DIY_EFI Digest Saturday, 10 August 1996 Volume 01 : Number 226 In this issue: Re: Eprom Security Board HONDA OEM processor type HONDA OEM processor type, found, sort of Re: Contact Re: Eprom Security Board Re: Eprom Security Board Re: Eprom Security Board Re: Eprom Security Board Re: "Dropping" resistors ?? Re: Eprom Security Board See the end of the digest for information on subscribing to the DIY_EFI or DIY_EFI-Digest mailing lists. ---------------------------------------------------------------------- From: Rod Barman Date: Fri, 9 Aug 1996 8:11:15 UTC-0700 Subject: Re: Eprom Security Board > It makes the Eproms unreadable in a standard reader, but it is > transparent to the MCU. Interesting. So let me get this straight, if you plug either the adapter board with the eprom on it or just the eprom into a standard reader you get garbage? But plugging the adapter with eprom into the ECU and it works ... Is there only the single IC, the pic, on the board? Any idea how the address and datalines are mapped? (ie. take an ohm-meter and check for continuity between the eprom socket and adapter pins). - --rod. - -- Rod Barman, IRIS IS-6 @ Laboratory for Computational Intelligence University of British Columbia rodb@xxx.ca ------------------------------ From: Jeff Date: Fri, 09 Aug 1996 11:02:08 -0700 Subject: HONDA OEM processor type Does anyone know what processor Honda uses in their EFI systems? Specifically from a 1992 Honda Accord. I took the cover off the unit, and the chip has an OKI label, part 66911, it is packaged in a high desnsity 64 pin DIP. Also, I assume the standard DIP labeled 38256 is the ROM. Can anyone confirm that? Thanks, Jeff ------------------------------ From: Jeff Date: Fri, 09 Aug 1996 11:22:31 -0700 Subject: HONDA OEM processor type, found, sort of Ok, without much trouble I was able to find out OKI makes microcontrollers that start with the prefix 66xxx, come a 64 pin HD DIP, and operate at up to 10 MHz (which was the crystal frequency in the Honda). This information is located at : http://www.okisemi.com/tables/P25-T1.html I should be able to figure things out from here, but if anyone else has info on Honda type EFI boxes, please let me know. Thanks, Jeff ------------------------------ From: Jonathan Lloyd Date: Thu, 8 Aug 1996 20:49:03 +0100 Subject: Re: Contact In message <199608071522.AA15031@xxx. Hernandez" writes >Jonathan Lloyd wrote: >> >> Has anyone managed to write to Mr Kirk Arwood? He has a page on the >EFI >> web and says willing to talk about Ford EEC. I've posted several >times >> and even with a deliberately wrong email address and still got no >> "failed mail" message back. >> -- >> Jonathan Lloyd > >What email address is he listed under? > I read it as k.arwood@xxx.com but as I said it doesnt seem to work. - -- Jonathan Lloyd ------------------------------ From: John Dammeyer Date: Fri, 9 Aug 96 10:44 PDT Subject: Re: Eprom Security Board At 08:11 AM 09/08/1996 UTC-0700, you wrote: > >> It makes the Eproms unreadable in a standard reader, but it is >> transparent to the MCU. Actually, there are several rather clever ways of making an eprom appear like garbage, all of which are suitable for confusing the amateur but only slow down the serious 'reverse engineer'. 1. Make an adapter for the EPROM that has some of the data lines swapped. The eprom is placed into the adapter and the adapter into the programer. As far as the programmer is concerned the correct bits are set into the eprom. On the circuit board the same leads are exchanged, perferably under the EPROM socket (out of sight). As far as the Micro is concerned it still gets the correct opcodes. 2. Same deal. An adapter that swaps the address lines. The reset vector is in the correct place. It just vectors to garbage if the adapter is not available to swap back the address lines. Done correctly with a few DB or DW constants in the code (if you have room), you can send the reversing engineer off on a wild goose chase for a while where the code looks correct but isn't. 3. Mix the two. Again with a judicious use of define bytes and swapping the correct address and data lines the code when dissassembled from the eprom, without the adapter looks correct but isn't. 4. The professional 'reverse engineer' just hangs a logic analyzer or an ICE on the processor and tracks the program from reset. Verifies that with the contents of the eprom and builds a suitable adapter. Then proceeds to dissassemble the code. Remember, if you have the hardware in front of you; and you know the purpose of the application; and you have the knowledge of what the sensors are supposed to do; reverse engineering is not all that difficult. As for encrypting the code and then first decrypting in to RAM and running from there.... see point 4. Freeze the processor after the system is running and dump the RAM using a processor emulator. ie: For the pro reverse engineering isn't that tough; for the amateur it just requires some time and perhaps some equipment. recall too that if it's a big Micro, nowadays most of the application whill be written in a high level language. This shows up in stack frame manipulations that are consistant from function to function. Local variables are always accessed the same as are lookup tables. Good assembler is also easy to figure out. Poor assembler (hack code) is the toughest; both to reverse engineer and to debug while being developed. John. Pioneers are the ones, face down in the mud, with arrows in their backs. Automation Artisans Inc. Ph. 604-544-4950 6468 Loganberry Place Fax 604-544-4954 Victoria BC CANADA V8Z 7E6 ------------------------------ From: Rod Barman Date: Fri, 9 Aug 1996 11:22:51 UTC-0700 Subject: Re: Eprom Security Board > Todd .. they are available from the folks at SuperChips for about $20 each > they work based on timing .. But Jimster, if this was true, couldn't one just uplug the eprom and stick it in the reader? Or are the soldered on? - --rod. - -- Rod