Sophie Dexter
Just4Trionic - CAN and BDM FLASH programmer for Saab cars
t8utils.cpp
- Committer:
- Just4pLeisure
- Date:
- 2013-09-11
- Revision:
- 4:682d96ff6d79
- Child:
- 5:1775b4b13232
File content as of revision 4:682d96ff6d79:
/*******************************************************************************
t7utils.cpp
(c) 2011, 2012 by Sophie Dexter
portions (c) Tomi Liljemark (firstname.surname@gmail.com)
This C++ module provides functions for communicating simple messages to and from
the T7 ECU
********************************************************************************
WARNING: Use at your own risk, sadly this software comes with no guarantees.
This software is provided 'free' and in good faith, but the author does not
accept liability for any damage arising from its use.
*******************************************************************************/
#include "t8utils.h"
Timer TesterPresent;
//
// t8_initialise
//
// sends an initialisation message to the T7 ECU
// but doesn't displays anything.
//
// inputs: none
// return: bool TRUE if there was a message, FALSE if no message.
//
bool t8_initialise()
{
return TRUE;
}
bool t8_show_VIN()
{
uint16_t i;
char T8TxFlo[] = T8FLOCTL;
char T8TxMsg[] = T8REQVIN;
char T8RxMsg[8];
printf("Requesting VIN from T8...\r\n");
// Send "Request VIN" to Trionic8
if (!can_send_timeout (T8TSTRID, T8TxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
// wait for the T8 to reply
// Read "Seed"
// if a message is not received id return false
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
//* DEBUG info...
for (i = 0; i < 8; i++ ) printf("0x%02X ", T8RxMsg[i] );
printf("\r\n");
for (i = 5; i < 8; i++ ) printf("%c", T8RxMsg[i] );
printf("\r\n");
// Send Trionic8 a "Flow Control Message to get the rest of the VIN
if (!can_send_timeout (T8TSTRID, T8TxFlo, 8, T8MESSAGETIMEOUT))
return FALSE;
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
//* DEBUG info...
for (i = 0; i < 8; i++ ) printf("0x%02X ", T8RxMsg[i] );
printf("\r\n");
for (i = 1; i < 8; i++ ) printf("%c", T8RxMsg[i] );
printf("\r\n");
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
//* DEBUG info...
for (i = 0; i < 8; i++ ) printf("0x%02X ", T8RxMsg[i] );
printf("\r\n");
for (i = 1; i < 8; i++ ) printf("%c", T8RxMsg[i] );
printf("\r\n");
//*/
return TRUE;
}
bool t8_write_VIN()
{
char SetVin10[] = {0x10,0x13,0x3B,0x90,0x59,0x53,0x33,0x46};
char SetVin21[] = {0x21,0x46,0x34,0x35,0x53,0x38,0x33,0x31};
// char SetVin22[] = {0x22,0x30,0x30,0x32,0x33,0x34,0x30,0xaa}; // Original
char SetVin22[] = {0x22,0x30,0x30,0x34,0x33,0x32,0x31,0x00};
char T8RxMsg[8];
char k = 0;
// GMLANTesterPresentT8();
// wait_ms(2000);
//
// printf("Requesting Security Access\r\n");
// if (!t8_authenticate(0x01)) {
// printf("Unable to get Security Access\r\n");
// return FALSE;
// }
// printf("Security Access Granted\r\n");
//
// GMLANTesterPresentT8();
// wait_ms(2000);
//
// GMLANTesterPresentT8();
// wait_ms(2000);
//
if (!can_send_timeout (T8TSTRID, SetVin10, 8, T8MESSAGETIMEOUT)) {
printf("Unable to write VIN\r\n");
return FALSE;
}
for (k = 0; k < 8; k++ ) printf("0x%02X ", SetVin10[k] );
printf("\r\n");
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
for (k = 0; k < 8; k++ ) printf("0x%02X ", T8RxMsg[k] );
printf("\r\n");
// wait_ms(100);
if (!can_send_timeout (T8TSTRID, SetVin21, 8, T8MESSAGETIMEOUT)) {
printf("Unable to write VIN\r\n");
return FALSE;
}
for (k = 0; k < 8; k++ ) printf("0x%02X ", SetVin21[k] );
printf("\r\n");
// wait_ms(100);
if (!can_send_timeout (T8TSTRID, SetVin22, 8, T8MESSAGETIMEOUT)) {
printf("Unable to write VIN\r\n");
return FALSE;
}
for (k = 0; k < 8; k++ ) printf("0x%02X ", SetVin22[k] );
printf("\r\n");
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
for (k = 0; k < 8; k++ ) printf("0x%02X ", T8RxMsg[k] );
printf("\r\n");
return TRUE;
// GMLANTesterPresentT8();
// wait_ms(2000);
//
}
//
// t8_authenticate
//
// sends an authentication message to the T7 ECU
// but doesn't display anything.
