LB7 Duramax E54 ECU

[In-Tech]

Are you saying PcmHammer created them bins??

Naw, you gotta be talking about the title ... I can't believe PcmHammer read the E54 yet.

No, sorry, those are .bin files I found somewhere. I've got a few logs to post shortly. The earlier .bin I posted, I read out using a different program.

[In-Tech]

Here are two that both provide interesting results with the changes in PCM Hammer for testing.

The one with the 020202 timestamp was with using the bootpin and it loaded the kernel
The one with the 020743 timestamp was with using the correct key F81F and it 7F'd the kernel load.

PcmHammer_debugLog_20200714@020202.txt

(34.84 KiB) Downloaded 171 times

PcmHammer_debugLog_20200714@020743.txt

(123.73 KiB) Downloaded 159 times

[antus]

Code: Select all

[02:00:59:320]  TX: 6C 10 F0 3D 01
[02:00:59:350]  RX: 8C F0 10 7F 3D 01 11
[02:00:59:350]  Received an unexpected response. Attempt #1, status UnexpectedResponse.

Yeah thats almost certainly from the factory OS after a crash and reboot, because it doesnt know what the mode 3D requests which we used for the pcmhammer kernel are about.

[In-Tech]

Without correct key to unlock-Bootpin used

[02:00:46:868] Requesting permission to upload kernel.
[02:00:46:868] TX: 6C 10 F0 34 00 10 00 FF 80 00
[02:00:46:878] RX: 6C F0 10 74 00 44
[02:00:46:878] Found response, Success
[02:00:46:878] Upload permission granted.

Kernel Sent-Part A,
[02:00:47:758] RX: 6C F0 10 76 00 78
[02:00:47:758] Found response, Success
[02:00:47:758] Kernel upload 48% complete.

Kernel Sent-Part B,
[02:00:48:678] RX: 6C F0 10 76 80 74 <<<<<<<<<< Doesn't 80 mean it is executing?
[02:00:48:678] Found response, Success
[02:00:48:678] Kernel upload 100% complete.
[02:00:48:688] TX: 6C 10 F0 3D 00 <<<<<<<<<< Yep, doesn't know what to do with the 3D command yet


With correct key to unlock

[02:05:51:437] Requesting permission to upload kernel.
[02:05:51:447] TX: 6C 10 F0 34 00 10 00 FF 80 00
[02:05:51:467] RX: 6C F0 10 74 00 42 <<<<<<<<<< where did this 42 come from?
[02:05:51:467] Found response, Success
[02:05:51:467] Upload permission granted.

Kernel Sent-Part A,
[02:05:52:347] RX: 6C F0 10 7F 34 00 10 00 FF 80 22
[02:05:52:347] Ignoring message: UnexpectedResponse 6C F0 10 7F 34 00 10 00 FF 80 22 <<<<<<<<<< The dreaded 7F

[antus]

Ok let me add some comments as I see it:

Without correct key to unlock-Bootpin used

[02:00:46:868] Requesting permission to upload kernel.
[02:00:46:868] TX: 6C 10 F0 34 00 10 00 FF 80 00 # Tool F0 asks PCM 10 "Can I upload (34) 4k (001000) of data to address FF8000?"
[02:00:46:878] RX: 6C F0 10 74 00 44 # PCM 10 replys to tool F0 with a response of 34+40 = 74, good response - yes you can, with 00 44 additional information of some type which may be in an SAE document somewhere
[02:00:46:878] Found response, Success
[02:00:46:878] Upload permission granted.

Kernel Sent-Part A,
[02:00:47:758] RX: 6C F0 10 76 00 78 # your 36 send gets a 36+40=76 response, upload OK
[02:00:47:758] Found response, Success
[02:00:47:758] Kernel upload 48% complete.

Kernel Sent-Part B,
[02:00:48:678] RX: 6C F0 10 76 80 74 <<<<<<<<<< Doesn't 80 mean it is executing? # Probably, ive not paid attention but 80 contains 1 bit set which is the execute bit on upload, so that would make sense. The 36+40=76 is enough to know that what we asked was successful and we asked for load an execute.
[02:00:48:678] Found response, Success # kernel is executing on the pcm
[02:00:48:678] Kernel upload 100% complete. # And probably crashes rebooting the pcm in to the factory OS
[02:00:48:688] TX: 6C 10 F0 3D 00 <<<<<<<<<< Yep, doesn't know what to do with the 3D command yet # Yep...


With correct key to unlock

[02:05:51:437] Requesting permission to upload kernel.
[02:05:51:447] TX: 6C 10 F0 34 00 10 00 FF 80 00 # Can we upload... as above?
[02:05:51:467] RX: 6C F0 10 74 00 42 <<<<<<<<<< where did this 42 come from? # 34+40=74 means 'yes', the 00 42 Probably means something to do with the security challenge that preceded this, but does not change that its still a good response. Perhaps the ultimate and correct security answer, eg hitchhikers guide to the galaxy[1]
[02:05:51:467] Found response, Success
[02:05:51:467] Upload permission granted.

Kernel Sent-Part A,
[02:05:52:347] RX: 6C F0 10 7F 34 00 10 00 FF 80 22
[02:05:52:347] Ignoring message: UnexpectedResponse 6C F0 10 7F 34 00 10 00 FF 80 22 <<<<<<<<<< The dreaded 7F

[1] good book, and its rumoured that author Douglas Adams, when he came up with 42, even though its meant to make no sense in the context of the book, was referring to ascii code 42 which is the * symbol, meaning wildcard 'everything'

[Gampy]

I'm going to pull out the big gun, the micro kernel ...

Smaller memory foot print.
Single packet upload.

And get it to talk then go from there ...

[antus]

Maybe we need to load it higher, the last load error shows address FF 80 22, which seems like an odd place to write too, perhaps we've corrupted the running OS.

[In-Tech]

I'm going to pull out the big gun, the micro kernel ...

Smaller memory foot print.
Single packet upload.

And get it to talk then go from there ...

Good idea, it would at the minimum confirm timing or security issues causing that 7F.

Maybe we need to load it higher, the last load error shows address FF 80 22, which seems like an odd place to write too, perhaps we've corrupted the running OS.

Where were you seeing that?

edit, I see it now, surely we can spare 22 bytes?

[In-Tech]

RX: 6C F0 10 7F 34 00 10 00 FF 80 22

Are we sure that's not the response code for the Mode $34 we sent in?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This shows an example of a Mode $3B request containing 8 data bytes. Four
valid general response messages are shown, with others possible to be defined by the vehicle manufacturer.
Note that the response code is always the last data byte of the response message.

[In-Tech]

More to do with kernel stuff and since I used to do everything in assembly back in the day, does anyone have Mot68xxx chart of mnemonics and hex opcodes? Everything I've found has mnemonics and binary but no hex. Would love to have alphabetic mnemonics to hex and also alphanumerical hex to mnemonic.
I can't believe it's so hard to find I imagine it's in somebody's disassembler but I haven't gotten that far yet.
Something like: alphabetic mnemonic, binary, hex, description, length etc then numeric hex first etc

nop 0100 1110 0111 0001 4E71
rte 0100 1110 0111 0011 4E73
rtr 0100 1110 0111 0111 4E77
rts 0100 1110 0111 0101 4E75

I understand there are 16 bit opcodes and some with words(16bit) or large words(24bit or 32bit) after, I like to see things visually.

I'd sure appreciate it.