There is a Mode 6 that includes an execute, but the Mode 6 doesn't have the same warnings on it that the Mode 5 does, which makes me think it cannot be used to access the same regions that are used by Mode 5. Here it is for reference anyway:Originally Posted by kur4o
ccmmode6.jpg
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
generally mode 5 enables mode 6, and mode 6 is where you can write a code segment to ram and execute it.
I think there is an execute command too, but it might be tied to mode 5. It is a little different than the ee pcm, but still hackable. WHat will be much more harder is to create custom subroutine that is uploaded and writes data to the eeprom. Some stuff is availble for programming but I guess the more sensitive stuff is omitted.
The software address of the override pin is to be located at $644b bit $02. It should be set so you can enter mode6. I think mode 5 unocks the ccm so you can enter mode 6. Still not quite clear.
ALso the ccm seems to respond differently to F0 and F1 functional addresses. F0 is general communication and F1 is for special functions.
It will be great to get some sniff data from T2 logs of some of the more intersting stuff as options and vin querings and device control.
Correct. F0 is for when the CCM polls the ALDL for an external device (such as a Tech 2). If there is no response to the F0 poll, nothing happens, the CCM continues to operate as normal. But if that poll is answered by an F1 command, then it executes whatever that command is before returning to normal operation. The CCM sends this F0 poll once per second.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
The test bench keeps getting more involved. Seems like the CCM is spamming the aldl in a loop trying to query the ECM / PCM for configuration info at startup. As such it won't respond to the hush command so eehack / flashhack can talk to it. According to the FSM it does this until DTC 41 - loss of aldl comms is set. I tested in-car by pulling both PCM fuses and get the same thing as on the bench. This is what eehack sees when I run an idle scan and wake the module by giving it 12 volts on E4.
Can't seem to get it to set DTC 41 on the test bench so I'm going to try to rig up a couple additional connectors so I can get my spare PCM in the loop and hopefully shut it up.Code:START IDLE SCAN LOG ::: GAP4796ms 4796ms to 4806ms (10ms) :: 10590000 ::: GAP9ms 4815ms to 4823ms (8ms) :: 00009797 ::: GAP4ms 4827ms to 4838ms (11ms) :: 4057000069 ::: GAP168ms 5006ms to 5014ms (8ms) :: 10590000000097 ::: GAP21ms 5035ms to 5046ms (11ms) :: 4057000069 ::: GAP151ms 5197ms to 5208ms (11ms) :: 10590000 ::: GAP4ms 5212ms to 5222ms (10ms) :: 00009797 ::: GAP4ms 5226ms to 5238ms (12ms) :: 4057000069 ::: GAP164ms 5402ms to 5414ms (12ms) :: 10590000000097 ::: GAP21ms 5435ms to 5446ms (11ms) :: 4057000069 ::: GAP150ms 5596ms to 5607ms (11ms) :: 10590000 ::: GAP5ms 5612ms to 5622ms (10ms) :: 00009797 ::: GAP4ms 5626ms to 5638ms (12ms) :: 4057000069 ::: GAP167ms 5805ms to 5814ms (9ms) :: 10590000000097 ::: GAP21ms 5835ms to 5846ms (11ms) :: 4057000069 ::: GAP150ms 5996ms to 6007ms (11ms) :: 10590000 ::: GAP5ms 6012ms to 6022ms (10ms) :: 00009797 ::: GAP4ms 6026ms to 6038ms (12ms) :: 4057000069 ::: GAP164ms 6202ms to 6214ms (12ms) :: 10590000000097 ::: GAP21ms 6235ms to 6246ms (11ms) :: 4057000069 ::: GAP149ms 6395ms to 6406ms (11ms) :: 10590000 ::: GAP4ms 6410ms to 6422ms (12ms) :: 00009797 ::: GAP4ms 6426ms to 6437ms (11ms) :: 4057000069 ::: GAP166ms 6603ms to 6614ms (11ms) :: 10590000000097 ::: GAP21ms 6635ms to 6646ms (11ms) :: 4057000069 ::: GAP150ms 6796ms to 6806ms (10ms) :: 10590000 ::: GAP4ms 6810ms to 6822ms (12ms) :: 00009797 ::: GAP4ms 6826ms to 6837ms (11ms) :: 4057000069 ::: GAP167ms 7004ms to 7014ms (10ms) :: 10590000000097 ::: GAP20ms 7034ms to 7046ms (12ms) :: 4057000069 ::: GAP149ms 7195ms to 7205ms (10ms) :: 10590000 ::: GAP5ms 7210ms to 7221ms (11ms) :: 00009797 ::: GAP4ms 7225ms to 7237ms (12ms) :: 4057000069 ::: GAP167ms 7404ms to 7414ms (10ms) :: 10590000000097 ::: GAP20ms 7434ms to 7446ms (12ms) :: 4057000069 ::: GAP148ms 7594ms to 7605ms (11ms) :: 10590000 ::: GAP5ms 7610ms to 7621ms (11ms) :: 00009797 ::: GAP4ms 7625ms to 7637ms (12ms) :: 4057000069 ::: GAP167ms 7804ms to 7813ms (9ms) :: 10590000000097 ::: GAP21ms 7834ms to 7845ms (11ms) :: 4057000069 ::: GAP151ms 7996ms to 8006ms (10ms) :: 10590000 ::: GAP4ms 8010ms to 8021ms (11ms) :: 00009797 ::: GAP4ms 8025ms to 8037ms (12ms) :: 4057000069 ::: GAP168ms 8205ms to 8213ms (8ms) :: 10590000000097 ::: GAP21ms 8234ms to 8246ms (12ms) :: 4057000069 ::: GAP151ms 8397ms to 8405ms (8ms) :: 10590000 ::: GAP4ms 8409ms to 8421ms (12ms) :: 00009797 ::: GAP5ms 8426ms to 8437ms (11ms) :: 4057000069 ::: GAP168ms 8605ms to 8613ms (8ms) :: 10590000000097 ::: GAP21ms 8634ms to 8646ms (12ms) :: 4057000069 ::: GAP150ms 8796ms to 8805ms (9ms) :: 10590000 ::: GAP4ms 8809ms to 8821ms (12ms) :: 00009797 ::: GAP4ms 8825ms to 8837ms (12ms) :: 4057000069 ::: GAP168ms 9005ms to 9013ms (8ms) :: 10590000000097 ::: GAP21ms 9034ms to 9046ms (12ms) :: 4057000069 ::: GAP150ms 9196ms to 9205ms (9ms) :: 10590000 ::: GAP4ms 9209ms to 9221ms (12ms) :: 00009797 ::: GAP4ms 9225ms to 9237ms (12ms) :: 4057000069 ::: GAP164ms 9401ms to 9413ms (12ms) :: 10590000000097 ::: GAP21ms 9434ms to 9446ms (12ms) :: 4057000069 ::: GAP150ms 9596ms to 9605ms (9ms) :: 10590000 ::: GAP4ms 9609ms to 9621ms (12ms) :: 00009797 FINISH IDLE SCAN LOG
Apparently there are two separate voltage sensing circuits. From the FSM book 1 part 2, section 8D page 7:
01 - fuel level (gallons)
02 - IP dimmer value (adc counts)
03 - ambient light sensor (adc counts)
04 - rear defogger timer (seconds)
05 - vehicle speed (mph)
06 - PASS key (adc counts)
07 - ignition voltage (volts, tenths)
08 - switched battery voltage (volts, tenths)
09 - cluster lamp dimming (pwm)
10 - cluster lcd backlight dimming (pwm)
11 - radio & climate control backlight dimming (pwm)
12 - led dimming (pwm)
13 - vehicle configuration
14 - vehicle configuration
15 - oil monitor effective revolutions
16 - ccm software version
good find, kur4o. we can trace that back and find the pin for sure - just dump that address with eehack and fiddle pins until it flips the bit.The software address of the override pin is to be located at $644b bit $02. It should be set so you can enter mode6. I think mode 5 unocks the ccm so you can enter mode 6. Still not quite clear.
i'm certain that GM wouldn't let you run mode 6 commands without a mode 5 unlock first unless that hardware pin was grounded, so obviously you'd need to unlock the CCM with software during 'initial low mileage' state and that must be done with a mode 5 request. if it was just a hardware pin unlock they wouldn't bother putting that low mileage code in at all
Interesting; why is it 40 57 0000 69? According to my documents this poll should only be 3 bytes, 40 55 6B. Where are the extra two bytes of 00 coming from?
Last edited by NomakeWan; 09-18-2021 at 07:58 PM.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
It could simply be an impedance mismatch on the serial line causing noisy comms. All I know is it's working in the car only when the PCM has power. Also, aren't the uveprom based ECMs all 160 baud? Is it possibly trying to talk to an LT5 ECM? Just a WAG.
