Reverse engineering a 411 operating system

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse engineering a 411 operating system

Post by NSFW »

I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse engineering a 411 operating system

Post by NSFW »

Gampy wrote: Has anyone played with Dismot68. Two pass Motorola 6833X disassembler from usbjtag.com?
I haven't, but there are a bunch of 68k disassembler projects on GitHub too... I haven't tried any of these either, but it's worth a look:

https://github.com/search?q=68000+disassembler

https://github.com/search?q=68k+disassembler

One of them is written in 68k assembly. Whoah. :)
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse engineering a 411 operating system

Post by NSFW »

Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: Reverse engineering a 411 operating system

Post by Gampy »

I've tried several off Github, pretty crappy for the most part, a couple could get better with some work, most are for game consoles.
Yeah, several are written in 68k, which makes for good reference ...

But I've just about had it with Github, their paranoia and their data collection ...


Whoa there!

You have triggered an abuse detection mechanism.
Please wait a few minutes before you try again.
Has become my most frequently visited Github page ...

I guess if I want something better I'll need to pick one and sprinkle some magic dust on it ... :(
Probably over my head though, I dunno, never tried.

Thanks
Intelligence is in the details!

It is easier not to learn bad habits than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!
VX L67 Getrag
Posts: 2877
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria
Contact:

Re: Reverse engineering a 411 operating system

Post by VX L67 Getrag »

NSFW wrote:I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
I've seen a few controllers (E66, E77 & E67) that have stock files on them, but they write something in the file to get negative response code 7F when requesting bootloader. So I'm guessing that when it asks for those first sections you said to look for in the code, they've edited them, but when using that specific tuner's own software it doesn't get that negative response code & will read or write happily... so I was thinking that if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?
jay woo
Posts: 51
Joined: Mon Jul 11, 2011 8:42 pm

Re: Reverse engineering a 411 operating system

Post by jay woo »

Not sure what radare is like with processors in question, also not much of a gui. http://beta.rada.re/en/latest/
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Reverse engineering a 411 operating system

Post by NSFW »

VX L67 Getrag wrote:
NSFW wrote:I'm not sure what you're asking... What requests do you mean? Most (maybe all) of the OBD2 communication code is in that first flash block, so changing that code could basically change the rules of the OBD2 protocol. It might be interesting to watch the data on the OBD2 bus and see how they changed the protocol for use with their own custom OS.
I've seen a few controllers E66, E77 & E67 that have stock files on them but they write something in the file to get negative response code 7F when requesting bootloader so I'm guessing when it ask's for those first sections you said to look for in the code they've edited, but when using that specific tuners own software it doesn't get that negative request code & will read or write happily... so I was thinking if I could see those first couple of sections you mentioned on page 1 it may lead to where/why it gets that response?
If the firmware has been modified to prevent reading, then it's not stock anymore.

Who is "they" ? Were these tuned with HPTuners, or EFI Live, or something else?

I'm pretty sure bootloader is the wrong word there - you probably mean kernel. Lots of people in the GM tuning world use bootloader when they mean kernel, but it's wrong, and it is kinda confusing right now, because the real bootloader is the firmware code that you are wanting to examine.

Note that PCM Hammer probably won't work with any of the controllers you listed. It only works with P01 and P59, and P59 writing isn't finished yet. If you are using PCM Hammer with those PCMs, there is a good chance that the 7F response is caused by PCM Hammer trying to upload the kernel to a RAM address that isn't right for those PCMs. And even if you fix the RAM address, the app is going to upload a kernel written for a Motorola 68k CPU onto a PCM that probably has a PowerPC CPU, and that's not going to work.
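The 7F response discussed in the last few posts is the standard negative-response service ID: the module echoes the rejected request SID and then a one-byte negative response code (NRC) that says why. Reading that code off a bus capture is the quickest way to tell "service not supported" apart from "conditions not correct" or "security access denied", which narrows where to look (wrong RAM address, missing unlock, wrong service). The decoder below is an added example for this thread, not code from the thread, from HP Tuners or from PCM Hammer. It assumes the common 3-byte J1850 header layout (priority, target, source) and the SAE J2190 / ISO 14229 NRC meanings; the sample frames are constructed and carry no trailing CRC byte.

```python
"""Decode J1850-style diagnostic frames and tell a 0x7F negative response
apart from a positive one.

Added example; not code from the thread, from HP Tuners or from PCM Hammer.
Assumptions: 3-byte header (priority, target, source) as in the common J1850
message format, and SAE J2190 / ISO 14229 meanings for the NRC values.
The sample frames are constructed and carry no trailing CRC byte."""
from dataclasses import dataclass
from typing import List, Optional

NEGATIVE_RESPONSE_SID = 0x7F
POSITIVE_RESPONSE_OFFSET = 0x40  # positive response SID = request SID + 0x40

# Negative response codes with their standard (J2190 / ISO 14229) names.
NRC_NAMES = {
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x78: "requestCorrectlyReceivedResponsePending",
}


@dataclass
class DiagFrame:
    priority: int
    target: int
    source: int
    sid: int
    data: bytes
    negative: bool = False
    rejected_sid: Optional[int] = None
    nrc: Optional[int] = None

    def describe(self) -> str:
        """One-line, human-readable summary of the frame."""
        who = f"{self.source:02X}->{self.target:02X}"
        if self.negative:
            name = NRC_NAMES.get(self.nrc, "unknown NRC")
            return (f"{who} NEGATIVE response to SID {self.rejected_sid:02X}: "
                    f"{name} (0x{self.nrc:02X})")
        return f"{who} SID {self.sid:02X} data={self.data.hex().upper()}"


def parse_frame(raw: bytes) -> DiagFrame:
    """Split header, SID and payload; flag 7F frames and pull out the NRC."""
    if len(raw) < 4:
        raise ValueError("frame needs 3 header bytes plus a SID")
    priority, target, source, sid = raw[0], raw[1], raw[2], raw[3]
    payload = bytes(raw[4:])
    frame = DiagFrame(priority, target, source, sid, payload)
    if sid == NEGATIVE_RESPONSE_SID:
        # A negative response echoes the rejected request SID, then the NRC.
        if len(payload) < 2:
            raise ValueError("7F response must carry rejected SID and NRC")
        frame.negative = True
        frame.rejected_sid = payload[0]
        frame.nrc = payload[1]
    return frame


def is_positive_response_to(frame: DiagFrame, request_sid: int) -> bool:
    """True when `frame` is the positive reply to a request with `request_sid`."""
    return (not frame.negative
            and frame.sid == request_sid + POSITIVE_RESPONSE_OFFSET)


def negative_responses(frames: List[bytes]) -> List[DiagFrame]:
    """Filter a capture down to the 7F frames, the ones worth inspecting when
    a read or write session stops dead."""
    return [f for f in map(parse_frame, frames) if f.negative]


# Constructed sample capture: tool F0 sends PCM 10 a request with SID 0x34;
# the PCM answers once positively and once with a 7F (NRC 0x31).
SAMPLE_CAPTURE = [
    bytes.fromhex("6C 10 F0 34 00 00 00"),  # request from tool to PCM
    bytes.fromhex("6C F0 10 74"),           # positive response (0x34 + 0x40)
    bytes.fromhex("6C F0 10 7F 34 31"),     # negative response, NRC 0x31
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE:
        print(parse_frame(raw).describe())
```

Feed it the frames from a bus logger (minus the CRC byte) and the NRC name tells you which class of failure you are looking at before touching any firmware bytes.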
VX L67 Getrag
Posts: 2877
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria
Contact:

Re: Reverse engineering a 411 operating system

Post by VX L67 Getrag »

Yeah, I'm not sure if it's bootloader or kernel; I know the HPT message when reading says bootloader (I'll attach a screenshot later).

This current ECU in question is an E67 that is coming back with that response, & I'm not sure what it's tuned with, possibly EFILive.

I have had the same issue with the E66 & E77 controllers tuned with Trifecta & the only way I could get the files off was with BDM; they were an identical layout to stock format for tuning parameters, but I'm unsure of what wasn't mapped.... but BDM isn't possible on the E67 as there's no info for its process; it's very similar to the E38 layout but again no BDM info for that either.

But no, I haven't tried PCM Hammer for any of these as I knew it most likely would go.... WTF, I can't communicate with that, you idiot!
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Reverse engineering a 411 operating system

Post by antus »

Yeah, E66 and E67 are later PCMs and are completely different to P01 and P59. P01 and P59 are Motorola 68k processors, which do the things described in the 68k datasheet at power on, and E66 and E67 are PowerPC processors which do PowerPC things. You can't really compare their boot process at all. They are of completely different architectures.

HPT says bootloader to fit with 'traditional' but incorrect terminology; what they are really describing is the upload of the flash kernel. NSFW was talking about the actual boot loader, which is the equivalent of a PC's BIOS: it runs as soon as the power comes on, sets up the hardware in the device to a known state and then hands off control to the operating system.

On a PC the bootloader/BIOS is the part that initialises the RAM, the graphics/text, and all the controllers on the motherboard for hard drives, USB, serial, sound etc. It'll give beep codes if it can't get the system to a state with graphics where it can be considered 'running'. Then, outside the scope of the bootloader but still PC BIOS, it shows you the manufacturer info, does a memory test, loads the master boot record off some type of storage, and executes that.

In a PCM, the initialization of the hardware part is the same; then it validates the OS and the Calibration (and enters a tiny recovery kernel if they are not valid), but assuming they are OK it hands control straight to the fully fledged operating system.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
VX L67 Getrag
Posts: 2877
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria
Contact:

Re: Reverse engineering a 411 operating system

Post by VX L67 Getrag »

Ahh bugger, I was hoping it may have given me insight as to where to look for the issue, but it doesn't look like it will. I wonder if the BDM reads would show where the byte/bytes have been changed, to know what to change in the kernel?

Anyhow, here are the screenshots of what errors when trying to read these controllers...
HPT write neg response code.png
HPT read neg response code.png