E54 PCM, force load of paramater block from flash to sram?

[antus]

These are broken PCMs with bad security data in the field. User can only use SPS on them if they boot jumper for the boot loader. From testing with pcmhammer we found they are sending 0000 as seed, and accepting 0000 as key, even though it is out of spec. After sending a 0000 key they will accept the kernel and accept a flash. If you treat 0000 as respond as locked to the kernel upload. When the users boot jumpers them and flashes with SPS it does not restore the damaged security / paramater block. I am thinking PCM Hammer will be able to fix these PCMs with a clone write to put a new param block on them with this unlock workaround.

Having said that, I got a failure to erase last night after I implemented the message above and sent a key=0000. Kernel ran but erase failed. Erase was working before I intentionally broke the param block to simulate what the user in the field is seeing with his. So now there is another thing to look it. Lots to do, not sure when I'll get a chance to take the next look now. Ive got a branch in the app, but Im not ready to push that code yet. Was at the end of a long day at dayjob last night, and I need to think about how real this fail to erase is, and if I should open pandoras box looking at it, since we're operating with out of spec pcms with bad software flashes on them from other software.