PCMHammer P04


Post by antus »

This is the bin image from my problem PCM, and the bytes that seem to crash the kernel.

55 15 is 0101 0101 0001 0101 so I think there is something to that pattern, repeated. The 11 17 could be part of it too, since it's 0001 0001 0001 0111.
Attachments: p04 vpw cant transmit.png (77.55 KiB); p04 read.bin (512 KiB)
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Post by Jakefunny »

Now to find a different tool to use or develop that write kernel. I'm not going to be able to test that until I get one of those 2 done or get a PCM similar to yours.

Post by antus »

We will need the loader implemented in pcmhammer, so you could look at that. I think it'll need another capability added and mapped to just P04 to use the loader, and the loader filename, and we'll need to figure out how to use it. Kur4o might be able to help with that if it's not clear by decompiling it. If you can get it loading the loader, then uploading a 4kb dummy kernel in parts that is just rubbish data, that'll be a win at this stage. It'll mean we can re-visit the read kernel and put more features in it too.

Post by Tazzi »

Pete and I had this issue where both of our ECUs would react completely differently to one another even though they were both P04 when running a read or write kernel.

One was WAY more stable than the other. We eliminated that it was the ECU hardware since we cloned one P04 into another, and the issue followed. It's something related to internal interrupts that causes problems, at least that's what we could tell. Interrupts/timers are the only thing that would still be active in the ECU from its OS when running a custom kernel for read/writing flash.

Post by kur4o »

When I looked at p04, there was some very weird crash issue. Basically the sent data was echoed to ram as input data and when there was some specific 20 command the flash routine exited on its own. What are you guys using to exit the flash routine? Maybe you can disable it and try again.

The loader is very simple to use. Just upload it somewhere in memory and it will accept mode 36 requests; 36 80 and 36 00 are supported.

Post by In-Tech »

I hope to not speak out of turn. It appears to be a "security" issue. I remember this from tms370 days and it took quite a bit to find it in the actual working ram, not storage ram. The only way I found it was reading the "protected" stack and I had to read it backwards to avoid "security" bit set and that only gave me a few bits at a time. That gave me the address in rom so I could study. They had that xor'd so it was gibberish, then the MAPROM would AND it so it became even more jib. When I finally dumped the maprom 8 bits at a time, it all made sense.
Anyway, it sure seems like a security measure which was prevalent in the early 2000's with GM in a few things. Now GM is heavy into protecting. I'm not sure I have any p04's here, but as time permits, I would like to help too :)

Post by antus »

I don't think it's a security issue. There is no OS software running on the pcm at read time, only the kernel we have written and uploaded that is executing. Also, other commercial tools that do pretty much the same thing can read it ok. The devil is in the details though. If it is a security thing that the kernel needs to be doing it would have to be hardware security and would be surprising that it has not come up before. Not impossible, of course, but I still have my doubts.

I should flash a different bin in to mine with another tool and see if I can read that back after.

Post by In-Tech »

I mean, I hope it isn't a security issue. GM was only playing with that back in the day.

Good luck with your trials and as said, I will help whatever I can do as time allows :)

Thanks to all and a very merry holidays to all too :)

Post by antus »

Thanks for your help also!

I loaded this bin on to my p04, and read it back with pcmhammer with 4k packets with the current kernel in the develop branch and no issues at all. Very interesting. Maybe a very obscure data issue with my original bin only?! At least I think this confirms not a security issue since it's the same hardware, same kernel.

Note the failure in the screen shot was because I had not rebooted the pcm initially after its first flash writing. Also this OS is not in the pcmhammer source, I just added it in to my local copy for this test only. We need to get a more complete list of P04 OSIDs and add it to the tool.
Attachments: p04 12223462.bin (59.75 KiB); p04 12223462.PNG (59.75 KiB)

Post by Gampy »

It is of my opinion that the current list of P04 OsIDs in PCMHammer should be stripped and started fresh ... I believe it to be bloated with other than OsIDs.