PCM Hammer Release 014

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

Since LSDroid appears to work, would you please use it to do a fresh new full read and either post the bin or PM it to me.

I'd like to have a look see at it ...

Thank you.
Intelligence is in the details!

It is easier not to learn bad habits, than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

My theory is ... PCM Hammer's IsUnlocked() is flawed!

MgFoster's seed request response is,
[11:29:22:367] RX: 6C F0 10 67 01 37 F0
a valid seed.

Looking at PCM Hammer's code, the IsUnlocked() expected byte sequence is pretty much just that,
6C F0 10 67 01 37
as seen here .../Protocol.Security.cs#L115.

So I created a binary with a seed/key pair of $37F0/$A316 and wrote it to a P01. PCM Hammer could not unlock this PCM; it sees it as already unlocked ...
I then removed the call to IsUnlocked() here .../Vehicle.cs#L296, and PCM Hammer was then able to unlock this PCM.

So, is this
6C F0 10 67 01 37
a valid IsUnlocked() expected byte sequence?
Seems to me that effectively invalidates the $37xx range of seeds.
Last edited by Gampy on Tue Jan 26, 2021 5:59 am, edited 1 time in total.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailies..

Re: PCM Hammer Release 014

Post by ironduke »

edited to delete my nonsense, lol.. hopefully nobody went off on a wild goose chase.. If so , I apologize..
MgFoster
Posts: 8
Joined: Thu Jan 21, 2021 2:41 pm
cars: E39, E28, W123, C10

Re: PCM Hammer Release 014

Post by MgFoster »

Sorry I haven't gotten you that full read from LS droid. I've just been crazy busy! Looks like you found the issue though, good stuff!
antus
Site Admin
Posts: 8239
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: PCM Hammer Release 014

Post by antus »

It should be

Code:
Code $33 - Security Access Denied
Code $34 - Security Access Allowed
Code $35 - Invalid Key
Code $36 - Exceed Number of Attempts
Code $37 - Required Time Delay Not Expired 
But I think we need to look at the response in a recovery flash or when MEC > 0, as I think that piece of code is designed for that scenario. Perhaps it should not be verifying the initial bytes, but rather exact bytes. I am not sure exactly what it's trying to match, but I think removing it rather than fixing it might break another use case.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
MgFoster
Posts: 8
Joined: Thu Jan 21, 2021 2:41 pm
cars: E39, E28, W123, C10

Re: PCM Hammer Release 014

Post by MgFoster »

Full read from LS droid
Attachment: 1_26_21.bin (512 KiB)
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

I have no plans on removing IsUnlocked() for other than testing; I don't understand enough about the Recovery types and/or process.
Just needed to prove my findings.

I know of only one Recovery mode, that is the one when the main (the larger one) Calibration segment is erased ... It causes the PCM to constantly spit out (ping) a code of
6CF010A20163
(A2 01). I have asked about the others and got no responses.

At my current level of understanding of this process, that is what I would check for first, before anything else ... It would happen so fast under normal circumstances it would barely be noticed if not in recovery mode.
Why, because this 'ping' really tosses things in the gutter if it is in recovery mode, and if it's not, it's instantly known!

But like I said, I don't have a full enough understanding to be sure ...

MgFoster,
Thank you for the bin, that confirms my suspicions, the seed/key is in fact 37F0/A316.
And just to slap the 'For Sure' button on it, I wrote it to a PCM and PCM Hammer cannot unlock it ...

If you are interested, here is your bin with a different seed/key pair.
I took the original key (A316), used it for the seed and generated a new key. The new Seed/Key pair is A316/7CAA.
All you need to write is the parameter segment ... I do not know if LSDroid has a 'write parameter' or not.
Attachment: 1_26_21-SeedKey_A316-7CAA.bin (512 KiB)
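The ambiguity Gampy describes above (a prefix match on 6C F0 10 67 01 37 cannot tell the "already unlocked" reply from a real seed in the $37xx range), together with the recovery-mode ping and the 0000 recovery seed from the later posts, as an added Python example. This is not PCM Hammer's code; it assumes frames arrive without the J1850 CRC byte, as the frames quoted in the thread do, the byte constants are taken from those frames, and the function and class names are my own.

```python
from dataclasses import dataclass
from typing import Optional

# Byte values taken from the frames quoted in the thread (6C F0 10 67 01 ...).
PRIORITY_PHYSICAL0 = 0x6C
DEVICE_TOOL = 0xF0
DEVICE_PCM = 0x10
MODE_SEED_RESPONSE = 0x67    # mode $27 request + $40 response offset
RECOVERY_PING_MODE = 0xA2    # the "A2 01" ping seen with an erased calibration segment

PCM_TO_TOOL = bytes([PRIORITY_PHYSICAL0, DEVICE_TOOL, DEVICE_PCM])
# The six-byte sequence IsUnlocked() compares as a prefix.
UNLOCKED_MARKER = PCM_TO_TOOL + bytes([MODE_SEED_RESPONSE, 0x01, 0x37])


@dataclass
class SeedReply:
    kind: str                   # "unlocked", "seed", "recovery_ping" or "other"
    seed: Optional[int] = None  # two-byte seed when kind == "seed"


def parse_frame(line: str) -> bytes:
    """Turn a logged line such as '[11:29:22:367] RX: 6C F0 10 67 01 37 F0'
    (or just the hex bytes) into raw frame bytes."""
    hex_part = line.split("RX:")[-1]
    return bytes(int(tok, 16) for tok in hex_part.split())


def prefix_match_is_unlocked(frame: bytes) -> bool:
    """The comparison the thread describes: only the leading bytes are checked,
    so a seed response whose seed starts with 0x37 matches as well."""
    return frame[:len(UNLOCKED_MARKER)] == UNLOCKED_MARKER


def classify(frame: bytes) -> SeedReply:
    """Exact-structure classification: the payload length, not a prefix,
    decides between the unlocked marker and a real seed."""
    if frame[:3] != PCM_TO_TOOL or len(frame) < 5:
        return SeedReply("other")
    mode, sub = frame[3], frame[4]
    payload = frame[5:]
    if mode == RECOVERY_PING_MODE and sub == 0x01:
        return SeedReply("recovery_ping")
    if mode == MODE_SEED_RESPONSE and sub == 0x01:
        if payload == b"\x37":        # marker: no seed bytes follow
            return SeedReply("unlocked")
        if len(payload) == 2:         # 67 01 HH LL: a real seed (0000 in recovery mode)
            return SeedReply("seed", int.from_bytes(payload, "big"))
    return SeedReply("other")


if __name__ == "__main__":
    # Constructed sample lines in the thread's log format.
    samples = [
        "[11:29:22:367] RX: 6C F0 10 67 01 37 F0",  # MgFoster's seed, 37F0
        "RX: 6C F0 10 67 01 37",                     # the unlocked marker
        "RX: 6C F0 10 67 01 00 00",                  # recovery-mode seed
        "RX: 6C F0 10 A2 01 63",                     # recovery ping
    ]
    for line in samples:
        frame = parse_frame(line)
        print(f"{frame.hex(' ')}: prefix-match unlocked={prefix_match_is_unlocked(frame)}, "
              f"classify={classify(frame)}")
```

Run as a script it prints, for MgFoster's frame, that the prefix comparison reports "unlocked" while the exact-structure classifier reports a seed of 37F0. If an interface does pass the CRC byte through, every frame grows by one byte and the length rule in classify() has to be adjusted to match.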
MgFoster
Posts: 8
Joined: Thu Jan 21, 2021 2:41 pm
cars: E39, E28, W123, C10

Re: PCM Hammer Release 014

Post by MgFoster »

It has a "Write Calibration Data". So I should try to do that with LS droid and then attempt to read/write with PCM Hammer?
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

MgFoster wrote: It has a "Write Calibration Data". So I should try to do that with LS droid and then attempt to read/write with PCM Hammer?
It's not in the Calibration data so I don't think that will get it done ...
The write command would probably have the word "Parameter" in it.
It's possible LSDroid doesn't have a "Write Parameter Data" ... It's not a typical segment to write, however I'm sure LSDroid has a "Write Full" or "Clone" option, however that is pretty drastic just for a parameter write.

If you want, I could build you a custom one off PCM Hammer that would get you past the Unlock issue, that would allow you to write the Parameter Segment.
Then PCM Hammer 014 will work for you.
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

Well, it appears there are at least two ways to resolve this issue ...

The rights or wrongs of the ways I'll let those that get paid the big bucks debate!

1. Check response length.

Code:
        /// <summary>
        /// Indicates whether or not the reponse indicates that the PCM is unlocked.
        /// </summary>
        public bool IsUnlocked(byte[] response)
        {
            ResponseStatus status;
            byte[] unlocked = { Priority.Physical0, DeviceId.Tool, DeviceId.Pcm, Mode.Seed + Mode.Response, 0x01, 0x37 };

            if (TryVerifyInitialBytes(response, unlocked, out status))
            {
-               return true;
+               // To short to be a seed?
+               if (response.Length < 7)
+               {
+                   return true;
+               }
            }

            return false;
        }
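Review bot: the magic number in `if (response.Length < 7)` is not tied to the thing it is really testing, namely that no seed bytes follow the 6-byte `unlocked` sequence; `if (response.Length == unlocked.Length)` states that intent directly and stays correct if the transport ever includes an extra trailing byte on both message types. As written, `< 7` also accepts any shorter frame that TryVerifyInitialBytes lets through, which is only safe if that helper already rejects frames shorter than the expected prefix. The new comment should read "Too short", and its question is the wrong way round: a frame that is too short to carry a seed is the unlocked marker, which is what the branch returns.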
or

2. Add the Checksum to the expected byte sequence. (unlocked)

Code:
        /// <summary>
        /// Indicates whether or not the reponse indicates that the PCM is unlocked.
        /// </summary>
        public bool IsUnlocked(byte[] response)
        {
            ResponseStatus status;
-           byte[] unlocked = { Priority.Physical0, DeviceId.Tool, DeviceId.Pcm, Mode.Seed + Mode.Response, 0x01, 0x37 };
+           byte[] unlocked = { Priority.Physical0, DeviceId.Tool, DeviceId.Pcm, Mode.Seed + Mode.Response, 0x01, 0x37, 0xB8 };

            if (TryVerifyInitialBytes(response, unlocked, out status))
            {
                return true;
            }

            return false;
        }
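Review bot: appending 0xB8 as a seventh expected byte narrows the collision rather than removing it. TryVerifyInitialBytes is still a prefix comparison, and the thread's own frame (6C F0 10 67 01 37 F0) shows the two seed bytes following 01 directly, so a PCM whose seed happened to be $37B8 would reply 6C F0 10 67 01 37 B8 and still be reported as already unlocked. If 0xB8 is intended as the frame checksum, the match now additionally depends on the interface passing that byte through, which the quoted 7-byte seed response suggests it does not. Checking the exact response length against `unlocked.Length` (with or without the checksum byte) would be the more robust fix, and whichever variant is chosen should be exercised against the third test PCM in recovery mode, where the seed is 0000.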
I test on 3 PCMs,
1. HW:9386530 - A typical P01
2. HW:12570558 - Intel P59 with a SeedKey pair of 37F0/A316
3. HW:12583659 - AMD P59 with a SeedKey pair of 37F0/A316 and in Recovery mode (erased Calibration), the only recovery mode I know how to force.

If it's in recovery mode the seed is 0000.