E92 PCM Reverse Engineering
Re: E92 PCM Reverse Engineering
Thanks!!!
For anyone else this is what it looks like in the dialog box.
All of that info is super helpful, so thanks again.
LS1 Boost OS Version 5 Available Here. For feature suggestions post in here Development Thread.
Re: E92 PCM Reverse Engineering
Gatecrasher wrote: It's definitely not stupid. It took me a while to figure it out on the chassis control module. It was only after I spent a lot of time looking at broken, gibberish code that I realized my processor model was wrong.
You want: PowerPC:BE:64:VLE-32addr (1.5)
It's listed in the selection dialog as PowerISA-VLE-64-32addr, but the other entry is what it'll end up saying in the "language" and "about" boxes.
Skip the auto analysis for the moment. Select the entire file (ctrl-A). Then right click and do 'set register values'. Set each of the following registers as shown. You have to click ok after each one, so you'll do this three times.
r13 = 40008000
r14 = 40018000
r15 = 40028000
This basically sets up some indirect memory references the code uses for data and function lookups.
Then do analysis > auto analyze. It'll take a few minutes.
If you want a hint to some easy code, go to 0x326284. It's the lookup table for the diagnostic modes. There's 4 bytes that describe a diag mode, and 4 bytes that are a pointer to the relevant subroutine.
That table starts with mode 01 and ends with mode AE. So security access looks like this:
Code:
003262f4 27           ??     27h    '
003262f5 00           ??     00h
003262f6 00           ??     00h    ? -> 00000032
003262f7 00           ??     00h
003262f8 00 32 47 20  addr   Diag_Mode27_GMSecAccess
The DTC table is at 0x1D0820. It looks like there's 1077 possible DTCs. Though a lot of them will probably be disabled in the calibration tables.
This is all using the 2016 Silverado ROM IronDuke posted, BTW.
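As an added example (not code from the thread or from any of its posters), this walks the diagnostic-mode table described above from a ROM image: 8-byte entries starting at 0x326284, a 4-byte mode descriptor whose first byte is the mode ID, then a 4-byte big-endian handler pointer, running from mode 01 to mode AE. It assumes the image is mapped at address 0 (so file offsets equal the addresses Ghidra shows) and builds a constructed sample image rather than using a real dump; the descriptor's remaining three bytes are passed through unparsed because the thread does not establish their meaning.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 8               # 4-byte mode descriptor + 4-byte big-endian handler pointer
DIAG_TABLE_OFFSET = 0x326284 # table start from the thread; image assumed mapped at 0
LAST_MODE = 0xAE             # the thread says the table runs from mode 01 to mode AE

@dataclass
class DiagEntry:
    offset: int        # file offset of the entry
    mode: int          # first descriptor byte, e.g. 0x27 for GM security access
    descriptor: bytes  # other three descriptor bytes (meaning not established in the thread)
    handler: int       # address of the subroutine that services the mode

def parse_diag_mode_table(rom, table_offset=DIAG_TABLE_OFFSET, last_mode=LAST_MODE, max_entries=256):
    """Walk the table up to and including the terminating mode, validating each handler."""
    entries = []
    for i in range(max_entries):
        off = table_offset + i * ENTRY_SIZE
        if off + ENTRY_SIZE > len(rom):
            raise ValueError("table runs past the end of the image")
        mode, desc, handler = struct.unpack_from(">B3sI", rom, off)
        # A handler must land inside the image, and VLE code is 16-bit granular, so an
        # odd pointer is impossible. Either failure means we have walked out of the table.
        if handler >= len(rom) or handler & 1:
            raise ValueError(f"entry {i} at {off:#x}: implausible handler {handler:#010x}")
        entries.append(DiagEntry(off, mode, desc, handler))
        if mode == last_mode:
            return entries
    raise ValueError(f"no mode {last_mode:#x} terminator within {max_entries} entries")

def handler_for(entries, mode):
    """Return the handler address for a diagnostic mode, or None if the table lacks it."""
    return next((e.handler for e in entries if e.mode == mode), None)

def build_sample_rom():
    """Constructed 4 MiB image holding a six-entry table (not a real E92 dump)."""
    rom = bytearray(0x400000)
    sample = [(0x01, 0x320100), (0x1A, 0x3210A0), (0x23, 0x322300),
              (0x27, 0x324720),  # same handler as the Diag_Mode27_GMSecAccess listing above
              (0x3B, 0x3253B0), (0xAE, 0x3267AE)]
    for i, (mode, handler) in enumerate(sample):
        struct.pack_into(">B3sI", rom, DIAG_TABLE_OFFSET + i * ENTRY_SIZE, mode, b"\0\0\0", handler)
    # Whatever follows the terminator is unrelated data; the parser must never read it.
    struct.pack_into(">II", rom, DIAG_TABLE_OFFSET + len(sample) * ENTRY_SIZE, 0xFFFFFFFF, 0xFFFFFFFF)
    return bytes(rom)

if __name__ == "__main__":
    for e in parse_diag_mode_table(build_sample_rom()):
        print(f"{e.offset:#08x}  mode {e.mode:02X}  handler {e.handler:#010x}")
```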
Ooooo! That's very useful! Should help with identifying and finding the erase/flash routines to use in a custom kernel! Since it needs to be able to do that when using commands like change VIN.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

- Gatecrasher
- Posts: 353
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
The R13-15 stuff only happens after the main OS boots, so it may not be that useful in a reflash environment.
I've already got the 1A, 3B and AE stuff identified. I'm trying to map out everything related to VIN and PIN changes, but I'm not quite clear on how it copies the emulated EEPROM blocks into RAM yet.
My goal is to figure out the security environment so I can get it integrated on a bench with a BCM and working proximity keys. I want to figure out what it takes to make these parts fully reusable.
It'd be very helpful if I had something I could use to dump my bench E92, and maybe even the one in my car.
I really need a dump of a 2014+ BCM too.
As far as Bubba wanting to enable some open source tuning for these, I'm all for it. I do worry about the number of hardware and software revisions that exist though.
Re: E92 PCM Reverse Engineering
Ok, it looks like 0x3222D8 could be the PID function table with the ID's starting at 0x3219FC and the bytes returned starting at 0x32348C.
Also, what should be entered to create the RAM memory block?
- Gatecrasher
Re: E92 PCM Reverse Engineering
I think you're right on with the PID tables.
For the RAM, go to Window > Memory Map. Create two segments. Standby SRAM and Primary SRAM. Standby is 0x40000000 with length 0x8000 and Primary is 0x40008000 with length 0x38000. The standby SRAM looks like where all the EEPROM type values are kept.
I also create segments for various function registers like the FlexCAN interfaces, and I break up the main flash section by calibration segments.
Re: E92 PCM Reverse Engineering
Thanks again, you are killing it with all the help.
How about data types? Do we think it's using floating point? I'm only familiar with the scaled integers that the P01/P59 used.
Also, it would be good to find out how to log memory locations if that's possible. I know Mode 34 can be used in the P01/P59, but it would be good to confirm the same for this PCM. Or if not maybe there is another way.
Re: E92 PCM Reverse Engineering
To read RAM or ROM, mode 23 can be used, but I still haven't figured out the correct format of the command.
- Gatecrasher
Re: E92 PCM Reverse Engineering
The chassis module used FP values in the calibration tables. I'd assume the same is true here. Probably more so.
At a glance, it looks like Mode 34 doesn't do anything but set a single memory value. I'd guess that signals the ECU to reboot into bootloader mode and/or wait for a reflash kernel to be transferred to memory. That's kind of a bummer since I was able to use it on my H3 BCM to dump the RAM copy of the EEPROM.
Mode 23 (read memory by address) should work for this. There's bound to be certain memory ranges that are protected, but it might be possible to work around those with security access.
The format for mode 23 is: 23 HH HM LM LL SH SL. 4 byte memory address, 2 byte size. You may need to fiddle with the size a bit to find out how many bytes you can get back with a single request. I haven't tried it on an ECM yet, but that's how it's worked on other modules I've messed with. Some older modules use 3 byte addressing, BTW.
Speaking of security access, it looks like there's no way to write the MEC on this thing once it hits zero. At least not with a normal 3B write. The same looks to be true of the VIN.
Since this thing uses flash to emulate EEPROM, wouldn't it be possible to write any and all of these values with a modified bin file? Or does the bootloader block writes to those regions?
- Gatecrasher
Re: E92 PCM Reverse Engineering
I have no idea if this will be helpful, but I figured I'd pass it along anyway.
If you go here and download the GM ECU wiring diagrams, it has a page with bootpin recovery for the E92.
http://ioterminal.com/?page_id=148
I don't really know what it does, but maybe it'll be good for brick recovery or something. It's gotta have some value if it's worth cutting into the ECU over. Kinda makes me wonder if those pins are available on the external connectors. Might be an interesting side project for one of you guys that have cut one apart.
Re: E92 PCM Reverse Engineering
Gatecrasher wrote: I have no idea if this will be helpful, but I figured I'd pass it along anyway.
If you go here and download the GM ECU wiring diagrams, it has a page with bootpin recovery for the E92.
http://ioterminal.com/?page_id=148
I don't really know what it does, but maybe it'll be good for brick recovery or something. It's gotta have some value if it's worth cutting into the ECU over. Kinda makes me wonder if those pins are available on the external connectors. Might be an interesting side project for one of you guys that have cut one apart.

Download requires a login.