Barman, IRIS IS-6 @ Laboratory for Computational Intelligence University of British Columbia rodb@xxx.ca ------------------------------ From: Land Shark Date: Fri, 09 Aug 1996 13:17:25 -0600 Subject: Re: Eprom Security Board At 11:22 AM 8/9/96 UTC-0700, you wrote: >But Jimster, if this was true, couldn't one just uplug the eprom and stick >it in the reader? Or are the soldered on? But the EPROM is encrypted and the little "thingie" actually DECRYPTS it for the processor .. BUT an EPROM reader does NOT access and EPROM the same as the MCU does, so it does NOT fully decrypt and the readout fails.. Jim PS: ANY DECENT MCU ENGINEER can break these things in 2 minutes .. but WHY?!? It's easier (for me at least) to reverse the DME myself.. ------------------------------ From: Todd Knighton Date: Fri, 09 Aug 1996 17:03:57 -0700 Subject: Re: Eprom Security Board Land Shark wrote: > > > PS: ANY DECENT MCU ENGINEER can break these things in 2 minutes .. but WHY?!? > It's easier (for me at least) to reverse the DME myself.. Actually, Jim, I've had them in my hands because people send them to me to break. Your right, but I think it took about 5 minutes to fire up the ICE and rewire an old C1 computer to take a 27C512 chip. Then wallah, there comes the code, just as it should be. I'm just trying to keep the other 99.99% of the population from copying our code, I know that it's still unsafe to people on this board, but then they're the ones that get the encripted microprocessors with only data tables in the eprom's. Let's have some fun with those. Todd Knighton Protomotive Engineering Email: knighton@xxx.com P.S. Thanks to everyone on the board for the great response. Sounds like everyone on this board is just chomping at the bit for some really fun thing to chat about. Hmmm, let's see... How about electric motors mounted in the hubs of each wheel that will not only be motors, but regenerative brakes as well as use the magnetic properties of the motors for levitation so a bearing or some teflon surface would only be used for powered down conditions. Then let's build the EFI332 to control all these things. Actually, you wouldn't even need a steering wheel, you could use the controller to rotate the wheels at different speeds like a tank and turn the vehicle about it's axis. But let's not be boring here. Let's put an onboard turbine engine to generate power for these things so we have some acceleration, otherwise 200hp motors at 4 wheels, or 800hp wouldn't last too long with the conventional battery technology. You know, it's gotta be fun, even if it does comply with the zero emmissions stuff. ------------------------------ From: Todd Knighton Date: Fri, 09 Aug 1996 17:08:13 -0700 Subject: Re: "Dropping" resistors ?? Stephen, Honda used to use the same type resistors as well as the Porsche 914's with L-Jetronic Fuel Injection. Those might be sources for you, but even simpler might be Radio Shack. They have some 8ohm 50watt ballast resistors that we've used in the past for a similar app. They work fine and dissipate plenty of heat. They have a few other ratings close to this but that one might be the best and cheapest alternative. Todd Knighton Protomotive Engineering Email: knighton@xxx.com Stephen Lamb wrote: > > A friend of mine appears to have blown the "dropping" resistor assembly on > the (stock) injector system of an FJ20 (in a Datsun 1600). Nissan don't > want to know him, and he's having trouble finding a replacement (the FJ20 > was an imported performance engine). > > >From what I've been able to find out about these things, they are simply a > bunch of heavy duty resistors in-line to the injectors. All the manuals > I've read on the Nissan version of the L-Jetronic system suggest that each > resistor should be about 6 ohm. > > My question is: Could I simply make a substitute by wiring in a bunch of 6 > ohm, 5W wire-wound resistors, or is there some other magical property to > this device ?? > > TIA > > PS: Are there any suppliers for these items in the States ?? > > Stephen Lamb > Dept. of Defence DSTO, AMRL > 506 Lorimer Street > Fishermans Bend VIC 3207 Australia > Tel: +61 3 9626 7525 > Fax: +61 3 9626 7089 > > IZCC #180 ------------------------------ From: Digital Boy Date: Fri, 9 Aug 1996 21:32:17 -0700 (PDT) Subject: Re: Eprom Security Board At 05:03 PM 8/9/96 -0700, you wrote: > >P.S. Thanks to everyone on the board for the great response. Sounds >like everyone on this board is just chomping at the bit for some really >fun thing to chat about. Hmmm, let's see... How about electric motors >mounted in the hubs of each wheel that will not only be motors, but >regenerative brakes as well as use the magnetic properties of the motors >for levitation so a bearing or some teflon surface would only be used >for powered down conditions. Then let's build the EFI332 to control all >these things. Actually, you wouldn't even need a steering wheel, you >could use the controller to rotate the wheels at different speeds like a >tank and turn the vehicle about it's axis. Well, I'm all for the AWD EV / HEV concept. I own a Neon, and I'd love to install 4 200HP electric motors in it. > But let's not be boring here. Let's put an onboard turbine engine to >generate power for these things so we have some acceleration, otherwise >200hp motors at 4 wheels, or 800hp wouldn't last too long with the >conventional battery technology. You know, it's gotta be fun, even if >it does comply with the zero emmissions stuff. Well, a turbine would be good, or a small diesel engine turning a biggish generator to top the batteries off, and provide oomph when passing. :] Terry ------------------------------ End of DIY_EFI Digest V1 #226 ***************************** To subscribe to DIY_EFI-Digest, send the command: subscribe diy_efi-digest in the body of a message to "Majordomo@xxx. A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace "diy_efi-digest" in the command above with "diy_efi".