pcmhacking.net

Posted: **Tue Sep 19, 2023 6:14 am**

Can anyone point out where the physical unlock pin is located on a 16228016?
Photo of the 16228016 PCB is attached.

Posted: **Tue Sep 19, 2023 8:21 am**

I should have asked, does anyone know the location of the physical unlock pin location on a P08?

Posted: **Tue Sep 19, 2023 9:11 am**

Edit; Had an eyelid test between writing and posting, missed your second post ...

That's a P08, I don't think it has been found yet ... I would try looking where Antus posted the BDM hookup info, if it has been found, that is whom would of, and most likely when.

I'll see if I can trace it out in a bit, that is if I can remember how and what CPU pin it is, I'm not sure I can, I'm going to have to reflash my brain back to the V6 ability for pcm hammer. thread days ...

-Enjoy

Posted: **Wed Sep 20, 2023 11:21 am**

According to my notes, the pin that we short on P01 is connected to Address 12 on the flash chip. Address 12 comes in to play for values of 4096 decimal and above. So essentially its corrupting reads above the boot sector.

If the P08 has the equivalent boot tests and functionality and a bootloader in the first 4K of flash, grounding addresss pin A12 should do the same. Maybe there is a via on the PCB thats easier to identify and connect to on the P08 like the P01 and P59.

I think this is A12 and anywhere on this path should trigger it if available. Note that although it should be safe, hardware damage is still possible, so you are testing this at your own risk.

I can test it later in the day on my side.

Posted: **Wed Sep 20, 2023 12:37 pm**

Confirming it works, sort of. It doesnt stay in boot mode for very long. ~5 seconds after you trigger it, it disconnects ground it reboots fully back to normal operation. You'll need to hold it and release once the flash process is started, probably during the kernel upload, before the kernel starts communicating with the flash chip. PCMHammer takes some time to attempt recovery mode, so I'd suggest holding this, starting the process, then release it as soon as you see the kernel upload log message. It might take a couple of goes to get it.

You may also be able to try different address pins and see of you can get an A2 01 (OS) or A2 02 (Calibration) boot recovery mode, instead of A2 00 (Boot). I tried a few other address pins and couple got me A0 00, so I dont think this PCM has A0 01 or A0 02 which are the ones that stay open for in the P01/P59 until you power cycle or the flash process starts. We could disasm the boot sector and see, but it doesn't test as expected and we are on an earlier generation here. If you try this make sure you only ever ground address pins, ground power pins and it'll likely kill it.

Code: Select all

[12:03:04.180] E8 FF 10 03
[12:03:06.212] E8 FF 10 03
[12:03:08.243] E8 FF 10 03
[12:03:10.274] E8 FF 10 03
[12:03:12.306] E8 FF 10 03
[12:03:14.337] E8 FF 10 03
[12:03:16.368] E8 FF 10 03
[12:03:18.399] E8 FF 10 03
[12:03:20.430] E8 FF 10 03
[12:03:22.462] E8 FF 10 03
[12:03:24.493] E8 FF 10 03
[12:03:26.524] E8 FF 10 03
[12:03:28.556] E8 FF 10 03
[12:03:30.587] E8 FF 10 03
[12:03:32.618] E8 FF 10 03
[12:03:34.650] E8 FF 10 03
[12:03:36.680] E8 FF 10 03
[12:03:38.712] E8 FF 10 03
[12:03:40.743] E8 FF 10 03
[12:03:42.774] E8 FF 10 03
[12:03:44.806] E8 FF 10 03
[12:03:46.837] E8 FF 10 03
[12:03:48.868] E8 FF 10 03
[12:03:50.900] E8 FF 10 03
[12:03:52.931] E8 FF 10 03
[12:03:55.001] 6C FE 10 A2 00
[12:03:55.189] 6C FE 10 A2 00
[12:03:55.378] 6C FE 10 A2 00
[12:03:55.566] 6C FE 10 A2 00
[12:03:55.755] 6C FE 10 A2 00
[12:03:55.943] 6C FE 10 A2 00
[12:03:56.131] 6C FE 10 A2 00
[12:03:56.320] 6C FE 10 A2 00
[12:03:56.508] 6C FE 10 A2 00
[12:03:56.696] 6C FE 10 A2 00
[12:03:56.885] 6C FE 10 A2 00
[12:03:57.074] 6C FE 10 A2 00
[12:03:57.262] 6C FE 10 A2 00
[12:03:57.451] 6C FE 10 A2 00
[12:03:57.639] 6C FE 10 A2 00
[12:03:57.827] 6C FE 10 A2 00
[12:03:58.016] 6C FE 10 A2 00
[12:03:58.204] 6C FE 10 A2 00
[12:03:58.392] 6C FE 10 A2 00
[12:03:58.581] 6C FE 10 A2 00
[12:03:58.769] 6C FE 10 A2 00
[12:03:58.958] 6C FE 10 A2 00
[12:03:59.147] 6C FE 10 A2 00
[12:03:59.335] 6C FE 10 A2 00
[12:03:59.523] 6C FE 10 A2 00
[12:03:59.885] 88 15 10 01
[12:03:59.894] 88 3B 10 43 01
[12:03:59.902] A8 49 10 01 00
[12:03:59.972] E8 FF 10 03
[12:04:00.012] A8 49 10 41 00
[12:04:00.135] 88 15 10 41
[12:04:02.003] E8 FF 10 03
[12:04:02.010] 88 3B 10 43 04
[12:04:04.035] E8 FF 10 03
[12:04:06.065] E8 FF 10 03

About 4.5 seconds of boot recovery mode shown above to get the process started in.

Posted: **Thu Sep 21, 2023 12:01 am**

Yea, the P08's boot different, easily noted with a bus logger as Antus has posted.

The problem here is the OsID is missing for the P08 he is working on ... I have sent him a test build!

Flash pin versus CPU pin, I knew I'd get it wrong somehow!

Guess I'm wrong way Gampy now ... Time to haul it in and close up shop!

-Enjoy

Posted: **Sun Sep 24, 2023 6:47 am**

Sorry for the belated response. Thanks, very helpful information.

Posted: **Sun Sep 24, 2023 7:28 am**

Better late than never ...

See PM.

-Enjoy

pcmhacking.net

16228016 physical Unlock Pin Location

16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location

Re: 16228016 physical Unlock Pin Location