Universalpatcher with Logger & Analyzer

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
kur4o

Re: Universalpatcher with Logger & Analyzer

Post by kur4o »

Version 0.20.18

A big update to j-console monitoring and some fixes and improvements to script language.

-connect a j-device to 2 protocols simultaneously and monitor and send custom commands to both.
-extensive configuration of how j-device connects.
.select pins
.set custom filters
.set command flags
.set custom configurations
-run scripts with commands in a loop with setting different variables that can increase or decrease.
-many other small improvements and fixes

a screenshot and some sample vpw scripts for testing.
2protocols.JPG
Attachments
mode_09_read.txt
(229 Bytes) Downloaded 132 times
3c_read.txt
(387 Bytes) Downloaded 111 times
kur4o

Re: Universalpatcher with Logger & Analyzer

Post by kur4o »

This script will test a module for all known algos and will break on success. Then you can input the seed/key combo in the algo tab and find the algo number for the module.

It is set for a module with ID=10 [pcm]. To test for bcm, change 10 to 40 in the script, on these lines: 6c 10 f0

You can also test it for any in-car module (abs, airbag, ipc); you just need to find the correct id.

HOW TO LOAD SCRIPTS.

Open logger ->settings tab->select device and connect->goto vpw console->check all checkboxes->upload script button->select the script you want to upload.

Once the algo for a module is found, a mode23 script can be used to read the module memory, RAM or ROM.

How to find the ids of the modules that are present on the bus:
After this command is sent
[14:48:01.031] 6C FE F0 28 00
each module will respond with its id [3rd byte]
6C F0 10 68 00
6C F0 40 68 00
6C F0 AE 68 00
6C F0 99 68 00

In case there are more than 10 modules connected, this value can be increased to capture all ids
6c fe f0 28 00:10:100 Increase 10 to the max modules that are connected.


I AM LOOKING FOR SOME CAN TESTERS with a j2534 device.
An in-car high speed CAN logging test will be very informative. Does the program lock up on very heavy CAN traffic?

Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect

Some CAN logs will help with the CAN analyzer that is under development.

For gmlan logs (low speed CAN):
setprotocol SW_CAN_PS->baud 33333-> setpins 00000100->connect

If the program doesn't lock up on HSCAN, you can monitor both LS and HS CAN buses [MDI is preferred here]

Open logger->j-console->set protocol to CAN->baud 500000->timestamps checked->connect

Then
setprotocol 2
SW_CAN_PS->baud 33333-> setpins 00000100->connect protocol 2
Attachments
$10_brute_unlock_var_algo.txt
(417 Bytes) Downloaded 131 times
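An added example, not part of the original post or of the tool itself: a small parser that reads a console log like the one quoted above and lists the module ids that answered the broadcast. It assumes the frame layout visible in the post (2nd byte = target, 3rd byte = source, 4th byte = mode, with the reply mode 0x68 being the request mode 0x28 plus 0x40); the reply timestamps, the malformed line and the repeated reply in the sample are constructed.

```python
import re

# Constructed capture: the request and four replies from the post, plus one
# malformed line and one repeated reply to exercise the filters.
SAMPLE_LOG = """\
[14:48:01.031] 6C FE F0 28 00
[14:48:01.040] 6C F0 10 68 00
[14:48:01.044] 6C F0 40 68 00
garbage line
[14:48:01.049] 6C F0 AE 68 00
[14:48:01.055] 6c f0 99 68 00
[14:48:01.060] 6C F0 10 68 00
"""

TESTER_ID = 0xF0  # assumption: the logging tool's own id, as seen in the request
FRAME_RE = re.compile(r"^(?:\[[^\]]*\]\s*)?((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_frame(line):
    """Return the frame bytes of one log line, or None if it is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m.group(1))
    return data if len(data) >= 4 else None


def responding_modules(log, request_mode=0x28):
    """List module ids (3rd byte) of replies addressed to the tester, in order."""
    reply_mode = request_mode + 0x40
    seen = []
    for line in log.splitlines():
        frame = parse_frame(line)
        if frame is None:
            continue
        target, source, mode = frame[1], frame[2], frame[3]
        if target == TESTER_ID and mode == reply_mode and source not in seen:
            seen.append(source)
    return seen


if __name__ == "__main__":
    print(" ".join(f"{m:02X}" for m in responding_modules(SAMPLE_LOG)))
```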
joukoy

Re: Universalpatcher with Logger & Analyzer

Post by joukoy »

Version 0.21.0 adds graphics to the logger.
In 0.21.1 zoom is enabled, by dragging an area in the graphics.
Attachments
Logger-Graphics-2022-10-23 174450.jpg
antus
Site Admin

Re: Universalpatcher with Logger & Analyzer

Post by antus »

wow, looking really good!
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
gmtech825

Re: Universalpatcher with Logger & Analyzer

Post by gmtech825 »

kur4o wrote: This script will test a module for all known algos and will break on success. Then you can input the seed/key combo in the algo tab and find the algo number for the module.

I missed this post...are you still looking to test can networks? I would love a script for reading BCM ram/rom
joukoy

Re: Universalpatcher with Logger & Analyzer

Post by joukoy »

Version 0.21.2 also has a histogram in the logger.
Currently it might be a little bit difficult to use; please send ideas on how it should work.
Attachments
Histogram-Graphics-2022-10-24 184759.jpg
kur4o

Re: Universalpatcher with Logger & Analyzer

Post by kur4o »

gmtech825 wrote: I missed this post...are you still looking to test can networks? I would love a script for reading BCM ram/rom
Definitely some testing will be nice. Once we dial the multiframe encoding, more advanced scripts can be used on CAN.

Currently an in-car test can be done. Once a CAN protocol is connected, either HS or LS LAN, go to

logger->action->Query CAN devices

Then see in the CAN tab if there is a list of CAN ids on the bus.
exo3901

Re: Universalpatcher with Logger & Analyzer

Post by exo3901 »

I understand official support is not available yet. I am hoping to help get it there though. Using version 20.26 but it does not look like anything pertaining to my scenario was added in later versions.

I am trying to get the PID search to read E40 and T42 PIDs. It looks like there are more changes needed above and beyond just editing the xml files. I have changed the e40-platform.xml, t42-platform.xml, and PidSearch.xml files, which has thus far allowed the PidSearch to return results for the E40 (I did not explore T42 any further as of yet). For E40 purposes, I am getting the correct PIDNumber output. The Bytes, Subroutine, and RamAddress columns are all not working correctly. Byte is showing only a value of 1. Subroutine is including the function address and also the bytes. Nothing is showing for RamAddress. I included a screenshot of the E40 results I am getting. The byte value is after the subroutine address, which is different than Gen3.

E40 pid table for the subject OS starts at B4EF2
T42 pid table for the subject OS starts at 5435E

Logs from bin files used are:
E40 -


Reading Platform config: e40-platform.xml [OK]
Loading file: e40.xml [OK]

Pontiac 2006 GTO ECM 12603159 - Copy.bin (e40 (v 3))

Segments:
 BootBlock   PN:  12596655, Ver:   AA, Nr: 99 [0000 - 1FFF, 2000 - 3FFF], Size: 4000
 OS          PN:  12603159, Ver:   AB, Nr: 1  [8000 - 1FFFF, 40000 - FFFFF], Size: D8000
 System      PN:  92186764, Ver:   AB, Nr: 2  [20000 - 20ABB], Size: ABC
 Fuel        PN:  92186766, Ver:   AB, Nr: 3  [20ABC - 22AB1], Size: 1FF6
 Speedo      PN:  92186760, Ver:   AB, Nr: 4  [22AB2 - 22BB9], Size: 108
 EngineDiag  PN:  92186762, Ver:   AB, Nr: 5  [22BBA - 26FED], Size: 4434
 Engine      PN:  92186758, Ver:   AB, Nr: 6  [26FEE - 3FFFF], Size: 19012
 EEPROM_DATA PN:  12596003, Ver: YMMY         [6000 - 7FFF], Size: 2000
 Eeprom: HH0
 PCM: 12596003
 PCMid2: 12603390
 VIN: 6G2VX12U86L545630
 trace code: 86YMMYM052762V0L
 BCC: YMMY
 Programdate: 20051213
Checksums:
 BootBlock   Checksum 1: 44E8 [OK] Checksum 2: 8B44 [OK] [stock]
 OS          Checksum 1: 993D [OK] Checksum 2: 83F8 [OK] [stock]
 System      Checksum 1: 3F5F [OK] Checksum 2: 0E24 [OK] [modded/R]
 Fuel        Checksum 1: BD92 [OK] Checksum 2: AFA8 [OK] [stock]
 Speedo      Checksum 1: ED24 [OK] Checksum 2: A147 [OK] [modded/R]
 EngineDiag  Checksum 1: B9EA [OK] Checksum 2: 879F [OK] [stock]
 Engine      Checksum 1: FBCB [OK] Checksum 2: 48A8 [OK] [modded/R]
 EEPROM_DATA 
Seeking tables...Configuration not found: TableSeek-e40.xml
T42 -


Reading Platform config: t42-platform.xml [OK]
Loading file: t42.xml [OK]

Pontiac 2006 GTO TCM 24236195 - Copy.bin (t42 (v 3))

Segments:
 BootBlock   PN:  24230354, Ver:   AA, Nr: 0  [0000 - 3FFF, 8000 - FFFF], Size: C000
 OS          PN:  24236195, Ver:   AA, Nr: 1  [10000 - 1FFFF, 40000 - AFFFF], Size: 80000
 System      PN:  92187302, Ver:   AD, Nr: 2  [20000 - 21FFF], Size: 2000
 Trans       PN:  92187304, Ver:   AC, Nr: 3  [22000 - 31FFF], Size: 10000
 Diag        PN:  92187306, Ver:   AC, Nr: 4  [32000 - 3FFFF], Size: E000
 EEPROM_DATA PN:       BK?                    [6000 - 7FFF], Size: 2000
 PCM: 24229459
 PCMid2: 24236194
 VIN: 6G2VX12U86L545630
 trace code: BKYMDBK052850071
 BCC: YMDB
 Tool: *GMHOLDEN*
 Programdate: 20051213
Checksums:
 BootBlock   Checksum 1: 4825 [OK] Checksum 2: E0EF [OK] [stock]
 OS          Checksum 1: DE64 [OK] Checksum 2: BCD9 [OK] [stock]
 System      Checksum 1: 7F40 [OK] Checksum 2: 0C48 [OK] [stock]
 Trans       Checksum 1: 29E8 [OK] Checksum 2: 69CF [OK] [modded/R]
 Diag        Checksum 1: 2CD7 [OK] Checksum 2: 9ED8 [OK] [stock]
 EEPROM_DATA 
DTC search: can't find DTC code table
Seeking tables...Configuration not found: TableSeek-t42.xml

PIDs not found

Looking through github, I believe the next step is to modify the Pidsearch.cs file. Unfortunately, I do not have the skills to make changes past the .xml files nor have I been able to discover any other files that need to be updated, though I presume there are others.

E40 search string being used in e40-platform.xml:


<PidSearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 * * 00 02 * * * * 02 00 00 00 00 03 * * * * 02 00 00 00 00 04</PidSearchString>
  <PidSearchStep>10</PidSearchStep>
T42 search string being used in t42-platform.xml:


<PidSearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 00 00 00 02 * * * * 04 00 00 00 00 02</PidSearchString>
  <PidSearchStep>10</PidSearchStep>
PidSearch.xml modified to insert e40 search:


<PidSearchConfig>
    <XMLFile>e40</XMLFile>
    <SearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 * * 00 02 * * * * 02 00 00 00 00 03 * * * * 02 00 00 00 00 04</SearchString>
    <Step>10</Step>
  </PidSearchConfig>
PidSearch.xml modified to insert T42 search:


<PidSearchConfig>
    <XMLFile>t42</XMLFile>
    <SearchString>00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 00 00 00 02 * * * * 04 00 00 00 00 02</SearchString>
    <Step>10</Step>
  </PidSearchConfig>
If there is anything I need to include, please let me know. I'll gather what I can.
Attachments
E40 pidsearch results.JPG
kur4o

Re: Universalpatcher with Logger & Analyzer

Post by kur4o »

On e40 we have


00 00 00 0B 49 54 04 00 00 00 
00 01 00 05 69 1A 04 00 00 00 
00 02 00 09 0D F4 02 00 00 00 
00 03 00 09 50 42 02 00 00 00 
00 04 00 0A 8D 2A 01 00 00 00 
00 05 00 05 9A 8E 01 00 00 00 
00 06 00 08 60 32 01 00 00 00
00 00 -pid number
00 0B 49 54 -subroutine address
04 00 00 00 -size

Pattern seems consistent across all bins.

On ls1 pcms the ram address was hardcoded by some opcodes [move address to d0]. Not sure if that is possible with e40, need to look at some disassembly.

Current pid search is too limited, and most of the ls1 stuff is built in. Maybe we need to expand it to full blown search since lots of CAN ecm also have some pid tables, that can be used.

If you have some solid patterns already, we can hardcode them if not possible to add them by simple search.
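An added example, not part of the original post and not UniversalPatcher's own code: a wildcard search using the E40 search string posted earlier in the thread, followed by a walk of the 10-byte records in the layout described above. It assumes big-endian fields, that the size is the first byte of the 4-byte size field, and that PID numbers count up from 0 without gaps as in the listing; the surrounding 0xFF filler is constructed.

```python
import struct

# E40 table bytes copied from the listing in the post above (7 records).
SAMPLE_TABLE = bytes.fromhex(
    "00 00 00 0B 49 54 04 00 00 00 00 01 00 05 69 1A 04 00 00 00 "
    "00 02 00 09 0D F4 02 00 00 00 00 03 00 09 50 42 02 00 00 00 "
    "00 04 00 0A 8D 2A 01 00 00 00 00 05 00 05 9A 8E 01 00 00 00 "
    "00 06 00 08 60 32 01 00 00 00")
# E40 search string from the e40-platform.xml snippet earlier in the thread.
E40_PATTERN = ("00 00 * * * * 04 00 00 00 00 01 * * * * 04 00 * * 00 02 "
               "* * * * 02 00 00 00 00 03 * * * * 02 00 00 00 00 04")
RECORD_LEN = 10  # pid (2) + subroutine address (4) + size field (4)


def compile_pattern(text):
    """Turn '00 * 04' into a list of ints, with None for each wildcard."""
    return [None if tok == "*" else int(tok, 16) for tok in text.split()]


def find_pattern(image, pattern, start=0):
    """Return the first offset where every non-wildcard byte matches, or -1."""
    for off in range(start, len(image) - len(pattern) + 1):
        if all(p is None or image[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def parse_pid_table(image, offset):
    """Walk 10-byte records while PID numbers keep counting up from 0."""
    rows = []
    while 0 <= offset and offset + RECORD_LEN <= len(image):
        pid, sub_addr, size = struct.unpack_from(">HIB", image, offset)
        padding = image[offset + 7:offset + RECORD_LEN]
        if pid != len(rows) or padding != b"\x00\x00\x00":
            break  # sequence or padding broke: end of table (assumed rule)
        rows.append({"pid": pid, "subroutine": sub_addr, "size": size})
        offset += RECORD_LEN
    return rows


def demo():
    # Constructed image: 0xFF filler around the table, not a real bin.
    image = b"\xff" * 0x40 + SAMPLE_TABLE + b"\xff" * 0x20
    offset = find_pattern(image, compile_pattern(E40_PATTERN))
    return offset, parse_pid_table(image, offset)


if __name__ == "__main__":
    for r in demo()[1]:
        print(f"pid={r['pid']:04X} sub={r['subroutine']:06X} size={r['size']}")
```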
kur4o

Re: Universalpatcher with Logger & Analyzer

Post by kur4o »

Found some code patterns for ram address lookup for e40. It is move word to d1 + some others for a byte and a dword. I think a full blown search needs to be added, since e38 and newer pcms follow a similar format, so we can easily expand it to cover most newer stuff.