VQ35HR rom files

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

Been following this forum and using nisprog for a while (awsome software!) on my old '03 350Z. I just bought an '08 350Z with a VQ35HR engine. I saw there was a thread before about the definition files but haven't found one. Is it even possible to read the HR ECU using k-line or is it CAN only? I have been searching google hard on it and how to dump/tune the rom using other softwares with no results.

Do you guys think it makes sense to use nisprog for this or is it better/easier to use something else?

fenugrec · **Joined:** Wed Jan 08, 2014 11:07 pm **Posts:** 652

TomC wrote:

Is it even possible to read the HR ECU using k-line or is it CAN only?

I fear 08 might be too recent and probably CAN-only. A quick look at the OBD connector will tell you if there's any hope of K line being supported, if the K pin is connected.

Quote:

Do you guys think it makes sense to use nisprog for this or is it better/easier to use something else?

Unfortunately, nisprog uses freediag code as a backend which doesn't support CAN. I never needed CAN myself so I didn't bother to add support for it. I'm not aware of other free software that will dump any Nissan ECU, but some commercial software probably does.

Shuher · **Posted:** Thu Jul 26, 2018 8:03 am

As far as I'm concerned CAN-only ECUs started somewhere in the end of 2012 so there is still a hope to dump 2008 ECU via KLine.
Most of the cars I saw here till 2012 manufactruring date were K-Line ones.

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

That is good news, I was just wondering why nobody bothered to do so. Maybe no HR owners around here who want to put effort in it? I will hook up nisprog and try connecting. Will see if it works. In case it works I will upload the dump here and see whatever existing rom is close.

Shuher · **Posted:** Thu Jul 26, 2018 8:17 am

In worst case you may always use Piasini tool - quite cheap from Aliexpress/Ebay.

As fro CAN ECUs support for nisprog - I had this idea to get this implemented but never had enough time to make this happen. First question was to decide what hardware to use as CAN adapter to keep it same affordable as cheap K-Line cable.

dschultz · **Posted:** Thu Jul 26, 2018 9:31 am

https://www.fischl.de/usbtin/

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

So using these approaches I then have the rom as binary, but still no mapping like in romraider. Is there any software available for that? Or do you think mapping it myself makes more sense?

I am just wondering why there are no 350Z HR's mapped in the nissan definitions? Is it so difficult?

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

Today I tried dumping the rom but no result. I used the same cable I used before to connect to multiple ECU's, an alternative cable and all USB ports. I get timeouts, the debug logs below;

Code:

diag_os_gethrt() resolution <= 0us, avg ~0us
diag_os_getms() resolution: ~16ms.
diag_os_chronoms() : resolution: ~15ms
Calibrating timing, this will take a few seconds...
diag_os_millisleep(50) off by +2% (+1058us); spread=11%
diag_os_millisleep(40) off by +11% (+4665us); spread=24%
diag_os_millisleep(30) off by +10% (+3287us); spread=31%
diag_os_millisleep(20) off by +55% (+11009us); spread=87%
diag_os_millisleep(18) off by +21% (+3836us); spread=61%
diag_os_millisleep(14) off by +20% (+2926us); spread=73%
diag_os_millisleep(12) off by +38% (+4663us); spread=82%
diag_os_millisleep(10) off by +66% (+6625us); spread=117%
Calibration done.
nisprog v1.02
nisprog: Interface set to default: DUMB
nisprog: Type HELP for a list of commands
nisprog: Type SCAN to start ODBII Scan
nisprog: Then use MONITOR to monitor real-time data
nisprog: **** IMPORTANT : this is beta software ! Use at your own risk.
nisprog: **** Remember, "debug all -1" displays all debugging info.
interface is now DUMB
Note concerning generic (dumb) interfaces : there are additional
options which can be set with "set dumbopts". By default
"K-line only" and "MAN_BREAK" are set.
port set to: \\.\COM4
dumbopts set to:    72
testerid: using 0xFC
destaddr: using 0x10
L1 debug is 0x8C: READ WRITE DATA
        p3 set to 0 (0x0).
        rxe set to 40 (0x28).
diag_l1.c:156:  _send: len=5 P4=5 l0flags=0x1011; 0x81 0x10 0xFC 0x81 0x0E
diag_l1.c:254:  _recv request len=1024, timeout=70;
diag_l2_iso14230.c:736: Read/Write timeout.
diag_l2.c:438: Read/Write timeout.
L2 StartComms failed
now using 7058.
nisprog: Settings loaded from nisprog.ini

I used the following settings:

Code:

#This is just an example .ini file to show some of the possible commands.
set
interface dumb
#Customize this to your hardware
port \\.\COM4
#This should always be OK
dumbopts 0x48

# No need to touch these unless you know what they are
l2protocol iso14230
initmode fast
testerid 0xfc
destaddr 0x10
addrtype phys
up

#help

#Enable read/write debugging output
debug l1 0x8c

#watchmode
#npt 8 0x08

#Reduce delay between requests
npconf p3 0

#Extend read timeouts (in ms)
npconf rxe 40

nc
setdev 2

Anybody any idea?

