
Elm327 or similar device


  • #16
    Seriously, if you guys are using Windows, that is the first big road block.

    Man, try Linux. The doors are wide open with Linux. Ubuntu is an easy first time Linux OS.

    You would be very amazed how much BS control Windows forces on us all.

    For example, many data files, when opened in a Windows text editor, look like an alien language. In Linux, it is in understandable code that one can pry through.


    I would never use Windows to gain access to a system designed to be secured, i.e. cell phones, cameras, game systems, etc.

    If you want to change PCM data w/o purchasing the equipment, try Linux.

    I can't say it will work for sure, I never tried it and don't feel like sifting through all that data and changing code one-by-one for hundreds of tables possibly grenading my engine.

    In a month or two I will have more to say about this. I'm deeply curious now.



    • #17
      I have my ancient laptop (bought it brand new just before XP came out) dual booting Xubuntu and XP Pro SP3. I've messed around with it but really haven't been able to do much with it because of getting irritated with not being able to figure some stuff out. Example. I have 5 partitions on it, 1 for Windows, 3 for Xubuntu (1 main, 1 swap and I forgot the other one) and then 1 that was supposed to be in a format both Windows and Xubuntu could read to use as a place to stash stuff for both OS's to use. I guess I should go get a Linux for dummies book at the library, but right now I don't have the time to learn another OS.

      So planthax, when you say Seed/Key, what exactly is that? Like a handshake to exchange data type thing by way of commands type of deal?
      -60v6's 2nd Jon M.
      91 Black Lumina Z34-5 speed
      92 Black Lumina Z34 5 speed (getting there, slowly... follow the progress here)
      94 Red Ford Ranger 2WD-5 speed
      Originally posted by Jay Leno
      Tires are cheap clutches...



      • #18
        Originally posted by pocket-rocket
        I have my ancient laptop (bought it brand new just before XP came out) dual booting Xubuntu and XP Pro SP3. I've messed around with it but really haven't been able to do much with it because of getting irritated with not being able to figure some stuff out. Example. I have 5 partitions on it, 1 for Windows, 3 for Xubuntu (1 main, 1 swap and I forgot the other one) and then 1 that was supposed to be in a format both Windows and Xubuntu could read to use as a place to stash stuff for both OS's to use. I guess I should go get a Linux for dummies book at the library, but right now I don't have the time to learn another OS.
        There is a learning curve, no doubt. But worth it in the long run. Can't say much about myself as I stopped using Ubuntu and Backtrack several months ago. Just had no real reason to use it lately. It is time consuming.



        • #19
          Easiest way for me to explain it as I am learning as I go,
          You need a key to get the bin from and to the PCM. With the seed, you pass it through an algorithm (if you know it; if not, you use trial and error till you get it) to get the key, then use that key to be able to get the bin or write the bin.


          I have a Linux base OS, but in this case it will not be needed.
          As of April 2
          3rd Gen Cavy has 3500 Installed!
          ----------------------------
          Engine: 2006 SV6 3500 LX9
          Trans: 2002 Getrag F23 5speed
          Pcm: 2001 Impala La1 3400 with complete Engine Harness.
          Injectors: #36 GTPs
          TB: 65mm TCE
          Maf: 1999 3400 Montana.
          Adjustable TCE Fuel pressure Regulator
          Walbro W1 255 pump from Racetronix.
          Beverages: Ice Cold CANADIAN.



          • #20
            So you brute-force the PCM to find the key to get it to transmit it. At least that's what it looks like to me. How large is the key? Could this happen in a few minutes, or would it take a week for a PC to get the right key?


            • #21
              The seed/key pairs are word length, at least the ones I've seen. It can take up to 65536 tries to guess the key, assuming the PCM you're using has static seed/key pairs. Most of the V8 PCMs do. The PCM will send you a seed, and you then, using the seed and appropriate security algorithm, send a key. The PCM also imposes a delay after you guess incorrectly three times, so it could take a day or more to guess the seed/key pair. This an ELM will work for, and is a routine that you could easily write. Check out the archives on HPTuners for more info on the seed/key pairs.

              Once the PCM does grant you security access then the reflash works something like this, at least in my Vortec PCM:

              The PCM then expects you to request high speed data access. Once you do that, you then request to download the information from the PCM. The PCM will check and see if the engine is off, and the trans is in park. If that's met, then the PCM exits the main software loop and performs a soft reset and does diagnostics. If everything is OK, the PCM then enters a dedicated code loop in the boot sector that basically waits for and processes commands through the OBD-II port. Once the PCM is in this loop, you can then request downloads and uploads.

              As for an actual reflash, the PCM DOES NOT contain the routines for a reflash. These must be transmitted to the PCM from an external device and loaded as a memory resident program within the PCM. This means that you need to obtain/write the software to allow you to reflash. Additionally, most PCMs have their flash chip locked. To unlock the flash, you have to enable an output within the PCM that sends +12V to the write protect pin, which unlocks the flash chip and allows you to interface with it, erase it, etc. In my PCM, the write protect is tied to the voltage regulator, and there is a gated output tied to the MCU that triggers the vreg to send +12V to the flash chip to unlock it. You also must have at least 12.2V at the PCM or more to reflash, or the chip will remain locked.

              This isn't easy, and the ELM will likely not work for the reflashing part. It's certainly possible, though. But you will at least need an interface that can do VPW 4x high speed data transfer as well as have the ability to transmit large blocks of data. I don't think the ELM could handle anything larger than the typical diagnostic OBD message frame. I got around the whole reflash issue with my Vortec PCM by installing an external socket so I could use my own flash chips and PP-II to tune. If you have a single flash chip, this is an easy way to slum it rather than pay hundreds of dollars for the professional stuff. If you have a hack for your PCM (I had to generate my own), you can then use TunerPro to tune once you've written the needed XDF files.
              Last edited by dimented24x7; 01-13-2010, 02:08 AM.
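
An ECU-side model of the seed/key gate that post #21 describes, added here as an example and not part of the thread or any poster's code. It shows how key width and the failure lockout bound the time a static 16-bit pair can resist guessing; `toy_derive`, the 10 s lockout and the per-try time are constructed assumptions, since the thread gives no algorithm or delay length.

```python
import hmac


class SecurityAccessGate:
    """Model of a seed/key gate that locks out after repeated wrong keys."""

    def __init__(self, derive_key, max_failures=3, lockout_s=10.0):
        self.derive_key = derive_key      # hypothetical seed -> key function
        self.max_failures = max_failures  # post #21: delay after three wrong guesses
        self.lockout_s = lockout_s        # assumed value; the thread gives none
        self.failures = 0
        self.locked_until = 0.0
        self.unlocked = False

    def try_key(self, seed, key, now):
        """Return 'granted', 'denied' or 'locked' for one attempt at time `now`."""
        if now < self.locked_until:
            return "locked"               # attempts during the delay are ignored
        expected = (self.derive_key(seed) & 0xFFFF).to_bytes(2, "big")
        offered = (key & 0xFFFF).to_bytes(2, "big")
        if hmac.compare_digest(expected, offered):  # constant-time compare
            self.failures = 0
            self.unlocked = True
            return "granted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_s
        return "denied"


def worst_case_exhaust_seconds(key_bits, per_try_s, max_failures, lockout_s):
    """Upper bound on the time to try every key against a static seed/key pair."""
    tries = 2 ** key_bits
    lockouts = tries // max_failures      # one delay per full batch of failures
    return tries * per_try_s + lockouts * lockout_s


def toy_derive(seed):
    # Constructed stand-in for illustration, not any real PCM algorithm.
    return (seed ^ 0xA5A5) & 0xFFFF


if __name__ == "__main__":
    for bits in (16, 32):
        days = worst_case_exhaust_seconds(bits, 0.1, 3, 10.0) / 86400
        print(f"{bits}-bit key: worst case {days:,.1f} days")
```

With these assumed timings a word-length key is exhausted in under three days, in line with the "a day or more" estimate in the post, while the same lockout policy on a 32-bit key pushes the bound to centuries.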



              • #22
                Also, here is the hack that I did for the 98 Vortec PCM. Although this is likely to be different from any of your OBD-II, and certainly the OBD-1.5 PCMs, it does give some idea of what's inside. I have most of the OBD-II comm. routines commented. They're primarily in the first part of the hack from address 0x0400 and onward. The hack is some 300,000 lines long, so you will need to use the search to find things.


                • #23
                  Awesome info man! Much appreciated. I knew GM made some pretty good PCMs but never knew exactly what went on inside one of them. That's pretty slick.


                  • #24
                    Originally posted by dimented24x7
                    Also, here is the hack that I did for the 98 Vortec PCM. Although this is likely to be different from any of your OBD-II, and certainly the OBD-1.5 PCMs, it does give some idea of what's inside. I have most of the OBD-II comm. routines commented. They're primarily in the first part of the hack from address 0x0400 and onward. The hack is some 300,000 lines long, so you will need to use the search to find things.
                    I've seen that one on the Moates site before. I always wondered who was cracking OBD2 PCMs in the DIY community!
                    1995 Monte Carlo LS 3100, 4T60E...for now, future plans include driving it until the wheels fall off!
                    Latest nAst1 files here!
                    Need a wiring diagram for any GM car or truck from 82-06(and 07-08 cars)? PM me!



                    • #25
                      Awesome info, thanks!!!!!

                      Here may be a chip that will handle the reflashing?



                      • #26
                        It looks like it may work. They give the option to allow non-formatted raw messages to be sent, which is what you would need when performing a reflash.



                        • #27
                          Also looks like we can communicate with the ECU through this via HyperTerminal or similar the same way as the Elm327, which means I should be able to convert all my Elm apps I made to this.

                          On another note, I quickly wired up an 01 Impala ECM today, put all Bat/Ign feeds to one and all grounds to one then to the battery, wired up a DLC to the data line, but I am not getting any communications; even with the Tech2, data seems to be flickering on/off.

                          Piss me OFF! Might be a bad PCM, it was from the wreckers when I got the engine harness for my swap, but the PCM was removed and just sitting on the driver's seat.

                          $60 down the tube lol, hope to have another to try this upcoming week.

                          Pretty sure it should communicate with just all the Bat & Ign feeds to positive and grounds to negative, then just the Class2 line?


                          • #28
                            Turns out the PCM wasn't bad, just missed a ground.

                            I am currently checking my app for getting the key, needs to be optimized for sure, it is slow.

                            Have tried about 800 keys this evening, only a possible approx 64200 left to try lol.

                            I know my Seed is
                            05 BC
                            Wish I had the key already to check if app is working.
                            Will suck to have it run 5 days to find out I have an error somewhere lol.


                            • #29
                              Very true. At least you got it talking


                              • #30
                                I have found a way to double the speed of the brute force attack, but I'm still tweaking the code, so I am still using my slower first version. Been about 2 days and I am almost 40% done checking all keys lol.

                                Hopefully my key is near the middle lol.