
Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Mon Nov 13, 2017 5:21 pm
by 160plus
Tazzi wrote: Ah, I see the problem/confusion.. so see this quick breakdown:

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 77 EC 7B - ECU responds with seed 77 EC
6C 10 F0 27 02 A6 EF 3A - Attempt key A6 EF
6C F0 10 67 02 35 56 - Response code 35 (incorrect)

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 77 EC 7B - ECU responds with seed 77 EC
6C 10 F0 27 02 A6 EE 27 - Attempt key A6 EE
6C F0 10 67 02 36 71 - Response code 36 (incorrect, 2nd attempt)

6C 10 F0 27 01 B0 - Request seed
6C F0 10 67 01 37 B8 - NO seed provided.. response of 37 (security timeout not met)
6C 10 F0 27 02 A6 ED 00 - Attempt key of A6 ED (seed request failed anyway)
6C F0 10 67 02 37 6C - Response code 37 (security timeout not met)

You can see the seed response from the ECU changed on that third attempt.. the actual response is 1 byte shorter than the other seed responses since it's not actually providing the seed anymore; the ECU responded with 37, which is essentially the ECU's way of saying "Mate, give me a 10 second break, you talkative bugga!". :thumbup:

Your calculations were correct. I made some changes to the way it works and now it stops after the 02 36 71 response for 10 seconds. I let it run last night and it ran 4400 keys without getting one 37 response code.

I've added a couple of things to make it a bit safer from a time standpoint. The app stores and updates every 3rd key tried in a local DB in the app that can be viewed even if the app is shut down and restarted, so you're able to pick back up from the last key that worked. Using every 3rd key worked out well with the security timer cool-down, so that the last key saved is one that didn't receive a response 37 code; even if the app were to start beating against the security timer for whatever reason, the last known key that wasn't smashing the timer is what's saved. I also added a counter that, well....counts the number of keys tried. Trying to figure out how many keys have been used in hex makes my head hurt. If anyone would be kind enough to give me the maximum number of keys possible between FFFF and 0000, I could also put in a timer that could give an estimated time to unlock. I think that could be a nice touch if you're only letting the app run for a couple of hours at a time, to get an idea of how much time it'll actually take.

I've also added a save file to the app that records the full log for every Send/Receive the app makes. Since space on a phone is a bit more limited than on a PC, I'm wondering if I should include all the lines or perhaps have it omit the 27 01 and the line with the seed response; that would make the log about 33% smaller. Anyway, here's a sample of the log. See if you guys think this is good the way I have it or if some lines can be deleted.

Key Cracker Log - Starting At: 0xFFFF
Key Number: 0
Key Number: 1
27 01
6C F0 10 67 01 54 45 8E 

27 02 FF FF
6C F0 10 67 02 35 56 

Key Number: 2
27 01
6C F0 10 67 01 54 45 8E 

27 02 FF FE
6C F0 10 67 02 36 71 

Key Number: 3
27 01
6C F0 10 67 01 54 45 8E 

27 02 FF FD
6C F0 10 67 02 35 56 

Key Number: 4
27 01
6C F0 10 67 01 54 45 8E 

27 02 FF FC
6C F0 10 67 02 36 71 

Key Number: 5
27 01
6C F0 10 67 01 54 45 8E 

27 02 FF FB
6C F0 10 67 02 35 56 


If I omit the sending lines it looks like this......

Key Cracker Log - Starting At: 0xFFFF
Key Number: 0
27 02 FF FF
6C F0 10 67 02 35 56 

Key Number: 1
27 02 FF FE
6C F0 10 67 02 36 71 

Key Number: 2
27 02 FF FD
6C F0 10 67 02 35 56 

Key Number: 4
27 02 FF FC
6C F0 10 67 02 36 71 


Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Mon Dec 18, 2017 5:09 pm
by 160plus
Let's talk 3B commands.
LS1 Memory blocks (3C and 3B commands):
00 - N/A
01 - VIN 1 (ASCII)
02 - VIN 2 (ASCII)
03 - VIN 3 (ASCII)
04 - HDW No. (UINT32)
05 - Serial No 1 (ASCII)
06 - Serial No 2 (ASCII)
07 - Serial No 3 (ASCII)
I've been able to figure out how to use 3B commands to change the VIN, BCC etc., but I cannot figure out the formatting to use 3B commands to change Serial Number 1, 2 or 3.

I get a 7F that I think is telling me Code $12 - "Sub-Function Not Supported or Invalid format"

Send: 3C 04
Receive: 6C F0 10 7C 04 00 8F 3A 22 7D

Send: 3B 04 00 8F 3A 22
Receive: 6C F0 10 7F 3B 04 00 8F 3A 22 12 18

I get the 7F error on the 512K PCM as well as the 1MB PCM. I have tried various formats, both with the PCM locked (no key sent) and unlocked (key used)......although the other 3B commands work even if the key isn't sent. Anyone have a suggestion? I'm running out of ideas on getting a permanent serial number change on the 1MB PCM.
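Added example (my own code, not 160plus's key cracker app, Tazzi's tool or anything from PcmHacks): a small Python decoder for the frames quoted in the two posts above, i.e. the 27 01 / 27 02 seed and key replies, the 37 back-off reply, and the 7F negative response to the 3B write. One assumption the thread never states: the trailing byte of each frame is the SAE J1850 CRC-8 (poly 0x1D, init 0xFF, final XOR 0xFF). It reproduces every checksum quoted here (B0, 7B, 56, 71, B8, 18, 7D), so a mismatch in a log means the line was corrupted or mistyped rather than an ECU reply. The response-code meanings are taken straight from the posts, and the sample log is constructed from the quoted lines. Running it over a log shows which key numbers hit the security timer, which is also the signal a bus monitor would count to notice someone hammering mode 27 on a vehicle.

```python
"""Decoder for the Class 2 (SAE J1850 VPW) diagnostic frames quoted in the
thread, plus a tally over the app's Send/Receive log. Added example, not the
key cracker app's own code."""
import re
from collections import namedtuple

# Security-access results as explained in the thread (replies to mode 27).
SECURITY_RESULT = {
    0x35: "incorrect key",
    0x36: "incorrect key, 2nd attempt",
    0x37: "security timeout not met (ECU is backing off)",
}
NRC_MEANING = {0x12: "sub-function not supported or invalid format"}  # from the 3B post
HEX_LINE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")

# target, source, mode, data (bytes after the mode, CRC stripped), crc_ok,
# kind (seed | security_result | negative | positive), detail (text)
Frame = namedtuple("Frame", "target source mode data crc_ok kind detail")


def j1850_crc8(data: bytes) -> int:
    """SAE J1850 CRC-8: poly 0x1D, init 0xFF, final XOR 0xFF. Assumption: the
    last byte of every quoted frame is this CRC (it gives B0 for 6C 10 F0 27 01)."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def parse_frame(hex_line: str) -> Frame:
    """Decode one frame laid out as: priority, target, source, mode, data..., CRC."""
    raw = bytes.fromhex(hex_line)
    if len(raw) < 5:
        raise ValueError(f"frame too short: {hex_line!r}")
    body, crc = raw[:-1], raw[-1]
    target, source, mode, data = body[1], body[2], body[3], body[4:]
    crc_ok = j1850_crc8(body) == crc
    if mode == 0x7F:  # 7F <rejected mode> <echo of the request> <NRC>
        nrc = data[-1]
        kind, detail = "negative", (f"mode {data[0]:02X} rejected, NRC {nrc:02X} "
                                    f"({NRC_MEANING.get(nrc, 'unknown')})")
    elif mode == 0x67 and data[:1] == b"\x01" and len(data) == 3:
        kind, detail = "seed", f"seed {data[1:].hex(' ').upper()}"
    elif mode == 0x67 and len(data) == 2 and data[1] in SECURITY_RESULT:
        kind, detail = "security_result", f"27 {data[0]:02X} -> {data[1]:02X}: {SECURITY_RESULT[data[1]]}"
    else:
        kind, detail = "positive", f"mode {mode:02X} data {data.hex(' ').upper()}"
    return Frame(target, source, mode, data, crc_ok, kind, detail)


def analyse_log(text: str) -> dict:
    """Walk the app's log (Key Number: N, request echo, ECU reply) and tally the
    replies. Request echoes carry no header or CRC (the ELM adds them), so only
    hex lines of six or more bytes are decoded."""
    counts = dict(seed=0, incorrect=0, timeout=0, negative=0, crc_error=0)
    keys_hit_timeout, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Key Number:"):
            key = int(line.split(":", 1)[1])
        elif HEX_LINE.match(line) and len(line.split()) >= 6:
            frame = parse_frame(line)
            counts["crc_error"] += not frame.crc_ok
            if frame.kind == "seed":
                counts["seed"] += 1
            elif frame.kind == "security_result" and frame.data[1] == 0x37:
                counts["timeout"] += 1
                if key not in keys_hit_timeout:
                    keys_hit_timeout.append(key)
            elif frame.kind == "security_result":
                counts["incorrect"] += 1
            elif frame.kind == "negative":
                counts["negative"] += 1
    return {"counts": counts, "keys_hit_timeout": keys_hit_timeout}


# Constructed sample log: keys 1-2 reuse the quoted log lines, key 3 reuses the
# two "37" back-off replies from Tazzi's breakdown.
SAMPLE_LOG = """Key Cracker Log - Starting At: 0xFFFF
Key Number: 1
27 01
6C F0 10 67 01 54 45 8E
27 02 FF FF
6C F0 10 67 02 35 56
Key Number: 2
27 01
6C F0 10 67 01 54 45 8E
27 02 FF FE
6C F0 10 67 02 36 71
Key Number: 3
27 01
6C F0 10 67 01 37 B8
27 02 FF FD
6C F0 10 67 02 37 6C
"""

if __name__ == "__main__":
    print(parse_frame("6C F0 10 7F 3B 04 00 8F 3A 22 12 18").detail)
    print(analyse_log(SAMPLE_LOG))
```

Because the 27 01 request and the seed reply are decoded from the reply line alone, the log trimming 160plus is considering (dropping the 27 01 echo) does not cost the analyser anything; dropping the seed reply line, however, would hide the 67 01 37 case where the ECU refuses to hand out a seed at all.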

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Mon Dec 18, 2017 5:58 pm
by antus
Yep, that's right. It actually is not supported. There is nothing in the OS to support that.

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Fri Dec 22, 2017 11:09 am
by Thaniel
Great thread guys. I agree the ELM isn't ideal for a lot of this type of thing. I used it a bit then gave up on it a few years back when I needed a VPW transceiver. Ended up making our own (my son and I) out of an Arduino Mini. Similar to the designs shown earlier in this thread. I think it could do 4x mode. I'll have to try it.

We have been using the Arduino-based transceiver in modules we make that translate between class2serial and the BMW CAN bus for engine swaps. I have a Northstar PCM I use on my test bench. Decided to poke at it a bit. Used the info in this thread and the Arduino transceiver to do the seed/key thing. Got the key for the ECU yesterday. Was kind of fun.

In my opinion a simple transceiver is easier to work with than the ELM. Then your code can do the filtering, and you don't have to anticipate the ASCII responses from the ELM. At least that has been my experience. Was curious to hook up with others playing with class2serial.

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Sun Feb 18, 2018 1:33 pm
by NSFW
I've been working on some utilities to help with reverse engineering:

https://github.com/LegacyNsfw/PcmHacks

My hope is to extract GM's reflashing kernel from a recorded session, open it up in IDA, figure out how it works, write a new one in C, and post that on GitHub as well. If anyone has anything to contribute to such an effort, please let me know. Hopefully we'll have open-source software around the same time people like Thaniel get the hardware stuff figured out. :)

Has anyone figured out the seed/key algorithm yet?
Or the checksum algorithm?

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Sun Feb 18, 2018 1:37 pm
by NSFW
Also, does anyone know whether these devices can support VPW without the overhead of ELM's devices?

https://smile.amazon.com/dp/B074365Q6H/

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Mon Feb 19, 2018 11:18 am
by antus
I would expect they do, but what protocol do you need to talk to it with? J2534 is very capable, but that comes at the cost of complexity to write for it.
The flash code is very hard to understand without hardware docs, but it is not impossible.
Most security algos are known, don't worry about that.

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Mon Feb 19, 2018 1:18 pm
by NSFW
I have some experience with J2534 so I'm not too worried about that. What worries me more is devices that support the J2534 API (on the application-software side) but that don't actually support J1850 VPW (on the vehicle side). For example, I talked with Tactrix about VPW support and they don't have it. That's a shame because their hardware has been popular for Subarus for years, and they're a US company. Installing device drivers from random Chinese sources for devices on eBay that come with pirated Toyota and GM software just doesn't seem as safe. :-)

Do you have hardware docs for the PCM, or do you know where I can find them? I was thinking I'd reverse engineer an existing kernel, or as many as I can get my hands on. But any info would be helpful. I'm not expecting this to be easy.

160plus sent me some seed/key info so it looks like that's covered. It'll be on github as soon as I get an interface that I can test it with. Or maybe the documentation will go up sooner, if 160 wants to post it.

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Tue Feb 20, 2018 12:16 am
by Dannn
New user here, but I spoke with 160plus on LS1tech and have been reading this forum for quite a while, just never got around to registering.

NSFW: I'm going to PM you with a link to a zip file that has some potentially useful information I've gathered on the 68000 series, along with some saved HTML pages of forum posts about the process. Hopefully they're useful. There's several utilities and programming documentation from Motorola in there. Hope it helps.

Also on the J2534 comment... I have one of the clone Toyota MVCI devices; wonder if there's a way to extract just the J2534 DLL from the China install CD and set it up with just that. I can try it later on today on an XP virtual machine if you'd like.

Re: Open source GM OBD2 flash tool using a ELM327 device

Posted: Tue Feb 20, 2018 3:47 am
by 160plus
Well, everyone's found their way to this thread....now we just need Thaniel to drop the bomb. He's the one that figured out what I was missing :thumbup: