Reading eeprom from delco PCM, MC68336 based
-
- Posts: 43
- Joined: Fri Mar 20, 2015 4:34 am
- cars: saturn
Reading eeprom from delco PCM, MC68336 based
Hi All,
I'm trying to get my auto PCM on my '02 saturn programmed to be a manual. I swapped to a manual years ago, but I need to do this in order to eliminate some transmission related DTC's to pass e-test (used to sniff the pipe before, now they read the codes). I'm an EE with embedded background, so no stranger to electronics, but my experience with delco PCM's is very limited. Here is my status so far:
-local dealerships claim not to be able to flash program via the tech-2 with the options I want. This is BS, but can't convince them of that.
-I purchased a used manual PCM from a JY but haven't been able to get it married to the BCM (it's a passlock 2 system, from what I read, and I have tried all the relearn procedures to no avail).
-even if I can get the manual PCM married to my BCM it's for an SOHC and I have the DOHC...so while it may work for testing, I can't confirm it will run it correctly enough to not have DTC's
-snooped inside my auto pcm and confirmed it has an MC68336 CPU and 28f800 eeprom
-I have a version of IDAPro to disassemble the bin and a willem programmer
-I don't have a BDM
Goals:
1) I would like to read my auto eeprom, and identify where the passlock information is stored
2) If I can extract the passlock information above, I can then program the manual eeprom with that passlock info, hopefully "forcing" the passlock relearn
3) Identify the main engine loop and lookup tables, then create a hybrid bin of the auto pcm's engine management portion, and the rest of the code from the manual pcm
Questions:
-What is the best method to read/write the eeproms? using the willem is lots of wiring, and the address lines are likely swapped for "encryption" so it may work, but is cumbersome. Has anyone used the BDM port to read/write from similar PCM's? If so, could you provide some details?
-How can I go about finding similar PCM bins to compare mine to? When I go to disassemble this code, I would like to have similar bins so that I can compare sections of code and start to understand it.
Thanks for any help you may be able to provide.
Ivan
I'm trying to get my auto PCM on my '02 saturn programmed to be a manual. I swapped to a manual years ago, but I need to do this in order to eliminate some transmission related DTC's to pass e-test (used to sniff the pipe before, now they read the codes). I'm an EE with embedded background, so no stranger to electronics, but my experience with delco PCM's is very limited. Here is my status so far:
-local dealerships claim not to be able to flash program via the tech-2 with the options I want. This is BS, but can't convince them of that.
-I purchased a used manual PCM from a JY but haven't been able to get it married to the BCM (it's a passlock 2 system, from what I read, and I have tried all the relearn procedures to no avail).
-even if I can get the manual PCM married to my BCM it's for an SOHC and I have the DOHC...so while it may work for testing, I can't confirm it will run it correctly enough to not have DTC's
-snooped inside my auto pcm and confirmed it has an MC68336 CPU and 28f800 eeprom
-I have a version of IDAPro to disassemble the bin and a willem programmer
-I don't have a BDM
Goals:
1) I would like to read my auto eeprom, and identify where the passlock information is stored
2) If I can extract the passlock information above, I can then program the manual eeprom with that passlock info, hopefully "forcing" the passlock relearn
3) Identify the main engine loop and lookup tables, then create a hybrid bin of the auto pcm's engine management portion, and the rest of the code from the manual pcm
Questions:
-What is the best method to read/write the eeproms? using the willem is lots of wiring, and the address lines are likely swapped for "encryption" so it may work, but is cumbersome. Has anyone used the BDM port to read/write from similar PCM's? If so, could you provide some details?
-How can I go about finding similar PCM bins to compare mine to? When I go to disassemble this code, I would like to have similar bins so that I can compare sections of code and start to understand it.
Thanks for any help you may be able to provide.
Ivan
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Reading eeprom from delco PCM, MC68336 based
There are some links to some information on the forums here, but by the sounds of it you have already found that.
http://pcmhacking.net/forums/viewtopic. ... urn#p30995
The passlock2 data is likely in the 'eeprom' which may or may not be a real eeprom. If its real no doubt you can find it and read it and compare between cars and swap the segment to prove you have it right. If its not real its probably in a block of data at 0x4000 or 0x6000 which should be identifiable by the VIN being also in that block.
I dont know of any tool which can read the bin, so you might need to lift the chip and do the wiring.
