Page 1 of 13 12345611 ... LastLast
Results 1 to 15 of 183

Thread: Corvette CCM Reverse Engineering Anyone?

  1. #1
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775

    Corvette CCM Reverse Engineering Anyone?

    First and foremost, apologies for opening a non-tuning related topic. Mods feel free to move to an off-topic subforum, but the people who know what I'd like to frequent this one. I'd open a thread over at corvetteforum, but most of the members over there are non-technical Y body fanboys who know where to take there cars, and I need do-ers and hackers.

    So a bit of background to start. My '95 Y body has been plagued with intermittent battery drain issues pretty much as long as I've owned it. It's progressively grown worse until finally I was able to identify the circuit reliably - CCM2 / fuse # 39 drawing ~120ma continuous. Normally it would be in the 5a range when the DAB is powered and then drop to < 10ma. Now it never drops below 100ma and will kill the battery in 2-4 days. Since I've recently expanded my collection of antique vehicles and plan to do away with my 505k mile daily driver, I need to be able to depend on this car as a backup. I just celebrated my 50th birthday, and the "gift" that comes with that milestone is that it's getting to be less fun getting in and out of this car. When I happen to forget to grab the keys, or turn said square key only to hear the starter solenoid clicking, well I've invented some new expletives for that situation.

    Side story - this module is buried behind the radio head in these cars. Removing the driver's side hush panel and center console side panel are required. Also it's easiest to remove the radio head bezel and head to gain access to the connectors which have to be removed before the module will slide out. It's also probably easier to remove the driver's seat to get the center console side out. This is about a 2-1/2 hour job minimum, double that to replace all that stuff. Non-trivial to say the least.

    What I know:

    * The CCM looks to my untrained eye, identical to the older EPROM PCMs. In fact, under the memcal cover lives a soldered-in uv erasable eprom. I'm going to assume this is where the program code lives. I'm not really interested in reverse engineering this, but it seems like NomakeWan was able to dump this here.

    * On the test bench the suspect CCM is drawing the same ~120ma continuous on the CCM2 pins (green 31 & 32)

    * Replacing all the obvious SMT electrolytic capacitors changed nothing

    * I bought a "remanufactured" replacement from our friends at Rock Auto. The product description said it was "plug and play, no programming required". I found this somewhat dubious, but they only wanted $110 with a $60 core so I figured what the hell.

    * Upon receipt, I connected the supposedly remanufactured CCM to my test bench power supply and it draws the same ~120ma continuous.

    What I suspect:

    1) The "remanufactured" CCM has the same fault as my old one. Upon detailed inspection I see no evidence any internal components have been replaced and the exterior looks like it's been kicked around a salvage yard half it's life. This (replacing any components) would be really difficult to do without disturbing the conformal coating.

    or

    2) Whatever signal the module isn't seeing on the test bench is also absent in the car, and neither module has a fault

    * The odometer, VIN and numerous other critical variables are supposedly stored within which makes me believe there must be an EEPROM chip inside

    * If the remanufactured CCM is truly "plug and play", I wonder if erasing said EEPROM allows the module to automatically query the vehicle's ALDL for VIN, etc.

    I finally ponied up and bought the FSM for the car so I have all the schematics. I'm willing to spend more to get a chinese clone tech 2 or whatever's necessary to progress further. Ultimately I'd love to be able to build some open-source tools to deal with these things, or just add the functionality to steveo's flashhack (forgive me steveo!). I know there's some interest among the LS / 411 swap crowd in what these modules want to be happy. If I'm going to spend money to make my car work again, I'd be happy to share what can be learned from the process.

    Any volunteers?

  2. #2
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    473
    The CCM does contain an EEPROM where things like VIN, available options (C60 vs C68 climate control, engine type, etc) and odometer are stored. These values are volatile until 100 miles have accumulated on the odometer, after which a bit is cleared that causes the CCM to no longer accept download requests to RAM (EEPROM). Inside the CCM somewhere is a pin that, if grounded, will override this bit. I haven't taken a CCM apart so I have no clue where it would be, but I highly doubt it'll just be plainly marked so that anyone and their dog could find it since it's so critical to the integrity of the data on the CCM. Additionally, as far as I know no one has actually reverse-engineered the communication required to retrieve and/or set the values in this EEPROM. I do have a Tech 2 handy, but as neither of my Corvettes have less than 100 miles on them and I don't feel like tearing apart perfectly-working CCMs, I haven't bothered to see if my Tech 2 comes with those abilities.

    The CCM does not have any ability to query other modules to set values in EEPROM. These are only set by an external tester (Tech 1A, Tech 2, etc).

    The CCM is also what drives the digital dash on our Corvettes, and is the bus master, and the central security system for the vehicle, among many other tasks. It even handles control of the rear defroster array, independent of the climate control. Replacing the CCM with something else would be a massive undertaking.

