|
Rank: Newbie  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/20/2008 Posts: 3 |
What is the method people are using to get S/K's?
|
|
Rank: ProTuner
Groups:
Joined: 5/23/2008 Posts: 4
|
what you seek in info is very classified even today.
Verify that power to the controller is on, and that all connections are secure. Select calibration. Press the "Program" button to program the controller.
------------- END OF SESSION LOG ---------------
<6C 10 F0 10 00 >08 FF 10 02 B2 >6C F0 10 7F 10 00 12 BB <6C 10 F0 2A 01 42 >6C F0 10 7F 2A 01 42 12 5D <6C 10 F0 2A 01 8B >6C F0 10 7F 2A 01 8B 12 14 <6C 10 F0 2A 01 6B >6C F0 10 7F 2A 01 6B 12 34 <6C FE F0 28 00 >6C F0 10 68 00 F6 <6C 10 F0 3C 01 >6C F0 10 7C 01 00 31 47 32 57 50 8A <6C 10 F0 3C 02 >6C F0 10 7C 02 31 32 31 34 57 46 75 <6C 10 F0 3C 03 >6C F0 10 7C 03 32 39 37 32 35 33 9D <6C 10 F0 3C 08 >6C F0 10 7C 08 00 8E B7 7C 15 <6C 10 F0 3C 09 >6C F0 10 7F 3C 09 31 67 <6C 10 F0 3C 0A >6C F0 10 7C 0A 00 8F 02 A7 9C <6C 10 F0 3C 0B >6C F0 10 7F 3C 0B 31 65 <6C 10 F0 3C 1D >6C F0 10 7F 3C 1D 31 53 <6C 10 F0 3C 14 >6C F0 10 7F 3C 14 31 5C <6C 10 F0 3C 21 >6C F0 10 7F 3C 21 31 4F <6C 10 F0 3C 22 >6C F0 10 7F 3C 22 31 4E <6C 10 F0 3C 24 >6C F0 10 7F 3C 24 31 4C <6C 10 F0 3C A0 >6C F0 10 7C A0 00 41 <6C 10 F0 27 01 >6C F0 10 67 01 38 42 7A <6C 10 F0 10 00 <6C 10 F0 2A 01 42 <6C 10 F0 2A 01 8B <6C 10 F0 2A 01 6B <6C FE F0 28 00 <6C 10 F0 3C 01
Key = 0x934D – SwapHiLoBytes(Seed)
So… for seed 0x2590 and key 0x0328
Key = 0x934D – SwapHiLoBytes(0x2590)
Key = 0x934D – 0x9025
Key = 0x0328
Seed (0A82) Key (1143)
N (934D) - 820A = 1143
__________ this however is only 1 of 256 algros.. and this algro is not 100% correct. it is just an example of what the seed and key are all about.
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 | |
|
Rank: ProTuner
Groups:
Joined: 5/23/2008 Posts: 4
|
that post does not disclose anything about the structure for the seed / key and method of the algro's for the GM PCM's... the algro is based on several oprands. These oprands are called by a algro structure of 13 bytes. However, there is some spoof bytes to throw off would be hackers of the databese these algro were once in. there is 256 algro designed sometime back in 1993.... I have a program that can take one single seed, with a key, and tell me exactly what algro is being used. This program was wrote by a PHD math major. In that same program, I can also take a seed, and output the key as long as I know what algro is being used.. if someone can READ and WRITE CPU32 assembly, and reverse a complete BIN in IDA rescue, then the PCM can be cracked very easy. I have already worked with one guy in Canada that wrote a program in some simple language like dephi, or something like that and once he had the program where it would up and download the 96-99 V6 PCM's he bailed out on development. Turned out there is at least several different boot loaders for the V6 PCM product line. Why? because the PCM is using AMD Flash and Intel flash chips ( 28F400 ) in the same product line. One loads from the bottom, the other from the top. the bootloader directs all this action. To actually get a seed / key pair can only be done with a sniff trace. the key is not in the PCM. the algro is not in the PCM. HOWEVER, the algro to be used to up and download the PCM is in the BIN file. Not the complete algro... just the AA= XX XX XX XX XX XX XX XX XX XX XX XX XX ... where AA is the algro identifier, and the XX is the actual algro calling the oprands. The oprand is like ..... do 2's completment... SwapHiLoBytes... these are oprands.
