GM 16216588 - Hacking
Posted: Sat Apr 23, 2016 4:19 am
Hi All!
After chatting with Antus, I wanted to start up a thread to get some insight on getting into this PCM. I'm attempting to pick up where a few others left off and first figure out the Seed/Key or security algorithm before I get an AVT cable and get into reading/writing at 4x speeds. I'm going to list everything I have done so far and the specs on this unit and see where it goes. TIA!
The current dilemma I'm trying to sort through is why this PCM seems to respond to normal ELM 322/327 requests for a SEED and KEY response but doesn't unlock with any of the 256 GM algorithms. Maybe going back a few steps will help me better understand this? I have a great understanding of the OBD-I setup and the reverse/assembly and data mapping, but flash memory is all new to me.
GM 16216588
6.5L GM Diesel 4L80E 1996-2000 (OBD-2 J1850 VPW)
High Res Board Image:
(Following is quoted from an old site "1000cows" that is no longer active)
"Parts on the OBD-2 version of the board:
16055199 = voltage regulator
16166240 = quad driver module with diagnostics
16034993 = stepper motor driver
20686 = SAE J1850 transceiver and controller
66285 = PLCC-68, Delphi IOR, mapped at $1400
16202476 = PLCC-68, MC68HC11F1. 1024 RAM & 448k EEPROM
39985 = PLCC-68, timer I/O module
16183784 = Intel PLCC32 AN28F010 128k x 8 flash memory module
16206550 = ?
I/O Assignments:
AN0 = APP
AN1 = APP
AN2 = Transmission force current monitor
AN3 = APP
AN4 = battery voltage
AN5 = boost pressure, via Sallen-Key filter
AN6 = analogue mux
AN7 = EGR/baro pressure, via Sallen-Key filter
PAI = 4004 pulse per mile VSS input
TIC1 = Pin C15, VSS
TIC2 = Pin C12, transmission input shaft speed, through 84523 buffer
TIC3 = 8X CMP signal (low-res pump encoder signal). Also fed into 16180988 IC.
TIC4 = 4X CKP signal (from engine CKP). Also fed into 16180988 IC.
TOC4 = backup injector pulse width generation
TOC3 = I/O pin disables injector from TIO chip, timer channel used for 160 Hz task scheduler
TOC2 = TCC PWM generation
PD5 = powerdown to power supply IC
PG0 = ODM2-7
PG1 = ITS-9 (ITS phase)
PG2 = ITS-6 (ITS phase)
PG3 = Firmware bank selection
AN Mux:
MUX0 = pin B8, glow plug voltage monitor
MUX1 = pin B11, fuel temperature signal
MUX2 = pin A12, diagnostic switch input
MUX3 = Pin C8, ECTS voltage
MUX4 = pin B9, spare, 220k pulldown
MUX5 = pump calibration
MUX6 = QDM1-14 fault input
MUX7 = pin C13, glow plug relay supply voltage
MUX8 = QDM2-14 fault input
MUX9 = pin B4, A/C request
MUX10 = pin B12, intake air temperature
MUX11 = pin D10, optical sensor 5V power supply
MUX12 = Pin B5, unused, 20V range, 3k pullup to key power
MUX13 = pin C9, Transmission temperature sensor
MUX14 = APP 2 sensor 5V power supply
MUX15 = Flash memory Vpp monitor
IOR:
1800.7 = PCS Low Drive
1800.6 = TCC on/off output (4L60E)
1800.5 = shift solenoid
1800.4 = shift solenoid
1800.3 = EGR vent valve
1800.2 = Service Throttle Lamp
1800.1 = ITS Enable
1800.0 = Glow plug relay enable
1802.7 = AMUX3
1802.6 = AMUX2
1802.5 = AMUX1
1802.4 = AMUX0
1802.3 = Pin E2 - 4WD axle switch
1802.2 = Pin E3 - Performance shift mode switch
1802.1 = Pin E4 - Manual shift mode switch
1802.0 = Pin F3 - cruise on/off
1804.7 = Pin F11 - cruise resume/accel
1804.6 = Pin F15 - cruise set/coast
1804.5 = Pin E10 - PRNDL B
1804.4 = Pin E9 - PRNDL C
1804.3 = Pin E8 - PRNDL A
1804.2 = Pin F5 - TCC Brake Switch
1804.1 = Pin A6 - Brake Switch
1804.0 = Pin A6 - PTO request
1807.3 = MIL
1807.2 = Read pump trim resistor enable
1807.1 = Pin C9 Transmission Temp Pullup Select
1807.0 = Pin C8 IATS Pullup Select
1808 (PWM) = PCS current control
180A (PWM) = Boost modulator control
180C (PWM) = spare, not sure what it is used for yet. Probably the 3-2 shift solenoid, 4L60E.
180E (PWM) = EGR frequency
TIO:
16FA.1 = ODM chip select to retrieve diagnostic status
16FA.2 = ODM chip select to retrieve diagnostic status
1472 = closure time response
147C = timing delay counter
147E = fuel quantity counter
1480 = split pulse delay counter
1482 = pilot quantity counter (first pulse)
140C = MAF time-since-last-pulse (pin C3 of the 32 pin BROWN connector, NOT pin E1 (or sometimes called pin C1 of connector C3). THIS IS WRONG in some service schematics!
140A = MAF pulse counter
This is a 68HC11 processor which should be very similar to that used in the OBD-I version. It is a bit unusual (to my mind) to use a 68HC11 on the OBD-II ECM when pretty much all of the OBD-II petrol ECMs went to 68332s. I guess Ford pushed the EEC-V (8065, an 8096 variant) just into the 2000s before going over to the PowerPCs so why not, I guess. Just to be a pain in the arse, the flash memory has some of its address lines swapped around. There's space for two 32k memory pages (bank swapped using pin PG3) and one 24k non-banked page shared between calibration and common (non-banked) code. Communication is via SAE J1850 instead of SCI."
Some of the address swapping info is on another site along with a direct flash dump done thru HC11 UART and the DOS program prog11.exe:
See later posts in this thread for more info on this.
http://www.gearhead-efi.com/Fuel-Inject ... 6588-Flash
Deviations for different years:
-'96-'97 do not have EVO/Passlock
-'98+ has a security learn procedure and waits for go/no-go from the EVO/Passlock in the ignition key cylinder
-L56/Light Duty sometimes had a MAF but it can be tuned out since it was used for EGR
-Later years (unknown exactly) implemented real-time cylinder misfire detection
Added 4/23/2016: Wiring pinouts for a '99 PCM. Thanks to Glagulator @ DieselPlace! Note, don't follow the service manuals for this unit... they aren't all correct but this is. I was able to repin a harness connector from a 350 truck and shave off the locating pins of the connector to make my bench test setup.