5EAT TCM JECS ROM Image

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Ok, after many hours of digging and head-scratching here is what should be the process to jump into the on-board kernel in a TCU. Not yet tested. I'm hoping MiikaS will be kind enough to add code for another module in FastECU to enable testing. Then I'll need some help with testing (I don't have an AT car). Or someone could donate a TCU for me to play with

Applies to Subaru TCU 5EAT M32R (specifically TCU ROM ACD1A06000). Probably works for other TCUs.

ROM has code for Serial comms and CAN comms. Serial comms has normal SSM commands, and 0x27 process, but ability to jump to kernel appears to have been disabled - probably deprecated. CAN comms has SSM commands as well as 0x27 process providing the ability to ROM dump / flash via an on-board kernel.

Car status
- stationary, in park, solenoid lock on, good and stable Battery Voltage, ignition on

Comms setup
- laptop connected to Car via USB to OBD cable

CAN Setup - TCU
- TX to the TCU uses CAN ID 0x1f21
- RX from the TCU uses CAN ID 0x1f29
- CAN speed 500bps (per normal Subaru highspeed CAN). This is an assumption (not checked)
- CAN frame data has the message length in the first byte

Command: 0x02 0x10 0x03 [Start diagnostic session]
Response: 0x02 0x50 0x03

Command: 0x02 0x27 0x01 [Security Access step 1]
Response: 0x06 0x67 0x01 [S3] [S2] [S1] [S0]

Decrypt seed bytes S3-S0 to key bytes K3-K0 using the Subaru decryption algorithm as for ECUs. The TCU algorithm looks the same, but I haven't confirmed in detail. Encryption words are different. Nybbles are the same. See values below. Reverse word order for decryption.

Command: 0x06 0x27 0x02 [K3] [K2] [K1] [K0] [Security Access step 2]
Response: 0x02 0x67 0x02

Command: 0x02 0x10 0x02 [Jump to kernel]
Response: 0x02 0x50 0x02

CAN Setup - Kernel
- same TX/RX CAN IDs as the normal TCU comms
- CAN speed is the same as normal TCU comms (500 bps)

[Kernel commands will added here later]

Encryption Words:
F2CA, 2417, 21DE, 8475, 39AB, F767, 6204, 6BE0, BC63, 5988, 2845, 9846, EB97, 99DE, C7DB, EFAE

Encryption Nybbles:
05, 06, 07, 01, 09, 0c, 0d, 08, 0a, 0d, 02, 0b, 0f, 04, 00, 03, 0b, 04, 06, 00, 0f, 02, 0d, 09, 05, 0c, 01, 0a, 03, 0d, 0e, 08

A few other points of interest:
- [deleted - actually, I don't think the TCU does support 'mode 0x22']
- There are various ROM integrity checks on start-up so that will need to be satisfied by any modified ROM

riksk · **Joined:** Sun Jun 28, 2020 2:25 am **Posts:** 237

rimwall wrote:

Ok, after many hours of digging and head-scratching here is what should be the process to jump into the on-board kernel in a TCU. Not yet tested. I'm hoping MiikaS will be kind enough to add code for another module in FastECU to enable testing. Then I'll need some help with testing (I don't have an AT car). Or someone could donate a TCU for me to play with

Applies to Subaru TCU 5EAT M32R (specifically TCU ROM ACD1A06000). Probably works for other TCUs.

ROM has code for Serial comms and CAN comms. Serial comms has normal SSM commands, and 0x27 process, but ability to jump to kernel appears to have been disabled - probably deprecated. CAN comms has SSM commands as well as 0x27 process providing the ability to ROM dump / flash via an on-board kernel.

