GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
ejukated
Posts: 443
Joined: Wed Mar 04, 2009 8:52 pm

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by ejukated »

I think the factory reflash procedure is somehow already onboard because it's pretty hard to brick an E38, not like a P01 where the bootloader is sent to RAM, so if you drop power you lose comms.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

Ok soo... update time.

I can only flash after uploading the kernel. :thumbdown: Without doing the OS, flashing is 48 seconds.

BUT... I still stand by the kernel is not actually running the show.

It appears to be enabling an internal function/setting to allow flashing, since at no point does it run in a loop searching for CAN frames or actually transmit any CAN frames.

Next step is forcing the kernel to exit early, to find at what point it stops enabling writing.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

Can confirm the kernel has no checksum, so.. going to make some modifications.. and see what happens..

*edit
Well... a good 35% of the kernel is quite literally just FF's at the end... removed it all.. and it still runs fine. Seems kinda silly to have filled in that much rubbish.

Can also confirm it's definitely executing from location 0 of the kernel bin, since messing with any of those top bytes completely mucks it up.

It comes back saying accepted for the kernel uploaded, but then hangs after I send it some data and does nothing.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

100% not going mad, after looking at a couple other examples online... they all address the CAN register and run from the kernel itself.

Whereas, the GM one is enabling some sort of internal kernel.
I'm going to have to write a little app to do these command conversions for me as they break my skull in half:
insrwi r3, r20, 1,29

which is "Insert from right immediate". I seem to struggle wrapping my head around examples, or easily fuck up. Just need to make a quick app to convert what goes in r20, and pops out in r3.
Last edited by Tazzi on Sat Feb 08, 2020 4:46 pm, edited 1 time in total.
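As an added example (not code from the thread or from any E38 tool), here is a Python model of the PowerPC rlwimi instruction and of the insrwi simplified mnemonic that expands to it, so the r20-to-r3 bit movement in the listing above can be checked against real register values. Bit numbers follow the PowerPC convention (bit 0 is the MSB, bit 31 the LSB).

```python
MASK32 = 0xFFFFFFFF

def rotl32(value, sh):
    """Rotate a 32-bit value left by sh bits (sh taken modulo 32)."""
    sh &= 31
    value &= MASK32
    return ((value << sh) | (value >> (32 - sh))) & MASK32 if sh else value

def ppc_mask(mb, me):
    """Mask with 1s from bit mb to bit me in PowerPC numbering.
    If mb > me the mask wraps around, as the ISA defines."""
    m = 0
    for bit in range(32):
        inside = (mb <= bit <= me) if mb <= me else (bit >= mb or bit <= me)
        if inside:
            m |= 1 << (31 - bit)
    return m

def rlwimi(ra, rs, sh, mb, me):
    """rlwimi rA, rS, SH, MB, ME: rotate rS left by SH, keep the bits
    selected by the MB..ME mask, and insert them into rA; every other bit
    of rA is left as it was."""
    mask = ppc_mask(mb, me)
    return (rotl32(rs, sh) & mask) | (ra & ~mask & MASK32)

def insrwi(ra, rs, n, b):
    """insrwi rA, rS, n, b is the simplified mnemonic for
    rlwimi rA, rS, 32-(b+n), b, b+n-1: the n low-order bits of rS are
    inserted into rA starting at bit b."""
    if not (1 <= n <= 32 and 0 <= b and b + n <= 32):
        raise ValueError("need 1 <= n <= 32 and b + n <= 32")
    return rlwimi(ra, rs, (32 - (b + n)) & 31, b, b + n - 1)

def insrwi_r3_r20_1_29(r3, r20):
    """The exact instruction from the kernel listing: insrwi r3, r20, 1, 29.
    Only bit 29 of r3 (value 4 in LSB-0 terms) changes, taking the LSB of r20."""
    return insrwi(r3, r20, 1, 29)
```

Constructed register values in the test below show that the instruction copies the lowest bit of r20 into bit 29 of r3 and leaves every other bit of r3 alone.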
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

Ok I see.
The kernel is enabling the flash chip and memory options to allow flashing.

That is all it's basically doing. So.. once the MCU is allowed to flash the chip, the internal OS write function is allowed to run. If I was to take a stab at it, they have not included that enabling section in the OS function to prevent accidental writes etc.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

... Magic numbers... I swear they will be the death of me.

So.. we have this line of instructions occur quite a lot:

li r15, 0 //r15 = 0
li r3, 0xAA //r3=0xAA
li r9, 0x55 //r9=0x55
li r12, 0x80 //r12=0x80
stw r3, 0x1554(r15) //store word (r3=0000 00AA) to loc 0x1554
stw r9, 0xAA8(r15) //store word (r9=0000 0055) to loc 0xAA8
stw r12, 0x1554(r15) //store word (r12=0000 0080) to loc 0x1554
stw r3, 0x1554(r15) //store word (r3=0000 00AA) to loc 0x1554
stw r9, 0xAA8(r15) //store word (r9=0000 0055) to loc 0xAA8

Now.. the issue with the above... is address AA8 and 1554... go to fucking nothing in the memory map! Just some sort of magic wizard shit which seems to enable access to the flash chip. This seems to occur in all kernels I have seen.

I can't seem to find any reference to those magic numbers, but.. apparently required.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

Love how there is quite literally no information in the cpu reference manual on this.
Commands are executed on AMD/Spansion FLASH devices by writing a command sequence to the
command registers of the FLASH.
"Switch an AM29BDD with <bus_width> long to ID mode."
"Data.Set 0xa0001554 %Long 0xaa
Data.Set 0xa000aa8 %Long 0x55
Data.Set 0xa0001554 %Long 0x90"

so.. it's doing the commands for the flash chip.

makes zero sense why it's sending the data to where it is.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

Ah no I see. I think...

flash BEGINS at 0x08 0000.. that's the address used where data is stored.

Everything before that is basically just empty space used for commands to the flash chip since the MPC561/2 doesn't have internal flash.
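An added example, not code from the thread, tying the "magic number" stw listing and the AM29BDD command sequence quoted in the two posts above together. It assumes the flash is on a 32-bit bus, so the standard AMD/Spansion command addresses 0x555 and 0x2AA (in 32-bit words) show up as the byte offsets 0x1554 and 0xAA8 that the kernel writes; the decoder converts the writes back to word addresses and names the command each unlock pair starts.

```python
# Standard AMD/Spansion command set: every command opens with two unlock
# cycles, then a command byte; erase needs a second unlock pair afterwards.
UNLOCK1 = (0x555, 0xAA)
UNLOCK2 = (0x2AA, 0x55)
COMMANDS = {0x90: "autoselect (read manufacturer/device ID)",
            0xA0: "program setup (next write is address/data)",
            0x80: "erase setup (expects a second unlock pair)",
            0xF0: "reset to read array mode"}

def decode_writes(writes, bus_bytes=4):
    """Take (byte_addr, value) pairs as written by stw and return one
    string per recognised command. bus_bytes=4 models the 32-bit AM29BDD
    bus that turns word 0x555 into byte offset 0x1554."""
    cycles = [(a // bus_bytes, v & 0xFF) for a, v in writes]
    events, i, erase_pending = [], 0, False
    while i < len(cycles):
        if cycles[i] == UNLOCK1 and i + 1 < len(cycles) and cycles[i + 1] == UNLOCK2:
            if i + 2 >= len(cycles):
                events.append("unlock pair (command byte not sent yet)")
                break
            addr, cmd = cycles[i + 2]
            if erase_pending:
                # Sixth cycle of an erase: 0x10 at 0x555 = chip, 0x30 at sector.
                if (addr, cmd) == (0x555, 0x10):
                    events.append("chip erase")
                elif cmd == 0x30:
                    events.append("sector erase at word 0x%X" % addr)
                else:
                    events.append("unexpected 0x%02X after erase setup" % cmd)
                erase_pending = False
            elif addr == 0x555 and cmd in COMMANDS:
                events.append(COMMANDS[cmd])
                erase_pending = cmd == 0x80
            else:
                events.append("unknown command 0x%02X at word 0x%X" % (cmd, addr))
            i += 3
        else:
            events.append("stray write 0x%02X to word 0x%X" % (cycles[i][1], cycles[i][0]))
            i += 1
    return events

# Constructed input: the five stw cycles from the kernel listing in the thread.
KERNEL_WRITES = [(0x1554, 0xAA), (0xAA8, 0x55), (0x1554, 0x80),
                 (0x1554, 0xAA), (0xAA8, 0x55)]
# Constructed input: the Lauterbach "ID mode" sequence quoted above.
ID_MODE_WRITES = [(0x1554, 0xAA), (0xAA8, 0x55), (0x1554, 0x90)]
```

Run over the kernel listing the decoder reports an erase setup followed by the second unlock pair, i.e. the listing stops one cycle short of the chip/sector erase byte.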
yoda69
Posts: 1215
Joined: Sun Mar 15, 2009 10:20 am
cars: 2004 VYII Acclaim Wagon V6 Auto LPG/Petrol
2004 VYII Berlina sedan V6 Auto
2005 VZ Monaro CV8 manual
Location: Geelong, VIC

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by yoda69 »

Way beyond me Tazzi, but looks like you’re making some progress :thumbup:
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Post by Tazzi »

yoda69 wrote: Way beyond me Tazzi, but looks like you're making some progress :thumbup:
The more I look at it, the more it's making sense. At least stuff that appeared to be rubbish is now making sense.

I now have an understanding of:
- Setting up CAN buffers for reading and writing
- CAN register interrupts for detecting when new frame is in.
- Enabling flash chip for erase/writing
- Reading from flash chip

Things I need to still learn:
- Set filter and mask registers so only messages of interest are read.
- How to identify when a CAN message has sent successfully. A lot of kernels seem to just use a "delay" and just assume the message sent... really this is just lazy and inefficient
- How to create functions in ASM. I understand how they work, saving link register/stack and other registers etc. But still don't actually understand how to create the actual function itself that gets called to. Will need to find some powerpc examples.
- What app to use to compile PPC ASM. Could just write it out in hex, but that's a whole other ballgame of difficulty.

See how we go.. I'd say I'm done for the night... or morning.. since it's 2:13am currently.. :lol: