T87a 10 speed Trans controller

[In-Tech Profile]

Hiya Folks,
I am curious if any of you have any experience with dumping/programming these. I think the 2019+ have the crazy encryption and have noticed the 2017 Camaro ZL1 came with these so maybe there is a prayer of reading one. I am currently on a nationwide hunt for one in a junkyard. The controllers are reasonable in price new, blank. I'd like to find one already programmed. If anyone has suggestions or if anyone has logged SPS I would be grateful for advise/direction

[VX L67 Getrag Profile Website]

There was this thread & he was testing a couple, but they were T87 & not the later T87a so probably not helpful...

viewtopic.php?f=28&t=7089&p=105237&hilit=t87#p105237

[In-Tech Profile]

Thanks for the reply, I think he was dealing with a T87 and not a T87a. I have a 2015 8 spd T87 here and can pretty much do at will whatever on the bench. It appears all of the 10 speeds are T87a. I don't have one here but am eager to have a gander at it is all. I don't need it, just want it If I can talk to it, then maybe I want a trans
They are cheap enough new https://www.rockauto.com/en/catalog/chevrolet,2017,camaro,6.2l+v8+supercharged,3434300,transmission-automatic,automatic+transmission+control+unit+(tcu),8480 and I assume I can sps it on the bench if I have to but not even sure of that. Is it going to want the entire vehicle to be plugged in for sps to work?

[Tazzi]

I played around with this recently.

The T87A has an internal bootloader which is used for uploading the encrypted calibrations to them. You cannot upload a custom kernel to it either, the device rejects and code uploaded to ram and attempting to execute.

Although this is assuming a non tuned unit. A tuned T87A may be more vulnerable as its had its boot code modified.

[In-Tech Profile]

Thanks Tazzi,
This is most interesting. I will keep on my quest to get one from the J/Y. Does it seem to you that the OS and calibration data could be used in an earlier T87? Would it even help my quest to trap the sps data during programming? We know the sps uses a compressed/compiled format for the earlier stuff, are we lucky enough that it is the same? The late '18 and up has what appears to do 2 compressions, I am hoping the '17 T87a is a bit more relaxed and is why I am trying to find one compared to trying sps. I would bet sps would convert to a newer strategy....hmmmmm, maybe the gm website would show if they have changed/updated the OS.
Thanks for your time

[Tazzi]

Thanks Tazzi,
This is most interesting. I will keep on my quest to get one from the J/Y. Does it seem to you that the OS and calibration data could be used in an earlier T87? Would it even help my quest to trap the sps data during programming? We know the sps uses a compressed/compiled format for the earlier stuff, are we lucky enough that it is the same? The late '18 and up has what appears to do 2 compressions, I am hoping the '17 T87a is a bit more relaxed and is why I am trying to find one compared to trying sps. I would bet sps would convert to a newer strategy....hmmmmm, maybe the gm website would show if they have changed/updated the OS.
Thanks for your time

Any T87A is encrypted. When you compare calibrations on these new encrypted style units, you will see blocks of identical data which I am assuming is part of the verification signature. Monitoring the SPS session doesnt do much, since no bootloader/kernel is sent, its uploads the calibrations to ram at specific location and the internal kernel does the rest.

[In-Tech Profile]

Hiya Tazzi,
Thanks for the reply. Do you think I am at a point where I should just try a BDM dump approach? What would your move be?

As soon as I youtubed some videos of these trans, I want one. Of course I want to have full control though

[Gatecrasher Profile]

So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.

[In-Tech Profile]

So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.

Good question, the DMCA is something I am very familiar with being sued for over 15 BILLION dollars at one point. The controller cannot run encrypted, it has to be run in ram unecnrypted. I am hoping if I can suck out of rom.<<<<<<< very may things people call flash things different things these days. It's all just stuff on a chip. Including the maprom which is their mathco, bleh. Of course I am listening to Pink Floyd while I type

[In-Tech Profile]

Sorry, I guess my goal is like HpTuners...... to be able to take a perfect OS and put into a similar controller without the gm protection.