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 |
t will take a little time but I can trace through the code and see what it is doing. It would be much easier if it was in Delphi. I could easily port it to .NET and create a standalone utility to create the key response packet. I have everything I need to do it. To actually get a seed / key pair can only be done with a sniff trace. the key is not in the PCM. the algro is not in the PCM. HOWEVER, the algro to be used to up and download the PCM is in the BIN file. Not the complete algro... just the AA= XX XX XX XX XX XX XX XX XX XX XX XX XX ... where AA is the algro identifier, and the XX is the actual algro calling the oprands. The oprand is like ..... do 2's completment... SwapHiLoBytes... these are oprands. This part sounds really interesting. J2190 section 5.14 (Mode 0x27 -Security Access Mode) states that when you send the key "Optional data bytes may be specified by the vehicle manufacture." Is this what you are referring to?? They also state that the second byte must be an odd number when requesting the seed and when sending the key the second byte must be a even number one greater than the odd number sent in the seed request. It might be possible to use a BDM to trace the code in the PCM to see what address it jumps to when processing the parameters passed with the seed. The meaning of the parameters should be in that part of the firmware. Noting good is ever easy. It is odd that the flash chips would change the addressing. When you design a system you just wire up the address lines to the CPU and then the data lines. To reverse the addressing you would have to connect the address lines in reverse order. If guess if the pin out of the chips were different and they did not want to update the board they could have fixed it in software. There is probably a trick to figuring out the addressing scheme if this is the case.
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 |
Here is a trace from tool dumping a 411 ECM's ROM... 06/01/08 - Updated to account for checksum ---------------------------------------------------------------------------- XX 10 F0 = Message from tool to ECM XX F0 10 = Message from ECM to tool F0 = Test tool address 10 = ECM Address NOTE: The last digit is the checksum Trace ECM ROM read //Request data from block 0A 6C 10 F0 3C 0A 45 //Response with data in red 6C F0 10 7C 0A 00 C0 28 CE 8F //Read another block 6C 10 F0 3C 01 8A 6C F0 10 7C 01 00 31 47 31 59 59 C3 //Read another block 6C 10 F0 3C 02 AD 6C F0 10 7C 02 31 32 53 35 32 35 94 //Read another block 6C 10 F0 3C 03 B0 6C F0 10 7C 03 31 32 35 31 37 31 6D //Read another block 6C 10 F0 3C 0B 58 6C F0 10 7C 0B 00 8E CD 51 EB //Read another block 6C 10 F0 3C 0C 0B 6C F0 10 7C 0C 00 8E CE 74 DA //Read another block 6C 10 F0 3C 0D 16 6C F0 10 7C 0D 00 8E CB F4 F7 //Read another block 6C 10 F0 3C 0E 31 6C F0 10 7C 0E 00 F8 2C FB 10 //Read another block 6C 10 F0 3C 0F 2C 6C F0 10 7C 0F 00 F8 2D FF 42 //Read another block 6C 10 F0 3C 10 5A 6C F0 10 7C 10 00 8F 07 7E 9E //Read another block 6C 10 F0 3C 11 47 6C F0 10 7C 11 00 8E DA EE 3C //Disable normal message transmission 6C FE F0 28 00 10 6C F0 10 68 00 9F // Test device present message 8C FE F0 3F 2C 8C FE F0 3F 2C // Request Seed // The 01 can be any odd number 6C 10 F0 27 01 B0 //Respone: Seed = 14 E3 6C F0 10 67 01 14 E3 8B // Send Key – Key = B0 39 // The 02 is 01 + 1 from the previous request for the seed 6C 10 F0 27 02 B0 39 8D //Accepted with extra data 34 6C F0 10 67 02 34 4B //Test device present message 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C // A0 – message define by manufacture 6C FE F0 A0 97 6C F0 10 E0 AA 7F //Test device present message 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C 8C FE F0 3F 2C // A1 – message define by manufacture 6C FE F0 A1 8A // 6C 10 F1 19 DA FF 36 6C F1 10 59 00 00 FF 10 6C 10 F0 14 16 6C F0 10 54 C3 48 3B 10 04 10 49 68 13 10 11 00 46 68 33 10 A1 B7 68 49 10 10 01 1D 68 86 10 02 50 88 1B 10 10 00 00 46 88 29 10 01 00 5B 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 4B 10 11 00 16 88 63 10 02 00 A0 88 83 10 0A 00 00 EB A8 0B 10 20 01 D3 A8 83 10 13 00 00 58 A8 F3 10 11 02 2B C8 4B 10 14 00 E8 48 3B 10 04 10 49 68 33 10 A1 B7 68 86 10 02 50 C8 53 10 22 8E A5 E8 FF 10 03 B3 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 63 10 02 00 A0 49 92 10 01 BE 89 32 10 22 4F A9 24 10 03 82 AB 24 10 05 00 46 C9 15 10 01 C1 C9 58 10 3C EF C9 63 10 20 16 CB E4 10 20 00 AD C9 FE 10 06 82 88 63 10 10 FF 48 8A EA 10 20 81 00 9E 8A EA 10 A0 82 00 8A 8A EA 10 20 83 00 06 49 92 10 01 BE 89 32 10 22 4F 8A EA 10 20 84 00 FF 8A EA 10 20 89 00 C4 8A EA 10 A0 8E 00 FD 8A EA 10 20 8F 00 71 8A EA 10 A0 B7 00 2A 8A EA 10 20 CB 00 B6 88 63 10 10 FF 48 8A EA 10 20 81 00 9E 8A EA 10 A0 82 00 8A 8A EA 10 20 D5 00 ED 8A EA 10 20 E9 00 5B A9 24 10 03 82 AB 24 10 05 00 46 A8 FB 10 01 00 00 00 31 0D 48 3B 10 04 10 49 68 33 10 A1 B7 68 86 10 02 50 8A EA 10 20 83 00 06 8A EA 10 20 84 00 FF 8A EA 10 20 89 00 C4 8A EA 10 A0 8E 00 FD 8A EA 10 20 8F 00 71 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 63 10 02 00 A0 8A EA 10 A0 B7 00 2A 8A EA 10 20 CB 00 B6 8A EA 10 20 D5 00 ED 8A EA 10 20 E9 00 5B A8 FB 10 02 47 31 59 59 40 A8 FB 10 03 31 32 53 35 FE A8 FB 10 04 32 35 31 32 91 A8 FB 10 05 35 31 37 31 9B C9 15 10 01 C1 C8 3B 10 10 02 04 C8 3B 10 3C 80 1A C9 58 10 3C EF C9 63 10 20 16 CB E4 10 20 00 AD C9 FE 10 06 82 C9 58 10 0B F6 C9 B2 10 3C 70 CB EB 10 20 9B E1 E9 2A 10 3C EE 49 92 10 01 BE 89 32 10 22 4F A9 24 10 03 82 AB 24 10 05 00 46 C9 15 10 01 C1 C9 58 10 3C EF C9 58 10 0B F6 C9 63 10 20 16 88 63 10 10 FF 48 8A EA 10 20 81 00 9E 8A EA 10 A0 82 00 8A C9 B2 10 3C 70 CB E4 10 20 00 AD CB EB 10 20 9B E1 C9 FE 10 06 82 E9 2A 10 3C EE 48 3B 10 04 10 49 68 33 10 A1 B7 68 86 10 02 50 8A EA 10 20 83 00 06 8A EA 10 20 84 00 FF 8A EA 10 20 89 00 C4 8A EA 10 A0 8E 00 FD 8A EA 10 20 8F 00 71 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 63 10 02 00 A0 8A EA 10 A0 B7 00 2A 8A EA 10 20 CB 00 B6 8A EA 10 20 D5 00 ED 8A EA 10 20 E9 00 5B E8 FF 10 03 B3 49 92 10 01 BE 89 32 10 22 4F A9 24 10 03 82 AB 24 10 05 00 46 C9 15 10 01 C1 C9 58 10 3C EF C9 58 10 0B F6 C9 63 10 20 16 88 63 10 10 FF 48 8A EA 10 20 81 00 9E 8A EA 10 A0 82 00 8A C9 B2 10 3C 70 CB E4 10 20 00 AD CB EB 10 20 9B E1 C9 FE 10 06 82 E9 2A 10 3C EE 48 3B 10 04 10 49 68 33 10 A1 B7 68 86 10 02 50 8A EA 10 20 83 00 06 8A EA 10 20 84 00 FF 8A EA 10 20 89 00 C4 8A EA 10 A0 8E 00 FD 8A EA 10 20 8F 00 71 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 63 10 02 00 A0 8A EA 10 A0 B7 00 2A 8A EA 10 20 CB 00 B6 8A EA 10 20 D5 00 ED 8A EA 10 20 E9 00 5B 49 92 10 01 BE 89 32 10 22 4F A9 24 10 03 82 AB 24 10 05 00 46 C9 15 10 01 C1 C9 58 10 3C EF C9 58 10 0B F6 C9 63 10 20 16 88 63 10 10 FF 48 8A EA 10 20 81 00 9E 8A EA 10 A0 82 00 8A C9 B2 10 3C 70 CB E4 10 20 00 AD CB EB 10 20 9B E1 C9 FE 10 06 82 E9 2A 10 3C EE 48 3B 10 04 10 49 68 33 10 A1 B7 68 86 10 02 50 8A EA 10 20 83 00 06 8A EA 10 20 84 00 FF 8A EA 10 20 89 00 C4 8A EA 10 A0 8E 00 FD 8A EA 10 20 8F 00 71 88 2B 10 0B 00 00 F1 88 3B 10 03 80 E7 88 63 10 02 00 A0 8A EA 10 A0 B7 00 2A 8A EA 10 20 CB 00 B6 8A EA 10 20 D5 00 ED 8A EA 10 20 E9 00 5B E8 FF 10 03 B3 49 92 10 01 BE 89 32 10 22 4F A9 24 10 03 82 AB 24 10 05 00 46 C9 15 10 01 C1 C9 58 10 3C EF C9 58 10 0B F6
