This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.
Printable View
This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.
Great find. It does save me a lot of work, reinventing the wheel.
Too bad Gm changed the algorithm recently.
Now it is time to make a chart with the PCM hardware id and OS/engine RPO vs algorithm number.
Thank you for sharing. However, I saw nothing in the document to indicate it's source.Quote:
This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.
What a neat idea.Quote:
Now it is time to make a chart with the PCM hardware id and OS/engine RPO vs algorithm number.
I am interested in seed / key algo for a BCM. Does it follow the same format as the PCM routine posted earlier?
Hi, New just now to this site and have a question... I am very interested in the seed/key algorithm. I began to write a program to do an automatic decode. The line "• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement" agrees with what I have done, but later in the document the line "Thus, given the seed 0x1234: a) ~0x1234 = 0xEDCB b) 0xEDCB ROR 3 = 0x7DB9 c) 0x7DB9 " shows him using a 1s complement. I believe the calculation is off. Hope this thread is still active.
Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms. If yes which of the 256. I have worked out where the seed and key is stored in the internal HC11 EEPROM. Just need to find a way to access it.
Hope there is still interest in a key gen...
Tom
It is number $05. It should be stored at $e00 address. You can communicate with both sides of the pcm to extract more data. Tside id is $10, Eside id is $18
It is always good to have more tools available. If you need some other pcm algo number, I can dig it out for you.
Thank you Kur40. I had figured the key & seed to be at $E00 thru $E03. Thank you for confirmation.
I will finish the keygen and try it out with $05. Great help!
I have a large part of the OBDII code dis-assembled and working to comment. Is this interesting to others? If yes, where should the result be posted when I complete it.
This is a generous offer. A tool to test seed/key algos could be useful.
How large is the disassembly file? If not too large you can upload it to its own thread and I or a mod can make it a sticky. If it's too large to upload send me a PM and we'll figure out another path.
Ok will do. I am not so sure of how the site works though. Once commented (estimate about a week or so) I will be in touch with size. I have found many of the code parameters from the OBD code. When I see a malf that pertains to an input I use that to describe the location it is in. Are there known sources for content of ram? Some are obvious others I am not so sure.
A sample of some of the code I am working on...
************************************************
* DISABLE NORMAL MESSAGE TRANSMISSION
* MODE 28
************************************************
D2F5 02 ; MINIMUM REQUEST LENGTH
D2F6 02 ; MAXIMUM REQUEST LENGTH
D2F7 F6 18 7C LDAB $187C ; DLC REQUEST DATA 1 FROM BUFFER
D2FA C1 00 CMPB #$00 ; LEVEL 0 ONLY SUPPORTED
D2FC 27 05 BEQ $D303 ;
D2FE BD DC 15 JSR $DC15 ; SUB-FUNCTION NOT SUPPORTED/INVALID FORMAT
D301 20 0B BRA $D30E ; TRANSMIT GENERAL RESPONSE MESSAGE
D303 F7 18 C9 STAB $18C9 ; REPLY DATA BUFFER 1 IS LEVEL
D306 14 7D 80 BSET @$7D,$80 ; DISABLE BACKGROUND MESSAGES
D309 C6 02 LDAB #$02 ; SET REPLY LENGTH
D30B F7 18 C7 STAB $18C7 ;
D30E BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D311 39 RTS ; DONE
************************************************
* ENABLE NORMAL MESSAGE TRANSMISSION
* MODE 29
************************************************
D312 01 ; MINIMUM REQUEST LENGTH
D313 01 ; MAXIMUM REQUEST LENGTH
D314 15 7D 80 BCLR @$7D,$80 ; ENABLE BACKGROUND MESSAGES
D317 C6 01 LDAB #$01 ; SET REPLY LENGTH
D319 F7 18 C7 STAB $18C7 ;
D31C BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D31F 39 RTS ; DONE
Hi,
I wrote a program to take the PCM seed and generate 256 keys (one for each of the algorithms) and throw it in a file. I ran into a problem with the complement instruction. The document defines it as
• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement
When I follow this, my key is off by one. I think this is because the high and low are reversed (LL > HH) or the sign is flipped (HH<LL). The difference is between one's and two's complement. I don't have the resources to figure this out.
When I run the program as it is in the attachment, I get the correct result for algorithm 0x5.
Hope this is of use to someone.
Cheers,
Tom
2`s complement is [ffff-value]+1. Are you are doing it that way.
Here is some basic disassembly I made for 96 lt4,and 94-95 lt1. The eside of 96-97 is almost identical to 94-95 code with some extra tables added and some obd2 test crap. You can take it for a starting point to figure out some of the unexplored area.
http://www.gearhead-efi.com/Fuel-Inj...ll=1#post68150
I see your coding skills are above average. If you want we can write a program that can read/write that pcm with an elm device. I have all the data needed on the pcm side. Actually the process is identical to 94-95 pcm, just the communication protocol is different and some extra step is needed on t-side bank switching.
Easiest for 1's and 2's for me is ...
calc_acc = ~calc_seed; // One's
calc_acc = -calc_seed; // Two's
Thank you for your post, I will look through the thread. I would like to write that program you suggest.
I have disassembled all the code but making sense of it is not easy. In some ways the OBDII makes things easier because there are more points of reference.
I started on this project many years ago and got side tracked by other things. I came back to it with the intent of figuring it all out. We will see how far we can get.
I will start a thread soon with the OBDII code and see if there is interest here.
Oh... because you have almost the same hardware, I have a question. There is an analog mux between the 'hc11 a/ds and the inputs. It looks to me as if this is a dual 8:1 mux or perhaps two chips.
My commenting looks like this...
68B0 CE 10 02 LDX #$1002 ; EXTERNAL ANALOG MULTIPLEXER
68B3 1D 00 07 BCLR $00,X,$07 ; SELECT NO INPUT
68B6 86 02 LDAA #$02 ; NO CHANGE TO 5MSB
68B8 AA 00 ORRA $00,X ; SELECT INPUT 2
68BA A7 00 STAA $00,X ;
68BC 86 05 LDAA #$05 ; START A/D ON CH5
68BE B7 10 30 STAA $1030 ; REAL TIME DELAY
68C1 3D MUL ;
68C2 3D MUL ;
68C3 3D MUL ;
68C4 01 NOP ;
68C5 B6 10 31 LDAA $1031 ;
68C8 B7 01 09 STAA $0109 ; RAW ENGINE COOLANT SENSOR ANALOG
What can you tell me about the hardware analog mux? Do we know a part number/brand. All I see on the chips are house numbers.
Cheers,
Tom
Code:FSR:1000 ; ===========================================================================
FSR:1000
FSR:1000 ; Segment type: Pure dataFSR:1000 ; segment FSR
FSR:1000 org $1000
FSR:1000 PORTA: fcb $44 ; DATA XREF: __RESET-AC0Dw
FSR:1000 ; __RESET-A8B4r ...
