GM E38 Kernel/Bootloader Reverse Engineering Extravaganza


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sun Jul 21, 2019 4:23 am

But as before, the GM kernel doesn't do any of this. It simply enables the flash chip for flashing. Then the OS routine can do the rest. This would have to be a safety precaution, so the flash enable can't be done without sending a kernel.

So.. the smartest and fastest option would be to just make a kernel which enables the flash then exits. Would need to double check if there's any other special functions happening with the GM one again now with a better understanding, but from what I have seen, it turns off a few other interrupts plus some housekeeping, then just works. Wouldn't be surprised if there's a 'magic number' in there for the ECU to accept writing data.

*edit
One thought before I pass out. What if the GM kernel is uploaded to RAM, but it's only executed once the next mode 36 frame is sent, which is at a different RAM offset? Mmm... still wouldn't make sense with what the serial data is all about, plus it never accesses the CAN registers. But the kernel itself is almost broken into multiple functions.. as in you could start the kernel in multiple locations depending on the task/function you wanted it to do.
There are multiple locations which have no previous call to them, but yet have a blr (basically return from function). So it would make sense if the actual functions could be manually addressed by the scantool once the kernel is sitting in RAM.

Will be tomorrow's job to see if that actually matches up with the logs.
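The "blr with no call to it" observation above is a heuristic you can automate when triaging a PPC blob. The following is an added example, not code from the thread or from the GM kernel: it scans a big-endian PowerPC32 image for `bl`/`bla` targets (primary opcode 18, LK=1), then reports every word that directly follows an unconditional `blr` (0x4E800020) but is never the target of a `bl`. Those are the candidate "manually addressed" entry points. The sample blob and the load base of 0 are constructed for the demonstration; conditional returns (e.g. `beqlr`) and branches through the CTR are deliberately not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPC_BLR 0x4E800020u     /* bclr 20,0,0: unconditional return */

/* Read one big-endian 32-bit PPC instruction word. */
static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* If w is bl/bla (I-form, opcode 18, LK=1), store its target and return 1. */
static int bl_target(uint32_t w, uint32_t pc, uint32_t *target)
{
    if ((w >> 26) != 18 || (w & 1) == 0)
        return 0;
    int32_t li = (int32_t)(w & 0x03FFFFFCu);   /* 24-bit LI field, already times 4 */
    if (li & 0x02000000)                       /* sign-extend the top LI bit */
        li -= 0x04000000;
    *target = (w & 2) ? (uint32_t)li : pc + (uint32_t)li;  /* AA: absolute or relative */
    return 1;
}

/* Collect words that directly follow a blr but are never the target of a bl.
   Returns how many candidates were written to out (at most max). */
int find_entry_candidates(const uint8_t *blob, size_t len, uint32_t base,
                          uint32_t *out, int max)
{
    uint32_t targets[256];
    int ntargets = 0, nout = 0;
    size_t nwords = len / 4;

    /* Pass 1: every bl target is a function entry that IS called from inside. */
    for (size_t i = 0; i < nwords; i++) {
        uint32_t pc = base + (uint32_t)(i * 4), t;
        if (bl_target(rd32be(blob + i * 4), pc, &t) && ntargets < 256)
            targets[ntargets++] = t;
    }
    /* Pass 2: the word after a blr starts a new block; flag it if nothing bl's to it. */
    for (size_t i = 0; i + 1 < nwords; i++) {
        if (rd32be(blob + i * 4) != PPC_BLR)
            continue;
        uint32_t cand = base + (uint32_t)((i + 1) * 4);
        int called = 0;
        for (int k = 0; k < ntargets; k++)
            if (targets[k] == cand) { called = 1; break; }
        if (!called && nout < max)
            out[nout++] = cand;
    }
    return nout;
}

/* CONSTRUCTED sample image (word offsets in comments), not real kernel code:
   0x00 bl +0x10   0x04 blr   0x08 nop   0x0C blr
   0x10 nop        0x14 blr   0x18 nop   0x1C blr
   Only 0x10 is ever called, so 0x08 and 0x18 are the unreferenced blocks. */
const uint8_t sample_blob[] = {
    0x48,0x00,0x00,0x11,  0x4E,0x80,0x00,0x20,  0x60,0x00,0x00,0x00,  0x4E,0x80,0x00,0x20,
    0x60,0x00,0x00,0x00,  0x4E,0x80,0x00,0x20,  0x60,0x00,0x00,0x00,  0x4E,0x80,0x00,0x20,
};

int main(void)
{
    uint32_t out[8];
    int n = find_entry_candidates(sample_blob, sizeof sample_blob, 0, out, 8);
    for (int i = 0; i < n; i++)
        printf("unreferenced block after blr at 0x%08X\n", out[i]);
    return 0;
}
```

Run it against a dumped kernel with `base` set to the RAM address the mode 34/36 upload places it at; a candidate list that lines up with the addresses the scantool jumps to in the logs is good evidence for the multi-entry theory.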


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Dylan » Sun Jul 21, 2019 9:34 am

Keep us updated mate, great reading.


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sun Jul 21, 2019 12:40 pm



Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Sun Jul 21, 2019 12:43 pm

Looking at the addresses, the GM kernel doesn't execute at an address inside of where the kernel was loaded, so that's that option busted.

Regardless, it seems the route of reading/writing frames and making a custom kernel is the current route as it actually makes sense how it works.
Just need to settle on an ASM compiler.. and make a stupid simple app to say hello world on the bus or something and go from there!


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Mon Jul 22, 2019 12:19 pm

Going to be extremely short on time in the next few days to play with this some more.
Main concern is a suitable compiler to use. I have not found many examples of how to produce functions properly in PPC ASM so it's going to be a bit of trial and error I think.

Worst case... I don't use functions, and just write everything out in one giant loop. Not exactly the most efficient thing to do, but it will get the job done. Basically a lot of copy/paste for setting CAN frames etc :lol:


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Mon Jul 22, 2019 1:32 pm

I believe making it work with J-tools will be best; I already have that stuff nailed down so it's just a matter of actually sending a kernel and the rest should be fairly straightforward.
Anyone with a J tool and an E38 will be needing some other to give it a whirl! I'm yet to see an E38 with different flash memory, but might be best to get a tonne of reads to just be safe.

The flash chips support reporting back what they are. So, that'll be a quick way of getting the kernel to report to the scantool if it's going to be supported or not.
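The "ask the chip what it is before touching it" check described above, as an added example that is not from the thread or from any real kernel. It drives the common AMD/Spansion-style autoselect command sequence (0xAA to word 0x555, 0x55 to word 0x2AA, 0x90 to word 0x555, read manufacturer and device ID at words 0 and 1, 0xF0 to reset) through a small bus abstraction, compares the result against an allow-list, and returns the part to array-read mode. Everything here is constructed for the demonstration: the simulated chip, the `flash_bus` interface, and the IDs in `SUPPORTED` are placeholders; the real unlock addresses, word/byte mode and IDs for the E38's part must come from its datasheet (the S29 datasheet linked later in the thread).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Host-side model of a word-wide NOR flash that understands the autoselect
   command sequence. CONSTRUCTED for this example only. */
enum { ST_READ, ST_UNLOCK1, ST_UNLOCK2, ST_AUTOSELECT };

struct flash_sim {
    int      state;
    uint16_t mfr_id, dev_id;   /* what autoselect reports */
    uint16_t array[4];         /* a few words of "array" data for the read path */
};

/* Bus abstraction: the identify routine only talks to the chip through these,
   so on the ECU the same routine would be pointed at the memory-mapped flash. */
struct flash_bus {
    void     *ctx;
    void     (*write)(void *ctx, uint32_t word_addr, uint16_t data);
    uint16_t (*read)(void *ctx, uint32_t word_addr);
};

static void sim_write(void *ctx, uint32_t a, uint16_t d)
{
    struct flash_sim *f = ctx;
    if (d == 0xF0) { f->state = ST_READ; return; }   /* reset: back to array read */
    switch (f->state) {
    case ST_READ:    f->state = (a == 0x555 && d == 0xAA) ? ST_UNLOCK1 : ST_READ; break;
    case ST_UNLOCK1: f->state = (a == 0x2AA && d == 0x55) ? ST_UNLOCK2 : ST_READ; break;
    case ST_UNLOCK2: f->state = (a == 0x555 && d == 0x90) ? ST_AUTOSELECT : ST_READ; break;
    default:         break;                          /* autoselect: only reset leaves it */
    }
}

static uint16_t sim_read(void *ctx, uint32_t a)
{
    struct flash_sim *f = ctx;
    if (f->state == ST_AUTOSELECT)
        return a == 0 ? f->mfr_id : a == 1 ? f->dev_id : 0;
    return f->array[a % 4];
}

/* Autoselect sequence: unlock, enter autoselect, read the IDs, then reset so
   the chip is back in array-read mode before anything else runs. */
void flash_identify(const struct flash_bus *b, uint16_t *mfr, uint16_t *dev)
{
    b->write(b->ctx, 0x555, 0xAA);
    b->write(b->ctx, 0x2AA, 0x55);
    b->write(b->ctx, 0x555, 0x90);
    *mfr = b->read(b->ctx, 0x0);
    *dev = b->read(b->ctx, 0x1);
    b->write(b->ctx, 0x0, 0xF0);
}

/* Placeholder allow-list (IDs are constructed, not the E38's real part); a
   kernel would report a status code to the scantool and refuse erase/write
   when the part is not listed. */
struct supported_part { uint16_t mfr, dev; const char *name; };
static const struct supported_part SUPPORTED[] = {
    { 0x0001, 0x227E, "placeholder S29-family part" },
};

const char *flash_supported_name(uint16_t mfr, uint16_t dev)
{
    for (size_t i = 0; i < sizeof SUPPORTED / sizeof SUPPORTED[0]; i++)
        if (SUPPORTED[i].mfr == mfr && SUPPORTED[i].dev == dev)
            return SUPPORTED[i].name;
    return NULL;
}

/* Probe a simulated chip reporting the given IDs. Returns 1 if supported and
   leaves word0 holding the array word read after reset (proves the reset worked). */
int probe_sim(uint16_t mfr_id, uint16_t dev_id,
              uint16_t *mfr, uint16_t *dev, uint16_t *word0)
{
    struct flash_sim sim = { ST_READ, mfr_id, dev_id, { 0xBEEF, 1, 2, 3 } };
    struct flash_bus bus = { &sim, sim_write, sim_read };
    flash_identify(&bus, mfr, dev);
    *word0 = bus.read(bus.ctx, 0);
    return flash_supported_name(*mfr, *dev) != NULL;
}

int main(void)
{
    uint16_t m, d, w0;
    int ok = probe_sim(0x0001, 0x227E, &m, &d, &w0);
    printf("mfr=0x%04X dev=0x%04X supported=%d word0=0x%04X\n", m, d, ok, w0);
    return 0;
}
```

The point of the reset at the end is that a kernel which bails out on an unknown part must leave the chip readable, otherwise the next code fetch from flash returns ID bytes instead of instructions.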


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Tue Jul 23, 2019 6:48 pm

I have close to about 100 tabs open with examples, code and all sorts for MPC... so don't mind me.. just copying in links that have been helpful so far :lol:

Reference to CPU:
https://www.nxp.com/products/processors ... PC562#nogo
https://www.nxp.com/docs/en/data-sheet/MPC561RM.pdf
https://www.nxp.com/docs/en/supporting- ... RY_MAP.pdf
https://www.nxp.com/docs/en/user-guide/MPC564EVBUM.pdf

General PPC decoding:
https://www.ibm.com/support/knowledgece ... s_set.html
https://developer.apple.com/library/arc ... -TPXREF101 (Apple does great examples)
https://www.cs.uaf.edu/2011/fall/cs301/ ... werPC.html (Good example about stack and function returns)
https://wiibrew.org/wiki/Assembler_Tutorial
http://www.tentech.ca/downloads/other/P ... 2_2010.pdf (bunch of quick references/examples/lookups)
https://cache.freescale.com/files/produ ... XINSET.pdf
http://math-atlas.sourceforge.net/devel ... pc_isa.pdf

Understanding insrwi and rlwimi:
https://stackoverflow.com/questions/265 ... nstruction
https://www.ibm.com/support/knowledgece ... itreg.html
http://personal.denison.edu/~bressoud/c ... ctions.pdf
http://www.asmcommunity.net/forums/topic/?id=30640
https://www.se7ensins.com/forums/thread ... i.1230332/
http://ps-2.kev009.com/wisclibrary/aix5 ... hift32.htm

NOR flash commands:
http://www2.lauterbach.com/pdf/flash_diagnosis.pdf
https://pdf1.alldatasheet.com/datasheet ... 9CD-J.html
https://www.cypress.com/file/219931/download
https://www.cypress.com/file/195291/download (guide to common flash interface)

General examples:
https://www.sciencedirect.com/topics/co ... nal-branch
http://www.eecs.umich.edu/courses/eecs3 ... s/lec2.pdf
https://wiki.netbsd.org/examples/elf_ex ... r_powerpc/
https://cr.yp.to/2005-590/powerpc-cwg.pdf (lots of examples including crc)
https://www.ibm.com/developerworks/libr ... index.html
https://www.ibm.com/developerworks/libr ... index.html

Compiling PowerPC in Windows:
https://stackoverflow.com/questions/321 ... or-powerpc
Last edited by Tazzi on Tue Jul 23, 2019 6:51 pm, edited 1 time in total.
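The rlwimi/insrwi links above are the hardest part of reading this kind of kernel by hand, so here is the instruction's semantics written out in C as an added example (not from the thread or any of the linked pages): the PowerPC `MASK(MB, ME)` with bit 0 as the MSB and wrap-around when MB > ME, `rlwimi` as rotate-then-merge, `insrwi` as the assembler shorthand `rlwimi rA, rS, 32-(b+n), b, b+n-1`, and a field decoder for an rlwimi instruction word (primary opcode 20). The sample values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rotl32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* PowerPC MASK(mb, me): ones from bit mb to bit me inclusive, bit 0 = MSB.
   When mb > me the mask wraps: every bit except me+1 .. mb-1. */
uint32_t ppc_mask(unsigned mb, unsigned me)
{
    uint32_t lo = 0xFFFFFFFFu >> mb;           /* bits mb..31 */
    uint32_t hi = 0xFFFFFFFFu << (31 - me);    /* bits 0..me  */
    return (mb <= me) ? (lo & hi) : (lo | hi);
}

/* rlwimi rA, rS, SH, MB, ME: rotate rS left by SH, then replace the masked
   bits of rA with the rotated value; rA's bits outside the mask survive. */
uint32_t ppc_rlwimi(uint32_t ra, uint32_t rs, unsigned sh, unsigned mb, unsigned me)
{
    uint32_t m = ppc_mask(mb, me);
    return (rotl32(rs, sh) & m) | (ra & ~m);
}

/* insrwi rA, rS, n, b == rlwimi rA, rS, 32-(b+n), b, b+n-1:
   insert the low n bits of rS into rA at bit position b (from the MSB). */
uint32_t ppc_insrwi(uint32_t ra, uint32_t rs, unsigned n, unsigned b)
{
    return ppc_rlwimi(ra, rs, (32 - (b + n)) & 31, b, b + n - 1);
}

/* Split an rlwimi word (M-form, opcode 20) into its fields; 0 if not rlwimi. */
int ppc_decode_rlwimi(uint32_t w, unsigned *rs, unsigned *ra,
                      unsigned *sh, unsigned *mb, unsigned *me)
{
    if ((w >> 26) != 20)
        return 0;
    *rs = (w >> 21) & 31;
    *ra = (w >> 16) & 31;
    *sh = (w >> 11) & 31;
    *mb = (w >> 6) & 31;
    *me = (w >> 1) & 31;
    return 1;
}

int main(void)
{
    /* Constructed word: rlwimi r3, r4, 24, 0, 7 (drop r4's low byte into r3's top byte). */
    uint32_t w = 0x5083C00Eu;
    unsigned rs, ra, sh, mb, me;
    if (ppc_decode_rlwimi(w, &rs, &ra, &sh, &mb, &me))
        printf("rlwimi r%u, r%u, %u, %u, %u  mask=0x%08X\n",
               ra, rs, sh, mb, me, ppc_mask(mb, me));
    printf("r3=0x12345678 r4=0xAB -> 0x%08X\n",
           ppc_rlwimi(0x12345678u, 0xABu, sh, mb, me));
    printf("insrwi r5, r6, 4, 28 with r5=0xFFFFFFFF r6=5 -> 0x%08X\n",
           ppc_insrwi(0xFFFFFFFFu, 0x5u, 4, 28));
    return 0;
}
```

When a disassembler prints `rlwimi` with odd-looking MB/ME values, running the fields through `ppc_mask` usually makes it obvious which register bit-field (a CAN mailbox control bit, a pin direction bit) the kernel is poking.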


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Tue Jul 23, 2019 6:49 pm

Ah, that's gonna make lookups easier. Have so many double ups in Chrome from searches.

I saw valid references to the command set for the S29 flash chip in its datasheet, so that's all making sense now. Not sure if the actual addresses made sense by the data (commands) were matching up, so that's vital for unlocking, erasing, writing etc.


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby tek1229 » Wed Jul 24, 2019 10:56 am

I just found this post, AMAZING WORK!!!

I understand some of the gist of what you're doing, but it's mostly over my head..

I do have an E38 sitting on my bench at work with a bench harness already on it, and I have a couple of MDIs, so if it's something simple I can do to help you verify something, let me know..

Very interesting reading, I really can't afford the time to get into stuff like this in the summer, that's my winter hobby, lol..


Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz

Postby Tazzi » Wed Jul 24, 2019 12:22 pm

tek1229 wrote:I just found this post, AMAZING WORK!!!

I understand some of the gist of what you're doing, but it's mostly over my head..

I do have an E38 sitting on my bench at work with a bench harness already on it, and I have a couple of MDIs, so if it's something simple I can do to help you verify something, let me know..

Very interesting reading, I really can't afford the time to get into stuff like this in the summer, that's my winter hobby, lol..


I've had to deal with a bit of PPC recently, so applied it to the E38s (which is also going to be applicable to E40 and E67) and so far.. it's not actually going to be all that bad.

It's just a time thing to be honest. Looking over various kernels... it's just a big game of "who did it first" or, how many ways can you do 1+1=2?
There are a few critical things which all happen exactly the same, including setting up CANbus, setting up pins and flash chip, and updating interrupts. Once these things are done, it's all fairly straightforward.
