First, I want to wish everyone a happy holidays as we leave 2005, and start 2006.

In the last few weeks, I have been staying up extremely late working on the cracking the algorithums to the GM PCM product line. I did not do it by myself, my wife actually wrote the formulas in MatLab, and between her math skills, and my understanding of how OBDII code works, we together cracked all 256 formulas for the Seed and Key process of the PCM. This one area has kept many companies from going forward with software and hardware for editing the PCM on GM cars and trucks.

My reason for doing this was HP Tuners has made posts that they will not be supporting 2.0L EcoTec platforms on 1.x hardware and software. The P12 PCM is a VPW interface, with 8 CAL segments just like the 04 V6 PCM. There is no reason that 1.x hardware and software cannot work with productline.

My intentions with the new information I have is use my VPW (AVT716 if you are intertested in what I have) interface that works on all GM VPW PCM's to upload and download. This will allow raw BIN files to come out of the PCM and upload back to the PCM. HP Tuners also decided with 2.x software to encrypt the BIN files coming from their software. I know exactly why they do this, and it the other reason a VPW interface needs to be on the market that can bring BIN files from the PCM and back to the PCM, for a before and after comparsion. Table mapping becomes alot easier. All the companies that have editing software today can upload and download every PCM that they have bootloaders, and seed and key algros for. So they sit there and reverse each others tables. All they have to do is buy a cable for that product line and get a before PCM BIN, and then an after PCM BIN of the editing of the tables.

I need a programmer that knows flash chips. I need a bootloader and to understand how it works. I have a bootloader for a 28F010 now today, but the V6 PCM;s have a 28F400, and I think the 1 meg PCM's have a different flash chip also.

So, anyone interested in helping with this will get me closer to being able to edit the LS4 5.3L engine, and the LSJ 2.0L supercharged engine. These are not supported today, and I need to be able to tune these for my installs.

Loyde

Well you lost me after Happy Holidays

I wish you the best in working with all the new PCMs...I'd like to do a modern engine swap someday like the ecotec. It looks like you are having fun with it.

I can't help you crack the codes. I will offer my encouragement, keep up the good work.

I can't begin to imagine the time and aggravation involved in doing this. I know we'll all appreciate it in the end!

------------------
4 Indys, 1 is A/C delete
84 Black/Silver T-top custom
85 GT speedster project
86 GT Yellow
88 GT White, T-top, 5 speed.

However......
"Time is the most precious and perishable of my possessions."

Buy IRM, again! at www.fierowarehouse.com

didn't you post about this before?

I swear I have read about this.

quote Originally posted by pokeyfiero: didn't you post about this before? I swear I have read about this.

I only had a V8 algro, and it is really not 100% correct. It gets passed around the internet alot, and I see why it works on "most" LS1 PCMs, but not all of them.

I posted in the past I cracked the checksums for the V6 PCMs to "fix" DHP code in a PCM so it can be tuned with HP tuners software. I no longer do this for people however. I have tried to fix my damage with DHP back to friendship level at the least. I respect Charles and his hard work in hacking PCM's as we know it today. It requires 100's of hours of reading, and buying very expensive software to do some crazy operations on formulas. He is NOT helping me at this time with the work I am currently doing, and I do not expect him to.

Just recently I got V2Spy. It can sniff the communications of the upload and download of the VPW data transfer up to the point of 4X operation. Then it cannot sniff that datastream again until it drops back out of 4x to 10.4Kbs... Then the hardware to sniff with is the AVT 716. I will get my VPW interface to run at 10.4 during the entire write session so I can capture the whole process soon. ( I hope )...

Loyde

oh I understand now. yeah right!!!!

I barely have a clue what your talking about, but I did read an article about some discussion about legislation requiring auto manufactures to release the source code for all the on board electronics. It's called the "right to repair" as it's getting increasingly difficult and expensive for third party mechanics to work on new cars.

Manufacturers are not happy with the idea obviously but maybe it will help with what you are trying to do?

