In this article, I would like to show the analysis which I have done on the ECU installed on Honda CBR125R. One person from France kindly sent me for free this ECU, and I sent him a Fuelino Proto3. Before opening the ECU, it looks as in the following picture.
First of all, the following picture shows the location of the ECU (Engine Control Unit) on a Honda CBR125R motorcycle (Model Year 2011). On the ECU, some info are written: Keihin 38770-KTY-H52 9042-116092. First of all, Keihin is the manufacturer, it is an electronic components company owned by Honda. The second code should be the product number, and the third is the serial number.
The ECU shown in the picture below is the one that I received from France. After opening the cover, the PCB becomes visible. I made a quick analysis of the components mounted on the PCB. Firs of all, the big integrated circuit with many pins, on the upper right side of the board, is the microcontroller. On the surface, it is written "DF 368 7F ZV H8/368". After searching in Google, I found that this microcontroller is manufactured by Renesas. The datasheet is here: DF3687FPV_microcontroller_datasheet. After cross checking the code written on the surface, and Renesas website, I think that the model should be HD64F3687FPV. I was very surprised, because such microcontroller features are comparable with a standard Arduino Uno, which is equipped with Atmel ATmega328p. The main features of the Renesas microcontroller installed on Honda CBR125R are the following:
- Clock frequency: max 20MHz
- Program memory: 56kB FLASH
- RAM: 4kB
- 16 bits mathematics operation microcontroller
Of course, the amount of functions that it has to perform are not so many, on a 125cc single cylinder engine, but I expected something a bit more powerful. It has some more features if compared to an ATmega328p, for example: instructions can operate on 16 bit instead of 8 bit, and also Renesas microcontroller supports 32 bits operations, and divisions mathematical instructions. But the clock frequency is practically the same (Arduino Uno runs at 16MHz).
On this side, on the low-left side of the PCB, there is also a big transistor ("MN 638 S" written on it). It is the following NPN transistor: Sanken_MN638S_NPN_transistor. It can resist to a voltage up to 380V, and the maximum current rating is 6A. I am not sure 100%, but I think that this transistor is used for the ignition coil primary command, for the spark plug.
The back side looks as below. There is a very big IC, with many pins, and on it it is written "Keihin KT2011SA". I did not find the data-sheet in Google, so I suppose that this is a custom IC which Keihin uses also on other ECUs to manage standard functions, such as crankshaft pulses signals acquisition, voltage regulator for the microcontroller power supply, and so on.
On this side of the PCB, there are also other power components: one PNP transistor (2SA2097_PNP_transistor), on its surface it is written "A 2097", and a N-channel MOSFET (2SK2782_N_MOS), "K 2782" is written on it. These are for sure used for other power functions, such as injector command, fuel pump, 12V protected power supply and so on. By crosschecking with the Honda Service Manual (Honda CBR125R Service Manual), maybe it is possible to make some more assumptions about the purpose of these transistors.
On the PCB, there is also an 8-pins chip, the EEPROM (BR93L56RF_EEPROM). Inside the EEPROM, usually manufacturers store important information, such as the ECU part number, distance run (km), learning data, and so on. Practically, these info are personalized on each vehicle, so they cannot be saved in the FLASH memory.
Some other people tried to perform reverse engineering on this ECU. I found the following pictures on a French forum, however no-one was really able to analyze the details of the functions, neither to extract data from the microcontroller.
For those who were expecting me to hack this ECU, I have to say sorry, I did not do it. The main reason is that it is practically impossible, for a person who does not know anything about this ECU project, to extract useful data from microcontroller FLASH memory. Even if I could extract the data written on the Renesas microcontroller, it would be too hard to try to understand the meaning of each byte. What could be done, theoretically, is to read the content of the EEPROM (it can be done easily since there is no lock), and try to understand the meaning of the bytes, but same as for FLASH memory, this is a very hard work.
Due to the reasons explained above, I think that the best way to "hack" a motorcycle ECU equipped with Fuel Injector (such as this Keihin one for Honda CBR125R) is to do it from outside, as I am doing with Fuelino Project, instead of trying to "penetrate" the microcontroller or the EEPROM. By faking ECU input signals, or control signals (such as the injector command signal) it is possible to act as a "man in the middle" between the Original ECU and the Injector (or any other actuator) and change the behavior of the engine. This approach is less time consuming, and basically valid for many motorcycles, as long as their engine is equipped with an injector.