PCMTec Development Blog

[rolls]

Update 8/11/2017

And we are live!

The website is https://www.pcmtec.com/

Once you have registered and confirmed your account you can download the demo from here https://www.pcmtec.com/demo
You must be logged in for the link to work. There are two demo files included in the zip that you can edit and view.

When you open the application please enter your registration details you signed up with from here: https://www.pcmtec.com/customer/info

Please visit our forums for all future updates regarding PCMTEC
https://forum.pcmtec.com





Old post below if you are curious to read our prior development history:

Software to edit and flash Fords utilizing spanish and black oak PCMs private alpha has been released. Beta map tracing/editing software in the works.

Software can read write Ford Falcon/Territory BA/BF/FG PCMS (Black Oak, Spanish Oak and Green Oak) using an OpenPort 2.0, J2534 cable. the program is being ALPHA tested at the moment by a few workshops.

Update 30/5/17
PCMTec is now an established company!

Update 25/1/17
Update:
We are getting closer. Server side code as far as the alpha release requires is basically complete. The editor software now logs in at startup, or if no internet uses cached login. Has licensed templates that are downloaded from the server. Also a global description database that the UI loads from is downloaded and updated.

I have implemented Sentry for all error logging. Eg any crashes etc it will log all user data (eg what buttons you pressed in what order), the crash location, call stack, user logs, what template you are using etc and send it all off automatically. If no internet it caches locally and sends later. I forked RavenSentry and modified it to allow this, link here if anyone is interested. Fantastic product and it is free for 1 user which is great for testing.
https://github.com/rolandh/raven-csharp

I've made an azure website and web api (what the editor connects to). This took me just over a month to do with zero website/azure or web api experience, so I learnt a lot doing this. Very fun project. I started off by writing a complete standalone webapi as a proof of concept so I understood all the password/username exchange and how to properly implement security and password hashing, once I understood it I binned that and went to aspnet/azure which does most of it for you.

User defined XML templates so you can make your own addresses up and see what's in them are complete.

Things still needed before we can go to a public BETA release:
Finish flash read/write UI screens (roughly 80% complete)
Add licensing UI screen to allow you to see what licenses you have available and purchase more.
Content UI screen which shows detailed descriptions regarding parameters.
Lots of binary verification testing. Eg change all parameters -> change them back. Verify everything is unchanged. Need to unit test lots of things like this to ensure no corruption or ability to brick your tune.
Complete description database for templates along with automated template address and unknown parameter generation. (Darryl is working hard on this)
Need a logo.
Website needs content and to be finished.
General UI tweaks

After the BETA:
User submissions for descriptions and parameter definitions. Eg submitting an unknown parameter with what you think it is. Most likely will use Sentry to track these.
Tune comparison and copy paste.
3D editor for maps (devexpress has a very nice one, just need to implement it)
Datalogging/Scanner capabilities
Map tracing
More stuff I forgot...

Future:
Live Tuning
Android mobile phone app that can connect to the OpenPort to allow in car flashing/datalogging similar to how the SCT handheld and NGauge work except without the need for additional hardware.

Screenshot of the login screen etc.



#Update 31-5-17




#Update 7-2-17 added flashing UI

[/quote]

AxisView


Software can sniff ISO15765 comms and display in human readable strings. Will show interesting information like the Ford specific UDS packets and also allows basic DMR logging primarily for testing, not designed to be used to datalog.





Original post:
So thought I would start a thread on my progress for developing a J2534 based Ford tuning platform.

Here is my latest update from Ford Forums:

Ok so I managed to get the level 1 security access (required for flashing) working.

