Software On ELM Street - OBD2 Software Development

[Tazzi]

Attempted to go into the V8 GEN IV menu.. and it fires off:
7E0 01 20 -Request if ECU is present
7E8 01 60 00 00 00 00 00 00 -ecu present
7E0 02 1A 9A - Tech asks 'what are you?'
7E8 03 7F 1A 78 00 00 00 00 -ecu..7F... fail?
7E8 04 5A 9A 83 02 00 00 00 -ecu.. response to ecu message.. 5A (1A+40), 9A mode, 83 02.. = Identifier: 8302

The says "ecu mismatch". So one of those frames is signifying that it is a VZ V6 ecu.. and not the V8 GEN IV.
Also.. the GENIV communicate over CAN 11bit 500kb/s.. so thats that mystery solved.
Ill try "fake" a pcm response back.. but I dont have high hopes at such crazy speeds.. Im hoping there is a good 40ms slack that the tech2 will give me to respond back (changing headers ect).

But.. need to know what the identifier is for a GENIV ecu! Will take too long to brute force the tech2 since I manually have to quit each time.

[Tazzi]

Its got your name on it! Lookout this pim has got a MAPLESS tune on it haha

Awesome

Before I go mangle that.. Ill try do some ALDL reverse engineering on this side, see if we cant bypass this silly bcm security code (I imagine it asks the bcm.. not the PIM) and see if we cant reset and edit the vin first. As Ill just reprogram that one to match the LS1 pcm here.. and then (hopefully thats all it needs). Then try and link the bcm to the ecu/pim.

From what I can tell, each module has:
BCM = Security code + VIN
PIM = VIN
ECU = VIN and security code

So the BCM/PIM check their vins.. if all good, PIM then fires off the security code to the ecu.. which ecu deciphers and answers back with OK if all good.
Wont be able to check whats in the PIM till I start faking some responses back to the tech2

[Jayme]

hmmmm one day when im near my mates house I can get you the identifier for his 6.0L. that is assuming it will talk to my avt if I send the above packets....

[Tazzi]

Im hoping one of the boys on here will have one on the bench to fire off those frames:
All I need is the response to: 7E0 02 1A 9A

which should look similar to:
7E8 03 7F 1A 78 00 00 00 00
7E8 04 5A 9A 83 02 00 00 00

Ill give it a crack anyways.. could be simply 8303? lol

[Tazzi]

sooo as for unlocking the pcm.. Sending 27 01 gets back:
7E8 04 67 01 64 E4 00 00 00

so my seed is 64 E4
.. and Id hope my key is: AE E9

... annnnnddd... it doesnt accept it.. I keep getting "7E8 03 7F 27 36 00 00 00 00 " when trying to send back a key.. so Id assume iv formatting this wrong somehow since 7F is a "wooaaahhaa.. what was that!"

[Tazzi]

To disable ecu chatter...
101 FE 01 28 AA AA AA AA AA -tech2
7E8 01 68 00 00 00 00 00 00 -ecu response

Then all chatter stops until
101 FE 01 20 AA AA AA AA AA


I also tried the "ECU reset". And the tech2 said "System Already Reset!"
So I guess this has been tinkered with previously. Iv got another couple to try out though. Didnt unlock the ecu for that funny enough...

And clicking on "BCM link to PCM/PIM" goes straight to "Lost communication".. it must look for the bcm! I didnt know the CANDI module could communicate over ALDL?

[Tazzi]

I think.. the header 101 needs to be used.. and the extended address FE needs to be set first. before any enhanced pids can be requested or unlock the ecu... maybe..
*edit
101 = All Node CAN Id and FE = All Node functional system

and 7F 27 36 = Exceeded Number Of Attempts
and 7F 27 35 = Incorrect
So.. it was working.. I just got it wrong lol.. soo lets set this to find the seed/key then since I dont have the key... oculd take up to 5days if Im not wrong?

Anyone have a seed/key from a VZ v6? Be good to start collecting them.

[Tazzi]

I should.. hopefully.. have the key in 44mins.. We will see.

[Jayme]

what makes you say 44 mins? does the VZ v6 ecu not have a lockout timer for an incorrect attempt?

[VX L67 Getrag]

2 seed-keys I have for E55 are;3E 49 seed = 67 34 key
& 89 84 seed = DD CA key

I hope that helps?