GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Looks like theres quite a few people having lots of success (emails and PMs sent to me).

If success/fails/everything be posted here.. that would be great. Much easier for me to answer back one location or keep track of how everyone is going.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by julespatch »

I've just bought 2 x E38's back to life. (AAKC - 12635862 - serv#12633238)
Both of them had scrambled vins and serial numbers and now they both have them back 100%!!!!!!!!

This was done with a genuine Ford VCM2 pass thru but would no doubt work with Tactrix, MDI, AVDI etc etc

I've attached the file I used to write them with too.

Good work badboy!!!!
Attachments
E38 2010.rar
(663.21 KiB) Downloaded 196 times
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by julespatch »

This is the log from the one I can't get in to. Out of all the bricks I had, this would have been the easiest but so far I've had no luck.
It's definitely not tunerlocked. It was flashed wrong and brought back to life with SPS(Vauxhall/LS2/LS3), but I think that's what scrambled it in the first place. I can load this one up in my paid SPS account and get it to want to start programming with a Holden VIN but choosing Chev out of the drop down list, but it fails. Reprogramming Error E4491 and E4423 - unknown reprogramming error 5 at step 0.

The Vauxhall SPS brought back one of the the other 2 I have earlier today but scrambled the vin and serial number - Tazzi's flasher has now restored that with my 2010 bin file.

[06:30:43:075] Checking if kernel already running
[06:30:43:075] Kernel not running
[06:30:43:090] Requesting VIN..
[06:30:43:106] VIN is: 6G1EK54H98L960615
[06:30:43:106] Requesting Serial..
[06:30:43:121] Serial is:
[06:30:43:121] Requesting OS..
[06:30:43:137] Operating System: 12619078
[06:30:43:137] Detected GM E38
[06:30:58:129] Checking if kernel already running
[06:30:58:269] Kernel not running
[06:30:58:269] Operating System: 12619078
[06:30:58:269] Starting tester present
[06:30:59:439] Disabling DTC Faults
[06:30:59:439] Requesting to disable vehicle chatter
[06:30:59:439] Checking ECU programmed state
[06:30:59:455] Programmed state is: 0x00
[06:30:59:455] Requesting to enter programming mode
[06:30:59:455] Requesting highspeed mode
[06:30:59:470] Performing Security Negotiation
[06:30:59:486] Incorrect key, opening custom key dialog
[06:31:07:085] User cancelled custom key dialog. Exiting read routine.
[06:36:09:132] Opened file: E:\TUNED FILES\VE SS SERIES 2 HENRY\E38 2010.bin
[06:36:15:594] Checking if kernel already running
[06:36:15:761] Kernel not running
[06:36:15:767] Operating System: 12619078
[06:36:15:772] Starting tester present
[06:36:16:875] Disabling DTC Faults
[06:36:16:880] Requesting to disable vehicle chatter
[06:36:16:887] Checking ECU programmed state
[06:36:16:892] Programmed state is: 0x00
[06:36:16:894] Requesting to enter programming mode
[06:36:16:899] Requesting highspeed mode
[06:36:16:903] Performing Security Negotiation
[06:36:16:918] Incorrect key, opening custom key dialog
[06:36:20:097] User cancelled custom key dialog. Exiting write routine.



[06:30:34:510] Initializing Envyous Customs J2534 Scantool
[06:30:34:526] DLL successfully loaded
[06:30:37:490] Connected to Scantool
[06:30:37:505] Firmware: 2.4.73
[06:30:37:505] API: 04.04
[06:30:37:505] DLL: 2.4.73.75
[06:30:37:505] Battery Voltage: 12.925
[06:30:59:470] Requested seed frame: 00,00,07,E8,67,01,10,00,
[06:30:59:470] Module seed is 0x1000
[06:30:59:470] Calculated key is 0x9802
[06:30:59:486] Key response frame: 00,00,07,E8,7F,27,36,
[06:30:59:486] Key Incorrect, Could be tuner locked
[06:36:16:911] Requested seed frame: 00,00,07,E8,67,01,10,00,
[06:36:16:911] Module seed is 0x1000
[06:36:16:911] Calculated key is 0x9802
[06:36:16:917] Key response frame: 00,00,07,E8,7F,27,36,
[06:36:16:918] Key Incorrect, Could be tuner locked
Attachments
15861646514314101383227309011557.jpg
15861646096284696684924115484952.jpg
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

oh, must be a recovery seed/key then maybe?? Wonder what the keys is...

shows as 0x1000... yet SPS says its 0000..

Wonder if the key is 0xEFFF.

Glad its working well for you!!!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by ironduke »

Works for my bench unit at work!!! Can't wait to get home and try the problematic one.. Nice!! Love how it came up with the save file name for me, excellent..

Looks like the ecu is in recovery but it had 1000 for a seed?? Weird how Tazzi's program comes up with the 0x1000 for seed and gmsps says it's 0000... I'm assuming his program looks to see if it's in recovery?? I thought that was when the seed is 0000 but its already unlocked?

Can you try a tuner lock key of 0000??? or even try 1000...
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by julespatch »

1000 worked. F me. Awesome!!!
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

OK sweet, I'm going to add trying to use the seed as the key in next version.

Very interesting!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

julespatch wrote:1000 worked. F me. Awesome!!!
Can I get a dump of that ecu? So I can try replicate it on my bench?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by julespatch »

ahh shit sorry, i got halfway thru it and stopped. just wrote straight over the top
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

No stress. I'll add the coding for trying seed as the alternative key anyways, just nice to be able to test and verify
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
Post Reply