Time to move forward (Diagrams, and OBD-II reprogramming) [Archive] - GrandAmGT.com Forum

PDA

View Full Version : Time to move forward (Diagrams, and OBD-II reprogramming)


DarkKnight
04-27-2004, 12:06 AM
Have you ever tried to do something to your car only to find that the information or part you need, is hard to find or prohibitively expensive? Since I started my project some time ago (for those that don't know I'm putting a 3100/4t45e into my 87 Z24) I have come across numerous barriers to my progress. A lot of people wanted only to make a profit by reaming me on a price for some help. Others have the info I need, but are unwilling to share because they want their car to be "unique" or they think that it will give them that "advantage" on the track. Sometimes it's like :banghead

The community cannot move forward unless people are sharing everything they have learned.

So, now for the techinical part. I'm going to offer what info I have by providing some answers to those who are looking, and making it easy to find. Recently I tried to get some wiring diagrams for the GAGT's PCM. I guess that my request was mostly misunderstood, but neverless it proved to be a pain to get what I needed, when as it turns out, I actually already had in my possesion what I was seeking and didn't know it. :rolleyes:

I have the *complete* schematics/wiring diagrams for the '00 GAGT electrical system. Everything from the ABS, PCM, EMCB, BCM, Lights, ICP, and anything else on that car. I'm sure most of it applies to the '99-04 GAGT's as well. The file zipped is about 14 megs, and contains roughly 50 diagrams. Anyone who wants it is welcome to ask.

Come over to http://www.domesticcrew.com/660board (<- my 3X00-J body board) or send me an e-mail and I'll give you a link to access the file. If anyone has a place to host the file that can afford the bandwidth, your welcome to host it and post the link here. We don't have the bandwith to share a file that large with the entire community, so I can't post it publicly, and I ask that anyone that gets the link doesn't post it publically or share it either. With that said, I'd be grateful for someone to host it for me so it can be given to everyone.

Now for what I need from the community. Since my car doesn't have all the extra electronics that come normally on a GT (i.e. the BCM, ABS, etc.) I need to program the PCM to not look for them, as well as some other smaller stuff. This is the same thing that they do with OBD-I PCMs, and reprogramming OBD-II units is definitly something of interest to the entire modern tuning community. There are compaines out there (like DHP) that offer custom tuning for your OBD-II PCMs, but it's starts at what $350? The professional machine currently used to reprogram OBD-II units runs about $1800. At $350 a piece, you only need to reprogram 6 units to pay for the machine, so why is it so much?? That however, is not the point of my thread. There are only two ways to reprogram the computer. You can do it through the PCM with an adapter like the one from B&B (which is only $120 I think), but it doesn't include *any* software, so it's pretty much usless for our needs. Or you have to extract the chip and program it though a eeprom burner. Seeing as how there are a lot of eeprom burners, and it doesn't require the sophisticated security needed for programming through the PCM, it seems to me like the better option.

I took a look inside my '00 GT PCM, and this is what I found. (for those not brave enough to look themselves ;))

http://domesticcrew.com/tony/misc/flash.jpg
http://domesticcrew.com/tony/misc/obd2.jpg

The chip at the top is an

Intel flash rom
512Kb
44 pin
16236995
AB28F400BX
E 5012
U9470536Q

I have the datasheet for anyone that wants it. That chip contains the programming for the computer. It has (or should have) the calibration tables as well. That means that anyone who can read and write to these chips can tune thier own car, and/or delete unwanted features such as the DRL, passkey, traction control etc. Just imagine the possibilites!! If anyone knows how to build a burner for this chip and can give me a parts list & scematic, or knows where to get one cheap, then by all means tell me. I want OBD-II, the GT platform, and car modding to move forward, this is a good step in the right direction. :thumbs:

wade walter
04-27-2004, 02:51 AM
dude, yer pretty friggin' smart :thumbs:

ryGT1
04-27-2004, 07:57 AM
Ya know, my boss uses an eprom programmer at work to program Meridian Home Theater systems, hes an EE guy... I'll ask him about this today, and see if we can come up with something.

erimar77
04-27-2004, 09:23 AM
well, you can buy eprom burners here:

http://www.needhams.com/

Is the chip soldered on or in a socket? If it's soldered on, you'll need to find a way to either extract it or connect wires to it.

DarkKnight
04-27-2004, 10:21 AM
Thanks for to positive response! I wasn't sure how it would go.

