12587603 OS disassembly

They go by many names, P01, P59, VPW, '0411 etc. Circa 1999 to 2006. All VPW OBD2 PCMs.

12587603 OS disassembly

Postby ColPaul » Sun Jan 12, 2020 1:48 pm

Does anyone have a commented disassembly of this OS? Seems like most of the work on tuning is coming from this build. I followed https://github.com/LegacyNsfw/PcmHacks/wiki on this bin with IDA Pro and still have lots of work to do to understand. I'm mostly interested in how the system segment responds to the DLC. I appreciate all the work being done for PCM Hammer. My dad bought a 91 S10 with a 5.3L/4L60 out of a 2005 Silverado. I am hoping he has 12587603 in that PCM so I can help him tune it.

Paul


Re: 12587603 OS disassembly

Postby NSFW » Tue Jan 14, 2020 12:11 pm

I haven't started on this OS yet but that's something I aim to do pretty soon.

I want to try it with Ghidra though, so I've been tweaking the PowerShell scripts so they will generate CSV files that can be imported into Ghidra.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!


Re: 12587603 OS disassembly

Postby ColPaul » Wed Jan 15, 2020 12:34 pm

I am installing Ghidra now and will start learning how to use it. How can I help?

I was reading https://www.thirdgen.org/forums/diy-pro ... -step.html. I don't have access to a PCM right now, as it is my Dad's truck and I'm 7 hours away. The article is on a P01. Do you know if the interrupt of the DLC is still mapped to Level 1, as in the P01? Are the DLC FIFO addresses the same ($FF9000 and $FF9001)? Which chip is the DLC (MC68HC58?)? Looking forward to learning both a new tool and the specifics of the 603 OS.


Re: 12587603 OS disassembly

Postby NSFW » Wed Jan 15, 2020 8:07 pm

The DLC communication works exactly the same way on both the P01 and P59. PCM Hammer actually sends the same kernel code every time. The kernel checks for both AMD and Intel flash chips, and uses different subroutines to erase and rewrite based on which chip it found, but otherwise it behaves identically on both PCMs. If you're interested in how to talk to the DLC, you might want to start with the PCM Hammer kernel code, since it's in C. :)

For the disassembly stuff... the biggest thing we're missing is Ghidra support for the table-lookup instructions in the CPU32 version of the Motorola 68k instruction set. DzidaV8 filed a feature request about it, and started implementing it, but I don't understand it well enough to say how close it is to being usable. If you Google for "Ghidra CPU32" his request will be the first hit, and he's got a link to his fork of Ghidra and you can see the changes he's made so far.

I'm trying to get my head around the Sleigh language, which is how processor instructions are modeled for Ghidra's disassembler:
https://ghidra.re/courses/languages/html/sleigh.html

I still don't see how to test changes though. I copied Dzida's changes into my local Ghidra, but the CPU32 option doesn't appear. There's a "reload Sleigh" script, in Ghidra's script manager, but running it doesn't make any difference.

The next thing, which I think is almost working, is figuring out how to label addresses in a Ghidra disassembly using scripts. For IDA Pro, I wrote a couple of scripts that generate IDC (IDA's scripting language), and for Ghidra I modified them to generate CSV files. DzidaV8 wrote a Ghidra script that imports CSV files. My CSV files only have two columns (address and name), but DzidaV8's script needs a couple more columns. I haven't looked into what those columns are yet.

Check out this thread here for what we have so far:
http://www.gearhead-efi.com/Fuel-Inject ... #post79631

DzidaV8 is interested in a different OS, but the scripts will work for any OS. One script needs an XDF and it produces a file with the addresses and names of every table and parameter. The other script needs the start-address of the PID function table (which is in the '603 XDF in the Github repo) and it produces a list with the address and PID name for the functions that handle PID queries. If we can import those lists into Ghidra we'll have a huge head start on reverse engineering.
I won't have much free time for the next week, so if you want to take a shot at bridging the gap between our scripts that would be cool. Even without CPU32 support you can still disassemble a decent amount of a PCM OS.


