Reverse Engineering 12587603

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Reverse Engineering 12587603

Post by NSFW »

12587603 is the P59 operating system that is available in pretty much every combination of throttle and transmission, so I think it's the one to focus on for P59 hacking.

So I opened one in IDA Pro and did the following:

* Used DzidaV8's XDF to label a bunch of tables and constants
* Used the table of PIDs in the bin file to label the functions that handle those PIDs.
* Disassembled everything I could.

Then I exported an IDC file for anyone who wants a head start digging into it with IDA.
Then I exported an ASM file for anyone who wants to pitch in and doesn't have IDA.

When Ghidra supports the table-lookup opcodes, I'll find a way to convert the IDC file into something that Ghidra can support, and that will make this easier (and so much cheaper) for everyone.

https://github.com/LegacyNsfw/12587603
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
tkelly2784
Posts: 9
Joined: Sat Apr 11, 2020 1:54 pm
cars: Too many BMW's.

Re: Reverse Engineering 12587603

Post by tkelly2784 »

This may not belong here, your disassembly helped me verify some of the work I did today, thank you.

First the MAP sensor scaling was multiplied by 4 in TunerPro, either XDF works for this. Then I verified that ~1.25V into the sensor maxes out the value in the data logger, it does. This means the kPa * 51.2 number is much bigger. So then I looked to find where it was being limited.


Looking here

loc_80960:                              ; CODE XREF: sub_8093C+1Aj
    move.w  (Constant16_C6302___MAP_Sensor_Offset).l,d5
    ext.l   d5
    move.w  (Constant16_C6301___MAP_Sensor_Scaler).l,d3
    mulu.w  ($FFFFB28E).w,d3
    lsr.l   #8,d3
    lsr.l   #8,d3
    add.l   d5,d3
    tst.l   d3
    blt.s   loc_80990
    cmpi.l  #$FFFF,d3
    bhi.s   loc_8098A
    cmpi.w  #$14FF,d3
    bls.s   loc_80992

loc_8098A:                              ; CODE XREF: sub_8093C+46j
    move.w  #$14FF,d3
    bra.s   loc_80992

This code is identical to the 2088 MAP sensor update routine. To allow a higher MAP scaling I took the code

0C 43 14 FF 63 08 36 3C 14 FF

at 8080A and turned it into

0C 43 53 FC 63 08 36 3C 53 FC

There were 2 other places where this was changed

80986 & 80a2c

80986 looks consistent with the * 25.6 value storage. 80a2c is a mystery to me, but I did it anyway because it had a routine that looked like it limited the MAP. For all I know it's some other sensor.

The result? The datalogger now reads kPa up to 255, then wraps around up to 135ish, so 390kPa. That's plenty to pop a head gasket with. Next is to aim the VE table lookup somewhere else. It should run like this with a 4bar map and a stock engine.

Next I will move the table lookups to aim at a part of the empty rom. I have been using UniversalPatcher for the checksums and it seems to work good. If it can handle a table swap I will be really impressed. I will test the non-checksum in patcher, but not on a working box. This is going too well.
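Added example, not part of the original posts: the byte strings quoted above encode `cmpi.w #imm,d3` / `bls.s +8` / `move.w #imm,d3`, so a script can locate every clamp of that shape in an image and change only the ones at a chosen limit. The function names and the `SAMPLE` image are constructed for illustration, and the code assumes image offsets equal addresses.

```python
import struct

# Opcode words taken from the byte strings quoted in the post (68k, big-endian).
CMPI_W_D3 = bytes.fromhex("0c43")  # cmpi.w #imm,d3
BLS_S_8 = bytes.fromhex("6308")    # bls.s +8: value is in range, skip the clamp
MOVE_W_D3 = bytes.fromhex("363c")  # move.w #imm,d3: clamp to the limit

# Constructed sample image (not bytes from a real bin): one $14FF clamp,
# one decoy whose two immediates differ, and one unrelated $07FF clamp.
SAMPLE = (bytes(16) + bytes.fromhex("0c4314ff6308363c14ff") + bytes(6)
          + bytes.fromhex("0c4314ff6308363c1234") + bytes(6)
          + bytes.fromhex("0c4307ff6308363c07ff"))

def find_clamps(image):
    """Return [(offset, limit)] for each cmpi.w/bls.s/move.w clamp on d3."""
    hits = []
    pos = image.find(CMPI_W_D3)
    while pos != -1:
        seq = image[pos:pos + 10]
        # 68k instructions are word-aligned; assumes the image starts at an
        # even address, so odd offsets are data that happens to match.
        if (pos % 2 == 0 and len(seq) == 10 and seq[4:6] == BLS_S_8
                and seq[6:8] == MOVE_W_D3 and seq[2:4] == seq[8:10]):
            hits.append((pos, struct.unpack(">H", seq[2:4])[0]))
        pos = image.find(CMPI_W_D3, pos + 1)
    return hits

def patch_clamps(image, old_limit, new_limit):
    """Return (patched_copy, offsets_changed); only clamps at old_limit move."""
    if not 0 <= new_limit <= 0xFFFF:
        raise ValueError("limit must fit in a 16-bit immediate")
    imm = struct.pack(">H", new_limit)
    out, changed = bytearray(image), []
    for off, limit in find_clamps(image):
        if limit == old_limit:
            out[off + 2:off + 4] = imm   # compare immediate
            out[off + 8:off + 10] = imm  # clamp immediate
            changed.append(off)
    if not changed:
        raise ValueError("no clamp with that limit found; nothing patched")
    return bytes(out), changed

if __name__ == "__main__":
    for off, limit in find_clamps(SAMPLE):
        print(f"clamp at 0x{off:05X}: limit 0x{limit:04X}")
    patched, changed = patch_clamps(SAMPLE, 0x14FF, 0x53FC)
    print("patched offsets:", [hex(o) for o in changed])
```

A match only shows that a byte sequence has the clamp shape, not which sensor it limits, and a change inside a checksummed segment needs the checksum recomputed afterwards.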
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Post by NSFW »

Cool. :)
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Reverse Engineering 12587603

Post by kur4o »

NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Post by NSFW »

Also cool!
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Post by NSFW »

I was sent a file containing addresses, names, and some comments for what appears to be the entire calibration segment. It's kind of amazing. I'm guessing somebody went dumpster-diving outside a GM building 15+ years ago and hit the jackpot. I won't mention any names, but the person who sent it can chime in if they choose to.

Last night I made a script that turns it into an IDC file (12587603.csv.idc), and just now I added the CSV, IDC, and PS1 files to the GitHub repo linked in the first post of this thread, plus a re-generated ASM file.

Merging this with your own work might be tricky. I wanted to preserve the table names from my existing IDA project, since they came from an XDF, have mixed-case names (GM was really fond of ALL_CAPS_EVERYWHERE), and the names include row/column info, etc, so here's what I did:

1) Dump my existing IDA project to an IDC file (temp.idc).
2) Run 12587603.csv.idc
3) Run temp.idc

So now I have XDF-based names for everything that was in the XDF, and GM's names for everything else.

You can sorta get a sense of what's going on in lots of arbitrary sections of code now, just by looking at the names of the parameters that are referenced. I don't have any great new discoveries to share, but with this info I'm pretty sure it's going to be a whole lot easier to discover anything you want.
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: Reverse Engineering 12587603

Post by Highlander »

This is actually very good...
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: Reverse Engineering 12587603

Post by Highlander »

NSFW wrote: Cool. :)
bra = branch.... it's jumping to that location.
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: Reverse Engineering 12587603

Post by Highlander »

Anyone here have the 12592425 OS for regular C5?

Apparently there is a fix for power consumption when off and it's essentially the same OS as 12587603
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Reverse Engineering 12587603

Post by In-Tech »

Let's see if I did this correctly. I used the universal patcher program.
12592425.rar
(208.74 KiB) Downloaded 434 times