pcmhacking.net

I'm somewhat new to GM engine controllers, but have spent a lot of time "hacking" jeep engine controllers. I'm in the process of swapping a Vortec 3500 series motor (P12) into my Jeep. At some point I may upgrade to a 3700 series motor (E67/P12 PCM), but this is the best I could get at a reasonable price. The P12 PCM appears identical to the E40 PCM, but I can't get a good read on the CPU. Assuming they both use a 68000 series processor (like my Sega Genesis), will the kernels and software work? Do you already support this PCM?

I did some searches for this information, but couldn't find much. The github wiki is really great. If I get an answer I might add a "what's not supported" section. I'm also interested in the E67, but that seems more complicated.

I appreciate any feedback, and plan on contributing if this swap happens. Thanks!

Im not aware of anything free for those pcms at this stage, or any development. Currently pcmhammer only has P01 and P59 support, with P04 in early development. Most that era PCM from GM is M68K but the differences are more around register mapping of the DLC, Watchdog and RAM mapping. If your skilled with that kind of development, you could attempt to get it working on your pcm, and we would help.

I've got a P12 bench setup. I tried to change the VIN, but the key request is always denied. Do you have any software that uses brute force / time to unlock the PCM or know of an alternate algorithm that works for E40, E67, P12... PCM/ECUs?

Sending unlock request (254B, 6E02) and it gets a code 35 which (based on ISO 14230) means invalid key.

I went ahead an put together a python script to go through each potential key. If anyone's got something better please let me know, because this could take over a week.

Do you have a sample seed/key pair for a P12? we can probably use a sample to identify the algo.

Sorry for the delayed reply. I modified a version of PCMhammer to search through the different Algos and it found that 91 worked to unlock the P12 PCM. I didn't make it keep going to see if multiple algos worked for this specific PCM.

Going one step further, I'm able to update the VIN#!

Request to upload the kernel was denied.

[07:20:17:788] Sending upload request for kernel size 8212, loadaddress FF8000
[07:20:17:789] TX: STPX H:6C10F0, R:1, D:34001000FF8000
[07:20:17:866] RX: 6C F0 10 7F 34 00 10 00 FF 80 12
[07:20:17:870] Found response, Refused


Any ideas on ways to figure out the correct request?

Why can't we simply transmit and upload request for everything?

Most OBD2 devices can't send a message long enough to contain the kernel, so it has to be sent in chunks.

The problem you're seeing right now is probably due to the address of the upload request (FF8000) being outside of the memory range that the RAM chip is mapped to.

If you could sniff a read or write operation with another tool (Tech2, HPT, EFI Live...) you could get the address that their kernel is uploaded to.

Or, since you seem to be handy with C#, you could create a loop that tries to upload the kernel to a bunch of different addresses, and then halts when it gets a success response. For example, start by trying to upload to 0xFF0000, and work upward 0x40 bytes at a time.

Do we know what CPU chip is in the ECU you're using? And what data link controller (DLC) chip?

I'm not sure what the hardware is. Here is the properties

OS ID: 12606400
[06:01:14:121] Calibration ID: 12606398
[06:01:18:047] Hardware ID query failed: Error
[06:01:18:217] Serial Number: 6046KH0D0
[06:01:18:296] Broad Cast Code: YNBC
[06:01:18:348] MEC: 0

Here is the hardware ID transmission data
TX: STPX H:6C10F0, R:1, D:3C04
[06:01:14:173] RX: 6C F0 10 7C 04 33 38 36

it corresponds to "386" in ASCII. Not sure if that means anything. I'm having some trouble opening up the PCM, and don't want to brake it.

I like your address search idea. I'll give it a shot.