Car status
- stationary, in park, solenoid lock on, good and stable Battery Voltage, ignition on

Comms setup
- laptop connected to Car via USB to OBD cable

CAN Setup - TCU
- TX to the TCU uses CAN ID 0x1f21
- RX from the TCU uses CAN ID 0x1f1f (not sure about this, but should be easy to tell once we're communicating with the TCU)
- CAN speed 500bps (per normal Subaru highspeed CAN). This is an assumption (not checked)
- CAN frame data has the message length in the first byte

Command: 0x02 0x10 0x03
Response: 0x02 0x50 0x03

Command: 0x02 0x27 0x01 [Security Access step 1]
Response: 0x06 0x67 0x01 [S3] [S2] [S1] [S0]

Decrypt seed bytes S3-S0 to key bytes K3-K0 using the Subaru decryption algorithm as for ECUs. The TCU algorithm looks the same, but I haven't confirmed in detail. Encryption words are different. Nybbles are the same. See values below. Reverse word order for decryption.

Command: 0x06 0x27 0x02 [K3] [K2] [K1] [K0] [Security Access step 2]
Response: 0x02 0x67 0x02

Command: 0x02 0x10 0x02
Response: 0x02 0x50 0x02

CAN Setup - Kernel
- TX to the TCU kernel uses CAN ID 0x1f29
- RX from the TCU kernel uses CAN ID 0x???? (not sure about this, but should be easy to tell once we're in the kernel)
- CAN speed is the same as normal TCU comms (500 bps)

Command: 0x04 0x02 0x50 0x42 0x02
Response: none?, code execution jumps to kernel in ROM

[Kernel commands will added here later]

Encryption Words:
F2CA, 2417, 21DE, 8475, 39AB, F767, 6204, 6BE0, BC63, 5988, 2845, 9846, EB97, 99DE, C7DB, EFAE

Encryption Nybbles:
05, 06, 07, 01, 09, 0c, 0d, 08, 0a, 0d, 02, 0b, 0f, 04, 00, 03, 0b, 04, 06, 00, 0f, 02, 0d, 09, 05, 0c, 01, 0a, 03, 0d, 0e, 08

A few other points of interest:
- It looks like the TCU has the so-called mode 0x22 for fast logging of multiple parameters. Which raises the question - how does RR do TCU logging (serial comms or CAN) and does it already use 'mode 0x22'? I had a quick look in the source code but couldn't figure it out. I couldn't find any hits for CAN ID "1f21" so I'm guessing RR does TCU logging via serial comms?
- There are various ROM integrity checks on start-up so that will need to be satisfied by any modified ROM

RR TCU logging is slow so I have to believe it's on serial comms.

kiki86 · **Posted:** Wed Jun 07, 2023 2:57 pm

To follow

I have Legacy 2004 JDM 5EAT with Rom-Id AA D1 A0 60 00

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Excellent, merci beaucoup kiki86!

If you already have a dump of your TCU, send it to me so I can start finding RAM addresses to log. If you don't have a dump, that's ok. Once the FastECU code is updated we will be able to dump using FastECU.

kiki86 · **Posted:** Fri Jun 09, 2023 2:41 pm

I do not have dump file of my tcu :cry:

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Getting closer. I will start writing the code soon.

To get ready for testing TCU comms, logging & ROM dumps - @uprev and @kiki86 - do you have a Tactrix cable? Or other cable for CAN comms?

Tugsay · **Joined:** Tue Dec 28, 2021 6:01 am **Posts:** 15

I have eudm 2005 outback 3.0r 5eat and I hate the shifting points. No si-modes to select and I tuned the car similar to later si-mode model car's sport mode but wothout flashing 5eat, there are lots of stupidity on transmission behaviours.

I'm using vag-com cable and it works well for flashing. If I can help for anything, I'll do my best.

Thanks for your afford, you all my hero

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Quote:

I'm using vag-com cable and it works well for flashing.

Hi, based on what I have seen so far, the 5EAT TCU uses CAN comms for flashing. A VAG-COM cable can't do CAN comms. FastECU currently does CAN comms with a Tactrix - do you have access to one of those?

First pass of software to access the on board kernel almost ready for testing... who is ready to help? Will need access to a Tactrix cable, or equivalent. I'll post a link to an updated FastECU when it's ready.

