P11 GM PCM
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
P11 GM PCM
I'm working with a 2003 Cavalier PCM with Serv no 12576162 and calibration number 12571650. Hoping to get to the point to read/write to the flash chip and attempt to reverse engineer the code to atleast disable security. It appears these are commonly used around 2003-2005.
Appears the flash is DE28F800F3B125 which if I remember right from the data sheet is 8mbit.
Cpu comes up as 185 K62K
Figured I'd keep atleast a log here of progress. I'd like to get it possible to flash over the OBD2 interface, but I'll take what I can get as I figure things out. Been getting some great help on FB already and have atleast a loose plan in mind.
Appears the flash is DE28F800F3B125 which if I remember right from the data sheet is 8mbit.
Cpu comes up as 185 K62K
Figured I'd keep atleast a log here of progress. I'd like to get it possible to flash over the OBD2 interface, but I'll take what I can get as I figure things out. Been getting some great help on FB already and have atleast a loose plan in mind.
Last edited by DWS on Fri Oct 15, 2021 12:20 pm, edited 1 time in total.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
-
- Posts: 397
- Joined: Wed Jul 05, 2017 8:30 am
- cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E - Location: North TX, USA
Re: P11 GM PCM
Welcome.
I see you made it over from Facebook.
Mike S
I see you made it over from Facebook.
Mike S
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
Re: P11 GM PCM
Yep, been working with a member from there on FB. I have a BDM coming, and I get to trace out points from the BGA on a spare PCM that's coming in the mail. Hopefully with his help I'll be able to communicate with the CPU/Flash chip and be able to pull the BIN and see how that all is structured and such.
I don't see an introduction section, but here's a quick blurt of my background
Schooling: PC Tech (HW & SW but way higher level than this stuff)
I've been soldering, installing mod chips, repairing traces, pcbs, game consoles, etc since highschool (15 years ago or so).
Done quite a bit on the software side, started with GW Basic (1987), Q Basic, VB6, VB.net, C#, C++ (tiny touch of C too), java, php, etc)
I've done a little work reverse engineering network packets, compiled java (byte code), and touched a little in asm.
I have a cheap Chinese solder rework station, works well enough for most things though. Have a Hakko china clone for a bench top solder sucker. I've touched a tiny bit into the Arduino stuff too since I have a wood stove and wanted to control the fan on it and the fan for under the house (keep pipes from freezing), so it monitors 3 temp sensors and 2 fans through two solid state relays.
I've generally have a can-do attitude, as long as I don't loose interest, I generally pull through on things pretty well. Always have 1000 projects going at once though, can't keep life simple xD.
Current plan is to read the bin, and check over it and see if I can make sense of the code/data. Maybe flash it unmodified onto another spare PCM I bought to validate the process works fine and the car fires up (has security). Then I can work on where to change the flag for security and such. Since I've worked with packets a bit, and bytecode, I've gotten somewhat used to converting hex values around and such so I think I'll have atleast a little success poking at the BIN.
Anyway, thanks for the warm welcome, hopefully the research I find can help make pcmhammer better, or even be able to help others down the road.
I don't see an introduction section, but here's a quick blurt of my background
Schooling: PC Tech (HW & SW but way higher level than this stuff)
I've been soldering, installing mod chips, repairing traces, pcbs, game consoles, etc since highschool (15 years ago or so).
Done quite a bit on the software side, started with GW Basic (1987), Q Basic, VB6, VB.net, C#, C++ (tiny touch of C too), java, php, etc)
I've done a little work reverse engineering network packets, compiled java (byte code), and touched a little in asm.
I have a cheap Chinese solder rework station, works well enough for most things though. Have a Hakko china clone for a bench top solder sucker. I've touched a tiny bit into the Arduino stuff too since I have a wood stove and wanted to control the fan on it and the fan for under the house (keep pipes from freezing), so it monitors 3 temp sensors and 2 fans through two solid state relays.
I've generally have a can-do attitude, as long as I don't loose interest, I generally pull through on things pretty well. Always have 1000 projects going at once though, can't keep life simple xD.
