ULink NT & 2 byte Seed/Key ECU unlock

E38 E92 and many others. Approximately 2007 and newer
MPC001
Posts: 52
Joined: Sat May 05, 2018 9:41 pm

ULink NT & 2 byte Seed/Key ECU unlock

Post by MPC001 »

Have been a member here for almost 7 years now, soaked up a lot, and getting more time now so hoping to contribute to the awesome body of knowledge & work - especially with a CAN Bus area now.

Apologies if I go over old ground here.

6 months back I got a ULink NT by @usbbdm as many would be familiar with. I wanted to deeper dive into GM E38/E67/E40/T42 etc ECM/TCM's (ECU's) via CAN & BDM if needed. Most of my digging in the past had been via commercial tuning tools etc. & ULink NT looked like it could open new doors and it has.

Initially had some challenges with seed/key access playing with T42 TCM's (I have a few and they are lower cost to brick than E38's), where the seed was reported as 0x0000 and the standard algo 73 key would not work. Consulting the GM docs it became clear that a seed of 0x0000 should mean the MEC (Manufacturers Enable Counter) was non zero (apparently this is a GM Standard) and the TCM was not locked & didn't need a seed/key - a 1AA0 command confirmed the MEC was 0xFC. (or NV Memory/EEPROM/NVRAM has been corrupted and the seed/key area zeroed or contains some odd hex values like 0x0000, 0x1234, 0xEEEE, 0xFFFF etc). (Have seen the MEC mentioned by Tazzi & Antus & others IIRC).

ULink NT didn't handle this or non algo keys as it stood. Getting on to usbbdm via chat and some follow up emails, he quickly added changes to the SW to:

1/. Input non standard keys in the algo box - i.e. replace algo 73 in this case with 4 character hex like "62B1" (62B1 was the key in question and would also work)(This took usbbdm all of a minute to revise and I had a recompiled .exe to test within minutes. Very helpful dude!)
2/. If ULink NT SW detects the seed is 0x0000 it will then attempt to read/write without using Service $27 security process (1/. still works if you know the key to use).
3/. If it turns out the seed/key area in the NVM has been corrupted & key not known, he has added a "scankey" command to "brute force" check through the 64k possibilities starting at whatever key value you want to start at like "scankey 0001" then it increments every 10sec.

Also works AOK on E38 and would guess any GM CAN ECU with 2 byte seed/keys. Not sure if 2/. works with 5 byte devices as my only E92 is a perfectly dead brick. ("scankey" of course not viable :roll: )

Have also been digging into E38 ETC Slaves if any one is interested. ULink NT now offers an alternative to TIS for Slave OS/Cal pair loading via CAN or BDM (with the back off).

FWIW - hope this is of interest & help to some folks.
Last edited by MPC001 on Tue Jun 24, 2025 12:07 pm, edited 1 time in total.
kidturbo
Posts: 83
Joined: Mon Dec 21, 2015 3:15 pm
cars: Nothing With Wheels

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by kidturbo »

Thanks for the updates. It does help. I haven't tested, but noticed the new extended seed key option in his latest release.

The T87/A Ulink CANbus options I have tested with so far work fine so long as you have a clean and properly terminated 60ohm bus. Did brick a few in GMboot mode doing unlocks early on, but as previously stated, developer resolved problems quickly. At worst I learned how to use the original Jtag parts as the tool was designed. Made me crack open a few other random cases just to see how it works.

For Ulink CANbus options, the high speed transfers are quick, and read back check is nice. If this code was migrated to a more user friendly hardware, removing the 2515 board and jumper wires, I think it has serious future uses as a bench or in car programmer. Could use some cleaner instructions in a few parts, but once you use it a couple times, ya catch on quickly.
qrunchi
Posts: 1
Joined: Sun Dec 10, 2023 7:01 am
cars: 2016 Cadillac ATS 2.0T (Alpha platform with LTG engine) , 2005 Nissan Altima 2/.

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by qrunchi »

I just wanted to say, I got the Ulink-NT recently, and amazing!
I was able to read my 2016 Delco E80 PCM in my Cadillac ATS with no issues at all. I got the shadow reading for my seed AND key in all areas, downloaded the full 6MB bin and also was able to clone to a junkyard ECU of same model to have a backup. Amazing little tool.
I used it with a cheap MCP2515 CAN module and everything worked for under $100....

Now if I can only find an A2L or XDF or something for definition of the engine file.... then I would be set for good
MPC001
Posts: 52
Joined: Sat May 05, 2018 9:41 pm

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by MPC001 »

kidturbo wrote: Sun Apr 06, 2025 3:41 pm For Ulink CANbus options, the high speed transfers are quick, and read back check is nice. If this code was migrated to a more user friendly hardware, removing the 2515 board and jumper wires, I think it has serious future uses as a bench or in car programmer. Could use some cleaner instructions in a few parts, but once you use it a couple times, ya catch on quickly.
:thumbup: yes. Challenge is always the hardware cost.
MPC001
Posts: 52
Joined: Sat May 05, 2018 9:41 pm

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by MPC001 »

qrunchi wrote: Mon Jun 23, 2025 10:56 pm I just wanted to say, I got the Ulink-NT recently, and amazing!
I was able to read my 2016 Delco E80 PCM in my Cadillac ATS with no issues at all. I got the shadow reading for my seed AND key in all areas, downloaded the full 6MB bin and also was able to clone to a junkyard ECU of same model to have a backup. Amazing little tool.
I used it with a cheap MCP2515 CAN module and everything worked for under $100....

Now if I can only find an A2L or XDF or something for definition of the engine file.... then I would be set for good
:thumbup:
veee8
Posts: 10
Joined: Wed Jan 31, 2018 5:35 am
Location: East Coast USA

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by veee8 »

Post up the bin file and I will compare it against my A2L's to see if there is anything useful.
antus
Site Admin
Posts: 9031
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ULink NT & 2 byte Seed/Key ECU unlock

Post by antus »

On the MEC, Manufacturers Enable Counter. It's set non zero on the production line (not sure if always or only some or older PCMs) in virgin PCMs so the factory can flash in the first calibration and security data including seed/key for later use. It also means, like you found, if param block is corrupt and erased to FF you get 255 shutdown power cycles before it locks.

For keys, instead of just scanning all keys, another option is scanning the 256 algos that are known (there are several implementations around the net) but some algos have a reference to type of PCM in them so might be needed for CAN versus VPW (table_gmlan.h). When brute forcing you can check the response to see if you need the 10 second delay, on VPW you get 3 attempts then need the 10 second break so that brute force could be optimised by 20 seconds per 3 keys if CAN is the same.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
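
The behaviour discussed in this thread, modelled from the module's side as an added example (not ULink NT code and not written by any poster here): a non-zero MEC reports seed 0x0000, failed keys trigger the 10 second delay, and the delay alone bounds how long a 2 byte or 5 byte key space holds up. The class and function names, the seed and key values, and the use of the ISO 14229 response codes 0x35/0x37 are assumptions made for the illustration.

```python
from dataclasses import dataclass

LOCKOUT_S = 10                 # delay after failed attempts, as quoted in the thread
NRC_INVALID_KEY = 0x35         # ISO 14229 codes; assumed to apply to these modules
NRC_DELAY_NOT_EXPIRED = 0x37


@dataclass
class SecurityAccessModel:     # hypothetical name, illustration only
    seed: int
    key: int
    mec: int = 0               # Manufacturers Enable Counter
    tries_per_window: int = 1  # 3 on VPW per the thread; CAN value not confirmed
    failed: int = 0
    locked_until: float = 0.0
    unlocked: bool = False

    def power_cycle(self) -> None:
        # Per the thread, a non-zero MEC counts down on each shutdown power cycle.
        self.unlocked = False
        if self.mec > 0:
            self.mec -= 1

    def request_seed(self) -> int:
        # Non-zero MEC: module is open and reports seed 0x0000 (no key needed).
        if self.mec != 0:
            self.unlocked = True
            return 0x0000
        return self.seed

    def send_key(self, key: int, now: float) -> int:
        if now < self.locked_until:
            return NRC_DELAY_NOT_EXPIRED
        if key == self.key:
            self.unlocked, self.failed = True, 0
            return 0
        self.failed += 1
        if self.failed >= self.tries_per_window:
            self.failed, self.locked_until = 0, now + LOCKOUT_S
        return NRC_INVALID_KEY


def worst_case_days(key_bytes: int, tries_per_window: int = 1) -> float:
    """Upper bound on how long the lockout alone holds off a full key sweep."""
    windows = -(-(256 ** key_bytes) // tries_per_window)   # ceiling division
    return windows * LOCKOUT_S / 86400


if __name__ == "__main__":
    for nbytes, tries in ((2, 1), (2, 3), (5, 1)):
        print(nbytes, "byte key,", tries, "tries/window:",
              round(worst_case_days(nbytes, tries), 1), "days")
```

With one try per 10 seconds the 2 byte space lasts under eight days, and under three days if three tries are allowed per window, while the same delay on a 5 byte key works out to hundreds of thousands of years.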