GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

it will be due to being a custom OS.

It is responding which is a positive so it will probably proceed through assuming the seed/key isnt messed up (Which probably is).

I will be working on the software today so will update that OS ID into the supported list, see if its able to read and write it.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Highlander »

julespatch wrote:Morning peeps.
I've got one that I couldn't bring back to life. I tried everything I have in my power, SPS paid, SPS Global32, HP, EFI life and the Tazzi tool. EFI could change the vin number but that's as far as it would get.
The OS is a HP custom one i think.
If I've missed something let me know cos I'm pretty sure I bought this one back to life last week - I dont think it was this sick though :)

[07:26:38:941] Checking if kernel already running
[07:26:38:955] Kernel not running
[07:26:38:955] Requesting VIN..
[07:26:38:973] VIN is: 6G1EX55W49L330033
[07:26:38:975] Requesting Serial..
[07:26:38:992] Serial is:
[07:26:39:005] Requesting OS..
[07:26:39:011] Operating System: 1250228
[07:26:39:012] Unknown ECU Connected, Please manually select ECU from Identify dropdown box.
[07:27:13:507] Checking if kernel already running
[07:27:13:517] Kernel not running
[07:27:13:518] Requesting VIN..
[07:27:13:535] VIN is: 6G1EX55W49L330033
[07:27:13:537] Requesting Serial..
[07:27:13:554] Serial is:
[07:27:13:556] Requesting OS..
[07:27:13:560] Operating System: 1250228
[07:27:13:562] Unknown ECU Connected, Please manually select ECU from Identify dropdown box.
[07:27:49:689] Opened file: C:\Users\jd\Desktop\E38 2010.bin
[07:28:03:515] Checking if kernel already running
[07:28:03:804] Kernel not running
[07:28:03:810] Operating System: 1250228
[07:28:03:811] Unsupported Operating System currently on ECU or does not match loaded file ECU type. Write routine cancelled (No programming has occurred).
[07:28:17:428] Checking if kernel already running
[07:28:17:716] Kernel not running
[07:28:17:722] Operating System: 1250228
[07:28:17:724] Unsupported Operating System currently on ECU or does not match loaded file ECU type. Write routine cancelled (No programming has occurred).
if os is incompatible with cal you will need to flash the full os from whatever you want to use to wipe. I've had some controllers be on a seed loop where they reply that they are not ready to send out the seed. so .. in essence dead.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Slightly unrelated but kinda is related too.

I had to program another key to my bench setup, and decided refresh my memory on the commands for key programming.
What I have found interesting, is it is a MUST to know the immobilizer code to be able to program a new key. After the 10min delay, you can send a command to request learning new keys and then follow required procedure from there for each additional key.

What intrigues me, is the immo code cannot be read from the BCM through normal requests. So it makes me wonder how some aftermarket tools are doing it?
My only thought is a custom kernel to dump the memory, get the immo and then finally use to write keys? I mean, the level of complexity seems quite extreme. Typically these places have bought the diagnostic information and just copying it into their tool.

Same goes for security linking another ECM. The ECMs original immo code and also new immo codes must be known to be able to reset and write the new one. This basically restricts ones access to using SPS to do it.

The next issue is if the VIN of the module has been changed and immo has not, SPS is unable to then code keys or even change the immo :shock:
So.. heres the kicker! What does the dealership have to say about modules like that??? Replace it.... :lol:

How does one then get a Immo?
On pre-Global A, you can call a dealership and request the information.
But on Global A and newer, its not on their vehicle security information lookups.

So wheres that leave us?
Brute... fucking... force. :lol:
Just like seed/key, you can attempt immos every x amount of time until its accepted. It takes alot of time, and then still has the timeout delay, but is better then replacing a perfectly good module.

I know for our Holdens here, if you dont do a prepare for removal first before trying to write a different vehicle cal/vin, your basically shit out of luck when it comes to security linking :roll:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Gatecrasher »

I've been lurking and watching this for a while. I'm super excited about it. I'm trying to put together a Global A bench setup that's a carbon copy of my car. I've also got a truck that needs a speedometer correction, and I don't fancy paying several hundred dollars to change a couple bytes of code.

Regarding the Global A BCMs...I know it's not as elegant as an OBD-only solution, but is there any other reason you can't just open the module and dump the EEPROM? The immo pin is right there in plain ASCII.
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by julespatch »

As long as you load some software into new BCMs you can clone or swap the eeprom. No need to relink with any codes, just start the car. If it's a second hand part don't even worry about SPS. I try not to be a tightass with new ones though, just spend the $60.
The immo code is also stored in the Bosch VE V6 ECM eeprom if you can't get it from your local dealer.
There's ways around the Global A system - it might just cost a couple of subscriptions
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Gatecrasher wrote:I've been lurking and watching this for a while. I'm super excited about it. I'm trying to put together a Global A bench setup that's a carbon copy of my car. I've also got a truck that needs a speedometer correction, and I don't fancy paying several hundred dollars to change a couple bytes of code.

Regarding the Global A BCMs...I know it's not as elegant as an OBD-only solution, but is there any other reason you can't just open the module and dump the EEPROM? The immo pin is right there in plain ASCII.
Not all modules have EEproms so its not always that simple. :thumbdown:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Gatecrasher »

That's a bummer. I've got BCMs from a 13 ATS, 15 Sonic, and 16 Corvette, and they're all basically identical. I wrongly assumed all the Conti BCMs were set up that way.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Thes Bosche and Conti BCMs. The board layouts between the two are slightly different. :thumbup:

*Edit
Just realised you said 3 different year BCMs... I have just recently gone through the shit storm of how different years and operating systems change. Was a fu***** nightmare getting shit to line up.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Gatecrasher »

Is there somewhere else that you're discussing your BCM work? I don't want to derail this thread.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Gatecrasher wrote:Is there somewhere else that you're discussing your BCM work? I don't want to derail this thread.
Its a bit of a mix-n-mash in this thread.

The BCM work I do isnt posted online for the R&D. I use it commercially, mostly over in U.S for the trucks/Caddys/Corvettes ect.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Post Reply