Write SBEC3 RAM values on-the-fly

Chrysler engineers were on a roll when they left all kinds of backdoors in the PCM firmware. In this post I walk you through a simple yet powerful method for changing RAM values in SBEC3 engine controller units.

Keep in mind that other running subroutines constantly update RAM values and overwrite bogus data rather quickly. Nevertheless, the window is there.

Warning: changing RAM values that are important for ignition calculation can and will adversely influence engine performance. In the worst case it could damage the engine!

Let’s get right into it.

The described SCI ID 29 command works in low-speed mode only.

Below is the disassembled code snippet responsible for processing a RAM write request.

ROM:12520 ; =============== S U B R O U T I N E =======================================
ROM:12520
ROM:12520 ; SCI ID 29 WRITE RAM
ROM:12520 ; ------------------
ROM:12520 ; TX: 29 XX YY ZZ
ROM:12520 ; RX: 29 XX YY ZZ RR
ROM:12520 ;
ROM:12520 ; XX YY: RAM offset (0000 - 07FF/0FFF)
ROM:12520 ; ZZ: RAM value to write
ROM:12520 ; RR: result
ROM:12520 ;
ROM:12520 ; Result:
ROM:12520 ; * F0 = RAM offset out of range
ROM:12520 ; * F1 = no security clearance
ROM:12520 ; * E5 = success
ROM:12520
ROM:12520 WriteRAM:
ROM:12520                 ldaa    SCI_RX_01       ; A = RAM offset HB
ROM:12524                 cmpa    #08h            ; compare A to value (max. RAM offset HB)
ROM:12526                 ldab    SCI_RX_02       ; B = RAM offset LB
ROM:1252A                 tde                     ; E = D (A and B)
ROM:1252C                 ldaa    #0F1h           ; load A with result value | $F1 = no security clearance
ROM:1252E                 brclr   SEED_STATUS, #01h, loc_12540 ; branch if PCM is locked
ROM:12534                 ldaa    #0F0h           ; load A with result value | $F0 = RAM offset out of range
ROM:12536                 bcc     loc_12540       ; branch if RAM offset HB >= 08h (carry still clear from the cmpa above), i.e. offset out of range
ROM:12538                 ldab    SCI_RX_03       ; B = RAM value
ROM:1253C                 stab    E, Z            ; store B to RAM
ROM:1253E                 ldaa    #0E5h           ; load A with result value | $E5 = success
ROM:12540
ROM:12540 loc_12540:
ROM:12540                 clr     SCI_RX_ID       ; clear ID-byte
ROM:12544                 jmp     SCI_WRITE       ; write SCI byte from A
ROM:12544 ; End of function WriteRAM

Not surprisingly, the PCM checks if we have security clearance before it gracefully lets us mess up RAM content.

The previous post shows how to get security clearance with SCI ID 2B and SCI ID 2C.

Testing

Some PCMs allow RAM reading in low-speed mode with a slightly modified version of the ROM-read command. The value returned for a given offset is not the same as in high-speed mode.

TX: 26 0F XX YY
RX: 26 0F XX YY ZZ

0F: following offset is located in RAM area
XX YY: RAM offset + 80 00
ZZ: RAM value at given offset

RAM is usually 6 kB in size. This command lets the user read the whole RAM area.

Let’s pick the RAM offset 03 28 and read what is stored there.

TX: 26 0F 83 28
RX: 26 0F 83 28 00

First, try to replace 00 with FF at this offset without security clearance. Note that with the SCI ID 29 command there’s no need to add 80 00 to the offset; the subroutine handles it. Also, this command can write only a portion of the RAM area (the offset check in the listing above limits it).

TX: 29 03 28 FF    ; request RAM write at 03 28 offset, new value = FF
RX: 29 03 28 FF F1 ; no security clearance

As expected the PCM refused the request. Let’s elevate the security level and try writing again.

TX: 2B             ; request security seed
RX: 2B C2 55 42    ; received seed = C2 55, checksum = 42
TX: 2C 99 6C 31    ; send back seed solution = 99 6C, checksum = 31
RX: 2C 99 6C 31 00 ; success
TX: 29 03 28 FF    ; request RAM write at 03 28 offset, new value = FF
RX: 29 03 28 FF E5 ; success

Finally, read the current RAM value at offset 03 28.

TX: 26 0F 83 28
RX: 26 0F 83 28 FF

Success.
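To make the handler's decision order and the exchange above concrete, here is an added Python model of the WriteRAM subroutine and the 26 0F RAM read. It is not the PCM firmware or the author's code. It assumes the 6 kB RAM size stated above, the writable range 0000-07FF implied by the cmpa #08h check in the listing, and a checksum rule inferred from the two 2B/2C frames shown (sum of all bytes mod 256, which reproduces 42 and 31). The seed-to-solution algorithm from the previous post is not modelled; the unlock is simulated by setting a flag. The Pcm class, replay_session and sci_checksum are names I chose, and the 0900 write is a constructed request.

```python
"""Model of the SBEC3 SCI ID 29 WriteRAM handler and the 26 0F RAM read.
Added example: this is not the PCM firmware or the post author's code."""
from dataclasses import dataclass, field

RAM_SIZE = 0x1800          # 6 kB, as stated in the post
WRITE_LIMIT_HB = 0x08      # 'cmpa #08h': only offsets 0000-07FF are writable
RAM_READ_BASE = 0x8000     # the 26 0F read expects RAM offset + 80 00

RESULT_OUT_OF_RANGE = 0xF0
RESULT_NO_CLEARANCE = 0xF1
RESULT_SUCCESS = 0xE5


@dataclass
class Pcm:
    """Minimal PCM state: the RAM array and SEED_STATUS bit 0 (unlocked)."""
    ram: bytearray = field(default_factory=lambda: bytearray(RAM_SIZE))
    unlocked: bool = False

    def write_ram(self, req: bytes) -> bytes:
        """Mirror of WriteRAM at ROM:12520. TX 29 XX YY ZZ -> RX 29 XX YY ZZ RR."""
        if len(req) != 4 or req[0] != 0x29:
            raise ValueError("expected a 4-byte SCI ID 29 request")
        hb, lb, value = req[1], req[2], req[3]
        if not self.unlocked:
            # ldaa #0F1h / brclr SEED_STATUS,#01h: the security gate comes first,
            # so a locked PCM answers F1 regardless of the offset
            result = RESULT_NO_CLEARANCE
        elif hb >= WRITE_LIMIT_HB:
            # cmpa #08h / bcc: carry clear means HB >= 08h, i.e. offset >= 0800
            result = RESULT_OUT_OF_RANGE
        else:
            self.ram[(hb << 8) | lb] = value   # stab E,Z
            result = RESULT_SUCCESS
        return req + bytes([result])

    def read_ram(self, req: bytes) -> bytes:
        """TX 26 0F XX YY -> RX 26 0F XX YY ZZ, where XX YY = RAM offset + 80 00."""
        if len(req) != 4 or req[:2] != b"\x26\x0f":
            raise ValueError("expected a 4-byte 26 0F XX YY request")
        offset = ((req[2] << 8) | req[3]) - RAM_READ_BASE
        if not 0 <= offset < RAM_SIZE:
            raise ValueError("offset outside the 6 kB RAM window")
        return req + bytes([self.ram[offset]])


def sci_checksum(frame: bytes) -> int:
    """Checksum byte of the 2B/2C frames: sum of all bytes mod 256.
    Assumption inferred from the two frames in the post (2B C2 55 -> 42, 2C 99 6C -> 31)."""
    return sum(frame) & 0xFF


def checksum_ok(frame: bytes) -> bool:
    """True if the last byte of a frame is the checksum of the bytes before it."""
    return len(frame) >= 2 and sci_checksum(frame[:-1]) == frame[-1]


def replay_session() -> list:
    """Replay the exchange from the post against the model; returns the five responses.
    The 2B/2C seed handshake is not modelled: the unlock is simulated by setting the flag."""
    pcm = Pcm()
    log = [pcm.read_ram(bytes.fromhex("260f8328"))]        # 26 0F 83 28 00
    log.append(pcm.write_ram(bytes.fromhex("290328ff")))   # ... F1, still locked
    assert checksum_ok(bytes.fromhex("2bc25542"))          # seed frame from the post
    pcm.unlocked = True                                    # after a valid 2C solution
    log.append(pcm.write_ram(bytes.fromhex("290328ff")))   # ... E5
    log.append(pcm.read_ram(bytes.fromhex("260f8328")))    # ... FF
    log.append(pcm.write_ram(bytes.fromhex("290900aa")))   # constructed: offset 0900 -> F0
    return log


if __name__ == "__main__":
    for rx in replay_session():
        print(rx.hex(" ").upper())
```

The model makes one property of the handler easy to check: the F1 path is evaluated before the range compare, so a locked PCM returns F1 even for an out-of-range offset, and the range check is only a bounds limit, not a second security control. The only gate between a low-speed SCI request and a RAM store is SEED_STATUS bit 0, which is why the seed handshake deserves the scrutiny the previous post gives it.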
