Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailies.

Re: Colorado / H3 BCM hacking

Post by ironduke »

04colyZQ8 wrote:
Gatecrasher wrote: EEPROM is copied into RAM and worked on there. At some point it gets copied back to EEPROM during a power down event. I haven't figured out where or under what circumstances that happens. So the RAM addresses from 0x80000000 to 0x80001B0 are just a live, working copy of what's stored on the EEPROM chip.

I made a pretty big discovery last night. Ghidra isn't correctly tracking the branches to and from ARM Thumb mode. That's part of why it's not disassembling all the code correctly. It doesn't answer all the questions, but it'll help a lot. I'm trying to go through and manually patch some of it up. I'll post another archive later this weekend.
Cool!! Yes, that makes sense about the EEPROM. I'm tempted to disable the checks I see for VIN write; looks like it checks two locations for the ignition counter? Because I've never been able to change the VIN for some reason, using 3B even after cycling the ignition switch.
Haven't been in this discussion at all, but I have been following along. Don't have anything with this BCM, but it is very interesting.

I apologize if the below has already been discussed within these pages, but:
As far as the VIN write failing, are you getting the correct 7B 90 response? Or something else? An error code? Which code? If it is a 7B 90 response but it's not saving it, then I wonder if the key-off operation/circuit isn't some sort of a problem. The new VIN is in RAM but needs to be written to the EEPROM at key off; at least with ECMs it happens at key off. No idea if BCMs need a message or something else to trigger the EEPROM write?
I am assuming you're unlocking the BCM first with 27 01, getting the seed and feeding the key into it with 27 02? If not, this does have to be done.
Also, if the unlocking and VIN write is failing, have you tried changing the enable counter from 00 to something else with a 3B A0 write? This would be done after unlocking but before the VIN write attempt.
Unlock, read the enable counter and see if it is 00, then write the enable counter to something else: FF or FE is the highest you can go, but I believe even if you change it to 1 you're good. If the enable counter write comes back with a 7B A0 message, then try writing the VIN and see if that gives you a 7B 90 response.

One totally oddball thing I forgot to mention: some ECMs simply refuse to let me write the VIN, so I send a clear codes command (04) and try again and it lets me write it. Don't know why, but it works. Only been doing this with CAN bus ECMs, so no idea if it would even apply or help?
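As an added example (not code from this thread or any poster), a small Python checker that walks a logged request/response sequence in the order ironduke describes (27 01 seed, 27 02 key, 3B A0 enable counter, 3B 90 VIN) and reports the first step that did not get the positive 7B/67 echo, decoding a 7F negative response when one appears. The seed/key algorithm is not on the page and is not implemented; the sample log lines, the NRC names (ISO 14229 meanings) and the VIN bytes are assumptions.

```python
# Assumed ISO 14229 negative response code names; the BCM may use its own set.
NRC_NAMES = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
             0x22: "conditionsNotCorrect", 0x33: "securityAccessDenied",
             0x35: "invalidKey", 0x78: "responsePending"}

# Order of (service, sub-ID) pairs from the post: unlock, key, enable counter, VIN.
EXPECTED_ORDER = [(0x27, 0x01), (0x27, 0x02), (0x3B, 0xA0), (0x3B, 0x90)]


def parse_hex(s: str) -> bytes:
    """'7B 90' -> b'\\x7b\\x90'; an empty string means no reply was logged."""
    return bytes.fromhex(s.replace(" ", ""))


def classify(request: bytes, response: bytes):
    """Return (status, detail) for one request/response pair."""
    if not response:
        return ("timeout", "no response")
    sid = request[0]
    if response[0] == 0x7F:                      # negative response frame
        if len(response) >= 3 and response[1] == sid:
            nrc = response[2]
            return ("negative", f"NRC 0x{nrc:02X} {NRC_NAMES.get(nrc, 'unknown')}")
        return ("negative", "malformed 7F frame")
    if response[0] != sid + 0x40:                # positive response is SID + 0x40
        return ("unexpected", f"0x{response[0]:02X} is not the reply to 0x{sid:02X}")
    # 27 and 3B replies echo the sub-ID / data identifier (67 01, 7B A0, 7B 90).
    if sid in (0x27, 0x3B) and len(request) > 1:
        if len(response) < 2 or response[1] != request[1]:
            return ("unexpected", "positive response does not echo the sub-ID")
    return ("positive", response.hex(" ").upper())


def first_failure(log):
    """log: list of (request_hex, response_hex). None if every step was positive
    and in the expected order, else (step_index, status, detail)."""
    for i, (req_hex, rsp_hex) in enumerate(log):
        req, rsp = parse_hex(req_hex), parse_hex(rsp_hex)
        if i < len(EXPECTED_ORDER) and req[:2] != bytes(EXPECTED_ORDER[i]):
            want = EXPECTED_ORDER[i]
            return (i, "out_of_order", f"expected {want[0]:02X} {want[1]:02X} at step {i}")
        status, detail = classify(req, rsp)
        if status != "positive":
            return (i, status, detail)
    return None


# Constructed sample log (not a real capture); seed, key and VIN bytes are placeholders.
SAMPLE_OK = [("27 01", "67 01 12 34"), ("27 02 AB CD", "67 02"), ("3B A0 01", "7B A0"),
             ("3B 90 31 47 43 45 53 31 39 52 38 34 31 32 33 34 35 36 37", "7B 90")]
SAMPLE_DENIED = SAMPLE_OK[:3] + [(SAMPLE_OK[3][0], "7F 3B 33")]
```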
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I haven't tried manually. Supposedly these BCMs are supposed to be one-time program only. But TIS always sends the 7B request anyway, and yes, it's unlocked. And I try powering off, waiting 30 seconds, then back on, and it hasn't changed. Also it says programming error at 99%, which it does whenever the VIN fails to program.

But if I use a chip clip and change the VIN, all good.

But even a brand new virgin BCM failed to program the VIN? Maybe I had turned it on and off a few times first, though.

So either clearing the DTCs or clearing the ignition counter might be the key to making it work.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

04colyZQ8, how did you read the bin out of the 04 BCM? I'm trying to read an 04 Silverado BCM.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Mode 35, but first you need the seed and key. If you have a TIS or SPS program log you can easily find the seed and key from the log.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I have the key. It uses algo 12 just like the Colorado. I tried using the script posted for the Colorado, but all I get are 7F responses. Might just be that the format of the 35 request is wrong.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

OK, what address are you trying to read from? And are you in 1x mode? Try reading a smaller number of bytes at a time.
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I’ve tried 0x2000, 0x8000, 0xA000 and others. I’ve tried both 4x and 1x. I’ll try the different sizes next.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Try looking at the OS and see what the boot loader addresses are, then double that.

If you don't have your OS, give your VIN and I'll try to get you a bin file of the OS.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

So clearly pin 11, data out of the RF receiver, goes to the processor, but I tried to trace it and nothing pinged off the processor pins with the multimeter on the 2009 board.

I really want to find what module this goes to, to see the way the processor receives the key fob remote. I have one with a trunk button. I want to get its signal to lock the tailgate!

How does the OS send a signal to the processor to upload data from the registers? Is it first controlled via a MUX, then the data output into a register?
Attachments
B1BC98EA-43D0-4EC7-AF65-AB5CD33D0C2F.png
bbmike
Posts: 45
Joined: Thu Apr 02, 2015 1:10 pm
cars: Too many!!

Re: Colorado / H3 BCM hacking

Post by bbmike »

I got it to upload data. Had to take out the sub-mode. But I can only get one response; then I get a 75 50 response to all following requests.