If you look at the picture of the board in the upper right hand corner is the flash chip. It's a surface mount package, and it's soldered on. Not the friendliest to remove but it can be done. I'm looking into getting some sockets for these chips. I requested some samples from socket manufactures, so we'll have to see what they send me. Connecting wires to the flash chip while it's on the board would be unwise. You'd end up powering other components while your powering the chip, and bad stuff can happen. Another possible option is something I came across on DIY-EFI. They are using a debugging feature of the motorola CPU that allows direct write access to the chip. The guide that they have is talking about a slightly different model of cpu, but it is a GM OBD-II computer, and I'm almost certain that it has the required pins, just in a different spot. I need to dig up the datasheet on the motorola cpu used in the computer I have to be sure.

Here is a link to what I'm referring to http://www.diy-efi.org/gmecm/ecm_info/32bit/dumpflash

I know that if we put our resources together we *can* make tuning OBD-II units a reality for the home user. :cool:

nomojo
04-27-2004, 12:00 PM
Not to be a negative nelly or anything,

but the flash prom on that thing will almost definately be read locked, meaning you wont be able to read/download the firmware for the "tweaking" you suggest. And a 're-upload' of this info would require you to wipe the existing flash if its locked.

IMO It would make no sense for them to have to change the core programming on that flash to change a simple parameter like idle speed or something, so the parameters for the car that ARE changable will likely be stored in a seperate EEPROM to account for my first comment. This said, you're likely looking at the wrong IC, unless that thing happens to have an onboard EEPROM too.

If anyone did this on their GAGT it would wreck the warranty for sure, and you better hope you dont goof up the eeprom values. Since reverse-engineering is illegal under the DCMA in whatever countries that has jurisdiction, I dont think you'd ever be able to legally sell anything that modified the car based on its reverse engineering.

just my 2 cents; I'm not a car superstar or a lawyer. Use this information at your own risk.

cheers.

Magnum
04-27-2004, 01:51 PM
I've been following this thread, and stumbled across this today:
http://www.hptuners.com/

They offer a tool for 3.4 GA's, and with virtually limitless programming possibilities. It may be the solution many of us have been looking for - (i.e. - there is no DHP release for my '03 GAGT, or any of the Aleros or GASEs)

I don't know though. Hopefully someone with more knowledge than I in this area can chime in.

iceman
04-27-2004, 01:59 PM
Wow 500 bucks for that - that's actually quite a deal. You could make that money back doing case learns for people lol.

Good luck Darkknight

Magnum
04-27-2004, 02:13 PM
Wow 500 bucks for that - that's actually quite a deal. You could make that money back doing case learns for people lol.


You could probably also fine-tune your knock sensor to correct the KR problem you've been having.

I may just go for this. I've been waiting for an '03 DHP program for a year now, so let's face it - it's not gonna happen while I'm still mildly interested in modding this thing.

Hexx
04-27-2004, 02:46 PM
Umm I would say screw waranty. I dont have one on my 00. I think the purpose of this post is NOT to make money, but to let everyone know how to do this on your own....so reverse engineering being legal or not, doesn't apply.

That being said...I totally agree that all this info should be shared. Over at VWVortex we have have a sticky with all DIY stuff (everything/anything you can think of).

Maybe we should start one here?

iceman
04-27-2004, 02:47 PM
You could probably also fine-tune your knock sensor to correct the KR problem you've been having.

I may just go for this. I've been waiting for an '03 DHP program for a year now, so let's face it - it's not gonna happen while I'm still mildly interested in modding this thing.

No doubt. If I had the cash to spend I'd get it but money is tight right now and I'm done investing in performance.

DarkKnight
04-27-2004, 02:55 PM
Not to be a negative nelly or anything,

but the flash prom on that thing will almost definately be read locked, meaning you wont be able to read/download the firmware for the "tweaking" you suggest. And a 're-upload' of this info would require you to wipe the existing flash if its locked.

IMO It would make no sense for them to have to change the core programming on that flash to change a simple parameter like idle speed or something, so the parameters for the car that ARE changable will likely be stored in a seperate EEPROM to account for my first comment. This said, you're likely looking at the wrong IC, unless that thing happens to have an onboard EEPROM too.

If anyone did this on their GAGT it would wreck the warranty for sure, and you better hope you dont goof up the eeprom values. Since reverse-engineering is illegal under the DCMA in whatever countries that has jurisdiction, I dont think you'd ever be able to legally sell anything that modified the car based on its reverse engineering.


