Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

39D98483-DF41-4300-A41E-A581D0C17AD4.jpeg
I believe this is the processor used in the early BCMs.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

It could be, but the number of pins is way off? I count around 104ish pins; I lost count, but much more than the 44 or 68 that I saw in the TMS370 manual?

Here is the 2011 BCM utility-file-only log. Search for this as hex in the utility file and you will find it: 00 08 00 0C 28 08 00 0F 2C 08 00 10 30 (see code below). Should be able to piece together the kernel with this? I just need some help: what does this point to? "6D 40 F0 36 00 00 1E 00 0B 82 00" What's the address in RAM? I want to copy it into my RAM; where does it start? Is it 00 0B 82 00 or 00 0B 82? And is that actual? Like in the RAM file I posted on the 2011, since it was read at memory location 0, does that mean it would go at location 00 0B 82 00 or 00 0B 82 in the RAM file in a hex editor? And the addressing seems off? I couldn't get the next segment of code to line up at 0B F2, and the given lengths do not entirely join up; there are a few bytes missing between them. Does the length given account for the 16-byte block checksum as well? Is that why?

Also note that F2 66 FC is at the top of the utility file as well as in the first part of the kernel that is sent in, and it is the GM part number 15886076.


Utility File: 25960212_00.BIN
Utility File Step=01 Opcode=28
20:01:53.7< 6C FE F0 28 00 [0005]
20:01:53.7> 6C F0 40 68 00 [0005]
20:01:53.7> 6C F0 60 68 00 [0005]
Utility File Step=02 Opcode=27
20:01:55.8< 6C FE F0 28 00 [0005]
20:01:55.8> 6C F0 40 68 00 [0005]
20:01:55.8> 6C F0 60 68 00 [0005]
20:01:56.0< 8C FE F0 3F [0004]
20:01:57.9< 6C 40 F0 27 01 [0005]
20:01:57.9> 6C F0 40 67 01 C2 F0 [0007]
20:01:57.9< 6C 40 F0 27 02 C6 59 [0007]
20:01:57.9> 6C F0 40 67 02 34 [0006]
Utility File Step=03 Opcode=FD
Utility File Step=04 Opcode=FD
Utility File Step=05 Opcode=3B
20:01:58.0< 6C 40 F0 3B 01 00 31 4B 43 43 53 [0011]
20:01:58.0> 6C F0 40 7F 3B 01 00 31 4B 43 33 [0011]
Utility File Step=08 Opcode=3C
20:01:58.0< 6C 40 F0 3C 01 [0005]
20:01:58.0> 6C F0 40 7C 01 00 31 6B 43 43 53 [0011]
Utility File Step=0C Opcode=FB
Utility File Step=0D Opcode=AE
20:01:58.0< 6C 40 F0 AE FE 00 00 00 00 00 80 [0011]
20:01:58.1> 6C F0 40 EE FE E1 [0006]
20:01:58.1< 8C FE F0 3F [0004]
Utility File Step=0E Opcode=A0
20:01:58.1< 8C FE F0 3F [0004]
20:01:58.2< 6C FE F0 A0 [0004]
20:01:58.2> 6C F0 40 E0 AA [0005]
20:01:58.2> 6C F0 60 E0 BB [0005]
Utility File Step=0F Opcode=A1
20:02:00.3< 8C FE F0 3F [0004]
20:02:00.3< 6C FE F0 A1 [0004]
20:02:01.5< 8C FE F0 3F [0004]
Utility File Step=10 Opcode=34
20:02:01.5< 6C 40 F0 34 [0004]
20:02:01.6> 6C F0 40 74 44 [0005]
Utility File Step=11 Opcode=B0
20:02:01.6< 8C FE F0 3F [0004]
20:02:01.7< 6D 40 F0 36 00 00 1E 00 0B 82 00 00 08 00 0C 28 08 00 0F 2C 08 00 10 30 .. [0042] //cut off actual code longer should be 1E long?
20:02:01.7> 6C F0 40 76 00 78 [0006]
20:02:01.7> 6C F0 40 76 00 73 [0006]
Utility File Step=12 Opcode=B0
20:02:01.7< 8C FE F0 3F [0004]
20:02:01.8< 6D 40 F0 36 00 00 32 00 0B F2 00 00 00 00 00 00 00 00 20 00 00 00 40 00 .. [0062] //cut off actual code longer should be 32 long?
20:02:01.8> 6C F0 40 76 00 78 [0006]
20:02:01.8> 6C F0 40 76 00 73 [0006]
Utility File Step=13 Opcode=B0
20:02:01.8< 8C FE F0 3F [0004]
20:02:01.9< 6D 40 F0 36 00 03 02 00 0C 26 00 00 E2 8F C0 01 E1 2F FF 1C B5 30 4C 0A .. [0782] //cut off actual code longer should be 302 long?
20:02:02.0> 6C F0 40 76 00 78 [0006]
20:02:02.0> 6C F0 40 76 00 73 [0006]
Utility File Step=14 Opcode=B0
20:02:02.1< 8C FE F0 3F [0004]
20:02:02.1< 6D 40 F0 36 00 01 02 00 0F 2A 00 00 E2 8F C0 01 E1 2F FF 1C B5 F0 B0 88 .. [0270] //cut off actual code longer should be 102 long?
20:02:02.1> 6C F0 40 76 00 78 [0006]
20:02:02.1> 6C F0 40 76 00 73 [0006]
Utility File Step=15 Opcode=B0
20:02:02.2< 8C FE F0 3F [0004]
20:02:02.2< 6D 40 F0 36 00 02 C6 00 10 2E 00 00 E2 8F C0 01 E1 2F FF 1C B5 F0 B0 8D .. [0722] //cut off actual code longer should be 02 C6 long?
20:02:02.4> 6C F0 40 76 00 78 [0006]
20:02:02.4> 6C F0 40 76 00 73 [0006]
Utility File Step=16 Opcode=B0
20:02:02.4< 8C FE F0 3F [0004]
20:02:02.5< 6D 40 F0 36 00 03 DA 00 12 F6 00 00 E2 8F C0 01 E1 2F FF 1C B5 F0 B0 89 .. [0998] //cut off actual code longer should be 12 56 long?
20:02:02.6> 6C F0 40 76 00 78 [0006]
20:02:02.7> 6C F0 40 76 00 73 [0006]
Utility File Step=17 Opcode=B4
Downloading CAL File: ���q0X�`.BIN //this is because I didn't build it with any segments otherwise it would be the OS number.BIN
Utility File Step=33 Opcode=EE

Here is the utility file:

bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I believe it's an ASIC made for GM by TI, using a TMS370 and J1850 controller and EEPROM all in one chip.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

I totally forgot that you posted that earlier. Nice find. Damn shame we don't have a disassembler for it. I looked over what it would take to write one in Ghidra, and it looks pretty tedious.
In-Tech
Posts: 787
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Colorado / H3 BCM hacking

Post by In-Tech »

I kinda thought it might be TMS370. I'll look for the disassembler and simulator we were using on those back in the early 2000s. I fear the stuff could be long gone now though :(
In-Tech
Posts: 787
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Colorado / H3 BCM hacking

Post by In-Tech »

Here is the data manual
1993_TI_TMS370_Family_Data_Manual.rar
(16.32 MiB) Downloaded 60 times
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

The B0 in the utility file is a download-to-RAM instruction that creates the mode 36 message. The 40 is the module ID; the next byte is the routine to download from the end of the utility file. The next byte is unused. Then the next byte tells it to download and execute or just download; 00 means to just download. The B4 is similar to B0 but is used to download calibrations. I think the AE command just before the first B0 command jumps the program code to the bootloader and waits for the RAM downloads, then the calibration downloads. The utility file never sends a download with an execute command. From reading the data sheet I would think the RAM downloads are downloaded to 0x08000B82. The bootloader must add the 80 onto the address because mode 36 only uses 3-byte addresses.
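As an added example (not code from this thread or from GM's tools), here is a small Python parser for the mode 36 frames in the log above, split the way bbmike describes them: 3-byte header, 36, the download/execute flag, a 2-byte length, a 3-byte address, then the data. It assumes the 3-byte address lands at 0x08000000 per bbmike's reading of the data sheet, pads the gaps between non-contiguous blocks with 0xFF, and keeps only `length` data bytes (every bracketed byte count in the log is length + 10 + 2, so two trailing bytes follow the data).

```python
import re

# Assumption (bbmike's reading of the data sheet): the bootloader puts the
# 3-byte mode 36 address under 0x08000000, so 00 0B 82 becomes 0x08000B82.
RAM_BASE = 0x08000000

# Matches tester->module ('<') lines of the log format above; lines whose data
# was cut off with ".." contain non-hex and are skipped on purpose.
FRAME_RE = re.compile(r"^\s*\d\d:\d\d:\d\d\.\d<\s*((?:[0-9A-Fa-f]{2}\s+)+)\[(\d+)\]")


def parse_mode36(frame: bytes) -> dict:
    """Split one mode 36 request into header, flag, length, address and data."""
    if len(frame) < 10 or frame[3] != 0x36:
        raise ValueError("not a mode 36 request")
    flag = frame[4]                                  # 00 = download only
    length = int.from_bytes(frame[5:7], "big")       # bytes of code that follow
    addr = int.from_bytes(frame[7:10], "big")        # 3-byte RAM address
    data = frame[10:10 + length]                     # trailing bytes are ignored
    if len(data) != length:
        raise ValueError(f"frame truncated: have {len(data)} of {length} data bytes")
    return {"execute": flag != 0x00, "length": length,
            "addr": RAM_BASE + addr, "data": data}


def requests_from_log(text: str) -> list:
    """Return the raw bytes of every complete tester->module frame in a log."""
    return [bytes.fromhex(m.group(1))
            for line in text.splitlines()
            if (m := FRAME_RE.match(line))]


def rebuild_image(frames, fill=0xFF) -> tuple:
    """Lay each mode 36 block at its RAM address; returns (base, image).

    Blocks need not be contiguous (in the log 0x0B82 + 0x1E ends well before
    0x0BF2), so the space between them is padded with `fill`.
    """
    blocks = [parse_mode36(f) for f in frames if len(f) > 3 and f[3] == 0x36]
    if not blocks:
        return 0, b""
    lo = min(b["addr"] for b in blocks)
    hi = max(b["addr"] + b["length"] for b in blocks)
    image = bytearray([fill]) * (hi - lo)
    for b in blocks:
        off = b["addr"] - lo
        image[off:off + b["length"]] = b["data"]
    return lo, bytes(image)


# Constructed sample log (not from the thread): same line format as above, but
# with short, complete frames and the two trailing bytes the real byte counts imply.
SAMPLE_LOG = """\
20:02:01.7< 6D 40 F0 36 00 00 04 00 0B 82 08 00 0C 28 AA BB [0016]
20:02:01.7> 6C F0 40 76 00 78 [0006]
20:02:01.8< 6D 40 F0 36 00 00 02 00 0B 8A 11 22 AA BB [0014]
20:02:01.8> 6C F0 40 76 00 73 [0006]
"""


def demo() -> tuple:
    """Rebuild the RAM image from the constructed sample log."""
    return rebuild_image(requests_from_log(SAMPLE_LOG))


if __name__ == "__main__":
    base, image = demo()
    print(f"image at 0x{base:08X}, {len(image)} bytes: {image.hex(' ').upper()}")
```

Feeding the parser the real log would need the full, uncut frames; the `..` lines here are skipped by design.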
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

In-Tech wrote: Here is the data manual
1993_TI_TMS370_Family_Data_Manual.rar
That looks to be for the 8-bit micros. These BCMs use the 16-bit version of the TMS370.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

bbmike wrote: The B0 in the utility file is a download-to-RAM instruction that creates the mode 36 message. The 40 is the module ID; the next byte is the routine to download from the end of the utility file. The next byte is unused. Then the next byte tells it to download and execute or just download; 00 means to just download. The B4 is similar to B0 but is used to download calibrations. I think the AE command just before the first B0 command jumps the program code to the bootloader and waits for the RAM downloads, then the calibration downloads. The utility file never sends a download with an execute command. From reading the data sheet I would think the RAM downloads are downloaded to 0x08000B82. The bootloader must add the 80 onto the address because mode 36 only uses 3-byte addresses.
You're right on with all of that. I threw the attached file together yesterday. It's the flash kernel remapped as it would appear in RAM. Load it into Ghidra with the following settings:
09kernelGhidra.png
Let it run the auto analysis if you want. I don't know if it matters. When that's done, go to 0x8000b82, and create four address pointers (P key). That'll give you the entry points for the four main functions in this thing.
09kernelptr.png
Then you can go through the code, and see what a vague mess it is. It's nothing like the truck EBCM TMS470R1X kernel that I took apart. That one followed the TI example code almost exactly.

It makes no damn sense to me. If someone else can figure it out and post their findings, I'll be the first one in line to buy you something really nice to drink.
Attachments
09 GMT355 BCM Kernel mapped.bin
In-Tech
Posts: 787
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Colorado / H3 BCM hacking

Post by In-Tech »

bbmike wrote:
In-Tech wrote: Here is the data manual
1993_TI_TMS370_Family_Data_Manual.rar
That looks to be for the 8-bit micros. These BCMs use the 16-bit version of the TMS370.
Hehe, yes. Even back in my play days the TMS370 stuff could do way more than this guide outlined, and I bet GM had their own version too. For me, this was just a guide. We found the ASIC was used a lot during communication for the header/footer. Dumping the ASIC was quite the treat :wall: :comp:
It still all boiled down to 8-bit even with 16-bit addressing.

I'm going to get some BCMs so I can play along with y'all :thumbup: