How to Bypass and Remove Tuner lock from an LS Pcm

[160plus]

The following method will work to temporally bypass the security check commonly used as a method to lock a pcm by tuner's wanting to hide their work. It will also work to unlock a pcm if the KEY becomes corrupted for what ever reason. You will be able to read the bin file out from the pcm with commercial tools, you will also be able to write back to the pcm with commercial tools but it will have to be done in a "Recovery" mode FULL FLASH. Now depending on the software you use to flash the pcm it may also change the Seed and Key back to stock values that can be calculated in a normal manner but again that will depend on the tool used and what version of the software you are running.

This method will work on the P01 512K pcm as well as on the P59 1mb pcm


ENJOY

[youtube]https://www.youtube.com/watch?v=oGeMK6LvQck[/youtube]

[160plus]

This can also be taken a step further when using the previous method in conjunction with an Android App I have been developing over the last couple of months. The P01 pcm's can have the tuner lock easily removed in just a couple of minutes, the same method to force unlock the pcm I covered in my previous post is used. While the PCM is in the unlocked state it won't respond to normal commands but it can be written to if your program is expecting the PCM to be in this state.

The P59 can also be done with a similar method but it is a lot more involved on the software side. In time a method for this pcm will also be added into LS Droid but for the time being this should be considered exclusive to the P01 pcm's only.

I need to clean up a few things in the App and write up some basic usage instructions but expect this to be avaible for download in the next week or two https://github.com/LegacyNsfw/PcmHacks/ ... roid_Tools.

[youtube]https://www.youtube.com/watch?v=11GoY_rElKc[/youtube]

[julespatch]

Nice! I'll try this out in the next few days. thank you mate

[Tre-Cool]

very cool, with the age of the old ls1 controllers now I stopped locking my stuff a while ago. I don't even bother locking the e38's now too.

I still however have to unlock a bunch of them for other shops though.

[VX L67 Getrag]

If this works in the way it does as described, even if the controller is bricked if you force it to recieve the key pass message it will force a write entire of full file(if selected) & then recover bricked controllers.

I wonder where the pin is located on the E38 controllers to be able to do the same thing?

[Dylan]

Unlocked plenty with that pin, although I've never tried to write while in recovery like that

[antus]

It wont fix a full brick, the boot portion of the os needs to run and believe the initial calibration is not loaded then it gets ready for the initial load on the factory floor. The jump shorts an address pin that breaks the cal segment programmed check (higher address) but only while its pulled low at power on when the check occurs. When you go to read or write the full chip is normally accessible again.

[MudDuck514]

Hi all,

Will this Android App work with USB devices (such as the AllPro you all have been working on) or ONLY Bluetooth devices?

If only Bluetooth, how difficult is it to add theBT Module to the AllPro USB? (I noticed someone had ordered BOTH in the main dev thread)

Mike.

[Vampyre]

any idea where this pin runs to, I want to try this on a v6 pcm but schematic is different

[Thomas]

Hi
I tried this with a friends ecu. Manage to bypass the lock and read the ecu but after saving the tune it wouldn’t open it because the file was tuner locked. Have you had that before?
I’m using hp tuner