Open source GM OBD2 flash tool using a ELM327 device

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Today I got the ELM327 to TX/RX in HyperTerminal at 115200; it took some coercion but it obliged eventually. I did a lot of HyperTerminal testing and I think I've reached the point where I need to turn to software to start doing some of the work for me, especially because after A0 mode, time is short. I'm going to work on some more Visual Basic stuff and see how far I can get. Suggestions, logs, and documents are all welcome, and thanks everyone for the help so far.

Here's a document for the SEED/KEY algorithm. I'm not sure how to use it; maybe someone can benefit. Or better yet, slap it into a VB file and post it on this forum to be implemented into a flash tool :D .

-UKNOMEPRK
Attachment: 256 ALGOS.txt
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by festy »

uknomeprk wrote: Here's a document for the SEED/KEY algorithm. I'm not sure how to use it; maybe someone can benefit. Or better yet, slap it into a VB file and post it on this forum to be implemented into a flash tool :D .
What exactly are we looking at here? Is each of these 13-byte sequences the instructions (i.e. the "maths") for the algorithm?
Any idea what CPU family/platform the code is for? Are they ripped from ECU bins, or an x86 tool, or a standalone scanner type device?
With exactly 13 bytes in each, I assume some of them probably contain padding bytes - either that or there were some very creative coders writing them ;)

I plotted the byte frequency across all the algorithms (i.e. how often each byte appears), and it's a very logarithmic distribution - which may indicate what are operators and what's static data. It seemed like a fitting distraction for a Friday afternoon ;)
For example, there are over 200 occurrences of 0x14 between the 256 algorithms.
[image: bytefreq_all.jpg]
and the top 25 or so:
[image: bytefreq.jpg]
If you could narrow down the CPU, there's a lot better chance of making sense of it all :mrgreen:
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Well... I'm not sure about anything at this point. I have a 411 PCM from an 02 Tahoe, OSID# 12216125, VIN# 1GNEK13Z32J171183 (THANKS PlanetHAX).
My seed/key is 66 7E 14 E7. Here are a few more seed/key combos, but I'm not sure if they are a reliable source for seed/key combos as they may be modded.

seed    key
34 D6   BD 19
4A 3C   57 03

In response to your questions, festy...
What are we looking at here? = not sure
Instructions (i.e. the "maths") for the algorithm = don't know
Platform the code is for? = 1996 and up?
ECU bins, x86 tool, standalone scanner type device? = don't know, my guess is an ELM

This link may help; it's the code's source: http://www.j-body.com/forum/archive/ind ... 30773.html

There are a few names that always pop up when I'm looking for an answer to an OBD2 question: PlanetHAX, Dimented 24x7, Weatherall's Auto... that is, just to name a few.

I'll tell you one way not to decode these algos if they are legit... staring at them like I did. It yielded me nothing but an angry girlfriend :hmm: .
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by festy »

Try this, I think it might be what you're after.

function SeedtoKey(string seed) returns string Key
eg:

' Add keytool.dll to the project (Project -> References) so KeyDLL is available
Dim X As KeyDLL
Private Sub Command1_Click()
  ' Create the key calculator and compute the key for the seed typed into Text1
  Set X = New KeyDLL
  Text2.Text = X.SeedtoKey(Text1.Text)
End Sub
Attachment: Keytool.rar (keytool.dll for 411 ecu)
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Still working on this when I have time. I'm new to VB and making slow but really good progress. I'm definitely going to need the BIG BRAINS to help fine-tune the program, but that's the beauty of OPEN SOURCE. I plan on doing some 411 PCM testing with GMOS this weekend to see what it can do. I'll post some screenshots later if all goes well.

Festy

I've been working on the seed/key aspect of "GMOSEFT", that is GM Open Source ELM Flash Tool, or GMOS for short. I have a few questions about the DLL file you made.

1. What platform is the DLL made in, VB, C++, etc.?
2. Can I get the source file? Via PM, or I'll send you my email?
3. Is a normal return from the seed algo DLL a single key pair or a list of potential pairs?
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by festy »

First off, I should point out that I know very little about GM seed/key algorithms, or GM ECUs in general - so I'm not really up to speed on what ECU is used in what cars, and couldn't even pick a '411 ECU in a lineup if it was painted pink, so don't take anything I say as being right, or even on the right track ;)

I understand that there are 256 different algorithms defined by GM (or there was a set of 256 defined ~20 years ago), each consisting of 13 bytes - and some of those are effectively NOPs.

I think I was probably barking up the wrong tree assuming that each of the bytes was either static seeding data or a machine instruction; it's more likely that at least some, if not all, of them are more like pointers to functions, i.e. a 0x14 might be a reference to a function to divide by 3 and then add 4, rather than a specific assembler mnemonic. I haven't really devoted much time to looking in detail, so these are still just wild assumptions, but it would make more sense.

Anyway - the DLL was written in VB, as you said that was what you were coding in, so a native dll to keep it simple.
The SeedtoKey function returns a single key, not a list of possible keys.
The 3 seed/key combinations you posted all use the same algorithm, which is easy to find with google.
If you try your own seed/key calculations using that algorithm but don't always get the right answer, '&' the key with 0xFF to discard all but the lowest 8 bits; that step seems to be missing in all the descriptions I came across.

But, that's the only algorithm the dll uses. I have no idea whether it's common across all 411 ECUs, or if it's just a coincidence that the 3 sets you posted all use the same one.
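A small checking harness, added here as an example and not code from the thread, the DLL or GMOS: it parses the seed/key pairs in the "SS SS KK KK" form uknomeprk posted them, runs any candidate seed-to-key function on each seed, masks the result to the key width (the '&' step above, generalised to a configurable width), and reports which pairs match. Names such as parse_pair and check_candidate are this example's own, and placeholder_candidate is an assumption: a stand-in that deliberately does not match, since the real '0411 math is not printed in this thread.

```python
# Added example: check a candidate seed->key function against known pairs.
# Not the thread's, the DLL's or the GMOS project's code.
from typing import Callable, Dict, List, Tuple

# The three pairs as posted in the thread, in the "SS SS KK KK" form used there.
POSTED_PAIRS = ["66 7E 14 E7", "34 D6 BD 19", "4A 3C 57 03"]


def parse_pair(text: str) -> Tuple[int, int]:
    """Parse 'SS SS KK KK' (four hex bytes) into (seed, key) as 16-bit ints."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected four hex bytes, got {text!r}")
    b = [int(p, 16) for p in parts]
    if any(not 0 <= v <= 0xFF for v in b):
        raise ValueError(f"byte out of range in {text!r}")
    return (b[0] << 8) | b[1], (b[2] << 8) | b[3]


def check_candidate(candidate: Callable[[int], int],
                    pairs: List[Tuple[int, int]],
                    key_bits: int = 16) -> Dict[str, object]:
    """Run candidate(seed) for every known pair and compare with the posted key.

    The candidate's output is masked to key_bits before comparing; this is the
    '& 0xFF' step festy describes, for a byte-wide key, applied to whatever
    width the PCM actually expects.
    """
    mask = (1 << key_bits) - 1
    details = []
    for seed, expected in pairs:
        got = candidate(seed) & mask
        details.append({"seed": seed, "expected": expected,
                        "got": got, "ok": got == expected})
    matched = sum(1 for d in details if d["ok"])
    return {"matched": matched, "total": len(pairs), "details": details}


def placeholder_candidate(seed: int) -> int:
    """PLACEHOLDER (assumption): not the real '0411 algorithm.

    The thread does not print the actual math, so this stand-in just inverts
    the seed; swap in the function you actually want to verify.
    """
    return seed ^ 0xFFFF


def report(result: Dict[str, object]) -> str:
    """Render a check_candidate() result as a short text summary."""
    lines = [f"{result['matched']}/{result['total']} pairs matched"]
    for d in result["details"]:
        flag = "ok " if d["ok"] else "BAD"
        lines.append(f"  {flag} seed {d['seed']:04X}: "
                     f"expected {d['expected']:04X}, got {d['got']:04X}")
    return "\n".join(lines)


if __name__ == "__main__":
    known = [parse_pair(p) for p in POSTED_PAIRS]
    # With the placeholder this reports 0/3 matched, which is the point:
    # a candidate only earns trust once it reproduces every posted pair.
    print(report(check_candidate(placeholder_candidate, known)))
```

Running the harness against the placeholder prints "0/3 pairs matched" with one BAD line per seed. Replace placeholder_candidate with whatever seed-to-key function you are evaluating (a port of the algorithm festy refers to, or a wrapper around the DLL), and adjust key_bits if the target expects an 8-bit key; a candidate that returns the right value with stray high bits passes only once the mask is applied, which is exactly the failure festy describes.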
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Festy

I appreciate the time you've put into this. I'm definitely in the dark on the "algos"... From what I've read (take with a grain of salt) the "algos" retrieve the potential values +-8 min of trying 2 tries @ 10 sec intervals vs. the seed. When I saw the frequency of the bytes that you mapped I slapped my head and thought WOW, 14 shows up that much. Further reading: I saw something about flipping the second pair in the "ALGO", e.g. AA XY = AA YX. Also, I really don't understand math algorithms.

Don't know if the 256 is legit or not; if nothing else it would be a kick ass feature for GMOS for quick SEED/KEY retrieval. Using the PHAX tool I was at around 8 hours for my seed/key. Regardless, Festy, I really do appreciate any time you put into this (GMOS), right, wrong, or anything in between.

Everyone

Bottom line, I'm going to need help... I'm not much of a VB coder and don't claim to be, but after I get GMOS ALPHA together I'll release the code for everyone to play with. GMOS will and has to be in accordance with the GNU GPL; so far so good. That said, there still is no guarantee that the ELM327 is even capable of a reflash. Having contacted the OBD2ALLINONE USB manufacturer, they told me, quote, "Reprogramming the GM obd2 PCM... you can potentially make software".

If things get real, I/we might have to contact DIY master and entrepreneur Craig Moates, he might throw a bone in a crunch. Not to say he would help or not.
festy
Posts: 1039
Joined: Sat Apr 30, 2011 6:27 pm
cars: Alfa Romeos
Location: Narellan, NSW

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by festy »

If you can't work out how to call the DLL, just start a new project and add two textboxes and a button to the form.
Copy and paste the example code I posted into the form code, and add the DLL to the project (under Project -> References or something).
Run the program, and enter your PCM's seed in textbox1. Click the button, and your key will be in textbox2.
I am really surprised that the program you used took as long as it did; it must just do an exhaustive keyspace search?
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by antus »

Yeah, the PlanetHAX tool is over here: https://pcmhacking.net/forums/view ... =401#p4515

It does brute force it, and the inbuilt timers in the pcm code slow it down significantly. On the plus side, it'll always get the key, whatever the algo is. But in this case the '0411 method seems to have been figured out.

The hard bit is going to be the code to upload to the pcm to provide read or flash functionality. Hard to write, hard to debug, and likely to make bricks. But possible.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
uknomeprk
Posts: 29
Joined: Thu Aug 04, 2011 1:47 pm
cars: 95 Astro 5.3 LM7
Location: Chicago, IL

Re: Open source GM OBD2 flash tool using a ELM327 device

Post by uknomeprk »

Bricking ($60+ for a new PCM) is a very REAL possibility without the right programming, antus. I'd like to get your setup. I'll pick up the stuff to socket my PCM in case of brick, if you don't mind sharing your setup.