t87a unlocking

[veee8]

Yeah 2019 is a funky model year across the board for GM controllers. It is right where they started transitioning several different things, so it is worth double checking what the vehicle actually has. HPT's supported vehicle list isn't completely accurate for this stuff.

[jodeyb]

Well, here we go again, I've been tracking this post through its development of what appears to be a solution to unlocking the 87a in a way that hptuners can recognize, and I must say this is quite impressive. I haven't had time to play with changing the dll in the ways layed out by iron duke, and may not as I have been using boot mode to tune my modules while still factory locked.

This brings me to my next question, I would like to write my own dlls for certain controllers such as GM's E41, as I am trying to unlock an early 18 which can not be tuned without. I know it is not the same controller as I started the thread about but it does adhere to a lot of the same protocols as well as blending it with a lot of the new ones, and this could result in a pile of good information.

Currently before just jumping in head under water with trying to create my own dll, I am trying to learn to send UDS protocol messages over the can bus, as I believe this is all the dlls created are doing. Sending a series of messages quickly enough to keep the ecu in the correct programming modes and go through "unlocking' type security handshakes with seed/key algo's? Probably best I get the correct understanding of the flow control per UDS

I did notice that the Usbjtag software has a can logger mode and I have played around with it a little bit watching messages go by but I would like to be able to send raw messages which does not seem possible to do. So I have started playing with Universal Patcher again and the logger they implement, but am having some problems, and this is the only place I know to ask as my pcm hacking account has not been approved by antus yet.

I am using an obdxpro vx which I use for SPS and DPS programming regularly and is recommended to use with Universal Patcher softwares. I have the can bus lines terminated with a second 120 ohm resistor to achieve the 60 ohm requirement (I am assuming that is the requirement as ulink requires double termination). I am constantly getting a write message error and am receiving no traffic on the bus in return.

If anyone has an alternative solution or knows something that I do not as I am almost certain this is a user error problem I would appreciate it. I should also add that I can read the vin with my generic scanner app and UP but I am still not seeing any traffic.

[Ironduke]

Well, here we go again, I've been tracking this post through its development of what appears to be a solution to unlocking the 87a in a way that hptuners can recognize, and I must say this is quite impressive. I haven't had time to play with changing the dll in the ways layed out by iron duke, and may not as I have been using boot mode to tune my modules while still factory locked.

This brings me to my next question, I would like to write my own dlls for certain controllers such as GM's E41, as I am trying to unlock an early 18 which can not be tuned without. I know it is not the same controller as I started the thread about but it does adhere to a lot of the same protocols as well as blending it with a lot of the new ones, and this could result in a pile of good information.

Currently before just jumping in head under water with trying to create my own dll, I am trying to learn to send UDS protocol messages over the can bus, as I believe this is all the dlls created are doing. Sending a series of messages quickly enough to keep the ecu in the correct programming modes and go through "unlocking' type security handshakes with seed/key algo's? Probably best I get the correct understanding of the flow control per UDS

I did notice that the Usbjtag software has a can logger mode and I have played around with it a little bit watching messages go by but I would like to be able to send raw messages which does not seem possible to do. So I have started playing with Universal Patcher again and the logger they implement, but am having some problems, and this is the only place I know to ask as my pcm hacking account has not been approved by antus yet.

I am using an obdxpro vx which I use for SPS and DPS programming regularly and is recommended to use with Universal Patcher softwares. I have the can bus lines terminated with a second 120 ohm resistor to achieve the 60 ohm requirement (I am assuming that is the requirement as ulink requires double termination). I am constantly getting a write message error and am receiving no traffic on the bus in return.

If anyone has an alternative solution or knows something that I do not as I am almost certain this is a user error problem I would appreciate it. I should also add that I can read the vin with my generic scanner app and UP but I am still not seeing any traffic.

Just a couple notes on your comment.

You no longer need to use gmboot mode to write your own files. With the latest dll that comes with the latest version of ulink the unlock will not only allow hpt write but it will allow regular CAN write using the ulink nt. Select either t87aCAN or t87aCAN1, there's a post about which bootloader needs which version but once it's unlocked you no longer need to short the pins and feed the 5 volts.. just a regular bench connection. As of yet as far as I know nobody has tried in vehicle yet but with some tweaks and silence bus messages it should be very easy to accomplish.

