E92 PCM Reverse Engineering
- Gatecrasher
- Posts: 272
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
User and password are at the top of the page. useriot / download. I think it's just a way to make sure people actually visit their page.
Re: E92 PCM Reverse Engineering
The login is at the top of the webpage.
I'm not sure how much I trust that pinout. I'm seeing a lot of different information with respect to pinouts.
Attached is what I've found via an online resource from my local library.
Edit: I also found this post on another forum (2014 L83 5.3 Direct Injection E92 ECM Pin Outs).
2016 Silverado 1500 4.3L V6 2018 Silverado 1500 5.3L V8
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
- Gatecrasher
- Posts: 272
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
The pin numbers in the PDF are wrong, but the terminal assignments match up with the AllData diagrams for my Corvette, and the diagrams you linked.
I was more focused on the internal bootmode jumpers.
Re: E92 PCM Reverse Engineering
Ok, yeah. It seems interesting that they are soldered and not on a switch or something. It would be quite difficult to determine what they connect to. I have yet to try removing the main CPU, but I'm sure I will try when I get a chance.
I imagine one would only want to resort to that if the PCM they have is in a very bad state.
- Gatecrasher
- Posts: 272
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
There's actually two VINs in the parameter block. Three, if you count the one that only has the last 8 characters. There's some memory and calibration flags that might allow rewriting one or both in the right circumstances, but I haven't figured out exactly how it all works yet.
The MEC looks like a dead end though. I've only found one place that allows writing it, and you can only do that if it's not already zero.
Code:
void Mode3B_A0_MEC(uint *MEC_New_Value)
{
    if (EE_MEC != 0) {
        EE_WriteValues(&EE_MEC,(uint)*(byte *)MEC_New_Value);
        return;
    }
    Mode1A3B_PassFailFlag = 0;
    return;
}
-
- Posts: 583
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailys..
Re: E92 PCM Reverse Engineering
Gatecrasher wrote:
There's actually two VINs in the parameter block. Three, if you count the one that only has the last 8 characters. There's some memory and calibration flags that might allow rewriting one or both in the right circumstances, but I haven't figured out exactly how it all works yet.
The MEC looks like a dead end though. I've only found one place that allows writing it, and you can only do that if it's not already zero.
Code:
void Mode3B_A0_MEC(uint *MEC_New_Value)
{
    if (EE_MEC != 0) {
        EE_WriteValues(&EE_MEC,(uint)*(byte *)MEC_New_Value);
        return;
    }
    Mode1A3B_PassFailFlag = 0;
    return;
}
This might be a dumb question.. Is this in the OS? or the boot code?? OS we could write to change that..
- Gatecrasher
- Posts: 272
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
It's in the OS. It seems like it would be an easy fix. Just NOP the branch statement at 324b04 so it always runs the write procedure.
But if you're talking about custom flashes, couldn't you just write the parameter blocks with whatever VIN you want?
Code:
00324afc 89 8d 85 22    lbz    r12,-0x7ade(r13)=>EE_MEC = ??
00324b00 2c 0c 00 00    cmpwi  r12,0x0
00324b04 41 82 00 10    beq    LAB_00324b14
00324b08 88 83 00 00    lbz    r4,0x0(MEC_New_Value)
00324b0c 38 6d 85 22    subi   MEC_New_Value=>EE_MEC,r13,0x7ade = ??
00324b10 4b fd fd 24    b      EE_WriteValues undefined EE_WriteValues(undefin
-- Flow Override: CALL_RETURN (CALL_TERMINATOR)
LAB_00324b14 XREF[1]: 00324b04(j)
00324b14 39 80 00 00    li     r12,0x0
00324b18 99 8e b6 d5    stb    r12,-0x492b(r14)=>Mode1A3B_PassFailFlag = ??
00324b1c 4e 80 00 20    blr
Re: E92 PCM Reverse Engineering
What is MEC? I missed that in your first post about security access.
-
- Posts: 583
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailys..
Re: E92 PCM Reverse Engineering
Gatecrasher wrote:
It's in the OS. It seems like it would be an easy fix. Just NOP the branch statement at 324b04 so it always runs the write procedure.
But if you're talking about custom flashes, couldn't you just write the parameter blocks with whatever VIN you want?
Code:
00324afc 89 8d 85 22    lbz    r12,-0x7ade(r13)=>EE_MEC = ??
00324b00 2c 0c 00 00    cmpwi  r12,0x0
00324b04 41 82 00 10    beq    LAB_00324b14
00324b08 88 83 00 00    lbz    r4,0x0(MEC_New_Value)
00324b0c 38 6d 85 22    subi   MEC_New_Value=>EE_MEC,r13,0x7ade = ??
00324b10 4b fd fd 24    b      EE_WriteValues undefined EE_WriteValues(undefin
-- Flow Override: CALL_RETURN (CALL_TERMINATOR)
LAB_00324b14 XREF[1]: 00324b04(j)
00324b14 39 80 00 00    li     r12,0x0
00324b18 99 8e b6 d5    stb    r12,-0x492b(r14)=>Mode1A3B_PassFailFlag = ??
00324b1c 4e 80 00 20    blr
If you write your own write kernel it would be pretty easy I'd guess?? I play around with SPS kernels and with that I can only write the OS and calibration files.. I can use 3b to write the VIN, shop ID, and programming date. Can't always write the VIN for some reason though. I did a little playing around with brute forcing the immo to unlock the ECU to put in another vehicle a while back too.
- Gatecrasher
- Posts: 272
- Joined: Sat Apr 25, 2020 6:09 am
Re: E92 PCM Reverse Engineering
bubba2533 wrote: What is MEC? I missed that in your first post about security access.
Manufacturer's Enable Counter. It's a sort of security mechanism used at the assembly plant. If the MEC is anything other than zero, a lot of secure functions are automatically unlocked. Stuff like VIN writing. One of the last programming steps when the car leaves the assembly line is to set the MEC to zero and arm all the module security functions. There's also a fail safe that the MEC decrements by one on each ignition cycle. So even if it escapes the plant with a non-zero value, the MEC should decrement itself to zero after no more than 255 ignition cycles.
The GM spec says it should never be possible to reset the MEC with normal service commands, but that's obviously bullshit since some of their own SPS procedures mess with it. I've got a 2016 BCM where I can set it to anything I want using a normal mode 3B write. There was another module I came across where I could rewrite it, but I can't remember what it is. HMI maybe?
It sounds like they started clamping down on that after 2017 when they realized cybersecurity was a real thing they should take seriously.
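Added example, not part of any post in this thread and not GM code: a small host-side C model of the MEC behaviour described above (non-zero means unlocked, one decrement per ignition cycle, and the write gate from the decompiled Mode3B_A0_MEC), next to a stricter gate that only lets the counter move toward zero. The struct, the function names, the initial pass/fail value of 1 and the stricter gate itself are assumptions made for illustration.

```c
/* Added illustration: host-side model of the MEC gate, not firmware code. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint8_t mec;       /* models EE_MEC (one byte) */
    uint8_t pass_fail; /* models Mode1A3B_PassFailFlag; 1 = no failure yet (assumed) */
} ecu_model;

/* Secure functions such as VIN writing are open while the MEC is non-zero. */
static int secure_unlocked(const ecu_model *e) { return e->mec != 0; }

/* Fail-safe from the thread: one decrement per ignition cycle. */
static void ignition_cycle(ecu_model *e) { if (e->mec) e->mec--; }

/* Same gate as the decompiled Mode3B_A0_MEC: any byte is accepted while the
 * stored MEC is non-zero; once it is zero the request is failed. */
static void write_mec_as_decompiled(ecu_model *e, uint8_t v)
{
    if (e->mec != 0) { e->mec = v; return; }
    e->pass_fail = 0;
}

/* Hypothetical stricter gate (an assumption, not GM code): a service write
 * may only move the counter toward zero. */
static void write_mec_monotonic(ecu_model *e, uint8_t v)
{
    if (e->mec != 0 && v < e->mec) { e->mec = v; return; }
    e->pass_fail = 0;
}

/* Ignition cycles until the model locks itself (takes a copy). */
static unsigned cycles_until_locked(ecu_model e)
{
    unsigned n = 0;
    while (secure_unlocked(&e)) { ignition_cycle(&e); n++; }
    return n;
}

int main(void)
{
    ecu_model a = { 1, 1 }, b = { 1, 1 }, c = { 0, 1 };
    write_mec_as_decompiled(&a, 0xFF); /* accepted: counter back at 255 */
    write_mec_monotonic(&b, 0xFF);     /* refused: would raise the counter */
    write_mec_as_decompiled(&c, 0xFF); /* refused: MEC already zero */
    printf("cycles to lock: %u %u %u\n", cycles_until_locked(a),
           cycles_until_locked(b), cycles_until_locked(c));
    return 0;
}
```

In the model, the as-decompiled gate lets a module that is one ignition cycle from locking be put back to the full 255-cycle window, while the monotonic gate leaves it at one cycle and records a failure.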