Colorado / H3 BCM hacking
Re: Colorado / H3 BCM hacking
41 4b = AK in ASCII, or some alpha code for the version identifier of the p/n. Most segments have it.
To use the script you need this program.
https://github.com/joukoy/UniversalPatcher/blob/master/UniversalPatcher-Full.Zip
Unzip to a folder and run the exe. Go to file->mode->advanced, then go to utilities-logger
Settings tab->select device and connect
Go to vpw console tab->check all checkboxes->you should see some idle traffic->upload script
Save log for debugging if there is some issue with the script.
Re: Colorado / H3 BCM hacking
Sweet, thanks a lot, this will be helpful!
How about to program? Can we use mode 36 to write anything?
Re: Colorado / H3 BCM hacking
I have tested some script that will read a pcm with custom upload and command set and it works fine.
Writing is a bit risky because there is no way to handle errors on bus communication. For smaller calibrations like the bcm it may be less risky and it can be tested.
A good log of the programming event will be needed to get correct timings.
There is another cool feature to convert a bin to a mode 36 commands script. You can look at it at logger->action->parse bin to a script.
Re: Colorado / H3 BCM hacking
Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.
Attachments: Bcm_update.rar (5.62 KiB)
Re: Colorado / H3 BCM hacking
kur4o wrote: Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.
Nice, thanks :)
What would go here to read ..
36 00 10 00 02 00 (this is 16 bits I want to write)
Say I want to write one line of code, which I think is 16 bits?
At address 2000 hex or 8192 decimal?
Re: Colorado / H3 BCM hacking
With mode 36 you can upload data to ram, either upload only or upload and execute. It is usually preceded with mode 34.
The format is like this: 36 [execute BYTE] [size] [address] [data] [block checksum]
To write anything else on the bcm, the code that is uploaded needs to have a way to communicate with the tool and execute custom commands like erasing the memory, programming memory, and storing messages to a buffer before writing them.
If you have a dump of sps writing to bcm we can do some script with it.
Otherwise only writing to ram is possible, but not sure what modes the bcm supports.
Re: Colorado / H3 BCM hacking
I just want to write to ram. I want to see if changing the eeprom copy in ram will update the eeprom after key off, it might?
So what do I send? 36 00 10 02 00 my code
I think the tool calculates checksums automatically?
Re: Colorado / H3 BCM hacking
The 36 upload range is hardcoded in the bcm, so you can upload in a very specific range. You need to make some bcm code that basically uploads to that range, copies some data to ram and exits, without resetting the bcm.
The mode 36 block checksum is not the crc byte that is added by the tool. It is a 16-bit sum from byte 4 till the end of data.
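The block layout and checksum rule described in the posts above, as an added example that is not part of the thread or of UniversalPatcher: a pre-flight check for one mode 36 line taken from a script or saved log. The 3-byte VPW header, the 2-byte size and 3-byte address widths, big-endian order, reading "byte 4" as zero-based index 4, and all sample bytes are assumptions.

```python
# Added example: consistency check for a mode 36 block before it goes on the bus.
# Assumed layout (widths are not stated in the thread): 3-byte VPW header, then
# 36 [execute:1] [size:2] [address:3] [data:size] [block checksum:2], big-endian.
HEADER_LEN = 3   # assumption: priority, target, source bytes
SUM_START = 4    # "byte 4", read here as zero-based index (the execute byte)
MIN_LEN = HEADER_LEN + 1 + 1 + 2 + 3 + 2   # frame with zero data bytes


def block_sum(frame_without_sum: bytes) -> int:
    """16-bit sum from SUM_START to the end of data (checksum bytes excluded)."""
    return sum(frame_without_sum[SUM_START:]) & 0xFFFF


def build_block(header: bytes, execute: int, address: int, data: bytes) -> bytes:
    """Assemble a block and append its 16-bit block checksum."""
    body = (header + bytes([0x36, execute]) + len(data).to_bytes(2, "big")
            + address.to_bytes(3, "big") + data)
    return body + block_sum(body).to_bytes(2, "big")


def check_block(line: str) -> list[str]:
    """Return the problems found in one hex-text frame (empty list = consistent)."""
    try:
        frame = bytes.fromhex(line)
    except ValueError:
        return ["not valid hex"]
    if len(frame) < MIN_LEN:
        return ["frame too short for a mode 36 block"]
    problems = []
    if frame[HEADER_LEN] != 0x36:
        problems.append(f"mode byte is {frame[HEADER_LEN]:02X}, not 36")
    size = int.from_bytes(frame[5:7], "big")
    if size != len(frame) - MIN_LEN:
        problems.append(f"size field {size} != {len(frame) - MIN_LEN} data bytes")
    stored, expected = int.from_bytes(frame[-2:], "big"), block_sum(frame[:-2])
    if stored != expected:
        problems.append(f"block checksum {stored:04X}, expected {expected:04X}")
    return problems


# Constructed sample lines (not from a real log): intact, one flipped data byte,
# and one data byte lost in transit.
SAMPLES = ["6C 10 F0 36 00 00 02 00 20 00 12 34 00 68",
           "6C 10 F0 36 00 00 02 00 20 00 12 35 00 68",
           "6C 10 F0 36 00 00 02 00 20 00 12 00 68"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_block(s) or "ok")
```
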
Re: Colorado / H3 BCM hacking
Anyone know what language the older bcm, or the newer one uses?
Is it Intel x86?
So I would need to write a program that loads in ram with the first instruction at index zero?
- Gatecrasher
Re: Colorado / H3 BCM hacking
It's ARM7TDMI, big endian.
I absolutely hate it. The disassembled code is a clusterfuck.