ULink NT & 2 byte Seed/Key ECU unlock

E38 E92 and many others. Approximately 2007 and newer
MPC001
Posts: 34
Joined: Sat May 05, 2018 9:41 pm

Post by MPC001 »

Have been a member here for almost 7 years now, soaked up a lot, and getting more time now so hoping to contribute to the awesome body of knowledge & work - especially with a CAN Bus area now.

Apologies if I go over old ground here.

6 months back I got a ULink NT by @usbbdm as many would be familiar with. I wanted to deeper dive into GM E38/E67/E40/T42 etc ECM/TCM's (ECU's) via CAN & BDM if needed. Most of my digging in the past had been via commercial tuning tools etc. & ULink NT looked like it could open new doors and it has.

Initially had some challenges with seed/key access playing with T42 TCMs (I have a few and they are lower cost to brick than E38s), where the seed was reported as 0x0000 and the standard algo 73 key would not work. Consulting the GM docs it became clear that a seed of 0x0000 should mean the MEC (Manufacturers Enable Counter) was non-zero (apparently this is a GM Standard) and the TCM was not locked & didn't need a seed/key - a 1AA0 command confirmed the MEC was 0xFC. (Or NV Memory/EEPROM/NVRAM has been corrupted and the seed/key area zeroed or contains some odd hex values like 0x0000, 0x1234, 0xEEEE, 0xFFFF etc.) (Have seen the MEC mentioned by Tazzi & Antus & others IIRC.)

ULink NT didn't handle this or non algo keys as it stood. Getting on to usbbdm via chat and some follow up emails, he quickly added the changes to the SW to:

1/. Input non standard keys in the algo box - i.e. replace algo 73 in this case with 4 character hex like "62B1" (62B1 was the key in question and would also work). (This took usbbdm all of a minute to revise and I had a recompiled .exe to test within minutes. Very helpful dude!)
2/. If ULink NT SW detects the seed is 0x0000 it will then attempt to read/write without using Service $27 security process (1/. still works if you know the key to use).
3/. If it turns out the seed/key area in the NVM has been corrupted & key not known, he has added a "scankey" command to "brute force" check through the 64k possibilities starting at whatever key value you want to start at like "scankey 0001" then it increments every 10sec.

Also works AOK on E38 and would guess any GM CAN ECU with 2 byte seed/keys. Not sure if 2/. works with 5 byte devices as my only T92 is a perfectly dead brick. ("scankey" of course not viable)

Have also been digging into E38 ETC Slaves if anyone is interested. ULink NT now offers an alternative to TIS for Slave OS/Cal pair loading via CAN or BDM (with the back off).

FWIW - hope this is of interest & help to some folks.
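
Added example, not part of MPC001's post and not ULink NT code: a triage of the reply to a Service $27 seed request that applies the seed interpretations described above, plus the upper bound on a full 2-byte key scan at the 10 second step mentioned. The reply layout (67 01 + big-endian seed, 7F 27 + response code), the function names and the sample replies are assumptions constructed for illustration.

```python
# Added example: triage of a Service $27 "request seed" reply on a 2-byte seed/key ECU.
# Assumed layout (not from the post): positive reply = 67 01 <seed hi> <seed lo>,
# negative reply = 7F 27 <response code>.
SUSPECT_SEEDS = {0x1234, 0xEEEE, 0xFFFF}  # "odd" values named in the post
SCAN_STEP_SECONDS = 10                    # scankey increment interval from the post


def triage_seed_reply(payload: bytes) -> dict:
    """Classify a reply to a seed request using the interpretations in the post."""
    if len(payload) >= 3 and payload[0] == 0x7F and payload[1] == 0x27:
        return {"state": "rejected", "code": payload[2]}
    if len(payload) != 4 or payload[0] != 0x67 or payload[1] != 0x01:
        return {"state": "malformed"}
    seed = int.from_bytes(payload[2:4], "big")
    if seed == 0x0000:
        # Per the post: MEC is non-zero (no key needed) or the NVM area is zeroed.
        return {"state": "no_key_needed_or_nvm_zeroed", "seed": seed,
                "next": "read the MEC (1AA0) to tell the two cases apart"}
    if seed in SUSPECT_SEEDS:
        return {"state": "possible_nvm_corruption", "seed": seed}
    return {"state": "locked", "seed": seed}


def scan_worst_case_days(start_key: int = 0x0001) -> float:
    """Upper bound for a scan from start_key up to 0xFFFF (assumes no wrap-around)."""
    if not 0 <= start_key <= 0xFFFF:
        raise ValueError("key must fit in 2 bytes")
    return (0x10000 - start_key) * SCAN_STEP_SECONDS / 86400


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real module.
    for raw in ("67010000", "6701EEEE", "6701A1B2", "7F2737", "6701"):
        print(raw, triage_seed_reply(bytes.fromhex(raw)))
    print(f"full scan from 0001: about {scan_worst_case_days():.1f} days")
```
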
kidturbo
Posts: 79
Joined: Mon Dec 21, 2015 3:15 pm
cars: Nothing With Wheels

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by kidturbo »

Thanks for the updates. It does help. I haven't tested, but noticed the new extended seed key option in his latest release.

The T87/A Ulink CANbus options I have tested with so far work fine so long as you have a clean and properly terminated 60 ohm bus. Did brick a few in GMboot mode doing unlocks early on, but as previously stated, developer resolved problems quickly. At worst I learned how to use the original Jtag parts as the tool was designed. Made me crack open a few other random cases just to see how it works.

For Ulink CANbus options, the high speed transfers are quick, and read back check is nice. If this code was migrated to more user-friendly hardware, removing the 2515 board and jumper wires, I think it has serious future uses as a bench or in car programmer. Could use some cleaner instructions in a few parts, but once you use it a couple times, ya catch on quickly.