Current plan is to read the bin, and check over it and see if I can make sense of the code/data. Maybe flash it unmodified onto another spare PCM I bought to validate the process works fine and the car fires up (has security). Then I can work on where to change the flag for security and such. Since I've worked with packets a bit, and bytecode, I've gotten somewhat used to converting hex values around and such so I think I'll have atleast a little success poking at the BIN.
Anyway, thanks for the warm welcome, hopefully the research I find can help make pcmhammer better, or even be able to help others down the road.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
-
- Posts: 397
- Joined: Wed Jul 05, 2017 8:30 am
- cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E - Location: North TX, USA
Re: P11 GM PCM
There are several people on here that have been helping to develop PCMHammer.
Other than the primary developers, there are a few that had taken a crack at adding FWD V6 and I4 support, but seem to have gotten stuck with getting a kernal to load as they use a smaller amount of on-board ram.
I for one wish someone could get the P04 and P08 PCM support completed as I have a 2001 Grand AM 2.4l TwinCam and a 2005 Chevy Venture that I would love to be able to tweak!
Mike
Other than the primary developers, there are a few that had taken a crack at adding FWD V6 and I4 support, but seem to have gotten stuck with getting a kernal to load as they use a smaller amount of on-board ram.
I for one wish someone could get the P04 and P08 PCM support completed as I have a 2001 Grand AM 2.4l TwinCam and a 2005 Chevy Venture that I would love to be able to tweak!
Mike
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
Re: P11 GM PCM
Yea I was reading up on that a little, something about the update has to be applied and it starts executing right away, so a tiny os/kernel needs to be wrote to finish the update process. It's updated in blocks of my understanding, so the max block size is the max size for the os if I'm grasping it right.
Once the hardware part is figured out, I suspect the software side wouldn't be too hard to figure out, just time to figure stuff out.
Also, I've asked this a few times, but any idea where the P11, P01, P04, etc numbers come from? I'd like to know why I'm calling them by those numbers =).
Once the hardware part is figured out, I suspect the software side wouldn't be too hard to figure out, just time to figure stuff out.
Also, I've asked this a few times, but any idea where the P11, P01, P04, etc numbers come from? I'd like to know why I'm calling them by those numbers =).
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
Re: P11 GM PCM
Here's some fitment data for this PCM according to GM's site.
Looking at ebay, based on serv number, these calibrations come up:
12571650
12596601
12579654
12587611
12593508
12598562
12584709
Also 04-05 Chevy Malibu 2.2L vin 4 has same serv number, but GM didn't list them for some reason. Here's a few calibrations according to ebay listings (when they rarely say what it's from). Might have a slight reversion to the hardware? Some of the calibrations match across the 2 fitments, so that leads me to believe the hardware is atleast compatible.
12596601
12593507
12583742
According to the GM part number, the Malibu PCM has this interchange:
Looking at ebay, based on serv number, these calibrations come up:
12571650
12596601
12579654
12587611
12593508
12598562
12584709
Also 04-05 Chevy Malibu 2.2L vin 4 has same serv number, but GM didn't list them for some reason. Here's a few calibrations according to ebay listings (when they rarely say what it's from). Might have a slight reversion to the hardware? Some of the calibrations match across the 2 fitments, so that leads me to believe the hardware is atleast compatible.
12596601
12593507
12583742
According to the GM part number, the Malibu PCM has this interchange:
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
Re: P11 GM PCM
Welcome aboard. That was me on Facebook, sorry it took me a while to catch up over here.
Googling "12200051" (from the big chip in the lower-left corner of the second image) gives some hints that it's probably a CPU from Freescale (now NXP) but I couldn't find a datasheet. With luck it's a Motorola 68k derivative, and a lot of PCM Hammer can probably be reused to flash it. If you can extract the .bin from the flash chip, try asking Ghidra to disassembling it as Motorola 68k code.
If that doesn't work, look for other CPU types that were made by Freescale / NXP during the early 2000s, try disassembling using those approaches (Ghidra supports a lot of CPU types) and see if one of them produces believable assembly code.
