Re: E92 PCM Reverse Engineering

Posted: Mon Aug 29, 2022 11:45 pm
by ironduke
I found one with an H as the 8th digit..

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 12:05 am
by turbo_v6
Awesome thanks, I’ll definitely be looking at that when I get home from work. There must be a ton of unused space if it zips down to 1.12mb from a 4mb file.

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 12:10 am
by ironduke
bubba2533 wrote: Awesome thanks, I’ll definitely be looking at that when I get home from work. There must be a ton of unused space if it zips down to 1.12mb from a 4mb file.
There's a fair amount of free space.. You can use universal patcher to see the layout..

Reading Platform config: e92-platform.xml [OK]
Loading file: e92.xml [OK]
(SegmentSeek-e92.xml)
E92.2016.Silverado.OS-12670743.3GCUKREH4GG221234_2022.05.09_07-55.AM.bin (e92 (v 1))

Segments:
Boot Block PN: 12656994, Ver: AB, Nr: 99 [0000 - FFF7], Size: FFF8
OS PN: 12670743, Ver: AA, Nr: 1 [C0000 - FFFFF, 100000 - 3FFFFF], Size: 340000
System PN: 12666193, Ver: AG, Nr: 2 [40000 - 42FFF], Size: 3000
Fuel PN: 12665605, Ver: AF, Nr: 3 [43000 - 47FFF], Size: 5000
Speedo PN: 12666225, Ver: AE, Nr: 4 [48000 - 48FFF], Size: 1000
EngineDiag PN: 12673090, Ver: AB, Nr: 5 [49000 - 5FFFF], Size: 17000
Engine PN: 12666138, Ver: AF, Nr: 6 [60000 - BFFFF], Size: 60000
Checksums:
Boot Block Checksum 1: A013 [OK] Checksum 2: 1B9F [OK]
OS Checksum 1: 93D3 [OK] Checksum 2: DD7B [OK] [n/a]
System Checksum 1: 0520 [OK] Checksum 2: 0D9B [OK] [n/a]
Fuel Checksum 1: 814D [OK] Checksum 2: 1DBE [OK] [n/a]
Speedo Checksum 1: 91C8 [OK] Checksum 2: 0158 [OK] [n/a]
EngineDiag Checksum 1: C895 [OK] Checksum 2: F0CF [OK] [n/a]
ENG extra 1 Checksum 1: F53B583A [OK] Checksum 2: F4C7BE0E [OK]
ENG extra 2 Checksum 1: ED87469A [OK]
Engine Checksum 1: 82EA [OK] Checksum 2: 1DDE [OK] [n/a]
Seeking tables... (TableSeek-e92.xml) Done
PID search not implemented for this file type

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 1:49 am
by gmtech825
Here's an H VIN for you

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 2:35 am
by Gatecrasher
What are you guys using to pull these flash dumps?

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 2:36 am
by turbo_v6
Gatecrasher wrote: What are you guys using to pull these flash dumps?
I’m interested in this as well.

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 4:16 am
by Gatecrasher
Maybe I can help a little. I threw IronDuke's 16 Silverado into Ghidra. At a glance, the CAN and diagnostic stuff looks really similar to the chassis control module I took apart.

What's the end goal here?

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 4:50 am
by turbo_v6
If you are asking me, I don’t have a specific goal in mind at the moment. I mainly just wanted to start learning more about this platform and then when I have something that I would like to modify I would have a head start on getting familiar with it.

There are no open source ways to read/flash this platform that I’m aware of, but if that would happen then I imagine I could develop some modifications to the operating system to improve tuning or operation of the vehicle.

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 12:11 pm
by turbo_v6
Probably a stupid question, but I'd rather ask than take hours trying to figure it out. What processor should I select when opening with Ghidra?

Edit: I selected PowerPC, but I don't know if that's correct as nothing disassembled.

Re: E92 PCM Reverse Engineering

Posted: Tue Aug 30, 2022 12:31 pm
by Gatecrasher
It's definitely not stupid. It took me a while to figure it out on the chassis control module. It was only after I spent a lot of time looking at broken, gibberish code that I realized my processor model was wrong.

You want: PowerPC:BE:64:VLE-32addr (1.5)

It's listed in the selection dialog as PowerISA-VLE-64-32addr, but the other entry is what it'll end up saying in the "language" and "about" boxes.

Skip the auto analysis for the moment. Select the entire file (ctrl-A). Then right click and do 'set register values'. Set each of the following registers as shown. You have to click ok after each one, so you'll do this three times.

r13 = 40008000
r14 = 40018000
r15 = 40028000

This basically sets up some indirect memory references the code uses for data and function lookups.

Then do analysis > auto analyze. It'll take a few minutes.

If you want a hint to some easy code, go to 0x326284. It's the lookup table for the diagnostic modes. There's 4 bytes that describe a diag mode, and 4 bytes that are a pointer to the relevant subroutine.

So security access looks like this:

        003262f4 27              ??         27h    '
        003262f5 00              ??         00h
        003262f6 00              ??         00h                                              ?  ->  00000032
        003262f7 00              ??         00h
        003262f8 00 32 47 20     addr       Diag_Mode27_GMSecAccess
That table starts with mode 01 and ends with mode AE.

The DTC table is at 0x1D0820. It looks like there's 1077 possible DTCs. Though a lot of them will probably be disabled in the calibration tables.

This is all using the 2016 Silverado ROM IronDuke posted, BTW.
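
Added example, not part of the original post: a Python sketch that walks the 8-byte diagnostic mode table layout described above and sanity-checks each handler pointer against the OS segment ranges from the Universal Patcher output earlier in the thread. It assumes file offsets equal addresses in the flat .bin and that the first descriptor byte is the mode ID; the sample image is constructed, and only the mode 27 entry bytes come from the listing.

```python
import struct

TABLE_BASE = 0x326284          # start of the diag mode table (from the post)
LAST_MODE = 0xAE               # last mode in the table (from the post)
ENTRY = struct.Struct(">4sI")  # 4 descriptor bytes + big-endian handler pointer
# OS segment ranges as reported by Universal Patcher for this image
OS_RANGES = [(0x0C0000, 0x0FFFFF), (0x100000, 0x3FFFFF)]


def in_os_segment(addr):
    return any(lo <= addr <= hi for lo, hi in OS_RANGES)


def parse_diag_table(image, base=TABLE_BASE, max_entries=256):
    """Return [(entry_addr, mode, descriptor, handler)] up to and including LAST_MODE."""
    entries = []
    for i in range(max_entries):
        off = base + i * ENTRY.size
        if off + ENTRY.size > len(image):
            raise ValueError("table runs past end of image at 0x%X" % off)
        desc, handler = ENTRY.unpack_from(image, off)
        # A handler must be code in the OS segment; VLE code is 2-byte aligned.
        if not in_os_segment(handler) or handler % 2:
            raise ValueError("entry 0x%X: implausible handler 0x%08X" % (off, handler))
        entries.append((off, desc[0], desc, handler))
        if desc[0] == LAST_MODE:
            return entries
    raise ValueError("mode 0x%02X not reached; wrong base or layout?" % LAST_MODE)


def build_sample_image():
    """Constructed 4 MB image; only the mode 27 row matches bytes shown in the post."""
    image = bytearray(b"\xFF" * 0x400000)
    rows = [
        (bytes.fromhex("01000000"), 0x00320000),  # constructed handler address
        (bytes.fromhex("27000000"), 0x00324720),  # 27 00 00 00 / 00 32 47 20
        (bytes.fromhex("ae000000"), 0x00329000),  # constructed handler address
    ]
    for i, (desc, handler) in enumerate(rows):
        ENTRY.pack_into(image, TABLE_BASE + i * ENTRY.size, desc, handler)
    return bytes(image)


if __name__ == "__main__":
    for addr, mode, desc, handler in parse_diag_table(build_sample_image()):
        print("%08x  mode %02X  desc %s  -> handler %08x"
              % (addr, mode, desc.hex(), handler))
```

On a real dump, pass the file's bytes instead of the constructed image; an early `ValueError` usually means the wrong base address or a different OS version than the one discussed here.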