Also I've seen in the rom list for the HR's it has different checksums (alt,alt2,RM160) does this have to be implemented in nischkfix and romraider before I could flash my rom back?

Shuher · **Posted:** Wed Aug 01, 2018 3:48 pm

Does your laptop have Win8 or Win10 as OS?
Calibration corrections are way too big for my view - once I installed Win10 on my laptop I started getting same beheviour and was unable to connect to ECU.

Try starting any multimedia player in background - this will force OS timer to be more precise and ease timing management for nisprog. If this doesn't help - your ECU is probably CAN-type.
Btw, did you check your OBD connector? Does it have pin 7 or it's just a hole in a connector's case?

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

I do have win 10 and tried while playing a movie on the background but no change. Also I checked obd pin nr 7 and it's filled.

Are my settings correct?
And the most important part, how about the checksums? Can I even write an adjusted rom back without issues?

fenugrec · **Joined:** Wed Jan 08, 2014 11:07 pm **Posts:** 652

TomC wrote:

I do have win 10 and tried while playing a movie on the background but no change.

No change ? the "diag_os_millisleep ... off by XX %" should definitely be better, or possibly even disappear altogether. If you're still getting wide spreads there you still have OS timing issues. It is also possible that while the K line is wired, it's not used by the ECU but other modules. But you need to fix the timing first, or put statistics to work for you and just retry connecting many times in a row; sometimes that works with marginal timings.

Quote:

checksums? Can I even write an adjusted rom back without issues?

I believe the RR build that includes checksums should work, as long as the defs have the proper bounds for the summed area. Either alt or alt2 depending on what area you're modifying. I've written about that, here and on nissanecu.miraheze.org .

I don't recommend reflashing with un-corrected checksums, you'll get at least a P0605 DTC and possibly other problems.

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

Today I was able to connect to the ECU! however I had L1 debug on for connecting thus after starting the kernel I disconnected to disable debug and I am not able to get back inside. Tried like 100 time after with same timing precisions but no luck. As you can see I also had the 0x95 error again which disappeared after setting the AC fan to off. Here is the log;

Code:

diag_os_gethrt() resolution <= 0us, avg ~0us
diag_os_getms() resolution: ~16ms.
diag_os_chronoms() : resolution: ~16ms
Calibrating timing, this will take a few seconds...
Calibration done.
nisprog v1.02
nisprog: Interface set to default: DUMB
nisprog: Type HELP for a list of commands
nisprog: Type SCAN to start ODBII Scan
nisprog: Then use MONITOR to monitor real-time data
nisprog: **** IMPORTANT : this is beta software ! Use at your own risk.
nisprog: **** Remember, "debug all -1" displays all debugging info.
interface is now DUMB
Note concerning generic (dumb) interfaces : there are additional
options which can be set with "set dumbopts". By default
"K-line only" and "MAN_BREAK" are set.
port set to: \\.\COM3
dumbopts set to:    72
testerid: using 0xFC
destaddr: using 0x10
L1 debug is 0x8C: READ WRITE DATA
        p3 set to 0 (0x0).
        rxe set to 40 (0x28).
diag_l1.c:156:  _send: len=5 P4=5 l0flags=0x1011; 0x81 0x10 0xFC 0x81 0x0E
diag_l1.c:254:  _recv request len=1024, timeout=70;got 7 bytes, 0x83 0xFC 0x10 0xC1 0x5D 0x8F 0x3C
diag_l1.c:254:  _recv request len=1017, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
diag_l1.c:254:  _recv request len=1024, timeout=100;
Connected to ECU !
Using short headers.
diag_l1.c:156:  _send: len=4 P4=0 l0flags=0x1011; 0x02 0x1A 0x81 0x9D
diag_l1.c:254:  _recv request len=1024, timeout=60;got 9 bytes, 0x07 0x5A 0x31 0x45 0x56 0x31 0x36 0x41 0xD5
diag_l1.c:254:  _recv request len=1015, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
ECUID: EV16A
Key candidate   dist (smaller is better)
0: 0xC6E19CF0   6
1: 0x8FFD3C82   6
2: 0x968148AD   15

