GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by Tazzi »

crystal_imprezav wrote: Not an assumption, NRC code 0x11 is pretty clear.
Definitely an assumption. So you're telling me you've gone through every possible address with mode 23? :?
By definition, this allows reading any defined memory region. Clearly some may be locked, others not, but this includes flash AND RAM areas; you'd be amazed what stays in RAM when it shouldn't, as developers are not thinking about that. Clearly some addresses are locked, and this includes the shadow flash.

I don't have the T87A,E41,E99 to just go rip it all out. But I certainly work with people that are doing so.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by gmtech825 »

Can confirm, $23 does work on at least some of the E41 RAM addresses I've tried.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by Tazzi »

gmtech825 wrote: Can confirm, $23 does work on at least some of the E41 RAM addresses I've tried.
;)

I have an E90 on the way to me currently. Time to join in the fun.
crystal_imprezav
Posts: 9
Joined: Thu May 26, 2016 4:45 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by crystal_imprezav »

$23 only works in one range, so far nothing exciting. I've dumped about all that is open.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by kur4o »

crystal_imprezav wrote: $23 only works in one range, so far nothing exciting. I've dumped about all that is open.
To get a better rate, try unlocking the PCM first and increase the MEC counter.
With an unlocked PCM, mode 23 can have more ranges available.

You can also test if the PCM agrees to take mode 34 and mode 36.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by gmtech825 »

Tazzi wrote:
gmtech825 wrote: Can confirm, $23 does work on at least some of the E41 RAM addresses I've tried.
;)

I have an E90 on the way to me currently. Time to join in the fun.
I think I have an E90 kicking around here somewhere
crystal_imprezav
Posts: 9
Joined: Thu May 26, 2016 4:45 am

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by crystal_imprezav »

I am always working with the ECU unlocked; it is also patched. $34/$36 work fine. $35 gives NRC 0x11. Everything in the flash itself that I have tested gives me an NRC 0x31. The only things readable are parts of the RAM.

Unless it has something to do with the patch, which is highly unlikely (this is not an HP patch), I don't see an original giving more access. That being said, I will run the same tests on an E99(s), but I am thinking that may be locked down more, but who knows. On a T87A it's not an issue; you can read/write whatever you want.
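As an added illustration (not code from anyone in this thread), here is a small Python decoder for the kind of replies being compared above: a positive $23 response versus the negative response codes 0x11 (serviceNotSupported) and 0x31 (requestOutOfRange). It follows the ISO 14229 layout (negative response SID 0x7F, echoed service, NRC; positive response SID = service + 0x40), which is an assumption about the ECU's framing. The frames and addresses are constructed samples, and the NRC name table is a partial excerpt for illustration.

```python
"""Decode diagnostic responses to service $23 and classify what an ECU answered."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NEGATIVE_RESPONSE_SID = 0x7F
POSITIVE_RESPONSE_OFFSET = 0x40

# Partial ISO 14229 negative response code table (assumed naming; not exhaustive).
NRC_NAMES = {
    0x10: "generalReject",
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts",
    0x78: "requestCorrectlyReceivedResponsePending",
}


@dataclass
class DecodedResponse:
    service: int            # the request service the ECU is answering
    positive: bool
    nrc: Optional[int]      # negative response code, if any
    nrc_name: Optional[str]
    payload: bytes          # data bytes of a positive response


def decode_response(frame: bytes) -> DecodedResponse:
    """Split a raw response into service, positive/negative flag, NRC and payload."""
    if not frame:
        raise ValueError("empty frame")
    sid = frame[0]
    if sid == NEGATIVE_RESPONSE_SID:
        # Negative response: 7F <requested SID> <NRC>
        if len(frame) < 3:
            raise ValueError("negative response shorter than 3 bytes")
        nrc = frame[2]
        name = NRC_NAMES.get(nrc, "unknown(0x%02X)" % nrc)
        return DecodedResponse(frame[1], False, nrc, name, frame[3:])
    if sid < POSITIVE_RESPONSE_OFFSET:
        raise ValueError("0x%02X is not a positive response SID" % sid)
    # Positive response: (SID + 0x40) followed by the returned data
    return DecodedResponse(sid - POSITIVE_RESPONSE_OFFSET, True, None, None, frame[1:])


# Constructed sample log: (requested service, address asked for, raw reply).
SAMPLE_RESPONSES: List[Tuple[int, int, bytes]] = [
    (0x23, 0x0000_1000, bytes([0x63, 0x12, 0x34, 0x56, 0x78])),  # RAM word returned
    (0x23, 0x0010_0000, bytes([0x7F, 0x23, 0x31])),              # flash: out of range
    (0x35, 0x0010_0000, bytes([0x7F, 0x35, 0x11])),              # $35 not implemented
    (0x23, 0x0000_2000, bytes([0x7F, 0x23, 0x78])),              # ECU still busy
]


def summarize(responses: List[Tuple[int, int, bytes]]) -> dict:
    """Group replies so a whole-service rejection (0x11) is not confused with a per-address one (0x31)."""
    summary = {"readable": [], "out_of_range": [], "service_unsupported": [],
               "pending": [], "other": []}
    for service, address, frame in responses:
        d = decode_response(frame)
        if d.service != service:
            raise ValueError("reply for 0x%02X does not match request 0x%02X" % (d.service, service))
        if d.positive:
            summary["readable"].append(address)
        elif d.nrc == 0x31:
            summary["out_of_range"].append(address)
        elif d.nrc == 0x11:
            summary["service_unsupported"].append(service)
        elif d.nrc == 0x78:
            summary["pending"].append(address)
        else:
            summary["other"].append((address, d.nrc_name))
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RESPONSES).items():
        print(key, [hex(v) if isinstance(v, int) else v for v in value])
```

The point of the grouping is the one made in the thread: an NRC 0x11 says the ECU has no handler for that service at all, whereas 0x31 says the service exists but the address or length asked for is outside what the current session permits, so the two should be tallied separately when reading a capture.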
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by Tazzi »

crystal_imprezav wrote: I am always working with the ECU unlocked; it is also patched. $34/$36 work fine. $35 gives NRC 0x11. Everything in the flash itself that I have tested gives me an NRC 0x31. The only things readable are parts of the RAM.

Unless it has something to do with the patch, which is highly unlikely (this is not an HP patch), I don't see an original giving more access. That being said, I will run the same tests on an E99(s), but I am thinking that may be locked down more, but who knows. On a T87A it's not an issue; you can read/write whatever you want.
If it was used as an exploit to get in, then (personally) I would have patched it up. But this all depends on how far someone goes to do this stuff.

*Edit
I believe the E88, E90 and E99 all use the same bootloader from what I have just looked at. At least the labelling for the loader has this labelling, so I'd assume this would be the case. Whether or not every single one can have the loader ripped is an uncertainty right now, but it's a good 200+kb so it's A LOT of decompiling ahead.
Tre-Cool
Posts: 265
Joined: Tue Oct 16, 2012 12:17 pm
cars: VY SS UTE, VX Drag Car
Location: Perth

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by Tre-Cool »

Taz, Did you do a remote removal of this software?

I just got back from work and was going to read an ecu & the program is gone from my desktop pc.

Hmm, looks like ESET is picking it up as something. As soon as I disable it I can run the installer, and it puts the exe file back and it doesn't disappear.

Odd.

oh well exclusion folder you go.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Post by Tazzi »

Tre-Cool wrote: Taz, Did you do a remote removal of this software?

I just got back from work and was going to read an ecu & the program is gone from my desktop pc.

Hmm, looks like ESET is picking it up as something. As soon as I disable it I can run the installer, and it puts the exe file back and it doesn't disappear.

Odd.

oh well exclusion folder you go.
Some antivirus programs will flag it. It is safe to use; it's just the Oreans protector which causes the false positive.

After now successfully getting a certificate with OBDX Pro, I will begin the process for Envyous, so all future software should (hopefully) minimize those false positives.