Corvette CCM Reverse Engineering Anyone?

**spfautsch** · 10-07-2022

Originally Posted by -=Jeff=-

where did you ground the Reman pin to on the CCM? one of my CCMs when I tried to program said the HW pin was not ready (grounded) I will try another, but that particular one i don't have the PASSKey figured out.. been through all the Keys and it has not gotten detected. I am trying again and letting it wait longer between codes to try

Ground, 0 volts. The heatsinks were usually where I'd attach the alligator clip. It's not clear from your question, but if you aren't seeing the security pin turn off (c47) I don't think it's possible to unlock for programming.

Please bear with me as I refresh my memory on this - it's been almost a year since I've looked at one and I have the worst memory.

NomakeWan I also have an 8051 PCM I can look at for the resistor you mentioned. I vaguely recall documenting something about that a while ago, possibly in this thread. There's definitely an impedance difference on the ALDL between the two.

Also jeff, here's how the odometer is stored, using your ZR-1 dump as example.

The odometer triplet is showing $00 12 46 FF FF ...

00 denotes how many FF bytes (aka erased flash cells) to skip during the read from left to right (until a tailing FF is encountered).

That makes $1246 the gross odometer reading minus the lower 4 bits, so $12460 = 74592 (decimal)

On the units I had access to, the remainder of the odometer reading was stored at $b657, in units of 0.25 miles. I referred to this as the vss counter since 1000 pulses = 1/4 mile. Yours reads $1b there, so 27 * 0.25 = 6.75. So my guess would be the ccm you dumped first is showing 74598 or 749599 miles. But its possible this second storage location is different on earlier bins. Let me know if that's close or not.

Edit: Since I just moved it, I know where my test bench cables are at, and I just happen to have a ccm thanks to AngryCorvair that I don't know the passkey value to (maybe I do, but I'll pretend I don't). Probably won't have a chance to do that until late tomorrow evening.

**-=Jeff=-** · 10-07-2022

Yes odometer is within 6 miles of that. So yeah I found that as well.

If I understand correctly, you need to have the PASSKey correct to program. I am going to try to do that with the one I know the code for. I am tempted to make an automated tester to search for the codes.

At this point if I can program one with the known PASSKey then I will live on to the 1991 one I have

**steveo** · 10-07-2022

i do remember that if the 'security light' is on, you can't reprogram it.
that is definitely annoying
there has to be a decent hack we can come up with for people with wrecker ccms they need to repurpose
how many passkey values are there anyway
what memory address is it stored at again

**steveo** · 10-07-2022

it kinda bugs me how the ECM code just goes ahead and barfs the seed/key for programming on ram dump. actually barfs the whole bin with no authentication, so one could track down the code that performs the seed/key pair. but then they scramble the address lines to the flash chip so anyone that tried to desolder it and read it would be in for some severe confusion, the thing looks damn near encrypted if you tried to read it by regular means.

somehow the CCM, though, they really went to town, and protected the passkey value in ram, so even if you dumped the whole thing and figured out where it was, no passkey ??

obviously two different development teams at work there..

**NomakeWan** · 10-07-2022

Originally Posted by steveo

i do remember that if the 'security light' is on, you can't reprogram it.
that is definitely annoying
there has to be a decent hack we can come up with for people with wrecker ccms they need to repurpose
how many passkey values are there anyway
what memory address is it stored at again

Okay so then yeah, it won't allow programming if it's in lockout, which would suggest that it won't allow read in lockout either. I do still wonder how reman facilities are doing what they do.

There are 15 possible resistance values, and on a 90-91 they are stored at B69F while on 92-96 they are stored at B6A2.

**spfautsch** · 10-07-2022

I believe they stopped using #1 (402ohms) early on due to a large number of problems, so functionally only 14.

Whatever the case, the theft deterrent was the only part of this thing they took seriously. If memory serves, in 1984 the Corvette went from the most stolen vehicle in the US to the least due to this "technological marvel".

I'm still re-reading this whole thread to refresh my memory. It's making me pine for something else to hack, and the BCM in my 2001 has been acting a little flaky the last week or two. Hmm...

**spfautsch** · 10-07-2022

Originally Posted by -=Jeff=-

Yes odometer is within 6 miles of that.

That tells me the vss counter must be in a different location for the 90-91s. Now I'd like to know the exact reading so I can look for another byte that matches. Or maybe you guys have already located that.

**-=Jeff=-** · 10-07-2022

Originally Posted by spfautsch

That tells me the vss counter must be in a different location for the 90-91s. Now I'd like to know the exact reading so I can look for another byte that matches. Or maybe you guys have already located that.

Let me pull another dump of the BIN to be sure..

**-=Jeff=-** · 10-07-2022

Originally Posted by steveo

i do remember that if the 'security light' is on, you can't reprogram it.
that is definitely annoying
there has to be a decent hack we can come up with for people with wrecker ccms they need to repurpose
how many passkey values are there anyway
what memory address is it stored at again

Cool, I have a 92 CCM I know the PASSKey that I will try to program this weekend. I also want to set up a simple bench with the 15 resistors to roll through (using a Potentiometer right now is a bit painful). I am also an automation guy by trade so debating on setting up a quick bench at home with some code to run it for me.. Plug in the CCM, then let it run through the codes and stop on the on that works, this way I could give it like 10-15min of wait time if I wanted

**spfautsch** · 10-07-2022

Actually, I just got to page 18 of this thread (posts #260-263) and it seems like it is possible to unlock / write without the vats resistor.

Maybe there's something else going on.

Sadly it's been less than a year since most of this transpired, but it feels like 5.

**-=Jeff=-** · 10-07-2022

Originally Posted by spfautsch

Actually, I just got to page 18 of this thread (posts #260-263) and it seems like it is possible to unlock / write without the vats resistor.

Maybe there's something else going on.

Sadly it's been less than a year since most of this transpired, but it feels like 5.

hmm, I will try again. I have the reman pin tied to a ground on the connector. I will have to see if I get continuity to the heat sink

EDIT Also looks like once I am able to program I can change the VATS. the unit I can connected has the reman pin to ground, but I still have the security light and those posts state the light goes out if grounded. I am wondering now if the ground I have is good

**spfautsch** · 10-07-2022

I'm not sure if the security light does in fact go out, per steve's edit (from 10-30-2021)

Originally Posted by steveo

very interesting, grounding the reman pin actually kills the security light...
edit: despite the security light being on, you're correct, it programs fine. that's helpful.

I'll try to get my testbench up tonight and verify.

Edit: one thing you might test is that the pin you're thinking is for reman has 5v on it. It's entirely possible (though I would think unlikely) that the location is different on older CCMs. It's also possible that flashhack is looking for a register to change that is at a different address. If so we may have to enlist kur4o to work his disassembly magic.

**-=Jeff=-** · 10-07-2022

Originally Posted by spfautsch

I'm not sure if the security light does in fact go out, per steve's edit (from 10-30-2021)

I'll try to get my testbench up tonight and verify.

Well either way, my CCM will not program without VATS, the programmers says the reman pin is not grounded, which lead me to ask you, knowing where you grounded and had it work, helps if I can program without knowing VATS and can change the VATS, all the better for me

**spfautsch** · 10-07-2022

Originally Posted by NomakeWan

That's awesome! I wonder if 94-96 is the only one that doesn't do F0 messages when PASSkey is wrong. Maybe they enhanced the security in the 92-93 to require the ECM to be on the bus ...

Just an observation on this - if you re-read pages 14-16 here where steve was having difficulty getting the heartbeat on a testbench, I theorized (but never confirmed) that the key handshake stuff is bypassed if VATS is disabled in the PCM tune. I had VATS disabled in all my tunes including my testbench PCMs. I'll experiment with this tonight, as I feel like it's an important detail we should clear up.

The reason I disabled VATS was because if I happened to have my serial adapter connected to my laptop but didn't have eehack logging, the car would start but die immediately, which I believe is how VATS works on the PCM side of the theft deterrent "loop".

At any rate, it sounds like this is something that only applies to the flash based PCMs.

**-=Jeff=-** · 10-07-2022

do we know the address for the Lock bit? I would like to see if the 90-91 is the same as newer.. right now I am doing the 92-93 CCM.. I wanted to confirm I could program prior to fixing the Datastream for a friend (currently is LT1 set and needs to be set for LT5)