GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

[In-Tech]

Badass Tazman, it's quite a bit to devour. It's quite amazing how much different this is.
I don't have any T87a's to help with.
I haven't cut open an e92 and it doesn't look like I need to unless there is something you would like me to test. The only weird thing I can report, if it matters, is the e39a and the e92a on keyon draws quite a few thousand ma compared to the earlier versions and then settles back to a small ma draw. Basically as if they are charging some caps. A hardware look is probably in order and I apologize I haven't had the time to do much lately
Let us know whatever we can do to help

[Tazzi]

Thanks for the insight In-Tech!,

I was told about the T87a lock situation and figured it would be interesting to investigate. Iv got one on the way over to me so I can tear it apart. See if I cant BDM/JTAG it and/or start messing with the stuff I have posted. Im feeling kinda confident about the recovery mode situation as usually recovery code is wanting to accept anything to get it back up and running.

[Tazzi]

Only other option I didnt consider is if the back lid is being removed and a BDM/JTAG device is being installed to dump the flash, edit the secure bootloader and flashing back in. I mean.. 10mins with a heatgun.. doesnt take much.

[In-Tech]

Hiya,
I just ran another test, not sure if it matters. On the e92a, battery on, negligent power absorption like all the other gm controllers. Key on is many ma as mentioned. BUT this only happens once. If you key on later, the caps must already be charged. Doubtful this has anything to do with security, just thought I would mention since the earlier controllers don't do this.
Tazzi and others... I have access, via a salvage yard supplier, to a lot of controllers on the cheap. Let me know what I can do to help from this side of the planet

[Tazzi]

Hiya,
I just ran another test, not sure if it matters. On the e92a, battery on, negligent power absorption like all the other gm controllers. Key on is many ma as mentioned. BUT this only happens once. If you key on later, the caps must already be charged. Doubtful this has anything to do with security, just thought I would mention since the earlier controllers don't do this.
Tazzi and others... I have access, via a salvage yard supplier, to a lot of controllers on the cheap. Let me know what I can do to help from this side of the planet

I think I have most things covered currently. The E41 I bought got refunded as it was "miss placed". I think its more the fact I got a dirt cheap price and they didnt want to let it go.

But as for the T87a, since it uses a spc564a80l7 processor, seems one could use a PEmicro tool and software: http://www.pemicro.com/products/product ... oductTab=3
Even havs a free 64k starter edition so... gonna try hookup to it and dump memory.

Looking at the supported algos.. we have:
ST SPC564A80 1x32x1024k ST_SPC564A80_1x32x1024k.pcp 1.09 12/16/2016
ST SPC564A80 1x32x1024k ST_SPC564A80_1x32x1024k_CFlash.pcp 1.10 07/10/2017 desc=CFlash
ST SPC564A80 1x32x4k ST_SPC564A80_1x32x4k_Shadow0_Blk.pcp 1.10 07/10/2017 desc=Shadow0_Blk
ST SPC564A80 1x32x4k ST_SPC564A80_1x32x4k_Shadow1_Blk.pcp 1.10 07/10/2017 desc=Shadow1_Blk

[Tazzi]

seems easy enough....

pic1.PNG (371.26 KiB) Viewed 3968 times

pic2.PNG (40.64 KiB) Viewed 3968 times

[Tazzi]

Another option is the BAM implementation which seems to allow flashing over CANBus when put into BAM mode: https://www.st.com/resource/en/data_bri ... lasher.pdf

Watched this great vid of an E41 tear down: https://www.youtube.com/watch?v=_SCJzzQckCA
Attempts to attack the BAM, which is locked with a different password to default.

So... one would 'assume' the T87a is doing the same. But never a good thing to assume.

Again, attacking via a recovery mode may hold the answers

Dayum, he managed to get into a locked jtag with glitching: https://eprint.iacr.org/2020/937.pdf

In one of the videos, I believe he described each ecu having a custom password from what he saw in power analysis. So even finding one doesnt mean it works for them all.
I dont believe his documents explicitly state if it is the same or not, but having to do that on every device to rip out the private password to gain access, then modify the boot code.. seems pretty incredible??

Starting to feel more likely towards a recovery state being taken advantage of to upload custom code maybe?

[Hexadecimal]

How can I get my hands on a license for this software? Can it do e37 ecu? Also does clone work on serial number and VIN?

[Tazzi]

How can I get my hands on a license for this software? Can it do e37 ecu? Also does clone work on serial number and VIN?

As seen in the thread title, currently only does E38 and E67.

I have not added support for any other ecu at this time.

[Hurst_CE_TA]

Does this do a 100% complete clone of E38 ecm?

I have io Terminal and I was told it could not read and write a couple of sectors and could not be 100% cloned.

I see you are working on transmission stuff as well. Do you want any bin files of gas 6 speed controllers?