Tugsay · **Joined:** Tue Dec 28, 2021 6:01 am **Posts:** 15

My cable have FTDI232RL chipset and it says vag kkl.
I don't have any access on a tactrix and in my country it's nearly impossible to borrow one to try.

I can read and wrtite ecu but I don't know anything about tcu.

uprev · **Posted:** Tue Jun 13, 2023 9:14 am

rimwall wrote:

Getting closer. I will start writing the code soon.

To get ready for testing TCU comms, logging & ROM dumps - @uprev and @kiki86 - do you have a Tactrix cable? Or other cable for CAN comms?

I have a Tactrix ready to use

Sent from my iPhone using Tapatalk

kiki86 · **Posted:** Tue Jun 13, 2023 1:06 pm

I also have Tactrix cable

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Onward. Here's a rough plan:
1. Confirm working access to on board kernel
2. Confirm successful ROM dump using the on board kernel
3. Use dumped ROMs to log some key parameters to finalise Table definitions
4. Do manual ROM editing and some test flashing to confirm successful ROM flashing
5. Do manual ROM editing on whatever ROM parameters you want to change and flash to ROM
6. Update FastECU / RR to edit maps in a more user friendly way than manual editing

To start step 1...
- First pass of the code is done on the repo (development branch) here
- Easiest method is to download the FastECU-Windows.zip file from the ./precompiled branch. This is the release version of FastECU (no TCU edits)
- Make sure you can successfully run this version of FastECU (eg) do a test ECU ROM dump. This will confirm working software and cable, so any bugs from here are only related to the TCU code.
- Then download the separate FastECU.exe file from the ./precompiled folder and use this to overwrite the same file that came with the zip file. Also download the separate protocols.cfg file from the ./config folder and use this to overwrite the same file that came with the zip file in the ./config folder. Going forward, as we fix bugs, ideally you should only need to download updated versions of FastECU.exe
- Run FastECU again. When you press the Select button, you should now see an "Unknown" entry - this is for the 5EAT TCU. Select it, and then press the large green down arrow. This won't actually attempt a TCU ROM dump, but it will attempt to access the TCU kernel.
- If kernel access works, it's a miracle. Your TCU will be running from its onboard kernel. You will need to turn your car off and on again to get it back to normal. Nothing will have changed.
- More likely the kernel access won't work due to a bug of some kind. If so, copy and send the text from the log window.

Doing the coding separate from the testing is going to be clunky, but we should get there in the end...!

AJ08H65EAT · **Joined:** Tue Jul 05, 2016 7:14 am **Posts:** 17

Kudos to the experts for working on this.
I have a AUSDM 2008 Outback 3.0R 5EAT (Si Drive) and for sure there is room to improve the shift points and lock up behavior.

I have Tactrix cable. Have used it for minor engine tuning and to alter the Accelerator pedal to engine torque maps which slightly helped transmission behavior. Happy to try and read TCU or whatever if it helps.
AJ.

rimwall · **Joined:** Fri Aug 21, 2020 6:05 am **Posts:** 315

Excellent! Have a crack at Step 1 (from above) and let us know the results.

AJ08H65EAT · **Joined:** Tue Jul 05, 2016 7:14 am **Posts:** 17

OK, tried step 1 with released version of FastECU-Windows.
exe ran OK. Test ECU ROM dump did not work - maybe because I did not have the correct vehicle selected as mine is an 2008 Outback 3.0R (aka Legacy), which I could not find in the list, not sure.
Having failed step 1a, I continued to step 1b.

New exe ran OK. Unknown entry appeared under select. Large green down arrow started some activity, please refer attached notes from log window.
FastECU had the following text along the bottom of the window:
FastECU | ECU connected | ECU ID: 4B5A347007 Unknown unk-unk CAN (Hitachi M32176F4/384KB)
Hopefully that is useful - let me know next steps!

RomRaider

5EAT TCM JECS ROM Image

Who is online