Corvette CCM Reverse Engineering Anyone?

[spfautsch]

Sorry been busy with other projects - first was replacing laptop keyboard so I have a ctrl key again. :-)

Finally had a chance over the weekend to wire up my aldl logger to the test bench setup and capture some data. This will also give me a decent platform to continue development of the microcontroller code, since I had to do it all in the car last fall. I think I'm going to take a page out of steveo's playbook and screw it all down to a piece of plywood so I don't have to disconnect everything to use my workbench.

Anyway, here are the initial interactions between the (94) CCM and the 1333 PCM.

With VATS enabled in PCM flash, correct PASSKey:

Code:

10 59 00 00 00 00 97
40 57 00 00 69
41 67 02 00 00 87 00 00 00 00 00 00 BE 00 04 4A 74 00 A0 A0 0F
10 59 00 00 00 00 97
40 57 3F 8C 9E
41 67 02 00 00 87 00 40 00 00 00 00 BE 00 04 FF FF 00 A0 A0 8F
10 59 08 87 02 00 06
40 57 BA B9 F6
41 67 02 00 00 87 00 41 00 00 00 00 BE 00 04 FF FF 00 A0 A0 8E
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 A0 A0 86
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 A0 A0 86
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 A0 A0 86
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 A0 A0 86
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 A0 A0 86
F0 56 F1 C9
>F1 56 08 B1

With VATS enabled in PCM flash, incorrect / no PASSKey:

Code:

10 59 00 00 00 00 97
40 57 00 00 69
41 67 02 00 00 87 00 00 00 00 00 00 BE 00 04 47 E9 00 A0 A0 9D
10 59 00 00 00 00 97
40 57 47 E9 39
41 67 02 00 00 87 00 40 00 00 00 00 BE 00 04 E1 93 00 A0 A0 19
10 59 08 87 02 00 06
40 57 E1 93 F5
41 67 02 00 00 87 00 40 00 00 00 00 BE 00 04 7B 26 00 A0 A0 EC
10 59 08 87 02 00 06
40 57 7B 26 C8
41 67 02 00 00 87 00 48 00 00 00 00 BE 00 04 14 B8 00 A0 A0 B9
10 59 08 87 02 00 06
40 57 14 B8 9D
41 67 02 00 00 87 00 48 00 00 00 00 BE 00 04 AE 63 00 A0 A0 74
10 59 08 87 02 00 06
40 57 AE 63 58
41 67 02 00 00 87 00 48 00 00 00 00 BE 00 04 47 F4 00 A0 A0 4A
10 59 08 87 02 00 06
40 57 47 F4 2E
41 67 02 00 00 87 00 48 00 00 00 00 BE 00 04 E1 9F 00 A0 A0 05
10 59 08 87 02 00 06
40 57 E1 9F E9
41 67 02 00 00 87 00 48 00 00 00 00 BE 00 04 7B 31 00 A0 A0 D9
10 59 08 87 02 00 06
40 57 7B 31 BD

As steveo found last year, this repeats on forever because neither module ever clears the VATS check.

VATS disabled in PCM flash, incorrect / no passkey:

Code:

10 59 00 00 00 00 97
40 57 00 00 69
41 67 02 00 00 87 00 00 00 00 00 00 BE 00 04 FF FF 00 EF EF 31
10 59 00 00 00 00 97
40 57 FF FF 6B
41 67 02 00 00 87 00 41 00 00 00 00 BE 00 04 FF FF 00 EF EF F0
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 41 00 00 00 00 BE 00 04 FF FF 00 EF EF F0
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
F0 56 F1 C9
>F1 56 08 B1

VATS disabled in PCM flash, correct PASSKey:

Code:

10 59 00 00 00 00 97
40 57 00 00 69
41 67 02 00 00 87 00 00 00 00 00 00 BE 00 04 FF FF 00 EF EF 31
10 59 00 00 00 00 97
40 57 BA B9 F6
41 67 02 00 00 87 00 41 00 00 00 00 BE 00 04 FF FF 00 EF EF F0
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 41 00 00 00 00 BE 00 04 FF FF 00 EF EF F0
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
10 59 08 87 02 00 06
40 57 FF FF 6B
41 67 02 00 00 87 00 49 00 00 00 00 BE 00 04 FF FF 00 EF EF E8
F0 56 F1 C9
>F1 56 08 B1

One thing that I noticed that can't be gleaned from the logging is that with VATS enabled in the PCM, the CCM went to sleep a lot sooner than without it.

