Universalpatcher with Logger & Analyzer
Re: Universalpatcher with Logger & Analyzer
Version 0.20.18
A big update to j-console monitoring and some fixes and improvements to script language.
-connect a j-device to 2 protocols simultaneously and monitor and send custom commands to both.
-extensive configuration of how j-device connects.
.select pins
.set custom filters
.set command flags
.set custom configurations
-run scripts with commands in a loop with setting different variables that can increase or decrease.
-many other small improvements and fixes
a screenshot and some sample vpw scripts for testing.
A big update to j-console monitoring and some fixes and improvements to script language.
-connect a j-device to 2 protocols simultaneously and monitor and send custom commands to both.
-extensive configuration of how j-device connects.
.select pins
.set custom filters
.set command flags
.set custom configurations
-run scripts with commands in a loop with setting different variables that can increase or decrease.
-many other small improvements and fixes
a screenshot and some sample vpw scripts for testing.
- Attachments
-
- mode_09_read.txt
- (229 Bytes) Downloaded 134 times
-
- 3c_read.txt
- (387 Bytes) Downloaded 117 times
Re: Universalpatcher with Logger & Analyzer
This script will test a module for all known algos and will break on success. Than you can input seed/key combo in the algo tab and find the algo number for the module.
It is set for module with ID=10[pcm] to test for bcm change to 10 to 40 in script, on these lines 6c 10 f0
You can also test it for any in car module, abs,airbag,ipc just need to find the correct id.
HOW TO LOAD SCRIPTS.
Open logger ->settings tab->select device and connect->goto vpw console->check all checkboxes->upload script button->select the script you want to upload.
Once the algo for a module is found than a mode23 script can be used to read the module memory RAM or ROM.
How to find modules id that are present on the bus.
after this command is send
[14:48:01.031] 6C FE F0 28 00
each module will respond with its id[3rd byte]
6C F0 10 68 00
6C F0 40 68 00
6C F0 AE 68 00
6C F0 99 68 00
In case there is more than 10 modules connected this value can be increased to capture all ids
6c fe f0 28 00:10:100 Increase 10 to the max modules that are connected.
I AM LOOKING FOR SOME CAN TESTERS with j2534 device.
An incar high speed CAN logging test will be very informative. Does the program locks up on very heavy can traffic.
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Some CAN logs will help with CAN analyzer that is being under development.
For gmlan logs low speed can
setprotocol SW_CAN_PS->baud 33333-> setpins 00000100->connect
If the program don`t lockup on HSCAN you can monitor both LS and HS can buses[MDI is preferred here]
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Than
setprotocol 2
SW_CAN_PS->baud 33333-> setpins 00000100->connect protocol 2
It is set for module with ID=10[pcm] to test for bcm change to 10 to 40 in script, on these lines 6c 10 f0
You can also test it for any in car module, abs,airbag,ipc just need to find the correct id.
HOW TO LOAD SCRIPTS.
Open logger ->settings tab->select device and connect->goto vpw console->check all checkboxes->upload script button->select the script you want to upload.
Once the algo for a module is found than a mode23 script can be used to read the module memory RAM or ROM.
How to find modules id that are present on the bus.
after this command is send
[14:48:01.031] 6C FE F0 28 00
each module will respond with its id[3rd byte]
6C F0 10 68 00
6C F0 40 68 00
6C F0 AE 68 00
6C F0 99 68 00
In case there is more than 10 modules connected this value can be increased to capture all ids
6c fe f0 28 00:10:100 Increase 10 to the max modules that are connected.
I AM LOOKING FOR SOME CAN TESTERS with j2534 device.
An incar high speed CAN logging test will be very informative. Does the program locks up on very heavy can traffic.
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Some CAN logs will help with CAN analyzer that is being under development.
For gmlan logs low speed can
setprotocol SW_CAN_PS->baud 33333-> setpins 00000100->connect
If the program don`t lockup on HSCAN you can monitor both LS and HS can buses[MDI is preferred here]
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Than
setprotocol 2
SW_CAN_PS->baud 33333-> setpins 00000100->connect protocol 2
- Attachments
-
- $10_brute_unlock_var_algo.txt
- (417 Bytes) Downloaded 137 times
Re: Universalpatcher with Logger & Analyzer
Version 0.21.0 adds graphics to logger.
In 0.21.1 zoom is enabled, by dragging area in graphics
In 0.21.1 zoom is enabled, by dragging area in graphics
- Attachments
-
- Logger-Graphics-2022-10-23 174450.jpg (108.4 KiB) Viewed 10681 times
- antus
- Site Admin
- Posts: 8250
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Universalpatcher with Logger & Analyzer
wow, looking really good!
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Universalpatcher with Logger & Analyzer
kur4o wrote:This script will test a module for all known algos and will break on success. Than you can input seed/key combo in the algo tab and find the algo number for the module.
It is set for module with ID=10[pcm] to test for bcm change to 10 to 40 in script, on these lines 6c 10 f0
You can also test it for any in car module, abs,airbag,ipc just need to find the correct id.
HOW TO LOAD SCRIPTS.
Open logger ->settings tab->select device and connect->goto vpw console->check all checkboxes->upload script button->select the script you want to upload.
Once the algo for a module is found than a mode23 script can be used to read the module memory RAM or ROM.
How to find modules id that are present on the bus.
after this command is send
[14:48:01.031] 6C FE F0 28 00
each module will respond with its id[3rd byte]
6C F0 10 68 00
6C F0 40 68 00
6C F0 AE 68 00
6C F0 99 68 00
In case there is more than 10 modules connected this value can be increased to capture all ids
6c fe f0 28 00:10:100 Increase 10 to the max modules that are connected.
I AM LOOKING FOR SOME CAN TESTERS with j2534 device.
An incar high speed CAN logging test will be very informative. Does the program locks up on very heavy can traffic.
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Some CAN logs will help with CAN analyzer that is being under development.
For gmlan logs low speed can
setprotocol SW_CAN_PS->baud 33333-> setpins 00000100->connect
If the program don`t lockup on HSCAN you can monitor both LS and HS can buses[MDI is preferred here]
Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect
Than
setprotocol 2
SW_CAN_PS->baud 33333-> setpins 00000100->connect protocol 2
I missed this post...are you still looking to test can networks? I would love a script for reading BCM ram/rom
Re: Universalpatcher with Logger & Analyzer
Version 0.21.2 have also Histogram in logger.
Currently it might be little bit difficult to use, please send ideas how it should work.
Currently it might be little bit difficult to use, please send ideas how it should work.
- Attachments
-
- Histogram-Graphics-2022-10-24 184759.jpg (91.87 KiB) Viewed 10631 times
Re: Universalpatcher with Logger & Analyzer
Definitely some testing will be nice. Once we dial the multiframe encoding, more advanced scripts can be used on CAN.gmtech825 wrote: I missed this post...are you still looking to test can networks? I would love a script for reading BCM ram/rom
Currently an incar test can be done. Once a can protocol is connected, either HS or LS LAN, go to
logger->action->Query CAN devices
Than see at can tab if there is a list of CAN ids on the bus.
Re: Universalpatcher with Logger & Analyzer
I understand official support is not available yet. I am hoping to help get it there though. Using version 20.26 but it does not look like anything pertaining to my scenario was added in later versions.
I am trying to get the PID search to read E40 and T42 PIDs. It looks like there is more changes needed above and beyond just editing the xml files. I have changed the e40-platform.xml, t42-platform.xml, and PidSearch.xml files which has thus far allowed the PidSearch to return results for the E40(did not explore T42 any further as of yet). For E40 purposes, I am getting the correct PIDNumber output. Bytes, Subroutine, RamAddress columns are all not working correctly. Byte is showing only a value of 1. Subroutine is including the function address and also the bytes. Nothing showing for RamAddress. I included a screenshot of the E40 results I am getting. The byte value is after the subroutine address which is different than Gen3.
E40 pid table for the subject OS starts at B4EF2
T42 pid table for the subject OS starts are 5435E
Logs from bin files used are:
E40 -
T42 -
Looking through github, I believe the next step is to modify the Pidsearch.cs file. Unfortunately, I do not have the skills to make changes past the .xml files nor have I been able to discover any other files that need to be updated, though I presume there are others.
E40 search string being used in e40-platform.xml:
T42 search string being used in t42-platform.xml:
PidSearch.xml modified to insert e40 search:
PidSearch.xml modified to insert T42 search:
If there is anything I need to include, please let me know. I'll gather what I can.
I am trying to get the PID search to read E40 and T42 PIDs. It looks like there is more changes needed above and beyond just editing the xml files. I have changed the e40-platform.xml, t42-platform.xml, and PidSearch.xml files which has thus far allowed the PidSearch to return results for the E40(did not explore T42 any further as of yet). For E40 purposes, I am getting the correct PIDNumber output. Bytes, Subroutine, RamAddress columns are all not working correctly. Byte is showing only a value of 1. Subroutine is including the function address and also the bytes. Nothing showing for RamAddress. I included a screenshot of the E40 results I am getting. The byte value is after the subroutine address which is different than Gen3.
E40 pid table for the subject OS starts at B4EF2
T42 pid table for the subject OS starts are 5435E
Logs from bin files used are:
E40 -
Code: Select all
Reading Platform config: e40-platform.xml [OK]
Loading file: e40.xml [OK]
Pontiac 2006 GTO ECM 12603159 - Copy.bin (e40 (v 3))
Segments:
BootBlock PN: 12596655, Ver: AA, Nr: 99 [0000 - 1FFF, 2000 - 3FFF], Size: 4000
OS PN: 12603159, Ver: AB, Nr: 1 [8000 - 1FFFF, 40000 - FFFFF], Size: D8000
System PN: 92186764, Ver: AB, Nr: 2 [20000 - 20ABB], Size: ABC
Fuel PN: 92186766, Ver: AB, Nr: 3 [20ABC - 22AB1], Size: 1FF6
Speedo PN: 92186760, Ver: AB, Nr: 4 [22AB2 - 22BB9], Size: 108
EngineDiag PN: 92186762, Ver: AB, Nr: 5 [22BBA - 26FED], Size: 4434
Engine PN: 92186758, Ver: AB, Nr: 6 [26FEE - 3FFFF], Size: 19012
EEPROM_DATA PN: 12596003, Ver: YMMY [6000 - 7FFF], Size: 2000
Eeprom: HH0
PCM: 12596003
PCMid2: 12603390
VIN: 6G2VX12U86L545630
trace code: 86YMMYM052762V0L
BCC: YMMY
Programdate: 20051213
Checksums:
BootBlock Checksum 1: 44E8 [OK] Checksum 2: 8B44 [OK] [stock]
OS Checksum 1: 993D [OK] Checksum 2: 83F8 [OK] [stock]
System Checksum 1: 3F5F [OK] Checksum 2: 0E24 [OK] [modded/R]
Fuel Checksum 1: BD92 [OK] Checksum 2: AFA8 [OK] [stock]
Speedo Checksum 1: ED24 [OK] Checksum 2: A147 [OK] [modded/R]
EngineDiag Checksum 1: B9EA [OK] Checksum 2: 879F [OK] [stock]
Engine Checksum 1: FBCB [OK] Checksum 2: 48A8 [OK] [modded/R]
EEPROM_DATA
Seeking tables...Configuration not found: TableSeek-e40.xml
Code: Select all
Reading Platform config: t42-platform.xml [OK]
Loading file: t42.xml [OK]
Pontiac 2006 GTO TCM 24236195 - Copy.bin (t42 (v 3))
Segments:
BootBlock PN: 24230354, Ver: AA, Nr: 0 [0000 - 3FFF, 8000 - FFFF], Size: C000
OS PN: 24236195, Ver: AA, Nr: 1 [10000 - 1FFFF, 40000 - AFFFF], Size: 80000
System PN: 92187302, Ver: AD, Nr: 2 [20000 - 21FFF], Size: 2000
Trans PN: 92187304, Ver: AC, Nr: 3 [22000 - 31FFF], Size: 10000
Diag PN: 92187306, Ver: AC, Nr: 4 [32000 - 3FFFF], Size: E000
EEPROM_DATA PN: BK? [6000 - 7FFF], Size: 2000
PCM: 24229459
PCMid2: 24236194
VIN: 6G2VX12U86L545630
trace code: BKYMDBK052850071
BCC: YMDB
Tool: *GMHOLDEN*
Programdate: 20051213
Checksums:
BootBlock Checksum 1: 4825 [OK] Checksum 2: E0EF [OK] [stock]
OS Checksum 1: DE64 [OK] Checksum 2: BCD9 [OK] [stock]
System Checksum 1: 7F40 [OK] Checksum 2: 0C48 [OK] [stock]
Trans Checksum 1: 29E8 [OK] Checksum 2: 69CF [OK] [modded/R]
Diag Checksum 1: 2CD7 [OK] Checksum 2: 9ED8 [OK] [stock]
EEPROM_DATA
DTC search: can't find DTC code table
Seeking tables...Configuration not found: TableSeek-t42.xml
PIDs not found
Looking through github, I believe the next step is to modify the Pidsearch.cs file. Unfortunately, I do not have the skills to make changes past the .xml files nor have I been able to discover any other files that need to be updated, though I presume there are others.
E40 search string being used in e40-platform.xml:
Code: Select all
<PidSearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 * * 00 02 * * * * 02 00 00 00 00 03 * * * * 02 00 00 00 00 04</PidSearchString>
<PidSearchStep>10</PidSearchStep>
Code: Select all
<PidSearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 00 00 00 02 * * * * 04 00 00 00 00 02</PidSearchString>
<PidSearchStep>10</PidSearchStep>
Code: Select all
<PidSearchConfig>
<XMLFile>e40</XMLFile>
<SearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 * * 00 02 * * * * 02 00 00 00 00 03 * * * * 02 00 00 00 00 04</SearchString>
<Step>10</Step>
</PidSearchConfig>
Code: Select all
<PidSearchConfig>
<XMLFile>t42</XMLFile>
<SearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 00 00 00 02 * * * * 04 00 00 00 00 02</SearchString>
<Step>10</Step>
</PidSearchConfig>
- Attachments
-
- E40 pidsearch results.JPG (133.3 KiB) Viewed 10336 times
Re: Universalpatcher with Logger & Analyzer
On e40 we have
00 00 -pid number
00 0B 49 54 -subroutine address
04 00 00 00 -size
Pattern seems consistent across all bins.
On ls1 pcms the ram address was hardcoded by some opcodes [move address to d0]. Not sure if that is possible with e40, need to look at some disassembly.
Current pid search is too limited, and most of the ls1 stuff is built in. Maybe we need to expand it to full blown search since lots of CAN ecm also have some pid tables, that can be used.
If you have some solid patterns already, we can hardcode them if not possible to add them by simple search.
Code: Select all
00 00 00 0B 49 54 04 00 00 00
00 01 00 05 69 1A 04 00 00 00
00 02 00 09 0D F4 02 00 00 00
00 03 00 09 50 42 02 00 00 00
00 04 00 0A 8D 2A 01 00 00 00
00 05 00 05 9A 8E 01 00 00 00
00 06 00 08 60 32 01 00 00 00
00 0B 49 54 -subroutine address
04 00 00 00 -size
Pattern seems consistent across all bins.
On ls1 pcms the ram address was hardcoded by some opcodes [move address to d0]. Not sure if that is possible with e40, need to look at some disassembly.
Current pid search is too limited, and most of the ls1 stuff is built in. Maybe we need to expand it to full blown search since lots of CAN ecm also have some pid tables, that can be used.
If you have some solid patterns already, we can hardcode them if not possible to add them by simple search.
Re: Universalpatcher with Logger & Analyzer
Found some code patterns for ram address lookup for e40 It is move word to d1 + some others for a byte and a dword. I think a full blown search needs to be added, since e38 and newer pcms follows similar format, so we can easily expand it to cover most newer stuff.