Pull Pin 13 high (used 20v laptop power supply)
Power cycle ignition off
Wait a few seconds
Power cycle ignition on

...set CAN baud rate etc

Enter security level 1
00 00 07 E0 27 01

Possible responses:
If you have not applied power to pin 13 you will get: 7F 27 11
If you have applied power to pin 13 but not power cycled you will get 7F 27 12

If everything was ok you will get 67 which means successfully requested level 1
00 00 07 E8 67 01 XX XX XX

Generate seed response with level 1 security key
0xYY YY YY = GenerateSeed(level1_security_key, XX XX XX)

Send response
00 00 07 E0 27 02 YY YY YY

If you generated the response correctly you will get:
00 00 07 E8 67 02

You have now successfully unlocked the controller.

Send the following to initiate a read from memory request
00 00 07 E0 23 00 00 00 00 08 00

This is where it fails with my VCI mini crashing and causing an access violation or timeout regardless of the baud rate, timeout or how long I wait before polling the device. The cables requires a full power reset at this point.

I'm ordering an OpenPort 2.0 and will see how I go with that, the bonus is it has full 0-20V support for all vendor pins.

edit: OpenPort 2.0 is a success and can read the flash!

Heh.. beg to differ on the motorola thingy..

Look at this: http://www.nxp.com/files/microcontrolle ... leExt=.pdf

The actual spec sheet of the CPU (for a BA falcon Visteon PCM).. and the copyright is... (drumroll please) "Copyright 2001 MOTOROLA; All Rights Reserved" It also has a big "digital DNA from Motorola" logo thingy. rights got sold to freescale who eventually sold to nxp.
From memory the size of the flash on a BA is 1476.

There you go, I had no idea motorola had anything to do with PowerPC. End of the day they use the PowerPC instruction set which is what I was getting at and hence IDAPro can view the assembler quite easily. Heres some screens of my binary which appear the same in the black oak (BA) and spanish oak

stick it up on dropbox or similar.

those developing code, I've recently (last year) come to start using github for sharing code, great way to share an open source project, for those that want their stuff open.

I'm putting most of my stuff on my dropbox atm, won't put the tuning software up until it is complete though.
https://github.com/rolandh/J2534DotNet

here is a screenshot of my proof of concept I've developed
WinForms editor POC

WPF docking manager layout POC


Editor software - work in progress

[vlad01]

Isn't powerPC what old apple computers used? since they were motorola processors?

[antus]

Sort of, Apple/IBM/Motorola alliance.

https://en.wikipedia.org/wiki/PowerPC

Apple and Motorola involvement
IBM approached Apple with the goal of collaborating on the development of a family of single-chip microprocessors based on the POWER architecture. Soon after, Apple, being one of Motorola's largest customers of desktop-class microprocessors,[1] asked Motorola to join the discussions due to their long relationship, its more extensive experience with manufacturing high-volume microprocessors than IBM, and to form a second source for the microprocessors. This three-way collaboration became known as AIM alliance, for Apple, IBM, Motorola.

Numerically, the PowerPC is mostly found in controllers in cars. For the automotive market, Freescale Semiconductor initially offered many variations called the MPC5xx family such as the MPC555, built on a variation of the 601 core called the 8xx and designed in Israel by MSIL (Motorola Silicon Israel Limited). The 601 core is single issue, meaning it can only issue one instruction in a clock cycle. To this they add various bits of custom hardware, to allow for I/O on the one chip. In 2004, the next-generation four-digit 55xx devices were launched for the automotive market. These use the newer e200 series of PowerPC cores.

[antus]

The GM E38s also use PPC. Rolls, you might be interested in the tail end of this thread for comparison. https://pcmhacking.net/forums/viewt ... =13&t=3833

Top work on the development so far!

[vlad01]

Ah yeah I know of AIM, thats what most mobiles devices processors are built on.

[antus]

Nope, thats ARM. Who incidentally have just been bought by a Japanese company called softbank for 24 billion pounds (UK firm). But lets keep the thread on topic.

[Tazzi]

The GM E38s also use PPC. Rolls, you might be interested in the tail end of this thread for comparison. https://pcmhacking.net/forums/viewt ... =13&t=3833

Top work on the development so far!

Was literally what I was going to link to when I saw PPC!