    Replacing the PCM with something that makes the CCM happy, however, is not. It was already done by Torqhead using a '411 PCM. As for the protocol, the data you're looking for is $40 and $41, where $40 is the CCM making a regular poll of the PCM, and $41 is the response from the PCM containing all available data. The structure of this is in the image below.

    ecmccm.jpg

    I agree that having open-source tools for all of these functions should be a priority. GM certainly isn't going to support us any longer, and having Torqhead be the only ones who can sell you a solution is not optimal for those of us who would want to cobble something together ourselves. I'm still planning on reverse engineering the ABS communication so that people can recalibrate their TPS or perform the auto bleed function on 95-96 Corvettes without ponying up the cash for a Tech 2 or praying their local Chevy dealer can help for exactly that reason.
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  3. #3
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    3,464
    i'd be willing to help build a tool set into eehack or flashhack if you tell me what aldl commands are necessary, i think it would be a good idea to merge stuff like this rather than fork if you'd be into it.

    i would hope there would be some serious protection on updating the CCM's eeprom as it does contain the mileage

    These values are volatile until 100 miles have accumulated on the odometer, after which a bit is cleared that causes the CCM to no longer accept download requests to RAM (EEPROM). Inside the CCM somewhere is a pin that, if grounded, will override this bit.
    do you have any documentation of that at all ?

  4. #4
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775
    Quote Originally Posted by NomakeWan View Post
    Inside the CCM somewhere is a pin that, if grounded, will override this bit.
    Mind my asking where you uncovered this tidbit? My assumption was that the eeprom would have to be erased directly with a jtag type device. This also gives me something to look for on the remanned unit.

    I'll get some high-res pics up shortly.

    Quote Originally Posted by NomakeWan View Post
    The CCM does not have any ability to query other modules to set values in EEPROM. These are only set by an external tester (Tech 1A, Tech 2, etc).
    Is this info from the FSM? Mine haven't arrived yet. I'm not disputing this statement but it seems like if it can ask the PCM for message 41 it could also ask it for the VIN, and derive the engine code from that. Though I doubt that's the case.

    Also wouldn't the VATS voltage / resistor code have to be set here?

    Am I correct to assume the odometer is stored solely in the CCM?

    Quote Originally Posted by NomakeWan View Post
    Replacing the CCM with something else would be a massive undertaking.
    Exactly. Without it you have no speedometer and the engine can't be turned over unless the starter disable relay is bypassed.

    I guess I've gotta go to eBay and get a Tech2 on the way from Hong Kong. I'm very interested to know if this remanned unit has had the eeprom cleared.

  5. #5
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    3,464
    Quote Originally Posted by spfautsch View Post
    Is this info from the FSM? Mine haven't arrived yet. I'm not disputing this statement but it seems like if it can ask the PCM for message 41 it could also ask it for the VIN, and derive the engine code from that. Though I doubt that's the case.
    i don't know much about the ccm, but based on how GM did things in those days, i don't think that's what's going on.

    Mind my asking where you uncovered this tidbit? My assumption was that the eeprom would have to be erased directly with a jtag type device. This also gives me something to look for on the remanned unit.

    I'll get some high-res pics up shortly.
    it does make some kind of sense that they'd design the unit to prevent tampering with the odometer after x miles had been travelled, it's possible there would be a workaround for that, though.

    we do have a memory dump of the CCM but it might be faster just to see what the TECH tool is doing.

  6. #6
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775
    Here's a couple quick pics of the board (click for full res).





    Though I also doubt the unit can self program the VIN and options, I have seen mention of a learn procedure for the VATS resistor value over on cf. I guess I'll have a deep reading assignment on my plate when the FSM arrives.

    I'm very reluctant to drop $370 on a chinese clone tech2 for fear the only thing I'll learn is that it can't talk to this antique module.

  7. #7
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,206
    T2 won`t help much. Here is what we have as data.

    Now it needs to be cleared what is on the eprom.

    I suspect eeprom is stored in the processor, which seem as some variant of 68hc11.

    The main bin can be stored to the eprom or inside the processor too.

    Noticed some options configuration. Here we might have it at the eprom also.

    Someone posted dumps of ccm and I even managed to make a disasembly of them, but couldn`t figure anything specific.

    You can read the ccm with flashhack and post the dump too.

    Step too. Unsolder the eprom and try to det a dump of it, also put a socket, in case a deeper hackjob will be needed.

    We also need to figure what went wrong with the ccm and figure if that consuption is the result of the ccm or something else keeps it alive.

    Newer modules have something called go to sleep after predefined time elapsed. Also it sends messages to other modules to wake and sleep them. Something similar might be used here and something might be preventing the ccm to go to low power mode.


    Tom H have deeper insight about the vats exchange info between pcm and ccm. It is some password related cycling of some data that is still unclear in the dissasembly.

    There was some post somewhere in the corvette forums about repairing ccms, and updating the vins, but was paid top secret stuff. Someone might dig up the threads.

    Also adding some datalogging to eehack of that module will not be hard at all, since the stream data is available already. Not so sure about handling dtcs.
    Attached Images Attached Images

  8. #8
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,206
    Just looked at some diagrams. Freeking complex unit, operating almost anything in the car. Including driving directly the instrument panel.

    The 31 32 pins your are reffering are like pins F1 and F2 -battery input. ALso tons of inputs that wake up the module. I guess it goes to sleep when all is quiet, and the car is locked.

    Some interesting pin is d6 -diagnostic enable. Goes to DLC terminal 12. Likely when it is grounded or resistored like 4-10kohm it runs some tests.

  9. #9
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775
    Thanks kur4o - saved me a bunch of money there. I've done a little bit more searching over at cf and found where they used a tech 2 to dump a PCM and then a tech 1 on the CCM so was suspicious the functionality didn't exist in the newer tool. Looking at the 1, it seems like it needs a memory card for CCM / BCM programming. :-\

    I'm looking for the aldl pin to try and dump them on the bench. Then will hook up the original one in car and see if it shows any DTCs. I wasn't seeing the SYS message, but maybe not all DTCs trigger that. I highly doubt that the remanned unit has the same fault as mine, but anything's possible. I'm pretty sure in some model years, leaving the key in the ignition would cause the CCM to never go to sleep.

    I noticed a VIN (in two places) in the two dumps NomakeWan posted in the other thread so I'm hoping to find out if the eeprom in the remanned unit has been wiped. It would really suck if the eeprom is integrated with the processor though. I don't see anything that looks like a jtag type pad except for the 5 next to the 28 pin SOIC in the lower right corner. They're just vias to bring those traces to the other plane, but the spacing seems suspiciously uniform.

    I wonder if diagnostic enable might be the "magic" pin.

  10. #10
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,206
    e13 and f12 are the aldl pins.

    There is an older 10mb tech2 card that works with older vehicles but needs custom adapter which is 600$ and never managed to run it, So tech1 with the proper cartridge might be the only option.

    ALso some dissasembly hacks can reveal all the hidden features.

  11. #11
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,206
    Why would you care about the vin that is programmed. It is never used between communication between ccm and pcm. It is the correct signal from key and the communication that is handled between pcm and ccm. If key is good. It shoul send the pcm correct signal.

    What is more important are the options that are being programmed in the ccm. They might give you troubles.

  12. #12
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    473
    Quote Originally Posted by steveo View Post
    do you have any documentation of that at all ?
    The 100 miles thing was actually confirmed several times over on Corvette Forums, including by, as I recall, people who had actually worked at GM during the C4's run. As for hard evidence of that as well as the ability to remanufacture CCMs, yes, there is this little tidbit to confirm it:

    ccmreman.jpg
    Quote Originally Posted by spfautsch View Post
    Is this info from the FSM? Mine haven't arrived yet. I'm not disputing this statement but it seems like if it can ask the PCM for message 41 it could also ask it for the VIN, and derive the engine code from that. Though I doubt that's the case.

    Also wouldn't the VATS voltage / resistor code have to be set here?

    Am I correct to assume the odometer is stored solely in the CCM?
    This info can be assumed from several data points. First, the ALDL data request commands for both the PCM and CCM are public information, available right here on Gearhead-EFI's servers. If you sift through those, you will see that the parameters you are asking about are not part of any datastream. Additionally, they are not a part of the $41 datastream. As such, we can infer that the CCM is incapable of querying other modules (such as ECM/PCM) for the data that would be stored in secured locations.

    Speaking of, yes, VATS resistor code is stored in the CCM. This value should be a part of the dump I posted, actually; that memory location is only prevented from access if no key (or the incorrect key) is inserted into the ignition. Since I only talk to the car with my car's proper key inserted, it should be there.

    Also yes, the odometer is only stored in the CCM.

    Quote Originally Posted by spfautsch View Post
    Here's a couple quick pics of the board (click for full res).



    Though I also doubt the unit can self program the VIN and options, I have seen mention of a learn procedure for the VATS resistor value over on cf.
    The three solder pads on the bottom-left appear curious to me. That said, as expected, they don't just point you at what pin you'd need to ground in order to override the EEPROM. That would be an insane security problem. Even I haven't seen any documentation pointing out where this pin would be. I'm sure GM knows, and I'm sure there must be some third-party remanufacturers who know, but I'm afraid I do not.

