pcmhacking.net

You can get it at https://github.com/mikebb203/IPC-Hammer. It won’t program a trailblazer yet.

Looking at your file. It looks like you dumped the bootloader and calibration. The bootloader starts at 0x0000 and the calibration starts at 0x4000. The OS starts at 0x18000 and ends at 0x1FFFF. I believe that the ram starts at 0xC000.

kur4o wrote:Is there any source for precompiled version of IPC hammer.

Might test it on 2002 trailblazer IPC.

I made a dump of this ipc but is not complete. Some data is missing. Cal segment is full and there is what seems like ram at c000 and eeprom at e000.

Kur4o, how did you get the dump? JTAG, BDM?

I use minimon from Infineon with a usb to serial adapter. Fixed until broken on YouTube has videos on how to do it.

With some hints from bbmike, I managed to get the full dump. Last attempt I did was upto 18000 address, just where the os starts.

Now I got a full dump but still can`t figure the checksum range of OS.

I also tested the ipchammer, some functions work, others not, On read properties it stops, when there is a negative 7f response. Maybe some exception can be added, so info from non fully supported ipcs still can be read.

The other questions how the dump was got. I made a script to read it via mode22 messages, and compile the messages to a bin file. Slow[10-20mins] but efficient way to get the full dump[including ram] on a running ipc.

Here is the full dump.

Hiya,
Are you running into a security issue with the dump? What is the address for the serial i/o? I might be able to help with an old serial dumper that doesn't require Rom info.

edit,
It's a bit toggler breach, I am not sure it will work in this environment. I will have to dig into old VB stuff to make an app to work.

The os checksum should be from 0x18002 to the last byte before the 0xC3A5 at the end of the os. If you change the 0xC3A5 at the end of the os and make a bin with just the os the test checksum button in ipchammer should work to calculate the checksum.

Hi mike, I tested the ipc hammer and it says it finds correct checksum. I did try to do some manual calculations and the all known methods for gm failed.
Can you disclose what method is being used here. I want to add it to universal patcher for easier checksum correction.

In the dump I posted the boot block have some range missing. I think it is locked for reading via mode22. The range is 8000-bfff.

I’ll have to look for the checksum math. The range of 8000-bfff would be used for external access. I don’t think the clusters use the external bus. All the boot loader is in 0-3fff. The calibration should be in 4000-7fff.

If I remember correctly you have to do 16 bit big endian sum and then 2’s complement.