LML VATS question...



DURAtotheMAX
August 8th, 2016, 11:18 PM
Ross/Paul...

Is there any chance you can explain exactly what the VATS switches/settings in EFILive actually do in the code? How did you find those switches? Is there anything else in the "system" segment of an LML bin that has anything possibly related to VATS?

As far as I can tell, none of the VATS switches seem to do anything at all. Originally I thought that the "VATS disable" switch would at least allow the engine to start without a valid transponder signal from the key, but maybe still need valid state-of-health from the theft deterrent module and BCM....but that does not seem to be the case. I have gone through dozens of different combinations of VATS switches on the bench, and they all seem to still require a valid key, a theft deterrent module (which is on low speed GMLAN) hooked up, and the BCM hooked up.

I have reverse engineered all of the CAN messages for "crank request" and "BCM is alive and well" for LMM...that works perfectly. With VATS in EFILive set to disable, I can have a BCM sitting in standalone on the bench, send it the proper CAN messages, and it will engage the starter relay just like factory.......which is cool, because I'm sure it (my little smart BCM-emulator box) would work for the E38/E67/etc ECM's too...thus giving those gasser standalone guys "proper" crank request with neutral-start-safety, starter over-crank protection, and automated cranking.

The theft challenge/response passwords are sent from the ECM on CAN, and the BCM sends theft info back. It seems to be a complex password, I assume this is the proprietary GM anti-theft algorithm.

The LMM has two VATS enable switches...anti-theft enable/disable, and anti-theft type (PK1, PK2, PK3). In order for my BCM emulator box to work and make the ECM trigger the starter relay, either the anti-theft switch has to be set to disable, OR the anti-theft system type has to be set to something other than PassKey 3. It also works if you set both of them to disable AND to PK1/PK2.

With VATS set to enable and PK3 (factory), the LMM behaves just like the LML and even with the crank request CAN messages, it still won't trigger the starter relay unless the BCM, TDM, and key are valid.

What is interesting though, is that the "anti-theft enable/disable" switch seems to be a simple global "allow ECM to crank/start if theft information received on CAN is missing/invalid".....the anti-theft system type switch determines whether the ECM sends a password challenge/request. So with theft set to disable, and Theft type set to PK3, the ECM still sends out theft data, BUT it doesn't care if there's no response. With the theft system type set to PK1/PK2, the ECM does not send out any data at all.

So I'd have to imagine there are similar switches in at least the E86a LML, since the 2007.5-2010 LMM and 2011-2014 LML electrical architecture, CAN messages, anti-theft systems, algorithms etc are IDENTICAL between the two...

In summary...is there anything else, at all, in the E86a code that might be for VATS???

I don't care about needing to make the ECM/VATS "super super dumb" to the point where it will start just by jumping the starter terminals...because I can already do the BCM state-of-health messages and crank-request messages. But I can't fake those BCM password messages because, as far as I can tell, it's an extremely complex password algorithm.

Thoughts/ideas? I know this has been discussed before, but I figured it wouldn't hurt to bring it up again now that I have figured out another piece of the puzzle. :)

Ben

GMPX
August 9th, 2016, 10:02 AM
> Ross/Paul...
>
> Is there any chance you can explain exactly what the VATS switches/settings in EFILive actually do in the code? How did you find those switches? Is there anything else in the "system" segment of an LML bin that has anything possibly related to VATS?

Unfortunately the VATS calibrations are purely based on assumption based on byte patterns.

Your message was a bit of a long read but my thoughts are I don't think it will be possible to actually have the E86 run standalone, I say that because since 2006 many of GM's ECM's don't have an 'off switch' for the VATS. For the 2006+ E38 and pretty much every gas controller after that the OS requires a patch to force the ECM to never set a VATS no start condition. The code flow means turning VATS off in the system segment doesn't actually disable it.
If the E86 requires an OS patch (and why would it be any different?) then we are in trouble because the OS is RSA signature protected (which is why we've never done DSP5 for them too....that and Tri-Core sucks big time).

Maybe for you a better fix is to send your CAN messages so the ECM will accept the BCM is sending the ok to run signal......might be a nice little box to sell people doing conversions.

Cheers,
Ross

Snipesy
August 9th, 2016, 11:07 PM
All I know is which addresses have 'something' to do with the alleged VATS. Could try playing with them... There would be like 15 I think. Which I guess is pretty narrow. Could also cause a bricked ECM. *shrugs* it's really all I got at this point.

GMPX
August 10th, 2016, 08:25 AM
> Could also cause a bricked ECM.

Yeah they don't mind doing that do they :doh2:
For Ben as I said my concern is that the VATS parameters GM have used since 2006 haven't been enough to kill VATS for conversions. Now I know the LML is Bosch code but still you'd think the same spec would apply.