    As for the VATS relearn procedure, you'll note if you go back and check that those threads were referring to people who had new or remanufactured CCMs installed, and were being told that this procedure had to be done within the first 100 miles.

    Quote Originally Posted by kur4o View Post
    Some interesting pin is d6 -diagnostic enable. Goes to DLC terminal 12. Likely when it is grounded or resistored like 4-10kohm it runs some tests.
    It's not all that interesting. This is just the normal self-diagnostic pin on the ALDL connector (on a 94-96, this is pin 12, which you then jumper to pin 4, ground). When this pin is grounded, the CCM acts like a Tech 2, allowing the buttons on the dashboard to act as the Tech 2's buttons. Initially it queries ALDL devices for DTCs, then displays any available DTCs on the dashboard. Once DTC display is complete, you can either use the dash buttons to repeat the messages or can also switch modes to clear DTCs or run actuators. This functionality is detailed here: https://tech.corvettecentral.com/201...-trouble-codes

    Quote Originally Posted by spfautsch View Post
    I wonder if diagnostic enable might be the "magic" pin.
    Sadly not.
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  13. #13
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775
    Quote Originally Posted by kur4o View Post
    e13 and f12 are the aldl pins.
    Thanks, that helped me make sense of the pin numbering terminology. They're numbered 1-16 right to left, so what I was calling gray 31 & 32 are F1 and 2 and grounds are on E15 and 16. I assume the gray connector is c and d. Maybe the unpopulated 40 pin IDC header is a and b?

    I'm not getting anything with only one serial pin connected, so am having to find connectors to add a second.

    Oddly, I'm finding when I power up the board without applying power to the CCM1 and CCM3 circuits, the board sometimes comes up in sleep mode, and sometimes doesn't, but seems to go to sleep eventually. Both of the two additional power circuits are unswitched to battery afaik.

  14. #14
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    473
    Quote Originally Posted by spfautsch View Post
    Thanks, that helped me make sense of the pin numbering terminology. They're numbered 1-16 right to left, so what I was calling gray 31 & 32 are F1 and 2 and grounds are on E15 and 16. I assume the gray connector is c and d. Maybe the unpopulated 40 pin IDC header is a and b?

    I'm not getting anything with only one serial pin connected, so am having to find connectors to add a second.

    Oddly, I'm finding when I power up the board without applying power to the CCM1 and CCM3 circuits, the board sometimes comes up in sleep mode, and sometimes doesn't, but seems to go to sleep eventually. Both of the two additional power circuits are unswitched to battery afaik.
    Please see below the relevant pages for pinouts related to power supply and ALDL comms.

    ccmwiring1.jpgccmwiring2.jpg
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  15. #15
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Posts
    775
    Quote Originally Posted by NomakeWan View Post
    The three solder pads on the bottom-left appear curious to me.
    Those are all tied together - there's another trace between the right pads on the back side. Holding a light behind the unpainted area around the pads it seems like there might be a trace leaving the right pad in a middle layer, but it dead ends on the visible layers. It reads 40mohm to ground.

    Quote Originally Posted by NomakeWan View Post
    This is just the normal self-diagnostic pin on the ALDL connector (on a 94-96, this is pin 12, which you then jumper to pin 4, ground).
    I figured that's what it was but haven't been able to look at all the schematics thus far.

    Quote Originally Posted by kur4o
    Why would you care about the vin that is programmed.
    I'm interested in knowing if the remanned unit has had the eeprom erased before I connect it to the car. Since I know my vin and how many miles are on mine I'm hoping to be able to extrapolate their location in the dump. Though I'm somewhat worried they used some sort of hash algo on the odometer reading. Edit: and it occurred to me it's probably not stored in units of miles but rather some proprietary GM unit.

    Edit: Still no luck with serial data. May have to put it back in the car to troubleshoot.

Similar Threads

  1. car bogs down when switching into reverse/D
    By CAMMED LT1 in forum GM EFI Systems
    Replies: 4
    Last Post: 3 Weeks Ago, 12:34 AM
  2. 12212156 code reverse engineering project in Ghidra
    By dzidaV8 in forum OBDII Tuning
    Replies: 8
    Last Post: 01-13-2020, 11:04 AM
  3. Help!! 93 Lt1 6M Reverse lockout
    By noeysuarez in forum GM EFI Systems
    Replies: 3
    Last Post: 09-14-2017, 08:17 AM
  4. 4l60e reverse boost valve location and procedure
    By JTodd in forum Introductions
    Replies: 1
    Last Post: 04-19-2013, 01:20 AM
  5. T56 reverse lockout options with TBI PCM
    By CDeeZ in forum GM EFI Systems
    Replies: 1
    Last Post: 02-26-2013, 05:06 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •