Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

If the BCM doesn't error on the VIN change command and sends an affirmative response, it is likely some power-down sequence that prevents writing the VIN to EEPROM.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Hey guys, many, many thanks to Gatecrasher! Check this out: it took 5-6 hrs to read out via elm327, but I got the entire flash out!! Sweet!

I did get lazy in the end and padded the last remaining zeros. I figured that wasn't so crucial; I also figured 6 hrs was long enough lol
Attachments
2011_canyon_flash_read_by_elm327.bin
bcm flash module
(128 KiB) Downloaded 69 times

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Also read the RAM, I think. Think this is the RAM?
Attachments
2011_canyon_ram_bcm_elm327_read.bin
ram read
(8 KiB) Downloaded 62 times

Re: Colorado / H3 BCM hacking

Post by kur4o »

I did some auto-detect and checksum config for the BCM file. It will be interesting to test on other dumps, since the OS is hardcoded in the XML.
I looked at the ROM dump. The VIN seems slightly changed. Did you write it that way, or is there some other issue? A dump from the EEPROM would be nice too.

I can do some custom script for dumping the bin to a log and then converting to bin, if you want to share some log from the elm dump commands.
Attachments
BCM_gmt345.rar
(4.9 KiB) Downloaded 67 times

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Anyone else notice the 6c f1 40 35 etc. commands in the RAM I posted? Looks like the data port VPW commands are listed there! Can anyone deconstruct them to tell where they go to?

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Made these reads from the 04. Can't find the full files; can't nail down the proper addresses. Very different than the 09.
Attachments
2004_bcm_ram_partial.bin
(1.02 KiB) Downloaded 63 times
2004_BCM_flash_ful_allmost.bin
(64.31 KiB) Downloaded 63 times

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Makes no sense at all: the OS says the segments should be at 4c00, but that’s not anywhere near where it actually is? I am missing a few bytes at the top and bottom of the flash. By the looks of it, the flash may be smaller on the 04?

Any ideas what processor this is?

Re: Colorado / H3 BCM hacking

Post by kur4o »

Something does not line up in the file. The segments don't line up with the OS range either. File structure seems similar to the later type BCM, but the code is definitely different; 2004 seems to be a 16 bit CPU or 8 bit CPU.

If you have a VIN for that BCM I can try to score some SPS files for it.

Maybe you can try mode 23 read of the bin.
#example

[05:22:23.220] 6C FE F1 28 00
[05:22:23.283] 6C F1 40 68 00
[05:22:23.283] 6C F1 10 68 00
[05:22:23.799] 8C FE F0 3F
[05:22:23.861] 6C 10 F0 27 01
[05:22:23.877] 6C F0 10 67 01 46 53
[05:22:23.877] 6C 10 F0 27 02 0A B9
[05:22:23.939] 6C F0 10 67 02 34
[05:22:23.939] 6C 40 F0 27 01
[05:22:23.955] 6C F0 40 67 01 00 00
[05:22:23.955] 6C 40 F0 27 02 8B 9F
[05:22:24.017] 6C F0 40 67 02 35
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.205] 8C FE F0 3F
[05:22:24.267] 6C 40 F0 23 00 00 08 01
[05:22:24.330] 6C F0 40 63 00 08 10 48 00 00
You can read 4 bytes at a time.
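
The mode 23 exchange in the log above can be turned back into a binary image by pairing each request with its reply and recording any address range that was never read, instead of padding it silently. This is an added example, not code from any poster in this thread; the frame layout (3-byte address in the request, low two address bytes echoed before 4 data bytes in the reply) is inferred from the logged lines, and the function names are hypothetical.

```python
import re

# Mode 23 portion of the log quoted in the post above (timestamps kept as logged).
SAMPLE_LOG = """\
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.205] 8C FE F0 3F
[05:22:24.267] 6C 40 F0 23 00 00 08 01
[05:22:24.330] 6C F0 40 63 00 08 10 48 00 00
"""
LINE_RE = re.compile(r"^\[[\d:.]+\]\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_frames(log_text):
    """Return each logged frame as bytes, skipping lines that are not frames."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [bytes.fromhex(m.group(1)) for m in matches if m]

def collect_reads(frames):
    """Pair each mode 23 request with its mode 63 reply: {address: 4 data bytes}."""
    reads, pending = {}, None
    for f in frames:
        if len(f) >= 7 and f[3] == 0x23:
            pending = int.from_bytes(f[4:7], "big")   # assumed 24-bit address
        elif len(f) == 10 and f[3] == 0x63 and pending is not None:
            # Assumed layout: reply echoes the low 16 address bits, then 4 data bytes.
            if int.from_bytes(f[4:6], "big") != pending & 0xFFFF:
                raise ValueError(f"reply does not match request {pending:#08x}")
            reads[pending] = f[6:10]
            pending = None
    return reads

def build_image(reads, fill=0xFF):
    """Return (base address, image bytes, list of unread [start, end) ranges)."""
    base, end = min(reads), max(reads) + 4
    image, gaps, expected = bytearray([fill]) * (end - base), [], base
    for addr in sorted(reads):
        if addr > expected:
            gaps.append((expected, addr))    # report the hole, do not hide it
        image[addr - base:addr - base + 4] = reads[addr]
        expected = max(expected, addr + 4)
    return base, bytes(image), gaps

if __name__ == "__main__":
    base, image, gaps = build_image(collect_reads(parse_frames(SAMPLE_LOG)))
    print(f"base={base:#x} size={len(image)} gaps={gaps} data={image.hex(' ')}")
```

The gap list shows which ranges of a dump are filler, which matters when comparing the image against known segment files or running a checksum over it.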

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

This is very close to the full RAM of the 04 BCM. Notice a lot of VPW commands are in here; can anything interesting be done with that?

This was again read with mode 35.

What is the difference between mode 23 and 35?

The way it is set up to read, I can pick an address way off, and it will just return null space until it finds some code. Ran all night to find the flash bin, but then I don't know exactly where it starts and stops? But I can't be much more than 16kb off either way, which is just white space, so no code exists there, or it is protected?
Attachments
2004_BCM_ram_ful.bin
(3.5 KiB) Downloaded 55 times

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

kur4o wrote: Something does not line up in the file. The segments don't line up with the OS range either. File structure seems similar to the later type BCM, but the code is definitely different; 2004 seems to be a 16 bit CPU or 8 bit CPU.

If you have a VIN for that BCM I can try to score some SPS files for it.

Maybe you can try mode 23 read of the bin.
#example

[05:22:23.220] 6C FE F1 28 00
[05:22:23.283] 6C F1 40 68 00
[05:22:23.283] 6C F1 10 68 00
[05:22:23.799] 8C FE F0 3F
[05:22:23.861] 6C 10 F0 27 01
[05:22:23.877] 6C F0 10 67 01 46 53
[05:22:23.877] 6C 10 F0 27 02 0A B9
[05:22:23.939] 6C F0 10 67 02 34
[05:22:23.939] 6C 40 F0 27 01
[05:22:23.955] 6C F0 40 67 01 00 00
[05:22:23.955] 6C 40 F0 27 02 8B 9F
[05:22:24.017] 6C F0 40 67 02 35
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.205] 8C FE F0 3F
[05:22:24.267] 6C 40 F0 23 00 00 08 01
[05:22:24.330] 6C F0 40 63 00 08 10 48 00 00
You can read 4 bytes at a time.

I think it’s a 16 bit model F16 TI qfp 100 processor.

I have the GM segments from SPS already, including the utility file.
Just hacked them out of tis2000 using MySQL.

And they 100% match the segments in here!

Goes in this order

Seg 02
Seg 03
Seg 04
Seg 05
Seg 06

Boot loader
Os seg 01

Same order as the 09 and 11 bcm