Thread: Corvette CCM Reverse Engineering Anyone?

  1. #1
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,056
    That looks totally normal, and in fact the ECM response is right there.
    In Steveo's log there is something wrong with that, it doesn't follow the earlier discovered patterns. Maybe the pcm-ccm communication is stuck at that theft loop and until finished there will be no broadcasting.
    you're right, i see the ecm responding, but if the CCM saw the ECM's reply as okay, wouldn't it begin sending the usual F0 56 xx [checksum] where xx is the current id of the bus master?

    if certain CCM configurations won't work with certain ECM configurations, i'd definitely like to understand what's going on there, otherwise people using this software to help with CCM replacement might not have much luck

    Maybe the pcm-ccm communication is stuck at that theft loop
    theft loop ?

  2. #2
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,478
    I suspect theft communication is critical and before it got initialized ccm won't go over normal communication mode and will loop the pcm till handshake is good. Also at reset or ign on if modules are powered at different time it might be an issue.

    spfautsch points at the start of the thread that the ccm polls change from 0000 to xxxx to ffff and then works as normal.

    Actually that poll is some seed to pcm and pcm will return key at 41 response word_1983

  3. #3
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by kur4o View Post
    I suspect theft communication is critical and before it got initialized ccm won't go over normal communication mode and will loop the pcm till handshake is good. Also at reset or ign on if modules are powered at different time it might be an issue.

    spfautsch points at the start of the thread that the ccm polls change from 0000 to xxxx to ffff and then works as normal.

    Actually that poll is some seed to pcm and pcm will return key at 41 response word_1983
    This looks like a winner and exactly what I would need to know if I were to make a middleman to drive the dash. If it's a call-response key exchange, then I'd need to be able to respond accordingly. Great work so far, looking forward to more updates!

    I agree that it looks like an anti-theft loop. The lack of F0 polls is typical for when the CCM is in key-off-engine-off mode. It only starts polling for a scan tool with F0 polls once in a key-on state. As spfautsch stated, this is likely more complex a dance than just applying +12V to all the +V pins. It will likely need to be done as if this were a real car in-place, including the VATS resistor (and key switch!) and having Battery12V be on before Ignition12V.

    This could also explain why EEHack and other scan tools get a bunch of "junk" data if the VATS resistor isn't reading correctly at key on; the CCM isn't doing F0 polls, so you're shouting into the void and getting whatever data back just happens to be on the line rather than what you're actually asking for.
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)
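
Added example (not code from the thread or from EEHack): a capture triage that checksum-validates frames and reports whether any F0 polls are present, so bytes picked up while the CCM is not polling can be rejected as junk instead of being read as replies. The framing (length byte 0x55 plus payload length, two's-complement checksum), the function names and the sample bytes are assumptions.

```python
# Added example, not code from the thread. Assumed framing:
# [id][0x55 + payload length][payload...][checksum], with every byte of the
# frame, checksum included, summing to 0 modulo 256.
POLL_ID = 0xF0    # first byte of the "F0 56 xx [checksum]" poll quoted above
LEN_BASE = 0x55   # assumption: length byte = 0x55 + number of payload bytes

# Constructed captures (0xF4 as the bus-master id is a made-up value).
KEY_ON = bytes.fromhex("007af056f4c6f056f4c6")   # line noise, then two polls
STUCK = bytes.fromhex("00001337ff")              # line noise only


def checksum(body: bytes) -> int:
    """Two's-complement checksum over id, length and payload."""
    return (-sum(body)) & 0xFF


def split_frames(stream: bytes):
    """Return (frames, junk): checksum-valid frames and count of skipped bytes."""
    frames, junk, i = [], 0, 0
    while i < len(stream):
        if i + 1 < len(stream) and stream[i + 1] >= LEN_BASE:
            end = i + 2 + (stream[i + 1] - LEN_BASE)   # index of checksum byte
            if end < len(stream) and checksum(stream[i:end]) == stream[end]:
                frames.append(stream[i:end + 1])
                i = end + 1
                continue
        junk += 1   # not a valid frame start: slide one byte and resync
        i += 1
    return frames, junk


def bus_masters(frames):
    """Bus-master ids announced by F0 polls, in the order seen."""
    return [f[2] for f in frames if f[0] == POLL_ID and f[1] == LEN_BASE + 1]


def triage(stream: bytes) -> str:
    """Summarise whether the capture shows the CCM polling for a scan tool."""
    frames, junk = split_frames(stream)
    polls = bus_masters(frames)
    if polls:
        return f"polling: {len(polls)} F0 polls, {junk} junk bytes"
    return f"no F0 polls: {len(frames)} valid frames, {junk} junk bytes"


if __name__ == "__main__":
    print(triage(KEY_ON))
    print(triage(STUCK))
```
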

  4. #4
    Fuel Injected!
    Join Date
    Mar 2013
    Posts
    1,478
    Some initial theory how it works.

    Pcm responds for 2 seconds with 0000 at reset. Maybe some time for initialization.

    Ccm sends seed to pcm.
    Pcm processes seed and converts to key. Responds with some random timer data.
    ccm sends key
    pcm matches precalculated key with ccm key. If all good pcm sends FFFF.

    I think if the pcm responds with ffff, that might fool that all is good. Anyway it is the pcm that needs to start the engine. CCM doesn't care much.

    Steveo you can give it a try with some fake pcm responses.

  5. #5
    Fuel Injected!
    Join Date
    Jul 2019
    Location
    Orange, CA
    Posts
    757
    Quote Originally Posted by kur4o View Post
    Some initial theory how it works.

    Pcm responds for 2 seconds with 0000 at reset. Maybe some time for initialization.

    Ccm sends seed to pcm.
    Pcm processes seed and converts to key. Responds with some random timer data.
    ccm sends key
    pcm matches precalculated key with ccm key. If all good pcm sends FFFF.

    I think if the pcm responds with ffff, that might fool that all is good. Anyway it is the pcm that needs to start the engine. CCM doesn't care much.

    Steveo you can give it a try with some fake pcm responses.
    I wanted to bring this post back to say that it's precisely correct. I was looking through my FSM while analyzing a totally separate system and stumbled onto this description of the FEDS security system buried in one of the chapters:

    feds1.jpg feds2.jpg

    So it would appear that the "FFFF" response from the PCM side is "...a message noting that FEDS has been successfully completed is sent to the CCM."
    1990 Corvette (Manual)
    1994 Corvette (Automatic)
    1995 Corvette (Manual)
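
Added example (not code from the thread): a log check that labels the phases of the sequence quoted above (0000 at reset, a seed/key exchange, then FFFF) and reports where a bench capture stalled. It assumes the 16-bit PCM reply words have already been extracted from the capture with timestamps; the names, the sample logs and the 2.5 s margin on the 2-second init window are assumptions.

```python
# Added example, not code from the thread. Input is assumed to be
# (seconds, word) pairs: the 16-bit word the PCM returned at each CCM poll,
# already extracted from a capture.
INIT, EXCHANGE, DONE = "init (0000)", "seed/key exchange", "complete (FFFF)"

# Constructed logs; the non-0000/FFFF words are made-up values.
GOOD = [(0.0, 0x0000), (1.0, 0x0000), (2.0, 0x0000),
        (2.1, 0x3A7C), (2.2, 0x91E4), (2.3, 0xFFFF), (2.4, 0xFFFF)]
LOOPING = [(0.0, 0x0000), (2.0, 0x0000), (2.1, 0x3A7C), (2.2, 0x5510),
           (2.3, 0x3A7C), (2.4, 0x5510)]


def phase_of(word: int) -> str:
    if word == 0x0000:
        return INIT
    return DONE if word == 0xFFFF else EXCHANGE


def timeline(samples):
    """Collapse samples into runs of (phase, first_seen_s, last_seen_s)."""
    runs = []
    for t, word in samples:
        phase = phase_of(word)
        if runs and runs[-1][0] == phase:
            runs[-1] = (phase, runs[-1][1], t)
        else:
            runs.append((phase, t, t))
    return runs


def verdict(samples, init_limit_s=2.5):
    """Report where the handshake ended; init_limit_s is an assumed margin."""
    runs = timeline(samples)
    if not runs:
        return "no PCM replies captured"
    last, start, end = runs[-1]
    if last == DONE:
        return "handshake complete"
    if last == EXCHANGE:
        return "stuck in exchange: no FFFF seen"
    if end - start > init_limit_s:
        return "stuck in init: PCM still answering 0000"
    return "still initialising"
```

A capture that simply ends mid-exchange gets the same "stuck in exchange" verdict, so log long enough to cover the whole key-on sequence.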

  6. #6
    Fuel Injected! -=Jeff=-'s Avatar
    Join Date
    Jun 2013
    Location
    Chicago Suburbs
    Age
    51
    Posts
    222
    That is a good find!!

    As for my project, it has been on hold due to weather and other things I needed to address on the car. I have a logger setup like spfautsch (hardware) but in the interim I will be using a variation of what NomakeWAN had done. I just need to wire it in and find a good spot to get 12v for the Mega. This will get me the Digital Coolant Display I am after. Long term I like the idea of logging data if the logger version spfautsch has proves out. I should be able to mess with that over the summer while the car is out.
    -=Jeff=-
    1990 Corvette ZR-1
    Black/Red Interior

  7. #7
    Fuel Injected! -=Jeff=-'s Avatar
    Join Date
    Jun 2013
    Location
    Chicago Suburbs
    Age
    51
    Posts
    222
    I think this is still CCM related..

    First, I was looking to do the Arduino Datalogger that spfautsch has, but I was going to tweak it for my car. Well that is still a plan, just not right now. I want to play with it a bit and get it working then I will implement it in the car, hopefully.

    That said, I kept my Arduino DUE/Screen in the car and added some basic stuff on an Arduino, based on NomakeWan's previous CCM simulator. I changed it around to read the data off the ALDL and then send it to my DUE. Now the serial communication to the DUE is 115.2K baud, I could probably go faster, but I am bottlenecked at 8192 either way. That seemed to work, I used a bidirectional level shifter to interface between the MEGA and DUE. Now I got it working but oddly enough the info I got from NomakeWan showed some details of converting the temperatures.. the data sheet shows that 1 count = .75 degrees C. So with that and the 0-255 converts to -40 to 151. I did the formulas and tested in my car, but the temperature read wrong, then I did Celsius (counts * .75), still wrong. Oddly enough the correct conversion was Count = Degrees F (or within a degree). Still scratching my head on that one, but here is a link to a quick YouTube with the correct temps and my pressing the throttle (key on engine off).

    I confirmed the temps on the display with my IR temp gun on the coolant ports near my temperature sensors. This will work for me this summer..


    https://youtu.be/PecCOdT0dl4
    -=Jeff=-
    1990 Corvette ZR-1
    Black/Red Interior

  8. #8
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    53
    Posts
    883
    Try asking for mode 1 message 0 - byte 1 is vats status:

    Code:
     1     0-2  UNIVERSAL THEFT DETERRENT STATE
                    0 = PASSIVE
                    1 = ACTIVE
                    2 = DOORS ARMED
                    3 = DOORS AND HATCH ARMED
                    4 = ALARM
                    5 = ALARM TIMED OUT
    Or on my bench I connected an LED to the security pin on C6. If it's lit solid with switched 12v on you've triggered vats. If so you'll need to remove the switched power (IGN) and leave it powered up on unswitched battery until the penalty period times out. That could be as long as 12-15 minutes. Double-check the vats resistor connections also.

    You may have to trick it into passing vats by simulating a key-in, then applying power to E4. < Edit!

    Another possibility is that it wants to see the left door switch triggered before key-on. I wonder if there's some mechanism involving word_1983 that changes the vats requirements. I know it worked on the test bench without any of the key-in or door open trickery, but that was after it had already passed vats while connected to my test bench PCM with said trickery.

  9. #9
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,056
    ok i get it. powering the whole rig up at once might not be good enough. i'll go ahead and put a switch on IGN and play with it until it works.

  10. #10
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    53
    Posts
    883
    Sorry for all the difficulties - I sent some extra connectors on pigtails but in hindsight I should have also sent you an LED for the security lamp output.

    Another possibility - if the alarm has been triggered you'll need to disarm it by grounding D15. It's also stored in eeprom so you can't turn it off by removing power.

  11. #11
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,056
    no no, i'm glad i'm approaching this blindly, i'll have to write documentation for how it works so these failures are invaluable.

    i'll rig up an led.

    so the vats resistor, is that done in hardware? if you replace the ccm, you need to change all your keys too? that sucks

  12. #12
    Fuel Injected! spfautsch's Avatar
    Join Date
    Apr 2015
    Location
    Montgomery City, MO
    Age
    53
    Posts
    883
    The vats resistor is stored in eeprom

    Code:
    $b6a2: 0f aa 55 = vats resistor code (15) (aa 55 = tolerance ???)
    I'm not sure what the aa and 55 bytes are but 0f is the resistor code. These are some of the locations that return 00 with mode 2 or 3 if vats is active. The values are easy to find - I reprogrammed that unit for code 11 (0x0b) which is 4.75k ohm. I also had it programmed for 15 when I had it in the car and put the 44 miles on it.

    The led just needs a 1k limiting resistor to +12v - the CCM output switches to ground.

  13. #13
    LT1 specialist steveo's Avatar
    Join Date
    Aug 2013
    Posts
    4,056
    this thing is funny. i will have to try some more tests. i had IGN disconnected and grounded D15, and it woke up and started trying to talk to the ECM again (but same security issue). the 'security light' never lights, i have a continuity tester with a buzzer hooked up. still ends up in the same communication state
