07-2013 GM BCM

04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: 07-2013 GM BCM

Post by 04colyZQ8 »

ironduke wrote:
04colyZQ8 wrote:I wonder if hex ... 09 * 1000 which is 589,824 in decimal, which is 9.83 minutes could tell us anything? I'd search for 09 in the segment that contains the hood pin Boolean and change 09 to 05 and see if it cuts the time down.
Would you still do that if I had timed the remote start runtime and ended up with 10 minutes and 1.6 seconds... so 10:01.6?? You had asked and I had timed it again and posted.. I don't know why we'd start looking at 9 minutes? or 9.83 minutes.. It certainly ran for damn near exactly 10 minutes, and the 1.6 seconds was probably me fat fingering the stop button on my phone.. lol

The way I look at it, if it’s stored in seconds or milliseconds then it’s got to start with 09 in hex, or something like 09 xx xx, so just in case it’s not exactly 09 27 C0 I’m just saying start with the most obvious MSB, which is 09.

Otherwise it must be set as a Boolean in the OS or hard coded in the OS.

Are there any applications in the cars or trucks that this style BCM was used in, even overseas, that have a different remote timer?
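The search suggested in the posts above (encode the suspected 10-minute timer as seconds and as milliseconds, then look for those bytes in the dump) can be done mechanically rather than by eye. The following is an added example, not code from the thread or from the BCM; the `sample_image` is a constructed filler buffer with 600000 ms (0x000927C0) placed at offset 6, and the assumption that the timer is a 32-bit value is mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Four candidate encodings of one timer value: seconds and milliseconds,
 * each as a 32-bit big-endian and little-endian word.
 * out[0] = BE seconds, out[1] = LE seconds, out[2] = BE ms, out[3] = LE ms. */
enum { CAND_COUNT = 4, CAND_LEN = 4 };

void timer_candidates(uint32_t seconds, uint8_t out[CAND_COUNT][CAND_LEN]) {
    uint32_t v[2] = { seconds, seconds * 1000u };
    for (int i = 0; i < 2; i++) {
        uint8_t *be = out[2 * i], *le = out[2 * i + 1];
        be[0] = (uint8_t)(v[i] >> 24); be[1] = (uint8_t)(v[i] >> 16);
        be[2] = (uint8_t)(v[i] >> 8);  be[3] = (uint8_t)(v[i]);
        le[0] = (uint8_t)(v[i]);       le[1] = (uint8_t)(v[i] >> 8);
        le[2] = (uint8_t)(v[i] >> 16); le[3] = (uint8_t)(v[i] >> 24);
    }
}

/* First offset of pat inside buf, or -1 when it does not occur. */
long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen) {
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Scan buf for every candidate encoding of `seconds`; fills offsets[] with
 * the hit offset per candidate (-1 for no hit) and returns the hit count. */
int scan_timer(const uint8_t *buf, size_t len, uint32_t seconds, long offsets[CAND_COUNT]) {
    uint8_t cand[CAND_COUNT][CAND_LEN];
    timer_candidates(seconds, cand);
    int hits = 0;
    for (int i = 0; i < CAND_COUNT; i++) {
        offsets[i] = find_bytes(buf, len, cand[i], CAND_LEN);
        if (offsets[i] >= 0) hits++;
    }
    return hits;
}

/* Constructed stand-in for a firmware dump: filler bytes with 600000 ms
 * (0x000927C0, i.e. 10 minutes) stored big-endian at offset 6. */
static const uint8_t sample_image[] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
    0x00, 0x09, 0x27, 0xC0,
    0xFF, 0xFF
};

int main(void) {
    static const char *names[CAND_COUNT] = { "BE seconds", "LE seconds", "BE ms", "LE ms" };
    long off[CAND_COUNT];
    int hits = scan_timer(sample_image, sizeof sample_image, 600, off);
    for (int i = 0; i < CAND_COUNT; i++)
        printf("%-10s offset %ld\n", names[i], off[i]);
    printf("%d candidate(s) found\n", hits);
    return 0;
}
```

A single hit on one encoding is only a lead, not proof: a value like 0x258 (600 seconds) is short enough to appear by coincidence in any large image, so each hit still needs the surrounding code checked, as the posts above are doing with the hood-pin Boolean segment.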
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: 07-2013 GM BCM

Post by 04colyZQ8 »

What’s the timeout on a Holden Ute or Commodore? They use the same family BCM.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: 07-2013 GM BCM

Post by 04colyZQ8 »

gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0
PID for scan tools?
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

04colyZQ8 wrote:
gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke yours starts at x000FAEE0
PID for scan tools?
Correct.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

04colyZQ8 wrote:What’s the time out on a Holden Ute or comadore? They use the same family bcm
Our Holden VE (2007-2012) never received factory remote start.
It can be done, but it requires custom programming of the BCM, ECM and RFA module.

The BCM must have already had the timer set in it, since from memory I only had to program a few bytes to 01 to enable it.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Found the location for handling scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PIDs are referenced though.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

gmtech825 wrote:Found the location for handling Scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PID's are referenced though.
Well, understanding the PIDs should help, realistically.

If you can point out where it's actually sending the reply to messages, we might be able to start actually trying to make a custom GM kernel to dump RAM areas which could be of interest.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Here is the function I found for mode 22:

Code:

    case 0x22:
      MODE_22_FUNCTION();
      break;

Code:

void MODE_22_FUNCTION(void)

{
  int iVar1;
  uint uVar2;
  uint unaff_r9;
  ushort *unaff_r11;
  BADSPACEBASE *in_r15;
  undefined *puVar3;
  undefined4 *puVar4;
  
  puVar4 = (undefined4 *)&stack0xffffffec;
  puVar3 = &stack0xffffffec;
  if (DAT_0003edec == '\x03') {            /* requests are only serviced when this state byte is 3 */
    unaff_r9 = (uint)CONCAT11(POSS_MODE_SUB_OR_PID_value,POSS_PID_BYTE_2);  /* 16-bit PID from the two request bytes */
    unaff_r11 = (ushort *)PID_FUNCTION();  /* base of the sorted PID table */
    iVar1 = FUN_DECIMAL_209();             /* table entry count, 0xd1 */
    uVar2 = POSS_PID_LOOKUP_ROUTINE(unaff_r11,iVar1,unaff_r9);  /* table index, or 0xffff if not found */
    if (uVar2 == 0xffff) {
      if ((DAT_0003ee6d & 0x10) == 0) {
        CAN_TX(0x7f,0x22,0x31);            /* negative response: 0x7F, service 0x22, NRC 0x31 (requestOutOfRange) */
      }
    }
    else {
      iVar1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;                 /* positive response SID = 0x22 + 0x40 */
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);     /* send: data length plus the 3 header bytes */
    }
  }
  else {
    CAN_TX(0x7f,0x22,0x12);                /* negative response, NRC 0x12 (subFunctionNotSupported) */
    puVar4 = (undefined4 *)puVar3;
  }
  *puVar4 = &DAT_0003edec;
  puVar4[-1] = unaff_r9;
  puVar4[-2] = &CAN_RESPONSE;
  puVar4[-3] = unaff_r11;
  return;
}

Code:

undefined * PID_FUNCTION(void)

{
  return &PID_s;
}

Code:

undefined4 FUN_DECIMAL_209(void)

{
  return 0xd1;
}

Code:

uint POSS_PID_LOOKUP_ROUTINE(ushort *param_1,int param_2,uint param_3)

{
  uint uVar1;
  uint uVar2;
  uint uVar3;
  uint uVar4;
  
  uVar3 = param_2 - 1U & 0xffff;
  uVar2 = 0;
  if (((byte)(SBORROW4(param_3,(uint)*param_1) ^ (int)(param_3 - *param_1) < 0) != 1) &&
     (uVar1 = (uint)param_1[param_2 - 1U],
     (byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1)) {
    while ((byte)(SBORROW4(uVar2,uVar3) ^ (int)(uVar2 - uVar3) < 0 | uVar2 == uVar3) == 1) {
      uVar4 = (uVar2 + uVar3) / 2;
      uVar1 = (uint)param_1[uVar4];
      if ((byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1) {
        if ((int)(uint)param_1[uVar4] <= (int)param_3) {
          return uVar4;
        }
        uVar3 = uVar4 - 1 & 0xffff;
      }
      else {
        uVar2 = uVar4 + 1 & 0xffff;
      }
    }
  }
  return 0xffff;
}
PID_s is the start of the PID address, x000faed4 for my file.

I labeled a couple of things, and I can see the negative and positive responses, but maybe you can make more sense of it.
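Read without the decompiler noise, the post above shows two pieces: `POSS_PID_LOOKUP_ROUTINE` is a binary search over a sorted 16-bit PID table (the SBORROW4 expressions are signed `<=`/`<` compares), and `MODE_22_FUNCTION` turns the result into either a positive `0x62` reply or a `0x7F 0x22 <NRC>` negative reply. The code below is an added example that re-implements that logic cleanly; it is not the BCM's code and the five-entry `did_table`, the per-entry `did_data` payloads and the meaning given to the state byte are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, ascending PID/DID table standing in for PID_s (real table has 0xd1 entries). */
enum { DID_COUNT = 5 };
static const uint16_t did_table[DID_COUNT] = { 0x0010, 0x0100, 0x1234, 0x2001, 0xF190 };

/* Constructed 2-byte payloads, one per table entry (the real code fetches via FUN_000d54f2). */
static const uint8_t did_data[DID_COUNT][2] = {
    { 0x01, 0x02 }, { 0x03, 0x04 }, { 0xAB, 0xCD }, { 0x05, 0x06 }, { 0x07, 0x08 }
};

/* Same contract as POSS_PID_LOOKUP_ROUTINE: index of key in a sorted table, else 0xFFFF.
 * The range guard before the loop mirrors the two compares against table[0] and table[count-1]. */
uint16_t did_lookup(const uint16_t *table, unsigned count, uint16_t key) {
    if (count == 0 || key < table[0] || key > table[count - 1]) return 0xFFFF;
    int lo = 0, hi = (int)count - 1;
    while (lo <= hi) {
        int mid = (lo + hi) / 2;
        if (key <= table[mid]) {
            if (table[mid] <= key) return (uint16_t)mid;   /* exact match */
            hi = mid - 1;
        } else {
            lo = mid + 1;
        }
    }
    return 0xFFFF;
}

/* Build the reply bytes for a service 0x22 request and return their count.
 * state_byte stands in for DAT_0003edec: the page shows it must equal 3 for the
 * request to be serviced; what the byte means is not stated and is left as such here. */
size_t handle_mode_22(uint8_t state_byte, uint8_t did_hi, uint8_t did_lo, uint8_t *out) {
    if (state_byte != 0x03) {
        out[0] = 0x7F; out[1] = 0x22; out[2] = 0x12;  /* NRC subFunctionNotSupported */
        return 3;
    }
    uint16_t key = (uint16_t)((did_hi << 8) | did_lo);
    uint16_t idx = did_lookup(did_table, DID_COUNT, key);
    if (idx == 0xFFFF) {
        out[0] = 0x7F; out[1] = 0x22; out[2] = 0x31;  /* NRC requestOutOfRange */
        return 3;
    }
    out[0] = 0x62;                                    /* 0x22 + 0x40 positive response */
    out[1] = did_hi;
    out[2] = did_lo;
    out[3] = did_data[idx][0];
    out[4] = did_data[idx][1];
    return 5;                                         /* 3 header bytes + 2 data bytes */
}

int main(void) {
    uint8_t reply[8];
    size_t n = handle_mode_22(0x03, 0x12, 0x34, reply);
    for (size_t i = 0; i < n; i++) printf("%02X ", reply[i]);
    printf("\n");
    n = handle_mode_22(0x03, 0x12, 0x35, reply);
    for (size_t i = 0; i < n; i++) printf("%02X ", reply[i]);
    printf("\n");
    return 0;
}
```

The useful consequence for the thread is that the table is sorted, so the supported PIDs can be listed straight from the `0xd1` half-words starting at PID_s, and the `0x31` branch is exactly what a scan tool sees when it asks for one that is not there.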
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: 07-2013 GM BCM

Post by 04colyZQ8 »

That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself, based on the assembly code given by disassembling in IDA? Or does the program you have spit this wonderful code out?

I really would like to see my code disassembled like this!