I find this whole subject of ECM manipulation to be fascinating.
I recently purchased the OBD2 version of TunerCat, but have yet to even install it. Holiday madness and such.

If you are getting in there and reverse engineering the code, then you have my admiration.
Wish I knew enough to help. Unfortunately...

I give you an A+ Loyde. Good jorb.

Anyway speaking of pcm's, give me a call next week sometime when you have a chance. Need to talk about getting amirs program done. Im about ready to put this beast of an L67 back in his formula. They have been separated now for about a year.

oh and Merry birthday Jesus, and happy haunakha and kwanzaa and whatever else. 2005 sucked. I hope 06 will be better

[This message has been edited by fieroX (edited 12-24-2005).]

Good luck with that, I don't know what you said though . BTW, you have a PM!

quote Originally posted by fieroX: 2005 sucked. I hope 06 will be better

I hate odd numbered years, 06 has to be better.

Sweet, now that part of the code cracking is done, will you be working on Engine harnesses?

quote Originally posted by jscott1: I barely have a clue what your talking about, but I did read an article about some discussion about legislation requiring auto manufactures to release the source code for all the on board electronics. It's called the "right to repair" as it's getting increasingly difficult and expensive for third party mechanics to work on new cars. Manufacturers are not happy with the idea obviously but maybe it will help with what you are trying to do?

And it's a buncha BS so Autozone , Pepboys etc can take the fruits of the manufacturers labor and take it for free, build cheaper parts since they didn't have to pay for development and make more money... No one needs to have the PCM source code to repair a vehicle. Right to Repair is a money grab attempt by the parts industry. Everything I need to fix any modern car is available to me for a price. They are selling the bill on the idea that it should all be free.

Good work FastFieros! Really dont have a clue whats going on but good work and a "+" for you!

Jason

does it use a standard checksum or something custom? and is it in binary,hex,dec etc..

quote Originally posted by FastFieros: First, I want to wish everyone a happy holidays as we leave 2005, and start 2006. In the last few weeks, I have been staying up extremely late working on the cracking the algorithums to the GM PCM product line. I did not do it by myself, my wife actually wrote the formulas in MatLab, and between her math skills, and my understanding of how OBDII code works, we together cracked all 256 formulas for the Seed and Key process of the PCM. This one area has kept many companies from going forward with software and hardware for editing the PCM on GM cars and trucks. My reason for doing this was HP Tuners has made posts that they will not be supporting 2.0L EcoTec platforms on 1.x hardware and software. The P12 PCM is a VPW interface, with 8 CAL segments just like the 04 V6 PCM. There is no reason that 1.x hardware and software cannot work with productline. My intentions with the new information I have is use my VPW (AVT716 if you are intertested in what I have) interface that works on all GM VPW PCM's to upload and download. This will allow raw BIN files to come out of the PCM and upload back to the PCM. HP Tuners also decided with 2.x software to encrypt the BIN files coming from their software. I know exactly why they do this, and it the other reason a VPW interface needs to be on the market that can bring BIN files from the PCM and back to the PCM, for a before and after comparsion. Table mapping becomes alot easier. All the companies that have editing software today can upload and download every PCM that they have bootloaders, and seed and key algros for. So they sit there and reverse each others tables. All they have to do is buy a cable for that product line and get a before PCM BIN, and then an after PCM BIN of the editing of the tables. I need a programmer that knows flash chips. I need a bootloader and to understand how it works. I have a bootloader for a 28F010 now today, but the V6 PCM;s have a 28F400, and I think the 1 meg PCM's have a different flash chip also. So, anyone interested in helping with this will get me closer to being able to edit the LS4 5.3L engine, and the LSJ 2.0L supercharged engine. These are not supported today, and I need to be able to tune these for my installs. Loyde

I converted that to binary, might be easier to understand
0111010101101110011001010111001001110011001000000110020101101100011100110110111100100000011001000110010101
lol since EVERYONE is complaining, lol I shortened it, but it still makes just as much sense

[This message has been edited by 86GT3.4DOHC (edited 12-25-2005).]

quote Originally posted by 86GT3.4DOHC: I converted that to binary, might be easier to understand 01000110011010010111001001110011011101 {SNIP}

Thanks for making the thread so easy to read, anus.

