GM E38 E67 E40 Kernel/Bootloader Development Extravaganza
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Badass Tazman, it's quite a bit to devour. It's quite amazing how different this is.
I don't have any T87a's to help with.
I haven't cut open an e92 and it doesn't look like I need to unless there is something you would like me to test. The only weird thing I can report, if it matters, is that the e39a and the e92a on key-on draw quite a few thousand mA compared to the earlier versions and then settle back to a small mA draw. Basically as if they are charging some caps. A hardware look is probably in order and I apologize I haven't had the time to do much lately.
Let us know whatever we can do to help
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Thanks for the insight In-Tech!
I was told about the T87a lock situation and figured it would be interesting to investigate. I've got one on the way over to me so I can tear it apart. See if I can't BDM/JTAG it and/or start messing with the stuff I have posted. I'm feeling kinda confident about the recovery mode situation as usually recovery code is wanting to accept anything to get it back up and running.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Only other option I didn't consider is if the back lid is being removed and a BDM/JTAG device is being installed to dump the flash, edit the secure bootloader and flash it back in. I mean.. 10 mins with a heat gun.. doesn't take much.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Hiya,
I just ran another test, not sure if it matters. On the e92a, battery on, negligible power absorption like all the other GM controllers. Key-on is many mA as mentioned. BUT this only happens once. If you key on later, the caps must already be charged. Doubtful this has anything to do with security, just thought I would mention it since the earlier controllers don't do this.
Tazzi and others... I have access, via a salvage yard supplier, to a lot of controllers on the cheap. Let me know what I can do to help from this side of the planet
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
I think I have most things covered currently. The E41 I bought got refunded as it was "misplaced". I think it's more the fact I got a dirt cheap price and they didn't want to let it go.
In-Tech wrote:
Hiya,
I just ran another test, not sure if it matters. On the e92a, battery on, negligent power absorption like all the other gm controllers. Key on is many ma as mentioned. BUT this only happens once. If you key on later, the caps must already be charged. Doubtful this has anything to do with security, just thought I would mention since the earlier controllers don't do this.
Tazzi and others... I have access, via a salvage yard supplier, to a lot of controllers on the cheap. Let me know what I can do to help from this side of the planet
But as for the T87a, since it uses an SPC564A80L7 processor, seems one could use a PEmicro tool and software: http://www.pemicro.com/products/product ... oductTab=3
Even has a free 64k starter edition so... gonna try hooking up to it and dumping memory.
Looking at the supported algos.. we have:

Device        Geometry     Algorithm file                          Ver   Date        Description
ST SPC564A80  1x32x1024k   ST_SPC564A80_1x32x1024k.pcp             1.09  12/16/2016
ST SPC564A80  1x32x1024k   ST_SPC564A80_1x32x1024k_CFlash.pcp      1.10  07/10/2017  CFlash
ST SPC564A80  1x32x4k      ST_SPC564A80_1x32x4k_Shadow0_Blk.pcp    1.10  07/10/2017  Shadow0_Blk
ST SPC564A80  1x32x4k      ST_SPC564A80_1x32x4k_Shadow1_Blk.pcp    1.10  07/10/2017  Shadow1_Blk
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
seems easy enough....
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Another option is the BAM implementation, which seems to allow flashing over CAN bus when put into BAM mode: https://www.st.com/resource/en/data_bri ... lasher.pdf
Watched this great vid of an E41 tear down: https://www.youtube.com/watch?v=_SCJzzQckCA
Attempts to attack the BAM, which is locked with a different password to default.
So... one would 'assume' the T87a is doing the same. But never a good thing to assume.
Again, attacking via a recovery mode may hold the answers.
Dayum, he managed to get into a locked JTAG with glitching: https://eprint.iacr.org/2020/937.pdf
In one of the videos, I believe he described each ECU having a custom password from what he saw in power analysis. So even finding one doesn't mean it works for them all.
I don't believe his documents explicitly state if it is the same or not, but having to do that on every device to rip out the private password to gain access, then modify the boot code.. seems pretty incredible??
Starting to feel more likely towards a recovery state being taken advantage of to upload custom code maybe?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
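For readers who have not looked at what "BAM mode" flashing over CAN actually involves, here is an added worked example (not code from the thread, from Tazzi, or from ST/PEmicro) of the SPC56-family Boot Assist Module download sequence: the host sends a 64-bit password, then a start address and length, then the code in 8-byte frames, and the BAM echoes each accepted frame back. A small mock BAM models the one decision that matters for the "locked with a different password to default" point: an uncensored part accepts the public password 0xFEEDFACECAFEBEEF, a censored part compares against the private password held in the shadow flash block and just stops responding on a mismatch. The CAN identifiers, the public password, the VLE flag in the length word and the SRAM start address 0x40000000 are taken from the generic SPC56/MPC56 reference manuals and should be treated as assumptions to check against the SPC564A80 manual; the password check itself is the thing the glitching paper linked above attacks, which this example does not model.

```python
"""Added example: SPC56 BAM (Boot Assist Module) CAN download exchange.

Host side builds the frames; MockBam models the echo/reject behaviour of the
ROM bootloader. Constants are assumptions from the generic SPC56/MPC56 manuals.
"""
from dataclasses import dataclass, field

# Host transmits on 0x011/0x012/0x013; BAM echoes accepted frames on
# 0x001/0x002/0x003 (assumption: generic SPC56 BAM CAN mode).
ID_PASSWORD, ID_ECHO_PASSWORD = 0x011, 0x001
ID_ADDR_LEN, ID_ECHO_ADDR_LEN = 0x012, 0x002
ID_DATA, ID_ECHO_DATA = 0x013, 0x003

# Public password, only honoured when the device is not censored. A censored
# part compares against the private password stored in the shadow flash block.
PUBLIC_PASSWORD = 0xFEEDFACECAFEBEEF

# Assumption: MSB of the length word flags the payload as VLE code on e200z4 parts.
VLE_FLAG = 0x80000000


def build_bam_frames(password: int, start_addr: int, code: bytes, vle: bool = True):
    """Return the ordered (can_id, payload) frames a host sends to the BAM."""
    if not 0 <= password < 1 << 64:
        raise ValueError("password must be a 64-bit value")
    if start_addr & 0x3:
        raise ValueError("start address must be word aligned")
    length = len(code) | (VLE_FLAG if vle else 0)
    frames = [
        (ID_PASSWORD, password.to_bytes(8, "big")),
        (ID_ADDR_LEN, start_addr.to_bytes(4, "big") + length.to_bytes(4, "big")),
    ]
    # Data goes out 8 bytes per frame. The BAM stops after exactly `length`
    # bytes, so zero-padding the tail frame is harmless.
    padded = code + b"\x00" * (-len(code) % 8)
    frames += [(ID_DATA, padded[i:i + 8]) for i in range(0, len(padded), 8)]
    return frames


@dataclass
class MockBam:
    """Minimal model of the BAM download state machine (constructed, not silicon)."""
    private_password: int          # value the shadow block would hold
    censored: bool = True
    state: str = "password"
    start_addr: int = 0
    remaining: int = 0
    vle: bool = False
    image: bytearray = field(default_factory=bytearray)

    def receive(self, can_id: int, payload: bytes):
        """Process one host frame; return the echo frame, or None when the BAM goes silent."""
        if self.state == "password" and can_id == ID_PASSWORD:
            expected = self.private_password if self.censored else PUBLIC_PASSWORD
            if int.from_bytes(payload, "big") != expected:
                self.state = "halted"          # real parts simply stop answering
                return None
            self.state = "addr_len"
            return (ID_ECHO_PASSWORD, payload)
        if self.state == "addr_len" and can_id == ID_ADDR_LEN:
            self.start_addr = int.from_bytes(payload[:4], "big")
            word = int.from_bytes(payload[4:], "big")
            self.vle, self.remaining = bool(word & VLE_FLAG), word & ~VLE_FLAG
            self.state = "data"
            return (ID_ECHO_ADDR_LEN, payload)
        if self.state == "data" and can_id == ID_DATA:
            take = min(self.remaining, len(payload))
            self.image += payload[:take]
            self.remaining -= take
            if self.remaining == 0:
                self.state = "done"            # BAM would now jump to start_addr
            return (ID_ECHO_DATA, payload)
        return None


def download(bam: MockBam, frames) -> bool:
    """Drive the exchange; True only if every frame was echoed and the image completed."""
    for can_id, payload in frames:
        echo = bam.receive(can_id, payload)
        if echo is None or echo[1] != payload:
            return False
    return bam.state == "done"


if __name__ == "__main__":
    # Constructed 20-byte stub "code" loaded to SRAM (assumed base 0x40000000).
    frames = build_bam_frames(PUBLIC_PASSWORD, 0x40000000, b"\x60\x00" * 10)
    print("uncensored part, public password:",
          download(MockBam(private_password=0x0123456789ABCDEF, censored=False), frames))
    print("censored part, public password:  ",
          download(MockBam(private_password=0x0123456789ABCDEF, censored=True), frames))
```

The practical consequence is the one the post reaches: on a censored part the only thing the public password buys you is a silent bus, and a tool that "supports BAM flashing" is only useful if it also knows the per-unit private password. The Shadow0_Blk/Shadow1_Blk algorithms in the PEmicro list above are the block that private password and censorship word live in, so a BDM/JTAG dump of that block is where you would confirm which case a given T87a is.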
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
How can I get my hands on a license for this software? Can it do the E37 ECU? Also, does clone work on serial number and VIN?
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
As seen in the thread title, currently only does E38 and E67.
Hexadecimal wrote:
How can I get my hands on a license for this software? Can it do the E37 ECU? Also, does clone work on serial number and VIN?
I have not added support for any other ecu at this time.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 E67 Kernel/Bootloader Development Extravaganza
Does this do a 100% complete clone of the E38 ECM?
I have IO Terminal and I was told it could not read and write a couple of sectors and could not do a 100% clone.
I see you are working on transmission stuff as well. Do you want any bin files of gas 6-speed controllers?