Reverse engineering a 411 operating system

They go by many names: P01, P59, VPW, '0411, etc. Circa 1999 to 2006. All VPW OBD2 PCMs.

Re: Reverse engineering a 411 operating system

Postby NSFW » Wed Feb 13, 2019 5:35 am

I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!


Postby NSFW » Wed Feb 13, 2019 5:36 am

Gampy wrote:Has anyone played with Dismot68, the two-pass Motorola 6833X disassembler from usbjtag.com?

I haven't, but there are a bunch of 68k disassembler projects on Github too... I haven't tried any of these either, but it's worth a look:

https://github.com/search?q=68000+disassembler

https://github.com/search?q=68k+disassembler

One of them is written in 68k assembly. Whoah. :)

Postby NSFW » Wed Feb 13, 2019 10:19 am


Postby Gampy » Wed Feb 13, 2019 7:07 pm

I've tried several off Github; pretty crappy for the most part. A couple could get better with some work; most are for game consoles.
Yea, several are written in 68k, which makes for good reference ...

But I've just about had it with Github, their paranoia and their data collection ...

    Whoa there!

    You have triggered an abuse detection mechanism.
    Please wait a few minutes before you try again.

Has become my most frequently visited Github page ...

I guess if I want something better I'll need to pick one and sprinkle some magic dust on it ... :(
Probably over my head though, I dunno, never tried.

Thanks


Postby VX L67 Getrag » Wed Feb 13, 2019 8:35 pm

NSFW wrote:I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.

I've seen a few controllers (E66, E77 & E67) that have stock files on them, but they write something in the file to get negative response code 7F when requesting bootloader. So I'm guessing when it asks for those first sections you said to look for in the code, they've edited them, but when using that specific tuner's own software it doesn't get that negative response code & will read or write happily... so I was thinking if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?
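As an added example (not from this thread, nor from HPT, EFILive or PCM Hammer), a small decoder for the kind of VPW reply being discussed: it separates a positive reply (request mode + 0x40) from a mode 0x7F negative response and names the response code. The 3-byte header layout and code names are assumed from SAE J1850/J2190 conventions, the sample frames are constructed, and the request mode 0x34 is assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Negative response codes per SAE J2190 / KWP2000 (a common subset, assumed).
NEGATIVE_RESPONSE_CODES = {
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x22: "conditionsNotCorrect",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x78: "requestCorrectlyReceived-ResponsePending",
}

@dataclass
class VpwReply:
    priority: int          # J1850 priority/type byte
    target: int            # destination address (the tool, for a reply)
    source: int            # sending node (the PCM, for a reply)
    mode: int              # service byte: request mode + 0x40, or 0x7F
    rejected_mode: Optional[int] = None   # set only for 0x7F replies
    code: Optional[int] = None            # negative response code
    payload: bytes = b""

    @property
    def is_negative(self) -> bool:
        return self.mode == 0x7F

    def describe(self) -> str:
        if self.is_negative:
            name = NEGATIVE_RESPONSE_CODES.get(self.code, "unknown")
            return f"7F: mode {self.rejected_mode:02X} rejected, code {self.code:02X} ({name})"
        return f"positive reply to mode {self.mode - 0x40:02X}, {len(self.payload)} data bytes"

def decode_reply(raw: bytes) -> VpwReply:
    # Split a raw frame (3-byte header, service byte, data) into its fields.
    if len(raw) < 4:
        raise ValueError("frame shorter than 3-byte header plus service byte")
    pri, tgt, src, mode = raw[0], raw[1], raw[2], raw[3]
    if mode == 0x7F:
        if len(raw) < 6:
            raise ValueError("negative response needs rejected mode and code")
        return VpwReply(pri, tgt, src, mode, raw[4], raw[5], raw[6:])
    return VpwReply(pri, tgt, src, mode, payload=raw[4:])

def is_positive_reply_to(reply: VpwReply, request_mode: int) -> bool:
    return not reply.is_negative and reply.mode == request_mode + 0x40

# Constructed sample frames: PCM (0x10) answering a tool (0xF0) about mode 0x34,
# assumed here to be the request-download mode used before a kernel upload.
SAMPLE_POSITIVE = bytes([0x6C, 0xF0, 0x10, 0x74, 0x00])
SAMPLE_NEGATIVE = bytes([0x6C, 0xF0, 0x10, 0x7F, 0x34, 0x33])
```

Feeding captured frames through `decode_reply` and `describe` shows whether a controller is refusing the request (and with which code) rather than simply not answering.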


Postby jay woo » Wed Feb 13, 2019 8:37 pm

Not sure what radare is like with the processors in question; also not much of a GUI. http://beta.rada.re/en/latest/


Postby NSFW » Thu Feb 14, 2019 8:41 am

VX L67 Getrag wrote:
NSFW wrote:I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.

I've seen a few controllers (E66, E77 & E67) that have stock files on them, but they write something in the file to get negative response code 7F when requesting bootloader. So I'm guessing when it asks for those first sections you said to look for in the code, they've edited them, but when using that specific tuner's own software it doesn't get that negative response code & will read or write happily... so I was thinking if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?


If the firmware has been modified to prevent reading, then it's not stock anymore.

Who is "they"? Were these tuned with HPTuners, or EFI Live, or something else?

I'm pretty sure bootloader is the wrong word there - you probably mean kernel. Lots of people in the GM tuning world use bootloader when they mean kernel, but it's wrong, and it is kinda confusing right now, because the real bootloader is the firmware code that you want to examine.

Note that PCM Hammer probably won't work with any of the controllers you listed. It only works with P01 and P59, and P59 writing isn't finished yet. If you are using PCM Hammer with those PCMs, there is a good chance that the 7F response is caused by PCM Hammer trying to upload the kernel to a RAM address that isn't right for those PCMs. And even if you fix the RAM address, the app is going to upload a kernel written for a Motorola 68k CPU onto a PCM that probably has a PowerPC CPU, and that's not going to work.

Postby VX L67 Getrag » Thu Feb 14, 2019 9:42 am

Yeah, I'm not sure if it's bootloader or kernel; I know the HPT message when reading says bootloader (I'll attach a screenshot later).

This current ECU in question is an E67 that is coming back with that response, & I'm not sure what it's tuned with, possibly EFIlive.

I have had the same issue with the E66 & E77 controllers tuned with Trifecta & the only way I could get the files off was with BDM. They were an identical layout to stock format for tuning parameters, but I'm unsure of what wasn't mapped.... but BDM isn't possible on the E67 as there's no info for its process; it's very similar to the E38 layout but again no BDM info for that either.

But no, I haven't tried PCMhammer for any of these as I knew it most likely would go....WTF I can't communicate with that you idiot!


Postby antus » Thu Feb 14, 2019 11:46 am

Yeah, E66 and E67 are later PCMs and are completely different to P01 and P59. P01 and P59 are Motorola 68k processors, which do things described in the 68k datasheet at power on, and E66 and E67 are PowerPC processors which do PowerPC things. You can't really compare their boot process at all. They are of completely different architectures.

HPT says bootloader to fit with 'traditional' but incorrect terminology; what they are really describing is the upload of the flash kernel. NSFW was talking about the actual boot loader, which is the equivalent of a PC computer's BIOS that runs as soon as the power comes on, sets up the hardware in the device to a known state and then hands off control to the operating system.

On a PC the bootloader/BIOS is the part that initialises the RAM, the graphics/text, all the controllers on the motherboard for hard drives, USB, serial, sound etc.; it'll beep codes if it can't get the system to a state with graphics where it can be considered 'running'. Then, outside the scope of the bootloader but still PC BIOS, it shows you the manufacturer info, does a memory test, loads the master boot record off some type of storage, and executes that.

In a PCM, the initialization of the hardware part is the same, then it validates the OS and the Calibration (and enters a tiny recovery kernel if they are not), but assuming they are OK it hands control straight to the fully fledged operating system.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Postby VX L67 Getrag » Thu Feb 14, 2019 11:57 am

Ahh bugger, I was hoping it may have given me insight as to where to look for the issue, but it doesn't look like it will. I wonder if the BDM reads would show where the byte/bytes have been changed, to know what to change in the kernel?

Anyhow, here are the screenshots of what errors when trying to read these controllers...

[Attachment: HPT write neg response code.png]

[Attachment: HPT read neg response code.png]
