T43 Dissasembly

[hjtrbo]

Thanks antus, it's a lot to take in for a novice

[gmtech825]

Here's the powerpc psuedo code ghidra spits out for an ecm for the 0c9 can message that i've added labels to. I don't have the information on what the 0be message breakdown is so your posted code is hard for me to follow. It's cleaner than what you have there so maybe it will help. you can see how it builds each byte of the can message based on ram and data parameters.

Code: Select all

void 0C9_FUNCTION(undefined *param_1)

{
  undefined uVar2;
  undefined2 uVar1;
  
  uVar2 = 0C9_BYTE_0_FUNCTION();
  *param_1 = uVar2;
  uVar1 = GetRangeScaledValue(ENGINE_SPEED_Nx.25,0,0x46800000);
  param_1[1] = (char)((ushort)uVar1 >> 8);
  param_1[2] = (char)uVar1;
  uVar2 = 0C9_BYTE_3_FUNCTION();
  param_1[3] = uVar2;
  uVar2 = CalculateScaledRatio(ACCELERATOR_ACTUAL_POSITION,&DAT_00008080);
  param_1[4] = uVar2;
  uVar2 = 0C9_BYTE_5_FUNCTION();
  param_1[5] = uVar2;
  uVar2 = 0C9_BYTE_6_FUNCTION();
  param_1[6] = uVar2;
  uVar2 = NormalizeAndScaleValue(BOOST_PRESSURE_KPA_g,0xffffffffffff8000,0x7fff);
  param_1[7] = uVar2;
  CRUISE_THROTTLE_OVERRIDE_STATUS = CRUISE_THROTTLE_OVERRIDE_STATUS + 1 & 3;
  return;
}

Code: Select all

uint 0C9_BYTE_0_FUNCTION(void)

{
  uint uVar1;
  uint uVar2;
  
  if (ENGINE_SPEED_STATUS_0_NORMAL:1_DEGRADED_3_INVALID == 1) {
    uVar2 = 1;
  }
  else if (ENGINE_SPEED_STATUS_0_NORMAL:1_DEGRADED_3_INVALID == 2) {
    uVar2 = 3;
  }
  else {
    uVar2 = 0;
  }
  uVar1 = uVar2 | 0x80;
  if (Propulsion/ENGINE_RUN_Active == '\0') {
    uVar1 = uVar2;
  }
  uVar2 = uVar1 | 0x40;
  if (CRANK_ACTIVE == '\0') {
    uVar2 = uVar1;
  }
  uVar1 = uVar2 | 0x20;
  if (CRANK_ABORTED == '\0') {
    uVar1 = uVar2;
  }
  uVar2 = uVar1 | 0x10;
  if (RUN_ABORTED == '\0') {
    uVar2 = uVar1;
  }
  uVar1 = uVar2 | 8;
  if (PTO_RUN_ABORTED == '\0') {
    uVar1 = uVar2;
  }
  if (IDLE_ACTIVE == '\x01') {
    uVar1 = uVar1 | 4;
  }
  return uVar1;
}

[hjtrbo]

Thanks. You've done a nice job.

I'm getting it worked out. I'm working on a easier function similar to the one I posted that sits above the byte / bit breakdown you've got mapped. It loops around 28 times, does some confusing shit but then points me to 28 consecutive address tables. When I click into those functions pointed to by the address tables I get very similar to what you've shown
and everything is lining up. Yah.

[04colyZQ8]

Didn’t read the entire thread but does anyone have a program to flash the t43, with bin file?

I think the only thing I have for that is tuner cat and efi live? Is there anything else?

[antus]

Out of curiosity is the T43 (and/or T42) still VPW? I wonder if it'd be a good and simple enough target to add to pcmhammer?

[hjtrbo]

T43 is CAN.

[hjtrbo]

Calling all you software hoarders and looters.

I've hit a bit of a road block nailing down some of the TCC logic I'm interested in. In desperation; If any of you kind souls have a 2012+ T43 definition file could you please pm me to discuss a possible trade.

[ejukated]

Wow, just caught up on this thread. Awesome work!

Has anyone looked into reading the adapt values? I can only assume its stored somewhere maybe in eeprom as it seems to persist after reflash?

[fastboatster]

very interesting thread, it inspired me to take a peek at some BWM T43 TCUs, but that's off-topic. I have a couple of questions about OP's ROM, though. Bear with me as this is my first post
I see that OP says that r13 is 0x400000 and r2 is 0x8000. I was looking at OP's ROM and I found where r2 and r13 were getting assigned:

Code: Select all

                             LAB_00031854                                    XREF[1]:     FUN_00047e9c:00047ecc(R)  
        00031854 3d a0 00 40     lis        r13,0x40
        00031858 39 ad 00 00     addi       r13,r13,0x0
        0003185c 3c 40 00 30     lis        r2,0x30
        00031860 38 42 00 00     addi       r2,r2,0x0

The r2 is not 0x8000, is it? Or does it get assigned again elsewhere? I think it doesn't.
Also, these MPC5xx microcontrollers might have both internal and external flash memory, so my other question is if we are looking at some part of the external flash or an internal flash.
Also, do we know if T43s have an internal bootloader for OBD-II flashing or bootloader is external like in some PCMs and it gets uploaded to the TCU during the programming session? If the bootloader is internal (I hope not), where is it located? I'm wondering if there're any protections against firmware modifications and how these are bypassed.

[hjtrbo]

Looks like it get's re-assigned. Here it is 8000h

Code: Select all

      ROM:010290 3d a0 00 40     lis        r13,0x40
      ROM:010294 39 ad 00 00     addi       r13,r13,0x0
      ROM:010298 3c 40 00 01     lis        r2,0x1
      ROM:01029c 38 42 80 00     subi       r2,r2,DAT_00008000                              

Flash kernal is loaded externally