V6 ability for pcm hammer.

They go by many names, P01, P59, VPW, '0411 etc. Circa 1999 to 2006. All VPW OBD2 PCMs.
Posts: 151
Joined: Wed Dec 06, 2017 1:02 pm

Re: V6 ability for pcm hammer.

Postby Vampyre » Fri Jan 10, 2020 12:31 pm

hard part is knowing if boot sector is there

I guess I'll try with my hptuners or winflash, see if I wake up a P04

Site Admin
Posts: 6040
Joined: Sat Feb 28, 2009 8:34 pm

Re: V6 ability for pcm hammer.

Postby antus » Fri Jan 10, 2020 4:17 pm

The pcm does its factory floor checks at boot and looks for a signature at the end of the OS, and at the end of the calibration. If either is missing it can enter recovery mode with no security for the initial factory floor flash. What the short is doing, as far as I understand, is glitching an address line above the address range of the bootsector, which is enough to crash the pcm, so that the watchdog triggers and the pcm reboots or the processor does it itself on invalid opcode. On the reboot the boot sector does the checks for the cal and os signature, and because the address bus is glitched it can't see the signatures and thinks it's on the factory floor and goes into recovery mode. These 2 things happen in the moment you have the pins shorted. Then your flash software can get in, and because you have removed the address line short the entire flash is open for read or write. It's a great hardware hack. For the P04s we'll need to confirm which address line we're glitching on the P01/P59 and come up with an equivalent for the P04. The P04 has a signature but it's a different couple of bytes in a different place. I expect we could adapt the hack if we need to.

@gampy some pics then expand because they are larger than about 1000px. We set the thumbnail size gigantic so for the most part you get a usable image, but can still expand if you need to. Whether people are posting high res on purpose or just straight off their phones without realising the size it ends up useable.

For BDM I think we need to just look at the processor pin outs and trace the relevant pins across the pcb and find easy places to solder on for each of them. I think the cpu is the same as in the P01 and P59 so it should be possible to sit there with a multimeter scratching the coating off pins and finding the places.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 391
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Postby Gampy » Fri Jan 10, 2020 10:09 pm

Antus,

A quote from here
antus wrote: sorry, my eyes must have been bleeding, now I look again it's not FFC006, it's actually FFD006 as it was in the P01/P59, so nothing to try :(
ida can show you the bytes and the instructions from the factory bin so you can identify how the hardware works. but to compile a new kernel you'd use the gnu 68k toolchain from here http://gnutoolchains.com/m68k-elf/ and run build.bat in the kernel source dir.

I would have to say your bloody eyes work better ... ;)

You were right the first time!
Code:
                 move.b  #$55,($FFFFFA27).w ; 'U'
                 move.b  #$AA,($FFFFFA27).w
                 bclr    #7,($FFFFC006).w
                 bset    #7,($FFFFC006).w


-Enjoy

Posts: 151
Joined: Wed Dec 06, 2017 1:02 pm

Re: V6 ability for pcm hammer.

Postby Vampyre » Sat Jan 11, 2020 4:20 am

what file was that from gampy?

Also tried the short pin last night with no success but I've also never gotten it to work on a p01/p59 so not sure what I'm doing wrong. Starting to think maybe I should just sit back and stay out of you guys' way.

Posts: 391
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Postby Gampy » Sat Jan 11, 2020 4:34 am

Either one of the Grand Am GT LA1 files you uploaded.

What is the number you've attached to the filename (12201465, 12594385)??
Service Number??

[edit]
NO DON'T DO THAT!
You have helped make great progress, don't give up now ... Besides, Tell me you haven't learned a ton and I'll call ya a liar!
You've done well.

You don't need to short pin unless you have a crashed unit, that is unlikely at this stage.
If you are having Seed/Key issues that can be resolved ...

Posts: 151
Joined: Wed Dec 06, 2017 1:02 pm

Re: V6 ability for pcm hammer.

Postby Vampyre » Sat Jan 11, 2020 4:59 am

I've got 2 P04s that are crashed from loss of connection from my other software.

The numbers are the osids, they are found at 7FFFA-D big endian in the Bin files.

I've learned a lot, still haven't figured out how to put it into practice since I can't even figure out how to get this damn Kernel to compile to even try and load or test anything. I hate constantly having to rely on others to do basic stuff. If others have to do the basics for me then it is easier for them to just test it also which makes me testing obsolete. I can't figure out how to decompile the bins into what you guys are reading either, apparently I'm missing a very important step for both of these things.

Posts: 151
Joined: Wed Dec 06, 2017 1:02 pm

Re: V6 ability for pcm hammer.

Postby Vampyre » Sat Jan 11, 2020 3:59 pm

I'm going to keep the first post updated with info we find in case others are looking for it

Posts: 391
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Postby Gampy » Sun Jan 12, 2020 2:03 am

Vampyre wrote: I'm going to keep the first post updated with info we find in case others are looking for it

I would recommend only facts ...

Just wanting to keep things clear.
I do not like ambiguity, ambiguity leads to regurgitated misinformation, this LS world is saturated with misinformation regurgitation.

Posts: 151
Joined: Wed Dec 06, 2017 1:02 pm

Re: V6 ability for pcm hammer.

Postby Vampyre » Sun Jan 12, 2020 4:13 am

agreed gampy, mind posting the edits you made in the code to get seed/key working?

Posts: 391
Joined: Sat Dec 15, 2018 7:38 am

Re: V6 ability for pcm hammer.

Postby Gampy » Sun Jan 12, 2020 1:00 pm

Hackatooye ...
Code:
                key = 0;
                switch (algo)
                {
                    case 01:
-                        algolookup = 7;//,8,40,1,2
+                        algolookup = 40;
                        break;
                    default:
                        algolookup = algo;
                        break;
                }
-            key = unchecked((ushort)KeyAlgo(seed, algolookup));
+            UInt16 flopSeed = (UInt16)((seed & 0xFFU) << 8 | (seed & 0xFF00U) >> 8);
+            key = unchecked((UInt16)KeyAlgo(flopSeed, algolookup));

            //45634
            return key;
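
Review bot: The byte swap on the two added lines after the switch runs for every algo, not only case 01, so the default branch now also passes a swapped seed to KeyAlgo and its key is computed from different input than before. If the swap is only needed for the PCM that case 01 handles, move it inside that case (or gate it on the PCM type) and keep the original unswapped call for the default path. The hard-coded algolookup = 40 also drops the comment that listed the other candidates (7, then 8, 40, 1, 2) without recording why 40 is the right one; a short comment naming the PCM it was verified against would help. Parenthesising each side of the | in the flopSeed expression would make the intended precedence explicit.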

This is a hack at best and not meant for public consumption!