FSR:1000 ; Port A data
FSR:1000 ; cleared at reset
FSR:1001 DDRA: fcb $F8 ; DATA XREF: __RESET-AC1Bw
FSR:1001 ; STATBYTESETsub_62B2+Aw
FSR:1001 ; Data Direction Port A
FSR:1001 ; loaded with $F8
FSR:1002 PORTG: fcb $F0 ; DATA XREF: __RESET-AC0Aw
FSR:1002 ; ADR_PLUSsub_ECEE+F9r ...
FSR:1002 ; Port G Data
FSR:1002 ; cleared with reset
FSR:1002 ; 0 ; 1 ; 2 ; 3 ; 4
FSR:1003 DDRG: fcb $F ; DATA XREF: __RESET-AC16w
FSR:1003 ; STATBYTESETsub_62B2+Fw
FSR:1003 ; Data Direction PortG
FSR:1003 ; loaded with $07
FSR:1004 PORTB: fcb $FF ; Port B Data
FSR:1005 PORTF: fcb $FF ; Data Port F
FSR:1006 PORTC: fcb $FF ; Data Port C
FSR:1007 DDRC: fcb $FF ; Data Direction for Port C
FSR:1008 PORTD: fcb $2D ; DATA XREF: __RESET-AC07w
FSR:1008 ; OC4I+5E2r ...
FSR:1008 ; Port D Data
FSR:1008 ; cleared at reset
FSR:1009 DDRD: fcb $3F ; DATA XREF: __RESET-AC11w
FSR:1009 ; STATBYTESETsub_62B2+14w
FSR:1009 ; Data Direction for Port D
FSR:1009 ; loaded with $3E
FSR:100A PORTE: fcb $49 ; I ; Port E Data
FSR:100B CFORC: fcb 0 ; DATA XREF: STATBYTESETsub_62B2+42w
FSR:100B ; Compare Force Register
FSR:100C OC1M: fcb 8 ; DATA XREF: __RESET-ABF8w
FSR:100C ; STATBYTESETsub_62B2+28w ...
FSR:100C ; OC1 Action Mask Register
FSR:100C ; loaded with $08
FSR:100D OC1D: fcb 0 ; DATA XREF: __RESET-ABF4w
FSR:100D ; STATBYTESETsub_62B2+2Cw
FSR:100D ; OC1 Action Data Register
FSR:100D ; cleared at reset
FSR:100E TCNTH: fcb $11 ; DATA XREF: __RESET-A5DCr
FSR:100E ; __RESET-A5D3r ...
FSR:100E ; Timer Counter Register (High)
FSR:100F TCNTL: fcb $A2 ; â ; Timer Counter Register (Low)
FSR:1010 TIC1H: fcb $FF ; Input Capture 1 Register (High)
FSR:1011 TIC1L: fcb $FF ; Input Capture 1 Register (Low)
FSR:1012 TIC2H: fcb $FF ; Input Capture 2 Register (High)
FSR:1013 TIC2L: fcb $FF ; Input Capture 2 Register (Low)
FSR:1014 TIC3H: fcb $FF ; DATA XREF: IC3I:loc_5055r
FSR:1014 ; IC3I:loc_5070r
FSR:1014 ; Input Capture 3 Register (High)
FSR:1015 TIC3L: fcb $FF ; Input Capture 3 Register (Low)
FSR:1016 TOC1H: fcb $CF ; ¦ ; DATA XREF: __RESET-A5D6w
FSR:1016 ; OC1I:loc_50E9r ...
FSR:1016 ; Output Compare 1 Register (High)
FSR:1017 TOC1L: fcb $2F ; / ; Output Compare 1 Register (Low)
FSR:1018 TOC2H: fcb $FF ; Output Compare 2 Register (High)
FSR:1019 TOC2L: fcb $FF ; Output Compare 2 Register (Low)
FSR:101A TOC3H: fcb $FF ; Output Compare 3 Register (High)
FSR:101B TOC3L: fcb $FF ; Output Compare 3 Register (Low)
FSR:101C TOC4H: fcb $AC ; ì ; DATA XREF: __RESET-A5CDw
FSR:101C ; OC4Ir ...
FSR:101C ; Output Compare 4 Register (High)
FSR:101D TOC4L: fcb $43 ; C ; Output Compare 4 Register (Low)
FSR:101E TCO5H: fcb $CF ; ¦ ; DATA XREF: OC1I:loc_50FEw
FSR:101E ; Output Compare 5 Register (High)
FSR:101F TCO5L: fcb $2F ; / ; Output Compare 5 Register (Low)
FSR:1020 TCTL1: fcb 3 ; DATA XREF: __RESET-ABEFw
FSR:1020 ; STATBYTESETsub_62B2+31w ...
FSR:1020 ; Timer Control Register 1
FSR:1020 ; loaded with $03
FSR:1021 TCTL2: fcb 1 ; DATA XREF: __RESET-ABEAw
FSR:1021 ; Timer Control Register 2
FSR:1021 ; loaded with $01
FSR:1022 TMSK1: fcb 0 ; DATA XREF: __RESET-A5C8w
FSR:1022 ; MAINsub_4F8D+973w ...
FSR:1022 ; Timer Interrupt Mask Register 1
FSR:1023 TFLG1: fcb $F8 ; DATA XREF: __RESET-A5DFw
FSR:1023 ; OC4I+Bw ...
FSR:1023 ; Timer Interrupt Flag Register 1
FSR:1024 TMSK2: fcb 3 ; DATA XREF: __RESET-AC3Dw
FSR:1024 ; ALDL_sub_B822+1F5w ...
FSR:1024 ; Timer Interrupt Mask Register 2
FSR:1024 ; loaded with $03
FSR:1025 TFLG2: fcb $C0 ; DATA XREF: ALDL_sub_B822+3EEw
FSR:1025 ; DOWNLOAD_BIN_00_01sub_BCB0:loc_BCD9r ...
FSR:1025 ; Timer Interrupt Flag Register 2
FSR:1026 PACTL: fcb 0 ; Pulse Accumulator Control Register
FSR:1027 PACNT: fcb 0 ; Pulse Accumulator Count Register
FSR:1028 SPCR: fcb $54 ; DATA XREF: __RESET-ABD6w
FSR:1028 ; OC4I+C4w ...
FSR:1028 ; Serial Peripheral Control Register
FSR:1028 ; loaded with $44
FSR:1029 SPSR: fcb $80 ; DATA XREF: OC4I+D2r
FSR:1029 ; OC4I+E8r ...
