
Thread: Flash Protocol

  1. #1
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Flash Protocol

    So there are commands you can send over the OBDII plug that'll dump the flash ROM? As well as commands you can send over the OBDII plug to update the ROM?

    Are there also commands you can use to update certain memory addresses or can you only edit by getting the image, editing it, then reflashing it?
    &&-=#Determined to figure out the PCM in my 2k Impala#=-&&http://www.lynoise.com

  2. #2

    Re: Flash Protocol

    I played with EPROMs where you pull the chip and get the info, hexedit it, and reflash. I am considering a newer PCM for just that reason. I don't want to go to something like MegaSquirt just yet and I want to be able to add some advance.
    OBDII allows new files to be dumped into the PCM from either a computer interface or a tool. That's how GM does the upgrade for the supercharger setup on the 2.4 Cavy.
    I am new to the OBDII also so I'm here to learn the new stuff since it will be around for a while.. ;D
    Business Network Solutions - for all your PC, network, printer and computer security needs.

  3. #3
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Re: Flash Protocol

    OK I found some more info on programming the Flash Rom through the OBD2 port.

    There is a "4x mode" (41.6 kbps, not the standard 10.4 kbps that VPW uses) that needs to be used. I'm not sure which devices support this mode. I have found 1 that does though..
    http://www.avt-hq.com/products.htm#AVT-921 the 921, 931, and 932 support 4x mode. These devices are pretty expensive though. I wonder if the AutoTap v.2 supports 4x mode?

  4. #4

    Re: Flash Protocol

    The h/w won't really be the problem, I don't think..
    The stuff that's missing from the equation is some missing protocols, a good stable loader program etc.
    I'd love to sniff a Tech 2 sometime...

    Does anybody even have a loader prog yet? Freeware wise?

    Here's what Gary told me about what's needed.. Hope he doesn't mind me posting it ;D

    1) design and build an interface with a micro and an IC (typically Motorola HC58.. ) to communicate with the bus

    2) write the firmware for the interface that allows it to communicate between the PCM and the host PC and pass all the packets error-free.

    3) Decipher the seed and key routines that let you access the PCM in 'secured' mode

    4) Write a piece of firmware called a Loader that you must transfer to the PCM's RAM memory. The loader must copy itself into RAM, erase, program and communicate via OBD2 to the interface using whatever protocol you design. Error control here is very important.

    If you have a OBD2 bus sniffer, you can watch how the GM tech-2 performs this process. Most programmers 'borrow' the GM loader code and use it for all the PCM programming operations; more sophisticated folks write their own with special abilities that GM does not support (like the ability to upload the PCM memory).

  5. #5
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Re: Flash Protocol

    I might have access to a Tech-2 ;D
    Ideas on how to snoop the com and grab the loader?
    Where are you, RoboGeek? If we are close maybe we can get together with this one.

  6. #6

    Re: Flash Protocol

    Illinois...

    You could do a pass-through sniffer or a tap since there's access to the cable and port. Somebody would need to build a sniffer prog - mine are all for TCP/IP and I'm not sure how it would need to be done..

  7. #7
    HP Tuners Owner Keith@HPTuners's Avatar
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,395

    Re: Flash Protocol

    I have a tech-2.

    And.. I have to say this.. This site does not promote nor support any illegal activities such as reverse engineering of products without the creator's written consent.
    We got this guy Not Sure, ...

  8. #8

    Re: Flash Protocol

    Well.. that pretty much kills the flash through the port stuff then.. :-X

  9. #9
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Re: Flash Protocol

    What are the "legals" of using the GM code acquired through "snooping" the OBD2 port? I thought this was supposed to be public info anyways. I may be wrong. Maybe the non-standard OBD2 stuff (GM only) is not public?

  10. #10

    Re: Flash Protocol

    It's a 'grey' area.. you can watch what it sends and how it sends it but if you actually copy or modify the GM portion or the proprietary scanner parts then you're in violation. OBDII is an open standard but there's still copyrighted stuff passing over it.

    Technically thanks to the DMCA everything is copyrighted - even the binaries. So in theory even changing tables is a violation. But there's a thing called 'fair use' that says if you buy it, you own it and you have the right to use it as you see fit. And as long as Fritz Hollings (senator) doesn't get his way there's no way to really enforce it.
    And if you modify something more than 25% you can apply for a copyright.
    If you want some more info check out the electronic freedom foundation.. http://www.eff.org/
    That stuff will scare the pants right off ya!

  11. #11
    Potential Tuner
    Join Date
    Oct 2002
    Location
    Greenville MS
    Posts
    9

    Re: Flash Protocol

    I was working on a sniffer that used an ATmega128 which supports VPW but lost interest after someone told me the Tech 2 upload routine was encrypted. Cryptographic algorithms are way beyond my programming ability. :-/ I'm more hardware oriented than software. If someone with a lot of programming experience wants to help I'll build the hardware.

  12. #12
    HP Tuners Owner Keith@HPTuners's Avatar
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,395

    Re: Flash Protocol

    The SPS->Tech 2 may be encrypted but I don't see how the Tech 2->PCM could be encrypted. It's not like the PCM has decryption built in, right?

    We really need to come up with something here.. I'm sure if we all put our heads together we could come up with the read/write software using perhaps the B&B cable.

    What do you guys think?

  13. #13
    Tuner in Training
    Join Date
    Sep 2002
    Location
    Posts
    19

    Re: Flash Protocol

    The ATmega128 doesn't directly support VPW but used in conjunction with a transceiver (MC33390) you could in effect use it as a sniffer.. Everything I have read tells me that the communication with the PCM is not encrypted... The above combination would allow you to dump the communications between the two devices... I believe with a few dumps you could figure out the start commands and seed and keys or whatever they use...

    Basically, what I have figured out so far is it goes something like this:

    1. Send wake signal to PCM to prepare for communication and wait for response.

    2. Send some sort of authentication and seed and keys.

    3. Go into 4x mode to start programming or reading.

    The MC33390 supports 4x receive and transmit mode. Basically the only transceiver that I have found that allows you to transmit also.. they go for 2 bux at Digikey.

    The hardware for something like this could be made rather easily, and someone with a tech 2 or other programming device could make the dumps ;D Once the algorithm has been figured out, you could do this for virtually any GM vehicle.

    Kevin

  14. #14
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Re: Flash Protocol

    I am sooo up for this.
    You make the hardware and I'll write the software

  15. #15
    Tuner in Training
    Join Date
    Sep 2002
    Location
    Posts
    19

    Re: Flash Protocol

    That's good because I have been trying to figure out how in the heck I was gonna write the software.. I mean I can write the software for the MCU but the software to take the dumps and save em to disk, wasn't sure.. thought I was gonna have to break out the good old assembly language ref....

    Okay, I have a week off of school starting on Friday, and have a few projects to do.. this being one of them.. I will let ya know..

    Kevin

  16. #16

    Re: Flash Protocol

    Does anybody know for sure if it's encrypted? Everything I read is 50-50 on whether it is or not. But a lot of it is still people guessing.

    I have some of the communication protocols and commands somewhere.. I'll see if I can find them..

  17. #17
    Tuner in Training
    Join Date
    Sep 2002
    Location
    Posts
    19

    Re: Flash Protocol

    So here is some information I have found, seemingly from a very reliable source....

    Mode $01 - Request Current Powertrain Diagnostic Data
    Mode $02 - Request Powertrain Freeze Frame Data
    Mode $03 - Request Powertrain Diagnostic Trouble Codes
    Mode $04 - Request to Clear/Reset Diagnostic Trouble Codes
    Mode $05 - Request Oxygen Sensor Monitoring Test Results
    Mode $06 - Request On-Board Monitoring Test Results
    Mode $07 - Request Pending Powertrain Trouble Codes
    Mode $08 - Request Control of On-Board System, Test, or Component
    Mode $14 - Clear Diagnostic Information
    Mode $17 - Request Status of Diagnostic Trouble Codes
    Mode $19 - Request DTC Information by Status
    Mode $20 - Return to Normal Mode
    Mode $22 - Request Diagnostic Data by PID
    Mode $27 - Data Link Security Access
    Mode $28 - Disable Normal Message Transmission
    Mode $29 - Enable Normal Message Transmission
    Mode $2A - Request Diagnostic Data Packets
    Mode $2C - Define Diagnostic Data Packet
    Mode $34 - Request Download
    Mode $35 - Request Upload
    Mode $36 - Block Transfer Message
    Mode $3B - Request to Write Data Block
    Mode $3C - Request to Read Data Block
    Mode $3F - Test Device Present
    Mode $7F - General Negative Response
    Mode $A0 - Request High Speed Mode
    Mode $A1 - Begin High Speed Mode
    Mode $A2 - Programming Prompt
    Mode $AE - Request Device Control


    Kevin
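
An added example (not part of the thread or any poster's code) of how a passive bus monitor could validate captured frames and flag the reflash-related modes from the list above. It assumes a 3-byte header, then the mode byte, data and a trailing SAE J1850 CRC-8, and that a positive response carries the request mode plus $40; the capture bytes are constructed.

```python
MODES = {  # subset of the mode list posted above
    0x27: "Data Link Security Access", 0x34: "Request Download",
    0x35: "Request Upload", 0x36: "Block Transfer Message",
    0x3F: "Test Device Present",
    0xA0: "Request High Speed Mode", 0xA1: "Begin High Speed Mode",
}
SENSITIVE = {0x27, 0x34, 0x35, 0x36, 0xA0, 0xA1}  # modes tied to a reflash session

def crc8_j1850(data: bytes) -> int:
    """SAE J1850 CRC-8: polynomial 0x1D, initial value 0xFF, result inverted."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def with_crc(*body: int) -> bytes:  # builds a constructed sample frame
    return bytes(body) + bytes([crc8_j1850(bytes(body))])

def decode(frame: bytes) -> dict:
    """Assumed layout: 3 header bytes, mode byte, data, CRC byte."""
    if len(frame) < 5 or crc8_j1850(frame[:-1]) != frame[-1]:
        return {"valid": False}
    mode, kind = frame[3], "request"
    if mode == 0x7F and len(frame) >= 6:      # General Negative Response
        mode, kind = frame[4], "negative"     # next byte echoes the rejected mode
    elif mode - 0x40 in MODES:                # assumed positive-response offset
        mode, kind = mode - 0x40, "positive"
    return {"valid": True, "kind": kind, "mode": mode,
            "name": MODES.get(mode, "unknown"), "sensitive": mode in SENSITIVE}

def reflash_alerts(capture: list) -> list:
    """Return (index, kind, name) for every valid frame using a sensitive mode."""
    decoded = [(i, decode(f)) for i, f in enumerate(capture)]
    return [(i, d["kind"], d["name"]) for i, d in decoded
            if d["valid"] and d["sensitive"]]

# Constructed capture: header and payload bytes are illustrative, not from a vehicle.
_bad = with_crc(0x6C, 0x10, 0xF0, 0x36, 0x00)
CAPTURE = [
    with_crc(0x6C, 0x10, 0xF0, 0x3F),               # Test Device Present
    with_crc(0x6C, 0x10, 0xF0, 0x27, 0x00),         # Security Access request
    with_crc(0x6C, 0xF0, 0x10, 0x67, 0x00, 0x00),   # positive response to $27
    with_crc(0x6C, 0x10, 0xF0, 0x34, 0x00),         # Request Download
    with_crc(0x6C, 0xF0, 0x10, 0x7F, 0x34, 0x00),   # negative response to $34
    _bad[:-1] + bytes([_bad[-1] ^ 0xFF]),           # corrupted CRC, must be dropped
]

if __name__ == "__main__":
    print(reflash_alerts(CAPTURE))
```

Frames that fail the CRC are discarded before classification, so line noise on the tap cannot raise a false alert.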

  18. #18

    Re: Flash Protocol

    OK, here are a couple of hurdles you have to jump first.
    You need a proper VPW converter. One that supports 1x and 4x mode. Not a problem, Motorola has several. Next you need to use a micro to control it. Third, you need software that can communicate at the proper speed with the micro. The seed is an algo that changes from one base of production to the next. So even several sniffs will see the com data but the seed is diff for vehicle. To just read the flash it is enc and the tables are not laid out.
    2nd Place is the first looser by the way who is General Failure and why is he reading my disk anyways.

  19. #19
    HP Tuners Owner Keith@HPTuners's Avatar
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,395

    Re: Flash Protocol

    My thoughts..

    Why wouldn't the B&B device work for us? It supports both data modes. All we would need to do is come up with the software.

    Whatever you learn from snooping on the VPW end would have to be converted to RS232. Wouldn't it be better to listen in on an RS232 side?

  20. #20
    Tuner
    Join Date
    Sep 2002
    Location
    Troy, NY
    Posts
    69

    Re: Flash Protocol

    The Tech II doesn’t work through serial though, does it?
    Also the manner in which you talk to the B&B device is a proprietary protocol so even if you did snoop something else talking over serial to a VPW box it would be different on the B&B.