Corvette CCM Reverse Engineering Anyone?

[kur4o]

Found that eeprom is located at b600 $200 bytes long. At reset the values from eeprom are copied to ram at $7000. Than at some point some of the values are again copied to regular ram area.6000-7000.

There is also some other small area 0-ff used as ram. It is also utilized when mode 5 is entered[used as stack].

Found 2 subroutines in the communication stuff that writes values to eeprom. Too complex yet to figure. Maybe some submode of somthing since are labeled as mode2 and mode3, maybe it is a submode of something else.

spfautsch,
When you have time, you can play with custom send messages through eehack raw commands.
You can poll the ccm with all modes and submodes, looking for response, negative answers and so on.

Do you have the p/n of ccms. I found that each year uses different p/n. On the 95 files you dumped with NomakeWan, there is only 2 byte difference at 8000. maybe this contains options or something like that. Will be really interested to see what is stored on the eprom.

[spfautsch]

I'm working on trying to get the board to function on the test bench so I can do this without going back and forth to the garage. Once I have that figured out I'll start trying some aldl messages.

I don't have all the equipment with me to test that so I'm working on mapping the ADC pins on the processor. It appears there's an unused analog input on E8 / AN6. The components aren't populated so it isn't actually connected to E8 but the pads and traces are there for it to be.

I can't tell for sure but it appears there's a voltage sense circuit on both AN0 and AN7. One heads towards the power supply section and the other receives power from rail side of the fuel level sense resistor. I'll have to dig into this with the board powered up to figure out which is which. One might be for battery voltage and the other for the 5v rail / brown out detection.

The rest are accounted for as such:

E7 - IP Dimmer - AN3
E9 - Fuel level - AN2
E10 - Ambient light sensor - AN5
E11 - DIC buttons - AN1
E12 - PASS resistor - AN4

Part # on the ones I have is 16223622. The other pn RockAuto has a cross reference for is 16230561.

[NomakeWan]

Found that eeprom is located at b600 $200 bytes long. At reset the values from eeprom are copied to ram at $7000. Than at some point some of the values are again copied to regular ram area.6000-7000.

There is also some other small area 0-ff used as ram. It is also utilized when mode 5 is entered[used as stack].

Found 2 subroutines in the communication stuff that writes values to eeprom. Too complex yet to figure. Maybe some submode of somthing since are labeled as mode2 and mode3, maybe it is a submode of something else.

spfautsch,
When you have time, you can play with custom send messages through eehack raw commands.
You can poll the ccm with all modes and submodes, looking for response, negative answers and so on.

Do you have the p/n of ccms. I found that each year uses different p/n. On the 95 files you dumped with NomakeWan, there is only 2 byte difference at 8000. maybe this contains options or something like that. Will be really interested to see what is stored on the eprom.

My '94 is an automatic with auto climate control. My '95 (the one that I did the new dump for) is a manual with auto climate control. I hooked my Tech 2 up to the '95 and it did display the transmission type as one of the CCM options, so that should be at least part of it.

I can't get a dump of the 94 right this second because it's in storage. As soon as I get a chance I'll get you a second dump, since yes, it's accumulated mileage since the first dump as well.

[steveo]

good stuff guys, keep it coming.

we could definitely get some core info on the available data in the eeprom region by comparing different dumps from different cars.

i would assume they are programmed using gm code that is uploaded to ram just like the 8051 is programmed so we would definitely have to find that pin to renable it. once that's found we likely wouldn't need a full comms loop like the 8051 since we aren't reprogramming the main rom, we could likely get it in one shot.

it's possible we could steal some code from $EE to help. we'd need to look at the routines that comms mode 12 calls which sets the VIN and calibration ID in the processor's eeprom. it's likely that we could just change the addressing and figure out how to overwrite whatever we want.

[spfautsch]

The test bench keeps getting more involved. Seems like the CCM is spamming the aldl in a loop trying to query the ECM / PCM for configuration info at startup. As such it won't respond to the hush command so eehack / flashhack can talk to it. According to the FSM it does this until DTC 41 - loss of aldl comms is set. I tested in-car by pulling both PCM fuses and get the same thing as on the bench. This is what eehack sees when I run an idle scan and wake the module by giving it 12 volts on E4.

