The bit-rot, bit rot, and bitrot thread

Flash memory is used in all the Prius ECUs. Flash memory stores the data as a 'voltage' in a specific set of transistors (or, at least a specific set of components). Each memory 'bit' is stored in a certain way. Flash memory uses a stored charge to 'encode' the value. This means that each 'bit' is, essentially, encoded as a stored voltage on a capacitor. Flash memory uses similar technology to normal capacitors - the difference is that there is no 'drain'. A USB flash stick, a solid-state drive, and a car ECU, all use voltages, stored as charges, to encode the information they store.

The Prius ECUs (and basically almost (or all) car ECUs from the early 2000s onward) use flash memory to store the 'ROM' data that the ECU uses to 'run'. Older ECUs used 'masked ROM' which was 'hard-coded' ROM, which was cheaper in mass production, but which could *not* be modified, ever, as it was 'hard-coded'.

At the current time, all Prius ECUs are likely immune from bit-rot. The time to 'decay' is 10-20 years; this is a per-bit decay (I think), but the error-correcting mechanisms cover for this.

Whatever is true, the Toyota Prius ECUs will all, eventually, have the 'flash RAM capacitors' discharge, and the program code in the ECU will be gone; the car will then be useless. This makes no difference in the current disposable society, but older cars (e.g. Ford Model T) still exist, but if it had somehow had an 'ECU', almost all the ECUs would have failed.

Any thoughts on this? The obvious answer is that most cars are thrown away before 20 years, so it is OK that 'bit rot' will destroy the ECUs after they would have been thrown away. If someone wanted to keep a classic car, e.g. a classic Prius when all cars are BEVs, this might actually become an issue. Most care manufacturers protect their code, and Toyota protect their code, possibly more than some other car manufacturers. It would be a shame if the code in our ECUs 'fades away', given that the binaries are hidden by the manufacturer.

NZ : 2008 Prius NWH20, 2003 Insight Manual, 2003 Honda CT110
NZ : Nissan 200SX Turbo (factory), Bluebird Turbo U11 pillarless, UK import T72 Bluebird Turbo
NZ : Nissan Leaf (72% SoH)
UK : Prius 2003 NWH11, Nissan 200SX Turbo (factory), T72 Bluebird Turbo

 

The ECU flash memories are among the longest lived type; normal consumer-grade items such as SSDs are usually less resilient. The degradation worsens with temperature, so cars with ECUs under the engine bay are at more risk. We are lucky in the way (although, depending on the heat output of the microcontroller, it would be definition heat up the on-chip flash, likely not by much, though.

I do agree I am overthinking this (however, I am on leave, so I am allowed to!) . However, it is an issue and I just found a very interesting thread where people are wanting to keep their calculators going;

shelf life time of a ROM, EEPROM, EPROM vs Mask Rom

For car ECUs, the solution will likely be a totally new replacement ECU (or set of ECUs). For the Prius, the battery ECU isn't really needed, as it could be replaced with discrete parts, doing, for example:
- (a simple circuit that puts on a warning light if the battery gets hot, and disconnects the battery if it gets even hotter)
- Leave the fan at '6' all the time, or maybe leave it at '3' all the time, with a thermistor to get to 'max' if it gets to a certain temp
- Testing block voltages would be the main issue, but is not vital if the battery is known to be 'good'. (not vital in the short term).

The engine computer can be replaced with an off-the-shelf one, with the CAN-bus communications being the complicating factor.

The ECU that controls the hybrid synergy drive would be the main problem in the long term, as it is very proprietary, and very locked-down.

For what it is worth, Toyota have set up their ECUs so that, in order to re-flash them, the ECU first has to be sent a password, and it has to send a reply that it 'accepts' the password. That password is based upon the firmware currently on the ECU (no-one has any idea how that password is made), and without that password, the firmware can't be upgraded, as the ECU simply won't allow reprogramming to occur.

By the time Priuses (and all cars) start dying, most car manufacturers won't support them anymore, so they may not have to find a solution. Third party enthusiasts will likely find a way, however, which will be good, because if Toyota keep a set of ECU reprogrammers for classic cars, the flash RAM on those could also 'die'.

While 'bit rot' can refer to flash memory, it can also refer to general deterioration of all storage media (and hard drives, CD-ROMs and so on all have the same problem). Even if files are preserved, the means to decode and make meaningful use of them can be lost (the BBC did the 'Domesday Project' in the mid-80s in the UK) - BBC Domesday Project - Wikipedia - and the system used a modified BBC micro with a specially made laserdisc player, secondary processor. The systems were distributed, and the data was almost lost. It took work between US and UK universities and reverse engineering and emulation to save the data.

EDIT : I could summarise most of the above with the a single word : 'Entropy'!

Anyway I will enjoy my Prius, which got the 1-year roadworthiness check for $40US (approx) including repairs yesterday; and do some more reverse engineering!

 

So I won't post much more on this topic (for now) until I come across the first automotive issues due to this, which may be a while (most manufacturers will say 'your ECU has failed', and due to the random nature of bit-rot, the scrapyard ECU may work fine for many more years. Some ECUs, like the ones in our Prius, require a working Flash to program (by the dealer, but I shall be experimenting with the JTAG port which I hope will give direct access to the Flash)

However, if you see this, I note your signature says 'have the trouble codes read, *after* checking the 12v health'; the Nissan Leaf brake failure issue that is starting to emerge seems to be due to - random 12v issues. The Leaf charges to 12v to about 13 volts, but is programmed to stop at that point, and stops charging it completely until the next start. Which is concerning as there seems to be an emerging pattern where the 12v is often weak after brake failure event!

 

I am hoping that the raw binary data can be read, as there are no binaries (or .CUW files) for the battery ECU, and that is the one I want to do some modifications to; I have ordered some JTAG connectors and will see whether Toyota have locked it down or not. I would expect anyone to lock it down but there are binaries out there that suggest people have read Toyota ECUs, which is promising.

If the binary is read, it can be written back via JTAG (unless there are restrictions; programming the ECU via the official CAN method is very locked-down, but if it can be written via JTAG it would be very good, because it would also mean it would be possible to attempt to modify the ROM without fear of permanently bricking the ECU.

If JTAG works, then it shouldn't be an issue in the longer term (as long as the JTAG protocol exists, so that you can buy new tools, given that many tools will have Flash firmware too). Then again, everything has flash firmware these days; laptop BIOS, all the peripherals in the laptop, and so on. I have found so many older computers to just 'die' even when stored indoors; I put it down to metal whiskers (given the furry whiskers that had grown all over tin plated connectors on my old 2002 PC when I dug it out), but in the longer term, many things with flash will be problematic (such as hard drives, unless steps are taken to re-flash them, somehow, every decade or so).

Apple have done it right in a way; the iPhone has a 'mask-ROM' type bootloader for the earliest boot stage. The mask-ROM bootloader then boots from Flash, but also it has enough functionality to allow the the Flash RAM to be reprogrammed, so even if an iPhone was to suffer bit rot in a few decades, you could probably get it working again!
-> The problem here would be if Apple were to, for some reason, go bankrupt (unlikely at this time but who knows what the future holds?). With every restore, the iPhone has to 'validate' the chosen ROM with the central Apple server using currently unbreakable encryption. If the Apple 'signing server' became unavailable, iPhones could never be upgraded or reset, and once they were, would be permanently bricked. But that is a topic for a whole other thread (on a different forum)