//
// inputs: none
// return: bool TRUE if there was a message, FALSE if no message.
//
bool t8_authenticate(char level)
{
uint16_t seed, key;
if (!GMLANSecurityAccessRequest(level, seed)) {
printf("Unable to request SEED value for security access\r\n");
return FALSE;
}
if ( seed == 0x0000 ) {
printf("T8 ECU is already unlocked\r\n");
return TRUE;
}
key = (seed >> 5) | (seed << 11);
key += 0xB988;
if (level == 0xFD) {
key /= 3;
key ^= 0x8749;
key += 0x0ACF;
key ^= 0x81BF;
} else if (level == 0xFB) {
key ^= 0x8749;
key += 0x06D3;
key ^= 0xCFDF;
}
/* CIM KEY CALCULATION
uint16_t key = (seed + 0x9130);
key = (key >> 8) | (key << 8);
key -= 0x3FC7;
*/
if (!GMLANSecurityAccessSendKey(level, key)) {
printf("Unable to send KEY value for security access\r\n");
return FALSE;
}
printf("Key Accepted\r\n");
return TRUE;
}
//
// t8_dump
//
// dumps the T8 BIN File
// but doesn't displays anything.
//
// inputs: none
// return: bool TRUE if there was a message, FALSE if no message.
//
bool t8_dump()
{
uint16_t i = 0, k = 0;
char T8TxMsg[8];
char T8RxMsg[8];
timer.reset();
timer.start();
printf("Creating FLASH dump file...\r\n");
//
GMLANTesterPresentT8();
//
if (!GMLANprogrammingSetupProcess())
return FALSE;
//
wait_ms(500);
printf("Requesting Security Access\r\n");
if (!t8_authenticate(0x01)) {
printf("Unable to get Security Access\r\n");
return FALSE;
}
printf("Security Access Granted\r\n");
wait_ms(500);
GMLANTesterPresentT8();
//
char BootLoader[] = T8Bootloader;
if(!GMLANprogrammingUtilityFileProcess(BootLoader))
return FALSE;
//
uint32_t StartAddress = 0x0;
uint16_t txpnt = 0;
char iFrameNumber = 0x21;
//
printf("Downloading FLASH BIN file...\r\n");
printf("Creating FLASH dump file...\r\n");
FILE *fp = fopen("/local/original.bin", "w"); // Open "original.bin" on the local file system for writing
if (!fp) {
perror ("The following error occured");
return TERM_ERR;
}
printf(" 0.00 %% complete.\r");
TesterPresent.start();
while (StartAddress < 0x100000) { // 0x100000
T8TxMsg[0] = 0x06;
T8TxMsg[1] = 0x21;
T8TxMsg[2] = 0x80; // Blocksize
T8TxMsg[3] = (char) (StartAddress >> 24);
T8TxMsg[4] = (char) (StartAddress >> 16);
T8TxMsg[5] = (char) (StartAddress >> 8);
T8TxMsg[6] = (char) (StartAddress);
T8TxMsg[7] = 0xaa;
#ifdef DEBUG
printf("block %#.3f\r\n",timer.read());
#endif
if (!can_send_timeout (T8TSTRID, T8TxMsg, 7, T8MESSAGETIMEOUT)) {
printf("Unable to download FLASH\r\n");
return FALSE;
}
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
#ifdef DEBUG
printf("first %#.3f\r\n",timer.read());
for (k = 0; k < 8; k++ ) printf("0x%02X ", T8RxMsg[k] );
printf("\r\n");
#endif
txpnt = 0;
for (k = 4; k < 8; k++ ) file_buffer[txpnt++] = T8RxMsg[k];
uint8_t DataFrames = 0x12;
iFrameNumber = 0x21;
char T8TxFlo[] = T8FLOCTL;
#ifdef DEBUG
printf("flowCtrl %#.3f\r\n",timer.read());
#endif
can_send_timeout (T8TSTRID, T8TxFlo, 8, T8MESSAGETIMEOUT);
for (i = 0; i < DataFrames; i++) {
if (!can_wait_timeout(T8ECU_ID, T8RxMsg, 8, T8MESSAGETIMEOUT))
return FALSE;
#ifdef DEBUG
printf("Consec %#.3f\r\n",timer.read());
for (k = 0; k < 8; k++ ) printf("0x%02X ", T8RxMsg[k] );
printf("\r\n");
#endif
iFrameNumber++;
for (k = 1; k < 8; k++ ) file_buffer[txpnt++] = T8RxMsg[k];
}
fwrite((file_buffer), 1, 0x80, fp);
if (ferror (fp)) {
fclose (fp);
printf ("Error writing to the FLASH BIN file.\r\n");
