
Thread: Gm Seed key algorithms

  1. #1
    Electronic Ignition!
    Join Date
    Oct 2014
    Posts
    14

    Gm Seed key algorithms

    This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.

  2. #2
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,469
    Great find. It does save me a lot of work, reinventing the wheel.

    Too bad Gm changed the algorithm recently.

    Now it is time to make a chart with the PCM hardware id and OS/engine RPO vs algorithm number.

  3. #3
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,844
    This was posted elsewhere, sharing here. Judging by the source I would not doubt its authenticity.
    Thank you for sharing. However, I saw nothing in the document to indicate its source.


    Now it is time to make a chart with the PCM hardware id and OS/engine RPO vs algorithm number.
    What a neat idea.
    I am interested in seed / key algo for a BCM. Does it follow the same format as the PCM routine posted earlier?

  4. #4
    Fuel Injected!
    Join Date
    Dec 2015
    Age
    42
    Posts
    72

  5. #5
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi, New just now to this site and have a question... I am very interested in the seed/key algorithm. I began to write a program to do an automatic decode. The line "• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement" agrees with what I have done, but later in the document the line "Thus, given the seed 0x1234: a) ~0x1234 = 0xEDCB b) 0xEDCB ROR 3 = 0x7DB9 c) 0x7DB9 " shows him using a 1s complement. I believe the calculation is off. Hope this thread is still active.
    Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms. If yes which of the 256. I have worked out where the seed and key is stored in the internal HC11 EEPROM. Just need to find a way to access it.

    Hope there is still interest in a key gen...

    Tom

  6. #6
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,469
    Quote: Originally Posted by Tom H
    Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms.
    Tom
    It is number $05. It should be stored at $e00 address. You can communicate with both sides of the pcm to extract more data. Tside id is $10, Eside id is $18

    It is always good to have more tools available. If you need some other pcm algo number, I can dig it out for you.

  7. #7
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Thank you Kur40. I had figured the key & seed to be at $E00 thru $E03. Thank you for confirmation.
    I will finish the keygen and try it out with $05. Great help!
    I have a large part of the OBDII code dis-assembled and working to comment. Is this interesting to others? If yes, where should the result be posted when I complete it.

  8. #8
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    54
    Posts
    3,844
    This is a generous offer. A tool to test seed/key algos could be useful.

    How large is the disassembly file? If not too large you can upload it to its own thread and I or a mod can make it a sticky. If it's too large to upload send me a PM and we'll figure out another path.

  9. #9
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Ok will do. I am not so sure of how the site works though. Once commented (estimate about a week or so) I will be in touch with size. I have found many of the code parameters from the OBD code. When I see a malf that pertains to an input I use that to describe the location it is in. Are there known sources for content of ram? Some are obvious others I am not so sure.
    A sample of some of the code I am working on...

    ************************************************
    * DISABLE NORMAL MESSAGE TRANSMISSION
    * MODE 28
    ************************************************
    D2F5 02 ; MINIMUM REQUEST LENGTH
    D2F6 02 ; MAXIMUM REQUEST LENGTH

    D2F7 F6 18 7C LDAB $187C ; DLC REQUEST DATA 1 FROM BUFFER
    D2FA C1 00 CMPB #$00 ; LEVEL 0 ONLY SUPPORTED
    D2FC 27 05 BEQ $D303 ;

    D2FE BD DC 15 JSR $DC15 ; SUB-FUNCTION NOT SUPPORTED/INVALID FORMAT
    D301 20 0B BRA $D30E ; TRANSMIT GENERAL RESPONSE MESSAGE

    D303 F7 18 C9 STAB $18C9 ; REPLY DATA BUFFER 1 IS LEVEL
    D306 14 7D 80 BSET @$7D,$80 ; DISABLE BACKGROUND MESSAGES

    D309 C6 02 LDAB #$02 ; SET REPLY LENGTH
    D30B F7 18 C7 STAB $18C7 ;
    D30E BD DE 88 JSR $DE88 ; TRANSMIT REPLY

    D311 39 RTS ; DONE


    ************************************************
    * ENABLE NORMAL MESSAGE TRANSMISSION
    * MODE 29
    ************************************************
    D312 01 ; MINIMUM REQUEST LENGTH
    D313 01 ; MAXIMUM REQUEST LENGTH

    D314 15 7D 80 BCLR @$7D,$80 ; ENABLE BACKGROUND MESSAGES

    D317 C6 01 LDAB #$01 ; SET REPLY LENGTH
    D319 F7 18 C7 STAB $18C7 ;
    D31C BD DE 88 JSR $DE88 ; TRANSMIT REPLY

    D31F 39 RTS ; DONE

  10. #10
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477

    GM seedkey.doc ??error??

    Hi,
    I wrote a program to take the PCM seed and generate 256 keys (one for each of the algorithms) and throw it in a file. I ran into a problem with the complement instruction. The document defines it as
    • 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement
    When I follow this, my key is off by one. I think this is because the high and low are reversed (LL > HH) or the sign is flipped (HH<LL). The difference is between one's and two's complement. I don't have the resources to figure this out.

    When I run the program as it is in the attachment, I get the correct result for algorithm 0x5.

    Hope this is of use to someone.

    Cheers,
    Tom

  11. #11
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,469
    2's complement is [ffff-value]+1. Are you doing it that way?

    Here is some basic disassembly I made for 96 lt4, and 94-95 lt1. The eside of 96-97 is almost identical to 94-95 code with some extra tables added and some obd2 test crap. You can take it for a starting point to figure out some of the unexplored area.
    http://www.gearhead-efi.com/Fuel-Inj...ll=1#post68150

    I see your coding skills are above average. If you want we can write a program that can read/write that pcm with an elm device. I have all the data needed on the pcm side. Actually the process is identical to 94-95 pcm, just the communication protocol is different and some extra step is needed on t-side bank switching.

  12. #12
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Easiest for 1's and 2's for me is ...

    calc_acc = ~calc_seed; // One's
    calc_acc = -calc_seed; // Two's

    Thank you for your post, I will look through the thread. I would like to write that program you suggest.
    I have disassembled all the code but making sense of it is not easy. In some ways the OBDII makes things easier because there are more points of reference.

    I started on this project many years ago and got side tracked by other things. I came back to it with the intent of figuring it all out. We will see how far we can get.

    I will start a thread soon with the OBDII code and see if there is interest here.

    Oh... because you have almost the same hardware, I have a question. There is an analog mux between the 'hc11 a/ds and the inputs. It looks to me as if this is a dual 8:1 mux or perhaps two chips.
    My commenting looks like this...

    68B0 CE 10 02 LDX #$1002 ; EXTERNAL ANALOG MULTIPLEXER
    68B3 1D 00 07 BCLR $00,X,$07 ; SELECT NO INPUT
    68B6 86 02 LDAA #$02 ; NO CHANGE TO 5MSB
    68B8 AA 00 ORRA $00,X ; SELECT INPUT 2
    68BA A7 00 STAA $00,X ;

    68BC 86 05 LDAA #$05 ; START A/D ON CH5
    68BE B7 10 30 STAA $1030 ; REAL TIME DELAY
    68C1 3D MUL ;
    68C2 3D MUL ;
    68C3 3D MUL ;
    68C4 01 NOP ;
    68C5 B6 10 31 LDAA $1031 ;
    68C8 B7 01 09 STAA $0109 ; RAW ENGINE COOLANT SENSOR ANALOG

    What can you tell me about the hardware analog mux? Do we know a part number/brand. All I see on the chips are house numbers.

    Cheers,
    Tom

  13. #13
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,469
    Code:
    FSR:1000 ; ===========================================================================
    FSR:1000
    FSR:1000 ; Segment type: Pure data
    FSR:1000 ; segment FSR
    FSR:1000 org $1000
    FSR:1000 PORTA: fcb $44 ; DATA XREF: __RESET-AC0Dw
    FSR:1000 ; __RESET-A8B4r ...
    FSR:1000 ; Port A data
    FSR:1000 ; cleared at reset
    FSR:1001 DDRA: fcb $F8 ; DATA XREF: __RESET-AC1Bw
    FSR:1001 ; STATBYTESETsub_62B2+Aw
    FSR:1001 ; Data Direction Port A
    FSR:1001 ; loaded with $F8
    FSR:1002 PORTG: fcb $F0 ; DATA XREF: __RESET-AC0Aw
    FSR:1002 ; ADR_PLUSsub_ECEE+F9r ...
    FSR:1002 ; Port G Data
    FSR:1002 ; cleared with reset
    FSR:1002 ; 0 ; 1 ; 2 ; 3 ; 4
    FSR:1003 DDRG: fcb $F ; DATA XREF: __RESET-AC16w
    FSR:1003 ; STATBYTESETsub_62B2+Fw
    FSR:1003 ; Data Direction PortG
    FSR:1003 ; loaded with $07
    FSR:1004 PORTB: fcb $FF ; Port B Data
    FSR:1005 PORTF: fcb $FF ; Data Port F
    FSR:1006 PORTC: fcb $FF ; Data Port C
    FSR:1007 DDRC: fcb $FF ; Data Direction for Port C
    FSR:1008 PORTD: fcb $2D ; DATA XREF: __RESET-AC07w
    FSR:1008 ; OC4I+5E2r ...
    FSR:1008 ; Port D Data
    FSR:1008 ; cleared at reset
    FSR:1009 DDRD: fcb $3F ; DATA XREF: __RESET-AC11w
    FSR:1009 ; STATBYTESETsub_62B2+14w
    FSR:1009 ; Data Direction for Port D
    FSR:1009 ; loaded with $3E
    FSR:100A PORTE: fcb $49 ; I ; Port E Data
    FSR:100B CFORC: fcb 0 ; DATA XREF: STATBYTESETsub_62B2+42w
    FSR:100B ; Compare Force Register
    FSR:100C OC1M: fcb 8 ; DATA XREF: __RESET-ABF8w
    FSR:100C ; STATBYTESETsub_62B2+28w ...
    FSR:100C ; OC1 Action Mask Register
    FSR:100C ; loaded with $08
    FSR:100D OC1D: fcb 0 ; DATA XREF: __RESET-ABF4w
    FSR:100D ; STATBYTESETsub_62B2+2Cw
    FSR:100D ; OC1 Action Data Register
    FSR:100D ; cleared at reset
    FSR:100E TCNTH: fcb $11 ; DATA XREF: __RESET-A5DCr
    FSR:100E ; __RESET-A5D3r ...
    FSR:100E ; Timer Counter Register (High)
    FSR:100F TCNTL: fcb $A2 ; â ; Timer Counter Register (Low)
    FSR:1010 TIC1H: fcb $FF ; Input Capture 1 Register (High)
    FSR:1011 TIC1L: fcb $FF ; Input Capture 1 Register (Low)
    FSR:1012 TIC2H: fcb $FF ; Input Capture 2 Register (High)
    FSR:1013 TIC2L: fcb $FF ; Input Capture 2 Register (Low)
    FSR:1014 TIC3H: fcb $FF ; DATA XREF: IC3I:loc_5055r
    FSR:1014 ; IC3I:loc_5070r
    FSR:1014 ; Input Capture 3 Register (High)
    FSR:1015 TIC3L: fcb $FF ; Input Capture 3 Register (Low)
    FSR:1016 TOC1H: fcb $CF ; ¦ ; DATA XREF: __RESET-A5D6w
    FSR:1016 ; OC1I:loc_50E9r ...
    FSR:1016 ; Output Compare 1 Register (High)
    FSR:1017 TOC1L: fcb $2F ; / ; Output Compare 1 Register (Low)
    FSR:1018 TOC2H: fcb $FF ; Output Compare 2 Register (High)
    FSR:1019 TOC2L: fcb $FF ; Output Compare 2 Register (Low)
    FSR:101A TOC3H: fcb $FF ; Output Compare 3 Register (High)
    FSR:101B TOC3L: fcb $FF ; Output Compare 3 Register (Low)
    FSR:101C TOC4H: fcb $AC ; ì ; DATA XREF: __RESET-A5CDw
    FSR:101C ; OC4Ir ...
    FSR:101C ; Output Compare 4 Register (High)
    FSR:101D TOC4L: fcb $43 ; C ; Output Compare 4 Register (Low)
    FSR:101E TCO5H: fcb $CF ; ¦ ; DATA XREF: OC1I:loc_50FEw
    FSR:101E ; Output Compare 5 Register (High)
    FSR:101F TCO5L: fcb $2F ; / ; Output Compare 5 Register (Low)
    FSR:1020 TCTL1: fcb 3 ; DATA XREF: __RESET-ABEFw
    FSR:1020 ; STATBYTESETsub_62B2+31w ...
    FSR:1020 ; Timer Control Register 1
    FSR:1020 ; loaded with $03
    FSR:1021 TCTL2: fcb 1 ; DATA XREF: __RESET-ABEAw
    FSR:1021 ; Timer Control Register 2
    FSR:1021 ; loaded with $01
    FSR:1022 TMSK1: fcb 0 ; DATA XREF: __RESET-A5C8w
    FSR:1022 ; MAINsub_4F8D+973w ...
    FSR:1022 ; Timer Interrupt Mask Register 1
    FSR:1023 TFLG1: fcb $F8 ; DATA XREF: __RESET-A5DFw
    FSR:1023 ; OC4I+Bw ...
    FSR:1023 ; Timer Interrupt Flag Register 1
    FSR:1024 TMSK2: fcb 3 ; DATA XREF: __RESET-AC3Dw
    FSR:1024 ; ALDL_sub_B822+1F5w ...
    FSR:1024 ; Timer Interrupt Mask Register 2
    FSR:1024 ; loaded with $03
    FSR:1025 TFLG2: fcb $C0 ; DATA XREF: ALDL_sub_B822+3EEw
    FSR:1025 ; DOWNLOAD_BIN_00_01sub_BCB0:loc_BCD9r ...
    FSR:1025 ; Timer Interrupt Flag Register 2
    FSR:1026 PACTL: fcb 0 ; Pulse Accumulator Control Register
    FSR:1027 PACNT: fcb 0 ; Pulse Accumulator Count Register
    FSR:1028 SPCR: fcb $54 ; DATA XREF: __RESET-ABD6w
    FSR:1028 ; OC4I+C4w ...
    FSR:1028 ; Serial Peripheral Control Register
    FSR:1028 ; loaded with $44
    FSR:1029 SPSR: fcb $80 ; DATA XREF: OC4I+D2r
    FSR:1029 ; OC4I+E8r ...
    FSR:1029 ; Serial Peripheral Status Register
    FSR:102A SPDR: fcb 0 ; DATA XREF: OC4I+D5w
    FSR:102A ; OC4I+E1r ...
    FSR:102A ; SPI Data Register
    FSR:102B BAUD: fcb $13 ; DATA XREF: __RESET-AC02w
    FSR:102B ; STATBYTESETsub_62B2+19w
    FSR:102B ; Baud Rate
    FSR:102B ; loaded with $13
    FSR:102C SCCR1: fcb 0 ; DATA XREF: STATBYTESETsub_62B2+3Fw
    FSR:102C ; SCI Control Register
    FSR:102D SCCR2: fcb 8 ; DATA XREF: __RESET-A5E4w
    FSR:102D ; OC4I+5D8w ...
    FSR:102D ; SCCR2 - SCI Control Register 2 $102D
    FSR:102D ; RESET: 0 0 0 0 0 0 0 0
    FSR:102D ;
    FSR:102D ; $80 TIE - Transmit Interrupt Enable
    FSR:102D ; 0 = TDRE interrupts disabled
    FSR:102D ; 1 = SCI interrupt requested when TDRE status flag is set
    FSR:102D ; $40 TCIE - Transmit Complete Interrupt Enable
    FSR:102D ; 0 = TC interrupts disabled
    FSR:102D ; 1 = SCI interrupt requested when TC status flag is set
    FSR:102D ; $20 RIE - Receiver Interrupt Enable
    FSR:102D ; 0 = RDRF and OR interrupts disabled
    FSR:102D ; 1 = SCI interrupt requested when RDRF flag or the OR status flag is set
    FSR:102D ; $10 ILIE - Idle-Line Interrupt Enable
    FSR:102D ; 0 = IDLE interrupts disabled
    FSR:102D ; 1 = SCI interrupt requested when IDLE status flag is set
    FSR:102D ; $08 TE - Transmitter
    FSR:102D ; 0 = Transmitter disabled
    FSR:102D ; 1 = Transmitter enabled
    FSR:102D ; $04 RE - Receiver Enable
    FSR:102D ; 0 = Receiver disabled
    FSR:102D ; 1 = Receiver enabled
    FSR:102D ; $02 RWU - Receiver Wakeup Control
    FSR:102D ; 0 = Normal SCI receiver
    FSR:102D ; 1 = Wakeup enabled and receiver interrupts inhibited
    FSR:102D ; $01 SBK - Send Break At least one c
    FSR:102E SCSR: fcb 0 ; DATA XREF: __RESET-A5ECr
    FSR:102E ; MAINsub_4F8D+FF9r ...
    FSR:102E ; SCSR - SCI Status Register $102E
    FSR:102E ; TDRE TC RDRF IDLE OR NF FE -
    FSR:102E ; RESET: 1 1 0 0 0 0 0 0
    FSR:102E ;
    FSR:102E ; $80 TDRE - Transmit Data Register Empty Flag
    FSR:102E ; This flag is set when SCDR is empty. Clear the TDRE flag by reading SCSR and then
    FSR:102E ; writing to SCDR.
    FSR:102E ; 0 = SCDR busy
    FSR:102E ; 1 = SCDR empty
    FSR:102E ; $40 TC - Transmit Complete Flag
    FSR:102E ; 0 = Transmitter busy
    FSR:102E ; 1 = Transmitter idle
    FSR:102E ; $20 RDRF - Receive Data Register Full Flag
    FSR:102E ; . 0 = SCDR empty
    FSR:102E ; 1 = SCDR full
    FSR:102E ; $10 IDLE - Idle Line Detected Flag
    FSR:102E ; 0 = RxD line is active
    FSR:102E ; 1 = RxD line is idle
    FSR:102E ; $08 OR - Overrun Error Flag
    FSR:102E ; 0 = No overrun
    FSR:102E ; 1 = Overrun detected
    FSR:102E ; $04 NF - Noise Error Flag
    FSR:102E ; 0 = Unanimous decision
    FSR:102E ; 1 = Noise detected
    FSR:102E ; $02 FE - Framing Error
    FSR:102E ; 0 = Stop bit detected
    FSR:102E ; 1 = Zero detected
    FSR:102E ; $01 empty
    FSR:102F SCDR: fcb $6D ; DATA XREF: __RESET-A5E9r
    FSR:102F ; MAINsub_4F8D+FFCw ...
    FSR:102F ; SCDR - SCI Data Register $102F
    FSR:102F ; Bit 7 6 5 4 3 2 1 Bit 0
    FSR:102F ; R7/T7 R6/T6 R5/T5 R4/T4 R3/T3 R2/T2 R1/T1 R0/T0
    FSR:102F ; RESET: I I I I I I I I
    FSR:1030 ADCTL: fcb $87 ; DATA XREF: __RESET-AB26w
    FSR:1030 ; __RESET-AB0Aw ...
    FSR:1030 ; A_D Control Register
    FSR:1031 ADR1: fcb $73 ; DATA XREF: __RESET-AB1Fr
    FSR:1031 ; __RESET-AB03r ...
    FSR:1031 ; ADR
    FSR:1031 ; #5-0 AD TPS
    FSR:1031 ; #5 01 AD MAP
    FSR:1031 ; #5-2 AD COOLANT=byte_109, filtr....
    FSR:1031 ; #5-3 AD =byte_10a,Byte_255 fitr Byte_256-258,word_25d-26b
    FSR:1031 ; #6 L02 ad
    FSR:1031 ; #7 R02 ad
    FSR:1031 ; #7-1 AD ??=byte_118,filt=1b15,1b16
    FSR:1031 ; #7-7?? ad TRANSMISSION INPUT VOLTS
    FSR:1031 ; #$10 ad ac press, egr ad pos
    FSR:1032 ADR2: fcb $73 ; DATA XREF: OC4I+69r
    FSR:1032 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+40r
    FSR:1032 ; A_D Result Register 2
    FSR:1033 ADR3: fcb $72 ; DATA XREF: OC4I+6Er
    FSR:1033 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+13r ...
    FSR:1033 ; A_D Result Register 3
    FSR:1034 ADR4: fcb $73 ; DATA XREF: OC4I+73r
    FSR:1034 ; ADR_PLUS_IGN_OFF_CHECKsub_EA91+52r
    FSR:1034 ; A_D Result Register 4
    FSR:1035 BPROT: fcb $11 ; DATA XREF: __RESET-AC3Aw
    FSR:1035 ; __RESET:loc_4290w
    FSR:1035 ; Block Protect Register
    FSR:1035 ; byte_200=$AA load with $10
    FSR:1035 ; byte_200=$55 load with word_201E first byte
    FSR:1035 ; byte_200=not $AA or $55 load with $11
    FSR:1036 RESERV36: fcb 0 ; RESERVED
    FSR:1037 RESERV37: fcb 0 ; RESERVED
    FSR:1038 OPT2: fcb 0 ; DATA XREF: __RESET-ABDBw
    FSR:1038 ; STATBYTESETsub_62B2+4Bw
    FSR:1038 ; System Configuration Options 2
    FSR:1038 ; cleared at reset
    FSR:1039 OPTION: fcb $99 ; DATA XREF: __RESET-AC42w
    FSR:1039 ; System Configuration Options
    FSR:1039 ; loaded with $99
    FSR:103A COPRST: fcb 0 ; DATA XREF: sub_3B04+25w
    FSR:103A ; sub_3B04+2Aw ...
    FSR:103A ; Arm_Reset COP Timer Circuitry
    FSR:103B PPROG: fcb 0 ; DATA XREF: MAINsub_4F8D+109Ew
    FSR:103B ; MAINsub_4F8D+10AAw ...
    FSR:103B ; EEPROM Program Control Register
    FSR:103C HPRIO: fcb $35 ; DATA XREF: __RESET-AC20w
    FSR:103C ; STATBYTESETsub_62B2+23w
    FSR:103C ; Highest Priority I-Bit Int and Misc
    FSR:103C ; loaded with $15
    FSR:103D INIT: fcb 1 ; DATA XREF: __RESET-AC47w
    FSR:103D ; RAM and I_O Mapping Register
    FSR:103D ; loaded with $01
    FSR:103E TEST1: fcb 0 ; Factory Test

    These are the registers ID you might be missing.
    The multiplexer configuration varies by pcms so I can't help much on that. Maybe some high res pictures of the 97 pcm board can be used for comparison.
    Code:
    ldx #PORTG [$1002] ; L02 AD
    bclr 0,x 7
    ldaa #3
    oraa 0,x
    staa 0,x
    sei
    ldaa #6
    staa ADCTL [$1030] ; A_D Control Register
    mul
    mul
    mul
    nop
    ldaa ADR1 [$1031] ; A_D Result Register 1
    staa byte_124
    Does this make more sense? Anyway you should trace the channels on the board hardware. Robertisaar has done that on similar 94 v6 pcm, but he is not very active lately.


    Most of the code is data conversion, table lookup and interpolation. There is a lot of obd2 stuff that really does nothing. Much easier is to focus on result of the subroutine and the purpose of it.


    Easiest for 1's and 2's for me is ...

    calc_acc = ~calc_seed; // One's
    calc_acc = -calc_seed; // Two's
    Does this add 1 to the final result? You said it is off by one. Is it off by +1 or -1 on 2's complement?
    Last edited by kur4o; 01-11-2019 at 11:29 PM.

  14. #14
    Fuel Injected!
    Join Date
    Jan 2019
    Location
    Canada
    Posts
    477
    Hi,

    In the '97 code, A/D uses this sort of code with a small change to the code "ORRA" to other values. Each represents a different analog... I *think* I know which they are but need to be more sure. There are only two of the four channels of a/d used but each has (i think) an 8:1 analog mux in front. That would get to 16 analog values o2 sensors, engine coolant temp, air temp, corvette oil temp, transmission temp, battery voltage and so on. I almost have a complete list now. If I can find a list of the PIDs somewhere that would almost solve this. <sigh>
    <edit> Just for clarity.. #$1002 is port G. Code clears the lower 3 bits which switch the mux. Code then ORs the lower 3 bits so as not to change the upper 5. Then runs the a/d and waits real time for the conversion to finish. The case I show is for MAP sensor (I think) <edit>

    My bench test ECM setup is almost done. I cracked open a donor ECM, pinned out all the wires to barrier strips. Things are much easier with a good test setup. I will inject signal into the unit to resolve inputs IF I can't find good PID info.

    * A/D 5, INPUT 1
    6773 CE 10 02 LDX #$1002 ; EXTERNAL ANALOG MULTIPLEXER
    6776 1D 00 07 BCLR $00,X,$07 ; CLEAR THE INPUT SELECTION BITS

    6779 86 01 LDAA #$01 ; NO CHANGE TO 5 MSB
    677B AA 00 ORRA $00,X ; SELECT INPUT 1
    677D A7 00 STAA $00,X ;

    677F 86 05 LDAA #$05 ; START A/D CH5
    6781 B7 10 30 STAA $1030 ; READ MANIFOLD ABSOLUTE PRESSURE?
    6784 3D MUL ; REAL TIME DELAY
    6785 3D MUL ;
    6786 3D MUL ;
    6787 01 NOP ; TOTAL OF 31 CYCLES
    6788 B6 10 31 LDAA $1031 ; READ MAP SENSOR
    678B 81 0B CMPA #$0B ; TEST ANALOG
    678D 22 38 BHI $67C7 ; BRANCH

    Your question re complement: In c, c++ the ~operator does a not function. That is flip each bit. That's it... one's complement. Two's complement changes sign thus negating the value gives you two's comp.
    The code I sent has been fixed such that it works for my case. The problem I raise is that the way I fixed it leaves one end case as a question. Depending on how you fix it will give a different result for HH = LL case
    I believe the document had a typo and the code is now OK. but without testing that case....

    I have not used boards like this before. How do you insert those frames with code in them??
    -Tom

  15. #15
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,469
    If I can find a list of the PIDs somewhere that would almost solve this.
    I sent you a pm.

    I will inject signal into the unit to resolve inputs
    Most of the code runs on a valid opti signal. So you need to generate that type of signal first to unlock the full code running for all kind of experiments.
    Most of the inputs and switches will report changes without the opti signal. If you go through the obd1 disassembly you will notice that the main engine running irq loop is 90% the same with the obd2 stuff. That will help you to quickly identify most of the engine related stuff. The map, tps and other sensor AD conversion is identical.

    Two's complement changes sign thus negating the value gives you two's comp.
    At least on the 2's complement checksum calculations when you negate the number, you add 1 to it. So when you add the checksum to the calculated sum you get zero. Maybe that's the case here.

    How do you insert those frames with code in them??
    You type "[CODE] ...data... parenthesis/CODE]"
    On the advanced reply menu there is the # symbol that will do the same.
    Maybe that is the case here.
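
The one's versus two's complement question from posts #10 to #15, worked through as an added example (not code from the attached document or from any poster). It evaluates the quoted 0x2A rule under three readings and counts where the two candidate corrections disagree; the function names are hypothetical, and HH and LL are assumed to be two plain 8-bit inputs, since the thread does not define them.

```c
#include <stdint.h>
#include <stdio.h>

/* One's complement: flip all 16 bits (C's ~, truncated back to 16 bits). */
static uint16_t ones_complement(uint16_t v) { return (uint16_t)~v; }

/* Two's complement: (0xFFFF - v) + 1 modulo 2^16, the same as C's -v. */
static uint16_t twos_complement(uint16_t v) { return (uint16_t)(0xFFFFu - v + 1u); }

/* 16-bit rotate right, as in the "ROR 3" step of the quoted example. */
static uint16_t ror16(uint16_t v, unsigned n)
{
    n &= 15u;
    if (n == 0)
        return v;
    return (uint16_t)(((uint32_t)v >> n) | ((uint32_t)v << (16u - n)));
}

/* Three readings of the 0x2A rule. hh and ll are whatever bytes the
 * document means by HH and LL (assumption: two plain 8-bit inputs). */
enum reading {
    AS_WRITTEN,      /* HH > LL -> two's, else one's (the quoted line)     */
    COMPARE_FLIPPED, /* HH < LL -> two's, else one's (comparison reversed) */
    MODES_SWAPPED    /* HH > LL -> one's, else two's (complements swapped) */
};

static uint16_t complement_step(uint16_t v, uint8_t hh, uint8_t ll, enum reading r)
{
    int use_twos;
    switch (r) {
    case AS_WRITTEN:      use_twos = hh > ll;    break;
    case COMPARE_FLIPPED: use_twos = hh < ll;    break;
    default:              use_twos = !(hh > ll); break;
    }
    return use_twos ? twos_complement(v) : ones_complement(v);
}

/* Count the (HH, LL) pairs for which the two candidate corrections disagree. */
static int count_fix_disagreements(uint16_t v)
{
    int n = 0;
    for (int hh = 0; hh < 256; hh++)
        for (int ll = 0; ll < 256; ll++)
            if (complement_step(v, (uint8_t)hh, (uint8_t)ll, COMPARE_FLIPPED) !=
                complement_step(v, (uint8_t)hh, (uint8_t)ll, MODES_SWAPPED))
                n++;
    return n;
}

int main(void)
{
    uint16_t seed = 0x1234; /* seed value quoted from the document in post #5 */
    uint16_t one = ones_complement(seed), two = twos_complement(seed);

    printf("one's: %04X  ROR 3: %04X\n", one, ror16(one, 3));
    printf("two's: %04X  ROR 3: %04X\n", two, ror16(two, 3));
    /* Checksum view from post #15: value + two's complement wraps to zero. */
    printf("v+two's: %04X  v+one's: %04X\n",
           (uint16_t)(seed + two), (uint16_t)(seed + one));
    printf("fixes disagree on %d of 65536 (HH, LL) pairs\n",
           count_fix_disagreements(seed));
    return 0;
}
```

The two corrections agree everywhere except the 256 pairs where HH equals LL, so a test vector with equal bytes is what separates them.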
