PCMHammer P04

[antus]

Going to add this here since this thread is about P04 dev which is close enough to P08. So I managed to damage the param block in on my P08 with some develop kernel code. It ended up looking like this:

This was an interesting one to recover. Trying to use regular off the shelf tools, seed = 0000 was returned, which usually means unlocked. I could guess that if the see was coming up as 0000 then probably the key was 0000 as well. But no tool that I had available would attempt to send a custom key if the seed was 0000, they would just proceed to the next step and get the mode 36 rejected.

So, this where the P08 BDM came in to it. Those details are here: viewtopic.php?f=42&t=6215&hilit=p08+bdm ... 00#p123110

All good I thought, I could erase, and write the flash without error. I failed to check exactly if the 0x4000 sector was recovered, because I could see the boot sector was all FF after the erase, and populated after the write. I naively assumed (dangerous!) that is was fully successful and moved on.

Today I hooked up the P08 ready to continue where I left off. Same problem - couldnt unlock. I looked at the debug console still 0x0000 seed, and still skipping the unlock. So I modified PCMHammer to not return if seed=0000 and set a custom key of 0000. Bingo! I was in. The screen shot above shows what was read. There were various retrying on the 0x4000 sector, obviously the chip was still not in a good state. And BDM was not going to get me out of this. I feared damage to the flash chip. So before giving up, I hooked up one of my commercial tools, and pcmhammer at the same time with 2 different interfaces. I put an hour long sleep in pcmhammer so it'd go silent after sending the key. I then let PCMHammer perform the unlock, and then started the write entire in the other tool. This worked! And running through a proper erase process got the flash chip back in to a healthy state. So now, time to break it with alpha quality code again lol. Hope this helps someone if they ever find themselves in a similar position.

[Jakefunny]

I was able to erase a block and write 2 bytes (more on this later) on my P04.
I'm working from an older version of PCM Hammer that doesn't use a loader for P04. I'm also using my testing/debug kernel.

Parameter Block 0x006000 - 0x007FFF on one of my P04 is empty (0xFF) so I wrote 2 bytes to the beginning of it. Worked perfectly
Reason I can only write 2 bytes is because that's limitation of my kernel at the moment.
I followed that up with a Block Erase for 0x006000 and read the flash. The 2 bytes I changed went back to 0xFF 0xFF.

Next I'll add to my kernel the ability to write more than 2 bytes.

The Erase function from my kernel (Using Easy68k)

P04_Erase_Kernel.JPG (25.32 KiB) Viewed 3312 times

[Jakefunny]

Good news from my endeavors. I am able to erase and write to a P04.
Code still has some issues but its enough to fully program the flash and come back to fix any miss writes.
As you can see from the log, it had to rewrite the Last OS sector twice.
It doesn't matter what kind of write I do, its always the last OS sector... Probably another timing issue.

