One thing I've noticed, Bosch designed all this for MB several years before GM got it. My 05 E320 (which is basically the exact same CR fuel system as an LMM) uses very similar security and starting structure as you've listed above. So our possible data pool to learn from likely includes MB, plus VW / Audi in there too. No one ever reinvented the wheel, they just keep changing rim sizes...
Yes, from what I understand, the LML uses a European style immobilizer code/implementation in the ECM...since the LML ECM is infact just a GM-ized EDC17. As far as I know, GM didnt write any of the operating system/base code in the LML ECM, they basically just told Bosch what they wanted/needed, and then Bosch gave them tuning software (think EFILive) to write the engine calibration. But GM really had nothing to do with anything else on the ECM....so Bosch probably just carried over the stupid complicated immobilizer code from the traditional common European EDC17
1. Can you bump start a LML with manual trans in KOEO?
Manual transmission option disappeared way back in 2007. There was never any LMM or LML with a manual trans. Allison only.
That would tell us if that crank request message is actually required. I'll bet the ECM will fuel and fire long as that primary security OK message was received and the crank trigger is pulsing. If so, switch starter wiring to LLY / LBZ style and you've removed the second CAN message.
I know for a fact this wont work on an LML. You cant just jumper the starter relay. It wont start/enable fuel without a "crank-request" data message from the BCM...and maybe from the TDM too. That is the unknown, how much play the TDM has in just cranking the engine alone. I think quite a bit, because Ive heard of stock LMM's having anti-theft problems, and the truck wont even crank...so Im 99% sure we need to fake the BCM and TDM to make the engine start.
Need to verify those security message between BCM and ECM across several vehicles. Again going out on a limb here, security OK or not-OK messages (at hex or binary CAN level) are gonna be same across all vehicles. If not the ECM and BCM are "married" or VIN coded at some point so they know each others key. Sending this one over to my GM tech bud for further input.
Thats easy. Take your LMM you have there, go to the hardware store, and have the key copied to a "non-chipped" key...should only cost $5. Now try to start the truck. Obviously the engine wont run, but see if it will crank with no chip present in the key.
Log messages on LS GMLAN from the TDM to the BCM with both a valid key and a non-valid key. Then log HS GMLAN messages from the BCM to the ECM with a valid key and non-valid key.
Once you do that, its just a matter of deciphering the data. At least on my truck, it only took me about 10 minutes of looking over the databus logs to find where/when the password was transmitted in the code....and what a valid fuel enable password looks like, and a non-valid/fuel DISABLE message looks like.
Once you find the fuel enable password and the "fuel enable/disable" message, and the TDM SOH health messages...unplug the TDM, and use the CBT to broadcast both the TDM SOH messages, and the "fuel enable" password. NOTE: you'll have to do this all on the LS GMLAN bus...lets eliminate ONE thing at a time...its easier to work on the slower low speed bus anyways.
So say now you specifically spoofed the message from the TDM, and you can make the truck start with the TDM disconnected (and wrong key) just by sending a LS GMLAN message to the BCM that gives TDM SOH and fuel enable password.
Now you just have to log the HS GMLAN bus and find out what a valid "crank request with proper fuel enable password" message looks like. That should be it....
Last, I do have access to a LMM stand alone ECM & TCM combo running fine in with only VATS turned off. It's in the boat I've been helping out on. Give ya some more details later. But don't recall anything else special being done. Maybe slight starter relay circuit changes.
Ok cool, and you're sure its an LMM right? And not an LBZ? Did the engine start with no relay load on the "starter relay control circuit"? Or did you have to put a dummy load on the control circuit, and then just jump the starter solenoid???
So then I guess the LMM ECM uses the older "simpler" non-Euro style VATS and immobilizer code, that can be easily disabled in the calibration with EFILive...no base level operating system changes needed.
But still, we can use the LMM for R&D...because electrically and databus-ly its the same as a 2011-2014 LML.
Ben
