Disabling VATS in '97 Cavalier

brandonlw
Posts: 3
Joined: Mon Sep 26, 2016 12:24 pm
cars: 1997 Chevrolet Cavalier

Disabling VATS in '97 Cavalier

Post by brandonlw »

I have a 1997 Chevrolet Cavalier, and I would like to disable the anti-theft system in it by patching the code in the PCM. It uses a Delco 16228016 PCM, and an Intel AB28F400BX flash chip.

I have desoldered this chip and dumped it via a Willem EEPROM programmer. I can tell via disassembly that it's a Motorola 68k-ish CPU, and I've identified the vector table and what I think is the main loop. However, I haven't gotten much further than that.

I was hoping I could find dumps of similar PCMs and study where the VATS check is, so I'd know what to change (and where the appropriate checksums might be), but unfortunately I haven't found any. Are there similar dumps out there with XDFs or any sort of documentation that might help me with where to find this block of code, and probably more importantly, where any checksums are? Or if not, do you have any tips that could help me in this reverse-engineering endeavor?

Also, one thing I've noticed (which I haven't found on any other public dump) is a signature at the end -- A5 5A A5 A5. I've seen the A5 A5 before in other dumps, and I've seen the word before it be some sort of checksum, but here it appears to be a constant...strange.

I'm not sure how smart it is since it contains the VIN, but I've included the dump in this post in case any of you want to take a peek.

I would *greatly* appreciate any input, links, or help you can provide.
Attachments
ecm1_swapped.bin
(512 KiB) Downloaded 353 times
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Disabling VATS in '97 Cavalier

Post by antus »

A5 = 10100101
5A = 01011010

It's probably a pattern used in manufacturing to tell if the calibration segment has been initialised. Probably if you deleted the segment and that tag it'd boot up in an unlocked recovery mode.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: Disabling VATS in '97 Cavalier

Post by brandonlw »

I've figured out where the main checksum is ($8004) and how it's calculated (16-bit sum of $0000-$4000 and $8010-$7FFFF), so if I knew where the anti-theft flag/setting is, I think I could change it.

I've also been digging around in the OBD2 communication -- it uses registers 0xFFFFF600-0xFFFFF60E. I think this gets me to the code related to all the stuff that can normally be retrieved via a scan tool. But -- I still don't know where the flag/setting would be to enable/disable anti-theft.

How do people who make XDFs normally find this flag? Every dump I've seen so far isn't close enough to mine to find it via comparing BINs.
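The checksum layout described in the post above can be used to confirm that a chip read is intact. The following is an added example, not code from the thread or from any participant. It assumes the sum is taken over big-endian 16-bit words, that the first range stops just before $4000, and that the A5 5A A5 A5 signature occupies the last four bytes of the image; the function names are hypothetical and the sample image is constructed.

```python
import struct

IMAGE_SIZE = 0x80000                  # 512 KiB, the size of the attached dump
CHECKSUM_ADDR = 0x8004                # stored checksum location, per the post
# Summed ranges per the post ($0000-$4000 and $8010-$7FFFF), written half-open.
# Assumption: the first range stops just before $4000.
REGIONS = ((0x0000, 0x4000), (0x8010, 0x80000))
TRAILER = bytes.fromhex("A55AA5A5")   # signature noted at the end of the dump


def checksum16(image, regions=REGIONS):
    """Sum big-endian 16-bit words over the regions, modulo 2**16 (assumed unit)."""
    total = 0
    for start, end in regions:
        for (word,) in struct.iter_unpack(">H", image[start:end]):
            total = (total + word) & 0xFFFF
    return total


def verify_dump(image):
    """Compare the stored checksum and trailer against what the image contains."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected {IMAGE_SIZE:#x} bytes, got {len(image):#x}")
    stored = struct.unpack_from(">H", image, CHECKSUM_ADDR)[0]
    computed = checksum16(image)
    return {
        "stored": stored,
        "computed": computed,
        "checksum_ok": stored == computed,
        "trailer_ok": bytes(image[-4:]) == TRAILER,
    }


def make_constructed_image():
    """Constructed sample (not real PCM data): patterned bytes plus valid fields."""
    image = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    image[-4:] = TRAILER              # trailer lies inside the second summed range
    struct.pack_into(">H", image, CHECKSUM_ADDR, checksum16(image))
    return image


if __name__ == "__main__":
    print(verify_dump(make_constructed_image()))
```

A mismatch on both fields usually points at a bad or byte-swapped read rather than a modified image, since a swapped read also breaks the trailer comparison.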

Re: Disabling VATS in '97 Cavalier

Post by antus »

This sounds similar to the 0411. The register addresses you mention match the 0411 DLC chip. You would find the VATS routine, probably a call to it from the data receive routine.

Re: Disabling VATS in '97 Cavalier

Post by brandonlw »

Is the VATS enabled/disabled status normally returned via a scan tool request? I didn't see anything like that in the documentation, but it wouldn't surprise me if I overlooked it.