Scoobypedia | Trusted knowledge for everything Subaru
Scoobypedia | Trusted knowledge for everything Subaru
Search Scoobypedia:

Scoobypedia Home

The Knowledge

Buying Guides

Projects

Scoobypedia

edit sidebar

DBW Checksum Algorithm

< IAM & Load Memory Locations | | OBDII Cable Manufacturers >

Introduction

The DBW Subaru ECUs have a checksum system built into the code which performs a number of checksums on the main flash area. If the checksum diagnosis fails, the vehicle is placed in a sort of limp-home mode with a flashing check engine light. When you edit a 32-bit rom, you can end up causing the ecu to fail its checksum sequence because the data no longer matches what is expected.

The areas to be checksummed and the checksum results are actually defined in the data itself. This can be eploited to disable the checksum, making reflashing ROMs easier. This article describes how the checksum algorithm works, and how you can fix a flash image to have either the correct checksum, or not be checksummed at all.

Checksum Algorithm

At address 0x007FB80 (512kB SH7055 ECUs) or 0x00FFB80 (1024kB SH7058 ECUs) there is a table which defines the checksum areas.

The checksum algorithm is simply to sum the little endian 32-bit values in the address range from addr_start to addr_end, add the checksum_value to the sum, and make sure it equals 0x5AA5A55A. There is also some validation to make sure that the address range is reasonable.

Disabling the checksum

It is valid to have an address range which is simply 0x00000000 to 0x00000000. In this case, the sum will be zero, and checksum_value will need to be 0x5AA5A55A for the checksum to be valid. If you look at the checksum table in flash, you will see that most checksum areas are disabled in this way. So, by simply replacing all entries in the checksum table with 0x00000000 0x00000000 0x5AA5A55A, checksumming can be turned off completely.

(For 512kb DBW ECU's) Step 1: Open your fresh map in your favourite hex editor. Step 2: Search for 0x7FB80 in 512kb ROMs. Step 3: Press INSERT key on keyboard to allow Overwrite mode. Step 4: At 0x7FB80 enter the following 0000 0000 0000 0000 5AA5 A55A Step 5: Save your file, you're done!

(For 1MB DBW ECU's) Step 1: Open your fresh map in your favourite hex editor. Step 2: Search for 0xFFB80 in 1MB ROM. Step 3: Press INSERT key on keyboard to allow Overwrite mode. Step 4: At FFB80 enter the following 0000 0000 0000 0000 5AA5 A55A Step 5: Save your file, you're done!

Recalculating new checksum

One can compute the checksum using the algorithm above, subtract that sum from 0x5AA5A55A, and determine the needed checksum_value.

Alternatively some tools will automate this for you. Fortunately, RomRaider has a parameter called “Checksum Fix” that allows you to pass the checksum process, regardless of the changes you have made. Simply click on the "enable" check box and the checksum problem will be fixed after you save your rom. Un-checking the box and then saving will write the original factory checksum code back in.

Information Source: OpenECU, DBW Checksum Algorithm article

Related Articles

  • None
Page last modified on September 13, 2008, at 10:31 AM
Scoobypedia can not be held responsibile for the information published here. Site rules apply for all published content.