Dumping GM C3 ECM mask ROM

Ludis Langens ludis at netcom.com
Mon Oct 20 13:37:22 GMT 1997


I've been asked to provide the following information to the mailing list.

The GM C3 class of ECM typically has a socket for a (relatively) small EPROM.
This EPROM is big enough to hold all the ECM's calibration data, but not the
program code.  Most of the program code is instead stored in one or more mask
ROMs soldered to the ECM circuit board.  Getting a full disassembly of the
entire ECM program clearly requires dumping these mask ROMs.

At first look, you might think that the ROMs will need to be unsoldered before
they will give up their secrets.  However, that is not the case.  Some of the
ECMs have a 40 pin edge card test connector.  The processor's entire address
and data buses, as well as various control signals, are brought out to this
connector.  Some other C3's expand the edge card to 60 pins, but the circuit
board is cut to also accept a connector for the original 40 pin subset.  Here
are several non-destructive methods to dump the ROMs via the edge card:

 1) The CPU used in these ECMs has the 6800 style ~HALT and BA (BusAvailable)
    signals.  These signals can give you enough access to the bus to perform a
    read cycle on any memory address, including the mask ROM.

 2) Pin 32 of the edge card is a ~ROMDisable input.  It is pulled up to VCC
    with a resistor in the ECM.  By grounding this input, it is possible to
    knock the mask ROM off the bus, provide your own reset vector as the CPU
    comes out of reset, and thus take control of the ECM's CPU.  (The reset
    vector is located in and points into the mask ROM.)  Reenabling and
    dumping the ROM once you have your code running in the ECM is left as
    an exercise for the student.

 3) The CPU used in these ECMs has the 6801 style $4E and $5E test opcodes.
    These two instructions cause the CPU to enter a test mode where the
    address bus increments with each E cycle.  This will cause the entire
    memory image to be dumped onto the data bus.  Use the ~ROMDisable input
    to help inject one of the test opcodes, and a logic analyzer to capture
    the memory image.

 4) Some of the ECMs have a factory bench test mode.  This mode is entered by
    a nonsense combination of ECM inputs.  In one ECM that I've looked at,
    this is a power supply (battery) voltage of less than 10 volts, a fuel
    pump sense voltage of more than 16 volts, and a 3.9K resistor on the ALDL
    input.  As part of the bench test, the ECM computes a check value from
    the entire mask ROM contents.  While it does this, use a logic analyzer to
    capture the ROM image.

 5) The ECM program checks for a calibration box interface ROM at memory
    address $5800.  It expects ten or so vectors of the form "JMP $58__".  If
    it finds them, various vectors will be invoked at various places in the
    ECM program.  The definition of these vectors does not appear to be 100%
    standardized.  However, simply point all of them at your ROM dump code
    and proceed as for method 2 above.

Here are two more methods that are variations of the previous methods:

 6) The EPROM contains a portion of the ECM program.  If you can identify
    which parts are code, and if you can compute your own EPROM check value,
    then you can place your own ROM dumping function into the EPROM.  If you
    aren't sure of the entry points, fill most of the space with single byte
    NOPs, and at the end of the EPROM, place a JMP to your code.  Note, the
    ECM might not invoke any code in the EPROM until it thinks the engine is
    running.

 7) Instead of placing a dumping function in the EPROM as per method 6, fill
    the EPROM with $4E or $5E test opcodes and proceed as per method 3.

There is one other useful item to know when dumping the mask ROM with any of
the above methods:  Pin 34 of the edge card is a ~COPDisable input.  (COP ==
Computer Operating Properly watchdog.)  It is pulled to VCC with a resistor.
The COP will usually stay off if it has never been tickled, but once started,
it will keep resetting the ECM until the power fails and all the COP's
capacitors fully discharge.  (Unless it is serviced by your software...)
Ground the input to keep the COP muzzled.

If you don't have a fancy logic analyzer, and don't want to build something to
log a large number of address/data pairs, there is a simpler solution.
Connect a (battery backed up or dual port) SRAM to the buses and configure it
to write the data bus value into the SRAM with each memory reference.  With
methods 3, 4, and 7, this will load the SRAM with a copy of the ROM.  You can
then dump the SRAM with other tools.

I now expect a flurry of C3 ROM trading on the list...

                   unsigned long BinToBCD(unsigned long i) {unsigned long t;
Ludis Langens         return i ? (t = BinToBCD(i >> 1), (t << 1) + (i & 1) + 
ludis at netcom.com                 (t + 858993459 >> 2 & 572662306) * 3) : 0;}
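
For the logic analyzer captures of methods 3, 4 and 7, an added example (not part of the original post) of turning logged address/data pairs into a ROM image: it majority-votes repeated reads, lists addresses never captured, and checks that the 6800-family reset vector at $FFFE/$FFFF points into the dump, as the post says it does. The CSV layout, the address range and the sample bytes are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

def rebuild_image(capture_csv, start, end, fill=0xFF):
    """Rebuild [start, end] from 'addr,data' hex samples (assumed CSV export).

    Returns (image, missing, conflicts): addresses never sampled are filled
    with `fill`; addresses read with differing values are majority-voted.
    """
    seen = defaultdict(Counter)
    for row in csv.reader(io.StringIO(capture_csv)):
        if len(row) < 2 or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comment rows
        addr, data = int(row[0], 16), int(row[1], 16)
        if start <= addr <= end and 0 <= data <= 0xFF:
            seen[addr][data] += 1
    image = bytearray([fill]) * (end - start + 1)
    missing, conflicts = [], []
    for addr in range(start, end + 1):
        votes = seen.get(addr)
        if not votes:
            missing.append(addr)
            continue
        if len(votes) > 1:
            conflicts.append(addr)  # noisy or mistimed sample at this address
        image[addr - start] = votes.most_common(1)[0][0]
    return bytes(image), missing, conflicts

def reset_vector_in_dump(image, start, end):
    """6800-family reset vector: big-endian word at $FFFE/$FFFF."""
    if not (start <= 0xFFFE and end >= 0xFFFF):
        return None, False
    vec = (image[0xFFFE - start] << 8) | image[0xFFFF - start]
    return vec, start <= vec <= end

# Constructed sample, not from a real ECM: three sweeps over $FFF8-$FFFF,
# $FFFB never captured, one glitched read of $FFFE, one out-of-range sample.
_SWEEP = ["FFF8,7E", "FFF9,FF", "FFFA,F8", "FFFC,01", "FFFD,02", "FFFE,FF", "FFFF,F8"]
SAMPLE = "\n".join(["# addr,data"] + _SWEEP[:5] + ["FFFE,FB", "FFFF,F8"]
                   + _SWEEP + _SWEEP + ["0123,AA"])

if __name__ == "__main__":
    img, missing, conflicts = rebuild_image(SAMPLE, 0xFFF8, 0xFFFF)
    print(img.hex(), [hex(a) for a in missing], [hex(a) for a in conflicts])
    print(reset_vector_in_dump(img, 0xFFF8, 0xFFFF))
```

A non-empty missing or conflict list means the capture should be repeated before the image is disassembled.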


