T43 Dissasembly

fastboatster · Post by **fastboatster** » Sat Dec 28, 2024 3:25 pm

hjtrbo wrote: ↑Sat Dec 28, 2024 3:07 pm Looks like it get's re-assigned. Here it is 8000h

      ROM:010290 3d a0 00 40     lis        r13,0x40
      ROM:010294 39 ad 00 00     addi       r13,r13,0x0
      ROM:010298 3c 40 00 01     lis        r2,0x1
      ROM:01029c 38 42 80 00     subi       r2,r2,DAT_00008000

Flash kernal is loaded externally

thanks a lot! looks like I missed this. Explains why some references got broken when I used r2 and r13 values from 00031854. As for the externally loaded flash kernel, does it get loaded over the CAN bus or via K-Line? I now in some non-GM PCMs the kernel gets loaded via K-Line first and then than kernel reads the data over the CAN.

hjtrbo · Post by **hjtrbo** » Sat Dec 28, 2024 7:48 pm

Over the canbus for these modules. I don't recall the kernal been public, however from what I'm told if you know your way around it can be easily had.

fastboatster · Post by **fastboatster** » Sun Dec 29, 2024 5:28 am

hjtrbo wrote: ↑Sat Dec 28, 2024 7:48 pm Over the canbus for these modules. I don't recall the kernal been public, however from what I'm told if you know your way around it can be easily had.

I see, so these kernels are probably obtained by "listening" to GM update process and then patched to disable things like sig verification etc?
Going back to the r2 register, it looks like the code that you provided (at 0x010290) is in the 10000-1FFFF area, which Kur4o said to be "some bdm recovery, FLASH, communication area?" OS is said to be at 30000 - 11FFFF and 120000 - 1BFFFF. So I think that when the OS section initializes, it sets the r2 and r13 values. Not unheard of in other PCMs/ECMs where boot sections and application software sections redo the init process at their beginning and set their own register values. Anyhow, it looks like r2 value doesn't seem to matter too much, I have to take back that some of the references got broken/changed when I changed the r2 register.

hjtrbo · Post by **hjtrbo** » Sun Dec 29, 2024 12:32 pm

fastboatster wrote: ↑Sun Dec 29, 2024 5:28 am
hjtrbo wrote: ↑Sat Dec 28, 2024 7:48 pm Over the canbus for these modules. I don't recall the kernal been public, however from what I'm told if you know your way around it can be easily had.
Going back to the r2 register, it looks like the code that you provided (at 0x010290) is in the 10000-1FFFF area, which Kur4o said to be "some bdm recovery, FLASH, communication area?" OS is said to be at 30000 - 11FFFF and 120000 - 1BFFFF. So I think that when the OS section initializes, it sets the r2 and r13 values.

I like your logic, I think you raise a valid point as to what the final value of r2 is for the OS execution.

Tre-Cool · Post by **Tre-Cool** » Fri Mar 14, 2025 10:07 pm

Slightly related, Have the Link G4X ECU with the 6L Can comms firmware in a car & running. Mates still gotta finish putting it all togethor but it was good enough to start engine up and run the trans upto 5th gear on his hoist.

hjtrbo · Post by **hjtrbo** » Sat Mar 15, 2025 12:24 pm

Awesome! That'll be great for my project when the day comes. I've got a Link Storm. Thanks for sharing your results!

T43 Dissasembly

Re: T43 Dissasembly

Re: T43 Dissasembly

Re: T43 Dissasembly

Re: T43 Dissasembly

Re: T43 Dissasembly

Re: T43 Dissasembly