Code: Select all

[01:41:55:267]  PCM Hammer (7/9/2023, 4:15 PM)
[01:41:55:276]  Monday, July 10 2023 @01:41:55:27
[01:41:55:798]  Thanks for using PCM Hammer.
[01:41:56:570]  Device Found: OBDX Pro VT
[01:41:56:751]  Voltage is: 13.07V
[01:41:56:777]  Device Successfully Initialized and Ready
[01:42:13:774]  C:\Users\stamp\Desktop\3800 ECU New.bin
[01:42:13:780]  Validating 512k file.
[01:42:13:792]  	Start	End	Stored		Needed		Verdict	Segment Name
[01:42:13:800]  	00000	7FFFF	8BF65122	8BF65122	Good	Whole File
[01:42:13:804]  Requesting operating system ID...
[01:42:13:847]  PCM and file are both for the same Hardware P04
[01:42:13:853]  PCM and file are both operating system 9352797
[01:42:13:931]  Unlock succeeded.
[01:42:13:948]  Attempting switch to VPW 4x
[01:42:13:969]  Module 0x10 (engine controller) has agreed to enter high-speed mode.
[01:42:15:114]  PCM uses a kernel loader.
[01:42:15:313]  Loader upload 100% complete.
[01:42:15:325]  Loader Version: 69000104
[01:42:15:329]  Loader uploaded to PCM succesfully.
[01:42:15:498]  Kernel upload 31% complete.
[01:42:18:424]  Kernel upload 65% complete.
[01:42:18:579]  Kernel upload 100% complete.
[01:42:19:195]  Kernel Version: 82400104
[01:42:19:200]  Kernel uploaded to PCM succesfully.
[01:42:19:218]  Changing PCM to operating system 9352797
[01:42:19:235]  Flash chip: Intel 28F400B, 512kb
[01:42:19:245]  Calculating CRCs from file.
[01:42:19:255]  Requesting CRCs from PCM.
[01:42:19:262]  	Range		File CRC		PCM CRC	Verdict	Purpose
[01:42:21:519]  060000-07FFFF	129A1DF1	404773E3	Different	OperatingSystem
[01:42:23:778]  040000-05FFFF	5E910028	5E910028	Same	OperatingSystem
[01:42:26:040]  020000-03FFFF	AC776424	AC776424	Same	OperatingSystem
[01:42:27:742]  008000-01FFFF	EA0087CC	EA0087CC	Same	Calibration
[01:42:27:752]  006000-007FFF	not needed	not needed	n/a	Parameter
[01:42:27:763]  004000-005FFF	not needed	not needed	n/a	Parameter
[01:42:28:065]  000000-003FFF	E8FC2A23	E8FC2A23	Same	Boot
[01:42:28:080]  Processing range 060000-07FFFF
[01:42:28:092]  Erasing.
[01:42:28:473]  Writing...
[01:43:27:184]  Calculating CRCs from file.
[01:43:27:199]  Requesting CRCs from PCM.
[01:43:27:213]  	Range		File CRC		PCM CRC	Verdict	Purpose
[01:43:29:477]  060000-07FFFF	129A1DF1	94123C5B	Different	OperatingSystem
[01:43:31:742]  040000-05FFFF	5E910028	5E910028	Same	OperatingSystem
[01:43:34:006]  020000-03FFFF	AC776424	AC776424	Same	OperatingSystem
[01:43:35:711]  008000-01FFFF	EA0087CC	EA0087CC	Same	Calibration
[01:43:35:724]  006000-007FFF	not needed	not needed	n/a	Parameter
[01:43:35:741]  004000-005FFF	not needed	not needed	n/a	Parameter
[01:43:36:042]  000000-003FFF	E8FC2A23	E8FC2A23	Same	Boot
[01:43:36:060]  Processing range 060000-07FFFF
[01:43:36:074]  Erasing.
[01:43:37:105]  Writing...
[01:44:35:963]  Calculating CRCs from file.
[01:44:35:985]  Requesting CRCs from PCM.
[01:44:35:999]  	Range		File CRC		PCM CRC	Verdict	Purpose
[01:44:38:268]  060000-07FFFF	129A1DF1	129A1DF1	Same	OperatingSystem
[01:44:40:537]  040000-05FFFF	5E910028	5E910028	Same	OperatingSystem
[01:44:42:805]  020000-03FFFF	AC776424	AC776424	Same	OperatingSystem
[01:44:44:515]  008000-01FFFF	EA0087CC	EA0087CC	Same	Calibration
[01:44:44:532]  006000-007FFF	not needed	not needed	n/a	Parameter
[01:44:44:552]  004000-005FFF	not needed	not needed	n/a	Parameter
[01:44:44:864]  000000-003FFF	E8FC2A23	E8FC2A23	Same	Boot
[01:44:44:891]  All relevant ranges are identical.
[01:44:44:910]  All write-request messages succeeded on the first try. You have an excellent connection to the PCM.
[01:44:44:931]  Please help by sharing your results in the PCM Hammer thread at pcmhacking.net.
[01:44:44:956]  Flash successful!
[01:44:45:053]  Clearing trouble codes.
[01:44:46:100]  Elapsed time 00:02:32.1652524

[antus]

Well done!

[Gampy]

Cool, Me too ...

P01-Intel.png (45.56 KiB) Viewed 3162 times

And,

P04_Intel.png (38.65 KiB) Viewed 3162 times

And,

P04_AMD.png (53.65 KiB) Viewed 3162 times

And,

P10_AMD.png (62.44 KiB) Viewed 3162 times

And,

P12_AMD.png (52.92 KiB) Viewed 3162 times

And,

P12b_AMD.png (53.54 KiB) Viewed 3162 times

And,

P59_Intel.png (53.83 KiB) Viewed 3162 times

And,

P59_AMD.png (64.21 KiB) Viewed 3162 times

And,

E54_Intel.png (48.38 KiB) Viewed 3162 times

-Enjoy

[MudDuck514]

Awesome job everyone.

Mike

[Tazzi]

Cool, Me too ...

-Enjoy

Doesnt seem to actually be part of PCMHammer's public releases? Unless that is just being all done and used for private usage.

[Gampy]

Cool, Me too ...

-Enjoy

Doesnt seem to actually be part of PCMHammer's public releases? Unless that is just being all done and used for private usage.

Am I allowed to finish or is that taboo ...

-Enjoy

[Tazzi]

Am I allowed to finish or is that taboo ...

-Enjoy

Define finish?
Is finished when you have done all the other series of ECUs also? Looks like your missing E38, E67, E40, E39, E55, E92, E98 .... (Im having a bit of fun here, no need to be serious).

[MudDuck514]

Am I allowed to finish or is that taboo ...

-Enjoy

Define finish?
Is finished when you have done all the other series of ECUs also? Looks like your missing E38, E67, E40, E39, E55, E92, E98 .... (Im having a bit of fun here, no need to be serious).

You forgot one!
P08 needs to be finished.

As you said, just teasing.

Mike