GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Posts: 3112
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Tazzi » Mon Jan 16, 2023 8:56 pm

Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?


LY7, as in the VZ V6 Engines? Those use an E55 ECU, not an E67 ECU.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 157
Joined: Fri Aug 25, 2017 5:28 pm
Location: Adelaide

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby julespatch » Tue Jan 17, 2023 10:25 pm

Tazzi wrote:
Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?


LY7, as in the VZ V6 Engines? Those use an E55 ECU, not an E67 ECU.


Also the E77 in the VE.

Posts: 9
Joined: Thu May 26, 2016 4:45 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby crystal_imprezav » Tue Jan 24, 2023 5:10 am

Tazzi wrote:
crystal_imprezav wrote:I am always working with the ECU unlocked, it is also patched. $34/$36 work fine. $35 NRC 0x11. Everything in the flash itself that I have tested I get a NRC 0x31. Only things readable are parts of the RAM.

Unless it has something to do with the patch, which is highly unlikely (this is not an HP patch), I don't see an original giving more access. That being said, I will run the same tests on an E99(s) but I am thinking that may be locked down more, but who knows. On a t87a, it's not an issue, you can read/write whatever you want.


If it was used as an exploit to get in, then (personally) I would have patched it up. But this all depends how far someone goes to do this stuff.

*Edit
I believe the E88, E90 and E99 all use the same bootloader from what I have just looked at. At least the labelling for the loader has this labeling, so I'd assume this would be the case. Whether or not every single one can have the loader ripped is an uncertainty right now, but it's a good 200+kb so it's a LOT of decompiling ahead.


after more testing it seems like the MPC5777 ECUs E88/E90/E99 etc. are open to many areas but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.
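As an added illustration (not code from anyone in this thread), a small Python decoder for UDS (ISO 14229) request/response pairs, so probe results like the ones reported above ($34/$36 accepted, $35 answered with NRC 0x11, flash reads answered with NRC 0x31, RAM reads succeeding) can be logged and summarised consistently per service. It assumes the memory reads are $23 ReadMemoryByAddress; the sample log bytes and addresses are constructed.

```python
# UDS (ISO 14229) request/response decoder for summarising ECU probe logs.
# Added example; the log below is constructed, not a real capture, and treating
# the memory reads as $23 ReadMemoryByAddress is an assumption.

SERVICE_NAMES = {0x23: "ReadMemoryByAddress", 0x27: "SecurityAccess",
                 0x34: "RequestDownload", 0x35: "RequestUpload",
                 0x36: "TransferData"}
# Negative response codes as named in ISO 14229-1
NRC_NAMES = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
             0x31: "requestOutOfRange", 0x33: "securityAccessDenied"}


def decode_response(request: bytes, response: bytes) -> dict:
    """Classify one pair: positive = SID + 0x40 echoed; negative = 0x7F, SID, NRC."""
    sid = request[0]
    name = SERVICE_NAMES.get(sid, f"0x{sid:02X}")
    if response[0] == 0x7F:
        # a negative response must name the service it refuses
        if len(response) < 3 or response[1] != sid:
            return {"service": name, "ok": False, "note": "malformed negative response"}
        nrc = response[2]
        return {"service": name, "ok": False, "nrc": nrc,
                "note": NRC_NAMES.get(nrc, f"unknown NRC 0x{nrc:02X}")}
    if response[0] == sid + 0x40:
        return {"service": name, "ok": True, "note": "positive response"}
    return {"service": name, "ok": False, "note": "unexpected response SID"}


def access_summary(log):
    """Group outcomes by service so a session's access picture is explicit."""
    summary = {}
    for req, resp in log:
        d = decode_response(req, resp)
        summary.setdefault(d["service"], []).append(d["note"])
    return summary


# Constructed log mirroring the results reported above: $34/$36 accepted,
# $35 refused with NRC 0x11, a flash-range read refused with NRC 0x31 while a
# RAM-range read succeeds. Addresses are placeholders, not a real ECU map.
SAMPLE_LOG = [
    (bytes([0x34, 0x00, 0x44, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00]),
     bytes([0x74, 0x20, 0x0F, 0xFF])),
    (bytes([0x36, 0x01]) + bytes(8), bytes([0x76, 0x01])),
    (bytes([0x35, 0x00, 0x44, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00]),
     bytes([0x7F, 0x35, 0x11])),
    (bytes([0x23, 0x44, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40]),
     bytes([0x7F, 0x23, 0x31])),
    (bytes([0x23, 0x44, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40]),
     bytes([0x63]) + bytes(0x40)),
]
```

Running `access_summary(SAMPLE_LOG)` gives one entry per service, which makes it easy to compare what a given unlock level actually granted across sessions or modules.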

Posts: 3112
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Tazzi » Tue Jan 24, 2023 12:00 pm

crystal_imprezav wrote:after more testing seems like the mpc5777 ecu's e88/e90/e99 etc are open to many areas but the e41 is for what ever reason more locked down and you can only read a very limited sector in ram.


Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineers' option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.

Posts: 149
Joined: Sat Apr 25, 2020 6:09 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Gatecrasher » Wed Jan 25, 2023 3:51 am

Have you seen this? It's the first concise write up I've seen concerning the security in the E99. I'd only seen bits and pieces scattered around whitepapers, industry presentations, etc.

https://www.tapouttuning.com/frequently ... blackwing/

Click on "Why can't Blackwings be tuned the same way we tune ATS-Vs?"

Posts: 9
Joined: Thu May 26, 2016 4:45 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby crystal_imprezav » Wed Jan 25, 2023 5:22 am

Tazzi wrote:
crystal_imprezav wrote:after more testing it seems like the MPC5777 ECUs E88/E90/E99 etc. are open to many areas but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.


Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineers' option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.


I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything so far that I have tested.

Posts: 80
Joined: Sun May 11, 2014 6:36 pm

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Highlander » Wed Jan 25, 2023 5:28 am

crystal_imprezav wrote:
Tazzi wrote:
crystal_imprezav wrote:after more testing it seems like the MPC5777 ECUs E88/E90/E99 etc. are open to many areas but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.


Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineers' option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.


I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything so far that I have tested.

This is what I keep telling people.

Posts: 3112
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Tazzi » Wed Jan 25, 2023 2:03 pm

crystal_imprezav wrote:I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything so far that I have tested.

Originally you said that the boot image can't even be read, yet.. it can in specific modules.

It's all about thinking outside the box. Just assuming it doesn't work doesn't help. 27 03 provides higher-level access since it allows actually writing in seed/key values, serials etc. This in itself indicates higher-level access as it is writing security/secured memory areas which are typically locked. This does not mean it's the only capability it has.
What's to stop this from allowing tampering with other sections? Do you have proof of unlocking with mode 27 03 and messing with these sections?

None of the above is a dig at you. I just hear it time and time again that "It can't be done" for many things I work on, yet... they can.... simply because people haven't tried all options or just assume it won't work.

Posts: 3
Joined: Thu May 05, 2022 8:24 pm
Location: Maffra, Vic

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby Knackersjewels » Sun Jan 29, 2023 8:05 am

Tazzi wrote:
Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?


LY7, as in the VZ V6 Engines? Those use an E55 ECU, not an E67 ECU.


2007-2008 GMC Acadia were LY7 using an E67

Posts: 1
Joined: Fri Dec 30, 2022 6:19 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Postby muscleup » Tue Jan 31, 2023 11:19 pm

These two documents are of importance

Using the Cryptographic Service Engine (CSE) - NXP Semiconductors
https://www.nxp.com/docs/en/application-note/AN4234.pdf
https://www.nxp.com/docs/en/application-note/AN4235.pdf

RAppID Boot Loader Utility can interface with the MPCs; you have to find the right files though. In that CSE PDF it details multiple different ways of resetting/erasing to clear keys etc. I'm pretty sure, looking over the SPS bins, that the first part of the code gets executed by the security module, then resets to a determined mode, which allows certain read privileges depending on cases.
