E92 PCM Reverse Engineering

ironduke · Post by **ironduke** » Mon Aug 29, 2022 11:45 pm

I found one with an H as the 8th digit..

E92.2016.Silverado.OS-12670743.3GCUKREH4GG221234_2022.05.09_07-55.AM.7z: (1.12 MiB) Downloaded 277 times

turbo_v6 · Post by **turbo_v6** » Tue Aug 30, 2022 12:05 am

Awesome thanks, I’ll definitely be looking at that when I get home from work. There must be a ton of unused space if it zips down to 1.12mb from a 4mb file.

ironduke · Post by **ironduke** » Tue Aug 30, 2022 12:10 am

bubba2533 wrote:Awesome thanks, I’ll definitely be looking at that when I get home from work. There must be a ton of unused space if it zips down to 1.12mb from a 4mb file.

There's a fair amount of free space.. You can use universal patcher to see the layout..

Reading Platform config: e92-platform.xml [OK]
Loading file: e92.xml [OK]
(SegmentSeek-e92.xml)
E92.2016.Silverado.OS-12670743.3GCUKREH4GG221234_2022.05.09_07-55.AM.bin (e92 (v 1))

Segments:
Boot Block PN: 12656994, Ver: AB, Nr: 99 [0000 - FFF7], Size: FFF8
OS PN: 12670743, Ver: AA, Nr: 1 [C0000 - FFFFF, 100000 - 3FFFFF], Size: 340000
System PN: 12666193, Ver: AG, Nr: 2 [40000 - 42FFF], Size: 3000
Fuel PN: 12665605, Ver: AF, Nr: 3 [43000 - 47FFF], Size: 5000
Speedo PN: 12666225, Ver: AE, Nr: 4 [48000 - 48FFF], Size: 1000
EngineDiag PN: 12673090, Ver: AB, Nr: 5 [49000 - 5FFFF], Size: 17000
Engine PN: 12666138, Ver: AF, Nr: 6 [60000 - BFFFF], Size: 60000
Checksums:
Boot Block Checksum 1: A013 [OK] Checksum 2: 1B9F [OK]
OS Checksum 1: 93D3 [OK] Checksum 2: DD7B [OK] [n/a]
System Checksum 1: 0520 [OK] Checksum 2: 0D9B [OK] [n/a]
Fuel Checksum 1: 814D [OK] Checksum 2: 1DBE [OK] [n/a]
Speedo Checksum 1: 91C8 [OK] Checksum 2: 0158 [OK] [n/a]
EngineDiag Checksum 1: C895 [OK] Checksum 2: F0CF [OK] [n/a]
ENG extra 1 Checksum 1: F53B583A [OK] Checksum 2: F4C7BE0E [OK]
ENG extra 2 Checksum 1: ED87469A [OK]
Engine Checksum 1: 82EA [OK] Checksum 2: 1DDE [OK] [n/a]
Seeking tables... (TableSeek-e92.xml) Done
PID search not implemented for this file type

gmtech825 · Post by **gmtech825** » Tue Aug 30, 2022 1:49 am

heres a H vin for you

Gatecrasher · Post by **Gatecrasher** » Tue Aug 30, 2022 2:35 am

What are you guys using to pull these flash dumps?

turbo_v6 · Post by **turbo_v6** » Tue Aug 30, 2022 2:36 am

Gatecrasher wrote:What are you guys using to pull these flash dumps?

I’m interested in this as well.

Gatecrasher · Post by **Gatecrasher** » Tue Aug 30, 2022 4:16 am

Maybe I can help a little. I threw IronDuke's 16 Silverado into Ghidra. At a glance, the CAN and diagnostic stuff looks really similar to the chassis control module I took apart.

What's the end goal here?

turbo_v6 · Post by **turbo_v6** » Tue Aug 30, 2022 4:50 am

If you are asking me, I don’t have a specific goal in mind at the moment. I mainly just wanted to start learning more about this platform and then when I have something that I would like to modify I would have a head start on getting familiar with it.

There are no open source ways to read/flash this platform that I’m aware of, but if that would happen then I imagine I could develop some modifications to the operating system to improve tuning or operation of the vehicle.

turbo_v6 · Post by **turbo_v6** » Tue Aug 30, 2022 12:11 pm

Probably a stupid question, but I'd rather ask than take hours trying to figure it out. What processor should I select when opening with Ghidra?

Edit: I selected PowerPC, but I don't know if that's correct as nothing disassembled.

Gatecrasher · Post by **Gatecrasher** » Tue Aug 30, 2022 12:31 pm

It's definitely not stupid. It took me a while to figure it out on the chassis control module. It was only after I spent a lot of time looking at broken, gibberish code that I realized my processor model was wrong.

You want: PowerPC:BE:64:VLE-32addr (1.5)

It's listed in the selection dialog as PowerISA-VLE-64-32addr, but the other entry is what it'll end up saying in the "language" and "about" boxes.

Skip the auto analysis for the moment. Select the entire file (ctrl-A). Then right click and do 'set register values'. Set each of the following registers as shown. You have to click ok after each one, so you'll do this three times.

r13 = 40008000
r14 = 40018000
r15 = 40028000

This basically sets up some indirect memory references the code uses for data and function lookups.

Then do analysis > auto analyze. It'll take a few minutes.

If you want a hint to some easy code, go to 0x326284. It's the lookup table for the diagnostic modes. There's 4 bytes that describe a diag mode, and 4 bytes that are a pointer to the relevant subroutine.

So security access looks like this:

Code: Select all

        003262f4 27              ??         27h    '
        003262f5 00              ??         00h
        003262f6 00              ??         00h                                              ?  ->  00000032
        003262f7 00              ??         00h
        003262f8 00 32 47 20     addr       Diag_Mode27_GMSecAccess

That table starts with mode 01 and ends with mode AE.

The DTC table is at 0x1D0820. It looks like there's 1077 possible DTCs. Though a lot of them will probably be disabled in the calibration tables.

This is all using the 2016 Silverado ROM IronDuke posted, BTW.

E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering

Re: E92 PCM Reverse Engineering