I just want to know one thing... Where do the seed and/or keys for mode $27 access reside in these? Is it generated via external hardare within the PCM? Or, is it stored on the flash somewhere?
I just want to know one thing... Where do the seed and/or keys for mode $27 access reside in these? Is it generated via external hardare within the PCM? Or, is it stored on the flash somewhere?
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
for these older ones it is stored in a serial eeprom seperate from the main flash. 97/98 LS1's are the same.
I count sheep in hex...
Thanks.
Crap. Sort of figured there was some external device that stored them since the QSPI routines appeared to be used to load the seed/key pairs. I would also assume that each time security access is requested, that a new seed/key pair is loaded?
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
will hptuners ever offfer support for the 97-98 lt1's?
I have been able to scan a 97 lt1 with the hp scanner but am not 100% sure if the readings are correct?
Roadracing Crew Chief - World Superbike, British Superbike, Moto America.
Another Q in regards to the 98/99 vortec PCMs. Do you need to do anything special to enable writes to the chip when flashing? I was looking at the trace feeding the VPP on the flash chip, and its tied to basically ground in the PCM through a pull down resistor. The trace then goes off to somewhere else on the board. Kind of makes me think there is a secret output that needs to be enabled to supply the 12V needed to enable erase/writes.
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
I hear rumors that EFIconnection.com is working on a kit to allow the use of the newer '411 PCMs on the LT1 motors.Originally Posted by Fox95
I was thinking of using a '411 myself, as its a nice piece of hardware, but I already have most of the engine calibration mapped out on my older black box PCM, so Ill be using that instead.
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
interesting info, thanks for that...
Roadracing Crew Chief - World Superbike, British Superbike, Moto America.
I decided to return to this. I never really did persue writing or working on any flash utilities. But, Ive been tuning with only a pocket programmer, which is the most painfully sloooooow way to tune. Takes close to 10 minutes to reflash a 29SF400 chip.
So, Ive been taking a second look. I did some tracing and found that the Vpp of the flash chip is controlled by the voltage regulator IC, which is in turn mapped to Port F in the MCU. Set PF4 to 1, and voila, 12 V on the Vpp. I also have the OBD comms mapped out, so I have some idea of how to write an interface. This is all fine and good, but I would ideally like to work on a basic freeware util to allow interfacing with the black boxes in general, which leads back to the security keys.
I assume that each PCM has a unique seed and key assigned to it, correct? If so, how complicated is the function that generates teh key from the seed? Is it something relatively basic, or is it complicated? IOW, with a few seed/key pairs, would it be possible to generate a generic algo to get any key from a seed?
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
you realize we support the vortec, right?
just about all ECM's flash chips require a Vpp "signal" to enable flashing.
it is very hard to guess the seed/key algo - but it's not impossible
Chris...
I count sheep in hex...
are you talking about this part? Attachment 18930
http://www.hptuners.com/forum/showthread.php?t=1960
Last edited by AJxtcman; 07-12-2009 at 07:59 PM.
Yes, I realize that you support it. But, the level of control that Im looking for is typically well outside of whats offered by most commercial tuning packages (no offense). I actually hacked the OBD and engine portions of the calibration so I could essentially have access to everything. It seems like a lot of work, but in my experience, its really the only way to get the car to run the way I want it to.
This was underscored by how poorly the motor ran when I first started it up with the stock calibration. The reasons where beyond just fueling and spark. It actually really had to do with the fueling logic and how the airmass/transient airmass calcs are handled. With my setup, the fueling took far too long to respond. Even with all the lag removed and the fueling done in real time, I still couldn't rev the engine fast without a bang out the intake. I ultimately had to patch the code for the transient airmass calcs to allow for the type of non-linear control needed with a large CFM progressive TB and performance manifold. It seems like a lot of work, but it pays. Once you know how things work, it only takes a few days to do a complete tune.
Right now Im tuning with tunerpro RT and using 5 seperate definition files for the spark, system, fuel, closed loop/emmissions, and PID idle control. I would like to use HP Tuners, but to my knowledge, its not customizable, correct?
Also, another reason for the freeware stuff is that its nice to tinker with these and really learn how they work, and not just how to work them.
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
Ive seen that thread (good read, BTW). The info there is also within the PCM itself when you examine the OBD routines. But, there is still the sticky point of the seed/keys. When the PCM is socketed, its easy to bypass them, but it would be nice not to have to remove the chip and trick the computer into sending the key or bypassing the security algo.
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
Just install a Road Runner. You can tune using that and the Mansur Emutility to give you unlimited bin access. Last I checked the RR "guts" kit was compatible with the 98-00 black box PCM.
Jaime
I actually tried the RR in a blackbox. Its VERY difficult to package within the case and requires modifications to the RR unit to make it fit. I did get it to work for a time, but ran into trouble with the unit. There also may be long term durability issues as the unit is squished between the boards, and may overheat in certain situations. The chips get warm when the unit is being programmed by an external USB connection.
Heres a pic of the PCM socketed. I dont quite remember where I got the socket from, but its a ZIFF type that I mounted on the outside of teh case, and used 30 ga. wire to connect it to the pad for the flash chip. The sockets are the same ones used on the PP-II adapters, and are sold in bulk by some companies. I haven't seen them sold indiv. for quite some time, though. There are also surface mount sockets as well that are clamshell types that mount directly where the chip goes. Those may be a more economical choice.
Last edited by dimented24x7; 07-14-2009 at 02:13 AM.
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...
Ahh. I should have known you would have tried it.
Jaime
Ok, so I was playing with some seed/key pairs presumably posted for the '411 LS1 PCMs, and just by looking at the seed/key pairs a pattern became apparent. With some scribbling I came up with the algo for generating those few keys from the seeds. Basically its swap teh low and high bytes of the seed and subtract the result from 0x934D, which yeilds the key, at least with the few samples I have. Now, will my 98 PCM use a similar type algo for its seed/key pairs? IOW, are the seed/key algos generally based on teh same concept, or are there a variety of different algos in use?
Old rusty 88 Camaro
350 w/ Edelbrock victor EFI intake + 1000 CFM TB
'279 PCM with a custom tune and code patches by me
TKO 500, 1LE performance package, etc...