DURAtotheMAX
August 10th, 2016, 09:18 AM
> Unfortunately the VATS calibrations are purely based on assumption based on byte patterns.
>
> Your message was a bit of a long read but my thoughts are I don't think it will be possible to actually have the E86 run standalone, I say that because since 2006 many of GM's ECM's don't have an 'off switch' for the VATS.

Is there anything else in that "section" that looks VATS related?

The Europeans can "easily" disable the immobilizer in their EDC17's?

> For the 2006+ E38 and pretty much every gas controller after that the OS requires a patch to force the ECM to never set a VATS no start condition. The code flow means turning VATS off in the system segment doesn't actually disable it.

What about those Isuzu NPR trucks that have a 6.0? They run an E38 if I'm not mistaken... And sure as hell no fancy immobilizer or BCM in those junkers. :D



> Maybe for you a better fix is to send your CAN messages so the ECM will accept the BCM is sending the ok to run signal......might be a nice little box to sell people doing conversions.

Unless I figure out the crypto-algorithm for the immobilizer, I'm not going to be able to make my little box totally emulate a BCM.

On the LMM (which has the EXACT SAME immobilizer system, CAN messages, and password stuff as 11-14 LML), you can hit that LMM VATS switch, and then crank request CAN message works. Because on the LMM, that VATS switch tells the ECM to ignore the fact that CAN from the BCM (with the complex password challenge/response) is missing/invalid.....this is not the case on the LML. Why???? It's the exact same immobilizer system from 2007.5-2014 on all GM trucks/SUV's, regardless of engine/ECM.

I bought an E38 and T42 to mess around with on the bench....and see what I can get the ECM to do WITHOUT applying that special "VATS patch"...just by messing with the VATS switches in the "segment" section.
Just sucks I'll have to burn a $125 license when literally all I want to do is run some experiments on the bench here. :doh2: :(


Ben

GMC-2002-Dmax
August 10th, 2016, 10:30 AM
Gotta pay to play......I get weekly requests for LML conversions, I run from them like they are the plague because I know they won't start unless everything is present.

GMPX
August 11th, 2016, 10:27 AM
> The Europeans can "easily" disable the immobilizer in their EDC17's?

Ok but not every EDC17 is created equal, GM have theirs tailored to GM specs and if their spec says only pre-production controllers listen to VATS disable then that is what Bosch program them to do. I might be wrong, I just don't know Bosch code that deep to know 100% for sure.



> What about those Isuzu NPR trucks that have a 6.0? They run an E38 if I'm not mistaken... And sure as hell no fancy immobilizer or BCM in those junkers. :D

They may have a special OS written for them, much like the GMPP ECM's, no VATS in those either and that part of the OS is not standard GM.


> I bought an E38 and T42 to mess around with on the bench....and see what I can get the ECM to do WITHOUT applying that special "VATS patch"...just by messing with the VATS switches in the "segment" section.
> Just sucks I'll have to burn a $125 license when literally all I want to do is run some experiments on the bench here. :doh2: :(

I could have saved you even more money by telling you not to bother buying the E38 to experiment on. :hihi:
From memory how it worked was if the controller is flagged as a production controller (it checks for a valid SEED/KEY pair) then some of those VATS calibrations are ignored. What the OS patch does is just direct the code to where it flags the engine is allowed to start regardless of any of the checks it does.
And the license comment, Cindy sent you a PM on that so I am not sure why you even said what you said. :nixweiss:

DURAtotheMAX
August 11th, 2016, 10:46 AM
> They may have a special OS written for them, much like the GMPP ECM's, no VATS in those either and that part of the OS is not standard GM.

I'll have to do some reading on the E38 compatibility stuff...I might grab a VIN from an NPR, flash the ECM with a Tech 2, and read it out...


> From memory how it worked was if the controller is flagged as a production controller (it checks for a valid SEED/KEY pair) then some of those VATS calibrations are ignored. What the OS patch does is just direct the code to where it flags the engine is allowed to start regardless of any of the checks it does.

Interesting! Good info to know....that was one of the things I was curious about.


> And the license comment, Cindy sent you a PM on that so I am not sure why you even said what you said. :nixweiss:

Yep, I posted that response before I saw Cindy's PM...apologize about that/disregard that comment! :cheers:

I will keep this updated when I get my E38 here, and I'll weigh in on the E38/67 VATS thread when I start doing my bench experiments...because as far as I know, no one has actually done "in depth" CAN analysis of the messages, and BCM reverse engineering?

Ben

GMPX
August 11th, 2016, 11:19 AM
> I will keep this updated when I get my E38 here, and I'll weigh in on the E38/67 VATS thread when I start doing my bench experiments...

I'm not sure why you are doing the E38 though when it is the LML that is the issue.