FSR:1029 ; Serial Peripheral Status Register
FSR:102A SPDR: fcb 0 ; DATA XREF: OC4I+D5w
FSR:102A ; OC4I+E1r ...
FSR:102A ; SPI Data Register
FSR:102B BAUD: fcb $13 ; DATA XREF: __RESET-AC02w
FSR:102B ; STATBYTESETsub_62B2+19w
FSR:102B ; Baud Rate
FSR:102B ; loaded with $13
FSR:102C SCCR1: fcb 0 ; DATA XREF: STATBYTESETsub_62B2+3Fw
FSR:102C ; SCI Control Register
FSR:102D SCCR2: fcb 8 ; DATA XREF: __RESET-A5E4w
FSR:102D ; OC4I+5D8w ...
FSR:102D ; SCCR2 - SCI Control Register 2 $102D
FSR:102D ; RESET: 0 0 0 0 0 0 0 0
FSR:102D ;
FSR:102D ; $80 TIE - Transmit Interrupt Enable
FSR:102D ; 0 = TDRE interrupts disabled
FSR:102D ; 1 = SCI interrupt requested when TDRE status flag is set
FSR:102D ; $40 TCIE - Transmit Complete Interrupt Enable
FSR:102D ; 0 = TC interrupts disabled
FSR:102D ; 1 = SCI interrupt requested when TC status flag is set
FSR:102D ; $20 RIE - Receiver Interrupt Enable
FSR:102D ; 0 = RDRF and OR interrupts disabled
FSR:102D ; 1 = SCI interrupt requested when RDRF flag or the OR status flag is set
FSR:102D ; $10 ILIE - Idle-Line Interrupt Enable
FSR:102D ; 0 = IDLE interrupts disabled
FSR:102D ; 1 = SCI interrupt requested when IDLE status flag is set
FSR:102D ; $08 TE - Transmitter
FSR:102D ; 0 = Transmitter disabled
FSR:102D ; 1 = Transmitter enabled
FSR:102D ; $04 RE - Receiver Enable
FSR:102D ; 0 = Receiver disabled
FSR:102D ; 1 = Receiver enabled
FSR:102D ; $02 RWU - Receiver Wakeup Control
FSR:102D ; 0 = Normal SCI receiver
FSR:102D ; 1 = Wakeup enabled and receiver interrupts inhibited
FSR:102D ; $01 SBK - Send Break At least one c
FSR:102E SCSR: fcb 0 ; DATA XREF: __RESET-A5ECr
FSR:102E ; MAINsub_4F8D+FF9r ...
FSR:102E ; SCSR - SCI Status Register $102E
FSR:102E ; TDRE TC RDRF IDLE OR NF FE -
FSR:102E ; RESET: 1 1 0 0 0 0 0 0
FSR:102E ;
FSR:102E ; $80 TDRE - Transmit Data Register Empty Flag
FSR:102E ; This flag is set when SCDR is empty. Clear the TDRE flag by reading SCSR and then
FSR:102E ; writing to SCDR.
FSR:102E ; 0 = SCDR busy
FSR:102E ; 1 = SCDR empty
FSR:102E ; $40 TC - Transmit Complete Flag
FSR:102E ; 0 = Transmitter busy
FSR:102E ; 1 = Transmitter idle
FSR:102E ; $20 RDRF - Receive Data Register Full Flag
FSR:102E ; . 0 = SCDR empty
FSR:102E ; 1 = SCDR full
FSR:102E ; $10 IDLE - Idle Line Detected Flag
FSR:102E ; 0 = RxD line is active
FSR:102E ; 1 = RxD line is idle
FSR:102E ; $08 OR - Overrun Error Flag
FSR:102E ; 0 = No overrun
FSR:102E ; 1 = Overrun detected
FSR:102E ; $04 NF - Noise Error Flag
FSR:102E ; 0 = Unanimous decision
FSR:102E ; 1 = Noise detected
FSR:102E ; $02 FE - Framing Error
FSR:102E ; 0 = Stop bit detected
FSR:102E ; 1 = Zero detected
FSR:102E ; $01 empty
FSR:102F SCDR: fcb $6D ; DATA XREF: __RESET-A5E9r
FSR:102F ; MAINsub_4F8D+FFCw ...
FSR:102F ; SCDR - SCI Data Register $102F
FSR:102F ; Bit 7 6 5 4 3 2 1 Bit 0
FSR:102F ; R7/T7 R6/T6 R5/T5 R4/T4 R3/T3 R2/T2 R1/T1 R0/T0
FSR:102F ; RESET: I I I I I I I I
FSR:1030 ADCTL: fcb $87 ; DATA XREF: __RESET-AB26w
FSR:1030 ; __RESET-AB0Aw ...
FSR:1030 ; A_D Control Register
FSR:1031 ADR1: fcb $73 ; DATA XREF: __RESET-AB1Fr
FSR:1031 ; __RESET-AB03r ...
FSR:1031 ; ADR
FSR:1031 ; #5-0 AD TPS
FSR:1031 ; #5 01 AD MAP
FSR:1031 ; #5-2 AD COOLANT=byte_109, filtr....
FSR:1031 ; #5-3 AD =byte_10a,Byte_255 fitr Byte_256-258,word_25d-26b
FSR:1031 ; #6 L02 ad
FSR:1031 ; #7 R02 ad
FSR:1031 ; #7-1 AD ??=byte_118,filt=1b15,1b16
FSR:1031 ; #7-7?? ad TRANSMISSION INPUT VOLTS
FSR:1031 ; #$10 ad ac press, egr ad pos
FSR:1032 ADR2: fcb $73 ; DATA XREF: OC4I+69r
FSR:1032 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+40r
FSR:1032 ; A_D Result Register 2
FSR:1033 ADR3: fcb $72 ; DATA XREF: OC4I+6Er
FSR:1033 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+13r ...
FSR:1033 ; A_D Result Register 3
FSR:1034 ADR4: fcb $73 ; DATA XREF: OC4I+73r
FSR:1034 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+52r
FSR:1034 ; A_D Result Register 4
FSR:1035 BPROT: fcb $11 ; DATA XREF: __RESET-AC3Aw
FSR:1035 ; __RESET:loc_4290w
FSR:1035 ; Block Protect Register
FSR:1035 ; byte_200=$AA load with $10
FSR:1035 ; byte_200=$55 load with word_201E first byte
FSR:1035 ; byte_200=not $AA or $55 load with $11
FSR:1036 RESERV36: fcb 0 ; RESERVED
FSR:1037 RESERV37: fcb 0 ; RESERVED
FSR:1038 OPT2: fcb 0 ; DATA XREF: __RESET-ABDBw
FSR:1038 ; STATBYTESETsub_62B2+4Bw
FSR:1038 ; System Configuration Options 2
FSR:1038 ; cleared at reset
FSR:1039 OPTION: fcb $99 ; DATA XREF: __RESET-AC42w
FSR:1039 ; System Configuration Options
FSR:1039 ; loaded with $99
FSR:103A COPRST: fcb 0 ; DATA XREF: sub_3B04+25w
FSR:103A ; sub_3B04+2Aw ...
FSR:103A ; Arm_Reset COP Timer Circuitry
FSR:103B PPROG: fcb 0 ; DATA XREF: MAINsub_4F8D+109Ew
FSR:103B ; MAINsub_4F8D+10AAw ...
FSR:103B ; EEPROM Program Control Register
FSR:103C HPRIO: fcb $35 ; DATA XREF: __RESET-AC20w
FSR:103C ; STATBYTESETsub_62B2+23w
FSR:103C ; Highest Priority I-Bit Int and Misc
FSR:103C ; loaded with $15
FSR:103D INIT: fcb 1 ; DATA XREF: __RESET-AC47w
FSR:103D ; RAM and I_O Mapping Register
FSR:103D ; loaded with $01
FSR:103E TEST1: fcb 0 ; Factory Test
These are the registers ID you might be missing.
The multiplexer configuration varies by pcms so I can`t help much on that. Maybe a some high res pictures on the 97 pcm board can be used for comparison.
Does this make more sense. Anyway you should trace the channels on the board hardware. Robertisaar has done that on similar 94 v6 pcm, but he is not very active lately.Code:ldx #PORTG [$1002] ; L02 AD
bclr 0,x 7
ldaa #3
oraa 0,x
staa 0,x
sei
ldaa #6
staa ADCTL [$1030] ; A_D Control Register
mul
mul
mul
nop
ldaa ADR1 [$1031] ; A_D Result Register 1
staa byte_124
Most of the code is data coversion, table lookup and interpolation. There is a lot of obd2 stuff that really does nothing. Much easier is to focus on result of the subroutine and the purpose of it.
Does this add 1 to the final result. You said it is off by one. Is it off by +1 or -1 on 2`s complement.Quote:
Easiest for 1's and 2's for me is ...
calc_acc = ~calc_seed; // One's
calc_acc = -calc_seed; // Two's
Hi,
In the '97 code, A/D uses this sort of code with a small change to the code "ORRA" to other values. Each represents a different analog... I *think* I know which they are but need to be more sure. There are only two of the four channels of a/d used but each has (i think) an 8:1 analog mux in front. That would get to 16 analog values o2 sensors, engine coolant temp, air temp, corvette oil temp, transmission temp, battery voltage and so on. I almost have a complete list now. If I can find a list of the PIDs somewhere that would almost solve this. <sigh>
<edit> Just for clarity.. #$1002 is port G. Code clears the lower 3 bits which switch the mux. Code then ORs the lower 3 bits so as not to change the upper 5. Then runs the a/d and waits real time for the conversion to finish. The case I show is for MAP sensor (I think) <edit>
My bench test ECM setup is almost done. I cracked open a doner ECM, pinned out all the wires to barrier strips. Things are much easier with a good test setup. I will inject signal into the unit to resolve inputs IF I can't find good PID info.
* A/D 5, INPUT 1
6773 CE 10 02 LDX #$1002 ; EXTERNAL ANALOG MULTIPLEXER
6776 1D 00 07 BCLR $00,X,$07 ; CLEAR THE INPUT SELECTION BITS
6779 86 01 LDAA #$01 ; NO CHANGE TO 5 MSB
677B AA 00 ORRA $00,X ; SELECT INPUT 1
677D A7 00 STAA $00,X ;
677F 86 05 LDAA #$05 ; START A/D CH5
6781 B7 10 30 STAA $1030 ; READ MANAFOLD ABSOLUTE PRESSURE?
6784 3D MUL ; REAL TIME DELAY
6785 3D MUL ;
6786 3D MUL ;
6787 01 NOP ; TOTAL OF 31 CYCLES
6788 B6 10 31 LDAA $1031 ; READ MAP SENSOR
678B 81 0B CMPA #$0B ; TEST ANALOG
678D 22 38 BHI $67C7 ; BRANCH
Your question re complement: In c, c++ the ~operator does a not function. That is flip each bit. That's it... one's complement. Two's complement changes sign thus negating the value gives you two's comp.
The code I sent has been fixed such that it works for my case. The problem I raise is that the way I fixed it leaves one end case as a question. Depending on how you fix it will give a different result for HH = LL case
I believe the document had a typo and the code is now OK. but without testing that case....
I have not used boards like this before. How do you insert those frames with code in them??
-Tom
I sent you a pm.Quote:
If I can find a list of the PIDs somewhere that would almost solve this.
Most of the code runs on a valid opti signal. So you need to generate that type of signal first to unlock the full code running for all kind of experiments.Quote:
I will inject signal into the unit to resolve inputs
Most of the inputs and switches will report changes without the opti signal. If you go through the obd1 disassembly you will notice that the main engine running irq loop is 90% the same with the obd2 stuff. That will help you to quickly identify most of the engine related stuff. The map, tps and other sensor AD conversion is identical.
AT least on the 2`s complement checksum calculations when you negate the number, you add 1 to it. So when you add the checksum to the calculated sum you get zero. Maybe that`s the case here.Quote:
Two's complement changes sign thus negating the value gives you two's comp.
You type "[CODE] ...data... paranthesis/CODE]"Quote:
How do you insert those frames with code in them??
On the advanced reply menu there is the # symbol that will do the same.
Maybe that is the case here.
After playing with some of the algos and manually converting some of them to figure how it works, I found some inaccuracies in the manual.
The 1`s complement and 2`s complement are switche
The correct way to do it should be
0x2A = Complement – if HH>LL use 1’s complement, else use 2’s complement
This was checked for sure on algo 00, and verified on some other algos. It is known for sure that the formula of algo 00 is flip bits[or 1`s complement]
oo algo
2A [A9 >21]
So 1`s complemet is flip bits or [FFFF-value]
2`s complemets is flip bits and add 1, or [FFFF-value]+1
Here are some valid combos for anybody that wants to manually convert the seed.
05 [4F EE/ 53 A8
06 [4F EE/ 42 C7
07 [4F EE/ 15 29
07 [53 4C/ 89 37
10 [4F EE/ 2F 96
0D [4F EE/ 5D 94
0C [08 97/ E6 0E
22 [4F EE/ CA F2
28 [4F EE/ A4 FE
36 [4F EE/ AB 5D
12 [39 46/ 71 47
Tom H can you run 4F EE seed in your app with all the algos and post the result for comparison. I can verify it and confirm that the calc are correct.
