E40 ECM disassembly and reflash project

dzidaV8
09-09-2019, 10:42 PM
Hi all!

Since I have an E40 PCM powered car I was thinking about opening the platform for open source flashing. Recently I have started the disassembly work on an Impala LS4 bin file I found here.

E40 ECM has both J1850 VPW and GM High-Speed LAN (500kbps CAN, 29bit ID) capabilities, and from what I already decoded both are used by the bootloader. Looks like a similar approach as in 0411 style PCMs is needed to transfer the reflash kernel, as there is no reflash code in there.

If anyone wants to chime in and help, it would be great. I have done a lot of work disassembling LT1 and LS1 PCMs, but here the code is much more complicated with heavy pointer usage; most likely Delphi switched to a higher-level language like C++ for developing the E40 code.

For now, feel free to have a look at and comment about the code I disassembled so far.

NSFW
09-12-2019, 08:06 AM
There might be a reflash routine in the operating system, to store check-engine-light codes. I didn't realize that about 411 PCMs until we already had 411 flashing working, but the code gave me a rough idea of what the P59 flash code would have to do.

(P59 flashing is still not working reliably but it's still on the to-do list. First I have to figure out how to unbrick both of my bench PCMs.)

If the E40 supports the same J1850 messages that the 411 uses to upload and execute a flash kernel, then it would probably make sense to extend PCM Hammer to support it. CAN would allow for much faster reflashes, but for CAN it would make more sense to fork PCM Hammer than to just extend it. But it would probably still be easier than starting from scratch.

NSFW
10-09-2019, 12:46 AM
I'm not able to open that IDB file because I'm using a relatively old version of IDA.
If you can export it to an IDC file (script) that will probably work for me.
Thanks!

dzidaV8
10-09-2019, 10:02 PM
I made some progress on the E40 code. I think I've found built-in block reflash routines starting at 0xEA0E4. From the commands there I think the flash chip is 29F800 series. Have a look at the .idc file attached.

NSFW
10-10-2019, 07:48 AM
You found a lot of good stuff in there! I agree, that does look like reflash code. The magic numbers in the chunk at EA1F8 look pretty familiar.

If the same commands over the VPW bus can be used to upload a kernel, it should be straightforward to add support for this in PCM Hammer - assuming we can get the PCM Hammer kernel to support the flash chip. I think it's the same chip used in the P59, and I was able to flash the P59 on my desk once, but I bricked it on the next attempt - and then bricked the 2nd that I bought to experiment with, so something definitely isn't right about the existing flash code.

The new kernel code in the GitHub project has been updated, so what's there now is what has been included in the releases. If you can spare some time to look over the AMD flash code (flash-amd.c) I'd love to know if you see anything suspicious.

christopher.orea
04-13-2022, 08:25 PM
Were you able to develop an xdf for the 12604792?