return TERM_ERR;
}
StartAddress +=0x80;
printf("%6.2f\r", (100.0*(float)StartAddress)/(float)(0x100000) );
if (TesterPresent.read_ms() > 2000) {
GMLANTesterPresentT8();
TesterPresent.reset();
ACTIVITYLEDON;
}
}
printf("%6.2f\r\n", (float)100 );
timer.stop();
printf("SUCCESS! Getting the FLASH dump took %#.1f seconds.\r\n",timer.read());
fclose(fp);
return TRUE;
}
bool t8_erase()
{
printf("Erasing T8 ECU FLASH...\r\n");
printf("SUCCESS: The FLASH has been erased.\r\n");
return TRUE;
}
bool t8_flash_raw()
{
timer.reset();
timer.start();
printf("Checking the FLASH BIN file...\r\n");
timer.stop();
printf("SUCCESS! Programming the FLASH took %#.1f seconds.\r\n",timer.read());
return TRUE;
}
bool t8_flash()
{
uint16_t i = 0, j = 0, k = 0;
timer.reset();
timer.start();
printf("FLASHing T8 BIN file...\r\n");
//
GMLANTesterPresentT8();
//
if (!GMLANprogrammingSetupProcess())
return FALSE;
//
wait_ms(500);
printf("Requesting Security Access\r\n");
if (!t8_authenticate(0x01)) {
printf("Unable to get Security Access\r\n");
return FALSE;
}
printf("Security Access Granted\r\n");
wait_ms(500);
GMLANTesterPresentT8();
//
char BootLoader[] = T8BootloaderProg;
if(!GMLANprogrammingUtilityFileProcess(BootLoader))
return FALSE;
//
// All steps needed to transfer and start a bootloader ('Utility File' in GMLAN parlance)
// bool GMLANprogrammingUtilityFileProcess(char UtilityFile[]) {
// uint16_t i = 0, j = 0, k = 0;
uint32_t StartAddress = 0x020000;
uint16_t txpnt = 0;
char iFrameNumber = 0x21;
char GMLANMsg[8];
char data2Send[0xE0];
//
// fopen modified.hex here, check it is OK and work out how much data I need to send
// need lots of fcloses though
printf("Checking the FLASH BIN file...\r\n");
FILE *fp = fopen("/local/modified.hex", "r"); // Open "modified.hex" on the local file system for reading
if (!fp) {
printf("Error: I could not find the BIN file MODIFIED.HEX\r\n");;
return TERM_ERR;
}
// obtain file size - it should match the size of the FLASH chips:
fseek (fp , 0 , SEEK_END);
uint32_t file_size = ftell (fp);
rewind (fp);
// read the initial stack pointer value in the BIN file - it should match the value expected for the type of ECU
uint32_t stack_long = 0;
if (!fread(&stack_long,4,1,fp)) return TERM_ERR;
stack_long = (stack_long >> 24) | ((stack_long << 8) & 0x00FF0000) | ((stack_long >> 8) & 0x0000FF00) | (stack_long << 24);
//
if (file_size != T8FLASHSIZE || stack_long != T8POINTER) {
fclose(fp);
printf("The BIN file does not appear to be for a T8 ECU :-(\r\n");
printf("BIN file size: %#010x, FLASH chip size: %#010x, Pointer: %#010x.\r\n", file_size, T7FLASHSIZE, stack_long);
return TERM_ERR;
}
// It is possible to save some time by only sending the program code and CAL data
// This is just a rough calculation, and slight overestimate of the number of blocks of data needed to send the BIN file
uint32_t blocks2Send;
fseek(fp,0x020140,SEEK_SET);
if (!fread(&blocks2Send,4,1,fp)) return TERM_ERR;
blocks2Send = (blocks2Send >> 24) | ((blocks2Send << 8) & 0x00FF0000) | ((blocks2Send >> 8) & 0x0000FF00) | (blocks2Send << 24);
printf("Start address of BIN file's Footer area = 0x%06X\r\n", blocks2Send );
blocks2Send += 0x200; // Add some bytes for the Footer itself and to account for division rounded down later
blocks2Send -= 0x020000; // Remove 0x020000 because we don't send the bootblock and adaptation blocks