The dll is a LOT more involved than seed and key, regular NOT locked ecm's and TCM's use seed and key to unlock and then write unencrypted files to them. The newer ecm's and tcm's like the T87a,T93, and E90 use seed and key but also the files have to be signed and they are also usually compressed/encrypted. The dll for the T87a used a special mode built into that particular chip that lets us read and write back the flash and usbbdm has broken down/decoded the boot kernel and modified it to allow unsigned flashing. I am not remotely close to being able to do that. All I did was modify the script file that automates the procedure a little bit as directed to include some eeprom changes. I'm not touching the dll or modifying his dll in any way.

I have no idea if other tcm's or ecm's are being unlocked in a similar way or there are other methods out there.

[veee8]

Be aware that the OS 24293216 did not play nice with the current U-Link software for the unlock. It does not allow CAN connection with the U-Link. GM Boot does work for read and write though.
It also required a little different values to work with HPT then the usual changes that have worked on all of the other 17-19 T87A's I have done.
Hopefully that will be fixed in a future release.

[usbbdm]

Be aware that the OS 24293216 did not play nice with the current U-Link software for the unlock. It does not allow CAN connection with the U-Link. GM Boot does work for read and write though.
It also required a little different values to work with HPT then the usual changes that have worked on all of the other 17-19 T87A's I have done.
Hopefully that will be fixed in a future release.

What do you mean? I have two targets xml for unblocked T87a. If one does not work then try the other. Do you mean the boot block is not supported? If so send me the whole back up and I can add support to it.

[veee8]

What do you mean? I have two targets xml for unblocked T87a. If one does not work then try the other. Do you mean the boot block is not supported? If so send me the whole back up and I can add support to it.

Sent you the file a little over a week ago by email. You mentioned you were having trouble with your T87A to be able to test with. Neither CAN target work with this OS, and you were able to see that there was a failure in the log when attempting to ID with remote Zoom session.

[usbbdm]

What do you mean? I have two targets xml for unblocked T87a. If one does not work then try the other. Do you mean the boot block is not supported? If so send me the whole back up and I can add support to it.

Sent you the file a little over a week ago by email. You mentioned you were having trouble with your T87A to be able to test with. Neither CAN target work with this OS, and you were able to see that there was a failure in the log when attempting to ID with remote Zoom session.

Need to get another TCU to try.

[veee8]

The service number on that particular TCM is 24290348 which has been superceded by GM to 24046814

[Ironduke]

The service number on that particular TCM is 24290348 which has been superceded by GM to 24046814

I'm more curious what the boot segment is..
You did try CAN and CAN1 as only one of those will work depending on which boot segment you have.. You might have a different one, last I knew usbbdm only had 3 different ones to work with.

[jodeyb]

well just to clear things up I got ahold of usbbdm and talked to him after making my post and he gave me quite a bit of information that was incredibly useful, basically if we can find the "gm boot mode" that works the same way as the t87a then it can be read and written. Even without being in boot mode it can be read and written, and I have some toys coming in the mail that may be able to get it done but it may never be able to be done with the ulink, unless a newer daughter board is released? And even then its a big maybe as I don't really understand the hardware involved with the usb side of things, only the can sheild board am I familiar with.

That being said, I have plenty of reason to believe that gm boot mode should be able to be found in the early 17-19 controllers such as the one I am currently working with, even tho I have been focused more on the software side of things just to hone in my understanding of how messages should appear over the bus and teach myself to manually debug small issues. The true gen 6 type controllers didn't start till at least 19 in all applications as far as I can find, and t93 is I believe the first true gen 6 transmission controller, so I would think that the factory boot mode could be found on the 17 controller I am working with.

I am going to start teaching myself to write kernels now, and I plan on a bricked ecu or two in the growing stages but I truly believe I can get it done. My first attempt will be once I get my new toys in the mail and then I will try to work it over to the ulink if at all possible, but I need to do some more research on exactly what jumping the pins is doing to activate boot mode. I mean the 5 volt power supply is a good sign that it is powering the cpu directly? but I'll quit yapping for now.