07-2013 GM BCM

Posts: 90
Joined: Thu Jan 16, 2014 12:41 pm

Re: 07-2013 GM BCM

Postby 04colyZQ8 » Tue Apr 26, 2022 1:53 am

ironduke wrote:
04colyZQ8 wrote:I wonder if hex ... 09 * 1000 which is 589,824 in decimal, which is 9.83 minutes could tell us anything? I'd search for 09 in the segment that contains the hood pin Boolean and change 09 to 05 and see if it cuts the time down.


Would you still do that if I had timed the remote start runtime and ended up with 10 minutes and 1.6 seconds... so 10:01.6?? You had asked and I had timed it again and posted.. I don't know why we'd start looking at 9 minutes? or 9.83 minutes.. It certainly ran for damn near exactly 10 minutes, and the 1.6 seconds was probably me fat fingering the stop button on my phone.. lol



The way I look at it, if it's stored in seconds or milliseconds then it's got to start with 09 in hex, or something like 09 xx xx, so just in case it's not exactly 09 27 C0 I'm just saying start with the most obvious MSB, which is 09.

Otherwise it must be set as a Boolean in the OS or hard coded in the OS.

Are there any applications in the cars or trucks that this style of BCM was used in, even overseas, that have a different remote timer?

Posts: 90
Joined: Thu Jan 16, 2014 12:41 pm

Re: 07-2013 GM BCM

Postby 04colyZQ8 » Tue Apr 26, 2022 1:55 am

What's the timeout on a Holden Ute or Commodore? They use the same family of BCM.

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Tue Apr 26, 2022 5:00 am

Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0

Posts: 90
Joined: Thu Jan 16, 2014 12:41 pm

Re: 07-2013 GM BCM

Postby 04colyZQ8 » Tue Apr 26, 2022 5:18 am

gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0


PID for scan tools?

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Tue Apr 26, 2022 6:28 am

04colyZQ8 wrote:
gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0


Pid for scan tools?


correct

Posts: 2918
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Tue Apr 26, 2022 10:23 am

04colyZQ8 wrote:What's the timeout on a Holden Ute or Commodore? They use the same family of BCM.


Our Holden VE (2007-2012) never received factory remote start.
It can be done, but required custom programming of the BCM, ECM and RFA module.

The BCM must have already had the timer set in it, since from memory I only had to program a few bytes to 01 to enable it.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Tue Apr 26, 2022 11:09 pm

Found the location for handling scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PIDs are referenced though.

Posts: 2918
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Wed Apr 27, 2022 3:22 pm

gmtech825 wrote:Found the location for handling scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PIDs are referenced though.

Well, understanding the PID should help realistically.

If you can point out where it's actually sending the reply to messages, we might be able to start actually trying to make a custom GM kernel to dump RAM areas which could be of interest.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Thu Apr 28, 2022 12:02 am

Here is the function I found for mode 22:

    case 0x22:
      MODE_22_FUNCTION();
      break;


/* Mode 0x22 (ReadDataByIdentifier) handler: 0x62 is the positive response
   SID, 0x7f 0x22 xx is a negative response with NRC xx */
void MODE_22_FUNCTION(void)

{
  int iVar1;
  uint uVar2;
  uint unaff_r9;
  ushort *unaff_r11;
  BADSPACEBASE *in_r15;
  undefined *puVar3;
  undefined4 *puVar4;
 
  puVar4 = (undefined4 *)&stack0xffffffec;
  puVar3 = &stack0xffffffec;
  if (DAT_0003edec == '\x03') {                 /* only handled in this session state */
    unaff_r9 = (uint)CONCAT11(POSS_MODE_SUB_OR_PID_value,POSS_PID_BYTE_2);   /* 16-bit PID */
    unaff_r11 = (ushort *)PID_FUNCTION();       /* sorted PID table */
    iVar1 = FUN_DECIMAL_209();                  /* table length, 209 entries */
    uVar2 = POSS_PID_LOOKUP_ROUTINE(unaff_r11,iVar1,unaff_r9);
    if (uVar2 == 0xffff) {                      /* PID not in table */
      if ((DAT_0003ee6d & 0x10) == 0) {
        CAN_TX(0x7f,0x22,0x31);                 /* negative response, NRC 0x31 */
      }
    }
    else {
      iVar1 = FUN_000d54f2(uVar2,&DAT_0003ee05);   /* build data record for entry uVar2 */
      CAN_RESPONSE = 0x62;                      /* positive response to 0x22 */
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);          /* send: data length + 3 header bytes */
    }
  }
  else {
    CAN_TX(0x7f,0x22,0x12);                     /* negative response, NRC 0x12 */
    puVar4 = (undefined4 *)puVar3;
  }
  *puVar4 = &DAT_0003edec;
  puVar4[-1] = unaff_r9;
  puVar4[-2] = &CAN_RESPONSE;
  puVar4[-3] = unaff_r11;
  return;
}



undefined * PID_FUNCTION(void)

{
  return &PID_s;
}



undefined4 FUN_DECIMAL_209(void)

{
  return 0xd1;
}


/* Binary search for param_3 in the sorted 16-bit table param_1 of length param_2.
   The SBORROW4 expressions are just signed <, <= and == comparisons.
   Returns the table index, or 0xffff if not found. */
uint POSS_PID_LOOKUP_ROUTINE(ushort *param_1,int param_2,uint param_3)

{
  uint uVar1;
  uint uVar2;
  uint uVar3;
  uint uVar4;
 
  uVar3 = param_2 - 1U & 0xffff;
  uVar2 = 0;
  if (((byte)(SBORROW4(param_3,(uint)*param_1) ^ (int)(param_3 - *param_1) < 0) != 1) &&
     (uVar1 = (uint)param_1[param_2 - 1U],
     (byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1)) {
    while ((byte)(SBORROW4(uVar2,uVar3) ^ (int)(uVar2 - uVar3) < 0 | uVar2 == uVar3) == 1) {
      uVar4 = (uVar2 + uVar3) / 2;
      uVar1 = (uint)param_1[uVar4];
      if ((byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1) {
        if ((int)(uint)param_1[uVar4] <= (int)param_3) {
          return uVar4;
        }
        uVar3 = uVar4 - 1 & 0xffff;
      }
      else {
        uVar2 = uVar4 + 1 & 0xffff;
      }
    }
  }
  return 0xffff;
}


PID_s is the start of the PID table, address x000faed4 in my file.

I labeled a couple of things, and I can see the negative and positive responses, but maybe you can make more sense of it.
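Added example, not code from the thread or the BCM: a readable port of the decompiled mode 0x22 path above, so the lookup and the response cases can be checked against constructed input. The PID table contents, the session value and the "suppress negative response" flag are assumptions; only 0x22, 0x62, 0x7f, 0x31, 0x12, 0xd1 and 0xffff come from the decompile.

```python
from typing import List, Optional

UDS_READ_DATA_BY_ID = 0x22
UDS_POSITIVE_OFFSET = 0x40            # positive SID = request SID + 0x40 (0x22 -> 0x62)
UDS_NEGATIVE_SID = 0x7F
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12  # sent when the session byte (DAT_0003edec) != 0x03
NRC_REQUEST_OUT_OF_RANGE = 0x31       # sent when the PID is not in the table
NOT_FOUND = 0xFFFF

# Constructed PID table: 209 (0xD1) sorted 16-bit identifiers, the count that
# FUN_DECIMAL_209() returns. The real table at PID_s is not shown on the page.
PID_TABLE = [0x1100 + 2 * i for i in range(0xD1)]

def pid_lookup(table: List[int], count: int, pid: int) -> int:
    """Port of POSS_PID_LOOKUP_ROUTINE: binary search of a sorted PID table.
    The SBORROW4 expressions in the decompile are plain signed <, <=, == tests.
    Returns the table index, or 0xFFFF when the PID is absent."""
    if pid < table[0] or pid > table[count - 1]:   # range check on the ends first
        return NOT_FOUND
    lo, hi = 0, (count - 1) & 0xFFFF
    while lo <= hi:
        mid = (lo + hi) // 2
        if pid <= table[mid]:
            if table[mid] <= pid:          # both tests true means equal
                return mid
            hi = (mid - 1) & 0xFFFF        # mid == 0 is ruled out by the range check
        else:
            lo = (mid + 1) & 0xFFFF
    return NOT_FOUND

def handle_mode_22(request: bytes, table: List[int], session: int,
                   suppress_nrc: bool) -> Optional[bytes]:
    """Port of MODE_22_FUNCTION's control flow.
    request:      SID 0x22 followed by the two PID bytes
    session:      the DAT_0003edec byte; the handler only runs when it is 0x03
    suppress_nrc: bit 0x10 of DAT_0003ee6d, which silences the 0x31 response
    Returns the bytes the BCM would put on CAN, or None when nothing is sent."""
    sid, pid_hi, pid_lo = request[0], request[1], request[2]
    if session != 0x03:
        return bytes([UDS_NEGATIVE_SID, sid, NRC_SUBFUNCTION_NOT_SUPPORTED])
    pid = (pid_hi << 8) | pid_lo          # CONCAT11(POSS_MODE_SUB_OR_PID_value, POSS_PID_BYTE_2)
    if pid_lookup(table, len(table), pid) == NOT_FOUND:
        return None if suppress_nrc else bytes([UDS_NEGATIVE_SID, sid, NRC_REQUEST_OUT_OF_RANGE])
    # Positive response: 0x62, the PID echoed, then the data record FUN_000d54f2 fills in.
    # Its contents are not visible in the decompile, so only the 3-byte header is built.
    return bytes([sid + UDS_POSITIVE_OFFSET, pid_hi, pid_lo])
```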

Posts: 90
Joined: Thu Jan 16, 2014 12:41 pm

Re: 07-2013 GM BCM

Postby 04colyZQ8 » Thu Apr 28, 2022 6:39 am

That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself, based on the assembly code given by disassembling in IDA? Or does the program you have spit this wonderful code out?

I really would like to see my code disassembled like this!