Code:

START IDLE SCAN LOG
::: GAP4796ms
4796ms to 4806ms (10ms) :: 10590000
::: GAP9ms
4815ms to 4823ms (8ms) :: 00009797
::: GAP4ms
4827ms to 4838ms (11ms) :: 4057000069
::: GAP168ms
5006ms to 5014ms (8ms) :: 10590000000097
::: GAP21ms
5035ms to 5046ms (11ms) :: 4057000069
::: GAP151ms
5197ms to 5208ms (11ms) :: 10590000
::: GAP4ms
5212ms to 5222ms (10ms) :: 00009797
::: GAP4ms
5226ms to 5238ms (12ms) :: 4057000069
::: GAP164ms
5402ms to 5414ms (12ms) :: 10590000000097
::: GAP21ms
5435ms to 5446ms (11ms) :: 4057000069
::: GAP150ms
5596ms to 5607ms (11ms) :: 10590000
::: GAP5ms
5612ms to 5622ms (10ms) :: 00009797
::: GAP4ms
5626ms to 5638ms (12ms) :: 4057000069
::: GAP167ms
5805ms to 5814ms (9ms) :: 10590000000097
::: GAP21ms
5835ms to 5846ms (11ms) :: 4057000069
::: GAP150ms
5996ms to 6007ms (11ms) :: 10590000
::: GAP5ms
6012ms to 6022ms (10ms) :: 00009797
::: GAP4ms
6026ms to 6038ms (12ms) :: 4057000069
::: GAP164ms
6202ms to 6214ms (12ms) :: 10590000000097
::: GAP21ms
6235ms to 6246ms (11ms) :: 4057000069
::: GAP149ms
6395ms to 6406ms (11ms) :: 10590000
::: GAP4ms
6410ms to 6422ms (12ms) :: 00009797
::: GAP4ms
6426ms to 6437ms (11ms) :: 4057000069
::: GAP166ms
6603ms to 6614ms (11ms) :: 10590000000097
::: GAP21ms
6635ms to 6646ms (11ms) :: 4057000069
::: GAP150ms
6796ms to 6806ms (10ms) :: 10590000
::: GAP4ms
6810ms to 6822ms (12ms) :: 00009797
::: GAP4ms
6826ms to 6837ms (11ms) :: 4057000069
::: GAP167ms
7004ms to 7014ms (10ms) :: 10590000000097
::: GAP20ms
7034ms to 7046ms (12ms) :: 4057000069
::: GAP149ms
7195ms to 7205ms (10ms) :: 10590000
::: GAP5ms
7210ms to 7221ms (11ms) :: 00009797
::: GAP4ms
7225ms to 7237ms (12ms) :: 4057000069
::: GAP167ms
7404ms to 7414ms (10ms) :: 10590000000097
::: GAP20ms
7434ms to 7446ms (12ms) :: 4057000069
::: GAP148ms
7594ms to 7605ms (11ms) :: 10590000
::: GAP5ms
7610ms to 7621ms (11ms) :: 00009797
::: GAP4ms
7625ms to 7637ms (12ms) :: 4057000069
::: GAP167ms
7804ms to 7813ms (9ms) :: 10590000000097
::: GAP21ms
7834ms to 7845ms (11ms) :: 4057000069
::: GAP151ms
7996ms to 8006ms (10ms) :: 10590000
::: GAP4ms
8010ms to 8021ms (11ms) :: 00009797
::: GAP4ms
8025ms to 8037ms (12ms) :: 4057000069
::: GAP168ms
8205ms to 8213ms (8ms) :: 10590000000097
::: GAP21ms
8234ms to 8246ms (12ms) :: 4057000069
::: GAP151ms
8397ms to 8405ms (8ms) :: 10590000
::: GAP4ms
8409ms to 8421ms (12ms) :: 00009797
::: GAP5ms
8426ms to 8437ms (11ms) :: 4057000069
::: GAP168ms
8605ms to 8613ms (8ms) :: 10590000000097
::: GAP21ms
8634ms to 8646ms (12ms) :: 4057000069
::: GAP150ms
8796ms to 8805ms (9ms) :: 10590000
::: GAP4ms
8809ms to 8821ms (12ms) :: 00009797
::: GAP4ms
8825ms to 8837ms (12ms) :: 4057000069
::: GAP168ms
9005ms to 9013ms (8ms) :: 10590000000097
::: GAP21ms
9034ms to 9046ms (12ms) :: 4057000069
::: GAP150ms
9196ms to 9205ms (9ms) :: 10590000
::: GAP4ms
9209ms to 9221ms (12ms) :: 00009797
::: GAP4ms
9225ms to 9237ms (12ms) :: 4057000069
::: GAP164ms
9401ms to 9413ms (12ms) :: 10590000000097
::: GAP21ms
9434ms to 9446ms (12ms) :: 4057000069
::: GAP150ms
9596ms to 9605ms (9ms) :: 10590000
::: GAP4ms
9609ms to 9621ms (12ms) :: 00009797
FINISH IDLE SCAN LOG

