Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and devleopment. Going deep with Hardware and Software.
Posts: 19
Joined: Thu Apr 02, 2015 1:10 pm

Re: Colorado / H3 BCM hacking

Postby bbmike » Tue Oct 19, 2021 11:06 am

I can feel your pain. Trying to learn assembly has nearly drove me insane more than once. Have you tried a simulator and stepping through the program. It’s pretty boring. But it helped me make a 7k tach on the 03-07 Silverado clusters. The simulator made it easier to find the way the jumps and ram locations where loaded since they are done from offsets. You need to manually set things like inputs that tell the mcu that the ignition is on and if it reads from the eeprom what the data should be. It also thought me how much faster the mcu can read and execute the program than I can. Also it probably won’t simulate the class 2 hardware.

Posts: 90
Joined: Thu Jan 16, 2014 12:41 pm

Re: Colorado / H3 BCM hacking

Postby 04colyZQ8 » Tue Apr 19, 2022 7:19 am

I have successfully turned off the tpms, in the 07-12 Colorado canyon BCMs. I can also likely disable DRLS, and or at the very least make them so they can be turned off by switching the headlamp switch to the left. I have far too much invested in it though.. to publicly post up the code, but I can tune your BCM if you like.

Posts: 19
Joined: Thu Apr 02, 2015 1:10 pm

Re: Colorado / H3 BCM hacking

Postby bbmike » Sun May 22, 2022 12:07 am

I believe the controller on the first design bcms are a TMS370C16 type. It is a 16 bit version of the TMS370 that was used in ASIC's for manufactures. I have only found 1 pdf that talks about them. It does have the assembly instruction set in it. And doing some manual disassembly it appears to make sense. Too bad I can't find a disassembler for it.

Posts: 64
Joined: Sun May 11, 2014 6:36 pm

Re: Colorado / H3 BCM hacking

Postby Highlander » Thu Jun 30, 2022 10:35 am

04colyZQ8 wrote:Yeah people keep trying to tell me to use the ram to watch for changes and trace it back. Never could get that to happen on the E67, as it wouldn't stay in halt, and kept resting. I think because of its separate ECU chip with some kind of watch dog. Ok It seemed like PE micro had some sort of code to disable watch dogs on the main CPU for the E67, that's why I thought it would also be required for this project.

So in the disassembly it doesn't show where the Fog Lamp enable bit goes to in the OS? Isn't the Os laid out like a bunch of addresses? As the code executes in it's order it would reach address xxxxxxx and jump there to check what the Value is? If xxxxxxx = = 90 then Fog lamps are enabled .... etc.. I just wnat to find that point because there should be a table of values listed in the OS, that are excepted for that address. Then I can try each one and see what it does? Right now I don't really know which values are valid?

I can do that. I've seen live RAM on the E67.


Return to Engineering and Reverse Engineering

Who is online

Users browsing this forum: No registered users and 1 guest