GM Reverse Engineering

160 And 8192 Baud Aldl
Tazzi
Posts: 3550
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: TECH2 Logging

Post by Tazzi »

Yeah possibly.

I got into the menus at the beginning after waiting for a period of time. Been trying to reset the bugger.
So I tried my first key.. which was wrong.. so had to wait longer again.. Second key.. wrong

Then it said I had 10:40:00 security wait. So I started mucking with the EEPROM bytes and cleared off a whole bunch which let me back into the reset menu again as it must have cleared the counter.

But now after I wiped the VIN (just messing around), I can't get the Tech2 to go back into the PIM settings since it believes the VIN is completely blanked and a whole bunch of other data is buggered as well. Not sure why it has not updated with the new EEPROM information. Some of it shows up.. e.g. part number, identifier etc. But it's still retaining the old data.

I'm just about to hook it all up again.. and read out all of the available DIDs and see what's there. I wonder if this has a seed/key combo over CAN like ECUs have.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Re: TECH2 Logging

Post by Tazzi »

Ahh.. the PIM has finally accepted the new details.. woop woop (stupid F'in capacitor *grumble grumble grumble*)

Soooo.
644 03 7F 3B A2 00 00 00 00 'This response means key incorrect
644 03 7F 3B A4 00 00 00 00 'This response means conditions not met (security timer active)

Brute forcing this is honestly not even an option here... there must be another way.
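A log-review helper for the two replies quoted in the post above, added here as an example and not code from the thread: it tallies rejected-key and security-timer replies in a saved bus log. The sample log, the function names and the reading of the first data byte as a single-frame length are assumptions; the A2 and A4 meanings are taken from the post.

```python
import re
from collections import Counter

# Meanings exactly as annotated in the post; other codes are reported as unknown.
NRC_MEANING = {0xA2: "key incorrect",
               0xA4: "conditions not met (security timer active)"}

# Constructed sample log in the thread's "ID LEN DATA" layout (not a real capture).
SAMPLE_LOG = """\
644 03 7F 3B A2 00 00 00 00
644 03 7F 3B A2 00 00 00 00 'second wrong key
644 03 7F 3B A4 00 00 00 00
644 01 7B 00 00 00 00 00 00
644 03 7F 3B
not a frame
"""

FRAME_RE = re.compile(r"^([0-9A-Fa-f]{3})((?:\s+[0-9A-Fa-f]{2})+)\s*(?:['‘].*)?$")

def parse_frame(line):
    """Return (can_id, payload) or None when the line is not a hex frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1), 16), bytes(int(b, 16) for b in m.group(2).split())

def decode_negative(payload):
    """Return (service, code) for a '03 7F <service> <code>' reply, else None."""
    # Assumption: byte 0 is the single-frame length, so it must be 0x03..0x07.
    if len(payload) < 4 or not 3 <= payload[0] <= 7 or payload[1] != 0x7F:
        return None
    return payload[2], payload[3]

def summarise(log_text, can_id=0x644, service=0x3B):
    """Count rejected requests per meaning; also return how many lines were skipped."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        frame = parse_frame(line)
        reply = decode_negative(frame[1]) if frame and frame[0] == can_id else None
        if reply is None or reply[0] != service:
            skipped += 1
            continue
        counts[NRC_MEANING.get(reply[1], f"unknown code 0x{reply[1]:02X}")] += 1
    return counts, skipped

def lockout_seen(counts):
    """True when the module reported the security timer at least once."""
    return counts[NRC_MEANING[0xA4]] > 0

if __name__ == "__main__":
    counts, skipped = summarise(SAMPLE_LOG)
    print(dict(counts), "skipped:", skipped, "lockout:", lockout_seen(counts))
```

Truncated frames, non-frame lines and replies that are not negative responses to service 3B are counted as skipped rather than guessed at.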

Re: TECH2 Logging

Post by Tazzi »

Sooo. From what I can tell from the logs so far...

1. A key MUST be coded to the BCM first
2. Reset ECU
3. Reset PIM
4. Begin relink.
5. It requests the BCM security key
6. Enter key and then it begins linking BCM to PIM/ECU
7. It unlocks BCM and... secret PIM ID? There's only the BCM and PIM on the bus.. yet there are three IDs being used! F1 (BCM), F6 (PIM) and F5 (WTF?).
8. It CLEARS the old PIM security code on the BCM to ready it for the new one (I think...)
9. Requests the user to "turn ignition off"
10. Need to enter PIM security code (Have not succeeded in doing this yet!)

This PIM says that it has had the "reset" occurred once before. I think this PIM is a bit "iffy" and the code was not written to it properly or something similar. I can see a 3-digit code.. but then it has a 00 at the end.. which doesn't seem right!

Re: TECH2 Logging

Post by Tazzi »

WoooooooHooooooooooooooooooooooooooooooooooooooooooooooooooo

Found the stupid VZ V6 pim security key.
Also managed to make the PIM clear the "timer" and allow for instant retry. HUGE amount of mucking around though.. have done almost 100+ reprograms today *Sigh*.

Sooooo. Now, that means. The BCM has reset itself (From what I can see). And the PIM has now been reset.
I unfortunately missed out on recording the PIM being reset.. since I was just trying random keys until one worked. But I think.. I can write back the original bin.. and retry again.

*Edit
Found the troublesome bytes. All sorted. :thumbup:
Resetting the PIM is all hunky dory. Looks like the PIM's security code gets wiped. So, I would assume the ECU's security code is written to the PIM. And then the PIM writes the code to the BCM (Maybe?).
AAhhhh.. I dunno. Since the security key of one of the devices must be kept.. I would assume that would be the ecu.
The BCM key remains the same for that device, some sort of 2-byte key gets wiped (I think it's the security key) and then waits for the PIM input.. soooo I'll give that a crack next.

Re: TECH2 Logging

Post by Tazzi »

Mission Accomplished :thumbup:
[Attachment: VZ_V6_OK_TO_START.PNG]

Re: TECH2 Logging

Post by Tazzi »

So the overall method.

1. There MUST be a coded key present! PRIORITY NUMBER 1!
2. BCM security key and immob code for NEW BCM and PIM must be known.
3. The ECU and PIM must be reset first.
4. Select which device has been reset. In my case, I said BCM,PIM and ECU.
5. Enter BCM security key on request (This confirms and wipes the old PIM key from ECU.. I think.. still need to reconfirm now).
6. Enter CUSTOM NEW PIM key.. I entered 0000, which saved an immob key of 0000.
7. New immob key is written to BCM, PIM and ECU.

I imagine all other PIM/ECU/BCM relinking requires a similar effort.
The1
Posts: 4811
Joined: Mon Jan 04, 2010 10:23 am

Re: TECH2 Logging

Post by The1 »

I had the same issue on a car recently, wanted to put a new ECM in, but I didn't know the old PIN for the ECM the car came from, so couldn't relink it in even though I had the one for the current car. Couldn't do anything. I could reset PIM and relink but would fail on ECM as the PIN is different and hadn't reset the ECM because I didn't know the old PIN.

Re: TECH2 Logging

Post by Tazzi »

Last one before I finish for the day.
Good news and bad news..

Good news:
BCM security key and Immob key can be pulled out over comms for BCM and ECU.
Corrupt PIMs from link procedures can be recovered.
Corrupt ECU immob key can be reset and recovered

Bad News:
Second hand PIMs are about as useful as shit on a stick without their immob key.
I checked ALL DIDs, and tables and absolutely everything possible for the PIM and they have made sure it's not visible at any point in time. There are no unlock algos, no hidden menus on either ALDL or CAN.

Re: TECH2 Logging

Post by Tazzi »

The1 wrote:
"I had the same issue on a car recently, wanted to put a new ECM in, but I didn't know the old PIN for the ECM the car came from, so couldn't relink it in even though I had the one for the current car. Couldn't do anything. I could reset PIM and relink but would fail on ECM as the PIN is different and hadn't reset the ECM because I didn't know the old PIN."

Ahhhhhh... we can solve that one now (I think!) :thumbup:

Any reason you wanted to fit a new ECM? Old one doing something iffy?

Re: TECH2 Logging

Post by The1 »

Old one died.

I have this info out of a manual. As I only kept getting 0513 DTC which is obviously the ECM key not matching the rest.

DTC Description
This diagnostic procedure supports the following DTCs:
• DTC P0513 – Wrong Transponder Key
• DTC P0633 – Immobiliser Function Not Programmed
• DTC P1629 – Immobiliser Fuel Enable Signal Not Received
• DTC P1632 – Immobiliser Fuel Disable Signal Received
• DTC P1677 – Immobiliser Function Not Enabled
• DTC P1678 – Engine Control Module Identification Failed
• DTC P1679 – Immobiliser Environment Identification Failed

Circuit Description
The engine control module (ECM), the powertrain interface module (PIM) and the body control module (BCM) are an integral part of the vehicle theft deterrent system. The theft deterrent system authenticates the security code programmed into each of these modules to prevent unauthorised vehicle operation. This authentication process includes the following steps:
1. At predetermined conditions, the BCM sends a security code to the PIM.
2. When the ignition is switched on, the PIM receives and compares this security code from the BCM against the security code programmed into the PIM.
3. Once the PIM receives the correct security code from the BCM, it sends a security code to the ECM.
4. The ECM receives and compares this security code from the PIM against the security code programmed into the ECM.
5. The authentication process is complete once the ECM receives the correct security code from the PIM within the specified time frame.
6. The ECM allows normal vehicle operation.

NOTE: If any of these authentication processes fail, the vehicle will not start and DTCs will set.