VX/VY Flash PCM EEPROM Writing and Mapping
Posted: Fri May 07, 2010 8:09 pm
One of the current flashtool tasks has been to get EEPROM writing happening. So to start with I went hunting for routines in the factory code to do it and discovered mode 12 in the VX/VY PCMs. Its a limited EEPROM write mode and you must have already unlocked the PCM using mode 13. The limiting part is it restricts you to only being able to program a certain number of bytes at certain address'. Mode 12 has 9 sub functions that can write to different parts of the EEPROM. There are two tables, one that says for each sub function the address you can write from (0x9152) and the other how many bytes you can write (0x9164).
So after discovering the tables I set about trying to work out what each sub function of Mode 12 does. This is where I am at...
Mode 12 Func 1 - Change the seed/key (4 bytes from 0xE1C)
Mode 12 Func 2 - Control Byte Of Sorts? (1 byte from 0xE7F)
Mode 12 Func 3 - Change the VIN (17 bytes from 0xE20)
Mode 12 Func 4 - Not Used (0 bytes from 0xE31)
Mode 12 Func 5 - Not Used (0 bytes from 0xE31)
Mode 12 Func 6 - Not Used (0 bytes from 0xE31)
Mode 12 Func 7 - ? (10 bytes from 0xE31)
Mode 12 Func 8 - ? (4 bytes from 0xE3B)
Mode 12 Func 9 - ? (12 bytes from 0xE3F)
So part of this is also trying to map out whats in the EEPROM (See attached bin dump including EEPROM of my test bench PCM). The mapping that I have worked out so far of the EEPROM located at 0xE00 to 0xEFF is as follows...
E00 to E07 = Code Base (8Bytes)
E08 to E1B =Some sort of production date code??
E1C/E1D = Seed
E1E/E1F = Key
E20 to E30 = VIN (17Bytes)
E31 to E3A = TIS Key
E3B to E3E = Program Date of PCM
E3F to E4A = Vehicle Data (Engine Type, Trans Type)
E4B to E7E = Free
E7F = MEC
E80 to EBC = Diagnostic Fault Code Logging
EBD = Diagnostic Code Checksum
EBE to EC0 = BCM Security Bytes
EC1 to EC3 = ??
EC4 to EFF = Free
All of this does not really help the flashtool PCM reprogramming as i would like to rewrite the entire EEPROM so am part way through writing a routine to upload via mode 6. But thought it would still be worthwhile to try and map out the EEPROM. If anyone has any other info to share add it here
So after discovering the tables I set about trying to work out what each sub function of Mode 12 does. This is where I am at...
Mode 12 Func 1 - Change the seed/key (4 bytes from 0xE1C)
Mode 12 Func 2 - Control Byte Of Sorts? (1 byte from 0xE7F)
Mode 12 Func 3 - Change the VIN (17 bytes from 0xE20)
Mode 12 Func 4 - Not Used (0 bytes from 0xE31)
Mode 12 Func 5 - Not Used (0 bytes from 0xE31)
Mode 12 Func 6 - Not Used (0 bytes from 0xE31)
Mode 12 Func 7 - ? (10 bytes from 0xE31)
Mode 12 Func 8 - ? (4 bytes from 0xE3B)
Mode 12 Func 9 - ? (12 bytes from 0xE3F)
So part of this is also trying to map out whats in the EEPROM (See attached bin dump including EEPROM of my test bench PCM). The mapping that I have worked out so far of the EEPROM located at 0xE00 to 0xEFF is as follows...
E00 to E07 = Code Base (8Bytes)
E08 to E1B =Some sort of production date code??
E1C/E1D = Seed
E1E/E1F = Key
E20 to E30 = VIN (17Bytes)
E31 to E3A = TIS Key
E3B to E3E = Program Date of PCM
E3F to E4A = Vehicle Data (Engine Type, Trans Type)
E4B to E7E = Free
E7F = MEC
E80 to EBC = Diagnostic Fault Code Logging
EBD = Diagnostic Code Checksum
EBE to EC0 = BCM Security Bytes
EC1 to EC3 = ??
EC4 to EFF = Free
All of this does not really help the flashtool PCM reprogramming as i would like to rewrite the entire EEPROM so am part way through writing a routine to upload via mode 6. But thought it would still be worthwhile to try and map out the EEPROM. If anyone has any other info to share add it here