Keyset for seed: 4FEE
Seed: 4FEE Key: B011 Algorithm: 0 EL327 command: 2702B011
Seed: 4FEE Key: A214 Algorithm: 1 EL327 command: 2702A214
Seed: 4FEE Key: 1F9E Algorithm: 2 EL327 command: 27021F9E
Seed: 4FEE Key: C22D Algorithm: 3 EL327 command: 2702C22D
Seed: 4FEE Key: 61DB Algorithm: 4 EL327 command: 270261DB
Seed: 4FEE Key: 53A8 Algorithm: 5 EL327 command: 270253A8
Seed: 4FEE Key: 42C7 Algorithm: 6 EL327 command: 270242C7
Seed: 4FEE Key: 1529 Algorithm: 7 EL327 command: 27021529
Seed: 4FEE Key: 90D7 Algorithm: 8 EL327 command: 270290D7
Seed: 4FEE Key: 9F95 Algorithm: 9 EL327 command: 27029F95
Seed: 4FEE Key: 0BAA Algorithm: A EL327 command: 27020BAA
Seed: 4FEE Key: B157 Algorithm: B EL327 command: 2702B157
Seed: 4FEE Key: 8EC7 Algorithm: C EL327 command: 27028EC7
Seed: 4FEE Key: 5D94 Algorithm: D EL327 command: 27025D94
Seed: 4FEE Key: A3AE Algorithm: E EL327 command: 2702A3AE
Seed: 4FEE Key: 283A Algorithm: F EL327 command: 2702283A
Seed: 4FEE Key: 2F96 Algorithm: 10 EL327 command: 27022F96
Seed: 4FEE Key: A63C Algorithm: 11 EL327 command: 2702A63C
Seed: 4FEE Key: C173 Algorithm: 12 EL327 command: 2702C173
Seed: 4FEE Key: 8DF5 Algorithm: 13 EL327 command: 27028DF5
Seed: 4FEE Key: 2E31 Algorithm: 14 EL327 command: 27022E31
Seed: 4FEE Key: 52C9 Algorithm: 15 EL327 command: 270252C9
Seed: 4FEE Key: 57B3 Algorithm: 16 EL327 command: 270257B3
Seed: 4FEE Key: 5C61 Algorithm: 17 EL327 command: 27025C61
Seed: 4FEE Key: 433C Algorithm: 18 EL327 command: 2702433C
Seed: 4FEE Key: 37B4 Algorithm: 19 EL327 command: 270237B4
Seed: 4FEE Key: 88D6 Algorithm: 1A EL327 command: 270288D6
Seed: 4FEE Key: D5A8 Algorithm: 1B EL327 command: 2702D5A8
Seed: 4FEE Key: C40D Algorithm: 1C EL327 command: 2702C40D
Seed: 4FEE Key: 546D Algorithm: 1D EL327 command: 2702546D
Seed: 4FEE Key: 2493 Algorithm: 1E EL327 command: 27022493
Seed: 4FEE Key: DD3E Algorithm: 1F EL327 command: 2702DD3E
Seed: 4FEE Key: A162 Algorithm: 20 EL327 command: 2702A162
Seed: 4FEE Key: C42C Algorithm: 21 EL327 command: 2702C42C
Seed: 4FEE Key: CAF2 Algorithm: 22 EL327 command: 2702CAF2
Seed: 4FEE Key: 4057 Algorithm: 23 EL327 command: 27024057
Seed: 4FEE Key: A6E5 Algorithm: 24 EL327 command: 2702A6E5
Seed: 4FEE Key: 0BD2 Algorithm: 25 EL327 command: 27020BD2
Seed: 4FEE Key: 0FC2 Algorithm: 26 EL327 command: 27020FC2
Seed: 4FEE Key: 0100 Algorithm: 27 EL327 command: 27020100
Seed: 4FEE Key: A4FE Algorithm: 28 EL327 command: 2702A4FE
Seed: 4FEE Key: 81C0 Algorithm: 29 EL327 command: 270281C0
Seed: 4FEE Key: 9E1F Algorithm: 2A EL327 command: 27029E1F
Seed: 4FEE Key: 1930 Algorithm: 2B EL327 command: 27021930
Seed: 4FEE Key: 0A5F Algorithm: 2C EL327 command: 27020A5F
Seed: 4FEE Key: A966 Algorithm: 2D EL327 command: 2702A966
Seed: 4FEE Key: C73C Algorithm: 2E EL327 command: 2702C73C
Seed: 4FEE Key: F986 Algorithm: 2F EL327 command: 2702F986
Seed: 4FEE Key: CA58 Algorithm: 30 EL327 command: 2702CA58
Seed: 4FEE Key: 083B Algorithm: 31 EL327 command: 2702083B
Seed: 4FEE Key: 37AF Algorithm: 32 EL327 command: 270237AF
Seed: 4FEE Key: B2D3 Algorithm: 33 EL327 command: 2702B2D3
Seed: 4FEE Key: 419B Algorithm: 34 EL327 command: 2702419B
Seed: 4FEE Key: 7FE0 Algorithm: 35 EL327 command: 27027FE0
Seed: 4FEE Key: AB5D Algorithm: 36 EL327 command: 2702AB5D
Seed: 4FEE Key: F90F Algorithm: 37 EL327 command: 2702F90F
Seed: 4FEE Key: 8333 Algorithm: 38 EL327 command: 27028333
Seed: 4FEE Key: 2C07 Algorithm: 39 EL327 command: 27022C07
Seed: 4FEE Key: 3193 Algorithm: 3A EL327 command: 27023193
Seed: 4FEE Key: 3597 Algorithm: 3B EL327 command: 27023597
Seed: 4FEE Key: 040E Algorithm: 3C EL327 command: 2702040E
Seed: 4FEE Key: 709E Algorithm: 3D EL327 command: 2702709E
Seed: 4FEE Key: 72E3 Algorithm: 3E EL327 command: 270272E3
Seed: 4FEE Key: 47A8 Algorithm: 3F EL327 command: 270247A8
Seed: 4FEE Key: 83AC Algorithm: 40 EL327 command: 270283AC
Seed: 4FEE Key: 0472 Algorithm: 41 EL327 command: 27020472
Seed: 4FEE Key: D4A6 Algorithm: 42 EL327 command: 2702D4A6
Seed: 4FEE Key: 453B Algorithm: 43 EL327 command: 2702453B
Seed: 4FEE Key: 091C Algorithm: 44 EL327 command: 2702091C
Seed: 4FEE Key: 926E Algorithm: 45 EL327 command: 2702926E
Seed: 4FEE Key: E212 Algorithm: 46 EL327 command: 2702E212
Seed: 4FEE Key: 53BA Algorithm: 47 EL327 command: 270253BA
Seed: 4FEE Key: 11E1 Algorithm: 48 EL327 command: 270211E1
Seed: 4FEE Key: C98F Algorithm: 49 EL327 command: 2702C98F
Seed: 4FEE Key: 41C8 Algorithm: 4A EL327 command: 270241C8
Seed: 4FEE Key: 9E3F Algorithm: 4B EL327 command: 27029E3F
Seed: 4FEE Key: A7AF Algorithm: 4C EL327 command: 2702A7AF
Seed: 4FEE Key: 1598 Algorithm: 4D EL327 command: 27021598
Seed: 4FEE Key: 4500 Algorithm: 4E EL327 command: 27024500