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 |
It the trace from my previous post command 3C is used to read blocks 01-03 are read to get the vinf before requesting they seed. Also a value is read from 0A and 0B-11. I think that the VIN and what ever is at the other memory location help with creating the key. Does anyone know what these blocks map to in a 411 ECM? BTW: I was able to unlock the ECM using the OMNITuner foundation once I new the key. //Request data from block 0A 6C 10 F0 3C 0A 45 //Response with data in red 6C F0 10 7C 0A 00 C0 28 CE 8F //Read another block 6C 10 F0 3C 01 8A 6C F0 10 7C 01 00 31 47 31 59 59 C3 //Read another block 6C 10 F0 3C 02 AD 6C F0 10 7C 02 31 32 53 35 32 35 94 //Read another block 6C 10 F0 3C 03 B0 6C F0 10 7C 03 31 32 35 31 37 31 6D //Read another block 6C 10 F0 3C 0B 58 6C F0 10 7C 0B 00 8E CD 51 EB //Read another block 6C 10 F0 3C 0C 0B 6C F0 10 7C 0C 00 8E CE 74 DA //Read another block 6C 10 F0 3C 0D 16 6C F0 10 7C 0D 00 8E CB F4 F7 //Read another block 6C 10 F0 3C 0E 31 6C F0 10 7C 0E 00 F8 2C FB 10 //Read another block 6C 10 F0 3C 0F 2C 6C F0 10 7C 0F 00 F8 2D FF 42 //Read another block 6C 10 F0 3C 10 5A 6C F0 10 7C 10 00 8F 07 7E 9E //Read another block 6C 10 F0 3C 11 47 6C F0 10 7C 11 00 8E DA EE 3C
|
|
Rank: ProTuner  Groups: ProTuner, Registered Users, Subscribers Joined: 5/20/2008 Posts: 25 |
Verify that power to the controller is on, and that all connections are secure. Select calibration. Press the "Program" button to program the controller.
------------- END OF SESSION LOG ---------------
<8C FE F0 3F [0004] <6C FE F0 28 00 [0005] >88 83 10 0A 00 00 [0006] >6C F0 10 68 00 [0005] <6C 10 F0 3C 01 [0005] >6C F0 10 7C 01 00 31 47 36 4B 59 [0011] <8C FE F0 3F [0004] <6C 10 F0 3C 02 [0005] >6C F0 10 7C 02 35 34 39 31 33 55 [0011] <6C 10 F0 3C 03 [0005] >6C F0 10 7C 03 31 30 30 30 31 37 [0011] <6C 10 F0 3C 08 [0005] <6C 10 F0 3C 09 [0005] >6C F0 10 7C 09 00 00 00 00 [0009] <6C 10 F0 3C 0A [0005] >6C F0 10 7C 0A 00 C0 0A 2D [0009] <6C 10 F0 3C 0B [0005] >6C F0 10 7C 0B 00 BF FA 30 [0009] <6C 10 F0 3C 0C [0005] >6C F0 10 7F 3C 0C 31 [0007] <6C 10 F0 3C 1D [0005] >6C F0 10 7F 3C 1D 31 [0007] <6C 10 F0 3C 14 [0005] >6C F0 10 7C 14 59 41 4C 55 [0009] <6C 10 F0 3C 21 [0005] >6C F0 10 7F 3C 21 31 [0007] <6C 10 F0 3C 22 [0005] >6C F0 10 7F 3C 22 31 [0007] <6C 10 F0 3C 24 [0005] >6C F0 10 7F 3C 24 31 [0007] <6C 10 F0 3C A0 [0005] >6C F0 10 7C A0 00 [0006] <6C 10 F0 27 01 [0005] >6C F0 10 67 01 4C DE [0007]
Method #2
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 |
