Error $0331 when flashing CM2450B (CMF) controllers

[Blacky]

I've started this thread so that customers who have reported this issue have a place to discuss symptoms and possible solutions to this problem.

Recently (in the last few months) we have seen multiple reports of late model CM2450B (CMF) controllers failing the flash process and reporting error $0331 which means "Request out of range".
This failures usually occurs because one or more modules on the CAN bus/network continue to transmit data after a "bus silence" request has been issued.

The messages being transmitted appear to be from a module (or modules) that request data for, among other things:

• Primary_Accelerator_Pedal_Position
• Instantaneous_Percent_Load
• Target_Gear
• Current_Gear

The module (or modules) responsible for requesting that data must be identified and disconnected from the CAN bus or powered down so that they can no longer interfere with the flash process.

We have not yet been able to identify the module (or modules) responsible for requesting that data. It appears, based on the data being requested, that the module is some sort of tracking/logging device that is possibly recording the driver's inputs (throttle, gear etc.) to the vehicle. Possibly an insurance or extended warranty validation/data logger.

For now, until the module(s) can be identified, the best way to successfully flash the ECM is to remove it from the vehicle and use a bench harness.
You can purchase bench harnesses here: https://bench-force.com/collections/...ming-harnesses

Here is a trace of the flash process failing due to the negative response codes from the ECM when the ECM is trying to reject the rogue module's requests for data during the flash process. The trace does not include the actual requests from the rogue module, just the ECM's negative responses.


Here is a sample trace of the data that includes the data being transmitted by the rogue module on the CAN bus.
The blue messages are the messages being transmitted by the rogue module, the green messages are the ECM's negative response rejecting those requests. The red block identifies the repeating message schedule from the rogue module(s).



==============================

An updated firmware version is attached that includes a "Rogue module detector" option. The new option will emit an audible "tick" whenever a module transmits a message while the CAN network has been commanded to be silent.
Select the option and while you can hear the audible ticks, disconnect each module in turn from the CAN bus, or power down each module in turn until the ticks stop. When the ticks stop you know that you have disconnected the actual module causing the messages to be transmitted.
To use the new firmware:
Download the attached file, unzip it into the folder: \Program Files (x86)\EFILive\V8\Firmware.
Use the EFILive Explorer program to program in the new firmware.
Use the new option: Tune->F1: Tuning -> F4: Test OBD Network -> F4: Monitor Rogue Modules -> F1: Monitor CAN J1979

If you hear ticking sounds from the V3 device you know that one or rogue modules are transmitting messages.
If you hear nothing, then no modules are transmitting messages.

The test will run forever, you must press X to exit the test.

Regards
Paul

[Jim P]

I've had two trucks, a 2020 and a 2021 so far lock up the ECM and leave it in rom boot when trying trying to flash a custom SOTF file to it. Had to have the ECM sent to me to bench flash recover it.

[carter.turpin36@gmail.com]

I've had two trucks, a 2020 and a 2021 so far lock up the ECM and leave it in rom boot when trying trying to flash a custom SOTF file to it. Had to have the ECM sent to me to bench flash recover it.

any updates on this, currently dealing with this. Could you possibly PM me

[Blacky]

One thing that can help to track down the module(s) responsible is this:

Ensure your FlashScan/AutoCal are running firmware V3.00.100,

available as part of the beta release here: https://forum.efilive.com/showthread...1-Beta-Release



Could you please attempt the flash again, this time if/when it fails please do this:

1. Do not switch off the ignition.
2. Do not unplug AutoCal from the vehicle or from the PC.
3. On AutoCal select the option: Tune Tool -> F1: Tuning -> F4: Test OBD Network -> F1: Test CAN J1979
4. You will need to agree to the "Switch to BBX mode" prompt.
5. Wait for that to complete - it will save a trace file whether it succeeds or fails.
6. Unplug the AutoCal from the PC only - leave it connected to the vehicle with the ignition turned on.
7. On AutoCal select the option: Tune Tool -> F1: Tuning -> F4: Test OBD Network -> F1: Test CAN J1979
8. Wait for that to complete - it will save a trace file whether it succeeds or fails.
9. Reconnect AutoCal to the PC and use EFILive Explorer to copy those two *.xalm trace files to your PC.
10. Send both trace files to me, either by attaching them to this thread or directly to paul@efilive.com thanks.

Regards
Paul

[Blacky]

I have added a new option to help locate rogue modules on the CAN bus.
See end of first post for more info...

Regards
Paul

[BYTES]

When will be able to flash modified files ?

[Blacky]

When will be able to flash modified files ?

Probably, never. Digital signatures are designed to be virtually impossible to break. It's the same technology that underpins digital currency and prevents malicious actors from just making up new transactions on the block chain. Each transaction has to be digitally signed. If it was possible to break the digital signatures then you could make literally millions (billions?) of dollars spoofing the bitcoin blockchain. It's simply not possible - not yet anyway. Eventually digital signatures will be broken, maybe by super fast classical computers of the future or maybe by quantum computers (if they ever get them to work reliably) but that's still many years way.

The only hope right now to be able to flash them is if Cummins made a mistake and left an exploitable bug in the boot block. As far as we know, no such exploit exists.
The only reason we can flash the 19-21 Cummins is because Cummins did accidentally leave an exploitable bug in the old boot block - which we used to allow modified files to be flashed.
Cummins released an updated 2022 boot block to close down that exploit/bug.

It's a similar "arms" race in which iPhone "jail-breakers" engage with Apple. They find an exploit, then Apple releases an update to kill the exploit, then they start looking for another exploit. The major difference is that iPhones are designed to allow developers to develop software to run on iPhones, so the attack surface for the developer is enormous and exploits can be and are regularly discovered. With an ECM however, the attack surface is tiny, just a few OBDII commands that can be used to send data to/from the ECM. The attack surface is so small that it is relatively trivial for Cummins to close it completely - which apparently they have now done.

It may be possible to physically open the ECM and use dedicated hardware that can read/modify the data directly in the flash chip(s) - but that is not something that EFILive is looking at doing.

Regards
Paul

[BYTES]

Wow this is going to be fun, within the next 6-10 months these 2022 cummins will be available for free here in usa then because there are not parts
For repair and also people will not repair the stupid expensive bill of these parts needed to repair things will get interesting then, hopefully some Italian company develops a protocol to read this MCU by jtag then

[wait4me]

Hi Guys, I went to repair a truck that was stock and not running after a flash from a company. The Fix to this is to turn on the ignition. Then pull fuses 49 and 51 Under the hood. Your radio and the instrument cluster will turn off, Then hit the license button if you have not already, and then the full flash button. Then the flash will go thru just fine. IF you licensed the ecm previously then you do not have to hit the license button again. This will work if the computer is in bootmode from a failed flash and if it is talking and letting the truck run.

After the flash is complete, you can then put the fuses back into the fuse block.

Also, make sure your SGM bypass cable is plugged into one of the green connectors under the driver side kick panel area. Sometimes you have to try a few different open slots to get it to work too i have seen.

[jfreemanak]

Can anyone confirm if pulling the fuses mitigates the failed flash? I have always powered down the radio and HVAC system prior to flashing my truck. Would like to tune a friends truck but am apprehensive knowing this issue exists.