Re: 12587603 OS disassembly

Postby ColPaul » Thu Jan 16, 2020 1:07 pm

I had never thought to read through the kernel code. I did some reading today on your common.h, common.c and the MC68HC58 datasheet. I correlated the least significant address bit to the DLC ADDR0 and address bit 1 to the R/!W line. However, common.h also identified DLC_CONFIGURATION @ 0x00FFF600 and DLC_INTERRUPTCONFIGURATION @ 0x00FFF606. Are the address bits 2 and 3 connected to the DLC and if so how? I just assumed address bits 2 and 3 were not connected to the DLC so that both 0x00FFF600 and 0x00FFF606 referenced the same registers on 0x00FFF0C and 0x00FFF0E, respectively.

I'm a script kiddie and decent at adapting similar solutions from Googling. I'll work the PID script first and then the XDF import.


Re: 12587603 OS disassembly

Postby antus » Thu Jan 16, 2020 2:04 pm

The DLC addresses are base + offset. We know the base, so we've #defined all the registers even though they are not all used. It's not a single bit to address sort of thing. The low level hardware part is in place, so the code only needs to send and receive magic numbers (often bits, hence the masking) to the control registers and data to and from the FIFOs. It's easier to assign names to the registers in your tool of choice and then don't worry about the exact register addresses.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Re: 12587603 OS disassembly

Postby ColPaul » Fri Jan 17, 2020 1:21 pm

Antus take a look at the below PID import script and see if it works for you. I also loaded it at https://github.com/ColPaulR/Ghidra-Scripts-for-PCM-Hacking.

#Imports a file with lines in the form "PID# Description"
#@category Data
#@author

f = askFile("Select PID List File", "Go baby go!")

pid = {}
for line in file(f.absolutePath):  # note, cannot use open(), since that is in GhidraScript
    parts = line.strip().split(" ", 1)
    if len(parts) < 2:  # skip blank or malformed lines
        continue
    pid[int(parts[0], base=16)] = parts[1]

# PID function table: 308 entries of 8 bytes each, starting at 0x1f70
baseAddress = currentProgram.getAddressFactory().getAddress("0x1f70")
myListing = currentProgram.listing

for index in range(0, 308):
    # bytes 0-1 of the entry: parameter ID (big-endian)
    parameterId = myListing.getDataAt(baseAddress).getValue().getValue() << 8
    parameterId += myListing.getDataAt(baseAddress.add(1)).getValue().getValue()

    # bytes 5-7 of the entry: 24-bit address of the handler function
    functionAddress = myListing.getDataAt(baseAddress.add(5)).getValue().getValue() << 16
    functionAddress += myListing.getDataAt(baseAddress.add(6)).getValue().getValue() << 8
    functionAddress += myListing.getDataAt(baseAddress.add(7)).getValue().getValue()

    functionAddress &= 0xffffff
    functionName = "GetPid_" + hex(parameterId)

    if parameterId in pid:
        functionName += "_" + pid[parameterId]

    createLabel(currentProgram.getAddressFactory().getAddress("0x{:06x}".format(functionAddress)), functionName, False)

    baseAddress = baseAddress.add(8)


Re: 12587603 OS disassembly

Postby jlvaldez » Mon Jan 20, 2020 2:47 am

NSFW wrote:I'm trying to get my head around the Sleigh language, which is how processor instructions are modeled for Ghidra's disassembler:
https://ghidra.re/courses/languages/html/sleigh.html

I still don't see how to test changes though. I copied Dzida's changes into my local Ghidra, but the CPU32 option doesn't appear. There's a "reload Sleigh" script, in Ghidra's script manager, but running it doesn't make any difference.


NSFW,
To get CPU32 to show up in my Ghidra, I had to compile it with sleigh via the command line. Once compiled, it would show up in sleigh after a reboot (though I didn't notice the refresh button). Once it shows up in sleigh, it looks like you can simply recompile it to make it use the new file.

Path is <Ghidra root>/support/

You'll see the sleigh and sleigh.bat files.

Input it seems to want is:
./sleigh -DBaseDir=<path to Ghidra root directory (one directory above the support directory)> -i ../Ghidra/Processors/68000/data/sleighArgs.txt ../Ghidra/Processors/68000/data/languages/CPU32.slaspec ../Ghidra/Processors/68000/data/languages/CPU32.sla

This is where my help ends. I don't understand the sleigh language, but I haven't spent too much time looking into it.


