CRC's..Checksums.. Reverse Engineering!

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
Site Admin
User avatar
Posts: 6507
Joined: Sat Feb 28, 2009 8:34 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby antus » Fri Nov 21, 2014 1:40 pm

Yeah its 68k. I'd say treat it the same as the LS1 cpu unless we find out otherwise. Vectors look the same.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

User avatar
Posts: 2330
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: CRC's..Checksums.. Reverse Engineering!

Postby Tazzi » Fri Nov 21, 2014 2:05 pm

antus wrote:Yeah its 68k. I'd say treat it the same as the LS1 cpu unless we find out otherwise. Vectors look the same.

slewinson wrote:Looks like MPC555 is PowerPC.


Well I did some poking around in IDA.. and after just literally 3 or 4 hits at converting to code.. It suddley mapped out over 1600 sub routines :o

Soo its not the exact "load from entry point", but, could have stumbled upon something

disassembly.PNG
disassembly.PNG (54.05 KiB) Viewed 5538 times
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

User avatar
Posts: 10075
Joined: Sat Feb 28, 2009 9:05 pm
Location: Tenambit, NSW

Re: CRC's..Checksums.. Reverse Engineering!

Postby Holden202T » Sat Nov 22, 2014 8:24 am

nice, heres hoping!

Site Admin
User avatar
Posts: 6507
Joined: Sat Feb 28, 2009 8:34 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby antus » Sat Nov 22, 2014 8:33 am

Yeah, I reckon your on to a winner there. Disasm as PowerPC/MPC555 looks a lot better.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Site Admin
User avatar
Posts: 6507
Joined: Sat Feb 28, 2009 8:34 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby antus » Sat Nov 22, 2014 8:49 am

Im not saying it is for sure one of these, but it would have to be a likely. Right manufacturer, comes from the right era (i think, from a quick skim?), has can bus on board etc..

Knowing GM its also possibly custom, and some specs might be tweaked. Wether its 100% right or now its still probably a good reference to work from as a starting point.

MPC5554: Qorivva 32-bit MCU for Powertrain Applications

http://www.freescale.com/webapp/sps/sit ... 4&lang_cd=

MPC5554_BDTN.jpg
MPC5554_BDTN.jpg (52.2 KiB) Viewed 5514 times


The MPC5554 is the first member of a family of next Table of Contents
generation microcontrollers based on the PowerPC
Book E architecture that enhances the PowerPC
architecture’s fit in embedded applications. It is 100%
user mode compatible (with floating point library) with
the classic PowerPC instruction set. This document
provides an overview of the MPC5554 microcontroller
features, including the major functional components.
The MPC5554 device’s on-chip modules include the
following:
• Single issue, 32-bit PowerPC Book E-compliant
e200z6 CPU core complex
• 64-channel enhanced direct memory access
controller (eDMA)
• Interrupt controller (INTC) capable of handling
286 selectable-priority interrupt sources
• Frequency modulated phase-locked loop
(FMPLL)
• External bus interface (EBI) with error
correction status module (ECSM)
• System integration unit (SIU)
1 Block Diagram .....................................................3
2 Features ..............................................................4
MPC5554 Microcontroller
Product Brief
MPC5554 Microcontroller Product Brief, Rev. 2.2
2 Freescale Semiconductor
• 2 Mbytes on-chip Flash with Flash bus interface unit (FBIU)
• 64 Kbytes on-chip static RAM
• Boot assist module (BAM)
• 24-channel enhanced modular I/O system (eMIOS)
• 2 enhanced time processor unit (eTPU) engines. Each eTPU engine controls 32 hardware
channels.
• Enhanced queued analog-to-digital converter (eQADC)
• 4 deserial serial peripheral interface (DSPI) modules
• 2 enhanced serial communication interface (eSCI) modules
• 3 controller area network (FlexCAN) modules
• Nexus development interface (NDI) per IEEE-ISTO 5001-2003 standard
• Device/board test support per Joint Test Action Group (JTAG) of IEEE (IEEE 1149.1)


