Disassemblers used? First modifications to P59

[jlvaldez]

Hey all,
I'm trying to get started with a few tweaks to the P59 PCM in my 03 Silverado. I've never tried to disassemble code, find the scalars I need, and then recompile or define it in an XDF for tuner pro.

I'm pretty experienced with tuning vehicles, particularly with HPTuners, EFILive, and Hondata's tuning tools. However, HPTuners does NOT expose some of the sections of code that I desire to edit. I saw a dis-assembled 411 file that was labeled and found the line I wanted to edit in that file. I need to do this same exercise with my P59 PCM, and figure out how to get it onto the PCM.

I do embedded C programming mostly, but have done plenty of C# in windows and some C++ projects on linux boxes. I don't normally have to dive into assembly in my day job, but can read it.

Let me get to what I've managed to do so far:
1) Get the bin for my P59 PCM with 12579405 OS.
2) Unsuccessfully find any XDF for this OS, from what I see, it was only used for 03, so i guess i'm just gunna have to do most of this myself
3) Tried a few decompilers. I don't have IDAPro, and everything I've seen seems to be problems with regards to purchasing it if your'e not a corporate entity.

Right now, I'm just trying to decompile the code well enough for me to find the section of code of interest for me (I'm modifying just a single if statement to always be true). What are yall using to decompile? I tried ODA, but it doesn't do a great job with labeling any of the jumps/functions.

I'm currently dabbling with Ghidra, which runs on several platforms and seems to be quite powerful! I ran the .bin through the auto analysis and it auto labeled all functions, and has even attempted to decompile parts of it to C. Kind of neat, but I'm not experienced enough with this to figure it out. Perhaps the best exercise for me on this would be to practice on a binary that's already been decompiled and well documented and see if I can come to the same conclusions.

Is there some secret repository for XDFs where my OS may exist? I've come up blank I have a solid understanding of processors and assembly, but I've got virtually 0 experience going from binary to assembly and trying to reverse engineer code. It's always been me writing the source code and then compiling to binary to flash onto our EPs

[Gampy]

Hey all,
I'm trying to get started with a few tweaks to the P59 PCM in my 03 Silverado. I've never tried to disassemble code, find the scalars I need, and then recompile or define it in an XDF for tuner pro.

I'm pretty experienced with tuning vehicles, particularly with HPTuners, EFILive, and Hondata's tuning tools. However, HPTuners does NOT expose some of the sections of code that I desire to edit. I saw a dis-assembled 411 file that was labeled and found the line I wanted to edit in that file. I need to do this same exercise with my P59 PCM, and figure out how to get it onto the PCM.

I do embedded C programming mostly, but have done plenty of C# in windows and some C++ projects on linux boxes. I don't normally have to dive into assembly in my day job, but can read it.

Let me get to what I've managed to do so far:
1) Get the bin for my P59 PCM with 12579405 OS.
2) Unsuccessfully find any XDF for this OS, from what I see, it was only used for 03, so i guess i'm just gunna have to do most of this myself
3) Tried a few decompilers. I don't have IDAPro, and everything I've seen seems to be problems with regards to purchasing it if your'e not a corporate entity.

Right now, I'm just trying to decompile the code well enough for me to find the section of code of interest for me (I'm modifying just a single if statement to always be true). What are yall using to decompile? I tried ODA, but it doesn't do a great job with labeling any of the jumps/functions.

I'm currently dabbling with Ghidra, which runs on several platforms and seems to be quite powerful! I ran the .bin through the auto analysis and it auto labeled all functions, and has even attempted to decompile parts of it to C. Kind of neat, but I'm not experienced enough with this to figure it out. Perhaps the best exercise for me on this would be to practice on a binary that's already been decompiled and well documented and see if I can come to the same conclusions.

Is there some secret repository for XDFs where my OS may exist? I've come up blank I have a solid understanding of processors and assembly, but I've got virtually 0 experience going from binary to assembly and trying to reverse engineer code. It's always been me writing the source code and then compiling to binary to flash onto our EPs

My opinion ...

Not wanting to discourage you, just inform you of the fact that is a huge mountain to climb. Disassembly, it takes many many many hours.

No disassembler is going to do the work for you ...

In that Os (12579405) there is well over a hundred thousand lines (never counted them all) of 68k assembly and it is an early Os version (one of the first if not the first P59 Os's) and has code for Intel Flash only. Meaning it will only work on something like the first three P59 revisions all of which seem to be of year 2003.

Thus, probably not the best Os version to spend that much time and effort on.

There are no 'if' statements in Assembly.

There are other techniques (binary edit) to do simple jmp,cmp,bra type changes, that's outside my realm at the moment.
If you said exactly what you want, someone might tell you ...

There are no secret XDF repositories, and that I know of there is no XDF for Os 125 79 405.

