GM E38 E67 E40 Kernel/Bootloader Development Extravaganza

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

ironduke wrote: In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..

I did that trying to push 2011 or 2012 os and cals into a 2008 ecu... I wasn't doing it the right way.. is there a right way?? lol

Tazzi, I am kind of surprised the SUM was incorrect, I thought the ecu ran a SUM check on itself to verify the cals, although it may have been disabled? GM uses the CVN to check for altered calibrations and I read somewhere that those can be fudged but the SUM has to be good for it to run the code..
do you know where this bin came from? efi live? hptuner? etc??
Not sure where the file came from. Was just one pulled out of a locked ecu (using it to check it's able to handle locked ecus).
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

ironduke wrote: In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..
Kinda funny key was same as seed, lol

I'm using efilives brute program atm on a different locked e38 so next time I pause that for a bit, I'll try that key. My USB BDM NT showed up so I hope to experiment with that in the next couple days.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by kur4o »

First the cvn is calculated and stored and then the sum is calculated and stored. The sum actually sums the cvn word too, but the cvn doesn't add the sum checksum word. They need to follow this exact sequence when updating.

The cvns are too time consuming to do on the pcm and it will take forever on reset for the pcm to boot. I am almost sure that pcm uses sums and the cvns are only for display. Still need a confirmation.

Can you post that bin to look at. It might have the sums disabled if it has some custom locked POS.

Newer OSs use a different location for storing seed/key than the earlier ones. When you upgrade the OS without updating the seed/key location in the eeprom area you get some semi bricked condition.

Actually there are more than 2 combos for OS-eeprom data formats. Cloning needs to take that into account.
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

In-Tech wrote:
ironduke wrote: In-tech.. try 3f80 for the key..

No idea if that's a fail safe or default or whatever that is but when I sort of bricked my ecu that's the seed I had and that's the key that finally unlocked it..

I found out after letting my brute force unlocker run on it for 2-3 days.. lol..
Kinda funny key was same as seed, lol

I'm using efilives brute program atm on a different locked e38 so next time I pause that for a bit, I'll try that key. My USB BDM NT showed up so I hope to experiment with that in the next couple days.
Good news this morning, woke up and brute force worked and efi erased it and was able to write all 8 modules and vin to it, traceability is still fubar.

I then tried the 3F80 key and it worked on this other tuner locked one. Kinda KISS to use the key as the same value as the seed. Guess you don't have to worry about forgetting. I don't have a way to correctly clone these yet (Tazzi hint :P ) but hopefully soon. Progress is always good :)

Good info Kur4o

p.s. edit. I just tried reading it with HP and it wouldn't read unless I put in the 3F80 key so looks to be an efi thing. Oh, and btw. I don't care about reading tuner locked files. I always start with my own or a stock gm file. I just like to have working computers on the shelf and not paperweights. :mrgreen:
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Nice one!

I'll have to look at adding that as a recommended second attempt for the E38s.

I'll try a couple other files shortly and see if they also have the same problem. Maybe was a once off.. honestly dunno!!

Just opened a dozen more.. all valid for both CVN and SUM. So maybe it was a corrupt flash.. or someone maybe edited by hand? Or some other app?
Trying to find the bin I opened but might have been on the laptop which is currently boot looping after win10 latest update :roll:

*Edit
Ok I found it. Looks like a hand edit I think to turn off VATS. So it's just someone else's muck up. I didn't check for fault codes before doing the unlock, so wonder if there was one pending if the ECU does a check?

I also got it mixed up. The CRC was wrong, but SUM was correct (I had these labelled backwards in my app). Which probably makes sense since if they are hand editing.
Tre-Cool
Posts: 265
Joined: Tue Oct 16, 2012 12:17 pm
cars: VY SS UTE, VX Drag Car
Location: Perth

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tre-Cool »

This might not mean much, but here's a bunch of e38 seed/keys that I've brute forced.

seed - 4071
key - 2c8f

seed - 11CC
key - 12C8

seed - 559D
key - 53BB

seed - 41DF
key - 6762

seed - 11CC
key - FF56

seed - 11CC
key - B342

seed - 7909
key - EAC9

seed - 441E
key - 653A

seed - 11CC
key - 19AE
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by In-Tech »

Thanks Tre-Cool, I saved those for future.

Obviously mine/ironduke to add is:

seed - 3F80
key - 3F80

What are you guys using for brute force? The only thing I have at the moment is in efilive's software and works. I am just getting back into this coding stuff so I had contemplated doing a simple program in VB(cuz I can scrape my way through that) but if you guys have anything you feel like sharing, that would be great.

Shoot, I just noticed I've only been a member on this site for less than a month and I am enjoying the hell outta myself digging into the fun :)
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Another late night special update.

Folder check on boot implemented. Warning will display if these folders cannot be created.

And tunerlock form fully working. Application will allow entering a custom key up to 5 times before cancelling the attempt.

And on that note... I would say.. we.. are... done! Will do a final test/run in my ute tomorrow as a final run through.
And also throw a new icon onto it, pop it into a package installer and should be ready for release. :thumbup:
[Attachment: tunerlockkey.PNG]
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by Tazzi »

Also this is an example of two bins where the ECU has swapped the parameter block between the two memory sectors.

This is from the same ecu, but simply after the ecu has changed where this block has stored itself (for whatever reason).

I noticed it when comparing the reads. I did them a while ago, and can't remember if I did post this.
Attachments: GM E38 13-03-2020 12-42 AM.bin (2 MiB), GM E38 12-03-2020 1-01 AM.bin (2 MiB)
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: GM E38 E67 Kernel/Bootloader Development Extravaganza

Post by ironduke »

Tre-Cool I'm pasting a clip of the code I am using in the bootloader/kernel code I have.. I can post up the whole thing but the algo is there for E38..

For brute forcing I just wrote up some processing code that tries every possible key and waits 10 seconds in between tries.. you need to wait 10 seconds or it spits out an error.. 65535 possibles at 10 seconds each is 7 days, lol..


// Processing sketch fragment. Prior to this a "2701" (request seed) is sent and the
// response text is stored in the String seed. Globals this function relies on:
String seed;            // raw text response to the 2701 request
int seeds;              // the seed as a number
int key;                // the computed key
boolean Debug = true;   // print intermediate values

void getkey() {
  seed = seed.replace(">", "");   // get rid of the > prompt if present
  seed = trim(seed);              // get rid of spaces if present
  seed = seed.substring(4, 8);    // pull just the 4 hex digits of the seed from the string
  seeds = unhex(seed);            // hex text -> int
  if (Debug) println(seed + " converts to: " + seeds);

  key = ((seeds & 0x0000FF00) >> 8) | ((seeds & 0x000000FF) << 8); // swap hi/low bytes
  key = key + 0x7D58;             // add 0x7D58
  key = ~key;                     // bitwise NOT
  key = key & 0xFFFF;             // keep only the low 16 bits (2 bytes)
  key = key + 0x8001;             // add 0x8001
  key = ((key & 0x0000FF00) >> 8) | ((key & 0x000000FF) << 8);     // swap hi/low bytes again
  if (Debug) println("key to unlock ECU is: " + hex(key, 4));
  // key is sent back with 2702 as hex(key,4): myPort.write("2702" + hex(key,4));
}
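Added example (not code from the thread or from any tool mentioned in it): a Python port of the stock E38 seed-to-key transform ironduke posted above, run over the seed/key pairs quoted in this thread to check whether each pair follows the stock derivation or is a custom tuner-set key, which is the distinction the thread is circling around. The pair list and the function names are this example's own.

```python
# Python port of the stock E38 seed-to-key transform posted above (ironduke's algo).
# Used here to tell stock-derived keys from custom (tuner-lock) keys.

def _swap16(v: int) -> int:
    """Swap the high and low bytes of a 16-bit value."""
    return ((v & 0xFF00) >> 8) | ((v & 0x00FF) << 8)

def e38_stock_key(seed: int) -> int:
    """Stock E38 key derivation: 16-bit seed in, 16-bit key out."""
    key = _swap16(seed & 0xFFFF)   # swap hi/low bytes
    key = key + 0x7D58             # add 0x7D58 (any carry is dropped by the mask below)
    key = ~key & 0xFFFF            # bitwise NOT, keep only the low 16 bits
    key = key + 0x8001             # add 0x8001 (carry is dropped by the final swap's masks)
    return _swap16(key)            # swap hi/low bytes again

def classify_pair(seed: int, key: int) -> str:
    """'stock' if the pair matches the stock derivation, otherwise 'custom'."""
    return "stock" if e38_stock_key(seed) == (key & 0xFFFF) else "custom"

# Seed/key pairs quoted in this thread (Tre-Cool's list plus ironduke's 3F80/3F80),
# collected here as constructed sample input for the check.
THREAD_PAIRS = [
    (0x4071, 0x2C8F), (0x11CC, 0x12C8), (0x559D, 0x53BB), (0x41DF, 0x6762),
    (0x11CC, 0xFF56), (0x11CC, 0xB342), (0x7909, 0xEAC9), (0x441E, 0x653A),
    (0x11CC, 0x19AE), (0x3F80, 0x3F80),
]

def classify_thread_pairs() -> dict:
    """Map each quoted (seed, key) pair to 'stock' or 'custom'."""
    return {pair: classify_pair(*pair) for pair in THREAD_PAIRS}

if __name__ == "__main__":
    for (seed, key), verdict in classify_thread_pairs().items():
        stock = e38_stock_key(seed)
        print(f"seed {seed:04X} key {key:04X}: {verdict} (stock key would be {stock:04X})")
```

None of the quoted pairs match the stock derivation, which is consistent with the thread's reading that these ECUs carry tuner-set keys rather than the factory seed/key relationship.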