unlocked E41( and t87a) swapping to another vehicle

Bosch Motronic etc ECUs and PCMs
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

gmtech825, I just noticed you mentioned sniffing pin 1 and looking for immo data. The ECM isn't connected to pin 1; you were likely looking at data between the BCM and the immo module?
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

ironduke wrote:gmtech825, I just noticed you mentioned sniffing pin 1 and looking for immo data. The ECM isn't connected to pin 1; you were likely looking at data between the BCM and the immo module?
This was logging a running vehicle on pin 1. If I'm understanding how 29-bit CAN frames work, the send address was 40, which would mean the BCM was sending the message.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

gmtech825 wrote:
ironduke wrote:gmtech825, I just noticed you mentioned sniffing pin 1 and looking for immo data. The ECM isn't connected to pin 1; you were likely looking at data between the BCM and the immo module?
This was logging a running vehicle on pin 1. If I'm understanding how 29-bit CAN frames work, the send address was 40, which would mean the BCM was sending the message.
May very well be the BCM sending the message, but it wasn't sending it to the ECM, since the ECM isn't on pin 1. Just not sure if you're aware of that? This is new ground for me and I'm just trying to help. The immo module on pin 1 can't talk to the ECM directly; it has to pass through the BCM. Now how that happens I have no idea.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

Yeah, I'm aware of that. I'm looking at low speed network data only because the DBC data that defines the immo stuff... Unfortunately I wasn't able to find any immo DBC information for the high speed network, but I was hoping to be able to apply what I learn with low speed to the high speed network.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Tazzi »

Just went over the open DBC format, and the examples I read were not very well documented; the byte/bit offset allocation is not very clear.

Anyways, it does indicate the immo data should be on message 2150367232 (0x8039 4000).
Now, my issue here: this number is larger than the 29-bit frame limit of 0x1F FF FF FF, so I'm not very sure where it thinks it's getting this ID.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

Tazzi wrote:Just went over the open DBC format, and the examples I read were not very well documented; the byte/bit offset allocation is not very clear.

Anyways, it does indicate the immo data should be on message 2150367232 (0x8039 4000).
Now, my issue here: this number is larger than the 29-bit frame limit of 0x1F FF FF FF, so I'm not very sure where it thinks it's getting this ID.
I agree it's a little tough to figure out. There is a mask applied to that value, I think. Playing around with this doc https://docs.google.com/spreadsheets/d/ ... 1331420379 shows that 2150367232 is actually 2c0000... Now where it gets interesting is: if that shows the CAN ID will be 2c0000, what actually shows up in my logs is 102c00XX (XX being the module ID; in my case it is 40). I've verified that by checking an ID I can verify: the VIN.

Also want to add that for an Acadia I think I found the high speed bus immo ID is 160. Logging the same vehicle I found data 64b9767013, which almost matches that 102c00 ID on the low speed bus (64b9767003).

For a Silverado I didn't capture ID 160 on the high speed bus at all, or even anything resembling the 102c00 message on the low speed bus.

So there is a very slight chance one could send that 160 message (if that is the correct one) over the high speed bus while sending the unlock key to the ECM on the bench and not need the BCM present... maybe.

I don't have a way to test that yet
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Tazzi »

I guess each module can individually indicate if the environment ID is correct, so that would probably make sense if it's the same ID except the module reference changes.
Too many modules with incorrect identifiers results in a no-start condition.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Gatecrasher »

You're right about the message ID from the DBC file. The high bit is set to identify it as a 29-bit ID. It gets masked out when the file is processed. So 0x102C0040 is indeed the immo identifier from the BCM. When I'm looking at them, I just throw the decimal ID into Windows Calculator in programmer mode and look at the middle two bytes.

There's also an easy trick to convert them to 11 bit IDs. Take your message, apply a mask, and then shift out the bottom 13 bits. So (0x102C0040 & 0xCFFFFFFF) >> 0xD = 0x160. The HS bus doesn't always have matching messages, but sometimes you get lucky.

On my car, the immo and environment messages look like this (IDs have been sanitized):


102C0040 XXYY AABB 03		//Immo & env ID request from BCM. Immo = XXYY, Env = AABB.  Immo status = 1, env status = 1
10308060 AABB 01			//Env reply 3 from IPC. Env = AABB. Env status = 1
10306099 AABB 01			//Env reply 2 from HVAC. Env = AABB. Env status = 1
10304058 AABB 01			//Env reply 1 from SDM. Env = AABB. Env status = 1
The high speed bus only seems to have these two. You'll notice the IDs match the low speed IDs once you apply the conversion I mentioned:


160 XXYY AABB 03		//Immo & env ID request from BCM. Immo = XXYY, Env = AABB.  Immo status = 1, env status = 1
182 AABB 01			//Env reply 1 from ECM. Env = AABB. Env status = 1 
Based on an old Techlink article I found, the EBCM and steering column lock can also participate in the environment ID. My car doesn't have a column lock at all, and the EBCM doesn't seem to be sending a reply.

I've found some documentation that says 1F1 has the immo pre-release password as well as a status bit.

1F1 82 0B EEFF 18 00 00 7A: Password is EEFF, status bit is the low bit of byte 1 (2nd one from the left). All the other data is general platform status stuff. Power modes, remote start request, etc.

3C1 is all powertrain immo data and 3C9 is all platform immo data. I don't have anything explaining the meaning for those messages. Every mention of those just says "see GMW7349 for details".

I've got enough spare modules to build a mostly complete duplicate of a car on my bench. I just haven't wired them all up yet. I can also log my actual car if it'll help. I've been wanting to get the bench modules synced up so they'll simulate a valid key on, engine off state anyway.
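The ID arithmetic in Gatecrasher's post above, together with gmtech825's earlier observation that the DBC value 2150367232 masks down to 2c0000 while the bus shows 102c00XX, worked through as an added Python example. This is not code from the thread or from any GM tool. The three-field split of the 29-bit ID (priority, arbitration ID, source address) is an assumption that fits every ID posted here; the 0x182..0x184 reply numbering is read off Gatecrasher's "reply 1/2/3" labels; and SAMPLE_LOG uses constructed values 1234/5678 in place of the sanitized XXYY/AABB bytes.

```python
"""Decode GMLAN 29-bit IDs and the immo/environment-ID frames posted above.
Added example, not code from the thread. Assumed 29-bit ID layout (it fits
every ID in the thread): bits 28..26 priority, 25..13 arbitration ID,
12..0 source address. DBC files set bit 31 to flag a message ID as extended."""
import re

DBC_EXTENDED_FLAG = 0x80000000  # DBC's "this is a 29-bit ID" flag
CAN_EFF_MASK = 0x1FFFFFFF       # the 29 bits a frame actually carries
CAN_SFF_MASK = 0x7FF            # 11-bit standard ID
# Arbitration IDs from the frames posted above (0x160 == 0x102C0040 >> 13).
ARB_IMMO_ENV_REQUEST = 0x160             # BCM immo + env ID request
ARB_ENV_REPLIES = (0x182, 0x183, 0x184)  # env replies 1..3 (SDM, HVAC, IPC; ECM on HS)
ARB_PLATFORM_STATUS = 0x1F1              # pre-release password + status bit

def dbc_to_can_id(dbc_id: int) -> int:
    """Strip the DBC flag: 2150367232 -> 0x2C0000. That is the arbitration-ID
    field alone (priority and source zero); the bus shows 0x102C0040."""
    return dbc_id & (CAN_EFF_MASK if dbc_id & DBC_EXTENDED_FLAG else CAN_SFF_MASK)

def split_gmlan_id(can_id: int) -> tuple:
    """(priority, arbitration_id, source_address) of a 29-bit GMLAN ID."""
    can_id &= CAN_EFF_MASK
    return (can_id >> 26) & 0x7, (can_id >> 13) & 0x1FFF, can_id & 0x1FFF

def build_gmlan_id(priority: int, arb_id: int, source: int) -> int:
    """Inverse of split_gmlan_id: build_gmlan_id(4, 0x160, 0x40) == 0x102C0040."""
    return ((priority & 0x7) << 26) | ((arb_id & 0x1FFF) << 13) | (source & 0x1FFF)

def to_11bit(can_id: int) -> int:
    """Same result as the post's (id & 0xCFFFFFFF) >> 13, done by field: that mask
    clears only bit 28, while this also drops priority bits 27..26 if set."""
    return split_gmlan_id(can_id)[1]

_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f ]+?)\s*(?://.*)?$")

def parse_frame(line: str):
    """'102C0040 1234 5678 03 // note' -> (0x102C0040, bytes 12 34 56 78 03);
    None for blank lines or sanitized placeholders (XXYY) that are not hex."""
    m = _LINE.match(line)
    if not m:
        return None
    try:
        return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))
    except ValueError:  # odd number of hex digits
        return None

def decode_frame(can_id: int, data: bytes) -> dict:
    """Classify one frame by arbitration ID; 11-bit IDs are used as-is."""
    prio, arb, src = split_gmlan_id(can_id) if can_id > CAN_SFF_MASK else (None, can_id, None)
    info = {"id": can_id, "priority": prio, "arb": arb, "source": src, "kind": "other"}
    if arb == ARB_IMMO_ENV_REQUEST and len(data) >= 5:
        info.update(kind="immo_env_request", immo_id=int.from_bytes(data[0:2], "big"),
                    env_id=int.from_bytes(data[2:4], "big"),
                    status=data[4])        # 0x03 in the post: immo and env both set
    elif arb in ARB_ENV_REPLIES and len(data) >= 3:
        info.update(kind="env_reply", reply_no=arb - 0x181,  # 0x182 -> 1 ... 0x184 -> 3
                    env_id=int.from_bytes(data[0:2], "big"), status=data[2])
    elif arb == ARB_PLATFORM_STATUS and len(data) >= 4:
        info.update(kind="platform_status",
                    password=int.from_bytes(data[2:4], "big"),  # EEFF in the post
                    status_bit=data[1] & 1)                     # low bit of byte 1
    return info

def decode_log(text: str) -> list:
    """Decode every parseable line of a log in the format posted above."""
    parsed = (parse_frame(line) for line in text.splitlines())
    return [decode_frame(*p) for p in parsed if p is not None]

def env_mismatches(frames: list) -> list:
    """Env replies whose ID differs from the BCM's request: a swapped-in module
    still carrying its old environment ID would show up here."""
    requests = [f for f in frames if f["kind"] == "immo_env_request"]
    if not requests:
        return []
    expected = requests[0]["env_id"]
    return [f for f in frames if f["kind"] == "env_reply" and f["env_id"] != expected]

# Constructed sample: the post's frames with 1234/5678 standing in for the
# sanitized XXYY/AABB values. Not a capture from a real vehicle.
SAMPLE_LOG = """\
102C0040 1234 5678 03   // BCM immo/env request on the LS bus, source 0x40
10308060 5678 01        // env reply 3 from IPC
10306099 5678 01        // env reply 2 from HVAC
10304058 5678 01        // env reply 1 from SDM
160 1234 5678 03        // same request as seen on the HS bus (11-bit ID)
182 5678 01             // env reply 1 from ECM on the HS bus
1F1 82 0B EEFF 18 00 00 7A   // pre-release password EEFF, status bit = 0x0B & 1
"""

if __name__ == "__main__":
    for frame in decode_log(SAMPLE_LOG):
        print(frame)
    print("env mismatches:", env_mismatches(decode_log(SAMPLE_LOG)))
```

The env_mismatches check is the practical part: given Tazzi's point that too many modules with the wrong environment ID give a no-start, a log taken after a module swap can be diffed against the BCM's request before anything is relearned. The 3C1/3C9 frames are deliberately left as "other", since the thread has nothing on their layout.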
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Tazzi »

Gatecrasher wrote:You're right about the message ID from the DBC file. The high bit is set to identify it as a 29-bit ID. It gets masked out when the file is processed. So 0x102C0040 is indeed the immo identifier from the BCM. When I'm looking at them, I just throw the decimal ID into Windows Calculator in programmer mode and look at the middle two bytes.

There's also an easy trick to convert them to 11 bit IDs. Take your message, apply a mask, and then shift out the bottom 13 bits. So (0x102C0040 & 0xCFFFFFFF) >> 0xD = 0x160. The HS bus doesn't always have matching messages, but sometimes you get lucky.

On my car, the immo and environment messages look like this (IDs have been sanitized):


102C0040 XXYY AABB 03		//Immo & env ID request from BCM. Immo = XXYY, Env = AABB.  Immo status = 1, env status = 1
10308060 AABB 01			//Env reply 3 from IPC. Env = AABB. Env status = 1
10306099 AABB 01			//Env reply 2 from HVAC. Env = AABB. Env status = 1
10304058 AABB 01			//Env reply 1 from SDM. Env = AABB. Env status = 1
The high speed bus only seems to have these two. You'll notice the IDs match the low speed IDs once you apply the conversion I mentioned:


160 XXYY AABB 03		//Immo & env ID request from BCM. Immo = XXYY, Env = AABB.  Immo status = 1, env status = 1
182 AABB 01			//Env reply 1 from ECM. Env = AABB. Env status = 1 
Based on an old Techlink article I found, the EBCM and steering column lock can also participate in the environment ID. My car doesn't have a column lock at all, and the EBCM doesn't seem to be sending a reply.

I've found some documentation that says 1F1 has the immo pre-release password as well as a status bit.

1F1 82 0B EEFF 18 00 00 7A: Password is EEFF, status bit is the low bit of byte 1 (2nd one from the left). All the other data is general platform status stuff. Power modes, remote start request, etc.

3C1 is all powertrain immo data and 3C9 is all platform immo data. I don't have anything explaining the meaning for those messages. Every mention of those just says "see GMW7349 for details".

I've got enough spare modules to build a mostly complete duplicate of a car on my bench. I just haven't wired them all up yet. I can also log my actual car if it'll help. I've been wanting to get the bench modules synced up so they'll simulate a valid key on, engine off state anyway.
Nice work! Literally none of which is documented anywhere. It's getting the modules to relearn the environment identifier which has been a pain in the ass.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

That's awesome, thanks for that info. Have you found that the immo values match the immo relearn value SPS sends, or is it encrypted in some way?