07-2013 GM BCM

[ironduke]

Not trying to hijack, just help where I can..

for 2013 the system calibration changes exactly has gmtech825 described his did.. the 2 files are below. ending 35 is remote start enabled..

22824036.bin

(624 Bytes) Downloaded 149 times

<< Original calibration

22824035.bin

(624 Bytes) Downloaded 120 times

<< this is with remote start enabled

As for what I've tried, not tons, nothing written to BCM to see if it makes a difference.
10 minutes = 600 seconds or 0x258. So should I look at the 0a for 10 minutes?(very doubtful) or the 0x258(not found in system calibration) for 600 seconds? or 0927CD(not found either) for 600,000 milliseconds?

[gmtech825]

at the beginning of the OS the segment start addresses are there followed by the the size of the segment- not the end address of the segment. that's what tripped me up at first. the checksums are the first two bytes of each segment found by 16 bit big endian on the entire segment except for the first two bytes (bitwise NOT + 1 will give you the value for the first two bytes of the segment).

Is your OS in 2 sections as well?? Think I got it.. MY OS is in 2 seperate pieces, seen that before with some ECM's..

Couple of my segments were the wrong size, but just some extra zeros at the end.. Checksum matched because, well they're zeros.. CVN didn't match until I reduced it to the size specified in the OS and then the CVN matched perfect, little odd, maybe something with compressing the files?

My flash is below, obviously missing boot and eeprom(if it has/uses it).. Think I'll definitely need even mroe suggestions after I made it this far, lol.. been fun though..

BCM bin with all segments AND OS.bin

that looks good to me. my OS is 2 segments as well. looks like our segment addresses and sizes are the same

[gmtech825]

this is basically how I found the status bytes for enabling remote start. three bytes were changed from 00 to 01 on the vehicle I compared it to so that narrowed it down.

Ok, so which calibration did you track it into? What tactics have you tried to narrow down the timer so far?

I've been working off the assumption that the timer setting would be in the powertrain control segment. So i've been tracing all the functions that reference to the three bytes that were changed in the system segment to enable remote start and see if there are any references made to the powertrain control segment. does that make sense? could be the entirely wrong way to go about it...I have no idea what I'm doing.

there is one byte in the system that looks very interesting, it looks like A funtion checks to make sure the byte is not zero, followed by a bunch of OR statements that look like they could be other enable criteria. they seem to point to data that does not fall within the flash segments at all. So I'm thinking these could be checking for MIL on, Hood closed ETC. I'm not even proficient with programming langauge let alone Assembly langauge so I'm really just making a bunch of assumptions. but part of my reason for doing this is to learn more. I don't want to get lucky and stumble upon the answer, I actually want to understand how to do this stuff.

I'm thinking about changing that one byte in the system back to a zero to see if that makes the remote start stop working...just as a sanity check to make sure i'm not going down the wrong path.

[gmtech825]

Not trying to hijack, just help where I can..

for 2013 the system calibration changes exactly has gmtech825 described his did.. the 2 files are below. ending 35 is remote start enabled..

22824036.bin

<< Original calibration

22824035.bin

<< this is with remote start enabled

As for what I've tried, not tons, nothing written to BCM to see if it makes a difference.
10 minutes = 600 seconds or 0x258. So should I look at the 0a for 10 minutes?(very doubtful) or the 0x258(not found in system calibration) for 600 seconds? or 0927CD(not found either) for 600,000 milliseconds?

you aren't hijacking nearly as bad as me...this isn't my thread lol

as for searching for the correct value, I would think there is some sort of scalar applied to it right?

[Tazzi]

I feel like iv seen the value 0x64 around on other gm modules that related to 10minute timers, maybe try searching for that?

As for understanding the assembly, it usually helps having multiple parameters found through comparing bins, then map their references in the operating system to find over parameters being called by the same subroutines which are usually related to them.

Another method is guess and check. Make some changes, see what changes. It’s a slow process, but does get the job done. Once you have compared enough different calibrations to identify as many differences as possible, it then makes it easier to start making changes in the right area and know what to look for.

[gmtech825]

0x64 would make sense and I have seen that in the powertrain control segment in a few spots. the three bytes in the system segment are definately related. I found a function that eventually calls to all three but not directly. I'm wondering if one byte enables it, one byte enables the timer and one byte limits the amount of remote starts. just a guess but I think I'll test the theory

[gmtech825]

0x64 would make sense and I have seen that in the powertrain control segment in a few spots. the three bytes in the system segment are definately related. I found a function that eventually calls to all three but not directly. I'm wondering if one byte enables it, one byte enables the timer and one byte limits the amount of remote starts. just a guess but I think I'll test the theory

changing those two bytes in the system back to 0x00 did nothing for the remote start function. I guess I'm back to my original theory about those being relate to the hood switch DTC's. There are two the BCM can set for the hood switch circuits.


At least I confirmed by process of elimination which byte in the system enables the remote start so I can focus down that path.

[Tazzi]

Not trying to hijack, just help where I can..

for 2013 the system calibration changes exactly has gmtech825 described his did.. the 2 files are below. ending 35 is remote start enabled..

22824036.bin

<< Original calibration

22824035.bin

<< this is with remote start enabled

As for what I've tried, not tons, nothing written to BCM to see if it makes a difference.
10 minutes = 600 seconds or 0x258. So should I look at the 0a for 10 minutes?(very doubtful) or the 0x258(not found in system calibration) for 600 seconds? or 0927CD(not found either) for 600,000 milliseconds?

What were the other calibrations that went along with this? or better yet, the VINs used to bring these up?
0x64 pops up multiple times in that file, so I would attempt reducing it to like.. 0x0A.. and see it it goes down to 1 minute.

[ironduke]

Below is the cal files for the BCM.. The only file that changes when enabling remote start is the one posted already.. I'm guessing the 10 minute is already in the calibrations somewhere?

I did mess with the powertrain segment, I had 6 occurrences of 0x64 and I changed each one to 0a yesterday(glad to hear we had similar ideas, lol), no change, let it run for 2 minutes and tried the next one.. In the end I changed every occurrence to 0x64 and it still ran for 2 minutes..

I also tried the system calibration but ran out of time, when I changed every occurrence the remote start didn't work.. Didn't have time to go any further..

Kinda in the middle of a family thing but had a little down time and wanted something to take my mind off things.. Might try again because I might have messed up some of the testing?

13.Silverado.BCM.cals.7z

(167.03 KiB) Downloaded 110 times

[Tazzi]

Thanks for trying. I cannot for the life of my find any more documentation when I was working on this. It must all be on one of the old laptops, since I did all the work while sitting in my ute, testing multiple changes.

I believe looking at the bytes that change in the System cal, its likely related to the following:
1) Show option in radio/instrument cluster to enable/disable
2) Enable remote start
3) DTC enable (Maybe?)

The DTC option could also be a MASK, meaning multiple errors can be on one byte. Some modules I have dealt with in the past has a 0 for ignore fault, and 1 for enable fault.

As for the remote start time, there would be no reason why they would change that even if it didnt come with it from factory.. to keep it uniform with all other vehicles, they would have it matching those with it enabled.