Reverse Engineering 12587603

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: Reverse Engineering 12587603

Post by Vampyre »

Might your anonymous friend have any data for P04s? I've spent the last few days labeling the bin in Ghidra from the data in TinyTuner and it doesn't have nearly all of them.
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: Reverse Engineering 12587603

Post by Highlander »

roughneck427 wrote: 6960 OS was an update for the 7603 as well. There were no vehicles with the 6960 OS that had a 4L80. I have cut the trans, trans diag and speedo segments in hex from the 7603 and put them in the 6960 and it worked fine. I see this more for guys using other tuning suites that would have to pay for credits to change the OS. I have tested the same method on a 99 calibration as well. As long as the segment length is the same size you can plug it in.

I also tested this same method on E38. On swaps the speedo on the scanner will read 158 mph for an E38 auto trans calibration. I cut the system segment from a manual car and plugged it into a truck auto calibration and it fixed the speedo issue; these were non-matching OS. Again, on this the segment length was the same, so the file size never changed.

It reads 158 because the ECM is expecting the speed from the bus and it's not there. Or at least the validity of it.
ColPaul
Posts: 36
Joined: Tue Dec 31, 2019 11:24 am

Re: Reverse Engineering 12587603

Post by ColPaul »

NSFW wrote: I was sent a file containing addresses, names, and some comments for what appears to be the entire calibration segment. It's kind of amazing. I'm guessing somebody went dumpster-diving outside a GM building 15+ years ago and hit the jackpot. I won't mention any names, but the person who sent it can chime in if they choose to.

Last night I made a script that turns it into an IDC file (12587603.csv.idc), and just now I added the CSV, IDC, and PS1 files to the GitHub repo linked in the first post of this thread, plus a re-generated ASM file.

Merging this with your own work might be tricky. I wanted to preserve the table names from my existing IDA project, since they came from an XDF, have mixed-case names (GM was really fond of ALL_CAPS_EVERYWHERE), and the names include row/column info, etc, so here's what I did:

1) Dump my existing IDA project to an IDC file (temp.idc).
2) Run 12587603.csv.idc
3) Run temp.idc

So now I have XDF-based names for everything that was in the XDF, and GM's names for everything else.

You can sorta get a sense of what's going on in lots of arbitrary sections of code now, just by looking at the names of the parameters that are referenced. I don't have any great new discoveries to share, but with this info I'm pretty sure it's going to be a whole lot easier to discover anything you want.

NSFW, would you share the file, maybe on your GitHub repository or even here? I'm working on using your info from 12587603 to create an XDF for 12592618. I just set up a Ghidra-Server repository if anyone is interested in helping.
turbo_bu
Posts: 55
Joined: Tue Dec 03, 2019 3:58 am

Re: Reverse Engineering 12587603

Post by turbo_bu »

NSFW, any chance you could share the file with the names / addresses? I am working on an older disassembly and would like to compare it with what I have been able to find.
aaronc7
Posts: 53
Joined: Mon Jun 15, 2020 12:35 pm
cars: 2003 C5Z
2017 Audi S3

Re: Reverse Engineering 12587603

Post by aaronc7 »

https://github.com/LegacyNsfw/12587603

I used it to help map some flex fuel tables, thank you whoever shared the data!
turbo_bu
Posts: 55
Joined: Tue Dec 03, 2019 3:58 am

Re: Reverse Engineering 12587603

Post by turbo_bu »

I saw the assembly file that NSFW merged, but it is a little difficult to follow. I was hoping that he could share the raw information so I can try to map it against an older disassembly I originally started on years ago.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Reverse Engineering 12587603

Post by antus »

It's just addresses and names, no more. It's all in the CSV and also the IDC file, and you can load the IDC into your IDA disassembly of the matching OS to annotate it, then go from there. Or, if you're not using IDA, script something to use the CSV.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
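For readers not using IDA, one way to script against the CSV, as an added example that is not code from the thread or from the linked repository: it parses address/name rows, lets names from your own project override the CSV names (the same outcome as the run order quoted earlier in the thread), and writes `name 0xADDRESS l` lines, the form Ghidra's bundled ImportSymbolsScript.py reads. The column order, the sample rows and every name in it are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample. The column order (address, name, comment) is an
# assumption; check it against the header row of the real CSV.
SAMPLE_CSV = """Address,Name,Comment
0x10000,EXAMPLE_TABLE_A,constructed row
10010,EXAMPLE SPARK-BASE,name needs cleaning
,EXAMPLE_NO_ADDRESS,skipped because the address is missing
0x10020,EXAMPLE_TABLE_B,also named in the existing project
"""

# Names already in the analyst's own project (constructed), keyed by address.
EXISTING = {0x10020: "Example_Table_RPM_x_MAP"}

def clean_name(raw):
    """Reduce a label to characters a disassembler accepts in a symbol."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", raw.strip())
    return "_" + name if name[0].isdigit() else name

def load_labels(text):
    """Parse CSV text into {address: name}, skipping rows that cannot be used."""
    labels = {}
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # header row
    for row in rows:
        if len(row) < 2 or not row[0].strip() or not row[1].strip():
            continue
        try:
            address = int(row[0].strip(), 16)  # accepts "0x10000" and "10000"
        except ValueError:
            continue
        labels[address] = clean_name(row[1])
    return labels

def merge(csv_labels, existing):
    """Existing names win, like running the CSV-derived script before your own."""
    merged = dict(csv_labels)
    merged.update(existing)
    return merged

def to_symbol_lines(labels):
    """One 'name 0xADDRESS l' line per label, sorted by address."""
    return ["%s 0x%06X l" % (name, addr) for addr, name in sorted(labels.items())]

if __name__ == "__main__":
    print("\n".join(to_symbol_lines(merge(load_labels(SAMPLE_CSV), EXISTING))))
```

The comment column is read but not emitted, because the symbol-line format has no field for it.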
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Post by NSFW »

Sorry for the delay! As antus said, the CSV file is the "raw information" you're looking for:

https://github.com/LegacyNsfw/12587603/ ... 587603.csv
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
roughneck427
Posts: 49
Joined: Thu Feb 07, 2013 1:49 pm
cars: 2002 Camaro
2008 Pontiac G8

Re: Reverse Engineering 12587603

Post by roughneck427 »

This is the 7603 OS DTC lookup table axis. You have to view in 16 hi low hex and skip 2 bytes to populate the axis properly. If someone wants to add to the IDA script, the DTC lookup table address is 87F74. Disregard that I have the axis as the map; it was easier for me to shift and move things and toggle in hex and 2D mode.


F105EC8A-0918-4693-AF2A-8AAF483BE439.jpeg
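The table layout described in the post above, as an added example that is not part of the original post: it reads one 16-bit high-byte-first value from each 4-byte entry starting at 87F74 and skips the other two bytes. The entry count, the position of the skipped bytes, the file offset being equal to the address, and the OBD-II two-byte code encoding are assumptions, and the sample image is constructed.

```python
import struct

DTC_TABLE_ADDRESS = 0x87F74  # address given in the post
ENTRY_STRIDE = 4             # assumed layout: 2-byte value, then 2 skipped bytes

def read_dtc_axis(image, count, address=DTC_TABLE_ADDRESS):
    """Return `count` 16-bit big-endian values, one from every 4-byte entry.

    `count` is a hypothetical parameter: the post does not give the table
    length. The file offset is assumed to equal the address.
    """
    end = address + count * ENTRY_STRIDE
    if count < 0 or address < 0 or end > len(image):
        raise ValueError("table 0x%X..0x%X is outside the %d-byte image"
                         % (address, end, len(image)))
    return [struct.unpack_from(">H", image, address + i * ENTRY_STRIDE)[0]
            for i in range(count)]

def format_dtc(value):
    """Render a 16-bit value in the standard OBD-II two-byte DTC encoding.

    Assumption: the table stores codes in that encoding (top two bits select
    P/C/B/U, the rest are the four digits). The page does not confirm this.
    """
    return "%s%X%03X" % ("PCBU"[value >> 14], (value >> 12) & 0x3, value & 0xFFF)

def build_sample_image():
    """Constructed image: zero padding, then three entries at the table address."""
    entries = [(0x0101, 0xAAAA), (0x1336, 0xBBBB), (0xC100, 0xCCCC)]
    table = b"".join(struct.pack(">HH", code, skipped) for code, skipped in entries)
    return bytes(DTC_TABLE_ADDRESS) + table

if __name__ == "__main__":
    for value in read_dtc_axis(build_sample_image(), 3):
        print("0x%04X %s" % (value, format_dtc(value)))
```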
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Reverse Engineering 12587603

Post by antus »

NSFW wrote: 12587603 is the P59 operating system that is available in pretty much every combination of throttle and transmission, so I think it's the one to focus on for P59 hacking.

So I opened one in IDA Pro and did the following:

* Used DzidaV8's XDF to label a bunch of tables and constants
* Used the table of PIDs in the bin file to label the functions that handle those PIDs.
* Disassembled everything I could.

Then I exported an IDC file for anyone who wants a head start digging into it with IDA.
Then I exported an ASM file for anyone who wants to pitch in and doesn't have IDA.

When Ghidra supports the table-lookup opcodes, I'll find a way to convert the IDC file into something that Ghidra can support, and that will make this easier (and so much cheaper) for everyone.

https://github.com/LegacyNsfw/12587603

I just found this document describing how to add a new CPU to Ghidra. I don't know if it shows anything that would help add the missing opcodes?

https://docs.google.com/presentation/d/ ... fTHRfvVSYo
I'll add a local mirror here in case it goes away.
Attachments
flashre - BeeRump.pdf
(469.03 KiB)