GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

[Tazzi]

So I "think" the flash is corrupted, have attached BDM and able to dump/verify the read. But now need to pop a fresh dump in and see if it comes back to life!

*Edit
Yep, she's now alive!!
Now this can be recovered when learning so no need to worry about bricking.

[julespatch]

Nice work!

[Tazzi]

Using the E38/E67 as a template, things I need for the kernel is:
1) Find RAM area
2) Check for Watch Dog
3) Identify CAN routines and make a read/write function
4) Create a timer or wait loop
5) Validate in factory GM kernel the write sequence to flash, it should be fairly straight forward.

Some quick links for the processor:
Product page: https://www.nxp.com/products/no-longer- ... tation_Tab
Users Manual: https://www.nxp.com/docs/en/user-guide/MC68336376UM.pdf

For learning 68000, this has been pretty useful: https://chibiakumas.com/68000/

The general flow of how I have done the E38/E67 will be used here, this should significantly speed up the process as the main logic flow has already been completed.
Couple things I will be added in (And to the PPC loader) is:
1) Reports back programmed status (E2) as a custom value to identify its still in bootloader
2) Report back to mode 28 and other diagnostic requests incase bus has woken up and kernel is still running

[Tazzi]

So watchdog requires writing 0x55 then 0xAA to the SWSR register.

Factory kernel does some funky other stuff... im guessing this is like the E38/E67 where its satisfying other connected devices, ram ect.

[Tazzi]

Yeah ok, iv got a pretty good understanding of whats going on now.
Other then a weird QSPI request thats referenced to regularly, but this is similar to what happens in E38/E67 to keep other devices satisified, so that function can literally be copy/pasted out and referenced to in a kernel.

Up first is getting a suitable compiler, and making a simple app output a CANbus frame.
From there that can be made into a function and the main loop of the app can do watchdog pat, QSPI check and canbus frame spam.

[ScarabEpic22]

E40 was V8 (maybe a random V6 too?) only, P12 was used on inline engines only and does transmission control as well (last PCM from GM). From what I've read, they're in the same case, but have different hardware internally. The E60/LLY Duramax ECM uses the same case and harness connectors as E40+P12, you can use the same bench harness to communicate with all 3 of them (P12, E40, E60/LLY).

P12 was used mainly on Atlas I4/5/6 engines and a few other 2L I4s (Cobalt SS comes to mind). It's also the successor to the P10 for 4.2 I6 engines. [If you ever want to dig into an old oddball PCM with the P10 (02-05, 1 engine, 1 platform), I've got extra PCMs and would be happy to ship you a few. Might be more up antus/NSFW's alley with the VPW comms though.] I've got a dead P12 (believe it's 06, I'll go dig it out), happy to cut it open and provide numbers off the chips it if that'd help.

I know that:
P12 MY 04-06, 7x crank reluctor, 1MB flash
P12 MY 07, 58x crank reluctor, 2MB flash (not sure why GM didn't just go to the E67+T42?)
E40s have different service numbers 05 to 06. I'm going to speculate it was done for the same reason the E38/67s had different service numbers: parameter block changes...

The 07 P12 I have here has p/n 12613427, service no 12602010.

do you have a service number of the 58x P12 for atlas? also a binary?

Most 2007s are 7x like previous gens I thought. I've heard of some being 58x but never any proof.

GM's documentation mentioned 58x for 07, I'm basing my statement off that (it's been a few years since I've really dug into it too so going off my old notes).

Looking at the PCM read I have that from a j/y PCM with matching 07 part number/service number and VIN+OS, the filesize is <512kb and within ~40kb of an 06 file...so not seeing the extra 1MB of flash either.

I've got reads of the 07 file, not in .bin format unfortunately. Happy to share what I have if you're interested.



Tazzi- glad to hear you were able to grab an E40 and get started on it!

[Tazzi]

Weird. I cant seem to get GMs kernel running without effectively running the entire thing as its own separate function, after its run, I can make a loop to just poll the watch dog and QSPI device.

So.. it works.. but.. not exactly ideal.

I can tell when it crashes/restarts since all the ECM chatter starts up again. Now to try get the CANBus stuff working nicely

[In-Tech]

Hiya Tazzi,
I have ONE e40 on the shelf and can do some testing for you if needed when the time comes. However, I don't have a vehicle but would be glad to bench test anything you would like.

[Tazzi]

Hiya Tazzi,
I have ONE e40 on the shelf and can do some testing for you if needed when the time comes. However, I don't have a vehicle but would be glad to bench test anything you would like.

Cheers! Once I get to a point that I can pull flash, I’ll definitely need the testing.

Just got to get the CANbus working. The gm kernel doesn’t seem to address the CAN registers at all. It’s an almost identical cab system to the E38s so I believe I can copy the same setup I used there(hopefully)

[Tazzi]

Ok so seems the OS has setup interrupt based CAN reception as I can’t seem to get it to read any messages. I think the interrupt is taking the message from the buffer before I poll for it

Will need to identify the exact bit to disable that, hopefully will resolve that.

I believe the same commands to the actual flashchip can be used from E38, difference being the flash size. I found similar references in the GM kernel so I think that will work.