14-18 GM BCM Renesas V850 register setup

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

14-18 GM BCM Renesas V850 register setup

Post by gmtech825 »

Working on the remote start timer for this generation of trucks, and possibly other features as well, but I'm running into problems with disassembly. There are a large number of data parameters that don't get referenced in the cal segments, and I believe it's because I need to set a couple of register values (GP, TP?). I'm hoping someone can help me verify that and calculate these values.

If you open the bin in Ghidra (V850 processor type), go to 0x8260 and decompile, I believe that jump is the entry point. It should jump to 0x2E940. You should see it setting up the registers. I'm not good at assembly and don't trust myself to calculate these values correctly. It also looks like at 0x2E88C there is more manipulation of these registers.

https://www.renesas.com/us/en/document/ ... anguage=en
https://www.renesas.com/us/en/document/ ... anguage=en
Attachments: v850 register setup 1.PNG; 2016 Escalade BCM OS and CAL file.bin (2 MiB)
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by Gatecrasher »

Is that bin file reconstructed from SPS files, or is it a full read of the actual chip? I ask because the stuff you're after may be set up in the bootloader segment.

Is this a V850E2/FK4? The chip would be labeled uPD70F3558M1.

I'll try to take a look at it later tonight.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: 14-18 GM BCM Renesas V850 register setup

Post by Tazzi »

Hmm, I thought the chips were V850E2/J series, but it's been some time since I looked at those processors. The reference manuals for the ones used in the BCM and infotainment systems are hidden behind non-disclosure agreements, so they are not given out easily.
Needed the reference manual to try to understand all the references and registers, but it's kinda hard without it!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by Gatecrasher »

You had me doubting myself. So I opened up my 2016 Corvette BCM and it's definitely a V850E2/FK4. All the docs, including the user manual are available here: https://www.renesas.com/us/en/products/ ... ry=visible

The HMI 2.5 modules use a V850E2/FJ4 which is part of the same family. Some of the really late HMI 2.5s switched to an RH850 chip though.

I really think we need the bootloader to do this correctly. I've got an idea to get it.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by Gatecrasher »

Now I remember why I hate V850s. Everything is complicated on them. I'm no longer convinced we need the bootloader, but I went ahead and got it out of my BCM anyway. It's attached. You can see if yours is the same part number by using mode $1A $C0. I'm reasonably confident it's accurate, but I haven't found the checksum to double check it.

I can't find a straightforward explanation of how this thing starts executing code straight out of reset. I think it starts at 0x0, but that's confusing because the very first instruction in the bootloader is a mov from r2 to r0. How can there be anything in r2 if it's coming out of a cold start? Then it jumps to a sub that sets up the GP and TP similar to your example. But it all gets reworked at 0x2E940 anyway, so I'm not sure it's relevant.

Anyway, this is my best guess so far. It puts the GP at a point near the beginning of RAM, and the TP to flash, and the SP near the end of RAM.

Code:

                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_0002e940()
             undefined         r10:1          <RETURN>
                             FUN_0002e940                                    XREF[2]:     FUN_000048b4:000048ea(c), 
                                                                                          000092e0(*)  
        0002e940 40 26 de fe     movhi      -0x122,r0,gp          // gp = r0 + (0xFEDE << 16) = 0xFEDE0000
        0002e944 24 26 14 c2     movea      -0x3dec,gp,gp         // gp += sign-extended -0x3DEC -> gp = 0xFEDDC214
        0002e948 40 2e 19 00     movhi      0x19,r0,tp            // tp = r0 + (0x0019 << 16) = 0x00190000
        0002e94c 25 2e 98 2e     movea      0x2e98,tp,tp          // tp += 0x2E98 -> tp = 0x00192E98
        0002e950 40 1e e0 fe     movhi      -0x120,r0,sp          // sp = r0 + (0xFEE0 << 16) = 0xFEE00000
        0002e954 23 1e d4 ef     movea      -0x102c,sp,sp         // sp += sign-extended -0x102C -> sp = 0xFEDFEFD4
        0002e958 1c 0a           mov        -0x4,r1               // r1 = 0xFFFFFFFC (imm5 sign-extended)
        0002e95a 41 19           and        r1,sp                 // sp &= ~3: force 4-byte alignment, sp stays 0xFEDFEFD4
        0002e95c 80 ff 04 00     jarl       thunk_FUN_0002e870,lp                            undefined thunk_FUN_0002e870()
The architecture manual describes the TP and GP like so:

r4 = gp = global pointer. Used when accessing global variables in the data area.
r5 = tp = text pointer. Used as a register that indicates the start of the text area (the area where program code is placed).

So I think the flash file needs to be chopped up and rearranged a bit, but I don't know exactly how just yet.
Attachments: MY16 BCM bootloader 13586286.bin (32 KiB)
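The arithmetic in the listing above can be checked mechanically instead of by hand. The script below is an added example, not code from the thread, from Renesas or from Ghidra: it takes the raw instruction bytes from the 0x2E940 listing (copied in as a constructed byte string), decodes the three V850 instruction formats that prologue uses (Format I reg-reg, Format II imm5, Format VI imm16 with movhi/movea) and emulates them over a 32-register file to get the final gp, tp and sp. The opcode field values are taken from the V850E2 architecture manual as I remember them and are cross-checked here against the mnemonics Ghidra printed for the same bytes. The disp16 window helper is my addition: V850 ld/st instructions take a signed 16-bit displacement off a base register, so it reports which data (for gp) or code (for tp) range base-relative references can reach.

```python
"""V850E2 gp/tp/sp recovery from the prologue at 0x2E940 (added example)."""
import struct

# Constructed input: the eight instructions from the listing at 0x2E940, as
# little-endian halfwords exactly as they appear in the Ghidra byte column.
# The closing jarl is left out; it does not touch gp/tp/sp.
SETUP_BYTES = bytes.fromhex(
    "4026defe"  # movhi -0x122,r0,gp
    "242614c2"  # movea -0x3dec,gp,gp
    "402e1900"  # movhi 0x19,r0,tp
    "252e982e"  # movea 0x2e98,tp,tp
    "401ee0fe"  # movhi -0x120,r0,sp
    "231ed4ef"  # movea -0x102c,sp,sp
    "1c0a"      # mov -0x4,r1
    "4119"      # and r1,sp
)

MASK32 = 0xFFFFFFFF
SP, GP, TP = 3, 4, 5  # ABI names for r3, r4, r5

# Opcode field (bits 10..5 of the first halfword) for the formats supported here.
FMT_I = {0x00: "mov", 0x0A: "and", 0x0E: "add"}        # 16-bit, reg1 -> reg2
FMT_II = {0x10: "mov", 0x12: "add"}                    # 16-bit, imm5 -> reg2
FMT_VI = {0x30: "addi", 0x31: "movea", 0x32: "movhi"}  # 32-bit, imm16, reg1 -> reg2


def sext(value, bits):
    """Sign-extend a `bits`-wide field to a Python int."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode(code, pc):
    """Decode one instruction at `pc`. Returns (length, mnemonic, reg2, reg1, imm)."""
    hw = struct.unpack_from("<H", code, pc)[0]
    reg2, opc, reg1 = hw >> 11, (hw >> 5) & 0x3F, hw & 0x1F
    if opc in FMT_VI:                      # imm16 lives in the second halfword
        imm16 = struct.unpack_from("<H", code, pc + 2)[0]
        return 4, FMT_VI[opc], reg2, reg1, imm16
    if opc in FMT_II:                      # the reg1 field holds a signed imm5
        return 2, FMT_II[opc], reg2, None, sext(reg1, 5)
    if opc in FMT_I:
        return 2, FMT_I[opc], reg2, reg1, None
    raise ValueError(f"unsupported opcode 0x{opc:02x} at offset 0x{pc:x}")


def execute(code):
    """Run the byte string through a 32-register file; r0 is hard-wired to zero."""
    regs = [0] * 32
    pc = 0
    while pc < len(code):
        length, mnem, reg2, reg1, imm = decode(code, pc)
        if mnem == "movhi":                # reg2 = reg1 + (imm16 << 16)
            regs[reg2] = regs[reg1] + (imm << 16)
        elif mnem in ("movea", "addi"):    # reg2 = reg1 + sign-extended imm16
            regs[reg2] = regs[reg1] + sext(imm, 16)
        elif mnem == "mov" and reg1 is None:
            regs[reg2] = imm
        elif mnem == "add" and reg1 is None:
            regs[reg2] = regs[reg2] + imm
        elif mnem == "mov":
            regs[reg2] = regs[reg1]
        elif mnem == "and":
            regs[reg2] = regs[reg2] & regs[reg1]
        elif mnem == "add":
            regs[reg2] = regs[reg2] + regs[reg1]
        regs[reg2] &= MASK32
        regs[0] = 0
        pc += length
    return regs


def setup_registers(code=SETUP_BYTES):
    """Final gp/tp/sp after the prologue; these are the values to hand to Ghidra."""
    regs = execute(code)
    return {"gp": regs[GP], "tp": regs[TP], "sp": regs[SP]}


def disp16_window(base):
    """Inclusive address range reachable by a signed 16-bit displacement from `base`.

    V850 ld.* / st.* use disp16[reg1], so this is the data (gp) or code (tp)
    window that base-relative instructions can touch without reloading the base.
    """
    return (base - 0x8000) & MASK32, (base + 0x7FFF) & MASK32


if __name__ == "__main__":
    r = setup_registers()
    for name in ("gp", "tp", "sp"):
        lo, hi = disp16_window(r[name])
        print(f"{name} = 0x{r[name]:08X}   disp16 window 0x{lo:08X}..0x{hi:08X}")
```

Running it reproduces the values in the listing's comments (gp = 0xFEDDC214, tp = 0x00192E98, sp = 0xFEDFEFD4) and shows that gp-relative loads can only reach 0xFEDD4214..0xFEDE4213 and tp-relative references 0x0018AE98..0x0019AE97. In Ghidra, selecting the code range and using Set Register Values on gp and tp with these numbers is what lets the disp16[gp] and disp16[tp] references resolve into cross-references; that is my suggested next step, not something the thread has confirmed yet. Feeding the 0x2E88C sequence through `execute` the same way would show whether it ends up with different values.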
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by Gatecrasher »

Drill down to 0x2E88C. It screws with both registers again, in an even more complicated way. :roll:

And again at 0x2E940.

That's just what I found on a quick glance. There's probably more.

This might be helpful going forward. https://blog.willemmelching.nl/carhacki ... /vw-part2/
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: 14-18 GM BCM Renesas V850 register setup

Post by Tazzi »

Gatecrasher wrote:You had me doubting myself. So I opened up my 2016 Corvette BCM and it's definitely a V850E2/FK4. All the docs, including the user manual are available here: https://www.renesas.com/us/en/products/ ... ry=visible

The HMI 2.5 modules use a V850E2/FJ4 which is part of the same family. Some of the really late HMI 2.5s switched to an RH850 chip though.

I really think we need the bootloader to do this correctly. I've got an idea to get it.
I'm sure the BCMs in our VFs used something slightly different, but I believe regardless they all would use the same registers, being the same family of chips.


Is the whole bootloader disassembling correctly? Or is there a heap of code it stops on?
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by Gatecrasher »

I think I've seen some BCMs with Bosch logos, so maybe it's just a supplier difference?

I was just trying to help gmtech out. There are big blocks that disassemble, but others that don't. I don't know if they're data or what. I haven't done any real detailed checking on this code because it's such a pain. Even if the code disassembles, the cross references will be broken without accurate TP and GP references.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 14-18 GM BCM Renesas V850 register setup

Post by gmtech825 »

Thanks for the replies so far. The file posted was made from SPS files, so no boot, which you already gathered I think. I don't have the vehicle it came from to check the boot software number. I do have a bench BCM from a '15 Tahoe I can compare to, but for some reason I'm having trouble getting it to talk on the bench. I'm missing something, a wake-up signal or ground maybe. Need coffee, then maybe I'll try again.