Open source GM OBD2 flash tool using a ELM327 device

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Locked
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

I've scoured the internet in search of an open source PCM flash tool. The closest i've come to seeing one was made by planethax (with help) on this site. I've gathered a treasure trove of information regarding GM obd2 VPW protocol and the intel 28f400B but haven't been able to get my bin. That said, please help gurus and weekend warriors alike.

First here's what i've been working with OBDallinone elm327 USB, hyperteminal, Putty, a 2002 411 PCM, and open knowledge from everyone whos posted on a forum in the last 10+ years. Truthfully my intention is only to remove VATS (for now).

Heres the HYPERTERMINAL setup, putty of course is the same. User beware this can be tricky also don't bother messing with this unless you have your seed/key and are totally prepared to buy a new PCM. If your new to this I highly suggest you read http://elmelectronics.com/DSheets/ELM327DS.pdf .

Baud 38400
parity none
Data bits 8
Stop Bits 1
Flow control none

Here's the supposed procedure for a upload from the 411 PCM to a device (but it doesn't work) any suggestions? Also not sure what PCMs this works on.

AT RV -- CHECK VOLTAGE (MAKE SURE ITS 12 VOLTS. MULTIMETER AND CAL. IF NEEDED)
AT SP2 -- SET ELM TO J1850
AT H1 -- SET HEADERS ON

AT SH 6C FE F0 -- SET HEADER
3F -- TEST DEVICE PRESENT RX(NO DATA) why no data?

AT SH 6C F0 10 -- SET HEADER TO
27 01 -- GET SEED RX(6C F0 10 67 01 66 7E 52) your seed will be different
27 02 14 E7 -- SEND CORRECT KEY RX(6C F0 10 67 02 34 4B) your key will be different

AT SH 6C FE F0 -- SET HEADER
3F -- TEST DEVICE PRESENT RX(NO DATA) why no data?

AT SH 6C F0 10 -- SET HEADER TO
A1 -- REQUEST HIGH SPEED MODE

You only have a short time before it returns to normal speed automatically <5 sec.

AT SH 6D 10 F1 --
36 00 00 80 FF 80 00 -- (eg. 128 bytes, start loc FF8000)

after failure or success make sure to do this

AT SH 6C F0 10 -- SET HEADER TO
A0 -- RETURN TO NORMAL MODE
AT D -- RESETS ELM

Help? suggestions?
vn5000
Posts: 551
Joined: Fri Jul 17, 2009 2:11 pm
cars: vn v8 commodore
Location: GOLD COAST QLD

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by vn5000 »

You should find this file very helpfull.
Once youve got the read sorted ill give you a write file. :thumbup:
To set the elm to high speed use ATBRD with a devisor of 23 and this will give you 115200 baud.
Last edited by vn5000 on Sat Aug 27, 2011 12:43 am, edited 1 time in total.
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Wow thats good info! :D thanks.
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Well, got a lot of testing/reading to do to verify messages TX and RX strings and what they mean/do mostly that I don't missstype an entry. The more that's written down the easier it will be to create error and success messages when the FLASH program is developed (crossing fingers). If anyone following this has some info post it don't be shy. Here is some more light reading for anyone new or interested in this.... GM J1850 VPW Message structure http://www.obddiagnostics.com/obdinfo/msg_struct.html the above PDF link explains it best in my opinion page 35. Use and read the attachment below to further understand the structure and commands if you don't already its an enlightening read.

Note: I did not create this oo calc file and unfortunately I can't remember who did. So, all apologies to it's creator for no citation at the same time thanks for keeping information/knowledge free for everyone .
Attachments
PCM com .ods
(20.3 KiB) Downloaded 1311 times
jezzab
Posts: 18
Joined: Thu Nov 04, 2010 3:18 pm

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by jezzab »

You normally have to upload a bootloader in motorola code which will start the actual download
User avatar
Doctor Bob
Posts: 195
Joined: Mon Mar 02, 2009 10:58 pm
cars: VN, VT
Location: Melbourne Vic.
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by Doctor Bob »

see if this helps...
the text file is a log while programming with ls1edit
the other is tech info from GM

Cheers Rob
Attachments
vt-prog.txt
(252.88 KiB) Downloaded 1491 times
flashbe.doc
(120.5 KiB) Downloaded 1491 times
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Jezzab thanks, I think I have a "bootloader" (upload routine) that will work, just need to get the right COM setup in VB (visual Basic) working to test it. If you or anyone has a bootloader for gm obd2 I'd love to check it out. DR. Bob very interesting stuff thanks.

Anyway still hard at work on VB stuff I'll give a detailed update (most likely accompanied with a lot of questions) on progress after a lot more testing.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

The bootloader is already in the pcm. You need to unlock the pcm, upload your code to ram, set the bootloader to execute from ram next cycle, then reset the pcm, then talk to your own code on the pcm, and take it from there.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

antus wrote:The bootloader is already in the pcm. You need to unlock the pcm, upload your code to ram, set the bootloader to execute from ram next cycle, then reset the pcm, then talk to your own code on the pcm, and take it from there.
I like the info antus i'm still learning every step of the way on this project. Maybe you can help with this one; I'm defiantly in over my head but I'm going to ride this out to completion. I have a few questions for you and everyone. The upload procedure from many accounts is like this generically.
---------------------------------
disable chatter 28 00
Seed/Key
High speed A1
Mode $34
Transmit our "upload from PCM" routine/code with mode $36
Question 1
The code to access the memory mode $36 is obviously the nuts and bolts for download (control) but i haven't seen any way to compile a code. I've only seen data logs with the information to be transmitted, Is there such a document for code compilation ?
question 2
The data for mode $36 (upload) I have is long and by all accounts of GM code compilation defies the normal transmission procedure. The question is can I just keep sending the upload routine bit by bit or do i need to break the code down to 8 bit with checksums.
---------------------------------
Here's part of the code.
Yellow = Checksum?
Red = Header
Green = Mode
Blue = Upload code (NOTE: Arbitrary Code)
11 FF 3E 6D 10 F0 36 80 03 32 FF FE 0C 4E 70 60 39 00 39 00 00 01 10 13 FC 00 03 00 FF F6 0C 13 0D 61 10 39 00 FF F6 FC 00 00 00 FF F6 0E 02 00 00 E0 0C 00 00 E010 39 00 FF F6 0F 61 00 00 A8 61 00 02 32 0C 91 3E 61 20 00 FF 94 27 66 00 00 2A 20 7C 00 FF 94 40 20 39 00 FF 94 27 66 BE 00 FF 94 44 61 00

- :comp:
Last edited by uknomeprk on Tue Aug 30, 2011 4:04 pm, edited 2 times in total.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Q1. You dont really need to compile code, you can write it by hand and assemble it. Its motorola 68332 assembler. Or better yet, disassemble existing code, and figure out what it does and why, and use that as a road map to create your own. Or use it as is, but you may or may not open yourself up to legal issues with that.

Q2. You do need to break it down. Im told the max packet size is quite small on an elm. But this is as much as I know so far.

I fully intend to write a free flash tool also, but have broken my socketed pcm so am sorting out some new hardware first. I know attempting to flash it will very likely brick it over and over before its right so I want to be able to pull the chip to recover the pcm before I get stuck in to the code experimentation. Im not sure where that line you posted came from, so Im not sure if those first bytes are elm instructions or what....?
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Locked