E38 ETC/Slave - Deeper Dive

[MPC001]

Here is a collection of slave bins by ID. I'm not sure what is what and it covers most platforms. If you have the cal id you want check in here and see how you go.

Most impressive collection of slave bins I have ever seen. Thankyou for sharing Sir.

[hjtrbo]

Attached is the BDM extracted image 0x0000 to 0x7FFF as read with OS starting at the top at 0x0000 etc.

Operating System: 0x0000 to 0x67FF
Calibration Segment: 0x6800 to 0x6DFF
Non Volatile Mem 1: 0x6E00 to 0x6FFF
Non Volatile Mem 2: 0x7000 to 0x71FF
Boot block: 0x7200 to 0x7FFF
(Boot block runs backwards from 0x7FFF)
(starting at the pre seg ID jump (?) table.)

The OS is an earlier 12617980 vs the later header posted above 12625892. OS Header memmap is the same for both so it looks like the BDM read is offset 0x8000 / 32k into the device flash map (etc?). The ULink config XML now that I check it points to the read starting at 0x8000. Silly me should have checked earlier.

Though I gotta confess my head is not fully around the possibilities of the boot block starting where it does yet LoL. Maybe an M68k guru has an idea? HCS12 spec sheet shows 32k, 64k, 128k flash versions, and this is likely to be some specific automotive spec version.

Great info, then I imagine in ghidra we need to create a dummy block of length of 0x8000. The bin will start after that. Addressing is indirect btw with x, y & sp registers. Not easy.

[hjtrbo]

Seems happy

Screenshot 2025-05-30 200721.png (43.72 KiB) Viewed 491 times

[antus]

Motorola usually has a vector table at the top of the bottom of the flash. the 68k we are familiar with its at the bottom (at 0), works with vectors. I think its first is stack, second is entry point, and later ones align with interrupts which have an amount of code behind them too. The HC11 which is the processor in the 80's and 90's ecms and pcms this sit started on, have the vector table at the top. They're 16 bit, and the last 2 bytes have the address of the entry point. HC12 or HCS12 at the top will be similar. It will be a standard format and the datasheets should describe what address have what vectors. Because these are small cpus and HC12 is the logical continuation of the HC11 I'd expect a 16 bit or 32 bit address in the top bytes of the bin that point to the entry point. EG what you are seeing there, reset vector at the top, 16 bits.

[MPC001]

Clarifying FYI: E38 has MC9S12 variant of HCS12 - mask ID 1M34C points to MC9S12C32 - 32k flash.

Mem for flash start confirms as 0x8000 to 0xFFFF. 2K RAM at 0x3800-0x4000. Vector table as Antus noted top of the bottom - 0xFF00-0xFFFF

MC9S12-HCS12-32kFL-1M34C.PNG (93.11 KiB) Viewed 397 times

MC9S12C32MEMMAP2.PNG (54.41 KiB) Viewed 397 times

Credits to Anon for the E38 MC9S12c32 pic, NXP doc for 32K mem map.

[antus]

When you say top of the bottom, that sounds a bit confusing, but I get it from the screen shot. The standard is 0 is the bottom, highest address is the top. When you are looking at intel flash chips they have top and bottom variants as well, and also use 0 for bottom, highest address is top. So that picture shows it the other way but the vector table is technically at the top.

[MPC001]

When you say top of the bottom, that sounds a bit confusing, but I get it from the screen shot. The standard is 0 is the bottom, highest address is the top. When you are looking at intel flash chips they have top and bottom variants as well, and also use 0 for bottom, highest address is top. So that picture shows it the other way but the vector table is technically at the top.

Thank you Antus for clarifying. Yes it's a bit confusing when compared to the main E38 flash which runs from the boot block and vector table at 0x00000 at the "top" with NVM, then OS then cals in sequence towards the "bottom" (numerically the top) . Just gotta wrap one's head around it all.