
Thread: Gm Seed key algorithms

  1. #1
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi, New just now to this site and have a question... I am very interested in the seed/key algorithm. I began to write a program to do an automatic decode. The line "• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement" agrees with what I have done, but later in the document the line "Thus, given the seed 0x1234: a) ~0x1234 = 0xEDCB b) 0xEDCB ROR 3 = 0x7DB9 c) 0x7DB9 " shows him using a 1s complement. I believe the calculation is off. Hope this thread is still active.
    Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms. If yes, which of the 256? I have worked out where the seed and key are stored in the internal HC11 EEPROM. Just need to find a way to access it.

    Hope there is still interest in a key gen...

    Tom

  2. #2
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,478
    Originally Posted by Tom H:
    Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms.
    Tom
    It is number $05. It should be stored at the $e00 address. You can communicate with both sides of the pcm to extract more data. Tside id is $10, Eside id is $18.

    It is always good to have more tools available. If you need some other pcm algo number, I can dig it out for you.

  3. #3
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Thank you Kur40. I had figured the key & seed to be at $E00 thru $E03. Thank you for confirmation.
    I will finish the keygen and try it out with $05. Great help!
    I have a large part of the OBDII code disassembled and am working to comment it. Is this interesting to others? If yes, where should the result be posted when I complete it?

  4. #4
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,868
    This is a generous offer. A tool to test seed/key algos could be useful.

    How large is the disassembly file? If not too large you can upload it to its own thread and I or a mod can make it a sticky. If it's too large to upload send me a PM and we'll figure out another path.

  5. #5
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Ok will do. I am not so sure of how the site works though. Once commented (estimate about a week or so) I will be in touch with size. I have found many of the code parameters from the OBD code. When I see a malf that pertains to an input I use that to describe the location it is in. Are there known sources for content of ram? Some are obvious others I am not so sure.
    A sample of some of the code I am working on...

    ************************************************
    * DISABLE NORMAL MESSAGE TRANSMISSION
    * MODE 28
    ************************************************
    D2F5  02                          ; MINIMUM REQUEST LENGTH
    D2F6  02                          ; MAXIMUM REQUEST LENGTH

    D2F7  F6 18 7C  LDAB  $187C       ; DLC REQUEST DATA 1 FROM BUFFER
    D2FA  C1 00     CMPB  #$00        ; LEVEL 0 ONLY SUPPORTED
    D2FC  27 05     BEQ   $D303       ;

    D2FE  BD DC 15  JSR   $DC15       ; SUB-FUNCTION NOT SUPPORTED/INVALID FORMAT
    D301  20 0B     BRA   $D30E       ; TRANSMIT GENERAL RESPONSE MESSAGE

    D303  F7 18 C9  STAB  $18C9       ; REPLY DATA BUFFER 1 IS LEVEL
    D306  14 7D 80  BSET  @$7D,$80    ; DISABLE BACKGROUND MESSAGES

    D309  C6 02     LDAB  #$02        ; SET REPLY LENGTH
    D30B  F7 18 C7  STAB  $18C7       ;
    D30E  BD DE 88  JSR   $DE88       ; TRANSMIT REPLY

    D311  39        RTS               ; DONE


    ************************************************
    * ENABLE NORMAL MESSAGE TRANSMISSION
    * MODE 29
    ************************************************
    D312  01                          ; MINIMUM REQUEST LENGTH
    D313  01                          ; MAXIMUM REQUEST LENGTH

    D314  15 7D 80  BCLR  @$7D,$80    ; ENABLE BACKGROUND MESSAGES

    D317  C6 01     LDAB  #$01        ; SET REPLY LENGTH
    D319  F7 18 C7  STAB  $18C7       ;
    D31C  BD DE 88  JSR   $DE88       ; TRANSMIT REPLY

    D31F  39        RTS               ; DONE

  6. #6
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477

    GM seedkey.doc ??error??

    Hi,
    I wrote a program to take the PCM seed and generate 256 keys (one for each of the algorithms) and throw it in a file. I ran into a problem with the complement instruction. The document defines it as
    • 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement
    When I follow this, my key is off by one. I think this is because the high and low are reversed (LL > HH) or the sign is flipped (HH<LL). The difference is between one's and two's complement. I don't have the resources to figure this out.

    When I run the program as it is in the attachment, I get the correct result for algorithm 0x5.

    Hope this is of use to someone.

    Cheers,
    Tom

  7. #7
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,478
    2's complement is [ffff-value]+1. Are you doing it that way?

    Here is some basic disassembly I made for 96 lt4, and 94-95 lt1. The eside of 96-97 is almost identical to 94-95 code with some extra tables added and some obd2 test crap. You can take it for a starting point to figure out some of the unexplored area.
    http://www.gearhead-efi.com/Fuel-Inj...ll=1#post68150

    I see your coding skills are above average. If you want we can write a program that can read/write that pcm with an elm device. I have all the data needed on the pcm side. Actually the process is identical to 94-95 pcm, just the communication protocol is different and some extra step is needed on t-side bank switching.
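
The complement step discussed in posts #6 and #7, worked through on the seed 0x1234 quoted in post #1. This is an added example, not code from the thread or from the attached program; the function names are made up here, and `op2a_reversed` is only the alternative reading raised in post #6, treated as an assumption. It covers nothing but opcode 0x2A and the ROR 3 step, since those are the only operations the thread spells out.

```c
#include <stdint.h>
#include <stdio.h>

/* 16-bit one's complement: invert every bit. */
static uint16_t ones_complement(uint16_t v) { return (uint16_t)~v; }

/* 16-bit two's complement in the form given in post #7: (0xFFFF - value) + 1. */
static uint16_t twos_complement(uint16_t v) { return (uint16_t)((0xFFFFu - v) + 1u); }

/* Rotate right inside a 16-bit word (the "ROR 3" step quoted in post #1). */
static uint16_t ror16(uint16_t v, unsigned n) {
    n &= 15u;
    return n ? (uint16_t)((v >> n) | ((uint32_t)v << (16u - n))) : v;
}

/* Opcode 0x2A as the document words it: HH > LL selects two's complement. */
static uint16_t op2a_documented(uint16_t v) {
    uint8_t hh = (uint8_t)(v >> 8), ll = (uint8_t)(v & 0xFFu);
    return hh > ll ? twos_complement(v) : ones_complement(v);
}

/* Reversed reading raised in post #6 (an assumption): LL > HH selects it. */
static uint16_t op2a_reversed(uint16_t v) {
    uint8_t hh = (uint8_t)(v >> 8), ll = (uint8_t)(v & 0xFFu);
    return ll > hh ? twos_complement(v) : ones_complement(v);
}

/* Count the 16-bit inputs on which the two readings give different results. */
static unsigned count_disagreements(void) {
    unsigned n = 0;
    for (uint32_t v = 0; v <= 0xFFFFu; v++)
        if (op2a_documented((uint16_t)v) != op2a_reversed((uint16_t)v)) n++;
    return n;
}

int main(void) {
    uint16_t seed = 0x1234; /* seed value quoted in post #1 */
    uint16_t a = op2a_documented(seed), b = op2a_reversed(seed);
    printf("documented: %04X -> ROR 3 -> %04X\n", a, ror16(a, 3));
    printf("reversed:   %04X -> ROR 3 -> %04X\n", b, ror16(b, 3));
    printf("inputs where the readings differ: %u of 65536\n", count_disagreements());
    return 0;
}
```

The two readings differ by exactly one at the complement step for every input whose high and low bytes are unequal, but a later rotate moves that low bit elsewhere in the word, so the final values need not be one apart.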
