Reading eeprom from delco PCM, MC68336 based

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
iblackford
Posts: 43
Joined: Fri Mar 20, 2015 4:34 am
cars: saturn

Post by iblackford »

Hi All,

I'm trying to get my auto PCM on my '02 Saturn programmed to be a manual. I swapped to a manual years ago, but I need to do this in order to eliminate some transmission-related DTCs to pass e-test (used to sniff the pipe before, now they read the codes). I'm an EE with embedded background, so no stranger to electronics, but my experience with Delco PCMs is very limited. Here is my status so far:

-local dealerships claim not to be able to flash program via the tech-2 with the options I want. This is BS, but can't convince them of that.
-I purchased a used manual PCM from a JY but haven't been able to get it married to the BCM (it's a passlock 2 system, from what I read, and I have tried all the relearn procedures to no avail).
-even if I can get the manual PCM married to my BCM it's for an SOHC and I have the DOHC...so while it may work for testing, I can't confirm it will run it correctly enough to not have DTC's
-snooped inside my auto pcm and confirmed it has an MC68336 CPU and 28f800 eeprom
-I have a version of IDAPro to disassemble the bin and a willem programmer
-I don't have a BDM

Goals:
1) I would like to read my auto eeprom, and identify where the passlock information is stored
2) If I can extract the passlock information above, I can then program the manual eeprom with that passlock info, hopefully "forcing" the passlock relearn
3) Identify the main engine loop and lookup tables, then create a hybrid bin of the auto pcm's engine management portion, and the rest of the code from the manual pcm

Questions:
-What is the best method to read/write the eeproms? Using the Willem is lots of wiring, and the address lines are likely swapped for "encryption" so it may work, but is cumbersome. Has anyone used the BDM port to read/write from similar PCMs? If so, could you provide some details?
-How can I go about finding similar PCM bins to compare mine to? When I go to disassemble this code, I would like to have similar bins so that I can compare sections of code and start to understand it.

Thanks for any help you may be able to provide.
Ivan
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Reading eeprom from delco PCM, MC68336 based

Post by antus »

There are some links to some information on the forums here, but by the sounds of it you have already found that.

http://pcmhacking.net/forums/viewtopic. ... urn#p30995

The passlock2 data is likely in the 'eeprom' which may or may not be a real eeprom. If it's real no doubt you can find it and read it and compare between cars and swap the segment to prove you have it right. If it's not real it's probably in a block of data at 0x4000 or 0x6000 which should be identifiable by the VIN being also in that block.

I don't know of any tool which can read the bin, so you might need to lift the chip and do the wiring.

Alternatively, and I'm not sure if this would work, you could buy an MDI interface from somewhere like aliexpress (find the ones that clearly show 2 reasonably heavily populated PCBs as there used to be fakes around in MDI boxes), and license the SPS flashing tools for a short period from https://www.acdelcotds.com/acdelco/action/subscribehome . Assuming your car is supported that might provide some options. What it takes to update the VIN in the PCM and if that is required to force in the right program I can't say, so the risk would be yours. Perhaps it'll just provide the options you need, or perhaps you'd need to overwrite a bin image before it's written to force it or similar.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: Reading eeprom from delco PCM, MC68336 based

Post by iblackford »

Thanks for the info, I do know that it's a 28f800, so it is an eeprom. Is this the only programmable device in these PCMs usually?

Are there any example bins where I might find the passlock data? Is it possible that it's just the VIN that has to match between the PCM and BCM? I would assume passlock related stuff needn't go to the PCM, the BCM really cares about this data.

Ivan
Jayme
Posts: 2585
Joined: Sun Mar 01, 2009 8:59 am
Location: North Coast, NSW

Re: Reading eeprom from delco PCM, MC68336 based

Post by Jayme »

I think it would be easier to focus on editing the calibration and just mask the auto-related DTCs. That way you can leave the security stuff alone, leave the original PCM in there, and still have no DTCs on their scan tool.

Re: Reading eeprom from delco PCM, MC68336 based

Post by iblackford »

Masking the DTCs is really all I need to do. Is there any documentation on how to do this?

Thanks, Ivan

Re: Reading eeprom from delco PCM, MC68336 based

Post by antus »

Not really. It's different between cars, and it sounds like nobody has exactly what you need for yours.

This is a different car completely but same era. So if you're prepared to read off the flash and take a look, check for similar to this:

  Address  | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
-----------+-------------------------------------------------+-----------------
0x00004000 | 28 DB B8 25 00 8F 3A 22 31 45 42 31 31 48 4D 43 | (..%..:"1EB11HMC
0x00004010 | 31 30 34 30 BC 00 39 56 05 7D 94 14 44 53 4B 57 | 1670..9V.}..DSKW
0x00004020 | 00 36 48 38 56 58 4B 36 39 46 32 4C 30 30 30 30 | .6H8VXK69F2L0000
0x00004030 | 30 30 1C 28 00 00 00 00 00 00 00 FF 00 00 FF FF | 00.(............
0x00004040 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 | ................
0x00004050 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004060 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004070 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x00004080 | FF FF FF FF FF FF FF FF A5 A0 7F FF FF FF 00 00 | ................
0x00004090 | 00 03 EE EA 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x000040C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF | ................
0x000040D0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x000040E0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................
0x000040F0 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | ................

The VIN and PCM serial have been changed to protect the innocent. Read off 2 of them and compare. A couple of numbers there will likely be what you need to copy between PCMs. Then there is probably also a checksum.

Most people wouldn't go that deep, but you say you're an electronic engineer, so if you're prepared to try that's what you'll need to suss out.

Of course that doesn't solve the location of the DTCs and checksums around that issue.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
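
Added example, not part of any post in this thread and not code from a tool mentioned in it: the check antus describes above, written in Python. It locates the parameter block at the suggested offsets 0x4000 or 0x6000 by the VIN-shaped string inside it, then lists which byte ranges differ between two reads. The sample images are constructed from the first four rows of the posted dump plus arbitrary changed bytes; the function names and the 0x100 block length are assumptions.

```python
import re

# VIN-shaped run: 17 chars from A-Z/0-9 without I, O, Q, not part of a longer run.
VIN_RE = re.compile(rb"(?<![A-Z0-9])[A-HJ-NPR-Z0-9]{17}(?![A-Z0-9])")
CANDIDATES = (0x4000, 0x6000)  # block offsets suggested in the thread
BLOCK_LEN = 0x100              # assumption: the span shown in the posted dump


def find_vin_block(image: bytes):
    """Return (block_base, vin_offset, vin) for the first candidate block
    that holds a VIN-shaped string, or None if neither does."""
    for base in CANDIDATES:
        m = VIN_RE.search(image, base, base + BLOCK_LEN)
        if m:
            return base, m.start(), m.group().decode("ascii")
    return None


def diff_ranges(a: bytes, b: bytes, base: int = 0):
    """List (start, end) address ranges, end exclusive, where a and b differ."""
    if len(a) != len(b):
        raise ValueError("blocks must be the same length")
    ranges, start = [], None
    for i in range(len(a) + 1):
        same = i == len(a) or a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((base + start, base + i))
            start = None
    return ranges


# Constructed sample: first four rows of the posted dump, padded with 0xFF to
# BLOCK_LEN and placed at 0x4000 in an otherwise blank image.
BLOCK = bytes.fromhex(
    "28 DB B8 25 00 8F 3A 22 31 45 42 31 31 48 4D 43"
    "31 30 34 30 BC 00 39 56 05 7D 94 14 44 53 4B 57"
    "00 36 48 38 56 58 4B 36 39 46 32 4C 30 30 30 30"
    "30 30 1C 28 00 00 00 00 00 00 00 FF 00 00 FF FF"
).ljust(BLOCK_LEN, b"\xff")
IMAGE_A = b"\xff" * 0x4000 + BLOCK
second = bytearray(IMAGE_A)                     # constructed "second read"
second[0x4000:0x4004] = bytes.fromhex("11223344")  # arbitrary changed bytes
second[0x4031] = ord("1")                       # last VIN character changed
IMAGE_B = bytes(second)

if __name__ == "__main__":
    base, off, vin = find_vin_block(IMAGE_A)
    print(f"block 0x{base:04X}: VIN {vin} at 0x{off:04X}")
    print(diff_ranges(IMAGE_A[base:base + BLOCK_LEN], IMAGE_B[base:base + BLOCK_LEN], base))
```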
j_ds_au
Posts: 384
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Re: Reading eeprom from delco PCM, MC68336 based

Post by j_ds_au »

Is this thing OBD1 or OBD2? If the former, you might be able to use the OSE Flash Tool to read the Flash (I believe 28f800 is Flash, not EEPROM, despite the digits "28").

Joe.

Re: Reading eeprom from delco PCM, MC68336 based

Post by iblackford »

This is OBD2 (from an '02 Saturn SL2)

I haven't posted much in the last few days because I've been trying unsuccessfully to get my Willem programmer working.

I have flywired all the eeprom lines and the CPU reset line out to a connector, the other side of which I have connected to a DIP socket. The plan is to use the connector to read/write the flash at will.

However, my Willem programmer is crap... and is poorly supported these days. I got an Arduino MEGA2560 board that has more than enough I/O to program the eeprom. My first goal is to get the eeprom read, then I'll upload the bin.

Is there any interest in having an eeprom programmer in the community to read and write the flash directly? If so, what are the common devices most folks would want to read?

Thanks, Ivan

Re: Reading eeprom from delco PCM, MC68336 based

Post by antus »

It's a very similar platform to the '0411 which is why I suspect a lot of characteristics will carry over. It may not be too hard to get a read over OBD2. I expect the process will be very similar to what I've implemented here http://pcmhacking.net/forums/viewtopic.php?f=3&t=3111 but to use that you'd need an avt 852 cable. Then probably the security algo would be different so you'd need to brute force that. Then some of the addressing in the app might need to be changed. Probably it'd connect to the PCM and pass back serial, VIN etc now as is, and fail at unlock.

As for demand for a programmer, there probably is some demand. Most people would want it for the '0411 which is a 28F400BX. It seems to be the same family, just double the capacity. Then in '05 they brought out a 1mbyte PCM with a 28F800BX in it, or with AMD flash support although I haven't seen one of these in the real world yet.

You'd be competing with the GQ-4X programmer for about $130au, there is probably more value for others in making it easier to connect to the chip in place, if you can make that work. The '0411 have all of the pins available on an un-populated header on the edge of the PCB, but I suspect you still can't in-circuit flash due to the CPU interfering with the data bus.

Re: Reading eeprom from delco PCM, MC68336 based

Post by iblackford »

Does anyone have internal pictures of the '0411 that they'd be willing to share?

I'm actually trying to read and program the eeprom via the unpopulated "header" in my case, which is just some solder pads near the eeprom. I suspect if I were to leave the CPU running it would indeed interfere with my programmer, so I'm going to try using the BDM pads and hold the CPU in reset. The only line I may have contention with is the eeprom's reset line, so I may have to temporarily disconnect this from the CPU while I'm reading/writing.

I made a little progress with my eeprom programmer last night, I believe I have the code written to read the eeprom and dump it over the serial interface... will try more this evening. At this point given my skillset I'm probably faster to code up my own eeprom programmer than wait for a GQ-4X, unless anyone knows of where I can get one in Canada...:)

Ivan