IPC Hammer

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

You can get it at https://github.com/mikebb203/IPC-Hammer. It won’t program a trailblazer yet.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

Looking at your file. It looks like you dumped the bootloader and calibration. The bootloader starts at 0x0000 and the calibration starts at 0x4000. The OS starts at 0x18000 and ends at 0x1FFFF. I believe that the ram starts at 0xC000.
darkman5001
Posts: 212
Joined: Sat Dec 18, 2021 8:15 am
cars: 2004 Suburban, 2001 Tahoe, 2002 Envoy, 2006 Envoy, 2003 Lincoln LS
Location: New Jersey, USA

Re: IPC Hammer

Post by darkman5001 »

kur4o wrote:Is there any source for precompiled version of IPC hammer.

Might test it on 2002 trailblazer IPC.

I made a dump of this ipc but is not complete. Some data is missing. Cal segment is full and there is what seems like ram at c000 and eeprom at e000.

Kur4o, how did you get the dump? JTAG, BDM?
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

I use minimon from Infineon with a usb to serial adapter. Fixed until broken on YouTube has videos on how to do it.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: IPC Hammer

Post by kur4o »

With some hints from bbmike, I managed to get the full dump. Last attempt I did was upto 18000 address, just where the os starts.

Now I got a full dump but still can`t figure the checksum range of OS.

I also tested the ipchammer, some functions work, others not, On read properties it stops, when there is a negative 7f response. Maybe some exception can be added, so info from non fully supported ipcs still can be read.

The other questions how the dump was got. I made a script to read it via mode22 messages, and compile the messages to a bin file. Slow[10-20mins] but efficient way to get the full dump[including ram] on a running ipc.

Here is the full dump.
Attachments
ipc_dump_18000-30000.rtf.bin
(192 KiB) Downloaded 235 times
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: IPC Hammer

Post by In-Tech »

Hiya,
Are you running into a security issue with the dump? What is the address for the serial i/o? I might be able to help with an old serial dumper that doesn't require Rom info.

edit,
It's a bit toggler breach, I am not sure it will work in this environment. I will have to dig into old VB stuff to make an app to work.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

The os checksum should be from 0x18002 to the last byte before the 0xC3A5 at the end of the os. If you change the 0xC3A5 at the end of the os and make a bin with just the os the test checksum button in ipchammer should work to calculate the checksum.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: IPC Hammer

Post by kur4o »

Hi mike, I tested the ipc hammer and it says it finds correct checksum. I did try to do some manual calculations and the all known methods for gm failed.
Can you disclose what method is being used here. I want to add it to universal patcher for easier checksum correction.

In the dump I posted the boot block have some range missing. I think it is locked for reading via mode22. The range is 8000-bfff.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

I’ll have to look for the checksum math. The range of 8000-bfff would be used for external access. I don’t think the clusters use the external bus. All the boot loader is in 0-3fff. The calibration should be in 4000-7fff.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: IPC Hammer

Post by bbmike »

If I remember correctly you have to do 16 bit big endian sum and then 2’s complement.
Post Reply