
Thread: Corvette CCM Reverse Engineering Anyone?

  1. #91 Fuel Injected! (Join Date: Mar 2013; Posts: 1,470)
    Found some other stuff. Byte_70CA bit $01: if it is set you can enter m5 without a pin set.

    Stock is FE, I guess if changed to FF, you will enter m5.

    Too bad at one point there is a check: a 607c value [is mileage] is compared against 8220 [stock $64 = 100 miles].
    If it is over, 70CA is rearmed to the FE value.

    I suppose mileage is at least 2 words, one is lower and one is upper range.

    Some eeprom examples to follow.

  2. #92 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    Yes, odometer storage is some weird $h!t. Near as I can tell the first byte is how many erased bytes there are from byte 2 to where two contiguous $FF or $00 bytes are encountered. My guess is they were worried about eeprom wear leveling. And I'm 100% confident the low 4 bits of the odometer are stored in some other unit such as VSS counts or something closely related. But it's certainly stored in eeprom. Haven't taken the task of identifying that one beyond theory.

    I feel like I want to work on some other things, but none of those things are that important. I have to go into the office tomorrow and punch the timeclock so-to-speak. Maybe Tuesday I'll work on making the odometer increment by feeding the module some fake 4kppm data.

    I'm just stoked to have essentially 0wned this module without the benefit of a service tool snoop log.

  3. #93 steveo, LT1 specialist (Join Date: Aug 2013; Posts: 4,008)
    this is unreal progress. cant believe you had it nailed so quickly.

    i would love to build this work into a user friendly tool like flashhack when you are ready

  4. #94 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    I wasn't implying you should have to do all the work of coding steveo, but you'll probably save yourself a lot of grief by keeping my paws out of your source. I'll be happy to contribute whatever I can. Most of my notes are already in this thread and I'll continue to post as I continue to map out the eeprom. The only ask I have is perhaps a bench mode option that will listen and reply with some fake PCM responses to make the unit be happy, and quiet.

    I've yet to do simple stuff like talking to the unit with "normal" comms to see if it has any dtcs, etc. Been too focused on cracking the eeprom nut.

    Edit: The lower 4 bits of the odometer appear to be stored at $6b57 in units of 1/4 mile. Odd that it's in the same location on all the dumps we have. If I were worried about wear leveling I'd have allocated a number of cells, but the odds of all four dumps using the same byte out of any number larger than 2 seems pretty low.

  5. #95 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    Here's current progress on eeprom mapping. Some items are fairly easily confirmed, some are a developed theory, and some are just a wild-assed guess. The number of question marks added after the info is relative to my confidence.

    Code:
    $b600: 01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00 = odometer minus low 4 bits = 0x2B8D0 178384 mi
    $b612: 01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00
    $b624: 01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00
    $b636: 00 (33 bytes)
    $b657: 05 = vss counter * 1k = 1.25 mi ?
    $b658: 00 (21 bytes)
    $b66d: 01 31 ff d6 ff ff ff ff ff ff ff ff ff ff ff ff ff ff = erase counter ??
    $b67f: 4a 9f
    $b681: 44 dc = olm remaining engine revolutions ??
    $b683: 02 d6 37 48 2d 5b 34 c7 04 67 36 1e 17 91 49 46 31 01 1d a1 48 2e 40 5e 39 18 35 af 12 (dtc history ???????)
    $b6a0: 13 04 = olm remaining miles ??
    $b6a2: 0f aa 55 = vats resistor code (15) (aa 55 = tolerance ???)
    $b6a5: 01 (32 bytes)
    $b6c5: ff 3a 
    $b6c7: 02 manual trans ??
    $b6c8: 00 00
    $b6ca: fe = mode5 lockout
    $66cb: 40 00 10 00 00 00 80 00 20 00 08 01 80 40 20 10 08 04 02 80 00 08 04 02 01 00 00 00 00 20 00 80 00 (33 bytes ff in 94 eeprom - poss. custom PCM polling msg ?????)
    $b6ec: ff (259 bytes) unused
    $b7ef: <vin> (17 bytes)
    If anyone spots missing bytes or overlapping addresses please point it out and I'll clean it up. The hex editor I use doesn't support copying the hex conversion so a lot of this was typed while tabbing between my notes and ghex.

    The erase counter is just an educated guess - I've noticed it increment several times after starting the engine and letting it idle, and most recently after resetting the oil life monitor (olm).

    The oil life monitor stuff seems pretty straightforward, but I'm somewhat confused as to why the two counters are stored so far apart, and what the jumble of info between them might be. As such I'm giving this one two question marks. Whatever the case, I've noticed the remaining revolutions decrement from dump to dump when the engine has been running. After I cleared the olm from the dic controls the revolution counter was reset to 20000 (0x4320 hex) and the miles to 5885 (0x16fd).

    On the vats code, I've no idea what the following two bytes are - my guess is tolerance. But the key code is stored at $b6a2 in the clear based on having dumps from two with 15s and one with a 9. Also, per NomakeWan's previously posted info, when the eeprom is read without the correct vats resistor the 02 request returns 00 00 00 for these bytes. And there appears to be an authentication routine for this, it's not as simple as hooking up a trim pot and finding the resistance. It appears a specific sequence must be recognized - i.e. key-in pin goes low, vats read, ign1 and ign3 go high and key-in also goes high. Just a guess but I tried all 14 values about 3 different ways last night and was unable to read these bytes from the salvage ccm.

    Since we have no dumps from ZR-1s and all we have appear to be equipped with the C68 climate control, that's about as far as I can go on vehicle options. I do have a message out to someone I know with a 90's ZR-1, but he may or may not be willing / able to help.

    One other bit I've noticed but haven't found in my notes yet is that the alarm status (aka utd status) seems to be stored in eeprom as well. My assumption is if I arm the utd and then disconnect the battery that the doors will lock when I hook it back up.

    Plans are to try tickling the vss input with a tone generator today to see if the vss counter at $7057 / $6b57 increments. After that I might do something completely idiotic and try to zero the odometer triplet and erase the mode5 lockout bit / byte (on the salvage ccm).

    steveo I notice an oddity when trying to read only the eeprom range with flashhack. If I specify module f1 with offset b600 and 200 bytes (all hex) it complains.

    Code:
    ERROR! Some parameters are nonsensical.  Please check your settings in the advanced tab.
    Not a show stopper but would save me a bunch of time dumping memory.
    Last edited by spfautsch; 09-30-2021 at 06:54 PM. Reason: corrected address typos in eeprom map
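A decoder for the odometer record as spfautsch describes it in #92 and #95, added here as an example (not code from the thread). The skip-count and two-contiguous-terminator rules and the quarter-mile reading of $b657 are the thread's theory; simply adding the two values together, and the three-copy consistency check, are assumptions made here.

```python
# Added example, not code from the thread. Encoding rules assumed from
# posts #92 and #95 (the poster's theory, not confirmed documentation):
#   byte 0      = count of erased ($FF) bytes mixed into the data
#   bytes 1..   = big-endian odometer bytes with those $FF bytes skipped
#   terminator  = two contiguous $FF or $00 bytes
#   the stored value lacks its low 4 bits, so miles = value << 4
#   $b657 holds a separate counter in units of 1/4 mile (assumed additive)

# Constructed from the $b600 / $b612 / $b624 / $b657 lines of the map in post #95.
EEPROM_SAMPLE = {
    0xB600: bytes.fromhex("01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00"),
    0xB612: bytes.fromhex("01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00"),
    0xB624: bytes.fromhex("01 2b ff 8d ff ff ff ff 00 00 00 00 00 00 00 00 00 00"),
    0xB657: bytes.fromhex("05"),
}
ODO_COPIES = (0xB600, 0xB612, 0xB624)   # the record appears three times in the dump
QUARTER_MILE_ADDR = 0xB657


def decode_odometer_record(rec: bytes) -> int:
    """Return whole miles encoded in one 18-byte record, or raise if malformed."""
    expected_skips, data, skipped, i = rec[0], bytearray(), 0, 1
    while i < len(rec) - 1:
        b = rec[i]
        if b in (0x00, 0xFF) and rec[i + 1] == b:
            break                        # two contiguous $FF/$00: end of data
        if b == 0xFF:
            skipped += 1                 # erased cell interleaved with the data
        else:
            data.append(b)
        i += 1
    if not data or skipped != expected_skips:
        raise ValueError(f"bad record {rec.hex()}: skips {skipped} != {expected_skips}")
    return int.from_bytes(data, "big") << 4


def odometer_miles(eeprom: dict) -> float:
    """Require the three redundant copies to agree, then add the 1/4-mile byte."""
    values = {decode_odometer_record(eeprom[a]) for a in ODO_COPIES}
    if len(values) != 1:
        raise ValueError(f"odometer copies disagree: {sorted(values)}")
    quarter = eeprom[QUARTER_MILE_ADDR][0] & 0x0F   # thread: 'low 4 bits', 1/4 mi
    return values.pop() + quarter / 4


if __name__ == "__main__":
    print(hex(decode_odometer_record(EEPROM_SAMPLE[0xB600])), odometer_miles(EEPROM_SAMPLE))
```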

  6. #96 Fuel Injected! (Join Date: Mar 2013; Posts: 1,470)
    Don't take the addresses too much, since they might be valid only for 95 ccms. The 94 code is a little bit different and some of the data might be located at other places. There are also different p/ns per year mainly. If it is a 94 ccm it should work with all engines.

    I still have no clue on the eeprom registers. In the disassembly they are used but I can't say what they do and how it is done. Interesting is that in the ee code the vin is written straight without setting any registers. I guess it is unlocked for writing.

  7. #97 Fuel Injected! (Join Date: Jul 2019; Location: Orange, CA; Posts: 757)
    Two things on the analysis.

    First, engine revolutions and miles are not the only factors used for the oil life monitor. Oil temperature also affects the calculation. How this is actually used however is a mystery; is it a multiplier that increases recorded revolutions/miles? Or are particular temperature deltas stored in EEPROM? Not a clue, but the FSM says oil temp is used in the oil life calculation so it's something to consider.

    For the VATS thing, what's likely happening on your salvage CCM is you're actually running into the security lockout. Every time an "incorrect key" is attempted to be used, a timer of 3 minutes starts. Every failed attempt resets this timer. So if you're using the trim pot method, you must wait 5 minutes between attempts. It's easy to forget about this limitation on the bench since you don't have the car's dashboard and relays giving you the feedback you expect.

    EDIT: Also, I forgot, but thanks to user BlackW1dow we have some CCM poll data from the 1992 Corvette. From his idle scan logs, the CCM poll request is the same as the 94-96 (40 57 FF FF 6B), but the ECM response is longer than the 1990-1991 yet shorter than the 1994-1996. An example response from his car is here:

    41 64 01 F3 00 5A 60 01 00 6F 0F D6 83 00 51 FF FF 86

    From this, I assume that the layout is:
    Device MessageLength RPM MAP TPS CTS IAT StatusBit1 StatusBit2 Revs InjectorOn1 InjectorOn2 InjectorScaler VSS OTS ?? ?? Checksum
    Last edited by NomakeWan; 09-28-2021 at 06:48 PM.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)
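Framing check and field split for the two ALDL messages quoted in #97, added here as an example (not code from the thread). The field order is NomakeWan's proposed 1992 layout; the framing rule (length byte = 0x55 plus the bytes following it excluding the checksum, whole frame sums to zero mod 256) is the usual GM ALDL 8192 convention and is an assumption here, though both quoted messages satisfy it.

```python
# Added example, not code from the thread. Framing rule assumed (standard
# GM ALDL 8192 convention, not stated in the post):
#   length byte = 0x55 + number of bytes that follow it, excluding checksum
#   all bytes of a frame sum to 0 modulo 256
CCM_POLL = bytes.fromhex("40 57 FF FF 6B")                      # same on 92 and 94-96
ECM_RESPONSE_1992 = bytes.fromhex(
    "41 64 01 F3 00 5A 60 01 00 6F 0F D6 83 00 51 FF FF 86")   # from BlackW1dow's log

# Proposed 1992 layout from post #97; the two '??' fields are called Unknown here.
LAYOUT_1992 = ("Device", "MessageLength", "RPM", "MAP", "TPS", "CTS", "IAT",
               "StatusBit1", "StatusBit2", "Revs", "InjectorOn1", "InjectorOn2",
               "InjectorScaler", "VSS", "OTS", "Unknown1", "Unknown2", "Checksum")


def aldl_checksum(body: bytes) -> int:
    """Checksum byte that makes the whole frame sum to zero mod 256."""
    return (-sum(body)) & 0xFF


def frame_ok(frame: bytes) -> bool:
    """True if both the length byte and the checksum are consistent."""
    if len(frame) < 3:
        return False
    payload_len = len(frame) - 3                 # minus device, length, checksum
    return frame[1] - 0x55 == payload_len and aldl_checksum(frame[:-1]) == frame[-1]


def parse_1992_response(frame: bytes) -> dict:
    """Map the 18 bytes onto the proposed field names; reject malformed frames."""
    if not frame_ok(frame):
        raise ValueError(f"bad ALDL frame: {frame.hex(' ')}")
    if frame[0] != 0x41 or len(frame) != len(LAYOUT_1992):
        raise ValueError("not an 18-byte device 0x41 response")
    return dict(zip(LAYOUT_1992, frame))


if __name__ == "__main__":
    print("poll ok:", frame_ok(CCM_POLL))
    for name, value in parse_1992_response(ECM_RESPONSE_1992).items():
        print(f"{name:15s} 0x{value:02X}")
```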

  8. #98 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    Quote Originally Posted by NomakeWan:
    First, engine revolutions and miles are not the only factors used for the oil life monitor. Oil temperature also affects the calculation.
    Thanks, that might account for some of that info. I'd forgotten about oil temp being factored in. On the salvage ccm it's almost all zeros, but I also noticed the remaining miles was set to 7500 on it (I haven't messed with resetting it). I suppose this might be a ccm from a legitimate low-miles garage queen. It also has a really small # in the presumed erase counter.

    Quote Originally Posted by NomakeWan:
    what's likely happening on your salvage CCM is you're actually running into the security lockout.
    I've considered that but I've been removing power between attempts and I'm not seeing any changes in the eeprom between attempts so I'm not sure how it would know there was a "penalty period" remaining. I don't have enough switches and buttons to simulate a key-on event on the test bench, but I might attempt it because I'd really like to confirm what vats resistor it wants. It's certainly not 15.

    Edit: Anyone know how to query this thing for vehicle speed via mode1? I can't tell if it thinks it's moving or not.

  9. #99 Fuel Injected! (Join Date: Jul 2019; Location: Orange, CA; Posts: 757)
    Quote Originally Posted by spfautsch:
    Edit: Anyone know how to query this thing for vehicle speed via mode1? I can't tell if it thinks it's moving or not.
    http://gearhead-efi.com/gearhead-efi/def/aldl/A297.DS

  10. #100 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    Thank you! I've been searching for that for days.

    Interesting, the option bits in message 1 look like it might align perfectly with $b6c6 - $b6c7 if bit 2 set = manual, bit 1 clear = LT1.

    I wasn't seeing byte 13 of message 0 change, so I'm going to assume the ccm doesn't think it should record the miles since vats is still active and the engine doesn't appear to be running. Curious how your arduino experiment works out, but I'll just put the seat back in the car and test that way.

    Edit: Interesting stuff, somewhat miffed that I failed to locate it on my own. Will save me dozens of hours of pounding the pavement. Option bits align perfectly with $b6c6-$b6c9. Interesting that there's an option for electronic throttle control, which wasn't available until 1997 model year if my assumption is correct. This info is a gold mine. FX3 and LTPMS option bits which were very rare back in the day, hints on how to enable diagnostic mode. Poof, mind blown. I feel like I've just turned the corner on the home stretch.

    Edit2: The mileage calculation even confirms my odometer conversion thoughts. The odometer data presented in message 0 won't give the least significant 4 bits either.

  11. #101 Fuel Injected! (Join Date: Jul 2019; Location: Orange, CA; Posts: 757)
    Unfortunately my Arduino experiments hit a brick wall. The read function, as always, works perfectly; it correctly detects the CCM poll message and reacts to it accordingly. But the transmit is not working. I built a circuit according to the diagram featured here, though I did have to use three 2N3906 transistors since I didn't have an extra 2N2906 laying around; don't think that's actually important but maybe I'm wrong. Anyway, using this circuit the receive works perfectly fine, but the transmission never reaches the ALDL. I know this because I've wired the Arduino directly into pins 1, 3 and 29 of the Blue connector on the PCM harness and kept my laptop plugged into the ALDL port monitoring idle traffic. There is never any response on the ALDL from my Arduino even though it's clearly seeing the CCM poll and running through its transmission routine. So for now, I'm stumped. I'll try finding a 2N2906 and see if that actually makes a difference.

    Also, as a note, my '94 has FX3. Both my '94 and '95, as you surmised, have C68.

    EDIT: I did a bunch of debugging for my Arduino. The problem must be hardware-related. Since I'm using a Mega 2560 I have several other hardware UARTs to mess with, so I looped TX1 into RX3 and outputted the contents of RX3's buffer to the Arduino IDE Serial Monitor. When plugged into the ALDL, the serial monitor output is exactly the same as the output for the TX part of my code. So my code is correctly identifying the CCM's poll request, and is correctly responding to that request by dumping the 21 bytes of data out the TX pin. Yet for some reason, that transmission is not actually making it onto the ALDL bus.

    Looking again at that website I linked above, his schematic lists 2 2N3906 transistors and 1 2N2906 transistor. Yet his photograph of the system in operation shows 4 2N3906 transistors. A 2N2906 is TO-18, not TO-92 like the 2N3906 transistors (and all 4 transistors in his photograph). So his schematic appears to be incorrect if the photograph he has is indeed a functioning system reading from 8192 ALDL. Great. So back to digging around to see if there's a "correct" way to hook an AVR up to a half-duplex one-wire UART like this.
    Last edited by NomakeWan; 09-29-2021 at 09:35 AM.

  12. #102 steveo, LT1 specialist (Join Date: Aug 2013; Posts: 4,008)
    Quote Originally Posted by spfautsch:
    steveo I notice an oddity when trying to read only the eeprom range with flashhack. If I specify module f1 with offset b600 and 200 bytes (all hex) it complains.
    yeah the way it's written right now is 'memory size' is the total size of the chip and 'memory offset' is just the start of useful data, so what you're actually telling it is the rom is 0x0200 bytes long, but to ignore the first 0xB600 bytes.
    i realize the labelling isn't great. i can definitely add a few more parameters to make stuff better for this project.

  14. #104 spfautsch, Fuel Injected! (Join Date: Apr 2015; Location: Montgomery City, MO; Age: 52; Posts: 883)
    After a couple short drives, it seems like the ccm's code isn't working on the data at $7000. After putting 3.0 miles on mine nothing in this area of ram or eeprom changed, and message 0 was still showing the same eeprom mileage that was off by 1 mile. After disconnecting the battery the 3 miles disappeared.

    It turns out there's some kind of timer (kur4o mentioned this from disassembly) so it only writes to eeprom after a certain amount of run or off time (haven't figured it out completely). On the second drive I stopped after 1.1 miles to talk to a friend and that mileage has been written to $b657. But after sitting in my garage for ~45 minutes it still hasn't written the additional 1.3 miles to eeprom.

    I suspect there's also a traveled miles trigger because I ran across a user over on cf that had battery drain issues and the ccm was crashing after a certain number of miles (which reset the odometer back n miles until the trigger was again reached). This sounds like a bad capacitor on the 12v rail, which is needed for eeprom programming voltage.

    I suspect after a lot of erase cycles the wear leveling logic might move this byte to one of the many adjacent zeroed bytes, but I think eeprom is good for ~1m write / erases so I doubt there are that many of these still in service after that many write cycles.

    Quote Originally Posted by steveo:
    by the way, is the end goal of this to have an XDF that covers the eeprom and we edit it like that ?
    I hadn't thought about that as a possibility. I don't know tunerpro that well but is it possible to write complex conversion routines? The odometer storage methodology is very unique - skipping ff bytes apparently if there's data in byte 1 of the structure. The rest of the option bits and the vats code would be easy to do in an XDF - there really aren't many needed. This way the write tool wouldn't need to know anything about different eeprom options, etc. as I'm sure there are probably different protocols used on older units and possibly different eeprom layouts year to year.

    I've also considered omitting the odometer capability altogether. If it can be done only by editing the bin by hand that will make it discouraging enough that every Y-body Bill isn't pulling his ccm out to roll the miles back.

    Quote Originally Posted by NomakeWan:
    Also, as a note, my '94 has FX3. Both my '94 and '95, as you surmised, have C68.
    I doubt the FX3 controller is connected to the aldl, and it's not connected to the ccm so it's probably an option for other / future platforms. I just found it interesting that they included provisions so early for that, ETC, and the power seat bits - one for driver and passenger. This was probably used later for the driver customization stuff triggered by different keyfobs.

    On your arduino stuff, here's a schematic of what I used on the Volkswagen k-line / obduino. I think it should work for GM 8192 baud also but no guarantees. The transistors you're using are all small signal PNP, but I think the to-18 might be intended for RF / Microwave frequencies so the gain may be different from the to-92 version which is just a general purpose small signal transistor. Edit: If you wanted, I've no plans to re-use this so I'd be happy to throw the components in an envelope and snail-mail them.

  15. #105 Fuel Injected! (Join Date: Jul 2019; Location: Orange, CA; Posts: 757)
    The FX3 controller is not on the bus; it's got a diagnostic pin on pin 3 for flashing codes but that's it. LTPWS, similarly, only has a diagnostic pin for blinking codes and is not actually on the serial bus. I just mention it in case the option is listed in the CCM (since if so, it would be present in the 94 dump but not the 95).

    It appears that K-Line is based around 10V high / 0V low signaling, which I figured from the comparators in your schematic. I appreciate the offer but I'm going to continue doing debugging on my end. If I really run into a wall I'll just post the sketch here and let you all mess with it.