Reflash via the PC serial port

The 1996 and 1997 v6 PCMs have a "hardware test mode" that has various functions, including a P4-style Mode 5 and Mode 6 (download and execute) function. I took advantage of this function to allow reflashing the PCM via the serial interface. Basically, at initial key-on, there are TPS, ECT and IAT conditions and a Trans range input (or clutch for manual trans) setting that have to be met to cause the PCM to enter hardware test mode. Once it does that, it will stay in that mode for up to 5 seconds, waiting for input on the serial line. I modified my PCM using Steve Ravet's BDM reflash program to elimiate the ECT and IAT requirements (as well as increase the SCI baud rate), so that at initial key-on, when the clutch is released and the TPS is all the way to the floor, hardware test mode is entered and I can start reflashing. These conditions have to be met at initial key-on, or else hardware test mode will not be entered.

Although most v6 PCMs have SCI code in them, this hardware test mode was eliminated after 1997. With a little work most PCMs could be made to function this way. I believe the serial line is connected to the OBD-II underdash connector in most vehicles - consult the factory service manual.

The files named 16211539BSXN on the ftp site contain the .bin file for the PCM as well as a disassebly of that .bin. In addition, there is source code and executable for a CYGWIN command line program that can be used to reflash the entire PCM or a segment thereof.

The PCM checks for hardware test mode conditions starting at line 0xEB58. From there it does an SCI routine and enters an endless loop waiting for input from the SCI. This is used to load a "bootloader" into RAM. When loading is complete, the "bootloader" executes from RAM, erases and reprograms the flashROM. The PCM is then reset, and we're in business.

What you need to reflash via the serial port

• 1996/1997 GM v6 PCM (service number 16207326, ...)
• RS-232 to ALDL cable. These are sold by akmcables.com. Any of the OBD2 cables or kits should work. If you're so inclined, you can build one yourself from the schematic
• The download program. This reads the flash and stores it in a file on your computer
• The reflash program. This reads a file and writes it to the PCM flash.
• Modify the hardware test mode code to eliminate the IAT (inlet air temp) and ECT (engine coolant temp) conditions. (possibly not necessary?). The code to enter hardware test mode starts at address 0xeb58:

  seg000:0000EB58	; CHECK	IF HARDWARE TEST ENABLED
  seg000:0000EB58
  seg000:0000EB58	sub_EB58:				; CODE XREF: sub_DC36+90
  seg000:0000EB58			movem.l	d0/a0,-(sp)
  seg000:0000EB5C			cmpi.w	#$DC29,(word_FFFF87D6).w ; $DC29 - IAT ADC
  seg000:0000EB62			bls.s	loc_EBA2
  seg000:0000EB64			cmpi.w	#$A3D,(word_FFFF87D4).w	; ECT ADC
  seg000:0000EB6A			bcc.s	loc_EBA2	; BRANCH IF >= 2621, ELSE
  seg000:0000EB6C			cmpi.w	#$FAE1,(word_FFFF87C0).w ; TPS ADC
  seg000:0000EB72			bls.s	loc_EBA2	; BRANCH IF < $FAE1, ELSE
  seg000:0000EB74			move.b	#1,(byte_FFFF8FCF).w ; SET HARDWARE TEST MODE
  seg000:0000EB7A			btst	#0,(byte_FFFF8E58).w ; PORTA STATUS (INPUTS) - TRANS RANGE SW D
  seg000:0000EB80			bne.s	loc_EBA6	; BRANCH IF SET	(RETURN), ELSE
  seg000:0000EB82			jsr	sub_1A56E	; GO CONFIGURE TIMER CHIP
  seg000:0000EB88			jsr	sub_14DD0	; GO CALCULATE SOMETHING AND WRITE IT TO TIMER CHIP
  seg000:0000EB8E			movea.l	#$155E,a0	; INDEX
  seg000:0000EB94			jsr	sub_AF12	; GO DO	AN SPI ROUTINE
  seg000:0000EB9A			jsr	sub_ED8E	; GO DO	AN SCI ROUTINE
  seg000:0000EBA0			bra.s	loc_EBA6	; RETURN
  seg000:0000EBA2
  seg000:0000EBA2	loc_EBA2:				; CODE XREF: sub_EB58+A
  seg000:0000EBA2						; sub_EB58+12	...
  seg000:0000EBA2			clr.b	(byte_FFFF8FCF).w ; CLEAR HARDWARE TEST	MODE
  seg000:0000EBA6
  seg000:0000EBA6	loc_EBA6:				; CODE XREF: sub_EB58+28
  seg000:0000EBA6						; sub_EB58+48
  seg000:0000EBA6			movem.l	(sp)+,d0/a0
  seg000:0000EBAA			rts
  seg000:0000EBAA	; End of function sub_EB58
  

  The bls and bcc instructions at addresses 0xeb62 and 0xeb6a should be replaced with nop instructions (0x4ef1)

The source code

The source has been released under the GNU GPL General Purpose License. This means it's distributable for free or for profit. If modifications are made and the resulting binaries are distributed, either freely or for profit, then the source modifications must also be provided for free. The intent is to encourage commercial users and developers to contribute their improvements back to the DIY community.

The .zip file with source code: serial_flash.zip

zipfile contents:

flash.asm               m68k assembly for the bootloader
flash.bin               the assembled bootloader
myserial.c              serial functions
pcmflash.c              the main program
pcmflash.h              the main program
program.c               for getting the identity of the flash device

Other Files:

16211539BSXN.bin        binary image of 1996 v6 PCM code
16211539BSXN.lst        disassembly of above code