07-2013 GM BCM

Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

      Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);
I would assume the 'success' CAN TX would be FUN_000d9c8e(iVar1 + 3U & 0xff);
I wouldn't think Var1 is the actual calculated response, since it's being & 0xFF, which makes it only 1 byte in size.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

04colyZQ8 wrote:That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself, based on the assembly code given by disassembling in IDA? Or does the program you have spit this wonderful code out?

I really would like to see my code disassembled like this!

This is from Ghidra. If you are referring to the labels for functions etc., I manually added those.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Tazzi wrote:

      Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);
I would assume the 'success' CAN TX would be FUN_000d9c8e(iVar1 + 3U & 0xff);
I wouldn't think Var1 is the actual calculated response, since it's being & 0xFF, which makes it only 1 byte in size.

void FUN_000d9c8e(int param_1)

{
  DAT_0003edb4 = 3;
  FUN_000e0716(1,&CAN_RESPONSE,param_1);
  return;
}

undefined4 FUN_000e0716(int param_1,undefined4 param_2,int param_3)

{
  undefined uVar1;
  undefined4 uVar2;
  int iVar3;
  int iVar4;
  
  FUN_000dc894();
  iVar3 = param_1 * 6;
  if ((&DAT_0003f39b)[iVar3] == '\0') {
    if ((byte)(SBORROW4(param_3,7) ^ param_3 + -7 < 0 | param_3 == 7) == 0) {
      uVar1 = 0x20;
    }
    else {
      uVar1 = 0x10;
    }
    (&DAT_0003f39b)[iVar3] = uVar1;
    (&DAT_0003f398)[param_1 * 3] = 0xb;
    FUN_000dc8b8();
    iVar4 = param_1 * 0xc;
    *(undefined4 *)(&DAT_0003f374 + iVar4) = param_2;
    *(undefined2 *)(&DAT_0003f378 + iVar4) = 0;
    *(short *)(&DAT_0003f37a + iVar4) = (short)param_3;
    (&DAT_0003f39c)[iVar3] = (&DAT_0003f39c)[iVar3] | 0x80;
    uVar2 = 0;
  }
  else {
    FUN_000dc8b8();
    uVar2 = 3;
  }
  return uVar2;
}

Here is FUN_000d9c8e. I think you are right; FUN_000d9c8e is also used for the other Modes.

One thing I did find was the security ($27 mode) delay timer, which is 400. Now, assuming it is 10 seconds (which may not be the case), then if it used the same conversion (which also may not be the case) then 0x5dC0 would be a possibility. Finding new things every day... just not what I need.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: 07-2013 GM BCM

Post by antus »

I think MODE_22_FUNCTION(void) might be handling responses of different lengths. It seems like it has some special handling for 3-byte packets, including the mask of iVar1+3 to one byte, perhaps because it's stored as a word. Then the other error conditions, and finally maybe a transmission for a longer packet at the end. Looking at https://en.wikipedia.org/wiki/OBD-II_PIDs I can see all kinds of different-length responses, including the IAT sensor, which is 3 bytes. If this is the case then DAT_0003edec is the length of the response payload.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

antus wrote:I think MODE_22_FUNCTION(void) might be handling responses of different lengths. It seems like it has some special handling for 3-byte packets, including the mask of iVar1+3 to one byte, perhaps because it's stored as a word. Then the other error conditions, and finally maybe a transmission for a longer packet at the end. Looking at https://en.wikipedia.org/wiki/OBD-II_PIDs I can see all kinds of different-length responses, including the IAT sensor, which is 3 bytes. If this is the case then DAT_0003edec is the length of the response payload.

Thanks for confirming this.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: 07-2013 GM BCM

Post by antus »

Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7F error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual TX, and the response struct is finished being populated by the return and TX'd somewhere else.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7F error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual TX, and the response struct is finished being populated by the return and TX'd somewhere else.

I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and, if not equal, then CanTX = x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).
Attachments
12 BCM BIN no boot V1.txt
(4.19 MiB) Downloaded 137 times
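Modelling the Mode $22 handler the way the thread reads it out of the decompile (the 0x62 positive response echoing the two PID bytes followed by variable-length data, the (n + 3) & 0xFF length byte Tazzi pointed at, and the 7F / MODE / 12 reject on a wrong request length described in the post above). This is an added illustration written for this edit, not code from the BCM image or from any poster; the PID table, the three-byte request shape and the 0x31 (requestOutOfRange) reject for an unknown PID are assumptions, not something the decompile shows.

```python
"""Constructed model of a GMLAN/KWP2000-style Mode $22 (ReadDataByIdentifier)
responder.  Sample values only; nothing here is read from the BCM image."""
from typing import Dict

MODE_22 = 0x22                 # request service id
POSITIVE = MODE_22 + 0x40      # 0x62, the CAN_RESPONSE byte in the decompile
NRC_INVALID_FORMAT = 0x12      # the "x7F, xMODE, x12" reject the functions emit
NRC_OUT_OF_RANGE = 0x31        # assumed reject for an unknown PID (standard NRC)

# Constructed PID table: 16-bit identifier -> data bytes.  Lengths differ on
# purpose (1, 2 and 4 bytes) to mirror the different-length responses antus
# points at in the OBD-II PID list.
SAMPLE_PIDS: Dict[int, bytes] = {
    0x1234: b"\x2a",
    0x1235: b"\x12\x34",
    0x1236: b"\x00\x01\x02\x03",
}


def negative_response(mode: int, nrc: int) -> bytes:
    """7F <mode> <nrc>: the fixed three-byte negative response."""
    return bytes([0x7F, mode & 0xFF, nrc & 0xFF])


def payload_length(data_len: int) -> int:
    """(iVar1 + 3) & 0xFF: response id + two PID bytes + data, truncated to one
    byte exactly as the decompiled call FUN_000d9c8e(iVar1 + 3U & 0xff) does.
    Note that C precedence makes this (iVar1 + 3) & 0xFF, so a long payload
    silently wraps: 253 data bytes gives a length byte of 0."""
    return (data_len + 3) & 0xFF


def handle_mode_22(request: bytes, table: Dict[int, bytes] = SAMPLE_PIDS) -> bytes:
    """Return the diagnostic payload the node would queue for transmission.

    Order of checks follows what the thread inferred: a length/format check
    first (reject with 7F 22 12), then the lookup, then 62 + PID echo + data.
    """
    if len(request) != 3 or request[0] != MODE_22:
        return negative_response(MODE_22, NRC_INVALID_FORMAT)
    pid = (request[1] << 8) | request[2]
    data = table.get(pid)
    if data is None:
        return negative_response(MODE_22, NRC_OUT_OF_RANGE)
    return bytes([POSITIVE, request[1], request[2]]) + data
```

Running handle_mode_22 over a few constructed requests is a quick way to sanity-check an interpretation of the decompile against the Node Interface pseudo code before renaming more labels.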
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: 07-2013 GM BCM

Post by Tazzi »

gmtech825 wrote:
antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7F error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual TX, and the response struct is finished being populated by the return and TX'd somewhere else.

I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and, if not equal, then CanTX = x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).
Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"
Do you know which plugin you added?
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Tazzi wrote:
gmtech825 wrote:
antus wrote:Sorry, that was not confirmation, just my thoughts after a read for you to consider. Now I'm looking again I see I misaligned one of the brackets on my scan of your post, and if DAT_0003edec is not 3 it returns a 7F error. So it's unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in Ghidra or IDA to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy into a buffer, not the actual TX, and the response struct is finished being populated by the return and TX'd somewhere else.

I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and, if not equal, then CanTX = x7F, xMODE, x12.

You may be right about CANTX; those labels are not absolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a Ghidra zip file that wouldn't attach in that format).
Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"
Do you know which plugin you added?
Ah, my bad... it was one of these, I can't remember which.
Attachments
ghidra-fujitsu-risc-master.zip
(15.2 KiB) Downloaded 131 times
ghidra_fujitsu_fr-master.zip
(14.75 KiB) Downloaded 128 times
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: 07-2013 GM BCM

Post by gmtech825 »

Success! Finally had more time to mess with this and was able to change the RVS timer. The ECM limits it to 21 minutes, but I'm happy with that. It did end up being a bit of a guessing game after I narrowed it down to a few possibilities, but it still only took a couple of tries to get it. I learned a whole lot in the process though, so I'm happy.