Question for the Gurus

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Question for the Gurus

Post by planethax »

While I wait for my 4X Speed cable, I now I will need to have a bootloader to be able to Download/Upload bin files to the PCM.

(I believe most GM OBD2 Pcms use Motorola 68332 chip? )

I really don't know assembly at all, but may have someone to help me (he codes low level language for AMD and now for HD TV tuners)

First step I have read is removing the chip and installing in a reader to dump the info.

Here is where my question lies;

All the OBD2 flash files I find are 512Kb, is that the WHOLE chip? If I give that file to this guy to work with, will it be possible to write the bootloader? or is there more info that absolutely needs to have the chip removed and dumped?

I attach 1 such file.


Thanx.
2001_Impala_12221682.bin
(512 KiB) Downloaded 517 times
User avatar
antus
Site Admin
Posts: 8239
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Question for the Gurus

Post by antus »

it looks like the whole chip to me. the code disassembles as motorola 68330 32bit code.

it looks kinda funny, im so used to 16bit!
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
VL400
Posts: 4991
Joined: Sun Mar 01, 2009 2:54 pm
cars: VL Calais and Toyota Landcruiser. Plus some toys :)
Location: Perth, WA
Contact:

Re: Question for the Gurus

Post by VL400 »

A 512KB bin is pretty standard for the OBDII bins we get here so is most prob correct.

The advantage of OBDII over the early protocol is it follows a standard, GM use a SAE J1850 VPW. So there is all the info you need on each mode available for free.

SAE J1850 documents of interest:
SAE J1850: Specifies requirements for a vehicle data communications
network. Compliance committee recently formed (J1699)
SAE J2178: Specifies non-diagnostic messages.
Part 1 - Message header formats and physical node addresses
Part 2 - Message parametric data
Part 3 - Message assignments for the single byte header format
Part 4 - Message assignments for the three byte header format
SAE J1962: Diagnostic Connector (under dash). New 16-pin standard.
SAE J2012: Diagnostic Codes
SAE J2190: Specifies diagnostic and malfunction messages (to “fix” vehicles)
SAE J2008: Recommended Organization of Vehicle Service Information
SAE J1978: OBD - II Scan Tool (On Board Diagnostics)
SAE J2205: Expanded Diagnostic Protocol for OBD-II Scan Tools
SAE J2300: Conformance Test Procedures for OBD-II Scan Tools
SAE J1979: Specifies CARB/EPA functions and messages.
SAE J1699: Compliance Tests and Test Methods for SAE J1850
SAE J1113: Electromagnetic Susceptibility Measurement Procedures for
Vehicle Components
SAE J1547: Electromagnetic Susceptibility Measurement Procedures for
Common Mode Injection
SAE J1211: Electronic Equipment Design Recommended Procedure
SAE J1879: General Qualification and Production Acceptance Criteria for
Integrated Circuits in Automotive Applications
SAE J1930: Electrical/Electronic Systems Diagnostic Terms, Definitions,
Abbreviation, and Acronyms
SAE J1213: Glossary of terms for vehicle networks






The basic bin dump process normally goes something like...
Mode 3F - Test if anything is present
Mode 28 - Disable Chatter
Optionally get the VIN
Mode 27 - Security (Your well versed in this one!)
Mode A0 - Start high speed comms
Mode 34 - Download a routine to dump the bin
Mode 35 - To dump the bin using your downloaded routine
Mode 20 - Return To Normal

And for reflashing something like..
Mode 3F - Test if anything is present
Mode 28 - Disable Chatter
Optionally get the VIN
Mode 27 - Security (Your well versed in this one!)
Mode A0 - Start high speed comms
Mode 36 - Data Transfer To Download a Routine And Then Pass The Bin To Write
Mode 20 - Return To Normal


As far as writing the bin dumper and reflash routines thats where you need to look at the specific type of flash chip in the PCM and use the data sheet for it. In the OBDI PCMs here we use 29F010 and in the OBDII either an AMD or intel thats a 29F040 (check this as its been awhile since I looked at the LS1 stuff). The thing to note here is how the memory is arranged, i forget which way but one starts at the top and one at the bottom.

Hope that helps a bit, getting a freeware bin dumper/writer tool is def something I would like to see out there :thumbup:
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Re: Question for the Gurus

Post by planethax »

Ya! Thanx for the info, I am researching the Chip now, trying to find some sort of "dumper/writer"
sabercatpuck
Posts: 67
Joined: Thu Jan 14, 2010 1:03 am
cars: 1999 Saturn SL1
2003 Monte Carlo

Re: Question for the Gurus

Post by sabercatpuck »

I found this list invaluable when I started looking into mine. I found it under a 711 programmer on ebay. It lists several cross references, unfortunately not for the 68330 ones. Such as in my case I had E87J my chip and you can see in the list it crosses to MC68HC11F1. If anyone can expand this it would be usefull.

