Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.

Re: Colorado / H3 BCM hacking

Postby kur4o » Wed Sep 21, 2022 4:39 pm

41 4b = AK in ASCII, or some alpha code for version identifier of p/n. Most segments have it.

To use the script you need this program.
https://github.com/joukoy/UniversalPatcher/blob/master/UniversalPatcher-Full.Zip

Unzip to a folder and run the exe. Go to file->mode->advanced, then go to utilities-logger

Settings tab->select device and connect
Go to vpw console tab->check all checkboxes->you should see some idle traffic->upload script

Save log for debugging if there is some issue with the script.

Postby 04colyZQ8 » Thu Sep 22, 2022 12:05 am

Sweet thanks a lot this will be helpful!

How about to program? Can we use mode 36 to write anything?

Postby kur4o » Thu Sep 22, 2022 12:34 am

I have tested some script that will read a pcm with custom upload and command set and it works fine.
Writing is a bit risky because there is no way to handle errors on bus communication. For smaller calibrations like the bcm it may be less risky and it can be tested.

A good log of the programming event will be needed to get correct timings.

There is another cool feature to convert a bin to a mode 36 commands script. You can look at it at logger->action->parse bin to a script.

Postby kur4o » Thu Sep 22, 2022 8:05 am

Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.
Attachments
Bcm_update.rar

Postby 04colyZQ8 » Sat Sep 24, 2022 3:53 am

kur4o wrote: Some updates for the new 64kb files. Unzip to xml folder and overwrite any previous versions. Since we have the segments cvn it will also tell if a file is stock.

Nice thanks:)

What would go here to read ..
36 00 10 00 02 00 (this is 16 bits I want to write)

Say I want to write one line of code which I think is 16 bits?
At address 2000 hex or 8192 decimal?

Postby kur4o » Sat Sep 24, 2022 5:43 am

With mode 36 you can upload data to ram, either upload only or upload and execute. It is usually preceded with mode 34.

The format is as this: 36 [execute BYTE] [size] [address] [data] [block checksum]

To write anything other on bcm, the code that is uploaded needs to have a way to communicate with tool and execute custom commands like erasing the memory, program memory, and storing messages to buffer before writing them.

If you have a dump of sps writing to bcm we can do some script with it.

Otherwise only writing to ram is possible, but not sure what modes the bcm supports.

Postby 04colyZQ8 » Sun Sep 25, 2022 4:33 am

I just want to write to ram. I want to see if changing the eeprom copy in ram will update the eeprom after key off, it might?

So what do I send? 36 00 10 02 00 my code

I think the tool calculates checksums automatically?

Postby kur4o » Mon Sep 26, 2022 3:14 am

The 36 upload range is hardcoded in bcm, so you can upload in a very specific range. You need to make some bcm code that basically uploads to that range, copies some data to ram and exits, without resetting bcm.

The mode 36 block checksum is not the crc byte that is added by tool. It is a 16-bit sum from byte 4 till the end of data.
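
An added example, not code from the thread or from UniversalPatcher: a parser that checks the block checksum of a logged mode 36 frame using the layout and sum rule described above. The 3-byte header, 2-byte size, 3-byte address, big-endian checksum and zero-based "byte 4" are assumptions, and the sample frame is constructed.

```python
# Added example; field widths and byte numbering are assumptions, not from the thread.
from dataclasses import dataclass

HEADER_LEN = 3   # assumed: three VPW header bytes before the mode byte
SUM_START = 4    # "byte 4", assumed zero-based from the start of the frame


@dataclass
class Mode36Block:
    execute: int
    size: int
    address: int
    data: bytes
    checksum: int


def block_sum(frame_without_sum: bytes) -> int:
    """16-bit additive sum from byte 4 to the end of data."""
    return sum(frame_without_sum[SUM_START:]) & 0xFFFF


def parse_mode36(frame: bytes) -> Mode36Block:
    """Parse one logged frame (tool-added CRC byte already stripped) and verify it."""
    if len(frame) < HEADER_LEN + 1 + 1 + 2 + 3 + 2:
        raise ValueError("frame too short for a mode 36 block")
    if frame[HEADER_LEN] != 0x36:
        raise ValueError("not a mode 36 frame")
    execute = frame[4]
    size = int.from_bytes(frame[5:7], "big")       # assumed 2-byte size
    address = int.from_bytes(frame[7:10], "big")   # assumed 3-byte address
    data, tail = frame[10:-2], frame[-2:]
    if len(data) != size:
        raise ValueError(f"size field {size} != payload length {len(data)}")
    checksum = int.from_bytes(tail, "big")         # assumed big-endian
    expected = block_sum(frame[:-2])
    if checksum != expected:
        raise ValueError(f"block checksum {checksum:04X}, expected {expected:04X}")
    return Mode36Block(execute, size, address, bytes(data), checksum)


# Constructed sample: header 6D 10 F0, execute byte 00, 2 data bytes at 0x002000.
SAMPLE = bytes.fromhex("6D10F0" "36" "00" "0002" "002000" "1234" "0068")
```

A frame whose size field or block sum does not match is rejected with a `ValueError`, which makes it easy to spot damaged or truncated blocks in a saved log.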

Postby 04colyZQ8 » Tue Sep 27, 2022 5:20 am

Anyone know what language the older bcm, or the newer one uses?

Is it Intel x86?

So I would need to write a program that loads in ram with first instruction at index zero?

Postby Gatecrasher » Tue Sep 27, 2022 11:23 pm

It's ARM7TDMI, big endian.

I absolutely hate it. The disassembled code is a clusterfuck.