-Enjoy

[MudDuck514]

Hi all,

This was posted in another thread somewhere:
https://onlinedisassembler.com/odaweb/Pqoog1pg/0

Maybe you can use it.

Mike

[NSFW]

I wrote down the steps I used to get started with the OS in my Corvette using IDA:
https://github.com/LegacyNsfw/12593358/wiki/How-To

I had a head start since there is an XDF for that OS, but I don't think that's a requirement. The OS also has a table of OBD2 PIDs and function pointers, and those pointers mostly refer to very short functions that just read a value from RAM and convert it to the units required for OBD2. So you can pretty confidently label those RAM addresses with the OBD2 parameter name. That lead to having labeled RAM addresses in a lot of code, and that gives you some hints about what the code might be doing.

An XDF would be a big help but if you've already found the line you want in another OS, I suspect you'll be able to find it in this OS. If you have HPT for your current OS, you can try making changes to tables in HPT, reading the bin file with PCM Hammer / LS Droid, and then comparing the files to see where the table is. It would be time consuming to build an XDF that way but you probably only need a few tables to help you find the code you're interested in.

I have been using IDA, but Ghidra sounds very interesting and I need to give it a try. Since it's free and apparently quite capable, I think that's going to become the standard tool for reverse engineering PCMs.

If you have the option of switching to the 12587603 OS, that would be great, because I think that's where most P59 OS hacking is going to happen. That OS seems to support every option of transmission, DBW, DBC, etc.

What change are you planning to make? I've been trying to find the code that disables the high octane timing table when you disable the MAF sensor... I'm not there yet but I think I'm getting close.

[jlvaldez]

Hey all,
I'm trying to get started with a few tweaks to the P59 PCM in my 03 Silverado. I've never tried to disassemble code, find the scalars I need, and then recompile or define it in an XDF for tuner pro.

I'm pretty experienced with tuning vehicles, particularly with HPTuners, EFILive, and Hondata's tuning tools. However, HPTuners does NOT expose some of the sections of code that I desire to edit. I saw a dis-assembled 411 file that was labeled and found the line I wanted to edit in that file. I need to do this same exercise with my P59 PCM, and figure out how to get it onto the PCM.

I do embedded C programming mostly, but have done plenty of C# in windows and some C++ projects on linux boxes. I don't normally have to dive into assembly in my day job, but can read it.

Let me get to what I've managed to do so far:
1) Get the bin for my P59 PCM with 12579405 OS.
2) Unsuccessfully find any XDF for this OS, from what I see, it was only used for 03, so i guess i'm just gunna have to do most of this myself
3) Tried a few decompilers. I don't have IDAPro, and everything I've seen seems to be problems with regards to purchasing it if your'e not a corporate entity.

Right now, I'm just trying to decompile the code well enough for me to find the section of code of interest for me (I'm modifying just a single if statement to always be true). What are yall using to decompile? I tried ODA, but it doesn't do a great job with labeling any of the jumps/functions.

I'm currently dabbling with Ghidra, which runs on several platforms and seems to be quite powerful! I ran the .bin through the auto analysis and it auto labeled all functions, and has even attempted to decompile parts of it to C. Kind of neat, but I'm not experienced enough with this to figure it out. Perhaps the best exercise for me on this would be to practice on a binary that's already been decompiled and well documented and see if I can come to the same conclusions.

Is there some secret repository for XDFs where my OS may exist? I've come up blank I have a solid understanding of processors and assembly, but I've got virtually 0 experience going from binary to assembly and trying to reverse engineer code. It's always been me writing the source code and then compiling to binary to flash onto our EPs

My opinion ...

Not wanting to discourage you, just inform you of the fact that is a huge mountain to climb. Disassembly, it takes many many many hours.

No disassembler is going to do the work for you ...

In that Os (12579405) there is well over a hundred thousand lines (never counted them all) of 68k assembly and it is an early Os version (one of the first if not the first P59 Os's) and has code for Intel Flash only. Meaning it will only work on something like the first three P59 revisions all of which seem to be of year 2003.

Thus, probably not the best Os version to spend that much time and effort on.

There are no 'if' statements in Assembly.

There are other techniques (binary edit) to do simple jmp,cmp,bra type changes, that's outside my realm at the moment.
If you said exactly what you want, someone might tell you ...

There are no secret XDF repositories, and that I know of there is no XDF for Os 125 79 405.

-Enjoy

I appreciate the blunt reply. I have no illusions that it should be a quick

To better explain what I'm trying to do: There is a simple branch not equal instruction for some fuel modifiers which I either need to change to a branch on equal or simply change the register value that it's compared against. I simplified it when I said an if statement. Unfortunately, it's for my P59 ECU that I need to do this to, so I will eventually need to find the magical branch instruction that I need to change.

Thanks NSFW, I'll dig through your GitHub for tips and tricks.

