The seed/key pairs are word length, at least the ones I've seen. It can take up to 65536 tries to guess the key, assuming the PCM you're using has static seed/key pairs. Most of the V8 PCMs do. The PCM will send you a seed, and you then, using the seed and the appropriate security algorithm, send a key. The PCM also imposes a delay after you guess incorrectly three times, so it could take a day or more to guess the seed/key pair. An ELM will work for this, and it is a routine that you could easily write. Check out the archives on HPTuners for more info on the seed/key pairs.
Once the PCM does grant you security access, the reflash works something like this, at least in my Vortec PCM:
The PCM then expects you to request high speed data access. Once you do that, you then request to download the information from the PCM. The PCM will check and see if the engine is off, and the trans is in park. If that's met, then the PCM exits the main software loop and performs a soft reset and does diagnostics. If everything is OK, the PCM then enters a dedicated code loop in the boot sector that basically waits for and processes commands through the OBD-II port. Once the PCM is in this loop, you can then request downloads and uploads.
As for an actual reflash, the PCM DOES NOT contain the routines for a reflash. These must be transmitted to the PCM from an external device and loaded as a memory resident program within the PCM. This means that you need to obtain/write the software to allow you to reflash. Additionally, most PCMs have their flash chip locked. To unlock the flash, you have to enable an output within the PCM that sends +12V to the write protect pin, which unlocks the flash chip and allows you to interface with it, erase it, etc. In my PCM, the write protect is tied to the voltage regulator, and there is a gated output tied to the MCU that triggers the vreg to send +12V to the flash chip to unlock it. You also must have at least 12.2V at the PCM or more to reflash, or the chip will remain locked.
This isn't easy, and the ELM will likely not work for the reflashing part. It's certainly possible, though. But, you will at least need an interface that can do VPW 4x high speed data transfer as well as have the ability to transmit large blocks of data. I don't think the ELM could handle anything larger than the typical diagnostic OBD message frame. I got around the whole reflash issue with my Vortec PCM by installing an external socket so I could use my own flash chips and PP-II to tune. If you have a single flash chip, this is an easy way to slum it rather than pay hundreds of dollars for the professional stuff. If you have a hack for your PCM (I had to generate my own), you can then use TunerPro to tune once you've written the needed XDF files.
Last edited by dimented24x7; 01-13-2010 at 01:08 AM.
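The security-access exchange described in the post above (the PCM hands out a seed, the tester answers with a key, and three wrong keys trigger a delay) can be modelled from the PCM side. The following is an added example, not code from the original post or from any PCM firmware: it simulates a PCM that holds a static seed/key pair, enforces the three-strike lockout, and computes how the lockout stretches an exhaustive search of the two-byte keyspace. The key value, the lockout length and the per-attempt time are assumptions (the post only says the delay makes the search take "a day or more"); the seed 05 BC is the one quoted later in the thread.

```python
import time

KEYSPACE = 1 << 16        # two-byte ("word length") seed/key, as the post describes
MAX_FAILURES = 3          # the PCM imposes a delay after three wrong keys
LOCKOUT_SECONDS = 10.0    # assumed lockout length; the post does not state the real value


class SeedKeyServer:
    """Simulated PCM-side security access with a static seed/key pair.

    The clock is injectable so the lockout can be tested without sleeping.
    """

    def __init__(self, seed, key, lockout=LOCKOUT_SECONDS,
                 max_failures=MAX_FAILURES, clock=time.monotonic):
        self.seed = seed
        self.key = key
        self.lockout = lockout
        self.max_failures = max_failures
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.unlocked = False

    def request_seed(self):
        # A static pair means the same seed is returned on every request.
        return self.seed

    def send_key(self, key):
        now = self.clock()
        if now < self.locked_until:
            return "locked"            # still inside the delay window, key not even checked
        if key == self.key:
            self.unlocked = True
            self.failures = 0
            return "granted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout
            return "denied_lockout"    # third miss starts the delay
        return "denied"


def worst_case_search_seconds(keyspace=KEYSPACE, max_failures=MAX_FAILURES,
                              lockout=LOCKOUT_SECONDS, per_try=0.05):
    """Upper bound on wall-clock time to try every key against this policy.

    With the correct key tried last, keyspace - 1 attempts fail, and every
    max_failures of those failures costs one full lockout.
    """
    failures = keyspace - 1
    lockouts = failures // max_failures
    return keyspace * per_try + lockouts * lockout


if __name__ == "__main__":
    # Constructed demo: seed 05 BC from the thread, key 0x1234 is made up.
    t = [0.0]
    pcm = SeedKeyServer(seed=0x05BC, key=0x1234, clock=lambda: t[0])
    print("seed:", hex(pcm.request_seed()))
    for guess in (0x0001, 0x0002, 0x0003, 0x1234):
        print(hex(guess), "->", pcm.send_key(guess))
    t[0] = LOCKOUT_SECONDS
    print(hex(0x1234), "after lockout ->", pcm.send_key(0x1234))
    secs = worst_case_search_seconds()
    print("worst-case exhaustive search: %.1f s (%.2f days)" % (secs, secs / 86400))
```

The point of the second function is the one the post makes: the 16-bit keyspace alone is small, and it is the lockout, not the key length, that pushes a full search out to days. A PCM that used per-session seeds, or a longer lockout, would change that arithmetic considerably.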
Also, here is the hack that I did for the 98 Vortec PCM. Although this is likely to be different from any of your OBD-II, and certainly the OBD-1.5 PCMs, it does give some idea of what's inside. I have most of the OBD-II comm. routines commented. They're primarily in the first part of the hack from address 0x0400 and onward. The hack is some 300,000 lines long, so you will need to use the search to find things.
I've seen that one on the Moates site before. I always wondered who was cracking OBD2 PCMs in the DIY community!
1995 Monte Carlo LS 3100, 4T60E, OBD1 Conversion...for now, future plans include a 3900, T04E-46 (Knock-Off) turbo (For the 3100, ~T61 for the 3900), and a F40.
It looks like it may work. They give the option to allow non-formatted raw messages to be sent, which is what you would need when performing a reflash.
Also looks like we can communicate with the ECU through this via Hyperterminal or similar the same way as the Elm327, which means I should be able to convert all my Elm Apps I made to this.
On another note, I quickly wired up a '01 Impala ECM today, put all Bat/Ign feeds to one and all grounds to one then to the battery, wired up a DLC to the data line but I am not getting any communications, even with the Tech2 data seems to be flickering on/off.
Piss me OFF! Might be a bad PCM, it was from the wreckers when I got the engine harness for my swap, but the PCM was removed and just sitting on the driver's seat.
$60 down the tube lol, hope to have another to try this up coming week.
Pretty sure it should communicate with just all the Bat & Ign feeds to positive and grounds to negative, then just the Class 2 line?
Turns out the PCM wasn't bad, just missed a ground.
I am currently checking my app for getting the key, needs to be optimized for sure, it is slow.
Have tried about 800 keys this evening, only a possible approx 64200 left to try lol.
I know my Seed is
05 BC
Wish I had the key already to check if app is working.
Will suck to have it run 5 days to find out I have an error somewhere lol.
I have found a way to double the speed of the brute force attack, but still tweaking the code so I am still using my slower first version, been about 2 days and I am almost 40% done checking all keys lol.