14-18 GM BCM Renesas V850 register setup
Working on the remote start timer for this generation of trucks, and possibly other features as well, but I'm running into problems with disassembly. There are a large number of data parameters that don't get referenced in the cal segments, and I believe it's because I need to set a couple of register values (GP, TP?). I'm hoping someone can help me verify that and calculate these values.
If you open the bin in Ghidra (V850 processor type) and go to 0x8260 and decompile, I believe that jump is the entry point. It should jump to 0x2E940. You should see it setting up the registers. I'm not good at assembly and don't trust myself to calculate these values correctly. It also looks like at 0x2e88c there is more manipulation of these registers.
https://www.renesas.com/us/en/document/ ... anguage=en
https://www.renesas.com/us/en/document/ ... anguage=en
- Attachments
- 2016 Escalade BCM OS and CAL file.bin (2 MiB)
- Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: 14-18 GM BCM Renesas V850 register setup
Is that bin file reconstructed from SPS files, or is it a full read of the actual chip? I ask because the stuff you're after may be set up in the bootloader segment.
Is this a V850E2/FK4? The chip would be labeled uPD70F3558M1.
I'll try to take a look at it later tonight.
Re: 14-18 GM BCM Renesas V850 register setup
Hmm, I thought the chips were V850E2/J series, but it's been some time since looking at those processors. The reference manuals for the ones used in the BCM and infotainment systems are hidden behind non-disclosure agreements, so they are not given out easily.
Needed the reference manual to try to understand all the references and registers, but that kinda makes it hard without it!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
- Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: 14-18 GM BCM Renesas V850 register setup
You had me doubting myself. So I opened up my 2016 Corvette BCM and it's definitely a V850E2/FK4. All the docs, including the user manual are available here: https://www.renesas.com/us/en/products/ ... ry=visible
The HMI 2.5 modules use a V850E2/FJ4 which is part of the same family. Some of the really late HMI 2.5s switched to an RH850 chip though.
I really think we need the bootloader to do this correctly. I've got an idea to get it.
- Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: 14-18 GM BCM Renesas V850 register setup
Now I remember why I hate V850s. Everything is complicated on them. I'm no longer convinced we need the bootloader, but I went ahead and got it out of my BCM anyway. It's attached. You can see if yours is the same part number by using mode $1A $C0. I'm reasonably confident it's accurate, but I haven't found the checksum to double check it.
I can't find a straightforward explanation of how this thing starts executing code straight out of reset. I think it starts at 0x0, but that's confusing because the very first instruction in the bootloader is a mov from r2 to r0. How can there be anything in r2 if it's coming out of a cold start? Then it jumps to a sub that sets up the GP and TP similar to your example. But it all gets reworked at 0x2E940 anyway, so I'm not sure it's relevant.
Anyway, this is my best guess so far. It puts the GP at a point near the beginning of RAM, and the TP to flash, and the SP near the end of RAM.
The architecture manual describes the TP and GP like so:
r4 = gp = global pointer. When to access global variable in data area
r5 = tp = text pointer. Used as a register that indicates the start of the text area. (area where program code is placed)
So I think the flash file needs to be chopped up and rearranged a bit, but I don't know exactly how just yet.
Code:
    **************************************************************
    *                          FUNCTION                          *
    **************************************************************
    undefined FUN_0002e940()
        undefined  r10:1  <RETURN>
    FUN_0002e940                                  XREF[2]:  FUN_000048b4:000048ea(c), 000092e0(*)
    0002e940 40 26 de fe    movhi  -0x122,r0,gp            //Write 0xFEDE0000 to GP
    0002e944 24 26 14 c2    movea  -0x3dec,gp,gp           //Add -0x3DEC to GP. GP = 0xFEDDC214
    0002e948 40 2e 19 00    movhi  0x19,r0,tp              //Write 0x00190000 to TP
    0002e94c 25 2e 98 2e    movea  0x2e98,tp,tp            //Add 0x2E98 to TP. TP = 0x00192E98
    0002e950 40 1e e0 fe    movhi  -0x120,r0,sp            //Write 0xFEE00000 to SP
    0002e954 23 1e d4 ef    movea  -0x102c,sp,sp           //Add -0x102C to SP. SP = 0xFEDFEFD4
    0002e958 1c 0a          mov    -0x4,r1
    0002e95a 41 19          and    r1,sp
    0002e95c 80 ff 04 00    jarl   thunk_FUN_0002e870,lp   undefined thunk_FUN_0002e870()
- Attachments
- MY16 BCM bootloader 13586286.bin (32 KiB)
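Added example (not from the thread or from anyone in it): a small Python interpreter for the movhi/movea/mov/and prologue quoted above, so the GP/TP/SP arithmetic can be checked mechanically instead of by hand. It uses the V850 architecture-manual semantics (movhi adds imm16 << 16 to reg1, movea adds the sign-extended imm16, mov imm5 is sign-extended, r0 reads as zero) and Ghidra's operand order as printed in the listing. The listing text, the register names and the displacement used in `resolve_gp_ref` are constructed inputs; the raw instruction encodings are not decoded, only the mnemonics.

```python
import re

# Constructed sample input: the mnemonic/operand columns of the register-setup
# sequence quoted from the Ghidra listing at 0x2E940 in this thread.
SETUP_LISTING = """
movhi -0x122,r0,gp
movea -0x3dec,gp,gp
movhi 0x19,r0,tp
movea 0x2e98,tp,tp
movhi -0x120,r0,sp
movea -0x102c,sp,sp
mov -0x4,r1
and r1,sp
"""

MASK32 = 0xFFFFFFFF


def sext16(value):
    """Sign-extend a 16-bit immediate. Ghidra already prints these signed
    (-0x122), but a value lifted straight from the hex bytes (0xFEDE) is not."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def run_setup(listing, regs=None):
    """Interpret a V850 register-setup prologue (movhi/movea/mov/and only)
    and return the resulting register file as a dict of 32-bit values."""
    regs = dict(regs or {})
    regs["r0"] = 0  # r0 is hard-wired to zero on V850
    for line in listing.strip().splitlines():
        mnem, _, rest = line.strip().partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        if mnem == "movhi":       # reg2 = reg1 + (imm16 << 16)
            imm, src, dst = ops
            regs[dst] = (regs.get(src, 0) + (sext16(int(imm, 0)) << 16)) & MASK32
        elif mnem == "movea":     # reg2 = reg1 + sign-extended imm16
            imm, src, dst = ops
            regs[dst] = (regs.get(src, 0) + sext16(int(imm, 0))) & MASK32
        elif mnem == "mov":       # mov imm5,reg (sign-extended) or mov reg1,reg2
            src, dst = ops
            try:
                regs[dst] = int(src, 0) & MASK32
            except ValueError:
                regs[dst] = regs.get(src, 0)
        elif mnem == "and":       # reg2 = reg2 & reg1
            src, dst = ops
            regs[dst] = regs.get(dst, 0) & regs.get(src, 0)
        else:
            raise ValueError("unsupported instruction in prologue: " + line)
    return regs


def resolve_gp_ref(gp, disp16):
    """Address read by a GP-relative access such as ld.w disp16[gp]:
    the displacement is a sign-extended 16-bit value added to GP."""
    return (gp + sext16(disp16)) & MASK32


def pointer_summary(listing):
    """Return (GP, TP, SP) as hex strings, ready to enter as Ghidra register
    values over the main code range so GP/TP-relative references resolve."""
    regs = run_setup(listing)
    return tuple("0x%08X" % regs[r] for r in ("gp", "tp", "sp"))


if __name__ == "__main__":
    print("GP, TP, SP =", pointer_summary(SETUP_LISTING))
    # Constructed displacement: a hypothetical ld.w -0x10[gp] in the cal segment
    print("ld.w -0x10[gp] reads from 0x%08X" % resolve_gp_ref(0xFEDDC214, -0x10))
```

Running it reproduces the values in the listing comments (GP = 0xFEDDC214, TP = 0x00192E98, SP = 0xFEDFEFD4) and shows that the `mov -0x4,r1; and r1,sp` pair only 4-byte-aligns SP, which was already aligned. Once the same arithmetic is applied to the second setup sequence at 0x2E88C, the two results can be compared to decide which pair of values the cal-segment references actually use.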
- Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: 14-18 GM BCM Renesas V850 register setup
Drill down to 0x2E88C. It screws with both registers again, in an even more complicated way.
And again at 0x2E940.
That's just what I found on a quick glance. There's probably more.
This might be helpful going forward. https://blog.willemmelching.nl/carhacki ... /vw-part2/
Re: 14-18 GM BCM Renesas V850 register setup
I'm sure the BCMs in our VFs used something slightly different, but I believe regardless they all would use the same registers, being the same family of chips.
Gatecrasher wrote:
> You had me doubting myself. So I opened up my 2016 Corvette BCM and it's definitely a V850E2/FK4. All the docs, including the user manual are available here: https://www.renesas.com/us/en/products/ ... ry=visible
> The HMI 2.5 modules use a V850E2/FJ4 which is part of the same family. Some of the really late HMI 2.5s switched to an RH850 chip though.
> I really think we need the bootloader to do this correctly. I've got an idea to get it.
Is the whole bootloader disassembling correctly? Or is there a heap of code it stops on?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
- Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: 14-18 GM BCM Renesas V850 register setup
I think I've seen some BCMs with Bosch logos, so maybe it's just a supplier difference?
I was just trying to help gmtech out. There are big blocks that disassemble, but others that don't. I don't know if they're data or what. I haven't done any real detailed checking on this code because it's such a pain. Even if the code disassembles, the cross references will be broken without accurate TP and GP references.
Re: 14-18 GM BCM Renesas V850 register setup
Thanks for the replies so far. The file posted was made from SPS files, so no boot, which you already gathered, I think. I don't have the vehicle it came from to check the boot software number. I do have a bench BCM from a '15 Tahoe I can compare to... but for some reason I'm having trouble getting it to talk on the bench. I'm missing something, a wake-up signal or ground maybe. Need coffee... then maybe I'll try again.