GM E38 E67 Kernel/Bootloader Development Extravaganza

Bosch Motronic etc ECUs and PCMs

Postby Tre-Cool » Fri May 29, 2020 8:37 pm

So with the cloning option.

Whereabouts in the bin file or segment is the security link information? Mainly interested in copying it from one bin to another, i.e. if doing an OS change/upgrade.


Postby ironduke » Sat May 30, 2020 9:45 am

Hopefully someone a lot more knowledgeable will chime in but I thought I remember reading that it was the 2 bytes in between the seed and the key in the bin.. I tried finding where I had read that, but sorry to say can't find the document or forum topic that I read it from..


Postby Tazzi » Sat May 30, 2020 11:38 am

Tre-Cool wrote:So with the cloning option.

Whereabouts in the bin file or segment is the security link information? Mainly interested in copying it from one bin to another, i.e. if doing an OS change/upgrade.


The immobiliser, seed/key, VIN, serial etc. is in the parameter block area, which is from the 0x8000 to 0xA000 area off the top of my head.

The immo code stands out, it's a 4-digit number in that block :thumbup:

Postby ironduke » Sat May 30, 2020 11:46 am

I just tried an immobilizer learn on my bench E38, didn't change what I thought was the immo key.. but that's only 2 bytes anyways so that wasn't it..

The immo learn didn't change anything, but it did add some code from 0xCCB6 to 0xD170.. total length of 0x4C4 bytes..

I can only guess it's code to write the new immo when it sees one sent from the BCM?? Total guesswork on my part.. Gonna be busy the next couple of days but I want to plug it into a car and then read it again to see if it learns a different immo..


Postby In-Tech » Wed Jun 03, 2020 11:14 am

Hi Tazzi,
We talked earlier in this thread about reading the last two modules. Keep in mind this snippet is just that so pay no attention to the exact order of things, a bit of some things I was doing on a different 8 bit project. I was bit banging the IO register to do some reading on some stuff that had built in clock jitter, the numbers noted are clock ticks :ugeek: Maybe it will give you some ideas to incorporate. Fun stuff :mrgreen:
Code:
SaveA:          equ     $XX      ;IO Register address

BTDelay:        equ     $F0             ;bit delay this can be any value ya like

;
;BootStrap code starts here
;
                sei                     ;sets interrupt mask (disables interrupts), not really necessary
                lda     #$55      ;55h is the response that basically says you are
                         ;running this bootstrap, can be any value you like
                bra     Start           ;run dumper

SendByte:       sta     SaveA
                clra
                bsr     DecA            ;Inter-Byte delay
                ldx     #$0A
                coma                    ;invert byte

                bclr0   $00             ;5 Zero Bit      
                bsr     DelayBit        ;1st Start Bit
                bra     SetIO           ;3

SetIO:          bset    $00, #0         ;5 One Bit
                bsr     DelayBit
                clc                     ;2nd Start Bit

SendBit:        bcs     Send1           ;3

                bclr0   $00             ;5 Zero Bit     |   
                bra     bitdelay        ;3              |count this for timing calc

Send1:          bset    $00, #0         ;5 One Bit      |but not this
                bra     bitdelay        ;3      |

bitdelay:       bsr     DelayBit
                asla    a               ;3
                decx                    ;3
                bne     SendBit         ;3
                bset    $00, #0         ;Parity = 0, Stop bits = 1
                rts                     ;6

DelayBit:                               ;standard 8 bit delay loop
                sta     SaveA
                lda     #BTDelay   
DecA:           deca
                bne     DecA
                lda     $XX             ;SaveA  This is the IO register
                rts
                                              
Start:          bsr     SendByte
LongDelay:      deca
                bsr     DelayBit
                bne     LongDelay   
                lda     #$30      ;Start address of 3000
                sta     $47      ;Now address stored at 47,48 in ram
                lda     #$00
                sta     $48
; ---------------------------------------------------------------------------
                dw $7180      ;Change page to eeprom
; ---------------------------------------------------------------------------
Loop:           dw      $92C6      ;Load A with the value of this next byte address 92C647
               ;Haven't fixed assembler to allow this new opcode yet
                db      $47
                bsr     SendByte      
                inc     $48
                bne     Loop
                inc     $47
                bne     Loop
;need to create "reversible" idling loop here or rts



Postby Yustas » Fri Jun 05, 2020 8:43 am

Really impressive work, Tazzi!


Postby The1 » Sat Jun 13, 2020 7:54 pm

Awesome work Tazzi, lots of hours to get this far :o


Postby In-Tech » Wed Jun 17, 2020 8:23 am

Hiya Tazzi,
Just an update that I built bench setups for the E67, E78 and E92 if you want me to do anything. I can rig up a CAN logger/sniffer too. I'll make the T42 and T87 adapters soon.

I screwed up the other day and didn't read a messed up E38 after I got the key. It was fubar'd bad enough it only had a 3 byte seed. Seed was BE2 and key was 881, didn't take long to brute it and I got sidetracked by the phone and forgot to read it before repair :typist:

Here's a couple E78 reads from some ebay puters.
2013_Sonic_ABMW_Flex_Stock.rar

2015_Cruz_Turbo_Stock_AB67.rar


Postby Tazzi » Wed Jun 17, 2020 10:47 am

The1 wrote:Awesome work Tazzi, lots of hours to get this far :o

Thanks!

In-Tech wrote:Hiya Tazzi,
Just an update that I built bench setups for the E67, E78 and E92 if you want me to do anything. I can rig up a CAN logger/sniffer too. I'll make the T42 and T87 adapters soon.

I screwed up the other day and didn't read a messed up E38 after I got the key. It was fubar'd bad enough it only had a 3 byte seed. Seed was BE2 and key was 881, didn't take long to brute it and I got sidetracked by the phone and forgot to read it before repair :typist:

Here's a couple E78 reads from some ebay puters.
2013_Sonic_ABMW_Flex_Stock.rar

2015_Cruz_Turbo_Stock_AB67.rar


Sweet as. I've been bogged down with work during all the COVID, it's only starting to normalise for me now so I will (hopefully) have more free time again soon to start attacking more ECUs.

I did start cutting into my E92, back plate isn't completely off yet but made a start :lol:

Postby In-Tech » Wed Jun 17, 2020 1:35 pm

Shoot, I meant to cut open an E92 here too and got sidetracked, will try this weekend.

I read those .bin files out with TunerCat. I have two of the 2013 Sonic ECMs here, both broadcast code ABMW. I just did a compare of the two in Hex Workshop and they are identical. Is the VIN and seed/key and other parameters stored in the processor or are these files I posted padded in those areas meaning they aren't read? Or do you have to put it in a particular mode to read that info?

Here's the info for the one I posted.
VIN: 1G1JC6SH9D4148561

PCM Service No: 12655499
PCM Traceability Code: 86ABMWK02298Y1VG
PCM Security Seed: 648E

PCM Module 1: 12655492
PCM Module 2: 55594171
PCM Module 3: 55594167
PCM Module 4: 55593091
PCM Module 5: 55593079
PCM Module 6: 55594163
PCM Module 7: 12643594
PCM Module 8: 55585772

Here's the info for the other one I read.
VIN: 1G1JC5SH9D4103453

PCM Service No: 12655499
PCM Traceability Code: 86ABMWK02217SACR
PCM Security Seed: 772C

PCM Module 1: 12655492
PCM Module 2: 55594171
PCM Module 3: 55594167
PCM Module 4: 55593091
PCM Module 5: 55593079
PCM Module 6: 55594163
PCM Module 7: 12643594
PCM Module 8: 55585772

The question is, should I try to write a different file from a V8 to this box and see if it takes?
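
Added example, not written by any poster in this thread: the two compares described above (ironduke's before/after read and In-Tech's ECU-to-ECU compare) done as a range-level diff, with a check of how much of the quoted 0x8000-0xA000 window is padding, which helps tell an unread region from genuinely identical data. The images are constructed, and the function names, the `gap` parameter and the 0x00/0xFF padding values are assumptions of this example.

```python
from dataclasses import dataclass

PARAM_BLOCK = (0x8000, 0xA000)  # window quoted in the thread, treated as [lo, hi)
@dataclass(frozen=True)
class DiffRange:
    start: int
    end: int  # inclusive
    @property
    def length(self):
        return self.end - self.start + 1
    @property
    def in_param_block(self):
        return self.start < PARAM_BLOCK[1] and self.end >= PARAM_BLOCK[0]

def diff_ranges(a, b, gap=4):
    """Coalesce differing offsets into ranges; runs split by <= gap equal bytes merge."""
    if len(a) != len(b):
        raise ValueError("reads differ in size; compare same-size images only")
    out, start, last = [], None, None
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is None:
            start = off
        elif off - last - 1 > gap:
            out.append(DiffRange(start, last))
            start = off
        last = off
    if start is not None:
        out.append(DiffRange(start, last))
    return out

def fill_ratio(image, lo, hi, fill=(0x00, 0xFF)):
    """Fraction of image[lo:hi] made of padding bytes (assumed 0x00/0xFF)."""
    window = image[lo:hi]
    return sum(v in fill for v in window) / len(window) if window else 0.0

def build_sample():
    """Constructed 64 KiB 'before'/'after' images, not real ECU data."""
    before = bytearray((i * 7 + 3) & 0xFF for i in range(0x10000))
    before[0x8000:0xA000] = b"\xFF" * 0x2000   # window that reads back as padding
    after = bytearray(before)
    after[0x8010:0x8014] = b"\x12\x34\x56\x78"  # small change inside the window
    after[0xC000:0xC100] = bytes(0xA5 ^ v for v in before[0xC000:0xC100])
    return bytes(before), bytes(after)

if __name__ == "__main__":
    for r in diff_ranges(*build_sample()):
        print(f"0x{r.start:05X}-0x{r.end:05X} len=0x{r.length:X} param_block={r.in_param_block}")
```

A fill ratio near 1.0 across the window in reads from two different ECUs points to the tool returning padding rather than the stored parameters.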
