Originally Posted by landspeed
Hi all! I was wondering. Would there be much interest in reverse engineering the CA18DET ECU? I am currently reverse-engineering the Toyota ECUs from the 2000s and later, which involves multiple 32-bit RISC CPUs, emulating a CAN network, and more. It is a big job, with ROMs being 384-768K in size, easily. I am working on the Prius at the moment, which, while not the sportiest car, is not upgradeable at all due to the computers being pretty much unexplored territory.
I am not wanting to replicate the Stage 1,2,3 ECU chips, as these are tried and tested. However, I was wondering if there would be much interest in delving deeper into the code of the ECU, and perhaps changing the way certain things are managed, beyond modifying the maps and rev limiter? I have done some hand decompilation and can say that the ROM might have been written in 'C', because many of the setup routines are not written very efficiently.
I am also aware that the CA18DET ECU, while it only has a 16K EPROM, can actually use a 32K EPROM (I think there might be a resistor or something that needs modding but that is about it). So, it would be possible to add a lot more code. The early system-on-chip used has built-in serial port / other stuff, so it could be possible, for example, to do stuff like have a serial interface to a single-board computer, to do 'real-time' modding. Other ideas could be a true 'valet mode' for when the car is being serviced or whatever. I am sure that the maps could also be messed around with, perhaps increased in resolution if that would be of any interest?
I can say that I have the ability to reverse engineer this whole thing. The Prius ECUs are so much more complicated, and the SoCs are not documented, but I have still got quite far. The CA18DET stock ECU on the other hand is fully documented (at least, the SoC, and the rest can be gleaned from looking at the circuit board - which I am going to do soon). It is an 8-bit Motorola 6801 clone with extensions (and additional hardware), with the ROM mapped into address 0x8000h and beyond. It has a flat 64K memory map. It is kind of like a 6502 but more advanced.
I would be interested in any thoughts on this. In particular, ideas as to what might be useful to add / modify in the ECU; new features etc.
I can say that hand analysis of the code thus far does show that, on boot-up, the ECU clears the RAM at addresses &0040 to &00FF (and, later, sets the stack pointer to &FF, so likely a descending stack), then it clears the RAM from &1000 to &1400, then branches to a subroutine and sets up a few of the hardware registers. This already helps as it shows where the internal RAM is mapped.
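
An added example, not part of the original post and not code from the ECU: a small tracer that interprets boot-time clear loops and recovers the RAM ranges and stack pointer they reveal, which is the inference the post draws by hand. The stub bytes are constructed from standard 6800/6801 opcodes to mirror the described sequence; treating &00FF as inclusive and &1400 as exclusive, and the names `STUB`, `coalesce` and `trace_boot`, are assumptions.

```python
# Constructed boot stub, NOT bytes from the real ECU ROM. It uses standard
# 6800/6801 opcodes and mirrors the boot sequence described in the post.
STUB = bytes.fromhex(
    "CE0040"  # LDX #$0040
    "6F00"    # CLR 0,X      <- loop
    "08"      # INX
    "8C0100"  # CPX #$0100   (assumption: &00FF is inclusive)
    "26F8"    # BNE loop
    "8E00FF"  # LDS #$00FF
    "CE1000"  # LDX #$1000
    "6F00"    # CLR 0,X      <- loop
    "08"      # INX
    "8C1400"  # CPX #$1400   (assumption: &1400 is exclusive)
    "26F8"    # BNE loop
    "39"      # RTS
)

def coalesce(addrs):
    """Merge a set of addresses into inclusive (low, high) ranges."""
    out = []
    for a in sorted(addrs):
        if out and a == out[-1][1] + 1:
            out[-1][1] = a
        else:
            out.append([a, a])
    return [tuple(r) for r in out]

def trace_boot(code, base=0x8000):
    """Interpret the opcodes used above; return (stack pointer, cleared ranges)."""
    def rd8(a): return code[a - base]
    def rd16(a): return rd8(a) << 8 | rd8(a + 1)
    pc, x, sp, z, writes = base, 0, None, False, set()
    while pc < base + len(code):
        op = rd8(pc)
        if op == 0xCE: x = rd16(pc + 1); pc += 3                     # LDX #imm16
        elif op == 0x8E: sp = rd16(pc + 1); pc += 3                  # LDS #imm16
        elif op == 0x6F:                                             # CLR off,X
            writes.add((x + rd8(pc + 1)) & 0xFFFF); z = True; pc += 2
        elif op == 0x08: x = (x + 1) & 0xFFFF; z = x == 0; pc += 1   # INX
        elif op == 0x8C: z = x == rd16(pc + 1); pc += 3              # CPX #imm16
        elif op == 0x26:                                             # BNE rel8
            off = rd8(pc + 1); pc += 2
            if not z: pc += off - 256 if off > 127 else off
        elif op == 0x39: break                                       # RTS
        else: raise ValueError(f"unhandled opcode {op:#04x} at {pc:#06x}")
    return sp, coalesce(writes)
```

Any opcode outside this handful raises an error rather than being skipped, so running it over a longer region shows exactly where the tracer's coverage ends.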