printf("Amount of data to send BIN file adjusted for footer = 0x%06X Bytes\r\n", blocks2Send );
blocks2Send /= 0xE0;
printf("Number of Blocks of 0xE0 Bytes needed to send BIN file = 0x%04X\r\n", blocks2Send );
// Move BIN file pointer to start of data
fseek (fp , 0x020000 , SEEK_SET);
// Erase the FLASH
printf("Waiting for FLASH to be Erased\r\n");
if (!GMLANRequestDownload(GMLANRequestDownloadModeEncrypted)) {
printf("Unable to erase the FLASH chip!\r\n");
return FALSE;
}
// Now send the BIN file
TesterPresent.start();
printf("Sending FLASH BIN file\r\n");
printf(" 0.00 %% complete.\r");
for (i=0; i<blocks2Send; i++) {
// get a block of 0xE0 bytes in an array called data2Send
for ( j = 0; j < 0xE0; j++ ) {
//data[k] = *(bin + bin_count++);
if (!fread(&data2Send[j],1,1,fp)) {
fclose(fp);
printf("Error reading the BIN file MODIFIED.HEX\r\n");
return FALSE;
}
// encrypt data2Send array by XORing with 6 different in a ring (modulo function)
switch ( ((0xE0*i)+j) %6) {
case 1:
data2Send[j] ^= 0x68;
break;
case 2:
data2Send[j] ^= 0x77;
break;
case 3:
data2Send[j] ^= 0x6D;
break;
case 4:
data2Send[j] ^= 0x47;
break;
default: // remainder 0 and 5 both XOR with 0x39
data2Send[j] ^= 0x39;
}
}
// Send the block of data
if (!GMLANDataTransferFirstFrame(0xE6, GMLANDOWNLOAD, StartAddress)) {
fclose(fp);
printf("Unable to start BIN File Upload\r\n");
return FALSE;
}
// Send 0x20 messages of 0x07 bytes each (0x20 * 0x07 = 0xE0)
txpnt = 0;
iFrameNumber = 0x21;
for (j=0; j < 0x20; j++) {
GMLANMsg[0] = iFrameNumber;
for (k=1; k<8; k++)
GMLANMsg[k] = data2Send[txpnt++];
#ifdef DEBUG
for (k = 0; k < 8; k++ ) printf("0x%02X ", GMLANMsg[k] );
printf("\r\n");
#endif
if (!can_send_timeout(T8RequestId, GMLANMsg, 8, GMLANPTCT)) {
fclose(fp);
printf("Unable to send BIN File\r\n");
return FALSE;
}
++iFrameNumber &= 0x2F;
// wait_ms(1);
wait_us(250);
}
if (!can_wait_timeout(T8ResponseId, GMLANMsg, 8, GMLANPTCT)) {
fclose(fp);
printf("I did not receive a block acknowledge message\r\n");
return FALSE;
}
while (GMLANMsg[0] == 0x03 && GMLANMsg[1] == 0x7F && GMLANMsg[2] == 0x36 && GMLANMsg[3] == 0x78) {
printf("I'm waiting for a Block to be programmed into FLASH\r\n");
if (!can_wait_timeout(T8ResponseId, GMLANMsg, 8, GMLANPTCTENHANCED)) {
printf("I did not receive a block acknowledge message after enhanced timeout\r\n");
fclose(fp);
return FALSE;
}
}
#ifdef DEBUG
for (k = 0; k < 8; k++ ) printf("0x%02X ", GMLANMsg[k] );
printf("\r\n");
#endif
if ( GMLANMsg[0] == 0x03 && GMLANMsg[1] == 0x7F && GMLANMsg[2] == 0x36 ) {
GMLANShowReturnCode(GMLANMsg[3]);
fclose(fp);
return FALSE;
}
if (GMLANMsg[0] != 0x01 && GMLANMsg[1] != 0x76) {
printf("EXITING due to an unexpected CAN message");
fclose(fp);
return FALSE;
}
if (TesterPresent.read_ms() > 2000) {
GMLANTesterPresentT8();
TesterPresent.reset();
ACTIVITYLEDON;
}
StartAddress += 0xE0;
printf("%6.2f\r", (100.0*(float)i)/(float)(blocks2Send) );
}
// FLASHing complete
printf("%6.2f\r\n", (float)100 );
// End programming session and return to normal mode
if (!GMLANReturnToNormalMode()) {
fclose(fp);
printf("UH-OH! T8 ECU did not Return To Normal Mode!!\r\n");
return FALSE;
}
wait_ms(1000);
timer.stop();
printf("SUCCESS! FLASHing the BIN file took %#.1f seconds.\r\n",timer.read());
fclose(fp);
return TRUE;
}