Corvette CCM Reverse Engineering Anyone?

[spfautsch]

I forget which bit it is, but I know kur4o identified it somewhere in the first few pages. Here's steve's check in flashhack:

Code:

COMM::Sent message: F1580370CA7A
COMM::Recieved reply: F15703FEB7
CCM Software unlock: NO
COMM::Sent message: F15803644B05
COMM::Recieved reply: F157032293
CCM Hardware unlock: YES

The second read to $644b is checking for the bit that's changed when the reman pin is grounded.

The first is the eeprom lock, which is toggled back to FE when > ~100 miles are accumulated.

I'm having a difficult time building flashhack so may be beating my head against a wall most of the evening.

[-=Jeff=-]

I'm not sure if the security light does in fact go out, per steve's edit (from 10-30-2021)

I'll try to get my testbench up tonight and verify.

Edit: one thing you might test is that the pin you're thinking is for reman has 5v on it. It's entirely possible (though I would think unlikely) that the location is different on older CCMs. It's also possible that flashhack is looking for a register to change that is at a different address. If so we may have to enlist kur4o to work his disassembly magic.

Good to know but looking on my 1992 CCm vs the photo of your 94.. they are the same.. I have not cracked open the 90-91. the 92-93 are the same addresses as 94-95 so it should work, but will check the 5v and check it on my know VATS CCM

Just an observation on this - if you re-read pages 14-16 here where steve was having difficulty getting the heartbeat on a testbench, I theorized (but never confirmed) that the key handshake stuff is bypassed if VATS is disabled in the PCM tune. I had VATS disabled in all my tunes including my testbench PCMs. I'll experiment with this tonight, as I feel like it's an important detail we should clear up.

The reason I disabled VATS was because if I happened to have my serial adapter connected to my laptop but didn't have eehack logging, the car would start but die immediately, which I believe is how VATS works on the PCM side of the theft deterrent "loop".

At any rate, it sounds like this is something that only applies to the flash based PCMs.

I will look at the simulated message, I am know which Bit is VATS from the ECM to CCM, I will try to flip it and see what happens

[-=Jeff=-]

I forget which bit it is, but I know kur4o identified it somewhere in the first few pages. Here's steve's check in flashhack:

Code:

COMM::Sent message: F1580370CA7A
COMM::Recieved reply: F15703FEB7
CCM Software unlock: NO
COMM::Sent message: F15803644B05
COMM::Recieved reply: F157032293
CCM Hardware unlock: YES

The second read to $644b is checking for the bit that's changed when the reman pin is grounded.

The first is the eeprom lock, which is toggled back to FE when > ~100 miles are accumulated.

I'm having a difficult time building flashhack so may be beating my head against a wall most of the evening.

I will look at my BIN Dump from the M6 then take a new dump from the A4. I will however check the pins to verify it is driven low

[spfautsch]

I will look at the simulated message, I am know which Bit is VATS from the ECM to CCM, I will try to flip it and see what happens

I was addressing this to NomakeWan to explain his observations - if you're getting a F0 heartbeat with the arduino simulating the ECM and can connect with flashhack you should be good to go.

[-=Jeff=-]

anyone know a good HEX Compare tool? going to pull the Data from the 2 CCMs with the jumper to see what changed, I assume that should show the change with the reman Pin right?

[-=Jeff=-]

I'm not sure if the security light does in fact go out, per steve's edit (from 10-30-2021)



I'll try to get my testbench up tonight and verify.

Edit: one thing you might test is that the pin you're thinking is for reman has 5v on it. It's entirely possible (though I would think unlikely) that the location is different on older CCMs. It's also possible that flashhack is looking for a register to change that is at a different address. If so we may have to enlist kur4o to work his disassembly magic.

We might need him.. here is my 92 CCM A4, only difference in the unit other than several power cycles, it the reman wire attached.. there are more areas that are different than I expected but I think the Reman pin is a different address. I will work on the 1990 and 1991 this weekend, will pull the BINs then add the wire and Pull the BINs again

EDIT: I am thinking on this one between $62CE and $6306 there might be the data we are looking for. I know the 90 is different and expect the 91 to be different from the 1990

[spfautsch]

I'm still crippled out of using flashhack at the moment so can't give much in the way of specifically directed assistance, but there's an 02 read request that will dump (if memory serves) 64 bytes starting at the address specified. Maybe try that i.e. F1580262CE[chksum] while grounding / ungrounding the reman pin and look for a byte where only one bit changes. eehack will work for this as well (including generating the checksum for you) but I'm similarly not able to run it due to a recent OS upgrade.

Sorry can't be of more help at the moment, delving into Qt compilation madness for the next few hours.

[-=Jeff=-]

No worries

[-=Jeff=-]

More updates

Yeah the 1990-1993 reman pin looks to be the same location, I am guessing the CCM hardware is the same at least 1990-1993, I assume the the same based off the picture of the 1994-6

I have dumped a 1991 (with and without reman pin pulled low) but I will say the software readable pin is in a different location than the 1994. I would really like to get the info for both. Honestly I would like to reprogram the 1991 as an experiment for my 1990. otherwise, being able to reprogram these will be useful for those that may fail

Anyway the $644B where the bit is for the 1994, is not used (from what I can tell) there is stuff in the 63xx-64xx locations that change, but it is not just one spot. here is where i think the help is needed the disassemble them further. I am happy to help, I have 4 CCMs not in cars.

