E92 PCM Reverse Engineering

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

User and password are at the top of the page. useriot / download. I think it's just a way to make sure people actually visit their page.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

The login is at the top of the webpage.

I'm not sure how much I trust that pinout. I'm seeing a lot of different information with respect to pinouts.

Attached is what I've found via an online resource from my local library.

Edit: I also found this post on another forum (2014 L83 5.3 Direct Injection E92 ECM Pin Outs).

2016 Silverado 1500 4.3L V6
2016 Silverado 4.3L V6 Wiring Diagram.jpg
2018 Silverado 1500 5.3L V8
2018 Silverado 5.3L V8 Wiring Diagram.jpg
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

The pin numbers in the PDF are wrong, but the terminal assignments match up with the AllData diagrams for my Corvette, and the diagrams you linked.

I was more focused on the internal bootmode jumpers.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

Ok, yeah. It seems interesting that they are soldered and not on a switch or something. It would be quite difficult to determine what they connect to. I have yet to try removing the main CPU, but I'm sure I will try when I get a chance.

I imagine one would only want to resort to that if the PCM they have is in a very bad state.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

There's actually two VINs in the parameter block. Three, if you count the one that only has the last 8 characters. There's some memory and calibration flags that might allow rewriting one or both in the right circumstances, but I haven't figured out exactly how it all works yet.

The MEC looks like a dead end though. I've only found one place that allows writing it, and you can only do that if it's not already zero.

void Mode3B_A0_MEC(uint *MEC_New_Value)

{
  if (EE_MEC != 0) {
    EE_WriteValues(&EE_MEC,(uint)*(byte *)MEC_New_Value);
    return;
  }
  Mode1A3B_PassFailFlag = 0;
  return;
}
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: E92 PCM Reverse Engineering

Post by ironduke »

Gatecrasher wrote:There's actually two VINs in the parameter block. Three, if you count the one that only has the last 8 characters. There's some memory and calibration flags that might allow rewriting one or both in the right circumstances, but I haven't figured out exactly how it all works yet.

The MEC looks like a dead end though. I've only found one place that allows writing it, and you can only do that if it's not already zero.

void Mode3B_A0_MEC(uint *MEC_New_Value)

{
  if (EE_MEC != 0) {
    EE_WriteValues(&EE_MEC,(uint)*(byte *)MEC_New_Value);
    return;
  }
  Mode1A3B_PassFailFlag = 0;
  return;
}

This might be a dumb question.. Is this in the OS? or the boot code?? OS we could write to change that..
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

It's in the OS. It seems like it would be an easy fix. Just NOP the branch statement at 324b04 so it always runs the write procedure.

        00324afc 89 8d 85 22     lbz        r12,-0x7ade(r13)=>EE_MEC                         = ??
        00324b00 2c 0c 00 00     cmpwi      r12,0x0
        00324b04 41 82 00 10     beq        LAB_00324b14
        00324b08 88 83 00 00     lbz        r4,0x0(MEC_New_Value)
        00324b0c 38 6d 85 22     subi       MEC_New_Value=>EE_MEC,r13,0x7ade                 = ??
        00324b10 4b fd fd 24     b          EE_WriteValues                                   undefined EE_WriteValues(undefin
                             -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
                             LAB_00324b14                                    XREF[1]:     00324b04(j)  
        00324b14 39 80 00 00     li         r12,0x0
        00324b18 99 8e b6 d5     stb        r12,-0x492b(r14)=>Mode1A3B_PassFailFlag          = ??
        00324b1c 4e 80 00 20     blr

But if you're talking about custom flashes, couldn't you just write the parameter blocks with whatever VIN you want?
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: E92 PCM Reverse Engineering

Post by bubba2533 »

What is MEC? I missed that in your first post about security access.
ironduke
Posts: 583
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: E92 PCM Reverse Engineering

Post by ironduke »

Gatecrasher wrote:It's in the OS. It seems like it would be an easy fix. Just NOP the branch statement at 324b04 so it always runs the write procedure.

        00324afc 89 8d 85 22     lbz        r12,-0x7ade(r13)=>EE_MEC                         = ??
        00324b00 2c 0c 00 00     cmpwi      r12,0x0
        00324b04 41 82 00 10     beq        LAB_00324b14
        00324b08 88 83 00 00     lbz        r4,0x0(MEC_New_Value)
        00324b0c 38 6d 85 22     subi       MEC_New_Value=>EE_MEC,r13,0x7ade                 = ??
        00324b10 4b fd fd 24     b          EE_WriteValues                                   undefined EE_WriteValues(undefin
                             -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
                             LAB_00324b14                                    XREF[1]:     00324b04(j)  
        00324b14 39 80 00 00     li         r12,0x0
        00324b18 99 8e b6 d5     stb        r12,-0x492b(r14)=>Mode1A3B_PassFailFlag          = ??
        00324b1c 4e 80 00 20     blr

But if you're talking about custom flashes, couldn't you just write the parameter blocks with whatever VIN you want?

If you write your own write kernel it would be pretty easy I'd guess?? I play around with sps kernels and with that I can only write the OS and calibration files.. I can use 3b to write the vin, shop ID, and programming date. Can't always write the vin for some reason though. I did a little playing around with brute forcing the immo to unlock the ecu to put in another vehicle a while back too.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: E92 PCM Reverse Engineering

Post by Gatecrasher »

bubba2533 wrote:What is MEC? I missed that in your first post about security access.
Manufacturer's Enable Counter. It's a sort of security mechanism used at the assembly plant. If the MEC is anything other than zero, a lot of secure functions are automatically unlocked. Stuff like VIN writing. One of the last programming steps when the car leaves the assembly line is to set the MEC to zero and arm all the module security functions. There's also a fail safe that the MEC decrements by one on each ignition cycle. So even if it escapes the plant with a non-zero value, the MEC should decrement itself to zero after no more than 255 ignition cycles.

The GM spec says it should never be possible to reset the MEC with normal service commands, but that's obviously bullshit since some of their own SPS procedures mess with it. I've got a 2016 BCM where I can set it to anything I want using a normal mode 3B write. There was another module I came across where I could rewrite it, but I can't remember what it is. HMI maybe?

It sounds like they started clamping down on that after 2017 when they realized cybersecurity was a real thing they should take seriously.
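
A small C model of the MEC behaviour described in the posts above, added here as an illustration and not taken from any post or from the firmware. The `pcm_model` struct and all `model_*` names are hypothetical; only the write guard follows the posted `Mode3B_A0_MEC` decompilation, and the decrement rule follows the description of the ignition-cycle fail-safe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not firmware code. All model_* names are hypothetical. */
typedef struct {
    uint8_t mec; /* Manufacturer's Enable Counter, one byte (0..255) */
} pcm_model;

/* Same guard as the posted Mode3B_A0_MEC: accept a write only while MEC != 0. */
bool model_mec_write(pcm_model *p, uint8_t new_value) {
    if (p->mec != 0) {
        p->mec = new_value;
        return true;
    }
    return false; /* rejected; the real handler clears Mode1A3B_PassFailFlag */
}

/* Fail-safe from the thread: decrement once per ignition cycle, stop at zero. */
void model_ignition_cycle(pcm_model *p) {
    if (p->mec > 0) p->mec--;
}

/* Secure functions such as VIN writing are unlocked while MEC is non-zero. */
bool model_secure_unlocked(const pcm_model *p) {
    return p->mec != 0;
}

/* Ignition cycles needed before the module locks, starting from start_mec. */
unsigned model_cycles_until_locked(uint8_t start_mec) {
    pcm_model p = { start_mec };
    unsigned cycles = 0;
    while (model_secure_unlocked(&p)) {
        model_ignition_cycle(&p);
        cycles++;
    }
    return cycles;
}

int main(void) {
    pcm_model p = { 3 };                 /* constructed starting value */
    printf("worst case: %u cycles\n", model_cycles_until_locked(255));
    printf("end-of-line write of 0 accepted: %d\n", model_mec_write(&p, 0));
    printf("later write of 5 accepted: %d, MEC=%u\n",
           model_mec_write(&p, 5), (unsigned)p.mec);
    return 0;
}
```

In this model the counter is a one-way latch: once it reaches zero, through the end-of-line write or through decay, the guarded handler no longer accepts a new value.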