Open source GM OBD2 flash tool using a ELM327 device

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Locked
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

160plus wrote: I was really good with Legos as a child :wtf:
That literally just made my day :lol:

Great work mate!!!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

Looking for some input on adding brute force to the app. I have a counter set up to run every hex combination, but I need a range of values to run them within. Would starting at FFFF and counting down until the value is less than 4 bytes cover every possible combination? Will it matter if the counter goes up or down in value? The easiest way I have found to do this in Android is to set a counter to start at FFFF and then convert FFFF to base 10; then count down in base 10 and convert each answer back to hex and plug that value into the PCM.

Are there other formulas for calculating the key based on the seed from commercial tuning programs that anyone has figured out, which I could also add in before going to an actual brute-force style calculator?

Thoughts or any suggestions would be helpful here.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Start at FFFF as an integer data type and count down by subtracting one per iteration. Stop at 0001 (as 0000 means unlocked). Choose the format at display time and use hex on screen as it's what most people are familiar with, but definitely don't store it in your output format and write code to directly manipulate it. That's poor coding style.

Remember to check the PCM response code and handle it appropriately for the retries.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

antus wrote: Start at FFFF as an integer data type and count down by subtracting one per iteration. Stop at 0001 (as 0000 means unlocked). Choose the format at display time and use hex on screen as it's what most people are familiar with, but definitely don't store it in your output format and write code to directly manipulate it. That's poor coding style.

Remember to check the PCM response code and handle it appropriately for the retries.
This is an example of the countdown method; it's not sending anything, it's just counting down in hex. Does this look like it would cover every possible combination?

https://youtu.be/cwc_PKAm8-4

Is there a specific amount of time I should wait between key tries? I've read some posts that suggest it's once per 10 seconds and others that have said 2 incorrect tries in less than 10 seconds puts the PCM into a timeout before you can try again.
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

Need to tweak the timing a tad bit, but the "Key Cracker" does work. I'll likely give an option to save the key to a file or, even better yet...... the app can text the key to the device you're using :thumbup:
Currently the app runs even if it's in the background. I will likely add a "save last key tried" feature so you could work on cracking a PCM over the course of several weeks rather than in one go. It would also save a huge headache and a bunch of time if the Bluetooth dropped out and you didn't know what the last key tried was.

I'll test this theory tomorrow, but this should actually work on even a cheap $5 ELM327 clone.

Once I get the code cleaned up I'd be happy to share it; if you'd like to try it, send me a PM or drop me an email.

https://www.youtube.com/watch?v=4IMKAgl ... e=youtu.be
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

On the LS1 ECUs, you can do two key tries before a 10-second delay is required :)

Just checked the vid.. looks like it's getting the job done!
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

Tazzi wrote: On the LS1 ECUs, you can do two key tries before a 10-second delay is required :)

Just checked the vid.. looks like it's getting the job done!
I sat down at lunch, made a few changes and moved some blocks around in my app and I'm not sure how..... but I'm not suffering any timeout now. I can fire off keys about 4 seconds apart without hitting any timeout. I've restarted everything and run this on 3 different PCMs and none of them are giving me a lockout now between key tries. I've even run a simulation with the correct key being about 15 tries off, and the app clicks right through them and is able to get the correct unlock response of 6C F0 10 67 02 34 4B.

So..... I have no idea what I did per se; I mean I know what I changed in the app, but how can this not be hitting the timeout window now for too many tries? This shouldn't be possible, should it?
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

Hmm, no, that should definitely not be possible.

Can you copy the 15 key responses in here? I can double-check their actual response.
160plus
Posts: 90
Joined: Thu Sep 21, 2017 3:00 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by 160plus »

Tazzi wrote: Hmm, no, that should definitely not be possible.

Can you copy the 15 key responses in here? I can double-check their actual response.
Start value was A6EF and the correct key was A6D6, so it's a few more than 15 lines. This was just done on a 0411 PCM. So far I have tried this on the 0411, 0896, 9462 and 6243 PCMs. Some of these I can manage to go a LOT faster on than others, but all are done sending keys faster than 1 per second.

By all means, anyone reading this please check the log over and see if it's correct. If it is..... let's just say I can go a lot faster than you might think.
E8 FF 10 03 B3
E8 FF 10 03 B3
E8 FF 10 03 B3
E8 FF 10 03 B3
E8 FF 10 03 B3
68 6A F1 01 00 17
48 6B 10 41 00 BF BF B9 94 2B
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 EF 3A
6C F0 10 67 02 35 56
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
6C 10 F0 27 02 A6 EE 27
6C F0 10 67 02 36 71
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 ED 00
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 EC 1D
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 EB 4E
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 EA 53
6C F0 10 67 02 35 56
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
6C 10 F0 27 02 A6 E9 74
6C F0 10 67 02 36 71
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E8 69
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E7 D2
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 E6 CF
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E5 E8
6C F0 10 67 02 35 56
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
6C 10 F0 27 02 A6 E4 F5
6C F0 10 67 02 36 71
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E3 A6
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E2 BB
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 E1 9C
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 E0 81
6C F0 10 67 02 35 56
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
6C 10 F0 27 02 A6 DF 70
6C F0 10 67 02 36 71
E8 FF 10 03 B3
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 DE 6D
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 DD 4A
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 DC 57
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 DB 04
6C F0 10 67 02 35 56
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 DA 19
6C F0 10 67 02 36 71
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 D9 3E
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
E8 FF 10 03 B3
6C 10 F0 27 02 A6 D8 23
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 37 B8
6C 10 F0 27 02 A6 D7 98
6C F0 10 67 02 37 6C
E8 FF 10 03 B3
6C 10 F0 27 01 B0
6C F0 10 67 01 77 EC 7B
E8 FF 10 03 B3
6C 10 F0 27 02 A6 D6 85
6C F0 10 67 02 34 4B
E8 FF 10 03 B3
E8 FF 10 03 B3
E8 FF 10 03 B3
6C F0 10 60 FD
E8 FF 10 03 B3
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Tazzi »

Ah I see the problem/confusion.. so see this quick breakdown:

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 77 EC 7B - ECU responds with seed 77 EC
6C 10 F0 27 02 A6 EF 3A - Attempt key A6 EF
6C F0 10 67 02 35 56 - Response code 35 (incorrect)

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 77 EC 7B - ECU responds with seed 77 EC
6C 10 F0 27 02 A6 EE 27 - Attempt key A6 EE
6C F0 10 67 02 36 71 - Response code 36 (incorrect, 2nd attempt)

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 37 B8 - NO seed provided.. response of 37 (security timeout not met)
6C 10 F0 27 02 A6 ED 00 - Attempt key A6 ED (seed request failed anyway)
6C F0 10 67 02 37 6C - Response code 37 (security timeout not met)

You can see the seed response from the ECU changed on that third attempt.. the actual response is 1 byte shorter than the other seed responses since it's not actually providing the seed anymore; the ECU responded saying mode 37, which is essentially the ECU's way of saying "Mate, give me a 10-second break you talkative bugga!". :thumbup:
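Added example (not code from the thread or from 160plus's app): a Python decoder for the kind of frame log posted above, built from Tazzi's breakdown, that labels each frame and counts the 0x37 "security timeout not met" replies so a retry loop can tell a rejected key from a refused seed request, which is the response-code check antus asked for. The logged frame layout (header, target, source, mode, payload, SAE J1850 CRC-8 with poly 0x1D / init 0xFF / final XOR 0xFF), the status-byte meanings, and treating the E8 FF line as unrelated bus traffic are assumptions drawn from the thread and the J1850 standard.

```python
# Decode the mode 27 (security access) exchange out of a J1850 VPW frame log.
# Assumed logged frame layout: header, target, source, mode, payload, CRC byte.

# Status byte in a "67 02 xx" reply, or in the short "67 01 xx" reply sent
# when the PCM refuses to hand out a seed at all (meanings per the thread).
STATUS = {
    0x34: "key accepted, PCM unlocked",
    0x35: "incorrect key",
    0x36: "incorrect key, second attempt",
    0x37: "security timeout not met, wait before retrying",
}

def j1850_crc(data: bytes) -> int:
    """SAE J1850 CRC-8: poly 0x1D, init 0xFF, final XOR 0xFF."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D if crc & 0x80 else crc << 1) & 0xFF
    return crc ^ 0xFF

def decode(line: str):
    """Return (event, detail, crc_ok) for a tester/PCM diag frame, else None."""
    raw = bytes.fromhex(line)
    if len(raw) < 6 or raw[0] != 0x6C:          # skip other bus traffic
        return None
    crc_ok = j1850_crc(raw[:-1]) == raw[-1]
    mode, sub, data = raw[3], raw[4], raw[5:-1]
    if mode == 0x27:                            # tester -> PCM request
        return ("seed_request" if sub == 1 else "key_attempt", data.hex().upper(), crc_ok)
    if mode == 0x67 and sub == 1 and len(data) == 2:
        return ("seed", data.hex().upper(), crc_ok)
    if mode == 0x67 and len(data) == 1:         # status byte instead of a seed
        return ("status", STATUS.get(data[0], f"unknown {data[0]:02X}"), crc_ok)
    return None

def audit(log: str):
    """Decode every frame and count replies carrying the 0x37 lockout status."""
    frames = [ln for ln in log.replace("/", "\n").splitlines() if ln.strip()]
    events = [e for e in map(decode, frames) if e]
    lockouts = sum(1 for kind, d, _ in events if kind == "status" and d.startswith("security"))
    return events, lockouts

# Constructed from the thread's log: the first three key attempts plus one
# unrelated bus frame (E8 FF ...) that the decoder has to ignore.
LOG = """E8 FF 10 03 B3
6C 10 F0 27 01 B0 / 6C F0 10 67 01 77 EC 7B / 6C 10 F0 27 02 A6 EF 3A / 6C F0 10 67 02 35 56
6C 10 F0 27 01 B0 / 6C F0 10 67 01 77 EC 7B / 6C 10 F0 27 02 A6 EE 27 / 6C F0 10 67 02 36 71
6C 10 F0 27 01 B0 / 6C F0 10 67 01 37 B8 / 6C 10 F0 27 02 A6 ED 00 / 6C F0 10 67 02 37 6C"""
```

Running `audit(LOG)` on the full log posted in the thread would show the 37 replies appearing on every third attempt, which is the lockout the app was not noticing.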