2 Features
This section provides a high-level description of the major features of the MPC5554.
• High performance e200z6 core processor
— 32-bit PowerPC Book E compliant CPU
— 32 64-bit general-purpose registers (GPRs)
— Memory management unit (MMU) with 32-entry, fully-associative translation look-aside
buffer (TLB)
— Branch processing unit
— Fully pipelined load/store unit
— 32-Kbyte unified cache with line locking
– 8-way set associative
– 2 32-bit fetches per clock
– 8-entry store buffer
– Way locking
– Supports assigning cache as instruction or data only on a per way basis
– Supports tag and data parity
— Vectored interrupt support
— Interrupt latency < 70 ns @132MHz (measured from interrupt request to execution of first
instruction of interrupt exception handler)
— Reservation instructions for implementing read-modify-write constructs (internal SRAM and
Flash)
— Signal processing engine (SPE) auxiliary processing unit (APU) operating on 64-bit GPRs
— Floating point
– IEEE 754 compatible with software wrapper
– Single precision in hardware and double precision with software library
– Conversion instructions between single precision floating point and fixed point
— Long cycle time instructions, except for guarded loads, do not increase interrupt latency in the
MPC5554. To reduce latency, long cycle time instructions are aborted upon interrupt requests.
— Extensive system development support through Nexus debug module
• Crossbar switch (XBAR)
— 3 master ports; 5 slave ports
— 32-bit address bus; 64-bit data bus
— Simultaneous accesses from different masters to different slaves (there is no clock penalty
when a parked master accesses a slave)
Features
MPC5554 Microcontroller Product Brief, Rev. 2.2
Freescale Semiconductor 5
• Enhanced direct memory access (eDMA) controller
— 64 channels support independent 8-, 16-, 32-, or 64-bit single value or block transfers
— Supports variable sized queues and circular queues
— Source and destination address registers are independently configured to post-increment or
remain constant
— Each transfer is initiated by a peripheral, CPU, or eDMA channel request
— Each eDMA channel can optionally send an interrupt request to the CPU on completion of a
single value or block transfer
• Interrupt controller (INTC)
— 308 total interrupt vectors
– 278 peripheral interrupt requests
– plus 8 software setable sources
– plus 22 reserved interrupts
— Unique 9-bit vector per interrupt source
— 16 priority levels with fixed hardware arbitration within priority levels for each interrupt
source
— Priority elevation for shared resources
• Frequency modulated phase-locked loop (FMPLL)
— Input clock frequency from 8 MHz to 20 MHz
— Current controlled oscillator (ICO) range from 50 MHz to maximum device frequency
— Reduced frequency divider (RFD) for reduced frequency operation without re-lock
— 4 selectable modes of operation
— Programmable frequency modulation
— Lock detect circuitry continuously monitors lock status
— Loss of clock (LOC) detection for reference and feedback clocks
— Self-clocked mode (SCM) operation
— On-chip loop filter (reduces number of external components required)
— Engineering clock output
• External bus interface (EBI)
— 1.8V–3.3V I/O nominal I/O voltage
— Memory controller with support for various memory types
— 32-bit data bus and 24-bit address bus with transfer size indication
— Selectable drive strength
— Configurable bus speed modes
— Support for external master accesses to internal addresses
— Burst support
MPC5554 Microcontroller Product Brief, Rev. 2.2
Features
6 Freescale Semiconductor
— Bus monitor
— Chip selects: 4 chip select (CS[0:3]) signals
— Configurable wait states
• System integration unit (SIU)
— Centralized GPIO control of 214 I/O and bus pins
— Centralized pad control on a per-pin basis
— System reset monitoring and generation
— External interrupt inputs, filtering, and control
• Error correction status module (ECSM)
— Configurable error-correcting codes (ECC) reporting for internal SRAM and Flash memories
• On-chip Flash
— 2 Mbytes burst Flash memory
— 256K × 64 bit configuration
— Censorship protection scheme to prevent Flash content visibility
— Hardware read-while-write feature that allows blocks to be erased/programmed while other
blocks are being read (used for EEPROM emulation and data calibration)
— 20 blocks, ranging from 16 Kbytes to 128 Kbytes, to support features such as boot block,
operating system block, and EEPROM emulation
— Read while write with multiple partitions
— Parallel programming mode to support rapid end of line programming
— Hardware programming state machine
• Configurable cache memory, 32-Kbyte
— 8-way set-associative, unified (instruction and data) cache
• On-chip, internal static RAM (SRAM)
— 64-Kbyte general-purpose RAM; 32 Kbytes on standby power
— ECC performs single bit correction, double bit error detection
