GM Tunerlock Info
If you've ever received an error message while trying to read the tune out of a module that said something like "x35 invalid key" or "x36 exceeded attempts", you've likely figured out that you're locked out of that module and can't read or write anything to it. This page will explain what that means, why it is like that, and how to get around it (without getting too technical).
This information is primarily focused on GM vehicles, and specifically the gen 3 and 4 LS PCMs and other vehicles that share them. This information along with my custom software, bench harnesses, and other consulting services is meant to help you unlock a module without having to ship it off, but I do offer a full service tunerlock removal service that keeps the custom tune intact or fully restores the module (in the case of corruption) if you prefer that instead. For more information email james@customecm.com or contact through my Facebook page at www.facebook.com/customecm
What is a tuner lock?
Manufacturers employ a variety of ways to keep unauthorized people and tools from reading, writing, and modifying the software on their modules. One of the most basic ways is requiring a password, called a key, to enable reading and writing. To keep it simple, without using the same password on every module or keeping a database of every password for millions of modules, they use a "password hint" (called a seed), from which the tool talking to the module calculates the proper key with a special algorithm. Tuning companies figured out a way to calculate these keys for different modules, and that is what lets us read and write customizations to the software on the modules using their tools.
So what is a tunerlock? Essentially it is just changing the key (password) stored in the module without changing the seed (the hint). Any time that one-to-one relationship between a seed and its key is broken, the algorithm no longer works and tools can't calculate the key and unlock the module. This can happen a couple of different ways. Tuning software such as EFIlive, HPtuners and some others allows you to change the key to keep people from seeing your tuning work, and sometimes incompatible software flashes will corrupt this information and essentially tunerlock the module (more on that later).
How do I remove the lock?
So what can you do if you're locked out of the module? Typically it's a multiple step process. You need to:
1) Figure out what the custom or corrupted key is.
2) Manually use that key to unlock the module (most tuning software has mechanisms for this).
3) Restore a proper seed-key relationship.
Finding the key:
The key can be found a few different ways.
1) The first and easiest is to just ask whoever locked it (if you know who that is). They can either unlock it for you or look in their tune file information for it and give it to you.
2) The second option is to try different keys over and over until the correct one is found (this is called a brute force attack). Most GM modules up to 2016 or so had 65535 possible keys, and the modules only allow you to try one or two keys every 10 seconds, so it can take days of constantly trying keys to get the right one (which is why I've written software to do this for you; visit my Custom Software tab for more info on that). ***NOTE: I HIGHLY RECOMMEND THIS TO BE DONE ON A BENCH PROGRAMMING HARNESS AND NOT IN THE VEHICLE.***
3) Open the module up and read the flash directly using a BDM/JTAG type tool, which is impractical for most people.
4) Some modules like the P01 and P59 that ran most gen 3 LS motors and 4.3 V6s from 99-07 have a special trick to bypass the security altogether. Essentially you ground the same recovery pin as outlined on my GM Bricked PCM Recovery page and then READ instead of write, and you'll get the tune off it as is.
5) If you find yourself locked out of an E38 after trying to reflash to a different year OS, such as a 2010 OS onto a 2007 E38, often the key is either 3F80, 43D4, or just mirroring the seed, so give those a try before jumping into a lengthy brute force or ECM replacement!
What do you do with the key once you have found it:
Once you have the key and can unlock the module, you ideally restore a factory seed/key relationship for easy tuning in the future. Some software packages make this easy and let you restore it in the PCM security functions (EFIlive), and some make it hard (HPtuners). Since HPtuners is more popular, I will focus on how to restore a proper key with HPtuners.
When you use HPtuners to read a tune you did not lock yourself, by checking the custom key option on the read dialog, it will unlock and read the tune just fine and even let you save it. But once it tries to display the tune, it detects that it is a locked tune, and since it wasn't your interface that locked it, you get an error message and the tune closes. This makes it pretty difficult to restore the key and write it back due to the way the licensing works. You need a license for the module to write to it, but if you can't open the file you can't license to it.
Essentially the way around that is an unlimited license for a year/model or vehicle type group. ***PLEASE DO THIS AT YOUR OWN RISK, YOU CAN CAUSE A LOT OF HAVOC PRETTY QUICK WITH LICENSING, CORRUPTION, ETC, IF DONE WRONG*** You can take an unlocked file (I recommend same vehicle type, engine, year and OS number) and use the write vin/tunerlock/vats option if available, or write entire for the other modules HPtuners is able to lock that don't have this option. You need the unlimited license so that you are licensed both for the target module and for the file you're writing from. As I've said, this can get you into a mess pretty quick, but it is effective to at least get the ECM to a tunable state. You can find compatible files in my Stock Tune File Repository. If one does not exist you can pay a small fee and I'll get one for your VIN, even in the right format.
Obviously this isn't terribly feasible outside of tuner shops with lots of unlocked vehicle categories. Luckily I have developed a few different ways I can help on a case by case basis for anyone in this circumstance, which I have limited to those that have purchased and are using my brute force key finder program at this time.
A note on avoiding corruption of modules (and locking yourself out in the process)
If you have a "stock vehicle" that wasn't tuned that's telling you it is locked, or you tried to write an ECM without locking it and it becomes locked, then it's likely the wrong operating system was written over the ECM and it has effectively become corrupted. Many tuning tools and even GM's own SPS don't write the full module all at the same time, and over the years the locations where the seed and key are stored may have moved around between the different service numbers of modules. When you do a full write of an incompatible operating system, it is now looking for those values in a new place in memory, so it is essentially pointing at junk data that doesn't adhere to the seed-key algorithm I mentioned above.
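As an added illustration (not code from this page or from any tuning tool), this Python model shows the seed/key exchange described under "What is a tuner lock?" together with the corruption case in the paragraph above. The transform, flash contents, offsets and the `UNLOCKED` value are constructed stand-ins; only the 0x35 and 0x36 codes and the attempt limit come from the page.

```python
import struct

INVALID_KEY = 0x35        # "x35 invalid key" (code from the page)
EXCEEDED_ATTEMPTS = 0x36  # "x36 exceeded attempts" (code from the page)
UNLOCKED = 0x00           # placeholder for a positive response (assumption)

def toy_algorithm(seed):
    """Constructed 16-bit stand-in; NOT the real seed-to-key algorithm."""
    return (seed * 3 + 0x1234) & 0xFFFF

class ToyModule:
    """Flash image plus the offsets the running OS reads seed and key from."""
    MAX_TRIES, WINDOW_S = 2, 10  # models "one or two keys every 10 seconds"

    def __init__(self, flash, seed_off, key_off):
        self.flash, self.seed_off, self.key_off = flash, seed_off, key_off
        self.failed = []  # timestamps of recent wrong keys

    def _word(self, off):
        return struct.unpack_from(">H", self.flash, off)[0]

    def request_seed(self):
        return self._word(self.seed_off)

    def send_key(self, key, now):
        self.failed = [t for t in self.failed if now - t < self.WINDOW_S]
        if len(self.failed) >= self.MAX_TRIES:
            return EXCEEDED_ATTEMPTS
        if key == self._word(self.key_off):
            return UNLOCKED
        self.failed.append(now)
        return INVALID_KEY

def tool_unlock(module, now=0.0):
    """What a tuning tool does: read the seed, derive the key, send it."""
    return module.send_key(toy_algorithm(module.request_seed()), now)

def make_flash(seed=0xBEEF, key=None):  # seed at offset 4, key at offset 6
    flash = bytearray(range(0x40, 0x60))  # 32 bytes of constructed filler
    key = toy_algorithm(seed) if key is None else key
    struct.pack_into(">HH", flash, 4, seed, key)
    return flash

def scenarios():
    locked = ToyModule(make_flash(key=0x0F0F), 4, 6)  # key changed, seed kept
    return {
        "stock": tool_unlock(ToyModule(make_flash(), 4, 6)),
        "tunerlocked": [tool_unlock(locked, t) for t in (0.0, 1.0, 2.0)],
        "custom_key": locked.send_key(0x0F0F, now=20.0),  # known key, entered manually
        "wrong_os": tool_unlock(ToyModule(make_flash(), 16, 18)),  # OS reads junk
    }
```

In the `wrong_os` case the flash data is untouched; only the offsets the code reads from have moved, which is enough to break the seed/key relationship.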
The best way to avoid locking yourself out is to only flash to and from things that were originally on ECMs with the same service numbers. Here are some of the most common compatibilities:
1) P01: There are only two service numbers here. An early P01 (ending in 4896) can be flashed to a later 01+ P01 tune (0411) fine. I haven't had the need to test flashing in the opposite direction yet.
2) P59: I have not found any issues flashing between any year of the blue/green connector P59s.
3) E38: Keep to flashing files from these year groups to the service numbers listed:
a) 2006-2007 E38 (service number ending in 121)
b) 2008 E38 (service number ending in 384)
c) 2009 E38 (service number ending in 455)
d) 2010+ E38 (service number ending in 238)
- I know of at least two exceptions to this rule. There may be more, but I have not run across them yet.
1) Early 2009 G8 GT with the 6.0L uses a 2008 E38 ECM ending in 384. Late 2009 uses the 2009 (455) ECM.
2) 2010 2500HD trucks with the LY6 (not the L96) still used a 2009 (455) E38 ECM.
Others I'm not 100% sure on yet, as I learned early on messing with E38s to be super careful. E38s are by far the most prevalent ones I get in that were accidentally locked by corruption.