07-2013 GM BCM

Post Reply
bertus76
Posts: 6
Joined: Mon Nov 25, 2013 8:12 am
cars: 1991 BMW 850Ci
2003 Chev Tahoe
2004 Chev Silverado, Cam, Headers, SAS coming and tuned by me
1983 Chev C1500 with tuned 6.0 with Cam and Headers
2001 Lotus 7 replica with SBC for now
1951 IH pick up, wifes project

07-2013 GM BCM

Post by bertus76 »

Hello,

Has anyone looked at getting into the GM BCM's to adjust or activate options?
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: 07-2013 GM BCM

Post by ironduke »

I've been glancing at it but haven't gotten anywhere.. I've gotten a few logs of BCM programming and can see how it's done but don't have seed key algo's and don't have original bins to work with so I'm kinda dead ended..

My only want is to lengthen remote start runtime for my own vehicle.. If I knew what byte t o change I could mock up a programming event since I know my own seed and key and have the cal files.. too worried about bricking it unless Im sure though, lol..
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: 07-2013 GM BCM

Post by Tazzi »

ironduke wrote:I've been glancing at it but haven't gotten anywhere.. I've gotten a few logs of BCM programming and can see how it's done but don't have seed key algo's and don't have original bins to work with so I'm kinda dead ended..

My only want is to lengthen remote start runtime for my own vehicle.. If I knew what byte t o change I could mock up a programming event since I know my own seed and key and have the cal files.. too worried about bricking it unless Im sure though, lol..
Writing calibration sections is pretty safe. Even pulling the scantool mid write is easy to recover, done it a good 50+ times on my own setups here.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: 07-2013 GM BCM

Post by ironduke »

Tazzi wrote:
ironduke wrote:I've been glancing at it but haven't gotten anywhere.. I've gotten a few logs of BCM programming and can see how it's done but don't have seed key algo's and don't have original bins to work with so I'm kinda dead ended..

My only want is to lengthen remote start runtime for my own vehicle.. If I knew what byte t o change I could mock up a programming event since I know my own seed and key and have the cal files.. too worried about bricking it unless Im sure though, lol..
Writing calibration sections is pretty safe. Even pulling the scantool mid write is easy to recover, done it a good 50+ times on my own setups here.
Good to know, I was kind of hoping it was like writing cals to some of the ecms I've been playing with.. they seem pretty bulletproof if you screw up a cal write, but in some cases I needed to write the OS AND cal to fix it, not all the time though..
I'll try to find some time to make some notes on the logs and get some of my own code written to at least write to mine.. I might even pick one up on ebay I can rip apart and get some chip info and maybe pull the flash with bdm or xprog, no idea if I can but I can always try, right? lol.. I've even tried digging around with the E38 flash as I think the 2 remote start limit is in the ECM and not the BCM, I've faked t he bcm message to the ECM but can still only get 2 remote starts out of it.. Being able to remote start 3 times would be neat, but the 10 minute runtime is a pita to me in when it's 2 degrees outside.. Funny how some of the newer vehicles have 15 minute timers..
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: 07-2013 GM BCM

Post by Tazzi »

ironduke wrote:
Tazzi wrote:
ironduke wrote:I've been glancing at it but haven't gotten anywhere.. I've gotten a few logs of BCM programming and can see how it's done but don't have seed key algo's and don't have original bins to work with so I'm kinda dead ended..

My only want is to lengthen remote start runtime for my own vehicle.. If I knew what byte t o change I could mock up a programming event since I know my own seed and key and have the cal files.. too worried about bricking it unless Im sure though, lol..
Writing calibration sections is pretty safe. Even pulling the scantool mid write is easy to recover, done it a good 50+ times on my own setups here.
Good to know, I was kind of hoping it was like writing cals to some of the ecms I've been playing with.. they seem pretty bulletproof if you screw up a cal write, but in some cases I needed to write the OS AND cal to fix it, not all the time though..
I'll try to find some time to make some notes on the logs and get some of my own code written to at least write to mine.. I might even pick one up on ebay I can rip apart and get some chip info and maybe pull the flash with bdm or xprog, no idea if I can but I can always try, right? lol.. I've even tried digging around with the E38 flash as I think the 2 remote start limit is in the ECM and not the BCM, I've faked t he bcm message to the ECM but can still only get 2 remote starts out of it.. Being able to remote start 3 times would be neat, but the 10 minute runtime is a pita to me in when it's 2 degrees outside.. Funny how some of the newer vehicles have 15 minute timers..
In global A, its BCM and ECM. But from BCM you can increase to 25min and unlimited restarts.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
bertus76
Posts: 6
Joined: Mon Nov 25, 2013 8:12 am
cars: 1991 BMW 850Ci
2003 Chev Tahoe
2004 Chev Silverado, Cam, Headers, SAS coming and tuned by me
1983 Chev C1500 with tuned 6.0 with Cam and Headers
2001 Lotus 7 replica with SBC for now
1951 IH pick up, wifes project

Re: 07-2013 GM BCM

Post by bertus76 »

I have a few BCM's here, I can open one up and take a few pictures of the components if anyone is interested
bertus76
Posts: 6
Joined: Mon Nov 25, 2013 8:12 am
cars: 1991 BMW 850Ci
2003 Chev Tahoe
2004 Chev Silverado, Cam, Headers, SAS coming and tuned by me
1983 Chev C1500 with tuned 6.0 with Cam and Headers
2001 Lotus 7 replica with SBC for now
1951 IH pick up, wifes project

Re: 07-2013 GM BCM

Post by bertus76 »

I have pulled the bins of 4 07-13 gm truck BCMs today, If anyone wants to have a look at them, there you go!!
test.bin
(2 KiB) Downloaded 234 times
test2 eclb.bin
(2 KiB) Downloaded 209 times
test3 rcsb.bin
(2 KiB) Downloaded 199 times
test4 van.bin
(2 KiB) Downloaded 196 times
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: 07-2013 GM BCM

Post by ironduke »

Hey there, I am not an expert, barely rated myself a novice but those sure don't look like BCM bins from a Silverado.. Did you read that off a chip?
Programming a BCM with gm sps passes a lot more data than any of your files.. Just the OS for an 07 silverado is over 440,000 bytes
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

wanted to give this a little revival for some feedback. I'm also looking to extend the remote start timer on my 12 silverado. I have the cals from sps but not the whole flash. I was hoping to put it all together and decompile to try and trace back to the timer setting. My only experience decompiling has been when I have the entire flash. obviously the addresses will all be incorrect because I don't know where in the flash these cals are supposed to reside. With ECM cals I can usually find that data in the OS segement, but I haven't been able to find it in this OS file.

Looks to be a fujitsu mb91f011 MCU. There are 11 segments from SPS and I believe the Flash size is 0x80000. IDA has fujitsu support so I can try to dump it there and see what I find. Any tips on decompiling sps segments would be appreciated.

I've attached the OS segment if anyone wants to take a look.
Attachments
20921437.bin
(479.98 KiB) Downloaded 187 times
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

ok, I found the section of the OS that describes the segment addresses...it's just formatted differently than I'm used to. Ghidra and ida are showing what looks to be valid data so it's a step in the right direction. I've narrowed down what I think are the the staus bytes for the remote start enable and possibly the hood switch dtcs...maybe. I've been assuming that the timer setting would be in the "powertrain control" segment but can't figure anything out from there. Maybe I'm incorrectly assume that the timer value is in that segment. I'll keep at it and update if I figure it out.
Post Reply