Odd thing. I reprogrammed the Mega to work with the 1990 (static message) that works!!! Thanks again NomakeWan. but I reprogrammed it for the 1992 and it doesn't work, I have 2 files, so not quite sure why it does not work, but will look at that later.

So that is where I stand with these

EDIT: looking at the 94_ccm posted, assuming that was no Reman ground, it is $0e, I saw an address in the 1991 $6324 it is $5e with no ground but $50 with ground.. so maybe that one? there are a couple other too, 1992 is not a clear, if I am even in the right ball park

[spfautsch]

I'm working on brute forcing the vats on the AngryCorvair donor CCM right now. When I have a good read off it what I'm planning on doing is just disabling steve's register checks and let the 05 unlock request dictate the process.

In the mean time, what you could do to test the reman pin is working is to do something innocuous like read the bin so the program silences the module for you. Then go to the advanced tab in flashhack, click the Comm button at the bottom and then over in the command field send (device) f1 (comm) 05 with no payload and see what the CCM responds with.

Well cool, it looks like the donor CCM uses passkey 3. So happy it wasn't 15 as I'm right there with you that messing with trim pots is a PITA.

Edit: Also, at least on these newer modules it appears the penalty period is only 2-1/2 minutes - though I think it might be different if the theft deterrent is armed and gets triggered.

[-=Jeff=-]

Ok I will do that later today, I did buy a set of VATS resistors. So no more trim pot just moving a jumper now. I would like to see the hardware detect removed as it looks like the reman pin is the same. I think the CCM is the same 1990-93 with the EPROM (UV) setting its personality

[spfautsch]

I'll try to borrow my wife's windows laptop and pollute it with the Qt build tools so I can get you a modified binary. steveo if you beat me to it I won't be ashamed - just comment out lines 135 through 138 in processor_ccm.cpp. When we can get kur4o's eyes on these rom dumps maybe he can clarify the reman pin register locations and re-enable the checks.

I will start working up some more thorough documentation on test bench setup and what I discover. However, for starters here's what I recommend as a bare minimum test bench configuration.

always on power to f1 or f2 (doesn't matter which)
switched (ign) power to e5
ground to e16 or e15 (doesn't matter which)
serial to e13 or f12 (doesn't matter which)
vats resistor between e12 and f5
led or small lamp indicator between +12v supply and c6 (led will need current limiting resistor)
switched ground to c12 to simulate driver's door opening
ecm / pcm or arduino simulator connected to serial data (e13 / f12)

It seems like waking the CCM with the driver's door pin is crucial to helping the security loop on the newer units work properly. I'll have to do a bunch more research but this is just something my memory has been refreshed with today.

Edit: jeff to touch on something you mentioned previously, it seems completely feasible to create an arduino sketch that could automate the process of brute-force passkey discovery. Good idea!

[-=Jeff=-]

For the app I have Windows and MacOS if that helps

[spfautsch]

I wouldn't want to task you to screw with compiling it on either. steveos replied to an email so maybe he'll build it without the register checks, otherwise I'll work on building it on windows.

One thing I just confirmed - grounding the reman pin does not allow the protected areas of ram / rom (i.e. the passkey value) to be read. So it will have to be brute forced if unknown.

AngryCorvair thanks again for the donation, it's been extremely useful to me today! At 204,401 miles and having lived in the sunshine state for any amount of time, I bet that was one tired C4!

[-=Jeff=-]

no reman pin:

Code:

flashhack Version 1.2
DEBUG::Sending raw command: [DEV:f1] 05
DEBUG::SERIAL: Opened port COM7
DEBUG::SERIAL: Port info: USB Serial Port - FTDI
Serial# ALDL6336A
VID/PID: 403/6001
Reconnecting to ALDL bus, please wait....
DEBUG::Listening for ALDL heartbeat to determine current bus master...
DEBUG::Got heartbeat frame for current master f1
DEBUG::Silencing bus master device f1
DEBUG::Found heartbeat, sending mode 8 request with predelay 4
COMM::Sent message: F15608B1
COMM::Attained bus silence, stable connection is now likely.
Successfully connected to the ALDL bus.
COMM::Sent message: F15605B4
COMM::Recieved reply: F1570500B3
Got reply to command: [DEV:f1] 05 00
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
ERROR! No reply to keepalive request.

Reman Pin:

Code:

flashhack Version 1.2
DEBUG::Sending raw command: [DEV:f1] 05
Reconnecting to ALDL bus, please wait....
DEBUG::Listening for ALDL heartbeat to determine current bus master...
DEBUG::Got heartbeat frame for current master f1
DEBUG::Silencing bus master device f1
DEBUG::Found heartbeat, sending mode 8 request with predelay 4
COMM::Sent message: F15608B1
COMM::Attained bus silence, stable connection is now likely.
Successfully connected to the ALDL bus.
COMM::Sent message: F15605B4
COMM::Recieved reply: F15705AA09
Got reply to command: [DEV:f1] 05 AA
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Reply was not as expected: f15608b1 vs F1105900
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
COMM::Sent message: F15608B1
COMM::Packet error: Timeout waiting for reply payload.
DEBUG::Trying to reconnect to bus...
ERROR! No reply to keepalive request.

EDIT with reman pin, the LCD cycled power. I have a cluster connected