Here is another old-timer with environmental system problems. The task is to develop a software Decat solution.
We have a Mitsubishi FS6S18881B E2T88876H engine control unit (ECU), which utilizes the H8 core processor with 128KB of flash memory. The firmware is identified as EZFS6S.
This microprocessor has a specific characteristic – when loaded into IDA Pro, the ROM addressing does not start from the beginning.
Let’s load the firmware into WinOls and examine the error table. Here is what we found:
It appears that the errors related to the rear oxygen sensor are located on the same line, which simplifies the task since the activation flags are likely to be in the same byte.
Next, let’s analyze the same information in IDA Pro and locate the necessary procedures:
Through this process, we discovered the “mask” for the activation bits that control both errors in our identified string. Or at least they should control them!
However, there is an unexpected surprise from the developers – it seems that the DTC P0141 cannot be disabled using this method. We had to dig deeper, and as a result, we found additional procedures where the required bits are set based on certain conditions. These flags are written to the RAM and processed by the procedures only when necessary. It is worth noting that just because we observe throttle voltage during diagnostics doesn’t necessarily mean that these values are actively processed in the program.
Finally, we managed to locate the specific bit we needed and deactivated it. After several days of work, we successfully created one of the Decat variants for this program.