[rolls]

Interesting stuff. Here is the checksum method I've developed for the spanish oak PCM. It appears ford use 3 seperate checksums for 3 different areas. Attached the relevant code:

Code: Select all

        public bool ValidateChecksums()
        {
            bool check1 = ValidateChecksum(pcmDefinition.CheckSum1Address, pcmDefinition._CheckSum1AreaAddress);
            bool check2 = ValidateChecksum(pcmDefinition.CheckSum2Address, pcmDefinition._CheckSum2AreaAddress);
            bool check3 = ValidateChecksum(pcmDefinition.CheckSum3Address, pcmDefinition._CheckSum3AreaAddress);
            return (check1 && check2 && check3);
        }

        public bool UpdateChecksums()
        {
            uint calculatedChecksum1 = CalculateChecksum(pcmDefinition.CheckSum1AreaAddress);
            uint calculatedChecksum2 = CalculateChecksum(pcmDefinition.CheckSum2AreaAddress);
            uint calculatedChecksum3 = CalculateChecksum(pcmDefinition.CheckSum3AreaAddress);
            BinaryHelper.WriteBigEndianUInt32(pcmDefinition.CheckSum1Address, calculatedChecksum1, this.rawBinary);
            BinaryHelper.WriteBigEndianUInt32(pcmDefinition.CheckSum2Address, calculatedChecksum2, this.rawBinary);
            BinaryHelper.WriteBigEndianUInt32(pcmDefinition.CheckSum3Address, calculatedChecksum3, this.rawBinary);

            //Revalidate checksums for good measure
            return ValidateChecksums();
        }
        

        public bool ValidateChecksum(uint CheckSumAddress, uint CheckSumAreaAddress)
        {
            uint checksum = BinaryHelper.GetBigEndianUInt32(CheckSumAddress, this.rawBinary);
            uint calculatedChecksum = CalculateChecksum(CheckSumAreaAddress);
            return (calculatedChecksum == checksum);
        }
		
        uint CalculateChecksum(uint CheckSumAreaAddress)
        {
            uint checksumEndAddress = BinaryHelper.GetBigEndianUInt32(CheckSumAreaAddress, this.rawBinary);
            uint checksumStartAddress = BinaryHelper.GetBigEndianUInt32(CheckSumAreaAddress + 4, this.rawBinary);

            if (rawBinary == null) return 0;
            if (checksumStartAddress > rawBinary.Length) return 0;
            if (checksumEndAddress > rawBinary.Length) return 0;

            long checkSum = 0;
            uint length = checksumEndAddress - checksumStartAddress + 1;
            int uintsToCheckSum = (int)(length / 4u);  //Number of uints to checksum
            uint i;
            for (i = 0; i < uintsToCheckSum; i++)
            {
                //Get 4 bytes at this address and sum them
                uint address = (uint)(checksumStartAddress + i * 4u);
                if (address + 3 > rawBinary.Length) return 0;
                checkSum += (long)BinaryHelper.GetBigEndianUInt32(address, rawBinary);
            }

            //if (length is not divisible by 4 then get the remaining bytes
            if (length % 4u != 0u)
            {
                uint address = (uint)(checksumStartAddress + i * 4u);
                uint data = BinaryHelper.GetBigEndianUInt32(address, rawBinary) >> (int)((4u - checksumEndAddress % 4u) * 8u);
                checkSum += data;
            }

            return (uint)checkSum;
        }
		
		public static class BinaryHelper{
			
			public static uint GetBigEndianUInt32(uint address, byte[] bytes)
			{
				uint byte1 = (uint)bytes[(int)address] << 24;
				uint byte2 = (uint)bytes[(int)address + 1] << 16;
				uint byte3 = (uint)bytes[(int)address + 2] << 8;
				uint byte4 = (uint)bytes[(int)address + 3];
				return (byte1 + byte2 + byte3 + byte4);
			}
			
			public static bool WriteBigEndianUInt32(uint address, uint value, byte[] rawBinary)
			{
				if (rawBinary == null) return false;
				if (address + 4 > rawBinary.Length) return false;
				byte byte1 = (byte)(value >> 24);
				byte byte2 = (byte)(value >> 16);
				byte byte3 = (byte)(value >> 8);
				byte byte4 = (byte)(value);
				rawBinary[address] = byte1;
				rawBinary[address + 1] = byte2;
				rawBinary[address + 2] = byte3;
				rawBinary[address + 3] = byte4;
				return true;
			}
		}