MOTOROLA MC68HC05 Series:
MC68HC05B6, MC68HC05B8, MC68HC05B16, MC68HC05B32, MC68HC05X32(0D53J),
MC68HC05X32(0D69J), MC68HC05X32(1H52A), MC68HC05X32(1D69J),
MC68HC705X32(2D59J), MC68HC705B16, MC68HC705B16N, MC68HC705B32,
MC68HC05L28, MC68HC05E6(0F82B), MC68HC05E6(0G72G), MC68HC05H12(0H57A),
MC68HC05P3(1E25B)


MOTOROLA MC68HC08 Series:
MC68HC08AS32(1J27F), MC68HC08AZ32, MC68HC08AZ32(0J66D), MC68HC08AS60,
MC68HC08AS60(8H62A), MC68HC08AZ60, MC68HC08AZ60(2J74Y), MC68HC08AZ60A


MOTOROLA MC68HC11 Series :
MC68HC11A8(old), MC68HC11A8(new), MC68HC11E1, MC68HC11E9, MC68HC11EA9,
MC68HC11EA9(0D46J), MC68HC11EA9(1D47J), MC68HC11EA9(2D47J),
MC68HC11F1(2F37E), MC68HC11F1(E87J), MC68HC11K4, MC68HC11K4(1E62H),
MC68HC11K4(3E74J), MC68HC11KS2(1E59B), MC68HC11KA4, MC68HC11KA4(0E57S),
MC68HC11KW1, MC68HC11L6, MC68HC11P2(3E74J), MC68HC11P2(1E53M),
MC68HC11P2(0G10V), MC68HC11PA8, MC68HC11PH8, MC68HC11PH8(3D64J),
MC68HC11PH8(0H30R)


MOTOROLA MC68HC(S)12 Series:
XC68HC12B32(9H91F), MC68HC12B32(1H91F), MC68HC12B32(3H91F),
MC68HC12BE32(2H54T), MC68HC12BE32(0J38M), MC68HC12D60(0K75F),
MC68HC12D60(1F68K), MC68HC12D60(1L28M), MC68HC912DG128(5H55W),
MC9S12D64(2L86D), MC9S12DG256(2K79X)
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Re: Question for the Gurus

Post by planethax »

Thanx for the info.

Well I took apart 1 Pcm I had here, The Flash chip said
INTEL
16236995
AB28f400BX
U8390438Q

So I assume it is an Intel 28F400BX based Flash Chip?

When I read that it is "motorola 68330 32bit code" that means that Chip is coded with a Code Style named motorola 68330 32bit ?


Sorry, a newb when it comes to this but am learning.
User avatar
antus
Site Admin
Posts: 8239
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Question for the Gurus

Post by antus »

yep, thats all correct...

sample of the code:

Code: Select all

ROM:0001B834 loc_1B834:                              
ROM:0001B834                 tst.b   ($FFFF9EB1).w
ROM:0001B838                 beq.s   loc_1B848
ROM:0001B83A                 btst    #1,($FFFF9AE4).w
ROM:0001B840                 beq.s   loc_1B848
ROM:0001B842                 jsr     sub_1BDB4
ROM:0001B848
ROM:0001B848 loc_1B848:                              
ROM:0001B848                 move.w  ($FFFF9B42).w,($FFFF9B44).w
ROM:0001B84E                 move.w  ($FFFF9B34).w,($FFFF9B42).w
ROM:0001B854                 rts
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Re: Question for the Gurus

Post by planethax »

Cool, so its starting (just barely lol) to sink in.

What are you guys using to see that code? (IDA I read somewhere)

I looked at it with Hex WorkShop but it doesn't look like that, tried to open with Olly Debugger too lol.
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Re: Question for the Gurus

Post by planethax »

Picked up a copy of IDA.

Now time to learn that lol.
Head may explode soon :driving:
planethax
Posts: 41
Joined: Fri Jan 01, 2010 12:45 pm

Re: Question for the Gurus

Post by planethax »

Well I opened up 2 Pcms last night
This is what I found

Flash Chips
2001 Impala 3400

Code: Select all

Intel
16236995
AB28F400BX
E5012
U8390438Q
1999 Chev Venture 3400

Code: Select all

Intel
16236995
AB28F400BX
H3311
U0490294Y
Not sure of the differences between the Two besides last to lines, but def same family (maybe build code dates etc?)

It seems MANY MANY GM Pcms use this chip (even back to 96 4.3l in trucks I have seen)

Searching for Data on this chip, I come up to referrences to
AB28F400BX with a T90 or B90 at the end? not sure what that would be?

Also have found
http://pdf1.alldatasheet.com/datasheet- ... X-B90.html
which seems to reference both B and T

Here is the image of the 99 Venture
(edited to make image a reasonable size lol)
Attachments
pcm.jpg
pcm.jpg (285.9 KiB) Viewed 11544 times
chips.jpg
chips.jpg (253.38 KiB) Viewed 11542 times
Post Reply