Seed and Key finding
n0dih
#1 Posted : Monday, May 26, 2008 2:18:41 PM
Rank: Newbie



Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/20/2008
Posts: 3
What is the method people are using to get S/K's?

FastFieros
#2 Posted : Tuesday, May 27, 2008 7:08:44 PM
Rank: ProTuner

Groups:

Joined: 5/23/2008
Posts: 4
What you seek in info is very classified even today.

Verify that power to the controller is on,
and that all connections are secure.
Select calibration.
Press the "Program" button to program the controller.

------------- END OF SESSION LOG ---------------

<6C 10 F0 10 00
>08 FF 10 02 B2
>6C F0 10 7F 10 00 12 BB
<6C 10 F0 2A 01 42
>6C F0 10 7F 2A 01 42 12 5D
<6C 10 F0 2A 01 8B
>6C F0 10 7F 2A 01 8B 12 14
<6C 10 F0 2A 01 6B
>6C F0 10 7F 2A 01 6B 12 34
<6C FE F0 28 00
>6C F0 10 68 00 F6
<6C 10 F0 3C 01
>6C F0 10 7C 01 00 31 47 32 57 50 8A
<6C 10 F0 3C 02
>6C F0 10 7C 02 31 32 31 34 57 46 75
<6C 10 F0 3C 03
>6C F0 10 7C 03 32 39 37 32 35 33 9D
<6C 10 F0 3C 08
>6C F0 10 7C 08 00 8E B7 7C 15
<6C 10 F0 3C 09
>6C F0 10 7F 3C 09 31 67
<6C 10 F0 3C 0A
>6C F0 10 7C 0A 00 8F 02 A7 9C
<6C 10 F0 3C 0B
>6C F0 10 7F 3C 0B 31 65
<6C 10 F0 3C 1D
>6C F0 10 7F 3C 1D 31 53
<6C 10 F0 3C 14
>6C F0 10 7F 3C 14 31 5C
<6C 10 F0 3C 21
>6C F0 10 7F 3C 21 31 4F
<6C 10 F0 3C 22
>6C F0 10 7F 3C 22 31 4E
<6C 10 F0 3C 24
>6C F0 10 7F 3C 24 31 4C
<6C 10 F0 3C A0
>6C F0 10 7C A0 00 41
<6C 10 F0 27 01
>6C F0 10 67 01 38 42 7A
<6C 10 F0 10 00
<6C 10 F0 2A 01 42
<6C 10 F0 2A 01 8B
<6C 10 F0 2A 01 6B
<6C FE F0 28 00
<6C 10 F0 3C 01





Key = 0x934D - SwapHiLoBytes(Seed)

So... for seed 0x2590 and key 0x0328

Key = 0x934D - SwapHiLoBytes(0x2590)

Key = 0x934D - 0x9025

Key = 0x0328

Seed (0A82) Key (1143)

N (934D) - 820A = 1143

__________ This, however, is only 1 of 256 algos, and this algo is not 100% correct. It is just an example of what the seed and key are all about.
Roger
#3 Posted : Wednesday, May 28, 2008 12:19:32 AM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

You might find this post interesting...

http://www.hptuners.com/forum/showthread.php?t=1960

FastFieros
#4 Posted : Wednesday, May 28, 2008 9:22:38 PM
Rank: ProTuner

Groups:

Joined: 5/23/2008
Posts: 4

Roger wrote:

You might find this post interesting...

http://www.hptuners.com/forum/showthread.php?t=1960

That post does not disclose anything about the structure for the seed / key and method of the algos for the GM PCMs...

The algo is based on several operands. These operands are called by an algo structure of 13 bytes. However, there are some spoof bytes to throw off would-be hackers of the database these algos were once in.

There are 256 algos designed sometime back in 1993....

I have a program that can take one single seed, with a key, and tell me exactly what algo is being used. This program was written by a PhD math major. In that same program, I can also take a seed, and output the key as long as I know what algo is being used.

If someone can READ and WRITE CPU32 assembly, and reverse a complete BIN in IDA rescue, then the PCM can be cracked very easily.

I have already worked with one guy in Canada that wrote a program in some simple language like Delphi, or something like that, and once he had the program where it would up and download the 96-99 V6 PCMs he bailed out on development. Turned out there are at least several different boot loaders for the V6 PCM product line. Why? Because the PCM is using AMD flash and Intel flash chips (28F400) in the same product line. One loads from the bottom, the other from the top. The bootloader directs all this action.

To actually get a seed / key pair can only be done with a sniff trace. The key is not in the PCM. The algo is not in the PCM. HOWEVER, the algo to be used to up and download the PCM is in the BIN file. Not the complete algo... just the AA= XX XX XX XX XX XX XX XX XX XX XX XX XX ... where AA is the algo identifier, and the XX is the actual algo calling the operands. The operand is like ..... do 2's complement... SwapHiLoBytes... these are operands.

 

 

Roger
#5 Posted : Thursday, May 29, 2008 7:11:16 PM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

 

It will take a little time but I can trace through the code and see what it is doing. It would be much easier if it was in Delphi. I could easily port it to .NET and create a standalone utility to create the key response packet. I have everything I need to do it.

To actually get a seed / key pair can only be done with a sniff trace. The key is not in the PCM. The algo is not in the PCM. HOWEVER, the algo to be used to up and download the PCM is in the BIN file. Not the complete algo... just the AA= XX XX XX XX XX XX XX XX XX XX XX XX XX ... where AA is the algo identifier, and the XX is the actual algo calling the operands. The operand is like ..... do 2's complement... SwapHiLoBytes... these are operands.

This part sounds really interesting. J2190 section 5.14 (Mode 0x27 - Security Access Mode) states that when you send the key "Optional data bytes may be specified by the vehicle manufacturer." Is this what you are referring to?? They also state that the second byte must be an odd number when requesting the seed, and when sending the key the second byte must be an even number one greater than the odd number sent in the seed request. It might be possible to use a BDM to trace the code in the PCM to see what address it jumps to when processing the parameters passed with the seed. The meaning of the parameters should be in that part of the firmware. Nothing good is ever easy.

It is odd that the flash chips would change the addressing. When you design a system you just wire up the address lines to the CPU and then the data lines. To reverse the addressing you would have to connect the address lines in reverse order. I guess if the pinout of the chips were different and they did not want to update the board they could have fixed it in software. There is probably a trick to figuring out the addressing scheme if this is the case.

 

 

 

Roger
#6 Posted : Saturday, May 31, 2008 3:30:06 PM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

Here is a trace from a tool dumping a 411 ECM's ROM... 06/01/08 - Updated to account for checksum

----------------------------------------------------------------------------

 

XX 10 F0 = Message from tool to ECM
XX F0 10 = Message from ECM to tool
 
F0 = Test tool address
10 = ECM Address
 
NOTE: The last digit is the checksum
 
Trace ECM ROM read
 
//Request data from block 0A
6C 10 F0 3C 0A 45
//Response with data in red
6C F0 10 7C 0A 00 C0 28 CE 8F
 
//Read another block
6C 10 F0 3C 01 8A
6C F0 10 7C 01 00 31 47 31 59 59 C3
 
//Read another block
6C 10 F0 3C 02 AD
6C F0 10 7C 02 31 32 53 35 32 35 94
 
//Read another block
6C 10 F0 3C 03 B0
6C F0 10 7C 03 31 32 35 31 37 31 6D
 
//Read another block
6C 10 F0 3C 0B 58
6C F0 10 7C 0B 00 8E CD 51 EB
 
//Read another block
6C 10 F0 3C 0C 0B
6C F0 10 7C 0C 00 8E CE 74 DA
 
//Read another block
6C 10 F0 3C 0D 16
6C F0 10 7C 0D 00 8E CB F4 F7
 
//Read another block
6C 10 F0 3C 0E 31
6C F0 10 7C 0E 00 F8 2C FB 10
 
//Read another block
6C 10 F0 3C 0F 2C
6C F0 10 7C 0F 00 F8 2D FF 42
 
//Read another block
6C 10 F0 3C 10 5A
6C F0 10 7C 10 00 8F 07 7E 9E
 
//Read another block
6C 10 F0 3C 11 47
6C F0 10 7C 11 00 8E DA EE 3C
 
//Disable normal message transmission
6C FE F0 28 00 10
6C F0 10 68 00 9F
 
// Test device present message
8C FE F0 3F 2C
8C FE F0 3F 2C
 
// Request Seed
// The 01 can be any odd number
6C 10 F0 27 01 B0
//Response: Seed = 14 E3
6C F0 10 67 01 14 E3 8B
 
// Send Key – Key = B0 39
// The 02 is 01 + 1 from the previous request for the seed
6C 10 F0 27 02 B0 39 8D
//Accepted with extra data 34
6C F0 10 67 02 34 4B
 
//Test device present message
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
 
// A0 – message defined by manufacturer
6C FE F0 A0 97
6C F0 10 E0 AA 7F
 
//Test device present message
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
8C FE F0 3F 2C
 
// A1 – message defined by manufacturer
6C FE F0 A1 8A
 
//
6C 10 F1 19 DA FF 36
6C F1 10 59 00 00 FF 10
6C 10 F0 14 16
6C F0 10 54 C3
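
Added example, not part of Roger's post: a Python check of the Mode 27 exchange in the trace above against the formula posted earlier in the thread. It assumes the trailing byte of each frame is the standard SAE J1850 CRC-8 and that the subtraction wraps at 16 bits; the function names are illustrative.

```python
from typing import NamedTuple

# Constructed input: the four Mode 27 frames copied from the trace in the post above.
TRACE = """\
6C 10 F0 27 01 B0
6C F0 10 67 01 14 E3 8B
6C 10 F0 27 02 B0 39 8D
6C F0 10 67 02 34 4B
"""

class Frame(NamedTuple):
    target: int
    source: int
    mode: int
    data: bytes
    crc_ok: bool

def crc8_j1850(data: bytes) -> int:
    """SAE J1850 CRC-8: polynomial 0x1D, initial value 0xFF, final XOR 0xFF."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def parse_frame(line: str) -> Frame:
    """Split one hex line into header, mode, data and a checked trailing CRC."""
    raw = bytes.fromhex(line)  # fromhex ignores the spaces between bytes
    if len(raw) < 5:
        raise ValueError(f"frame too short: {line!r}")
    body, crc = raw[:-1], raw[-1]
    return Frame(body[1], body[2], body[3], body[4:], crc8_j1850(body) == crc)

def posted_formula(seed: int) -> int:
    """Key = 0x934D - SwapHiLoBytes(seed), as quoted in the thread.
    Assumption added here: the subtraction wraps at 16 bits."""
    swapped = ((seed & 0xFF) << 8) | (seed >> 8)
    return (0x934D - swapped) & 0xFFFF

def security_access_exchange(frames):
    """Pair the seed reply with the key that was sent for it.

    Follows the J2190 rule quoted in the thread: the seed request uses an odd
    sub-function and the key is sent with that value plus one."""
    seed = key = level = None
    for f in frames:
        if not f.crc_ok or not f.data:
            continue  # ignore corrupted or empty frames
        sub, payload = f.data[0], f.data[1:]
        if f.mode == 0x67 and sub % 2 == 1 and len(payload) == 2:
            seed, level = int.from_bytes(payload, "big"), sub  # ECM -> tool: seed
        elif (f.mode == 0x27 and level is not None
              and sub == level + 1 and len(payload) == 2):
            key = int.from_bytes(payload, "big")               # tool -> ECM: key
    return seed, key

def analyse(trace: str) -> dict:
    """Parse a trace and report CRC validity, the seed/key pair and the formula check."""
    frames = [parse_frame(line) for line in trace.splitlines() if line.strip()]
    seed, key = security_access_exchange(frames)
    return {
        "all_crc_ok": all(f.crc_ok for f in frames),
        "seed": seed,
        "key": key,
        "formula_matches": key is not None and posted_formula(seed) == key,
    }

if __name__ == "__main__":
    r = analyse(TRACE)
    print(f"CRC ok: {r['all_crc_ok']}  seed={r['seed']:04X}  key={r['key']:04X}  "
          f"posted formula reproduces key: {r['formula_matches']}")
```

For seed 14 E3 the byte swap gives E314, which is larger than 934D, so the key B0 39 in the trace only comes out when the subtraction wraps modulo 0x10000.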
Roger
#7 Posted : Sunday, June 01, 2008 8:56:30 PM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

In the trace from my previous post, command 3C is used to read blocks 01-03 to get the VIN before requesting the seed. Also, a value is read from 0A and 0B-11. I think that the VIN and whatever is at the other memory locations help with creating the key. Does anyone know what these blocks map to in a 411 ECM?

BTW: I was able to unlock the ECM using the OMNITuner foundation once I knew the key.

 

//Request data from block 0A
6C 10 F0 3C 0A 45
//Response with data in red
6C F0 10 7C 0A 00 C0 28 CE 8F
 
//Read another block
6C 10 F0 3C 01 8A
6C F0 10 7C 01 00 31 47 31 59 59 C3
 
//Read another block
6C 10 F0 3C 02 AD
6C F0 10 7C 02 31 32 53 35 32 35 94
 
//Read another block
6C 10 F0 3C 03 B0
6C F0 10 7C 03 31 32 35 31 37 31 6D
 
//Read another block
6C 10 F0 3C 0B 58
6C F0 10 7C 0B 00 8E CD 51 EB
 
//Read another block
6C 10 F0 3C 0C 0B
6C F0 10 7C 0C 00 8E CE 74 DA
 
//Read another block
6C 10 F0 3C 0D 16
6C F0 10 7C 0D 00 8E CB F4 F7
 
//Read another block
6C 10 F0 3C 0E 31
6C F0 10 7C 0E 00 F8 2C FB 10
 
//Read another block
6C 10 F0 3C 0F 2C
6C F0 10 7C 0F 00 F8 2D FF 42
 
//Read another block
6C 10 F0 3C 10 5A
6C F0 10 7C 10 00 8F 07 7E 9E
 
//Read another block
6C 10 F0 3C 11 47
6C F0 10 7C 11 00 8E DA EE 3C
 

CalEditor
#8 Posted : Tuesday, January 06, 2009 4:37:35 AM
Rank: ProTuner



Groups: ProTuner, Registered Users, Subscribers

Joined: 5/20/2008
Posts: 25
Verify that power to the controller is on,
and that all connections are secure.
Select calibration.
Press the "Program" button to program the controller.


------------- END OF SESSION LOG ---------------

<8C FE F0 3F [0004]
<6C FE F0 28 00 [0005]
>88 83 10 0A 00 00 [0006]
>6C F0 10 68 00 [0005]
<6C 10 F0 3C 01 [0005]
>6C F0 10 7C 01 00 31 47 36 4B 59 [0011]
<8C FE F0 3F [0004]
<6C 10 F0 3C 02 [0005]
>6C F0 10 7C 02 35 34 39 31 33 55 [0011]
<6C 10 F0 3C 03 [0005]
>6C F0 10 7C 03 31 30 30 30 31 37 [0011]
<6C 10 F0 3C 08 [0005]
<6C 10 F0 3C 09 [0005]
>6C F0 10 7C 09 00 00 00 00 [0009]
<6C 10 F0 3C 0A [0005]
>6C F0 10 7C 0A 00 C0 0A 2D [0009]
<6C 10 F0 3C 0B [0005]
>6C F0 10 7C 0B 00 BF FA 30 [0009]
<6C 10 F0 3C 0C [0005]
>6C F0 10 7F 3C 0C 31 [0007]
<6C 10 F0 3C 1D [0005]
>6C F0 10 7F 3C 1D 31 [0007]
<6C 10 F0 3C 14 [0005]
>6C F0 10 7C 14 59 41 4C 55 [0009]
<6C 10 F0 3C 21 [0005]
>6C F0 10 7F 3C 21 31 [0007]
<6C 10 F0 3C 22 [0005]
>6C F0 10 7F 3C 22 31 [0007]
<6C 10 F0 3C 24 [0005]
>6C F0 10 7F 3C 24 31 [0007]
<6C 10 F0 3C A0 [0005]
>6C F0 10 7C A0 00 [0006]
<6C 10 F0 27 01 [0005]
>6C F0 10 67 01 4C DE [0007]

Method #2
Roger
#9 Posted : Monday, April 06, 2009 11:09:06 AM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

I actually finally figured it out and it is not like anything I have seen in the forums.

 

Roger wrote:

In the trace from my previous post, command 3C is used to read blocks 01-03 to get the VIN before requesting the seed. Also, a value is read from 0A and 0B-11. I think that the VIN and whatever is at the other memory locations help with creating the key. Does anyone know what these blocks map to in a 411 ECM?

BTW: I was able to unlock the ECM using the OMNITuner foundation once I knew the key.

 

 

 
dimented24x7
#10 Posted : Tuesday, July 21, 2009 11:03:08 PM
Rank: Newbie

Groups: ProTuner, Registered Users, Subscribers

Joined: 7/20/2009
Posts: 1

I'm also interested in the seed/keys, but more specifically, how they are derived. IOW, how can I find a key just having the seed? I'm doing some work on trying to create a freeware application to allow reflashing of a PCM, and the seed/keys are still a bit of a sticky issue. Obviously for some of the '411 PCMs, the keys can be found by flipping the high/low bytes of the seed and subtracting the result from $934D. I found this out myself earlier, and it's also posted further up in this thread. Does anyone know if the algos all use this type of logic? Or, is each one unique and different in how the key is derived from the seed?

Right now the first PCM I'm going to work on flashing is the 98/99 Vortec black boxes. These are the ones I know the most about. I reversed most of the engine management code as well as almost all the code that handles the VPW communications (with respect to reflashing and such), so I have some idea of what needs to be done to get the PCM to ultimately transfer control to a memory resident program to allow for reflashing. But, I do not know yet how to generally get a key for the black boxes given the seed. So far, I only have the seed/key pair from my PCM that I socketed.

My other thought is to maybe create an applet that would generate random, unique keys and present them to the PCM to find out which one unlocks it. Given the delays imposed by the PCM when a forced entry is taking place, it would take at most 4 days to unlock the PCM. This could be easily done using a benchtop power supply to let the PCM just run outside the car until the key is found, assuming the PCM only uses one seed/key pair.

sabercatpuck
#11 Posted : Tuesday, January 12, 2010 9:47:39 AM
Rank: Newbie

Groups: ProTuner, Registered Users, Subscribers

Joined: 1/12/2010
Posts: 4

n0dih wrote:
What is the method people are using to get S/K's?

I built a small program in FreeBASIC to talk to the ECM through an ELM322 box and just keep trying them till it worked, with the appropriate timeout delays for exceeding attempts in 10 seconds of course.

Roger
#12 Posted : Tuesday, January 12, 2010 1:44:16 PM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/17/2008
Posts: 27

sabercatpuck wrote:

n0dih wrote:
What is the method people are using to get S/K's?

I built a small program in FreeBASIC to talk to the ECM through an ELM322 box and just keep trying them till it worked, with the appropriate timeout delays for exceeding attempts in 10 seconds of course.

That sounds pretty interesting. How long does it take on average to find a key? Have you tried it on something locked by HP Tuner or EFI Live?
You might be able to speed it up by rigging up something to cycle the power to the PCM between tries. There are several companies selling USB IO controllers that would do the job.

Roger

sabercatpuck
#13 Posted : Wednesday, January 13, 2010 12:30:03 AM
Rank: Newbie

Groups: ProTuner, Registered Users, Subscribers

Joined: 1/12/2010
Posts: 4

By my calculations it should take less than 4 days of constant running. You can do 2 tries every 10 seconds at least on the 99 Saturn S series box that I am trying it out on (that is an auto tranny 1.9L DOHC). The seed key pair on it ended up being 63 AC (seed) and 1e 7c (key). As for trying to cycle the power, if I read things right on mode 27, it is supposed to also lock the PCM for the first 10 seconds after power on, so that would likely just be a good way to try and blow up the PCM by inrushing it 30,000 times. Although in regards to building a key finder, I was thinking it might be possible to build it into a small PIC or microcontroller and then just drive around with it till it kicks back the key, though I would want to test that out first and make sure it did not interfere with the driving of the car if you went that way; it would not go over well if your ECM got stupid while moving along at 60 MPH down the highway.

AussieLS1evil
#14 Posted : Wednesday, January 13, 2010 11:42:11 PM
Rank: Administration


Groups: ForumAdmin, ProTuner, Registered Users, Subscribers

Joined: 5/20/2008
Posts: 6

I like the thought of unlocking PCMs. Has a nice ring to it...LOL....

The time frame part is no issue when your PCM is unsupported, as all you want is in.

What type of flash was in the Saturn?

Cheers

Mick

 

 

Rev it up, Drop the clutch, See what happens.....
sabercatpuck
#15 Posted : Thursday, January 14, 2010 12:08:06 AM
Rank: Newbie

Groups: ProTuner, Registered Users, Subscribers

Joined: 1/12/2010
Posts: 4
If memory serves me it was an Intel 29F010. The tranny side only used the first half, the engine side used bank switching to move in three different upper portions of memory. Quick glance looks like part 2 had most of the cal info since there appears to be at least a few tables.
tre-cool
#16 Posted : Friday, January 15, 2010 7:56:18 AM
Rank: Newbie

Groups: Registered Users, Subscribers

Joined: 1/15/2010
Posts: 6

Sabercat: I have a 500kb log from your program trying to get into my LS1 PCM. However, I also know the seed key because I used my EFILive cable.

Is there any way we can speed up your program to try the seed I know is good, to verify your program is working?

 

 

sabercatpuck
#17 Posted : Friday, January 15, 2010 8:03:22 AM
Rank: Newbie

Groups: ProTuner, Registered Users, Subscribers

Joined: 1/12/2010
Posts: 4
If you had one of the newer versions before they got yanked, it asked where you wanted to start from. I did not spend the time to remember (been a really long time since I did much programming) how to get it to take a hex number in so I just left it up to us to remember to add &h before the number to specify it as hex.
planethax
#18 Posted : Wednesday, February 03, 2010 12:25:30 PM
Rank: Newbie

Groups: Registered Users, Subscribers

Joined: 2/3/2010
Posts: 3

Tre-Cool wrote:
Sabercat: I have a 500kb log from your program trying to get into my LS1 PCM. However, I also know the seed key because I used my EFILive cable.

Is there any way we can speed up your program to try the seed I know is good, to verify your program is working?

I have made a similar app, Sabercat had helped me with it.
I have a few more options and it's a bit bulkier.
You can choose where to start your key from, whether to increment or decrement, it also gets your VIN and OSID as well.

I just joined here so need to look around and get familiar with the structure and rules.

I will upload in appropriate spot if rules allow it.

planethax attached the following image(s):
PflashUP1.jpg (119kb) downloaded 74 time(s).
planethax
#19 Posted : Wednesday, February 03, 2010 12:28:39 PM
Rank: Newbie

Groups: Registered Users, Subscribers

Joined: 2/3/2010
Posts: 3
Wow, not sure what the heck happened there lol, not used to this board I guess.

anyways

I have made a similar app, Sabercat had helped me with it.
I have a few more options and it's a bit bulkier.
You can choose where to start your key from, whether to increment or decrement, it also gets your VIN and OSID as well.
I just joined here so need to look around and get familiar with the structure and rules.
I will upload in appropriate spot if rules allow it.
tre-cool
#20 Posted : Monday, February 07, 2011 4:27:48 PM
Rank: Newbie

Groups: Registered Users, Subscribers

Joined: 1/15/2010
Posts: 6

Hi planethax, I downloaded your program the other day to try on an LS1 computer I have connected to a bench harness, however it doesn't seem to work on the LS1 computers or at least the custom EFILive OS installed on the PCM.

Let me know if you need any testing done.
