GM E38 E67 E40 Kernel/Bootloader Development Extravaganza
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
But as before, the GM kernel doesn't do any of this. It simply enables the flash chip for flashing. Then the OS routine can do the rest. This would have to be a safety precaution, so the flash enable can't be done without sending a kernel.
So.. the smartest and fastest option would be to just make a kernel which enables the flash then exits. Would need to double check if there's any other special functions happening with the GM one again now with a better understanding, but from what I have seen, it turns off a few other interrupts plus some housekeeping, then just works. Wouldn't be surprised if there's a 'magic number' in there for the ECU to accept writing data.
*edit
One thought before I pass out. What if the GM kernel is uploaded to RAM, but it's only executed once the next mode 36 frame is sent, which is at a different RAM offset. Mmm... still wouldn't make sense with what the serial data is all about, plus it never accesses the CAN registers. But the kernel itself is almost broken into multiple functions.. as in you could start the kernel in multiple locations depending on the task/function you wanted it to do.
There's multiple locations which have no previous call to them, but yet have a blr (basically return from function). So it would make sense if the actual functions could be manually addressed by the scantool once the kernel is sitting in RAM.
Will be tomorrow's job to see if that actually matches up with the logs.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
Keep us updated mate, great reading.
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
Some compilers to look into...
https://github.com/BullyWiiPlaza/PowerP ... y-Compiler
https://gbatemp.net/threads/powerpc-ass ... er.415721/
https://wiibrew.org/wiki/DevkitPPC (Appears to be a C powerpc option...)
ASMWiiRd
Dolphin
CASMPPCZ
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
Looking at the addresses, the GM kernel doesn't execute at an address inside of where the kernel was loaded, so that's that option busted.
Regardless, it seems the route of reading/writing frames and making a custom kernel is the current route, as it actually makes sense how it works.
Just need to settle on an ASM compiler.. and make a stupid simple app to say hello world on the bus or something and go from there!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
Going to be extremely short on time in the next few days to play with this some more.
Main concern is a suitable compiler to use. I have not found many examples of how to produce functions properly in PPC ASM, so it's going to be a bit of trial and error I think.
Worst case... I don't use functions, and just write everything out in one giant loop. Not exactly the most efficient thing to do, but it will get the job done. Basically a lot of copy/paste for setting CAN frames etc.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
I believe making it work with J-tools will be best, already have that stuff nailed down so it's just a matter of actually sending a kernel and the rest should be fairly straightforward.
Anyone with a J tool and E38, will be needing some others to give it a whirl! I'm yet to see an E38 with different flash memory, but might be best to get a tonne of reads to just be safe.
The flash chips support reporting back what they are. So, that'll be a quick way of getting the kernel to report to the scantool if it's going to be supported or not.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
I have close to about 100 tabs open with examples, code and all sorts for MPC... so don't mind me.. just copying in links that have been helpful so far.
Reference to cpu:
https://www.nxp.com/products/processors ... PC562#nogo
https://www.nxp.com/docs/en/data-sheet/MPC561RM.pdf
https://www.nxp.com/docs/en/supporting- ... RY_MAP.pdf
https://www.nxp.com/docs/en/user-guide/MPC564EVBUM.pdf
General PPC decoding:
https://www.ibm.com/support/knowledgece ... s_set.html
https://developer.apple.com/library/arc ... -TPXREF101 (Apple does great examples)
https://www.cs.uaf.edu/2011/fall/cs301/ ... werPC.html (Good example about stack and function returns)
https://wiibrew.org/wiki/Assembler_Tutorial
http://www.tentech.ca/downloads/other/P ... 2_2010.pdf (bunch of quick references/examples/lookups)
https://cache.freescale.com/files/produ ... XINSET.pdf
http://math-atlas.sourceforge.net/devel ... pc_isa.pdf
Understanding insrwi and rlwimi:
https://stackoverflow.com/questions/265 ... nstruction
https://www.ibm.com/support/knowledgece ... itreg.html
http://personal.denison.edu/~bressoud/c ... ctions.pdf
http://www.asmcommunity.net/forums/topic/?id=30640
https://www.se7ensins.com/forums/thread ... i.1230332/
http://ps-2.kev009.com/wisclibrary/aix5 ... hift32.htm
Nor flash commands:
http://www2.lauterbach.com/pdf/flash_diagnosis.pdf
https://pdf1.alldatasheet.com/datasheet ... 9CD-J.html
https://www.cypress.com/file/219931/download
https://www.cypress.com/file/195291/download (guide to common flash interface)
General examples:
https://www.sciencedirect.com/topics/co ... nal-branch
http://www.eecs.umich.edu/courses/eecs3 ... s/lec2.pdf
https://wiki.netbsd.org/examples/elf_ex ... r_powerpc/
https://cr.yp.to/2005-590/powerpc-cwg.pdf (lots of examples including crc)
https://www.ibm.com/developerworks/libr ... index.html
https://www.ibm.com/developerworks/libr ... index.html
Compiling PowerPC in Windows:
https://stackoverflow.com/questions/321 ... or-powerpc
Last edited by Tazzi on Tue Jul 23, 2019 6:51 pm, edited 1 time in total.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
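A C reference model of the rotate-and-mask instructions behind the "Understanding insrwi and rlwimi" links, added here as an example (not code from this thread or from the GM kernel). It uses the Power ISA definitions with IBM bit numbering (bit 0 = most significant), and the simplified-mnemonic expansions (insrwi, extrwi, slwi, srwi, clrlwi) are the ones assemblers apply, so the same values can be checked against a disassembly listing.

```c
#include <stdint.h>

/* Rotate a 32-bit word left by sh bits (sh is taken modulo 32). */
static uint32_t rotl32(uint32_t v, unsigned sh) {
    sh &= 31;
    return sh ? (v << sh) | (v >> (32 - sh)) : v;
}

/* MASK(MB, ME): ones from IBM bit MB through bit ME inclusive.
 * When MB > ME the mask wraps around the word (bits MB..31 and 0..ME). */
uint32_t ppc_mask(unsigned mb, unsigned me) {
    uint32_t from_mb = 0xFFFFFFFFu >> mb;        /* IBM bits mb..31 */
    uint32_t to_me   = 0xFFFFFFFFu << (31 - me); /* IBM bits 0..me  */
    return mb <= me ? (from_mb & to_me) : (from_mb | to_me);
}

/* rlwinm rA,rS,SH,MB,ME : rA = ROTL(rS,SH) & MASK(MB,ME) */
uint32_t rlwinm(uint32_t rs, unsigned sh, unsigned mb, unsigned me) {
    return rotl32(rs, sh) & ppc_mask(mb, me);
}

/* rlwimi rA,rS,SH,MB,ME : rA = (ROTL(rS,SH) & m) | (rA & ~m)
 * rA is read-modify-write: only the masked bits are replaced. */
uint32_t rlwimi(uint32_t ra, uint32_t rs, unsigned sh, unsigned mb, unsigned me) {
    uint32_t m = ppc_mask(mb, me);
    return (rotl32(rs, sh) & m) | (ra & ~m);
}

/* insrwi rA,rS,n,b : insert the low-order n bits of rS into rA at bits b..b+n-1.
 * Expands to rlwimi rA,rS,32-(b+n),b,b+n-1 */
uint32_t insrwi(uint32_t ra, uint32_t rs, unsigned n, unsigned b) {
    return rlwimi(ra, rs, 32 - (b + n), b, b + n - 1);
}

/* extrwi rA,rS,n,b : extract n bits starting at bit b, right-justified.
 * Expands to rlwinm rA,rS,b+n,32-n,31 */
uint32_t extrwi(uint32_t rs, unsigned n, unsigned b) {
    return rlwinm(rs, b + n, 32 - n, 31);
}

/* slwi/srwi/clrlwi are also rlwinm in disguise. */
uint32_t slwi(uint32_t rs, unsigned n)   { return rlwinm(rs, n, 0, 31 - n); }
uint32_t srwi(uint32_t rs, unsigned n)   { return rlwinm(rs, 32 - n, n, 31); }
uint32_t clrlwi(uint32_t rs, unsigned n) { return rlwinm(rs, 0, n, 31); }
```

Feeding the operands from a disassembled rlwimi/rlwinm into these functions gives the register value the instruction produces, which is usually quicker than working the mask out by hand.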
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
Ah, that's gonna make lookups easier. Have so many double ups in Chrome from searches.
I saw valid references to the command set for the S29 flash chip in its datasheet, so that's all making sense now. Not sure if the actual addresses made sense by the data (commands) were matching up, so that's vital for unlocking, erasing, writing etc.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
I just found this post, AMAZING WORK!!!
I understand some of the gist of what you're doing, but it's mostly over my head..
I do have an E38 sitting on my bench at work with a bench harness already on it, and I have a couple MDIs, so if it's something simple I can do to help you verify something, let me know..
Very interesting reading, I really can't afford the time to get into stuff like this in the summer, that's my winter hobby, lol..
Re: GM E38 Kernel/Bootloader Reverse Engineering Extravaganz
I've had to deal with a bit of PPC recently, so applied it to the E38s (which is also going to be applicable to E40 and E67) and so far.. it's not actually going to be all that bad.
tek1229 wrote:
I just found this post, AMAZING WORK!!!
I understand some of the gist of what you're doing, but it's mostly over my head..
I do have an E38 sitting on my bench at work with a bench harness already on it, and I have a couple MDIs, so if it's something simple I can do to help you verify something, let me know..
Very interesting reading, I really can't afford the time to get into stuff like this in the summer, that's my winter hobby, lol..
It's just a time thing to be honest. Looking over various kernels... it's just a big game of "who did it first" or, how many ways can you do 1+1=2?
There's a few critical things which all happen exactly the same, including setting up CANbus, setting up pins and the flash chip, and updating interrupts. Once these things are done, it's all fairly straightforward.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726