Colorado / H3 BCM hacking

[kur4o Profile]

41 4b =AK in ascii or some alpha code for version identifier of p/n. Most segments have it.

To use the script you need this program.
https://github.com/joukoy/UniversalPatcher/blob/master/UniversalPatcher-Full.Zip

unzip to a folder and run the exe. goto file->mode->advanced, than goto utilities-logger

Settings tab->select device and connect
Goto vpw console tab->check all checkboxes->you should see some idle traffic->upload script

Save log for debugging if there is some issue with the script.

[04colyZQ8 Profile]

Sweet thanks a lot this will be helpful!

How about to program? can we use mode 36 to write anything ?

[kur4o Profile]

I have tested some script that will read a pcm with custom upload and command set and it works fine.
Writing is a bit risky because there is no way to handle errors on bus communication. For smaller calibrations like the bcm it may be less risky and it can be tested.

A good log of the programming event will be needed to get correct timings.

There is another cool features to convert a bin to mode 36 commands script. You can look at it at logger->action->parse bin to a script.

[kur4o Profile]

Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.

[04colyZQ8 Profile]

Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.

Nice thanks:)

What would go here to read ..
36 00 10 00 02 00 (this is 16 bits I want to write)

Say I want to write one line of code which i think is 16 bits?
At address 2000 hex or 8192 decimal?

[kur4o Profile]

With mode 36 you can upload data to ram, either upload only or upload and execute. It is usually preceded with mode 34.

The format is as this 36 [execute BYTE] [size] [address] [data] [block checksum]

To write anything other on bcm, the code that is uploaded needs to have a way to communicate with tool and execute custom commands like erasing the memory, program memory, and storing messages to buffer before writing them.

If you have a dump of sps writing to bcm we can do some script with it.

Otherwise only writing to ram is possible, but not sure what modes the bcm supports.

[04colyZQ8 Profile]

I just want to write to ram I want to see if changing the eeprom
Copy in ram will update the eeprom after key off, it might?

So what do I send? 36 00 10 02 00 my code

I think the tool calculates checksums automatically?

[kur4o Profile]

The 36 upload range is hardcoded in bcm, so you can upload in very specific range. You need to make some bcm code that basically uploads to that range copy some data to ram and exit, without resetting bcm.

The mode 36 block checksum is not the crc byte that is added by tool. It is 16 bit sum from byte 4 till end of data.

[04colyZQ8 Profile]

Anyone know what language the older bcm, or the newer one uses?

Is it Intel x86?

So i would need to write a program that loads in ram with first Instruction at index zero?

[Gatecrasher Profile]

It's ARM7TDMI, big endian.

I absolutely hate it. The disassembled code is a clusterfuck.