PowerPCM_Flasher: my tool for E38 and E67

Programs / Tools / Scripts
Post Reply
daniel2345
Posts: 51
Joined: Wed Feb 19, 2020 9:58 pm

PowerPCM_Flasher: my tool for E38 and E67

Post by daniel2345 »

Hello,

Please let me introduce myself. I’m an almost 40 year’s old embedded electronics and embedded Software automotive engineer from Germany.

Beside my family, work and house i do a lot of Tuning / ECU stuff in my spare time. I’m active in Volvo Tuning since almost 20 years now, doing a lot with Bosch and Denso ECUs (ME7, ME9, EDC15, EDC16). Mostly drag racing stuff.

A Friend of me is doing a lot with 60's/70's US Cars, usually building engines with rotor ignition and carburettor.
For his new Project (A-Team VAN G20), he decided to go on an LS3 Engine. It Comes with E38 AcDelco ECU.

He asks me, if I’m able to code out CAN Bus Nodes, Diagnostics, checks, and other stuff which is not needed in such a scenario.

So after a short search in the web, I ended up here and at gearhead-efi often and found out E38 has Motorola MPC56x Processor.
Same as Bosch ME9, also external Flash. Lots of experience with plus I developed stuff for this CPU at work 15 years ago.

So i said yes, i think i can do such things for my friend.

I started building CAN Based readout and flash tool.
It implements GMLAN Protocol, which is some fancy dialect of UDS Protocol for me.
I developed a ram based flashloader and tools for MPC56x with UDS years ago.

Took me some nights, but the info here and all around the web together with years of experience accelerated it a lot.

So I decided to give something back.




Here it is, my Flashtool PowerPCM_Flasher. It is Version 0.0.0.1. So be aware of bugs, there will be a lot ;)
connect
connect
PowerPCM_Flasher_0.0.0.1_connect.JPG (44.94 KiB) Viewed 41050 times
upload
upload
PowerPCM_Flasher_0.0.0.1_upload.JPG (59.65 KiB) Viewed 41050 times
download
download
PowerPCM_Flasher_0.0.0.1_download.JPG (45.75 KiB) Viewed 41050 times
You will need Microsoft .NET 2.0 installed.
You probably will need Microsoft VC2005 runtimes installed.

Tool has been tested on XP, Win7 32Bit & 64Bit and Win10 64Bit with above installed.

Edit: Update to Version 0.0.0.6
PowerPCM_Flasher_0006.zip
Tool 0.0.0.6
(35.08 KiB) Downloaded 2936 times
GUI 0.0.0.5
GUI 0.0.0.5
PowerPCM_Flasher_0.0.0.5.JPG (89.51 KiB) Viewed 40773 times






Unfortunately for you all, i use a CAN Device called "Dice", it’s the Volvo Diagnostic Tool.
It is a non Standard J2534 Device, meaning the Software Interface is J2534, but not the Hardware side.
So i can include other J2534 Devices via lib or dll to my tool if you send the Tools to me.
The fee is probably that i will Keep them :D

Dice can be bought as china item for around 100$.

I have lying around an old ELM USB Cable, I’m trying to incorporate that for my next release.

So if anybody has Volvo Dice and GM E38 Car around, please feel free to test and report.
The "TSDiCE32.dll" needs to be in the same Folder as the exe.

Update: any J2534 PassThru Device like GM MDI can be used. Testing is up to you :)




Currently only E38 is supported. It reads full Flash binary (2MB) in two minutes and flashes only calibration area (~15s).
So you can read, edit with your favourite tool (Tunerpro, XDF Format) and then flash that back.

Update: E67 has been testet successful.


It is almost impossible to brick those ECUs when only flashing calibration. Thatswhy I decided so.



Tool is free for everyone, but not to be commercially used or reverse engineered.


List with stuff I plan for future Releases is about to come, but I’m waiting for Feedback also.


Have fun,

daniel2345




Edit: Changelog + toDo List:


Next things for tool:

- Which Interfaces are common in GM-Flash Scene? Where to get? -> GM MDI and VX Nano should be integrated / tested
- USB Elm Support -> half way
- PassThru DLL Support -> done, needs to be tested alot
- File-Structure Check, Checksums and CVN correction -> done
- E67 Support -> done and tested for E67 with Seed&Key Algo $89
- bugfixes, printouts fully english instead of some german leftovers
Last edited by daniel2345 on Thu Mar 05, 2020 5:46 pm, edited 11 times in total.
daniel2345
Posts: 51
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by daniel2345 »

I think it does not need a manual. Choose tool from drop down, click connect.
Connection to ecu is established, flashloader is send and executed.

