is this possible? copy and save oem cals

American Delco GM ECUs and PCMs, ALDL, OBD 1.5.
Posts: 8
Joined: Sun Jul 08, 2018 11:43 am

Re: is this possible? copy and save oem cals

Postby nightjoker7 » Mon Feb 08, 2021 6:25 am

A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
- or -
2) When the controller has been programmed within the last three ignition cycles

There are no DID $90 write restrictions when the MEC is non-zero.

Posts: 2423
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: is this possible? copy and save oem cals

Postby Tazzi » Mon Feb 08, 2021 11:14 am

nightjoker7 wrote:
A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
- or -
2) When the controller has been programmed within the last three ignition cycles

There are no DID $90 write restrictions when the MEC is non-zero.


VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 8
Joined: Sun Jul 08, 2018 11:43 am

Re: is this possible? copy and save oem cals

Postby nightjoker7 » Mon Feb 08, 2021 2:45 pm

Tazzi wrote:
nightjoker7 wrote:
A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
- or -
2) When the controller has been programmed within the last three ignition cycles

There are no DID $90 write restrictions when the MEC is non-zero.


VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:


The above info I posted is specific to Global A modules that already have a VIN in them.

Posts: 63
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Postby Gatecrasher » Tue Feb 09, 2021 1:50 am

I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.

Posts: 250
Joined: Thu Feb 13, 2020 11:32 pm

Re: is this possible? copy and save oem cals

Postby ironduke » Tue Feb 09, 2021 1:59 am

Gatecrasher wrote:
I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.


If you have a log of the writing of the MEC, could you post it up? I was wondering about that but never came across where it changed it, but I do see where they were looking for it at the end.. Didn't see them write to it though..

Posts: 63
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Postby Gatecrasher » Tue Feb 09, 2021 2:34 am

Code:
Enable MixedFormatFrames (ignore failure)!
  13:21:54.5  MsgType=1, <[.H..]00 00 01 01 FE 3E [0006] FramePad
  13:21:54.6  MsgType=1, <[.H..]00 00 02 41 22 90 A1 [0007] FramePad
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 FE [0005] ExtAddress TxDone
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 [0004] TxDone
  13:21:54.6  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:54.6  MsgType=2, >[.H..]00 00 06 41 62 90 A1 80 00 02 [0010]
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 22 80 45 [0007] FramePad
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 62 80 45 02 [0008]
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008]
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 66 68 [0008] FramePad
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 7F 27 35 [0007]
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008]
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 B0 35 [0008] FramePad
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 02 [0006]
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 1A A0 [0006] FramePad
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 5A A0 00 [0007]
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 3B A0 10 [0007] FramePad
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 7B A0 [0006]
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 AE 04 80 00 03 00 00 [0011] FramePad
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 EE 04 [0006]


I was trying to link a used key to a used BCM so I could get it into a run state for bench work. It was a failure for a few different reasons. I don't want to de-rail the thread with the details.

It's also interesting that SPS fails with the first security key it tries. The second key succeeds.

That mode $AE lets you power up the module enough to do some testing, but a lot of the bus messages are zeroed out.

Posts: 250
Joined: Thu Feb 13, 2020 11:32 pm

Re: is this possible? copy and save oem cals

Postby ironduke » Tue Feb 09, 2021 3:20 am

So it's just a regular 3b write command after it's unlocked.. nice!!! That's interesting..
I've just been screwing around on the bench and it seems certain OSes don't like letting you change the VIN with just a regular 3B90 command after an unlock.. With those OSes I found out after an OS write that you can change the VIN afterwards, next time I have an E92 or E38 with the newer OS I'll try writing the enable to 10.. Hadn't seen that in any of my logs.. thanks!!!!

Posts: 63
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Postby Gatecrasher » Tue Feb 09, 2021 5:08 am

You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.

Posts: 16
Joined: Thu Feb 19, 2015 12:54 am

Re: is this possible? copy and save oem cals

Postby dmaxben » Mon Feb 15, 2021 7:50 am

Gatecrasher wrote:You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.


What year and OS BCM was this?

I just tried writing the MEC to 0x10 and the BCM rejected it. (241, 03 3B A0 10)

Yes, I had security access granted.

Posts: 63
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Postby Gatecrasher » Mon Feb 15, 2021 9:40 am

It came out of a wrecked 16 Corvette. PN 13510531. Looks like they only ever issued one OS for this thing. 13511493. It's about as crude as you can get for this test, so maybe that's working in my favor? I've got just the BCM on my desk, hooked to an MDI. I'm copying and pasting commands one by one with the DrewTech J2534 software. I set a periodic tester present message at a rate of 4.5 seconds, and sent a mode $28 to disable normal communication, mainly to keep the logging noise down. I could have set a filter instead. Everything else was done in the scratchpad field on the DrewTech software.

Just for fun, I cut power to it since I don't have a way to gracefully shut it down yet. MEC was still at 0x10 after a restart. I guess it didn't decrement to 0x0F because it wasn't a proper ignition cycle. It definitely didn't return to 0 though. The write stuck.

Are you doing this over high speed or low speed CAN? Mine was done on high speed. The BCM will respond to some things on low speed, but doesn't seem to like doing diagnostics on that bus.

Code:
14:28.412109,CAN,0x00000001,00 00 02 41 01 3E
14:28.423638,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00      //Check MEC
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00      //MEC at 0
14:32.912563,CAN,0x00000001,00 00 02 41 01 3E
14:32.923454,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:37.412543,CAN,0x00000001,00 00 02 41 01 3E
14:37.423278,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:41.912521,CAN,0x00000001,00 00 02 41 01 3E
14:41.923064,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:46.412504,CAN,0x00000001,00 00 02 41 01 3E
14:46.422880,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00      //Request seed
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00      //Receive seed
14:50.912555,CAN,0x00000001,00 00 02 41 01 3E
14:50.922688,CAN,0x00000000,00 00 06 41 01 7E 01 2E 66 00 00 00      
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00      //Send key
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00      //Key accepted
14:55.412922,CAN,0x00000001,00 00 02 41 01 3E
14:55.422497,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
14:59.912831,CAN,0x00000001,00 00 02 41 01 3E
14:59.922297,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:04.412804,CAN,0x00000001,00 00 02 41 01 3E
15:04.422113,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00      //Write to MEC
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00      //MEC accepted
15:08.912418,CAN,0x00000001,00 00 02 41 01 3E
15:08.921923,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:13.412390,CAN,0x00000001,00 00 02 41 01 3E
15:13.421725,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:17.912372,CAN,0x00000001,00 00 02 41 01 3E
15:17.921513,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:22.412347,CAN,0x00000001,00 00 02 41 01 3E
15:22.421333,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:26.912327,CAN,0x00000001,00 00 02 41 01 3E
15:26.921125,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00      //Re-read MEC
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00      //MEC at 10
15:31.412368,CAN,0x00000001,00 00 02 41 01 3E
15:31.420937,CAN,0x00000000,00 00 06 41 01 7E A0 10 66 00 00 00
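
Added example, not part of the original posts: a small Python decoder for the CSV capture format above that lists the security-access and identifier read/write responses a reviewer would look for in such a log. It assumes the first four bytes of each frame are the CAN ID (0x241 request, 0x641 response, as in the capture) and that the next byte is an ISO-TP single-frame length; the function names are hypothetical.

```python
import re

# Frames copied from the capture in the post above; tester-present traffic trimmed.
CAPTURE = """\
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00      //Check MEC
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00      //MEC at 0
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00      //Request seed
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00      //Receive seed
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00      //Send key
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00      //Key accepted
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00      //Write to MEC
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00      //MEC accepted
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00      //Re-read MEC
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00      //MEC at 10
"""

# Request SIDs of interest; a positive response is the request SID + 0x40.
SERVICES = {0x1A: "ReadDataByIdentifier", 0x27: "SecurityAccess", 0x3B: "WriteDataByIdentifier"}
LINE = re.compile(r"^([\d:.]+),CAN,0x[0-9A-Fa-f]+,((?:[0-9A-Fa-f]{2} ?)+)")

def decode_line(line):
    """Return (time, can_id, payload), or None if not a single-frame message."""
    m = LINE.match(line.strip())
    raw = bytes.fromhex(m.group(2)) if m else b""
    if len(raw) < 5 or raw[4] >> 4:   # byte 4 is the ISO-TP PCI; high nibble 0 = single frame
        return None
    # The low nibble is the payload length; bytes after it are padding, often stale.
    return m.group(1), int.from_bytes(raw[:4], "big"), raw[5:5 + (raw[4] & 0x0F)]

def audit(capture, response_id=0x641):
    """List security-relevant responses from the module, in capture order."""
    events, unlocked = [], False
    for line in capture.splitlines():
        frame = decode_line(line)
        if frame is None or frame[1] != response_id or len(frame[2]) < 2:
            continue
        ts, _, data = frame
        sid = data[0] - 0x40
        name = SERVICES.get(sid, f"${sid:02X}")
        if data[0] == 0x7F:           # negative response: 7F, rejected SID, reason code
            events.append((ts, "negative response " + data[1:].hex(" ").upper()))
        elif sid == 0x27:             # odd sub-function returns a seed, even confirms the key
            unlocked = unlocked or data[1] % 2 == 0
            events.append((ts, f"{name} " + ("granted" if data[1] % 2 == 0 else "seed issued")))
        elif sid == 0x3B:
            events.append((ts, f"{name} DID ${data[1]:02X} accepted, unlocked={unlocked}"))
        elif sid == 0x1A:
            events.append((ts, f"{name} DID ${data[1]:02X} = {data[2:].hex().upper()}"))
    return events
```

Honouring the length byte is what separates real data from leftovers: the "Key accepted" frame carries only `67 02`, and the `2E 66` after it is the earlier seed still sitting in the transmit buffer.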