Alternatively, and im not sure if this would work, you could buy an MDI interface from somewhere like aliexpress (find the ones that clearly show 2 reasonably heavily populated PCBs as there used to be fakes around in MDI boxes), and license the SPS flashing tools for a short period from https://www.acdelcotds.com/acdelco/action/subscribehome . Assuming your car is supported that might provide some options. What it takes to update the vin in the pcm and if that is required to force in the right program I cant say, so the risk would be yours. Perhaps it'll just provide the options you need, or perhaps you'd need to overwrite a bin image before its written to force it or similar.
http://pcmhacking.net/forums/viewtopic. ... urn#p30995
The passlock2 data is likely in the 'eeprom' which may or may not be a real eeprom. If its real no doubt you can find it and read it and compare between cars and swap the segment to prove you have it right. If its not real its probably in a block of data at 0x4000 or 0x6000 which should be identifiable by the VIN being also in that block.
I dont know of any tool which can read the bin, so you might need to lift the chip and do the wiring.
Alternatively, and im not sure if this would work, you could buy an MDI interface from somewhere like aliexpress (find the ones that clearly show 2 reasonably heavily populated PCBs as there used to be fakes around in MDI boxes), and license the SPS flashing tools for a short period from https://www.acdelcotds.com/acdelco/action/subscribehome . Assuming your car is supported that might provide some options. What it takes to update the vin in the pcm and if that is required to force in the right program I cant say, so the risk would be yours. Perhaps it'll just provide the options you need, or perhaps you'd need to overwrite a bin image before its written to force it or similar.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
-
- Posts: 43
- Joined: Fri Mar 20, 2015 4:34 am
- cars: saturn
Re: Reading eeprom from delco PCM, MC68336 based
Thanks for the info, I do know that it's a 28f800, so it is an eeprom. Is this the only programmable device in these PCM's usually?
Are there any example bins where I might find the passlock data? Is it possible that it's just the VIN that has to match between the PCM and BCM? I would assume passlock related stuff needn't go to the PCM, the BCM really cares about this data.
Ivan
Are there any example bins where I might find the passlock data? Is it possible that it's just the VIN that has to match between the PCM and BCM? I would assume passlock related stuff needn't go to the PCM, the BCM really cares about this data.
Ivan
Re: Reading eeprom from delco PCM, MC68336 based
I think it would be easier to focus on editing the calibration and just mask the auto related DTC's. that way you can leave the security stuff alone, leave the original pcm in there, and still have no DTC's on their scan tool.
-
- Posts: 43
- Joined: Fri Mar 20, 2015 4:34 am
- cars: saturn
Re: Reading eeprom from delco PCM, MC68336 based
masking the DTC's is really all I need to do, is there any documentation on how to do this?
Thanks, Ivan
Thanks, Ivan
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Reading eeprom from delco PCM, MC68336 based
Not really. Its different between cars, and it sounds like nobody has exactly what you need for yours.
This is a different car completely but same era. So if your prepared to read off the flash and take a look, check for similar to this:
The vin and PCM serial have been changed to protect the innocent. Read off 2 of them and compare. A couple of numbers there will likely be what you need to copy between pcms. Then there is probably also a checksum.
Most people wouldnt go that deep, but you say your an electronic engineer, so if your prepared to try thats what you'll need to sus out.
Of course that doesnt solve the location of the DTCs and checksums around that issue.
This is a different car completely but same era. So if your prepared to read off the flash and take a look, check for similar to this:
Code: Select all
Address | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
-----------+-------------------------------------------------+-----------------
0x00004000 | 28 DB B8 25 00 8F 3A 22 31 45 42 31 31 48 4D 43 | (..%..:"1EB11HMC
0x00004010 | 31 30 34 30 BC 00 39 56 05 7D 94 14 44 53 4B 57 | 1670..9V.}..DSKW
0x00004020 | 00 36 48 38 56 58 4B 36 39 46 32 4C 30 30 30 30 | .6H8VXK69F2L0000
0x00004030 | 30 30 1C 28 00 00 00 00 00 00 00 FF 00 00 FF FF | 00.(............
0x00004040 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 | ................
0x00004050 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004060 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004070 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004080 | FF FF FF FF FF FF FF FF A5 A0 7F FF FF FF 00 00 | ................
0x00004090 | 00 03 EE EA 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF | ................
0x000040D0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x000040E0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x000040F0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
Most people wouldnt go that deep, but you say your an electronic engineer, so if your prepared to try thats what you'll need to sus out.
Of course that doesnt solve the location of the DTCs and checksums around that issue.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Reading eeprom from delco PCM, MC68336 based
Is this thing OBD1 or OBD2? If the former, you might be able to use the OSE Flash Tool to read the Flash (I believe 28f800 is Flash, not EEPROM, despite the digits "28").
Joe.
Joe.