Now you can read or write.
Write only if full 2MB binary file has been loaded privious!

After read or write, click disconnect.

If soemthing went wrong, ecu will not "talk" anymore, but react to CAN recovery Messages.
This is emplemented too, check "recovery" Checkbox before connect.

I tested everything on desk, no real GM E38 car is in my Garage :)


For E67: does it usualy use the same Seed&Key algo like E38? My desk E67 is not happy with algo.
But maybe it has some "Tunerlock" as you call that. If other algo, is someone willing to contribute?
It is not the 255 Algo Thing like LS1 PCMs ;)


Personaly i would beeing interested in GM E38 or GM E67 description files (in automotive industry we use A2L files).
And functional Software description also.
Last edited by daniel2345 on Wed Feb 26, 2020 10:22 pm, edited 2 times in total.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by ironduke »

Hi, this looks very interesting.. For a J2534 device you could probably use one of the toyota ones.. I had one that worked fine with the E38 and gm sps programming up until I tried to update it and bricked it.. lol.. I'll paste a link below of one that looks just like the one I have..

https://www.amazon.com/RONSHIN-V13-00-0 ... 67&sr=8-22

For the seed and key issue on the E67, I did write a VERY ugly program using processing(what I was using at the time) to brute force a key of an E38 ecu that I bricked, Could take a few days.. I don't know if the E67 responces are similar to the E38 but if nobody offers up something better I can send it to you.. I did warn ya it's real ugly.. I wrote it just to unlock this one ECU.. It uses an elm327 which you already have..
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by antus »

Welcome to the forums! Thats quite an excellent first post! :) There is a GM MDI, which might work without too much trouble. I use that for anything that needs J2534 and have never had a problem with it. Its bashed on bosch hardware, and supports the whole spec. As for elm, they tend to be incredibly slow and can only handle small packets - im not sure what size you need for this flash. There is also the obdlink which is more expensive but also quite improved. Then there is an xpro interface some forum members are going to be releasing soon. vcx nano comes up time to time as a cheap option, but there are lots of clones out there which dont work properly which makes them hard to recommend as its hard to know what your getting.

The algo for the E67 should be known, and should be one of the ones you describe. You might need to brute force it over a couple of days then post up the seed and key and we can see if anyone can match it to an algo. But like you say if you have checked the existing algos its probably tunerlocked.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
daniel2345
Posts: 51
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by daniel2345 »

ironduke wrote:Hi, this looks very interesting.. For a J2534 device you could probably use one of the toyota ones.. I had one that worked fine with the E38 and gm sps programming up until I tried to update it and bricked it.. lol.. I'll paste a link below of one that looks just like the one I have..

https://www.amazon.com/RONSHIN-V13-00-0 ... 67&sr=8-22

For the seed and key issue on the E67, I did write a VERY ugly program using processing(what I was using at the time) to brute force a key of an E38 ecu that I bricked, Could take a few days.. I don't know if the E67 responces are similar to the E38 but if nobody offers up something better I can send it to you.. I did warn ya it's real ugly.. I wrote it just to unlock this one ECU.. It uses an elm327 which you already have..

Thanks for your Input. The Toyota Device is also very cheap, aroud 20$. Uses FT232RQ - Need to check that.
It will probably populate a COM Port for the OS and send Bytes via CAN. Maybe same as ELM. With luck only one "COM to CAN" Driver needed :)
Or at least an "FTDI to CAN" Driver.

Thanks for the offer with your brute force tool. I made the same thing, im half through the 65536 possibilities...
Funny that we had the same idea :)
daniel2345
Posts: 51
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by daniel2345 »

antus wrote:Welcome to the forums! Thats quite an excellent first post! :) There is a GM MDI, which might work without too much trouble. I use that for anything that needs J2534 and have never had a problem with it. Its bashed on bosch hardware, and supports the whole spec. As for elm, they tend to be incredibly slow and can only handle small packets - im not sure what size you need for this flash. There is also the obdlink which is more expensive but also quite improved. Then there is an xpro interface some forum members are going to be releasing soon. vcx nano comes up time to time as a cheap option, but there are lots of clones out there which dont work properly which makes them hard to recommend as its hard to know what your getting.

The algo for the E67 should be known, and should be one of the ones you describe. You might need to brute force it over a couple of days then post up the seed and key and we can see if anyone can match it to an algo. But like you say if you have checked the existing algos its probably tunerlocked.
Thank you for your welcome. :)

GM MDI sounds very usefull then. Ill check how to get that.

