E92 PCM Reverse Engineering

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

More learning....I'm trying to go through the code of the Mode 23, 27, etc to work out some of the logic and learn more about this assembly language. I have to say this is much more difficult to understand than CPU32 instructions.

I think I have the seed request working, and I'm just trying to follow along with the code to see how it decodes it and returns the appropriate response. Without Ghidra's decompile window I'm fairly certain I would be lost.

Here is the seed request and response for my PCM:

Code: Select all

[18:43:16.266] [637980001962660629] 00 00 07 E0 02 27 01
[18:43:16.281] [637980001962816878] 00 00 07 E8 04 67 01 5A 6F AA AA AA
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: E92 PCM Reverse Engineering

Post by Tazzi »

bubba2533 wrote:More learning....I'm trying to go through the code of the Mode 23, 27, etc to work out some of the logic and learn more about this assembly language. I have to say this is much more difficult to understand than CPU32 instructions.

I think I have the seed request working, and I'm just trying to follow along with the code to see how it decodes it and returns the appropriate response. Without Ghidra's decompile window I'm fairly certain I would be lost.

Here is the seed request and response for my PCM:

Code: Select all

[18:43:16.266] [637980001962660629] 00 00 07 E0 02 27 01
[18:43:16.281] [637980001962816878] 00 00 07 E8 04 67 01 5A 6F AA AA AA
If you need help understanding the CAN bus, more than happy to break it down.
But PPC with VLE is a lot harder to follow/decode than Motorola as used with the P01/P59 ECUs. I spent quite a few months going through examples, simulators and even uploading commands in a basic custom kernel to work out what specific opcodes were doing. VLE is still new to me, the commands themselves are basic but don't seem to decompile nicely sometimes.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Tazzi wrote: If you need help understanding the CAN bus, more than happy to break it down.
I think I'm getting it now, but I'm sure there will be more questions I have.
Tazzi wrote: But PPC with VLE is a lot harder to follow/decode than Motorola as used with the P01/P59 ECUs. I spent quite a few months going through examples, simulators and even uploading commands in a basic custom kernel to work out what specific opcodes were doing. VLE is still new to me, the commands themselves are basic but don't seem to decompile nicely sometimes.
This is definitely something I'm struggling with as well. If you have any resources please post them up. I'm relying so much on the decompile window that if it did something incorrect I don't think I would notice it.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

It would really help you to buy a copy of GMW3110. For $36, it's a bargain. As far as I know this is officially licensed by GM, so it's not leaked or bootleg or illegal. I've bought other standards docs from them as well. Just don't repost it anywhere, because it's watermarked with your name and this morse code looking thing that identifies it as your copy.

https://global.ihs.com/doc_detail.cfm?d ... y=00415169

It's GM's own diagnostic spec, meant for people who write scan tools and ECU code. It explains exactly how the messaging and code flow is supposed to work. They even include pseudo-code that lines up nicely with the Ghidra disassembly. It's not always exact because there are various implementation differences, but it'll get you well on your way.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: E92 PCM Reverse Engineering

Post by Tazzi »

bubba2533 wrote:
Tazzi wrote: If you need help understanding the CAN bus, more than happy to break it down.
I think I'm getting it now, but I'm sure there will be more questions I have.
Tazzi wrote: But PPC with VLE is a lot harder to follow/decode than Motorola as used with the P01/P59 ECUs. I spent quite a few months going through examples, simulators and even uploading commands in a basic custom kernel to work out what specific opcodes were doing. VLE is still new to me, the commands themselves are basic but don't seem to decompile nicely sometimes.
This is definitely something I'm struggling with as well. If you have any resources please post them up. I'm relying so much on the decompile window that if it did something incorrect I don't think I would notice it.
Biggest thing for me was understanding common opcodes like rlwinm (Rotate Left Word Immediate then AND with Mask), since this was used everywhere and caused massive headaches. I did have a great link I used to reference too which broke down the commands nicely, but I can't seem to see it in my bookmarks.
IBM has great examples though: https://www.ibm.com/docs/en/aix/7.1?top ... nstruction

Code: Select all

The following code rotates the contents of GPR 4 to the left by 2 bits and logically ANDs the result with a mask of 29 ones:
# Assume GPR 4 contains 0x9000 3000.
# Assume GPR 6 contains 0xFFFF FFFF.
rlwinm 6,4,2,0,0x1D
# GPR 6 now contains 0x4000 C000.
# Under the same conditions
# rlwinm 6,4,2,0xFFFFFFFC
# will produce the same result.
So it ends up looking like this: GP6 = (GP4<<2) && (0x1D).
Keeping in mind that the registers will wrap around when shifting, so bit 31 (counting from 0) will then move back to the bit 0 location if shifting by 1.

Next thing that blew my mind is that the data is stored in big endian format. This honestly kept breaking my head without examples. If you had the example of say, 0xC7, which in binary is 0b11000111, and you wanted to remove the lowest two bits, you would need to && this with a mask of 0 to 29 (0x3FFF FFFF), as this will have bits 30 and 31 as zero. Thus the end result would be 0b11000100 = 0xC4.

My E38 thread.. is a chronicle of a man slowly going mad working the above bullshit out.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
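An added Python model of rlwinm (my own code, not from any post in this thread) that builds the MB..ME mask in PowerPC's bit numbering (bit 0 is the MSB, so bits 0 to 29 give 0xFFFFFFFC), handles the wraparound case MB > ME that the IBM example does not show, and reproduces that example's result:

```python
# Added example (my own code, not from any post in this thread): a host-side
# model of the PowerPC rlwinm instruction for checking Ghidra output by hand.
# PowerPC numbers bits big-endian: bit 0 is the MSB and bit 31 is the LSB, so
# "bits 0 to 29" is the mask 0xFFFFFFFC, i.e. everything except the two LSBs.

MASK32 = 0xFFFFFFFF


def rotl32(value: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits; bits leaving bit 0 re-enter at bit 31."""
    n %= 32
    value &= MASK32
    if n == 0:
        return value
    return ((value << n) | (value >> (32 - n))) & MASK32


def mask_mb_me(mb: int, me: int) -> int:
    """Mask of ones from bit MB through bit ME in PowerPC numbering.

    General rule from the architecture: when MB > ME the mask wraps around,
    covering MB..31 and 0..ME (the IBM example above is the MB <= ME case).
    """
    def bit(i: int) -> int:
        return 1 << (31 - i)  # convert a big-endian bit index to a host bit

    if mb <= me:
        return sum(bit(i) for i in range(mb, me + 1))
    return sum(bit(i) for i in range(mb, 32)) | sum(bit(i) for i in range(0, me + 1))


def rlwinm(rs: int, sh: int, mb: int, me: int) -> int:
    """rlwinm rA,rS,SH,MB,ME  ->  rA = rotl32(rS, SH) & mask(MB, ME)."""
    return rotl32(rs, sh) & mask_mb_me(mb, me)


def rlwinm_mask(rs: int, sh: int, mask: int) -> int:
    """Extended-mnemonic form that takes the 32-bit mask directly."""
    return rotl32(rs, sh) & (mask & MASK32)


if __name__ == "__main__":
    # IBM's example: GPR4 = 0x90003000, rlwinm 6,4,2,0,0x1D -> 0x4000C000
    print(hex(rlwinm(0x90003000, 2, 0, 0x1D)))
    # Clearing the two lowest bits of 0xC7 (mask bits 0..29) -> 0xC4
    print(hex(rlwinm(0xC7, 0, 0, 29)))
    # A common decompiler idiom: extract the top byte (extrwi rA,rS,8,0) -> 0x12
    print(hex(rlwinm(0x12345678, 8, 24, 31)))
```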
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Gatecrasher wrote:It would really help you to buy a copy of GMW3110. For $36, it's a bargain. As far as I know this is officially licensed by GM, so it's not leaked or bootleg or illegal. I've bought other standards docs from them as well. Just don't repost it anywhere, because it's watermarked with your name and this morse code looking thing that identifies it as your copy.

https://global.ihs.com/doc_detail.cfm?d ... y=00415169

It's GM's own diagnostic spec, meant for people who write scan tools and ECU code. It explains exactly how the messaging and code flow is supposed to work. They even include pseudo-code that lines up nicely with the Ghidra disassembly. It's not always exact because there are various implementation differences, but it'll get you well on your way.
Ok, so I was able to find a copy of the 2010 edition of that document. It helped for sure and it seems accurate with everything I went through.

I was able to use Seed Key Brute Force Program that ironduke shared to find the key and get my PCM unlocked. I'm sure others already have figured out the GM seed/key algorithm, but I'm not that good.

I've played around with some of the other commands and had good luck. I'm not sure what my next step would be, but it seems that creating a test kernel of some sort would be a good milestone. I've never done anything like that before, so it'll be a learning experience. I think if I am able to download a very simple kernel that maybe just sends out a heartbeat message would be the first goal. I know there is something about keeping watchdogs happy, which is probably going to be the most difficult thing to figure out.

Here is a quick list of commands:
  1. Mode 3E - Periodic Tester Present (Done every 2 sec)
  2. Mode 28 - Disable Normal Comms
  3. Mode 27 - Request Seed
  4. Mode 27 - Send Key
  5. Mode A5 - Request Programming Mode
  6. Mode A5 - Enable Programming Mode
  7. Mode 34 - Request Download
  8. Mode 36 - Transfer Data and/or Execute (Only one I haven't tested)
To be able to do the Mode 36 I need:
  1. Target location of the kernel
  2. Create kernel
  3. - Send out heartbeat message
  4. - Reset watchdog timer
  5. - Waste time (some kind of NOP or something)
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: E92 PCM Reverse Engineering

Post by Tazzi »

bubba2533 wrote:To be able to do the Mode 36 I need:
  1. Target location of the kernel
  2. Create kernel
  3. - Send out heartbeat message
  4. - Reset watchdog timer
  5. - Waste time (some kind of NOP or something)
First thing, we need the processor's reference manual, as we have to identify all the desirable registers.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Tazzi wrote: First thing, we need the processor's reference manual, as we have to identify all the desirable registers.
Yeah, I was going off of what you posted actually (MPC5674RM). It's in the first post of the thread.

I haven't done much digging yet, but I know I'm going to be looking at that manual until my eyes hurt.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: E92 PCM Reverse Engineering

Post by Tazzi »

Quick look shows we have ram at: 0x4000_8000—0x4003_FFFF
canbus at: 0xFFFC_0000—0xFFFC_3FFF

and SWT Service Register (SWT_SR), which is our software watchdog: 0xFFF3_8000—0xFFF3_BFFF

For watchdog:

Code: Select all

Watchdog Service Code. This field is used to service the watchdog and to clear the soft lock bit
(SWT_MCR[SLK]). If the SWT_MCR[KEY] bit is set, two pseudorandom key values are written to service
the watchdog, see Section 17.4, “Functional Description”, for details. Otherwise, the sequence
0xA602 followed by 0xB480 is written to the WSC field. To clear the soft lock bit (SWT_MCR[SLK]), the value
0xC520 followed by 0xD928 is written to the WSC field.
This would be the bare essentials needed to make a message send back with a custom kernel.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

I mapped the FlexCAN memory locations and there are references to both A & B modules. I'm under the assumption that overriding any locations in RAM won't matter as there will be a reset when exiting the kernel.

The SWT memory range (0xFFF38000 - 0xFFF3BFFF) doesn't have any references at all. I even searched in memory for "FF F3" and still couldn't find anything valuable. This doesn't make me very confident that this is the correct reference manual. I was thinking maybe there is some code that wasn't disassembled so that's why I searched for "FF F3", but I'm lost at the moment so maybe I should take a break and come back to it.

Also I found this online tool which has helped convert back and forth between hex and ASM. https://disasm.pro/

And I found a reference for the instructions that includes instruction encoding. https://wiki.alcf.anl.gov/images/f/fb/P ... nt_2.3.pdf
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.