Seed: 4FEE Key: A1FD Algorithm: 4F EL327 command: 2702A1FD
Seed: 4FEE Key: ACC4 Algorithm: 50 EL327 command: 2702ACC4
Seed: 4FEE Key: A201 Algorithm: 51 EL327 command: 2702A201
Seed: 4FEE Key: 5332 Algorithm: 52 EL327 command: 27025332
Seed: 4FEE Key: FA8B Algorithm: 53 EL327 command: 2702FA8B
Seed: 4FEE Key: B0AF Algorithm: 54 EL327 command: 2702B0AF
Seed: 4FEE Key: E915 Algorithm: 55 EL327 command: 2702E915
Seed: 4FEE Key: 3650 Algorithm: 56 EL327 command: 27023650
Seed: 4FEE Key: B8F6 Algorithm: 57 EL327 command: 2702B8F6
Seed: 4FEE Key: 58ED Algorithm: 58 EL327 command: 270258ED
Seed: 4FEE Key: F495 Algorithm: 59 EL327 command: 2702F495
Seed: 4FEE Key: D46B Algorithm: 5A EL327 command: 2702D46B
Seed: 4FEE Key: 58C6 Algorithm: 5B EL327 command: 270258C6
Seed: 4FEE Key: 77F0 Algorithm: 5C EL327 command: 270277F0
Seed: 4FEE Key: 54B2 Algorithm: 5D EL327 command: 270254B2
Seed: 4FEE Key: 1D9E Algorithm: 5E EL327 command: 27021D9E
Seed: 4FEE Key: 212F Algorithm: 5F EL327 command: 2702212F
Seed: 4FEE Key: B7DD Algorithm: 60 EL327 command: 2702B7DD
Seed: 4FEE Key: 7BB6 Algorithm: 61 EL327 command: 27027BB6
Seed: 4FEE Key: F194 Algorithm: 62 EL327 command: 2702F194
Seed: 4FEE Key: 42DF Algorithm: 63 EL327 command: 270242DF
Seed: 4FEE Key: A2B4 Algorithm: 64 EL327 command: 2702A2B4
Seed: 4FEE Key: 79D3 Algorithm: 65 EL327 command: 270279D3
Seed: 4FEE Key: 9BB3 Algorithm: 66 EL327 command: 27029BB3
Seed: 4FEE Key: C601 Algorithm: 67 EL327 command: 2702C601
Seed: 4FEE Key: CD43 Algorithm: 68 EL327 command: 2702CD43
Seed: 4FEE Key: 072E Algorithm: 69 EL327 command: 2702072E
Seed: 4FEE Key: 6FF7 Algorithm: 6A EL327 command: 27026FF7
Seed: 4FEE Key: AA42 Algorithm: 6B EL327 command: 2702AA42
Seed: 4FEE Key: FFA6 Algorithm: 6C EL327 command: 2702FFA6
Seed: 4FEE Key: FB10 Algorithm: 6D EL327 command: 2702FB10
Seed: 4FEE Key: 041D Algorithm: 6E EL327 command: 2702041D
Seed: 4FEE Key: 6D61 Algorithm: 6F EL327 command: 27026D61
Seed: 4FEE Key: 8992 Algorithm: 70 EL327 command: 27028992
Seed: 4FEE Key: BBFE Algorithm: 71 EL327 command: 2702BBFE
Seed: 4FEE Key: 5197 Algorithm: 72 EL327 command: 27025197
Seed: 4FEE Key: 1081 Algorithm: 73 EL327 command: 27021081
Seed: 4FEE Key: 3C00 Algorithm: 74 EL327 command: 27023C00
Seed: 4FEE Key: A657 Algorithm: 75 EL327 command: 2702A657
Seed: 4FEE Key: 239D Algorithm: 76 EL327 command: 2702239D
Seed: 4FEE Key: 268B Algorithm: 77 EL327 command: 2702268B
Seed: 4FEE Key: 2E3B Algorithm: 78 EL327 command: 27022E3B
Seed: 4FEE Key: E375 Algorithm: 79 EL327 command: 2702E375
Seed: 4FEE Key: 365B Algorithm: 7A EL327 command: 2702365B
Seed: 4FEE Key: 6286 Algorithm: 7B EL327 command: 27026286
Seed: 4FEE Key: 55A0 Algorithm: 7C EL327 command: 270255A0
Seed: 4FEE Key: BB26 Algorithm: 7D EL327 command: 2702BB26
Seed: 4FEE Key: 5308 Algorithm: 7E EL327 command: 27025308
Seed: 4FEE Key: E4F9 Algorithm: 7F EL327 command: 2702E4F9
Seed: 4FEE Key: 06C4 Algorithm: 80 EL327 command: 270206C4
Seed: 4FEE Key: 889F Algorithm: 81 EL327 command: 2702889F
Seed: 4FEE Key: 2F29 Algorithm: 82 EL327 command: 27022F29
Seed: 4FEE Key: F2A0 Algorithm: 83 EL327 command: 2702F2A0
Seed: 4FEE Key: E8D1 Algorithm: 84 EL327 command: 2702E8D1
Seed: 4FEE Key: FD35 Algorithm: 85 EL327 command: 2702FD35
Seed: 4FEE Key: 1B4A Algorithm: 86 EL327 command: 27021B4A
Seed: 4FEE Key: B93B Algorithm: 87 EL327 command: 2702B93B
Seed: 4FEE Key: 1009 Algorithm: 88 EL327 command: 27021009
Seed: 4FEE Key: BB2E Algorithm: 89 EL327 command: 2702BB2E
Seed: 4FEE Key: CD12 Algorithm: 8A EL327 command: 2702CD12
Seed: 4FEE Key: B2F3 Algorithm: 8B EL327 command: 2702B2F3
Seed: 4FEE Key: 0EC2 Algorithm: 8C EL327 command: 27020EC2
Seed: 4FEE Key: 0C46 Algorithm: 8D EL327 command: 27020C46
Seed: 4FEE Key: 1905 Algorithm: 8E EL327 command: 27021905
Seed: 4FEE Key: 78AA Algorithm: 8F EL327 command: 270278AA
Seed: 4FEE Key: 4127 Algorithm: 90 EL327 command: 27024127
Seed: 4FEE Key: 118E Algorithm: 91 EL327 command: 2702118E
Seed: 4FEE Key: 9319 Algorithm: 92 EL327 command: 27029319
Seed: 4FEE Key: 9289 Algorithm: 93 EL327 command: 27029289
Seed: 4FEE Key: F6CC Algorithm: 94 EL327 command: 2702F6CC
Seed: 4FEE Key: 0F32 Algorithm: 95 EL327 command: 27020F32
Seed: 4FEE Key: 5256 Algorithm: 96 EL327 command: 27025256
Seed: 4FEE Key: 4FF2 Algorithm: 97 EL327 command: 27024FF2
Seed: 4FEE Key: 038B Algorithm: 98 EL327 command: 2702038B
Seed: 4FEE Key: 26D4 Algorithm: 99 EL327 command: 270226D4
Seed: 4FEE Key: D611 Algorithm: 9A EL327 command: 2702D611
Seed: 4FEE Key: 9CAB Algorithm: 9B EL327 command: 27029CAB
Seed: 4FEE Key: EDEB Algorithm: 9C EL327 command: 2702EDEB
Seed: 4FEE Key: 224F Algorithm: 9D EL327 command: 2702224F
Seed: 4FEE Key: 5EF7 Algorithm: 9E EL327 command: 27025EF7
