GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.

Post by ironduke »

If I get time this week I am going to pull out my BDM tool and see if this works on my bricked E38..

I found out I had a poor ground on my bench harness, I may not have killed it trying to write to it. No idea what would have happened if I lost the ground while writing.. Even with good wiring it's bricked though, can see the CAN lines jump up in voltage slightly when turning the ign on, but both are flat lined..


Oh ya.. still working on figuring out how to actually access the J2534 with c or c++ so I'm just playing around with elm327 and another E38.. trying to get it to where I can push a kernel to it.. I know it's probably not going to work, lol.. but go ahead and read along if you're bored..

I'm using processing for now only because I am familiar with using it for serial connections.

I can get correct responses all the way thru request download request "07 e0 34 00 00 15 40" and finally got that worked out so I get the 74 response, but the next one that sends the address has me stumped? lol. Comparing logs and trying different messages to even get a response.. Need to read up more on that.. Daniel's PowerPCM program sends the entire kernel in 7 byte pieces somehow, thought I would try the same with just the gm kernel for now (a lot smaller and easier for me to work with, lol).. I am not even to the point of sending the kernel though.. I'll keep on playing with it.. If I use his program to install the kernel then I can run a processing program to dump the flash, takes about 14 minutes though, lol.. This is with an elm running 115,200.. running 500k and optimizing for larger packets actually slowed it down, I am sure my coding is to blame..

Sorry for getting kinda off topic.. Just trying to follow along a little on my own..
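
Added example, not part of the original post or of any program it mentions: the "7 byte pieces" pattern matches standard ISO 15765-2 (ISO-TP) segmentation over 8-byte CAN frames, sketched here with the receiver's flow-control frame decoded as well. The function names and the 0x00 padding byte are assumptions, and the test treats the post's leading "07 e0" as the CAN ID rather than payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAD 0x00 /* assumed padding byte; tools differ on this */

/* Split a payload into 8-byte ISO-TP frames.
 * Returns the number of frames written, or -1 on error. */
int isotp_segment(const uint8_t *data, size_t len,
                  uint8_t frames[][8], size_t max_frames)
{
    if (len == 0 || len > 4095) return -1;      /* length field is 12 bits */
    size_t need = (len <= 7) ? 1 : 1 + len / 7; /* FF holds 6 bytes, CFs 7 */
    if (need > max_frames) return -1;
    memset(frames, PAD, need * 8);
    if (len <= 7) {                             /* single frame: PCI 0x0L */
        frames[0][0] = (uint8_t)len;
        memcpy(&frames[0][1], data, len);
        return 1;
    }
    frames[0][0] = 0x10 | (uint8_t)(len >> 8);  /* first frame: 0x1 + len */
    frames[0][1] = (uint8_t)(len & 0xFF);
    memcpy(&frames[0][2], data, 6);
    size_t off = 6, n = 1;
    /* consecutive frames: PCI 0x2N, sequence number wraps 0xF -> 0x0 */
    for (uint8_t seq = 1; off < len; n++, seq = (seq + 1) & 0x0F) {
        size_t chunk = (len - off < 7) ? len - off : 7;
        frames[n][0] = 0x20 | seq;
        memcpy(&frames[n][1], data + off, chunk);
        off += chunk;
    }
    return (int)n;
}

/* Decode the receiver's flow-control frame, which must arrive after the
 * first frame before any consecutive frame is sent.
 * Returns 0 = continue, 1 = wait, 2 = overflow, -1 = not flow control. */
int isotp_flow_control(const uint8_t fc[8], uint8_t *block_size,
                       uint8_t *st_min)
{
    if ((fc[0] & 0xF0) != 0x30) return -1;
    *block_size = fc[1]; /* 0 means send all remaining frames */
    *st_min = fc[2];     /* minimum gap between consecutive frames */
    return fc[0] & 0x0F;
}
```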

Post by In-Tech »

Tazzi wrote: That's the flash there!
I've tried pulling pins down low etc. but it never goes into a 'recovery' state.

Interesting bdm document though, haven't seen that one before
Well shoot, I thought I read that you were using a pin when you were trying to revive your e38, misunderstood...so I guess you were software attacking it to beat it into submission?

I'm milling open an e92 later this week. Do we already know what flash chip that one uses? I'm dreaming but do we know much about the e90?

Post by In-Tech »

Is INCA by ETAS a bad word around here? :study:

Oh, does the E67 use the same flash chip as the e38?

Another note, the e90 can be had at rockauto for ~$200. Of course it's blank but I'll save up some more pennies and cut one open some day.
ACDELCO 12703685 {#12690388} GM Original Equipment

Post by kur4o »

In-Tech wrote:Is INCA by ETAS a bad word around here? :study:
Something I have been looking for, for a long time. Isn't that the tool used for making calibrations into reality?

Instead of milling the case, why not just desolder the connectors' pins?


About the ground pin for recovery mode. It must be the address line pin between memory and cpu that matches the last segment of the bin. Grounding the pin forces pcm to read the last 8 bytes [where the recovery mode checkword is located] as FFs and boot into recovery mode.

Post by In-Tech »

I'll start another thread if there isn't a simple answer. I've got a tuner locked e38 here that I'd like to fix. I stumble along through a lot of this but I couldn't tell if you can ground an address line, maybe pin 20 or pin 45? Attached is the chip info .pdf

Post by Tazzi »

kur4o wrote: Something I have been looking for, for a long time. Isn't that the tool used for making calibrations into reality?

Instead of milling the case, why not just desolder the connectors' pins?


About the ground pin for recovery mode. It must be the address line pin between memory and cpu that matches the last segment of the bin. Grounding the pin forces pcm to read the last 8 bytes [where the recovery mode checkword is located] as FFs and boot into recovery mode.
I tried holding the last address pin low, and the ECU does not boot at all. In fact.. I tried every pin :lol:

As soon as I let go of the address pin, it boots and begins communicating. ECU still uses same seed/key and information. It just reboots.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by Tazzi »

In-Tech wrote: Well shoot, I thought I read that you were using a pin when you were trying to revive your e38, misunderstood...so I guess you were software attacking it to beat it into submission?

I'm milling open an e92 later this week. Do we already know what flash chip that one uses? I'm dreaming but do we know much about the e90?
I was referring to recovering the bad flash.. which I ended up using a spare flash chip I had, soldered wires to the back side of the board and held the reset pin of the 'onboard' flash to ground.

Basically it was a super duper dodgy method of hotswapping the memory chips. Once the kernel was up and running, I could disconnect the wired in flash and let the kernel write over the onboard flash.

Technically.. if someone made a custom PCB with the correct pin spacing.. this could be made to be a plug-on board to do it :thumbup:

I just received an E92 the other day, but yet to open it. No idea about the E90.. I couldn't find one that was less than $400aud (although that's now 200usd due to how bad the aussie dollar is right now). :wtf:

Post by In-Tech »

Pretty clever :thumbup:
I found this adaptor https://www.epboard.com/eproducts/protoadapter1.htm further down the page is an E80-0205, sucks they only have the small pics, could solder a good flash to that and then would still have to make a way to get it to the needed pins. How many pins/wires did you have to use? Found this too https://www.proto-advantage.com/store/p ... id=3100149

I'm going to have some boards made soon for another project. I could add this idea to those boards and then just cut the boards. I did that on my old max233/7407 serial boards I made years back. It was basically the same price for 100 boards with 4 circuits on each board then I cut them myself and that gave me 400 circuit boards. These circuits were pretty small, fit inside a db9 shell. :geek:

Post by In-Tech »

Tazzi, the more I think about this, the more I like it. I'll dig out my bga crap and see what my 80 pin stuff is. For me that will decide if I use the 9 x 11, or 11 x 13 sized bga instead of the PQFP footprint. Then I can have some adapter boards made using some pins placed where you were attaching to the original PQFP footprint on the bottom of the board. So, again, curious what all you hooked up to accomplish that great task you did. Thinking this type of thing might be useful in next gen stuff too. I can make up a big handful of these and give them out to all the interested parties here.

Post by In-Tech »

One last question, looking at the datasheet and chips easily had... The suffix QFM01 is what we have now and looks like its reply would be 7E08 and if suffix is QFM11 the reply would be 7E36


Autoselect ID Option (15th Character)
0 = 7E, 08, 01/00 Autoselect ID
1 = 7E, 36, 01/00 Autoselect ID 
Is that a big deal and I should only try to get ones ending in 01? I've got the rest of the part number worked out for the package just curious on this last part.