Pages: [1]
Author Topic: Any hints to find Nm limiter in Aisin AL1000 gearboxes?  (Read 6090 times)
k0mpresd
Hero Member
*****

Karma: +146/-54
Offline Offline

Posts: 1655


« on: February 07, 2016, 11:58:07 AM »

anyone have tips to finding Nm limiters or other helpful maps in Aisin AL1000 gearbox?

attached data portion from frf file > bin.

regards.
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #1 on: January 03, 2021, 05:00:30 PM »

Old thread, but does anyone know what is the torque limit from AL1000 0C8927750H 1885? It´s for 2012 Touareg with CASA engine 176kw 550NM. Attached Winols FRF -> BIN file, it´s data part only.
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #2 on: January 03, 2021, 09:17:11 PM »

In fact blocks in FRF for these TCU are not crypted, so it "should" be possible to modify FRF/ODX, calculate checksum (OLS817) and flash it with standard tools.

Does anyone know if these tcu have some kind of protection / RSA which tuning tools bypass before writing calibration? TCU is outside from gearbox and very cheap at ebay. Someone knows what is inside?
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #3 on: January 20, 2021, 11:37:42 AM »

If anyone needs pinout for table test...
« Last Edit: January 20, 2021, 11:40:57 AM by cherry » Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #4 on: October 29, 2021, 02:43:30 PM »

Since i was asked in PM about these tcu controllers. There is a SH7058 in AL750 and SH7059 in AL1000. SH7058 can be read even with some Fgtech clone or i think with some other clone tools for these mcu. I bought xprog from eldb with authorization for these Renesas SuperH: http://www.eldb.eu/index.php?route=product/product&path=35&product_id=87 There is also a pinout online for AL750. To make it short, it was waste of money, support is not existant, i think SH7059 will never work. Anyway SGO from AL750 (some does not exist, e.g. the Q7 BTR from a friend) and FRF from AL1000 can be unpacked straight forward since they are not compressed or crypted, checksum can be done with OLS817. Signing from SGO / ODX is also no problem because it´s only the checksum result. Some newer AL1000 tcu has compressed FRF, this will make it a little bit more complicated. Anyway did not found informations about AISIN maps, my friend lost his driver license, so for now i canceled this...
Logged
kpematop
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 8


« Reply #5 on: August 09, 2022, 06:00:56 AM »

Does anyone has damos for 0C8/AL1000?
Many cables supports now virtual read/writing but no good damos ...
Logged
cstl3722
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #6 on: May 13, 2024, 07:31:54 PM »

Since i was asked in PM about these tcu controllers. There is a SH7058 in AL750 and SH7059 in AL1000. SH7058 can be read even with some Fgtech clone or i think with some other clone tools for these mcu. I bought xprog from eldb with authorization for these Renesas SuperH: http://www.eldb.eu/index.php?route=product/product&path=35&product_id=87 There is also a pinout online for AL750. To make it short, it was waste of money, support is not existant, i think SH7059 will never work. Anyway SGO from AL750 (some does not exist, e.g. the Q7 BTR from a friend) and FRF from AL1000 can be unpacked straight forward since they are not compressed or crypted, checksum can be done with OLS817. Signing from SGO / ODX is also no problem because it´s only the checksum result. Some newer AL1000 tcu has compressed FRF, this will make it a little bit more complicated. Anyway did not found informations about AISIN maps, my friend lost his driver license, so for now i canceled this...

On a decoded AL1000 FRF does someone know how to figure the start address of each datablock ? In this case we have 01 and 02 as SOURCE-START-ADDRESS

         
Code:
<DATABLOCKS>
            <DATABLOCK ID="EMEM_0C8927750CF3376.DB_0ERASEDATA" TYPE="ERASE">
              <SHORT-NAME>DB_0ERASEDATA</SHORT-NAME>
              <LONG-NAME>0 ERASE DATA</LONG-NAME>
              <FLASHDATA-REF ID-REF="EMEM_0C8927750CF3376.FD_0ERASEDATA"/>
              <SEGMENTS>
                <SEGMENT ID="EMEM_0C8927750CF3376.DB_0ERASEDATA.SEG_0ERASEDATA">
                  <SHORT-NAME>SEG_0ERASEDATA</SHORT-NAME>
                  <LONG-NAME>0 ERASE DATA</LONG-NAME>
                  <SOURCE-START-ADDRESS>01</SOURCE-START-ADDRESS>
                  <UNCOMPRESSED-SIZE>1048576</UNCOMPRESSED-SIZE>
                </SEGMENT>
              </SEGMENTS>
            </DATABLOCK>
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-115
Offline Offline

Posts: 1070


« Reply #7 on: May 14, 2024, 12:21:20 AM »

I'm sure the god Laborde will soon chime on here to try to sell you a map pack that contains no torque limiters LOL
Logged

I have no logs because I have a boost gauge (makes things easier)
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #8 on: May 14, 2024, 10:59:05 AM »

I'm sure the god Laborde will soon chime on here to try to sell you a map pack that contains no torque limiters LOL

 Cheesy Cheesy Cheesy Cheesy Cheesy Grin Grin Grin Grin
Logged
dikidera
Full Member
***

Karma: +8/-8
Offline Offline

Posts: 149


« Reply #9 on: May 14, 2024, 11:21:42 AM »

Just for funsies I loaded the file in the main post in IDA. I have more experience with SH2 now and makes some things easier, but my method of reverse engineering is to view the code and data the way the ECU sees it. I lay it out in the memory regions where I need them.

In my opinion you need a full dump (full no missing bytes) of the main SH2 rom, and any external memories. Then you can stitch an IDB and start reverse engineering. Of course this is a general approach I would personally take, unless there are some internal documents which give you an edge.

Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.02 seconds with 16 queries. (Pretty URLs adds 0s, 0q)