07-2013 GM BCM

User avatar
Posts: 2912
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Wed May 18, 2022 10:08 am

gmtech825 wrote:Success! finally had more time to mess with this and was able to change the RVS timer. The ECM limits it to 21 minutes but I'm happy with that. It did end being a bit of a guessing game after I narrowed it down to a few possibilities, but still only took a couple of tries to get it. I learned a whole lot in the process though so I'm happy.

Nice work!
I guess next up is the ECM?? :lol:
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Wed May 18, 2022 9:50 pm

possibly :lol: but 21 minutes is adequate for me. There are other things I might look into next. it looks like rear flashing lights can be enabled somehow, so that would be great for this truck since I plow with it. Time to fall down another rabbit hole :D

User avatar
Posts: 2912
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Thu May 19, 2022 11:06 am

gmtech825 wrote:possibly :lol: but 21 minutes is adequate for me. There are other things I might look into next. it looks like rear flashing lights can be enabled somehow, so that would be great for this truck since I plow with it. Time to fall down another rabbit hole :D


I guess adding 6minutes more is better then nothing! I mean the theoretical maximum in the BCM is way higher. I havent actually looked at the ECM figures to know what it can go up to.
I would guess the next thing would be if the timer resets an unlimited number of times to allow unlimited restarts.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Thu May 19, 2022 10:07 pm

this timer was actually set to 10 minutes stock, so I gained 11 minutes. It's looking like the restart limit may be a function of the ECM as well, but that contradicts one document I've read that states the limit is set by the Platform and not the powertrain.

Do you have any advice on decompiling the E38 ECM with ghidra. I selected powper pc with VLE for the processor type, but a lot of the code is showing R13 + some other value.

Code: Select all
  if (*(char *)(in_r13 + -0x3172) == '\0') {
    if (DAT_001c09fa < *(ushort *)(in_r13 + 0x48a4)) {
      *(undefined *)(in_r13 + 0x48a3) = 1;
      *(undefined *)(in_r13 + 0x48a2) = 1;
      FUN_00151888(0);
      FUN_00151600(4);
    }
    else if (*(short *)(in_r13 + -0x7468) == 0) {
      if (((*(short *)(in_r13 + -0x19fe) == 8) && (*(char *)(in_r13 + -0x19fc) != '\0')) ||
         (*(char *)(in_r13 + -0x3116) != '\x01')) {
        if (DAT_001c09fe < *(ushort *)(in_r13 + 0x48ac)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(10);
        }
        else if (*(short *)(in_r13 + 0x48ae) == 0) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(7);
        }
        else if ((*(short *)(&DAT_00002cc4 + in_r13) == 2) || ((&DAT_00002cc6)[in_r13] == '\0'))  {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(0xc);
        }
        else if ((DAT_001c09f4 < *(ushort *)(in_r13 + 0x48a6)) ||
                (DAT_001c09f6 < *(ushort *)(in_r13 + 0x48a8))) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          FUN_00151600(1);
        }
        else if (DAT_001c09f8 < *(ushort *)(in_r13 + 0x48aa)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          FUN_00151600(8);
        }
        else if (((*(char *)(in_r13 + 0x4710) == '\0') || (*(char *)(in_r13 + 0x48b5) == '\0')) | |
                (*(short *)(in_r13 + -0x311a) < 0x800)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
        }
      }
      else {
        *(undefined *)(in_r13 + 0x48a3) = 1;
        *(undefined *)(in_r13 + 0x48a2) = 1;
        FUN_00151888(0);
        FUN_00151600(9);
      }
    }
    else {
      *(undefined *)(in_r13 + 0x48a3) = 1;
      *(undefined *)(in_r13 + 0x48a2) = 1;
      FUN_00151888(0);
      FUN_00151600(6);
    }
  }
  else {
    *(undefined *)(in_r13 + 0x48a3) = 1;
    *(undefined *)(in_r13 + 0x48a2) = 1;
    FUN_00151888(0);
    FUN_00151600(2);
  }
  return;

User avatar
Posts: 2912
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Fri May 20, 2022 9:44 am

gmtech825 wrote:this timer was actually set to 10 minutes stock, so I gained 11 minutes. It's looking like the restart limit may be a function of the ECM as well, but that contradicts one document I've read that states the limit is set by the Platform and not the powertrain.

Do you have any advice on decompiling the E38 ECM with ghidra. I selected powper pc with VLE for the processor type, but a lot of the code is showing R13 + some other value.


Oh sorry, I was thinking of the recent late model BCMs, they came out with 15min timers after everyone complained about it being only 10min.

Quick way of identifying if theres an "overall" timer, is when you do a restart remote startup, does it go the full 21min again?

I think in my E38, the time was something like 45 or 50mins overall, meaning it would allow up to a total of 50mins remote start time. This meant that all remote starts total time together could be a maximum of 45-50mins (Cant remember which one). Ontop of that is the per remote start time (Which in your case is 21min), I believe in my E38, it was about 20min, so it could do 2 starts at extended time, then 1 shorter one.

Whats conflicting with this, is it appears some trucks overall timer 'restarts' on each remote start. This could be an ECU operating system thing, so have to keep that in mind.

I unfortunately don't have much more insight on the above, as I had to switch my ecu OS back to a Holden one so I could actually drive around, since the enable option didn't want to play nicely with the Holden OS :lol:

As for ghidra, the E38 processors do not use VLE so need to turn that option off :)
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726
Image

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Sat May 21, 2022 10:54 pm

It'll require verification but I believe there are 2 backup timers in the ecm. the first start is 21 minutes and the second is 11 minutes. There are two parameters in my ECM cal that seem to support this aong with an engineering document I found that also states this is how the ECM/BCM control RVS. The BCM has the main timer, but the ecm has it's own backup timer. if the bcm hasn't sent the shutdown command before the ecm backup timer expires then the ECM will force the shutdown. The BCM timer is only one byte, so with the conversion I think the max the BCM will allow will be around 40 minutes. The ecm timer looks to be 2 bytes so that will allow for a way longer time than the BCM ever will.

I'm still trying to get this ecm file to decompile better. I've tried non VLE powerpc processor types but they all display that same way. It seems to only be references related to register 13. For what it's worth IDA seems to do it as well. I'm hoping there's an easy way to fix that.

Posts: 431
Joined: Thu Feb 13, 2020 11:32 pm

Re: 07-2013 GM BCM

Postby ironduke » Sat May 28, 2022 5:36 am

Just in case anyone else is wondering, I pulled my bench BCM from a 2008-20010 silverado and the main ecu is a Fujitsu MB91F011
I am able to write 2013 OS and cals to it so I assume it's the same processor 07-13? Anyone have any info on pulling flash from this? Xprog doesn't list it, I'll be googling it later, lol..

Previous

Return to Other Tuning

Who is online

Users browsing this forum: No registered users and 1 guest