The part that I'm confused on, is the history of the P59. I'm not very familiar with the OS revision options for this ECU. I thought the P59 was used on everything from 03-2006. Wonder if it would be easier for me if I could flash to an updated OS that was better supported. Don't know if that was an option.

[Gampy]

I appreciate the blunt reply. I have no illusions that it should be a quick

To better explain what I'm trying to do: There is a simple branch not equal instruction for some fuel modifiers which I either need to change to a branch on equal or simply change the register value that it's compared against. I simplified it when I said an if statement. Unfortunately, it's for my P59 ECU that I need to do this to, so I will eventually need to find the magical branch instruction that I need to change.

Thanks NSFW, I'll dig through your GitHub for tips and tricks.

The part that I'm confused on, is the history of the P59. I'm not very familiar with the OS revision options for this ECU. I thought the P59 was used on everything from 03-2006. Wonder if it would be easier for me if I could flash to an updated OS that was better supported. Don't know if that was an option.

Like I said, I don't want to discourage you, it's an interesting thing to do.

Yea, that year frame is about right, my data shows 03-07.
The issue is the first few revisions of the P59 used Intel Flash Chips, in ~04 they went to a AMD Flash Chip ...

Updating to a newer Os is very much an option as NSFW stated, Os 12587603 at the moment it is the preferred P59 Os.

[jlvaldez]

I wrote down the steps I used to get started with the OS in my Corvette using IDA:
https://github.com/LegacyNsfw/12593358/wiki/How-To

I had a head start since there is an XDF for that OS, but I don't think that's a requirement. The OS also has a table of OBD2 PIDs and function pointers, and those pointers mostly refer to very short functions that just read a value from RAM and convert it to the units required for OBD2. So you can pretty confidently label those RAM addresses with the OBD2 parameter name. That lead to having labeled RAM addresses in a lot of code, and that gives you some hints about what the code might be doing.

An XDF would be a big help but if you've already found the line you want in another OS, I suspect you'll be able to find it in this OS. If you have HPT for your current OS, you can try making changes to tables in HPT, reading the bin file with PCM Hammer / LS Droid, and then comparing the files to see where the table is. It would be time consuming to build an XDF that way but you probably only need a few tables to help you find the code you're interested in.

I have been using IDA, but Ghidra sounds very interesting and I need to give it a try. Since it's free and apparently quite capable, I think that's going to become the standard tool for reverse engineering PCMs.

If you have the option of switching to the 12587603 OS, that would be great, because I think that's where most P59 OS hacking is going to happen. That OS seems to support every option of transmission, DBW, DBC, etc.

What change are you planning to make? I've been trying to find the code that disables the high octane timing table when you disable the MAF sensor... I'm not there yet but I think I'm getting close.

I opened up my copy of TIS2000, looks like my options for OSes for my VIN are (from oldest to newest)
12578128 (initial release)
12579405 (What i'm currently on)
12580055
12593058

Doesn't look like 12587603 is an option for me I've got a 2003 Silverado 2500 HD 6.0/4L80E

To be specific. I'm trying to bypass the platform check for lean cruise. You can set the platform manually in HPT, but for whatever reason the cruise control stops working when the platform code is changed. So I want to simply change the branch on not equal to branch on equal.

A quick google for me shows no luck finding an XDF for this OS either... However, it did point me to a thread where Gampy was making a comment about this OS just a few days ago in the LS Droid thread.

I found on NSFW's GitHub, this txt file that talks about the advantages of the 7603 OS. Says that all combinations are supported by this OS. However, TIS2000 does not show it as an option for me. I wonder if I can flash it with my TECH2 using a different VIN. Or if I should simply flash a 7603 binary onto the truck with PCMHammer and then use HPT to copy over all of my tune edits...

Edit: So i was digging through NSFW's XDF for 7603, and it looks like you already have an OS patch to do exactly what I want to do... Hmmmmm

Edit 2: The patch doesn't seem to point to a valid location in a 04 Z06 .bin... Nothing refers to the address in the patch according to my decompiler. Weird thing is I can't find the lean cruise branch code. Maybe the enable is different than the 411 PCMs (which I found it in originally).

[antus]

Look for patterns in the code. Addresses will be different and the code might be different too but you need to find similar code on or around the conditional branch your looking for to get a reference then go back or forward a little in the other bin when you find a match to find exactly the bit your looking for. It might take a few gos and you need to look for other matches for the same pattern because might have found the wrong match but once youve investigated as much as you can make a judgement call and test it. If its wrong revert the patch.

[cmaje72]

From the info I have this should do it. Write full after the change.
Lean cruise patch for 12579405:
0002AAB8 66 to 4E
0002AAB9 06 to 71

[Gampy]

When does TunerPro apply a patch that is in a XDF??
For example the Lean Cruise patch in the xdf for OsID 12587603, what has to be done to apply it.