RomRaider

This one seems different to most other RE5 TCMs.

This is what is on the MCU on the TCM

Unisia JECS
A12-212 560
SC431725CFC
J43C 185
QQEP0315E

Last time I looked further into this, best guess was it's most likely Mitsubishi 7700 family architecture.

The TCM calibration on these things is absolute garbage so tuning availability is very sought after. Would disassembly even be useful without having a manual for the MCU?

I won’t have a chance to check out the .bin tonight, but I’ll be sure to do so tomorrowish. What interests me the most is the ROM size. 256kb vs CF40A’s 448kb. For both being RE5’s, I’m very surprised to see such a difference in size. I only have an 06 TCM dump, so I’m not sure about the differences between the 350z RE5 ROM sizes. But I wonder if it’s consistent across the board or not. Would definitely make any flashing procedure easier to come up with if there was some consistency.

As far as disassembly, you NEED a data sheet of some sort. Even with a data sheet, MPC555 sucks to disassemble Mainly because it’s yet another language I have to try to learn. But you really won’t be able to figure out anything outside of ASCI data without a data sheet.

Yeah this Unisia Jecs TCM seems to be completely different to most, if not all, of the other RE5 TCMs. This has an external separate flash chip which I removed and read.

agreed. You guys need to do a bit of detective work... SC** parts seem to be motorola / freescale / nxp (renumbered, maybe customized, from regular "orderable" parts?) depending on when it was manufactured. Possible families are mpc555, hcs12 / hcs12x, mc68332 , possibly others. Try and find the one that matches the package and pinout (tip, look at gnd, vcc, xtal pins; those are unmistakeable). web.archive.org to browse old versions of websites, etc.

It should just be in ASCII code. For my 06;


Not sure what exactly it would be past MPC555.

Heh, I didn't even open the dump... pretend I didn't say anything

Yea, we can tell So even though it’ll communicate through KWP2000, what does this mean for kernels and commands? I haven’t really dug into communication protocols, so I’m not exactly knowledgeable about any of it. But I take it the SID’s for erase/writing aren’t as simple as just telling it to replace x block?

If I’m thinking about it correctly, the only chance we have of not needing a kernel is if the SID somehow handles absolutely everything. But that wouldn’t make sense to me since if you were to erase all ROM data, it would presumably erase the SID control stuff. The TCM DOES have RAM apparently, so a kernel would probably work?

But I’ve seen how much time and effort has gone into your ECU flashing kernel, not sure if I’d ever be able to do something like that lol It would require quite a bit of processor analysis.

Edit; I might ask questions that have already been answered, so forgive me if I repeat a question! It’s been a while since I’ve worked on this stuff and I still have to transfer my multiple notes documents into one file for easy viewing

No I’m glad you did. Mine doesn’t have it in ASCII. I’ll start investigating what chip it might be a clone of. Thanks.

Correct. The more recent CAN-only ecus have the "kernel" built-in with the stock ROM and it only needs the right sequence of SIDs to activate it and reflash.

There's at least a few possiblities for TCMs :
- something easy like the CAN-only ECUs
- something less easy like nisprog+npkern
- something way less easy if there's no SID that lets you even send+run a kernel
- even worse if Nissan actively tried to prevent reflashing ( is there even .dat / repro files for these ?)
- abandon hope if you find out the mcu is locked read-only. Unlikely I would think...

You also need to understand and map out all the code + data areas used by the TCM. That data you guys are dumping, where does it live ? on the main mcu ROM ? some external IC ? How much of the mcu ROM is not included in that dump ?

I suggest you guys can add pages on nissanceu.miraheze.org - PCB pics, datasheets you find, etc. Makes it easier to combine notes than scrolling through a forum IMO



Correct. Two ways around it - for sh705x, you absolutely have to execute a kernel from RAM, then you're free to erase/write individual flash blocks (what nisprog+npkern does). Or use the builtin bootloader (this is how the factory does it, and how you unbrick). Note, CAN-only ECUs hide the magic of running their kernel from RAM but it's in there.

Some mcu families (not sure about mpc555) might allow execution from a certain area of ROM while you reflash the rest.


Indeed.

Here's what I gathered from the ASCII stuff;

"Fuji-Isesaki" At beginning of ROM. Definitely odd. Both are cities within Japan.

"IX5373 N HC16N1 N ... VD2156 99000WL1" 0x8037 Now this one is interesting.


Comparing yours vs CF40A (06). But these comparisons are just assumed, not sure if they're actually stating the same thing or not.

IX5373 // RX1596 (Communication or chip based maybe?)
HC16N1 and VD2156 // 8BG119 or 149C32? (No clue apart from more identifiers)
99000WL1 // 1270H00114 (probably HWID or something like that)

They're definitely very different from one another. I'm surprised yours had so little information available tbh.

Since it's K-line based with no consult-II work support, I don't think it'll work like CAN based ECU's sadly. There ARE .dat/repro files for this and it CAN be reflashed with NERS. Albeit, Nissan only has documents showing a brand new TCM being reflashed. I don't see any possibility of it being read only luckily! Unless Nissan wanted to make it so that after a TCM has been programmed, there's no going back without purchasing a new TCM. But like you said, very unlikely.

The processor is a 32-bit PowerPC architecture (compliant with PowerPC Architecture Book 1)

It definitely seems that the most probable option is going to be nisprog+npkern. I was really hoping that the SID thing would turn out to be nicer, but it makes sense.


My dump seems to be the EEPROM Memory (CMF). It's also referred to as "Flash". His being 256kb makes me think he didn't dump both flash sections.

1.2.5 448 Kbytes of CDR MoneT Flash EEPROM Memory (CMF)
• One 256-Kbyte and one 192-Kbyte module
• Page read mode
• Block (32-Kbyte) erasable
• External 4.75-V to 5.25-V program and erase power supply




Good point, I'll have to get one setup.

I really think our TCMs really are completely different from completely different TCM vendors with almost no similarities. Mine is an external TCM made by Unisia Jecs. Mine is not MPC555. It has an external 29F200 256KB flash chip which I removed to take the read. It has a header on the board to add a 2nd flash chip and switch between the two with jumpers.

That's exactly the kind of info (along with PCB pics) that's really going to be helpful to organize somehwere P )

I have a bunch of known pin functions by tracing pins to known flash chip pins too. I'll begin the hours of browsing datasheets haha.

Edit: I just opened a support ticket with NXP begging them for the datasheet for the SC431725CFC.

I hope that works. But if you can even get them to care enough to search their own archives, I'm betting on "sorry NDA bullshït etc". But if you can at least convince them to tell you what family it's from, or even just showing the first few pages of a datasheet, that would narrow down your search a lot...