrote a small perl script to filter out everything except the messages from IDs 0x7e0 and 0x7e8. Then I wrote a small C# program to reconstruct the ROM from the remaining CAN messages. It’s not professional or beautiful code; it’s utilitarian and it works. It isn’t abstracted to the point where it can be used on other vehicles with other CAN IDs, but I’m happy with how it turned out for 97 minutes of coding (yes, I timed it). I will post the code here; I haven’t modified it to make it pretty. I should also note that the small perl script was my first and last experience with perl. I’m sure it’s inefficient, and I’m probably doing everything in all the wrong ways. Hopefully no one will laugh at me too hard, and maybe it will be useful to someone else.

I’ll also add my original CAN bus log and the ROM that my tool produced. I had to zip the stock ROM with a password for WordPress to accept the binary as an upload. The password is “leftoverpi”. Enjoy!
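To make the log-to-ROM step concrete, here is an added example in Python. It is not the author’s perl script or C# program (neither is reproduced on this page); it is a fresh implementation of the same idea. It assumes the line layout of the log sample above (no timestamp column; the CAN ID is the fourth token and the data length the eighth), the request layout shown above (0x23, a 4-byte address, a 2-byte length, with no format-identifier byte), and standard ISO-TP framing for the response. The `simulate_log` function is a constructed stand-in for the tool and the ECU so the whole thing runs offline; the frame contents it produces are modelled on the sample, not taken from a real capture. Unlike a simple concatenation of responses, it places each chunk at the address that was requested and reports any request that never got a complete reply.

```python
"""Reconstruct an ECU ROM image from a CAN log of ReadMemoryByAddress (0x23) traffic.

Added example, not the post's perl/C# tools.  Assumptions (from the post's log
sample and standard ISO-TP, ISO 15765-2):
  * a log line looks like 'CANFD 1 Rx 7e0 0 0 8 8 07 23 00 00 27 9f 00 3f':
    token 3 is the CAN ID, token 7 the data length, data bytes follow;
  * a read request is 23 <4-byte address> <2-byte length>, as in the log;
  * the ECU replies with an ISO-TP first frame ('10 40 63 ...') followed by
    consecutive frames, and the tester answers with a flow-control frame.
"""
from dataclasses import dataclass, field

TESTER_ID, ECU_ID = 0x7E0, 0x7E8
READ_MEMORY, POS_RESP = 0x23, 0x63


def parse_line(line):
    """Return (can_id, data) for one log line, or None for lines that are not frames."""
    tok = line.split()
    if len(tok) < 9 or tok[0] not in ("CAN", "CANFD"):
        return None
    n = int(tok[7])
    return int(tok[3], 16), bytes(int(b, 16) for b in tok[8:8 + n])


def build_read_request(address, length):
    """The single-frame 0x23 request the tool sends: PCI byte, then 23 addr(4) len(2)."""
    payload = bytes([READ_MEMORY]) + address.to_bytes(4, "big") + length.to_bytes(2, "big")
    return (bytes([len(payload)]) + payload).ljust(8, b"\x00")


@dataclass
class IsoTp:
    """Minimal ISO-TP receiver: feed() raw frames, get a complete payload or None."""
    buf: bytearray = field(default_factory=bytearray)
    expected: int = 0
    seq: int = 0

    def feed(self, data):
        pci = data[0] >> 4
        if pci == 0:                                  # single frame: length in the low nibble
            return bytes(data[1:1 + (data[0] & 0x0F)])
        if pci == 1:                                  # first frame: 12-bit length, 6 payload bytes
            self.expected = ((data[0] & 0x0F) << 8) | data[1]
            self.buf, self.seq = bytearray(data[2:8]), 1
        elif pci == 2 and self.expected:              # consecutive frame: 4-bit sequence number
            if (data[0] & 0x0F) != self.seq:          # lost or reordered frame: abandon the transfer
                self.expected = 0
                return None
            self.seq = (self.seq + 1) & 0x0F
            self.buf += data[1:8]
        else:                                         # flow control or a stray frame
            return None
        if len(self.buf) >= self.expected:
            payload, self.expected = bytes(self.buf[:self.expected]), 0
            return payload
        return None


def reconstruct_rom(lines, fill=0xFF):
    """Pair each 0x23 request with its positive response and lay the data down at the
    requested address.  Returns (image, unanswered); unread regions are filled with
    `fill` so a missing chunk shows up as a hole rather than as shifted data."""
    chunks, unanswered, pending, rx = {}, [], None, IsoTp()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        can_id, data = parsed
        if can_id == TESTER_ID:
            if data[0] == 0x07 and data[1] == READ_MEMORY:
                if pending is not None:               # previous request never completed
                    unanswered.append(pending)
                pending = (int.from_bytes(data[2:6], "big"), int.from_bytes(data[6:8], "big"))
            continue                                  # session control, flow control, etc.
        if can_id != ECU_ID:
            continue                                  # everything else on the bus (e.g. 0x2de)
        payload = rx.feed(data)
        if payload is None or pending is None:
            continue
        addr, length = pending
        if payload[0] == POS_RESP and len(payload) == length + 1:
            chunks[addr] = payload[1:]
        else:                                         # negative response (0x7F) or wrong length
            unanswered.append(pending)
        pending = None
    if pending is not None:
        unanswered.append(pending)
    size = max((a + len(d) for a, d in chunks.items()), default=0)
    rom = bytearray([fill]) * size
    for a, d in chunks.items():
        rom[a:a + len(d)] = d
    return bytes(rom), unanswered


def simulate_log(rom, base, chunk=0x3F):
    """Constructed log (test input only): a session-control exchange, then one 0x23
    request per chunk with the ECU's ISO-TP reply and unrelated 0x2de frames mixed in."""
    def fmt(can_id, data):
        return f"CANFD 1 Rx {can_id:x} 0 0 8 8 " + data.ljust(8, b"\x00").hex(" ")
    noise = fmt(0x2DE, bytes.fromhex("000080057000029c"))
    lines = [fmt(TESTER_ID, bytes.fromhex("021085")), fmt(ECU_ID, bytes.fromhex("025085"))]
    for off in range(0, len(rom), chunk):
        length = min(chunk, len(rom) - off)
        lines += [fmt(TESTER_ID, build_read_request(base + off, length)), noise]
        resp = bytes([POS_RESP]) + rom[off:off + length]
        if len(resp) <= 7:                            # short reply fits a single frame
            lines.append(fmt(ECU_ID, bytes([len(resp)]) + resp))
            continue
        lines.append(fmt(ECU_ID, bytes([0x10 | (len(resp) >> 8), len(resp) & 0xFF]) + resp[:6]))
        lines.append(fmt(TESTER_ID, bytes.fromhex("300000")))   # flow control: clear to send
        for seq, pos in enumerate(range(6, len(resp), 7), start=1):
            lines.append(fmt(ECU_ID, bytes([0x20 | (seq & 0x0F)]) + resp[pos:pos + 7]))
    return lines
```

On a real capture, read the exported log into `lines` and call `reconstruct_rom`; check the returned `unanswered` list before trusting the image, because a CAN card that drops a consecutive frame under load will otherwise give you a ROM that opens fine in a hex editor but has a 63-byte hole of 0xFF at that address.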

Please comment with any tips, corrections or opinions!

8 Replies to “Reading a 370 ECU ROM”

    1. His blog (which I found from some threads in the 370z forums) is what really got me interested in playing around with the CAN bus on the Z. I planned to mention/link to him when I add a post specifically about playing around on the bus. Thanks!

  1. Hey mate,

    Nice write up! I’m wondering if you might be able to help me convert an Uprev ROM dump to a binary file I can use to upload to an ECU? I had an uprev upload fail and am now left with an ECU that won’t flash or turn on. As I have the original Uprev rom dump that I took prior to Uprev adding support for this ECU, is it possible to send you the binary and get it ‘stripped’ of the encryption and turn out a usable binary I can work with?

    I also have a binary of the same file from ECUtek. Do you know if they have encrypted ROMs also?

    Cheers!

    1. Hi, thanks for the comment!
      Unfortunately I don’t know of any way to directly convert a proprietary UpRev ROM file to a raw ROM file; they are pretty heavily protected. I do have some reversing experience, and I wanted to play around with the UpRev software itself. I was only able to learn that they license some pretty advanced obfuscation software, which is beyond my ability. It is for this reason that I had to take the long way around and reconstruct the ROM from the flash log. The raw version of a UpRev tune can be recovered, but this is the only way I know how to do it.
      I do not have any knowledge of ECUTek, but I assume it would be a similar setup.
      What vehicle/year is it? I’m in the process of getting a bench setup with a spare ECU that I can run tests on.

  2. Nicely done! I’m about to start working on reverse engineering the CAN traffic on my Z33. I’ve been meaning to do it for years but I’m lazy. I work at one of the auto manufacturers doing IVI research and it’s sort-of sad how often we have to reverse engineer our own data. 🙂

    I noticed you’re in the Detroit Metro area… We’ve got a pretty good club (although not so active lately) in the area you might want to check out. Website is linked but Facebook is where things are actually active.

  3. I must be missing something. If you have experience with the CAN protocol, and you even have an example of how the read is being performed from the UpRev capture, can you not fashion your own program to perform the read queries directly on the ECM without using the UpRev software or cable?

    1. Hi John, thanks for the question. The reason that I used the UpRev software and cable is because they have already done all of the boring work in making a program to do so, and they already know any Nissan protocols that may or may not be in place for reading and/or writing the flash (for example, the very first message from the tool is a UDS session control request for session 0x85). I was interested in seeing this. Also, this was my first time using the UpRev software, and I had all the CAN traffic that it sent, so writing a parser for it was not a lot of work.

      In theory, I think the fastest solution for such a program would be to simply use a CAPL script in CANalyzer. It could probably be knocked out by an experienced person in an hour or two.
