generally mode 5 enables mode 6, and mode 6 is where you can write a code segment to ram and execute it.
I think there is an execute command too, but it might be tied to mode 5. It is a little different than the ee pcm, but still hackable. What will be much harder is to create a custom subroutine that is uploaded and writes data to the eeprom. Some stuff is available for programming but I guess the more sensitive stuff is omitted.
The software address of the override pin is to be located at $644b bit $02. It should be set so you can enter mode6. I think mode 5 unlocks the ccm so you can enter mode 6. Still not quite clear.
Also the ccm seems to respond differently to F0 and F1 functional addresses. F0 is general communication and F1 is for special functions.
It will be great to get some sniff data from T2 logs of some of the more interesting stuff, such as options, VIN queries and device control.
Correct. F0 is for when the CCM polls the ALDL for an external device (such as a Tech 2). If there is no response to the F0 poll, nothing happens, the CCM continues to operate as normal. But if that poll is answered by an F1 command, then it executes whatever that command is before returning to normal operation. The CCM sends this F0 poll once per second.
1990 Corvette (Manual)
1994 Corvette (Automatic)
1995 Corvette (Manual)
good find, kur4o. we can trace that back and find the pin for sure - just dump that address with eehack and fiddle pins until it flips the bit.
i'm certain that GM wouldn't let you run mode 6 commands without a mode 5 unlock first unless that hardware pin was grounded, so obviously you'd need to unlock the CCM with software during 'initial low mileage' state and that must be done with a mode 5 request. if it was just a hardware pin unlock they wouldn't bother putting that low mileage code in at all
Interesting; why is it 40 57 0000 69? According to my documents this poll should only be 3 bytes, 40 55 6B. Where are the extra two bytes of 00 coming from?
Last edited by NomakeWan; 09-18-2021 at 07:58 PM.
It could simply be an impedance mismatch on the serial line causing noisy comms. All I know is it's working in the car only when the PCM has power. Also, aren't the uveprom based ECMs all 160 baud? Is it possibly trying to talk to an LT5 ECM? Just a WAG.
I've been digging through the processor datasheet looking for port register addresses. I think the key in switch pin may be a good point of reference because it triggers a wake interrupt. I'll try tracing it back.
Only the pre-90 ECMs supported 160 baud. In 1990 with the introduction of the CCM, they all moved to 8192 baud (and went from Pin E on the ALDL connector to Pin M for good measure).
Also, figured out the weirdness with your poll. Your poll does make sense since the checksum is different. But both my documentation and an idle scan from a guy on Corvette Forums show the idle poll to be 40 55 6B instead. However, my documentation is from 1989 when the CCM was first introduced, and that user had a 1990 Corvette.
I went back and looked at a log that steveo had me take of idle traffic on one of my cars, and got 40 57 FF FF 6B as my CCM poll. I'm not sure which of my two cars this was since I didn't make a note of it.
I did however take other logs that were marked. My '94 showed the following polls:
94 Key Off: 40570C025B
94 Key On Engine Off: 4057FFFF6B
94 Key On Engine On: 4057FFFF6B
All very interesting. It would appear GM added two bits at some point after 1990. I wonder what the difference in poll is between key off and key on?
Last edited by NomakeWan; 09-18-2021 at 08:00 PM.
Some y-body idle traffic.
F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
[F0 56 F1 C9]
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
[F0 56 F1 C9]
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E
40 57 FF FF 6B
41 67 02 F2 00 4F 4E 01 00 46 1A C3 88 00 42 FF FF 00 A0 A0 9B
10 59 08 4F 02 00 3E 40 57 FF
41
67
02 rpm
F2 ad map
00 tps
4F coolant
4E mat
01 options 1
00 options 2
46
1A
C3
88 inj flow rate
00 mph
42 oil temp
FF tcnt
FF tcnt
00 ad trans temp
A0
A0
9B
10
59
08 option byte
4F coolant
02 rpm
00 mph
3E
You can try to fake the pcm sending some of the above replies, then shut the bus by sending an f1 mode 8 message.
I am looking for a sniff of a y-body t2 session which never worked since t2 tries to shut the ccm. I want to trace the command sent.
kur4o brings up a good point; the other problem is that my documentation from '89 that covers the '90 model lists $41 as being 61 for length, while our 94~95 cars are 67. So there's clearly more data in the regular poll response than before, and that brings up the excellent question of what all that extra data is. Rats.
As for idle data, here's key-on-engine-off data you can inject if you want to pretend to be the PCM and respond to 4057FFFF6B:
416702F6006F580100782010880052FFFF5AA0A07E
EDIT: And thanks to kur4o's above post, here's the layout for that poll response. I'm only missing the definitions for four sections ("tcnt?" and the two "A0" bytes), and of course the breakdown of what all the bits in the two Status/Option bytes represent.
41 ECM to CCM Poll Response
67 Message Length
02 RPM (45 RPM appears to be as low as it goes on $EE)
F6 MAP
00 TPS
6F CTS
58 IAT
01 Status Byte 1
00 Status Byte 2?
78 Engine Revolutions
20 Injector On Time (Byte 1)
10 Injector On Time (Byte 2)
88 Injector Scaler
00 VSS
52 Oil Temp
FF ?
FF ?
5A Auto Trans Temp
A0 ?
A0 ?
7E Checksum
Last edited by NomakeWan; 09-18-2021 at 08:26 PM.
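For reading sniffed logs like the ones in this thread, here is an added example (not code from any poster or from eehack) that splits a raw byte stream into frames, checks each checksum, and labels the $41 response using the layout posted above. The framing rules are assumptions inferred from the frames quoted in the thread: total frame size is the length byte minus 0x52, and all bytes including the checksum sum to zero modulo 256.

```python
# Constructed sample: three frames quoted in the thread, concatenated as one sniffed stream.
SAMPLE = bytes.fromhex(
    "4057FFFF6B"
    "416702F6006F580100782010880052FFFF5AA0A07E"
    "1059084F02003E"
)

# Field names for the $41 response payload, taken from the layout posted above.
FIELDS_41 = ["RPM", "MAP", "TPS", "CTS", "IAT", "Status Byte 1", "Status Byte 2?",
             "Engine Revolutions", "Injector On Time (Byte 1)", "Injector On Time (Byte 2)",
             "Injector Scaler", "VSS", "Oil Temp", "?", "?", "Auto Trans Temp", "?", "?"]

LEN_BASE = 0x52  # assumption inferred from the logs: frame size = length byte - 0x52


def checksum_ok(frame: bytes) -> bool:
    """All bytes, including the trailing checksum, must sum to 0 modulo 256."""
    return sum(frame) & 0xFF == 0


def split_frames(stream: bytes):
    """Yield (offset, frame) for each well-formed frame; resync byte by byte on noise."""
    i = 0
    while i + 3 <= len(stream):
        total = stream[i + 1] - LEN_BASE
        frame = stream[i:i + total]
        if total >= 3 and len(frame) == total and checksum_ok(frame):
            yield i, frame
            i += total
        else:
            i += 1  # truncated or corrupted data: slide one byte and try again


def decode_41(frame: bytes) -> dict:
    """Label the payload bytes of a $41 poll response (raw values, no scaling)."""
    if frame[0] != 0x41 or len(frame) != len(FIELDS_41) + 3:
        raise ValueError("not a 21-byte $41 response")
    out = {}
    # Keys carry the byte position so the unnamed '?' fields stay distinct.
    for pos, (name, value) in enumerate(zip(FIELDS_41, frame[2:-1])):
        out[f"{pos + 2:02d} {name}"] = value
    return out


if __name__ == "__main__":
    for offset, frame in split_frames(SAMPLE):
        print(offset, frame.hex(" ").upper())
```

A log that ends mid-frame, like the last line of the idle traffic above, simply drops the incomplete tail instead of raising.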