I've been digging through the processor datasheet looking for port register addresses. I think the key in switch pin may be a good point of reference because it triggers a wake interrupt. I'll try tracing it back.
Only the pre-90 ECMs supported 160 baud. In 1990 with the introduction of the CCM, they all moved to 8192 baud (and went from Pin E on the ALDL connector to Pin M for good measure).
Also, figured out the weirdness with your poll. Your poll does make sense since the checksum is different. But both my documentation and an idle scan from a guy on Corvette Forums show the idle poll to be 40 55 6B instead. However, my documentation is from 1989 when the CCM was first introduced, and that user had a 1990 Corvette.
I went back and looked at a log that steveo had me take of idle traffic on one of my cars, and got 40 57 FF FF 6B as my CCM poll. I'm not sure which of my two cars this was since I didn't make a note of it.
I did however take other logs that were marked. My '94 showed the following polls:
94 Key Off: 40570C025B
94 Key On Engine Off: 4057FFFF6B
94 Key On Engine On: 4057FFFF6B
All very interesting. It would appear GM added two bits at some point after 1990. I wonder what the difference in poll is between key off and key on?
Last edited by NomakeWan; 09-18-2021 at 08:00 PM.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
Some y0body idle traffic.F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
[F0 56 F1 C9]
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
[F0 56 F1 C9]
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E 40 57 FF
41
67
02 rpm
F2 ad map
00 tps
4F coolant
4E mat
01 options 1
00 options 2
46
1A
C3
88 inj flow rate
00 mph
42 oil temp
FF tcnt
FF tcnt
00 ad trans temp
A0
A0
9B
10
59
08 option byte
4F coolant
02 rpm
00 mph
3E
You can try to fake the pcm sending some of the above replies than shut the bus by sending f1 mode 8 message.
I am looking for a sniff of y-body t2 session which never worked since t2 tries to shut the ccm. I want to trace the command send.
kur4o brings up a good point; the other problem is that my documentation from '89 that covers the '90 model lists $41 as being 61 for length, while our 94~95 cars are 67. So there's clearly more data in the regular poll response than before, and that brings up the excellent question of what all that extra data is. Rats.
As for idle data, here's key-on-engine-off data you can inject if you want to pretend to be the PCM and respond to 4057FFFF6B:
416702F6006F580100782010880052FFFF5AA0A07E
EDIT: And thanks to kur4o's above post, here's the layout for that poll response. I'm only missing the definitions for four sections ("tcnt?" and the two "A0" bytes), and of course the breakdown of what all the bits in the two Status/Option bytes represent.
41 ECM to CCM Poll Response
67 Message Length
02 RPM (45 RPM appears to be as low as it goes on $EE)
F6 MAP
00 TPS
6F CTS
58 IAT
01 Status Byte 1
00 Status Byte 2?
78 Engine Revolutions
20 Injector On Time (Byte 1)
10 Injector On Time (Byte 2)
88 Injector Scaler
00 VSS
52 Oil Temp
FF ?
FF ?
5A Auto Trans Temp
A0 ?
A0 ?
7E Checksum
Last edited by NomakeWan; 09-18-2021 at 08:26 PM.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
I did it the old fashioned, brute force method. Luckily the ground on the blue PCM connector is not necessary so I had just enough connectors. I should really buy some bodies for these so I'm not having to count pins when setting this all up.
It's probably premature, but NomakeWan do you know what PASSKey pellets yours have?
IMG_20210918_121934825.jpg
We has test bench. Let the games begin. Sadly the first order of business will be getting another cup of coffee and returning the last one to the water table.
I do! The '94 has 15, and the '95 has 9.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
Please forgive my lazy, not wanting to read to try and figure out on my own. Can one change how many bytes are read with a mode 2? Or use some other command to get a smaller range?
Whatever the case, see below responses to f1 02 644b while shorting the key in pin to ground.
Now I guess I need to figure out where the processor is reading that from.Code:DATA=200111407F7F7F8F8F8F1111118181812020200101010000007F9F0000800006000100004010FFFF0602000087004900000000E30004FFFF00FFFF0000000000 < C11 grounded DATA=200111407F7F7F8F8F8F1111118080802020200101010000007F9F0000800006000100004010FFFF0602000087004900000000E30004FFFF00FFFF0000000000 < C11 floating
you can use a mode 3 request. mode 2 reads 64 bytes, mode 3 just reads that single byte.
Posting Permissions
Reply With Quote
Bookmarks