Hacking pre-OBD car for fun and Horsepower

Today's victim

Journey

What we are not talking about

How E85 produces power

E85 fuel has a smaller stoichiometric coefficient than common fuel, which means it needs more fuel to run properly. It is less lubricating than unleaded fuel and also more corrosive.

But the energetic efficiency is higher, which means more HRSPRS!

Honda PGMFI

One of the first manufacturers to include electronics in cars. PGM-FI systems are still used today in motorcycles and Honda cars.

For this talk there is no VTEC (sorry K20 addicts).

Honda PGMFI for E85

As it is an electronic fuel management system, it should be possible to get this thing running on E85.

Running on E85 will provide:

Pre-OBD thing?

Honda provides an OBD-ish protocol on the PG7 ECU. It is not named on-board diagnostics for now.

Diagnostics are done by LED messages. It seems to have serial logging capabilities too.

On-Board diagnosis or the story of an unattended association

Datalogging

So, in the process of getting information coming from the car, I decided to attach the serial port (very possibly a UART) to my keyboard screen:

Whoops!

They say it will be patched with the new website coming in October. It is not the same company anymore, so they did not have any documentation on the STRIKE7 product.

Until this patch, every executable found on the site may have been backdoored...

Firmware analysis

As the firmware updater can be found online, I decided to reverse it to find out how to communicate over the serial interface:

Firmware analysis caveats

So it is a conventional IMX233 target, and kind of a lot of information can be found.

To get the wanted result, just disable the auto start-up of the Qt app, then plug in a USB-serial converter and it should be good...

But... the USB ports are not standard.

I found someone else taking notes on reversing this thing: https://gist.github.com/0xdevalias/7652064

ECU chipping

The process of ECU chipping, which is swapping the ROM, is a common practice on Honda models.

To get E85 running, a simple ECU swap should be possible, but we are hackers, right?

So I try to do ECU chipping by myself without any knowledge and with little information.

Information gathering

So I ask almost everywhere if someone has done this thing before.

@Icefluid, who is a specialist in Honda chipping, did not work on this ECU.

@Honda did not answer my tweet.

I ask a local tuner to help me (Supermap autosport). He can read my extracted, modified map with his pro tool and confirm if the dump is good or not.

Hondata seems promising too, but I discovered a bug inside it.

PGM-FI.org Grassroots Engine Management was the most valuable resource.

Someone has already dumped the content of the PG7 ECU. So I try to dump it by myself.

Epic fail

The M38128 seems to be a mask ROM and not much information is available; need to dig into old datasheets.

Moar fails!

Assuming it's a 128 kbit memory, I use the 27C128 configuration to dump the content. But it looks like some OKI batches are mis-stamped, probably explaining why the internet dump is 32 KB in size.

What to think

So the internet dump is 32 KB in size, but it looks like it is the same map repeated twice.

I almost burned the ROM unsoldering it, maybe the ROM size is really 128 kbit...

Need something valid to refer to.

After further research, the datalogging system on most modern versions is activated by code/firmware modification. I still don't get it on my old one even though the CN3 (datalog) port is present.

OSINT to the rescue

After doing some OSINT tasks I finally found something interesting, an old Honda racerom:

Annnnnnnd... I'm lost

So apparently on this one they decided to split the ROM into 2x64 kbit memories with an address decoder:

Address decoding

So I assume my initial guess of a 128kb memory was the right one and I decide to reconstruct this memory by hand with a basic concatenation. This map will have datalogging on by default (according to the ECU pictures).

This did not work because, with the use of the address decoder, the start of the second memory is referenced as the end of the previous memory plus one:

Gluing things together

My reconstructed map can be read by my local tuner, so let's move on and burn this onto a chip.

This kind of old chip was difficult to find (no time for delivery), but in the end my local dealership had one last one.

The chosen one is a 27LC256. Yes, I know it is a 256 kbit memory, but I will use the trick I discovered from the internet dump and burn it 2 times.

Messed up... again

This time I completely screwed up the flashing process.

In my dd operation of creating the racerom repeated 2 times, I only created the map on the "second sector", so the first part of the map is empty...

Burning this on the EPROM (UV erasable) and plugging it into the car:

Odd things happen

The car lights up without any error, so at first I guessed this was good.

But when turning the key it did not start. My first conclusions were:

So I decided to dump the content again, which is where I discovered the flash failure.
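The half-empty image described above can be caught before the chip is programmed. The following is an added example, not the author's tooling: it builds the doubled image in one step, finds the repetition period of a dump (the "same map repeated twice" observation), and refuses an image with a blank copy. It assumes a 16 KB (128 kbit) ROM image on a 32 KB (256 kbit) chip as on the page, and that the empty half of the bad file was zero-filled; the sample ROM bytes are constructed.

```python
import hashlib

ROM_SIZE = 16 * 1024    # 128 kbit ROM image, the size assumed on the page
CHIP_SIZE = 32 * 1024   # 256 kbit EPROM (27LC256)
BLANK_FILLS = (0x00, 0xFF)  # 0x00: unwritten part of a file; 0xFF: erased EPROM cells

def mirror_image(rom: bytes, chip_size: int) -> bytes:
    """Fill a chip_size-byte image with back-to-back copies of rom."""
    if not rom or chip_size % len(rom):
        raise ValueError("chip size must be a whole multiple of the ROM size")
    return rom * (chip_size // len(rom))

def mirror_period(image: bytes) -> int:
    """Smallest power-of-two block that, repeated, reproduces the whole image."""
    size = 1
    while size < len(image):
        if len(image) % size == 0 and image == image[:size] * (len(image) // size):
            return size
        size *= 2
    return len(image)

def audit_image(image: bytes, rom_size: int) -> list[str]:
    """Return the problems that make an image unfit to burn (empty list = OK)."""
    if not image or len(image) % rom_size:
        return [f"image is {len(image)} bytes, not a multiple of {rom_size}"]
    problems, reference = [], None
    for n, off in enumerate(range(0, len(image), rom_size)):
        copy = image[off:off + rom_size]
        if len(set(copy)) == 1 and copy[0] in BLANK_FILLS:
            problems.append(f"copy {n} at 0x{off:04X} is blank (0x{copy[0]:02X})")
        elif reference is None:
            reference = copy          # first programmed copy is the baseline
        elif copy != reference:
            problems.append(f"copy {n} at 0x{off:04X} differs from the first programmed copy")
    return problems

# Constructed sample data standing in for the 16 KB racerom (not a real ROM).
SAMPLE_ROM = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                      for i in range(ROM_SIZE // 32))
GOOD = mirror_image(SAMPLE_ROM, CHIP_SIZE)
BAD = bytes(ROM_SIZE) + SAMPLE_ROM   # the failure: map only in the second half

if __name__ == "__main__":
    print(mirror_period(GOOD), audit_image(GOOD, ROM_SIZE))
    print(mirror_period(BAD), audit_image(BAD, ROM_SIZE))
```

Running the same audit on a read-back of the chip after programming confirms the burn before the ECU goes back in the car.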

Not such a big issue you say?

To empty this old chip I need to get a UV eraser, so, in order, I try:

Then solution!

Current state of the project

Cat toys are not so efficient at erasing a 256 kbit memory (2 weeks and almost 20% erased).

If you have a UV eraser here with you, please reach out to me.

Kinda sure this will work (or even more surprises?)

What's next?

Questions?