[rolls]

Also found the Seed/Response key routine in the assembler in my PCM Binary. You can see the "mucked value" 0xC541A9 being loaded in and you can also see the level 1 security secret key which oddly has a different first byte.

Code: Select all

ROM:0000C094 sub_C094:                               # CODE XREF: sub_9444+A8p
ROM:0000C094                                         # sub_C050+2Cp
ROM:0000C094
ROM:0000C094 .set var_1C, -0x1C
ROM:0000C094 .set var_18, -0x18
ROM:0000C094 .set var_14, -0x14
ROM:0000C094 .set var_10, -0x10
ROM:0000C094 .set var_C, -0xC
ROM:0000C094 .set var_8, -8
ROM:0000C094 .set var_4, -4
ROM:0000C094 .set arg_4,  4
ROM:0000C094
ROM:0000C094                 mflr      r0
ROM:0000C098                 stw       r0, arg_4(r1)
ROM:0000C09C                 stwu      r1, -0x28(r1)
ROM:0000C0A0                 andi.     r3, r3, 0xFF
ROM:0000C0A4                 andi.     r4, r4, 0xFF
ROM:0000C0A8                 andi.     r5, r5, 0xFF
ROM:0000C0AC                 li        r0, 0
ROM:0000C0B0                 stw       r0, 0x28+var_18(r1)
ROM:0000C0B4                 stb       r5, 0x28+var_18+1(r1)
ROM:0000C0B8                 stb       r4, 0x28+var_18+2(r1)
ROM:0000C0BC                 stb       r3, 0x28+var_18+3(r1)
ROM:0000C0C0                 stw       r0, 0x28+var_1C(r1)
ROM:0000C0C4                 stw       r0, 0x28+var_4(r1)
ROM:0000C0C8                 stw       r0, 0x28+var_8(r1)

ROM:0000C0CC                 lis       r0, 0xC5 # 0xC541A9 # '+'
ROM:0000C0D0                 ori       r0, r0, 0x41A9 # 0xC541A9

ROM:0000C0D4                 stw       r0, 0x28+var_14(r1)
ROM:0000C0D8                 li        r0, 8
ROM:0000C0DC                 stb       r0, 0x28+var_18(r1)

