PowerPCM_Flasher: my tool for E38 and E67

Programs / Tools / Scripts
Posts: 46
Joined: Wed Feb 19, 2020 9:58 pm

PowerPCM_Flasher: my tool for E38 and E67

Postby daniel2345 » Fri Feb 21, 2020 5:00 am

Hello,

Please let me introduce myself. I’m an almost 40 year’s old embedded electronics and embedded Software automotive engineer from Germany.

Beside my family, work and house i do a lot of Tuning / ECU stuff in my spare time. I’m active in Volvo Tuning since almost 20 years now, doing a lot with Bosch and Denso ECUs (ME7, ME9, EDC15, EDC16). Mostly drag racing stuff.

A Friend of me is doing a lot with 60's/70's US Cars, usually building engines with rotor ignition and carburettor.
For his new Project (A-Team VAN G20), he decided to go on an LS3 Engine. It Comes with E38 AcDelco ECU.

He asks me, if I’m able to code out CAN Bus Nodes, Diagnostics, checks, and other stuff which is not needed in such a scenario.

So after a short search in the web, I ended up here and at gearhead-efi often and found out E38 has Motorola MPC56x Processor.
Same as Bosch ME9, also external Flash. Lots of experience with plus I developed stuff for this CPU at work 15 years ago.

So i said yes, i think i can do such things for my friend.

I started building CAN Based readout and flash tool.
It implements GMLAN Protocol, which is some fancy dialect of UDS Protocol for me.
I developed a ram based flashloader and tools for MPC56x with UDS years ago.

Took me some nights, but the info here and all around the web together with years of experience accelerated it a lot.

So I decided to give something back.




Here it is, my Flashtool PowerPCM_Flasher. It is Version 0.0.0.1. So be aware of bugs, there will be a lot ;)

PowerPCM_Flasher_0.0.0.1_connect.JPG
connect
PowerPCM_Flasher_0.0.0.1_connect.JPG (44.94 KiB) Viewed 3848 times
PowerPCM_Flasher_0.0.0.1_upload.JPG
upload
PowerPCM_Flasher_0.0.0.1_upload.JPG (59.65 KiB) Viewed 3848 times
PowerPCM_Flasher_0.0.0.1_download.JPG
download
PowerPCM_Flasher_0.0.0.1_download.JPG (45.75 KiB) Viewed 3848 times


You will need Microsoft .NET 2.0 installed.
You probably will need Microsoft VC2005 runtimes installed.

Tool has been tested on XP, Win7 32Bit & 64Bit and Win10 64Bit with above installed.

Edit: Update to Version 0.0.0.6

PowerPCM_Flasher_0006.zip
Tool 0.0.0.6
(35.08 KiB) Downloaded 142 times


PowerPCM_Flasher_0.0.0.5.JPG
GUI 0.0.0.5
PowerPCM_Flasher_0.0.0.5.JPG (89.51 KiB) Viewed 3571 times








Unfortunately for you all, i use a CAN Device called "Dice", it’s the Volvo Diagnostic Tool.
It is a non Standard J2534 Device, meaning the Software Interface is J2534, but not the Hardware side.
So i can include other J2534 Devices via lib or dll to my tool if you send the Tools to me.
The fee is probably that i will Keep them :D

Dice can be bought as china item for around 100$.

I have lying around an old ELM USB Cable, I’m trying to incorporate that for my next release.

So if anybody has Volvo Dice and GM E38 Car around, please feel free to test and report.
The "TSDiCE32.dll" needs to be in the same Folder as the exe.

Update: any J2534 PassThru Device like GM MDI can be used. Testing is up to you :)




Currently only E38 is supported. It reads full Flash binary (2MB) in two minutes and flashes only calibration area (~15s).
So you can read, edit with your favourite tool (Tunerpro, XDF Format) and then flash that back.

Update: E67 has been testet successful.


It is almost impossible to brick those ECUs when only flashing calibration. Thatswhy I decided so.



Tool is free for everyone, but not to be commercially used or reverse engineered.


List with stuff I plan for future Releases is about to come, but I’m waiting for Feedback also.


Have fun,

daniel2345




Edit: Changelog + toDo List:


Next things for tool:

- Which Interfaces are common in GM-Flash Scene? Where to get? -> GM MDI and VX Nano should be integrated / tested
- USB Elm Support -> half way
- PassThru DLL Support -> done, needs to be tested alot
- File-Structure Check, Checksums and CVN correction -> done
- E67 Support -> done and tested for E67 with Seed&Key Algo $89
- bugfixes, printouts fully english instead of some german leftovers
Last edited by daniel2345 on Thu Mar 05, 2020 5:46 pm, edited 11 times in total.

Posts: 46
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby daniel2345 » Fri Feb 21, 2020 5:34 am

I think it does not need a manual. Choose tool from drop down, click connect.
Connection to ecu is established, flashloader is send and executed.

Now you can read or write.
Write only if full 2MB binary file has been loaded privious!

After read or write, click disconnect.

If soemthing went wrong, ecu will not "talk" anymore, but react to CAN recovery Messages.
This is emplemented too, check "recovery" Checkbox before connect.

I tested everything on desk, no real GM E38 car is in my Garage :)


For E67: does it usualy use the same Seed&Key algo like E38? My desk E67 is not happy with algo.
But maybe it has some "Tunerlock" as you call that. If other algo, is someone willing to contribute?
It is not the 255 Algo Thing like LS1 PCMs ;)


Personaly i would beeing interested in GM E38 or GM E67 description files (in automotive industry we use A2L files).
And functional Software description also.
Last edited by daniel2345 on Wed Feb 26, 2020 10:22 pm, edited 2 times in total.

Posts: 85
Joined: Thu Feb 13, 2020 11:32 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby ironduke » Fri Feb 21, 2020 6:26 am

Hi, this looks very interesting.. For a J2534 device you could probably use one of the toyota ones.. I had one that worked fine with the E38 and gm sps programming up until I tried to update it and bricked it.. lol.. I'll paste a link below of one that looks just like the one I have..

https://www.amazon.com/RONSHIN-V13-00-0 ... 67&sr=8-22

For the seed and key issue on the E67, I did write a VERY ugly program using processing(what I was using at the time) to brute force a key of an E38 ecu that I bricked, Could take a few days.. I don't know if the E67 responces are similar to the E38 but if nobody offers up something better I can send it to you.. I did warn ya it's real ugly.. I wrote it just to unlock this one ECU.. It uses an elm327 which you already have..

Site Admin
User avatar
Posts: 6182
Joined: Sat Feb 28, 2009 8:34 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby antus » Fri Feb 21, 2020 7:51 am

Welcome to the forums! Thats quite an excellent first post! :) There is a GM MDI, which might work without too much trouble. I use that for anything that needs J2534 and have never had a problem with it. Its bashed on bosch hardware, and supports the whole spec. As for elm, they tend to be incredibly slow and can only handle small packets - im not sure what size you need for this flash. There is also the obdlink which is more expensive but also quite improved. Then there is an xpro interface some forum members are going to be releasing soon. vcx nano comes up time to time as a cheap option, but there are lots of clones out there which dont work properly which makes them hard to recommend as its hard to know what your getting.

The algo for the E67 should be known, and should be one of the ones you describe. You might need to brute force it over a couple of days then post up the seed and key and we can see if anyone can match it to an algo. But like you say if you have checked the existing algos its probably tunerlocked.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 46
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby daniel2345 » Fri Feb 21, 2020 10:43 am

ironduke wrote:Hi, this looks very interesting.. For a J2534 device you could probably use one of the toyota ones.. I had one that worked fine with the E38 and gm sps programming up until I tried to update it and bricked it.. lol.. I'll paste a link below of one that looks just like the one I have..

https://www.amazon.com/RONSHIN-V13-00-0 ... 67&sr=8-22

For the seed and key issue on the E67, I did write a VERY ugly program using processing(what I was using at the time) to brute force a key of an E38 ecu that I bricked, Could take a few days.. I don't know if the E67 responces are similar to the E38 but if nobody offers up something better I can send it to you.. I did warn ya it's real ugly.. I wrote it just to unlock this one ECU.. It uses an elm327 which you already have..



Thanks for your Input. The Toyota Device is also very cheap, aroud 20$. Uses FT232RQ - Need to check that.
It will probably populate a COM Port for the OS and send Bytes via CAN. Maybe same as ELM. With luck only one "COM to CAN" Driver needed :)
Or at least an "FTDI to CAN" Driver.

Thanks for the offer with your brute force tool. I made the same thing, im half through the 65536 possibilities...
Funny that we had the same idea :)

Posts: 46
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby daniel2345 » Fri Feb 21, 2020 10:51 am

antus wrote:Welcome to the forums! Thats quite an excellent first post! :) There is a GM MDI, which might work without too much trouble. I use that for anything that needs J2534 and have never had a problem with it. Its bashed on bosch hardware, and supports the whole spec. As for elm, they tend to be incredibly slow and can only handle small packets - im not sure what size you need for this flash. There is also the obdlink which is more expensive but also quite improved. Then there is an xpro interface some forum members are going to be releasing soon. vcx nano comes up time to time as a cheap option, but there are lots of clones out there which dont work properly which makes them hard to recommend as its hard to know what your getting.

The algo for the E67 should be known, and should be one of the ones you describe. You might need to brute force it over a couple of days then post up the seed and key and we can see if anyone can match it to an algo. But like you say if you have checked the existing algos its probably tunerlocked.


Thank you for your welcome. :)

GM MDI sounds very usefull then. Ill check how to get that.

Yes, the ELM was always only an emergency backup device for me.
I have chosen a block size of 0x400 (1024), this is common in Bosch ECUs.

Ill test it tomorrow.

Obdlink, ok. Ill go for the ELM for now, then have a look at the GM MDI.



E67: brute force is running, im very curious what is inside ecu :)

User avatar
Posts: 2180
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby Tazzi » Fri Feb 21, 2020 11:40 am

Awesome work!

Not sure what you mean by not full J2534? Is Dice not a proper J2534 tool?

Also, valid E67 seed/key should be:
09:14:17.5 MsgType=2, >[.H..]00 00 06 41 67 01 8B 58 [0008]
09:14:17.6 MsgType=1, <[.H..]00 00 02 41 27 02 64 97 [0008] FramePad
Image

User avatar
Posts: 402
Joined: Fri Feb 02, 2018 3:13 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby NSFW » Fri Feb 21, 2020 5:12 pm

Welcome to the forum!

You might consider taking the code from the Devices and Ports directories of the PcmLibrary and PcmLibraryWindowsForms projects here:

https://github.com/LegacyNsfw/PcmHacks/ ... velop/Apps

That gives a Device base class with derived classes for all of the interfaces mentioned above. If you revise your app to use the Device class instead of talking to the Dice hardware directly, you can support the same set of devices. And maybe write a DiceDevice class for compatibility with that hardware.

The ELM and J2534 device classes are pretty mature, the XPro works but is still changing regularly (and the hardware isn't for sale yet), and the AVT code used to work... but something went wrong there and we need to investigate. Future changes will probably be small though, and you can pull the fixes from the PcmHack code when the bugs get worked out.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

Posts: 85
Joined: Thu Feb 13, 2020 11:32 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby ironduke » Fri Feb 21, 2020 11:51 pm

Just trying to get it to run.. Looks like it won't be able to run on my windows 10 machine.. Can't seen to find the version of visual c++ I need in order to run this..

Error box info when trying to run it below...

System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.9136 (WinRelRS6.050727-9100)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

---------------------------------------------------------------------------------------------------
Info from sxsTrace pasted below..

Begin Activation Context Generation.
Input Parameter:
Flags = 0
ProcessorArchitecture = AMD64
CultureFallBacks = en-US;en
ManifestPath = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe
AssemblyDirectory = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\
Application Config File =
-----------------
INFO: Parsing Manifest File C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe.
INFO: Manifest Definition Identity is (null).
INFO: Reference: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
INFO: Resolving reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
INFO: Resolving reference for ProcessorArchitecture x86.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
ERROR: Activation Context generation failed.
End Activation Context Generation.

=================
Begin Activation Context Generation.
Input Parameter:
Flags = 0
ProcessorArchitecture = Wow32
CultureFallBacks = en-US;en
ManifestPath = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe
AssemblyDirectory = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\
Application Config File =
-----------------
INFO: Parsing Manifest File C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe.
INFO: Manifest Definition Identity is (null).
INFO: Reference: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
INFO: Resolving reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
INFO: Resolving reference for ProcessorArchitecture WOW64.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
INFO: Resolving reference for ProcessorArchitecture x86.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
ERROR: Activation Context generation failed.
End Activation Context Generation.

Posts: 46
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Postby daniel2345 » Sat Feb 22, 2020 2:00 am

Tazzi wrote:Awesome work!

Not sure what you mean by not full J2534? Is Dice not a proper J2534 tool?

Also, valid E67 seed/key should be:
09:14:17.5 MsgType=2, >[.H..]00 00 06 41 67 01 8B 58 [0008]
09:14:17.6 MsgType=1, <[.H..]00 00 02 41 27 02 64 97 [0008] FramePad


Thanks. :)

The Dice pretends to be J2534, but if you use the delivered DLL it does not answer in a standard way.
I always wanted to check why it does so and if the DLL can be patched, but never found the time to do so.


Thanks a lot for the seed&key. Appears not to fit E38 algo also....

Next

Return to Tools

Who is online

Users browsing this forum: No registered users and 1 guest