Corvette CCM Reverse Engineering Anyone?

[spfautsch]

Just wanted to drop back in with a non-technical post now that I've accomplished what I set out to do - have a replacement ccm that's actually programmable. Open source tools are just the icing on the cake. As I've indirectly stated previously, I'm not interested in the odometer tangent any farther than it pertains to being able to erase the mode 5 lockout.

First off, huge thanks to NomakeWan, steveo and kur4o for your insatiable curiosity and immense knowledge and patience. Without your contribution I'd surely still be banging my head against the wall. Blue Streak Electronics can also be begrudgingly thanked for making the ridiculous mistake of selling me a part through RockAuto that was supposedly "plug-and-play, no programming required". Shame on you.

Even if I find later that I haven't fixed my battery drain issue, I'm extremely happy with the outcome. I may or may not try advertising ccm reprogramming services over on cf at a very cheap rate, mainly to generate a source for donor eeprom / uveprom dumps. If anyone objects voice your opinion here. I just want to learn more, and if I can do that while providing a service at a reasonable price, no-one loses.

NomakeWan if you want to take it further and perhaps engineer a patched ROM for the 411 swap guys you have my blessing and support. I'm not planning on desoldering the uveprom, but I'd be happy to loan the module to you if you so desired. No strings attached except that steveo has first dibs.

[steveo]

i think i should take your work and develop the tool that can read/write the eeprom as a bin
then someone could read an existing ccm and clone it or develop an xdf
if you want to maintain radio silence regarding the "reman pin" we could just make people ask us to prove they aren't just trying to screw over a potential car buyer by fudging the mileage?
just some thoughts what do you think

[NomakeWan]

Thanks for the offer, but you overestimate my abilities. I think kur4o is the only one among us who would be capable of working on a patched ROM. My ability to decipher assembly is almost nonexistent (I know how to run diffs and look for similar routines to already-known routines but that's about it), and my ability to write assembly is nil. So as much as I would love to help, I am unfortunately without the requisite skill. Not to mention I'd need to know how the bus works on the C5 (which I don't, except that the E&C bus on them apparently still uses 8192 ALDL, albeit at a different voltage level), and I'd need first-hand experience with the '411 (which I don't have either).

I will however be continuing to work with the Arduino angle. If I can at least get that working, it opens up the possibility of letting people run a piggyback to make their CCM happy regardless of what ECM/PCM they're running. Speeduino, Holley, Haltech, '411, you name it. All you need are certain specific outputs and a piggyback can translate those into the answer the CCM is looking for. I think that's the winning angle...but it could also be because that's the limit of my understanding. ;)

Excellent work to all, and I look forward to further progress!

[steveo]

could you assist with differences between the 1994 and 1995 CCMs and maybe trying to find some 'vette people to get us a few extra example eeprom dumps? i'd like my tools to work with both, and i think i read that they're different. a clean dump from your 1994 and 1995 vette with some feature documentation might be pretty helpful to start

[NomakeWan]

could you assist with differences between the 1994 and 1995 CCMs and maybe trying to find some 'vette people to get us a few extra example eeprom dumps? i'd like my tools to work with both, and i think i read that they're different. a clean dump from your 1994 and 1995 vette with some feature documentation might be pretty helpful to start

Sure. What's a "clean dump," though? How is a clean dump different from the dumps of my 94 and 95 I already made? I want to make sure I get you guys what you need.

[kur4o]

Test 2

ldy 18 ce XXXX
ldab c6 YY
ldx off_ffb0 fe ff b0 update fix

jsr 0,x ad 00 fix
rtn 39

XXXX start address of read
YY length

I am sure this one will work. Than we can work out how to make an echo message of the upload.

If you want mode 6 response with aa

18 ce f4 9d c6 01 fe ff b0 ad 00 39

[spfautsch]

18 ce f4 9d c6 01 fe ff b0 ad 00 39

Sorry. Again, please verify what I sent is what was intended.

Code:

TX+F15605B4
RX+F15705AA09
TX+F16406600018CEF49DC601FEFFB0AD003974
RX+NO REPLY

Also, it has occurred to me I probably haven't uploaded a "clean" read either, but I'm getting an imagemagik runtime error when I try uploading. Will try to upload to my wp site later.

Nevermind, I guess the upload worked regardless.

[steveo]

Test 2

ldy 18 ce XXXX
ldab c6 YY
ldx off_ffb0 fe ff b0 update fix

jsr 0,x ad 00 fix
rtn 39

XXXX start address of read
YY length

I am sure this one will work. Than we can work out how to make an echo message of the upload.

If you want mode 6 response with aa

18 ce f4 9d c6 01 fe ff b0 ad 00 39

kur4o i'm trying to figure out how this works so i can use it, can you help ?

LDX loc_FFB0 ... the rom contains 0x7EF0 there, and then we jump there, but 0x7EF0 contains gibberish

maybe i'm missing something

[steveo]

Sure. What's a "clean dump," though? How is a clean dump different from the dumps of my 94 and 95 I already made? I want to make sure I get you guys what you need.

yeah, those
i don't have them, can you remind me where you posted them ?

[spfautsch]

steveo it's over in the flashhack thread [link].

I'm at the office today so won't be able to test anything until this evening.

I didn't mean to make it sound like I was checking out on the project. I do intend to build an .xdf for these. From what I've been able to gather, the 94-96 models are interchangeable. I might try buying a used one for a 90-91 and 92-93 just to verify the location of the reman pin.

I also intend to figure out the vats authentication so the key code can be read on the test bench. I suspect the unit wants to see the key in pin go off at the same time the two ign inputs go high before it checks the adc count. I just haven't taken the time to locate some dpdt switches and make some additional test leads.

I think I need to give some thought to whether to disclose the location or not. Frankly, it's pretty obvious and I'd hate to be the guy that started an avalanche of stupid. On the other hand I think as long as we omit the odometer from the .xdf that should raise the difficulty level enough to keep things sane. People should have to do some work if they want to enjoy the free stuff. What do you guys think?

I will make a suggestion on the write / erase routines steveo. There's so little that needs to be written and the eeprom block is so small, I'd suggest reading the whole thing to memory and diffing with the .bin, then only erasing / writing the necessary bytes. I know it complicates things, but I don't think we want to overwrite the erase counter on a used unit. Just my $0.02.

Edit: after thinking a bit more, it may make sense to only write $b600-$b66c (odometer), $b67f-$b6ca (oil life, vats, option bytes, lockout bit) and the VIN at $b7ef until we know more about what the 33 bytes at $b6cb are.