unlocked E41( and t87a) swapping to another vehicle

gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

Gampy wrote:I don't know the proper phrasing either ...

However, the addition of 0x is invalid, it is not a hex value in total, it is an ASCII hex encoded string ... :)
yeah exactly why i'm not pretending to know anything!
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

ironduke wrote:My thoughts were to copy the immo reset procedure that happens using sps.. I've got a failed log for an E92 here somewhere I'll post it up..

off of memory, it looks like it asks the bcm something..
Then it looks like it tries to unlock the ecm.. Mine fails since it doesn't have the original vin?? Looking to find the original vin and then I'll try again..
Assuming if it unlocks then you have to wait 10 minutes, then either write a new immo key or cycle the key and it should learn the immo from the bcm?? Not sure since I haven't had it work yet on the bench and haven't thought to log a good one.. I did see somewhere that it does not need a tester present command during the 10 minute wait..
E92.bench.immo.learn4.log.txt
yeah i see that, i'm not sure what it's polling the BCM for though
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

gmtech825 wrote:
ironduke wrote:My thoughts were to copy the immo reset procedure that happens using sps.. I've got a failed log for an E92 here somewhere I'll post it up..

off of memory, it looks like it asks the bcm something..
Then it looks like it tries to unlock the ecm.. Mine fails since it doesn't have the original vin?? Looking to find the original vin and then I'll try again..
Assuming if it unlocks then you have to wait 10 minutes, then either write a new immo key or cycle the key and it should learn the immo from the bcm?? Not sure since I haven't had it work yet on the bench and haven't thought to log a good one.. I did see somewhere that it does not need a tester present command during the 10 minute wait..
E92.bench.immo.learn4.log.txt
yeah i see that, i'm not sure what it's polling the BCM for though
I'm not sure either, lol.. but.. I changed the code below to send the immo code I found in the bin near the vin number in the eprom and got a different response, left the logs in the garage, I'll post them up here later if it'll help..
7E0 07 AE 7E 80 39313331 >>> Instead of that I had it send the 31 32 33 37 code and it responded with a 07 E8 05 7F AE FE..

I waited 12 minutes and then sent it 7E0 07 AE 7E 40 39313331 0x40 is the write immo code... and it worked, I got back another AE FE code.. Powered the ECM down with ign, then battery feed, powered it back up and now it unlocks with that 9131 code..

Now sps2 makes it further trying to do the immo learn but the BCM errored out.. Not sure what it's polling the BCM for but the BCM and ECM are non matching years and there is no immo/theft module on the low speed bus so that's 2 reasons it could be failing..
If you knew the immo code it needed to unlock, AND the immo code the BCM was looking for you might be able to get it done..
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

yeah i'd be interested in the log if it's not too much trouble. I'm somewhat confused when you say that it worked yet you got back the AE FE response...isn't that a negative response?
Gampy
Posts: 2330
Joined: Sat Dec 15, 2018 7:38 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Gampy »

ironduke wrote:and it responded with a 07 E8 05 7F AE FE..

I waited 12 minutes and then sent it 7E0 07 AE 7E 40 39313331 0x40 is the write immo code... and it worked, I got back another AE FE code.. Powered the ECM down with ign, then battery feed, powered it back up and now it unlocks with that 9131 code..
I don't know everything, but everything that I do know says, 7F is failure!
The bytes following are typically what and/or why, depending on what/when/where and how ...
Intelligence is in the details!

It is easier not to learn bad habits, than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

the log that worked.. sorry I was operating off memory with the earlier post..

7E007AE7E8031323335 // unlocked with 1235 and waited 12 minutes. Found 1235 in the bin near the vin and serial number
7E802 EE 7E AAAAAAAAAA
7E0021AA0
7E8035AA000AAAAAAAA // just polling the enable counter, been trying to write to it without success..
7E80160AAAAAAAAAAAA
7E007AE7E4039313331 // sent a 40 command to write immo and wrote 9131
7E8 02 EE 7E AAAAAAAAAA // accepted? same response as unlocking??

//////////////////// ignition off, wait 30, then remove battery power..

7E007AE7E8039313331 // Unlocked with the new immo..
7E802EE7EAAAAAAAAAA
7E0021AA0
7E8035AA000AAAAAAAA
7E80160AAAAAAAAAAAA

Once it is unlocked it sends that EE 7E response if you keep on trying to unlock it with any code..
There is in fact a 10 second timer like Tazzi stated.. I built a quick brute force program, needs that delay between attempts or everything gets a 7f response even if you send the right immo code..

Edited... I still can't change the damn vin on this.. I can write the vin it has and get a good response but I can't change it.. unlocking the immo doesn't make a bit of difference with that, didn't think it would.. somehow I was able to "unlock" this E92 vin and change the vin, lol.. trying to find my notes on how I did it before.. Trying a full OS and calibration write and then change the vin, that works on some of the newer E38 OS's that lock you out of writing the vin..
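A decoder for the single-frame lines in the log above, as an added example that is not part of the original posts. It assumes each line is three hex digits of CAN ID, one length byte, then the payload padded with AA, and it applies the diagnostic convention that 7F marks a negative response while a positive response echoes the request service ID plus 0x40; bytes after the service ID are left uninterpreted.

```python
import re

NEGATIVE = 0x7F         # negative-response marker ("7F is failure" in the thread)
POSITIVE_OFFSET = 0x40  # positive response echoes the request service ID + 0x40

# First five lines are copied from the log above; the last one is constructed
# from response bytes quoted elsewhere in the thread.
SAMPLE_LOG = """\
7E007AE7E8031323335 // unlock request
7E802 EE 7E AAAAAAAAAA
7E0021AA0
7E8035AA000AAAAAAAA
7E80160AAAAAAAAAAAA
7E8 05 7F AE E3 FE 05 AAAA // constructed line
"""

def parse_line(line):
    """Return (can_id, payload) for a single-frame line, or None if it is not one."""
    hexchars = re.sub(r"\s+", "", line.split("//")[0])  # drop comment and spacing
    if len(hexchars) < 5 or len(hexchars) % 2 == 0:
        return None                      # need 3 ID digits plus whole bytes
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexchars):
        return None
    can_id = int(hexchars[:3], 16)       # assumed: 3 hex digits of 11-bit CAN ID
    data = bytes.fromhex(hexchars[3:])
    length = data[0]                     # assumed: single-frame length byte
    if not 1 <= length <= min(7, len(data) - 1):
        return None
    return can_id, data[1:1 + length]    # AA padding after the payload is dropped

def decode(log, request_id=0x7E0):
    """Label each frame as request, positive, negative or other."""
    results, last_sid = [], None
    for line in log.splitlines():
        frame = parse_line(line)
        if frame is None:
            continue
        can_id, payload = frame
        sid = payload[0]
        if can_id == request_id:
            last_sid, kind = sid, "request"
        elif sid == NEGATIVE:
            kind, sid = "negative", payload[1] if len(payload) > 1 else None
        elif last_sid is not None and sid == (last_sid + POSITIVE_OFFSET) & 0xFF:
            kind, sid = "positive", last_sid
        else:
            kind = "other"
        results.append((hex(can_id), kind, sid, payload.hex(" ")))
    return results
```

Calling `decode(SAMPLE_LOG)` labels the `EE 7E` and `5A A0 00` frames as positive responses to services AE and 1A, and the constructed `7F AE ...` frame as a negative response to AE.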
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Tazzi »

Ok so here is the part that probably only the devs of GM understand in terms of security.

The immobiliser value, (Our 4 digit value) can be programmed to match a second hand vehicle's value, BUT, this does not mean it's completely security linked to that car.

The reason for this, is this prevents criminals from programming a replacement module on the bench, then just going and plugging it into someone's car to drive away.

There is a second part to it called the "environment identifier". This is unique to every vehicle and can only be learnt when IN the vehicle.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

Tazzi wrote:Ok so here is the part that probably only the devs of GM understand in terms of security.

The immobiliser value, (Our 4 digit value) can be programmed to match a second hand vehicle's value, BUT, this does not mean it's completely security linked to that car.

The reason for this, is this prevents criminals from programming a replacement module on the bench, then just going and plugging it into someone's car to drive away.

There is a second part to it called the "environment identifier". This is unique to every vehicle and can only be learnt when IN the vehicle.
I've heard of that from GM manuals and such, and with about as much detail as you've provided, lol.. I kind of hoped that was done the same time you performed the immo learn..
Send the correct immo key to unlock, wait 10-12 minutes and then on the next key cycle it learns the immo and identifier.. You don't know of specific steps for the environment identifier, right?

I tried something on my bench unit and I think it's screwed up fairly well.. I did figure out how to program the immo I want, but I have a 14 E92 and an older BCM wired up on the bench, thought I'd try sending the immo key to unlock the ecu, wait the 10-12 minutes and then cycle the ign on both of them.. I was hoping to sniff what happened and if it's in the log then I can't see it, but I'll try to keep breaking down some of the messages.. It did do something since I can't unlock the E92 ecm with what used to be there for an immo code.. What is funny is I know where in the bin file the immo is, something like 0x3d4 offset from 0x10000 and 0x20000 depending on which page of eeprom it wrote to.. I changed the immo a few times and saw where it was writing it, well when I tried the ECM and BCM those numbers didn't change but now I can't unlock it... every response from trying to unlock is 7F AE E3 FE 05 instead of the 7F AE E3 FE 03 I had been getting.. Trying brute force but not too optimistic.. I'll find out about this same time tomorrow, already been running a couple hours, and that's only if it's still somewhere between 0000 and 9999....
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Tazzi »

I have not gone further into it since I no longer have a global A car to mess with it.

But I believe there is a combination between linking, wait time, commands and key cycles for the learn to take place.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

7F AE E3 FE 05 is the same response I get when I try to send the unlock code to the bench ECM without a BCM present.
Tazzi wrote:I have not gone further into it since I no longer have a global A car to mess with it.

But I believe there is a combination between linking, wait time, commands and key cycles for the learn to take place.
if you look at the DBC description I posted it describes values for the identifiers, but I haven't spent any time trying to make sense of it.
You've had success with global A and reusing modules from a different vehicle without setting identifier codes?