Page 1 of 2 12 LastLast
Results 1 to 15 of 22

Thread: Getting seed/key on locked pcm brute force style

  1. #1
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199

    Getting seed/key on locked pcm brute force style

    Awhile back there was a very detailed thread on EFILive site on how to gain access to a locked PCM. The thread was removed at the request of tuning shops and resellers. Did anyone happen to copy that information? I would like to be able unlock pcms of customers. I believe I have the required hardware with benchtop flashing cable and an avt 852. I have been playing with couple free pieces of software, not very special. HPTuners has some very old posts from when they were devopling their software with all the commands to get the info I want. I think I need a good communication program, a means of setting up the software to try each of the 65536 keys, and a means of recognizing when it has found the right one. Oh yeah, and a clue how to accomplish this!
    Planethax developed some software for use with the elm327, I have yet to make it succesfully work, but this is what I am after. Does not have to be that fancy, just do the job.

  2. #2
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    I think the ability is there in the LS1 Flash Tool that is yet to be finished. Read the thread and maybe contact Antus to see how it needs to be set up to do the Seed/Key search.

    http://www.gearhead-efi.com/Fuel-Inj...-Tool-Released

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  3. #3
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    I contacted antus over on his forum about the flash tool. Does not sound like finishing the ls1 flash tool is a priority and no completion in the foreseeable future was the message I got. He is busy on some other project. Too bad, his tool has lots of potential.

  4. #4
    RIP EagleMark's Avatar
    Join Date
    Feb 2011
    Location
    North Idaho
    Age
    63
    Posts
    10,477
    Well it seemed to be a top priority when we started selling the cables, not sure how that changed or people would not have bought cables...

    I've seen the Seed/Key search talked about, if you read the threads there it may have the info or version number that did it?

    1990 Chevy Suburban 5.7L Auto ECM 1227747 $42!
    1998 Chevy Silverado 5.7L Vortec 0411 Swap to RoadRunner!
    -= =-

  5. #5
    What PCMs do you need to unlock?
    LS1 PCMs can be unlocked easily in under 15 min using other methods, I have unlocked several.

    A while ago I was searching for the method to unlock newer PCMs (E38, E40, E67) which can't be unlocked with the method I use, but didn't find anything. Well, I know how it's done but don't know what hardware and software is used. There are people doing that but nobody shares, it's like finding the holy grail

  6. #6
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    I would like to be able to do 0411(p01) and p59 pcms. I would be interested to know how you do it in 15 mins?

  7. #7
    Quote Originally Posted by mecanicman View Post
    I would like to be able to do 0411(p01) and p59 pcms. I would be interested to know how you do it in 15 mins?
    I first desolder the flash chip, then overwrite the whole flash with a stock tune using a universal programmer. Last step is to solder the chip back to the PCM

    Doing this you can read and write as usual.
    I have a lot of practice soldering electronics, for an untrained individual it may take longer than 15 min. If you have no experience with this kind of work you can easily damage the PCM

  8. #8
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    How much would this equipment cost starting from scratch? Not the solution I had in mind but something to consider.

  9. #9
    Like $150 for the programmer with the adapter plus the hot air station

  10. #10
    Fuel Injected! JeepsAndGuns's Avatar
    Join Date
    Sep 2011
    Location
    alabama
    Age
    41
    Posts
    1,702
    I am very new to obd2 stuff, so what do yall mean when you say its locked? I have never heard of this before. I have seen several tuning threads in this section but never saw anyone mention unlocking a pcm first.
    79 Jeep Cherokee, AMC 401, T-18 manual trans, hydroboost, 16197427 MPFI system---the toy

    93 Jeep YJ Wrangler, 4.0L, 5 speed, 8.8 rear, homebrew hub conversion and big brakes, hydroboost, 2.5in OME lift, 31x10.50's---the daily driver

    99 Jeep WJ Grand Cherokee limited, 4.0L, auto, 2wd, leather and power everything, 99% stock---the long distance highway ride.

  11. #11
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    EFILive, HPTuners, and various handheld tuners modify the seed/key as a way of locking the pcm. I am not sure exactly what they do, I think it changes the location the data is stored at. When I try to access it with software I do have it shows finding the original seed but key it generates does not match. I have been able to put together that key algorithm for ls pcms is:

    KEY = 934D - SwapHiLo(Seed)
    So the formula goes like this
    SEED = 0A69
    KEY = 934D - SwapHiLo(SEED)
    KEY = 934D - SwapHiLo(0A69)
    KEY = 934D - 690A
    KEY = 2A43
    If resulting number is negative, use 1934d.

    http://www.miniwebtool.com/hex-calculator/

  12. #12
    Fuel Injected!
    Join Date
    Dec 2013
    Age
    35
    Posts
    41
    it does not modify anything when just reading a ecm out. edit. I reread what you wrote. I see what your saying, just not how I would word it.
    The ecm sends a seed, and you must reply with the correct key.

    There are 256 seed/key combinations plus a few extra orphans as I understand it. There will be a tool like antus's released soon that will do 411's, and if the dev can find the time, many more GM ecms

  13. #13
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    dimented24x7's tool? Played with black box version.

  14. #14
    Fuel Injected! JeepsAndGuns's Avatar
    Join Date
    Sep 2011
    Location
    alabama
    Age
    41
    Posts
    1,702
    I have no idea what the seed or key are, or what they even mean in reguards to a pcm. But if I am understanding it right, basicly once you tune a pcm with their software, it mods the code to where nothing else but their software can change or re-tune it?
    79 Jeep Cherokee, AMC 401, T-18 manual trans, hydroboost, 16197427 MPFI system---the toy

    93 Jeep YJ Wrangler, 4.0L, 5 speed, 8.8 rear, homebrew hub conversion and big brakes, hydroboost, 2.5in OME lift, 31x10.50's---the daily driver

    99 Jeep WJ Grand Cherokee limited, 4.0L, auto, 2wd, leather and power everything, 99% stock---the long distance highway ride.

  15. #15
    Fuel Injected!
    Join Date
    Oct 2013
    Posts
    1,022
    It's not an inherent locking in the software, it's the tuner who chooses to lock the PCM using the software.

Similar Threads

  1. Delta force tuning software/interface.
    By Playtoy_18 in forum Ford EFI Systems
    Replies: 18
    Last Post: 12-15-2018, 02:27 AM
  2. Replies: 7
    Last Post: 04-29-2013, 05:01 AM
  3. Tunercat--Cal Locked Message.
    By Lextech in forum TunerCat OBDII
    Replies: 4
    Last Post: 04-28-2013, 01:31 AM
  4. Hardware modifications GM style...
    By Six_Shooter in forum GM EFI Systems
    Replies: 23
    Last Post: 02-03-2012, 09:59 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •