
Re: is this possible? copy and save oem cals

Posted: Mon Feb 08, 2021 6:25 am
by nightjoker7
A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
- or -
2) When the controller has been programmed within the last three ignition cycles

There are no DID $90 write restrictions when the MEC is non-zero.

Re: is this possible? copy and save oem cals

Posted: Mon Feb 08, 2021 11:14 am
by Tazzi
nightjoker7 wrote: A DID $90 write may only be performed under two circumstances: 1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle - or - 2) When the controller has been programmed within the last three ignition cycles. There are no DID $90 write restrictions when the MEC is non-zero.
VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:

Re: is this possible? copy and save oem cals

Posted: Mon Feb 08, 2021 2:45 pm
by nightjoker7
Tazzi wrote:
nightjoker7 wrote: A DID $90 write may only be performed under two circumstances: 1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle - or - 2) When the controller has been programmed within the last three ignition cycles. There are no DID $90 write restrictions when the MEC is non-zero.
VIN can be written at any time so long as you can do the security unlock (Seed/key). :thumbup:
The above info I posted is specific to Global A modules that already have a VIN in them.

Re: is this possible? copy and save oem cals

Posted: Tue Feb 09, 2021 1:50 am
by Gatecrasher
I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.

Re: is this possible? copy and save oem cals

Posted: Tue Feb 09, 2021 1:59 am
by ironduke
Gatecrasher wrote: I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.
If you have a log of the writing of the MEC could you post it up, I was wondering about that but never came across where it changed it but I do see where they were looking for it at the end.. Didn't see them write to it though..

Re: is this possible? copy and save oem cals

Posted: Tue Feb 09, 2021 2:34 am
by Gatecrasher

Code:

Enable MixedFormatFrames (ignore failure)!
  13:21:54.5  MsgType=1, <[.H..]00 00 01 01 FE 3E [0006] FramePad 
  13:21:54.6  MsgType=1, <[.H..]00 00 02 41 22 90 A1 [0007] FramePad 
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 FE [0005] ExtAddress TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 01 01 [0004] TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:54.6  MsgType=2, >[.H..]00 00 06 41 62 90 A1 80 00 02 [0010] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 22 80 45 [0007] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 62 80 45 02 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 66 68 [0008] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 7F 27 35 [0007] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008] 
  13:21:56.3  MsgType=1, <[.H..]00 00 02 41 27 02 B0 35 [0008] FramePad 
  13:21:56.3  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.3  MsgType=2, >[.H..]00 00 06 41 67 02 [0006] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 1A A0 [0006] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 5A A0 00 [0007] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 3B A0 10 [0007] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 7B A0 [0006] 
  13:21:56.4  MsgType=1, <[.H..]00 00 02 41 AE 04 80 00 03 00 00 [0011] FramePad 
  13:21:56.4  MsgType=2, >[.H..]00 00 02 41 [0004] TxDone 
  13:21:56.4  MsgType=2, >[.H..]00 00 06 41 EE 04 [0006] 
I was trying to link a used key to a used BCM so I could get it into a run state for bench work. It was a failure for a few different reasons. I don't want to de-rail the thread with the details.

It's also interesting that SPS fails with the first security key it tries. The second key succeeds.

That mode $AE lets you power up the module enough to do some testing, but a lot of the bus messages are zeroed out.

Re: is this possible? copy and save oem cals

Posted: Tue Feb 09, 2021 3:20 am
by ironduke
So it's just a regular 3b write command after it's unlocked.. nice!!! That's interesting..
I've just been screwing around on the bench and it seems certain OS's don't like letting you change the VIN with just a regular 3B90 command after an unlock.. With those OS's I found out after an OS write that you can change the VIN afterwards, next time I have an E92 or E38 with the newer OS I'll try writing the enable to 10.. Hadn't seen that in any of my logs.. thanks!!!!

Re: is this possible? copy and save oem cals

Posted: Tue Feb 09, 2021 5:08 am
by Gatecrasher
You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.

Re: is this possible? copy and save oem cals

Posted: Mon Feb 15, 2021 7:50 am
by dmaxben
Gatecrasher wrote:You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.
What year and OS BCM was this?

I just tried writing the MEC to 0x10 and the BCM rejected it. (241, 03 3B A0 10)

Yes, I had security access granted.

Re: is this possible? copy and save oem cals

Posted: Mon Feb 15, 2021 9:40 am
by Gatecrasher
It came out of a wrecked 16 Corvette. PN 13510531. Looks like they only ever issued one OS for this thing. 13511493. It's about as crude as you can get for this test, so maybe that's working in my favor? I've got just the BCM on my desk, hooked to an MDI. I'm copying and pasting commands one by one with the DrewTech J2534 software. I set a periodic tester present message at a rate of 4.5 seconds, and sent a mode $28 to disable normal communication, mainly to keep the logging noise down. I could have set a filter instead. Everything else was done in the scratchpad field on the DrewTech software.

Just for fun, I cut power to it since I don't have a way to gracefully shut it down yet. MEC was still at 0x10 after a restart. I guess it didn't decrement to 0x0F because it wasn't a proper ignition cycle. It definitely didn't return to 0 though. The write stuck.

Are you doing this over high speed or low speed CAN? Mine was done on high speed. The BCM will respond to some things on low speed, but doesn't seem to like doing diagnostics on that bus.

Code:

14:28.412109,CAN,0x00000001,00 00 02 41 01 3E
14:28.423638,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00		//Check MEC
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00		//MEC at 0
14:32.912563,CAN,0x00000001,00 00 02 41 01 3E
14:32.923454,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:37.412543,CAN,0x00000001,00 00 02 41 01 3E
14:37.423278,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:41.912521,CAN,0x00000001,00 00 02 41 01 3E
14:41.923064,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:46.412504,CAN,0x00000001,00 00 02 41 01 3E
14:46.422880,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00		//Request seed
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00		//Receive seed
14:50.912555,CAN,0x00000001,00 00 02 41 01 3E
14:50.922688,CAN,0x00000000,00 00 06 41 01 7E 01 2E 66 00 00 00		
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00		//Send key
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00		//Key accepted
14:55.412922,CAN,0x00000001,00 00 02 41 01 3E
14:55.422497,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
14:59.912831,CAN,0x00000001,00 00 02 41 01 3E
14:59.922297,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:04.412804,CAN,0x00000001,00 00 02 41 01 3E
15:04.422113,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00		//Write to MEC
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00		//MEC accepted
15:08.912418,CAN,0x00000001,00 00 02 41 01 3E
15:08.921923,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:13.412390,CAN,0x00000001,00 00 02 41 01 3E
15:13.421725,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:17.912372,CAN,0x00000001,00 00 02 41 01 3E
15:17.921513,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:22.412347,CAN,0x00000001,00 00 02 41 01 3E
15:22.421333,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:26.912327,CAN,0x00000001,00 00 02 41 01 3E
15:26.921125,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00		//Re-read MEC
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00		//MEC at 10
15:31.412368,CAN,0x00000001,00 00 02 41 01 3E
15:31.420937,CAN,0x00000000,00 00 06 41 01 7E A0 10 66 00 00 00
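
Added example, not part of the original posts: a small Python parser for the comma-separated capture format in the log above, which audits a capture for security-access grants, MEC (DID $A0) reads and writes, and negative responses. It assumes the first four bytes of each frame are the CAN ID and the fifth is the single-frame length; the function and event names are illustrative.

```python
# Added example. SAMPLE is an excerpt of the capture posted above (comments stripped).
SAMPLE = """\
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00
15:26.921125,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00
"""
MEC_DID = b"\xA0"  # DID the thread reads with $1A and writes with $3B

def parse_line(line):
    """Return (time, can_id, payload), or None if the line is not a single frame.
    Assumes 4 CAN-ID bytes, then a length byte; bytes past that length are stale."""
    fields = line.split("//")[0].strip().split(",")
    if len(fields) != 4 or fields[1] != "CAN":
        return None
    try:
        raw = bytes.fromhex(fields[3])
    except ValueError:
        return None
    if len(raw) < 6 or not 1 <= raw[4] <= 7 or 5 + raw[4] > len(raw):
        return None
    return fields[0], int.from_bytes(raw[:4], "big"), raw[5:5 + raw[4]]

def audit(log_text):
    """List security-access grants, MEC reads/writes and negative responses."""
    events, pending = [], None
    for frame in filter(None, map(parse_line, log_text.splitlines())):
        when, _can_id, data = frame
        sid, did = data[0], data[1:2]
        if sid == 0x3B and did == MEC_DID and len(data) == 3:
            pending = data[2]  # value the tester asked to write
        elif sid == 0x7B and did == MEC_DID and pending is not None:
            events.append((when, "mec_write_accepted", pending))
            pending = None
        elif sid == 0x5A and did == MEC_DID and len(data) == 3:
            events.append((when, "mec_read", data[2]))
        elif sid == 0x67 and len(data) == 2 and data[1] % 2 == 0:
            events.append((when, "security_unlocked", data[1]))
        elif sid == 0x7F and len(data) == 3:
            events.append((when, "negative_response", (data[1], data[2])))
            pending = None if data[1] == 0x3B else pending
    return events

if __name__ == "__main__":
    for event in audit(SAMPLE):
        print(event)
```

Cutting each payload at the length byte is what separates the seed response (`04 67 01 2E 66`) from the key-accepted response (`02 67 02`), whose trailing `2E 66` is left over from the earlier frame.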