Can't seem to get it to set DTC 41 on the test bench so I'm going to try to rig up a couple additional connectors so I can get my spare PCM in the loop and hopefully shut it up.

Apparently there are two separate voltage sensing circuits. From the FSM book 1 part 2, section 8D page 7:

01 - fuel level (gallons)
02 - IP dimmer value (adc counts)
03 - ambient light sensor (adc counts)
04 - rear defogger timer (seconds)
05 - vehicle speed (mph)
06 - PASS key (adc counts)
07 - ignition voltage (volts, tenths)
08 - switched battery voltage (volts, tenths)
09 - cluster lamp dimming (pwm)
10 - cluster lcd backlight dimming (pwm)
11 - radio & climate control backlight dimming (pwm)
12 - led dimming (pwm)
13 - vehicle configuration
14 - vehicle configuration
15 - oil monitor effective revolutions
16 - ccm software version

[-=Jeff=-]

Here are some CCM p/n:
1990 - 16146688 or 16138909
1991 - 16155502
1992 - 16193458, 88999216, 16159188, 16159191
1993 - 16193458, 88999216, 16159188, 16159191

[cruiserbrett]

I read through a lot of this thread during the last two days and wanted to compliment the efforts! Awesome. I love the efforts to map so much of the functions D50FB5E1-3F5A-4A40-8A5A-1A824C38234C.jpgof the CCM, and I don’t even have a corvette. I wish I had 1/50th the skill set here-I want to make the ‘8708 run Two injector tbi, but just can’t figure out how to map registers.

I don’t have much to add to this thread, but if the green 32 pin connector needed is 12089591, I have a yellow version.

Happy to send out a few to anyone in need to further this effort.

[-=Jeff=-]

NomakeWan,

I used your demo code you posted, I think it worked but not sure, however I was able to capture a bin from one of the 1992 CCMs. I have worked through about 5 PASSKey codes but no luck yet. Reason I say I am not sure the demo code worked for me is that my cluster was still showing a SYS on the LCD. but the BIN Dump is Legit. I just need to figure out the PASSKey.

I used the picture found in this thread showing how to connect the diode and resistor, which looked to be a 1K. so I think it was correct.

next plan is to add another Port and grab the RX to see the data. EDIT = this will use the 94-95 xdf. the 90-91 is different

[NomakeWan]

NomakeWan,

I used your demo code you posted, I think it worked but not sure, however I was able to capture a bin from one of the 1992 CCMs. I have worked through about 5 PASSKey codes but no luck yet. Reason I say I am not sure the demo code worked for me is that my cluster was still showing a SYS on the LCD. but the BIN Dump is Legit. I just need to figure out the PASSKey.

Your dash showed SYS because you have TONS of other componentry that the CCM expects to be there which just plain isn't. If you were to jump the service connector to read codes, you'd find the CCM codes would be all things like "HVAC LED CIRCUIT OPEN" and "PHOTODIODE CIRCUIT OPEN" and things like that.

The way to know if it worked is just to look at the raw data on the bus while it's idle. If you see bus messages starting with F0, then you're active. The fact that you were able to dump the BIN suggests that was the case.

EDIT: CCM does have a code for "PASSkey invalid key detected," so that'll throw SYS as well.