Could you trim your line length a bit so people can read the posts without scrolling?

[This message has been edited by edhering (edited 12-25-2005).]

thats crazy binary, for second i thought i saw a 2.....

loyde, that was completely almost sensical to me..... gl with your endeavours, i bet that 2.0sc motor would be awesome in a fiero, it was sweet in the redline i test drove once again, you da man.

quote Originally posted by edhering: Thanks for making the thread so easy to read, anus. Could you trim your line length a bit so people can read the posts without scrolling?

I shortened it up a bit

you mean trim? like its too wide for you screen? Doesnt everone have widescreen displays and 1920x1200 resolution? :P guess not.
I have no idea what so ever how im supposed to make the posts narrower
though I will try to hit enter more often. The text should word-wrap I would think but if you;re
saying it doesnt, Ive been doing this all along and no one has ever mentioned
it before. And if that post above is still to long I can convert it to octal if you prefer.

quote Originally posted by 86GT3.4DOHC: I shortened it up a bit .

It's still too wide for my screen. Normal text will word wrap, but there has to be a space in there somewhere for it to break. Otherwise it defaults to some number far in excess of 1024 or some other "normal" width.

Happy Holidays!

I guessing there are no Intel chip specialists here on PFF...

The flash chip is the 28F400 in the 3800SC PCM, but the EcoTec PCM has the 28F800. 512k vs 1 meg.

I know what a bootloader looks like, and I know it runs in the MCU, but I am just not sure if I send it in S19 format, or Hex. I cant just play at sending commands to the PCM. Once you write $FF in the flash chip, you better have a valid program right behind it, or the PCM is a nice paper weight.

Loyde

quote Originally posted by jscott1: I barely have a clue what your talking about, but I did read an article about some discussion about legislation requiring auto manufactures to release the source code for all the on board electronics. It's called the "right to repair" as it's getting increasingly difficult and expensive for third party mechanics to work on new cars. Manufacturers are not happy with the idea obviously but maybe it will help with what you are trying to do?

Do you have a link to this article? I'd be very interested...

PS - intel sucks.

The article is based on J2534 most likely.

J2534 has to be purchased from SAE. I was going to get it, but then found that the legislation is all about "pass thur" programming only. Link on J2534 from SAE
http://www.sae.org/servlets/productDetail?PROD_TYP=STD&PROD_CD=J2534/1_200412

The Tech 2 is pass thur programming. This is what all the automotive shops want for a cheaper price than a Tech 2. So, some guidelines were put in place to build hardware and software that protects GM's seed and key algor, and then, should not be used for DOWNLOADING the PCM. Seems SAE and EPA find that downloading the PCM is not a diagnostic featured needed in J2534. IF you happen to find the white paper on J2534, please send me the link. It is only $50 from SAE, but I didnt see needing to buy it since it only covers uploading.

White paper J2190-1 is the one to read for better understanding of PCM programming. Here it is if you like http://www.fastfieros.com/obdii/j2190_1.pdf ( right click save as is faster )

Loyde

[This message has been edited by FastFieros (edited 12-25-2005).]

Why not just give GM a phone call for the code? Customer Service??? Tell them you got it all figured out except for a
few bytes here and there before posting it on the internet..

[This message has been edited by Spoon (edited 12-25-2005).]

Actually, I have a inside contact or two for GM employee's... One of them response last week was

"Unfortunately, that type of information is confidential. I cannot provide any assistance on downloading or modifying a calibration. I would love to, but any modification would make the vehicle non compliant for emissions."

OK, everyone with a FastFieros PCM is advise that it was intended for "OFF ROAD USE ONLY" ! Where have you seen that statement a few times.

Loyde

quote Originally posted by FastFieros: OK, everyone with a FastFieros PCM is advise that it was intended for "OFF ROAD USE ONLY" !

Crap...

I just put the drop springs in the front end and took the tail end coil-overs down as far as they would go.
Time to bring the 4x4 "look" back I guess.

Can’t help with the ECM flash though, it's about 2 pay grades above my current level of understanding; Ok, 3-4 actually.
Congrats to your wife on cracking the code. That in and of itself you'd think would make companies like HPT and TunerCat at least want to see if there was the opportunity to go in on getting those computer able to be played with by the above average tuner.
If the door has been opened, & its just taking a little hardware “fudging” to get what you need, sounds like you are well on the way.

I can’t believe that they won’t even consider it. With the "tuner" market being what it is, I'd think that they'd be at your door with offers in hand to get this figured out. Sounds like a pretty seriously untapped market.

Good Luck and Merry Christmas.

--Allen

quote Originally posted by mcaanda: Crap... I just put the drop springs in the front end and took the tail end coil-overs down as far as they would go. Time to bring the 4x4 "look" back I guess. Can’t help with the ECM flash though, it's about 2 pay grades above my current level of understanding; Ok, 3-4 actually. Congrats to your wife on cracking the code. That in and of itself you'd think would make companies like HPT and TunerCat at least want to see if there was the opportunity to go in on getting those computer able to be played with by the above average tuner. If the door has been opened, & its just taking a little hardware “fudging” to get what you need, sounds like you are well on the way. I can’t believe that they won’t even consider it. With the "tuner" market being what it is, I'd think that they'd be at your door with offers in hand to get this figured out. Sounds like a pretty seriously untapped market. Good Luck and Merry Christmas. --Allen

Hey, I will cross ship you another PCM if you just email me those codes and what changes you want in it....I learn to forgive and forget a long time ago.. I been married 3 times.

My wife is smart with MatLab, but she sure could not have done it without me finally cracking the ONE and only one I could figure out on paper... The 3800SC algro.. I set there and messed with that thing for hours trying to get the seed of $4172 to equal key $44D9. Finally, when I did that on paper, she was like " you did not give me enough data to write the formulas". I was like, if I had know the darn data to begin with, I would have cracked the formulas in May of this year. Well with that, we figured out the rest of the formulas, and there is 256.. Its funny, I have emailed a couple of tuners and they think there is only 63. I believe they need to dig a little deeper on their code.

Merry Christmas...

Loyde

quote Originally posted by FastFieros: I set there and messed with that thing for hours trying to get the seed of $4172 to equal key $44D9...

I haven't got any idea what you're talking about, but I'm impressed nonetheless. Good job!

Hey Loyde,

Happy New Year to you and Linglin.

I can't help with the reprogramming you need but I can change a headlight if you need it! Just let me know!

John & Galia

Frequently I get lost trying to follow threads in the technical section, but this one has totally blown me away. Based on the vast majority of responses I have read, I'm not in the boat alone.

------------------
Ron
Freedom isn't Free, it's always earned.
My imagination is the only limiting factor to my Fiero. Well, there is that money issue.

quote Originally posted by Formula: does it use a standard checksum or something custom? and is it in binary,hex,dec etc..

A CheckSum is easy. It is usually just adding a block of data and substracting a few bytes...

A piece of the V6 checksum is

Add $0000-$3FFF skip the OSID minus AAFF = a HEX result. This result is in the BIN file. There is a flag to turn off checksum reading, but the PCM can go to a no start situation if that is not done right. Remember DHP sent several PCM's out in the begaining because they flagged CSUM off. Then the OSID was flagged wrong also so no one could figure out what year model the code came from. This can cause a no start.

Then you have to remember if it is Little Endian or Big Endian

I have been studing this stuff off and on for about 3 years now, but usually very late at night since I have to do the hardware part of installs in the day.

