Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

kur4o wrote:6C 40 F0 36 00 01 08 00 00 00

6C 40 F0 36 80 01 08 00 00 00 ...data...[block checksum]

If you are unsure how to calculate block checksum. Post the message you want to send and I will fix it for you.
6C 40 F0 36 00 01 080 00 30 FF FF AA AA

I’ll send this for starters, to RAM offset 30, data OS FF FF AA AA


What checksum?
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

You can only upload to a predefined area that is hardcoded in the BCM ROM. Anything sent outside that range will likely get refused.

To get the block checksum, sum all bytes from the 4th byte on, and the 16-bit result is added at the end.

Before uploading you also need to send a mode 34 message. Not quite sure about the format the BCM will use. An SPS log will help.
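The block checksum kur4o describes (sum every byte from the 4th byte on, append the 16-bit result) written out as a small calculator and checker. This is an added example, not code posted in the thread; it assumes that "4th byte" means the mode byte at index 3 (after the three header bytes), that the sum wraps at 16 bits, and that the trailer is stored high byte first. None of those three details are stated in the post, so confirm them against a captured frame before relying on the verifier.

```python
# Added example: compute and verify the block checksum for a Class 2 mode 0x36
# frame as described in the thread. Assumptions (not stated in the post):
#   - the "4th byte" is the mode byte at index 3, after priority/target/source
#   - the sum is taken modulo 0x10000
#   - the two checksum bytes are appended big-endian (high byte first)

HEADER_LEN = 3  # priority/type, target, source precede the mode byte


def parse_hex(text: str) -> bytes:
    """Turn a space-separated hex string like '6C 40 F0 36' into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def frame_to_hex(frame: bytes) -> str:
    """Render bytes the way the thread writes frames: upper-case, space separated."""
    return " ".join(f"{b:02X}" for b in frame)


def block_checksum(frame: bytes) -> int:
    """Sum every byte from the mode byte (4th byte) to the end, modulo 2**16."""
    if len(frame) < HEADER_LEN + 1:
        raise ValueError("frame shorter than header plus mode byte")
    return sum(frame[HEADER_LEN:]) & 0xFFFF


def append_checksum(frame: bytes) -> bytes:
    """Return the frame with its 16-bit block checksum appended (big-endian, assumed)."""
    return frame + block_checksum(frame).to_bytes(2, "big")


def verify_checksum(frame: bytes) -> bool:
    """True when the trailing two bytes match the checksum of everything before them.
    Frames too short to carry header, mode and trailer are rejected outright."""
    if len(frame) < HEADER_LEN + 3:
        return False
    body, trailer = frame[:-2], frame[-2:]
    return block_checksum(body) == int.from_bytes(trailer, "big")


# Constructed sample: the quoted "6C 40 F0 36 80 01 08 00 00 00 ...data..." layout
# with a made-up four-byte payload. It is not a frame captured from a BCM.
SAMPLE = parse_hex("6C 40 F0 36 80 01 08 00 00 00 FF FF AA AA")

if __name__ == "__main__":
    framed = append_checksum(SAMPLE)
    print("checksum  :", f"{block_checksum(SAMPLE):04X}")
    print("with trailer:", frame_to_hex(framed))
    print("verifies  :", verify_checksum(framed))
```

Running the block prints the sample with its trailer attached and confirms that `verify_checksum` accepts it; flip any byte after the header and the same function rejects the frame, which is the check worth running on every upload block before it goes out and on every response that comes back.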
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Made some more progress today!

So I have an aftermarket flip key fob with a trunk button, and I discovered the location for the key button type.

Added a few lines of code to check for type “trunk”.

If true Jump to vacant place in flash.
Wrote a simple function to write 0x44 to the first location of the vin.

Now when I press the trunk button and read the vin it changes the first digit of the vin from 1 to D.

However, after an ignition cycle the VIN reverts back! Prob need to zero out an ignition counter first.

Anyway quite interesting!

Also on the stock bcm code I changed the lock and unlock buttons around!!
Then made trunk unlock and lock write the vin!

I’m doing all this via hex, no compiler, just writing ARM7 assembly in Notepad, then converting it into hex.

Is there an easier way to convert, say, C into ARM7, then inject it into the bin file?
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

This is quite a good step towards writing code to remote start.

Now since I know the start msg for class 2, I just need to write that to ram and send it out via cl2 msg handler.

Then use a relay pin for acc, and another for ignition.

Will set it up to have to press lock, then trunk, to start.

Willing to check out other 315 hz remotes from a similar year to see if they will talk to the BCM. If so I can probably use the actual start button.

All I see is the 06 hhr fob but any of the remotes with starter function are extended range, that may not work with the current receiver in the bcm!

If it does and it uses a different rolling code, then that will not work. I found the rolling code function on our BCM. But I cannot access the code in the separate radio module in the HHR to compare it to.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

That's cool. Nice work. :)
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Gatecrasher wrote:At a glance, the SPS files don't have address information for the calibration segments. It's all handled in the kernel somehow. And there's no way to disassemble that without knowing what language the old chip uses.

Speaking of the old chip, I'm almost convinced it's some kind of 16 bit architecture. I got really lucky and stumbled on the pointers for the class 2 handlers. This is how it's represented on the 32 bit Arm7 TMS470:

22 00 00 00 //Mode 22
00 00 6d 17 //Routine
25 00 00 00 //Mode 25
00 00 6c f5 //Routine
27 00 00 00 //Mode 27
00 00 6b f1 //Routine

And this is how it's represented on the older F16E.

00 22 //Mode 22
a3 3a //Routine
00 25 //Mode 25
af c3 //Routine
00 27 //Mode 27
93 e8 //Routine

Also, the data at 0x0 on the F16E looks like 16 bit vector addresses instead of 32-bit addresses or 32-bit jump instructions like the TMS470 has.

0x00 44 03
0x02 44 07
0x04 44 09
0x06 44 0d
0x08 44 13
0x0A 44 17

It's really weird that they hit on odd-numbered addresses, and those addresses don't fall neatly into the range of the 'full' dump Coly posted, which makes me think there's some kind of memory mapping going on. This onion has a whole lot of layers. And some of them stink.
How did you get the disassembly? What settings for the older F16 one?
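The quoted post spots two things by eye: a run of 16-bit values at offset 0 that all share a high byte (the suspected vector table) and pairs of (mode, routine) words. Both are the kind of pattern a small scanner can find in a dump of unknown architecture, and trying both byte orders is part of how you decide which one the chip uses. The following is an added example, not code from anyone in the thread; the sample bytes are copied from the listings above, and the "same high byte, strictly increasing" rule for spotting pointer runs and the big-endian reading of the F16E pairs are assumptions made for the demonstration, not facts established by the post.

```python
import struct

# Added example (not from the thread): heuristics for spotting pointer and
# dispatch tables in a raw dump whose architecture is still unknown.
# Assumptions: tables of addresses look like runs of strictly increasing words
# sharing a top byte; the F16E (mode, routine) pairs are 16-bit big-endian.

# Bytes copied from the listings quoted above (F16E dump).
F16E_VECTORS = bytes.fromhex("4403 4407 4409 440d 4413 4417")
F16E_HANDLERS = bytes.fromhex("0022 a33a 0025 afc3 0027 93e8")


def words(blob: bytes, width: int = 2, endian: str = ">") -> list:
    """Split a blob into fixed-width unsigned words. endian is '<' or '>'."""
    fmt = endian + {2: "H", 4: "I"}[width]
    return [struct.unpack_from(fmt, blob, off)[0]
            for off in range(0, len(blob) - width + 1, width)]


def find_pointer_runs(blob: bytes, width: int = 2, endian: str = ">",
                      min_len: int = 4) -> list:
    """Return [(byte_offset, [values...])] for runs of at least min_len
    consecutive words that are strictly increasing and share their top byte.
    Vector and handler tables tend to look like this; instruction streams rarely do."""
    ws = words(blob, width, endian)
    shift = 8 * (width - 1)
    runs, i = [], 0
    while i < len(ws):
        j = i
        while (j + 1 < len(ws) and ws[j] < ws[j + 1]
               and ws[j] >> shift == ws[j + 1] >> shift):
            j += 1
        if j - i + 1 >= min_len:
            runs.append((i * width, ws[i:j + 1]))
        i = j + 1
    return runs


def guess_endianness(blob: bytes, width: int = 2):
    """Score both byte orders by how many words fall into pointer runs and
    return (best_endian, scores). Ties fall back to little-endian."""
    scores = {e: sum(len(v) for _, v in find_pointer_runs(blob, width, e))
              for e in ("<", ">")}
    return max(scores, key=scores.get), scores


def parse_mode_table(blob: bytes, offset: int = 0, count: int = None,
                     endian: str = ">") -> dict:
    """Decode 16-bit (mode, routine) pairs laid out as in the F16E listing.
    Returns {mode: routine}. count limits how many pairs are read."""
    ws = words(blob[offset:], 2, endian)
    if count is not None:
        ws = ws[:2 * count]
    return {ws[k]: ws[k + 1] for k in range(0, len(ws) - 1, 2)}


if __name__ == "__main__":
    best, scores = guess_endianness(F16E_VECTORS)
    print("pointer-run scores by byte order:", scores, "->", best)
    for off, vals in find_pointer_runs(F16E_VECTORS, endian=best):
        print(f"run at 0x{off:02X}:", [f"0x{v:04X}" for v in vals],
              "all odd" if all(v & 1 for v in vals) else "")
    print("mode table:", {f"{m:02X}": f"0x{r:04X}"
                          for m, r in parse_mode_table(F16E_HANDLERS).items()})
```

On the copied bytes the big-endian reading produces one clean run of six values with top byte 0x44 while the little-endian reading produces none, which is the quantitative version of the "looks like 16-bit vector addresses" observation; the scanner also makes the odd-address oddity Gatecrasher notes explicit, since every value in the run has its low bit set.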
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I bricked my 09 BCM!! And I cannot seem to erase or write to it via JTAG. Did the OpenPort setup allow erase and write?

So I am trying to get a decent disassembly of the 04-08 BCM as I have several of those modules to play with. I tried PIC17, AVR8, and MSP430; they are close but don't seem quite right. It is most definitely 16-bit little endian. I really don't think it's based off the TMS370, I think it is a TMS320 or thereabouts. I cannot seem to find a TMS320 or TMS370 disassembler to try.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

I don't remember getting an actual disassembly for the F16 chip. If I remember correctly, it was just dumb luck that I found that in the raw binary file.

I wonder how difficult it would be to retrofit the newer BCM to the older truck? The connectors are the same. I haven't looked to see if the pinout matches.

I never tried erase and write with JTAG.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

That’s too bad, I’d fork out money for the OpenPort setup if I knew it worked! I don’t want to lose momentum on this project, and I’m sure I’ll continue to brick it, hard to code ARM7 right every single time! Honestly I made it further than I thought before it bricked! I was on my 40th try of custom ARM code. I was one byte off, and perhaps the byte I wrote to instead controlled a loop counter or something? But it’s garbage now!

I can still read it via JTAG but can’t erase or write to it.

As for the older BCM, too bad we can’t find a TMS320 or TMS370 disassembler, because I think its language is the same as one of them.

I found dis2000 but it needs an ELF file, not bin! Is there a way to convert the 2004-2008 bin file to ELF?
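A raw dump can be wrapped in a minimal ELF32 container without any toolchain, which is one answer to the question above for tools that refuse plain binaries. The following is an added example rather than anything posted in the thread: it writes an ELF header, one PT_LOAD program header and a .text section around the bytes at a load address you choose. The e_machine value is a parameter; EM_ARM (40) is a real constant and suits the TMS470 side, while for the older chip you would supply whatever value the chosen disassembler keys on, which is an assumption this example does not settle. The code only packages bytes; it does not disassemble anything.

```python
import struct
import sys

# Added example (not from the thread): wrap a raw firmware dump in a minimal
# ELF32 file so ELF-only tools can load it at a chosen address.
# Assumptions: the consumer only needs e_machine, a PT_LOAD segment and a
# .text section; EM_ARM = 40 is the standard value for ARM targets, any other
# machine number is the caller's responsibility.

EM_ARM = 40
ELF_HDR = "16sHHIIIIIHHHHHH"  # 52 bytes once a byte-order prefix is added
PHDR = "IIIIIIII"             # 32 bytes
SHDR = "IIIIIIIIII"           # 40 bytes
SHSTRTAB = b"\x00.text\x00.shstrtab\x00"  # names at offsets 1 and 7


def wrap_bin_in_elf(code: bytes, load_addr: int, e_machine: int = EM_ARM,
                    entry: int = None, little_endian: bool = True) -> bytes:
    """Return an ELF32 executable image containing `code` mapped at load_addr."""
    E = "<" if little_endian else ">"
    entry = load_addr if entry is None else entry
    code_off = 52 + 32                      # header, then one program header
    strtab_off = code_off + len(code)
    shoff = (strtab_off + len(SHSTRTAB) + 3) & ~3   # 4-byte align section headers
    pad = b"\x00" * (shoff - strtab_off - len(SHSTRTAB))

    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(E + ELF_HDR, ident, 2, e_machine, 1, entry, 52, shoff, 0,
                       52, 32, 1, 40, 3, 2)
    # PT_LOAD, offset, vaddr, paddr, filesz, memsz, flags R+X, align
    phdr = struct.pack(E + PHDR, 1, code_off, load_addr, load_addr,
                       len(code), len(code), 5, 1)
    sh_null = struct.pack(E + SHDR, *([0] * 10))
    # .text: SHT_PROGBITS, SHF_ALLOC|SHF_EXECINSTR
    sh_text = struct.pack(E + SHDR, 1, 1, 6, load_addr, code_off, len(code), 0, 0, 1, 0)
    # .shstrtab: SHT_STRTAB
    sh_str = struct.pack(E + SHDR, 7, 3, 0, 0, strtab_off, len(SHSTRTAB), 0, 0, 1, 0)
    return ehdr + phdr + code + SHSTRTAB + pad + sh_null + sh_text + sh_str


def elf_summary(data: bytes) -> dict:
    """Read back the fields a disassembler looks at, plus the loaded bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    E = "<" if data[5] == 1 else ">"
    h = struct.unpack_from(E + ELF_HDR, data, 0)
    p = struct.unpack_from(E + PHDR, data, h[5])   # first program header
    return {
        "machine": h[2], "entry": h[4], "phnum": h[10], "shnum": h[12],
        "load_addr": p[2], "text": data[p[1]:p[1] + p[4]],
    }


if __name__ == "__main__":
    # usage: python wrap.py dump.bin out.elf 0x8000 [e_machine]
    src, dst, addr = sys.argv[1], sys.argv[2], int(sys.argv[3], 0)
    machine = int(sys.argv[4], 0) if len(sys.argv) > 4 else EM_ARM
    with open(src, "rb") as f:
        image = wrap_bin_in_elf(f.read(), addr, machine)
    with open(dst, "wb") as f:
        f.write(image)
    print(elf_summary(image) | {"text": f"{len(image)} bytes written"})
```

The round trip through `elf_summary` is the sanity check worth keeping: if a tool still refuses the file, the first things to compare are the machine number it expects and whether it wants the segment's virtual address to match where the chip actually maps the ROM, since both are just parameters here.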
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

FYI all bcms from 2004-2012 interchange

With these issues:

2004-2005 no issues to each other (marker drls)

2006 only year without seat belt input warning and no tpms marker drls, mid year switch to head lamp drls

2007-2008 has tpms and no seat belt input switch head lamp drls, Battery module

2009-2012 head lamp DRLs, TPMS, no seat belt switch input, and CAN-based 4-channel ABS messaging, battery module

Putting a 2009-2012 bcm into a 2004 to 2005 truck has many issues:

-drls messed up
-no seat belt input setting sdm code.
-tpms message faults in dic
-traction fault, abs and Brake light on
-battery light on, battery message in dic

So yeah it plugs in and no wiring Changes needed!

But you get a Christmas tree for a cluster :)

I can switch the ABS type, and possibly switch off the battery fault,
and definitely disable TPMS, maybe fix the DRL issue?
But the seat belt switch, not likely.

When I put the 2007-2008 BCM into my 04 truck I was able to fix the DRLs, only
because early 06 Hummers had that light setup, and I fixed the seat belt switch; the
circuit was there, even at the correct pin, but missing resistors on the board, which I added.
I then also fixed the code to enable it. Adding a battery module and TPMS sensors fixed the rest.