Info I Wish Someone Had Told Me About Ecu Reprogramming - Caution Nerd Alert

Discussion in 'Technical Help' started by lolachampcar, Sep 16, 2025 at 10:52 PM.

  1. lolachampcar

    lolachampcar New Member
    Subscriber

    Apr 12, 2025
    19
    3
    West Palm Beach, Florida
    I just recently started looking at mapping and ECU programming again due to some curiosity about some of my bikes. It’s been 15-20 years so it's taken a bit to re-familiarize myself with the whole environment. I also remember back to doing my initial work on programmers and ECU mapping thinking it would sure have been helpful if someone had done a write up how “this stuff” works. So, I thought I’d take a few moments and post some information. Others please feel free to add in if you like.

    Most of the ECUs I’ve looked at use the same protocol to program. There are normally three different memory spaces of which two are traditionally accessible for programming over the communication port. The two types of communication I’ve dealt with are K-Line which is a single wire serial connection and CAN which is a differential bus running at either 500k or 1M bits per second. The two areas of processor program space that are normally accessed are calibration space (where the maps/tables live) and program space where the primary program being run by the ECU lives. There is also a third space normally referred to as BootLoader space where the basic communication routines live. This protected area exists so you can completely foul up programming the main program space and still have the ability to talk to the ECU and fix it.

    So here is a quick summary of how ECU reprogramming works. I’ll stick to CAN bus as that is the norm for newer Cars/Bikes.

    The thing you connect to the target (car/bike) is considered a “test tool”. There is some data and communication that any test tool or tester can gain access to without special permission. In addition, there are other layers of access that require different levels of permission. The process is called tester authentication and involves a simple Seed/Key challenge. The tester asks for a level of security access and the target provides a Seed, normally two bytes. The Tester then applies an algorithm to generate a Key from the Seed which is sent back to the target. You get it right, you get access. I know of two ways to figure out the Seed/Key algorithm for a given ECU. You can join the association of test tool producers to gain access to information published by the OEMs or you can read the boot loader area and decompile the code to find the CAN handling and security areas. Now for an example of what this looks like. I’ll try to provide some notations but this is a MB ME97 flashing session. Bike ECUs do pretty much the same with a few differences depending on make/model like Triumph using extended CAN bus addressing.

    "00:02:54.80","7E8","Std","","01 7E 00 00 00 00 00 00 "
    "00:02:57.30","7E0","Std","","02 3E 01 FF FF FF FF FF "
    Generic keep alive message. Once you start a tester session you need to send periodic messages to keep the session active.

    Note CAN messages are 8 bytes long. The data being sent takes the form of “01” is less than 8 bytes of data. The next byte is number of bytes of data so the 02 above means the data is 3E and 01 with the rest being stuffing.

    A typical tester present message and response
    "00:03:53.30","7E0","Std","","02 10 92 FF FF FF FF FF " 10 followed by a 92 level
    "00:03:53.30","7E8","Std","","02 50 92 00 00 00 00 00 " ok acknowledgement

    Mode 27 security 27 01
    "00:03:53.51","7E0","Std","","02 27 01 FF FF FF FF FF " ask for Mode 27 access level 01
    "00:03:53.51","7E8","Std","","03 7F 27 78 00 00 00 00 " response to wait a sec
    "00:03:53.58","7E8","Std","","04 67 01 5E F4 00 00 00 " response here is your Seed 5E 4F
    "00:03:53.62","7E0","Std","","04 27 02 11 6E FF FF FF " tester chews on the Seed and provides a Key 11 6E
    "00:03:53.63","7E8","Std","","03 7F 27 78 00 00 00 00 " target thinking about it
    "00:03:53.71","7E8","Std","","03 67 02 34 00 00 00 00 " target accepts and grants access
    This is a security access level one request

    Testers then normally ask for a bunch of things like VIN number, software version and the like using 1A requests. These look like-
    "00:03:53.75","7E0","Std","","02 1A 9A FF FF FF FF FF "
    "00:03:53.76","7E8","Std","","10 0C 5A 9A 01 00 00 07 "
    "00:03:53.76","7E0","Std","","30 08 00 FF FF FF FF FF "
    "00:03:53.77","7E8","Std","","21 10 09 81 07 38 00 00 "

    "00:03:53.82","7E0","Std","","02 1A 9B FF FF FF FF FF "
    "00:03:53.82","7E8","Std","","10 0C 5A 9B 01 00 03 00 "
    "00:03:53.82","7E0","Std","","30 08 00 FF FF FF FF FF "
    "00:03:53.83","7E8","Std","","21 00 00 00 00 00 00 00 "
    "00:03:53.87","7E0","Std","","02 1A 9C FF FF FF FF FF "

    "00:03:53.87","7E8","Std","","10 15 5A 9C 01 01 03 0F "
    "00:03:53.87","7E0","Std","","30 08 00 FF FF FF FF FF "
    "00:03:53.88","7E8","Std","","21 18 FF 07 33 01 30 30 "
    "00:03:53.88","7E8","Std","","22 38 34 34 38 34 34 34 "
    "00:03:53.88","7E8","Std","","23 30 00 00 00 00 00 00 "

    "00:03:53.94","7E0","Std","","02 1A 9D FF FF FF FF FF " info request
    "00:03:53.95","7E8","Std","","10 15 5A 9D 01 01 03 FF " multi line response
    "00:03:53.95","7E0","Std","","30 08 00 FF FF FF FF FF " multi line acknowledgement
    "00:03:53.96","7E8","Std","","21 FF FF 07 33 00 30 30 "
    "00:03:53.96","7E8","Std","","22 35 34 34 37 33 37 34 "
    "00:03:53.96","7E8","Std","","23 30 00 00 00 00 00 00 "
    The last one looks like a SW number request. Multi line messages start with a value from 0x10 but less than 0x30. 0x30 is reserved for a multi line acknowledgement. The amount of data in the line is the low nibble (least significant four bits) of the first byte on top of the next byte. The low nibble of 0x10 is 0 and the next byte is 0x15 so the total message length is 0x015 or 21 bytes which looks like this
    15 5A 9D 01 01 03 FF FF FF 07 33 00 30 30 35 34 34 37 33 37 34 23
    The last ten bytes are ASCII for 005447374# which IMSM is a software number for the ME97.


    Now we look at a different access level
    "00:04:02.82","7E0","Std","","02 10 85 FF FF FF FF FF " test present for programming 10 85
    "00:04:02.84","7E8","Std","","02 50 85 00 00 00 00 00 "

    "00:04:02.88","7E0","Std","","02 27 05 FF FF FF FF FF " Seed/Key access for mode27 level 05
    "00:04:02.88","7E8","Std","","04 67 05 56 8D 00 00 00 "
    "00:04:02.92","7E0","Std","","04 27 06 4C BF FF FF FF "
    "00:04:02.92","7E8","Std","","03 7F 27 78 00 00 00 00 "
    "00:04:02.93","7E8","Std","","03 67 06 34 00 00 00 00 "

    Erasure Command
    "00:04:03.15","7E0","Std","","02 31 E0 FF FF FF FF FF " erase “E0” space
    "00:04:03.15","7E8","Std","","03 7F 31 78 00 00 00 00 " thinking about it
    "00:04:07.65","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:12.16","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:16.67","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:21.17","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:25.68","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:30.19","7E8","Std","","03 7F 31 78 00 00 00 00 "
    "00:04:30.64","7E8","Std","","03 71 E0 00 00 00 00 00 " Done

    Mode 34 download 2000000 for 1C840
    "00:04:30.68","7E0","Std","","10 08 34 02 00 00 00 01 "
    "00:04:30.68","7E8","Std","","30 08 00 00 00 00 00 00 "
    "00:04:30.68","7E0","Std","","21 C8 40 FF FF FF FF FF "
    "00:04:30.69","7E8","Std","","03 74 00 FD 00 00 00 00 "
    This is a request to send a certain amount of data starting at a given processor address space. This command’s values will change by processor and area being reprogrammed.

    Here is some of the actual data transfer
    "00:04:30.76","7E0","Std","","10 FD 36 5A 5A 5A 5A 33 " FD bytes of Mode 36 data starting 0x5A 0x5A….. Note the 0xFD amount of data includes the “36” which is not reflashing data.
    "00:04:30.76","7E8","Std","","30 08 00 00 00 00 00 00 "
    "00:04:30.77","7E0","Std","","21 33 33 33 00 02 00 C0 "
    "00:04:30.77","7E0","Std","","22 00 02 00 80 00 02 01 "
    "00:04:30.77","7E0","Std","","23 00 FF FF FF FF 00 03 "
    "00:04:30.77","7E0","Std","","24 C8 3C 00 03 C8 3C 00 "
    "00:04:30.77","7E0","Std","","25 02 9E 18 00 02 9C FC "
    "00:04:30.77","7E0","Std","","26 00 02 9E 18 00 02 9E "
    "00:04:30.77","7E0","Std","","27 18 00 04 01 50 00 05 "
    "00:04:30.77","7E0","Std","","28 62 78 BD AF 80 00 42 "
    "00:04:30.77","7E8","Std","","30 08 00 00 00 00 00 00 " periodic target acknowledgement
    "00:04:30.77","7E0","Std","","29 50 7F FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2A FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2B FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2C FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2D FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2E FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","2F FF FF FF FF FF FF FF "
    "00:04:30.77","7E0","Std","","20 FF FF FF FF FF FF FF "
    "00:04:30.77","7E8","Std","","30 08 00 00 00 00 00 00 "
    Yada yada yada

    "00:04:30.78","7E0","Std","","21 00 00 00 00 00 00 00 "
    "00:04:30.78","7E0","Std","","22 00 00 00 00 00 00 00 "
    "00:04:30.78","7E0","Std","","23 00 00 00 00 00 00 00 "
    "00:04:30.78","7E0","Std","","24 00 00 FF FF FF FF FF "
    "00:04:30.79","7E8","Std","","01 76 00 00 00 00 00 00 " target acknowledges getting the data

    "00:04:30.87","7E0","Std","","10 FD 36 00 00 00 00 FF " next Block 36 transfer
    "00:04:30.87","7E8","Std","","30 08 00 00 00 00 00 00 "
    "00:04:30.87","7E0","Std","","21 FF FF FF FF FF FF FF "
    "00:04:30.87","7E0","Std","","22 FF FF FF FF FF FF FF "



    "00:20:00.66","7E0","Std","","2A 01 0F 01 0F 00 00 00 "
    "00:20:00.66","7E0","Std","","2B 00 00 00 00 00 5A 5A "
    "00:20:00.66","7E0","Std","","2C 5A 5A FF FF FF FF FF "
    "00:20:00.67","7E8","Std","","01 76 00 00 00 00 00 00 " got it


    "00:20:00.69","7E0","Std","","01 37 FF FF FF FF FF FF " Tester saying all done
    "00:20:00.69","7E8","Std","","01 77 00 00 00 00 00 00 " Target acknowledging

    I’ll leave it here for now and happy to make corrections if I got anything wrong.
     
    • Useful Useful x 1
    • Informative Informative x 1
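
Added example, not part of the original post: a small Python decoder for the single-line and multi-line framing described in the first post, run over lines copied from that capture. The function names `reassemble` and `describe` are assumptions of this example, and the labels cover only the byte patterns visible in the log.

```python
import csv, io

# Lines copied from the capture in the post above (tester = 7E0, ECU = 7E8).
CAPTURE = '''\
"00:03:53.51","7E0","Std","","02 27 01 FF FF FF FF FF "
"00:03:53.51","7E8","Std","","03 7F 27 78 00 00 00 00 "
"00:03:53.58","7E8","Std","","04 67 01 5E F4 00 00 00 "
"00:03:53.94","7E0","Std","","02 1A 9D FF FF FF FF FF "
"00:03:53.95","7E8","Std","","10 15 5A 9D 01 01 03 FF "
"00:03:53.95","7E0","Std","","30 08 00 FF FF FF FF FF "
"00:03:53.96","7E8","Std","","21 FF FF 07 33 00 30 30 "
"00:03:53.96","7E8","Std","","22 35 34 34 37 33 37 34 "
"00:03:53.96","7E8","Std","","23 30 00 00 00 00 00 00 "
'''

def reassemble(capture):
    """Return [(can_id, payload_bytes)] with the transport framing removed."""
    pending, out = {}, []      # pending: can_id -> [expected_len, buffer, next_seq]
    for row in csv.reader(io.StringIO(capture)):
        can_id, data = row[1], bytes.fromhex(row[4])
        kind = data[0] >> 4
        if kind == 0:                                  # single frame: low nibble = length
            out.append((can_id, data[1:1 + (data[0] & 0x0F)]))
        elif kind == 1:                                # first frame: 12-bit total length
            total = ((data[0] & 0x0F) << 8) | data[1]
            pending[can_id] = [total, bytearray(data[2:]), 1]
        elif kind == 2 and can_id in pending:          # consecutive frame
            total, buf, seq = pending[can_id]
            if data[0] & 0x0F != seq:
                raise ValueError(f"{can_id}: sequence gap, expected {seq:X}")
            buf += data[1:]                            # byte 0 is the counter, not data
            pending[can_id][2] = (seq + 1) & 0x0F      # counter wraps 0xF -> 0x0
            if len(buf) >= total:
                out.append((can_id, bytes(buf[:total])))   # drop trailing padding
                del pending[can_id]
        # kind == 3 is the "30 08 00" acknowledgement: transport only, no payload
    return out

def describe(payload):
    """Label a reassembled message from its first byte(s)."""
    if payload[0] == 0x7F:
        note = "response pending" if payload[2] == 0x78 else f"code {payload[2]:02X}"
        return f"negative response to {payload[1]:02X} ({note})"
    if payload[0] & 0x40:
        return f"positive response to {payload[0] - 0x40:02X}"
    return f"request {payload[0]:02X}"
```

On the 1A 9D exchange this returns a 0x15-byte payload beginning 5A 9D; its last ten bytes decode as ASCII `0054473740`, because the leading 21/22/23 of each continuation line is a sequence counter and is stripped during reassembly.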
  2. bob1

    bob1 Noble Member
    Subscriber

    Mar 12, 2018
    510
    443
    Somerset
    haven't got a clue what you're talking about lol my brain just fried
     
    • Agree Agree x 2
  3. Eldon

    Eldon Crème de la Crème

    Nov 14, 2018
    8,226
    1,000
    North Yorkshire
    Excellent write up and insight into what most, including myself, would view as a black art or some voodoo electrickery.
    When I get chance, I need to read, and re-read that in depth, and try to get a grasp of what you are saying.

    Thank you for sharing.
     
  4. lolachampcar

    lolachampcar New Member
    Subscriber

    Apr 12, 2025
    19
    3
    West Palm Beach, Florida
    I'm just hoping it will accelerate someone like me when I got started.
    That said, it is pretty thick but did come with a Nerd warning :)
     
    • Funny Funny x 1