Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with hardware and software.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I can feel your pain. Trying to learn assembly has nearly driven me insane more than once. Have you tried a simulator and stepping through the program? It's pretty boring, but it helped me make a 7k tach on the 03-07 Silverado clusters. The simulator made it easier to find the way the jumps and RAM locations were loaded, since they are done from offsets. You need to manually set things like inputs that tell the MCU that the ignition is on and, if it reads from the EEPROM, what the data should be. It also taught me how much faster the MCU can read and execute the program than I can. Also, it probably won't simulate the Class 2 hardware.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I have successfully turned off the TPMS in the 07-12 Colorado/Canyon BCMs. I can also likely disable DRLs, and/or at the very least make them so they can be turned off by switching the headlamp switch to the left. I have far too much invested in it, though, to publicly post up the code, but I can tune your BCM if you like.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I believe the controller on the first-design BCMs is a TMS370C16 type. It is a 16-bit version of the TMS370 that was used in ASICs for manufacturers. I have only found one PDF that talks about them. It does have the assembly instruction set in it, and doing some manual disassembly, it appears to make sense. Too bad I can't find a disassembler for it.
Highlander
Posts: 81
Joined: Sun May 11, 2014 6:36 pm
cars: Z06

Re: Colorado / H3 BCM hacking

Post by Highlander »

04colyZQ8 wrote: Yeah, people keep trying to tell me to use the RAM to watch for changes and trace it back. Never could get that to happen on the E67, as it wouldn't stay in halt and kept resetting. I think because of its separate ECU chip with some kind of watchdog. OK, it seemed like PE Micro had some sort of code to disable watchdogs on the main CPU for the E67; that's why I thought it would also be required for this project.

So in the disassembly it doesn't show where the fog lamp enable bit goes to in the OS? Isn't the OS laid out like a bunch of addresses? As the code executes in its order it would reach address xxxxxxx and jump there to check what the value is? If xxxxxxx == 90 then fog lamps are enabled, etc. I just want to find that point, because there should be a table of values listed in the OS that are accepted for that address. Then I can try each one and see what it does? Right now I don't really know which values are valid.

I can do that. I've seen live RAM on the E67.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

Many thanks to 04colyZQ8 for motivating me to get thinking about this again.

The MCU in the BCM uses a 4-byte address space, but mode 35 on the older Class 2 modules only supports 3-byte addressing. So the BCM code automatically adds an offset to your request so it can read from RAM. E.g., if your mode 35 request is for data at address 0x000100, then the BCM returns data from 0x08000100.

I've been meaning to locate and disassemble this function to see if it was possible to read anything else in the BCM. I struck gold. :D

They used a series of address locations that don't exist on the physical chip. If you read from those locations, the code applies a mask to the address and returns data from the real 4-byte address. If you read from outside those areas, it just returns null values.

This is the memory map from the TMS470PLF111 data sheet, with the mode 35 request ranges added. It looks like the only range you can't read is the Flash ECC area.
[Attachment: TMS470 mode 35 map.png]
I did a few quick spot checks on my H3, and it worked to read a few blocks from the flash area. I haven't done anything more involved yet. The obvious application is dumping the flash, but I think you could also write some basic code to monitor RAM and register contents too.

This may not be limited to Colorado and H3. Some of the older full size trucks appear to use a BCM based around a similar chip. I don't know if the address offsets will be identical, but maybe it'll at least give a starting point to someone who's working on one of those.
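The rebasing Gatecrasher describes (a 3-byte mode $35 request address that the BCM firmware maps onto the MCU's 4-byte space, with nulls returned for anything outside the mapped windows) is modelled below. This is an added example written for this page, not Gatecrasher's code or anything from the BCM firmware. The only mapping it takes from the post is request 0x000100 -> physical 0x08000100; the 64 KiB window length is an assumed placeholder, the other windows from the attached memory-map image are not reproduced (add them to `KNOWN_WINDOWS`), and the Class 2 message framing is deliberately abstracted behind a `read_block(req_addr, n)` callable so the script runs offline against a simulated module.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MODE35_ADDR_MAX = 0xFFFFFF  # a Class 2 mode $35 request carries only a 3-byte address


@dataclass(frozen=True)
class Window:
    """A 3-byte request range that the BCM firmware rebases onto a real MCU range."""
    name: str
    req_start: int   # first request address of the window
    size: int        # bytes the window covers
    phys_base: int   # 4-byte MCU address the window maps to

    def holds_req(self, req_addr: int) -> bool:
        return self.req_start <= req_addr < self.req_start + self.size

    def holds_phys(self, phys_addr: int) -> bool:
        return self.phys_base <= phys_addr < self.phys_base + self.size


# The one mapping the post states: request 0x000100 reads physical 0x08000100,
# i.e. the low request range is RAM rebased by 0x08000000. The 64 KiB length is
# a placeholder (assumption); the remaining windows live in the memory-map image
# attached to the post and are not reproduced here.
KNOWN_WINDOWS: List[Window] = [
    Window("ram", req_start=0x000000, size=0x10000, phys_base=0x08000000),
]


def req_to_phys(req_addr: int, windows: List[Window] = KNOWN_WINDOWS) -> Optional[int]:
    """Model of the BCM handler: rebase a request address, or return None when it
    falls outside every window (the firmware then answers with null bytes)."""
    if not 0 <= req_addr <= MODE35_ADDR_MAX:
        raise ValueError("mode $35 address must fit in 3 bytes")
    for w in windows:
        if w.holds_req(req_addr):
            return w.phys_base + (req_addr - w.req_start)
    return None


def _window_for_phys(phys_addr: int, windows: List[Window]) -> Optional[Window]:
    return next((w for w in windows if w.holds_phys(phys_addr)), None)


def phys_to_req(phys_addr: int, windows: List[Window] = KNOWN_WINDOWS) -> Optional[int]:
    """Inverse mapping: which 3-byte request address reaches a given MCU address."""
    w = _window_for_phys(phys_addr, windows)
    return None if w is None else w.req_start + (phys_addr - w.phys_base)


def plan_dump(phys_start: int, length: int, chunk: int = 0x80,
              windows: List[Window] = KNOWN_WINDOWS) -> List[Tuple[int, int]]:
    """Split a physical range into (request_address, n) reads that never cross a
    window boundary; raise if any byte has no window (it would read back as 0x00)."""
    plan: List[Tuple[int, int]] = []
    addr, end = phys_start, phys_start + length
    while addr < end:
        w = _window_for_phys(addr, windows)
        if w is None:
            raise ValueError(f"0x{addr:08X} is not reachable through mode $35")
        n = min(chunk, end - addr, w.phys_base + w.size - addr)
        plan.append((w.req_start + (addr - w.phys_base), n))
        addr += n
    return plan


ReadBlock = Callable[[int, int], bytes]   # read_block(req_addr, n) -> n bytes


def dump(phys_start: int, length: int, read_block: ReadBlock, chunk: int = 0x80,
         windows: List[Window] = KNOWN_WINDOWS) -> Tuple[bytes, List[int]]:
    """Dump a physical range through any read_block transport. All-zero chunks are
    returned separately: the module answers unmapped reads with nulls, so a run of
    zeros should be checked against the map before it is trusted as real content."""
    out = bytearray()
    zero_chunks: List[int] = []
    for req, n in plan_dump(phys_start, length, chunk, windows):
        data = read_block(req, n)
        if len(data) != n:
            raise IOError(f"short read at request 0x{req:06X}: {len(data)} of {n} bytes")
        if not any(data):
            zero_chunks.append(req)
        out += data
    return bytes(out), zero_chunks


class SimulatedBcm:
    """Offline stand-in for the module: a constructed memory image answered the way
    the post describes (rebased inside a window, 0x00 outside)."""

    def __init__(self, image: Dict[int, int], windows: List[Window] = KNOWN_WINDOWS):
        self.image = image        # {physical address: byte value}
        self.windows = windows

    def read_block(self, req_addr: int, n: int) -> bytes:
        out = bytearray()
        for i in range(n):
            phys = req_to_phys(req_addr + i, self.windows)
            out.append(0 if phys is None else self.image.get(phys, 0))
        return bytes(out)


def demo() -> Tuple[bool, List[int]]:
    """Round trip over a constructed 512-byte RAM image placed at 0x08000100."""
    pattern = bytes((i * 7 + 3) & 0xFF for i in range(0x200))   # constructed sample data
    image = {0x08000100 + i: b for i, b in enumerate(pattern)}
    data, zero_chunks = dump(0x08000100, len(pattern), SimulatedBcm(image).read_block)
    return data == pattern, zero_chunks


if __name__ == "__main__":
    ok, zeros = demo()
    print("round trip ok:", ok, "all-zero chunks:", [hex(z) for z in zeros])
```

To use it against a real module, replace `SimulatedBcm.read_block` with a function that sends the mode $35 request for `req_addr` over your VPW interface and returns the payload bytes; `plan_dump` keeps every request inside one window so a dump never silently straddles into an unmapped region, and the `zero_chunks` list is the check to run before concluding a region is genuinely empty rather than simply outside the map.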
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

This is amazing, I can't wait to try it out! I have been touching up my programming skills and was able to get an ELM327 to do some interesting stuff today. I was motivated after using it to read the BCM, thanks to Gatecrasher! And now I was able to change the ELM327 protocol to send some CAN commands as well. So far I can reset the SDM code in the BCM (VPW) and reset the clutch position learn (CAN). All of these things are necessary when swapping a new or used BCM in. This is the complete list that will need to be finished for a BCM swapping utility:

-Clutch learn
-Security learn (VATS)
-SDM code set in BCM
-Write BCM cluster mileage (can be done with a chip clip; ideally we can do this via the OBD2 port)
-Learn the remotes to the BCM
-Set the tire pressure, and learn the TPMS sensor positions
-Set up the VIN (VPW 3C, 3F, 3B commands don't work); I can only set this up via chip clip.

Ideally these can all be done via ELM327. I am using a VPW and CAN sniffer to decipher the messages sent via Tech 2.
kur4o
Posts: 945
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

To change options you first need to unlock the BCM, then set the ignition counter to >0; then you have limited ignition cycles to set the new options like VIN and so on.
With an ELM device on the VPW bus you can do some custom scripts with Universal Patcher to do it, or even dump the ROM with mode 23 or 35.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

kur4o wrote: To change options you first need to unlock the BCM, then set the ignition counter to >0; then you have limited ignition cycles to set the new options like VIN and so on.
With an ELM device on the VPW bus you can do some custom scripts with Universal Patcher to do it, or even dump the ROM with mode 23 or 35.

Interesting. I can unlock it using an ELM327 or Mongoose Pro with VPW Explorer, or with a script. I have not noticed any bit of code that the Tech 2 sends to set up the ignition counter to zero. Do you know what they are, or how to do it with a Tech 2? Then I can just monitor what is sent via the Tech 2. DPS and TIS2000 with Tech 2 do attempt to change the BCM VIN in the Colorado/H3 using either 3B or 3C after security access is granted, but it always fails to change the VIN. I even tried it with a virgin brand new BCM, and the VIN never changed; it was xxxxxxxxxxxxxx, and therefore when programming with TIS2000 it gets to 99%, then crashes and fails, but still works fine; it's only because the VIN failed to change.

The only way I was able to change the VIN was to actually pull the EEPROM file using a chip clip and change it that way.

The SDM code can be changed after security unlock by sending 3C/3B commands, and it doesn't require setting the ignition counter to 0. They are both stored on the same EEPROM chip.
kur4o
Posts: 945
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

On earlier-year BCMs that were not programmable and had one-time option setup, I managed to reconfigure options and part of the VIN using that sequence. Usually the Tech 2 checks the ignition counter: if it is set to zero, it fails and exits; if >0, it proceeds with the commands. You can read all 3C info from the module with a script, then try to change whatever you like. It should accept or give a negative response. The timeframe is tight, so a script is needed for better results. It also may need a proper ignition-off shutdown sequence to overwrite the VIN in EEPROM.

I'm sending you a script that will read all 3C commands.

Replace the algo number with your module's algo on this line:

getseed:5:42 (42 = algo number)

It is set up for PCM and BCM 3C dumps, so ignore what is not needed.
Attachment: 3c_read.txt (387 Bytes)
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

kur4o wrote: On earlier-year BCMs that were not programmable and had one-time option setup, I managed to reconfigure options and part of the VIN using that sequence. Usually the Tech 2 checks the ignition counter: if it is set to zero, it fails and exits; if >0, it proceeds with the commands. You can read all 3C info from the module with a script, then try to change whatever you like. It should accept or give a negative response. The timeframe is tight, so a script is needed for better results. It also may need a proper ignition-off shutdown sequence to overwrite the VIN in EEPROM.

I'm sending you a script that will read all 3C commands.

Replace the algo number with your module's algo on this line:

getseed:5:42 (42 = algo number)

It is set up for PCM and BCM 3C dumps, so ignore what is not needed.

I see. Well, I have sent these in VPW Explorer before, but I guess I didn't physically switch the key off then on, so maybe it will work?