• Boot assist module (BAM)
— Enables and manages the transition of MCU from reset to user code execution in the
following configurations:
– User application can boot from internal or external Flash memory
– Download and execution of code via FlexCAN or eSCI
• Enhanced modular I/O system (eMIOS)
— 24 orthogonal channels with double action, PWM, and modulus counter functionality
— Supports all DASM and PWM modes of MIOS14 (MPC5xx)
— 4 selectable time bases plus shared time or angle counter bus
— DMA and interrupt request support
Features
MPC5554 Microcontroller Product Brief, Rev. 2.2
Freescale Semiconductor 7
— Motor control capability
• Enhanced time processor unit (eTPU)
— MPC5554 has 2 eTPU engines
— Each eTPU engine is an event-triggered timer subsystem
— High level assembler/compiler
— 32 channels per engine
— 24-bit timer resolution
— 16-Kbyte shared code memory
— 3-Kbyte shared data memory
— Variable number of parameters allocatable per channel
— Double match/capture channels
— Angle clock hardware support
— Shared time or angle counter bus for all eTPU and eMIOS modules
— DMA and interrupt request support
— Nexus Class 3 Debug support (with some Class 4 support)
• Enhanced queued analog/digital converter (eQADC)
— 2 independent ADCs with 12-bit A/D resolution
— Common mode conversion range of 0–5V
— 40 single-ended inputs channels, expandable to 65 channels with external multiplexers
— 4 pairs of differential analog input channels.
— 10-bit accuracy at 400 ksamples/s, 8-bit accuracy at 800 ksamples/s
— Supports 6 FIFO queues with fixed priority.
— Queue modes with priority-based preemption; initiated by software command, internal (eTPU
and eMIOS), or external triggers
— DMA and interrupt request support
— Supports all functional modes from QADC (MPC5xx family)
• 4 Deserial serial peripheral interface modules (DSPI)
— Serial peripheral interface (SPI)
– Full duplex communication ports with interrupt and eDMA request support
– Supports all functional modes from QSPI submodule of QSMCM (MPC5xx family)
– Support for queues in RAM
– 6 chip selects, expandable to 64 with external demultiplexers
– Programmable frame size, baud rate, clock delay, and clock phase on a per frame basis
– Modified SPI mode for interfacing to peripherals with longer setup time requirements
— Deserial serial interface (DSI)
– Pin reduction by hardware serialization and deserialization of eTPU and eMIOS channels
MPC5554 Microcontroller Product Brief, Rev. 2.2
Features
8 Freescale Semiconductor
– Chaining of DSI submodules
– Triggered transfer control and change in data transfer control (for reduced EMI)
• 2 enhanced serial communication interface (eSCI) modules
— UART mode provides NRZ format and half or full duplex interface
— eSCI bit rate up to 1 Mbps
— Advanced error detection, and optional parity generation and detection
— Word length programmable as 8 or 9 bits
— Separately enabled transmitter and receiver
— LIN Support
— DMA support
— Interrupt request support
• 3 FlexCANs
— 64 message buffers each
— Full implementation of the CAN protocol specification, Version 2.0B
— Based on and including all existing features of the Freescale TouCAN module
— Programmable acceptance filters
— Short latency time for high priority transmit messages
— Arbitration scheme according to message ID or message buffer number
— Listen only mode capabilities
— Programmable clock source: system clock or oscillator clock
• Nexus development interface (NDI)
— Per IEEE-ISTO 5001-2003
— Real time development support for e200z6 core and eTPU engines through Nexus Class 3
(some Class 4 support)
— Data trace of eDMA accesses
— Read and write access
— Configured via the IEEE 1149.1 (JTAG) port
— High bandwidth mode for fast message transmission
— Reduced bandwidth mode for reduced pin usage
• IEEE 1149.1 JTAG controller (JTAGC)
— IEEE 1149.1-2001 Test Access Port (TAP) interface
— A JCOMP input that provides the ability to share the TAP. Selectable modes of operation
include JTAGC/debug or normal system operation.
— A 5-bit instruction register that supports IEEE 1149.1-2001 defined instructions
— A 5-bit instruction register that supports additional public instructions
— 3 test data registers: bypass, boundary scan, and device identification
Features
MPC5554 Microcontroller Product Brief, Rev. 2.2
Freescale Semiconductor 9
— A TAP controller state machine that controls the operation of the data registers, instruction
register and associated circuitry
• Voltage regulator controller
— Provides a low cost solution to power the core logic. It reduces the number of power supplies
required from the customer power supply chip.
• POR block
— Provides initial reset condition up to the voltage at which pins (RESET) can be read safely. It
does not guarantee the safe operation of the chip at specified minimum operating voltages.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

