HOW TO: Reverse Engineering An LS1 Computer

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6


Post by bubba2533 »

I have been wanting to create something to help others get started with reverse engineering for a while now.

So here is my first video on how to get Ghidra set up and ready to go. Please leave feedback, as I know I'm not an expert and definitely made mistakes.

HOW TO: Reverse Engineering An LS1 Computer Part 1

Here is the video description text:
LS1 PCM Hacking with Ghidra

1. Software Setup

a. Download Ghidra https://github.com/NationalSecurityAgen ... .1.2_build
b. Download CPU32 Instructions (Requires PCMHacking.com Account) viewtopic.php?f=42&t=6626&start=10#p104736
c. Copy CPU32 Instructions to Ghidra

2. Start Ghidra Project

a. Open Ghidra (ghidraRun.bat)
b. Create New Project
c. Import Bin File
d. Create RAM Memory Blocks

3. Reference Docs/Websites

a. Bin File Repository https://github.com/BoredTruckOwner/LS_B ... Repository
b. MCU 68376 User Manual https://www.nxp.com/docs/en/user-guide/MC68336376UM.pdf
c. CPU32 Instruction Reference Manual https://www.nxp.com/docs/en/reference-m ... 000PRM.pdf
d. OBD-II PID Listing http://www.dashlogic.com/docs/technical/obdii_pids
e. Ghidra Cheat Sheet https://ghidra-sre.org/CheatSheet.html

I would like to create more videos like this on different parts of the reverse engineering process, so if you have ideas or things you would like to see, let me know.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by ironduke »

Thank you!!! Away on vacation with nothing but an iPad and limited spare time but I can’t wait to read and review all of this!!
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by antus »

Great, thanks for this. I'll add it to the FAQ shortly. FYI, you don't need an account to download here; downloads are open (I'll only change that if it becomes a problem). I don't want everyone to have to jump through the signup process if they are not going to contribute and just want a file.

I also think the BoredTruckOwner repo is dead, but don't have a better suggestion at the moment.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
RADustin
Posts: 162
Joined: Fri Oct 17, 2014 9:44 am

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by RADustin »

Many thanks to you and NSFW for all the contributions and help. I was expecting to take a month to figure out my OS changes for the AC logic, and I did it in less than a week, from installing Ghidra and using it for the first time to testing the OS.

I'll add the label .txt file here as well. Using the 'dumpster dive' CSV for P59 OS 7603 (thanks to NSFW) I parsed it into an agreeable format so that the prewritten Ghidra script would run it.

The Ghidra script is 'ImportSymbolsScript.py'. Run it from the script manager and it'll prompt you to open a file; use the attached file. This process will overlay the entire contents of the CSV into Ghidra and instantly make the code more human readable. This file only works for P59 OS 7603. I would suggest most people start there until we can locate more of these dumpster dive files for other OSs.

Antus has posted this link before for learning 68k assembly. It is VERY useful at breaking things down into manageable bits of info so that a regular person can learn it. I like the tests that it has.
https://mrjester.hapisan.com/04_MC68/

Also, this link is useful, especially for following what the program counter is doing for each command:
http://68k.hax.com/

This link is for how Ghidra labels variables and functions and such:
https://github.com/NationalSecurityAgen ... Labels.htm
Attachments
12587603 for script.txt
(191.59 KiB) Downloaded 173 times
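
The CSV-to-label-file conversion described in the post above, as an added example (not RADustin's parser and not the attached file): it produces the whitespace-separated `name address` lines that Ghidra's ImportSymbolsScript.py reads. The CSV column names `Address` and `Name` and every sample value are assumptions, since the thread does not show the CSV layout.

```python
import csv
import io
import re

# Constructed sample. The thread does not show the CSV layout, so the
# "Address"/"Name" columns and every value below are assumptions.
SAMPLE_CSV = """Address,Name
0x00FFA2B4,Engine Speed (RPM)
$00FFA2B8,Coolant Temp
00FFA2B8,Coolant Temp
0001C3F0,AC_Request_Logic
zzzz,Bad Row
00FFA300,
"""

def clean_name(raw):
    # The import script splits each line on whitespace, so a label must be
    # a single token: collapse anything outside [A-Za-z0-9_.] to "_".
    return re.sub(r"[^A-Za-z0-9_.]+", "_", raw.strip()).strip("_")

def parse_address(raw):
    # Accept "0x1234", "$1234" or bare hex; return None if it is not hex.
    text = raw.strip().lstrip("$")
    try:
        return int(text, 16)
    except ValueError:
        return None

def csv_to_symbol_lines(csv_text):
    """Return (lines, skipped_row_numbers) for a name/address CSV."""
    lines, skipped, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        addr = parse_address(row.get("Address") or "")
        name = clean_name(row.get("Name") or "")
        if addr is None or addr < 0 or not name:
            skipped.append(row_no)      # report instead of silently dropping
            continue
        if (name, addr) in seen:        # exact duplicate row
            continue
        seen.add((name, addr))
        lines.append("%s 0x%08X" % (name, addr))
    return lines, skipped

if __name__ == "__main__":
    out, bad = csv_to_symbol_lines(SAMPLE_CSV)
    print("\n".join(out))
    print("skipped CSV rows:", bad)
```

Reviewing the skipped row numbers before importing shows which CSV entries will not appear as labels in the disassembly.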
MudDuck514
Posts: 397
Joined: Wed Jul 05, 2017 8:30 am
cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E
Location: North TX, USA

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by MudDuck514 »

antus wrote: Great, thanks for this. I'll add it to the FAQ shortly. FYI, you don't need an account to download here; downloads are open (I'll only change that if it becomes a problem). I don't want everyone to have to jump through the signup process if they are not going to contribute and just want a file.

I also think the BoredTruckOwner repo is dead, but don't have a better suggestion at the moment.
Hi all;

Antus, by "dead" do you mean not accessible?
Or not updated in over a year!?

Both it, and Snowman's haven't been updated lately, but I CAN still access them both!

Mike
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by Tazzi »

I love this!!!!!! Awesome guide!!!!!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by antus »

Yes, both repos are out of date. I'm stickying threads that are maintained here so they can be found, but nobody is tracking the latest and best XDFs at this stage that I am aware of.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by gmtech825 »

One issue I've found using Ghidra for this is that the tblu and tbls instructions don't disassemble properly, especially when register A2 is involved. Instead of referencing A2 for the tbl, it points to address 0x00000002. I'm currently trying to figure out how to fix this.

Anyone else seeing this issue?


EDIT: This seems to be happening for all address registers for tbl instructions.
exo3901
Posts: 13
Joined: Fri Feb 11, 2022 2:00 am

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by exo3901 »

I don’t really know what I am doing, but yea, same issue with the tbl stuff. I found an IDA disassembly and tried patching the Ghidra side to be comparable. No idea if that is correct or not. I’m focusing on trying to find and understand the shift routines, but pressure and shift speed tables don’t even show references? I have a lot of learning to do.

To OP, thanks for the walk through and the labeling script!
RADustin
Posts: 162
Joined: Fri Oct 17, 2014 9:44 am

Re: HOW TO: Reverse Engineering An LS1 Computer

Post by RADustin »

gmtech825 wrote: One issue I've found using Ghidra for this is that the tblu and tbls instructions don't disassemble properly, especially when register A2 is involved. Instead of referencing A2 for the tbl, it points to address 0x00000002. I'm currently trying to figure out how to fix this.

Anyone else seeing this issue?


EDIT: This seems to be happening for all address registers for tbl instructions
Have you loaded up NSFW's CPU32 instructions?
viewtopic.php?f=42&t=6626&start=10#p104736

Seems to work for bigger tables, but I still wish I could get nibble or bit mapped tables to disassemble. I'd like to learn more about the send/receive Class 2 data messages for gauges and BCM comms and whatnot.