RomRaider

Via AUD port?

Obviously the Vector tools are vastly superior to the "dumb cables" that we often refer to as VAG-com which are basically just an USB->serial converter (typically a knockoff FT232 / CH340 IC) and one or two transistors. I would much prefer coding nisprog to use J2534 hardware but that raises the minimum investment considerably. If only there was opensource J2534 hardware ...



Hehe PM me if it gets deleted again

@ people trying to dump via CAN : have you guys tried SID 23 ReadMemory ? I vaguely recall hearing it works on some ECUs. Possibly needs an SID 10 "start diag session" first ? I have no idea.



usually if you can connect over the K line, nisprog can dump "anything" (7051, 7055,7058, 7059) but the "fast dump" trick that uses nisprog+npkern only works with 7055 and 7058. There is currently no npkern for 7051 and it's too different to "Just work". I don't remember how different the 7059 is, but it *might* work too, which would be just luck.

Hi fenugrec,
Do you work in the automotive industry? If you find software easy then you shouldn't have any issue finding a job with one of the larger car makers.

Anyway, what would be the best way to get a terminal style interface on the can bus for the 370z?
I've go a elm327 wifi version dongle, do i need the usb version?

Thanks!
Steve S

This is how i recovered my ROM. I have a bus trace from "a tool" that reads ROMs. Since that tool will not give me my stock ROM, I put it back together from the bus trace. It literally is 0x23 reads for the entire address space. It took like 15 minutes to dump 1.5 MB 63 bytes at a time. There are no 0x27 requests, but I forget which diag session it was in. 10 c0 or 10 85 both sound familiar.

Haha no, I'm just an amateur. But I have the luxury of choosing when, and what I work on - unlike a job in the auto industry P)


Ah good to know, thanks for confirming that.

So I'm finally able to get a few minutes to get back into this. As promised, attached is my stock ROM for a 2017 370z base model.

I used the following steps to construct the ROM:

Used UpRev's software to perform a ROM dump. Moderators please be aware that what I'm attaching is a completely stock, untuned ROM.

I took a CAN bus trace of the entire dump in Vector CANalyzer. The dump is nothing but SID 0x23 read requests. They read up to 63 bytes at a time

I wrote a small perl script to clean/normalize the log (removes timestamps, all messages that are not from 0x7e0/7e8, and flow control frames)

I wrote a small c# program to reconstruct the ROM from all of the 63 byte pieces that were transferred over the bus. The program is not bulletproof by any means, but it should handle things like repeated requests on the same memory address, overlapped requests, etc. I spent all of 90 minutes on it, so hopefully people don't laugh too loudly

I'm attaching my ROM and the original (and very large) raw CAN bus log (zipped) to this thread, but I will put the c# program and perl script on my website (would the forum SW even allow me to upload a perl script?)

https://leftoverpi.com/2020/01/23/readi ... z-ecu-rom/

I haven't run this through nisrom to validate the checksums, but the other sanity checks seem to be OK (keep this in mind if you want to do anything with it)

ECUID 6GE2C ?

Yes

If you don't mind me jumping in....

All you need is a "BlueTooth Terminal" program.
On my Android I use "Serial BlueTooth Terminal. Plug in the OBD scanner, pair your device with it, start he app, and connect it to the OBD scanner.

This allows you to send the ELM327 commands (https://www.elmelectronics.com/wp-conte ... M327DS.pdf)
to any module you want.

For example to read engine oil temp on most Nissan/Infiniti models:
after connecting:
• AT SH 7E0
• 10 C0 (enter diag mode $C0)
• 22 111F

The 3 bytes (I think?) is the requested temp value, data byte A.
The formula to get the temp in °C is A-50

source and very good G37/370z channel:
https://youtu.be/8oc7szSr-Xk

You might want to check out this post on a cheap Arduino based CAN Bus ECU ROM Dumper:
viewtopic.php?f=65&t=17089

Your ROM seems different than others I have seen.
To verify the first ROM dump from the "Arduino CAN ROM Dumper" I compared your ROM to a few ROMs I had.

The last 6 bytes of your ROM are "16GE2" which seems to be most of your ECU ID of "6GE2C"

Also your ROM had:
• V1UX0A @ 6EFF
• TOCHIEOLPG @ 701D
• Didn't have the usual "12345" @ 0x6F00

I wonder if this is leftover from the <return to stock>option on you know what.

Nope I am wrong...
Based on looking at 2 Nissan/Infiniti ROMs from 2012, it looks like the structure is different from the 2011 and older ROMs.

I suspect this might have to do with some EPA/CARB mandated updates required for air/fuel ratio sensor bias detection and probably some other updates.

Thanks for posting your ROM. It was interesting comparing your 2011 G37x to the ROM from my 2011 G37 Sport.
I did a quick hex editor compare and I would guess it was 90-95% the same. I suspect some of that difference has to do with automatic vs manual transmissions and throttle maps.

To dump my ROM, I built a "Nissan ECU ROM Dumper" using an Arduino Uno clone, CAN bus board (or shield in Arduino talk), SD card board and wrote the software. It checks for ROM size, gets the ECU ID and uses it as the filename of the ROM dump. Total hardware cost was under $35 Canadian ($25 US)

The 1.5MB ROM was dumped in 6 minutes or about 4400 bytes per second.

Have you spent anytime looking or finding maps? That's my next step.

Here is a ROM from a 2011 G37x.
ECU ID: 1NX7B
HW ID: 1FZ3XWN3
Processor: SH705927N

1.5 MB ROM copied to SD card in 5.1 minutes averaging about 5KB/second using my Arduino ECU ROM dumper.

Well this is interesting...

Over the weekend, I attempted to use my Arduino ROM dumper on a 2018 Maxima. It didn't work.
All the "read by memory address" returned 7F / negative response.

My current theory is that sometime after 2011, Nissan added the requirement to require a valid password via 0x27 to be able to read the memory.

I don't think it is my code as I have been able to dump multiple ECU: two different 07 G35x, 10 Altima, 11 G37 and 11 G37x.
Anyways, I try to find a 2012 or 2013 Nissan I can borrow to try to determine when this change came into effect.

My guess is 2012, as that is when the location of the typical strings (LOADER80, DATABASE, 12345) changes.
"12345" stops in 2011, and "TOCHIEOLPG" (@ 0x701D) starts to show up in 2012+ ECUs.
(based on the a 2012 FX37 and 2017 370 ROM dump, so only 2 data points)

I think 2012 is also the year of new mandatory EPA/CARB changes, so that might be part of the reason.