Author Topic: Toyota firmware fail  (Read 24618 times)


Offline dannyf

  • Super Contributor
  • ***
  • Posts: 8229
  • Country: 00
Re: Toyota firmware fail
« Reply #75 on: November 03, 2013, 02:54:38 pm »
Quote
could flip bits illegally

I don't know how you could flip bits "illegally" or "legally" for that matter.

The person in question seems to be an expert at selectively presenting his facts and selling his stories to the legal system.

Whether he is an expert on identifying the issues remains to be seen.

Unfortunately, our system favors people like that.
================================
https://dannyelectronics.wordpress.com/
 

Offline G0HZU

  • Super Contributor
  • ***
  • Posts: 2576
  • Country: gb
Re: Toyota firmware fail
« Reply #76 on: November 03, 2013, 03:17:48 pm »
Quote
I don't know how you could flip bits "illegally" or "legally" for that matter.

They are just the words I chose to describe the process... what I mean is that I'm assuming they allowed him to tap into the system to overwrite bits in various registers/memory at will.

I could do this with Denso ECUs once I had modified their code to allow write access. Their ECUs in the 80s/90s had a diagnostic window where you could ask the ECU for the contents of registers or memory on each lap of the main runtime. It isn't difficult to mod this to allow write access direct to the registers and RAM.

Obviously, this could cause all kinds of chaos if you started modifying the RAM with the intent to corrupt the system. It would be possible to write code that flipped the bits during other parts of the run time as well. What I find amusing is that Barr still failed to cause the UA even with the ability to modify the memory contents.

Obviously I have never seen the program code for the ECU in question but I remain really impressed with the quality of Denso's ECUs (and coding) for the 80s and 90s ECUs that I did look at. However, I'm not a professional ECU designer or reviewer so I guess my opinion carries little weight :)
 

Offline pinkysbrein

  • Contributor
  • Posts: 33
Re: Toyota firmware fail
« Reply #77 on: November 03, 2013, 03:46:24 pm »
One day I accidentally left the parking lights on overnight.  When I went back to the van I could hear a relay chattering due to the really low battery.

Naive question to which I assume there is an answer which I should simply realize, but I don't and google isn't helping. Why do cars generally not have low voltage lockouts which just turn stuff off until you start the engine?
« Last Edit: November 03, 2013, 03:49:13 pm by pinkysbrein »
 

Offline dannyf

  • Super Contributor
  • ***
  • Posts: 8229
  • Country: 00
Re: Toyota firmware fail
« Reply #78 on: November 03, 2013, 04:26:33 pm »
Quote
They are just the words I chose to describe the process...

That's fine as long as you don't use those words to communicate with other people - otherwise, people get confused by your arbitrary meanings of words.

Quote
I could do this with Denso ECUs once I had modified their code to allow write access.

It is a typical fairy tale of people modifying modern ECUs (without access to OEM documentation).

Quote
Why do cars generally not have low voltage lockouts which just turn stuff off until you start the engine?

If the battery has gotten so low it wouldn't have started the car anyway. Then, what's the point of such a feature?
================================
https://dannyelectronics.wordpress.com/
 

Offline G0HZU

  • Super Contributor
  • ***
  • Posts: 2576
  • Country: gb
Re: Toyota firmware fail
« Reply #79 on: November 03, 2013, 04:57:32 pm »
Quote
It is a typical fairy tale of people modifying modern ECUs (without access to OEM documentation).

I'm the one getting confused by your meaning of words now... What do you mean by fairy tale? Are you implying that I am making this up?

 

Offline dannyf

  • Super Contributor
  • ***
  • Posts: 8229
  • Country: 00
Re: Toyota firmware fail
« Reply #80 on: November 03, 2013, 05:32:32 pm »
Quote
Are you implying that I am making this up?

I wasn't implying at all.
================================
https://dannyelectronics.wordpress.com/
 

Offline G0HZU

  • Super Contributor
  • ***
  • Posts: 2576
  • Country: gb
Re: Toyota firmware fail
« Reply #81 on: November 03, 2013, 06:54:09 pm »
Whatever... :)


One day I ought to revisit my work on this stuff and do a youtube teardown of a hacked Denso ECU.

I did do this for a Toyota club magazine about 10 years ago and explained in several magazine articles how all the mapping worked and printed out the maps and explained how it was able to control the fuel and ignition.

I managed to find a screenshot of an early tuning interface of mine. I think this was for a MR2 turbo and this would have been the interface used by Ryan (and Charlie) at Surrey rolling road maybe 7 years ago.

The interface allowed the stock 'read only' diagnostics to run but it also supported my extra code that allowed write access (via a packet system over RS-232) to the relevant map address in RAM memory. It used various forms of error checking to minimise bugs.

The idea was to then burn these tuned maps into the factory program code (in external FLASH) once the mapping was complete. So my modded code was only temporary and wasn't used for daily driving. So only the map values were changed in the version uploaded to FLASH memory after tuning.

To get the factory ECU to support remapping required the MCU in the ECU to be reconfigured to support external memory and this required a piggy PCB to hold the factory MCU plus a CPLD and a datalogging/tuning interface that I designed. The piggy PCB is below and shows the factory MCU plus the CPLD and external Flash and SRAM. The ribbon cables fit into the 64 holes vacated by the original 64 pin MCU.
« Last Edit: November 03, 2013, 07:02:33 pm by G0HZU »
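
An added illustration (not G0HZU's code and not part of the original thread) of the kind of guarded write handler Reply #81 describes: a serial packet is applied only if its length and checksum are valid and its target range lies entirely inside the map window in RAM. The frame layout, the additive checksum, and every name and size below are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout, constructed for illustration:
 *   [0] cmd  [1..2] offset into map (big-endian)  [3] len  [4..] data  [last] checksum
 * checksum = two's complement of the 8-bit sum of all preceding bytes,
 * so the 8-bit sum over a valid frame is 0. */
#define CMD_WRITE_MAP 0x57u
#define MAP_SIZE      256u  /* size of the tunable map window (assumed) */
#define MAX_PAYLOAD   16u
#define HDR_LEN       4u

enum pkt_status { PKT_OK = 0, PKT_BAD_LEN, PKT_BAD_SUM, PKT_BAD_CMD, PKT_OUT_OF_RANGE };

static uint8_t map_ram[MAP_SIZE];  /* stand-in for the map copy held in RAM */

static uint8_t sum8(const uint8_t *p, size_t n)
{
    uint8_t s = 0;
    while (n--) s = (uint8_t)(s + *p++);
    return s;
}

/* Tool side: build a write frame. Returns frame length, or 0 on bad arguments. */
size_t pkt_build(uint8_t *out, size_t cap, uint16_t off, const uint8_t *data, uint8_t len)
{
    size_t total = HDR_LEN + (size_t)len + 1u;
    if (len == 0 || len > MAX_PAYLOAD || cap < total) return 0;
    out[0] = CMD_WRITE_MAP;
    out[1] = (uint8_t)(off >> 8);
    out[2] = (uint8_t)(off & 0xFFu);
    out[3] = len;
    memcpy(out + HDR_LEN, data, len);
    out[total - 1] = (uint8_t)(0u - sum8(out, total - 1));
    return total;
}

/* ECU side: validate first, write last. Nothing is stored on any failure. */
enum pkt_status pkt_handle(const uint8_t *f, size_t n)
{
    if (n < HDR_LEN + 2u) return PKT_BAD_LEN;           /* shortest frame: 1 data byte */
    uint8_t len = f[3];
    if (len == 0 || len > MAX_PAYLOAD || n != HDR_LEN + (size_t)len + 1u)
        return PKT_BAD_LEN;                             /* declared vs. received length */
    if (sum8(f, n) != 0) return PKT_BAD_SUM;            /* catches flipped bits on the wire */
    if (f[0] != CMD_WRITE_MAP) return PKT_BAD_CMD;
    uint16_t off = (uint16_t)((f[1] << 8) | f[2]);
    /* Overflow-safe bounds check: the whole range must sit inside the window,
     * so a write can never spill into neighbouring variables or the stack. */
    if (off >= MAP_SIZE || len > MAP_SIZE - off) return PKT_OUT_OF_RANGE;
    memcpy(&map_ram[off], &f[HDR_LEN], len);
    return PKT_OK;
}

/* Read-back helper for verification; returns 0 for offsets outside the window. */
uint8_t map_peek(uint16_t off)
{
    return off < MAP_SIZE ? map_ram[off] : 0;
}
```
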
 

Online Dr. Frank

  • Super Contributor
  • ***
  • Posts: 1875
  • Country: de
Re: Toyota firmware fail
« Reply #82 on: November 03, 2013, 07:10:17 pm »
I would be surprised if Denso is a major player in the ecu (chip) business: Renesas and Freescale are two names I would put on top in that market.

You have misunderstood something:

Denso, like Delphi, Bosch, Conti and so on, are suppliers of the complete modules / electronics for Toyota.

Renesas and Freescale are sub-suppliers, they produce the microcontrollers only, and deliver them to Denso et al., but do not design ECUs or other modules on their own.

Frank
« Last Edit: November 03, 2013, 07:18:17 pm by Dr. Frank »
 

Offline G0HZU

  • Super Contributor
  • ***
  • Posts: 2576
  • Country: gb
Re: Toyota firmware fail
« Reply #83 on: November 03, 2013, 07:20:52 pm »
I found the court case PDF here:


http://cybergibbons.com/wp-content/uploads/2013/10/Bookout_v_Toyota_Barr_REDACTED.pdf

It's not exactly riveting reading but it does show that Toyota were keen to hide various technical details about the ECU because lots of info about the affected 'tasks' in the program code is masked using the classic black block shapes to hide certain words...

 

Online Dr. Frank

  • Super Contributor
  • ***
  • Posts: 1875
  • Country: de
Re: Toyota firmware fail
« Reply #84 on: November 03, 2013, 07:26:25 pm »
However, here's a link to the Denso website that shows a similar ECU

http://denso-europe.com/products/electronics/

Yes, you are right.

The unit in question seems to be a successor, or from the same family as the one on the DENSO site.

Same processors, same kind of components (esp. XTALs), very similar design / layout.
That's more than similar, definitely.

On the DENSO site, P/N is 275036-1150-2, the unit in question is 275036-2290.

It is very improbable that a 2nd source supplier of the ECU is allowed to use the same processors and such a similar design.

So, if Denso still belongs to Toyota (I don't know anything about that connection), then Toyota keeps the blame in house.

Frank

 

Online Dr. Frank

  • Super Contributor
  • ***
  • Posts: 1875
  • Country: de
Re: Toyota firmware fail
« Reply #85 on: November 03, 2013, 07:40:28 pm »
I found the court case PDF here:


http://cybergibbons.com/wp-content/uploads/2013/10/Bookout_v_Toyota_Barr_REDACTED.pdf

It's not exactly riveting reading but it does show that Toyota were keen to hide various technical details about the ECU because lots of info about the affected 'tasks' in the program code is masked using the classic black block shapes to hide certain words...

286 pages - very interesting, how they argue.
Will take my time for that reading.

Everybody in the engineering is informed / trained about financial regress due to faulty design...

But SW flaws are really very hard to mitigate, such systems are mostly too complex, and test methods can never dig 100% deep.

Frank
« Last Edit: November 03, 2013, 07:44:13 pm by Dr. Frank »
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2607
  • Country: au
Re: Toyota firmware fail
« Reply #86 on: November 03, 2013, 09:29:58 pm »
One day I accidentally left the parking lights on overnight.  When I went back to the van I could hear a relay chattering due to the really low battery.

Naive question to which I assume there is an answer which I should simply realize, but I don't and google isn't helping. Why do cars generally not have low voltage lockouts which just turn stuff off until you start the engine?

I'd expect that the lighting circuits on most (certainly lower end) cars are simple switches or switches directly controlling relays.

Maybe I managed to get the van into a state where the ECU was repeatedly booting?

There was definitely a relay chattering but I don't know what that relay was controlling. I don't recall now (it was 4 or 5 years ago) if the parking lights were flickering while in that state.
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: Toyota firmware fail
« Reply #87 on: November 03, 2013, 09:50:40 pm »
Cars like my Jeep that like to turn the headlights on when the doors are unlocked can be annoying when the battery is a bit weak and you're trying to start it with the extra load.
The larger the government, the smaller the citizen.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4756
  • Country: nl
Re: Toyota firmware fail
« Reply #88 on: November 03, 2013, 10:34:52 pm »
Quote
I'd expect that the lighting circuits on most (certainly lower end) cars are simple switches or switches directly controlling relays.

You could still just put a latching relay in front of all the non essential stuff and switch it off when the battery gets too low.
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2607
  • Country: au
Re: Toyota firmware fail
« Reply #89 on: November 03, 2013, 10:54:06 pm »
I'd expect that the lighting circuits on most (certainly lower end) cars are simple switches or switches directly controlling relays.
You could still just put a latching relay in front of all the non essential stuff and switch it off when the battery gets too low.

Ah, but that would cost money.   ;)
 

Offline N TYPE

  • Regular Contributor
  • *
  • Posts: 57
  • Country: au
Re: Toyota firmware fail
« Reply #90 on: November 04, 2013, 11:47:26 am »
Whatever... :)


One day I ought to revisit my work on this stuff and do a youtube teardown of a hacked Denso ECU.

I did do this for a Toyota club magazine about 10 years ago and explained in several magazine articles how all the mapping worked and printed out the maps and explained how it was able to control the fuel and ignition.

I managed to find a screenshot of an early tuning interface of mine. I think this was for a MR2 turbo and this would have been the interface used by Ryan (and Charlie) at Surrey rolling road maybe 7 years ago.

The interface allowed the stock 'read only' diagnostics to run but it also supported my extra code that allowed write access (via a packet system over RS-232) to the relevant map address in RAM memory. It used various forms of error checking to minimise bugs.

The idea was to then burn these tuned maps into the factory program code (in external FLASH) once the mapping was complete. So my modded code was only temporary and wasn't used for daily driving. So only the map values were changed in the version uploaded to FLASH memory after tuning.

To get the factory ECU to support remapping required the MCU in the ECU to be reconfigured to support external memory and this required a piggy PCB to hold the factory MCU plus a CPLD and a datalogging/tuning interface that I designed. The piggy PCB is below and shows the factory MCU plus the CPLD and external Flash and SRAM. The ribbon cables fit into the 64 holes vacated by the original 64 pin MCU.

http://toyota.kgbconsulting.ca/wiki/Main_Page
 

Offline nerdyHippy

  • Contributor
  • Posts: 37
  • Country: us
Re: Toyota firmware fail
« Reply #91 on: November 04, 2013, 03:20:34 pm »
Quote
Why do cars generally not have low voltage lockouts which just turn stuff off until you start the engine?
If the battery has gotten so low it wouldn't have started the car anyway. Then, what's the point of such a feature?
It would prevent the battery from sustaining damage from discharging too far.
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 19690
  • Country: nl
    • NCT Developments
Re: Toyota firmware fail
« Reply #92 on: November 04, 2013, 04:06:21 pm »
Quote
One day I accidentally left the parking lights on overnight.  When I went back to the van I could hear a relay chattering due to the really low battery.
Naive question to which I assume there is an answer which I should simply realize, but I don't and google isn't helping. Why do cars generally not have low voltage lockouts which just turn stuff off until you start the engine?

For most stuff to get power you have to turn the ignition key to 'ON'. During starting itself most cars turn everything off (including the lights) so all power is available for the starter motor. OTOH you'll want parking lights. I once visited a customer who lived in the middle of nowhere. When I stepped out the door it was already dark and without any lighting outside it was completely dark. Fortunately I left the parking lights on so I could see my car.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline bcx

  • Contributor
  • Posts: 7
  • Country: au
Re: Toyota firmware fail
« Reply #93 on: November 04, 2013, 04:24:37 pm »
I worked out how the MCU operated and was able to make the ECU run my own copy of the factory ROM so I could modify it at will. eg I partly rewrote their code to support real time map retuning by uploading a version of factory code with the maps running in (external) RAM rather than internal ROM and I upgraded their diagnostics to include write access rather than just read access.

So it could still datalog but it could also show where it was on its maps as well as allow retuning via a laptop on a rolling road :)

hehe, I do this now, but with Renesas/Hitachi H8/539 or SuperH - specifically for either Mitsubishi Magna/Verada or Mitsubishi Galant/Legnum VR4. Except no need for any hardware mods, plenty of onboard RAM & flash to use.

In fact, there is a big market for modding the stock firmware. Mitsubishi Evolution guys have added heaps of features to their ROMs, like speed density, launch control, antilag, live tuning and more recently FuelFlex for ethanol fuels. Same for the Subaru guys too - their ECUs are manufactured by Mitsubishi Electric and use Renesas SuperH too. Slightly off topic from the Toyota discussion.
« Last Edit: November 04, 2013, 04:27:57 pm by bcx »
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 15388
  • Country: za
Re: Toyota firmware fail
« Reply #94 on: November 04, 2013, 07:18:17 pm »
Chattering relays on the Toyota with low battery will be the 2 DC bus relays that reduce the load on the ignition switch. Made by Denso, and have 2 6.3mm coil spades and some 10mm high current connections that switch all the DC bus loads. One bus runs engine management and ECU, and the other runs all other loads that are turned off during starting. There is a 3rd relay for the accessory bus, but this is a 4 6.3mm spade type rated at 25A. The main relays are IIRC rated at 50A. Interesting way they have to reduce back EMF by using a resistor in parallel with the relay coil instead of a diode.
 

Offline trackman44

  • Regular Contributor
  • *
  • Posts: 67
  • Country: ca
Re: Toyota firmware fail
« Reply #95 on: November 09, 2013, 04:33:52 am »
When the government is breathing down your neck and mandating better fuel economy, as a car manufacturer what are you supposed to do? Take away more control from the driver! So that's why we have drive-by-wire throttle control. Like variable displacement and camshaft timing wasn't good enough?!?!  :wtf: . Why would you design something more complex than a cheap as nails throttle cable? Next thing you know we'll have drive-by-wire clutch, brakes and steering or worse, autonomous driven cars! "Open the pod bay doors HAL.... HAL open the pod bay doors!!.... HAL!!!"

Will
How 'bout them Maple Leafs?
 

Offline Teemo

  • Regular Contributor
  • *
  • Posts: 58
  • Country: ee
Re: Toyota firmware fail
« Reply #96 on: November 09, 2013, 09:43:41 am »
“Everything should be made as simple as possible, but not simpler.” (Albert Einstein)

It seems to me that for the last 20 years the automotive industry only made cars more complex -- unnecessarily. The Otto cycle gasoline engine already reached its best designs 20 years ago. There is very slight improvement in fuel economy and emissions, but at the cost of safety, serviceability and most importantly loss of simplicity and elegant design.

The only way out of this, to get things simple again, is some completely new engine design. This may very well come from some old invention whose time has come (like the Bourke engine with modern electronics). Technically it is all possible but we must overcome the more difficult obstructions of user habits (a la engine sound) and legal issues.
 

Offline Nerull

  • Frequent Contributor
  • **
  • Posts: 681
Re: Toyota firmware fail
« Reply #97 on: November 09, 2013, 09:01:47 pm »
I can recall when the Prius runaway problem hit the news Steve Wozniak chimed in and claimed his Prius was affected. Here is a YouTube clip:
http://youtu.be/u44XjkWgFac
Read some of the comments, it seems Woz was confused by the cruise control.
I partially remember reading there was a strong driver age bias (over 60 years old) to the cohort of un-commanded acceleration complainers.

In the early 80's when GM was a gung-ho early adopter of microprocessors everywhere I heard about a software bug in one of the Cadillac models. When accelerating uphill or under load and transitioning through the middle gears - auto trans, if the driver then honked the horn the engine would suddenly lose power. :-DD

Diesel engines are reluctant to shut down once they are running, I think the standard design is to cut the fuel supply to the common fuel rail, but sometimes even that isn't sufficient. VW's first generation 4 cylinder engine installed in Rabbits in the mid 70's replicated a noob design flaw also exhibited by a few early American truck engines in the 50's. They would, on rare occasion, cannibalize their own crankcase oil as fuel if the cylinders or rings were worn. When that happened the engine would race to 6000 rpm and seize in short order, but not before leaving the driver with an intense and bewildering experience, no software required.

I just helped replace a 40 year old Volvo diesel engine in a sailboat. The only way to shut it off if the throttle control failed was to reach into the engine compartment and throw the compression release levers that vented the cylinders.
 

Offline wraper

  • Supporter
  • ****
  • Posts: 11511
  • Country: lv
Re: Toyota firmware fail
« Reply #98 on: November 09, 2013, 09:25:30 pm »
Quote
Chattering relays on the Toyota with low battery will be the 2 DC bus relays that reduce the load on the ignition switch. Made by Denso, and have 2 6.3mm coil spades and some 10mm high current connections that switch all the DC bus loads. One bus runs engine management and ECU, and the other runs all other loads that are turned off during starting. There is a 3rd relay for the accessory bus, but this is a 4 6.3mm spade type rated at 25A. The main relays are IIRC rated at 50A. Interesting way they have to reduce back EMF by using a resistor in parallel with the relay coil instead of a diode.

Diode increases relay release time significantly, so contacts start arcing. I personally used bidirectional TVS diodes with 2x of the coil voltage in my latest design which included high power relays.
 

