pcmhacking.net

I've scoured the internet in search of an open source PCM flash tool. The closest i've come to seeing one was made by planethax (with help) on this site. I've gathered a treasure trove of information regarding GM obd2 VPW protocol and the intel 28f400B but haven't been able to get my bin. That said, please help gurus and weekend warriors alike.

First here's what i've been working with OBDallinone elm327 USB, hyperteminal, Putty, a 2002 411 PCM, and open knowledge from everyone whos posted on a forum in the last 10+ years. Truthfully my intention is only to remove VATS (for now).

Heres the HYPERTERMINAL setup, putty of course is the same. User beware this can be tricky also don't bother messing with this unless you have your seed/key and are totally prepared to buy a new PCM. If your new to this I highly suggest you read http://elmelectronics.com/DSheets/ELM327DS.pdf .

Baud 38400
parity none
Data bits 8
Stop Bits 1
Flow control none

Here's the supposed procedure for a upload from the 411 PCM to a device (but it doesn't work) any suggestions? Also not sure what PCMs this works on.

AT RV -- CHECK VOLTAGE (MAKE SURE ITS 12 VOLTS. MULTIMETER AND CAL. IF NEEDED)
AT SP2 -- SET ELM TO J1850
AT H1 -- SET HEADERS ON

AT SH 6C FE F0 -- SET HEADER
3F -- TEST DEVICE PRESENT RX(NO DATA) why no data?

AT SH 6C F0 10 -- SET HEADER TO
27 01 -- GET SEED RX(6C F0 10 67 01 66 7E 52) your seed will be different
27 02 14 E7 -- SEND CORRECT KEY RX(6C F0 10 67 02 34 4B) your key will be different

AT SH 6C FE F0 -- SET HEADER
3F -- TEST DEVICE PRESENT RX(NO DATA) why no data?

AT SH 6C F0 10 -- SET HEADER TO
A1 -- REQUEST HIGH SPEED MODE

You only have a short time before it returns to normal speed automatically <5 sec.

AT SH 6D 10 F1 --
36 00 00 80 FF 80 00 -- (eg. 128 bytes, start loc FF8000)

after failure or success make sure to do this

AT SH 6C F0 10 -- SET HEADER TO
A0 -- RETURN TO NORMAL MODE
AT D -- RESETS ELM

Help? suggestions?

You should find this file very helpfull.
Once youve got the read sorted ill give you a write file.
To set the elm to high speed use ATBRD with a devisor of 23 and this will give you 115200 baud.

Wow thats good info! thanks.

Well, got a lot of testing/reading to do to verify messages TX and RX strings and what they mean/do mostly that I don't missstype an entry. The more that's written down the easier it will be to create error and success messages when the FLASH program is developed (crossing fingers). If anyone following this has some info post it don't be shy. Here is some more light reading for anyone new or interested in this.... GM J1850 VPW Message structure http://www.obddiagnostics.com/obdinfo/msg_struct.html the above PDF link explains it best in my opinion page 35. Use and read the attachment below to further understand the structure and commands if you don't already its an enlightening read.

Note: I did not create this oo calc file and unfortunately I can't remember who did. So, all apologies to it's creator for no citation at the same time thanks for keeping information/knowledge free for everyone .

You normally have to upload a bootloader in motorola code which will start the actual download

see if this helps...
the text file is a log while programming with ls1edit
the other is tech info from GM

Cheers Rob

Jezzab thanks, I think I have a "bootloader" (upload routine) that will work, just need to get the right COM setup in VB (visual Basic) working to test it. If you or anyone has a bootloader for gm obd2 I'd love to check it out. DR. Bob very interesting stuff thanks.

Anyway still hard at work on VB stuff I'll give a detailed update (most likely accompanied with a lot of questions) on progress after a lot more testing.

The bootloader is already in the pcm. You need to unlock the pcm, upload your code to ram, set the bootloader to execute from ram next cycle, then reset the pcm, then talk to your own code on the pcm, and take it from there.

antus wrote:The bootloader is already in the pcm. You need to unlock the pcm, upload your code to ram, set the bootloader to execute from ram next cycle, then reset the pcm, then talk to your own code on the pcm, and take it from there.

I like the info antus i'm still learning every step of the way on this project. Maybe you can help with this one; I'm defiantly in over my head but I'm going to ride this out to completion. I have a few questions for you and everyone. The upload procedure from many accounts is like this generically.
---------------------------------
disable chatter 28 00
Seed/Key
High speed A1
Mode $34
Transmit our "upload from PCM" routine/code with mode $36
Question 1
The code to access the memory mode $36 is obviously the nuts and bolts for download (control) but i haven't seen any way to compile a code. I've only seen data logs with the information to be transmitted, Is there such a document for code compilation ?
question 2
The data for mode $36 (upload) I have is long and by all accounts of GM code compilation defies the normal transmission procedure. The question is can I just keep sending the upload routine bit by bit or do i need to break the code down to 8 bit with checksums.
---------------------------------
Here's part of the code.
Yellow = Checksum?
Red = Header
Green = Mode
Blue = Upload code (NOTE: Arbitrary Code)
11 FF 3E 6D 10 F0 36 80 03 32 FF FE 0C 4E 70 60 39 00 39 00 00 01 10 13 FC 00 03 00 FF F6 0C 13 0D 61 10 39 00 FF F6 FC 00 00 00 FF F6 0E 02 00 00 E0 0C 00 00 E010 39 00 FF F6 0F 61 00 00 A8 61 00 02 32 0C 91 3E 61 20 00 FF 94 27 66 00 00 2A 20 7C 00 FF 94 40 20 39 00 FF 94 27 66 BE 00 FF 94 44 61 00

-

Q1. You dont really need to compile code, you can write it by hand and assemble it. Its motorola 68332 assembler. Or better yet, disassemble existing code, and figure out what it does and why, and use that as a road map to create your own. Or use it as is, but you may or may not open yourself up to legal issues with that.

Q2. You do need to break it down. Im told the max packet size is quite small on an elm. But this is as much as I know so far.

I fully intend to write a free flash tool also, but have broken my socketed pcm so am sorting out some new hardware first. I know attempting to flash it will very likely brick it over and over before its right so I want to be able to pull the chip to recover the pcm before I get stuck in to the code experimentation. Im not sure where that line you posted came from, so Im not sure if those first bytes are elm instructions or what....?