//Secret key = 0x08 30 61 A4 C5

ROM:0000C0E0                 li        r0, 0xC5 # '+'
ROM:0000C0E4                 stb       r0, 0x28+var_1C(r1)
ROM:0000C0E8                 li        r0, 0xA4 # 'ñ'
ROM:0000C0EC                 stb       r0, 0x28+var_1C+1(r1)
ROM:0000C0F0                 li        r0, 0x61 # 'a'
ROM:0000C0F4                 stb       r0, 0x28+var_1C+2(r1)
ROM:0000C0F8                 li        r0, 0x30 # '0'
ROM:0000C0FC                 stb       r0, 0x28+var_1C+3(r1)
ROM:0000C100                 li        r6, 0
ROM:0000C104                 b         loc_C210
ROM:0000C108 # ---------------------------------------------------------------------------
ROM:0000C108
ROM:0000C108 loc_C108:                               # CODE XREF: sub_C094+180j
ROM:0000C108                 cmpwi     r6, 0x1F
ROM:0000C10C                 bgt       loc_C120
ROM:0000C110                 lwz       r10, 0x28+var_18(r1)
ROM:0000C114                 srw       r11, r10, r6
ROM:0000C118                 stw       r11, 0x28+var_8(r1)
ROM:0000C11C                 b         loc_C130
ROM:0000C120 # ---------------------------------------------------------------------------
ROM:0000C120
ROM:0000C120 loc_C120:                               # CODE XREF: sub_C094+78j
ROM:0000C120                 lwz       r7, 0x28+var_1C(r1)
ROM:0000C124                 addi      r9, r6, -0x20
ROM:0000C128                 srw       r8, r7, r9
ROM:0000C12C                 stw       r8, 0x28+var_8(r1)
ROM:0000C130
ROM:0000C130 loc_C130:                               # CODE XREF: sub_C094+88j
ROM:0000C130                 lwz       r10, 0x28+var_14(r1)
ROM:0000C134                 lbz       r7, 0x28+var_14+3(r1)
ROM:0000C138                 srwi      r11, r10, 1
ROM:0000C13C                 lis       r8, 0x7F # 0x7FFFFF # ''
ROM:0000C140                 ori       r8, r8, 0xFFFF # 0x7FFFFF
ROM:0000C144                 and       r9, r8, r11
ROM:0000C148                 lbz       r11, 0x28+var_8+3(r1)
ROM:0000C14C                 clrlwi    r7, r7, 31
ROM:0000C150                 clrlwi    r11, r11, 31
ROM:0000C154                 stw       r9, 0x28+var_10(r1)
ROM:0000C158                 lbz       r9, 0x28+var_10+1(r1)
ROM:0000C15C                 xor       r10, r7, r11
ROM:0000C160                 insrwi    r9, r10, 1,24
ROM:0000C164                 stb       r9, 0x28+var_10+1(r1)
ROM:0000C168                 lwz       r8, 0x28+var_10(r1)
ROM:0000C16C                 lis       r7, 0xFF # 0xFFFFFF
ROM:0000C170                 ori       r7, r7, 0xFFFF # 0xFFFFFF
ROM:0000C174                 and       r8, r7, r8
ROM:0000C178                 stw       r8, 0x28+var_C(r1)
ROM:0000C17C                 andi.     r5, r9, 0xFF
ROM:0000C180                 andi.     r11, r9, 0xFF
ROM:0000C184                 lbz       r8, 0x28+var_10+2(r1)
ROM:0000C188                 extrwi    r5, r5, 1,24
ROM:0000C18C                 extrwi    r8, r8, 1,24
ROM:0000C190                 extrwi    r11, r11, 1,27
ROM:0000C194                 xor       r10, r5, r11
ROM:0000C198                 lbz       r11, 0x28+var_C+2(r1)
ROM:0000C19C                 xor       r7, r5, r8
ROM:0000C1A0                 insrwi    r11, r7, 1,24
ROM:0000C1A4                 andi.     r8, r11, 0xFF
ROM:0000C1A8                 lbz       r9, 0x28+var_C+1(r1)
ROM:0000C1AC                 lbz       r7, 0x28+var_10+3(r1)
ROM:0000C1B0                 insrwi    r9, r10, 1,27
ROM:0000C1B4                 lbz       r10, 0x28+var_10+2(r1)
ROM:0000C1B8                 stb       r9, 0x28+var_C+1(r1)
ROM:0000C1BC                 extrwi    r10, r10, 1,27
