PowerPCM_Flasher: my tool for E38 and E67

[daniel2345]

Welcome to the forum!

You might consider taking the code from the Devices and Ports directories of the PcmLibrary and PcmLibraryWindowsForms projects here:

https://github.com/LegacyNsfw/PcmHacks/ ... velop/Apps

That gives a Device base class with derived classes for all of the interfaces mentioned above. If you revise your app to use the Device class instead of talking to the Dice hardware directly, you can support the same set of devices. And maybe write a DiceDevice class for compatibility with that hardware.

The ELM and J2534 device classes are pretty mature, the XPro works but is still changing regularly (and the hardware isn't for sale yet), and the AVT code used to work... but something went wrong there and we need to investigate. Future changes will probably be small though, and you can pull the fixes from the PcmHack code when the bugs get worked out.

I have the source zip on my computer, thanks for the hint and that you allow me to do so
Unfortunately i really really really don't like C# and classes at all, coming from microcontroller development

But i will check it and if it can be integrated, for sure.

Using one library for communication in tools will surely have benefits...

[daniel2345]

My E67 bruteforce was successful this night. The seed&key does not match E38, of course.
Ill check tonight if i can find out any similarities between the two pairs i have now

@Ironduke: It is made with VS2005, so using .Net2.0 and VC2005 runtimes should do it.
I tested it on Windows10 Laptop, old XP Pc and Windows7 also.

Ill check which runtimes are installed this evening.

Working on ELM integration was the plan also.

[Gampy]

Hi daniel2345,

Welcome to the forum.

Are you willing to share the Seed/Key??

[kur4o]

Personaly i would beeing interested in GM E38 or GM E67 description files (in automotive industry we use A2L files).
And functional Software description also.

These are non existent for gm pcms, and the description files you are used to from bosch are also non existent. You will be on a steep learning curve since there isn1t much similarities to what you are used to.
You will also found it much easier later when you gain enough knowledge.
This will get you a good start how the pcm operates and what tables are in there. Unfortunately it is only a report file, so there isn`t any addresses for the tables.

escalade 2007.rar

(190.35 KiB) Downloaded 398 times

The algo used for e38 and e67 is $89 table1, at least on the first service numbers. Later revisions might have switched to other algos.
What service number is your e67.

the algo is
rotate left 6bits
swap bytes of result and add $AA17
rotate right 2 bits
add $2a8e


You said you have experience with some bosch stuff. I am working on s side project to run ls1 coils on me7 controller. The problem is that dwell must be optimized for the coils. I have zero idea what to look for and how to find it. Only managed to pull the bin with home made cable and some nice open source program called nefmoto. If you are willing to collaborate on a joint project we can merge best of both.

[ironduke]

I have a different algo for E38 ecu's.. Send up or post up your seed and I'll tell you what I get for a key.. Or use the info below and see if it spits out a good key for you..

unsigned int E38(unsigned int seeds)
{
int key = 0;
key = ((seeds & 0x0000FF00) >> 8) | ((seeds & 0x000000FF) << 8); // swap hi/low
key = key + 0x7D58; // add 0x7D58
key = ~key; // bitwise NOT
key = key & 0xFFFF; // only use the first 4 bytes
key = key + 0x8001; // add 0x8001
key = ((key & 0x0000FF00) >> 8) | ((key & 0x000000FF) << 8); // swap hi/low
return key;
}

[kur4o]

On 2010-on e38s the algo is switched to $92. There is also different flashing routine used. Is it some software update only or some pcm revision.
$92 algo is

swap seed bytes add 7d58
1`s complement
add 8001
rotate left 8bits

It looks the same as ironduke had posted.

[Tazzi]

On 2010-on e38s the algo is switched to $92. There is also different flashing routine used. Is it some software update only or some pcm revision.
$92 algo is

swap seed bytes add 7d58
1`s complement
add 8001
rotate left 8bits

It looks the same as ironduke had posted.

Must depend on the operating system used?
Our Holden VE-VF (2006 through to 2018) all use the same algo for the entire range.

[daniel2345]

Hey guys. The night was not very productive.

I ended up with being able to send and receive with the ELM.
But when it comes to "fast" sending for readout and write, it got stucked, loses frames.

But not unexpected. Some slow downs or more checks have to be integrated.
I will work on that tonight.

But: E67 works as expected.
When unlocking it, flashloader works as prepared. Readout and flash calibration was successful.
So at least some progress



The Seed&key thing gets ugly. I did not expected that.
My guess is, that the used Algo number depends on service number of ecu?

My E67 uses $89, my E38 uses $92.

E38 Service # 12633238:
19.9740 1 7E8 Rx d 8 04 67 01 31 EA AA AA AA
20.2068 1 7E0 Rx d 8 04 27 02 77 18 00 00 00

E67 Service # 12625453:
4.8615 1 7E8 Rx d 8 04 67 01 66 0B AA AA AA
4.9936 1 7E0 Rx d 8 04 27 02 8B 74 00 00 00


Tazzis seems not to fit one of both?



For the communication: how should a generic J2534 device work?
I see something is read out from the registry in windows. Does it put its dll location there and all calls are standardized with generic Header?

The Volvo Dice does not do that correct. In PcmHammer all known Dices are in the listbox and connection fails with dll load...

[daniel2345]

Personaly i would beeing interested in GM E38 or GM E67 description files (in automotive industry we use A2L files).
And functional Software description also.

These are non existent for gm pcms, and the description files you are used to from bosch are also non existent. You will be on a steep learning curve since there isn1t much similarities to what you are used to.
You will also found it much easier later when you gain enough knowledge.
This will get you a good start how the pcm operates and what tables are in there. Unfortunately it is only a report file, so there isn`t any addresses for the tables.

escalade 2007.rar

Wow, thanks for that. I know non european manufactors often use their own file types and description formats.
Like Denso. But they can always produce A2L and docu. I was hoping AcDelco did similar.
But maybe not public leaked then...

But as you said, learning is expected and welcome

You said you have experience with some bosch stuff. I am working on s side project to run ls1 coils on me7 controller. The problem is that dwell must be optimized for the coils. I have zero idea what to look for and how to find it. Only managed to pull the bin with home made cable and some nice open source program called nefmoto. If you are willing to collaborate on a joint project we can merge best of both.

You are probably for KFSZT - Kennfeld Schließzeit - which simply means Map Dwell translated.
It is dwell(uBatt, nEng). I can find that in any ME7 image in a few seconds.
Send me a PM, we can chat there.

[antus]

From what ive seen the algo tends to be by the hardware platform type. Id expect e38 to be one algo and e67 another. I think delphi did create a2l but they are not public. The elm is a very slow and crap interface. It'll be really slow to use. J2534 is described in C so you need something like pcmhammers j2534.dll by forum member tazzi which can load the vendor dll and make calls in to it while that dll can be loaded in called from your language of choice. You could probably load the vendor dll direct too if you wanted too.