I wish I had studied C++ and VB in the pass. I tried once, but found it very boring. Now, reading assembly is just way overtaxing on the mind. The BIN has to be broke down in IDA data rescue, and I can barely use that software. Its all assembly language.

This bootloader I seek starts out in assembly, then it is converted to hex, but then, I am unclear if it is sent to the PCM as S19 record, or you send the hex. Here is a piece of the one I have for the 28F010

BLOCKSIZE equ 1024
FLASHBASEADDR equ 0
FLASHSIZE equ $40000
DONEADDR equ FLASHBASEADDR+FLASHSIZE

* Set the origin of the program to $FFC090.
org $FFFFC090

* Check out the voltage and accessory chip IDs.
ori.w #$700,SR ;Enable interrupts
bsr.w WHATISTHIS ;???
bsr.w CHKVOLTAND ;Check voltage and ???
movea.w #FLASHBASEADDR,A0 ;Set A0 = 0
bsr.w CHKFLCODES ;Verify that Flash is right type

READLOOP:
andi.w #$F8FF,SR ;Disable interrupts
move.w #0,D0 ;(was a 0)
bsr.w TIMEDELAY ;(#8: time delay 0)
ori.w #$700,SR ;Enable interrupts
move.b #$65,D0 ;Define condition code = 65
bsr.w SENDMESSAGE ;send the 65 response
move.w #$200,($FF9000).L ;Set DLCP = flush byte, 1X mode
andi.w #$F8FF,SR ;Disable interrupts
moveq.l #5,D7 ;subroutine #5 (get next message)
bsr.w EXECSUBROUTINE
ori.w #$700,SR ;Enable interrupts

From this it is checking the battery voltage before any flash attempt is made,
it is setting the mode transfer to 1X which is 10.4Kps...

Then it goes on and on to the address of the chip structure, and this is where I have to change all this to the 28F400 and I know the P12 PCM now is the 28F800.

Anyone ! Anyone !

Loyde

you are the man loyd u can do it!

What's even more impressive is that your wife understands what you're talking about.

just.. damn.

Well im following you a little more but.. still think this pretty much sums it up

But keep up the good work

Why not alter the code that you have for the ECM that is looking for the battery voltage, for what it is to which you seek? I know that it’s going to take a little code writing, but it shouldn’t be too difficult.

I see in the code that you are setting initial values to 0, flushing the ECM of what can be possible old / prior data so that any and all new information that is received by the ECM is that of the current query, and checking to ensure that the flash being received is correct. ie:

movea.w #FLASHBASEADDR,A0 ;Set A0 = 0
bsr.w CHKFLCODES ;Verify that Flash is right type

This would seem that the ECM is able to “respond to commands” for which it is being asked dependent on the input to which is being received, ie verify if the “flash” is of the correct type. You can get a yes / no answer to this….yes / no?

This also peeked my interest:

bsr.w EXECSUBROUTINE

Is this not an executable command of a subroutine that is listed in the memory of the chip? If you were able to access this memory and write a subroutine to which gave you a say, “0” for the hex code required, or a 1 for the S19 record as required by the chip, would this not be able to guide you in the quest to list what it is that the chip is seeking as an input?

Using this, you’d be able to slip in a subroutine to an existing routine to which you have access and control over obtaining a value you desire.

Or….ahh damn it, I just accidentally deleted it and its late. If this has been of any help LMK, and I will ponder it a little more over my Eggo Waffles and coffee in the morning.
I'll get w/ ya later on the ECM stuff here a bit later this week. Im going to be out of town for some time here very shortly, so it might be best to take care of that a little later on after I return.

Here's the bunny with a pancake on its head for ya just incase I was completely and totally off key:

[This message has been edited by mcaanda (edited 12-26-2005).]

I am sure these guys could help
far better then we can
and would be very interested in your results

http://www.diy-efi.org/

good luck

------------------
Question wonder and be wierd
are you kind?