Awhile back there was a very detailed thread on EFILive site on how to gain access to a locked PCM. The thread was removed at the request of tuning shops and resellers. Did anyone happen to copy that information? I would like to be able unlock pcms of customers. I believe I have the required hardware with benchtop flashing cable and an avt 852. I have been playing with couple free pieces of software, not very special. HPTuners has some very old posts from when they were devopling their software with all the commands to get the info I want. I think I need a good communication program, a means of setting up the software to try each of the 65536 keys, and a means of recognizing when it has found the right one. Oh yeah, and a clue how to accomplish this!
Planethax developed some software for use with the elm327, I have yet to make it succesfully work, but this is what I am after. Does not have to be that fancy, just do the job.

I think the ability is there in the LS1 Flash Tool that is yet to be finished. Read the thread and maybe contact Antus to see how it needs to be set up to do the Seed/Key search.

http://www.gearhead-efi.com/Fuel-Injection/showthread.php?2073-LS1-Flash-Tool-Released

I contacted antus over on his forum about the flash tool. Does not sound like finishing the ls1 flash tool is a priority and no completion in the foreseeable future was the message I got. He is busy on some other project. Too bad, his tool has lots of potential.

Well it seemed to be a top priority when we started selling the cables, not sure how that changed or people would not have bought cables... :rolleye:

I've seen the Seed/Key search talked about, if you read the threads there it may have the info or version number that did it?

What PCMs do you need to unlock?
LS1 PCMs can be unlocked easily in under 15 min using other methods, I have unlocked several.

A while ago I was searching for the method to unlock newer PCMs (E38, E40, E67) which can't be unlocked with the method I use, but didn't find anything. Well, I know how it's done but don't know what hardware and software is used. There are people doing that but nobody shares, it's like finding the holy grail

I would like to be able to do 0411(p01) and p59 pcms. I would be interested to know how you do it in 15 mins?

I would like to be able to do 0411(p01) and p59 pcms. I would be interested to know how you do it in 15 mins?
I first desolder the flash chip, then overwrite the whole flash with a stock tune using a universal programmer. Last step is to solder the chip back to the PCM

Doing this you can read and write as usual.
I have a lot of practice soldering electronics, for an untrained individual it may take longer than 15 min. If you have no experience with this kind of work you can easily damage the PCM

How much would this equipment cost starting from scratch? Not the solution I had in mind but something to consider.

Like $150 for the programmer with the adapter plus the hot air station

I am very new to obd2 stuff, so what do yall mean when you say its locked? I have never heard of this before. I have seen several tuning threads in this section but never saw anyone mention unlocking a pcm first.

EFILive, HPTuners, and various handheld tuners modify the seed/key as a way of locking the pcm. I am not sure exactly what they do, I think it changes the location the data is stored at. When I try to access it with software I do have it shows finding the original seed but key it generates does not match. I have been able to put together that key algorithm for ls pcms is:

KEY = 934D - SwapHiLo(Seed)
So the formula goes like this
SEED = 0A69
KEY = 934D - SwapHiLo(SEED)
KEY = 934D - SwapHiLo(0A69)
KEY = 934D - 690A
KEY = 2A43
If resulting number is negative, use 1934d.

http://www.miniwebtool.com/hex-calculator/

it does not modify anything when just reading a ecm out. edit. I reread what you wrote. I see what your saying, just not how I would word it.
The ecm sends a seed, and you must reply with the correct key.

There are 256 seed/key combinations plus a few extra orphans as I understand it. There will be a tool like antus's released soon that will do 411's, and if the dev can find the time, many more GM ecms

dimented24x7's tool? Played with black box version.

I have no idea what the seed or key are, or what they even mean in reguards to a pcm. But if I am understanding it right, basicly once you tune a pcm with their software, it mods the code to where nothing else but their software can change or re-tune it?

It's not an inherent locking in the software, it's the tuner who chooses to lock the PCM using the software.

The procedure used to lock a PCM is very simple, as is the seed/key algorithm.
The PCM has a combination of one seed and one key stored in flash memory. When a programming device requests read/write access to the flash chip, the PCM first sends a seed to the device. The software must calculate the key and send it to the PCM.
If the key matches what the PCM has then grants access to the flash contents.

A tuning software can change the stored seed/key to another unknown value which can only be calculated by the same cable. It uses a different algorithm so no other programming device will be able to generate the correct key, thus preventing read/write access to the flash memory. Not even the dealer can unlock a tunerlocked PCM

this is how it looks unlocking pcm

sent: 6C 10 F0 27 01
recieved: 6C F0 10 67 01 33 A2
sent: 6C 10 F0 27 02 73 38
recieved: 6C F0 10 67 02 34


when you recieve 67 02 34 the pcm is unlocked, 34 means unlock

If you recieve something else key is wrong


If the key is wrong there is 10 sec delay before you can try again.
you will know this when you send 27 01 you will get refuse message and not get the seed.

You should always do seed request first, before you can try the key.

it should be easy to compile a brute force script,

Sounds easy when you know what your doing! Im pretty new to this side of things, have relied on someone else's software to do it for me. What software are you using to communicate with pcm?

you can try avt hex terminal if you have avt cable
for elm327 there is small program called stnterm.exe


this is how it looks using the avt term

Request:
05 6C 10 F0 27 01
Answer:
01 60 08 00 6C F0 10 67 01 33 A2
Request:
07 6C 10 F0 27 02 73 38
Answer:
01 60 07 00 6C F0 10 67 02 34



for now i didn`t figure it out how to make this process automated
if you can find someone who can write small program will be great

Brute force or just find someone with the tables that exist in the wild.

Brute force would be my prefered method. I have been trying to write some code to do it but my lack of experiance in this department is the limiting factor. Tables that exist in the wild? Not following, care to explain?

Still working on this if anyone has anything to add.