is this possible? copy and save oem cals

American Delco GM ECUs and PCMs, ALDL, OBD 1.5.
nightjoker7
Posts: 8
Joined: Sun Jul 08, 2018 11:43 am

Re: is this possible? copy and save oem cals

Post by nightjoker7 »

A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle - or -
2) When the controller has been programmed within the last three ignition cycles
There are no DID $90 write restrictions when the MEC is non-zero.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: is this possible? copy and save oem cals

Post by Tazzi »

nightjoker7 wrote:A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle - or -
2) When the controller has been programmed within the last three ignition cycles
There are no DID $90 write restrictions when the MEC is non-zero.
VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
nightjoker7
Posts: 8
Joined: Sun Jul 08, 2018 11:43 am

Re: is this possible? copy and save oem cals

Post by nightjoker7 »

Tazzi wrote:
nightjoker7 wrote:A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle - or -
2) When the controller has been programmed within the last three ignition cycles
There are no DID $90 write restrictions when the MEC is non-zero.
VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:
The above info I posted is specific to Global A modules that already have a VIN in them.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Post by Gatecrasher »

I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: is this possible? copy and save oem cals

Post by ironduke »

Gatecrasher wrote:I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.
If you have a log of the writing of the MEC could you post it up, I was wondering about that but never came across where it changed it but I do see where they were looking for it at the end.. Didn't see them write to it though..
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Post by Gatecrasher »

Code:

Enable MixedFormatFrames (ignore failure)!
  13:21:54.5  MsgType=1, <[.H..]00 00 01 01 FE 3E [0006] FramePad 
  13:21:54.6  MsgType=1, <[.H..]00 00 02 41 22 90 A1 [0007] FramePad 
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 FE [0005] ExtAddress TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 [0004] TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 06 41 62 90 A1 80 00 02 [0010] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 22 80 45 [0007] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 62 80 45 02 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 66 68 [0008] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 7F 27 35 [0007] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 B0 35 [0008] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 02 [0006] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 1A A0 [0006] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 5A A0 00 [0007] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 3B A0 10 [0007] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 7B A0 [0006] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 AE 04 80 00 03 00 00 [0011] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 EE 04 [0006] 
I was trying to link a used key to a used BCM so I could get it into a run state for bench work. It was a failure for a few different reasons. I don't want to de-rail the thread with the details.

It's also interesting that SPS fails with the first security key it tries. The second key succeeds.

That mode $AE lets you power up the module enough to do some testing, but a lot of the bus messages are zeroed out.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: is this possible? copy and save oem cals

Post by ironduke »

So it's just a regular 3b write command after it's unlocked.. nice!!! That's interesting..
I've just been screwing around on the bench and it seems certain OSes don't like letting you change the VIN with just a regular 3B90 command after an unlock.. With those OSes I found out after an OS write that you can change the VIN afterwards, next time I have an E92 or E38 with the newer OS I'll try writing the enable to 10.. Hadn't seen that in any of my logs.. thanks!!!!
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Post by Gatecrasher »

You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.
dmaxben
Posts: 16
Joined: Thu Feb 19, 2015 12:54 am
cars: Duramax

Re: is this possible? copy and save oem cals

Post by dmaxben »

Gatecrasher wrote:You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.
What year and OS BCM was this?

I just tried writing the MEC to 0x10 and the BCM rejected it. (241, 03 3B A0 10)

Yes, I had security access granted.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: is this possible? copy and save oem cals

Post by Gatecrasher »

It came out of a wrecked 16 Corvette. PN 13510531. Looks like they only ever issued one OS for this thing. 13511493. It's about as crude as you can get for this test, so maybe that's working in my favor? I've got just the BCM on my desk, hooked to an MDI. I'm copying and pasting commands one by one with the DrewTech J2534 software. I set a periodic tester present message at a rate of 4.5 seconds, and sent a mode $28 to disable normal communication, mainly to keep the logging noise down. I could have set a filter instead. Everything else was done in the scratchpad field on the DrewTech software.

Just for fun, I cut power to it since I don't have a way to gracefully shut it down yet. MEC was still at 0x10 after a restart. I guess it didn't decrement to 0x0F because it wasn't a proper ignition cycle. It definitely didn't return to 0 though. The write stuck.

Are you doing this over high speed or low speed CAN? Mine was done on high speed. The BCM will respond to some things on low speed, but doesn't seem to like doing diagnostics on that bus.

Code:

14:28.412109,CAN,0x00000001,00 00 02 41 01 3E
14:28.423638,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00		//Check MEC
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00		//MEC at 0
14:32.912563,CAN,0x00000001,00 00 02 41 01 3E
14:32.923454,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:37.412543,CAN,0x00000001,00 00 02 41 01 3E
14:37.423278,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:41.912521,CAN,0x00000001,00 00 02 41 01 3E
14:41.923064,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:46.412504,CAN,0x00000001,00 00 02 41 01 3E
14:46.422880,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00		//Request seed
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00		//Receive seed
14:50.912555,CAN,0x00000001,00 00 02 41 01 3E
14:50.922688,CAN,0x00000000,00 00 06 41 01 7E 01 2E 66 00 00 00		
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00		//Send key
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00		//Key accepted
14:55.412922,CAN,0x00000001,00 00 02 41 01 3E
14:55.422497,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
14:59.912831,CAN,0x00000001,00 00 02 41 01 3E
14:59.922297,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:04.412804,CAN,0x00000001,00 00 02 41 01 3E
15:04.422113,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00		//Write to MEC
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00		//MEC accepted
15:08.912418,CAN,0x00000001,00 00 02 41 01 3E
15:08.921923,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:13.412390,CAN,0x00000001,00 00 02 41 01 3E
15:13.421725,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:17.912372,CAN,0x00000001,00 00 02 41 01 3E
15:17.921513,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:22.412347,CAN,0x00000001,00 00 02 41 01 3E
15:22.421333,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:26.912327,CAN,0x00000001,00 00 02 41 01 3E
15:26.921125,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00		//Re-read MEC
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00		//MEC at 10
15:31.412368,CAN,0x00000001,00 00 02 41 01 3E
15:31.420937,CAN,0x00000000,00 00 06 41 01 7E A0 10 66 00 00 00
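Added example (not code from any poster in this thread): a Python parser for the CSV-style capture format in the last post. It honours the single-frame length byte, so stale trailing bytes such as the `2E 66` after `7B A0` are ignored, and it reports each $3B write together with whether a successful $27 unlock preceded it. The 0x241/0x641 IDs come from the logs above; the function names and report layout are assumptions of this example.

```python
# Lines copied from the capture in the post above (trailing comments optional).
SAMPLE = """\
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00  //Check MEC
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00
"""

def parse_line(line):
    """Return (timestamp, can_id, payload) for a single-frame line, else None."""
    fields = line.split("//")[0].strip().split(",")
    if len(fields) != 4:
        return None
    raw = bytes.fromhex(fields[3])
    if len(raw) < 6:
        return None
    pci = raw[4]                      # ISO-TP single frame: 0x0N, N = length
    if not 1 <= pci <= 7:
        return None
    # Honour the length byte: bytes past it are padding or stale buffer data.
    return fields[0], int.from_bytes(raw[:4], "big"), raw[5:5 + pci]

def audit(log, req_id=0x241, rsp_id=0x641):
    """Report every $3B write: DID, value, prior $27 unlock, module answer."""
    unlocked, pending, findings = False, None, []
    for line in log.splitlines():
        frame = parse_line(line)
        if frame is None:
            continue
        ts, can_id, data = frame
        if can_id == req_id and data[0] == 0x3B and len(data) >= 2:
            pending = {"time": ts, "did": data[1], "value": data[2:].hex(),
                       "unlocked": unlocked, "result": "no response"}
            findings.append(pending)
        elif can_id == rsp_id and data[:2] == b"\x67\x02":
            unlocked = True           # positive response to SecurityAccess key
        elif can_id == rsp_id and pending is not None:
            if data[:2] == bytes([0x7B, pending["did"]]):
                pending["result"] = "accepted"
                pending = None
            elif data[:2] == b"\x7f\x3b" and len(data) >= 3:
                pending["result"] = "rejected, NRC 0x%02X" % data[2]
                pending = None
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Comparing only the bytes covered by the length byte matters when reading these captures by eye as well: the `7E A0 ...` tester-present replies are one-byte `7E` responses followed by leftover buffer content.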