Seed: 4FEE Key: BED4 Algorithm: 9F EL327 command: 2702BED4
Seed: 4FEE Key: D5FB Algorithm: A0 EL327 command: 2702D5FB
Seed: 4FEE Key: 333D Algorithm: A1 EL327 command: 2702333D
Seed: 4FEE Key: C934 Algorithm: A2 EL327 command: 2702C934
Seed: 4FEE Key: C79C Algorithm: A3 EL327 command: 2702C79C
Seed: 4FEE Key: 928C Algorithm: A4 EL327 command: 2702928C
Seed: 4FEE Key: 24BE Algorithm: A5 EL327 command: 270224BE
Seed: 4FEE Key: B8A4 Algorithm: A6 EL327 command: 2702B8A4
Seed: 4FEE Key: 84B9 Algorithm: A7 EL327 command: 270284B9
Seed: 4FEE Key: 8A8F Algorithm: A8 EL327 command: 27028A8F
Seed: 4FEE Key: FBF1 Algorithm: A9 EL327 command: 2702FBF1
Seed: 4FEE Key: BA0C Algorithm: AA EL327 command: 2702BA0C
Seed: 4FEE Key: E059 Algorithm: AB EL327 command: 2702E059
Seed: 4FEE Key: 55C5 Algorithm: AC EL327 command: 270255C5
Seed: 4FEE Key: AAC0 Algorithm: AD EL327 command: 2702AAC0
Seed: 4FEE Key: F1FD Algorithm: AE EL327 command: 2702F1FD
Seed: 4FEE Key: 235B Algorithm: AF EL327 command: 2702235B
Seed: 4FEE Key: B24E Algorithm: B0 EL327 command: 2702B24E
Seed: 4FEE Key: D0AB Algorithm: B1 EL327 command: 2702D0AB
Seed: 4FEE Key: F0F2 Algorithm: B2 EL327 command: 2702F0F2
Seed: 4FEE Key: 70E1 Algorithm: B3 EL327 command: 270270E1
Seed: 4FEE Key: 5875 Algorithm: B4 EL327 command: 27025875
Seed: 4FEE Key: 4E45 Algorithm: B5 EL327 command: 27024E45
Seed: 4FEE Key: 66AC Algorithm: B6 EL327 command: 270266AC
Seed: 4FEE Key: E307 Algorithm: B7 EL327 command: 2702E307
Seed: 4FEE Key: 0AA3 Algorithm: B8 EL327 command: 27020AA3
Seed: 4FEE Key: DA21 Algorithm: B9 EL327 command: 2702DA21
Seed: 4FEE Key: B149 Algorithm: BA EL327 command: 2702B149
Seed: 4FEE Key: 07E0 Algorithm: BB EL327 command: 270207E0
Seed: 4FEE Key: 54F6 Algorithm: BC EL327 command: 270254F6
Seed: 4FEE Key: 71F0 Algorithm: BD EL327 command: 270271F0
Seed: 4FEE Key: E987 Algorithm: BE EL327 command: 2702E987
Seed: 4FEE Key: 72D6 Algorithm: BF EL327 command: 270272D6
Seed: 4FEE Key: 68B7 Algorithm: C0 EL327 command: 270268B7
Seed: 4FEE Key: 1041 Algorithm: C1 EL327 command: 27021041
Seed: 4FEE Key: 1B75 Algorithm: C2 EL327 command: 27021B75
Seed: 4FEE Key: 9846 Algorithm: C3 EL327 command: 27029846
Seed: 4FEE Key: 6B35 Algorithm: C4 EL327 command: 27026B35
Seed: 4FEE Key: DAB1 Algorithm: C5 EL327 command: 2702DAB1
Seed: 4FEE Key: 9B33 Algorithm: C6 EL327 command: 27029B33
Seed: 4FEE Key: C49D Algorithm: C7 EL327 command: 2702C49D
Seed: 4FEE Key: 22C6 Algorithm: C8 EL327 command: 270222C6
Seed: 4FEE Key: FEDF Algorithm: C9 EL327 command: 2702FEDF
Seed: 4FEE Key: 1F66 Algorithm: CA EL327 command: 27021F66
Seed: 4FEE Key: DDC1 Algorithm: CB EL327 command: 2702DDC1
Seed: 4FEE Key: 01BA Algorithm: CC EL327 command: 270201BA
Seed: 4FEE Key: 81CE Algorithm: CD EL327 command: 270281CE
Seed: 4FEE Key: FA6A Algorithm: CE EL327 command: 2702FA6A
Seed: 4FEE Key: 571C Algorithm: CF EL327 command: 2702571C
Seed: 4FEE Key: B939 Algorithm: D0 EL327 command: 2702B939
Seed: 4FEE Key: 5F15 Algorithm: D1 EL327 command: 27025F15
Seed: 4FEE Key: 0657 Algorithm: D2 EL327 command: 27020657
Seed: 4FEE Key: EEA8 Algorithm: D3 EL327 command: 2702EEA8
Seed: 4FEE Key: 047B Algorithm: D4 EL327 command: 2702047B
Seed: 4FEE Key: F8C4 Algorithm: D5 EL327 command: 2702F8C4
Seed: 4FEE Key: C6E6 Algorithm: D6 EL327 command: 2702C6E6
Seed: 4FEE Key: C103 Algorithm: D7 EL327 command: 2702C103
Seed: 4FEE Key: 8E2B Algorithm: D8 EL327 command: 27028E2B
Seed: 4FEE Key: 1A29 Algorithm: D9 EL327 command: 27021A29
Seed: 4FEE Key: BA53 Algorithm: DA EL327 command: 2702BA53
Seed: 4FEE Key: 3B0A Algorithm: DB EL327 command: 27023B0A
Seed: 4FEE Key: 22EC Algorithm: DC EL327 command: 270222EC
Seed: 4FEE Key: C729 Algorithm: DD EL327 command: 2702C729
Seed: 4FEE Key: 8BB2 Algorithm: DE EL327 command: 27028BB2
Seed: 4FEE Key: 8CF0 Algorithm: DF EL327 command: 27028CF0
Seed: 4FEE Key: 4D61 Algorithm: E0 EL327 command: 27024D61
Seed: 4FEE Key: 614A Algorithm: E1 EL327 command: 2702614A
Seed: 4FEE Key: 2F0B Algorithm: E2 EL327 command: 27022F0B
Seed: 4FEE Key: 52C0 Algorithm: E3 EL327 command: 270252C0
Seed: 4FEE Key: 9192 Algorithm: E4 EL327 command: 27029192
Seed: 4FEE Key: 1861 Algorithm: E5 EL327 command: 27021861
Seed: 4FEE Key: C019 Algorithm: E6 EL327 command: 2702C019
Seed: 4FEE Key: C66F Algorithm: E7 EL327 command: 2702C66F
Seed: 4FEE Key: 81F7 Algorithm: E8 EL327 command: 270281F7
Seed: 4FEE Key: C868 Algorithm: E9 EL327 command: 2702C868
Seed: 4FEE Key: E626 Algorithm: EA EL327 command: 2702E626
Seed: 4FEE Key: 3AB7 Algorithm: EB EL327 command: 27023AB7
Seed: 4FEE Key: 938B Algorithm: EC EL327 command: 2702938B
Seed: 4FEE Key: E4A4 Algorithm: ED EL327 command: 2702E4A4
