GM E38 E67 E40 Kernel/Bootloader Development Extravaganza
Re: GM E38 Kernel/Bootloader Development Extravaganza
each block has two checksums
first two bytes to check load
and the second to verify that calibration is unchanged by tuning
Re: GM E38 Kernel/Bootloader Development Extravaganza
OS Calibration
Starts at 10000
Ends at 1BFFFF
CVN at 1001E
System Calibration
Starts at 1C0000
Ends at 1C134F
CVN at 1C001E
Fuel Calibration
Starts at 1C1350
Ends at 1C3573
CVN at 1C136E
Speed Calibration
Starts at 1C3574
Ends at 1C3917
CVN at 1C3592
Engine Diagnostic Calibration
Starts at 1C3918
Ends at 1CD373
CVN at 1C3936
Engine Calibration
Starts at 1CD374
Ends at 1FFFFF
CVN at 1CD392
Also note that 6 CRCs actually get noted at location E32E to E339. In fact... they actually appear multiple times in that top FFFF section.
*edit
Now looking at the top section, I can see them labelled. I'm pretty sure the values between the segments indicate the address for calculating the CRC for each segment.
Yeah ok, so it does seg total address then does top part of seg then it skips the CRC 2 bytes, and does the remainder of the seg. And finally address is segment minus header to end of segment.
*edit 2
Now I think from memory it only calculates the CRC based on data after the CRC, wrote an app for this but ill be on the old laptop. But at least it's safe to know that all calibrations occur from 0x1C 0000.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Development Extravaganza
see also
address 0x3f0
it's a boot
its title will show you
how its parts are located in memory
the principle is the same
Re: GM E38 Kernel/Bootloader Development Extravaganza
Now that erasing, sectors of flash and also cal offsets of the bin are understood, can now look at what's required for programming.
Flash data sheet shows:
need to send AA,55,A0 then finally address and data.
Will need to set the WP value to 1 for read/write access as well, like done for requesting device ID and write enable input.
Cool cool.. I'm feeling I have a very good understanding of all this now. Kernel is about 2k currently.... I reckon it shouldn't take more than maybe 100 instructions, so that'll be another 400ish bytes.
Re: GM E38 Kernel/Bootloader Development Extravaganza
Ok I see that. 12605900, must be the ID for the boot.
kostia111 wrote:
> see also
> address 0x3f0
> it's a boot
> its title will show you
> how its parts are located in memory
> the principle is the same
I don't see the address in that area of anything else of interest, but it's good to know regardless.
Re: GM E38 Kernel/Bootloader Development Extravaganza
see
the header is not always at the beginning of the file
he can describe the memory above and below himself
Attachment: e38-2.JPG (87.64 KiB)
Re: GM E38 Kernel/Bootloader Development Extravaganza
I showed the markup a little incorrectly
but I think the meaning is clear
file consists of 2 parts
in the header can be indicated not only the address of the beginning and end
but also the starting address and length
I translate through google
and the translation is not quite right
sorry
0x0000---0x03ef
0x03f0--0xbfff
Last edited by kostia111 on Sat Feb 08, 2020 11:20 pm, edited 1 time in total.
Re: GM E38 Kernel/Bootloader Development Extravaganza
That's OK, I'm understanding what you're saying (mostly)
kostia111 wrote:
> I showed the markup a little incorrectly
> but I think the meaning is clear
> file consists of 2 parts
> in the header can be indicated not only the address of the beginning and end
> but also the starting address and length
> I translate through google
> and the translation is not quite right
> sorry
I see how you have marked it up, which makes sense. But what I'm saying is there is nothing that is really needed from that section, since we will not be touching that boot segment.
I have begun adding the skeleton of the writing process and have hard coded in for cal only at the moment to ensure I don't majorly bugger up.
Re: GM E38 Kernel/Bootloader Development Extravaganza
For my reference (and sanity).
Compiled some code in C through a PPC compiler to generate this assembly:
I will throw that into a function... and assuming I set r31 into RAM, it should hopefully work. Store the 16-bit CRC into RAM at the end and hopefully that'll work.
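Code:
# CRC start. Frame at r31: 8(31) = crc, 12(31) = byte index,
# 16(31) = bit counter, 24(31) = pointer to the data.
    li 9,0
    stw 9,8(31)          # crc = 0
    li 9,0
    stw 9,12(31)         # index = 0
ForLoop:
    lwz 9,12(31)
    cmpwi 7,9,7
    ble 7,Part1Cal       # index <= 7: process the next byte
    b EndCRC
Part1Cal:
    lwz 9,12(31)
    addi 10,9,1
    stw 10,12(31)        # index++ (r9 still holds the old index)
    lwz 10,24(31)
    add 9,10,9
    lbz 9,0(9)           # load data[old index]
    rlwinm 9,9,0,0xff
    slwi 9,9,8
    lwz 10,8(31)
    xor 9,10,9
    stw 9,8(31)          # crc ^= byte << 8
    li 9,0
    stw 9,16(31)         # bit = 0
BitsRotate:
    lwz 9,16(31)
    cmpwi 7,9,7
    ble 7,Part2Cal       # bit <= 7: shift once more
    b ForLoop            # byte done; index was already advanced in Part1Cal
Part2Cal:
    lwz 9,8(31)
    rlwinm 9,9,0,16,16   # isolate bit 0x8000 of the running crc
    cmpwi 7,9,0
    beq 7,CRCOp1
    lwz 9,8(31)
    slwi 9,9,1
    xori 9,9,32773       # top bit was set: shift and XOR with 0x8005
    b CRCOp2
CRCOp1:
    lwz 9,8(31)
    slwi 9,9,1           # top bit clear: shift only
CRCOp2:
    stw 9,8(31)
    lwz 9,16(31)
    addi 9,9,1
    stw 9,16(31)         # bit++
    b BitsRotate
EndCRC:
    lwz 9,8(31)
    rlwinm 9,9,0,16,31   # keep the low 16 bits as the result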
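The CRC loop in the post above, written back out as C with the two segment coverages the thread considers (skip the 2-byte field, or hash only the data after it). This is an added example, not code from the thread; the function names, the 2-byte field width, the reuse of the 0x1E offset for every segment and the sample buffer are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CRC_POLY  0x8005u  /* 32773, the constant in "xori 9,9,32773" */
#define FIELD_OFF 0x1Eu    /* from the thread: segment 0x1C0000, field 0x1C001E */
#define FIELD_LEN 2u       /* assumption: the stored value is 16 bits wide */

/* Feed len bytes into a running CRC: MSB first, no reflection, no final XOR. */
uint16_t crc16_update(uint16_t crc, const uint8_t *p, size_t len)
{
    while (len--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ CRC_POLY)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC of a whole buffer, starting from 0 as the listing does. */
uint16_t crc16(const uint8_t *p, size_t len) { return crc16_update(0, p, len); }

/* Coverage A (assumed): bytes before the field, skip it, then the rest. */
int seg_crc_skip_field(const uint8_t *seg, size_t len, uint16_t *out)
{
    if (len < FIELD_OFF + FIELD_LEN) return -1;  /* too short to hold the field */
    uint16_t crc = crc16_update(0, seg, FIELD_OFF);
    *out = crc16_update(crc, seg + FIELD_OFF + FIELD_LEN,
                        len - FIELD_OFF - FIELD_LEN);
    return 0;
}

/* Coverage B (assumed): only the bytes that follow the field. */
int seg_crc_after_field(const uint8_t *seg, size_t len, uint16_t *out)
{
    if (len < FIELD_OFF + FIELD_LEN) return -1;
    *out = crc16(seg + FIELD_OFF + FIELD_LEN, len - FIELD_OFF - FIELD_LEN);
    return 0;
}

int main(void)
{
    uint8_t seg[64];                     /* constructed sample, not ECU data */
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < sizeof seg; i++) seg[i] = (uint8_t)(i * 7 + 3);
    seg_crc_skip_field(seg, sizeof seg, &a);
    seg_crc_after_field(seg, sizeof seg, &b);
    printf("A=%04X B=%04X\n", a, b);
    return 0;
}
```

Running both coverages over a dumped segment and comparing each result with the stored value shows which reading matches the file.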
Re: GM E38 Kernel/Bootloader Development Extravaganza
if you want to do programming just like sps does
then in addition to software and calibrations, nothing more needs to be programmed
if checksums are already calculated in the file
if the checksums are not yet corrected
this can be done on the fly before programming
memory area where you still found them
I often program modified files
standard sps procedures
I only preliminarily count checksums
and change them in the file