I actually finally figured it out and it is not like anything I have seen in the forums. = Roger wrote:It the trace from my previous post command 3C is used to read blocks 01-03 are read to get the vinf before requesting they seed. Also a value is read from 0A and 0B-11. I think that the VIN and what ever is at the other memory location help with creating the key. Does anyone know what these blocks map to in a 411 ECM? BTW: I was able to unlock the ECM using the OMNITuner foundation once I new the key. //Request data from block 0A 6C 10 F0 3C 0A 45 //Response with data in red 6C F0 10 7C 0A 00 C0 28 CE 8F //Read another block 6C 10 F0 3C 01 8A 6C F0 10 7C 01 00 31 47 31 59 59 C3 //Read another block 6C 10 F0 3C 02 AD 6C F0 10 7C 02 31 32 53 35 32 35 94 //Read another block 6C 10 F0 3C 03 B0 6C F0 10 7C 03 31 32 35 31 37 31 6D //Read another block 6C 10 F0 3C 0B 58 6C F0 10 7C 0B 00 8E CD 51 EB //Read another block 6C 10 F0 3C 0C 0B 6C F0 10 7C 0C 00 8E CE 74 DA //Read another block 6C 10 F0 3C 0D 16 6C F0 10 7C 0D 00 8E CB F4 F7 //Read another block 6C 10 F0 3C 0E 31 6C F0 10 7C 0E 00 F8 2C FB 10 //Read another block 6C 10 F0 3C 0F 2C 6C F0 10 7C 0F 00 F8 2D FF 42 //Read another block 6C 10 F0 3C 10 5A 6C F0 10 7C 10 00 8F 07 7E 9E //Read another block 6C 10 F0 3C 11 47 6C F0 10 7C 11 00 8E DA EE 3C
|
|
Rank: Newbie
Groups: ProTuner, Registered Users, Subscribers
Joined: 7/20/2009 Posts: 1
|
Im also interested in the seed/keys, but more specifically, how they are derived. IOW, how can I find a key just having the seed? Im doing some work on trying to create a freeware application to allow reflashing of a PCM, and the seed/keys are still a bit of a sticky issue. Obviously for some of the '411 PCMs, the keys can be found by flipping the high/low bytes of the seed and subtracting the result from $934D. I found this out myself earlier, and its also posted further up in this thread. Does anyone know if the algos all use this type of logic? Or, is each one unique and different in how they key is derived from the seed? Right now the first PCM Im going to work on flashing is the 98/99 vortec black boxes. These are the ones I know the most about. I reversed most of the engine management code as well as almost all the code that handles the VPW communications (with respect to reflashing and such), so I have some idea of what needs to be done to get the PCM to ultimately transfer control to a memory resident program to allow for reflashing. But, I do not know yet how to generally get a key for the black boxes given the seed. So far, I only have the seed/key pair from my PCM that I socketed. My other thought is to maybe create an applet that would generate random, unique keys and present them to the PCM to find out which one unlocks it. Given the delays imposed by the PCM when a forced entry is taking place, it would take at most 4 days to unlock the PCM. This could be easily done using a benchtop power supply to let the PCM just run outside the car until the key is found, assuming the PCM only uses one seed/key pair.
|
|
Rank: Newbie
Groups: ProTuner, Registered Users, Subscribers
Joined: 1/12/2010 Posts: 4
|
n0dih wrote:What is the method people are using to get S/K's?
I built a small program in freebasic to talk to the ecm through a ELM322 box and just keep trying them till it worked, with the approriate timeout delays for exceeding attempts in 10 seconds of course.
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/17/2008 Posts: 27 |
sabercatpuck wrote:n0dih wrote:What is the method people are using to get S/K's?
I built a small program in freebasic to talk to the ecm through a ELM322 box and just keep trying them till it worked, with the approriate timeout delays for exceeding attempts in 10 seconds of course. That sounds pretty interesting. How long does it take on average to find a key? Have you tried it on something locked by HP Tuner or EFI Live?
