P11 GM PCM

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA

P11 GM PCM

Post by DWS »

I'm working with a 2003 Cavalier PCM with Serv no 12576162 and calibration number 12571650. Hoping to get to the point to read/write to the flash chip and attempt to reverse engineer the code to at least disable security. It appears these are commonly used around 2003-2005.

Appears the flash is DE28F800F3B125 which if I remember right from the data sheet is 8mbit.

CPU comes up as 185 K62K

Figured I'd keep at least a log here of progress. I'd like to get it possible to flash over the OBD2 interface, but I'll take what I can get as I figure things out. Been getting some great help on FB already and have at least a loose plan in mind.

Image
Image
Last edited by DWS on Fri Oct 15, 2021 12:20 pm, edited 1 time in total.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
MudDuck514
Posts: 397
Joined: Wed Jul 05, 2017 8:30 am
cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E
Location: North TX, USA

Re: P11 GM PCM

Post by MudDuck514 »

Welcome.

I see you made it over from Facebook.

Mike S

Re: P11 GM PCM

Post by DWS »

Yep, been working with a member from there on FB. I have a BDM coming, and I get to trace out points from the BGA on a spare PCM that's coming in the mail. Hopefully with his help I'll be able to communicate with the CPU/Flash chip and be able to pull the BIN and see how that all is structured and such.

I don't see an introduction section, but here's a quick blurt of my background

Schooling: PC Tech (HW & SW but way higher level than this stuff)
I've been soldering, installing mod chips, repairing traces, PCBs, game consoles, etc. since high school (15 years ago or so).
Done quite a bit on the software side, started with GW Basic (1987), Q Basic, VB6, VB.net, C#, C++ (tiny touch of C too), Java, PHP, etc.
I've done a little work reverse engineering network packets, compiled java (byte code), and touched a little in asm.
I have a cheap Chinese solder rework station, works well enough for most things though. Have a Hakko china clone for a bench top solder sucker. I've touched a tiny bit into the Arduino stuff too since I have a wood stove and wanted to control the fan on it and the fan for under the house (keep pipes from freezing), so it monitors 3 temp sensors and 2 fans through two solid state relays.

I generally have a can-do attitude, as long as I don't lose interest, I generally pull through on things pretty well. Always have 1000 projects going at once though, can't keep life simple xD.

Current plan is to read the bin, and check over it and see if I can make sense of the code/data. Maybe flash it unmodified onto another spare PCM I bought to validate the process works fine and the car fires up (has security). Then I can work on where to change the flag for security and such. Since I've worked with packets a bit, and bytecode, I've gotten somewhat used to converting hex values around and such so I think I'll have at least a little success poking at the BIN.

Anyway, thanks for the warm welcome, hopefully the research I find can help make pcmhammer better, or even be able to help others down the road.

Re: P11 GM PCM

Post by MudDuck514 »

There are several people on here that have been helping to develop PCMHammer.
Other than the primary developers, there are a few that had taken a crack at adding FWD V6 and I4 support, but seem to have gotten stuck with getting a kernel to load as they use a smaller amount of on-board RAM.
I for one wish someone could get the P04 and P08 PCM support completed as I have a 2001 Grand AM 2.4l TwinCam and a 2005 Chevy Venture that I would love to be able to tweak!

Mike

Re: P11 GM PCM

Post by DWS »

Yea I was reading up on that a little, something about the update has to be applied and it starts executing right away, so a tiny os/kernel needs to be written to finish the update process. It's updated in blocks, to my understanding, so the max block size is the max size for the os if I'm grasping it right.

Once the hardware part is figured out, I suspect the software side wouldn't be too hard to figure out, just time to figure stuff out.

Also, I've asked this a few times, but any idea where the P11, P01, P04, etc numbers come from? I'd like to know why I'm calling them by those numbers =).

Re: P11 GM PCM

Post by DWS »

Here's some fitment data for this PCM according to GM's site.

Image

Looking at eBay, based on serv number, these calibrations come up:

12571650
12596601
12579654
12587611
12593508
12598562
12584709

Also 04-05 Chevy Malibu 2.2L vin 4 has same serv number, but GM didn't list them for some reason. Here's a few calibrations according to eBay listings (when they rarely say what it's from). Might have a slight reversion to the hardware? Some of the calibrations match across the 2 fitments, so that leads me to believe the hardware is at least compatible.
12596601
12593507
12583742

According to the GM part number, the Malibu PCM has this interchange:

Image
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: P11 GM PCM

Post by NSFW »

Welcome aboard. That was me on Facebook, sorry it took me a while to catch up over here.

Googling "12200051" (from the big chip in the lower-left corner of the second image) gives some hints that it's probably a CPU from Freescale (now NXP) but I couldn't find a datasheet. With luck it's a Motorola 68k derivative, and a lot of PCM Hammer can probably be reused to flash it. If you can extract the .bin from the flash chip, try asking Ghidra to disassemble it as Motorola 68k code.

If that doesn't work, look for other CPU types that were made by Freescale / NXP during the early 2000s, try disassembling using those approaches (Ghidra supports a lot of CPU types) and see if one of them produces believable assembly code.

Ghidra: https://ghidra-sre.org/
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
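A quick pre-check that can be run on a dump before loading it into Ghidra as 68k, as suggested in the post above. This is an added example, not code from the thread or from PCM Hammer; it assumes the image is mapped at address 0 with the 68k reset vectors at offset 0, and the thresholds and sample image are constructed for illustration.

```python
import struct

RTS = b"\x4e\x75"      # 68k "return from subroutine", always word-aligned in real code
RTS_SWAPPED = b"\x75\x4e"
MIN_HITS = 8           # illustrative threshold; real images contain hundreds of RTS

def reset_vectors_plausible(image: bytes, base: int = 0) -> bool:
    """68k reset vectors: long 0 = initial stack pointer, long 1 = initial PC."""
    if len(image) < 8:
        return False
    ssp, pc = struct.unpack_from(">II", image, 0)   # big-endian longs
    # Both must be even (odd word access faults); PC must land inside the image.
    return ssp != 0 and ssp % 2 == 0 and pc % 2 == 0 and base <= pc < base + len(image)

def rts_counts(image: bytes) -> dict:
    """Count RTS at even offsets, at odd offsets, and byte-swapped at even offsets."""
    counts = {"aligned": 0, "misaligned": 0, "swapped": 0}
    for i in range(len(image) - 1):
        pair = image[i:i + 2]
        if pair == RTS:
            counts["aligned" if i % 2 == 0 else "misaligned"] += 1
        elif pair == RTS_SWAPPED and i % 2 == 0:
            counts["swapped"] += 1
    return counts

def triage(image: bytes, base: int = 0) -> str:
    c = rts_counts(image)
    # A 16-bit flash read with the bytes of each word exchanged shows up here.
    if c["swapped"] >= MIN_HITS and c["swapped"] > c["aligned"]:
        return "byte-swapped dump?"
    if (reset_vectors_plausible(image, base)
            and c["aligned"] >= MIN_HITS
            and c["aligned"] > 4 * c["misaligned"]):
        return "plausible 68k"
    return "unlikely 68k"

def build_sample() -> bytes:
    """Constructed test image: vector table, 0xFF padding, 16 tiny routines."""
    vectors = struct.pack(">II", 0x00FF8000, 0x00000400)
    code = bytes.fromhex("70004e714e75") * 16       # moveq #0,d0 ; nop ; rts
    return vectors.ljust(0x400, b"\xff") + code

if __name__ == "__main__":
    print(triage(build_sample()))
```

If the verdict is "byte-swapped dump?", exchange the two bytes of every 16-bit word and run the check again before trying other CPU types.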

Re: P11 GM PCM

Post by DWS »

I've been working with a guy on FB that has pulled the flash from quite a few PCMs that were once impossible. He shot me over a couple bin files that match my calibration number so I tried one disassembler but the asm output didn't look right, lot of commands unrecognized (MC68332 based if I remember right). I'll have to poke at the BINs using Ghidra. I'm not sure where he got the bins from, but once I get my hardware in the mail I should be able to pull the flash memory off my PCM (and 2 others) and dump the bin. Should be interesting to compare the 5 files. Hopefully the asm makes sense to me for the most part so I can actually help with the code side of things. I pulled the CPU so I could get the pin out to read it, so I'll have to swap the flash chip over to the PCM I bought that's an exact match to grab the exact dump for the car I have. I think if I go through the key relearning process that shouldn't be really needed though if I understand how the PCM and BCM are paired. Might have to put my VIN in the flash though to make it happy and figure out the checksums etc.

Re: P11 GM PCM

Post by DWS »

Wanted to give an update. Me and 2 other guys (hw and a sw guy) got one of the P11 PCMs to read/write. The orig got killed to figure out the pin out, and the 3rd I have is a different calibration number and the board marking inside is slightly different. It appears to have a watchdog active, but was able to read that one too. Haven't tried to write to it yet though.

I guess not bad for my first real hardware "hacking" I've done (with help).

Here's an image, kind of hiding the pins since it's a team effort, I'm not sure if it's going to be released in the open or not. I need to get a 90 degree pin header for the board lol. Did have trouble with wires around 3in long, so I went nuts and made them as short as possible (within reason).

FYI, boot section is write protected, have to poke at that or manually pull the write enable pin on the chip up. I think the specs said it goes to +12v and it has a pretty short life span at those voltages (60hr something like that). Now I get to poke at the bin file and see if I can make sense of it, how to modify, rebuild checksums, etc. Lot of work for a derby tune, but I like the complete control I have using this route. Hopefully I'll be able to rewrite the main code that runs the engine, a common thing people want in the derby world is MAP/MAF sensor delete and run engine purely off TPS and intake temp sensor. Not sure if fully possible, but the theory in my head says it should be.

Image
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: P11 GM PCM

Post by kur4o »

You can look at this program for checksums and file structure.

It will give you some head start, and maybe you can configure some stuff for others to use.

https://github.com/joukoy/UniversalPatc ... r-Full.Zip

and the forum thread is here

viewtopic.php?f=42&t=6642