User avatar
Posts: 2330
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: CRC's..Checksums.. Reverse Engineering!

Postby Tazzi » Sun Nov 23, 2014 2:59 pm

antus wrote:Yeah, I reckon your on to a winner there. Disasm as PowerPC/MPC555 looks a lot better.

I think so too. I dissassmbled with powerPC and seems to be logical with basic interpretation with the appropriate opcode tables. :thumbup:

Seems it was enough for IDA to trace back to a main loop of sorts which mapped out the rest of the sub routines. Pretty damn cool if you ask me :thumbup:
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Site Admin
User avatar
Posts: 6507
Joined: Sat Feb 28, 2009 8:34 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby antus » Sun Nov 23, 2014 5:25 pm

Yeah, easier than 68k where the OS tends to loads the jump address to a register, then jump to that register. IDA doesnt follow jumps set up like that out the box which makes disasm a PITA. You need to write some code in idc or python to look and follow them.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Site Admin
User avatar
Posts: 6507
Joined: Sat Feb 28, 2009 8:34 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby antus » Sun Nov 23, 2014 11:35 pm

Have been trying to work out the vectors.. lots of 60 00 00 00 and 48 00 xx xx type addresses. I wondered if the flash was not mapped to 0x0000000 but it turns out its not like 68k or hc11 where vectors are a list of addresses instead those bytes are just exectued. 60 00 00 00 is a nop (no operation, blank vector) and 48 00 xx xx is a branch to the code to handle that situation. So hitting 'c' for code on each vector finds all the executable code as the branches are followed to the landing addresses. Reset vector is at 0x100.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

User avatar
Posts: 2330
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: CRC's..Checksums.. Reverse Engineering!

Postby Tazzi » Mon Nov 24, 2014 2:08 am

antus wrote:Have been trying to work out the vectors.. lots of 60 00 00 00 and 48 00 xx xx type addresses. I wondered if the flash was not mapped to 0x0000000 but it turns out its not like 68k or hc11 where vectors are a list of addresses instead those bytes are just exectued. 60 00 00 00 is a nop (no operation, blank vector) and 48 00 xx xx is a branch to the code to handle that situation. So hitting 'c' for code on each vector finds all the executable code as the branches are followed to the landing addresses. Reset vector is at 0x100.


Yeah, well IDA seems to think so and the branches seem to be logical :thumbup:

Its well sorted enough that "graph view" can be used to see an overview which is pretty handy!
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 20
Joined: Thu Jan 16, 2014 12:41 pm

Re: CRC's..Checksums.. Reverse Engineering!

Postby 04colyZQ8 » Sat Mar 18, 2017 4:05 pm

antus wrote:Ok. The CVN is a CRC16, and the sum is a 16 bit 2s compliment. When calculating the data you need to update the CVN first, as it IS included in the sum. The CVN is not a derivative of the sum (or directly vice versa).

Makes sense really as the scan tools (or PCs) can verify the CVN after reading the bin for warranty test purposes (that's why its in there), but the PCM only needs to do the sum which is quicker in an embedded system like a pcm. CRC can be accellerated with a lookup table, but they are probably looking at it from a space savings angle in the pcm, and its not really needed anyway.

Next steps, figure out how to ID each segment type, handle disabled sums and segments, handle differing numbers of segments, and add partnumber/ID strings.

Also, put this login in to a TP checksum plugin. Probably merge the delco checksum plugin, ls1 checksum plugin, and e38 checksumtool in to one TP5 checksum plugin.

Whos keen to help work on XDFs?


I'm trying to figure out how the checksums are calculated, so I can calculate GM BCM checksums. But I'm first trying to understand how you got the E38 fireguard out? If I pull the speedo segment and save it, as bin, and view in hxd hex editor, I select the segment minus the first two bytes and click analyse CRC-16 checksums I don't get anything close t the CVN or calculated sum? I read all pages of this thread, yet I'm still confused how its calculated? Can anyone help me?

PreviousNext

Return to Engineering and Reverse Engineering

Who is online

Users browsing this forum: No registered users and 7 guests