ROM:0000C1C0                 xor       r9, r5, r10
ROM:0000C1C4                 insrwi    r8, r9, 1,27
ROM:0000C1C8                 lbz       r9, 0x28+var_10+3(r1)
ROM:0000C1CC                 extrwi    r7, r7, 1,26
ROM:0000C1D0                 lbz       r10, 0x28+var_C+3(r1)
ROM:0000C1D4                 xor       r11, r5, r7
ROM:0000C1D8                 insrwi    r10, r11, 1,26
ROM:0000C1DC                 andi.     r7, r10, 0xFF
ROM:0000C1E0                 stb       r8, 0x28+var_C+2(r1)
ROM:0000C1E4                 extrwi    r9, r9, 1,28
ROM:0000C1E8                 xor       r8, r5, r9
ROM:0000C1EC                 insrwi    r7, r8, 1,28
ROM:0000C1F0                 stb       r7, 0x28+var_C+3(r1)
ROM:0000C1F4                 lwz       r11, 0x28+var_C(r1)
ROM:0000C1F8                 lis       r10, 0xFF # 0xFFFFFF
ROM:0000C1FC                 ori       r10, r10, 0xFFFF # 0xFFFFFF
ROM:0000C200                 and       r11, r10, r11
ROM:0000C204                 stw       r11, 0x28+var_14(r1)
ROM:0000C208                 addi      r6, r6, 1
ROM:0000C20C                 andi.     r6, r6, 0xFF
ROM:0000C210
ROM:0000C210 loc_C210:                               # CODE XREF: sub_C094+70j
ROM:0000C210                 cmpwi     r6, 0x40
ROM:0000C214                 blt       loc_C108
ROM:0000C218                 lbz       r9, 0x28+var_C+3(r1)
ROM:0000C21C                 lbz       r8, 0x28+var_4+3(r1)
ROM:0000C220                 extrwi    r9, r9, 1,27
ROM:0000C224                 insrwi    r8, r9, 1,31
ROM:0000C228                 andi.     r11, r8, 0xFF
ROM:0000C22C                 lbz       r7, 0x28+var_C+3(r1)
ROM:0000C230                 lbz       r10, 0x28+var_C+3(r1)
ROM:0000C234                 extrwi    r7, r7, 1,26
ROM:0000C238                 insrwi    r11, r7, 1,30
ROM:0000C23C                 andi.     r9, r11, 0xFF
ROM:0000C240                 extrwi    r10, r10, 1,25
ROM:0000C244                 insrwi    r9, r10, 1,29
ROM:0000C248                 lbz       r8, 0x28+var_C+3(r1)
ROM:0000C24C                 andi.     r7, r9, 0xFF
ROM:0000C250                 extrwi    r8, r8, 1,24
ROM:0000C254                 insrwi    r7, r8, 1,28
ROM:0000C258                 andi.     r10, r7, 0xFF
ROM:0000C25C                 lbz       r9, 0x28+var_C+2(r1)
ROM:0000C260                 lbz       r11, 0x28+var_C+2(r1)
ROM:0000C264                 extrwi    r9, r9, 1,30
ROM:0000C268                 clrlwi    r11, r11, 31
ROM:0000C26C                 insrwi    r10, r11, 1,27
ROM:0000C270                 andi.     r8, r10, 0xFF
ROM:0000C274                 insrwi    r8, r9, 1,26
ROM:0000C278                 andi.     r11, r8, 0xFF
ROM:0000C27C                 lbz       r7, 0x28+var_C+2(r1)
ROM:0000C280                 lbz       r10, 0x28+var_C+2(r1)
ROM:0000C284                 extrwi    r7, r7, 1,29
ROM:0000C288                 insrwi    r11, r7, 1,25
ROM:0000C28C                 andi.     r9, r11, 0xFF
ROM:0000C290                 extrwi    r10, r10, 1,28
ROM:0000C294                 insrwi    r9, r10, 1,24
ROM:0000C298                 lbz       r8, 0x28+var_C+1(r1)
ROM:0000C29C                 lbz       r7, 0x28+var_4+2(r1)
ROM:0000C2A0                 extrwi    r8, r8, 1,27
ROM:0000C2A4                 insrwi    r7, r8, 1,31
ROM:0000C2A8                 andi.     r10, r7, 0xFF
ROM:0000C2AC                 stb       r9, 0x28+var_4+3(r1)
ROM:0000C2B0                 lbz       r9, 0x28+var_C+1(r1)
ROM:0000C2B4                 lbz       r11, 0x28+var_C+1(r1)
ROM:0000C2B8                 extrwi    r9, r9, 1,25
