GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.

Post by In-Tech »

Hiya Tazzi,
Man, I'm going off of sheer bad memory here. Doesn't the e40 do vpw AND can? The only other thing I remember is it was super dependent on having over 13v in the car when programming or it would brick during programming, recoverable but bricked EVERY time if I didn't have a charger hooked up. This was a SSR with the battery in the back or hidden somewhere, been a bit.

Post by Tazzi »

Yes it does do VPW and CANbus. But for E40, we only care about canbus for read/writing flash. :)
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by Tazzi »

Gets weirder. I'm almost certain the CPU is either a custom variant or it's identified incorrectly. The internal registers being changed or edited just don't seem to make sense with what the reference manual shows they are.
I believe along the lines of a FA00+ or abouts seems to be canbus, yet the data sheet is showing F080. Thinking I might need to download every single datasheet I can find and see if any address canbus at around that address maybe.

Things like the watchdog seem to be correct, but this is likely identical throughout the entire chip series. It's really throwing me off to be honest!!!

Would make sense why I have been struggling so hard with getting canbus working... seems I'm not addressing the correct place at all!! :lol: :roll:

Post by Tazzi »

*sigh*... yepp... wrong CPU. Basically nutted out most of it working off the wrong data sheet but making assumptions on what the register was, such as BIM and CAN.
Flashchip reading is basically identical to that of the E38/E67. Same command definitions, so erasing and flashing will be essentially copy/paste.

Post by Tazzi »

With that now making sense.. we have communication.

Couple things though:
1) Some data does need to be shot off to the QSPI line, which appears to be aimed at the slave chip to keep it happy. Without it, master gets reset by slave.
2) I have not had much luck using the free running timers, they roll over too quickly making it hard to calculate time, which will be used for erase routines. I'd rather not use a nop loop.. but I guess if I can accurately work out how many nop loops it takes for 1ms, then I can just pass a variable to the function to generate an accurate delay.
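Added example, not part of the thread or of Tazzi's kernel: one way to time long delays with a free-running counter that rolls over quickly, the problem raised in point 2 above, is to poll the counter and accumulate modular differences. `read_timer`, the 16-bit counter width and the simulated step per read are assumptions; on hardware `read_timer` would read the real counter register.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 16-bit free-running hardware counter.
   Each read advances it by sim_step ticks to imitate time passing. */
static uint16_t sim_counter = 0xFFF0;   /* start just below rollover */
static uint16_t sim_step = 37;

static uint16_t read_timer(void)        /* hypothetical register read */
{
    sim_counter = (uint16_t)(sim_counter + sim_step);
    return sim_counter;
}

typedef struct {
    uint16_t last;    /* counter value at the previous poll */
    uint32_t ticks;   /* ticks accumulated since elapsed_start() */
} elapsed_t;

static void elapsed_start(elapsed_t *e)
{
    e->last = read_timer();
    e->ticks = 0;
}

/* Unsigned 16-bit subtraction gives the right delta across one rollover,
   provided the counter is polled at least once per counter period. */
static uint32_t elapsed_poll(elapsed_t *e)
{
    uint16_t now = read_timer();
    e->ticks += (uint16_t)(now - e->last);
    e->last = now;
    return e->ticks;
}

/* Busy-wait for at least `ticks` counter ticks; returns ticks measured. */
static uint32_t delay_ticks(uint32_t ticks)
{
    elapsed_t e;
    elapsed_start(&e);
    while (elapsed_poll(&e) < ticks) { }
    return e.ticks;
}

int main(void)
{
    /* 200000 ticks is about three full periods of a 16-bit counter. */
    printf("measured %lu ticks\n", (unsigned long)delay_ticks(200000UL));
    return 0;
}
```

The 32-bit accumulator is what lets an erase timeout span many counter periods; the only requirement is that the polling loop runs more often than the counter wraps.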

Post by nightjoker7 »

Tazzi wrote: Ok so we have processor: MC68376 (Thanks dustin!)
and flashchip: am29bl802cb

Flash is basically the same as that of the E38, so the flash routines to unlock flash etc. should be very very similar.

Now to take a peek at GM's factory kernel for writing.. this should give the required flash routines used, and any other hidden things needed (But I think it'll be fairly self explanatory??)

Have not done much 68x assembly, so this is going to be another learning curve.

MC68376 isn't correct, that's not even the correct pin count. It's a 377. It's the same as the Saab t8 uses. Might be worth checking this project out https://github.com/mattiasclaesson/TuningSuites
Last edited by nightjoker7 on Wed Feb 17, 2021 12:06 am, edited 1 time in total.

Post by Tazzi »

nightjoker7 wrote:
Tazzi wrote: Ok so we have processor: MC68376 (Thanks dustin!)
and flashchip: am29bl802cb

Flash is basically the same as that of the E38, so the flash routines to unlock flash etc. should be very very similar.

Now to take a peek at GM's factory kernel for writing.. this should give the required flash routines used, and any other hidden things needed (But I think it'll be fairly self explanatory??)

Have not done much 68x assembly, so this is going to be another learning curve.

The e40 does not use the MC68376, that's not even the correct pin count. It's a MC68377. It's the same as the Saab t8 uses. Might be worth checking this project out https://github.com/mattiasclaesson/TuningSuites

Spot on, it's not correct, but is the information I was working off of as that's what I was indicated :wtf:
As more addresses were identified, it made it (clearly) obvious it wasn't correct so I just opened up every 68k CPU until I found one with a matching register.. which was the 377.

Cheers for the suggestion! If I get stuck, might be something to check out but I am successfully sending and receiving CAN frames now, and pulled the first 8 bytes of flash memory yesterday so we are almost there :thumbup:

Post by Tazzi »

Am surprised how small the kernel is so far for reading. It's actually quite small in comparison to the E38.

It'll obviously increase after implementing write, but it shouldn't be too much. Basically just the erase function, write data chunks and finally a verify function. Preferred if could be done with a CRC although not sure if I can work that out in Motorola assembly.. maybe could use easy68k to write in C and compile it.. then extract the assembly from that.. hmm.
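Added example, not code from the thread or from Tazzi's kernel: the CRC verify step mentioned above, written in C with a table-free CRC so the compiled routine stays small. CRC-32 as the variant, the 256-byte chunk size and all function names are assumptions; the post does not say which CRC would be used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 256u   /* assumed size of one write/read-back chunk */

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), no lookup table.
   Pass 0 for the first chunk, then feed the previous result back in. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Kernel-side check: CRC the written region chunk by chunk and compare
   with the CRC the flashing tool computed over the image it sent. */
static int verify_region(const uint8_t *flash, size_t len, uint32_t expected)
{
    uint32_t crc = 0;
    for (size_t off = 0; off < len; off += CHUNK) {
        size_t n = (len - off < CHUNK) ? len - off : CHUNK;
        crc = crc32_update(crc, flash + off, n);
    }
    return crc == expected;
}

/* Constructed demo: 1000-byte image, optionally one bit flipped in the copy. */
static int demo_verify(int flip_bit)
{
    uint8_t image[1000], flash[1000];
    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (uint8_t)(i * 7u + 3u);
    memcpy(flash, image, sizeof flash);
    if (flip_bit)
        flash[513] ^= 0x10;   /* simulate a single bad bit after writing */
    return verify_region(flash, sizeof flash,
                         crc32_update(0, image, sizeof image));
}

int main(void)
{
    printf("clean=%d corrupted=%d\n", demo_verify(0), demo_verify(1));
    return 0;
}
```

Because the CRC is chained across chunks, the kernel only has to send back four bytes for the tool to compare, instead of reading the whole region back over CAN.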

Post by nightjoker7 »

Could I please get a license for your program? I would really like to check it out.

Post by Tazzi »

nightjoker7 wrote:Could I please get a license for your program? I would really like to check it out.
Not requiring any more testers at this time. Thanks for the interest :thumbup: