P04 BIN Editing (disabling security)

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
DWS
Posts: 129
Joined: Tue Oct 12, 2021 10:04 am
cars: Tons of Toyotas, 2003 cavi derby car, ford trucks, etc.
Location: USA

Post by DWS »

I'm using a BDM to read/write to a P04 PCM, Serv 12583827 HW 12582720 to be exact (orig for a 2005 Impala 3400). I'm looking to keep the stock tune for now, but disable security. Stock setting at $7D570 is $01 and in my 2001 Malibu it cranks no fire. Changing to $00 it cranks, fires up and dies after about 2 secs. Changed to $02 and back to crank no fire. I'm updating the checksum as well when editing. Any tips/advice on what the correct "disabled" setting would be? I didn't change the VIN number to my vehicle or anything, maybe that's a conflict with the BCM causing the issue? The car isn't going on the road, ultimately will be a derby car and scrapped when finished. I attached the bin I'm editing (doing this on a spare PCM so I don't kill the one that works). The address was from universal patcher and it appears it's affecting security so I think the address is correct.

Any help would be great, slowly learning this stuff.
Attachments
12583827 12582720 2005 Impala 3400 Stock.bin
(512 KiB) Downloaded 143 times
Ford EEC-V Bin Converter (bank swapping and padding): viewtopic.php?f=41&t=8342
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: P04 BIN Editing (disabling security)

Post by antus »

I can't say for sure but running for 2 seconds and dying might be security disabled and it might be the tune is so far out you stall. The fact you can see the behavior change makes me think you're doing the right thing and it's something else.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: P04 BIN Editing (disabling security)

Post by DWS »

I read on another site the injector disable time needs to be set to 0 as well to disable security. Default is 4 (matches what the thread said) and when I tried it, it seems to take more cranking before a fire, and it runs for a shorter time. I must be in the right area, but clearly missing something.

The engine does have a miss, I haven't looked fully into the cause, but this 2nd PCM has the same miss. If I give it some throttle it revs up fine till the fuel injectors get turned off (guessing didn't test with a noid light). I've been told the 3400 tune can run the 3100 so I wouldn't think it's just the tune causing the stalling.

Digging into the ASM, I'm seeing a few other memory addresses being referenced around the same point as the main security enabled memory address, so I might have to toy around with those values a bit.

On a side note, I've soldered a header on the orig PCM and dumped the bin file. It's a different os/config so I could poke at that too and see what I can find. Ultimate goal is to delete BCM, and make the engine run off the bare min number of sensors (open loop, no o2, etc). I'm looking to build a stand alone harness (replaces the wiring on the engine to PCM with a couple leads that goes to the battery to power everything up). Clearly security is going to be the #1 issue to get worked out.

The P04 I'm having a bit more luck in the ASM code than the P11 PCM, there seems to be more research done on the P04 so some values/addresses are known. Always fun to try to dive into a new thing and be one of only a few that have ever done anything like this.

I have another P04 PCM as well that currently has a 3800 tune on it. I suspect any of the 3 should work on the car. The 2 newer ones have AMD flash chips and don't require adding 12v to the chip to flash it. I'm not sure if the chip type really matters much on the actual program side of things, but I'll probably try to clone the stock PCM to one of the spares (intel to amd flash) and see what happens.

Re: P04 BIN Editing (disabling security)

Post by antus »

To compare notes, we found on the P59s where they came out with Intel and then moved to AMD, that if you install an earlier Intel OS to a later AMD chip then you lose the ability to update vats through the operating system, and any other run time data that would be saved to flash can't. The car still runs, and you can still reflash it over the OBD as the flash software sends the routines supporting the other type of flash chip in over OBD2. Your experience on the P04 might be the same. The P59 AMD OS have code for both Intel and AMD flash built in.

Re: P04 BIN Editing (disabling security)

Post by DWS »

Yea I was guessing that would be the case since the amd chip doesn't need the 12v trick to reflash with the bdm, but the intel chip appears it does need it. I figured the code to update the flash would be different then. Good to know the flash should work besides that feature though.

I've poked around bytecode a little in the past (compiled java), but there's quite a few references in the code I don't quite get. Like I see references to memory that make sense like $0007D570, but there's also references with similar addresses but start with F's, say $FFF6E780. I suspect the prefix makes the memory address flip to another chip or something along those lines, or maybe it's an internal memory storage in the cpu. They seem to be used like global variables.

Here's a clip from Ghidra to give an example.

    if (((DAT_ffffaf1c & 0x80) != 0) && (cVar2 = FUN_00017fd4(), cVar2 != '\0')) {
      DAT_ffffaf1c = DAT_ffffaf1c & 0x7f;
      DAT_ffffaf1c = DAT_ffffaf1c | 0x40;
      goto LAB_0004c706;
    }

Here's a different section of code where I can show the asm and the source code (guessing it's C++ or similar). I can work off the source code a lot faster since that's what I'm used to, but been looking at the asm too a bit to try to link what is what in my head better lol.

                             LAB_0004c5e0                                    XREF[3]:     0004c564 (j) , 0004c56c (j) , 
                                                                                          0004c580 (j)   
        0004c5e0 08  38  00       btst.b     0x3 ,(DAT_ffffab48 ).w
                 03  ab  48
        0004c5e6 66  00  01  1e    bne.w      LAB_0004c706
        0004c5ea 08  f8  00       bset.b     0x5 ,(DAT_ffffaf1c ).w
                 05  af  1c
        0004c5f0 60  00  01  14    bra.w      LAB_0004c706

    if ((DAT_ffffab48 & 8) == 0) {
      DAT_ffffaf1c = DAT_ffffaf1c | 0x20;
    }
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: P04 BIN Editing (disabling security)

Post by kur4o »

On gearhead there was some list published for different settings vs OS for v6 pcms.

Usually you set the vats to 00, zero the injector disable timer, and turn off all vtd DTC.

Tested on 2002 model. Later models can use different logic.

Re: P04 BIN Editing (disabling security)

Post by DWS »

Yep, that's what the current status is, 00 for vats, injector timer, and related DTC's that show up in the list I set to 3 Not reported (DTC Disabled) and set MIL to disabled.

Just loaded the bin up and looks like the last settings (DTC's) weren't updated. Gonna try to flash the updated bin and hopefully it works. Here's the DTC list, maybe something isn't listed that I need.

Image

Here's some extra info from the 3100 stock bin I'm using from the car.

Segments:
 OS          PN: 12201457 [0000 - 7FFFD], Size: 7FFFE
 EEPROM_data PN: 12201464 [4000 - 5FFF], Size: 2000
 vin: 1G1ND52J8Y6328xxx
 trace: 8D1K560138
 PCM1: 12201464
 PCM2: 9357440
 seed: 69F9
 key: FC7F
Checksums:
 OS          Checksum 1: 26680E86 [OK] Checksum2: 0000ECDE [modded]

I saw gearhead had some bins and such, I signed up but waiting approval and such. Maybe one of the bins just happen to come from a vehicle with the right engine and no security. Not too worried about the actual tune, and the transmission code/segment doesn't matter since derby guys "hot wire" the transmission manually for 1st gear and is less wiring.

Re: P04 BIN Editing (disabling security)

Post by DWS »

Yay, success, the DTC's weren't updated which caused the start and die issue even with VATS disabled. This is on the stock 2000 Malibu 3100 tune. I suspect the 3400 tune would also work, I just wasn't using the software quite right. Now to order supplies and build a stand alone harness for the car with extra lead wire for the computer cuz dang it's a pain to connect and disconnect with next to no extra slack.

Thanks for the advice/help! At some point I'll probably try to tune it in open loop, but not today lol.

Re: P04 BIN Editing (disabling security)

Post by antus »

The addresses like $FFF6E780 are also sometimes written as $F6E780. I think it's a 24 bit address space and the disassemblers set the electrically out of range bits high. You are correct they are different chips. Some of it is RAM, some of it are registers for other chips. For example see the registers for the DLC (data link controller, the chip that runs the VPW data bus) for the P01 and P59 here: https://github.com/LegacyNsfw/PcmHacks/ ... mmon.h#L17
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
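
An added example, not part of any post in this thread and not taken from Ghidra or any PCM tool: it shows how the 68k absolute-short `(xxx).w` operand in the quoted listing is sign-extended into the `$FFFFxxxx` form, and how masking to the bus width makes `$FFF6E780` and `$F6E780` compare equal. The function names are hypothetical, the 24-bit width is taken from the reply above, and flash mapped at address 0 with a 512 KiB image is an assumption based on the attached bin.

```python
# Added illustration; function names are hypothetical, not from any tool.
ADDR_BITS = 24          # assumption: bus width as suggested in the reply above
IMAGE_SIZE = 0x80000    # 512 KiB bin; assumption: flash is mapped at address 0


def sign_extend16(word: int) -> int:
    """68k absolute-short (xxx).w operands are sign-extended to 32 bits."""
    word &= 0xFFFF
    return word | 0xFFFF0000 if word & 0x8000 else word


def bus_address(addr32: int) -> int:
    """Drop the bits above the address bus so aliases compare equal."""
    return addr32 & ((1 << ADDR_BITS) - 1)


def abs_short_target(insn: bytes) -> int:
    """Decode the target of a static bit instruction laid out as
    opcode word, bit-number word, absolute-short word (6 bytes)."""
    if len(insn) != 6:
        raise ValueError("expected three 16-bit words")
    opcode = int.from_bytes(insn[0:2], "big")
    if opcode & 0xFF00 != 0x0800 or opcode & 0x3F != 0x38:
        raise ValueError("not a static bit op with an absolute-short operand")
    return sign_extend16(int.from_bytes(insn[4:6], "big"))


def region(addr32: int) -> str:
    """Split references into 'inside the bin' and 'everything else'."""
    addr = bus_address(addr32)
    return "flash image" if addr < IMAGE_SIZE else "outside image (RAM or registers)"


def describe(addr32: int) -> str:
    return f"${addr32:08X} -> ${bus_address(addr32):06X} ({region(addr32)})"


if __name__ == "__main__":
    # Instruction bytes copied from the listing quoted in the thread.
    for raw in ("08380003ab48", "08f80005af1c"):
        print(describe(abs_short_target(bytes.fromhex(raw))))
    # Addresses mentioned in the posts.
    for addr in (0x0007D570, 0xFFF6E780, 0x00F6E780):
        print(describe(addr))
```

The region split only separates file-backed addresses from everything else; telling RAM from peripheral registers needs the memory map for the specific PCM.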

Re: P04 BIN Editing (disabling security)

Post by DWS »

I've seen that in the code, nice to have it validated. Any simple way to tell ram vs other chips apart? Guessing something like $F6xxxx vs $F7xxxx would be what determines that.

I haven't messed with any of the OBD2 stuff, for sure a big learning curve to get that far. For now mainly focused on what's mainly on the flash chip and what runs the engine.

I guess I get to play around a little with trying to tune this engine. The primary o2 sensor is broken on it, so I'm guessing I'll have to get a replacement, maybe a wide band with a display. Wanting to tune for open loop.