
Thread: Flashhack - New LT1 flash tool

  1. #91
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    it's crazy there's a time difference.... is there a long connection time with the '94? are there any read checksum errors in the comm log, and is it recovering properly from them? (it should but actually i've tested write waaaaay more than read)

  2. #92
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    The connection time isn't that different between the two. It's that during the read it occasionally hits an incorrect response, retransmits, then gets the correct response. Or as Flashhack puts it, it times out waiting for the response and tries again. It does this incredibly gracefully and the end result is a successful read.

    Here's what one of those "pauses" in the read looks like:

    20.695: COMM::Sent message: F45C060200200B390044
    21.705: COMM::Packet error: Timeout waiting for reply payload.
    21.705: Trying to reconnect to bus...
    21.988: COMM::Sent message: F45C060200200B390044
    22.167: COMM::Recieved reply: F4D906AA3900767470808080808080808080808080808080808080808080808080808080808080808080801A40FF401A80808080585858585858585858585858585880808080808080808080808080808080808080808080808080808080808080808080808080D0D0D0D0D0D0D0D0D0D0D0D0D080808080808080808080808080808080808035
    22.167: DEBUG::Read TSIDE3900[80]

    I should note that WinFlash also took longer to flash/read the '94 than the '95, likely for the same reason Flashhack does. That's why I don't consider it a problem as long as Flashhack is handling it gracefully, which it is.
    Last edited by NomakeWan; 04-26-2020 at 05:37 AM.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  3. #93
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    ah cool that's kind of what i wanted to see

    i've simulated similar stuff just unplugging and reconnecting the aldl cable at random during a write but never really bothered to check read..

    if it happens during an erase sometimes it's okay and keeps going, and sometimes you have to hit 'write' again. depends when and for how long it dies.

    most operations retry a decent amount of times before failure but i've cut that number back in later versions, because if something insane is going on, sometimes you have to accept catastrophe and just restart the procedure clean to win, and now that it's possible to do that at any point during a write, sometimes it's worth it to just bail.

  4. #94
    Fuel Injected! JimCT_9C1's Avatar
    Join Date
    Feb 2013
    Location
    Connecticut
    Posts
    63
    First off - thank you to steveo and all those working on developing and testing flashhack!

    Been doing some testing of b0.5.4 with good results on a 95 B-body (9C1) and 95 F-body (TA).
    Tested Dbg_B, loaded/unloaded kernels as well as full reads. Tested with 16ms, 3ms, and 1ms latency.

    Max predelay was 2. All kernel unload tests and full reads on both B and F cars consistently showed a timeout waiting for reply payload during T-side reboot, but b0.5.4 caught it and continued to completion. I pasted a typical comm below - very similar to that of NomakeWan's post above.

    35.240: Rebooting TSIDE
    35.242: DEBUG::Executing prepared program REBOOT on TSIDE
    35.255: COMM::Sent message: F4700602003C30CC06AAED00C6029D1438CE01FF6F000926FB6F0020FE1A
    36.301: COMM::Packet error: Timeout waiting for reply payload.
    36.304: Trying to reconnect to bus...
    36.583: COMM::Sent message: F4700602003C30CC06AAED00C6029D1438CE01FF6F000926FB6F0020FE1A
    36.637: COMM::Recieved reply: F45706AA05
    36.639: DEBUG::Executed REBOOT on TSIDE
    36.641: Rebooted TSIDE

    With regard to echoes, I had done some earlier test reads using b0.5.1 and saw something similar, but attributed it to using the default 16ms latency. It occurred on both the B and F cars when entering programming mode; T-side (B-body) and E-side (F-body). These errors caused b0.5.1 to hang at that point without an obvious path forward. Here are the tail ends of the comms:

    B-body:
    55.068: COMM::Sent message: F45608AE
    55.352: Successfully connected to the ALDL bus.
    55.353: COMM::Sent message: F45605B1
    55.368: COMM::Timeout waiting for read of size 4
    55.368: COMM::Recieved reply: F45605B1F4580D023372
    55.369: DEBUG::Unknown response when entering programming mode.
    55.369: ERROR! Could not connect or load the kernel.

    F-body:
    61.400: Entering programming mode on ESIDE
    61.413: COMM::Sent message: E45605C1
    61.429: COMM::Timeout waiting for read of size 4
    61.431: COMM::Recieved reply: E45605C1E4580D023382
    61.432: DEBUG::Unknown response when entering programming mode.
    61.433: ERROR! Could not connect or load the kernel.


    I hope these results are helpful -

    Jim
    1995 Caprice 9C1 LT1 - 4.10s, Dynomax Catback, K&N Cold Air Kit, Other Little Stuff
    1996 Caprice 9C1 LT1 - 3.73s, Stock
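
In the two "Unknown response" logs above, the received buffer starts with the request bytes themselves and a second frame follows. The sketch below is an added example, not part of the thread and not flashhack's code; it splits such a buffer into frames and drops the echoed request. The framing rules it uses (length byte = 0x52 + total frame length, all bytes summing to zero mod 256) are an assumption inferred from the frames quoted in this thread.

```python
"""Split a raw ALDL receive buffer into frames and strip the echoed request."""

LEN_BASE = 0x52  # assumption: length byte = 0x52 + total frame length


def split_frames(hexstr):
    """Return [(device, mode, payload_hex), ...] for every frame in hexstr.

    Raises ValueError on a truncated frame, bad length byte or bad checksum.
    """
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    frames, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 4:  # device + length + mode + checksum
            raise ValueError(f"truncated frame at byte {pos}")
        total = raw[pos + 1] - LEN_BASE
        if total < 4 or pos + total > len(raw):
            raise ValueError(f"bad length byte at byte {pos + 1}")
        frame = raw[pos:pos + total]
        if sum(frame) & 0xFF:  # checksum makes the byte sum 0 mod 256
            raise ValueError(f"checksum mismatch in frame at byte {pos}")
        frames.append((frame[0], frame[2], frame[3:-1].hex().upper()))
        pos += total
    return frames


def reply_without_echo(sent_hex, received_hex):
    """Drop the leading frame when it is only our own request echoed back."""
    sent = split_frames(sent_hex)
    got = split_frames(received_hex)
    if sent and got and got[0] == sent[0]:
        got = got[1:]
    return got


# (sent, received) pairs copied from the B-body and F-body logs in post #94
SAMPLES = [
    ("F45605B1", "F45605B1F4580D023372"),
    ("E45605C1", "E45605C1E4580D023382"),
]

if __name__ == "__main__":
    for sent, received in SAMPLES:
        for dev, mode, data in reply_without_echo(sent, received):
            print(f"device={dev:02X} mode={mode:02X} data={data}")
```

With the echo removed, both buffers leave a single well-formed mode 0D frame.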

  5. #95
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    yep that’s the bug i was just talking about. i would expect it to be gone now.

    the error on reboot is fine, one of those acceptable errors. i've been ignoring it since the reboot always seems to succeed whether it has a valid response or not. it's possible that i'm not waiting long enough for the reply though

  6. #96
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    hey nomakewan aka mr. ccm,

    can you do some testing for me for fun?

    there is a 'send raw command' in flashhack's advanced tab. connection should be automatic if your CCM has woken up. the output shows up in the debug log.

    the first field is the device, so set it to F1
    second field is the command
    third field (long) is the rest of the message

    can you try the following commands/payloads to see what commands it supports or if it responds at all, the payloads should cause the command to fail but then we'll know the command exists:

    03, 2000 (read 64 bytes starting at 0x2000)
    03, 0200 (read 64 bytes starting at 0x0200)
    04, 0000 (test actuator)
    05 (empty) (enter program mode. don't worry, it'll ask for a key with 0D if this works, we just won't give it one)
    0C (empty) (program aux eeprom)

    in particular if the mode 3 command works we can dump the rom which could yield some fun stuff. if it supports mode 5 we might be able to flash it ourselves one day.

  7. #97
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Sure thing. Here are the results of my testing. First section was using EEHack's manual command, followed by flashhack's.

    Code:
    TX+F15803200094
    RX+F1570300B5
    TX+F158030200B2
    RX+F1570300B5
    TX+F158040000B3
    RX+F15604B5
    TX+F15605B4
    RX+F1570500B3
    TX+F1560CAD
    RX+NO REPLY
    
    
    
    COMM::Sent message: F15803200094
    COMM::Recieved reply: F1570300B5
    DEBUG::Got reply to command: DEVICE=F1 COMMAND=3 DATA=00
    DEBUG::Sending raw command: DEVICE=F1 COMMAND=3 DATA=0200
    COMM::Sent message: F158030200B2
    COMM::Recieved reply: F1570300B5
    DEBUG::Got reply to command: DEVICE=F1 COMMAND=3 DATA=00
    DEBUG::Sending raw command: DEVICE=F1 COMMAND=4 DATA=0000
    Reconnecting to ALDL bus, please wait....
    Listening for ALDL heartbeat to determine current bus master...
    Got heartbeat frame for current master f1
    Silencing bus master device f1
    DEBUG::Found heartbeat, sending mode 8 request with predelay 0
    COMM::Sent message: F15608B1
    DEBUG::Found heartbeat, sending mode 8 request with predelay 1
    COMM::Sent message: F15608B1
    COMM::Exceeded minumum silence length, connection is likely.
    Successfully connected to the ALDL bus.
    COMM::Sent message: F158040000B3
    COMM::Recieved reply: F15604B5
    DEBUG::Got reply to command: DEVICE=F1 COMMAND=4 DATA=
    DEBUG::Sending raw command: DEVICE=F1 COMMAND=5 DATA=
    COMM::Sent message: F15605B4
    COMM::Recieved reply: F1570500B3
    DEBUG::Got reply to command: DEVICE=F1 COMMAND=5 DATA=00
    DEBUG::Sending raw command: DEVICE=F1 COMMAND=C DATA=
    Reconnecting to ALDL bus, please wait....
    Listening for ALDL heartbeat to determine current bus master...
    Got heartbeat frame for current master f1
    Silencing bus master device f1
    DEBUG::Found heartbeat, sending mode 8 request with predelay 0
    COMM::Sent message: F15608B1
    DEBUG::Found heartbeat, sending mode 8 request with predelay 1
    COMM::Sent message: F15608B1
    COMM::Exceeded minumum silence length, connection is likely.
    Successfully connected to the ALDL bus.
    COMM::Sent message: F1560CAD
    COMM::Packet error: Timeout waiting for reply payload.
    Trying to reconnect to bus...
    COMM::Sent message: F1560CAD
    COMM::Packet error: Timeout waiting for reply payload.
    Trying to reconnect to bus...
    COMM::Sent message: F1560CAD
    COMM::Packet error: Timeout waiting for reply payload.
    Trying to reconnect to bus...
    COMM::Sent message: F1560CAD
    COMM::Packet error: Timeout waiting for reply payload.
    Trying to reconnect to bus...
    ERROR! Raw command not successful: DEVICE=F1 COMMAND=C DATA=
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  8. #98
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    ok cool thanks

    i screwed up and the first commands should have been mode 2 (read 64 byte chunk) but if it does mode 3 (read single address) it probably does mode 2 as well.

    i'll write you a thing to dump the CCM rom with mode 2 so we can try to see if there's anything cool in there or at least have it for reference, maybe get both the 94 and 95 so we can compare? i haven't seen a CCM bin floating around so it could come in handy.

    if mode 5 responds that means we could probably reprogram it but who knows. the mode 4 commands it supports we might be able to find pretty quick once we have that rom.

  9. #99
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Sure! I'd be more than happy to dump both cars, anything ya need. Would be pretty cool to be able to get more of the modules on the car to respond to open-source tools.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  10. #100
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    did two fun things tonight for the next version

    made the connection code faster, there's a checkbox in configuration that will speed up interfaces that are known not to be awful and are fairly low latency. it's off by default because flash tools need safe defaults.

    it also has some learning capability now, regarding the preemption delay factor, so if it always tends to connect with 2ms of preemption, that's the first thing it'll try next time to avoid too much initial guessing. if it has a high preempt value it'll tend towards allowing it to reduce (since it might just be a fluke it took so long that one time). it should speed up most connections without slowing down many.

    the mode 2 based sequential memory dump is done and it behaves kind of like a regular flash read but with no kernel, in fact it's almost better at reading the tside than the real flash routine which is kind of embarrassing considering all the extra work we've done. it's super primitive and doesn't do any region pre-mapping. it'll be nice to have. it should dump the rom for *anything* that supports mode 2 including the earlier non-flash capable ECMs in case anyone wants to do that.

    if you want to dump the ccm just use M2 read device in the advanced tab with device F1, i think it'll work. you can leave the size alone since we don't know how much ram the CCM has. if it crashes the CCM or something dumb like that it'll still save the bin. don't worry it's entirely safe.

    i'll have it up on the internets in a sec

    edit: okey dokey, 5.5 is up there, give it a shot

  11. #101
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Okay! Had a chance to test it out. I'm pleased to report that the read routine for the CCM worked on both cars, and I've attached both the BINs and logs to this post.

    I'm also pleased to report that on default settings, the new version of flashhack reduced the read time on my '95 from 3 minutes 7 seconds to 2 minutes 51 seconds. A whole 16 seconds faster, not bad at all. I can't currently test the '94 because it's a little low on charge and I loaned my tender out to a friend. It's about time to take her out of the garage to stretch her legs, though, so once she's had a good drive to charge the battery I'll try it again and see if it had any improvement too.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  12. #102
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    that's awesome that it worked. a first run disassembly revealed a few familiar routines. i doubt i'll have much time to work those over but they might be worth having a look at one day.

    the 94 and 95 are different enough in the program region where i think the main program had a pretty decent sized rewrite between those years, it doesn't just seem like some configuration changed.

    i can't imagine reflashing the ccm would have any real benefit but maybe we can find some cool tricks and exploit them just for fun. to be honest i don't know what the CCM even really does.

    i'm glad we can read arbitrary gm device code, i wonder if there are any other devices around we could dump roms on

  13. #103
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    I looked at the 2 files and they seem to have 32kb rom, eprom or external flash. 95 having some extra code at the end. Pretty similar though.

    There is 100 bytes ram on the processor and some ram mapped at 6000 area.

    I looked at the comm code but too far from anything. You can upload code and execute for sure.

    I know these ccms are very expensive to rebuild and some need vin and engine code set up to run correctly.

    Now that mode2 for random device is awesome idea. You might expand it to specify a custom ID[f1,f4,e4,f9 and so on] to run it on other modules.

    Master is not always the target.

  14. #104
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    > Now that mode2 for random device is awesome idea. You might expand it to specify a custom ID[f1,f4,e4,f9 and so on] to run it on other modules.
    >
    > Master is not always the target.

    it will work on anything that supports mode 2..

    you specify a device ID in hex and a maximum read size and press go.

    in fact the way that flashhack is designed, the flash processor doesn't know or care what the master device is. it just says 'make this request' and the interface layer makes sure that we have control over the bus before it sends it.

    give it a try

  15. #105
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    well my test bench ecm 8051 ECM is finally done

    the ESIDE just stopped booting out of nowhere. i have verified with a chip reader the bin that's on it is perfect, so obviously the re-socketing and torch abuse and constant chip removal-install has created some kind of connection fault that i can't trace.

    last time this happened i reflowed the socket and it came back to life, but not anymore. luckily i think it served its purpose and the EE flash tool is as good as it's going to get with maybe the odd bug fix here and there. i can start working on other ECMs.

    R.I.P.

    in other news certain bins have refused to install the recovery patch just on the e-side, if this happens it will complain, the fix is to just go to the parameters and disable that recovery rom patch for now. it'll still be 100x safer than any other flash tool assuming nobody comes and turns your key off during flashing.

    i'll try to figure out why it's happening and fix it for future releases.
