PCM Hammer P05 support

antus
Site Admin
Posts: 8988
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

PCM Hammer P05 support

Post by antus »

No news yet, but it just arrived and is now in hand, so it's up next.
Attachments
20240717_174802.jpg
20240717_174822.jpg
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
kur4o
Posts: 1044
Joined: Sun Apr 10, 2016 9:20 pm

Re: PCM Hammer P05 support

Post by kur4o »

To save you some debug work.
Attachments
431277.zip

Re: PCM Hammer P05 support

Post by antus »

Thanks!

I spent some time on this tonight before I saw that. So far bench wiring is ok, unlock is ok, and watchdogs maybe ok, or maybe watchdog 2 is a crash. DLC is ok for VPW read/write. It's accepting the kernel and responds with a kernel version number so some major pieces are working ok for that. But there is still more to do... It was never going to be a 1 session job anyway and definitely all the pieces needed are not found and in the kernel source yet. It could still easily be a weeks / months job. We'll see. Flash ID obviously wrong. It's known that flash chip state machine control is not right yet.
Attachments
first session.png

Re: PCM Hammer P05 support

Post by antus »

I don't remember adding support for the P05 file format, but must have done it last year some time as it just worked when I expected a fail. That's another step ready.
[11:39:21:523] File is P05 1Mb.
[11:39:21:526] Start End Stored Needed Verdict Segment Name
[11:39:21:538] 00000 FFFFF F576C57A F576C57A Good Whole File
[11:39:21:545] All checksums are valid.

Re: PCM Hammer P05 support

Post by antus »

The crash is on the flash chip command access, leave that out and it reads fine. So a bit more to learn about hardware, but getting a bin is a nice milestone.
[03:55:00:054] PCM Hammer (18/07/2024, 3:54 PM)
[03:55:00:065] Thursday, July 18 2024 @03:55:00:06
[03:55:00:082] Thanks for using PCM Hammer.
[03:55:00:121] AVT 852 Reset OK
[03:55:00:129] AVT Firmware 1.5
[03:55:08:920] Will save to S:\backedup\ecu\P05\test.bin
[03:55:09:966] Querying operating system of current PCM.
[03:55:10:067] OSID: 12603291
[03:55:10:080] Description: P05
[03:55:10:238] Unlock succeeded.
[03:55:10:309] Attempting switch to VPW 4x
[03:55:10:339] Module 0x10 (engine controller) has agreed to enter high-speed mode.
[03:55:14:064] Kernel upload 100% complete.
[03:55:14:074] Kernel Version: 82400200
[03:55:14:077] Kernel uploaded to PCM succesfully. Requesting data...
[03:58:54:200] Read complete.
[03:58:54:206] All read-request messages succeeded on the first try. You have an excellent connection to the PCM.
[03:58:54:269] Clearing trouble codes.
[03:58:55:398] Elapsed time 00:03:45.1587658
[03:58:55:402] Saving contents to S:\backedup\ecu\P05\test.bin

Re: PCM Hammer P05 support

Post by antus »

I think the deal here is that it's an Intel 28F800F3 fast boot block flash memory chip which might not be compatible with the older algorithms, but not sure yet. It might start working / stop crashing when trying to communicate with the flash state machine if the rest of the hardware is in the right state, yet to be determined. It looks like there are also AMD AM29BL802C variations.
Attachments
28F800F3.PDF
Tazzi
Posts: 3546
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: PCM Hammer P05 support

Post by Tazzi »

antus wrote: Thu Jul 18, 2024 10:31 pm
I think the deal here is that it's an Intel 28F800F3 fast boot block flash memory chip which might not be compatible with the older algorithms, but not sure yet. It might start working / stop crashing when trying to communicate with the flash state machine if the rest of the hardware is in the right state, yet to be determined. It looks like there are also AMD AM29BL802C variations.

Looking at the command definitions (Page 13), it doesn't look any different, appears the same for Intels?

I'd be interested to look at the GM flash update kernel, could hold a few secrets to speed up the process (could grab one from an online programming session).
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Re: PCM Hammer P05 support

Post by antus »

I got a bit overexcited working on it last night and decided to hack around the flash chip ID and hard code the wrong one just as a test to see what else broke or worked further down the line. Then I patched a bin and put some junk in an unused sector, thinking it would be pretty safe for hammer to attempt to erase and write that sector so I could find out how much more stuff I am going to have to fix. I should have done a test write to see if everything else was going to be healthy or not, and I am not sure why P10 got mentioned by hammer, perhaps because of one of my hacks to its workflow in this test build, but the result was unique, like I've never seen before. It seems the CRC32 routine, which has been rock solid on all other PCMs, reports the CRC of each sector back as though every single byte it read was FF. The net result of this is that empty sectors that were actually full of FF came up as identical - no flash required, and every sector with any data (including the one I intended, but also calibration, OS and boot) came up as different. And so the flash began. I haven't looked yet if this PCM has a bootloader, and hammer would have kept trying to re-write until the CRC matched, so that was quite a bad breakage. I tried to pull the cable when it was processing the sector I intended to be written, and I don't know but I am thinking erase worked, but write didn't, for most of the content of the PCM. Anyway no boot recovery and it's dead now, so time to investigate BDM.

As for the fault, makes me wonder if this CPU has trouble with 32 bit values. First 16bit of flash manufacturer is OK, next 16 bit seems to not happen. 32 Bit CRCs.. something very different about this processor from the earlier ones.
[01:03:19:200] PCM Hammer (19/07/2024, 1:03 AM)
[01:03:19:211] Friday, July 19 2024 @01:03:19:21
[01:03:19:221] Initializing J2534 Device
[01:03:19:248] Loaded DLL
[01:03:19:289] Connected to the device.
[01:03:19:293] Battery Voltage is: 13.5
[01:03:19:518] Thanks for using PCM Hammer.
[01:03:26:716] S:\backedup\ecu\P05\test-AAAAAA at A000.bin
[01:03:26:860] Identifying 1024Kb file.
[01:03:26:868] File is P05 1Mb.
[01:03:26:878] File operating system ID: 12603291
[01:03:26:884] File is P05 1Mb.
[01:03:26:887] Start End Stored Needed Verdict Segment Name
[01:03:26:900] 00000 FFFFF F5455A0E F5455A0E Good Whole File
[01:03:26:905] Requesting operating system ID...
[01:03:26:960] File is P05 1Mb.
[01:03:26:968] PCM and file are both for the same Hardware P05
[01:03:26:974] File is P05 1Mb.
[01:03:26:981] PCM and file are both operating system 12603291
[01:03:26:986] Warning: Writes to the P05 slave CPU are not supported.
You must have another way to update the slave CPU to match when you change operating system, else electroncic throttle may not work.
Restore this PCM to its original operating system if this happens.
[01:03:28:278] User chose to proceed.
[01:03:28:353] Unlock succeeded.
[01:03:28:371] Attempting switch to VPW 4x
[01:03:28:392] Module 0x10 (engine controller) has agreed to enter high-speed mode.
[01:03:35:072] Kernel upload 100% complete.
[01:03:35:083] Kernel Version: 82400205
[01:03:35:088] Kernel uploaded to PCM succesfully.
[01:03:35:102] File is P05 1Mb.
[01:03:35:110] Changing PCM to operating system 12603291
[01:03:35:128] Flash chip: Intel 28F800F3-B, 1mb
[01:03:35:133] File size 1,048,576 for flash chip size 1,048,576. Allowable for P10.
[01:03:35:142] Calculating CRCs from file.
[01:03:35:155] Requesting CRCs from PCM.
[01:03:35:160] Range File CRC PCM CRC Verdict Purpose
[01:03:36:521] 0F0000-0FFFFF 15E1DBC0 A50F3C90 Different General
[01:03:37:882] 0E0000-0EFFFF 4A7FA8E8 A50F3C90 Different General
[01:03:39:268] 0D0000-0DFFFF A50F3C90 A50F3C90 Same General
[01:03:40:647] 0C0000-0CFFFF 83289D99 A50F3C90 Different General
[01:03:42:029] 0B0000-0BFFFF A50F3C90 A50F3C90 Same General
[01:03:43:394] 0A0000-0AFFFF 778045E7 A50F3C90 Different General
[01:03:44:779] 090000-09FFFF 276713F6 A50F3C90 Different General
[01:03:46:163] 080000-08FFFF 948266C3 A50F3C90 Different General
[01:03:47:530] 070000-07FFFF 64AA8B6A A50F3C90 Different General
[01:03:48:898] 060000-06FFFF F453BA9D A50F3C90 Different General
[01:03:50:281] 050000-05FFFF 57C82AB5 A50F3C90 Different General
[01:03:51:659] 040000-04FFFF FB39EBB1 A50F3C90 Different General
[01:03:53:026] 030000-03FFFF 1A8222A9 A50F3C90 Different General
[01:03:54:417] 020000-02FFFF 94E05435 A50F3C90 Different General
[01:03:55:803] 010000-01FFFF 2FD83B07 A50F3C90 Different General
[01:03:56:005] 00E000-00FFFF 85B5BB36 85B5BB36 Same General
[01:03:56:196] 00C000-00DFFF 85B5BB36 85B5BB36 Same General
[01:03:56:386] 00A000-00BFFF 492F4124 85B5BB36 Different General
[01:03:56:577] 008000-009FFF 85B5BB36 85B5BB36 Same General
[01:03:56:771] 006000-007FFF 85B5BB36 85B5BB36 Same General
[01:03:56:962] 004000-005FFF C121BB28 85B5BB36 Different General
[01:03:57:155] 002000-003FFF 85B5BB36 85B5BB36 Same General
[01:03:57:349] 000000-001FFF FD5C1CE2 85B5BB36 Different General
[01:03:57:385] Processing range 0F0000-0FFFFF
[01:03:57:402] Erasing.
[01:03:58:412] Writing...
[01:04:31:147] Processing range 0E0000-0EFFFF
[01:04:31:162] Erasing.
[01:04:32:187] Writing...
[01:05:04:721] Processing range 0C0000-0CFFFF
[01:05:04:737] Erasing.
[01:05:05:742] Writing...
[01:05:37:886] Processing range 0A0000-0AFFFF
[01:05:37:916] Erasing.
[01:05:38:917] Writing...
[01:06:11:138] Processing range 090000-09FFFF
[01:06:11:162] Erasing.
[01:06:12:168] Writing...
[01:06:44:979] Processing range 080000-08FFFF
[01:06:45:016] Erasing.
[01:06:46:023] Writing...
[01:07:18:823] Processing range 070000-07FFFF
[01:07:18:834] Erasing.
[01:07:19:838] Writing...
[01:07:53:188] Processing range 060000-06FFFF
[01:07:53:205] Erasing.
[01:07:54:210] Writing...
[01:08:27:146] Processing range 050000-05FFFF
[01:08:27:179] Erasing.
[01:08:28:183] Writing...
[01:09:01:031] Processing range 040000-04FFFF
[01:09:01:056] Erasing.
[01:09:02:060] Writing...
[01:09:34:899] Processing range 030000-03FFFF
[01:09:34:916] Erasing.
[01:09:35:923] Writing...
[01:10:08:801] Processing range 020000-02FFFF
[01:10:08:828] Erasing.
[01:10:09:829] Writing...

^ that was cut n paste, then pulled the cable at sector A000.... and then game over. I lost this round.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
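The failure described in the post above, where the PCM reports one identical CRC for every block of a given size, can be detected from the comparison table before any erase is issued. The following Python sketch is an added example, not PCM Hammer code and not part of antus's post; the function names and the `min_blocks` threshold are assumptions, and the sample rows are a subset copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: a subset of the CRC comparison rows from the log above.
SAMPLE_LOG = """\
[01:03:36:521] 0F0000-0FFFFF 15E1DBC0 A50F3C90 Different General
[01:03:37:882] 0E0000-0EFFFF 4A7FA8E8 A50F3C90 Different General
[01:03:39:268] 0D0000-0DFFFF A50F3C90 A50F3C90 Same General
[01:03:40:647] 0C0000-0CFFFF 83289D99 A50F3C90 Different General
[01:03:56:005] 00E000-00FFFF 85B5BB36 85B5BB36 Same General
[01:03:56:386] 00A000-00BFFF 492F4124 85B5BB36 Different General
[01:03:57:155] 002000-003FFF 85B5BB36 85B5BB36 Same General
[01:03:57:349] 000000-001FFF FD5C1CE2 85B5BB36 Different General
"""

# Timestamp, then "START-END FILECRC PCMCRC ..."; header rows do not match.
ROW = re.compile(r"\]\s+([0-9A-F]{6})-([0-9A-F]{6})\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s")

def parse_rows(log_text):
    """Return (start, end, file_crc, pcm_crc) for each CRC comparison row."""
    rows = []
    for line in log_text.splitlines():
        m = ROW.search(line)
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return rows

def suspicious_sizes(rows, min_blocks=3):
    """Block sizes where the PCM returned a single CRC for every block while
    the file holds several distinct ones. A genuinely blank chip also trips
    this, so treat a hit as "stop and confirm", not as proof of a fault."""
    file_crcs, pcm_crcs, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for start, end, file_crc, pcm_crc in rows:
        size = end - start + 1
        file_crcs[size].add(file_crc)
        pcm_crcs[size].add(pcm_crc)
        counts[size] += 1
    return sorted(size for size in counts
                  if counts[size] >= min_blocks
                  and len(pcm_crcs[size]) == 1
                  and len(file_crcs[size]) > 1)

def safe_to_write(log_text):
    """False when the readback looks degenerate and the write should pause."""
    return not suspicious_sizes(parse_rows(log_text))
```

Run over the sample rows, both the 64 KB and the 8 KB block groups are flagged, which is the state the log shows just before the erase/write loop starts.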

Re: PCM Hammer P05 support

Post by antus »

@Tazzi yeah the protocol looks the same, the speed and VPP support is different. It may be able to write without switching on 12v VPP which would be nice as you get more flash cycles and I doubt the speed difference is enough to matter. That is, if VPP is tied to VCC. Anyway, will get it alive again then figure out what to do next.
In addition to the enhanced architecture and interface, this family of products incorporates SmartVoltage technology which enables fast factory programming and low power designs. Specifically designed for low voltage systems, Fast Boot Block flash memory components support read operations at 2.7 V (3.3 V for automotive temperature) VCC and block erase and program operations at 2.7 V (3.3 V for automotive temperature) and 12 V VPP. The 12 V VPP option renders the fastest program performance to increase factory programming throughput. With the 2.7 V (3.3 V for automotive temperature) VPP option, VCC and VPP can be tied together for a simple, low power design. In addition to the voltage flexibility, the dedicated VPP pin gives complete data protection when VPP ≤ VPPLK

Re: PCM Hammer P05 support

Post by antus »

I think I've killed this one. It's cold here and I had trouble getting the back off and managed to go too deep and chip off a resistor and a capacitor. I didn't notice until after the cap was lost, and when resoldering the resistor back into place it kept sticking to my SMD tools, then flew off never to be seen again. I thought if I was lucky that might be in an analog part of the PCM which does not matter for reflash development, but I can't get it to detect the flash with BDM, and I have a feeling it may have something to do with power or pull up of the flash chip. I'll have to order another PCM which will probably take another month to get here before resuming work on the P05. It's a good time to work on getting the next release of pcmhammer out anyway and getting P04, P08, BlackBox out there.