Updating GM EBCM Checksum

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Sun Jan 31, 2021 5:29 am

You guys are great.

I had to run out of town, but I return tomorrow and I can post some more binaries I have that may help.

The two I originally posted are just the two different ones that are the most similar. I have others that vary by quite a bit, all same OS.

Catchup with you guys tomorrow.

Site Admin
User avatar
Posts: 6518
Joined: Sat Feb 28, 2009 8:34 pm

Re: Updating GM EBCM Checksum

Postby antus » Sun Jan 31, 2021 9:39 am

@kur40, I had a look at that file, but the closer I look the cracks appear. I think the 8051 instructions might be small enough that almost any random hex will convert in to op codes. There are nops where I wouldnt expect them, and code flow that doesnt look sain the closer I look. To many jumps for no logical reason like the disassembler is just running away. :thumbdown:
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Mon Feb 01, 2021 1:27 pm

kur4o wrote:I did some digging that might help you.

AT $C is 4 byte address that points to start of the segment. At $10 is the length of the segment.
At $2c is some range start-end[start points to start of segment, while end points to first byte of checksum].

I found some range pairs in the OS
at $4d7c4

00 07 00 14
00 00 40 14
00 00 00 24
00 00 3F EC
00 06 FF FC
00 07 7F FC

24-3fec boot block
4014-6fffc OS
70014-7fffc CALibration

TOo bad I have no idea what processor runs the code. If processor is known a disassembly can be made giving some clue about type of checksum calculation used.

Do you have more files ripped for comparison.


I attached a few more bins.

2328 is same chassis configuration as 2327. Just different engine and I think 4x2 vs 4x4.

2324 is different chassis type from all.


Please forgive as I haven't had time to sit and mentally process what you guys have looked at yet. I will shortly, although my disassembly skills are very minimal.

I did know that the technology(EBCM logic) is mid-2000s, I'm curious how that can be found in the binary? or was it possible to search the bin calid or similiar to find out?

I'm also working some paths to figure out the processor. I'm hoping I can run across some TRW documentation. The EBC460 is newer but should be similar- and is used all over the place.
Attachments
22902324.bin
(32 KiB) Downloaded 10 times
22902328.bin
(32 KiB) Downloaded 7 times

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Wed Feb 03, 2021 11:56 pm

There are two CPUs on the board. My understanding is limited but I believe one cpu is handling the sensor inputs and low level system calcs, and the other is the slave chip that is flashed with the GM specific cal files.

Either way-

CPU 1-
Infineon Orion D2
G1222
VE228203M04

CPU 2- edit- added info
Texas Instruments
Family is TMS470R1
https://www.ti.com/lit/ug/spnu554/spnu5 ... 2488397980

hoping you guys can do something now that the processors are known.

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Fri Feb 05, 2021 2:07 pm

kur4o wrote:I did some digging that might help you.

AT $C is 4 byte address that points to start of the segment. At $10 is the length of the segment.
At $2c is some range start-end[start points to start of segment, while end points to first byte of checksum].

I found some range pairs in the OS
at $4d7c4

00 07 00 14
00 00 40 14
00 00 00 24
00 00 3F EC
00 06 FF FC
00 07 7F FC

24-3fec boot block
4014-6fffc OS
70014-7fffc CALibration

TOo bad I have no idea what processor runs the code. If processor is known a dissasembly can be made giving some clue about type of checksum calculation used.

Do you have more files ripped for comparison.


do you think that the checksum may only cover the calibration block? is that typical?

Posts: 32
Joined: Tue Dec 03, 2019 3:58 am

Re: Updating GM EBCM Checksum

Postby turbo_bu » Fri Feb 12, 2021 4:55 am

Please forgive my limited knowledge in this area, this is probably a bad hack, but could you make the change to fix the tone wheel teeth, then go to a blank area of the code near by and adjust one of the bytes by the inverse amount so that the checksum doesn't need to change?

User avatar
Posts: 2347
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: Updating GM EBCM Checksum

Postby Tazzi » Sat Feb 13, 2021 2:08 pm

So long as you know where the checksum is, I have previously brute forced the checksum value by continuously flashing and increasing the checksum by one until its accepted.

Takes a long time but does work
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Thu Feb 18, 2021 1:45 am

turbo_bu wrote:Please forgive my limited knowledge in this area, this is probably a bad hack, but could you make the change to fix the tone wheel teeth, then go to a blank area of the code near by and adjust one of the bytes by the inverse amount so that the checksum doesn't need to change?


if the checksum is a simple sum, I think this would be adequate. Unfortunately, to the best of my current abilities, I don't think it is a simple sum. It could be a two part deal, but I'm really not sure.

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Thu Feb 18, 2021 2:13 am

Tazzi wrote:So long as you know where the checksum is, I have previously brute forced the checksum value by continuously flashing and increasing the checksum by one until its accepted.

Takes a long time but does work


The problem is, one a bad file is uploaded- the module goes into a 'soft brick' mode and if another bad file is tried it will brick. So you would have to upload a trial, then go back to a known good file, then back to another trial and so forth.

The checksum is 4 bytes. I'm not sure if it's a double deal where 2 bytes are a CRC and 2 bytes are a sum or something....all 4 bytes don't appear to be a single simple sum though.

The 4 byte CS is really throwing me off though. All the other modules in the truck are 2 byte sums.

I do know from the calibrations I have that when the overall sum of the flash barely changes, all 4 bytes of the checksum change drastically. So again, I'm not exactly sure what's going on.

I've tried a bunch of different summing strategies. I'm fairly handy in excel so I can mess around in there.

Posts: 13
Joined: Fri Oct 17, 2014 9:44 am

Re: Updating GM EBCM Checksum

Postby RADustin » Mon Feb 22, 2021 2:31 pm

Tazzi wrote:So long as you know where the checksum is, I have previously brute forced the checksum value by continuously flashing and increasing the checksum by one until its accepted.

Takes a long time but does work


do you think you could figure out the checksum algo? potentially for pay? I'm not looking for anything for free, but I would like to get my project up and going.

LMK, thanks.

PreviousNext

Return to Engineering and Reverse Engineering

Who is online

Users browsing this forum: No registered users and 3 guests