GM Reverse Engineering

[Tazzi]

I'd be pretty interested, been playing with it a bit lately but haven't had much success - same as your experience. I was doing an E38 the other day and couldn't get it to relearn even though it appears to work from others reports. I didn't have hours to spend trying different things at the time tho so it still on the cards haha.

I may.. or may not have spent most of yesterday attacking it!... and still no luck.

Its weird that I can see that the PIM gets unlocked fine by the tech2 so I dont see how it has any "Security wait time". I can even reprogram VIN and other stuff, but it gets held up on the PIM reset.
I reckon.. its a stupid limitation built into the tech2/scantools to prevent spamming. I guess we will see!

[Tazzi]

New problem. Have updated security access. Now I am getting "Disarm Theft Deterrent System", "Security status: Passive Armed".

hmm... may leave it for a few hours and see i that warning buggers off.

*Edit
Ahh.. need to hook up a key I reckon. I actually got one to this BCM.. need to grab the wiring diragrams and see where the ignition ring goes to.

[Tazzi]

2hours an 40mins later.. still same "security time active". Not a happy camper...

[Holden202T]

I reckon that's like with my VZ, once I left it unlocked with the window down, and like 30 minutes later I opened the door and the alarm went off.

[Tazzi]

I reckon that's like with my VZ, once I left it unlocked with the window down, and like 30 minutes later I opened the door and the alarm went off.

Im wondering.. If I need the key signal going into the BCM before the PIM will actually let me reset it.


Soooo, Iv hooked up the key. Cracked the bastard open and solder the ground to the common ground. And the signal to the BCM's signal line. Annnnnnnnd, now when clicking on "BCM->ECU/PIM relink" I get into the BCM security menu.

Iv just read out the BCM security number.. so I should (Hopefully?) be able to progress further.

Im not sure whether to try do all three at once, or to try link one at a time. Im also not sure what the PIM's gonna do since its still on security lockdown!

[Tazzi]

Ahhh.. over 3hours and it finally opened up!! Can now enter the PIM security code... lets have a crack..

*Edit.
Yeaahhhh... it now says....5:40:00.....

Tried turning it off then back on.. but still has same time. I think its about time to open it up.

[Tazzi]

Alright can read eeprom successfully. And can see a whole bunch of data.. I also spy the VIN sitting in there.... but none of the data I see currently matches up with how the PIM was identifying the "Time out".

When going into the reset menu.. the tech2 would send:
F6 57 01 03 AF

Which originally got a response of: (Time out was 2:40:00)
F6 5C 01 03 15 07 01 01 00 8C

After entering incorrectly it is 5:40:00 with the new response below:
F6 5C 01 03 1D 08 01 01 00 83

I dont see 1507 or 1D08 in the bin at all. Pity I didnt think of grabbing a read before hand.
Anyone that wants to checkout the dump, let me know and Ill send it on through.

*Edit
Also the bin mentions "OPEL". Odd...

[Tazzi]

The chip is a 93C46W6.

I can read it out.. but I cant seem to write back to it. Well.. at least not while its on the board. I have a feeling the board is sapping the power and wont let me wipe/write to it.
Will try desolder it, and write to it.

Might be needing to solder an eeprom clip of something to the board so I can easily write to the device.

I could try writing when the module is powered up.. I just dont like the idea of it. Feel like ill release the magical smoke that makes everything run.

[Tazzi]

Alright.. a little bit of progress.

Can make the PIM clear its "wait" time immediately. But.. now to find the correct..

*Edit.
Looks like I have to wait for the PIM's capacitor or whatever to completely die out first since I have updated the eeprom and the affects havent taken hold yet. It still believes the VIN is blank even through Iv put it back!

*Edit 2

Yeeeeep. Looks like its rooted.. will see if I can reprogram it over CAN maybe..

[Gareth]

In a workshop environment, the issues you are describing point straight at a fucked PIM, most respond to what you are doing fast with no fuss, others are hit and miss, others are just plain, well, female?

I have replaced heaps of VZ (6&8) PIM's, my eyes still roll thinking about the pot luck we often have programming them in. Has it got something to do with why they fail in the first place?