Couple quick things, first it doesn't have an "onboard eeprom" it *is* the eeprom. EEPROM = Electronically Erasable PROgramable Memory (i.e "Flash"). The core program and tables should be stored in that, that also why it's a 512KB chip. Second, if you look at the datasheet from intel you'll see that the only thing that is "locked" is the boot block. That is just a safty while flashing, and instructions are given to overide it. You can't read lock a flash, otherwise it would be inoperable. Third, as far as the DMCA goes, it only protect reverse enginnering of copyright protection mechanisms. Since the data on there doesn't have a copyright protection mechanism, the DMCA doesn't apply. Fourth, I'm not worried about it being legal to sell the information or code, since I'm not going to sell it, it will be given freely to anyone who is looking. That is the whole point of what I'm saying. If everyone only wants to share information if there is a profit in it for them, then the community will only be held back until someone comes along and makes a donation. Besides, the code is only illegal to give to someone who doesn't have it in the first place, which, if they don't have a PCM w/ the code in the first place then how would they use it?

Fifth, anyone who was going to attempt to do something like this shouldn't expect to keep thier warranty. This is the same with any mod, it voids the warranty on that part and anything downstream. If someone chooses to do it, then it's thier fault if something goes wrong. It's no different than if you buy a defective DHP PCM and it gas washes the cylinders ruining the block.

Umm I would say screw waranty. I dont have one on my 00. I think the purpose of this post is NOT to make money, but to let everyone know how to do this on your own....so reverse engineering being legal or not, doesn't apply.

That being said...I totally agree that all this info should be shared. Over at VWVortex we have have a sticky with all DIY stuff (everything/anything you can think of).

Maybe we should start one here?

Exactly! This is What I'm talking about. :jackson

DarkKnight
04-27-2004, 03:02 PM
I've been following this thread, and stumbled across this today:
http://www.hptuners.com/

They offer a tool for 3.4 GA's, and with virtually limitless programming possibilities. It may be the solution many of us have been looking for - (i.e. - there is no DHP release for my '03 GAGT, or any of the Aleros or GASEs)

I don't know though. Hopefully someone with more knowledge than I in this area can chime in.


I came across this while I was looking around too, and while that *is* a deal for what they have, $500 per vehicle is fairly expensive for me. You should also notice that the option for buying thier kit is greyed out on *all* Grand am models, and anything else with a 3.4, so b/c of that it's not really an option. I was hoping to do this with something I can build for $50-$75 (or less), and some free software to run it.

DarkKnight
04-27-2004, 03:23 PM
I have a thread about this going on over at GMPCM. The guy that runs the place over there is named Mick. He says that a pocket programmer - II will flash the chip if we use an adapter ($79 just for the adapter :rtfm ) along with the programmer. He says with the adapter any good flash device should be able to read and write the chip once the voltages are set correctly.

Anyone interested in view the thread over there can link to it from here

http://www.gmpcm.com/phpBB2/viewtopic.php?t=111

AaronGAGT
04-27-2004, 03:45 PM
This is probably the most intense thread i've read in a long time... technicality wise. Good luck

nomojo
04-27-2004, 06:02 PM
Couple quick things, first it doesn't have an "onboard eeprom" it *is* the eeprom. EEPROM = Electronically Erasable PROgramable Memory (i.e "Flash"). The core program and tables should be stored in that, that also why it's a 512KB chip. Second, if you look at the datasheet from intel you'll see that the only thing that is "locked" is the boot block. That is just a safty while flashing, and instructions are given to overide it. You can't read lock a flash, otherwise it would be inoperable. [ quote cut a bit to save space ]

Hey Darknight,

Let me start by saying I'm not looking for a flamewar because they're silly, and secondly that you may have misinterpreted my message as being negative. I think you're project is a neat idea, and I was simply making the post to address or bring some caveats to the forefront.

That said..

EEPROM & flash are not the same technology; You definately have the definition of EEPROM correct, but typically the write cycle life and programming speeds are different between the two technologies. Also, flash can only be erased one sector at a time (not byte by byte), whereas eeproms can. ( refer: http://www.netrino.com/Publications/Glossary/MemoryTypes.html ) . Flash is also a newer technology.

Regardless of that, I failed to notice that the word 'flash' was silkscreened on the chip, and I did not bother to read the datasheet. I was just perusing this board on a break. I thought that the chip displayed was a CPU with the onboard EEPROM & flash, whereby the EEPROM would be externally writable (to store different states, eg misfire, engine parameters, things that are updatable), and the core program stored in the seperate, contained space (flash) which would be externally read protected. It is still possible that these sorts of parameters are stored on a separate EEPROM or NVRAM chip.

