GM E38 E67 Kernel/Bootloader Development Extravaganza

Bosch Motronic etc ECUs and PCMs
Posts: 2130
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby Tazzi » Tue Mar 31, 2020 10:25 pm

ironduke wrote:In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..

I did that trying to push 2011 or 2012 os and cals into a 2008 ecu... I wasn't doing it the right way.. is there a right way?? lol

Tazzi, I am kind of surprised the SUM was incorrect, I thought the ecu ran a SUM check on itself to verify the cals, although it may have been disabled? GM uses the CVN to check for altered calibrations and I read somewhere that those can be fudged but the SUM has to be good for it to run the code..
do you know where this bin came from? efi live? hptuner? etc??


Not sure where the file came from. Was just one pulled out of a locked ecu (using to check it's able to handle locked ecus).

Posts: 137
Joined: Mon Mar 09, 2020 4:35 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby In-Tech » Tue Mar 31, 2020 10:36 pm

ironduke wrote:In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..


Kinda funny key was same as seed, lol

I'm using efilives brute program atm on a different locked e38 so next time I pause that for a bit, I'll try that key. My USB BDM NT showed up so I hope to experiment with that in the next couple days.

Posts: 156
Joined: Sun Apr 10, 2016 9:20 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby kur4o » Tue Mar 31, 2020 11:12 pm

First the cvn is calculated and stored and then the sum is calculated and stored. The sum actually sums the cvn word too, but the cvn doesn't add the sum checksum word. They need to follow this exact sequence when updating.

The cvns are too time consuming to do on the pcm and it will take forever on reset for the pcm to boot. I am almost sure that pcm uses sums and the cvns are only for display. Still need a confirmation.

Can you post that bin to look at? It might have the sums disabled if it has some custom locked POS.

Newer OSs use a different location for storing seed/key than the earlier ones. When you upgrade the OS without updating the seed/key location in the eeprom area you get some semi bricked condition.

Actually there are more than 2 combos for OS-eeprom data formats. Cloning needs to take that into account.

Posts: 137
Joined: Mon Mar 09, 2020 4:35 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby In-Tech » Wed Apr 01, 2020 4:05 am

In-Tech wrote:
ironduke wrote:In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..


Kinda funny key was same as seed, lol

I'm using efilives brute program atm on a different locked e38 so next time I pause that for a bit, I'll try that key. My USB BDM NT showed up so I hope to experiment with that in the next couple days.

Good news this morning, woke up and brute force worked and efi erased it and was able to write all 8 modules and vin to it, traceability is still fubar.

I then tried the 3F80 key and it worked on this other tuner locked one. Kinda KISS to use the key as the same value as the seed. Guess you don't have to worry about forgetting. I don't have a way to correctly clone these yet(Tazzi hint :P ) but hopefully soon. Progress is always good :)

Good info Kur4o

p.s. edit. I just tried reading it with HP and it wouldn't read unless I put in the 3F80 key so looks to be an efi thing. Oh, and btw. I don't care about reading tuner locked files. I always start with my own or a stock gm file. I just like to have working computers on the shelf and not paperweights. :mrgreen:

Posts: 2130
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby Tazzi » Wed Apr 01, 2020 3:18 pm

Nice one!

I'll have to look at adding that as a recommended second attempt for the E38s.

I'll try a couple other files shortly and see if they also have the same problem. Maybe was a once off.. honestly dunno!!

Just opened a dozen more.. all valid for both CVN and SUM. So maybe it was a corrupt flash.. or someone maybe edited by hand? Or some other app?
Trying to find the bin I opened but might have been on the laptop which is currently boot looping after win10 latest update :roll:

*Edit
Ok I found it. Looks like hand edit I think to turn off VATS. So it's just someone else's muck up. I didn't check for fault codes before doing the unlock, so wonder if there was one pending if the ECU does a check?

I also got it mixed up. The CRC was wrong, but SUM was correct (I had these labelled backwards in my app). Which probably makes sense since if they are hand editing.
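
The CVN-then-SUM ordering kur4o describes and the "SUM correct, CRC wrong" state Tazzi found, as an added example that is not part of any post in this thread or of any tool mentioned in it. The segment layout, the zero-balancing word sum, the use of CRC-16/CCITT-FALSE as a stand-in for the CVN algorithm, and all function names are assumptions made for illustration.

```python
import struct

# Hypothetical segment layout for illustration only (not the real E38 map):
# [0:2] SUM word, [2:4] CVN word, [4:] calibration data, all big-endian.
SUM_OFF, CVN_OFF, DATA_OFF = 0, 2, 4

def crc16(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE, a stand-in for whatever CRC the CVN really uses."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def word_sum(data):
    """Wrapping 16-bit sum of big-endian words (odd tail zero-padded)."""
    data = bytes(data) + b"\0" * (len(data) % 2)
    return sum(struct.unpack(">%dH" % (len(data) // 2), data)) & 0xFFFF

def put_cvn(seg):
    # CVN covers the data only, so it never sees the SUM word.
    struct.pack_into(">H", seg, CVN_OFF, crc16(seg[DATA_OFF:]))

def put_sum(seg):
    # SUM covers the whole segment, CVN word included, and makes the total 0.
    struct.pack_into(">H", seg, SUM_OFF, 0)
    struct.pack_into(">H", seg, SUM_OFF, -word_sum(seg) & 0xFFFF)

def seal(data, cvn_first=True):
    seg = bytearray(4) + bytearray(data)
    for step in ((put_cvn, put_sum) if cvn_first else (put_sum, put_cvn)):
        step(seg)
    return bytes(seg)

def classify(seg):
    sum_ok = word_sum(seg) == 0
    cvn_ok = struct.unpack_from(">H", seg, CVN_OFF)[0] == crc16(seg[DATA_OFF:])
    if sum_ok:
        return "ok" if cvn_ok else "SUM ok, CVN stale"
    return "SUM bad"

def swap_words(seg, a, b):
    """Constructed edit: swap two data words; the word sum cannot see this."""
    seg = bytearray(seg)
    seg[a:a+2], seg[b:b+2] = seg[b:b+2], seg[a:a+2]
    return bytes(seg)

good = seal(b"123456789")                   # constructed sample data
print(classify(good))                       # sealed in the thread's order
print(classify(seal(b"123456789", False)))  # SUM stored before CVN
print(classify(swap_words(good, 4, 6)))     # edited data, SUM still balances
```

A file that reports "SUM ok, CVN stale" under this model is one whose data changed without the CVN being recomputed, which is why comparing both values says more about a bin's history than either check alone.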

Posts: 135
Joined: Tue Oct 16, 2012 12:17 pm
Location: Perth

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby Tre-Cool » Thu Apr 02, 2020 2:01 am

this might not mean much, but heres a bunch of e38 seed/keys that i've brute forced.

seed- 4071
2c8f

seed - 11CC
Key - 12C8

seed - 559D
key - 53BB

seed - 41DF
Key - 6762

seed - 11CC
Key - FF56

seed - 11CC
Key - B342

seed - 7909
Key - EAC9

seed - 441E
key - 653A

seed - 11CC
key - 19AE

Posts: 137
Joined: Mon Mar 09, 2020 4:35 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby In-Tech » Thu Apr 02, 2020 3:16 am

Thanks Tre-Cool, I saved those for future.

Obviously mine/ironduke to add is:

seed - 3F80
key - 3F80

What are you guys using for brute force? The only thing I have at the moment is in efilive's software and works. I am just getting back into this coding stuff so I had contemplated doing a simple program in VB(cuz I can scrape my way through that) but if you guys have anything you feel like sharing, that would be great.

Shoot, I just noticed I've only been a member on this site for less than a month and I am enjoying the hell outta myself digging into the fun :)

Posts: 2130
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby Tazzi » Thu Apr 02, 2020 3:49 am

Another late night special update.

Folder check on boot implemented. Warning will display if these folders cannot be created.

And tunerlock form fully working. Application will allow entering a custom key up to 5 times before cancelling the attempt.

And on that note... I would say.. we.. are... done! Will do a final test/run in my ute tomorrow as a final run through.
And also throw a new icon onto it, pop it into a package installer and should be ready for release. :thumbup:

tunerlockkey.PNG

Posts: 2130
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby Tazzi » Thu Apr 02, 2020 4:10 am

Also this is an example of two bins where the ECU has swapped the parameter block between the two memory sectors.

This is from the same ecu, but simply after the ecu has changed where this block has stored itself (For whatever reason).

I noticed it when comparing the reads. I did them a while ago, and can't remember if I did post this.
Attachments
GM E38 13-03-2020 12-42 AM.bin
(2 MiB) Downloaded 15 times
GM E38 12-03-2020 1-01 AM.bin
(2 MiB) Downloaded 15 times

Posts: 67
Joined: Thu Feb 13, 2020 11:32 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Postby ironduke » Thu Apr 02, 2020 5:26 am

Tre-Cool I'm pasting a clip of the code I am using in the bootloader/kernel code I have.. I can post up the whole thing but the algo is there for E38..

For brute forcing I just wrote up some processing code that tries every possible key and waits 10 seconds in between tries.. you need to wait 10 seconds or it spits out an error.. 65535 possibles at 10 seconds each is 7 days, lol..


void getkey() { // prior to this I send a 2701 and put the response into String seed
  // seed, seeds, key and Debug are not declared in this clip; they come from the rest of the sketch
  seed = seed.replace(">", ""); // get rid of > if present.
  seed = trim(seed); // get rid of spaces if present.
  seed = seed.substring(4, 8); // pull just the seed from the response string..
  seeds = unhex(seed);
  if (Debug) println(seed + " Converts to: " + seeds);

  key = 0;
  key = ((seeds & 0x0000FF00) >> 8) | ((seeds & 0x000000FF) << 8); // swap hi/low
  key = key + 0x7D58; // add 0x7D58
  key = ~key; // bitwise NOT
  key = key & 0xFFFF; // keep only the low 16 bits (4 hex digits)
  key = key + 0x8001; // add 0x8001
  key = ((key & 0x0000FF00) >> 8) | ((key & 0x000000FF) << 8); // swap hi/low, which also drops any carry above 16 bits
  if (Debug) println(" key to unlock ECU is :" + hex(key, 4));
  // key needs to be used with 2702 as hex(key,4)
  // myPort.write("2702" + hex(key,4));
}