Seed: 4FEE Key: 3A41 Algorithm: EE EL327 command: 27023A41
Seed: 4FEE Key: D0E8 Algorithm: EF EL327 command: 2702D0E8
Seed: 4FEE Key: 95D5 Algorithm: F0 EL327 command: 270295D5
Seed: 4FEE Key: 3C79 Algorithm: F1 EL327 command: 27023C79
Seed: 4FEE Key: BE15 Algorithm: F2 EL327 command: 2702BE15
Seed: 4FEE Key: 65C4 Algorithm: F3 EL327 command: 270265C4
Seed: 4FEE Key: 01BC Algorithm: F4 EL327 command: 270201BC
Seed: 4FEE Key: 6CEB Algorithm: F5 EL327 command: 27026CEB
Seed: 4FEE Key: 1BC9 Algorithm: F6 EL327 command: 27021BC9
Seed: 4FEE Key: 8968 Algorithm: F7 EL327 command: 27028968
Seed: 4FEE Key: BF08 Algorithm: F8 EL327 command: 2702BF08
Seed: 4FEE Key: 2634 Algorithm: F9 EL327 command: 27022634
Seed: 4FEE Key: 9A51 Algorithm: FA EL327 command: 27029A51
Seed: 4FEE Key: DDEB Algorithm: FB EL327 command: 2702DDEB
Seed: 4FEE Key: F600 Algorithm: FC EL327 command: 2702F600
Seed: 4FEE Key: C539 Algorithm: FD EL327 command: 2702C539
Seed: 4FEE Key: BDB4 Algorithm: FE EL327 command: 2702BDB4
Seed: 4FEE Key: BF4A Algorithm: FF EL327 command: 2702BF4A
I checked the first 20 algos and the were exact match. AFter that some random algos which also matched. At the end I checked some of the last ones, and they didn`t match. I further investigate I found that upto 5f they work fine. At 60 up to end there is a mismatch. Could be some typo in the script or we are missing something. I will calculated some of them manually to see if there is something else needed.
Here are some verified from GM
30 4fee /ca58
40 4fee /83ac
50 4fee /acc4
5e 4fee /1d9e
5f 4fee /212f
60 4fee /5703
61 4fee /08ac
70 4fee /9753
7f 4fee /dcdd
80 4fee /6b9d
90 4fee /845a
a0 4fee /375f
b0 4fee /d1ae
c0 4fee /df2f
d0 4fee /96c6
e0 4fee /1164
f0 4fee /97d5
fe 4fee /4fee
ff 4fee /9432
I manually checked the algo after 60 and non of them match. So this table is valid upto 5f algo. After that it is garbish or wrong. Don`t bother trying to find an error. Just the algos after 60 don`t match at all.
Hey guys,
Are these algo's just for the PCM,
Trying to find algo's for other modules like...Cluster, BCM, EBCM, HVAC...etccc
Is there anyone that can push me in the right direction to finding these or working these out..
Thanx
I am trying to figure out the seed/key for GM Infotainment units (Radio). Any one working on this? Been studying it for a while. Looking for some help.
I am interested in what you are doing & would help if I can.
I believe that early cars (1997 and earlier: perhaps '98, '99) connect to various modules outside the PCM with serial / aldl type stream. Do later cars use class II? Do current cars use GM LAN?
Each of these may use a different algo for security.
I think that given the number of protocols, security algos and year2year changes, this may be a very difficult task.
Some inside info from GM would make this easy...
-Tom
PS: is there a repository for GM documents?? I have a few that I stumbled over now and then. The best of these are often called "worldwide engineering standards". If you know of such a cache, I would love the URL.
We have posted several GM docs in this thread.
https://drive.google.com/open?id=18E...xzQt2eiQVW7wMw
here is some examples of many radios with their seed and keys
These have the 5 byte seed/key. I must say the new algo is complex as hell and not easy to calculate, if at all possible, without having some secret keys and a .dll from GM.
The 2 byte seed/key algos are fully cracked and what you need is only the algo number and the algo table used.
How did you get those combos. Have you tried offline programming of these systems or you need online connection for the unlock request.
Do you have caches of the sps cache folder and the sps application folder to share?
Yes I have to use ACDelco to get the key from the seed for all these radios. All IOBs, IORs, and IOUs all have seed and key. Which is needed in order to program them. I can do any programming I want to them after I get the key from ACDelco and I recorded all those Seed Keys from programming all those radios for customers. That's where I got that table from. I wish I could figure out the damn algorithm for these. New units don't have a seed or key cause the MEC is set to FF. To put security on you have to set the MEC to 0. If the MEC is not set to 0, you will not get LTE on the radio. So they have to have security for them to work correctly. You can activate security on the radios but you cannot take the security off. Once you set the MEC to 0 you can't reverse it and put it back to FF ever again. Wish there was a way somehow to Set the MEC to FF then that would take security off the radios. Maybe you could within a firmware update but haven't dove into that much.