E92 PCM Reverse Engineering

[kur4o]

AFter some good break, figured the code that is needed

Code: Select all

89 5F 00 05 lbz       r10, 5(r31) 
55 4A 40 2E slwi      r10, r10, 8 

89 7F 00 06 lbz       r11, 6(r31)
7D 4A 5A 14 add       r10, r10, r11


55 4A 40 2E slwi      r10, r10, 8 

89 7F 00 07 lbz       r11, 7(r31)
7D 4A 5A 14 add       r10, r10, r11
55 4A 40 2E slwi      r10, r10, 8 

89 7F 00 08 lbz       r11, 8(r31)
7D 4A 5A 14 add       r10, r10, r11

This one seems to work perfectly.

Anyone wondering what it is. I patched some e92 read routine to accept 4 bytes addressing, so RAM can be read and also to comply with iso15765 standard, for easier use.

[kojab]

There are some very cleaver people on this forum.

[MudDuck514]

There are some very cleaver people on this forum.

MUCH smarter than I am!

Mike

[bubba2533]

Ok, so my OBDX Pro GT cable came in today and It makes me realize I should have never tried to use that Tactrix Openport.

I'm getting better results now that I'm able to create scripts and get the expected response.

I rewrote my last working kernel (Kernel Test 10) to have the correct response count for each message.

There was one error with the OBDX Pro unit that it didn't connect with the second protocol to be able to see if the ECU was sending out chatter or not. It's not a huge deal because I just sent a Mode 28 message to confirm that the Kernel was looping so there was no response. And then a couple minutes later I sent the same message after doing a key cycle and it was back to responding.

Kernel Test 10 Updated.JPG (148.71 KiB) Viewed 1640 times

Kernel Test 10 - Updated.txt

(709 Bytes) Downloaded 77 times

Now it's time to get back to working on a read Kernel.

[kur4o]

I am not sure how you set up the upload code, but recently found how it works.

When you send mode 36 80, at 40008000 for example, the code should start at 40008004 and the first 4 bytes should be a pointer to code location

Example, YOu upload and execute data at 40008000. It should start with

400080004

Code: Select all

I hope you got What I mean. You can`t just run uploaded code, it needs pointer, pcm loads the pointer and jump to code when it sees 36 80 is sent.

I see you are using pretty outdated version of program, some recent bugs have been fixed[some added] and new features added to j-console.

You can always open second instance of the program and use tactrix for raw monitoring. I wonder why it can`t turn loop off. ON the web there is info it havesome pretty bad bug echoing longer message too long, and they found a cure for it. Maybe contact them to see how they do it.

Too bad echoed data have no flags to it, and filtering is too much work.

Edit:on testing 2 protocols with GT did you check the "use protocol 1" checkbox. It needs to be checked

[Tazzi]

There was one error with the OBDX Pro unit that it didn't connect with the second protocol to be able to see if the ECU was sending out chatter or not. It's not a huge deal because I just sent a Mode 28 message to confirm that the Kernel was looping so there was no response. And then a couple minutes later I sent the same message after doing a key cycle and it was back to responding.

Technically the OBDX Pro can only open 1 protocol at a time.

[bubba2533]

I am not sure how you set up the upload code, but recently found how it works.

When you send mode 36 80, at 40008000 for example, the code should start at 40008004 and the first 4 bytes should be a pointer to code location

Example, YOu upload and execute data at 40008000. It should start with

400080004

Code: Select all

I hope you got What I mean. You can`t just run uploaded code, it needs pointer, pcm loads the pointer and jump to code when it sees 36 80 is sent.[/quote]

It works just fine without a pointer as the entry point to the Kernel.


[quote="kur4o"]
I see you are using pretty outdated version of program, some recent bugs have been fixed[some added] and new features added to j-console.[/quote]
Ok, I'll download the latest thanks!

[quote="kur4o"]
You can always open second instance of the program and use tactrix for raw monitoring. I wonder why it can`t turn loop off. ON the web there is info it havesome pretty bad bug echoing longer message too long, and they found a cure for it. Maybe contact them to see how they do it.

Too bad echoed data have no flags to it, and filtering is too much work.
[/quote]
At this point I'm just going to use the OBDX Pro, but when I have time I'll try to reach out.

[quote="kur4o"]
Edit:on testing 2 protocols with GT did you check the "use protocol 1" checkbox. It needs to be checked[/quote]
Yeah, I tried that as well and got an error.

[quote="Tazzi"]
Technically the OBDX Pro can only open 1 protocol at a time.  :thumbup:[/quote]

No big deal. Any specific reason for that?

[Tazzi]

No big deal. Any specific reason for that?

The OBDX Pro only has 1 CAN chip, plus a relay that allows switching to GMLAN.

Newer models that we are working on will have 2 or 3 CAN chips that will be able to run at the same time as the chipset will have up to 3 dedicated CAN channels to run.

I also found that there has been no J2534 software out there which connects to more then 1 protocol at a time so far. Its likely only engineering tools that would need to realistically

[bubba2533]

I'm guessing it would be possible to disconnect from the ISO 15765 and reconnect via generic CAN?

I would think it's possible, but I'm not able to get it to connect.

CAN_Connect_Error.JPG (112.29 KiB) Viewed 1480 times

[bubba2533]

I'm also getting an error now using the Tactrix tool.

Code: Select all

Loading J2534 settings from file: C:\Users\brand\Desktop\UniversalPatcher-Full\Logger\J2534Profiles\CAN_raw_logALL_6&14_500k.xml
[OK]
Loading combined J2534 settings from file: C:\Users\brand\Desktop\iso15765+can over iso_logall.xmlx
[OK]
[OK]
J2534 client initializing...
Initializing J2534 Device
J2534 client: Device initialization complete.
Connected to the device, ID: 1
Battery Voltage is: 12.417
Versions: Firmware: 1.16.4769, DLL: 1.02.4798 Jun 13 2016 17:16:24, Api: 04.04
Connected protocol: ISO15765 Speed: ISO15765
Adding filters
Type:FLOW_CONTROL_FILTER
Mask:FFFFFFFF,RxStatus:NONE,TxFlags:NONE
Pattern:000007E8,RxStatus:NONE,TxFlags:NONE
FlowControl:000007E0,RxStatus:NONE,TxFlags:NONE

Type:FLOW_CONTROL_FILTER
Mask:FFFFFFFF,RxStatus:NONE,TxFlags:NONE
Pattern:000007E0,RxStatus:NONE,TxFlags:NONE
FlowControl:000007E8,RxStatus:NONE,TxFlags:NONE

Added filter, ID: 0
Added filter, ID: 1
Device initialization complete.
Setting: CAN_MIXED_FORMAT = 1
Error setting config: ERR_NOT_SUPPORTED
Adding filters
Type:PASS_FILTER,Name:23-02-07-10-47-59
Mask:00,RxStatus:NONE,TxFlags:NONE
Pattern:00,RxStatus:NONE,TxFlags:NONE


Added filter, ID: 2
Secondary protocol connected: CAN, ChannelID: 4
Error, j2534Server line 86: String reference not set to an instance of a String.
Parameter name: s