E92 PCM Reverse Engineering

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

That's great and it looks really powerful. I'm not a great programmer, so the scripts might be really helpful.

How do you know the PCM ID? Obviously it won't respond to messages unless you have the correct ID.

Also, the first example (CAN_unlock_test.txt) has what looks like comments, but I wanted to make sure that was the case. I'm not sure what the syntax is supposed to look like for these files.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

There are two separate module IDs: the CAN request IDs, and the GM-specific diagnostic address. I don't know if there's any right or wrong way to get them. I've put together a list over time from several different sources. I wonder if it'd be worth posting the entire list to a dedicated thread?

The 1-byte addresses are also the 4th byte in the 29-bit low-speed GMLAN message headers. So that makes it super easy to see which module is sending a given message. The 11-bit high-speed GMLAN stuff lacks that helpful hint.

Here's some common ones.

Module name                  / CAN request ID (from tool to module) / CAN response ID (from module) / GM address
Engine control module        / 7E0 / 7E8 / 11
Transmission control module  / 7E2 / 7EA / 18
Fuel pump control module     / 7E3 / 7EB / 13 or 15
Chassis control module       / 7E3 / 7EB / 22
Electric power steering      / 242 / 642 / 31
Body control module          / 241 / 641 / 40
Instrument cluster           / 24C / 64C / 60
Radio                        / 244 / 644 / 80
HMI                          / 252 / 652 / 8F
OnStar                       / 24D / 64D / 97
kur4o
Posts: 950
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

>> ECU 0x31 on HS-CAN (ReqCANId: 0x00000242, RspCANId: 0x00000642)
>> ECU 0x97 on HS-CAN (ReqCANId: 0x0000024D, RspCANId: 0x0000064D)
>> ECU 0x18 on HS-CAN (ReqCANId: 0x000007E2, RspCANId: 0x000007EA) tcm
>> ECU 0x11 on HS-CAN (ReqCANId: 0x000007E0, RspCANId: 0x000007E8) ecm
>> ECU 0x8F on HS-CAN (ReqCANId: 0x00000252, RspCANId: 0x00000652)
>> ECU 0x45 on HS-CAN (ReqCANId: 0x0000025F, RspCANId: 0x0000065F)
>> ECU 0x28 on HS-CAN (ReqCANId: 0x00000243, RspCANId: 0x00000643) abs??
>> ECU 0x40 on HS-CAN (ReqCANId: 0x00000241, RspCANId: 0x00000641) bcm??
I found this chart on the web. Maybe the modules also advertise them with some IDs, but filtering traffic is a nightmare.

The script you are referring to is not using comments, though you can add some with a special character, but I'm not sure what it was.

This part, for example, runs a loop within the script and checks all algos for brute-unlocking the PCM.


loop:768 //here you specify the loop count

getseed:7:algo //this line specifies that you are going to test some algos and convert seed to key. getseed:7 means get the seed from byte 7 of the next response [zero is also counted]; :algo is used as a variable here
00 00 07 E2 02 27 01 FF FF FF FF FF //get seed command
break:7:AA //break the loop if byte 7 of the response is AA
00 00 07 E2 04 27 02 key FF FF FF //send key and get response
variable:algo:0:+1 //here you increase the algo number being tested
00 00 01 01 FE 01 3E //about 10 seconds of delay is introduced here
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000

endloop //the loop ends here

You can also specify a key algo if you know it.
Example:

getseed:5:28 //get seed from byte 5 and convert to key with algo 28
6c 10 f0 27 01
6c 10 f0 27 02 key //send converted key to pcm


There are 3 tables for the algos being used: table 0 is 0-FF, table 1 is 100-1FF and table 2 is 200-2FF.


The other part of the loop is to read all 1A info from the PCM in a loop.

variable:var1:1:80 //here you set variable :var1, :1 byte length, :80 initial value

loop:256 //here you start the loop
00 00 07 E2 02 1A var1 FF FF FF FF FF:100:150 //use the variable here; :100 is the expected response count and :150 is the timeout for listening
variable:var1:1:+1 //here you increase the variable by 1
delay:2000 //insert a 2 second delay before the next command is issued
00 00 01 01 FE 01 3E:0:500 //some idle command; :0 means zero responses are expected and :500 is the timeout for waiting for a response
delay:1000
00 00 01 01 FE 01 3E:0:500
delay:500

endloop //here the loop ends.
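
To make the unlock loop above concrete, here is an added example (not the script, its interpreter, or any PCM code) that plays the 27 01 / 27 02 exchange against a fake module in Python, with both sides' padded frames, so the getseed:7 and break:7:AA offsets can be checked against real bytes. The three ALGOS entries are hypothetical seed-to-key functions standing in for the algo tables, whose contents the thread does not give; the fake module's fixed seed and the 0x7E2/0x7EA IDs are the other assumptions.

```python
"""Simulate the mode 27 seed/key exchange that the script loops over.

Added example; neither the script interpreter nor real PCM code.
Assumptions: ALGOS are hypothetical stand-ins for the real algo tables,
the fake module hands out a fixed seed and accepts exactly one of them,
and it answers on 0x7EA to requests on 0x7E2.  Byte offsets count the
4-byte header as bytes 0..3, exactly as the script does.
"""
REQ_ID, RSP_ID = 0x7E2, 0x7EA      # TCM request/response IDs from the thread

# Hypothetical key algorithms, indexed like the script's :algo variable.
ALGOS = [
    lambda seed: seed ^ 0xFFFF,
    lambda seed: ((seed << 3) | (seed >> 13)) & 0xFFFF,
    lambda seed: (seed + 0x1234) & 0xFFFF,
]


def frame(arb_id: int, payload: bytes, pad: int) -> tuple:
    """Pad to 8 data bytes: the tool pads with FF, the module pads with AA."""
    return arb_id, payload + bytes([pad]) * (8 - len(payload))


def byte_at(arb_id: int, data: bytes, index: int) -> int:
    """Byte N of the raw 12-byte message (header bytes are 0..3)."""
    return (arb_id.to_bytes(4, "big") + data)[index]


class FakeModule:
    """Minimal security-access state machine for one 0x7E2/0x7EA module."""

    def __init__(self, key_fn, seed=0x1A2B):
        self.key_fn, self.seed = key_fn, seed
        self.seed_sent = False
        self.unlocked = False

    def handle(self, arb_id, data):
        if arb_id != REQ_ID:
            return None                                   # not addressed to us
        sid, sub = data[1], data[2]
        if sid != 0x27:
            return frame(RSP_ID, bytes([0x03, 0x7F, sid, 0x11]), 0xAA)   # service not supported
        if sub == 0x01:                                   # requestSeed
            self.seed_sent = True
            return frame(RSP_ID, bytes([0x04, 0x67, 0x01]) + self.seed.to_bytes(2, "big"), 0xAA)
        if sub == 0x02 and self.seed_sent:                # sendKey
            self.seed_sent = False
            if int.from_bytes(data[3:5], "big") == self.key_fn(self.seed):
                self.unlocked = True
                return frame(RSP_ID, bytes([0x02, 0x67, 0x02]), 0xAA)
            return frame(RSP_ID, bytes([0x03, 0x7F, 0x27, 0x35]), 0xAA)   # invalid key
        return frame(RSP_ID, bytes([0x03, 0x7F, 0x27, 0x22]), 0xAA)       # conditions not correct


def brute_unlock(module: FakeModule):
    """Mirror of the script's loop: getseed:7, send key, break:7:AA, next algo."""
    for algo, key_fn in enumerate(ALGOS):
        rsp_id, rsp = module.handle(*frame(REQ_ID, bytes([0x02, 0x27, 0x01]), 0xFF))
        # getseed:7 - byte 7 of "00 00 07 EA 04 67 01 S1 S2 .." is the first seed byte
        seed = (byte_at(rsp_id, rsp, 7) << 8) | byte_at(rsp_id, rsp, 8)
        key = key_fn(seed)
        rsp_id, rsp = module.handle(*frame(REQ_ID, bytes([0x04, 0x27, 0x02]) + key.to_bytes(2, "big"), 0xFF))
        # break:7:AA - a positive 67 02 is only 3 bytes, so byte 7 is already AA padding;
        # a negative 7F 27 35 puts the NRC there instead
        if byte_at(rsp_id, rsp, 7) == 0xAA:
            return algo
        # the script idles here with 01 01 FE 01 3E for ~10 s before the next try
    return None


if __name__ == "__main__":
    m = FakeModule(ALGOS[2])
    print("unlocked with algo", brute_unlock(m), "unlocked =", m.unlocked)
```

The break test works only because the module pads with AA: a positive 67 02 reply is three bytes, so byte 7 of the raw message is padding, while a negative 7F 27 35 reply puts the error code there. Against a real module, remember that a wrong key usually starts a lockout timer, which is why the script spends ten seconds sending tester-present between attempts.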
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: E92 PCM Reverse Engineering

Post by ironduke »

This might be too much info, or not in the right post, lol, but as far as identifying modules, what I do is ping them with a 01 01 fe 02 1a b0 command and then look for responses..
any module that's programmable will respond with their ID, then 5a b0, then their DID (diagnostic identifier)..
so for example an ECM would be 07 e8 03 5a b0 11
07 e8 is the ECU response ID. You'd set up CAN filters to look for this if you're going to start talking to just the ECM..
03 is the number of data bytes.. I generally have CAN formatting turned off all the time, just how I started, so you'll see 03 with CAN formatting turned off.. with it on you don't see the length byte, you just see the data and count how many bytes you got.
5a b0 is just telling you that it's a response to a 1a b0 message.. the ECU adds 0x40 to the first byte of the request and sends it back.. 1a b0 is responded to with 5a b0...
11 is the DID of the ECM.. 0x18 would be TCM and so on..
One part I'm slightly confused about is the request ID..
so.. ECM ID is 07 e8.. to send a direct message to the ECM you'd send 07 e0... say you send a 07 e0 02 27 01.. you're asking for the seed from the ECM.. Well, every other module will ignore that message EXCEPT the ECM..
so ECM tool ID is 07 e0, and response ID is 07 e8.. so my working so far is: for any module where the first byte is a 7, you subtract 8 from the second byte to send a request directly to it..
07 ea is TCM.. so send a message using 07 e2 (0xea - 8 = e2) to send a message directly to the TCM..

Now the confusing part is other modules; radio, BCM, etc. have a 6 as the first byte of the receiving ID.. so
a BCM responds to the 1a b0 command with 06 41 03 5a b0 40. Now I know 0x40 is BCM, that'll be below for your reference.. we also know that the BCM responds to requests with 06 41.. so how do we send a command to just the BCM??
when the 1st byte of the ID is a 6 you subtract 4 from the 1st byte.. so 0x06 - 0x04 = 0x02.. so to talk just to the BCM you need to transmit with an ID of 02 41
as in 02 41 02 27 01 is the seed request command to the BCM..

ok, now for the fun part, below is a small piece of one of my programs, it's pretty self-explanatory but you might want to copy and paste it into a text file for future reference.. Send the 1a b0, see what responds, use the DID and find out what module responded.. Please also note that this can be used to figure out what module each utility file is programming.. neat, right? lol..

Almost forgot about the diagnostic ID.. that is fun too, to talk to the ECM you use 07 e0 and get responses back with 07 e8.. well if you're asking for some things like DTCs then the ECM responds with 05 e8.. in fact I think every module responds to DTC requests with 05 as the first byte.. It's been a while since I've messed with my DTC program so I could be wrong.. anyways.. enjoy.. hopefully I've helped out a little bit and didn't get too much wrong, lol..

// Maps the DID byte (as a hex string, e.g. "11") returned after 5A B0 to a module name.
static string ModuleName(string did)
{
    switch (did)
    {
        case "5": return "Info display Mod";
        case "10": return "PCM";
        case "11": return "ECM";
        case "13": return "FPCM/Chassis";
        case "14": return "Reductant Cont Mod";
        case "15": return "Fuel Pump Driver Mod";
        case "16": return "GPCM";
        case "17": return "Hybrid PIM";
        case "1A": return "TCCM";
        case "18": return "TCM";
        case "19": return "Pwr Take off";
        case "21": return "Adaptive Cruise";
        case "22": return "Chassis Cont Mod";
        case "24": return "VCIM";
        case "25": return "Aux Chassis";
        case "28": return "EBCM";
        case "29": return "Adaptive Cruise";
        case "30": return "PSCM";
        case "31": return "PSCM";
        case "32": return "Rear steering";
        case "34": return "Steering wheel angle";
        case "37": return "RDCM";
        case "38": return "Susp Cont Mod";
        case "39": return "Susp Cont";
        case "40": return "BCM";
        case "43": return "Aux BCM";
        case "44": return "BECM";
        case "45": return "SDGM";
        case "58": return "SDM";
        case "59": return "PPS";
        case "60": return "IPC";
        case "61": return "Info Display Mod";
        case "62": return "Heads up Display";
        case "64": return "Rearview Camera";
        case "65": return "Night Vision";
        case "66": return "Radio/Hvac Conts";
        case "68": return "HVAC Conts";
        case "69": return "Data recorder";
        case "72": return "Headlamp Cont Mod";
        case "73": return "Headlamp H Beam Cont Mod";
        case "74": return "Headlamp Cont Mod";
        case "75": return "Trailer Interface Cont Mod";
        case "80": return "Radio";
        case "81": return "Amplifier";
        case "85": return "Rear Audio Cont Mod";
        case "89": return "XM Mod";
        case "95": return "memory seat interface Mod";
        case "97": return "VCIM"; // 99 HVAC Cont Mod
        case "99": return "HVAC Cont Mod";
        case "0C": return "B195A Nitrogen Oxides Sen 1";
        case "0D": return "B195B Nitrogen Oxides Sen 2";
        case "0E": return "B136 Exh Particulate Matter Sen";
        case "0F": return "M103 Turbo Vane Pos Act";
        case "1B": return "Rear Diff Clutch Cont Mod K16";
        case "1D": return "Generator Cont/Pwr Inverter/Drive";
        case "1E": return "Pwr Inverter/Drive Motor Cont Mod";
        case "1F": return "Auxiliary Trans Fluid Pump";
        case "2A": return "Electronic Brake Cont Mod";
        case "2B": return "Parking Brake Cont Mod";
        case "2C": return "Multi -axis Acceleration Sen Mod";
        case "2D": return "Trailer Brake Cont Mod";
        case "3A": return "Vehicle Level Cont Mod";
        case "3B": return "Air Susp Cont Mod";
        case "5A": return "Rollover Sen Mod";
        case "5B": return "Side Object Sen Mod-Right";
        case "5C": return "Seat Belt Retractor Motor Mod -Left";
        case "5D": return "Pedestrian Impact Detect Mod";
        case "5E": return "Seat Belt Retractor Motor Mod-Right";
        case "6D": return "k157 Video Processing Cont Mod";
        case "6F": return "Chime Alarm Cont Mod";
        case "8D": return "Infotainment Cont";
        case "8E": return "Multimedia Player Interface Mod";
        case "8F": return "Human Machine Interface Mod";
        case "9A": return "Info Display Mod";
        case "9B": return "Auxiliary Heater Cont Mod";
        case "9C": return "Electric A/C Compressor Cont Mod";
        case "9D": return "Coolant Heater Cont Mod";
        case "9F": return "Parking Heater Cont Mod";
        case "A0": return "Driver Door Switch Panel Cont Mod";
        case "A1": return "Pass Door Switch Panel Cont Mod";
        case "A2": return "Door Cont Mod -Left Rear";
        case "A3": return "Door Cont Mod -Right Rear";
        case "A4": return "Liftgate Cont Mod";
        case "A5": return "Liftgate Cont Mod";
        case "A6": return "Seat Mem Cont Mod";
        case "A7": return "Rear Seat Cont Mod";
        case "A8": return "Seat Mem Cont Mod(Driver)";
        case "A9": return "Front Seat Heating Cont Mod";
        case "AA": return "Seat Mem Cont Mod(Pass/Rear)";
        case "AB": return "Pwr Sliding Door Cont Mod";
        case "AC": return "Pwr Sliding Door Cont Mod";
        case "AD": return "Folding Top Cont Mod";
        case "AE": return "Driver Seat Mem Cont Mod";
        case "AF": return "Keyless Entry Cont Mod";
        case "B0": return "Remote Cont Door Lock Receiver";
        case "B1": return "Folding Top Cont Mod";
        case "B2": return "Assist Step Contler";
        case "B8": return "Sunroof Cont Mod";
        case "B9": return "Left Side Object Detect Cont Mod";
        case "BA": return "Right Side Object Detect Cont Mod";
        case "BB": return "Parking Assist Cont Mod";
        case "BC": return "Frontview Camera Mod";
        case "BD": return "Inside Rearview Mirror";
        case "C0": return "Immo/Theft Deterrent Mod";
        case "C1": return "Keyless Entry Cont Mod";
        case "C2": return "Steering Column Lock Cont Mod";
        case "C8": return "DC Charging Cont Mod";
        case "CA": return "Batt Charger Cont Mod";
        case "CB": return "Hybrid Pwrtrain Cont Mod 2";
        case "CC": return "14V Pwr Mod";
        case "CD": return "Batt Energy Cont Mod";
        case "CE": return "Hybrid/ EV Pwrtrain Cont Mod";
        case "CF": return "T6 Pwr Inverter Mod";
        case "D1": return "Frontview Camera Mod";
        case "D2": return "Long Range Radar Sen Mod";
        case "D3": return "Radar Sen Mod -Short Range";
        case "D4": return "Front Object Sen -Left Middle";
        case "D5": return "Front Object Sen -Right Middle";
        case "D6": return "Right Front Short Range Radar Sen Cont";
        case "D7": return "Rear Short Range Radar Sen Mod";
        case "D8": return "Radar Sen Mod -Short Range";
        case "D9": return "Rear Object Sen -Right Middle";
        case "DA": return "Right Rear Short Range Radar Sen Mod";
        case "1C": return "Trans Range Cont Mod";
        default: return "Unknown DID " + did;
    }
}
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Any info like that is appreciated.

I got a successful response from what you said.


[23:54:25.701] [637977596657014566] 00 00 01 01 FE 02 1A B0
[23:54:25.733] [637977596657331542] 00 00 01 01 FE 02 1A B0
[23:54:25.736] [637977596657362134] 00 00 07 E8 03 5A B0 11 AA AA AA AA
kur4o
Posts: 950
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

ironduke,
that is a great info you have gathered. Adding the req/resp Ids to it will be really awesome. I think hacking the CAN communication will be a must for the whole e92 project, and it is definitely not off topic.

I have some IDA disassembly of random E92 files; I will have to dig them out. I looked at some E92A files but they are really hard to do in IDA. The final conclusion is that the E92A is a dual-core CPU: the first CPU is responsible purely for CAN communication and the second CPU runs the engine. The code for the second CPU is offset in the memory range and IDA refuses to disassemble it unless you know the correct range the code resides in within the CPU memory layout.

The CAN part seems to disassemble without issues.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

I don't quite understand the format of the messages. I try to compare to CAN bus documents, but I think it confuses me even more.

If I try to send:


01 01 FE 02 1A B0
Without the leading "00 00" it doesn't work, so obviously it's required, but I'm not sure why.
charlay86
Posts: 584
Joined: Thu Sep 17, 2009 2:00 pm
cars: VT S1 SS (L67)
Location: Perth, WA

Re: E92 PCM Reverse Engineering

Post by charlay86 »

It's been a while since I looked at CAN, but is it using the extended frame format with the 29-bit identifier?
kur4o
Posts: 950
Joined: Sun Apr 10, 2016 9:20 pm

Re: E92 PCM Reverse Engineering

Post by kur4o »

The CAN header is always 4 bytes and the raw message should be 12 bytes long; sometimes you have to fill the messages with FFs for them to work, but not always, not sure why.
The leading 00 00 has to do with 11-bit vs 29-bit CAN.
11-bit is 0-7FF, so the header is 00 00 00 01 - 00 00 07 FF
29-bit is 800-1FFFFFFF, and the header should be 00 00 08 00 - 1F FF FF FF


[10:10:43.703] 10 24 00 40 44 00 0A 01 00 00 10 00 //some idle traffic using all 4 header bytes
[10:10:43.718] 10 6B 80 40 00 00 00 00 00 00 00 00
[10:10:43.718] 10 2C 00 40 39 B7 7D 07 03
[10:10:43.734] 10 2C A0 40 00 00 00 00 36 00 0F 00
[10:10:43.750] 10 26 40 40 00 00 00 00 00 00 00 00
[10:10:43.765] 10 21 00 40 00 00 80 00 00 00 80 00
[10:10:43.765] 10 22 A0 40 00 B0 00 00 00 00 00
[10:27:40.203] 00 00 01 01 FE 01 3E //here no FFs are added and it works
[10:27:40.343] 00 00 01 01 FE 01 3E
[10:27:40.656] 00 00 01 01 FE 01 3E
[10:27:40.968] 00 00 01 01 FE 01 3E
[10:27:41.187] 00 00 07 E0 02 27 01 FF FF FF FF FF //here FFs are added, otherwise it won't work. Usually the tool adds FFs, and the module adds AAs
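
Added example, not code from the thread or the tool: a small Python parser/builder for the 12-byte raw format described above (4-byte big-endian header, then up to 8 data bytes). It classifies 11-bit vs 29-bit by the header value, pulls the sender's GMLAN address out of the low header byte of 29-bit frames (Gatecrasher's "4th byte" earlier in the thread), strips FF/AA padding using the length byte, and pads outgoing requests with FF as the tool does. Treating 0x101 frames as functional requests carrying FE before the length byte is an assumption; the sample lines are the ones quoted above.

```python
"""Parse and build the 12-byte raw messages the tool logs: a 4-byte
big-endian CAN header followed by up to 8 data bytes.

Added example, not code from the thread.  Assumptions: the header is the
arbitration ID as a 32-bit big-endian integer (00 00 07 E0 = 0x7E0); IDs up
to 0x7FF are 11-bit standard frames and larger IDs are 29-bit extended
frames; the low header byte of a 29-bit frame is the sending module's GMLAN
address; requests on 0x101 carry the functional address FE before the
length byte.  FF/AA tails are treated as padding only where a length byte
says so.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    arb_id: int
    extended: bool     # True for 29-bit identifiers
    data: bytes        # 0..8 data bytes as captured, padding included


def parse_raw(line: str) -> Frame:
    """Parse one captured line such as '00 00 07 E0 02 27 01 FF FF FF FF FF'."""
    raw = bytes.fromhex(line)
    if not 4 <= len(raw) <= 12:
        raise ValueError(f"expected 4..12 bytes, got {len(raw)}: {line!r}")
    arb_id = int.from_bytes(raw[:4], "big")
    if arb_id > 0x1FFFFFFF:
        raise ValueError(f"{arb_id:#x} does not fit in 29 bits")
    return Frame(arb_id, arb_id > 0x7FF, raw[4:])


def source_address(frame: Frame):
    """GMLAN address of the sender; only recoverable from 29-bit headers."""
    return frame.arb_id & 0xFF if frame.extended else None


def diag_payload(frame: Frame) -> bytes:
    """Strip padding using the single-frame length byte; pass other frames through."""
    d = frame.data
    if frame.arb_id == 0x101 and len(d) >= 2 and d[0] == 0xFE:   # functional request (assumed)
        d = d[1:]
    if d and d[0] <= 7 and d[0] < len(d):
        return d[1:1 + d[0]]
    return d


def build_raw(arb_id: int, payload: bytes, pad: int = 0xFF) -> str:
    """Build a tool-format line: header plus payload padded to 8 bytes (tool pads FF)."""
    if not 0 <= arb_id <= 0x1FFFFFFF or len(payload) > 8:
        raise ValueError("bad id or payload length")
    data = payload + bytes([pad]) * (8 - len(payload))
    return (arb_id.to_bytes(4, "big") + data).hex(" ").upper()


# Constructed sample, taken from the lines quoted above: 29-bit idle traffic
# from address 0x40, then the 11-bit tester-present and the seed request.
SAMPLE_LINES = [
    "10 24 00 40 44 00 0A 01 00 00 10 00",
    "00 00 01 01 FE 01 3E",
    "00 00 07 E0 02 27 01 FF FF FF FF FF",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_raw(line)
        print(f"{f.arb_id:08X} {'29-bit' if f.extended else '11-bit'} "
              f"src={source_address(f)} payload={diag_payload(f).hex(' ')}")
```

The 0x10240040 idle frame parses as 29-bit with source address 0x40 (the BCM in the tables above), while 0x101 and 0x7E0 parse as 11-bit with no address in the header, which is exactly the distinction Gatecrasher drew between low-speed and high-speed GMLAN traffic.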

bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Thanks, that helps. I guess I was thinking the 11-bit header meant it would only be 2 bytes, but I guess for consistency always having 4 bytes makes sense.