Thank you for sharing. However, I saw nothing in the document to indicate it's source.This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.
What a neat idea.Now it is time to make a chart with the PCM hardware id and OS/engine RPO vs algorithm number.
I am interested in seed / key algo for a BCM. Does it follow the same format as the PCM routine posted earlier?
Hi, New just now to this site and have a question... I am very interested in the seed/key algorithm. I began to write a program to do an automatic decode. The line "• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement" agrees with what I have done, but later in the document the line "Thus, given the seed 0x1234: a) ~0x1234 = 0xEDCB b) 0xEDCB ROR 3 = 0x7DB9 c) 0x7DB9 " shows him using a 1s complement. I believe the calculation is off. Hope this thread is still active.
Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms. If yes which of the 256. I have worked out where the seed and key is stored in the internal HC11 EEPROM. Just need to find a way to access it.
Hope there is still interest in a key gen...
Tom
It is number $05. It should be stored at $e00 address. You can communicate with both sides of the pcm to extract more data. Tside id is $10, Eside id is $18Originally Posted by Tom H
It is always good to have more tools available. If you need some other pcm algo number, I can dig it out for you.
Thank you Kur40. I had figured the key & seed to be at $E00 thru $E03. Thank you for confirmation.
I will finish the keygen and try it out with $05. Great help!
I have a large part of the OBDII code dis-assembled and working to comment. Is this interesting to others? If yes, where should the result be posted when I complete it.
This is a generous offer. A tool to test seed/key algos could be useful.
How large is the disassembly file? If not too large you can upload it to its own thread and I or a mod can make it a sticky. If it's too large to upload send me a PM and we'll figure out another path.
Ok will do. I am not so sure of how the site works though. Once commented (estimate about a week or so) I will be in touch with size. I have found many of the code parameters from the OBD code. When I see a malf that pertains to an input I use that to describe the location it is in. Are there known sources for content of ram? Some are obvious others I am not so sure.
A sample of some of the code I am working on...
************************************************
* DISABLE NORMAL MESSAGE TRANSMISSION
* MODE 28
************************************************
D2F5 02 ; MINIMUM REQUEST LENGTH
D2F6 02 ; MAXIMUM REQUEST LENGTH
D2F7 F6 18 7C LDAB $187C ; DLC REQUEST DATA 1 FROM BUFFER
D2FA C1 00 CMPB #$00 ; LEVEL 0 ONLY SUPPORTED
D2FC 27 05 BEQ $D303 ;
D2FE BD DC 15 JSR $DC15 ; SUB-FUNCTION NOT SUPPORTED/INVALID FORMAT
D301 20 0B BRA $D30E ; TRANSMIT GENERAL RESPONSE MESSAGE
D303 F7 18 C9 STAB $18C9 ; REPLY DATA BUFFER 1 IS LEVEL
D306 14 7D 80 BSET @$7D,$80 ; DISABLE BACKGROUND MESSAGES
D309 C6 02 LDAB #$02 ; SET REPLY LENGTH
D30B F7 18 C7 STAB $18C7 ;
D30E BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D311 39 RTS ; DONE
************************************************
* ENABLE NORMAL MESSAGE TRANSMISSION
* MODE 29
************************************************
D312 01 ; MINIMUM REQUEST LENGTH
D313 01 ; MAXIMUM REQUEST LENGTH
D314 15 7D 80 BCLR @$7D,$80 ; ENABLE BACKGROUND MESSAGES
D317 C6 01 LDAB #$01 ; SET REPLY LENGTH
D319 F7 18 C7 STAB $18C7 ;
D31C BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D31F 39 RTS ; DONE
Posting Permissions
Reply With Quote
Bookmarks