E92 PCM Reverse Engineering

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tazzi
Posts: 3547
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: E92 PCM Reverse Engineering

Post by Tazzi »

bubba2533 wrote: That's disappointing. Luckily I'll be getting an OBDX Pro GT in the mail and I'll get back to testing!
On its way out of Amazon :thumbup:

You can design using J2534 or with the native OBDX commands.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site: https://www.envyouscustoms.com
Mob: +61406 140 726
muscleup
Posts: 2
Joined: Fri Dec 30, 2022 6:19 am
cars: LM2 3.0L

Re: E92 PCM Reverse Engineering

Post by muscleup »

Gatecrasher wrote: It's definitely not stupid. It took me a while to figure it out on the chassis control module. It was only after I spent a lot of time looking at broken, gibberish code that I realized my processor model was wrong.

You want: PowerPC:BE:64:VLE-32addr (1.5)

It's listed in the selection dialog as PowerISA-VLE-64-32addr, but the other entry is what it'll end up saying in the "language" and "about" boxes.

Skip the auto analysis for the moment. Select the entire file (ctrl-A). Then right click and do 'set register values'. Set each of the following registers as shown. You have to click ok after each one, so you'll do this three times.

r13 = 40008000
r14 = 40018000
r15 = 40028000

This basically sets up some indirect memory references the code uses for data and function lookups.

Then do analysis > auto analyze. It'll take a few minutes.

If you want a hint to some easy code, go to 0x326284. It's the lookup table for the diagnostic modes. There's 4 bytes that describe a diag mode, and 4 bytes that are a pointer to the relevant subroutine.

So security access looks like this:

        003262f4 27              ??         27h    '
        003262f5 00              ??         00h
        003262f6 00              ??         00h                                              ?  ->  00000032
        003262f7 00              ??         00h
        003262f8 00 32 47 20     addr       Diag_Mode27_GMSecAccess
That table starts with mode 01 and ends with mode AE.

The DTC table is at 0x1D0820. It looks like there's 1077 possible DTCs. Though a lot of them will probably be disabled in the calibration tables.

This is all using the 2016 Silverado ROM IronDuke posted, BTW.

Can any of you figure out or know the registers, or how to do this with the MPC5777C? Yes, it's unlocked and I have a full read bin, 16 MB, starting at around 84000000 I think, other than some initial code at the start. I also have the bin from HPTuners, which is approx. 8 MB. This is based off the E98 but it's for the E46. It has the E98 checksum also, but I can't load it into Universal Patcher either, even after contacting the creator. I can decompile it for the most part, but I should be able to get function names and labels if it's correctly analyzed and decompiled, right?
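The diagnostic-mode table layout Gatecrasher describes in the quoted post (8-byte entries: a mode byte plus three zero bytes, then a big-endian pointer to the handler, running from mode 01 to mode AE), walked by an added Python example that is not from the thread. The TABLE_OFFSET, LAST_MODE and Diag_Mode27_GMSecAccess values are the ones quoted above; the sample image is constructed, not a real ROM.

```python
import struct

# Entry layout from the thread: 4 bytes describing the diagnostic mode (the mode byte
# followed by three zero bytes) and a 4-byte big-endian pointer to its handler.
ENTRY = struct.Struct(">B3xI")          # 8 bytes per entry
TABLE_OFFSET = 0x326284                 # table location in the 2016 Silverado ROM discussed above
LAST_MODE = 0xAE                        # the table runs from mode 01 to mode AE


def iter_entries(rom, offset=TABLE_OFFSET, last_mode=LAST_MODE):
    """Yield (file_offset, mode, handler) per entry, stopping after last_mode.

    A repeated mode means the walk has left the table, so it raises rather than
    silently reporting filler or unrelated data as diagnostic modes.
    """
    seen = set()
    for pos in range(offset, len(rom) - ENTRY.size + 1, ENTRY.size):
        mode, handler = ENTRY.unpack_from(rom, pos)
        if mode in seen:
            raise ValueError(f"mode 0x{mode:02X} repeats at 0x{pos:X}; walked past the table?")
        seen.add(mode)
        yield pos, mode, handler
        if mode == last_mode:
            return
    raise ValueError("reached end of image before the last mode")


def parse_diag_table(rom, offset=TABLE_OFFSET, last_mode=LAST_MODE):
    """Map each diagnostic mode to the address of its handler subroutine."""
    return {mode: handler for _, mode, handler in iter_entries(rom, offset, last_mode)}


def entry_offset(rom, wanted, offset=TABLE_OFFSET, last_mode=LAST_MODE):
    """File offset of the entry for `wanted`, e.g. to jump to it in Ghidra; None if absent."""
    return next((pos for pos, mode, _ in iter_entries(rom, offset, last_mode) if mode == wanted), None)


# Constructed sample image (not a real ROM): 0x40 bytes of filler, a four-entry table,
# more filler. The mode 0x27 pointer is the Diag_Mode27_GMSecAccess address from the
# Ghidra listing above; the other entries are made up.
SAMPLE_TABLE = b"".join(ENTRY.pack(m, h) for m, h in [
    (0x01, 0x00321000), (0x04, 0x00321200), (0x27, 0x00324720), (0xAE, 0x00325000)])
SAMPLE_ROM = b"\xFF" * 0x40 + SAMPLE_TABLE + b"\xFF" * 0x40

if __name__ == "__main__":
    for pos, mode, handler in iter_entries(SAMPLE_ROM, offset=0x40):
        print(f"0x{pos:06X}: mode 0x{mode:02X} -> handler 0x{handler:08X}")
```

On a real image, pass the ROM bytes with the default offset; the repeated-mode check is what tells you the walk has run past the end when you have guessed LAST_MODE wrong.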
Gatecrasher
Posts: 352
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

I might be able to help with the registers, but that won't get you function names and labels. That 100% has to come from external sources. Either your own reverse engineering work, or some other form of documentation.
kur4o
Posts: 1044
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

muscleup wrote: Can any of you figure out or know the registers, or how to do this with the MPC5777C? Yes, it's unlocked and I have a full read bin, 16 MB, starting at around 84000000 I think, other than some initial code at the start. I also have the bin from HPTuners, which is approx. 8 MB. This is based off the E98 but it's for the E46. It has the E98 checksum also, but I can't load it into Universal Patcher either, even after contacting the creator. I can decompile it for the most part, but I should be able to get function names and labels if it's correctly analyzed and decompiled, right?

With a full dump you can get the registers from the disassembly. With IDA Pro it autoloads them if they are disassembled at the beginning of the process; you only need to set r2 and r13, all the others are analyzed on the fly by IDA.

E98 and E98A are fully supported for checksums. For E46 you need the proper bin layout as the CPU sees it, since addresses are read from the bin; if some data is not aligned properly in the bin it will fail. If the data is not available you can always hardcode ranges for a specific OS.
If you have a full dump bin to share I can get you some initial disassembly to work with.
turbo_v6
Posts: 512
Joined: Wed Apr 11, 2018 8:50 am

Re: E92 PCM Reverse Engineering

Post by turbo_v6 »

Perhaps also start your own thread, as that has no relevance here.
LS1 Boost OS Version 5 Available Here. For feature suggestions post in here Development Thread.
kur4o
Posts: 1044
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

Some dumb off-topic question.

What is the size of the PPC registers r10 and r11, for example? Are they 16 or 32 bit?

I need to load some 32-bit data into a register and save it to a dword.

Does anyone have some example code?
turbo_v6
Posts: 512
Joined: Wed Apr 11, 2018 8:50 am

Re: E92 PCM Reverse Engineering

Post by turbo_v6 »

ChatGPT says:
In the PowerPC architecture, including PPC32 and PPC64, the general-purpose registers such as r10 and r11 are 32-bit registers. They can hold 32-bit (4-byte) values. These registers are typically used for general computation and storage of data during program execution.

It's important to note that the register size can vary depending on the specific implementation of the PowerPC architecture or the programming model being used. However, in the commonly used variants like PPC32 and PPC64, the general-purpose registers are 32 bits wide.
Edit:
Also, can you be more specific? Are you looking for assembly instructions? Or source code?

It might be better to say what you are trying to do in more detail. I'm assuming you are starting with a 32 bit value already loaded into the r10 register and want to move it to a RAM location?
kur4o
Posts: 1044
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

lbz       r10, 5(r31)
slwi      r10, r10, 8
lbz       r10, 6(r31)
slwi      r10, r10, 8
lbz       r10, 7(r31)
slwi      r10, r10, 8
lbz       r11, 8(r31)
add       r10, r10, r11
Data is stored at an offset from r31.

Bytes are read one by one and fed into r10.

r10 is stored to some RAM location at the end.

I got some sample code but can't make it load the 1st byte into the register; I always get 00, the other bytes are good.

The example is one of the many attempts I tried. Not sure it is correct, or it may need some corrections.
turbo_v6
Posts: 512
Joined: Wed Apr 11, 2018 8:50 am

Re: E92 PCM Reverse Engineering

Post by turbo_v6 »

From the instruction manual I have, that instruction would clear all bits other than the 8 (single byte) that was loaded into the register, so I don't think that's the appropriate way to do that.
[Attachment: lbz_Instruction.JPG]
Edit:

Something like this might work, but I haven't tried to write anything in asm for powerpc yet.

lbz r10, 5(r31)
slwi r10, r10, 8
lbz r11, 6(r31)
or r10, r10, r11
slwi r10, r10, 8
lbz r11, 7(r31)
or r10, r10, r11
slwi r10, r10, 8
lbz r11, 8(r31)
or r10, r10, r11
kur4o
Posts: 1044
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

Just tested this piece of code:

lbz   r10, 5(r31)                             89 5F 00 05
slwi  r10, r10, 8                             55 4A 40 2E
lbz   r10, 6(r31)                             89 5F 00 06
slwi  r10, r10, 8                             55 4A 40 2E
lbz   r10, 7(r31)                             89 5F 00 07
slwi  r10, r10, 8                             55 4A 40 2E
lbz   r11, 8(r31)                             89 7F 00 08
add   r10, r10, r11                           7D 4A 5A 14
lis   r12, dword_40008074@h
ori   r12, r12, dword_40008074@l
stw   r10, ((dword_40008074-0x8074)@l)(r12)

The first 2 bytes are cleared, the last 2 are copied correctly. I guess I am on the right path. I can make it 2 separate words instead of a dword, but I'd prefer to make it work as it should.
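The two byte-assembly sequences discussed above (kur4o's version that loads every byte into r10, and turbo_v6's version that loads later bytes into r11 and ORs them in), traced by a small added Python interpreter that is not from the thread. It assumes a constructed memory block with DE AD BE EF at r31+5 to r31+8 and models only the four instructions the sequences use; the posted lis/ori/stw store is left out because only the value in r10 matters here.

```python
import re
# Constructed data block (not from a real ECU): r31 points at 0x100 and the four
# bytes at offsets 5..8 from r31 are DE AD BE EF, so a correct sequence leaves 0xDEADBEEF in r10.
R31 = 0x100
MEM = bytearray(0x200)
MEM[R31 + 5:R31 + 9] = bytes.fromhex("DEADBEEF")

# kur4o's sequence: every lbz targets r10, so each load replaces what the earlier shifts built.
SEQ_LBZ_R10 = """
lbz r10, 5(r31)
slwi r10, r10, 8
lbz r10, 6(r31)
slwi r10, r10, 8
lbz r10, 7(r31)
slwi r10, r10, 8
lbz r11, 8(r31)
add r10, r10, r11
"""

# turbo_v6's sequence: later bytes are loaded into r11 and OR-ed into r10.
SEQ_OR_R11 = """
lbz r10, 5(r31)
slwi r10, r10, 8
lbz r11, 6(r31)
or r10, r10, r11
slwi r10, r10, 8
lbz r11, 7(r31)
or r10, r10, r11
slwi r10, r10, 8
lbz r11, 8(r31)
or r10, r10, r11
"""

def run(asm, mem=MEM, r31=R31):
    """Interpret the subset of 32-bit PowerPC used above and return the final r10."""
    regs = {31: r31}
    for line in asm.strip().splitlines():
        op, operands = line.split(None, 1)
        a = [int(t) for t in re.findall(r"\d+", operands)]  # "r10, 5(r31)" -> [10, 5, 31]
        if op == "lbz":        # load byte and zero: the upper 24 bits of rt are cleared
            regs[a[0]] = mem[regs[a[2]] + a[1]]
        elif op == "slwi":     # shift left word immediate (rlwinm), kept to 32 bits
            regs[a[0]] = (regs[a[1]] << a[2]) & 0xFFFFFFFF
        elif op == "or":
            regs[a[0]] = regs[a[1]] | regs[a[2]]
        elif op == "add":
            regs[a[0]] = (regs[a[1]] + regs[a[2]]) & 0xFFFFFFFF
        else:
            raise ValueError(f"unsupported instruction: {op}")
    return regs[10]
```

run(SEQ_LBZ_R10) gives 0x0000BEEF, the first two bytes cleared and the last two intact, which is exactly the test result reported in the post above; run(SEQ_OR_R11) gives 0xDEADBEEF.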