PCM Hammer Release 014

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
User avatar
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

Welp, I CRS and it appears I've lost the link to the error codes so I have no idea what went wrong on the kernel upload.
[03:38:24:444] RX: 6C F0 10 76 00 78
Help!
Intelligence is in the details!

It is easier not to learn bad habits, then it is to break them!

If I was here to win a popularity contest, their would be no point, so I wouldn't be here!
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

Thanks Gampy, let me know what I can do to help.
User avatar
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

Is the LB7 ??(E54)?? bench harness the same as a P01 harness??

Somewhere there is a list of response codes (error codes) that the PCM returns, any pointers to it would be very helpful, I seem to have lost it.
For example:
Upload request responds with 44 ... for success.
Unlock request responds with 34 ... for success.

Thanks
Intelligence is in the details!

It is easier not to learn bad habits, then it is to break them!

If I was here to win a popularity contest, their would be no point, so I wouldn't be here!
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

Ah, ok I'll have a look around. I've not seen that one, would be good for the arsenal :)
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

Gampy wrote:Is the LB7 ??(E54)?? bench harness the same as a P01 harness??

Somewhere there is a list of response codes (error codes) that the PCM returns, any pointers to it would be very helpful, I seem to have lost it.
For example:
Upload request responds with 44 ... for success.
Unlock request responds with 34 ... for success.

Thanks
Ooops, sorry. Yes I am using the same p01 bench harness to talk to it. I would love that list if you find it. I am looking too.
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

J2190 (Physical) supports modes $10 thru $3F and $80 thru $BF

Mode $10 - Initiate Diagnostics Operation
Mode $11 - Request Module Reset
Mode $12 - Request Diagnostic Freeze Frame Data
Mode $13 - Request Diagnostic Trouble Code Information
Mode $14 - Clear Diagnostic Information
Mode $17 - Request Status of Diagnostic Trouble Codes
Mode $19 - Request Diagnostic Trouble Codes by Status
Mode $20 - Return to Normal Mode
Mode $21 - Request Diagnostic Data
Mode $22 - Request Diagnostic Data by PID
Mode $23 - Request Diagnostic Data by Memory Address
Mode $24 - Request Scaling and Offset / PID
Mode $25 - Stop Transmitting Requested Data
Mode $26 - Specifiy Data Rates
Mode $27 - Security Access Mode
Mode $28 - Disable Normal Message Transmission
Mode $29 - Enable Normal Message Transmission
Mode $2A - Request Diagnostic Data Packets
Mode $2B - Dynamically Define Data Packet by Single Data Offsets
Mode $2C - Dynamically Define Diagnostic Data Packet
Mode $2F - Input/Output Control by PID
Mode $30 - Input/Output Control by Data Value ID
Mode $31 - Enter/Start Diagnostic Routine by Test Number
Mode $32 - Exit/Stop Diagnostic Routine by Test Number
Mode $33 - Request Diagnostic Routine Results by Test Number
Mode $34 - Request Download - tool to module
Mode $35 - Request Upload - module to tool
Mode $36 - Block Transfer Message
Mode $37 - Request Data Transfer Exit
Mode $38 - Enter Diagnostic Routine by Address
Mode $39 - Exit Diagnostic Routine by Address
Mode $3A - Request Diagnostic Routine Results
Mode $3B - Write Data Block
Mode $3C - Read Data Block
Mode $3F - Test Device Present
Mode $7F - General Response Message
Mode $A0 - Request High Speed Mode
Mode $A1 - Begin High Speed Mode
Mode $A2 - Programming Prompt
Mode $AE - Request Device Control


PCM Mode Responses:
The response will always be $40 greater than the request mode.

Response $41 - Report Powertrain Diagnostic Data
Response $42 - Report Powertrain Freeze Frame Data
Response $43 - Report Emission Related Diagnositc Powertrain Trouble Codes
Response $44 - Emission-Related Diagnostic Information Cleared
Response $45 - Report Oxygen Sensor Monitoring Test Resluts
Response $46 - Report On-Board Monitoring Test Results for Non-Continuously Monitored Systems
Response $47 - Report On-Board Monitoring Test Results for Continuously Monitored Systems
Response $48 - Report Control of On-Board System, Test, or Component
Response $49 - Report Vehicle Information


PCM Mode $7F Response Codes:

Code $00 - Affirmative Response
Code $10 - General Reject
Code $11 - Mode Not Supported
Code $12 - Sub-Function Not Supported or Invalid format
Code $21 - Busy - Repeat Request
Code $22 - Conditions Not Correct or Request Sequence Error
Code $23 - Routine Not Complete
Code $31 - Request Out of Range
Code $33 - Security Access Denied
Code $34 - Security Access Allowed
Code $35 - Invalid Key
Code $36 - Exceed Number of Attempts
Code $37 - Required Time Delay Not Expired
Code $40 - Download Not Accepted
Code $41 - Improper Download Type
Code $42 - Can't Download to Specified Address
Code $43 - Can't Download Number of Bytes Requested
Code $44 - Ready for Download
Code $50 - Upload not Accepted
Code $51 - Improper Upload Type
Code $52 - Can't Upload from Specified Address
Code $53 - Can't Upload Number of Bytes Requested
Code $54 - Ready for Upload
Code $61 - Normal Exit with Results Available
Code $62 - Normal Exit without Results Available
Code $63 - Abnormal Exit with Results
Code $64 - Abnormal Exit without Results
Code $71 - Transfer Suspended
Code $72 - Transfer Aborted
Code $73 - Block Transfer Complete/Next BLock
Code $74 - Illegal Address in Block Transfer
Code $75 - Illegal Byte Count in Block Transfer
Code $76 - Illegal Block Tranfser Type
Code $77 - Block Transfer Data Checksum Error
Code $78 - Block Transfer Message Correctly Received
Code $79 - Incorrect Byte Count During Block Transfer
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

I did a little logging of my own.

Send 0x6 bytes to the device
05 6C 10 F0 27 01 <<<<<<<<<< Seed request

Get 0xb bytes from the device
31 60 08 00 6C F0 10 67 01 BF FD <<<<<<<<<< Seed is BFFD

Get 0x9 bytes from the device
31 60 06 00 6C F0 10 A2 01 <<<<<<<<<<< Mode $A2 - Programming Prompt

Send 0x5 bytes to the device
04 8C FE F0 3F <<<<<<<<<< Device present

Get 0x4 bytes from the device
31 60 01 60 <<<<<<<<<< Ok I'll wait

Send 0x6 bytes to the device
05 6C 10 F0 27 01 <<<<<<<<<< Seed request

Get 0xb bytes from the device
31 60 08 00 6C F0 10 67 01 00 00 <<<<<<<<<< Seed is 0000, do what you want to me

Send 0x5 bytes to the device
04 8C FE F0 3F

Send 0x5 bytes to the device
04 6C FE F0 A0 <<<<<<<<<< Hi Speed Mode request

Get 0x9 bytes from the device
31 60 06 00 6C F0 10 E0 AA <<<<<<<<<< High speed mode granted

Send 0x5 bytes to the device
04 8C FE F0 3F <<<<<<<<<< Device present

Get 0x4 bytes from the device
31 60 01 60 <<<<<<<<<< Ok I'll wait

Send 0x5 bytes to the device
04 6C FE F0 A1 <<<<<<<<<< Mode $A1 - Begin High Speed Mode

Send 0xb bytes to the device
0A 6C 10 F0 34 00 03 32 FF 91 3E <<<<<<<<<< request permission to send in 0x332 byte to 0xFF913E

Get 0xa bytes from the device
31 60 07 00 6C F0 10 74 00 44 <<<<<<<<<< permission granted

Send 0x341 bytes to the device
12 03 3E 6D 10 F0 36 80 03 32 FF 91 3E <<<<<<<<<< echo of sending in kernel to FF913E, kernel following

After kernel sent in,
Get 0xa bytes from the device
31 60 07 00 6C F0 10 76 80 78

I then read it out... small snippet.

Get 0x432 bytes from the device
31 60 12 04 0D 00 6D F0 10 36 01 04 00 00 00 00 1`....mð.6......
00 FF A8 00 00 00 08 00 00 00 0F D8 00 00 0F D8 .ÿ¨........Ø...Ø
00 00 0F D8 00 00 0F D8 00 00 0F D8 00 00 0F D8 ...Ø...Ø...Ø...Ø
00 00 0F D8 00 00 0F D8 00 00 0F D8 00 00 0F D8 ...Ø...Ø...Ø...Ø
31 60 00 00 0F D8 00 00 0F D8 00 00 0F D8 00 00 1`...Ø...Ø...Ø..
0F D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .Ø..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 10 10 00 00 10 10 00 00 10 10 00 00 ................
31 60 10 10 00 00 10 10 00 00 10 14 00 00 10 10 1`..............
00 00 10 10 00 00 10 10 00 00 10 10 00 00 10 10 ................
00 00 10 10 00 00 10 10 00 00 10 10 00 00 10 10 ................
00 00 10 10 00 00 10 10 00 00 10 10 00 00 10 10 ................

00000000 00FF A800 0000 0800 0000 0FD8 0000 0FD8 ................
00000010 0000 0FD8 0000 0FD8 0000 0FD8 0000 0FD8 ................
00000020 0000 0FD8 0000 0FD8 0000 0FD8 0000 0FD8 ................
00000030 0000 0FD8 0000 0FD8 0000 0FD8 0000 0FD8 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 1010 0000 1010 0000 1010 0000 1010 ................
00000070 0000 1010 0000 1014 0000 1010 0000 1010 ................
00000080 0000 1010 0000 1010 0000 1010 0000 1010 ................
00000090 0000 1010 0000 1010 0000 1010 0000 1010 ................


[03:38:23:534] Requesting permission to upload kernel.
[03:38:23:554] TX: 6C 10 F0 34 00 10 00 FF 80 00
[03:38:23:554] RX: 6C F0 10 74 00 44
[03:38:23:564] Found response, Success
[03:38:23:564] Upload permission granted.
[03:38:23:564] Going to load a 7930 byte kernel to 0xFF8000
[03:38:23:564] Sending end block payload with offset 0x1000, start address 0xFF9000, length 0xEFA.
[03:38:23:634] TX: 6D 10 F0 36 00 0E FA FF 90 00 >>>>>>>>>> echo of sending in kernel to FF9000, kernel following

After kernel sent in,
[03:38:24:444] RX: 6C F0 10 76 00 78

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

It appears this is messing up PCM Hammer
Ignoring message: UnexpectedResponse 6C F0 10 76 00 78

It's used to seeing this:
[08:15:00:775] RX: 6D F0 10 76 00 73
[08:15:00:785] Found response, Success

The 78 is still supposed to be a valid response
Code $71 - Transfer Suspended
Code $72 - Transfer Aborted
Code $73 - Block Transfer Complete/Next BLock
Code $74 - Illegal Address in Block Transfer
Code $75 - Illegal Byte Count in Block Transfer
Code $76 - Illegal Block Tranfser Type
Code $77 - Block Transfer Data Checksum Error
Code $78 - Block Transfer Message Correctly Received
Code $79 - Incorrect Byte Count During Block Transfer

Where's the 6C coming from? I've seen that in other responses but only when a 6C was sent in :wtf:

I'm probably not looking at it correctly, anyway, let me know whatever I can do to help.
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

Basically it looks like PCM Hammer doesn't send in the second packet of the kernel because it was never satisfied the first one was received correctly.
User avatar
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: PCM Hammer Release 014

Post by Gampy »

__I think__ I know what's going on ...

I suspect it doesn't do multiple packet uploads.

@In-Tech do you compile your own PcmHammer??

The first thing I would try if I had a ??E54?? (LB7 ECU) setting here is educate PcmHammer that 0x78 is also a valid response and see what happens.
Though I suspect that will lead to my above suspicions.

That leads us to a PcmHammer re-write that would first upload a intelligent Mode36 kernel that is less then or equal to 1024 bytes that could then receive multiple packets thus a larger kernel.
Basically the same obstruction the P04 has for moving forward.

-Enjoy
Intelligence is in the details!

It is easier not to learn bad habits, then it is to break them!

If I was here to win a popularity contest, their would be no point, so I wouldn't be here!
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: PCM Hammer Release 014

Post by In-Tech »

Hello Gampy,
Thanks for the reply and I'm sure this is elementary to you guys, is there a quick tutorial or link for reading about compiling PCM Hammer? In the early 2000's I used to compile(DOS, Windows and Linux) a hardware/software emulator when it needed updating so I'm not completely unfamiliar, it's just been a while. While I am asking for the world...what should I disassemble the kernel with? It would be a dream if it was 8bit type opcodes and then words for addresses. It will still boil down to Motorola 68something I would assume. Anyone have an opcode map? For me I think I learn faster, disassembling and tracing so I understand, then make adjustments accordingly. This would be fun :wall: :mrgreen:
Post Reply