Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Posts: 15
Joined: Sat Apr 25, 2020 6:09 am

Colorado / H3 BCM hacking

Postby Gatecrasher » Thu Dec 10, 2020 1:52 pm

This all started with me wanting to see if I could disable the TPMS in the BCM on my truck. Not so much because I didn't want to fix it, but because everyone says it's not possible. Export models of the Hummer H3 don't have it enabled, and they use the same BCM hardware, so obviously it's possible. 04-06 Colorados don't have TPMS at all, and all years (06-10) of North American H3s do have TPMS. Since I like a challenge, I decided to see what I could do.

There are two different versions of this BCM: 04-08 and 09-12. There are also some variants that don't have the keyless entry RF hardware in the upper right corner, but they use the same MCUs as far as I know. Another nice thing is all the 09-12 BCMs use the same operating system regardless of market or model.

This is the 04-08 version.

BCM GMT345-355 04-08.jpg

And this is the 09-12.

BCM GMT345-355 09-12.jpg

The chip on the first version is labeled F16E88PJA11. So far I haven't been able to pin down exactly what it is. Fortunately the 09+ module uses a TI TMS470PLF111. Documentation for that specific chip isn't complete, at least not publicly, but there's enough out there to get started. The data sheet with the pinout and internal flash details has been enough so far. I think the same chip, or one very similar, is used in some GMT800 BCMs, but I'm not totally certain of that.

This chip has an ARM7TDMI core and JTAG pins that are exposed on the board. After a lot of trial and error, I was able to get it talking to OpenOCD through a Bus Pirate. It wasn't perfect, but it was good enough to dump the flash out of it. I'll get the pinout and config files up once I get those cleaned up. It only has 128K of onboard flash, and only about 94k of that is filled. It disassembles nicely in IDA using the big endian ARM option, so it should be relatively easy to disassemble compared to most ECMs.

I think I've already found where the TPMS disable bit is, but I can't test it until I figure out how to correct the calibration checksums. I was really hoping it was something you could toggle on or off in the EEPROM via a mode $AE request or something, but so far it doesn't look that way. I'm not too deep into this yet, so it may still be possible.

While I was researching this, I did figure out how to do a TPMS disable on a GMT800 passenger door module using some $AE and $3B commands. But the same technique totally failed when applied to the Colorado BCM.

I might also look into a DRL disable, and maybe see about enabling the rear fog light button from the export H3 to control some off road lights. There are easier ways to get the same results, but they wouldn't be nearly as interesting or satisfying.
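Added example, not code from the original post: a quick sanity check for the "big endian ARM" observation above. It assumes the dump starts at address 0 with the ARM7TDMI exception vector table, decodes the eight vector slots under both byte orders, and picks the order under which more slots decode to valid branch instructions. The sample vector table bytes are constructed for illustration.

```python
import struct

# ARM7TDMI exception vectors: eight 32-bit words at address 0.
VECTOR_NAMES = ["reset", "undef", "swi", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]

def decode_vector(word, addr):
    """Decode one vector slot at address `addr`.

    Accepts an always-executed B <target> (0xEAxxxxxx) or
    LDR pc, [pc, #imm12] (0xE59FFxxx); returns (kind, target) or None.
    """
    if (word & 0xFF000000) == 0xEA000000:        # B <target>
        off = word & 0x00FFFFFF
        if off & 0x800000:                       # sign-extend the 24-bit field
            off -= 0x1000000
        return ("B", (addr + 8 + off * 4) & 0xFFFFFFFF)  # PC reads as addr+8
    if (word & 0xFFFFF000) == 0xE59FF000:        # LDR pc, [pc, #imm12], U=1
        return ("LDR", addr + 8 + (word & 0xFFF))
    return None                                  # slot 5 is often zero/signature

def vector_table(blob, endian):
    """Decode the first 32 bytes of `blob` as a vector table in `endian` order."""
    fmt = ">8I" if endian == "big" else "<8I"
    words = struct.unpack(fmt, blob[:32])
    return [decode_vector(w, i * 4) for i, w in enumerate(words)]

def guess_endianness(blob):
    """Return (endian, decoded_slots) for the byte order that decodes best."""
    scores = {}
    for endian in ("big", "little"):
        decoded = vector_table(blob, endian)
        scores[endian] = (sum(d is not None for d in decoded), decoded)
    best = max(scores, key=lambda e: scores[e][0])
    return best, scores[best][1]

# Constructed sample (big-endian): B 0x40, B 0x100, LDR pc,[pc,#0x18],
# two self-loops, zeroed reserved slot, B 0x200, B 0x300.
SAMPLE_BIG = bytes.fromhex(
    "EA00000E" "EA00003D" "E59FF018" "EAFFFFFE"
    "EAFFFFFE" "00000000" "EA000078" "EA0000B7")

if __name__ == "__main__":
    endian, slots = guess_endianness(SAMPLE_BIG)
    print("guessed byte order:", endian)
    for name, slot in zip(VECTOR_NAMES, slots):
        print(f"{name:15s} {slot}")
```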

Posts: 318
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Postby kur4o » Sat Dec 12, 2020 4:38 am

There is already a tool that will do any gm checksum.

You can get it here

You can make your own config file or use this one.

I noticed this is segment 3. It will be interesting to see the full dump.

Posts: 15
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Postby Gatecrasher » Sat Dec 12, 2020 12:49 pm

That's cool. I'll have to check that out.

Here's the full bin dump along with some supporting info.
BCM 09 Colorado bin

Posts: 15
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Postby Gatecrasher » Mon Jan 11, 2021 5:16 am

Finally decided to get back to this, and now I'm more frustrated than ever.

The BusPirate wasn't reliably controlling the CPU. I couldn't do halt or reset halt consistently. It looks like it may have been a lucky accident that I got it to halt and dump at all. My thought was maybe the BusPirate is too basic to control this thing, so I switched to a knockoff XDS100v3 I had lying around. Now it doesn't work at all. OpenOCD sees the tool, but the JTAG scan is always zero. As sketchy as the BusPirate was, it would at least reliably see the CPU at startup. I've triple checked the wiring and pinouts, and it all looks correct. When you can't even get the tools to start up, it kind of makes you wonder why you're even bothering.

I'm just frustrated and venting. If anyone has any suggestions, I'm open to pretty much anything at this point.
