PCM flashing
Thread Starter
Supreme Member
iTrader: (2)
Joined: Jan 2002
Posts: 9,962
Likes: 5
From: Moorestown, NJ
Car: 88 Camaro SC
Engine: SFI'd 350
Transmission: TKO 500
Axle/Gears: 9-bolt w/ 3.23's
PCM flashing
I've been wanting to write something to allow flashing of the '411. Sort of brainstorming on how best to do it. On the PCM side, things don't seem too difficult. The actual handling of the flash chip is fairly easy. The '411 has an EEPROM emulator for the "flight data recorder", which records critical vehicle parameters in the event of an accident, using the flash chip. As such, most of the needed routines are there. Essentially they can be used to write the memory resident program that handles the flashing. The flash chip itself is inaccessible during a reflash due to it being set up to accept writes from the PCM, so everything has to live in the RAM.
One nice thing about the '411, or at least the cals I've been working with, is that, provided you don't waste the OS section, the PCM will survive a misflash of the calibration section. The PCM still starts normally and allows normal OBD comm., but in the event of a corrupt flash section, it disables the fuel delivery, inhibiting the engine, and sets a faulty PCM DTC. If the OS section is corrupted, then there's a real chance of bricking the PCM since it's not likely to boot up properly and be accessible. I've verified this with a road runner. You can be ham-fisted with the calibration section, but the OS is touchy.
The main issue is what to use to do the reflash. The easiest thing at this point looks like the ELM 327. As far as I know, the flash can be done in only 1x VPW. Seems like a major wrinkle, but mainly only the calibration section will be changed. There's no need to change the OS unless a full reflash is in order. Thus, it won't take more than a few minutes to implement a change. It also has the nice feature of an A/D, which is needed to monitor the battery voltage. If the voltage drops below 12V, the vreg cuts out, and disables the VPP on the flash, locking it.
It does have limitations in addition to the 1x VPW restriction. Unlimited length block reads are allowed, but the max transmit is 8 data bytes in block xfer mode, which means a greater percentage of the time is needed to transfer the data. It's also an RS-232, which means an adapter is needed for later USB-only laptops.
As far as I know, the only other open-source alternative is really the AVT boards, but they're expensive from what I've seen.
Member
Joined: Jul 2004
Posts: 419
Likes: 1
From: Salem,Oregon.
Car: '74 Firebird, '84 vette
Engine: 454 twin turbo, 350 HSR
Transmission: 4L80E, 700R4
Axle/Gears: 9", Dana36
Re: PCM flashing
An ELM327-compatible flashing utility would be so very nice. Myself, I don't really care about the time it may take to flash; just the ability to do so is enough for me at this point.
Re: PCM flashing
I found this on another forum discussing scan tools and found it very interesting. If a fancy cell phone can clear trouble codes, then a write program should not be that difficult for a software engineer... which I am not, so please don't flame me if I am oversimplifying this...
HTH!
if you have a DROID phone you can get a $24 OBDII bluetooth adaptor and a $5 torque pro software and have a scanner for less than $30. I got that setup and it works better than I would have ever expected. I have plugged it into a 05 Trailblazer, 08 Cadillac CTS, 07 Mercedes sprinter van, 01 duramax, 06 duramax, 06 saturn, etc. It works in everything I have tried so far and I am very impressed with it. in addition to live data and customizable gauges it reads and clears every fault code I can think of.
Joined: May 2004
Posts: 2,262
Likes: 1
From: houston
Car: 83 POS monte carlo 2015 chevy P/U
Engine: 92 5.7 tpi 5.3
Transmission: 700r4 6L60E
Axle/Gears: 2.42 too high
Re: PCM flashing
that's using what is known as a generic scan tool.
it does let you look at some of the readings and run a few tests, but there is a lot more in the manufacturer's specific side of it.
you can think of it like this, from here >......< to here is the generic side.
from here >....................................< to here is the manufacturer's specific side.
before i left the last auto shop i was at, we were looking into getting a tool to reflash PCMs. they weren't cheap, IIRC the starting price on the cheap side was ~ $1000.00.
that was just for the tool and didn't include access to a library for the software or a computer to load the update into the flash tool. it seems like with that tool you had to use either a laptop or have a desktop within a few feet of the car you were going to reflash.
if we had got one, i feel pretty sure the software would have gotten loose here.
Re: PCM flashing
from here >....................................<to here is the manufacturer's specific side.
It's not the answer I know! But very cool and cheap for a cell phone app.
So WinFlash will do what is needed here for an LT1 PCM with a simple cable. I have that.
Jet DST, the old TunerCat OBDII does it with a cable and a box in the middle. I still have software on PC but sold cable...
Looks like EFI Live is a box in the middle. I have that software, no cable or box.
So can this be done with just a cable? Or with OBDII or specifically 0411 just a cable? Or is the box in the middle part of the riddle? Or is the box in the middle how they limit licenses per vehicle?
Will a USB cable without box in middle handle this? That is already made for OBDII ALDL port for some LT1 that was OBDI. If that was the case then it is back to just software to flash PCM.
OP was talking about VPP and VCP. Well, I recently bought old technology to burn UV erase type chips. It is the old Willem's burner updated and called GQ-4x. Does a bazillion different chips with just USB power. Although the software said external power was needed, I contacted them again and they assured me it was not and a software update was needed. It does a lot of various voltages from very low up to 21 or 25 volts with just USB cable power to the burner. Could this burner already have what is needed? But instead of burning a chip, rewire or make an adapter for ZIF to cable to ALDL port! I have one, cost was $100 shipped.
So if any of that handles hardware end it's up to software?
Joined: May 2004
Posts: 2,262
Likes: 1
From: houston
Car: 83 POS monte carlo 2015 chevy P/U
Engine: 92 5.7 tpi 5.3
Transmission: 700r4 6L60E
Axle/Gears: 2.42 too high
Re: PCM flashing
i agree, it is a very cool little app. something i can see being popular even with some professional wrenches.
from my understanding, "the box in the middle" is just to limit the licenses.
as an example i can use, All Data, one of the companies who supply auto repair manuals on disk for auto repair shops uses a similar setup.
with a monthly subscription you get a set of disks and a thing they call a dongle. the dongle is used as an electronic subscription key and plugs into either a printer port or a USB port. each time you start the program, the software looks for the subscription key.
somehow, the software can write to the dongle because after a while the program no longer works. as long as you keep current on the subscription, they send you new updated disks every 3 months. once you load the new installation disk and it updates, it continues to work.
the way i know it has to write to the dongle is because i reset the date and tried to load an old installation disk on my home computer and installed the dongle. when i got it done and tried to run it, i got the same message that the subscription had expired.
i did a few searches on the net and read that with the right program, the dongle could be bypassed, but i never looked into it.
Re: PCM flashing
So we have a USB cable for OBDII already!
Now can the GQ-4X do the write? Been looking through it and it's very versatile. This idea now has to be looked at by someone who understands what 0411 needs? Software is available at:
http://www.mcumall.com/comersus/stor...namicIndex.asp
Prices are cheaper through their USA affiliate, but I found the USA affiliate prices even cheaper on ebay...
Member
Joined: Jul 2004
Posts: 419
Likes: 1
From: Salem,Oregon.
Car: '74 Firebird, '84 vette
Engine: 454 twin turbo, 350 HSR
Transmission: 4L80E, 700R4
Axle/Gears: 9", Dana36
Re: PCM flashing
No, you can't use a chip burner to re-flash an OBD2 computer through the port. They basically have an internal flash programmer that programs the flash chip; you just send the commands to do so and what data you need programmed through the ALDL using the J1850 VPW protocol. The problem is that there are some security features to make this hard to do without the right codes; those that have the info don't share.
Re: PCM flashing
OK thanks for explanation.
I am just throwing out ideas of tech that is available to see if someone is capable of reverse engineering what we have. The GQ4x does VPP and VP? which I thought change voltages, so I thought what it had could be put to good use. Since it can burn so many different chips, it could probably do this PCM as well. But what you're saying is not through the ALDL port because of a protocol we have no info on. But if it had a direct connection, no ALDL port to go through, it probably could do the flash, but still not erase... no, it can erase the chip if the chip is erasable!
Sometimes newbies to a topic ask silly questions! But it sparks an idea to knowledgeable ones who can't even answer the question it was so simple... I have learned much on things I thought I knew all on because of this. It's just another person's perspective at that time.
The thought of being able to use TP past OBDI is wonderful!
Thread Starter
Supreme Member
iTrader: (2)
Joined: Jan 2002
Posts: 9,962
Likes: 5
From: Moorestown, NJ
Car: 88 Camaro SC
Engine: SFI'd 350
Transmission: TKO 500
Axle/Gears: 9-bolt w/ 3.23's
Re: PCM flashing
The need for a "box in the middle" is a requirement for the OBD-II as these don't use a standard type of serial interface like the pre-'96 computers. They use either VPW (in our case) or CAN for '03 and up. These function like LAN in that they have a CRC, collision detection, addressability, priority levels, echo, and other network-specific things so multiple devices can share one duplexed dataline. The box basically contains a controller that translates the PC's commands into the appropriate standards and handles the communications autonomously. The PCM has a similar interface. The interface itself is an IC that's autonomous with Tx/Rx buffers and an internal controller. I have a datasheet somewhere for the ones used in the 96-02 PCMs.
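The CRC, addressing and priority fields mentioned in the post above, as an added example that is not part of the original thread: it validates the trailing CRC-8 of a J1850 VPW frame and decodes its three-byte header. The function names, the sample frame and its addresses are constructed for illustration.

```python
from dataclasses import dataclass


def crc8_j1850(data: bytes) -> int:
    """SAE J1850 CRC-8: polynomial 0x1D, initial value 0xFF, final XOR 0xFF."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Shift left; fold in the polynomial when the top bit falls out.
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


@dataclass
class VpwFrame:
    priority: int   # top three bits of the first header byte, 0 is highest
    target: int     # destination node address
    source: int     # sending node address
    payload: bytes  # mode byte and data, CRC stripped


def build_frame(header: bytes, payload: bytes) -> bytes:
    """Append the CRC the bus interface would add on transmit."""
    if len(header) != 3:
        raise ValueError("this example handles three-byte headers only")
    body = header + payload
    return body + bytes([crc8_j1850(body)])


def parse_frame(raw: bytes) -> VpwFrame:
    """Reject short or corrupted frames, then split out the header fields."""
    if len(raw) < 4:
        raise ValueError("frame shorter than header plus CRC")
    body, received = raw[:-1], raw[-1]
    expected = crc8_j1850(body)
    if received != expected:
        raise ValueError(f"CRC mismatch: got {received:02X}, expected {expected:02X}")
    return VpwFrame(body[0] >> 5, body[1], body[2], body[3:])


def demo() -> None:
    # Constructed sample: header 6C 10 F1 with a one-byte payload.
    good = build_frame(bytes([0x6C, 0x10, 0xF1]), bytes([0x3F]))
    print("frame:", good.hex(" ").upper(), "->", parse_frame(good))

    # Flip one bit, as line noise would, and show that the receiver drops it.
    bad = bytearray(good)
    bad[3] ^= 0x01
    try:
        parse_frame(bytes(bad))
    except ValueError as err:
        print("rejected:", err)


if __name__ == "__main__":
    demo()
```
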
Joined: Apr 2004
Posts: 3,180
Likes: 3
From: Browns Town
Car: 86 Monte SS (730,$8D,G3,AP,4K,S_V4)
Engine: 406 Hyd Roller 236/242
Transmission: 700R4 HomeBrew, 2.4K stall
Axle/Gears: 3:73 Posi, 7.5 Soon to break
Re: PCM flashing
The problem is that there are some security features to make this hard to do without the right codes; those that have the info don't share.
Maybe some trickery like a hardware trigger point that might bypass the security and allow a reflash? Hardware CS redirection to an external memory chip with the same addressing that could be burned conventionally.
Probably end up with a few doorstops before it is figured out though.
Just tossing ideas.
Member
Joined: Jul 2004
Posts: 419
Likes: 1
From: Salem,Oregon.
Car: '74 Firebird, '84 vette
Engine: 454 twin turbo, 350 HSR
Transmission: 4L80E, 700R4
Axle/Gears: 9", Dana36
Re: PCM flashing
I've been saying for years that it may actually be easier to reverse engineer a Hypertech or similar programmer and figure out how they upload code to the PCM. If I had the hacking skills, money and time I'd do it, but I'm always short by two or all three of those things.
I have read on some other forums that there is a security key code that needs to be sent to the PCM. Apparently there is a utility available online that will start trying each possible key code until it figures out the right one for your computer. This sounds to me VERY similar to the common software protection scheme used on many PC programs. It just so happens that good hackers almost always come out with "keygens" which can generate a key number for you based on the same criteria that the program to be unlocked uses to generate the key number it is looking for. When we know that algorithm we should be able to have TunerPro generate the proper key code automatically.
The info is out there, the trick is getting somebody to share. I still say reversing a handheld programmer to figure out the procedure may be the way to go. After all, their tuning sucks, their programming probably isn't so masterful either. I'm taking a wild guess and predicting that a handheld programmer probably uses an 8051 uC which most embedded programmers are familiar with (especially the older, more experienced guys).
Thread Starter
Supreme Member
iTrader: (2)
Joined: Jan 2002
Posts: 9,962
Likes: 5
From: Moorestown, NJ
Car: 88 Camaro SC
Engine: SFI'd 350
Transmission: TKO 500
Axle/Gears: 9-bolt w/ 3.23's
Re: PCM flashing
I have most of the source code for the '411. I'm going to use the routines as basically pre-fabbed blocks to build the flash utility. GM basically gives you everything you need. Both the comm. and flash chip handling routines. Just a matter of getting the ones I need, and writing a kernel to make it all tick.
Once you have secure access, IIRC a mode 36 call will allow an upload to memory and then a request for control. At that point, you transmit the location of the flash utility, and the PCM jumps there to continue execution.
The keys are pretty simplistic if I recall. I have the formula written somewhere. It's easier than what was on my black box. That has its keys stored in an external EEPROM for added security. With that one, they have to be requested one at a time. IIRC, the '411 has them (or the basic formula) right in the flash.
The only major kinks will be handling a reflash in a later model car, as those have lots of other things on the OBD line, so it may be tricky to silence the other things on the OBD port, and handle other modules communicating with each other. There's also the management of the internal VPW communications processor. That actually does all the work, and needs to be given commands and serviced before the buffers overflow. I have all the routines from my black box, which uses the same chip. IIRC, it's pretty involved.
Last edited by dimented24x7; Jan 7, 2012 at 10:44 PM.
Member

Joined: Sep 2002
Posts: 294
Likes: 0
From: Holly, Michigan
Car: '01 GMC Sierra
Engine: 5.3L
Transmission: 4L60e
Axle/Gears: 3.73 eaton locker
Re: PCM flashing
Mode 28 will stop the modules on the data bus from communicating and then a periodic scan tool present mode 3F will keep them from communicating.