You might be able to speed it up by rigging up something to cycle to power to the PCM between tries. There are several companies selling USB IO controllers that would do the job. Roger
|
|
Rank: Newbie
Groups: ProTuner, Registered Users, Subscribers
Joined: 1/12/2010 Posts: 4
|
By my calculations it should take less than 4 days of constant running. You can do 2 tries every 10 seconds at least on the 99 Saturn S series box that I am trying it out on (that is an auto tranny 1.9L DOHC). The seed key pair on it ended up being 63 AC (seed) and 1e 7c (key). As for trying to cycle the power if I read things right on mode 27, it is supposed to also lock the PCM for the first 10 seconds after power on so that would likely just be a good way to try and blow up the PCM by inrushing it 30,000 times. Although in reguards to building a key finder, I was thinking it might be possible to build it into a small pic or microcontroller and then just drive arround with it till it kicks back the key, though I would want to test that out first and make sure it did not interfere with the driving of the car if you went that way, would not go over well if your ECM got stupid while moving allong at 60 MPH down the highway.
|
|
Rank: Administration  Groups: ForumAdmin, ProTuner, Registered Users, Subscribers Joined: 5/20/2008 Posts: 6 |
I like the thought of unlocking PCM's. Has a nice ring to it...LOL.... The time frame part is no issue when your pcm is unsuppport, as all you want is in. What type of flash was in the Saturn? Cheers Mick Rev it up, Drop the clutch, See what happens.....
|
|
Rank: Newbie
Groups: ProTuner, Registered Users, Subscribers
Joined: 1/12/2010 Posts: 4
|
If memory serves me it was an Intel 29F010. The tranny side only used the first half, the engine side used bank switching to move in three different upper portions of memory. Quick glance looks like part 2 had most of the cal info since there appears to be at least a few tables
|
|
Rank: Newbie
Groups: Registered Users, Subscribers
Joined: 1/15/2010 Posts: 6
|
Sabercat: I have a 500kb log from your program trying to get into my ls1 pcm. However i also know the seed key because i used my efilive cable. Is there any way we can speed up your program to try the seed i know is good, to verify your program is working?
|
|
Rank: Newbie
Groups: ProTuner, Registered Users, Subscribers
Joined: 1/12/2010 Posts: 4
|
If you had one of the newer versions before they got yanked, it asked where you wanted to start from. I did not spend the time to remember (been a really long time since I did much programming) how to get it to take a hex number in so I just left it up to us to remember to add &h before the number to specify it as hex.
|
|
Rank: Newbie
Groups: Registered Users, Subscribers
Joined: 2/3/2010 Posts: 3
|
<p>&lt;p&gt; Tre-Cool wrote:&lt;/p&gt; &lt;p&gt;Sabercat: I have a 500kb log from your program trying to get into my ls1 pcm. However i also know the seed key because i used my efilive cable.&lt;/p&gt; &lt;p&gt;Is there any way we can speed up your program to try the seed i know is good, to verify your program is working?&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;I have made a similar app, Sabercat had helped me with it.&lt;/p&gt; &lt;p&gt;I have a few more options and its a bit bulkier.&lt;/p&gt; &lt;p&gt;You can choose where to start your key from, whether to incrememnt or decrememnt, it also gets your VIN and OSID as well.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;I just joined here so need to look around and get familiar with the structure and rules.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;I will upload in appropriate spot if rules allow it.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;</p> <p><img height="669" width="375" src="/userfiles/image/PflashUP1.jpg" alt="" /></p> planethax attached the following image(s):  PflashUP1.jpg (119kb) downloaded 74 time(s).
|
|
Rank: Newbie
Groups: Registered Users, Subscribers
Joined: 2/3/2010 Posts: 3
|
Wow, not sure what the heck happened there lol, not used to this board I guess.
anyways
I have made a similar app, Sabercat had helped me with it. I have a few more options and its a bit bulkier. You can choose where to start your key from, whether to incrememnt or decrememnt, it also gets your VIN and OSID as well. I just joined here so need to look around and get familiar with the structure and rules. I will upload in appropriate spot if rules allow it.
|
|
Rank: Newbie
Groups: Registered Users, Subscribers
Joined: 1/15/2010 Posts: 6
|
Hi planethax, i downloaded your program the other day to try on an ls1 computer i have connected to a bench harness, however it doesnt seem to work on the ls1 computers or atleast the custom efilive OS installed on the pcm. let me know if you need any testing done.
|
|
Guest |