V6 ability for pcm hammer.

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: V6 ability for pcm hammer.

Post by Vampyre »

hard part is knowing if boot sector is there

I guess I'll try with my hptuners or winflash, see if I wake up a P04
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: V6 ability for pcm hammer.

Post by antus »

The pcm does its factory floor checks at boot and looks for a signature at the end of the OS, and at the end of the calibration. If either is missing it can enter recovery mode with no security for the initial factory floor flash. What the short is doing, as far as I understand, is glitching an address line above the address range of the bootsector, which is enough to crash the pcm, so that the watchdog triggers and the pcm reboots or the processor does it itself on invalid opcode. On the reboot the boot sector does the checks for the cal and os signature, and because the address bus is glitched it can't see the signatures and thinks it's on the factory floor and goes into recovery mode. These 2 things happen in the moment you have the pins shorted. Then your flash software can get in, and because you have removed the address line short the entire flash is open for read or write. It's a great hardware hack. For the P04s we'll need to confirm which address line we're glitching on the P01/P59 and come up with an equivalent for the P04. The P04 has a signature but it's a different couple of bytes in a different place. I expect we could adapt the hack if we need to.

@gampy some pics expand because they are larger than about 1000px. We set the thumbnail size gigantic so for the most part you get a usable image, but can still expand if you need to. Whether people are posting high res on purpose or just straight off their phones without realising the size, it ends up usable.

For BDM I think we need to just look at the processor pin outs and trace the relevant pins across the pcb and find easy places to solder on for each of them. I think the cpu is the same as in the P01 and P59 so it should be possible to sit there with a multimeter scratching the coating off pins and finding the places.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Post by Gampy »

Antus,

A quote from here
antus wrote: sorry, my eyes must have been bleeding, now I look again it's not FFC006, it's actually FFD006 as it was in the P01/P59, so nothing to try :(
ida can show you the bytes and the instructions from the factory bin so you can identify how the hardware works. but to compile a new kernel you'd use the gnu 68k toolchain from here http://gnutoolchains.com/m68k-elf/ and run build.bat in the kernel source dir.
I would have to say your bloody eyes work better ... ;)

You were right the first time!

                 move.b  #$55,($FFFFFA27).w ; 'U'
                 move.b  #$AA,($FFFFFA27).w
                 bclr    #7,($FFFFC006).w
                 bset    #7,($FFFFC006).w
-Enjoy
Intelligence is in the details!

It is easier not to learn bad habits, than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: V6 ability for pcm hammer.

Post by Vampyre »

what file was that from gampy?

Also tried the short pin last night with no success, but I've also never gotten it to work on a p01/p59 so not sure what I'm doing wrong. Starting to think maybe I should just sit back and stay out of you guys' way.
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Post by Gampy »

Either one of the Grand Am GT LA1 files you uploaded.

What is the number you've attached to the filename (12201465, 12594385)??
Service Number??

[edit]
NO DON'T DO THAT!
You have helped make great progress, don't give up now ... Besides, Tell me you haven't learned a ton and I'll call ya a liar!
You've done well.

You don't need to short pin unless you have a crashed unit, that is unlikely at this stage.
If you are having Seed/Key issues that can be resolved ...
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: V6 ability for pcm hammer.

Post by Vampyre »

I've got 2 P04s that are crashed from loss of connection from my other software.

The numbers are the osids, they are found at 7FFFA-D big endian in the Bin files.

I've learned a lot, still haven't figured out how to put it into practice since I can't even figure out how to get this damn kernel to compile to even try and load or test anything. I hate constantly having to rely on others to do basic stuff. If others have to do the basics for me then it is easier for them to just test it also, which makes my testing obsolete. I can't figure out how to decompile the bins into what you guys are reading either, apparently I'm missing a very important step for both of these things.
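
Added example (not from the thread or from PCM Hammer's code): reading the OSID that the post above locates at 7FFFA-D, big endian, and checking it against the number carried in a bin's file name. The 512 KiB sample image, the file names, and treating an all-0xFF or all-zero field as blank are assumptions made for the example.

```python
import re
import struct

OSID_OFFSET = 0x7FFFA  # from the post: the OSID occupies 0x7FFFA..0x7FFFD
OSID_LENGTH = 4


def read_osid(image: bytes) -> int:
    """Return the OSID stored big-endian at 0x7FFFA..0x7FFFD."""
    end = OSID_OFFSET + OSID_LENGTH
    if len(image) < end:
        raise ValueError(f"image is {len(image):#x} bytes, need at least {end:#x}")
    raw = image[OSID_OFFSET:end]
    # Assumption: an erased (0xFF) or zero-filled field means no OSID is present.
    if raw in (b"\xff" * OSID_LENGTH, b"\x00" * OSID_LENGTH):
        raise ValueError("OSID field is blank")
    return struct.unpack(">I", raw)[0]


def filename_matches_osid(filename: str, image: bytes) -> bool:
    """True if any run of digits in the file name equals the OSID in the image."""
    return str(read_osid(image)) in re.findall(r"\d+", filename)


def make_sample_image(osid: int, size: int = 0x80000) -> bytes:
    """Constructed sample: erased flash (0xFF) with only the OSID field set.

    The 0x80000 size is an assumption, not a value stated in the thread.
    """
    image = bytearray(b"\xff" * size)
    image[OSID_OFFSET:OSID_OFFSET + OSID_LENGTH] = struct.pack(">I", osid)
    return bytes(image)


if __name__ == "__main__":
    sample = make_sample_image(12201465)  # OSID value quoted in the thread
    print(read_osid(sample))
    # File name is constructed for the example.
    print(filename_matches_osid("grand_am_gt_12201465.bin", sample))
```
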
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: V6 ability for pcm hammer.

Post by Vampyre »

I'm going to keep the first post updated with info we find in case others are looking for it
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Post by Gampy »

Vampyre wrote: I'm going to keep the first post updated with info we find in case others are looking for it
I would recommend only facts ...

Just wanting to keep things clear.
I do not like ambiguity, ambiguity leads to regurgitated misinformation, this LS world is saturated with misinformation regurgitation.
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: V6 ability for pcm hammer.

Post by Vampyre »

agreed gampy, mind posting the edits you made in the code to get seed/key working?
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Post by Gampy »

Hackatooye ...

                key = 0;
                switch (algo)
                {
                    case 01:
-                        algolookup = 7;//,8,40,1,2
+                        algolookup = 40;
                        break;
                    default:
                        algolookup = algo;
                        break;
                }
-            key = unchecked((ushort)KeyAlgo(seed, algolookup));
+            UInt16 flopSeed = (UInt16)((seed & 0xFFU) << 8 | (seed & 0xFF00U) >> 8);
+            key = unchecked((UInt16)KeyAlgo(flopSeed, algolookup));

            //45634
            return key;
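
Review bot: the seed byte swap sits outside the switch, so `KeyAlgo(flopSeed, algolookup)` now receives a swapped seed on the `default:` path as well as for `case 01:`. If only the algorithm-1 modules need the swapped byte order, compute `flopSeed` inside that case (or gate it on `algo`) and pass `seed` unchanged otherwise. Replacing `algolookup = 7` with the bare constant `40` also drops the only record of what was tried (`//,8,40,1,2`); a comment saying which module 40 was confirmed on would keep it from being re-guessed, and the stray `//45634` should be explained or removed.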
This is a hack at best and not meant for public consumption!