Ghidra: https://ghidra-sre.org/
Googling "12200051" (from the big chip in the lower-left corner of the second image) gives some hints that it's probably a CPU from Freescale (now NXP) but I couldn't find a datasheet. With luck it's a Motorola 68k derivative, and a lot of PCM Hammer can probably be reused to flash it. If you can extract the .bin from the flash chip, try asking Ghidra to disassembling it as Motorola 68k code.
If that doesn't work, look for other CPU types that were made by Freescale / NXP during the early 2000s, try disassembling using those approaches (Ghidra supports a lot of CPU types) and see if one of them produces believable assembly code.
Ghidra: https://ghidra-sre.org/
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
Re: P11 GM PCM
I've been working with a guy on FB that has pulled the flash from quite a few PCM's that were once impossible. He shot me over a couple bin files that match my calibration number so I tried one disassembler but the asm output didn't look right, lot of commands unrecognized (MC68332 based if I remember right). I'll have to poke at the BINs using Ghidra. I'm not sure where he got the bin's from, but once I get my hardware in the mail I should be able to pull the flash memory off my PCM (and 2 others) and dump the bin. Should be interesting to compare the 5 files. Hopefully the asm makes sense to me for the most part so I can actually help with the code side of things. I pulled the CPU so I could get the pin out to read it, so I'll have to swap the flash chip over to the PCM I bought that's an exact match to grab the exact dump for the car I have. I think if I go through the key relearning process that shouldn't be really needed though if I understand how the PCM and BCM are paired. Might have to put my VIN in the flash though to make it happy and figure out the check sums etc.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
-
- Posts: 129
- Joined: Tue Oct 12, 2021 10:04 am
- cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
- Location: USA
- Contact:
Re: P11 GM PCM
Wanted to give an update. Me and 2 other guys (hw and a sw guy) got one of the P11 PCM's to read/write. The orig got killed to figure out the pin out, and the 3rd I have is a different calibration number and the board marking inside is slightly different. It appears to have a watchdog active, but was able to read that one too. Haven't tried to write to it yet though.
I guess not bad for my first real hardware "hacking" I've done (with help).
Here's an image, kind of hiding the pins since it's a team effort, I'm not sure if it's going to be released in the open or not. I need to get a 90 degree pin header for the board lol. Did have trouble with wires around 3in long, so I went nuts and made them as short as possible (within reason).
FYI, boot section is write protected, have to poke at that or manually pull the write enable pin on the chip up. I think the specs said it goes to +12v and it has a pretty short life span at those voltages (60hr something like that). Now I get to poke at the bin file and see if I can make sense of it, how to modify, rebuild checksums, etc. Lot of work for a derby tune, but I like the complete control I have using this route. Hopefully I'll be able to rewrite the main code that runs the engine, a common thing people want in the derby world is map/maf sensor delete and run engine purely off TPS and intake temp sensor. Not sure if fully possible, but the theory in my head says it should be.
I guess not bad for my first real hardware "hacking" I've done (with help).
Here's an image, kind of hiding the pins since it's a team effort, I'm not sure if it's going to be released in the open or not. I need to get a 90 degree pin header for the board lol. Did have trouble with wires around 3in long, so I went nuts and made them as short as possible (within reason).
FYI, boot section is write protected, have to poke at that or manually pull the write enable pin on the chip up. I think the specs said it goes to +12v and it has a pretty short life span at those voltages (60hr something like that). Now I get to poke at the bin file and see if I can make sense of it, how to modify, rebuild checksums, etc. Lot of work for a derby tune, but I like the complete control I have using this route. Hopefully I'll be able to rewrite the main code that runs the engine, a common thing people want in the derby world is map/maf sensor delete and run engine purely off TPS and intake temp sensor. Not sure if fully possible, but the theory in my head says it should be.
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
Re: P11 GM PCM
You can look at this program for checksums and file structure.
It will give you some head start, and maybe you can configure some stuff for others to use.
https://github.com/joukoy/UniversalPatc ... r-Full.Zip
and the forum thread is here
viewtopic.php?f=42&t=6642
It will give you some head start, and maybe you can configure some stuff for others to use.
https://github.com/joukoy/UniversalPatc ... r-Full.Zip
and the forum thread is here
viewtopic.php?f=42&t=6642