Question for the Gurus

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.

Post by planethax »

So if I have this correctly, I am needing to create a Bootloader for the INTEL FLASH chip to tell the MOTOROLA CPU to dump the BIN to my peripheral device?



Post by antus »

I wouldn't be looking at a boot loader, no. While you could probably add some kind of boot loader to the code which could contain the option to dump the chip at startup, the problem would be getting it on the flash chip in the first place, and it would not be standard. So, when you used it to upload a new bin, unless that bin was pre-patched with a bootloader you'd be back to square one. Most GM ECUs have a method (after unlocking) of loading code to RAM and executing it. So you'd be wanting to create the code that can run from RAM to read/erase/write the flash chip. It may be possible to capture this code somehow from a bin update with a GM Tech 2 or similar, or you could look at creating it yourself. If you could log a code update with a Tech 2 then you'd see the whole process you need to implement.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Post by planethax »

Hmmm, well, most places I have read say that these PCMs do not have the routine built in for reading/writing files, so we need a bootloader.

I do have a Tech2, maybe I'll see if my ELM will monitor DL while it is connected and then do a reflash and capture it all.

Post by antus »

Well, I'm not well versed in OBD2, but AFAIK all the OBD1.5 and later PCMs do have the ability to load code to RAM and execute, which provides the way in. Capturing the process would put you well on the way.

If you were going to use a boot loader you'd need to know how it fits in to the rest of the system: where it lives in the PCM, how to get it there, and how the CPU honours it and uses it at startup. Some of this info could be found in the CPU datasheet. But I bet the dealers don't hack in a bootloader to flash in a factory code update.

Post by VL400 »

planethax wrote: Hmmm, well, most places I have read say that these PCMs do not have the routine built in for reading/writing files, so we need a bootloader.

The OBDII PCMs over here don't have the code in there to read/write the bin, but you don't use a bootloader as such. You have to write your own, just like antus was saying, and send it to the PCM's RAM - there are specific modes described in the J1850 paper for this purpose. There is a guy on thirdgen.org that's playing with the OBDII code, dimented24x7. Very switched on guy and might be able to give you some help on what's needed in the routines for the 32bit CPUs - he has disassembled a fair bit of the code now so should have a pretty good idea.

Post by planethax »

This is the latest info I have found (maybe some have different definitions of bootloaders?)
1) You unlock the PCM
2) Set the PCM into diagnostics mode
3) Request upload (to RAM)
4) Upload the "bootloader"; after uploading you send the address in RAM that you uploaded it to, this tells the PCM to reboot and start execution at that address
5) PCM reboots
6) The bootloader is listening for commands
7) You tell the bootloader "give me bytes 1-256 of the flash"; it reads them and sends you a message with the bytes in it
8) Repeat 7 until you have read the entire flash
9) Turning the key off ... Wait 5-15 seconds... Turn key on and the RAM is cleared and the pc reboots again.
Writing to the flash is about the same but the loader listens for write commands.

The hardest part is writing the bootloaders. They must be compiled to run on the Motorola 68332 chip. Have yet to find a compiler for that chip.

Post by VL400 »

That's a little different to how I understood it to be - if they do in fact reset then yeah, you could call it a bootloader. And can say thanks to GM for making it different!

All the info I have for the OBDII PCMs here in Oz don't reset after the routines are sent to the PCM - you just request that they start executing. You need to reset it once finished though, as the RAM is all messed up. The OBD1.5 PCMs don't reset either, just start executing. They are still a class 1 serial device.

Post by planethax »

Well, GM is good at making things different lol.

Going to set up the ELM to monitor while I do some testing with TechII to capture what's going on.

Just not sure if the ELM will in fact still monitor the dataline with TechII connected.
Here's hoping!

Post by sabercatpuck »

The biggest problems I foresee with monitoring with the ELM are needing a way to patch 2 devices in at the same time, not being able to see what happens in 4x mode, and the easy ones: setting it up to log the session, and setting at h1 and at ma on the ELM to see all the traffic.
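
An added example, not written by any poster in this thread: a small parser for the kind of ELM monitor log discussed above, captured with headers on. It assumes the usual 3-byte J1850 VPW header (priority, target, source), treats the first data byte as the mode, and checks the trailing CRC byte; the sample lines, addresses and data bytes are constructed.

```python
from collections import Counter

def j1850_crc(data: bytes) -> int:
    """SAE J1850 CRC-8: polynomial 0x1D, initial 0xFF, final XOR 0xFF."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def parse_line(line: str):
    """Return a frame dict, or None for ELM status text and short lines."""
    try:
        raw = bytes.fromhex(line.strip())
    except ValueError:
        return None                      # "BUFFER FULL", ">" prompt, etc.
    if len(raw) < 5:                     # 3 header bytes + 1 data byte + CRC
        return None
    return {"priority": raw[0], "target": raw[1], "source": raw[2],
            "mode": raw[3],              # assumption: first data byte = mode
            "payload": raw[4:-1],
            "crc_ok": j1850_crc(raw[:-1]) == raw[-1]}

def summarize(lines):
    """Split a capture into frames, CRC failures and non-frame lines."""
    frames, skipped = [], []
    for line in filter(None, (l.strip() for l in lines)):
        frame = parse_line(line)
        if frame is None:
            skipped.append(line)         # marks a gap in the capture
        else:
            frames.append(frame)
    bad = [f for f in frames if not f["crc_ok"]]
    talkers = Counter((f["source"], f["target"], f["mode"])
                      for f in frames if f["crc_ok"])
    return frames, talkers, bad, skipped

def elm_line(hex_body: str, corrupt: bool = False) -> str:
    # Helper that builds a constructed sample line with its CRC appended.
    body = bytes.fromhex(hex_body)
    crc = j1850_crc(body) ^ (0x01 if corrupt else 0x00)
    return (body + bytes([crc])).hex(" ").upper()

# Constructed sample capture: two good frames, one damaged, two status lines.
SAMPLE = [elm_line("6C 10 F0 3C 01"), elm_line("6C F0 10 7C 01 31 47 31"),
          elm_line("6C 10 F0 3C 02", corrupt=True), "BUFFER FULL", ">"]

if __name__ == "__main__":
    print(summarize(SAMPLE)[1:])
```

Lines that fail the CRC or are not hex at all are kept separate rather than dropped, so holes in the capture stay visible when the session is reviewed.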