Tazzi wrote: I think I have also extracted the kernel... although no way of verifying without simulating a module on bench.

Can you post it?
If you got it by recording the messages from a reflash session I'd love to see that too.
NSFW wrote: Can you post it? If you got it by recording the messages from a reflash session I'd love to see that too.

I had no module data to simulate on the bench so can't grab a full reflash session, but attached is kernel, or at least one of them that gets sent in a session.
I wonder if mode 35 could be used to read the existing firmware.

The module id is $28. You can quiet the bus and poll the ebcm what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCM have built in mode 35 support, so it is worth trying.
kur4o wrote: The module id is $28. You can quiet the bus and poll the ebcm what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCM have built in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE

Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to reach every 256-byte chunk from 0-512kb and they all failed.
NSFW wrote: Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to reach every 256-byte chunk from 0-512kb and they all failed.

To confirm, is there not a way to use a J2534 device to monitor bus traffic? I haven't sat down and played with the dll shim thing for J2534 to sniff the api calls, but I can use Tech2Win and try to sniff the PIDs from the ABS module.
I've been trying a bunch of things, using PCM Hammer's core code and changing the device ID from 10 to 28...
The first thing I tried was to read a PID, but I just got a 7F response. This is annoying because I have a list of PIDs that the ABS is supposed to support. But apparently it doesn't support the "get one PID" messages that the PCM supports. This is the query for PID 0x0001:
[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11
I also tried removing the final 0x01 in the request message (not sure why the PCM needs it), but that made no difference.
So I tried to check for trouble codes and this actually worked, and indeed the ABS unit in my C5 has no codes. (If it said it had DTCs that would be a surprise.)
Good news: I'm supposed to receive a 2002 ABS unit tomorrow.
Bad news: I won't have much time for car hacking stuff for another week or so.
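
Added example (not code from this thread or from PCM Hammer): a small parser for log lines in the format posted above that builds the `6C 28 F0 XX` mode probe and sorts the module's replies into rejected (`7F`) and accepted. The function names are hypothetical, and two points are assumptions rather than statements from the thread: the last byte after `7F` is treated as a response code, and an accepted request is assumed to be answered with mode + 0x40.

```python
import re

TOOL, EBCM = 0xF0, 0x28   # ids as used in the thread: tool $F0, ABS module $28
LINE = re.compile(r"\[[\d:]+\]\s+(TX|RX):\s+(.*)")
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def mode_request(mode):
    """Build the probe frame from the thread: 6C 28 F0 XX, XX = mode."""
    return bytes([0x6C, EBCM, TOOL, mode])

def parse_log(text):
    """Yield (direction, bytes) per hex line; AT commands are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        body = m.group(2).replace(" ", "")
        if HEX.fullmatch(body):
            yield m.group(1), bytes.fromhex(body)

def classify(frame, module=EBCM):
    """Classify one received frame; None if it is not module -> tool."""
    if len(frame) < 4 or frame[1] != TOOL or frame[2] != module:
        return None
    data = frame[3:]
    if data[0] == 0x7F:
        # Rejection: 7F, then the echoed request; last byte taken as the code.
        mode = data[1] if len(data) > 1 else None
        code = data[-1] if len(data) > 2 else None
        return {"ok": False, "mode": mode, "code": code}
    # Assumption: an accepted request is answered with mode + 0x40.
    mode = data[0] - 0x40 if data[0] >= 0x40 else None
    return {"ok": True, "mode": mode, "code": None}

def summarize(text):
    """Classify every RX frame in a log excerpt, in order."""
    out = []
    for direction, frame in parse_log(text):
        result = classify(frame) if direction == "RX" else None
        if result is not None:
            out.append(result)
    return out

# First three lines are the excerpt posted in the thread; the last is constructed.
SAMPLE = """\
[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11
[10:16:09:100] RX: 6C F0 28 60
"""
```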