GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
kostia111
Posts: 47
Joined: Mon Oct 21, 2019 4:58 am

Re: GM E38 Kernel/Bootloader Development Extravaganza

Post by kostia111 »

each block has two checksums
first two bytes to check load
and the second to verify that calibration is unchanged by tuning
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Post by Tazzi »

OS Calibration
Starts at 10000
Ends at 1BFFFF
CVN at 1001E

System Calibration
Starts at 1C0000
Ends at 1C134F
CVN at 1C001E

Fuel Calibration
Starts at 1C1350
Ends at 1C3573
CVN at 1C136E


Speed Calibration
Starts at 1C3574
Ends at 1C3917
CVN at 1C3592

Engine Diagnostic Calibration
Starts at 1C3918
Ends at 1CD373
CVN at 1C3936

Engine Calibration
Starts at 1CD374
Ends at 1FFFFF
CVN at 1CD392


Also note that 6 CRCs actually get noted at location E32E to E339. In fact... they actually appear multiple times in that top FFFF section

*edit
now looking at the top section, can see them labelled. I'm pretty sure the values between the segments indicate the address for calculating the CRC for each segment

Yeah ok, so it does seg total address then does top part of seg then it skips the CRC 2 bytes, and does the remainder of the seg. And finally address is segment minus header to end of segment.

*edit 2
Now I think from memory it only calculates the CRC based on data after the CRC, wrote an app for this but I'll be on the old laptop. But at least it's safe to know that all calibrations occur from 0x1C0000.
Attachment: e38segoffsets.PNG
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by kostia111 »

see also
address 0x3f0
it's a boot
its title will show you
how its parts are located in memory
the principle is the same

Post by Tazzi »

Now that erasing, sectors of flash and also cal offsets of the bin are understood, can now look at what's required for programming.

Flash data sheet shows:
need to send AA,55,A0 then finally address and data.

Will need to set the WP value to 1 for read/write access as well, like done for requesting device ID and write enable input.

Cool cool.. I'm feeling I have a very good understanding of all this now. Kernel is about 2k currently.... I reckon it shouldn't take more than maybe 100 instructions, so that'll be another 400ish bytes.

Post by Tazzi »

kostia111 wrote:
see also
address 0x3f0
it's a boot
its title will show you
how its parts are located in memory
the principle is the same

Ok I see that. 12605900, must be the ID for the boot.

I don't see the address in that area of anything else of interest, but it's good to know regardless.

Post by kostia111 »

see
the header is not always at the beginning of the file
he can describe the memory above and below himself
Attachment: e38-2.JPG

Post by kostia111 »

I showed the markup a little incorrectly
but I think the meaning is clear
file consists of 2 parts
in the header can be indicated not only the address of the beginning and end
but also the starting address and length

I translate through google
and the translation is not quite right

sorry

0x0000---0x03ef
0x03f0--0xbfff
Last edited by kostia111 on Sat Feb 08, 2020 11:20 pm, edited 1 time in total.

Post by Tazzi »

kostia111 wrote:
I showed the markup a little incorrectly
but I think the meaning is clear
file consists of 2 parts
in the header can be indicated not only the address of the beginning and end
but also the starting address and length

I translate through google
and the translation is not quite right

sorry

That's OK, I'm understanding what you're saying (mostly)

I see how you have marked it up which makes sense. But what I'm saying is there is nothing that is really needed from that section, since we will not be touching that boot segment.

I have begun adding the skeleton of the writing process and have hard coded in for cal only at the moment to ensure I don't majorly bugger up

Post by Tazzi »

For my reference (And sanity).

Compiled some code in C through a PPC compiler to generate this assembly:
I will throw that into a function... and assuming I set r31 into ram, it should hopefully work. Store the 16-bit CRC into ram at the end and hopefully that'll work.

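Code:

# CRC Start
# r31 = frame pointer: 8(r31) = crc, 12(r31) = byte index,
# 16(r31) = bit counter, 24(r31) = pointer to the data
        li 9,0
        stw 9,8(31)             # crc = 0
        li 9,0
        stw 9,12(31)            # index = 0

ForLoop:
        lwz 9,12(31)
        cmpwi 7,9,7
        ble 7,Part1Cal          # process bytes while index <= 7
        b EndCRC

Part1Cal:
        lwz 9,12(31)
        addi 10,9,1
        stw 10,12(31)           # index++ (old index stays in r9)
        lwz 10,24(31)
        add 9,10,9
        lbz 9,0(9)              # load data[old index]
        rlwinm 9,9,0,0xff
        slwi 9,9,8
        lwz 10,8(31)
        xor 9,10,9
        stw 9,8(31)             # crc ^= byte << 8
        li 9,0
        stw 9,16(31)            # bit counter = 0

BitsRotate:
        lwz 9,16(31)
        cmpwi 7,9,7
        ble 7,Part2Cal          # 8 shifts per byte
        # index was already advanced in Part1Cal; return to the bounds check
        b ForLoop

Part2Cal:
        lwz 9,8(31)
        rlwinm 9,9,0,16,16      # isolate bit 0x8000 of the crc
        cmpwi 7,9,0
        beq 7,CRCOp1
        lwz 9,8(31)
        slwi 9,9,1
        xori 9,9,32773          # top bit was set: shift, then XOR 0x8005
        b CRCOp2
CRCOp1:
        lwz 9,8(31)
        slwi 9,9,1              # top bit was clear: shift only
CRCOp2:
        stw 9,8(31)
        lwz 9,16(31)
        addi 9,9,1
        stw 9,16(31)            # bit counter++
        b BitsRotate

EndCRC:
        lwz 9,8(31)
        rlwinm 9,9,0,16,31      # keep the low 16 bits as the result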
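
Added example (not part of the original posts and not the poster's own source): a C version of the bit-by-bit CRC-16 that the PowerPC listing in the post above is written to compute (polynomial 0x8005 from `xori 9,9,32773`, initial value 0, most significant bit first), generalized from 8 bytes to any length. `crc16_skip` is a hypothetical helper for the "skip the CRC 2 bytes" layout mentioned earlier in the thread; which bytes the ECU actually covers is not settled on this page, so the offsets are parameters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Feed one byte into the CRC: XOR it into the high byte, then shift out
 * 8 bits, applying polynomial 0x8005 whenever bit 15 was set. */
static uint16_t crc16_update(uint16_t crc, uint8_t byte)
{
    crc ^= (uint16_t)((uint16_t)byte << 8);
    for (int bit = 0; bit < 8; bit++) {
        if (crc & 0x8000u)
            crc = (uint16_t)((crc << 1) ^ 0x8005u);
        else
            crc = (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC over data[0..len), starting from 0 like the listing. */
uint16_t crc16(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++)
        crc = crc16_update(crc, data[i]);
    return crc;
}

/* Hypothetical helper: CRC over a segment while leaving out the bytes
 * at [skip_off, skip_off + skip_len), e.g. a stored checksum field. */
uint16_t crc16_skip(const uint8_t *seg, size_t len, size_t skip_off, size_t skip_len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        if (i >= skip_off && i - skip_off < skip_len)
            continue;
        crc = crc16_update(crc, seg[i]);
    }
    return crc;
}

int main(void)
{
    /* Constructed sample data, not bytes from a real E38 image. */
    const uint8_t sample[] = "123456789";
    uint8_t seg[] = { 0xAA, 0xBB, '1', '2', '3', '4', '5', '6', '7', '8', '9' };
    printf("crc16      = 0x%04X\n", crc16(sample, 9));
    printf("crc16_skip = 0x%04X\n", crc16_skip(seg, sizeof seg, 0, 2));
    return 0;
}
```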

Post by kostia111 »

if you want to do programming just like sps does
then in addition to software and calibrations, nothing more needs to be programmed
if checksums are already calculated in the file

if the checksums are not yet corrected
this can be done on the fly before programming
memory area where you still found them

I often program modified files
standard sps procedures
I only preliminarily count checksums
and change them in the file