ColPaul wrote:Antus take a look at the below PID import script and see if it works for you. I also loaded it at https://github.com/ColPaulR/Ghidra-Scripts-for-PCM-Hacking.

Nice,
I'm also working on some scripts for importing labels and functions from files.
For some reason, Ghidra does not seem to be able to import the symbol lists it can export (???). So I started a python script to do that. If you look at the symbol export csv, it has much more information than just name, address.

It's far from complete, but I was trying to get it to be able to import and retain the information about an address (data type, length, etc).
Attachment: ImportSymbolsCSV.zip (1.74 KiB)


Re: 12587603 OS disassembly

Postby ColPaul » Mon Jan 20, 2020 8:23 am

XDF Parsing script below. I also dropped it at https://github.com/ColPaulR/Ghidra-Scripts-for-PCM-Hacking/blob/master/ImportXDF.py

# Imports labels from a TunerPro XDF: one label per flag, constant and table
#@author
#@category Data
#@keybinding
#@menupath
#@toolbar

import xml.etree.ElementTree as ET

def SanitizeName(myName):
    # keep letters, digits and underscores, turn spaces into underscores, drop the rest
    # (underscores must be kept, otherwise the "CurveTable_" prefixes below lose theirs)
    myOut = ""
    for c in myName:
        if c == " ":
            myOut += "_"
        elif c.isalnum() or c == "_":
            myOut += c
    return myOut

def LabelAt(mmeaddress, name):
    # replace whatever is defined at the address with a single named label
    print "createLabel(" + mmeaddress + ", " + name + ", False)"
    address = toAddr(mmeaddress)
    removeDataAt(address)
    createLabel(address, name, False)

filename = (askFile("Select XDF List File", "Go baby go!")).toString()

tree = ET.parse(filename)
root = tree.getroot()

for i in root.iter('XDFFLAG'):
    mask = i.find('mask').text
    title = i.find('title').text
    embeddeddata = i.find('EMBEDDEDDATA')
    mmeaddress = embeddeddata.get('mmedaddress')

    # at least 1 line in XDF was missing mmeaddress
    if mmeaddress is None:
        continue
    LabelAt(mmeaddress, SanitizeName("Flag " + mask + " " + title))

for i in root.iter('XDFCONSTANT'):
    title = i.find('title').text
    embeddeddata = i.find('EMBEDDEDDATA')
    size = embeddeddata.get('mmedelementsizebits')
    if size is None:
        continue

    mmeaddress = embeddeddata.get('mmedaddress')
    if mmeaddress is None:
        continue
    LabelAt(mmeaddress, SanitizeName("Constant" + size + " " + title))

# Ported from the PowerShell XDF script: the table data lives at the last axis (z);
# the x and y axes give the column and row counts, which decide the table type name.
for i in root.iter('XDFTABLE'):
    rows = 0
    columns = 0
    axis = i.findall('XDFAXIS')
    if len(axis) == 0:
        continue

    data = axis[-1].find('EMBEDDEDDATA')
    mmeaddress = None if data is None else data.get('mmedaddress')
    if mmeaddress is None:  # table without a data address cannot be labelled
        continue

    for myaxis in axis:
        indexcount = myaxis.find('indexcount')
        if indexcount is None:
            continue
        count = int(indexcount.text)
        if myaxis.attrib.get('id') == 'x':
            columns = count
        elif myaxis.attrib.get('id') == 'y':
            rows = count

    if columns == 1:
        if rows == 1:
            name = ""  # this is a checksum 'table' and the name will be clear enough
        else:
            name = "CurveTable_" + str(rows) + "_Rows"
    else:
        if rows == 1:
            name = "CurveTable_" + str(columns) + "_Columns"
        else:
            name = "SurfaceTable_" + str(columns) + "x" + str(rows)

    title = i.find('title')
    if title is not None:
        name += "_" + title.text

    LabelAt(mmeaddress, SanitizeName(name))


Re: 12587603 OS disassembly

Postby ColPaul » Tue Jan 21, 2020 12:49 am

I was reading on the MC68HC58, but it appears that the P59 units have a different DLC. Can anyone point me to the IC specs and possibly a user's manual for the DLC? Thanks to Antus for the 12202088.annotated.asm file. I'm cross-walking it with the 603 binary.
