07-2013 GM BCM

Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

gmtech825 wrote:Success! Finally had more time to mess with this and was able to change the RVS timer. The ECM limits it to 21 minutes but I'm happy with that. It did end up being a bit of a guessing game after I narrowed it down to a few possibilities, but still only took a couple of tries to get it. I learned a whole lot in the process though so I'm happy.
Nice work!
I guess next up is the ECM?? :lol:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

possibly :lol: but 21 minutes is adequate for me. There are other things I might look into next. it looks like rear flashing lights can be enabled somehow, so that would be great for this truck since I plow with it. Time to fall down another rabbit hole :D
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

gmtech825 wrote:possibly :lol: but 21 minutes is adequate for me. There are other things I might look into next. it looks like rear flashing lights can be enabled somehow, so that would be great for this truck since I plow with it. Time to fall down another rabbit hole :D
I guess adding 6 minutes more is better than nothing! I mean the theoretical maximum in the BCM is way higher. I haven't actually looked at the ECM figures to know what it can go up to.
I would guess the next thing would be if the timer resets an unlimited number of times to allow unlimited restarts.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

this timer was actually set to 10 minutes stock, so I gained 11 minutes. It's looking like the restart limit may be a function of the ECM as well, but that contradicts one document I've read that states the limit is set by the Platform and not the powertrain.

Do you have any advice on decompiling the E38 ECM with Ghidra? I selected PowerPC with VLE for the processor type, but a lot of the code is showing R13 + some other value.

  if (*(char *)(in_r13 + -0x3172) == '\0') {
    if (DAT_001c09fa < *(ushort *)(in_r13 + 0x48a4)) {
      *(undefined *)(in_r13 + 0x48a3) = 1;
      *(undefined *)(in_r13 + 0x48a2) = 1;
      FUN_00151888(0);
      FUN_00151600(4);
    }
    else if (*(short *)(in_r13 + -0x7468) == 0) {
      if (((*(short *)(in_r13 + -0x19fe) == 8) && (*(char *)(in_r13 + -0x19fc) != '\0')) ||
         (*(char *)(in_r13 + -0x3116) != '\x01')) {
        if (DAT_001c09fe < *(ushort *)(in_r13 + 0x48ac)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(10);
        }
        else if (*(short *)(in_r13 + 0x48ae) == 0) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(7);
        }
        else if ((*(short *)(&DAT_00002cc4 + in_r13) == 2) || ((&DAT_00002cc6)[in_r13] == '\0')) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          *(undefined *)(in_r13 + 0x48a2) = 1;
          FUN_00151888(0);
          FUN_00151600(0xc);
        }
        else if ((DAT_001c09f4 < *(ushort *)(in_r13 + 0x48a6)) ||
                (DAT_001c09f6 < *(ushort *)(in_r13 + 0x48a8))) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          FUN_00151600(1);
        }
        else if (DAT_001c09f8 < *(ushort *)(in_r13 + 0x48aa)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
          FUN_00151600(8);
        }
        else if (((*(char *)(in_r13 + 0x4710) == '\0') || (*(char *)(in_r13 + 0x48b5) == '\0')) ||
                (*(short *)(in_r13 + -0x311a) < 0x800)) {
          *(undefined *)(in_r13 + 0x48a3) = 1;
        }
      }
      else {
        *(undefined *)(in_r13 + 0x48a3) = 1;
        *(undefined *)(in_r13 + 0x48a2) = 1;
        FUN_00151888(0);
        FUN_00151600(9);
      }
    }
    else {
      *(undefined *)(in_r13 + 0x48a3) = 1;
      *(undefined *)(in_r13 + 0x48a2) = 1;
      FUN_00151888(0);
      FUN_00151600(6);
    }
  }
  else {
    *(undefined *)(in_r13 + 0x48a3) = 1;
    *(undefined *)(in_r13 + 0x48a2) = 1;
    FUN_00151888(0);
    FUN_00151600(2);
  }
  return;
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

gmtech825 wrote:this timer was actually set to 10 minutes stock, so I gained 11 minutes. It's looking like the restart limit may be a function of the ECM as well, but that contradicts one document I've read that states the limit is set by the Platform and not the powertrain.

Do you have any advice on decompiling the E38 ECM with Ghidra? I selected PowerPC with VLE for the processor type, but a lot of the code is showing R13 + some other value.
Oh sorry, I was thinking of the recent late model BCMs, they came out with 15min timers after everyone complained about it being only 10min.

Quick way of identifying if there's an "overall" timer, is when you do a restart remote startup, does it go the full 21min again?

I think in my E38, the time was something like 45 or 50mins overall, meaning it would allow up to a total of 50mins remote start time. This meant that all remote starts total time together could be a maximum of 45-50mins (can't remember which one). On top of that is the per remote start time (which in your case is 21min), I believe in my E38, it was about 20min, so it could do 2 starts at extended time, then 1 shorter one.

What's conflicting with this, is it appears some trucks' overall timer 'restarts' on each remote start. This could be an ECU operating system thing, so have to keep that in mind.

I unfortunately don't have much more insight on the above, as I had to switch my ecu OS back to a Holden one so I could actually drive around, since the enable option didn't want to play nicely with the Holden OS :lol:

As for Ghidra, the E38 processors do not use VLE so need to turn that option off :)
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

It'll require verification but I believe there are 2 backup timers in the ECM. The first start is 21 minutes and the second is 11 minutes. There are two parameters in my ECM cal that seem to support this along with an engineering document I found that also states this is how the ECM/BCM control RVS. The BCM has the main timer, but the ECM has its own backup timer. If the BCM hasn't sent the shutdown command before the ECM backup timer expires then the ECM will force the shutdown. The BCM timer is only one byte, so with the conversion I think the max the BCM will allow will be around 40 minutes. The ECM timer looks to be 2 bytes so that will allow for a way longer time than the BCM ever will.

I'm still trying to get this ECM file to decompile better. I've tried non-VLE PowerPC processor types but they all display that same way. It seems to only be references related to register 13. For what it's worth IDA seems to do it as well. I'm hoping there's an easy way to fix that.
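
An added example, not part of any post in this thread and not the members' own code: assuming this firmware follows the PowerPC EABI convention, r13 holds the small-data-area base, so every `in_r13 + offset` in the listing above is a fixed RAM variable. The sketch rewrites the three r13 forms seen in that listing into absolute labels; `SDA_BASE` is a constructed placeholder (not the E38's real value) and the `RAM_` label naming is hypothetical.

```python
import re

# Constructed placeholder: NOT the E38's real r13 value. Take the real one
# from the firmware's startup code, where r13 is loaded once.
SDA_BASE = 0x003F8000

# Lines copied from the decompiler listing posted in the thread.
SAMPLE = r"""
if (DAT_001c09fa < *(ushort *)(in_r13 + 0x48a4)) {
  *(undefined *)(in_r13 + 0x48a3) = 1;
else if (*(short *)(in_r13 + -0x7468) == 0) {
else if ((*(short *)(&DAT_00002cc4 + in_r13) == 2) || ((&DAT_00002cc6)[in_r13] == '\0')) {
"""

# The three shapes the r13-relative accesses take in that listing.
R13_FORMS = re.compile(
    r"in_r13 \+ (?P<plain>-?0x[0-9a-fA-F]+)"          # in_r13 + 0x48a4
    r"|&DAT_(?P<sum>[0-9a-fA-F]{8}) \+ in_r13"        # &DAT_00002cc4 + in_r13
    r"|\(&DAT_(?P<index>[0-9a-fA-F]{8})\)\[in_r13\]"  # (&DAT_00002cc6)[in_r13]
)

def address(m, base):
    """Absolute address for one match; D-form displacements are signed 16-bit."""
    disp = int(m.group("plain") or m.group("sum") or m.group("index"), 16)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError(f"{disp:#x} is not a valid 16-bit displacement")
    return (base + disp) & 0xFFFFFFFF

def resolve(text, base=SDA_BASE):
    """Rewrite each r13-relative expression as a hypothetical RAM_xxxxxxxx label."""
    def repl(m):
        label = f"RAM_{address(m, base):08x}"
        # The indexed form is already a dereferenced value; the others are pointers.
        return label if m.group("index") else "&" + label
    return R13_FORMS.sub(repl, text)

def touched(text, base=SDA_BASE):
    """Map absolute address -> reference count, to spot shared flags and counters."""
    counts = {}
    for m in R13_FORMS.finditer(text):
        addr = address(m, base)
        counts[addr] = counts.get(addr, 0) + 1
    return counts

if __name__ == "__main__":
    print(resolve(SAMPLE))
```
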
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: 07-2013 GM BCM

Post by ironduke »

Just in case anyone else is wondering, I pulled my bench BCM from a 2008-20010 silverado and the main ecu is a Fujitsu MB91F011
I am able to write 2013 OS and cals to it so I assume it's the same processor 07-13? Anyone have any info on pulling flash from this? Xprog doesn't list it, I'll be googling it later, lol..
Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: 07-2013 GM BCM

Post by Vampyre »

I see you had success but no mention of where you found it :P, mind sharing. I am trying to help some Brits add remote start, they can get it activated but immediately shuts off, just wanna make sure the timer is set to something more than 3 seconds.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: 07-2013 GM BCM

Post by ironduke »

Vampyre wrote:I see you had success but no mention of where you found it :P, mind sharing. I am trying to help some Brits add remote start, they can get it activated but immediately shuts off, just wanna make sure the timer is set to something more than 3 seconds.
You mean it actually starts for a second and then turns off? or just the parking lights flash??
I've enabled a few usa trucks for rvs and never had a problem with the stock timer of 10 minutes being there..
Do you have a vin so I can look up the files? or the files themselves?
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Vampyre wrote:I see you had success but no mention of where you found it :P, mind sharing. I am trying to help some Brits add remote start, they can get it activated but immediately shuts off, just wanna make sure the timer is set to something more than 3 seconds.
All the parameters were in the system segments. Keep in mind the ECM software has to have the RVS enabled as well...but all the ECMs I've seen have had it enabled even if the truck didn't come with it to begin with. I'm willing to help out but I would need the flash I think.