Corvette CCM Reverse Engineering Anyone?

[-=Jeff=-]

F0 is "CCM is requesting the presence of external devices" and is the "heartbeat" call for connecting to a Corvette data bus. The CCM makes this call by itself. If you reply to this F0 call with an F1 call ("External device requesting control of CCM"), that gets you in business.

Looking through this thread again i found that too..

On the Corvette, the only interaction the CCM has with the ECM as far as data goes is a call/response for specific pieces of data. The CCM makes a $40 call, which is a request to the ECM for that specific datagram (on the 90 it is literally just 40 55 6B, which is Datagram-Length-Checksum; on the 92-96 there is also a handshake that we do not fully understand added). If the ECM is online, it accepts this $40 call and responds with $41, which is the datagram containing all the information the CCM wants. It is this $41 call that my code is able to emulate. I detect the incoming call and respond accordingly.

so then if I understand correctly, went the F0 is sent, the ECM is not responding with F1, it just does the 41 response to the 40 from the CCM

My code is designed to work properly on a 1994-1996 CCM the way it was written. If you are using it on a 1992 CCM, please be sure that all the appropriate values have been changed per the instructions in the header. The 1992-1993 CCM uses a shorter response than the 1994-1995 does, but listens for the same handshake. The 90 of course has a shorter handshake it listens for, and a shorter $41 response.

Yes I have it modified, here it is if you would be so kind to double check it

Code:

/* CCM Interaction Test Sketch for Arduino Mega 2560
This sketch pretends to be the PCM for a 1994 to 1995 Chevrolet Corvette.
It listens for the CCM poll request bytes (40 57 XX XX Checksum),
then sends the appropriate diagnostic string upon receipt.
The diagnostic string is idle values except for coolant temp,
which is either static (236F) or variable (based on ADC0 input).

This sketch works on the 1994 to 1995 Corvette. It may work for 1996.

1990-1991 Corvettes use shorter polls (40 55 6B) and have shorter responses.
To use for a 1990-1991 Corvette, change the sliding window to 3 bytes
and just use the following match code without checksum ifs:
((window[0] == 0x40) && (window[1] == 0x55) && (window[2] == 0x6B))
Then comment out the top lines with output[21] and use the ones
with output[15]. If using dynamic CTS, change output[20] in the
last line of code to output[14].

The 1992-1993 Corvettes use the same poll as the 94-96, but their response
is shorter. To use for a 92-93 Corvette, just comment out the top
lines with output[21] and use the ones with output[18]. If using
dynamic CTS, change output[20] in the last line of code to output[17].

This sketch only works on the Arduino Mega 2560 family.
This is because we're using Serial1, UCSR1B, RXEN1, RXCIE1.
If you want to try it on a different board, change these accordingly.
*/

#include <avr/io.h>
#include <wiring_private.h>
#include <FastLED.h>

byte window[5]; //define the 5-byte-wide sliding window
//byte output[21]= {0x41, 0x67, 0x02, 0xF5, 0x00, 0xCD, 0x87, 0x01, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x48, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0x40}; //define the static CTS message
//byte output[21]= {0x41, 0x67, 0x02, 0xF5, 0x00, 0x87, 0x87, 0x01, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x48, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0x86}; //define the dynamic CTS message
byte output[18]= {0x41, 0x64, 0x01, 0xF3, 0x00, 0xCD, 0x60, 0x01, 0x00, 0x6F, 0x0F, 0xD6, 0x83, 0x00, 0x51, 0xFF, 0xFF, 0x13}; //define 1992-1993 Corvette static CTS message
//byte output[18]= {0x41, 0x64, 0x01, 0xF3, 0x00, 0x5A, 0x60, 0x01, 0x00, 0x6F, 0x0F, 0xD6, 0x83, 0x00, 0x51, 0xFF, 0xFF, 0x86}; //define 1992-1993 Corvette dynamic CTS message
//byte output[15]= {0x41, 0x61, 0x00, 0xEC, 0x00, 0xCD, 0x39, 0x01, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x39, 0x45}; //define 1990-1991 Corvette static CTS message
//byte output[15]= {0x41, 0x61, 0x00, 0xEC, 0x00, 0x39, 0x39, 0x01, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x39, 0x12}; //define 1990-1991 Corvette dynamic CTS message

void setup() {
  analogReference(DEFAULT); //Switch to default reference explicitly
  pinMode(A0, INPUT); //Make sure A0 is an input explicitly
  bitSet (DIDR0, ADC0D); //Disable digital buffer on A0
  bitSet (DIDR0, ADC1D); //Disable digital buffer on A1
  bitSet (DIDR0, ADC2D); //Disable digital buffer on A2
  bitSet (DIDR0, ADC3D); //Disable digital buffer on A3
  bitSet (DIDR0, ADC4D); //Disable digital buffer on A4
  bitSet (DIDR0, ADC5D); //Disable digital buffer on A5
  bitSet (DIDR0, ADC6D); //Disable digital buffer on A6
  bitSet (DIDR0, ADC7D); //Disable digital buffer on A7
  bitSet (DIDR1, AIN0D); //Disable digital buffer on AIN0
  bitSet (DIDR1, AIN1D); //Disable digital buffer on AIN1
  bitSet (DIDR2, ADC8D); //Disable digital buffer on A8
  bitSet (DIDR2, ADC9D); //Disable digital buffer on A9
  bitSet (DIDR2, ADC10D); //Disable digital buffer on A10
  bitSet (DIDR2, ADC11D); //Disable digital buffer on A11
  bitSet (DIDR2, ADC12D); //Disable digital buffer on A12
  bitSet (DIDR2, ADC13D); //Disable digital buffer on A13
  bitSet (DIDR2, ADC14D); //Disable digital buffer on A14
  bitSet (DIDR2, ADC15D); //Disable digital buffer on A15
  analogRead(0); //Burn an analog reading on A0
    Serial1.begin(8192); //Open UART1 at 8192 baud
    UBRR1H = (uint8_t)(121>>8); //Switch to 8192 baud at 1x
    UBRR1L = (uint8_t)121; //Switch to 8192 baud at 1x
    cbi(UCSR1A, U2X0); //disable 2x mode
    cbi(UCSR1A, MPCM0); //disable multi-processor mode
    cbi(UCSR1B, TXEN1); //disable transmitter for now
    cbi(UCSR1B, TXCIE1); //disable transmit interrupts for now
    FastPin<18>::setInput(); //tri-state TX1
}

void loop() {
    if (Serial1.available()) {
        // Slide the 5-byte window
        for (uint8_t i = 0; i < 4; i++) {
            window[i] = window[i + 1];
        }
        // Add new bytes as they come in
        window[4] = Serial1.read();

        // Check the first two bytes for a match
        if ((window[0] == 0x40) && (window[1] == 0x57)) {
            // Calculate the checksum byte
            byte cs = 0;
            for (uint8_t i = 0; i < 4; i++) {
                cs += window[i];
            }
            cs = 0xFF - cs;
            cs += 0x01;
            // If checksum byte matches, send diagnostic data
            if (cs == window[4]) {
                cbi(UCSR1B, RXEN1); //disable receiver
                cbi(UCSR1B, RXCIE1); //disable receive interrupts
                window[0] = 0x00; //poison the sliding window
                delay(2); //delay to allow ALDL line to settle
                FastPin<18>::setOutput(); //reenable TX1 as Output
                sbi(UCSR1B, TXEN1); //enable transmitter
                sbi(UCSR1B, TXCIE1); //enable transmit interrupts
                Serial1.write(output, sizeof(output)); //write the PCM diagnostic message
                Serial1.flush(); //wait until transmit completes
                cbi(UCSR1B, TXEN1); //disable transmitter
                cbi(UCSR1B, TXCIE1); //disable transmit interrupts
                FastPin<18>::setInput(); //tri-state TX1
                sbi(UCSR1B, RXEN1); //reenable receiver
                sbi(UCSR1B, RXCIE1); //reenable receive interrupts
            }
        }
    }
    //Read A0 to check status of potentiometer, save to cts byte
    //output[5] = analogRead(0)>>2;
    //Calculate new checksum and save to checksum byte
    byte checksum = 0;
    for (uint8_t i = 0; i < 20; i++) {
      checksum += output[i];
    }
    checksum = 0xFF - checksum;
    checksum += 0x01;
    output[17] = checksum;
}

EDIT.. I think this line is wrong and I missed the modification specifically the 20
for (uint8_t i = 0; i < 20; i++)

it should be:
for (uint8_t i = 0; i < 17; i++)

[NomakeWan]

so then if I understand correctly, went the F0 is sent, the ECM is not responding with F1, it just does the 41 response to the 40 from the CCM

Correct. ECMs do not request the ability to control the CCM. Frankly, when running the engine they're far too busy to be worrying about that. The CCM only needs a few pieces of data from the ECM for use with the digital dash and HVAC, so that's why the $40/$41 calls exist. It's these calls that fail when people do engine swaps or use aftermarket ECUs, which was why I created that code.

EDIT.. I think this line is wrong and I missed the modification specifically the 20
for (uint8_t i = 0; i < 20; i++)

it should be:
for (uint8_t i = 0; i < 17; i++)

Actually it should be entirely commented out. You're using the static message, and that stuff at the bottom is only for the dynamic message (connecting a potentiometer to A0 and outputting the potentiometer value to the Coolant Temp Sensor byte). The static message types already have the correct lengths ready to go.

[-=Jeff=-]

Yeah I though that too ( entire thing) but if if I left it, it would just keep churning the same Checksum over and over. Now if I do change to dynamic, I will re enable it.

for now, I will disable and try it tonight again

[NomakeWan]

Yeah I though that too ( entire thing) but if if I left it, it would just keep churning the same Checksum over and over. Now if I do change to dynamic, I will re enable it.

for now, I will disable and try it tonight again

The checksum is part of the ALDL protocol specification and is merely there so that both ends of the conversation can be sure that the message they just received is not corrupted. It has nothing to do with security or authentication or handshakes.

It is perfectly fine for the checksum to remain the same if the message remains the same. The CCM expects this to be the case. That is the entire point of the static messages I included--they can be used to quickly and easily demo the code to show it working without any extra hardware or wiring.

[-=Jeff=-]

The checksum is part of the ALDL protocol specification and is merely there so that both ends of the conversation can be sure that the message they just received is not corrupted. It has nothing to do with security or authentication or handshakes.

It is perfectly fine for the checksum to remain the same if the message remains the same. The CCM expects this to be the case. That is the entire point of the static messages I included--they can be used to quickly and easily demo the code to show it working without any extra hardware or wiring.

yes understood, but with dynamic, if any value in the message changes the checksum changes.. we are good and on the same page

[NomakeWan]

I have an update!

I was able to run experiments on my '95, and have concluded that the security was likely beefed up after the 90-91 CCM, just as was suspected. While on a 90-91 you may be able to communicate with the CCM without an ECM on the bus or without the right PASSkey available, that is no longer the case on a 92-96. On my vehicle, if the ECM was not on the bus, no F0 messages would be displayed. Additionally, if the incorrect PASSkey was inserted (I just unplugged the harness to test this), no F0 messages would be displayed. This means not only is the CCM looking for the resistance of the key to be correct, but it is also looking for that $40/$41 'handshake' from the ECM to be there and return FF FF as expected.

As such, I apologize for suggesting it's just the sequencing. That may have been true for 1990-1991, but it is no longer the case for 1992-1996.

That being said, it is possible that grounding the reman pin will eliminate the need for these additional security features. I have not removed my CCM from my vehicle, so I have not mucked around with that pin.

[-=Jeff=-]

I got it to work on one of the 1992 CCMs with your Arduino code but not the PASSKey. But no joy on the second one so far

[-=Jeff=-]

I have an UPDATE!!!!!!

NomakeWan, I got your code working (static) it works FANTASTIC!!! Makes the 1992 CCM happy enough to Read the BIN, so I have the other one attached.

I still need to work through the PASSKey, BUT is it confirmed 4 minute wait between times? I have 4 more codes to try. Then I will work through them again..

M6 file has PASSKey
A4 does not yet

[-=Jeff=-]

So I attempted to program one of the CCMs.. I have the jumper connected to the located pad and a ground ( on the connector) and it shows it is still hardware locked. So I am assuming I need to have the PASSKey to be correct?

Edit: I have yet to try the CCM I know the PASSKey for I might try it tonight or continue to work through the PASSKey values on the one that is unknown.

[NomakeWan]

NomakeWan, I got your code working (static) it works FANTASTIC!!! Makes the 1992 CCM happy enough to Read the BIN, so I have the other one attached.

I still need to work through the PASSKey, BUT is it confirmed 4 minute wait between times? I have 4 more codes to try. Then I will work through them again..

M6 file has PASSKey
A4 does not yet

That's awesome! I wonder if 94-96 is the only one that doesn't do F0 messages when PASSkey is wrong. Maybe they enhanced the security in the 92-93 to require the ECM to be on the bus, but kept the ability to talk to it without PASSkey like in the 90-91. But for a fact the F0 messages won't appear on a 94-96 if the CCM is in the PASSkey lockout period.

Yes, the PASSkey lockout period is exactly 4 minutes. If you try using a 'key' any time within that 4 minute period, the timer resets and you have to wait another 4 full minutes. You really do have to try it, stop, wait 4 full minutes, then try again.