Using best choice, SID27 key=C6E19CF0, SID36 key1=685BFBBA
Use "setkeys" to change keyset.
now using 7058.
nisprog: Settings loaded from nisprog.ini

nisprog> runkernel npk_SH7058.bin
Using 3912 byte payload, padding with garbage to 3936 (0x0F60) bytes.
diag_l1.c:156:  _send: len=4 P4=0 l0flags=0x1011; 0x02 0x27 0x01 0x2A
diag_l1.c:254:  _recv request len=1024, timeout=60;got 5 bytes, 0x03 0x7F 0x27 0x95 0x3E
diag_l1.c:254:  _recv request len=1019, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
got bad 27 01 response : General_Error, Requested_SID_securityAccess Error_Unknown Response code
sid27 problem
nisprog> runkernel npk_SH7058.bin
Using 3912 byte payload, padding with garbage to 3936 (0x0F60) bytes.
diag_l1.c:156:  _send: len=4 P4=0 l0flags=0x1011; 0x02 0x27 0x01 0x2A
diag_l1.c:254:  _recv request len=1024, timeout=60;got 8 bytes, 0x06 0x67 0x01 0x9A 0x24 0x3E 0xCA 0x34
diag_l1.c:254:  _recv request len=1016, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
SID 27: seed = 0x9A 0x24 0x3E 0xCA ; using NPT_DDL algo (scode=0xC6E19CF0),
diag_l1.c:156:  _send: len=8 P4=0 l0flags=0x1011; 0x06 0x27 0x02 0xF6 0xB9 0x86 0x72 0xD6
diag_l1.c:254:  _recv request len=1024, timeout=60;got 5 bytes, 0x03 0x7F 0x27 0x35 0xDE
diag_l1.c:254:  _recv request len=1019, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
got bad 27 02 response : General_Error, Requested_SID_securityAccess Error_invalidKey
sid27 problem
nisprog> setkeys 0x8FFD3C82
Now using SID27 key=8FFD3C82, SID36 key1=277C374B
nisprog> runkernel npk_SH7058.bin

fenugrec · **Joined:** Wed Jan 08, 2014 11:07 pm **Posts:** 652

TomC wrote:

after starting the kernel I disconnected to disable debug and I am not able to get back inside.

Kernel probably still running. Read the nisprog docs, and/or hard-reset the ECU (disconnect battery)

Quote:

Code:

diag_l1.c:254:  _recv request len=1024, timeout=60;got 5 bytes, 0x03 0x7F 0x27 0x95 0x3E

...

got bad 27 02 response : General_Error, Requested_SID_securityAccess Error_invalidKey
sid27 problem
nisprog> setkeys 0x8FFD3C82
Now using SID27 key=8FFD3C82, SID36 key1=277C374B
nisprog> runkernel npk_SH7058.bin

So, you had error 0x95, which you fixed by turning off the fans; then you had an invalidKey error, so you tried a different key set, and then what ? what happened with the last runkernel ?

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

After the last line of runkernel it started giving the debug lines of the kernel data transfer of which I didn't save the output. I stopped transfering the kernel (ctrl+c) since it started spitting out the debug of the data transfer. Then I commented out the debug line and run nisprog again. This time no success. Did disconnected the battery to do a hard reset after trying to reconnect for about 30 times. Tried again for about 30 times after the reset but no luck.

TomC · **Joined:** Thu Oct 26, 2017 4:11 am **Posts:** 34

This week I found online a EV16A Rom dump and a tuned version! Using wols demo + IDA + UpRev tuned rom values I was able to find many tables allready. Both are attached including the xml, IDA database (with marked tables and axes) and the nisrom output.

1. Can someone please take some time to check my results? Mainly the axes I am not sure of. I found them searching for expected values (based on UpRev rom) and then folowing xlinks to see which xrefs are close and in the same routines. How do you guys find the tables and corresponding axes?

2. The output from nisrom is telling me its a SH7058 with Loader 80 and IVT2 at 0x20004. Also it doesnt have std_s nor std_x so for the checksum I used alt_s, alt_x but romraides keeps saying the checksum is not correct. How do I set the correct checksum locations in the XML file? My rom seems to have ck_alt, ck_alt2 and RIPEMD-160, is nisprog able to do the correct checksums? In the stock roms table I see Loader 80 roms where the notes state 'Bad altcks?', does it have to do with the different checksums?

Besides all of this I built nisrom using Visual Studio so I am able to debug the K-line connection to the ECU and see why the connection gives a timeout within the timeout bounds.

Moderator: Tuned ROM removed. Please see posting rules before submitting ROMs or maps.

RomRaider

Forum rules

VQ35HR rom files

Who is online