-
- Posts: 43
- Joined: Fri Mar 20, 2015 4:34 am
- cars: saturn
Re: Reading eeprom from delco PCM, MC68336 based
This is OBD2 (from an '02 Saturn SL2)
I haven't posted much in the last few days because I've been trying unsuccessfully to get my willem programmer working.
I have flywired all the eeprom lines and the cpu reset line out to connector, the other side of which I have connected to a dip socket. The plan is to use the connector to read/write the flash at will.
However, my willem programmer is crap..and is poorly supported these days. I got an arduino MEGA2560 board that has more than enough I/O to program the eeprom. My first goal is to get the eeprom read, then I'll upload the bin.
Is there any interest in having an eeprom programmer in the community to read and write the flash directly? If so, what are the common devices most folks would want to read?
Thanks, Ivan
I haven't posted much in the last few days because I've been trying unsuccessfully to get my willem programmer working.
I have flywired all the eeprom lines and the cpu reset line out to connector, the other side of which I have connected to a dip socket. The plan is to use the connector to read/write the flash at will.
However, my willem programmer is crap..and is poorly supported these days. I got an arduino MEGA2560 board that has more than enough I/O to program the eeprom. My first goal is to get the eeprom read, then I'll upload the bin.
Is there any interest in having an eeprom programmer in the community to read and write the flash directly? If so, what are the common devices most folks would want to read?
Thanks, Ivan
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Reading eeprom from delco PCM, MC68336 based
Its a very similar platform to the '0411 which is why I suspect a lot of characteristics will carry over. It may not be too hard to get a read over obd2. I expect the process will be very similar to what ive implemented here http://pcmhacking.net/forums/viewtopic.php?f=3&t=3111 but to use that you'd need an avt 852 cable. Then probably the security algo would be different so you'd need to brute force that. Then some of the addressing in the app might need to be changed. Probably it'd connect to the pcm and pass back serial, vin etc now as is, and fail at unlock.
As for demand for a programmer, there probably is some demand. Most people would want it for the '0411 which is a 28F400BX. It seems to be the same family, just double the capacity. Then in '05 they brought out a 1mbyte pcm with an 28F800BX in it, or with AMD flash support although I havnt seen one of these in the real world yet.
You'd be competing with the GQ-4X programmer for about $130au, there is probably more value for others in making it easyer to connect to the chip in place, if you can make that work. The '0411 have all of the pins available on an un-populated header on the edge of the pcb, but I suspect you still cant in circuit flash due to the cpu interfearing with the data bus.
As for demand for a programmer, there probably is some demand. Most people would want it for the '0411 which is a 28F400BX. It seems to be the same family, just double the capacity. Then in '05 they brought out a 1mbyte pcm with an 28F800BX in it, or with AMD flash support although I havnt seen one of these in the real world yet.
You'd be competing with the GQ-4X programmer for about $130au, there is probably more value for others in making it easyer to connect to the chip in place, if you can make that work. The '0411 have all of the pins available on an un-populated header on the edge of the pcb, but I suspect you still cant in circuit flash due to the cpu interfearing with the data bus.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
-
- Posts: 43
- Joined: Fri Mar 20, 2015 4:34 am
- cars: saturn
Re: Reading eeprom from delco PCM, MC68336 based
Does anyone have internal pictures of the '0411 that they'd be willing to share?
I'm actually trying to read and program the eeprom via the unpopulated "header" in my case, which is just some solder pads near the eeprom. I suspect if I were to leave the CPU running it would indeed interfere with my programmer, so I'm going to try using the BDM pads and hold the CPU in reset. The only line I may have contention with is the eeprom's reset line, so I may have to temporarily disconnect this from the cpu while I'm reading/writing.
I made a little progress with my eeprom programmer lastnight, I believe I have the code written to read the eeprom and dump it over the serial interface...will try more this evening. At this point given my skillset I'm probably faster to code up my own eeprom programmer than wait for a GQ-4X, unless anyone knows of where I can get one in Canada...
Ivan
I'm actually trying to read and program the eeprom via the unpopulated "header" in my case, which is just some solder pads near the eeprom. I suspect if I were to leave the CPU running it would indeed interfere with my programmer, so I'm going to try using the BDM pads and hold the CPU in reset. The only line I may have contention with is the eeprom's reset line, so I may have to temporarily disconnect this from the cpu while I'm reading/writing.
I made a little progress with my eeprom programmer lastnight, I believe I have the code written to read the eeprom and dump it over the serial interface...will try more this evening. At this point given my skillset I'm probably faster to code up my own eeprom programmer than wait for a GQ-4X, unless anyone knows of where I can get one in Canada...
Ivan