Reverse Engineering 12587603

They go by many names, P01, P59, VPW, '0411 etc . Circa 1999 to 2006. All VPW OBD2 PCMs.
User avatar
Posts: 400
Joined: Fri Feb 02, 2018 3:13 pm

Reverse Engineering 12587603

Postby NSFW » Sun Apr 19, 2020 8:22 am

12587603 is the P59 operating system that is available in pretty much every combination of throttle and transmission, so I think it's the one to focus on for P59 hacking.

So I opened one in IDA Pro and did the following:

* Used DzidaV8's XDF to label a bunch of tables and constants
* Used the table of PIDs in the bin file to label the functions that handle those PIDs.
* Disasssembled everything I could.

Then I exported an IDC file for anyone who wants a head start digging into it with IDA.
Then I exported an ASM file for anyone who wants to get pitch in and doesn't have IDA.

When Ghidra supports the table-lookup opcodes, I'll find a way to convert the IDC file into something that Ghidra can support, and that will make this easier (and so much cheaper) for everyone.

https://github.com/LegacyNsfw/12587603
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

Posts: 9
Joined: Sat Apr 11, 2020 1:54 pm

Re: Reverse Engineering 12587603

Postby tkelly2784 » Sun Apr 19, 2020 1:23 pm

This may not belong here, your disassembly helped me verify some of the work I did today, thank you.

First the MAP sensor scaling was multiplied by 4 in tunerpro, either xdf works for this. Then I verified that ~1.25V into the sensor maxes out the value in the data logger, it does. This means the kPa * 51.2 number is much bigger. So then I looked to find where it was being limited.


Looking here

loc_80960: ; CODE XREF: sub_8093C+1Aj
move.w (Constant16_C6302___MAP_Sensor_Offset).l,d5
ext.l d5
move.w (Constant16_C6301___MAP_Sensor_Scaler).l,d3
mulu.w ($FFFFB28E).w,d3
lsr.l #8,d3
lsr.l #8,d3
add.l d5,d3
tst.l d3
blt.s loc_80990
cmpi.l #$FFFF,d3
bhi.s loc_8098A
cmpi.w #$14FF,d3
bls.s loc_80992

loc_8098A: ; CODE XREF: sub_8093C+46j
move.w #$14FF,d3
bra.s loc_80992

this code is identical to the 2088 MAP sensor update routine. To allow a higher map scaling I took the code

0C 43 14 FF 63 08 36 3C 14 FF

at 8080A and turned it into

0C 43 53 FC 63 08 36 3C 53 FC

There were 2 other places where this was changed

80986 & 80a2c

80986 looks consistent with the * 25.6 value storage. 80a2c is a mystery to me, but I did it anyway because it had a routine that looked like it limited the MAP. For all I know it's some other sensor.

The result? The datalogger now reads kPa up to 255, then wraps around up to 135ish, so 390kPa. That's plenty to pop a head gasket with. Next is to aim the VE table lookup somewhere else. It should run like this with a 4bar map and a stock engine.

Next I will move the table lookups to aim at a part of the empty rom. I have been using UniversalPatcher for the checksums and it seems to work good. If it can handle a table swap I will be really impressed. I will test the non-checkum in patcher, but not on a working box. This is going too well.

User avatar
Posts: 400
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Postby NSFW » Mon Apr 20, 2020 4:30 am

Cool. :)
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

Posts: 156
Joined: Sun Apr 10, 2016 9:20 pm

Re: Reverse Engineering 12587603

Postby kur4o » Mon Apr 20, 2020 6:35 am


User avatar
Posts: 400
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Postby NSFW » Tue Apr 21, 2020 12:23 pm

Also cool!
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

User avatar
Posts: 400
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse Engineering 12587603

Postby NSFW » Fri Apr 24, 2020 10:38 am

I was sent a file containing addresses, names, and some comments for what appears to be the entire calibration segment. It's kind of amazing. I'm guessing somebody went dumpster-diving outside a GM building 15+ years ago and hit the jackpot. I won't mention any names, but the person who sent it can chime in if they choose to.

Last night I made a script that turns it into an IDC file (12587603.csv.idc), and just now I added the CSV, IDC, and PS1 files to the GitHub repo linked in the first post of this thread, plus a re-generated ASM file.

Merging this with your own work might be tricky. I wanted to preserve the table names from my existing IDA project, since they came from an XDF, have mixed-case names (GM was really fond of ALL_CAPS_EVERYWHERE), and the names include row/column info, etc, so here's what I did:

1) Dump my existing IDA project to an IDC file (temp.idc).
2) Run 12587603.csv.idc
3) Run temp.idc

So now I have XDF-based names for everything that was in the XDF, and GM's names for everything else.

You can sorta get a sense of what's going on in lots of arbitrary sections of code now, just by looking at the names of the parameters that are referenced. I don't have any great new discoveries to share, but with this info I'm pretty sure it's going to be a whole lot easier to discover anything you want.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

Posts: 49
Joined: Sun May 11, 2014 6:36 pm

Re: Reverse Engineering 12587603

Postby Highlander » Fri Apr 24, 2020 12:32 pm

This is actually very good...

Posts: 49
Joined: Sun May 11, 2014 6:36 pm

Re: Reverse Engineering 12587603

Postby Highlander » Fri Apr 24, 2020 12:37 pm

NSFW wrote:Cool. :)

bra = branch.... its jumping to that location.

Posts: 49
Joined: Sun May 11, 2014 6:36 pm

Re: Reverse Engineering 12587603

Postby Highlander » Fri Apr 24, 2020 12:38 pm

anyone here have the 12592425 os for regular c5?

Apparently there is a fix for power consumption when off and its essentially the same os as 12587603

Posts: 139
Joined: Mon Mar 09, 2020 4:35 pm

Re: Reverse Engineering 12587603

Postby In-Tech » Fri Apr 24, 2020 3:11 pm

Let's see if I did this correctly. I used the universal patcher program.
12592425.rar
(208.74 KiB) Downloaded 14 times

Next

Return to GM LS1 512Kbyte and 1Mbyte

Who is online

Users browsing this forum: No registered users and 1 guest