Updating GM EBCM Checksum

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
RADustin
Posts: 162
Joined: Fri Oct 17, 2014 9:44 am

Updating GM EBCM Checksum

Post by RADustin »

Gents,

Forum lurker for many years. I've been brought to a dead stop working on finalizing a long term project and the last bit will be to update the EBCM with a proper flash as I changed the abs tone rings (tooth count).

I believe I've found the addresses I'd like to modify for the tone rings, but I can't fix the checksum to allow the EBCM to accept the flash. The EBCM will go into a 'soft brick' status until I grab a known good file to flash instead.

I know the checksum is the last 4 bytes of the file. I have compared similar files and the checksum varies radically, so I don't believe it is a sum. I've also looked at the checksum as 2 2-byte sums, but again they don't appear to be a simple sum of any sort. This leads me to believe it could be a crc32 or even two crc16- I'm not sure.

The calid of the file is bytes 0x6 through 0x9. And I know the checksum or crc is the last 4 bytes of the file, 0x7FFC-0x7FFF.

I'm not really sure where to go from here and am looking for an assist. I am hoping to leverage the years of experience you all have to get me going in the right direction. I feel maybe if I can better identify what I'm up against, then I can make a plan of attack.

Two OEM files attached that are most similar. Checksums are correct, they are completely stock.
Attachments
22902333.bin
(32 KiB) Downloaded 241 times
22902327.bin
(32 KiB) Downloaded 241 times
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Updating GM EBCM Checksum

Post by Tazzi »

What vehicle is it from?

Are you dumping this direct from the chip or actually flash updating?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Updating GM EBCM Checksum

Post by kur4o »

Now it is kind of a shot in the dark.

Can you provide more info on what you are working on? Some VINs can help too. Full file of the controller. Pics of the board and any other relevant info you can share [a disassembly if you have one].
RADustin
Posts: 162
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Post by RADustin »

Tazzi wrote: What vehicle is it from?

Are you dumping this direct from the chip or actually flash updating?

kur4o wrote: Now it is kind of a shot in the dark.

Can you provide more info on what you are working on? Some VINs can help too. Full file of the controller. Pics of the board and any other relevant info you can share [a disassembly if you have one].

The EBCM is a TRW EBC445 from a 2011-2014 GM pickup with a gross vehicle weight over 8600 lbs. I think it was also used on 3/4 ton vans and Suburbans.

A VIN would be 1GT125E80DF185499

The two files I linked are the full data flash. Pulled from cache as an upload event was happening over TIS.

I have attached the OS here, ..1171. The OS is the same for both files, just different data due to chassis configuration (wheelbase).

It's probably 2000-mid 2000s tech.

I have already tried to just upload a bad checksum and it will fail into the 'soft brick' status. The controller checks the checksum as the flash is going on from what I can tell.

This is pretty much all I know. All the other GM modules (other than ECM/TCM) in the truck, from what I understand, are simple sum checksums (2s comp). This one seems very different, or I'm just losing my mind.
Attachments
22761171.bin
(432 KiB) Downloaded 247 times
RADustin
Posts: 162
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Post by RADustin »

I've tried to sum the entire flash minus the last 4 bytes. Then add to that the first two of the 4, and separately add the second 2 of the 4 bytes. And look at these sums, and their truncated amount to 16bit and 1s and 2s comp- to no avail.

My thought was maybe it was similar to the e38 with one 16bit value being a 2s comp sum and one being a crc16.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Updating GM EBCM Checksum

Post by kur4o »

I did some digging that might help you.

At $C is a 4-byte address that points to the start of the segment. At $10 is the length of the segment.
At $2c is some range start-end [start points to start of segment, while end points to first byte of checksum].

I found some range pairs in the OS
at $4d7c4

00 07 00 14
00 00 40 14
00 00 00 24
00 00 3F EC
00 06 FF FC
00 07 7F FC

24-3fec boot block
4014-6fffc OS
70014-7fffc CALibration

Too bad I have no idea what processor runs the code. If the processor is known, a disassembly can be made, giving some clue about the type of checksum calculation used.

Do you have more files ripped for comparison?
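
An added example, not code from any poster in this thread: it decodes the six words kur4o quoted into address ranges and runs the checksum guesses from RADustin's posts over a range, comparing each with the 4 bytes stored at the range end. The word order and pairing, the CRC-16 parameters, the use of zlib's CRC-32, the file offsets 0x14/0x7FFC and the sample image are assumptions or constructed here.

```python
import struct
import zlib

# Bytes kur4o quoted from OS offset $4d7c4, copied from the post.
RANGE_TABLE = bytes.fromhex("00070014 00004014 00000024"
                            "00003FEC 0006FFFC 00077FFC")

def decode_ranges(table):
    # Assumption: six big-endian 32-bit words, three starts then three
    # ends, paired up in ascending address order.
    words = struct.unpack(">6I", table)
    return list(zip(sorted(words[:3]), sorted(words[3:])))

def crc16_ccitt(data, crc=0xFFFF):
    # Assumed variant: poly 0x1021, init 0xFFFF, no reflection.
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def candidates(body):
    # The guesses raised in the thread, each reduced to its own width.
    s8 = sum(body)
    s16 = sum(struct.unpack(">%dH" % (len(body) // 2), body[:len(body) & ~1]))
    return {"sum8": s8 & 0xFFFF, "sum8 2s-comp": -s8 & 0xFFFF,
            "sum16be": s16 & 0xFFFF, "sum16be 2s-comp": -s16 & 0xFFFF,
            "crc16-ccitt": crc16_ccitt(body),
            "crc32": zlib.crc32(body) & 0xFFFFFFFF}

def matches(image, start, end):
    # Compare every guess over image[start:end] with the 4 bytes stored at
    # `end`, read as one 32-bit word and as two 16-bit halves.
    (stored32,) = struct.unpack_from(">I", image, end)
    stored = {stored32, stored32 >> 16, stored32 & 0xFFFF}
    return sorted(k for k, v in candidates(image[start:end]).items() if v in stored)

def demo_image():
    # Constructed 32 KiB image, not real firmware: the trailer at 0x7FFC holds
    # a 2s-complement byte sum and a CRC-16 of bytes 0x14..0x7FFB.
    img = bytearray((i * 7 + 3) & 0xFF for i in range(0x8000))
    body = bytes(img[0x14:0x7FFC])
    struct.pack_into(">HH", img, 0x7FFC, -sum(body) & 0xFFFF, crc16_ccitt(body))
    return bytes(img)

if __name__ == "__main__":
    for start, end in decode_ranges(RANGE_TABLE):
        print(f"range {start:#07x}..{end:#07x}")
    print(matches(demo_image(), 0x14, 0x7FFC))
```

On a real dump, an empty result only rules out these particular variants, not sums or CRCs in general.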
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Updating GM EBCM Checksum

Post by antus »

22761171.bin is dated 2006 from TRW Automotive. I think it's a Renesas processor; trying it as an M32C/80 gives chunks of code that look sane (compare or test, followed by branch or jump), but it doesn't get far before hitting invalid opcodes. I thought it might be the right family, but I've tried a few other Renesas now with not great results, so I'm not sure.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Updating GM EBCM Checksum

Post by Tazzi »

I've found when dealing with Renesas, I have to make sure the base address is set before decompiling, as the jump offsets are usually absolute values, so they will go to incorrect places and decompile incorrectly without it :)
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Updating GM EBCM Checksum

Post by antus »

I've been trying and trying and I think I might have found it. This is the largest routine when some chunks are disassembled as Intel 8051. Surely this has to be a real routine? I can see it is referencing hardware inputs. But having said that, some architectures just look better than others by fluke, too. I'll see if I can make any more sense of it, but I don't really know what the code should look like, and I'm not familiar with the platform. Loops and multiple selective code paths that then join back together do look right, as well as small code blocks followed by conditional branches. But there are nops in strange places, and I'm not sure if, for example, this could be a real routine with padding or not. Also, 8051 is a pretty old platform to be used in 2006.

Code:

                    ; CODE XREF: ROM_27B42-232↓p
ROM:2610D
ROM:2610D             ; FUNCTION CHUNK AT code:000060AC SIZE 00000020 BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:000060D5 SIZE 0000000F BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:000060E9 SIZE 00000003 BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:00006103 SIZE 00000002 BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:00006114 SIZE 00000003 BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:0000615F SIZE 00000003 BYTES
ROM:2610D             ; FUNCTION CHUNK AT code:00006701 SIZE 00000003 BYTES
ROM:2610D
ROM:2610D 20 30 A2                    jb      RAM_26.0, code_60B2
ROM:26110 00                          nop
ROM:26111 20 30 98                    jb      RAM_26.0, code_60AC
ROM:26114 00                          nop
ROM:26115 20 2F 38                    jb      RAM_25.7, code_6150
ROM:26118 00                          nop
ROM:26119 20 30 A8                    jb      RAM_26.0, code_60C4
ROM:2611C 00                          nop
ROM:2611D 20 30 A4                    jb      RAM_26.0, code_60C4
ROM:26120 00                          nop
ROM:26121 20 30 AC                    jb      RAM_26.0, code_60D0
ROM:26124 00                          nop
ROM:26125 20 30 AD                    jb      RAM_26.0, code_60D5
ROM:26128 00                          nop
ROM:26129 20 30 E8                    jb      RAM_26.0, code_6114
ROM:2612C 00                          nop
ROM:2612D 20 2E 80                    jb      RAM_25.6, code_60B0
ROM:26130 00                          nop
ROM:26131 20 30 3F                    jb      RAM_26.0, code_6173
ROM:26134 B5 FC 4C                    cjne    A, RESERVED00FC, code_6182+1 ; RESERVED
ROM:26137 DC 26                       djnz    R4, code_615F
ROM:26139 00                          nop
ROM:2613A 73                          jmp     @A+DPTR
ROM:2613A             ; End of function ROM_2610D
Attachments
8051.png
8051.png (21 KiB) Viewed 5777 times
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Updating GM EBCM Checksum

Post by kur4o »

antus wrote: I've been trying and trying and I think I might have found it. This is the largest routine when some chunks are disassembled as Intel 8051.

Try with this file. I compiled it the way it should be seen by the CPU. The first part is missing [boot lock]; I filled it with FFs. Any jump to that area will look weird.
Attachments
EBCM_09_fullBIN.bin
(480 KiB) Downloaded 232 times