E92 PCM Reverse Engineering
- Gatecrasher
- Posts: 274
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
FYI, don't do Mode 23 reads on a live ECM. Some addresses force a full power reset. Fortunately I was sitting in my driveway when I tried it.
Re: E92 PCM Reverse Engineering
Gatecrasher wrote:FYI, don't do Mode 23 reads on a live ECM. Some addresses force a full power reset. Fortunately I was sitting in my driveway when I tried it.
Do you have specific examples? And what were the indications that you needed to do a power reset? Was it running and shut off? Or did you try to start it and it wouldn't?
I could maybe try to replicate once I get my full bench tester created.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
- Gatecrasher
- Posts: 274
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
I had it in ignition on / engine off mode. So everything was nice and quiet. I sent the 23 command, I heard a relay click, and my gauge needles twitched. I did it once more to make sure I wasn't imagining things. When I went to start it, the ignition button didn't do anything. I shut everything off, opened the door, waited 30 sec. Got back in and everything was back to normal. I pulled codes and the BCM and power steering had both lost comm with the ECM. ECM itself didn't have any codes.
My theory is the ECM rebooted and the power mode got out of sync with the rest of the car.
These are the addresses I was trying to read. The ones with xxx crashed the ECM. The other ones returned usable values.
40036b40 xxx
40037044 b463
400379e4 xxx
40037eb8 xxx
400393f4 4c90
4003998a f330
The addresses probably won't do you any good since you're likely not testing against the same OS as I am.
Re: E92 PCM Reverse Engineering
Some memory reads do crash the PCM, for some reason. It is also valid for earlier VPW PCMs. Maybe some locked registers, who knows.
M23 can't read anything even if the PCM is unlocked; to get a full map, a patch is needed.
I made a test script that will dump the flash to the log, and it can be converted to a bin. Anyone willing to test?
- Gatecrasher
- Posts: 274
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
I already have a full dump of my car's ECM. I wasn't trying to get a full read or anything. I was just trying to chase down some possible data related to the skip shift function.
I can try your script on one of my bench ECMs if you want. I've got an E92 and an E92A. I have the keys for both, so security shouldn't be an issue.
Re: E92 PCM Reverse Engineering
Here is the script.
You can use the ecm_ISO16765.xml preset for connection.
Some addresses might crash the PCM; at least with the E78 it does. I have set them to be skipped based on that, but on the E92 there might be other ranges.
It should unlock, so no need to add anything; if it fails, some timing might need to be adjusted.
We can also add a loop to dump RAM or other ranges if needed.
- Attachments
- E92_dump_script.7z
- (2.46 KiB) Downloaded 57 times
Re: E92 PCM Reverse Engineering
Ok, I was able to add the periodic tester present message to the script and got the mode 34 message to work.
I am just using assembly language and this website to create it.
Next would be to create a kernel and use Mode 36 to upload.
Code:
WasteTime:
    nop                 # four no-ops, then branch back: a tight idle loop
    nop
    nop
    nop
    b WasteTime
Re: E92 PCM Reverse Engineering
Glad you made it working,
Here is some example of how to add loops in the script:
Code:
variable:varread:4:4000
loop:196608
00 00 07 E0 23 varread 00 10:1:20
00 00 07 DF 3e:0:5
variable:varread:4:+10
endloop
variable:<name>:<size>:<value in hex>
<name> = you specify a name for the variable
<size> = how many bytes the variable is: 4 = 4-byte variable, 2 = 2-byte variable
<value> = initial value of the variable; 4000 = the value that will be used for the first message.
With this you can specify a loop sending multiple messages; it could be the same message each time, or one that is increased by the variable:
loop:<loop count in decimal>
.......
endloop
Here you have a variable named varread with an initial value of 4000, expected response count = 1, and timeout set at 20 ms:
00 00 07 E0 23 varread 00 10:1:20
Some idle message that has 0 expected response count and a timeout of 5 ms:
00 00 07 DF 3e:0:5
With this line you can increment the value of the variable by +10, so at each loop iteration you add +10 to the variable value; you can also decrement it by using -10 for example:
variable:<name>:<size>:<adder +- in hex>
variable:varread:4:+10
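Added example, not part of the dump script or the tool that runs it: a small Python expander for the script syntax described in the post above. It walks `variable:` / `loop:` / `endloop` lines, substitutes a variable's current value as big-endian bytes of its declared size, and returns the flat list of messages the script would send, without putting anything on the bus. The grammar is assumed from the post (variables wrap at their declared size, loops may nest), and `addresses_touched` assumes the four bytes after the service byte are the address, as in the post's `23 varread 00 10` line. The sample script is constructed and uses a three-iteration loop instead of 196608 so the expansion is easy to inspect.

```python
from dataclasses import dataclass


@dataclass
class Message:
    can_id: int              # first 4 bytes of the line, e.g. 0x7E0
    data: bytes              # payload after the ID, variables substituted
    expected_responses: int  # first number after the last two ':'
    timeout_ms: int          # last number on the line


# Constructed sample, same shape as the post's script but only 3 iterations.
SAMPLE_SCRIPT = """\
variable:varread:4:4000
loop:3
00 00 07 E0 23 varread 00 10:1:20
00 00 07 DF 3e:0:5
variable:varread:4:+10
endloop
"""


def _parse_hex(token):
    """Hex literal as written in the script: no 0x prefix, any case."""
    return int(token, 16)


def expand_script(text):
    """Return the flat list of Messages the script would send, in order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return _expand_block(lines, 0, len(lines), variables={})


def _expand_block(lines, start, end, variables):
    out, i = [], start
    while i < end:
        line = lines[i]
        if line.startswith("variable:"):
            _, name, size, value = line.split(":")
            size = int(size)
            mask = (1 << (8 * size)) - 1          # wrap at declared width
            if value[0] in "+-":
                # adjuster line: modifies an already declared variable
                if name not in variables:
                    raise ValueError(f"{name} adjusted before declaration")
                old_size, old = variables[name]
                delta = _parse_hex(value[1:])
                new = (old + delta) if value[0] == "+" else (old - delta)
                variables[name] = (old_size, new & mask)
            else:
                variables[name] = (size, _parse_hex(value) & mask)
            i += 1
        elif line.startswith("loop:"):
            count = int(line.split(":")[1])
            depth, j = 1, i + 1                   # find matching endloop
            while j < end and depth:
                if lines[j].startswith("loop:"):
                    depth += 1
                elif lines[j] == "endloop":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("loop without endloop")
            body_end = j - 1                      # index of the endloop line
            for _ in range(count):
                out.extend(_expand_block(lines, i + 1, body_end, variables))
            i = j
        elif line == "endloop":
            raise ValueError("endloop without loop")
        else:
            out.append(_parse_message(line, variables))
            i += 1
    return out


def _parse_message(line, variables):
    payload, expected, timeout = line.rsplit(":", 2)
    raw = bytearray()
    for tok in payload.split():
        if tok in variables:
            size, value = variables[tok]
            raw += value.to_bytes(size, "big")    # substitute current value
        else:
            raw.append(_parse_hex(tok))
    can_id = int.from_bytes(raw[:4], "big")
    return Message(can_id, bytes(raw[4:]), int(expected), int(timeout))


def addresses_touched(messages, service=0x23):
    """Addresses the mode-$23 requests would read (assumed: 4-byte address
    right after the service byte). Lets you check a script against the
    ranges known to reset the PCM before it goes anywhere near hardware."""
    return [int.from_bytes(m.data[1:5], "big")
            for m in messages if m.data and m.data[0] == service]


if __name__ == "__main__":
    for m in expand_script(SAMPLE_SCRIPT):
        print(f"{m.can_id:03X} {m.data.hex(' ')}  resp={m.expected_responses} t={m.timeout_ms}ms")
    print([hex(a) for a in addresses_touched(expand_script(SAMPLE_SCRIPT))])
```

Running the module prints the six messages the three iterations produce and the addresses 0x4000, 0x4010, 0x4020 that the read requests cover; with the post's real loop count the same arithmetic gives 196608 × 0x10 = 0x300000 bytes, which is why a crash-prone address in that span is worth finding in the expansion rather than on a live ECM.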
Re: E92 PCM Reverse Engineering
If I am sending a request that has multiple messages in the response do I have to account for that in the response count?
Edit: Here is what I'm doing and not getting any response from the Mode 36 request.
Re: E92 PCM Reverse Engineering
00 00 07 E0 36 00 [40 80 00 00] 60 00 00 00 60 00 00 00 60 00 00 00 60 00 00 00 4B FF FF F0:2:2000
I think you are uploading to a non-existent address 40800000.
You can try 40008000.
When an upload is successful, a 76 response is expected.