I'll probably write up a page on my wordpress site for the logger and post back with updates as I have time to progress. To make something that works across all the 90-95 Y bodies it will need to read the VIN from the CCM at startup so the logger knows what messages are supported, etc.

[spfautsch]

Ah, that's so much better.



Now I can hang it up on the wall and reclaim my workbench when needed.



Now I just need to move / get rid of a dozen other major pieces of clutter. Anyone interested in a nice starter drum kit? Comes with a complimentary fog machine! Then I might be able to do something about the 2 year old collection of dust on my cabled weight machine.

Jeff something occurred to me as I was attempting to resurrect this setup after jostling most of the wiring - when you really piss the CCM off good it will go into a state where the alarm penalty period is doubled or even tripled, unless and until you ground pin D15 which is labeled "security disarm" or something to that effect in the FSM.

Now I just need to build a PASSKey resistor board and I'm set.

steveo, don't worry about working on flashhack. We'll be moving beyond that soon.

[-=Jeff=-]

Jeff something occurred to me as I was attempting to resurrect this setup after jostling most of the wiring - when you really piss the CCM off good it will go into a state where the alarm penalty period is doubled or even tripled, unless and until you ground pin D15 which is labeled "security disarm" or something to that effect in the FSM.

Now I just need to build a PASSKey resistor board and I'm set.

steveo, don't worry about working on flashhack. We'll be moving beyond that soon.

Good to know. I just brute force programmed a new value to it and called it good.. LOL

I also bought a set of resistors off eBay, all the correct VATS values.. https://www.ebay.com/itm/195222697918

Worth it for me.. Now I just need to wire my LT5 ECM, although the Arduino setup seems to work well.

I am haven't done too much, seeing where your Datalogger ends up, I like how that can be 'inserted' and used without a Computer. I can then log to SD card and display on my screen. I am leaning towards buying a newer screen and using the IO on screen (Nextion 4.3 intelligent)

[NomakeWan]

I've got a bizarre one for you.

So the past month I've been away from home due to family emergencies across the US. I've barely had any time to be with the car, so it just sat in the driveway. Well, after having sat for only a few weeks, I went to open it and nothing happened. Figured my keyfob was dead and unlocked it manually, but noticed the interior lights didn't come on either. Didn't have time to deal with it before hopping a plane so I used another car instead.

When I finally got back a few days ago, I checked the battery and it had 1.2V. Not a typo. Had bought the battery brand new back in May, but figured okay, maybe defective. The '90 has been sitting in our garage for even longer and it still reads 10.6V (before I put the tender back on it). So I got the battery replaced under warranty, tossed it on the car, and that brought everything back.

Except that now my odometer reads 0.

How in the actual fuck? Isn't the CCM's userspace NVRAM? It's not supposed to care if there's no voltage, right? Why would a near-dead battery cause the CCM to reset? Has anyone even heard of this? Anybody know why?

I have a dump from the '95 I took before, and I have a photo on my phone showing I hit 129,000 miles on September 17th of this year, so I won't be up shit creek reflashing it. But I'm just...flabbergasted.

[steveo]

it's definitely not supposed to do that - however if it is truly at zero miles i think you should be able to reprogram it in-car without using the 'reman pin'. i think it'd be more likely that it's a communication issue between the dash and ccm or something

[NomakeWan]

I haven't tried plugging in and asking it for a Mode 5 yet. I plan on doing that next. It started raining only a few minutes after I managed to get the battery in (which was why I was in such a hurry to do that).

But I flicked through all the dash controls to be sure--they all function correctly. Trip and Odo both read 0 (trip reading 0.0). It most certainly looks like the EEPROM has been blanked somehow.

As soon as I have an opportunity I will update with more information. I've never seen this before.

EDIT: Went back out to the car, turned the key, and the odometer was back. Confirmed with Flashhack that it's locked.

I wonder if this is a vulnerability? A code path that was not accounted for?

Basically the CCM lived with less than 5V going to its power pins for almost a month. Then I took that battery out, slapped a fresh one in, and the first thing I did was unlock the car with the keyfob, then turn on the parking lights to engage the digital dash. That's when it read 0. Had it not been starting to rain I would've run in and grabbed my laptop. But it appears that this first powerup might be going down the wrong code path for some reason.

It's all good now though--confirmed by reading it with Flashhack and by using my Tech 2 that everything's the same as it was before.

[steveo]

solar flare ?