ok since my blog got deleted with this info in it, i just figured it would be easy to keep up with it by starting a thread....If anyone wants to help, they will get recognition and of course perks...

http://i26.tinypic.com/34oarys.jpg

The picture is high res enough that you can see all of the serial numbers and everything, but none of those help to tell what kind of processor this is.

As you can see there are a couple of sets of rows on the bottom left hand corner of the board..The 16 pin one with the holes is a COP connector. The 20 lead one on the left i believe is a ARM connector.

I just purchased a wiggler that should be able to connect with both of these interfaces. but as you can see the supposed 20 ARM (JTAG)connector is directly interfacing with the processor, so i beleive i should try and go for that first.

http://img.villagephotos.com/p/2007-10/1283540/perehodnik_240.jpg

theres only twelve, because there are about 9 grounds on the line itself, but i needed something that can interface with current software without having to dev my own...

I'll leave it at this for now, and keep adding stuff as i find it...

Very interesting topic, I would think that it might be password protected, but maybe not since it's pretty up to date but common technology.
As I read on this ECU, it seem to be a learning type of ECU, the BMW guys had a hell of a time to understand the E46 ECU witch seem to work in the same way, but they did it with amazing results, I remember the fuel adaptation value to max out were the most common CEL problems, they had to tweak almost everything on the program to make it work flawlessly. I still think that for the average DIY a standalone may be an easier option, this would require an e-throttle capacity and send the ECU price to the sky...or revert to cable with all the headaches that comes with it...

Yeah, i was going to get into the BMW bandwagon and play with the new tricore hardware, but thats at a later date and when i have more money for R&D. A reflash will be cheaper by all means atleast if it comes from me, because i know how costly something can be...

Atleast when all is said and done i will atleast have access to throttle maps, fuel, ignition, O2 sensors, etc, which is needed for a basic tune, the more complicated stuff i can work out later.

If i were trying to crack it through OBD, maybe, but ive dealt with encryption before on the Audi ECU's. When you are dealing with something that has direct contact with the MCU, i doubt there will be an encryption since it is such a mundane way of programming the ecu directly from the factory... Now if they removed a resistor to short out the communication, then ill be screwed...

I read that some EPROM will erase themself if they are hacked in some way, I just hope it's not the case here.
If they do have encrypted their data, there's no way to decrypt unless we get the key, witch should be somewhere in the ECU.
Nothing is impossible, but this seem to be very hard to achieve.
We need more info on this EPROM, some spec sheet.


If i were trying to crack it through OBD, maybe, but ive dealt with encryption before on the Audi ECU's. When you are dealing with something that has direct contact with the MCU, i doubt there will be an encryption since it is such a mundane way of programming the ecu directly from the factory... Now if they removed a resistor to short out the communication, then ill be screwed...
A chat with a Toyota chief mechanic coud provide some good info on the "how" they reflash them, but it may be a simple hook the machine and press play...
If it's the way they change their maps, I guess it's possible to go trough there, the best tuners are all over the Supra, but I doubt that their ECU is as complex as this one.

Thanks, that would be cool and helpful, I emailed Denso they said they would help if they could, but it would be on Toyotas side I would have to bother... I think the Supra should just be a basic 28pin easy chip to do, but ive never seen their ECU.

I had my other buddy working on the Yaris ECU, but I don't think he ever went through with it either.

How would someone be able to tell if they had a Chief mechanic in their dealership or is it mandatory to have one in all dealerships? Mine seems like a bunch of boneheads last time i went there well the service manager was..."We adjusted the alignment, did you know the car was lowered????!" NOTE THE RED SPRINGS.... yeesh

yeah a digital gauge would be cool for tuning it as well and monitorting knock correction, make things a hell of alot easier. I would be willing to help you with that, shouldnt be that difficult as long as you know the standard OBDII(I think its ISO2049 or some crap for Japanese cars). But all you would need to do is monitor the data and make them from there...

Also, this would be something easy to code in Visual Basic as long as you knew the code and can make a Dashboard if you liked something simple

Just a small note on the side.

I was chatting with some one who visited the SEMA stand for the company JET Chip (jetchip.com) and they told him that they have the capability to offer custom re-flashes for the modern Toyota 4 cyl engines. According to them is just a matter of send the the stock ECU for a couple of days.

This buddy question was in regard to the new scion xD, but still I think it will be something interesting to check out.

I know they offer chips for the Tundra, FJ cruiser and a lot other cars that actually do work.

:biggrin: I know close to nothing about electronics nor how they acomplish the re-flash they offer... And this is something I would never try to do on my own!

I was just pointing out that it looks like this is something it can be done! Otherwise they will not be offering the service...:biggrin:

Any ways... keep up the good work!

hahaha, and with this being a 208pin QSOP chip, i dont even think i would trust myself to do it... its almost robotic... i mean, the Honda chips are a breeze, but something like this is a bit too hardcore to solder/resolder... plus where can i find an adapter for an auckward chip like this lol....

but i do remember someone pointing out on a JET website that they had a reflasher type tool, before the hack.. ill see if i can dig it up

Excellent thread! Hopefully there's some progress on this soon.

I keep thinking that an ECU reflash could produce some of the biggest gains on the Yaris.

I can also make some calls to Toyota techs and see if I can get the specs on those ROMs and let you know if I find out anything. :thumbsup:

please, if anyone can do anything that would be awesome and i might consider open sourcing it to some people, but alot of people are looking to crack these ECU's in Europe to begin with.. so id rather keep it in the community or on the DL.

If i remember correctly, these cars run very lean or rich from the factory with low ignition mapping mainly for use with low octane fuel as an economy car. I do beleive there should be impressive gains to be had with this car in stock form, and even moreso in a FI form.

awesome, it looks like this is going places fast :). Thanks for keeping us informed....

That's awesome, if we can get at least a rough idea of how this ECU works, we can at least search in the right direction.

Any update on this?

Lafiro, 100 points for bumping this thread. :clap:

I bet someone can bribe a lead Toyota tech, so that you can use his little machine to get into the computer

I read that some EPROM will erase themself if they are hacked in some way, I just hope it's not the case here.

Probably a checksum that is computed at the time of code compilation. That was one way to do it.

If the checksum doesn't add up the code will not run.

Gene

they probably swap out the toyota chip and put in a reflashed one , its doable but you need a SMT machine to mount the chip back on the board, you don't want to be doing it yourself without prior experience and steady hands.

mself i have remounted several chips and components using SMT and its a pain in the ass to do, we actually had a whole class about it.

I did it professionally for two years at Sony. Down to 0.5mm pitch SMT and some BGA (though not a lot).

Putting the chip in is a lot easier than getting it out.

To put the chip in requires no more than the right flux and the right technique with a moderate powered soldering iron. The iron MUST be cleaned routinely with a sponge soaked in water, then you must immediately retin the iron. This is a fundamental thing and should not be ignored!

What we did first was clean the landing pads, insuring that they were not damaged. You MUST clean the landing pads so that they are "even". If the board is "virgin" than it still is a good idea to examine it. I never took anything for granted and thus never got into messes.

Orient the chip properly. You're going to goof it up at least once before this becomes a ritual.

Soak the legs of the SMT with a "sticky" soldering flux. Do not be shy about using too much. It washes off when you're through.

Start in one corner, "tack" a few legs, then on the opposite corner.

Pick a "virgin" run along one side, using a small drop of solder in the iron, draw the soldering iron CAREFULLY along the run of legs, keeping it above the legs so that the solder can adhere to the legs but that the iron does not bump the legs. There is a definite technique to this and it requires some practice.

Get some "Scrap" boards,which is how I perfected my technique. I'd need a few hours to get it back again, but it's like riding a bike.

The trick is to use cohesion and adhesion of the liquid solder to make it soak up under the legs of the SMT without bridging between them.

Go around the chip. You may have excess which will blob up on the end of the run. If so take a soldering wick and "soak up" the excess. In time you will learn from experience how to put enough solder on the iron to do the job.

The flux protects the solder from oxidation, and the process can be messy, with lots of smoking flux. Be sure to have your fan working!

You will need to examine the chip afterwards under magnification for "bridges". These are touchy and require just the right "touch" to suck up just enough solder using a soldering wick.

Taking an SMT chip out is an ass pain - most places use hot air for the removal. That's what we used too. The machine would apply hot air to the surface of the chip and then we would remove it with "air tweezers", basically a tiny suction cup with a vacuum source.

Some people will remove the SMT ONE LEG AT A TIME. This is a pain in the ass, the hot air machine is thousands of times easier.

A lot of times the SMTs contained embedded firmware so we had to reuse them. Resoldering an SMT chip back is a chore unto itself. You must ensure that each leg is straight.

If you go to http://www.sparkfun.com/commerce/tutorials.php there is an entire series of tutorials devoted to SMT work.

Sparkfun sells hot air machines which can remove some SMTs. They also make SMT boards using a common electric skillet and offer a tutorial about it. Those guys are HARDCORE prototypers.

Gene

Sparkfun has their own Youtube channel where they feature videos on SMT.

http://www.youtube.com/user/sparkfun

Gene

You know, what we really need is the source code for the Yaris's ECU.

Fat chance of getting that in English!

Gene

http://forums.openecu.org/viewtopic.php?t=1063&view=next&sid=b2c04d8d018d09245c80d3040dc30bdf

http://www.rollaclub.com/faq/index.php?title=Tech:Engine/A_Series/ECU_Pinouts


Okay... we need the Nippon Denso part number for this ECU.. That will simplify searches for the pinouts.


Gene

Don't think i forgot about everyone, i know this is still an ongoing issue with alot of people...

What i most definately need is someone who can get me a canbus OBDII reflash log from a service technician if anyone has any friends

this will probably be the only way we can crack this ecu... if anyone knows anyone/anything please let me know!

Don't think i forgot about everyone, i know this is still an ongoing issue with alot of people...

What i most definately need is someone who can get me a canbus OBDII reflash log from a service technician if anyone has any friends

this will probably be the only way we can crack this ecu... if anyone knows anyone/anything please let me know!

What is it you're looking for in the reflash log? I'd be a little surprised if they didn't use CCP for the downloads.

in a reflash log you can pretty much see where it accesses and what codes it uses to do so as in read and write then i would be able to flash over canbus then bench it