ROM:0000C2BC                 extrwi    r11, r11, 1,26
ROM:0000C2C0                 insrwi    r10, r11, 1,30
ROM:0000C2C4                 andi.     r8, r10, 0xFF
ROM:0000C2C8                 insrwi    r8, r9, 1,29
ROM:0000C2CC                 andi.     r11, r8, 0xFF
ROM:0000C2D0                 lbz       r7, 0x28+var_C+1(r1)
ROM:0000C2D4                 lbz       r8, 0x28+var_C+2(r1)
ROM:0000C2D8                 extrwi    r7, r7, 1,24
ROM:0000C2DC                 insrwi    r11, r7, 1,28
ROM:0000C2E0                 andi.     r9, r11, 0xFF
ROM:0000C2E4                 lbz       r10, 0x28+var_C+2(r1)
ROM:0000C2E8                 extrwi    r8, r8, 1,26
ROM:0000C2EC                 extrwi    r10, r10, 1,27
ROM:0000C2F0                 insrwi    r9, r10, 1,27
ROM:0000C2F4                 andi.     r7, r9, 0xFF
ROM:0000C2F8                 insrwi    r7, r8, 1,26
ROM:0000C2FC                 andi.     r10, r7, 0xFF
ROM:0000C300                 lbz       r11, 0x28+var_C+2(r1)
ROM:0000C304                 lbz       r9, 0x28+var_C+2(r1)
ROM:0000C308                 extrwi    r11, r11, 1,25
ROM:0000C30C                 insrwi    r10, r11, 1,25
ROM:0000C310                 andi.     r8, r10, 0xFF
ROM:0000C314                 extrwi    r9, r9, 1,24
ROM:0000C318                 insrwi    r8, r9, 1,24
ROM:0000C31C                 lbz       r7, 0x28+var_C+1(r1)
ROM:0000C320                 lbz       r11, 0x28+var_4+1(r1)
ROM:0000C324                 clrlwi    r7, r7, 31
ROM:0000C328                 insrwi    r11, r7, 1,31
ROM:0000C32C                 andi.     r9, r11, 0xFF
ROM:0000C330                 stb       r8, 0x28+var_4+2(r1)
ROM:0000C334                 lbz       r8, 0x28+var_C+1(r1)
ROM:0000C338                 lbz       r10, 0x28+var_C+1(r1)
ROM:0000C33C                 extrwi    r8, r8, 1,29
ROM:0000C340                 extrwi    r10, r10, 1,30
ROM:0000C344                 insrwi    r9, r10, 1,30
ROM:0000C348                 andi.     r7, r9, 0xFF
ROM:0000C34C                 insrwi    r7, r8, 1,29
ROM:0000C350
ROM:0000C350 loc_C350:                               # DATA XREF: sub_829C+20o
ROM:0000C350                                         # sub_829C+24o
ROM:0000C350                 andi.     r10, r7, 0xFF
ROM:0000C354                 lbz       r11, 0x28+var_C+1(r1)
ROM:0000C358                 lbz       r7, 0x28+var_C+3(r1)
ROM:0000C35C                 extrwi    r11, r11, 1,28
ROM:0000C360                 insrwi    r10, r11, 1,28
ROM:0000C364                 andi.     r8, r10, 0xFF
ROM:0000C368                 lbz       r9, 0x28+var_C+3(r1)
ROM:0000C36C                 extrwi    r7, r7, 1,30
ROM:0000C370                 clrlwi    r9, r9, 31
ROM:0000C374                 insrwi    r8, r9, 1,27
ROM:0000C378                 andi.     r11, r8, 0xFF
ROM:0000C37C                 insrwi    r11, r7, 1,26
ROM:0000C380                 andi.     r9, r11, 0xFF
ROM:0000C384                 lbz       r8, 0x28+var_C+3(r1)
ROM:0000C388                 lbz       r10, 0x28+var_C+3(r1)
ROM:0000C38C                 extrwi    r8, r8, 1,28
ROM:0000C390                 extrwi    r10, r10, 1,29
ROM:0000C394                 insrwi    r9, r10, 1,25
ROM:0000C398                 andi.     r7, r9, 0xFF
ROM:0000C39C                 insrwi    r7, r8, 1,24
ROM:0000C3A0                 stb       r7, 0x28+var_4+1(r1)
ROM:0000C3A4                 lwz       r3, 0x28+var_4(r1)
ROM:0000C3A8                 lwz       r0, 0x28+arg_4(r1)
ROM:0000C3AC                 addi      r1, r1, 0x28
ROM:0000C3B0                 mtlr      r0
ROM:0000C3B4                 blr
ROM:0000C3B4 # End of function sub_C094

