Microtech DIY Firmware
01-24-12, 08:26 PM
#1
DIY Firmware
anyone interested in flashing their own Microtech?
Has anyone tried it yet?
The two ECU's I have in front of me are HC11 and HC912 CPUs and those flashing procedures are widely known - just wondering if anyone else has played with these micro-controller on the ecus?
I've been able to completely disassemble the LTX-8 w/ External Map sensor ..was able to enable logging on the box but didn't bother messing with anything else. I dont run or own one of these units but am helping a buddy with his.
Also, it looks like the 9pin port on the box itself is actually the parallel lines for the LCD / hand controller. We know the LCD in the hand controller uses 8 pins which leaves the single pin left for input of the buttons on the handle controller.
Anyhow - has anyone else played with LowTech ecu (as I've started calling it) devices?
Has anyone tried it yet?
The two ECU's I have in front of me are HC11 and HC912 CPUs and those flashing procedures are widely known - just wondering if anyone else has played with these micro-controller on the ecus?
I've been able to completely disassemble the LTX-8 w/ External Map sensor ..was able to enable logging on the box but didn't bother messing with anything else. I dont run or own one of these units but am helping a buddy with his.
Also, it looks like the 9pin port on the box itself is actually the parallel lines for the LCD / hand controller. We know the LCD in the hand controller uses 8 pins which leaves the single pin left for input of the buttons on the handle controller.
Anyhow - has anyone else played with LowTech ecu (as I've started calling it) devices?
01-25-12, 10:34 PM
#5
I bought a $50 HC11 programmer from ebay, popped the chip out and ran it through IDA.
It would only take a few days to rework firmware so that its recompilable.
Further, the ecu is really low tech and isn't very interesting.
It's overly limited and not much there to "open up". Kinda like a 1989 V6 Camaro.
I took a dremel and attached the thin cutting blade to cut slots into the head of the screws..
used a flat blade screw driver to open the case.
here is the cpu (this is an HC11 variant ..probably an HC11E)
Attachment 1
Here is the routine that pumps data out to the LCD/Parallel lines
Attachment 1
Spread the word guys - get people involved.
Hell, the reflashing/programming/firmware upgrade port is on the box.
just imagine not having to send the ECU back to AUS for firmware upgrade/update.
If you guys know any "ecu hacker" people - get 'em involved.
So far, all I've seen is an HC11 cpu and HC912 cpu - anyone can can hack these boxes.
I'll post some photos of the dongle so you guys can make your own.
..there is probably $5 in parts to make of these things.
Trending Topics
01-26-12, 08:59 AM
#8
I dont much about programming chips and all that. What would be possible? Could the calibration range for the O2 sensor be changed so that it accepts and reads widebands and give accurate readouts? Could it accept another input like an EGT data input and log it with all the other parameters?
01-26-12, 05:27 PM
#9
They would have to subpoena Internet Brands for my contact info then my ISP, etc etc.. but further, do the laws of AUS apply in the US regarding intellectual property rights?
(here is a good place to start reading: http://www.aph.gov.au/library/intgui...lectuallaw.htm)
I suspect if anything, I might get a nasty PM or something.. But honestly, I've not even remotely begun to touch these - I think the firmware guy(s) knows it.
I know they realize its old and tons of tools are available for reversing the firmware code for the HC11 and HC912.
Listen guys, I'm not chasing any "mods" down on these boxes, again, I dont own one and not looking forward to owning one. These really are LowTech ecus. I just wanted to point out a few things for someone else who might want to start digging into their own box.
For the record, yes.. most of your typical requests are possible.
1) Can I re-calibrate for external MAP sensor? - yes
2) Can I re-calibrate for another [brand] wideband input? - yes
3) Can I flash my box for XYZ firmware? - with in reason, yes.
See, the programming/reprogramming port in on the front of the ecu.. you can reflash the ecu from there - you can't reflash it via the DB9 port on the box - thats simply for the parallel lines and the input (6 Buttons on the hand controller).
01-26-12, 05:52 PM
#10
Full Member
Hey great work!
What software are you using to decompile?
Doing something with the O2 input would be interesting, changing it to wide band would be good.
The display will be in "Nibble mode", 4 data bits sent in two halves on the same bus so you need less IO pins, Low tech it may be but I have always been impressed that MT managed to get a Hitachi compatible LCD and what 5 buttons inside a DB9 connector! You can see that it the routine you posted above, you can see it loads the accumulator with high bytes and low bytes (dispupper/displower), I'd assume that the bit sets that follow are toggling the lcd control lines so it grabs the data.
