Seed/Key, what is the purpose?



N0DIH
November 25th, 2008, 09:57 AM
Ok, this might be obvious to some, but honestly I have posed the question to many and got no answer.

What is the purpose in life for the Seed/Key? In all honesty, it ISN'T security, it is too easy to get. So what else? Simply to ensure the right .bin goes with the right PCM?

Just wondering!

Chuck CoW
November 25th, 2008, 10:40 AM
Ok, this might be obvious to some, but honestly I have posed the question to many and got no answer.

What is the purpose in life for the Seed/Key? In all honesty, it ISN'T security, it is too easy to get. So what else? Simply to ensure the right .bin goes with the right PCM?

Just wondering!

Seeds grow plants... and keys open locks.

It actually is security because it can take weeks sometimes (trying every 8 seconds) to get a match....

The seed and key are in HEX and actually represent WAY MORE combinations than they appear to.

You need to have BOTH the seed and key "correct" to open the lock.

The possible combinations are huge considering the 4 hex digits in each part.

Remember HEX is base 16....not base 10.

Chuck CoW

GMPX
November 25th, 2008, 11:40 AM
Each controller uses a different seed/key algorithm. This ensures that you can't accidentally try to program a LS1 PCM with a Diesel tune, nor can anyone just blatantly reprogram the PCM without figuring out each controller's security algo.

For example (and this is very simplified).
Assume a LS1 PCM sends back a seed of $2000. The algo to calculate the unlock key is simply to add 1, EFILive would send back a key of $2001 and bingo, the PCM is unlocked and you can proceed to reflash the ECM.
Now, let's say on a Diesel ECM the algo was to add 2, then EFILive would send back a key of $2002.
This way there is no way the Diesel ECM would allow the LS1 tune to be flashed as the key would be wrong. EFILive knows what controller it is trying to flash and therefore the algo to calculate the key will only work on that controller type.
Each PCM has a brute force timer to stop multiple requests of invalid keys, so if you send the wrong key twice then the PCM won't allow another attempt for 10 seconds; multiply that by 65533 possible key values and it kind of drags out a bit.
For myself, I can have the flash chip off, reprogrammed in an EPROM burner and back on in about 20 mins with a valid seed/key pair if the PCM was locked.

I don't think GM's intention behind the seed/key was Fort Knox type security, it serves its simple purpose well. I have tried to figure out if there are any backdoors left open by GM but there aren't, they thought it out quite well.

Cheers,
Ross
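A toy simulation of the handshake Ross describes, added here as an example and not EFILive's or GM's code: the $2000 seed and the +1 / +2 key rules are the post's simplified stand-ins, the SimPCM class and tool_unlock function are invented names, and the "$0000 seed once unlocked" behaviour follows later replies in this thread.

```python
# Toy model of the seed/key handshake described in the post above.
# Constructed for illustration: the +1 / +2 key rules are the post's
# simplified stand-ins, not any real controller's algorithm.

# Key rule per controller type: the flash tool must pick the right one.
KEY_ALGOS = {
    "LS1": lambda seed: (seed + 1) & 0xFFFF,     # toy rule from the post
    "Diesel": lambda seed: (seed + 2) & 0xFFFF,  # toy rule from the post
}
WRONG_KEYS_BEFORE_LOCKOUT = 2   # from the post: two wrong keys ...
LOCKOUT_SECONDS = 10            # ... then no attempts for 10 s


class SimPCM:
    """Simulated controller: hands out a 16-bit seed and checks the key."""

    def __init__(self, kind, seed=0x2000):
        self.kind = kind
        self._seed = seed
        self._expected_key = KEY_ALGOS[kind](seed)
        self.unlocked = False
        self._wrong = 0
        self._locked_until = 0.0   # simulated clock, in seconds

    def request_seed(self):
        # Later replies in the thread note that an unlocked PCM answers $0000.
        return 0x0000 if self.unlocked else self._seed

    def send_key(self, key, now):
        """Return 'unlocked', 'rejected' or 'lockout' for a key sent at time now."""
        if now < self._locked_until:
            return "lockout"            # brute-force timer still running
        if key == self._expected_key:
            self.unlocked = True
            self._wrong = 0
            return "unlocked"
        self._wrong += 1
        if self._wrong >= WRONG_KEYS_BEFORE_LOCKOUT:
            self._locked_until = now + LOCKOUT_SECONDS
            self._wrong = 0
        return "rejected"


def tool_unlock(pcm, assumed_kind, now=0.0):
    """Flash-tool side: compute the key for the controller type the tool
    believes it is talking to. The Diesel rule against an LS1 PCM (or vice
    versa) yields the wrong key, which is what keeps the wrong tune out."""
    seed = pcm.request_seed()
    if seed == 0x0000:
        return "already unlocked"
    return pcm.send_key(KEY_ALGOS[assumed_kind](seed), now)


def blind_guess_worst_case_seconds(key_space=65533, lockout=LOCKOUT_SECONDS):
    """The post's rough figure: 65533 candidate keys, each costing a 10 s
    wait once the timer is running (655330 s, roughly 7.6 days)."""
    return key_space * lockout


if __name__ == "__main__":
    ls1 = SimPCM("LS1")
    print("LS1 tool on LS1 PCM:", tool_unlock(ls1, "LS1"))        # unlocked
    diesel = SimPCM("Diesel")
    print("LS1 tool on Diesel ECM:", tool_unlock(diesel, "LS1"))  # rejected
    print("worst case for blind guessing, days:",
          blind_guess_worst_case_seconds() / 86400)
```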

N0DIH
November 25th, 2008, 11:44 AM
Where is the S/K stored? Is it software in the flash or in another E^2 somewhere else? Or is it in the processor's EEPROM?


Each controller uses a different seed/key algorithm. This ensures that you can't accidentally try to program a LS1 PCM with a Diesel tune, nor can anyone just blatantly reprogram the PCM without figuring out each controller's security algo.

For example (and this is very simplified).
Assume a LS1 PCM sends back a seed of $2000. The algo to calculate the unlock key is simply to add 1, EFILive would send back a key of $2001 and bingo, the PCM is unlocked and you can proceed to reflash the ECM.
Now, let's say on a Diesel ECM the algo was to add 2, then EFILive would send back a key of $2002.
This way there is no way the Diesel ECM would allow the LS1 tune to be flashed as the key would be wrong. EFILive knows what controller it is trying to flash and therefore the algo to calculate the key will only work on that controller type.
Each PCM has a brute force timer to stop multiple requests of invalid keys, so if you send the wrong key twice then the PCM won't allow another attempt for 10 seconds; multiply that by 65533 possible key values and it kind of drags out a bit.
For myself, I can have the flash chip off, reprogrammed in an EPROM burner and back on in about 20 mins with a valid seed/key pair if the PCM was locked.

I don't think GM's intention behind the seed/key was Fort Knox type security, it serves its simple purpose well. I have tried to figure out if there are any backdoors left open by GM but there aren't, they thought it out quite well.

Cheers,
Ross

CalEditor
November 25th, 2008, 12:50 PM
I am with N0dih

1999 CK10906
Delivering Dealer :
ISUZU GENERAL MOTORS AUSTRALIA LTD.
858 LORIMER ST.
MELBOURNE, AU 3207

********************************************************************

VIT2 data

********************************************************************

ssecuhn =
vin = %s %s ----------
snoet =
vmecuhn = 0
ssecusvn = 0
ecu_adr = 10
num_part = 0
numcms = 1
blocklen = 112
disp_type = 1
protocol = 1
swcompat_id = ffffffff
diagdata_id = 65535
shopcode =
progdate = 00000000
pinnum = 0
numseeds = 1
event_type = 1
seed = 4cde
config_area_size = 0
id = a7
chksum = 5789
table_len = 0
nav_info = 0000004d
reserved = 0
post_prog_instructions =

OSDI # = 9365095T
PCM # = 9366810
# of cal Segments = 7
Security Algorithim = 16
Read Algorithim = 5
Program Algorithim = 7

********************************************************************
This is from a Cadillac Northstar

********************************************************************

VIT1 data

********************************************************************

ssecuhn =
vin =
snoet =
vmecuhn =
ssecusvn = 65535
ecu_adr = 10
num_part = 1
partno = 12585589
partnum = 12585589
sub_asm = 12585667-54635
sub_asm = 12573807-7051
cvn_in_vit1 = 1
numcms = 1
blocklen = 0
disp_type = 0
protocol = 1
swcompat_id = ffffffff
diagdata_id = 65535
shopcode =
progdate = FFFFFFFF
pinnum = 0
numseeds = 1
seed = 4CDE
ecu_config_data_length = 0
id = a7
chksum = 0
table_len = 0
nav_info = FFFFFFFF, FFFFFFFF, FFFFFFFF, FFFFFFFF, FFFFFFFF
reserved = -1
numcms = 1
config_area_size = 0
devicetype = J2534
requesttype = dr-request

********************************************************************
The rest is http://i224.photobucket.com/albums/dd25/AJxtcman/smilies/secret.gif

Oh I guess I will post this. It is the Speed limiter
http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/Tables/Compare2.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/Tables/OBD2PCM.jpg

Yeah, I am just a Caddy tech that doesn't know anything.

CalEditor
November 25th, 2008, 01:02 PM
For myself, I can have the flash chip off, reprogrammed in a EPROM burner and back on in about 20mins with a valid seed/key pair if the PCM was locked.

Cheers,
Ross

I was unaware of that. So I can have the seed and key changed when I get the RoadRunner in the SIMTEC 5.G PCM?

GMPX
November 25th, 2008, 01:46 PM
Where is the S/K stored? Is it software in the flash or in another E^2 somewhere else? Or is it in the processor's EEPROM?
It's stored on the flash (for most ECMs), but that is the point: to gain access to the flash (via the OBD-II port) you need to know the key to get in, and you can't 'get' the key from the flash without knowing the key.
Pretty much like locking your keys in the car, you can't get in via the door without the key. Once in the car, you can get the key to get in the door, but at that point you are already in.

GMPX
November 25th, 2008, 01:51 PM
I was unaware of that. So I can have the seed and key changed when I get the RoadRunner in the SIMTEC 5.G PCM?
Yes, you could do that once you pull the flash off. I have several of those PCMs here but I have just never had the chance to pull the flash off the PCB to look at how the flash is arranged (apart from being Intel backwards).

Cheers,
Ross

CalEditor
November 25th, 2008, 02:05 PM
Yes, you could do that once you pull the flash off. I have several of those PCMs here but I have just never had the chance to pull the flash off the PCB to look at how the flash is arranged (apart from being Intel backwards).

Cheers,
Ross

Backwards?
What is it that you need to give me a VDF or whatever you call it?
I have more.
http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/Tables/Hex2.jpg

CalEditor
November 25th, 2008, 02:10 PM
http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/SIMTEC2.jpg

GMPX
November 25th, 2008, 02:36 PM
Backwards?
What I meant was, given these Siemens ECMs are using the C166 CPUs (from memory), it means 16-bit values are stored backwards (little-endian), aka 'what were they thinking'.

CalEditor
November 25th, 2008, 03:09 PM
This is used on 2000 to 2003. It uses 2 Infineon processors. The first is a SAK - C167CR - LM GA, the second is a SAK - C167CR - 4RM. The C167CR/SR are high-end members of the Infineon full featured single-chip 16-bit microcontrollers. High CPU performance is combined with peripheral functionality and enhanced I/O-capabilities. A wide variety of on-chip features such as large on-chip ROM, multi-functional standard peripherals, and application-specific peripherals (e.g. optional CAN) is available. The C167CR features an on-chip CAN module which has been designed to fulfill the requirements of automotive and industrial control applications. http://datasheet.digchip.com/216/216-11717-0-SAK-C167CR-4R33M.pdf


http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/33.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/44.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/SIMTEC.jpg

This is a P07
Hey guys

This is the 04 to 05 Northstar FWD PCM

This is known as a P07 PCM

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/HPIM0211.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/HPIM3640.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/HPIM3637.jpg

AM29F200BB

-55SE

0339ABA J

1997 AMD

----------------------------------------------------------------------------

AM29F800BB

-55SE

0343FBA HH

1996 AMD

-----------------------------------------------------

The two processors are

Infineon

SAK-C167CS-LM

BOSCH

BA SIEMENS 97
_____________________________________________________

CalEditor
November 25th, 2008, 03:10 PM
This is a P07 and a E22 side by side
http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/PCM.jpg

http://i224.photobucket.com/albums/dd25/AJxtcman/PCM%20Stuff/PCM%20types/PCMS-1.jpg

FWD Northstar vs a RWD Northstar for 2004 and 2005

CalEditor
November 25th, 2008, 03:19 PM
What I meant was, given these Siemens ECMs are using the C166 CPUs (from memory), it means 16-bit values are stored backwards (little-endian), aka 'what were they thinking'.

Stored backwards is what I was thinking.

Every 2000 and 2001 FWD Northstar uses 2 segments. The large segment is 421 kb and common in all 2000 and 2001. The VIN specific/Build is all in a smaller file. 76 kb

Every 2002 and 2003 uses one large file again, but it has a different cal ID. The small file is 76 kb again.

76 kb and I can't get a VDF built. I am spending tooooooooo much time looking at over 100 different cals and determining what = what

N0DIH
November 25th, 2008, 03:21 PM
:angel_innocent:


It's stored on the flash (for most ECM's), but that is the point, to gain access to the flash (via the OBD-II port) you need to know the key to get in, you can't 'get' the key from the flash without knowing the key.
Pretty much like locking your keys in the car, you can't get in via the door without the key. Once in the car, you can get the key to get in the door, but at that point you are already in :Eyecrazy:

GMPX
November 25th, 2008, 05:25 PM
This is a P07 and a E22 side by side
Is it just me or do they look like the same thing?
I assume internally they are different given one does the trans control too.

Cheers,
Ross

CalEditor
November 26th, 2008, 12:48 AM
Is it just me or do they look like the same thing?
I assume internally they are different given one does the trans control too.

Cheers,
Ross

I scanned a 2004 FWD Caddy. I built it as a 2003 and I had proper communication. I had a 2000 that I built as a 2004 and I had proper communication. If the protocol is incorrect the Tech II will state Wrong Vehicle Selected. This got me thinking. Same CPU in both, Hmmmmm. I wonder if I could install the P07 in a 2005 RWD Caddy and get the Tech II to communicate with the PCM over GMLAN.
I had no communication on the GMLAN
I filled the intake with gas and had to clean that mess up.

CalEditor
November 26th, 2008, 12:53 AM
I am about ready to buy software for the 2006 and up Northstars. Then I will work backwards to get the 2004 and 2005 RWD Northstars hammered out and then into the 2000 to 2003 to get those done. I am just missing too much. I had a friend help me with the big file and he found one line. I think it was injector rate vs voltage. I sent him the wrong file. I should have sent the smaller one.

ringram
November 27th, 2008, 12:59 AM
Keep hacking guys, that's what we like to see :)
When you get bored you can start on the Dodge ECUs

N0DIH
November 27th, 2008, 07:30 AM
I had heard Dodge had that rolling encryption making tuning hard. I also heard that another tuning shop had used TunerCat OBD1 to make a def file for it and was using that to tune them, but not sure what they used to flash unless they did it the old fashioned way, with my heat gun.... Has a great effect of rendering any "password" or S/K useless.... Like Ross said, like having your keys and being already inside the car.....


Keep hacking guys, that's what we like to see :)
When you get bored you can start on the Dodge ECUs

GMPX
November 27th, 2008, 10:36 AM
Well, pulling ECMs apart for tuning is commonplace on some European makes. Hopefully GM will never make us have to resort to that; let's keep the seed/key system they have now running for a bit longer please!
http://wiki.obdtuning.com/index.php?title=BDM-Instruktion

Cheers,
Ross

CalEditor
November 29th, 2008, 01:51 PM
Ross do you have access to TIS and a Tech II or a MDI?

GMPX
November 30th, 2008, 10:42 AM
Yes, TIS2WEB (ACDelco TDS) plus a Mongoose and TechII.

Garry
November 30th, 2008, 08:51 PM
Well, pulling ECMs apart for tuning is commonplace on some European makes
... which often is due to the fact that the tuning information is stored on (E)PROMs, which can only be changed by removing ... ;) GM's solution is much nicer ... :)

GMPX
November 30th, 2008, 09:34 PM
Not so I'm afraid. The reason is that pulling the ECM apart like shown in those photos means you do not have to worry about figuring out the reflash process; some of those European cars have encryption on the comms which would make reflashing via the OBD-II port very hard (if not impossible).
The ECMs shown are all PowerPC based; given that, with the BDM port on the PowerPC you can dump the entire contents of the flash (internal or external) without worrying about any OBD-II comms.

Cheers,
Ross

CalEditor
December 1st, 2008, 01:16 AM
Yes, TIS2WEB (ACDelco TDS) plus a Mongoose and TechII.

Great Ross

I will send you an email on a process I use to flash custom tune with TIS.
Maybe you already know how.

GMPX
December 1st, 2008, 11:26 AM
Thanks but I really have no need, these days I rarely ever do actual tuning!
I have a feeling I know what you do though, as all files that get flashed are cached on the PC.

Cheers,
Ross

CalEditor
December 1st, 2008, 04:38 PM
I got the idea about 2 years ago after reading about SPAT zip files.

Then I had some issues and dropped it.

I got talking with some friends and it just clicked.

CalEditor
May 12th, 2009, 12:58 PM
I had a Seed of $5F0D and I did "something" and now it is $0000. Is this now Security locked or is it open?

I will try to get more info on what I did.

MICK
May 12th, 2009, 01:44 PM
You could disable the Seed/Key by setting the PCM Vulnerability flag.

That will shut down the seed/ key side of things.

There are two sides to locking a pcm, those who do and those who don't.

Funny, as recently a tuning shop asked me if I could disable PCM locking on LS1's...... good result..... :)

Mick

TFZ_Z06
May 12th, 2009, 02:52 PM
I had a Seed of $5F0D and I did "something" and now it is $0000. Is this now Security locked or is it open?

I will try to get more info on what I did.

I believe that's the OBD2 response for the correct key.

CalEditor
May 12th, 2009, 03:09 PM
The Seed is back to $5F0D. Hmmmm BCC isn't listed

wait4me
May 13th, 2009, 01:30 AM
Manufacturers counter back to a number greater than zero could have made it show a 0000 request. Then after the counter goes back down to 0, then it would report the key. 0000 means unlocked, HOWEVER there is a bug on some TIS programming events that will do that on diesel and it needs a key still.

8407
September 10th, 2009, 04:52 AM
I see where the key is. But where does the algorithm live in the data in the EEPROM/ScanTool? I'm guessing that it must be somewhere in the binary file that was shown in an earlier post that showed the seed key. I'm looking for where it tells you to add, subtract, concatenate, or whatever it wants you to do to generate the seed key from the seed....

CalEditor
September 10th, 2009, 10:40 AM
What are you working on?

8407
September 11th, 2009, 01:44 AM
I am trying to unlock a transmission control unit so that I can flash it. I have sent the command to get the seed and successfully received it, which is four bytes.

Your earlier post with snap shots of the binary file really got me going. There are similar binary files (that live in the factory diagnostic tool) for this ECU that I have mined for other data, and I'm guessing one of these binary files contains the algorithm, hash tables, etc. necessary to compute the seed key from the seed. It's just the data/algorithm is hidden somewhere in the file and I am trying to mine it.

Thanks!!!!

8407
September 11th, 2009, 01:45 AM
BTW, it is a Mercedes transmission.

CalEditor
September 11th, 2009, 07:23 AM
http://www.checksumm.com/ or http://www.checksumm.com/chiptuning/

GMPX
September 11th, 2009, 10:39 AM
You will find the way GM do seed/key routines will be totally different to Merc.

e60
November 28th, 2012, 07:25 PM
What hex offset can I find the seed/key algorithm?

wait4me
November 29th, 2012, 01:24 AM
The algo will not be stored anywhere in the bin file or the cpu. It is just a number put there by the manufacturer, but you need the algo to find out what number they put there.

e60
November 29th, 2012, 05:06 AM
The algo will not be stored anywhere in the bin file or the cpu. It is just a number put there by the manufacturer, but you need the algo to find out what number they put there.

I guess I don't fully understand. So the BIN will have a number, the number is sent to the software which calculates a response based on the algorithm, and then sends it back to the ECU to gain access? Can't I get that seed number off of a stock unlocked ECU if I know the hex offset and transfer that to my locked ECU?

CalEditor
November 29th, 2012, 05:26 AM
Eric you will need a match set

e60
November 29th, 2012, 05:46 AM
So in the BIN are a matched set seed & key. The software calculates a key from the seed, which matches the key in the BIN? If I grab an ECU from Pick-n-Pull for 25 bucks I should be able to get a matching pair from reading the BIN?

e60
December 1st, 2012, 09:54 AM
So in the BIN are a matched set seed & key. The software calculates a key from the seed, which matches the key in the BIN? If I grab an ECU from Pick-n-Pull for 25 bucks I should be able to get a matching pair from reading the BIN?

Still wondering if this is possible. Can someone shoot me a PM with a valid seed/key combo for a GM v8?

CalEditor
December 1st, 2012, 10:00 AM
Still wondering if this is possible. Can someone shoot me a PM with a valid seed/key combo for a GM v8?

What year, make, model, engine and the OS

e60
December 1st, 2012, 10:15 AM
What year, make, model, engine and the OS

Well, it's a 2001 Chevy Corvette Z06, but it has an LS2 swap. How can I determine the OS?

CalEditor
December 1st, 2012, 10:29 AM
Send me the file and I will fix it

CalEditor
December 1st, 2012, 11:36 AM
Send me the file and I will fix it

I can put in a fail safe, but I think EFILive doesn't like it. If I remember correctly HPT doesn't mind. If I put this pair in then you will be able to read and write and all should be happy.

e60
December 2nd, 2012, 05:21 AM
I can put in a fail safe, but I think EFILive doesn't like it. If I remember correctly HPT doesn't mind. If I put this pair in then you will be able to read and write and all should be happy.

Awesome. I'll pull the chip today and get the file to you. Thanks a million