Yes, the ELM was always only an emergency backup device for me.
I have chosen a block size of 0x400 (1024), this is common in Bosch ECUs.

Ill test it tomorrow.

Obdlink, ok. Ill go for the ELM for now, then have a look at the GM MDI.



E67: brute force is running, im very curious what is inside ecu :)
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by Tazzi »

Awesome work!

Not sure what you mean by not full J2534? Is Dice not a proper J2534 tool?

Also, valid E67 seed/key should be:
09:14:17.5 MsgType=2, >[.H..]00 00 06 41 67 01 8B 58 [0008]
09:14:17.6 MsgType=1, <[.H..]00 00 02 41 27 02 64 97 [0008] FramePad
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by NSFW »

Welcome to the forum!

You might consider taking the code from the Devices and Ports directories of the PcmLibrary and PcmLibraryWindowsForms projects here:

https://github.com/LegacyNsfw/PcmHacks/ ... velop/Apps

That gives a Device base class with derived classes for all of the interfaces mentioned above. If you revise your app to use the Device class instead of talking to the Dice hardware directly, you can support the same set of devices. And maybe write a DiceDevice class for compatibility with that hardware.

The ELM and J2534 device classes are pretty mature, the XPro works but is still changing regularly (and the hardware isn't for sale yet), and the AVT code used to work... but something went wrong there and we need to investigate. Future changes will probably be small though, and you can pull the fixes from the PcmHack code when the bugs get worked out.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by ironduke »

Just trying to get it to run.. Looks like it won't be able to run on my windows 10 machine.. Can't seen to find the version of visual c++ I need in order to run this..

Error box info when trying to run it below...

System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.9136 (WinRelRS6.050727-9100)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

---------------------------------------------------------------------------------------------------
Info from sxsTrace pasted below..

Begin Activation Context Generation.
Input Parameter:
Flags = 0
ProcessorArchitecture = AMD64
CultureFallBacks = en-US;en
ManifestPath = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe
AssemblyDirectory = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\
Application Config File =
-----------------
INFO: Parsing Manifest File C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe.
INFO: Manifest Definition Identity is (null).
INFO: Reference: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
INFO: Resolving reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
INFO: Resolving reference for ProcessorArchitecture x86.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
ERROR: Activation Context generation failed.
End Activation Context Generation.

=================
Begin Activation Context Generation.
Input Parameter:
Flags = 0
ProcessorArchitecture = Wow32
CultureFallBacks = en-US;en
ManifestPath = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe
AssemblyDirectory = C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\
Application Config File =
-----------------
INFO: Parsing Manifest File C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\PowerPCM_Flasher_0002.exe.
INFO: Manifest Definition Identity is (null).
INFO: Reference: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
INFO: Resolving reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
INFO: Resolving reference for ProcessorArchitecture WOW64.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
INFO: Resolving reference for ProcessorArchitecture x86.
INFO: Resolving reference for culture Neutral.
INFO: Applying Binding Policy.
INFO: No publisher policy found.
INFO: No binding policy redirect found.
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_32\Microsoft.VC80.DebugCRT\8.0.50608.0__1fc8b3b9a1e18e3b\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.DLL.
INFO: Attempt to probe manifest at C:\Users\Owner\Downloads\PowerPCM_Flasher_0002\Microsoft.VC80.DebugCRT\Microsoft.VC80.DebugCRT.MANIFEST.
INFO: Did not find manifest for culture Neutral.
INFO: End assembly probing.
ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
ERROR: Activation Context generation failed.
End Activation Context Generation.
daniel2345
Posts: 51
Joined: Wed Feb 19, 2020 9:58 pm

Re: PowerPCM_Flasher: my tool for E38 and E67

Post by daniel2345 »

Tazzi wrote:Awesome work!

Not sure what you mean by not full J2534? Is Dice not a proper J2534 tool?

Also, valid E67 seed/key should be:
09:14:17.5 MsgType=2, >[.H..]00 00 06 41 67 01 8B 58 [0008]
09:14:17.6 MsgType=1, <[.H..]00 00 02 41 27 02 64 97 [0008] FramePad
Thanks. :)

The Dice pretends to be J2534, but if you use the delivered DLL it does not answer in a standard way.
I always wanted to check why it does so and if the DLL can be patched, but never found the time to do so.


Thanks a lot for the seed&key. Appears not to fit E38 algo also....
Post Reply