Page 2 of 2 FirstFirst 12
Results 16 to 22 of 22

Thread: Getting seed/key on locked pcm brute force style

  1. #16
    The procedure used to lock a PCM is very simple, as is the seed/key algorithm.
    The PCM has a combination of one seed and one key stored in flash memory. When a programming device requests read/write access to the flash chip, the PCM first sends a seed to the device. The software must calculate the key and send it to the PCM.
    If the key matches what the PCM has then grants access to the flash contents.

    A tuning software can change the stored seed/key to another unknown value which can only be calculated by the same cable. It uses a different algorithm so no other programming device will be able to generate the correct key, thus preventing read/write access to the flash memory. Not even the dealer can unlock a tunerlocked PCM

  2. #17
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    this is how it looks unlocking pcm

    sent: 6C 10 F0 27 01
    recieved: 6C F0 10 67 01 33 A2
    sent: 6C 10 F0 27 02 73 38
    recieved: 6C F0 10 67 02 34


    when you recieve 67 02 34 the pcm is unlocked, 34 means unlock

    If you recieve something else key is wrong


    If the key is wrong there is 10 sec delay before you can try again.
    you will know this when you send 27 01 you will get refuse message and not get the seed.

    You should always do seed request first, before you can try the key.

    it should be easy to compile a brute force script,

  3. #18
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    Sounds easy when you know what your doing! Im pretty new to this side of things, have relied on someone else's software to do it for me. What software are you using to communicate with pcm?

  4. #19
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    you can try avt hex terminal if you have avt cable
    for elm327 there is small program called stnterm.exe


    this is how it looks using the avt term

    Request:
    05 6C 10 F0 27 01
    Answer:
    01 60 08 00 6C F0 10 67 01 33 A2
    Request:
    07 6C 10 F0 27 02 73 38
    Answer:
    01 60 07 00 6C F0 10 67 02 34



    for now i didn`t figure it out how to make this process automated
    if you can find someone who can write small program will be great

  5. #20
    Fuel Injected!
    Join Date
    Dec 2013
    Age
    35
    Posts
    41
    Brute force or just find someone with the tables that exist in the wild.

  6. #21
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    Brute force would be my prefered method. I have been trying to write some code to do it but my lack of experiance in this department is the limiting factor. Tables that exist in the wild? Not following, care to explain?
    Last edited by mecanicman; 06-13-2014 at 09:43 AM.

  7. #22
    Fuel Injected!
    Join Date
    Jun 2013
    Posts
    199
    Still working on this if anyone has anything to add.

Similar Threads

  1. Delta force tuning software/interface.
    By Playtoy_18 in forum Ford EFI Systems
    Replies: 18
    Last Post: 12-15-2018, 02:27 AM
  2. Replies: 7
    Last Post: 04-29-2013, 05:01 AM
  3. Tunercat--Cal Locked Message.
    By Lextech in forum TunerCat OBDII
    Replies: 4
    Last Post: 04-28-2013, 01:31 AM
  4. Hardware modifications GM style...
    By Six_Shooter in forum GM EFI Systems
    Replies: 23
    Last Post: 02-03-2012, 09:59 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •