Hiya Folks,
I am curious if any of you have any experience with dumping/programming these. I think the 2019+ have the crazy encryption and have noticed the 2017 Camaro ZL1 came with these so maybe there is a prayer of reading one. I am currently on a nationwide hunt for one in a junkyard. The controllers are reasonable in price new, blank. I'd like to find one already programmed. If anyone has suggestions or if anyone has logged SPS I would be grateful for advise/direction
Thanks for the reply, I think he was dealing with a T87 and not a T87a. I have a 2015 8 spd T87 here and can pretty much do at will whatever on the bench. It appears all of the 10 speeds are T87a. I don't have one here but am eager to have a gander at it is all. I don't need it, just want it If I can talk to it, then maybe I want a trans
They are cheap enough new https://www.rockauto.com/en/catalog/che ... (tcu),8480 and I assume I can sps it on the bench if I have to but not even sure of that. Is it going to want the entire vehicle to be plugged in for sps to work?
The T87A has an internal bootloader which is used for uploading the encrypted calibrations to them. You cannot upload a custom kernel to it either, the device rejects and code uploaded to ram and attempting to execute.
Although this is assuming a non tuned unit. A tuned T87A may be more vulnerable as its had its boot code modified.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Thanks Tazzi,
This is most interesting. I will keep on my quest to get one from the J/Y. Does it seem to you that the OS and calibration data could be used in an earlier T87? Would it even help my quest to trap the sps data during programming? We know the sps uses a compressed/compiled format for the earlier stuff, are we lucky enough that it is the same? The late '18 and up has what appears to do 2 compressions, I am hoping the '17 T87a is a bit more relaxed and is why I am trying to find one compared to trying sps. I would bet sps would convert to a newer strategy....hmmmmm, maybe the gm website would show if they have changed/updated the OS.
Thanks for your time
In-Tech wrote:Thanks Tazzi,
This is most interesting. I will keep on my quest to get one from the J/Y. Does it seem to you that the OS and calibration data could be used in an earlier T87? Would it even help my quest to trap the sps data during programming? We know the sps uses a compressed/compiled format for the earlier stuff, are we lucky enough that it is the same? The late '18 and up has what appears to do 2 compressions, I am hoping the '17 T87a is a bit more relaxed and is why I am trying to find one compared to trying sps. I would bet sps would convert to a newer strategy....hmmmmm, maybe the gm website would show if they have changed/updated the OS.
Thanks for your time
Any T87A is encrypted. When you compare calibrations on these new encrypted style units, you will see blocks of identical data which I am assuming is part of the verification signature. Monitoring the SPS session doesnt do much, since no bootloader/kernel is sent, its uploads the calibrations to ram at specific location and the internal kernel does the rest.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.
Gatecrasher wrote:So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.
Good question, the DMCA is something I am very familiar with being sued for over 15 BILLION dollars at one point. The controller cannot run encrypted, it has to be run in ram unecnrypted. I am hoping if I can suck out of rom.<<<<<<< very may things people call flash things different things these days. It's all just stuff on a chip. Including the maprom which is their mathco, bleh. Of course I am listening to Pink Floyd while I type
If I can talk to it, then maybe I want a trans 
