is this possible? copy and save oem cals
-
- Posts: 8
- Joined: Sun Jul 08, 2018 11:43 am
Re: is this possible? copy and save oem cals
A DID $90 write may only be performed under two circumstances:
1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
- or -
2) When the controller has been programmed within the last three ignition cycles
There are no DID $90 write restrictions when the MEC is non-zero.
Re: is this possible? copy and save oem cals
nightjoker7 wrote:
> A DID $90 write may only be performed under two circumstances:
> 1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
> - or -
> 2) When the controller has been programmed within the last three ignition cycles
> There are no DID $90 write restrictions when the MEC is non-zero.

VIN can be written at any time so long as you can do the security unlock (Seed/key).
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
-
- Posts: 8
- Joined: Sun Jul 08, 2018 11:43 am
Re: is this possible? copy and save oem cals
Tazzi wrote:
> nightjoker7 wrote:
> > A DID $90 write may only be performed under two circumstances:
> > 1) When preceded by a ClearDiagnosticInformation ($04) Service during the same ignition cycle
> > - or -
> > 2) When the controller has been programmed within the last three ignition cycles
> > There are no DID $90 write restrictions when the MEC is non-zero.
>
> VIN can be written at any time so long as you can do the security unlock (Seed/key).

The above info I posted is specific to Global A modules that already have a VIN in them.
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: is this possible? copy and save oem cals
I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.
-
- Posts: 590
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailys..
Re: is this possible? copy and save oem cals
Gatecrasher wrote:
> I was screwing around with some immobilizer functions on a 2016 Global A BCM, and I noticed one of the first things SPS does is write the MEC to 0x10. It sets it back to 0 at the end of the process. Makes me wonder if you could use that to get around any write restrictions on an ECM. I'd test it on my spare E92, but I don't have a bench harness built yet.

If you have a log of the writing of the MEC, could you post it up? I was wondering about that but never came across where it changed it, but I do see where they were looking for it at the end.. Didn't see them write to it though..
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: is this possible? copy and save oem cals
Code:
Enable MixedFormatFrames (ignore failure)!
13:21:54.5 MsgType=1, <[.H..]00 00 01 01 FE 3E [0006] FramePad
13:21:54.6 MsgType=1, <[.H..]00 00 02 41 22 90 A1 [0007] FramePad
13:21:54.6 MsgType=2, >[.H..]00 00 01 01 FE [0005] ExtAddress TxDone
13:21:54.6 MsgType=2, >[.H..]00 00 01 01 [0004] TxDone
13:21:54.6 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:54.6 MsgType=2, >[.H..]00 00 06 41 62 90 A1 80 00 02 [0010]
13:21:56.3 MsgType=1, <[.H..]00 00 02 41 22 80 45 [0007] FramePad
13:21:56.3 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.3 MsgType=2, >[.H..]00 00 06 41 62 80 45 02 [0008]
13:21:56.3 MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad
13:21:56.3 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.3 MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008]
13:21:56.3 MsgType=1, <[.H..]00 00 02 41 27 02 66 68 [0008] FramePad
13:21:56.3 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.3 MsgType=2, >[.H..]00 00 06 41 7F 27 35 [0007]
13:21:56.3 MsgType=1, <[.H..]00 00 02 41 27 01 [0006] FramePad
13:21:56.3 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.3 MsgType=2, >[.H..]00 00 06 41 67 01 2E 66 [0008]
13:21:56.3 MsgType=1, <[.H..]00 00 02 41 27 02 B0 35 [0008] FramePad
13:21:56.3 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.3 MsgType=2, >[.H..]00 00 06 41 67 02 [0006]
13:21:56.4 MsgType=1, <[.H..]00 00 02 41 1A A0 [0006] FramePad
13:21:56.4 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.4 MsgType=2, >[.H..]00 00 06 41 5A A0 00 [0007]
13:21:56.4 MsgType=1, <[.H..]00 00 02 41 3B A0 10 [0007] FramePad
13:21:56.4 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.4 MsgType=2, >[.H..]00 00 06 41 7B A0 [0006]
13:21:56.4 MsgType=1, <[.H..]00 00 02 41 AE 04 80 00 03 00 00 [0011] FramePad
13:21:56.4 MsgType=2, >[.H..]00 00 02 41 [0004] TxDone
13:21:56.4 MsgType=2, >[.H..]00 00 06 41 EE 04 [0006]
It's also interesting that SPS fails with the first security key it tries. The second key succeeds.
That mode $AE lets you power up the module enough to do some testing, but a lot of the bus messages are zeroed out.
-
- Posts: 590
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailys..
Re: is this possible? copy and save oem cals
So it's just a regular 3b write command after it's unlocked.. nice!!! That's interesting..
I've just been screwing around on the bench and it seems certain OS's don't like letting you change the VIN with just a regular 3B90 command after an unlock.. With those OS's I found out after an OS write that you can change the VIN afterwards, next time I have an E92 or E38 with the newer OS I'll try writing the enable to 10.. Hadn't seen that in any of my logs.. thanks!!!!
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: is this possible? copy and save oem cals
You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.
Re: is this possible? copy and save oem cals
Gatecrasher wrote:
> You read some of the leaked docs and they talk about the MEC like it's this hard lockdown that shall never be touched once something leaves the plant. Then you see this SPS process just casually re-writing it before it even does any actual work. The whole thing failed and aborted almost immediately because I didn't have a keyless entry (K84) module hooked up. But it still unlocked the BCM and screwed around with that MEC.

What year and OS BCM was this?
I just tried writing the MEC to 0x10 and the BCM rejected it. (241, 03 3B A0 10)
Yes, I had security access granted.
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: is this possible? copy and save oem cals
It came out of a wrecked 16 Corvette. PN 13510531. Looks like they only ever issued one OS for this thing. 13511493. It's about as crude as you can get for this test, so maybe that's working in my favor? I've got just the BCM on my desk, hooked to an MDI. I'm copying and pasting commands one by one with the DrewTech J2534 software. I set a periodic tester present message at a rate of 4.5 seconds, and sent a mode $28 to disable normal communication, mainly to keep the logging noise down. I could have set a filter instead. Everything else was done in the scratchpad field on the DrewTech software.
Just for fun, I cut power to it since I don't have a way to gracefully shut it down yet. MEC was still at 0x10 after a restart. I guess it didn't decrement to 0x0F because it wasn't a proper ignition cycle. It definitely didn't return to 0 though. The write stuck.
Are you doing this over high speed or low speed CAN? Mine was done on high speed. The BCM will respond to some things on low speed, but doesn't seem to like doing diagnostics on that bus.
Code:
14:28.412109,CAN,0x00000001,00 00 02 41 01 3E
14:28.423638,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:32.605241,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00 //Check MEC
14:32.613478,CAN,0x00000000,00 00 06 41 03 5A A0 00 00 00 00 00 //MEC at 0
14:32.912563,CAN,0x00000001,00 00 02 41 01 3E
14:32.923454,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:37.412543,CAN,0x00000001,00 00 02 41 01 3E
14:37.423278,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:41.912521,CAN,0x00000001,00 00 02 41 01 3E
14:41.923064,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:46.412504,CAN,0x00000001,00 00 02 41 01 3E
14:46.422880,CAN,0x00000000,00 00 06 41 01 7E A0 00 00 00 00 00
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00 //Request seed
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00 //Receive seed
14:50.912555,CAN,0x00000001,00 00 02 41 01 3E
14:50.922688,CAN,0x00000000,00 00 06 41 01 7E 01 2E 66 00 00 00
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00 //Send key
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00 //Key accepted
14:55.412922,CAN,0x00000001,00 00 02 41 01 3E
14:55.422497,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
14:59.912831,CAN,0x00000001,00 00 02 41 01 3E
14:59.922297,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:04.412804,CAN,0x00000001,00 00 02 41 01 3E
15:04.422113,CAN,0x00000000,00 00 06 41 01 7E 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00 //Write to MEC
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00 //MEC accepted
15:08.912418,CAN,0x00000001,00 00 02 41 01 3E
15:08.921923,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:13.412390,CAN,0x00000001,00 00 02 41 01 3E
15:13.421725,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:17.912372,CAN,0x00000001,00 00 02 41 01 3E
15:17.921513,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:22.412347,CAN,0x00000001,00 00 02 41 01 3E
15:22.421333,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:26.912327,CAN,0x00000001,00 00 02 41 01 3E
15:26.921125,CAN,0x00000000,00 00 06 41 01 7E A0 2E 66 00 00 00
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00 //Re-read MEC
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00 //MEC at 10
15:31.412368,CAN,0x00000001,00 00 02 41 01 3E
15:31.420937,CAN,0x00000000,00 00 06 41 01 7E A0 10 66 00 00 00
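
An added example, not part of any post in this thread: a small audit script for captures in the second log format above, which reports security unlocks and reads or writes of DID $A0. It assumes the layout visible in that capture (4-byte CAN ID, one single-frame length byte, then the service bytes) and cuts each payload to that length, because the responses carry stale padding such as the `2E 66` after `7B A0`. The names `parse_line` and `audit` are hypothetical.

```python
# Eight lines taken from the capture above (comments stripped); 0x241 = tester, 0x641 = BCM.
SAMPLE = """\
14:47.948231,CAN,0x00000001,00 00 02 41 02 27 01 00 00 00 00 00
14:47.952796,CAN,0x00000000,00 00 06 41 04 67 01 2E 66 00 00 00
14:51.042595,CAN,0x00000001,00 00 02 41 04 27 02 B0 35 00 00 00
14:51.052679,CAN,0x00000000,00 00 06 41 02 67 02 2E 66 00 00 00
15:08.009065,CAN,0x00000001,00 00 02 41 03 3B A0 10 00 00 00 00
15:08.011937,CAN,0x00000000,00 00 06 41 02 7B A0 2E 66 00 00 00
15:27.970045,CAN,0x00000001,00 00 02 41 02 1A A0 00 00 00 00 00
15:27.981105,CAN,0x00000000,00 00 06 41 03 5A A0 10 66 00 00 00
"""

def parse_line(line):
    """Return (timestamp, can_id, payload); payload is cut to the PCI length."""
    ts, _proto, _flags, hexdata = line.split("//")[0].strip().split(",", 3)
    raw = bytes.fromhex(hexdata)
    if len(raw) < 5 or raw[4] >> 4:        # assumption: only single frames are decoded
        return None
    return ts, int.from_bytes(raw[:4], "big"), raw[5:5 + (raw[4] & 0x0F)]

def audit(log, req_id=0x241, rsp_id=0x641, did=0xA0):
    """List unlocks, reads and writes of one DID seen in a capture."""
    events, pending = [], None
    for line in filter(str.strip, log.splitlines()):
        frame = parse_line(line)
        if not frame or not frame[2]:
            continue
        ts, can_id, p = frame
        if can_id == req_id and p[0] == 0x3B and p[1:2] == bytes([did]):
            pending = p[2:]                # value the tester asked to write
        elif can_id != rsp_id:
            continue
        elif p[:2] == b"\x67\x02":         # positive response to the key
            events.append((ts, "security access granted", b""))
        elif p[:2] == bytes([0x7B, did]) and pending is not None:
            events.append((ts, "write accepted", pending))
            pending = None
        elif p[:2] == b"\x7F\x3B":         # negative response to a $3B request
            events.append((ts, "write rejected", pending or b""))
            pending = None
        elif p[:2] == bytes([0x5A, did]):
            events.append((ts, "read", p[2:]))
    return events

if __name__ == "__main__":
    for ts, what, value in audit(SAMPLE):
        print(ts, what, value.hex())
```

Without the length cut, the final read would be reported as `10 66 00 00 00` instead of the single byte `10`.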