GM E38 E67 E40 Kernel/Bootloader Development Extravaganza
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Hiya Tazzi,
Man, I'm going off of sheer bad memory here. Doesn't the e40 do vpw AND can? The only other thing I remember is it was super dependent on having over 13v in the car when programming or it would brick during programming, recoverable but bricked EVERY time if I didn't have a charger hooked up. This was a SSR with the battery in the back or hidden somewhere, been a bit.
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Yes it does do VPW and CANbus. But for E40, we only care about canbus for read/writing flash.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Gets weirder. I'm almost certain the CPU is either a custom variant or it's identified incorrectly. The internal registers being changed or edited just don't seem to make sense with what the reference manual shows they are.
I believe along the lines of a FA00+ or abouts seems to be canbus, yet the data sheet is showing F080. Thinking I might need to download every single datasheet I can find and see if any address canbus at around that address maybe.
Things like the watchdog seem to be correct, but this is likely identical throughout the entire chip series. It's really throwing me off to be honest!!!
Would make sense why I have been struggling so hard with getting canbus working... seems I'm not addressing the correct place at all!!
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
*sigh*... yepp... wrong CPU. Basically nutted out most of it working off the wrong data sheet but making assumptions on what the register was, such as BIM and CAN.
Flashchip reading is basically identical to that of the E38/E67. Same command definitions so erasing and flashing will be essentially copy/paste
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
With that now making sense.. we have communication.
Couple things though:
1) some data does need to be shot off to the QSPI line, which appears to be aimed at the slave chip to keep it happy. Without it, master gets reset by slave.
2) I have not had much luck using the free running timers, they roll over too quickly making it hard to calculate time, which will be used for erase routines. I'd rather not use a nop loop.. but I guess if I can accurately work out how many nop loops it takes for 1ms, then I can just pass a variable to the function to generate an accurate delay.
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Tazzi wrote:
> Ok so we have processor: MC68376 (Thanks dustin!)
> and flashchip: am29bl802cb
> Flash is basically the same as that of the E38, so the flash routines to unlock flash etc. should be very very similar.
> Now to take a peek at GM's factory kernel for writing.. this should give the required flash routines used, and any other hidden things needed (But I think it'll be fairly self explanatory??)
> Have not done much 68x assembly, so this is going to be another learning curve.

MC68376 isn't correct, that's not even the correct pin count. It's a 377. It's the same as the Saab t8 uses. Might be worth checking this project out https://github.com/mattiasclaesson/TuningSuites
Last edited by nightjoker7 on Wed Feb 17, 2021 12:06 am, edited 1 time in total.
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
nightjoker7 wrote:
> Tazzi wrote:
> > Ok so we have processor: MC68376 (Thanks dustin!)
> > and flashchip: am29bl802cb
> > Flash is basically the same as that of the E38, so the flash routines to unlock flash etc. should be very very similar.
> > Now to take a peek at GM's factory kernel for writing.. this should give the required flash routines used, and any other hidden things needed (But I think it'll be fairly self explanatory??)
> > Have not done much 68x assembly, so this is going to be another learning curve.
>
> The e40 does not use the MC68376, that's not even the correct pin count. It's a MC68377. It's the same as the Saab t8 uses. Might be worth checking this project out https://github.com/mattiasclaesson/TuningSuites

Spot on, it's not correct, but it is the information I was working off of, as that's what I was indicated.
As more addresses were identified, it made it (clearly) obvious it wasn't correct, so I just opened up every 68k CPU until I found one with a matching register.. which was the 377.
Cheers for the suggestion! If I get stuck, might be something to check out, but I am successfully sending and receiving CAN frames now, and pulled the first 8 bytes of flash memory yesterday so we are almost there
Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz
Am surprised how small the kernel is so far for reading. It's actually quite small in comparison to the E38.
It'll obviously increase after implementing write, but it shouldn't be too much. Basically just the erase function, write data chunks and finally a verify function. Preferred if could be done with a CRC although not sure if I can work that out in Motorola assembly.. maybe could use easy68k to write in C and compile it.. then extract the assembly from that.. hmm.
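
The CRC-based verify step mentioned in the post above, sketched in C as an added example (not code from the thread or from any kernel discussed in it): a table-free CRC-32 fed chunk by chunk and compared with a value computed on the host side. The choice of CRC-32 with the reflected polynomial 0xEDB88320, the function names and the sample data are assumptions; the thread does not say which CRC would be used.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: CRC-32 with reflected polynomial 0xEDB88320 (zlib/Ethernet).
   The thread does not say which CRC the kernel would use. */
#define CRC32_POLY 0xEDB88320u

/* Fold one chunk into the running CRC. Bitwise, no lookup table, so it
   needs no RAM for a table and compiles to a short loop on a small target. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len)
{
    while (len--) {
        crc ^= *data++;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (CRC32_POLY & ((uint32_t)0 - (crc & 1u)));
    }
    return crc;
}

/* Hypothetical verify step: CRC a written region in chunk_len pieces (as a
   kernel reading flash back would) and compare with the CRC the host
   computed over the image. Returns 1 on match, 0 on mismatch. */
static int verify_region(const uint8_t *region, size_t len, size_t chunk_len,
                         uint32_t expected_crc)
{
    uint32_t crc = 0xFFFFFFFFu;          /* standard initial value */
    if (chunk_len == 0)
        return 0;
    while (len > 0) {
        size_t n = len < chunk_len ? len : chunk_len;
        crc = crc32_update(crc, region, n);
        region += n;
        len -= n;
    }
    return (crc ^ 0xFFFFFFFFu) == expected_crc;   /* final XOR, then compare */
}

int main(void)
{
    /* Constructed sample: the standard CRC check string, not ECU data. */
    static const uint8_t image[] = "123456789";
    return verify_region(image, 9, 4, 0xCBF43926u) ? 0 : 1;
}
```

Because the running CRC is carried between calls, the result does not depend on the chunk size, so the host can compute it over the whole image while the target folds in one block at a time.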
Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz
Could I please get a license for your program? I would really like to check it out.
Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz
nightjoker7 wrote:
> Could I please get a license for your program? I would really like to check it out.

Not requiring any more testers at this time. Thanks for the interest.