GM E38 Kernel/Bootloader Reverse Engineering Extravaganza

Posts: 407
Joined: Wed Mar 04, 2009 8:52 pm

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby ejukated » Thu Jul 18, 2019 10:04 pm

I think the factory reflash procedure is somehow already onboard because it's pretty hard to brick an E38, not like a P01 where the bootloader is sent to RAM, so if you drop power you lose comms.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 3:37 am

Ok soo... update time.

I can only flash after uploading the kernel. :thumbdown: Without doing the OS, flashing is 48 seconds.

BUT... I still stand by the kernel is not actually running the show.

It appears to be enabling an internal function/setting to allow flashing, since at no point does it run in a loop searching for CAN frames or actually transmit any CAN frames.

Next step is forcing the kernel to exit early, to find at what point it stops enabling writing.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 3:37 am

Can confirm the kernel has no checksum, so.. going to make some modifications.. and see what happens..

*edit
Well... a good 35% of the kernel is quite literally just FF's at the end... removed it all.. and it still runs fine. Seems kinda silly to have filled in that much rubbish.

Can also confirm it's definitely executing from location 0 of the kernel bin, since messing with any of those top bytes completely mucks it up.

It comes back saying accepted for the kernel uploaded, but then hangs after I send it some data and does nothing.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 1:10 pm

100% not going mad; after looking at a couple of other 'donated' kernels... they all address the CAN register and run from the kernel itself.

Whereas the GM one is enabling some sort of internal kernel.
I'm going to have to write a little app to do these command conversions for me as they break my skull in half:
insrwi r3, r20, 1,29

which is "Insert from right immediate". I seem to struggle wrapping my head around examples, or easily fuck up. Just need to make a quick app to convert what goes in r20, and pops out in r3.
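Added example, not code from the thread: a small Python model of the PowerPC rotate-and-mask instructions, so `insrwi r3, r20, 1,29` can be evaluated on sample register values. It goes a little beyond the one instruction in the post and covers rlwinm/rlwimi and the insrwi/extrwi extended mnemonics built on them; bit numbering is PowerPC's (bit 0 is the MSB, bit 31 the LSB).

```python
"""Model of PowerPC rlwinm / rlwimi and the insrwi / extrwi extended mnemonics.
Bit positions use PowerPC numbering: bit 0 is the most significant bit."""

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit value left by n bits (n is taken modulo 32)."""
    n &= 31
    return ((x << n) | (x >> ((32 - n) & 31))) & MASK32


def ppc_mask(mb, me):
    """MASK(mb, me): ones from bit mb through bit me in PowerPC numbering.
    If mb > me the mask wraps around bit 31 to bit 0, as the architecture defines."""
    m, b = 0, mb
    while True:
        m |= 1 << (31 - b)
        if b == me:
            return m
        b = (b + 1) & 31


def rlwinm(rs, sh, mb, me):
    """Rotate Left Word Immediate then AND with Mask: result for rA."""
    return rotl32(rs, sh) & ppc_mask(mb, me)


def rlwimi(ra, rs, sh, mb, me):
    """Rotate Left Word Immediate then Mask Insert: masked bits come from the
    rotated rS, all other bits keep rA's previous value."""
    m = ppc_mask(mb, me)
    return (rotl32(rs, sh) & m) | (ra & ~m & MASK32)


def insrwi(ra, rs, n, b):
    """insrwi rA,rS,n,b == rlwimi rA,rS,32-b-n,b,b+n-1: insert the n low-order
    bits of rS into rA starting at bit b. The post's insrwi r3,r20,1,29 is
    insrwi(r3, r20, 1, 29): bit 0 of r20 lands in bit 29 of r3 (value 0x4)."""
    return rlwimi(ra, rs, 32 - b - n, b, b + n - 1)


def extrwi(rs, n, b):
    """extrwi rA,rS,n,b == rlwinm rA,rS,b+n,32-n,31: extract n bits of rS
    starting at bit b into the low-order bits of rA."""
    return rlwinm(rs, b + n, 32 - n, 31)


if __name__ == "__main__":
    print(hex(insrwi(0x12345678, 0x1, 1, 29)))  # 0x1234567c
```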

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 4:38 pm

Ok I see.
The kernel is enabling the flash chip and memory options to allow flashing.

That is all it's basically doing. So.. once the MCU is allowed to flash the chip, the internal OS write function is allowed to run. If I was to take a stab at it, they have not included that enabling section in the OS function to prevent accidental writes etc.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 5:36 pm

... Magic numbers... I swear they will be the death of me.

So.. we have this line of instructions occurring quite a lot:

li r15, 0 //r15 = 0
li r3, 0xAA //r3=0xAA
li r9, 0x55 //r9=0x55
li r12, 0x80 //r12=0x80
stw r3, 0x1554(r15) //store word (r3=0000 00AA) to loc 0x1554
stw r9, 0xAA8(r15) //store word (r9=0000 0055) to loc 0xAA8
stw r12, 0x1554(r15) //store word (r12=0000 0080) to loc 0x1554
stw r3, 0x1554(r15) //store word (r3=0000 00AA) to loc 0x1554
stw r9, 0xAA8(r15) //store word (r9=0000 0055) to loc 0xAA8

Now.. the issue with the above... is addresses AA8 and 1554... go to fucking nothing in the memory map! Just some sort of magic wizard shit which seems to enable access to the flash chip. This seems to occur in all kernels I have seen.

I can't seem to find any reference to those magic numbers, but.. apparently required.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 5:44 pm

Love how there is quite literally no information in the cpu reference manual on this.

Commands are executed on AMD/Spansion FLASH devices by writing a command sequence to the
command registers of the FLASH.


"Switch an AM29BDD with <bus_width> long to ID mode."
"Data.Set 0xa0001554 %Long 0xaa
Data.Set 0xa000aa8 %Long 0x55
Data.Set 0xa0001554 %Long 0x90"

so.. it's doing the commands for the flash chip.

Makes zero sense why it's sending the data to where it is.

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sat Jul 20, 2019 5:55 pm

Ah no I see. I think...

Flash BEGINS at 0x08 0000.. that's the address used where data is stored.

Everything before that is basically just empty space used for commands to the flash chip since the MPC561/2 doesn't have internal flash.
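Added example (not code from the thread or from any kernel): a Python decoder that turns the stw address/value pairs from the posts above into named commands of the standard AMD/Spansion flash command set. It assumes a 32-bit data bus, which is why the standard unlock addresses 0x555 and 0x2AA show up multiplied by 4 as 0x1554 and 0xAA8; the 0xA0000000 flash window used for the ID-mode input is an assumed value, and all inputs are constructed.

```python
"""Decode AMD/Spansion-style flash command cycles: (byte address, value) writes
-> named commands. Assumes a 32-bit bus (unlock word addresses scaled by 4)."""

BUS_SHIFT = 2                          # 32-bit bus: byte address = word address << 2
UNLOCK1 = (0x555 << BUS_SHIFT, 0xAA)   # stw 0xAA -> 0x1554
UNLOCK2 = (0x2AA << BUS_SHIFT, 0x55)   # stw 0x55 -> 0x0AA8

# Third-cycle command codes of the standard command set (low byte of the word).
CMD3 = {0x90: "autoselect (ID mode)", 0xA0: "program setup",
        0x80: "erase setup", 0xF0: "read/reset"}
# Sixth cycle after erase setup: 0x10 at the unlock address, or 0x30 at a sector.
CMD6 = {0x10: "chip erase", 0x30: "sector erase"}


def decode(writes, base=0):
    """Walk the writes as a small state machine. `base` is the flash window
    address (0 for the kernel listing). Returns a list of decoded strings."""
    out, state = [], "unlock1"
    for addr, val in writes:
        rel, cmd = addr - base, val & 0xFF
        if state in ("unlock1", "erase_unlock1"):
            if (rel, cmd) == UNLOCK1:
                state = state.replace("unlock1", "unlock2")
            else:
                out.append(f"unexpected write 0x{cmd:02X} @ 0x{rel:X}")
                state = "unlock1"
        elif state in ("unlock2", "erase_unlock2"):
            if (rel, cmd) == UNLOCK2:
                state = "erase_cmd" if state.startswith("erase") else "cmd"
            else:
                out.append("broken unlock sequence")
                state = "unlock1"
        elif state == "cmd":
            out.append(f"{CMD3.get(cmd, f'unknown 0x{cmd:02X}')} @ 0x{rel:X}")
            # erase setup is followed by a second unlock pair and the erase command
            state = "erase_unlock1" if cmd == 0x80 else "unlock1"
        else:  # erase_cmd
            out.append(f"{CMD6.get(cmd, f'unknown erase 0x{cmd:02X}')} @ 0x{rel:X}")
            state = "unlock1"
    if state != "unlock1":
        out.append(f"incomplete sequence (waiting for {state})")
    return out


# Constructed inputs: the five stw cycles from the post, the same prefix completed
# with a sector erase at the 0x80000 data region, and ID mode at an assumed window.
KERNEL_SEQ = [(0x1554, 0xAA), (0xAA8, 0x55), (0x1554, 0x80), (0x1554, 0xAA), (0xAA8, 0x55)]
SECTOR_ERASE_SEQ = KERNEL_SEQ + [(0x80000, 0x30)]
WINDOW = 0xA0000000
ID_MODE_SEQ = [(WINDOW + 0x1554, 0xAA), (WINDOW + 0xAA8, 0x55), (WINDOW + 0x1554, 0x90)]
```

Run on KERNEL_SEQ the decoder reports an erase setup and then an incomplete sequence, showing that the five writes in the post are the prefix of an erase and the 0x10/0x30 cycle must follow elsewhere.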

Posts: 1112
Joined: Sun Mar 15, 2009 10:20 am
Location: Geelong, VIC

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby yoda69 » Sat Jul 20, 2019 6:51 pm

Way beyond me Tazzi, but looks like you’re making some progress :thumbup:

Posts: 1851
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sun Jul 21, 2019 4:15 am

yoda69 wrote: Way beyond me Tazzi, but looks like you’re making some progress :thumbup:

The more I look at it, the more it's making sense. At least stuff that appeared to be rubbish is now making sense.

I now have an understanding of:
- Setting up CAN buffers for reading and writing
- CAN register interrupts for detecting when a new frame is in.
- Enabling flash chip for erase/writing
- Reading from flash chip

Things I need to still learn:
- Set filter and mask registers so only messages of interest are read.
- How to identify when a CAN message has been sent successfully. A lot of kernels seem to just use a "delay" and just assume the message sent... really this is just lazy and inefficient.
- How to create functions in ASM. I understand how they work, saving link register/stack and other registers etc. But still don't actually understand how to create the actual function itself that gets called. Will need to find some PowerPC examples.
- What app to use to compile PPC ASM. Could just write it out in hex, but that's a whole other ballgame of difficulty.

See how we go.. I'd say I'm done for the night... or morning.. since it's 2:13am currently.. :lol:
