Software On ELM Street - OBD2 Software Development
Re: ELM327 Software Development
When you first turn an LS1 PCM on there is a 10 sec security lockout, after that you get 2 attempts in quick succession, then you're locked out for another 10 sec.
I couldn't get my seed key finder working any faster than planethax's.
Re: ELM327 Software Development
vn5000 wrote: When you first turn an LS1 PCM on there is a 10 sec security lockout, after that you get 2 attempts in quick succession, then you're locked out for another 10 sec. I couldn't get my seed key finder working any faster than planethax's.

10 second security lockout... guessing it must throw a 0x33 for security denied. Will still try it out anyways... who knows, could be an exploit right at the beginning if requested fast enough? (Yeah I know, hopeful thinking.)
I'd be interested to see what the Tech2 does for writing when the PCM is just turned on before writing.
So at 10 sec a key, would be a max of 8640 per day. Could take longer than 6 days in total then.
I guess manually extracting is an option as well.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: ELM327 Software Development
I don't think manually extracting is an option, as those bytes are in the section that needs the key to access, I believe.
Re: ELM327 Software Development
After the first ign on 10 sec timeout you get 2 attempts every 10 seconds until correct key is rxd by PCM, and from memory the 2 x 2701 commands need to be within 1 - 2 sec of each other.
0x37 security timeout
0x35 wrong key
0x34 correct key
Re: ELM327 Software Development
0x36 exceed no of attempts
Attachment: unlock ls1.jpg (310.2 KiB)
Re: ELM327 Software Development
vn5000 wrote: After the first ign on 10 sec timeout you get 2 attempts every 10 seconds until correct key is rxd by PCM, and from memory the 2 x 2701 commands need to be within 1 - 2 sec of each other.
0x37 security timeout
0x35 wrong key
0x34 correct key

Will implement and test that out today.

Re: ELM327 Software Development
From PlanetHax:
67 02 34 = correct key
67 02 35 = incorrect key
67 02 36 = incorrect key, second try, wait 10 seconds
67 02 37 = incorrect key format - out of bounds (00-FF)
Re: ELM327 Software Development
I played around a while ago with extracting the key via the built-in message which pulls 1 byte from a specific memory location, and the message works, except not on the addresses where the key resides haha. You can read out a fair bit of the calibration one byte at a time even when it's still locked though lol.
Re: ELM327 Software Development
Jayme wrote: I played around a while ago with extracting the key via the built-in message which pulls 1 byte from a specific memory location, and the message works, except not on the addresses where the key resides haha. You can read out a fair bit of the calibration one byte at a time even when it's still locked though lol.

That's pretty neat! I guess some of a cal is better than nothing.

Re: ELM327 Software Development
No worries.. tick that off the list.