ECU flashing with M2


#1

Hi all!

I’m really pleased to have received my hardware now. I’m looking at data logging and flashing engine and transmission ECUs with the M2. Has anyone had any similar thoughts?

Cheers


#2

Oh boy are you in for a fun ride. Yes, I intend to do ECU flashing and firmware manipulation with an M2. That’s a rather large undertaking. How much do you know about UDS? It is likely that your engines and transmissions do firmware updates over UDS which itself is tunneled through the ISO-TP protocol that runs on top of vanilla CAN. So, essentially the process is three layers deep - standard CAN is used to send ISO-TP frames which are in turn used to send UDS messages back and forth. So if you hadn’t heard of ISOTP or UDS then you should start by looking up details about them.

https://eo.solutions/bleeding-edge-blog/2017/3/23/reflashing-ecus-over-can-bus-using-uds-what-you-need-to-know



#3

Flashing it with what files…? How are you generating ECU files?

This is such a broad question you might as well be asking “I was thinking about seeing if I can make the M2 fly” haha.


#4

And besides that…you didn't even mention what car you're working with…? Surprisingly enough, flashing a 1998 Chevy Cavalier ECU is about here to the moon different than flashing a 2017 Mercedes S600 ECU…

Hell, the car you’re working with might not even allow modified files to be flashed, if the ECU cal segments contain a digital signature.

You’re looking at hundreds of hours of work just to get the framework in place for the Macchina to flash an ECU.

Then you need to write a bootloader.

Then you need to modify and calibrate the ECU files themselves.

Then you need to generate checksums.

Then you need to get it all rolled into the proper hardware layer/protocol…

Then… :wink:


#5

Sounds like a piece of cake to me… :wink:


#6

I haven't checked in on the RomRaider community in a while. Last I knew there was only one supported piece of hardware that could pull and flash the ROM. I wonder if we could get M2 working for that. Even something like that, a project that has already been done before, is probably a massive undertaking. Would be pretty neat for us Subaru people though.


#7

I’m an ECU tuner by trade, but I’m currently locked in to using commercial flash tools. I think we are all in to this project to push the boundaries, so, can the M2 fly?

Of course it can!


#8

I know very little about CAN signalling at this stage to be honest. But every day is a school day and I’m interested to see how far we can get as a group.


#9

Yeah ok well you're still missing the entire point that you can't just generate files with your tuner software/UI and flash them with a third party device because those files are compressed or encrypted!!!

I assume you use a tuning suite like EFILive or HP Tuners…?


#10

BTW you’re probably talking 1000 man-hours of work to write flashing software for the M2. And that would cover/work for…ONE car.

Not to mention you should expect to/plan on bricking at least a dozen ECUs in the R&D process.


#11

Wonder if there is some way to mimic the “fancy” OBD2 cables like this:

http://www.avt-hq.com/price.htm#AVT-852

Reason I ask is because of this tool:

https://www.thirdgen.org/forums/diy-prom/696609-houston-we-have-reflash.html


#12

I’m not missing the entire point. Not at all. But thank you for your input.

No I don't use a tuning suite, I use hex editing software and damos/a2l files, coupled with a range of commercial flash tools mainly for VW/BMW/Mercedes.


#13

Anything is possible but since the majority of flashing software for different vehicles is proprietary you would need to know the device protocol or be able to reverse engineer it. You could use the M2 as a sort of man-in-the-middle between a flashing tool and the vehicle you're trying to flash but still have to figure out how to accomplish what you want. You can attempt to reverse engineer but you need a programmer to do that and be able to pull the firmware from that device or similar methods. But then again if you have access to the hardware necessary to do the flash are you going to waste your time trying to copy it?

For an older system like the J1850 VPW the information is out there but I haven't seen anything personally about other things. And with forums out there dedicated to hacking ECMs someone is probably trying.


#14

Ok so at least you're working in the raw bins, I assume with WinOLS. Or maybe really old school and using IDA or a straight hex editor (if that's the case, mad props to you).

You'll still need to write your own bootloader though. Most of the Europeans did WEIRD stuff, or rather blame it on Bosch. Especially later cars, right up until they turned on TPROT and laid down the hammer altogether.

You'd need to write a specific bootloader for each ECU, and maybe even each different Operating System depending on how much structure has been changed. The only Bosch ECUs I have experience with are the EDC16-C34 (2006-10 GM Duramax diesel) and EDC17-CP18 (11-16 Duramax)…they are NOT easy controllers to work with, and depending on if any segments have digital signatures or more complex checksums that WinOLS can't calculate…you've got your work cut out for ya. :slightly_smiling_face:

Start reading about CAN, USDT/UUDT protocol, and sniff a reflash process using your commercial tools…that will give you a huge head start.