[rolls]

Also found the unified diagnostic service (OBD2 extension ISO14229) command handler routine, I'm sure this will help with finding out what commands it does and doesn't support.

https://automotive.wiki/index.php/ISO_14229
//0x10 Diagnostic Session Control
//0x11 ECU Reset
//0x14 Clear Diagnostic Information (not supported)
//0x18 ???
//0x19 Read DTC Information (not supported)
//0x22 Read Data By Identifier
//0x23 Read Memory By Address
//0x27 Security Access
//0x28 Communication Control (not supported)
//0x2E Write Data By Identifier (not supported)
//0x2F Input Output Control By Identifier (not supported)
//0x31 Routine Control
//0x34 Request Download
//0x35 Request Upload (not supported)
//0x36 Transfer Data
//0x37 Transfer Exit (not supported)
//0x3D Write Memory By Address (not supported)
//0x3E Tester Present
//0x85 Control DTC Setting (not supported)
//0xB1 DiagnosticCommand

edit: according to the IOActive adventures in automotive networks and control units B1 is "DiagnosticCommand" which has some fun functions, could try fuzzing this command to see what else it does?

B1 00 3C - Force brakes enabled
B1 00 2B - Disable brakes (lol this sounds bad)
B1 00 B2 - Erase binary flash (use this for flashing)
B1 00 01 A3 - perform magic???

Code: Select all

ROM:00008380 loc_8380:                               # CODE XREF: sub_829C+D0j
ROM:00008380                 lbz       r10, 0(r31)
ROM:00008384                 mr        r11, r10
ROM:00008388                 cmplwi    r11, 0x10
ROM:0000838C                 beq       loc_83F8
ROM:00008390                 cmplwi    r11, 0x11
ROM:00008394                 beq       loc_83F8
ROM:00008398                 cmplwi    r11, 0x18
ROM:0000839C                 beq       loc_83F8
ROM:000083A0                 cmplwi    r11, 0x22
ROM:000083A4                 beq       loc_83F8
ROM:000083A8                 cmplwi    r11, 0x23
ROM:000083AC                 beq       loc_83F8
ROM:000083B0                 cmplwi    r11, 0x27
ROM:000083B4                 beq       loc_83F8
ROM:000083B8                 cmplwi    r11, 0x31
ROM:000083BC                 beq       loc_83F8
ROM:000083C0                 cmplwi    r11, 0x36
ROM:000083C4                 beq       loc_83F8
ROM:000083C8                 cmplwi    r11, 0x37
ROM:000083CC                 beq       loc_83F8
ROM:000083D0                 cmplwi    r11, 0x3E
ROM:000083D4                 beq       loc_83F8
ROM:000083D8                 cmplwi    r11, 0xB1
ROM:000083DC                 beq       loc_83F8
ROM:000083E0                 cmplwi    r11, 0x34
ROM:000083E4                 beq       loc_83F8
ROM:000083E8                 mr        r3, r10
ROM:000083EC                 li        r4, 0x11
ROM:000083F0                 bl        sub_A170
ROM:000083F4                 b         loc_841C
ROM:000083F8 # ---------------------------------------------------------------------------

If it is none of these functions it then loads 0x11 which is service unsupported and sub_A170 loads 0x7F which is negative response code.