(1998.5 - 2002 ISB)
There are 2 computers on the Ram: one on the passenger side firewall behind the air cleaner assembly (the Powertrain Control Module, or PCM), and the ECU, which is located on the left side of the engine, mounted directly on the engine block. The ECU is connected with a single 50-pin connector.
The ECU itself is a sealed unit, with a single air vent device. It is constructed of an aluminum 'frame', or center section, that has the mounting tabs to fasten it to the engine, and a sheet aluminum 'cover', that isn't really a cover at all - the flexible plastic 'circuit board' is adhered directly to the inside of this 'cover', on both sides. There is gray silicone sealer between the 'cover' and the 'frame'.
To open the ECU, one must remove the screws and carefully pry the cover open. Be sure to keep the cover straight and do not bend it, as the flexible circuit board is adhered directly to the inside of it. The side of the ECU with the electrical connector seems to contain power supply and other power-switching components (driver transistors, etc). I do not know if there are any ICs on this side, because I did not open mine up on that side (and at this point, I do not really want to). The other side contains the 'computer' components (processor, memory, etc) as shown below:
Most of the ICs inside are standard components. There are several unidentified components:
- 8L12A: 8-pin IC. Possibly 12V voltage regulator for flash programming?
- Philips IC, marked '4651148 005633-- Fhr011B'. Maybe analog MUX for ADC inputs?
- Atmel IC, marked 'ENCORE 51R42722U02 82002253-001 A9D0013 9951'. I have no idea what this is for; it looks like an ASIC.
- 8-pin IC marked '74690 XAVS'
- 8-pin IC marked '3029009 1951130'. Near the filter choke. CAN bus driver?
The ECU only uses 256KB of flash, even if the installed chip is larger. The original ECU I opened had a 512KB chip (28F400). I later obtained another ECU, and discovered it had a 256KB chip (28F200). These flash chips are organized into a 16KB boot block, 2 8KB parameter blocks, and the remaining blocks are regular data blocks. The parameter blocks can sustain many more read/write cycles than the other blocks on the chip. There is 64k of RAM available, in the 2 32Kx8 SRAM chips.
The memory is organized as follows:
- 0x000000 - 0x3FFFFF: Flash. The first 16k (0x000000 - 0x004000) is the 'boot' part of the flash chip.
- 0x800000 - 0x80FFFF: RAM
- 0xFFD000 - 0xFFD7FF: Some unknown peripheral device. Perhaps the Atmel chip?
- 0xFFD800 - 0xFFDFFF: Intel CAN Controller
- 0xFFE000 - 0xFFEFFF: TPURAM (Refer to the MC68336 manual)
- 0xFFF000 - 0xFFFFFF: MC68336 internal functions/integrated peripherals
Using a BDM interface cable and driver, I wrote a program that would dump the contents of the flash chip to a file for inspection. This was difficult because every so often during the data transfer, an error would occur. I solved this problem by only reading 2KB at a time. I later found out that this read error was occurring because a 'watchdog timer' in the ECU hardware was attempting to assert RESET while I was reading the data (because when reading through the BDM port, the CPU is stopped). Once I modified the program to do 2KB reads, I was able to get a successful read of the data. I used GNU objdump to create an assembler listing of the file. I have spent many hours 'picking apart' the program to figure out what each section is for, how the peripherals of the MC68336 are configured/used, etc.
There is a compressed program in the lower 16K (boot block) that gets decompressed into RAM at startup, only if certain conditions are met. This is probably a small program that is only good for reading the CAN bus, so that the flash can be reprogrammed. I have not spent much time examining this program.
The VIN of the vehicle is embedded in data around 0x4000, and again around 0x8000. There is also a 'signature' around 0x8000 that is checked at startup, and if it is valid, an address is read from location 0x800a and execution of the 'main' startup code continues at that address.
There is a considerable amount of data that gets moved from the end of the flash data into RAM at startup. In this example, the data begins at 0x3829e and ends at 0x3fee7. That is approx. 32KB of data.
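A first-pass check of a dump against the layout described above, as an added example (not the author's dump program): it looks for VIN-shaped strings near 0x4000 and 0x8000, reads the address stored at 0x800a and places it in the memory map. Assumptions: the address is a 32-bit big-endian longword, the VIN is stored as plain ASCII, the search window is 0x400 bytes either side, and all function names and the sample image are constructed for illustration. The 'signature' is not checked because the page does not give its value.

```python
import re
import struct

# Memory map as listed on the page (inclusive start and end addresses).
MEMORY_MAP = [
    (0x000000, 0x3FFFFF, "Flash"),
    (0x800000, 0x80FFFF, "RAM"),
    (0xFFD000, 0xFFD7FF, "Unknown peripheral"),
    (0xFFD800, 0xFFDFFF, "Intel CAN Controller"),
    (0xFFE000, 0xFFEFFF, "TPURAM"),
    (0xFFF000, 0xFFFFFF, "MC68336 internal"),
]
# A VIN is 17 characters drawn from 0-9 and A-Z, never I, O or Q.
VIN_RE = re.compile(rb"(?<![A-Z0-9])[A-HJ-NPR-Z0-9]{17}(?![A-Z0-9])")

def region_of(addr):
    """Name the memory-map region that contains addr."""
    for start, end, name in MEMORY_MAP:
        if start <= addr <= end:
            return name
    return "unmapped"

def find_vins(image, around, window=0x400):
    """Return (offset, text) for VIN-shaped ASCII runs near `around`."""
    lo = max(0, around - window)
    chunk = image[lo:around + window]
    return [(lo + m.start(), m.group().decode()) for m in VIN_RE.finditer(chunk)]

def entry_address(image, offset=0x800A):
    # Assumption: the address is a 32-bit big-endian longword (68k byte order).
    return struct.unpack_from(">L", image, offset)[0]

def inspect_dump(image):
    entry = entry_address(image)
    return {
        "vins": find_vins(image, 0x4000) + find_vins(image, 0x8000),
        "entry": entry,
        "entry_region": region_of(entry),
    }

def make_sample_dump():
    # Constructed 256KB image: erased flash, placeholder VIN, made-up entry address.
    image = bytearray(b"\xff" * 0x40000)
    for off in (0x4010, 0x8020):
        image[off:off + 17] = b"1TESTVN0000000000"
    struct.pack_into(">L", image, 0x800A, 0x00008100)
    return bytes(image)

if __name__ == "__main__":
    print(inspect_dump(make_sample_dump()))
```

On a real dump, pass the file's bytes to `inspect_dump`; an entry address that falls outside the Flash region suggests the pointer width or byte-order assumption is wrong.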
At this time, I have only been able to identify the startup code, where the various components are initialized and addresses are set up, and parts of the program that read/write the CAN messages.
The following things need to be done:
- Identify the CAN messages themselves, the message contents, and what they mean.
- Identify which inputs connect to where (temp sensors, MAP, APPS, etc).
- Identify the other outputs and what ports they are located on (Wait to start lamp, VP44 relay, fuel pump relay, intake heaters, etc.)
- Determine how the flash can be programmed by methods other than desoldering the chip from the board
- Identify the remaining program sections, and their associated data (the 'maps')
It would probably be useful to build a CAN interface for my PC, and 'watch' the data on the CAN bus while the engine is in operation. This might yield some information that can be used to identify more of the program.
It appears that the ECU itself was designed (and possibly manufactured) by Motorola. The ECU software is unknown. There is no copyright message or any other identifying information in the dump of the flash memory, except the VIN number and the string '091197'. I do not know what language the program was originally written in; probably C, as I really don't think something that large would be written in assembly language.
Because it is my truck, my ECU, my flash memory chip, etc. and I have a right to know how it works. And I also have the right to do what I want with it, whether that be drive it, or take the ECU out, sprinkle cheddar cheese on it and bake it in the oven, etc.
I think people should be able to understand, and repair if necessary, anything that they own, whether it be a computer, a car, a dishwasher, or a bike.