GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tre-Cool
Posts: 265
Joined: Tue Oct 16, 2012 12:17 pm
cars: VY SS UTE, VX Drag Car
Location: Perth

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tre-Cool »

So, with the cloning option:

Whereabouts in the bin file or segment is the security link information? Mainly interested in copying it from one bin to another, i.e. if doing an OS change/upgrade.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by ironduke »

Hopefully someone a lot more knowledgeable will chime in, but I thought I remember reading that it was the 2 bytes in between the seed and the key in the bin. I tried finding where I had read that but, sorry to say, can't find the document or forum topic that I read it from.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Tre-Cool wrote:So, with the cloning option:

Whereabouts in the bin file or segment is the security link information? Mainly interested in copying it from one bin to another, i.e. if doing an OS change/upgrade.
The immobiliser, seed/key, VIN, serial etc. are in the parameter block area, which is the 0x8000 to 0xA000 area, off the top of my head.

The immo code stands out; it's a 4-digit number in that block :thumbup:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by ironduke »

I just tried an immobilizer learn on my bench E38. It didn't change what I thought was the immo key, but that's only 2 bytes anyway, so that wasn't it.

The immo learn didn't change anything, but it did add some code from 0xCCB6 to 0xD170, total length of 0x4C4 bytes.

I can only guess it's code to write the new immo when it seeds one sent from the BCM?? Total guesswork on my part. Gonna be busy the next couple of days, but I want to plug it into a car and then read it again to see if it learns a different immo.
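Ironduke's before/after compare and Tazzi's note on where the parameter block sits suggest a small tool: report the byte ranges where two reads of the same ECU differ and flag any run that falls inside the 0x8000-0xA000 window. This is an added example, not code posted by anyone in the thread; the two images are constructed (a 0x4C4-byte block at 0xCCB6 and a two-byte change at 0x8123), and the window bounds are the ones Tazzi gives from memory.

```python
"""Report where two flash reads of the same ECU differ.

Added example for this thread, not code anyone posted in it. The parameter
block window is the 0x8000-0xA000 range Tazzi gives from memory; the two
images below are constructed, not real E38 dumps.
"""
from typing import List, Tuple

PARAM_BLOCK = (0x8000, 0xA000)  # [start, end), per Tazzi's post

def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Maximal runs (start, end_inclusive) where the images differ.
    A length mismatch is an error, not silently truncated: a short or
    padded read is itself a finding worth reporting."""
    if len(a) != len(b):
        raise ValueError(f"image sizes differ: {len(a):#x} vs {len(b):#x}")
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                      # a run of differences begins
        elif x == y and start is not None:
            ranges.append((start, i - 1))  # run ended on the previous byte
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges

def in_param_block(start: int, end: int) -> bool:
    """True when the whole run lies inside the parameter block window."""
    lo, hi = PARAM_BLOCK
    return lo <= start and end < hi

def describe(ranges: List[Tuple[int, int]]) -> List[str]:
    """One human-readable line per run, flagging parameter-block hits."""
    return [f"{s:#06x}-{e:#06x} ({e - s + 1:#x} bytes)"
            + (" [parameter block]" if in_param_block(s, e) else "")
            for s, e in ranges]

# Constructed sample: a blank 64 KiB image and a copy with a 0x4C4-byte block
# written at 0xCCB6 (the size ironduke reported) plus a 2-byte change inside
# the parameter block. Values stay below 0xFF so the run is contiguous.
BEFORE = b"\xFF" * 0x10000
_after = bytearray(BEFORE)
_after[0xCCB6:0xCCB6 + 0x4C4] = bytes(i & 0x7F for i in range(0x4C4))
_after[0x8123:0x8125] = b"\x12\x34"
AFTER = bytes(_after)

if __name__ == "__main__":
    print("\n".join(describe(diff_ranges(BEFORE, AFTER))))
```

Run it against a real before/after pair by replacing BEFORE and AFTER with the two file contents; only runs that sit wholly inside the window get the parameter-block flag.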
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

Hi Tazzi,
We talked earlier in this thread about reading the last two modules. Keep in mind this snippet is just that, so pay no attention to the exact order of things; it's a bit of some things I was doing on a different 8-bit project. I was bit-banging the IO register to do some reading on some stuff that had built-in clock jitter; the numbers noted are clock ticks :ugeek: Maybe it will give you some ideas to incorporate. Fun stuff :mrgreen:

Code:

SaveA:          equ     $XX             ;IO register address (placeholder as posted)

BTDelay:        equ     $F0             ;bit delay, this can be any value ya like

;
;BootStrap code starts here
;
                sei                     ;mask interrupts (SEI sets the I bit), not really necessary
                lda     #$55            ;55h is the response that basically says you are
                                        ;running this bootstrap, can be any value you like
                bra     Start           ;run dumper

SendByte:       sta     SaveA
                clra
                bsr     DecA            ;inter-byte delay
                ldx     #$0A            ;bit counter
                coma                    ;invert byte

                bclr    0,$00           ;5 Zero Bit
                bsr     DelayBit        ;1st Start Bit
                bra     SetIO           ;3

SetIO:          bset    0,$00           ;5 One Bit
                bsr     DelayBit
                clc                     ;2nd Start Bit

SendBit:        bcs     Send1           ;3

                bclr    0,$00           ;5 Zero Bit     |
                bra     bitdelay        ;3              |count this for timing calc

Send1:          bset    0,$00           ;5 One Bit      |but not this
                bra     bitdelay        ;3              |

bitdelay:       bsr     DelayBit
                asla                    ;3  shift the next bit into carry
                decx                    ;3
                bne     SendBit         ;3
                bset    0,$00           ;Parity = 0, Stop bits = 1
                rts                     ;6

DelayBit:                               ;standard 8 bit delay loop
                sta     SaveA
                lda     #BTDelay
DecA:           deca
                bne     DecA
                lda     SaveA           ;restore A from the IO register
                rts

Start:          bsr     SendByte
LongDelay:      deca
                bsr     DelayBit
                bne     LongDelay
                lda     #$30            ;Start address of 3000
                sta     $47             ;Now address stored at 47,48 in ram
                lda     #$00
                sta     $48
; ---------------------------------------------------------------------------
                dw      $7180           ;Change page to eeprom
; ---------------------------------------------------------------------------
Loop:           dw      $92C6           ;Load A with the value of this next byte address 92C647
                                        ;Haven't fixed assembler to allow this new opcode yet
                db      $47
                bsr     SendByte
                inc     $48
                bne     Loop
                inc     $47
                bne     Loop
;need to create "reversible" idling loop here or rts

Yustas
Posts: 2
Joined: Wed Jun 03, 2020 7:28 pm
cars: DF Goblin

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Yustas »

Really impressed work, Tazzi!
The1
Posts: 4694
Joined: Mon Jan 04, 2010 10:23 am

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by The1 »

awesome work tazzi, lots of hours to get this far :o
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

Hiya Tazzi,
Just an update that I built bench setups for the E67, E78 and E92 if you want me to do anything. I can rig up a CAN logger/sniffer too. I'll make the T42 and T87 adapters soon.

I screwed up the other day and didn't read a messed up E38 after I got the key. It was fubar'd bad enough it only had a 3 byte seed. Seed was BE2 and key was 881, didn't take long to brute it and I got sidetracked by the phone and forgot to read it before repair :typist:

Here's a couple E78 reads from some ebay puters.
2013_Sonic_ABMW_Flex_Stock.rar
2015_Cruz_Turbo_Stock_AB67.rar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

The1 wrote:awesome work tazzi, lots of hours to get this far :o
Thanks!
In-Tech wrote:Hiya Tazzi,
Just an update that I built bench setups for the E67, E78 and E92 if you want me to do anything. I can rig up a CAN logger/sniffer too. I'll make the T42 and T87 adapters soon.

I screwed up the other day and didn't read a messed up E38 after I got the key. It was fubar'd bad enough it only had a 3 byte seed. Seed was BE2 and key was 881, didn't take long to brute it and I got sidetracked by the phone and forgot to read it before repair :typist:

Here's a couple E78 reads from some ebay puters.
2013_Sonic_ABMW_Flex_Stock.rar
2015_Cruz_Turbo_Stock_AB67.rar
Sweet as. I've been bogged down with work during all the COVID; it's only starting to normalise for me now, so I will (hopefully) have more free time again soon to start attacking more ECUs.

I did start cutting into my E92. The back plate isn't completely off yet, but I made a start :lol:
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

Shoot, I meant to cut open an E92 here too and got sidetracked, will try this weekend.

I read those .bin files out with TunerCat. I have two of the 2013 Sonic ECMs here, both broadcast code ABMW. I just did a compare of the two in Hex Workshop and they are identical. Are the VIN and seed/key and other parameters stored in the processor, or are these files I posted padded in those areas, meaning they aren't read? Or do you have to put it in a particular mode to read that info?

Here's the info for the one I posted.
VIN: 1G1JC6SH9D4148561

PCM Service No: 12655499
PCM Traceability Code: 86ABMWK02298Y1VG
PCM Security Seed: 648E

PCM Module 1: 12655492
PCM Module 2: 55594171
PCM Module 3: 55594167
PCM Module 4: 55593091
PCM Module 5: 55593079
PCM Module 6: 55594163
PCM Module 7: 12643594
PCM Module 8: 55585772

Here's the info for the other one I read.
VIN: 1G1JC5SH9D4103453

PCM Service No: 12655499
PCM Traceability Code: 86ABMWK02217SACR
PCM Security Seed: 772C

PCM Module 1: 12655492
PCM Module 2: 55594171
PCM Module 3: 55594167
PCM Module 4: 55593091
PCM Module 5: 55593079
PCM Module 6: 55594163
PCM Module 7: 12643594
PCM Module 8: 55585772

The question is should I try to write a different file from a v8 to this box and see if it takes?