Thread: Corvette CCM Reverse Engineering Anyone?

  1. #16
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    I found the disassembly I made while ago.

    The ram is located at $6000-65ff, the eeprom is located at $7000-$71ff, and main code is at 8000-ffff, the first part containing some calibration details, then main code.

    We have $200 bytes of eeprom.

    NomakeWan, can you make an updated dump of the ccm you have? Hope they gathered some mileage, so we can identify some stuff pretty quick, if the eeprom increases at some places.

    I think figuring some commands and sequences will not be hard at all when we label the eeprom.

    As far as the secret pin: it is most likely connected to the a/d channels of the processor and will have some 12v voltage; when grounded it will override something in the code.

    Figuring other grounding inputs and tracing the pcb patterns will likely find the secret pin.

  2. #17
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Found the mode5 code in the bin, but there is not much that it can do. It seems the ccm enters some loop where you can upload custom code. It still doesn't make sense since there is no execute visible in the loop.

    Also I think I spot the bit that prevents the mode5 entering. It will be easily patched if we have access to writing a custom bin.

    Now the main question: what should I expect from mode 5?


    Edit:

    I think some polling of the ccm will be great. Sending different modes and submodes commands over the aldl bus and recording the response.

    The CCM ID is f1 or f0. There are also tons of other ids in the code, but it will take some time to figure out the usage.
    Last edited by kur4o; 09-15-2021 at 11:43 PM.

  3. #18
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by kur4o View Post
    NomakeWan, can you make an updated dump of the ccm you have? Hope they gathered some mileage, so we can identify some stuff pretty quick, if the eeprom increases at some places.
    Sure, I can do that later today. I've put plenty of miles on the car since I took those dumps.

    Quote Originally Posted by kur4o View Post
    Found the mode5 code in the bin, but there is not much that it can do. It seems the ccm enters some loop where you can upload custom code. It still doesn't make sense since there is no execute visible in the loop.

    Also I think I spot the bit that prevents the mode5 entering. It will be easily patched if we have access to writing a custom bin.

    Now the main question: what should I expect from mode 5?
    ccmmode5.jpg
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  4. #19
    Fuel Injected!
    Join Date
    Nov 2017
    Location
    Californiacation
    Age
    57
    Posts
    811
    Quote Originally Posted by NomakeWan View Post

    Quote Originally Posted by spfautsch
    I wonder if diagnostic enable might be the "magic" pin.

    Sadly not.
    Momentary 12v on key up to the diagnostic pin should put it in boot mode, not ground.
    -Carl

  5. #20
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by In-Tech View Post
    Momentary 12v on key up to the diagnostic pin should put it in boot mode, not ground.
    I'm not sure what you're trying to say. The diagnostic pin is already 12V (through an internal pull-up resistor). The only available option for this pin is to ground it, which puts the CCM into diagnostic mode. Here is the relevant section from the FSM. It also addresses spfautsch's earlier comment about some CCM-related DTCs not setting the SYS light.

    ccmdiagnosticmode.jpg
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  6. #21
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by spfautsch View Post
    So a bit of background to start. My '95 Y body has been plagued with intermittent battery drain issues pretty much as long as I've owned it. It's progressively grown worse until finally I was able to identify the circuit reliably - CCM2 / fuse # 39 drawing ~120ma continuous. Normally it would be in the 5a range when the DAB is powered and then drop to < 10ma. Now it never drops below 100ma and will kill the battery in 2-4 days. Since I've recently expanded my collection of antique vehicles and plan to do away with my 505k mile daily driver, I need to be able to depend on this car as a backup. I just celebrated my 50th birthday, and the "gift" that comes with that milestone is that it's getting to be less fun getting in and out of this car. When I happen to forget to grab the keys, or turn said square key only to hear the starter solenoid clicking, well I've invented some new expletives for that situation.
    Forgot to mention, but the FSM includes a full list of power draw values for reference. I'll post it below.

    Unfortunately they don't post current draw readings for what happens when there's no key in the car but the PKE is being activated by a nearby transmitter.

    It makes me wonder if your key-in-ignition system or your PKE are malfunctioning. Either one of those could cause the CCM to refuse to sleep, though as the diagram says, a key-in-ignition fault would allow the CCM to sleep after 30 minutes.

    ccmcurrent.jpg
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  7. #22
    Fuel Injected!
    Join Date
    Nov 2017
    Location
    Californiacation
    Age
    57
    Posts
    811
    Quote Originally Posted by NomakeWan View Post
    I'm not sure what you're trying to say. The diagnostic pin is already 12V (through an internal pull-up resistor). The only available option for this pin is to ground it, which puts the CCM into diagnostic mode. Here is the relevant section from the FSM. It also addresses spfautsch's earlier comment about some CCM-related DTCs not setting the SYS light.

    ccmdiagnosticmode.jpg
    Yes, I understand and I will post my GM documentation when I find it. The Mefi4 is very very similar to the obd1 LT1 computers electronically and when I need to convert a 4 into a 4a or 4b this is how we get it into boot mode for programming the entire 256k and not just the calibration data, and yes, still ground for diagnostic mode. Maybe this doesn't work on the LT1 computer but I bet it does. I only have obd2 LT1 puters here or I would already know :)
    -Carl

  8. #23
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by In-Tech View Post
    Yes, I understand and I will post my GM documentation when I find it. The Mefi4 is very very similar to the obd1 LT1 computers electronically and when I need to convert a 4 into a 4a or 4b this is how we get it into boot mode for programming the entire 256k and not just the calibration data, and yes, still ground for diagnostic mode. Maybe this doesn't work on the LT1 computer but I bet it does. I only have obd2 LT1 puters here or I would already know :)
    I look forward to seeing that documentation. What I have on the CCM (as posted earlier) says that the "secret" pin for resetting EEPROM values is internal to the CCM, not something that can be accessed externally via any means. This makes sense since the CCM controls the odometer, and you wouldn't want someone to just be able to plug a stolen GM tool into the ALDL port and change the odometer at will.

    Quote Originally Posted by kur4o View Post
    NomakeWan, can you make an updated dump of the ccm you have? Hope they gathered some mileage, so we can identify some stuff pretty quick, if the eeprom increases at some places.
    Here's a fresh one from my '95, taken just now.
    Attached Files
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  9. #24
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    52
    Posts
    883
    This is all really cool guys, thanks!

    I was able to dump the memory on both modules in-car today. What a PITA those connectors are in the cramped space they left us to work in!

    Honestly, I'm more concerned with why I was unable to talk to the serial port on the test bench. My intuition is leaning me towards the absence of the LCD module, but that's just a wild-assed-guess. I have an idea of someone who might be able to confirm / deny this but won't bog you down with those details.

    I'm fried from a long day so will post more thoughts on the dumps tomorrow, but as I was fearing, the "remanufactured" module has a foreign VIN and the ultra-low mileage of 2675 when booted up. Yay, my car just increased in value by $300.00. :-\ How does one total a C4 before its first oil change? Perhaps Vince Niel can elaborate. But for now I'll digress.

    I suspect I see where the odometer counter is stored in triplicate at the "top" of the eeprom.

    Truth be told, I'm not terribly optimistic that clearing / programming these pieces is a realistic goal. I'm not inclined to give up yet, but honestly this module is a mother-bear to get to. Presumably by design. I'm not even 100% sure it's the cause of my battery drain, though I have noticed that before dumping these today my battery had stabilized at 12.49v for the last 10 days with the CCM removed. Normally it's down to 12.0-11.8 after that long. And I've only left the keys in the ignition two or three times in the past couple years. It's a habit I never break unless the battery / engine / transmission is removed and the car is rendered immobilized.

    Edit: NomakeWan, I saw your comment about the PKE possibly waking the CCM and I've considered this more than once. My neighbors across the street still have a Bill Clinton era 900 MHz cordless phone, and I've always been suspicious the half-octave harmonics from it have been annoying the PKE. Whatever the case, I have a sacrificial CCM board, and wish to exploit it to its full potential.
    Attached Files

  10. #25
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    I'm not surprised at all that a "remanufacturer" didn't bother to actually, yanno, remanufacture the CCM. The only way they could do that correctly would be to request information from you prior to shipment, which they obviously did not do. This leads to a huge issue in that anyone who uses a reman from that company would be committing odometer fraud at worst and have a branded title at best. Big freakin' yikes. So for your second unit, attempting to locate the reman terminal as well as all the requisite memory locations for a Mode 5 request might actually be worth it.

    But for CCMs that are still good and still in a car, I don't see the point. I agree that for those, it would be a waste of time and energy. The only reason to mess around with that would be to do something nefarious, so it's probably best left alone.

    On my end, I've worked out a test program that should allow me to inject arbitrary data into the ALDL port and override the dash. I'm working on the Arduino code now, so hopefully in the next week or so I'll be able to test it by just unplugging my PCM, plugging the Arduino into the ALDL port, and then turning a knob on my potentiometer to set the speedometer on the dash to whatever I want. I've never done tight timing serial comms before, so it'll be a fun exercise. And if it works, then we know that we can make anything work with the CCM going forward. So if someone had, say, Holley EFI, and wanted their dash to work, no problem. Cheapie Arduino board, set your outputs on the Holley to those needed for the datastream, have Arduino interpret those outputs into the datastream the CCM expects, and go.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  11. #26
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    52
    Posts
    883
    Quote Originally Posted by kur4o View Post
    Found the mode5 code in the bin, but there is not much that it can do. It seems the ccm enters some loop where you can upload custom code. It still doesn't make sense since there is no execute visible in the loop.
    What if it doesn't need to execute any code? The documentation for mode 5 reads as upload to ram. In these dumps a copy of the eeprom data is present at 0xB600. What if the code works solely on the copy in ram, and the eeprom compare / write procedure is triggered before sleep mode is entered, or by some other mechanism (key off, etc.) so as not to wear out the eeprom?

    I have considered the fraud tangent and that does trouble me somewhat. State laws are different on the subject, but in Missouri the lines become somewhat blurry once the vehicle is more than 10 years old. At that point the prosecutor has to prove intent to defraud. So you get back to the same moral dilemma that exists where we ask do guns kill people or do people kill people.

    Hoping to have a thorough look at things this weekend. I'm incredibly perturbed that the remanned CCM wasn't remanned. I'm almost certain nothing at all has been done with it because the security light never went out, telling me it's probably programmed for a different VATS pellet.

  12. #27
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,470
    Found that eeprom is located at b600, $200 bytes long. At reset the values from eeprom are copied to ram at $7000. Then at some point some of the values are again copied to the regular ram area 6000-7000.

    There is also some other small area 0-ff used as ram. It is also utilized when mode 5 is entered[used as stack].

    Found 2 subroutines in the communication stuff that write values to eeprom. Too complex yet to figure out. Maybe some submode of something, since they are labeled as mode2 and mode3; maybe it is a submode of something else.

    spfautsch,
    When you have time, you can play with custom send messages through eehack raw commands.
    You can poll the ccm with all modes and submodes, looking for response, negative answers and so on.

    Do you have the p/n of the ccms? I found that each year uses a different p/n. On the 95 files you dumped with NomakeWan, there is only a 2 byte difference at 8000. Maybe this contains options or something like that. Will be really interested to see what is stored on the eeprom.

  13. #28
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    52
    Posts
    883
    I'm working on trying to get the board to function on the test bench so I can do this without going back and forth to the garage. Once I have that figured out I'll start trying some aldl messages.

    I don't have all the equipment with me to test that so I'm working on mapping the ADC pins on the processor. It appears there's an unused analog input on E8 / AN6. The components aren't populated so it isn't actually connected to E8 but the pads and traces are there for it to be.

    I can't tell for sure but it appears there's a voltage sense circuit on both AN0 and AN7. One heads towards the power supply section and the other receives power from the rail side of the fuel level sense resistor. I'll have to dig into this with the board powered up to figure out which is which. One might be for battery voltage and the other for the 5v rail / brown out detection.

    The rest are accounted for as such:

    E7 - IP Dimmer - AN3
    E9 - Fuel level - AN2
    E10 - Ambient light sensor - AN5
    E11 - DIC buttons - AN1
    E12 - PASS resistor - AN4

    Part # on the ones I have is 16223622. The other pn RockAuto has a cross reference for is 16230561.

  14. #29
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by kur4o View Post
    Found that eeprom is located at b600, $200 bytes long. At reset the values from eeprom are copied to ram at $7000. Then at some point some of the values are again copied to the regular ram area 6000-7000.

    There is also some other small area 0-ff used as ram. It is also utilized when mode 5 is entered[used as stack].

    Found 2 subroutines in the communication stuff that write values to eeprom. Too complex yet to figure out. Maybe some submode of something, since they are labeled as mode2 and mode3; maybe it is a submode of something else.

    spfautsch,
    When you have time, you can play with custom send messages through eehack raw commands.
    You can poll the ccm with all modes and submodes, looking for response, negative answers and so on.

    Do you have the p/n of the ccms? I found that each year uses a different p/n. On the 95 files you dumped with NomakeWan, there is only a 2 byte difference at 8000. Maybe this contains options or something like that. Will be really interested to see what is stored on the eeprom.
    My '94 is an automatic with auto climate control. My '95 (the one that I did the new dump for) is a manual with auto climate control. I hooked my Tech 2 up to the '95 and it did display the transmission type as one of the CCM options, so that should be at least part of it.

    I can't get a dump of the 94 right this second because it's in storage. As soon as I get a chance I'll get you a second dump, since yes, it's accumulated mileage since the first dump as well.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)

  15. #30
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,007
    good stuff guys, keep it coming.

    we could definitely get some core info on the available data in the eeprom region by comparing different dumps from different cars.

    i would assume they are programmed using gm code that is uploaded to ram just like the 8051 is programmed so we would definitely have to find that pin to re-enable it. once that's found we likely wouldn't need a full comms loop like the 8051 since we aren't reprogramming the main rom, we could likely get it in one shot.

    it's possible we could steal some code from $EE to help. we'd need to look at the routines that comms mode 12 calls which sets the VIN and calibration ID in the processor's eeprom. it's likely that we could just change the addressing and figure out how to overwrite whatever we want.
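An added example (my own, not code from anyone in this thread) of the dump comparison proposed in #16, #24, #27 and #30: it slices the $200-byte EEPROM copy at $B600 out of two dumps, groups the bytes that changed into runs so a counter that moved between dumps shows as one value going up, and looks for a value stored three times in a row, as the odometer is suspected to be. It assumes each dump is a flat image indexed by processor address, so the region sits at file offset 0xB600; the two dumps it runs on are constructed, not real CCM data.

```python
from typing import List, Tuple

EEPROM_BASE = 0xB600   # where the thread locates the EEPROM copy in the bin
EEPROM_SIZE = 0x200    # $200 bytes of EEPROM, per the thread


def eeprom_region(image: bytes, base: int = EEPROM_BASE,
                  size: int = EEPROM_SIZE) -> bytes:
    """Slice the EEPROM copy out of a flat dump, checking it is large enough."""
    if len(image) < base + size:
        raise ValueError(f"dump is {len(image):#x} bytes, need {base + size:#x}")
    return image[base:base + size]


def changed_runs(old: bytes, new: bytes) -> List[Tuple[int, int, int, int]]:
    """Group differing bytes into runs of (offset, length, old_value, new_value).

    Each run is read as a big-endian integer, so a multi-byte counter that
    ticked up between dumps shows as one entry with new_value > old_value.
    """
    if len(old) != len(new):
        raise ValueError("regions differ in length")
    runs, i = [], 0
    while i < len(old):
        if old[i] == new[i]:
            i += 1
            continue
        j = i
        while j < len(old) and old[j] != new[j]:
            j += 1
        runs.append((i, j - i, int.from_bytes(old[i:j], "big"),
                     int.from_bytes(new[i:j], "big")))
        i = j
    return runs


def triplicated_fields(region: bytes, width: int) -> List[Tuple[int, int]]:
    """Offsets where one `width`-byte value sits three times back to back.
    Blank chunks (all 0x00 or all 0xFF, i.e. unused EEPROM) are skipped."""
    hits = []
    for off in range(len(region) - 3 * width + 1):
        chunk = region[off:off + width]
        if chunk in (b"\x00" * width, b"\xff" * width):
            continue
        if chunk == region[off + width:off + 2 * width] == region[off + 2 * width:off + 3 * width]:
            hits.append((off, int.from_bytes(chunk, "big")))
    return hits


def make_dump(counter: int, option: int) -> bytes:
    """Constructed 64 KiB stand-in for a CCM dump (not a real dump): a 3-byte
    counter written three times at the top of the EEPROM region, one option
    byte at region offset 0x10, and 0x00 everywhere else."""
    img = bytearray(0x10000)
    img[EEPROM_BASE + 0x10] = option
    img[EEPROM_BASE + 0x1F7:EEPROM_BASE + 0x200] = counter.to_bytes(3, "big") * 3
    return bytes(img)
```

Running changed_runs(eeprom_region(make_dump(1010, 5)), eeprom_region(make_dump(1040, 2))) reports the option byte going 5 to 2 and three separate two-byte runs going 1010 to 1040, which is the pattern to look for when hunting a counter stored in triplicate; swap in real dump files read with open(path, "rb").read() to apply it to the attached bins.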
