07-2013 GM BCM

Posts: 2918
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Thu Apr 28, 2022 9:07 am

Code:
      Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);


I would assume the 'success' CAN TX would be FUN_000d9c8e(iVar1 + 3U & 0xff);
I wouldn't think Var1 is the actual calculated response since it's being & 0xFF, which makes it only 1 byte in size.
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Thu Apr 28, 2022 9:31 pm

04colyZQ8 wrote:That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself? Based on the assembly code given by disassembling in IDA? Or does the program you have spit this wonderful code out?

I really would like to see my code disassembled like this!



This is from Ghidra. If you are referring to the labels for functions etc., I manually added those.

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Thu Apr 28, 2022 10:50 pm

Tazzi wrote:
Code:
      Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);


I would assume the 'success' CAN TX would be FUN_000d9c8e(iVar1 + 3U & 0xff);
I wouldn't think Var1 is the actual calculated response since it's being & 0xFF, which makes it only 1 byte in size.


Code:
void FUN_000d9c8e(int param_1)

{
  DAT_0003edb4 = 3;
  FUN_000e0716(1,&CAN_RESPONSE,param_1);
  return;
}



Code:
undefined4 FUN_000e0716(int param_1,undefined4 param_2,int param_3)

{
  undefined uVar1;
  undefined4 uVar2;
  int iVar3;
  int iVar4;
 
  FUN_000dc894();
  iVar3 = param_1 * 6;
  if ((&DAT_0003f39b)[iVar3] == '\0') {
    if ((byte)(SBORROW4(param_3,7) ^ param_3 + -7 < 0 | param_3 == 7) == 0) {
      uVar1 = 0x20;
    }
    else {
      uVar1 = 0x10;
    }
    (&DAT_0003f39b)[iVar3] = uVar1;
    (&DAT_0003f398)[param_1 * 3] = 0xb;
    FUN_000dc8b8();
    iVar4 = param_1 * 0xc;
    *(undefined4 *)(&DAT_0003f374 + iVar4) = param_2;
    *(undefined2 *)(&DAT_0003f378 + iVar4) = 0;
    *(short *)(&DAT_0003f37a + iVar4) = (short)param_3;
    (&DAT_0003f39c)[iVar3] = (&DAT_0003f39c)[iVar3] | 0x80;
    uVar2 = 0;
  }
  else {
    FUN_000dc8b8();
    uVar2 = 3;
  }
  return uVar2;
}



Here is FUN_000d9c8e. I think you are right; FUN_000d9c8e is also used for the other modes.

One thing I did find was the security ($27 mode) delay timer, which is 400. Now, assuming it is 10 seconds (which may not be the case), then if it used the same conversion (which also may not be the case), 0x5dC0 would be a possibility. Finding new things every day... just not what I need.
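To make the decompiled FUN_000e0716 easier to reason about, here is an added Python model of what it appears to do; this is not firmware code and not anything posted in the thread. Assumptions: the six parallel DAT_ arrays are treated as one per-channel slot record with constructed field names, FUN_000dc894/FUN_000dc8b8 are treated as a critical-section enter/exit pair, and the 0x10/0x20 values chosen by the signed compare against 7 are read as ISO 15765-2 single-frame vs. first-frame markers (7 bytes being the classic-CAN single-frame payload limit). The sborrow4/ghidra_signed_le helpers show that Ghidra's `SBORROW4(a,b) ^ a + -7 < 0 | a == 7` idiom is just a signed `a <= 7`.

```python
# Added example, not firmware code: a Python model of the transmit-slot logic that the
# decompiled FUN_000e0716 appears to implement. Field names are constructed for the example.
from dataclasses import dataclass

TX_OK = 0              # uVar2 = 0: slot was free and has been populated
TX_BUSY = 3            # uVar2 = 3: slot already claimed, request rejected
SINGLE_FRAME_MAX = 7   # the signed compare against 7 in the decompilation


def sborrow4(a, b):
    """Ghidra's SBORROW4: true when the signed 32-bit subtraction a - b overflows."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    r = (a - b) & 0xFFFFFFFF
    return ((a ^ b) & (a ^ r) & 0x80000000) != 0


def ghidra_signed_le(a, b):
    """The idiom SBORROW4(a,b) ^ (a - b < 0) | (a == b) as Ghidra prints it; equals signed a <= b."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    diff_negative = ((a - b) & 0xFFFFFFFF) >= 0x80000000
    return (sborrow4(a, b) ^ diff_negative) | (a == b)


def frame_type(length):
    # uVar1 = 0x10 when param_3 <= 7, else 0x20 (assumed: single-frame vs. first-frame marker)
    return 0x10 if ghidra_signed_le(length, SINGLE_FRAME_MAX) else 0x20


@dataclass
class TxSlot:
    state: int = 0      # (&DAT_0003f39b)[idx*6]    0 = free, else frame type
    status: int = 0     # (&DAT_0003f398)[idx*3]    set to 0x0B when claimed
    data: bytes = b""   # *(&DAT_0003f374 + idx*12) pointer to the response bytes (param_2)
    offset: int = 0     # *(&DAT_0003f378 + idx*12) reset to 0 (bytes already sent, assumed)
    length: int = 0     # *(&DAT_0003f37a + idx*12) param_3
    flags: int = 0      # (&DAT_0003f39c)[idx*6]    bit 7 marks the slot as pending


def queue_response(slots, idx, payload):
    """Model of FUN_000e0716(idx, &payload, len(payload)); returns TX_OK or TX_BUSY.
    FUN_000dc894/FUN_000dc8b8 around the check are assumed to be a critical section."""
    slot = slots[idx]
    if slot.state != 0:
        return TX_BUSY            # someone else owns the slot; nothing is copied
    slot.state = frame_type(len(payload))
    slot.status = 0x0B
    slot.data = bytes(payload)
    slot.offset = 0
    slot.length = len(payload)
    slot.flags |= 0x80
    return TX_OK


def release_slot(slots, idx):
    """Constructed helper, not in the decompilation: what the real transmit path would do
    once the queued bytes have gone out on the bus, so the slot can be reused."""
    slots[idx] = TxSlot()


if __name__ == "__main__":
    slots = [TxSlot() for _ in range(2)]
    print(queue_response(slots, 1, b"\x62\x12\x34\x01\x02"))   # 0
    print(queue_response(slots, 1, b"\x7f\x22\x12"))           # 3, slot still claimed
    release_slot(slots, 1)
    print(queue_response(slots, 1, bytes(12)), hex(slots[1].state))  # 0 0x20
```

The busy return is the part worth noticing: a second response queued while the first is still pending is silently dropped with return value 3, which is consistent with the function being a copy-into-buffer step rather than the actual bus write.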

Site Admin
Posts: 7206
Joined: Sat Feb 28, 2009 8:34 pm

Re: 07-2013 GM BCM

Postby antus » Fri Apr 29, 2022 10:24 am

I think MODE_22_FUNCTION(void) might be handling responses of different lengths. It seems like it has some special handling for 3-byte packets, including the mask of ivar1+3 to one byte, perhaps because it's stored as a word. Then the other error conditions, and finally maybe a transmission for a longer packet at the end. Looking at https://en.wikipedia.org/wiki/OBD-II_PIDs I can see all kinds of different length responses, including the IAT sensor which is 3 bytes. If this is the case then DAT_0003edec is the length of the response payload.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Fri Apr 29, 2022 10:59 pm

antus wrote:I think MODE_22_FUNCTION(void) might be handling responses of different lengths. It seems like it has some special handling for 3-byte packets, including the mask of ivar1+3 to one byte, perhaps because it's stored as a word. Then the other error conditions, and finally maybe a transmission for a longer packet at the end. Looking at https://en.wikipedia.org/wiki/OBD-II_PIDs I can see all kinds of different length responses, including the IAT sensor which is 3 bytes. If this is the case then DAT_0003edec is the length of the response payload.




Thanks for confirming this.

Site Admin
Posts: 7206
Joined: Sat Feb 28, 2009 8:34 pm

Re: 07-2013 GM BCM

Postby antus » Fri Apr 29, 2022 11:19 pm

Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7f error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Sat Apr 30, 2022 1:47 am

antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7f error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.



I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and if not equal then CanTX= x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).
Attachments
12 BCM BIN no boot V1.txt
(4.19 MiB) Downloaded 21 times
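The length check and the two reply shapes described in the post above (a positive 0x62 reply that echoes the PID, or 0x7F, MODE, 0x12 when the request length is wrong) can be modelled in a few lines. This is an added Python example, not anything from the BCM or from the thread's Ghidra project: the expected-length table and the PID data are constructed, the 0x31 code for an unknown PID is the ISO 14229 requestOutOfRange value and is an assumption about this firmware, and response_length is my reading of the `iVar1 + 3U & 0xff` expression discussed earlier as "3 header bytes plus data, masked to one byte".

```python
# Added example, not firmware code: a model of the request-length check and the
# response shapes discussed in the thread (positive 0x62 reply vs. 0x7F negative reply).
NEGATIVE_RESPONSE = 0x7F
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12   # ISO 14229 name for the 0x12 code seen in the thread
NRC_REQUEST_OUT_OF_RANGE = 0x31        # assumed here for an unknown PID; not taken from the thread
POSITIVE_OFFSET = 0x40                 # 0x22 + 0x40 = 0x62, the CAN_RESPONSE value in the decompilation

EXPECTED_REQUEST_LENGTH = {0x22: 3}    # mode byte + 2 PID bytes (constructed table)

# constructed data-identifier table for the example: PID -> bytes the module would report
PID_DATA = {
    0x1234: b"\x01\x02",
    0x1235: b"\xaa\xbb\xcc\xdd\xee\xff\x10\x20\x30",   # longer than one CAN frame
}


def handle_mode_22(request):
    """Return the response bytes the module would queue for one Mode 0x22 request."""
    mode = request[0]
    expected = EXPECTED_REQUEST_LENGTH.get(mode)
    if expected is None or len(request) != expected:
        # the check the post describes: wrong length -> 7F, MODE, 12
        return bytes([NEGATIVE_RESPONSE, mode, NRC_SUBFUNCTION_NOT_SUPPORTED])
    pid = (request[1] << 8) | request[2]
    data = PID_DATA.get(pid)
    if data is None:
        return bytes([NEGATIVE_RESPONSE, mode, NRC_REQUEST_OUT_OF_RANGE])
    # CAN_RESPONSE = 0x62, then the echoed PID bytes (CAN_DATA_BYTE/2), then the data
    return bytes([mode + POSITIVE_OFFSET, request[1], request[2]]) + data


def response_length(data_len):
    """Length handed to the transmit routine: 3 header bytes plus the data, masked to a byte,
    which is how FUN_000d9c8e(iVar1 + 3U & 0xff) reads (an assumption, not confirmed)."""
    return (data_len + 3) & 0xFF


def decode_response(resp):
    """Classify one reply so a capture of replies can be read without hand-decoding each."""
    if resp[0] == NEGATIVE_RESPONSE:
        return {"kind": "negative", "mode": resp[1], "nrc": resp[2]}
    return {
        "kind": "positive",
        "mode": resp[0] - POSITIVE_OFFSET,
        "pid": (resp[1] << 8) | resp[2],
        "data": bytes(resp[3:]),
    }


if __name__ == "__main__":
    # constructed sample requests: good, too short, unknown PID
    for req in (b"\x22\x12\x34", b"\x22\x12", b"\x22\x12\x36", b"\x22\x12\x35"):
        resp = handle_mode_22(req)
        print(req.hex(), "->", resp.hex(), decode_response(resp))
```

The useful check here is the first branch: because the length comparison happens before anything else, a short or padded Mode 0x22 request never reaches the PID lookup, which is why the same 7F/MODE/12 triple turns up at the top of every mode handler the post compared against the GM pseudo code.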

Posts: 2918
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: 07-2013 GM BCM

Postby Tazzi » Sat Apr 30, 2022 4:59 pm

gmtech825 wrote:
antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7f error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.



I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and if not equal then CanTX= x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).


Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"
Do you know which plugin you added?

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Sat Apr 30, 2022 10:10 pm

Tazzi wrote:
gmtech825 wrote:
antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7f error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.



I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and if not equal then CanTX= x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).


Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"
Do you know which plugin you added?


Ah, my bad... it was one of these, I can't remember which.
Attachments
ghidra-fujitsu-risc-master.zip
(15.2 KiB) Downloaded 17 times
ghidra_fujitsu_fr-master.zip
(14.75 KiB) Downloaded 21 times

Posts: 118
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Postby gmtech825 » Wed May 18, 2022 6:31 am

Success! Finally had more time to mess with this and was able to change the RVS timer. The ECM limits it to 21 minutes, but I'm happy with that. It did end up being a bit of a guessing game after I narrowed it down to a few possibilities, but it still only took a couple of tries to get it. I learned a whole lot in the process though, so I'm happy.