[-=Jeff=-]

That's awesome! I wonder if 94-96 is the only one that doesn't do F0 messages when PASSkey is wrong. Maybe they enhanced the security in the 92-93 to require the ECM to be on the bus, but kept the ability to talk to it without PASSkey like in the 90-91. But for a fact the F0 messages won't appear on a 94-96 if the CCM is in the PASSkey lockout period.

Yes, the PASSkey lockout period is exactly 4 minutes. If you try using a 'key' any time within that 4 minute period, the timer resets and you have to wait another 4 full minutes. You really do have to try it, stop, wait 4 full minutes, then try again.

Yep, did that last night on my M6 CCM.. Working through the A4, I have not done a 1990 CCM on the bench that one I did was in my car. I am getting a 1991 CCM this week and I know the 92-93 is the same.

Now If I can just program one of them. The 1992 M6 one (as it sits) I have the code and I might just try that one. the other I still need to find the PASSKey which might allow the HW program.. right now with reman pulled to ground, it still says no

[NomakeWan]

maybe because mine is an 8051 rather than a 1333? are they not interchangable?

I was giving this some thought lately--the difference between the Y-body PCM and the F-body PCM. While code-wise, yes, there's the bit where the F-body is its own bus master...there may be an actual electrical difference as well. Beyond just those OBDII-related chips for the totally superfluous rear O2 sensor, I mean.

On the Y-body CCM, there is a 910 ohm pull-up resistor connected to the 64606 chip; this designates it the bus master electrically. The 1333 PCM and Bosch EBTCM (should) have no pull-up resistor connected to the 64606 chip, as no such resistor is necessary on slave devices using 64606 chips. The CCM has a 'master' pull-up just in case an external device gets connected to the bus that's using a discrete slave pull-up 75kOhm resistor.

But F-body cars have no CCM, yet I would assume here that GM would build in the same 'failsafe' that Corvettes have for ALDL bus robustness. So does the 8051 PCM have a 910 ohm pull-up resistor connected to the 64606 chip?

I'm not saying this would cause a conflict per se; I could only imagine there being an issue if someone connects a discrete slave to the data bus of an F-body that has a 1333 PCM. Or heck, maybe I'm wrong and GM just slapped the 910 ohm resistor on every single computer on the bus for giggles.

steveo, since I think you still have an 8051 open on your bench, could you confirm if there is a 910 ohm resistor connected to the DELCO 64606 chip? In spfautsch's photos of his CCM, the 64606 chip is 'topside' PCB while the 910 ohm resistor is on the 'bottomside' PCB. PCM might be the same way.

[spfautsch]

I was just in my basement dumping a bunch of diy-ltcc and pcm / ccm test bench stuff into a new storage tote and thought about this. Sorry I missed all this activity, email notification works sometimes and other times not. This week not. I'll try to catch up asap.

One item I noticed skimming over the last page is the PASSKey - as (my) memory serves you can dump (ccm) memory but the resistor value is not returned unless the security flag is cleared. So trial-and-error is likely necessary to get one working on a test bench. It sounds like NomakeWan has figured that out by now, but let me know if there's anything I can test.

[-=Jeff=-]

spfautsch,

where did you ground the Reman pin to on the CCM? one of my CCMs when I tried to program said the HW pin was not ready (grounded) I will try another, but that particular one i don't have the PASSKey figured out.. been through all the Keys and it has not gotten detected. I am trying again and letting it wait longer between codes to try

[NomakeWan]

One item I noticed skimming over the last page is the PASSKey - as (my) memory serves you can dump (ccm) memory but the resistor value is not returned unless the security flag is cleared. So trial-and-error is likely necessary to get one working on a test bench. It sounds like NomakeWan has figured that out by now, but let me know if there's anything I can test.

When I tested CCM comms in the car, I unplugged the blue connector from the PCM to remove it from the bus, and then unplugged the ignition PASSkey connector to remove the resistor from the circuit. When I tried to turn the key to run, all I got were the $10 and $40 messages. No F0, so the CCM wasn't accepting my requests for instructions. I added the PCM back to the circuit, and all that did was add $41 messages to the bus. Still no F0. Only once I waited for the security timeout to complete and plugged the PASSkey harness back in did turning the key result in F0 polls being on the bus.

So yes, the documentation I have says that any request for PASSkey locations without the correct resistance value will return $00. But on my '95, I'm not sure how you're supposed to make that request when the CCM is just blasting out $10 and $40 polls and not making any $F0 requests for external devices.