Ben


#15

Also…having the A2Ls obviously is all but essential, but what would really be key to developing a reflash tool is if you had the Funktionsrahmen (whatever it's called) or other engineering level ECU strategy docs…usually those at least have an outline of the flash process on a higher level.


#16

Yes I’m working with WinOLS, I’m not quite that old school!

TPROT is annoying but it has been got around now, I understand there’ll be some investment on the software side in order to buy information from people to make this happen, but the M2 hardware could work out to be a good piece to use, especially if it is compatible with so many other software projects.

I appreciate your input.


#17

The Macchina hardware is 100% definitely capable of it…put bins on the SD card, and have the Macchina pull the bins off there, reformat into what the ECU wants to see during a reflash process, and go from there.

Software is going to take a LOT of work and a LOT of time.

TPROT, there are many different versions…the latest versions have not been defeatable as far as I know, or at least via OBD port…gotta open up the ECU and flash it via JTAG.

I think some of the latest BMWs, even the JTAG port is password protected…so unless you've got a connection at BMW, it's game over.

The 2017+ GM Duramax diesel pickup trucks are like this; SHA256 digital signatures on all cal segments, and a password-locked JTAG port…so unless someone high up at GM wants to get fired (best case) or go to jail for a long time (worst case), it's "untunable"…

All car mfgs are going this way quickly unfortunately. It won't be long before the ECU processors are actually storing the flash as an encrypted binary, and then a dedicated ASIC chip decrypts the flash/OS on the fly as the engine runs…pretty wild stuff.


#18

Just my 0.02 - I can confirm most of what @dmaxben has said, from my experience developing nisprog (Nissan ECU reflashing):

You’re looking at hundreds of hours of work
Then you need to write a bootloader.
Then you need to modify and calibrate the ECU files themselves.
Then you need to generate checksums.
Then you need to get it all rolled into the proper hardware layer/protocol…

Yes. Around 1000-2000 hours in my case.

Not to mention you should expect to/plan on bricking at least a dozen ECUs

I did better on this one: not a single bricked ECU. One close call though.

I haven't checked in on the RomRaider community in a while. Last I knew there was only one supported piece of hardware that could pull and flash the ROM.

RomRaider has so far been Subaru-centric, but now with nisprog and some open definitions files, many people have tuned and reflashed their Nissan ECUs.

I believe the best investment in time would be to write a J2534 implementation for M2, and leave the flashing to the PC/host side, as it is meant to be. I don't think there is any reflashing protocol that cannot be carried out by a J2534 device. One limitation of M2 however would be the lack of "special function" pins that some ECUs need to have at a certain voltage to enable reflashing.


#19

Most of what the OP is trying to accomplish seems like Bosch ECU.

  1. Bootloader not so needed as these ECUs typically just need TP2 protocol or UDS for newer.
  2. Cal sections, seems like he has this covered with WinOLS.
  3. File checksums, covered if WinOLS likely.

OP needs to basically integrate transport (TP2) on hardware ideally, let PC control the application (KWP2000), CAN bus. K-line needs to have similar hardware code written as well if doing older Bosch. You also need to know how to handle seed key security for programming mode, flash file encryption/compression methods, and block checksum for block flash verification. TPROT passwords can be read by OBD, but you need bootstrap loader to actually utilize them and do bootmode flashes. You can bypass TPROT entirely via OBD with some IDA work. It's a large undertaking, and a lot of "secret" knowledge involved.

You can do it all as said like J2534 passthrough, via the PC. J2534's major downfall in my opinion is that you have to always poll for messages, no possible event for message received, so you must be crafty with threading to accomplish reading thread, and handlers that way. It can be done (I've done it).

If you go either route, I agree in the amount of hours others have said, 1000-2000. You can maybe be lucky and get some of the information required if you search well on the internet and understand programming well. IDA is a tremendous help along with matching .a2l files.

Best of luck!


#20

I will be picking up a Tech 2 (clone) as soon as my taxes come back. I will be working with the M2RET software and some other stuff I have to try and make a bridge so I can run my Tech 2 through my M2s and be able to decipher what it is doing.

I will be doing this with my older truck (J1850) then with my '09 CTS. I may also try to use my Lab and mimic some of the stuff so I can more easily grab the results as less noise will be in the system.

I understand this is used as a pass through device to work with GM’s flash software so maybe I can figure out how to do it with an M2. No promises though but would be cool to figure out.