T43 Dissasembly

[hjtrbo]

Following on from the first 4 pages of a blatant thread hijack (apologies Miestro), the thread continues here. This is my first crack at disassembly anything and using Ghidra. Very steep learning curve
viewtopic.php?f=26&t=8399

Tre-cool has set up a Ghirda project server if anyone wants to contribute.
viewtopic.php?f=26&t=8399&start=10#p125261

I'm re-attaching here files from the other thread if you want to download and play along.
A couple of notes on the address workbook

• It's about 2/3 of the HP definition.

• I'm currently labelling the tables in Ghidra and am noticing a bit of inconsistency with how tables are accessed which is causing some of my addresses to be off by a couple of bytes here or there. E.g. some tables have the axis size referenced whilst others which also might have axis info are not being referenced. Stupid GM. I'm fixing that up now as I go through labelling the tables.

• The address workbook is for Ghirda, it is not suitable for a straight xdf conversion (but it is an excellent starting point).

• I'll periodically update the workbook here.

For new users of Ghidra, the disassembly options where left as default and the processor settings to use for the T43 are:

PowerPC:BE:32:MPC8270

A couple of registers need to be set. Be sure to re-analyse the file after changing these addresses. The following values are used for the OS's that have been peeked at so far:

r13 = 0x400000
r2 = 0x8000

My end goals are:

• Locate extra tables / flags that might assist with torque converter tuning.

• Find PCS1 (line pressure solenoid) and see if there is a way to modify it's pressure response without having to edit the torque tables in the ECM. Even better would being able to scale the incoming torque value.

The OS I'm learning on is used in the 2013-2017 HSV LSA 6L90's and 2012-2015 Chevrolet Camaro ZL1 LSA 6L90's.

Side note, for comparing bins have a try of WinMerge if you're currently using HxD. I found it easier on my eyes and quicker to navigate differences.

[kur4o]

To keep discussion here.

I must have missed the switch from e67 to t43. Did a quick test with ida and your are correct about the r2 and r13.
If you play with e67 use the other settings for r2 and r13.

With universal patcher there is already a DTC map for t43. So no need to spend time on it.
Not sure how tables are accessed. With offset table, index table or some other way. The extra bytes before the table address are identification for the table`s axis length and data size. You can derive length of axis out of it

[kur4o]

Some memory mapping.

0-1FFF some reset vectors

2000-3FFF eeprom area

4000-7FFF unused

3 identical blocks of eeprom area
8000-9FFF
A000-DFFF
E000-FFFF

10000-1FFFF is some bdm recovery, FLASH, communication area??? No checksum found for it[might have one, needs checking]

BootBlock [20000 - 2FFFF]
OS [30000 - 11FFFF, 120000 - 1BFFFF]
per this OS
Trans [1C0000 - 1FCB57]
Diag [1FCB58 - 1FEB57]
System [1FEB58 - 1FFFFF]

RAM estimation, there might be other areas too.
Ram 302000-308000
RAM 3F8000-408000


Found some cpu identifier
PB010110BOSCH TC19.12 MPC562
GM_T43AEEWG/ETP_Bosch TCU19.12_SilverOakFlash_ProgrammingAccess
BOSCH AE/EWG TC19.12 MPC562 CC_OFF1270H00183_DUMMY_

[hjtrbo]

Thank you Kur4o, that information is outstanding. I'm envious how you made such quick work of the memory map. I do intend to have a dig through my e67 so your r2 and r13 values will be useful. Thanks again.

[antus]

He's a universal patcher guru. There is a tonne of stuff in there to search for things, and identify things, if you know how to use all the advanced functionality.

I am not so sure about those identifiers though, I see a lot of identifiers left over in GM code, that comes from SDKs that target multiple platforms. The object is sometimes linked in to a binary, even though the code and/or the reference does not match the target platform. Ive seen flash code duplicated and unused for all kinds of chips, and from "GM_T43AEEWG/ETP_Bosch TCU19.12_SilverOakFlash_ProgrammingAccess/BOSCH AE/EWG TC19.12 MPC562 CC_OFF1270H00183_DUMMY_" Bosch and SilverOak (Ford) doesnt make sense, and DUMMY is probably unused too. The GM_T43AEEWG might be relevant. Always interesting but often a red herring those bits.

[hjtrbo]

Making some headway with TCC discovery. I have found and tested the 1 and 2D table look ups. I converted the PPC assembly to C and ran it. It outputs the interpolated values perfectly. I've had a quick peak up 1 level to the calling function and it looks like there is a state machine to decipher.

What is becoming obvious is I need to read the RAM area outside of the binary image. I understand I might be able to try the 'ReadMemoryByAddress' service. I'm not sure how to go about that just yet.
These addresses I'd like to read at idle, cruising and sustained load.
003fc79a
003fc89a
003fcd2c

[hjtrbo]

I need help.

Using a trivial example, the TCC apply / release speed tables are not directly referenced. I don't understand what I'm looking for to work out how the OS directs a reference to that table. Presuming some pointer offset or the like but it's not obvious to me. I do get a xref to a addr instruction (if that's even legit) but that's where it ends.

[hjtrbo]

It's starting to click. Lots and lots of pointers to registers that hold the addresses of the tables. No direct xref's. God damn it...

[hjtrbo]

Found the tcc apply / release address table pointers. What a mission to find, there are no direct xref generated in Ghidra. I think that is because the pointer is being loaded into r12?. It's not until you get into the function that you see it. param_1 is a loop counter from the parent function.

[hjtrbo]

I think I've reached a point where I need to start logging the bus and learning how to use the readByAddress service. I just need these last memory locations (circled in red) to finish off this part of the TCC logic I'm interested in, namely the desired pressure table. Can someone sell me an a2l?



Link to an archive of my current Ghidra progress. Restore it in the project explorer. https://1drv.ms/u/s!Atuxgi8rpo3VoL9oF8h ... A?e=7HBcny