Reverse engineering a 411 operating system
Re: Reverse engineering a 411 operating system
I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
Re: Reverse engineering a 411 operating system
Gampy wrote: Has anyone played with Dismot68. Two pass Motorola 6833X disassembler from usbjtag.com?
I haven't, but there are a bunch of 68k disassembler projects on Github too... I haven't tried any of these either, but it's worth a look:
https://github.com/search?q=68000+disassembler
https://github.com/search?q=68k+disassembler
One of them is written in 68k assembly. Whoah.
Re: Reverse engineering a 411 operating system
See also: http://www.easy68k.com/
Re: Reverse engineering a 411 operating system
I've tried several off Github, pretty crappy for the most part, a couple could get better with some work, most are for game consoles.
Yea, several are written in 68k, make for good reference ...
But I've just about had it with Github, their paranoia and their data collection ...
Code:
Whoa there!
You have triggered an abuse detection mechanism.
Please wait a few minutes before you try again.
Has become my most frequently visited Github page ...
I guess if I want something better I'll need to pick one and sprinkle some magic dust on it ...
Probably over my head though, I dunno, never tried.
Thanks
Intelligence is in the details!
It is easier not to learn bad habits, than it is to break them!
If I was here to win a popularity contest, there would be no point, so I wouldn't be here!
Re: Reverse engineering a 411 operating system
NSFW wrote: I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
I've seen a few controllers E66, E77 & E67 that have stock files on them but they write something in the file to get negative response code 7F when requesting bootloader so I'm guessing when it asks for those first sections you said to look for in the code they've edited, but when using that specific tuner's own software it doesn't get that negative request code & will read or write happily... so I was thinking if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?
Re: Reverse engineering a 411 operating system
Not sure what radare is like with processors in question, also not much of a gui. http://beta.rada.re/en/latest/
Re: Reverse engineering a 411 operating system
VX L67 Getrag wrote:
NSFW wrote: I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
I've seen a few controllers E66, E77 & E67 that have stock files on them but they write something in the file to get negative response code 7F when requesting bootloader so I'm guessing when it asks for those first sections you said to look for in the code they've edited, but when using that specific tuner's own software it doesn't get that negative request code & will read or write happily... so I was thinking if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?
If the firmware has been modified to prevent reading, then it's not stock anymore.
Who is "they" ? Were these tuned with HPTuners, or EFI Live, or something else?
I'm pretty sure bootloader is the wrong word there - you probably mean kernel. Lots of people in the GM tuning world use bootloader when they mean kernel, but it's wrong, and it is kinda confusing right now, because the real bootloader is the firmware code that you are wanting to examine.
Note that PCM Hammer probably won't work with any of the controllers you listed. It only works with P01 and P59, and P59 writing isn't finished yet. If you are using PCM Hammer with those PCMs, there is a good chance that the 7F response is caused by PCM Hammer trying to upload the kernel to a RAM address that isn't right for those PCMs. And even if you fix the RAM address, the app is going to upload a kernel written for a Motorola 68k CPU onto a PCM that probably has a PowerPC CPU, and that's not going to work.
Re: Reverse engineering a 411 operating system
Yeah I'm not sure if it's bootloader or kernel, I know the HPT message when reading says bootloader (I'll attach a screenshot later).
This current ECU in question is E67 that is coming with that response & not sure what it's tuned with, possibly EFILive.
I have had the same issue with the E66 & E77 controllers tuned with Trifecta & the only way I could get the files off was with BDM & they were an identical layout to stock format for tuning parameters but unsure of what wasn't mapped.... but BDM isn't possible on the E67 as there's no info for its process, it's very similar to E38 layout but again no BDM info for that either.
But no I haven't tried PCM Hammer for any of these as I knew it most likely would go.... WTF I can't communicate with that you idiot!
antus (Site Admin)
Re: Reverse engineering a 411 operating system
Yeah E66 and E67 are later PCMs and are completely different to P01 and P59. P01 and P59 are Motorola 68k processors, which do things described in the 68k datasheet at power on, and E66 and E67 are PowerPC processors which do PowerPC things. You can't really compare their boot process at all. They are of completely different architectures.
HPT says bootloader to fit with 'traditional' but incorrect terminology; what they are really describing is upload of the flash kernel. NSFW was talking about the actual boot loader, which is the equivalent of a PC computer BIOS that runs as soon as the power comes on, sets up the hardware in the device to a known state and then hands off control to the operating system.
On a PC the bootloader/BIOS is the part that initialises the RAM, the graphics/text, all the controllers on the motherboard for hard drives, USB, serial, sound etc; it'll beep codes if it can't get the system to a state with graphics where it can be considered 'running'. Then, outside the scope of the bootloader but still PC BIOS, it shows you the manufacturer info, does a memory test, loads the master boot record off some type of storage, and executes that.
In a PCM, the initialization of the hardware part is the same, then it validates the OS and the Calibration (and enters a tiny recovery kernel if they are not valid) but assuming they are OK it hands control straight to the fully fledged operating system.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
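The power-on flow antus describes (hardware init, validate OS and Calibration, hand off to the OS or drop into a tiny recovery kernel), as an added model in Python that is not code from this thread, from PCM Hammer or from any GM PCM. The region layout and the 16-bit word-sum checksum stored in each region's first two bytes are assumptions made for illustration.

```python
import struct

# Assumed checksum scheme: 16-bit big-endian word sum of the payload.
# Real PCM images use their own layout; this is only a model of the flow.
def region_checksum(payload: bytes) -> int:
    if len(payload) % 2:
        payload += b"\x00"          # pad odd-length payloads to whole words
    words = struct.unpack(f">{len(payload) // 2}H", payload)
    return sum(words) & 0xFFFF

def build_region(payload: bytes) -> bytes:
    """Prepend the stored checksum so the region can self-validate."""
    return struct.pack(">H", region_checksum(payload)) + payload

def region_valid(region: bytes) -> bool:
    """True when the stored checksum matches the payload that follows it."""
    if len(region) < 2:
        return False
    (stored,) = struct.unpack(">H", region[:2])
    return stored == region_checksum(region[2:])

def boot(os_region: bytes, cal_region: bytes) -> str:
    """Bootloader decision after hardware init: OS or recovery kernel."""
    # Hardware initialisation would run here; it does not depend on flash.
    if region_valid(os_region) and region_valid(cal_region):
        return "os"
    return "recovery-kernel"

# Constructed sample images (not real PCM data).
GOOD_OS = build_region(b"operating system code")
GOOD_CAL = build_region(b"calibration tables")
# A single corrupted byte in the calibration, as from an interrupted write.
BAD_CAL = GOOD_CAL[:5] + bytes([GOOD_CAL[5] ^ 0x01]) + GOOD_CAL[6:]

if __name__ == "__main__":
    print("intact image  ->", boot(GOOD_OS, GOOD_CAL))
    print("damaged cal   ->", boot(GOOD_OS, BAD_CAL))
```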
Re: Reverse engineering a 411 operating system
Ahh bugger, I was hoping it may have given me insight as to where to look for the issue but doesn't look like it will be, I wonder if the BDM reads would show where the byte/bytes have been changed to know what to change in the kernel?
Anyhow here is the screenshots of what errors when trying to read these controllers...