Lastly, I never said the DCMA was a particularly good or safe thing; I wasnt promoting it, nor was I offering any opinion about it at all, but I can see how you
misinterpreted it because I didnt phrase it very well... I'm not exactly even sure why I brought it up, but I thought I'd mention it, because I'm sure someone around here or on another board or somewhere on the planet will spend the time to reverse engineer the thing and come up with some fancy enhancement and turn around and try to sell it for big bucks.

Finally, I think its really REALLY crummy that you cant pull an engine out from one car and put it into another car anymore without having to worry about trying to reverse engineer software in chip. Obviously, I know why its there, and why things are done the way they are (pollution control), but, still, I think its a sad day for car enthusiasts who like to tinker.

Anyways, cheers and good luck with your project

Magnum
04-27-2004, 06:22 PM
I came across this while I was looking around too, and while that *is* a deal for what they have, $500 per vehicle is fairly expensive for me. You should also notice that the option for buying thier kit is greyed out on *all* Grand am models, and anything else with a 3.4, so b/c of that it's not really an option. I was hoping to do this with something I can build for $50-$75 (or less), and some free software to run it.

huh.. You're right. I hadn't noticed that. damn... Ok, then I like you're idea better anyway. Much more affordable.

DarkKnight
04-27-2004, 06:50 PM
Hey Darknight,

Let me start by saying I'm not looking for a flamewar because they're silly, and secondly that you may have misinterpreted my message as being negative. I think you're project is a neat idea, and I was simply making the post to address or bring some caveats to the forefront.


No, man. It's all good. I wasn't trying to be rude, I'm sorry if I came across that way. :)


That said..

EEPROM & flash are not the same technology; You definately have the definition of EEPROM correct, but typically the write cycle life and programming speeds are different between the two technologies. Also, flash can only be erased one sector at a time (not byte by byte), whereas eeproms can. ( refer: http://www.netrino.com/Publications/Glossary/MemoryTypes.html ) . Flash is also a newer technology.

Your right. I know that there was a difference in the tech, but I didn't think it was relevent. Regardless, I will try to be more accurate in the future.


Regardless of that, I failed to notice that the word 'flash' was silkscreened on the chip, and I did not bother to read the datasheet. I was just perusing this board on a break. I thought that the chip displayed was a CPU with the onboard EEPROM & flash, whereby the EEPROM would be externally writable (to store different states, eg misfire, engine parameters, things that are updatable), and the core program stored in the seperate, contained space (flash) which would be externally read protected. It is still possible that these sorts of parameters are stored on a separate EEPROM or NVRAM chip.


I have a hi-res copy of the picture I took where you can examine the IC's (and p/n's) on the board for yourself. Except for the flash, I didn't see anything that looked like NVstorage.


Lastly, I never said the DCMA was a particularly good or safe thing; I wasnt promoting it, nor was I offering any opinion about it at all, but I can see how you
misinterpreted it because I didnt phrase it very well... I'm not exactly even sure why I brought it up, but I thought I'd mention it, because I'm sure someone around here or on another board or somewhere on the planet will spend the time to reverse engineer the thing and come up with some fancy enhancement and turn around and try to sell it for big bucks.

Isn't that the way it always is? All some people see when they spend time on a project is dollar signs. It's one thing to be a shop that does installs and has to charge customers, it's another to withhold the info from someone who is willing to do the work themselves just so you can make a buck. It's like the difference between linux and windows. Where would linux be if everyone involved only worked on it for money?


Finally, I think its really REALLY crummy that you cant pull an engine out from one car and put it into another car anymore without having to worry about trying to reverse engineer software in chip. Obviously, I know why its there, and why things are done the way they are (pollution control), but, still, I think its a sad day for car enthusiasts who like to tinker.


It's is a sad day, and I agree it's a pain. However, OBD-II offers much more than just better pollution control. I think with enough work from all involved it doesn't have to be so hard for people like us to do stuff like this. Just think, once we open up the GT computer for modification by hobbists, it will be like a domino effect to other platforms. What surprises me is that OBD-II has been widespread since '96, and in that 8 years no one has bothered to crack it open. I think it's about time, don't you?

In any case, lets try to stay focused here. :cool:

Gt00
04-27-2004, 06:54 PM
This is what the spirit of Hot Rodding is all about . I say GO FOR IT ! and good luck :cool:

nomojo
04-27-2004, 09:28 PM
I have a hi-res copy of the picture I took where you can examine the IC's (and p/n's) on the board for yourself. Except for the flash, I didn't see anything that looked like NVstorage.

Hmm. The parameters might be on the processor eeprom (whereever that is on the board, I still really havent looked at the image particularly well); I would think its gotta have NVRAM or EEPROM hiding somewhere, as I just cant see them having to wipe and rewrite an entire sector of the flash every time you change one parameter; that would mean having to rewrite a block of parameters each time only one changed. Then again, I could be completely out to lunch, and it might, but it just seems rather inefficient. You may not be interested in accessing the parameters anyhow (a tech2 scanner i believe can change them, cant it?), so it may be a useless point :)

Anyways, im gonna sign outta the thread because I've not cracked the PCM open myself and I dont think I can offer any more than I've already (if anything). Also, my cars' under warranty and knowing my luck, something would explode and I'd find out my car was one of the rare models installed with an ejection seat... which, would inevitably fire off, fail (as if it would work right, ... GM?) , and lead to my untimely demise. heh.

Good luck, keep fit, and have fun :)

Vintalage
04-27-2004, 10:29 PM
Definately the most interesting technical thread so far. Yes, this would open up wonderful possibilites!!! Having the car the way you want it and not avoiding road blocks when installing/removing parts that require changes to the computer.

DarkKnight
04-29-2004, 12:30 AM
Anyone have any experience using disassemblers, or programming in assembly?

To decipher the gobbled hex that is binary code, we use a software program called a disassembler. This translates the hex code into assembly language, which can then be easily (well, sort of easily) traced through and analyzed. There are links to some of the more popular disassemblers located in the GMPCM website links section. For OBDII code, one will need a much more powerful disassembler, such as IDA pro (http://www.datarescue.com/).

iceman
04-29-2004, 07:54 AM
My old roomate has, whats your question I will try to forward it on to him.

Dan00GPGT
04-29-2004, 11:39 AM
Anyone have any experience using disassemblers, or programming in assembly?

This, along with the countless hours spent developing software to flash your PCM through the OBD-II port, and the countless hours testing the resulting new code are the main reasons why the devices that only cost $100 to build sell for much more.

Pulling the code from the PCM and then trying to re-engineer it IS NOT something your average tinkerer could do around the house and do reliably. I wouldn't even know where to begin with the assembly language. GM most likely has documentation on it but without that do you really know what the code is doing?

Not trying to crap your thread out, this just isn't an easy project as many people would like to believe.

Having said that, I am all for your open source method of thinking. I did assembly language in college and wouldn't mind seeing what you have but I certainly wouldn't promise anything.

DarkKnight
04-29-2004, 10:53 PM
I'm not asking for anyone's promises either, just your best effort on what you have to offer. ;) That said, I'm not your avarage tinkerer (is that a word?) either. My immediate goal isn't reflashing through the OBD-II port, as that will prove to be too difficult to do anytime soon. I'm going to either try pulling the code through the CPU from the prom like was suggested earlier, or I'll get a prom burner and a adapter (eventually) like mick suggested on GMPCM, and read the prom directly. The only reason why I don't grab up a burner/adapter combo now is because I don't have the money, that adapter alone is $80! Otherwise, I'd do it now.

You see, you can't look at a project as big as this as a whole. If you do, you'll quickly get overwhelmed and quit. You have to see things as steps, and deal with each one as it comes when you're ready. The first step is to *get* the code from the prom, one way or another. Preferably one that doesn't destroy the chip getting it out. Once we have the code, the next step is to disassemble it. Then once we have the disassembled code, someone needs to translate it into definitions, and after it's translated I'd assume at that point Mick would help in creating a definitions file for GMPCM that would allow us to easily modify the code. I then have to reinsert the modified code, either through the CPU or a burner and test it to see if it blows my car up. Once we have made it to that point, where we are sure of what is what, then we can make the process of flashing the chips easier by doing it through the OBD port. However, that is a ways off. Until then, lets just worry about extracting the code, and identifying it's contents. ;)

My old roomate has, whats your question I will try to forward it on to him.

I'm just trying to gather resources, so when I (or someone else) gets the code out, we have someone, or a group of people to work on translating it. (i.e. Indentifying the key points).

cavingman
04-29-2004, 10:59 PM
lemme know if you guys need help. i used to reverse engineer hex on smaller programs back in the day to fake them into thinking they were registered. kinda the same thing i guess. :)