Corvette CCM Reverse Engineering Anyone?

**steveo** · 09-18-2021

The software address of the override pin is to be located at $644b bit $02. It should be set so you can enter mode6. I think mode 5 unocks the ccm so you can enter mode 6. Still not quite clear.

good find, kur4o. we can trace that back and find the pin for sure - just dump that address with eehack and fiddle pins until it flips the bit.

i'm certain that GM wouldn't let you run mode 6 commands without a mode 5 unlock first unless that hardware pin was grounded, so obviously you'd need to unlock the CCM with software during 'initial low mileage' state and that must be done with a mode 5 request. if it was just a hardware pin unlock they wouldn't bother putting that low mileage code in at all

**NomakeWan** · 09-18-2021

Interesting; why is it 40 57 0000 69? According to my documents this poll should only be 3 bytes, 40 55 6B. Where are the extra two bytes of 00 coming from?

**spfautsch** · 09-18-2021

It could simply be an impedance mismatch on the serial line causing noisy comms. All I know is it's working in the car only when the PCM has power. Also, aren't the uveprom based ECMs all 160 baud? Is it possibly trying to talk to an LT5 ECM? Just a WAG.

I've been digging through the processor datasheet looking for port register addresses. I think the key in switch pin may be a good point of reference because it triggers a wake interrupt. I'll try tracing it back.

**NomakeWan** · 09-18-2021

Only the pre-90 ECMs supported 160 baud. In 1990 with the introduction of the CCM, they all moved to 8192 baud (and went from Pin E on the ALDL connector to Pin M for good measure).

Also, figured out the weirdness with your poll. Your poll does make sense since the checksum is different. But both my documentation and an idle scan from a guy on Corvette Forums show the idle poll to be 40 55 6B instead. However, my documentation is from 1989 when the CCM was first introduced, and that user had a 1990 Corvette.

I went back and looked at a log that steveo had me take of idle traffic on one of my cars, and got 40 57 FF FF 6B as my CCM poll. I'm not sure which of my two cars this was since I didn't make a note of it.

I did however take other logs that were marked. My '94 showed the following polls:

94 Key Off: 40570C025B
94 Key On Engine Off: 4057FFFF6B
94 Key On Engine On: 4057FFFF6B

All very interesting. It would appear GM added two bits at some point after 1990. I wonder what the difference in poll is between key off and key on?

**kur4o** · 09-18-2021

F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
[F0 56 F1 C9]

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

[F0 56 F1 C9]

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E

40 57 FF FF 6B

41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B

10 59 08 4F 02 00 3E 40 57 FF

41
67

02 rpm
F2 ad map
00 tps
4F coolant
4E mat
01 options 1
00 options 2
46
1A
C3
88 inj flow rate
00 mph
42 oil temp
FF tcnt
FF tcnt
00 ad trans temp
A0
A0

9B

10
59

08 option byte
4F coolant
02 rpm
00 mph

3E

Some y0body idle traffic.

You can try to fake the pcm sending some of the above replies than shut the bus by sending f1 mode 8 message.

I am looking for a sniff of y-body t2 session which never worked since t2 tries to shut the ccm. I want to trace the command send.

**NomakeWan** · 09-18-2021

kur4o brings up a good point; the other problem is that my documentation from '89 that covers the '90 model lists $41 as being 61 for length, while our 94~95 cars are 67. So there's clearly more data in the regular poll response than before, and that brings up the excellent question of what all that extra data is. Rats.

As for idle data, here's key-on-engine-off data you can inject if you want to pretend to be the PCM and respond to 4057FFFF6B:

416702F6006F580100782010880052FFFF5AA0A07E

EDIT: And thanks to kur4o's above post, here's the layout for that poll response. I'm only missing the definitions for four sections ("tcnt?" and the two "A0" bytes), and of course the breakdown of what all the bits in the two Status/Option bytes represent.

41 ECM to CCM Poll Response
67 Message Length
02 RPM (45 RPM appears to be as low as it goes on $EE)
F6 MAP
00 TPS
6F CTS
58 IAT
01 Status Byte 1
00 Status Byte 2?
78 Engine Revolutions
20 Injector On Time (Byte 1)
10 Injector On Time (Byte 2)
88 Injector Scaler
00 VSS
52 Oil Temp
FF ?
FF ?
5A Auto Trans Temp
A0 ?
A0 ?
7E Checksum

**spfautsch** · 09-18-2021

I did it the old fashioned, brute force method. Luckily the ground on the blue PCM connector is not necessary so I had just enough connectors. I should really buy some bodies for these so I'm not having to count pins when setting this all up.

It's probably premature, but NomakeWan do you know what PASSKey pellets yours have?

IMG_20210918_121934825.jpg

We has test bench. Let the games begin. Sadly the first order of business will be getting another cup of coffee and returning the last one to the water table.