Manipulating what the aux lines do would be very handy, though their number is very limited.
Arran
What software are you using to decompile?
Doing something with the O2 input would be interesting, changing it to wide band would be good.
The display will be in "Nibble mode", 4 data bits sent in two halves on the same bus so you need less IO pins, Low tech it may be but I have always been impressed that MT managed to get a Hitachi compatible LCD and what 5 buttons inside a DB9 connector! You can see that it the routine you posted above, you can see it loads the accumulator with high bytes and low bytes (dispupper/displower), I'd assume that the bit sets that follow are toggling the lcd control lines so it grabs the data.
Manipulating what the aux lines do would be very handy, though their number is very limited.
Arran
01-26-12, 05:59 PM
#11
Hey great work!
What software are you using to decompile?
Doing something with the O2 input would be interesting, changing it to wide band would be good.
The display will be in "Nibble mode", 4 data bits sent in two halves on the same bus so you need less IO pins, Low tech it may be but I have always been impressed that MT managed to get a Hitachi compatible LCD and what 5 buttons inside a DB9 connector! You can see that it the routine you posted above, you can see it loads the accumulator with high bytes and low bytes (dispupper/displower), I'd assume that the bit sets that follow are toggling the lcd control lines so it grabs the data.
Manipulating what the aux lines do would be very handy, though their number is very limited.
Arran
What software are you using to decompile?
Doing something with the O2 input would be interesting, changing it to wide band would be good.
The display will be in "Nibble mode", 4 data bits sent in two halves on the same bus so you need less IO pins, Low tech it may be but I have always been impressed that MT managed to get a Hitachi compatible LCD and what 5 buttons inside a DB9 connector! You can see that it the routine you posted above, you can see it loads the accumulator with high bytes and low bytes (dispupper/displower), I'd assume that the bit sets that follow are toggling the lcd control lines so it grabs the data.
Manipulating what the aux lines do would be very handy, though their number is very limited.
Arran
I'm using IDA Pro 6.1 (paid for) but you dont need a $1k+ tool to disassemble the ECU firmware but really does help! There are tons of free disassemblers out there for free.
I used a cheapy ebay $50 progarammer, used the HC11E1/E9/EA9/E20 and yanked the firmware.
The HC916 is even more specific, in terms of bdm's.
Anyhow, I'm sure you can find a copy of IDA Pro, the HC11 processor module in this tool is just beyond crazy good. :-)
01-26-12, 06:43 PM
#12
worst they can do is void your warranty which is why they used tamper proof inverted torx bits to hold the box together. if they would even honor the warranty anyways that is.
i don't see anything wrong with any of this, there is no support for the ECU in the US so repairs are time consuming and costly.
and on the other end i promote this because they refuse to come out of the stone age and still sell these rocks with wires in them, yet still charge for very minor changes to the configurations that all other ECUs have had swappable within the software for many many years now. basically microtech still opts to nickel and dime you on any modifications to the ECU setup.
i like that they are easy to install, tune and are reliable. i VERY much dislike that to even log a wideband O2 signal you have to pay a grip of cash to do so... or to convert to a 3 bar from a 2 bar, or to run different sensors, or to reconfigure things like fuel cut and ignition cut.
seriously, who in the flying **** uses a narrowband input? it doesn't even work right even if you configure it properly with an LC1 box either..
i haven't even touched on the fact that they don't give a rats *** about saving maps to disk and their stupid *** dongles that they also charge wayyyy too much for just in order to actually do something with the rock in a box.
basically the microtech is anti tuner friendly, but they're lazy ***** and it works but their sales have to really be hurting by now i would think. even the honduh AEM system(universal) is killing them in the market now.
as far as doing anything beyond that, don't look at me. i'm a grease monkey, not a pencil pusher.
i don't see anything wrong with any of this, there is no support for the ECU in the US so repairs are time consuming and costly.
and on the other end i promote this because they refuse to come out of the stone age and still sell these rocks with wires in them, yet still charge for very minor changes to the configurations that all other ECUs have had swappable within the software for many many years now. basically microtech still opts to nickel and dime you on any modifications to the ECU setup.
i like that they are easy to install, tune and are reliable. i VERY much dislike that to even log a wideband O2 signal you have to pay a grip of cash to do so... or to convert to a 3 bar from a 2 bar, or to run different sensors, or to reconfigure things like fuel cut and ignition cut.
seriously, who in the flying **** uses a narrowband input? it doesn't even work right even if you configure it properly with an LC1 box either..
i haven't even touched on the fact that they don't give a rats *** about saving maps to disk and their stupid *** dongles that they also charge wayyyy too much for just in order to actually do something with the rock in a box.
basically the microtech is anti tuner friendly, but they're lazy ***** and it works but their sales have to really be hurting by now i would think. even the honduh AEM system(universal) is killing them in the market now.
as far as doing anything beyond that, don't look at me. i'm a grease monkey, not a pencil pusher.
Last edited by RotaryEvolution; 01-26-12 at 06:52 PM.
01-26-12, 09:28 PM
#14
F-IT
iTrader: (5)
Join Date: Jun 2006
Location: ocala,fl
Posts: 995
Likes: 0
Received 0 Likes
on
0 Posts
all of their patents would be in AU, not in the US. Iirc they don't carry over to other countries(which is why knockoffs can be done in various countrie without and copyright infringement).
01-27-12, 03:44 AM
#15
Eats, Sleeps, Dreams Rotary
iTrader: (13)
Join Date: Aug 2002
Location: Pittsburg, KS.
Posts: 4,152
Likes: 0
Received 0 Likes
on
0 Posts
worst they can do is void your warranty which is why they used tamper proof inverted torx bits to hold the box together. if they would even honor the warranty anyways that is.
i don't see anything wrong with any of this, there is no support for the ECU in the US so repairs are time consuming and costly.
and on the other end i promote this because they refuse to come out of the stone age and still sell these rocks with wires in them, yet still charge for very minor changes to the configurations that all other ECUs have had swappable within the software for many many years now. basically microtech still opts to nickel and dime you on any modifications to the ECU setup.
i like that they are easy to install, tune and are reliable. i VERY much dislike that to even log a wideband O2 signal you have to pay a grip of cash to do so... or to convert to a 3 bar from a 2 bar, or to run different sensors, or to reconfigure things like fuel cut and ignition cut.
seriously, who in the flying **** uses a narrowband input? it doesn't even work right even if you configure it properly with an LC1 box either..
i haven't even touched on the fact that they don't give a rats *** about saving maps to disk and their stupid *** dongles that they also charge wayyyy too much for just in order to actually do something with the rock in a box.
basically the microtech is anti tuner friendly, but they're lazy ***** and it works but their sales have to really be hurting by now i would think. even the honduh AEM system(universal) is killing them in the market now.
as far as doing anything beyond that, don't look at me. i'm a grease monkey, not a pencil pusher.
i don't see anything wrong with any of this, there is no support for the ECU in the US so repairs are time consuming and costly.
and on the other end i promote this because they refuse to come out of the stone age and still sell these rocks with wires in them, yet still charge for very minor changes to the configurations that all other ECUs have had swappable within the software for many many years now. basically microtech still opts to nickel and dime you on any modifications to the ECU setup.
i like that they are easy to install, tune and are reliable. i VERY much dislike that to even log a wideband O2 signal you have to pay a grip of cash to do so... or to convert to a 3 bar from a 2 bar, or to run different sensors, or to reconfigure things like fuel cut and ignition cut.
seriously, who in the flying **** uses a narrowband input? it doesn't even work right even if you configure it properly with an LC1 box either..
i haven't even touched on the fact that they don't give a rats *** about saving maps to disk and their stupid *** dongles that they also charge wayyyy too much for just in order to actually do something with the rock in a box.
basically the microtech is anti tuner friendly, but they're lazy ***** and it works but their sales have to really be hurting by now i would think. even the honduh AEM system(universal) is killing them in the market now.
as far as doing anything beyond that, don't look at me. i'm a grease monkey, not a pencil pusher.
01-29-12, 06:07 PM
#20
he already said he has no plans of doing anything with a firmware upgrade. so it's up to someone who can decipher that scrabble board into something managable.
but i can pretty much guarantee that people would pay for info on modifying their own EMS or send it somewhere in the US to have it modified versus paying too much for simple **** from microtech and waiting extended delays for shipping and even the possibility of items disappearing beyond customs.
would be nice to convert mine to a 3BAR map for a little bit less than what they wanted or to have the car sit unusable for 2 months while waiting.
but i can pretty much guarantee that people would pay for info on modifying their own EMS or send it somewhere in the US to have it modified versus paying too much for simple **** from microtech and waiting extended delays for shipping and even the possibility of items disappearing beyond customs.
would be nice to convert mine to a 3BAR map for a little bit less than what they wanted or to have the car sit unusable for 2 months while waiting.
Last edited by RotaryEvolution; 01-29-12 at 06:13 PM.
01-30-12, 07:22 AM
#22
he already said he has no plans of doing anything with a firmware upgrade. so it's up to someone who can decipher that scrabble board into something managable.
but i can pretty much guarantee that people would pay for info on modifying their own EMS or send it somewhere in the US to have it modified versus paying too much for simple **** from microtech and waiting extended delays for shipping and even the possibility of items disappearing beyond customs.
would be nice to convert mine to a 3BAR map for a little bit less than what they wanted or to have the car sit unusable for 2 months while waiting.
but i can pretty much guarantee that people would pay for info on modifying their own EMS or send it somewhere in the US to have it modified versus paying too much for simple **** from microtech and waiting extended delays for shipping and even the possibility of items disappearing beyond customs.
would be nice to convert mine to a 3BAR map for a little bit less than what they wanted or to have the car sit unusable for 2 months while waiting.
I do realize that there is money to be made in this, I really do, however, if there are any legal related things I skipped - I dont want them to find me later on.
Besides, I'd rather it be free - there is no sense in paying $100 for a few bytes of data change to a piece of firmware.
08-13-12, 07:15 AM
#24
Full Member
I have retrieved the HEX from an MTX8-L with the Rotary firmware.
I am not having a great deal of luck disassembling it though.
I have IDA PRO 6.1, though this app is very new to me so there is a high likelihood of user error.
I specify the HEX file is Intel Hex format, also tried Binary format, tell IDA PRO it is from a 6811 motorola processor, and then select the E9.
IDA PRO then tells me:
"IDA Pro can't identify the entry point automatically as there is no standard set of binaries.
Plese nove to what you think is an entry point and press 'C' to start the autoanalysis"
I had a shot with DHC11 and it also seems to complain about the entry point.....
Arran
I am not having a great deal of luck disassembling it though.
I have IDA PRO 6.1, though this app is very new to me so there is a high likelihood of user error.
I specify the HEX file is Intel Hex format, also tried Binary format, tell IDA PRO it is from a 6811 motorola processor, and then select the E9.
IDA PRO then tells me:
"IDA Pro can't identify the entry point automatically as there is no standard set of binaries.
Plese nove to what you think is an entry point and press 'C' to start the autoanalysis"
I had a shot with DHC11 and it also seems to complain about the entry point.....
Arran
08-13-12, 02:30 PM
#25
ironically they recently put out their new line of LTxC ECUs which have a communication line for auxiliary displays but no other change to the ECUs themselves aside from that that i could see from the listings. still stuck with the hardline map swaps and integrated hardware...
"oh Microtech, when will you step into the 21st century?"
there will probably be flying cars out before you can reconfigure a basic MAP sensor swap without sending a small box half way around the world and back again..
best of luck Arran with your project, if you can hack it i bet a number of people would donate to your cause. i would like to support microtech but this nickel and diming continuance as well as time sink has been putting a sour taste in my mouth for their products as they continue to ignore what people want. the nicest thing that remains about microtech is the design, based around utilizing the factory sensors making it semi plug and play. i also like the ease of mapping with tuning, i find the microtech to be the fastest and easiest to tune still. BUT it is so basic and behind the times that it will soon be obsolete as more people look to other companies that offer much more flexibility for the same price.
the communication output to my handheld on my LT8 apparently took a dump recently(laptop connection still works thank god), i am even thinking about using a megasquirt for my newer project if i wind up selling this car. simply not worth the down time.
i will say that the microtech has worked flawlessly beside that one issue for nearly 8 years and 50k miles now.
"oh Microtech, when will you step into the 21st century?"
there will probably be flying cars out before you can reconfigure a basic MAP sensor swap without sending a small box half way around the world and back again..
best of luck Arran with your project, if you can hack it i bet a number of people would donate to your cause. i would like to support microtech but this nickel and diming continuance as well as time sink has been putting a sour taste in my mouth for their products as they continue to ignore what people want. the nicest thing that remains about microtech is the design, based around utilizing the factory sensors making it semi plug and play. i also like the ease of mapping with tuning, i find the microtech to be the fastest and easiest to tune still. BUT it is so basic and behind the times that it will soon be obsolete as more people look to other companies that offer much more flexibility for the same price.
the communication output to my handheld on my LT8 apparently took a dump recently(laptop connection still works thank god), i am even thinking about using a megasquirt for my newer project if i wind up selling this car. simply not worth the down time.
i will say that the microtech has worked flawlessly beside that one issue for nearly 8 years and 50k miles now.
Last edited by RotaryEvolution; 08-13-12 at 02:44 PM.