Updating GM EBCM Checksum

[Gatecrasher]

It's actually helping me understand ARM disassembly a little better. It'll benefit me in some other projects down the road.

I wish your controller didn't use a BGA chip. My BCM used a QFP package, so I was able to trace out the JTAG pins. In your photo, there's a little 6 pin footprint that might be it. Do you have some hardware part numbers for similar controllers? Did the 1500s use the same hardware? I might see if I can pick one up cheap.

[RADustin]

It's actually helping me understand ARM disassembly a little better. It'll benefit me in some other projects down the road.

I wish your controller didn't use a BGA chip. My BCM used a QFP package, so I was able to trace out the JTAG pins. In your photo, there's a little 6 pin footprint that might be it. Do you have some hardware part numbers for similar controllers? Did the 1500s use the same hardware? I might see if I can pick one up cheap.

they didn't. only 2500 vans,trucks, and suburbans and some 3500 trucks I believe. The earlier 07+ to 2010 2500 trucks MAY have used the same hardware but this is not well understood and not worth the gamble IMO.

'ABS Pumps' are ~$80ish on ebay. I got one for $50 before though... I've bought quite a few so far but I don't have an extra handy to mail to you.

Before I setup the brute force attack, I'll probably take this newest one apart and see what I can see. I do agree, there has to be a JTAG port; it's just a matter of finding it. I have a feeling it may be under one of the solenoid valves.

Do you have hardware for dumping through the JTAG pins? I may need to buy that in prep for dumping it. I'm sure I can get the dump and post it so you don't need to worry about it- just need a little direction.

Thanks again.

[Gatecrasher]

I did mine with a BusPirate. It wasn't able to reliably control the CPU, but I got it to work well enough to dump the memory. You can't beat it for the price.

[RADustin]

I did mine with a BusPirate. It wasn't able to reliably control the CPU, but I got it to work well enough to dump the memory. You can't beat it for the price.

OK once this brute force deal is up and running I'll start looking into that.

[Gatecrasher]

I'm done with the flash kernel. It's basically an implementation of this:

https://e2e.ti.com/cfs-file/__key/commu ... 00_api.pdf

So no checksum routine.

I'm going to go back and look at the main flash dump again. But it's looking really likely this is in the on-chip bootloader.

[RADustin]

I'm done with the flash kernel. It's basically an implementation of this:

https://e2e.ti.com/cfs-file/__key/commu ... 00_api.pdf

So no checksum routine.

I'm going to go back and look at the main flash dump again. But it's looking really likely this is in the on-chip bootloader.

Ok cool. I’ll be looking into jtag and dumping the chip shortly.

The brute force tool is currently running just to see what I can come up with. Not killing the service tool present messages after a bad flash caused me lots of pains, but I eventually realized my mistake and things are running. I started the checksum about decimal 250 counts below the OEM checksum value with the byte of interest within flash incremented by 1. I think the checksum should increase in value if the flash value increases but who knows, just started a little low just incase. We’ll see what it turns up with, if anything.

[RADustin]

looks like a J link edu is about 60bucks. I think that may give me the least amount of fuss and work fine since I'm just in this endeavor to get my personal project running (and to learn, much appreciated everyone).

biggest I concern I see with going through JTAG is that it may be blocked. Much of the literature from TI recommends to lock the port, although I'm not sure if TRW/General motors did so. I guess we'll have to find out one way or the other. I need to search the board for a jtag header or pins, I'll pause the brute force and take a look today.

The brute force tool is about 5,800 iterations in. I think I'll stop it around 10,000(assuming it doesn't land) and change directions and go 10,000 iterations down- see if anything is there.

[RADustin]

cleaned the board from all the solenoids and connectors that are on the bottom. I was really hoping there would be an obvious JTAG header...but I don't see one.

attached some pics.

[RADustin]

I'm done with the flash kernel. It's basically an implementation of this:

https://e2e.ti.com/cfs-file/__key/commu ... 00_api.pdf

So no checksum routine.

I'm going to go back and look at the main flash dump again. But it's looking really likely this is in the on-chip bootloader.

you have any pics of what your JTAG port looked like for the BCM?

and were any of the pads tied high or low that you had to bust free to use it?

[Gatecrasher]

Mine wasn't obvious. I traced the pins back to vias and soldered wires to those. My chip was a QFP package, so I was able to trace the pins out. I didn't have to remove any resistors to make it work.

That unpopulated 14 pin pad near the main connector looks promising.