RomRaider

For the record, the problem was a bad kernel file : the "38377 byte payload" indicates a 38kB file, whereas all the kernels are around 4kB.

This is amazing (still magic to me but okay), I watched the FFFF966D adress and many thing happend when I was pushing buttons and pedals in the car. It changed when I pushed the break, when the PNP-switch changed state and by that time I ended up at the same 2C 00 2C 00 code stirkac had before. After putting the fans of the heater to off the state changed to 0C 00 0C 00. So I guess we identified code 0x95 combined with the 2C to be the Load Switch which in this case was the A/C or heater fans.

Finally we flashed the CD700 rom on the CD800 car with the steering wheel buttons and break + clutch pedal switches and now he has working CC!

@fenugrec if you don't have time to implement the 0x95 code in nisprog I will give it a go when I can find some spare time soon.

Thank you guys for all the help!

Next goal is finding something like deacceleration fuel cut since someone is requesting for pop's & bangs...

Thanks, but already done:
https://github.com/fenugrec/nisprog/com ... 29db82478f
it'll be in the next nisprog release.

Hi there,

I have a issue with reflashing a new rom. I have done a lot successfully already but i have not seen this message before. The second key needs to be loaded to run the 7055_18 kernel. But while flashing it seems to be unable to erase block 6. Someone knows whats going on?

Connected to ECU !
Using short headers.
ECUID: CE821
Key candidate dist (smaller is better)
0: 0x7B472BD1 3
1: 0xEED9A107 3
2: 0x968148AD 13

Using best choice, SID27 key=7B472BD1, SID36 key1=8F7577FC
Use "setkeys" to change keyset.
now using 7055.
nisprog: Settings loaded from nisprog.ini
nisprog> runkernel npk_7055_18.bin
Using 3908 byte payload, padding with garbage to 3936 (0x0F60) bytes.
SID 27: seed = 0x00 0x00 0x8B 0x91 ; using NPT_DDL algo (scode=0x7B472BD1),
got bad 27 02 response : General_Error, Requested_SID_securityAccess Error_invalidKey
sid27 problem
nisprog> setkeys 0xEED9A107
Now using SID27 key=EED9A107, SID36 key1=D6A9ED21
nisprog> runkernel npk_7055_18.bin
Using 3908 byte payload, padding with garbage to 3936 (0x0F60) bytes.
SID 27: seed = 0x8B 0x91 0x3F 0xAB ; using NPT_DDL algo (scode=0xEED9A107),
SUXXESS !!
SID 34 80 done.
SID36 block 0x007A/0x007A done
SID 36 done.
sid37: sending 0x37 0x8C 0x25
SID 37 done.
SID BF done.
ECU now running from RAM ! Disabling periodic keepalive;
Connected to kernel: SH7055_18-2fc59c4
You may now use kernel-specific commands.
nisprog> flrom roadster03-08-2018002.bin

checking block 15/15 (070000-07FFFF)... done.
Modified blocks : 6, 7, (total: 2)

y : To reflash the blocks listed above, enter 'y'
f : to reflash the whole ROM
p : to do a dry run (practice mode) without modifying ROM contents
n : To abort/cancel, enter 'n'
> y
reflashing selected blocks.
Block 06
got bad RequestDownload response : 180nm: bad DL_ERASE
nisprog>

Kind regards,

Vincent

Let me know what ECUID this is and I'll add its key to the next release.


your ECU is not 180nm, you'll need the 7055_35 kernel

Hi there!

Thanks fro your feedback. i tried the 35 kernel at first. but if gave me a "wrong kernel" error. So i switched to the 18 one. The 18 still have me errors and i found out i needed the second keyset. For some reason i stayed with the 18 kernel instead of switching back to the 35 with the second keyset. So its my error. sorry about that.

I do have an other weird thing: when running nisrom i dont get the checksum locations returned. Thay state "N/A". What am i missing? below the output of nisrom.

kind regards,

Vincent

Usually it indicates a corrupt or incomplete ROM dump (sometimes not exactly 512kB - make sure it's really 512*1024 bytes). nisrom isn't perfect but in my experience it finds checksums very reliably.

Hi there!

I've done the dump serveral times at 512k which resulted in those fields being empty. But after dumping more(1024K) it seems that the fields are filled in. So i have the slight assumption this is a 1024k rom? Or am i wrong?



edit: added the roms file in 512 and 1024 version. Maybe some of you can help me out?

edit2: when opening the 1024k rom with the nischeck enabled romraider it gives me a checksum error. Im quite lost

Kind regards,

Vincent

This in fact is SH7058 ROM image.

Hi there!

thanks for the feedback! figured it out now knowing its a 7058. this explains the size. The checksum was still on end="0x7FFFF". when changed to end="0xFFFFF" the checksum was correct.

Thanks a lot!

Kind regards,

Vincent

Oops, yes, I should've noticed that. Obviously you'll need the 7058 kernel to reflash. Good to know everything's working now.

Hi guys,

One of the members here (stirkac ) posted about this tool over on 350z-uk.com so i cane here to check it out and im having some issues.

In my ini file i have determined my ECU to be of the 7055 type, so have added these options



I can connect the car to the program, the car fans start spinning and Nisprog says the ECU is running in RAM, but whenever i try to do a dump of the ECU using this parameter:


I get this message in Nisprog


If i comment out the two lines i added to the INI file and connect without using the kernel, i have managed to successfully dump the rom in slow mode with a battery charger connected over the space or 90+ mins, but wanted to run it from the kernel really as i don't want to do any flashing at such a slow speed.

Any tips on what to do?

looks like connection/timing issues... some say opening media player helps. maybe stop the kernel and retry connecting few times.
Using debug mode will let you see more connection info (look for timeouts):

Smells a lot like just a timeout, try increasing the rxe value (see npconf command)