07-2013 GM BCM

[ironduke]

ok, I found the section of the OS that describes the segment addresses...it's just formatted differently than I'm used to. Ghidra and ida are showing what looks to be valid data so it's a step in the right direction. I've narrowed down what I think are the the staus bytes for the remote start enable and possibly the hood switch dtcs...maybe. I've been assuming that the timer setting would be in the "powertrain control" segment but can't figure anything out from there. Maybe I'm incorrectly assume that the timer value is in that segment. I'll keep at it and update if I figure it out.

I'm definitely following along here.. I'm looking at my 13 OS now with renewed interest, lol... Comparing mine to yours, some similarities, same layout I would say at least..

1-OS_22820316.bin

(479.98 KiB) Downloaded 98 times

[Tazzi]

I find process of elimination is always the way to go. I never looked at the 10min timer since none of our Holden’s in Aus had the factory remote start, but was used in the Pontiac G8s. These also use the same style BCMs as the 2007-2013 GM ones.

I did manage to enable remote start by comparing a g8 that did and didn’t come with remote start… then I compared the mapping in the VEs to enable it in my Holden VE ute. This then required a custom RFA module fitted and then custom ecm programming (overall.. a lot of work for something not really worth it haha).

Anyways, moral of the story is it’s probably a good start to find a variant of your vehicle that does not have remote start, then compare to one that does have it, and start at least narrowing down which calibration is affected. This will then at least be a starting point for where to start making changes.

[gmtech825]

Anyways, moral of the story is it’s probably a good start to find a variant of your vehicle that does not have remote start, then compare to one that does have it, and start at least narrowing down which calibration is affected. This will then at least be a starting point for where to start making changes.

this is basically how I found the status bytes for enabling remote start. three bytes were changed from 00 to 01 on the vehicle I compared it to so that narrowed it down.

[gmtech825]

ok, I found the section of the OS that describes the segment addresses...it's just formatted differently than I'm used to. Ghidra and ida are showing what looks to be valid data so it's a step in the right direction. I've narrowed down what I think are the the staus bytes for the remote start enable and possibly the hood switch dtcs...maybe. I've been assuming that the timer setting would be in the "powertrain control" segment but can't figure anything out from there. Maybe I'm incorrectly assume that the timer value is in that segment. I'll keep at it and update if I figure it out.

I'm definitely following along here.. I'm looking at my 13 OS now with renewed interest, lol... Comparing mine to yours, some similarities, same layout I would say at least..

1-OS_22820316.bin

were you able to find the addresses I was talking about? I made one file and put all the segments at the correct addresses to decompile it.

[ironduke]

ok, I found the section of the OS that describes the segment addresses...it's just formatted differently than I'm used to. Ghidra and ida are showing what looks to be valid data so it's a step in the right direction. I've narrowed down what I think are the the staus bytes for the remote start enable and possibly the hood switch dtcs...maybe. I've been assuming that the timer setting would be in the "powertrain control" segment but can't figure anything out from there. Maybe I'm incorrectly assume that the timer value is in that segment. I'll keep at it and update if I figure it out.

I'm definitely following along here.. I'm looking at my 13 OS now with renewed interest, lol... Comparing mine to yours, some similarities, same layout I would say at least..

1-OS_22820316.bin

were you able to find the addresses I was talking about? I made one file and put all the segments at the correct addresses to decompile it.

Not yet, usually find it at the beginning of the OS but it's kinda funny there.. Didn't take a long look but tried finding the
segment start and end
segment checksum start(should be 2 more than segment start
segment checksum end
Don't see CVN's in the actual calibration? but there is a CVN at tis2web and that matches checksum section so I stopped looking for cvn start/stop/start/stop where the 1st start is the same as checksum start and the last stop is segment end..

I
ll keep on digging..

[gmtech825]

Not yet, usually find it at the beginning of the OS but it's kinda funny there.. Didn't take a long look but tried finding the
segment start and end
segment checksum start(should be 2 more than segment start
segment checksum end
Don't see CVN's in the actual calibration? but there is a CVN at tis2web and that matches checksum section so I stopped looking for cvn start/stop/start/stop where the 1st start is the same as checksum start and the last stop is segment end..

I
ll keep on digging..

at the beginning of the OS the segment start addresses are there followed by the the size of the segment- not the end address of the segment. that's what tripped me up at first. the checksums are the first two bytes of each segment found by 16 bit big endian on the entire segment except for the first two bytes (bitwise NOT + 1 will give you the value for the first two bytes of the segment).

[gmtech825]

also, the cvn that tis lists is not in the segment...thats a crc-16 of the segment excluding the first two bytes of the segment.

[ironduke]

also, the cvn that tis lists is not in the segment...thats a crc-16 of the segment excluding the first two bytes of the segment.

Yup, pretty much what I figured out, CVN exists for GM to check cals but it's not stored in the cal like I usually see.
I know how to do the checksum, used to that,
segment start and segment size is a new on for me, lol.. thanks for the tip!!!

[ironduke]

at the beginning of the OS the segment start addresses are there followed by the the size of the segment- not the end address of the segment. that's what tripped me up at first. the checksums are the first two bytes of each segment found by 16 bit big endian on the entire segment except for the first two bytes (bitwise NOT + 1 will give you the value for the first two bytes of the segment).

Is your OS in 2 sections as well?? Think I got it.. MY OS is in 2 seperate pieces, seen that before with some ECM's..

Couple of my segments were the wrong size, but just some extra zeros at the end.. Checksum matched because, well they're zeros.. CVN didn't match until I reduced it to the size specified in the OS and then the CVN matched perfect, little odd, maybe something with compressing the files?

My flash is below, obviously missing boot and eeprom(if it has/uses it).. Think I'll definitely need even mroe suggestions after I made it this far, lol.. been fun though..

BCM bin with all segments AND OS.bin

(1023.99 KiB) Downloaded 124 times

[Tazzi]

this is basically how I found the status bytes for enabling remote start. three bytes were changed from 00 to 01 on the vehicle I compared it to so that narrowed it down.

Ok, so which calibration did you track it into? What tactics have you tried to narrow down the timer so far?