Colorado / H3 BCM hacking
Re: Colorado / H3 BCM hacking
If the bcm doesn't error on the vin change command and sends an affirmative response, it is likely some power down sequence that prevents writing the vin to eeprom.
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
Hey guys, many, many thanks to Gatecrasher! Check this out: it took 5-6 hrs to read out via elm327, but I got the entire flash out!! Sweet!
I did get lazy in the end and padded the last remaining zeros. I figured that wasn't so crucial; I also figured 6 hrs was long enough lol
- Attachments
-
- 2011_canyon_flash_read_by_elm327.bin
- bcm flash module
- (128 KiB) Downloaded 69 times
Re: Colorado / H3 BCM hacking
Also read the ram, I think. Think this is the ram?
- Attachments
-
- 2011_canyon_ram_bcm_elm327_read.bin
- ram read
- (8 KiB) Downloaded 62 times
Re: Colorado / H3 BCM hacking
I did some auto detect and checksum config for the bcm file. It will be interesting to test on other dumps, since the OS is hardcoded in the xml.
I looked at the rom dump. The vin seems slightly changed. Did you write it that way, or is there some other issue? A dump from the eeprom would be nice too.
I can do some custom script for dumping the bin to a log and then converting to bin, if you want to share some log from the elm dump commands.
- Attachments
-
- BCM_gmt345.rar
- (4.9 KiB) Downloaded 67 times
Re: Colorado / H3 BCM hacking
Anyone else notice the 6c f1 40 35 etc commands in the ram I posted? Looks like the data port vpw commands are listed there! Can anyone deconstruct them to tell where they go to?
Re: Colorado / H3 BCM hacking
Made these reads from the 04. Can't find the full files, can't nail down the proper addresses; very different than the 09.
- Attachments
-
- 2004_bcm_ram_partial.bin
- (1.02 KiB) Downloaded 63 times
-
- 2004_BCM_flash_ful_allmost.bin
- (64.31 KiB) Downloaded 63 times
Re: Colorado / H3 BCM hacking
Makes no sense at all. The OS says the segments should be at 4c00, but that's not anywhere near where it actually is. I am missing a few bytes at the top and bottom of the flash; by the looks of it the flash may be smaller on the 04?
Any ideas what processor this is?
Re: Colorado / H3 BCM hacking
Something does not line up in the file. The segments don't line up with the OS range either. The file structure seems similar to the later type bcm, but the code is definitely different; the 2004 seems to be a 16 bit cpu or 8 bit cpu.
If you have a vin for that bcm I can try to score some sps files for it.
Maybe you can try mode 23 read of the bin.
#example
You can read 4 bytes at a time.
[05:22:23.220] 6C FE F1 28 00
[05:22:23.283] 6C F1 40 68 00
[05:22:23.283] 6C F1 10 68 00
[05:22:23.799] 8C FE F0 3F
[05:22:23.861] 6C 10 F0 27 01
[05:22:23.877] 6C F0 10 67 01 46 53
[05:22:23.877] 6C 10 F0 27 02 0A B9
[05:22:23.939] 6C F0 10 67 02 34
[05:22:23.939] 6C 40 F0 27 01
[05:22:23.955] 6C F0 40 67 01 00 00
[05:22:23.955] 6C 40 F0 27 02 8B 9F
[05:22:24.017] 6C F0 40 67 02 35
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.205] 8C FE F0 3F
[05:22:24.267] 6C 40 F0 23 00 00 08 01
[05:22:24.330] 6C F0 40 63 00 08 10 48 00 00
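An added example, not part of the original posts: one way to turn a mode 23 log in the format shown above into a bin while reporting unread address ranges instead of silently padding them. It assumes, from the posted log, that each 63 reply echoes the low 16 address bits followed by the data bytes and that F0 is the tool address; the sample log and all function names are constructed for illustration.

```python
import re

# Constructed sample in the same format as the posted log (third read moved
# to address 0x0C on purpose, so a gap is visible).
SAMPLE_LOG = """\
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.267] 6C 40 F0 23 00 00 0C 01
[05:22:24.330] 6C F0 40 63 00 0C 10 48 00 00
"""

LINE = re.compile(r"^\[[\d:.]+\]\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_frames(log_text):
    """Yield each logged frame as a list of ints, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield [int(b, 16) for b in m.group(1).split()]

def rebuild(log_text, tool=0xF0):
    """Return ({address: byte}, [(gap_start, gap_end)]) from 23/63 pairs."""
    image, pending = {}, None
    for f in parse_frames(log_text):
        if len(f) >= 7 and f[2] == tool and f[3] == 0x23:
            # Request: the 3-byte address follows the mode byte.
            pending = (f[1], (f[4] << 16) | (f[5] << 8) | f[6])
        elif pending and len(f) > 6 and f[1] == tool and f[3] == 0x63:
            module, addr = pending
            # Assumed reply layout: low 16 address bits echoed, then data.
            if f[2] == module and ((f[4] << 8) | f[5]) == (addr & 0xFFFF):
                for i, b in enumerate(f[6:]):
                    image[addr + i] = b
            pending = None
    addrs = sorted(image)
    gaps = [(a + 1, b - 1) for a, b in zip(addrs, addrs[1:]) if b - a > 1]
    return image, gaps

def to_bin(image, fill=0xFF):
    """Flatten lowest..highest address to bytes; unread bytes get `fill`."""
    if not image:
        return b""
    lo, hi = min(image), max(image)
    return bytes(image.get(a, fill) for a in range(lo, hi + 1))
```

The gap list is what tells a real read of blank flash apart from filler added after the fact, so keep it alongside the bin.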
Re: Colorado / H3 BCM hacking
This is very close to the full ram of the 04 bcm. Notice a lot of vpw commands are in here; can anything interesting be done with that?
This was again read with mode 35.
What is the difference between mode 23 and 35?
The way it is set up to read, I can pick an address way off and it will just return null space until it finds some code. Ran all night to find the flash bin, but then I don't know exactly where it starts and stops. But I can't be much more than 16kb off either way, which is just white space, so no code exists there, or it is protected?
- Attachments
-
- 2004_BCM_ram_ful.bin
- (3.5 KiB) Downloaded 55 times
Re: Colorado / H3 BCM hacking
I think it's 16 bit model F16 TI qfp 100
kur4o wrote:
> Something does not line up in the file. The segments don't line up with the OS range either. The file structure seems similar to the later type bcm, but the code is definitely different; the 2004 seems to be a 16 bit cpu or 8 bit cpu.
> If you have a vin for that bcm I can try to score some sps files for it.
> Maybe you can try mode 23 read of the bin.
> #example
> You can read 4 bytes at a time.
> [05:22:23.220] 6C FE F1 28 00
> [05:22:23.283] 6C F1 40 68 00
> [05:22:23.283] 6C F1 10 68 00
> [05:22:23.799] 8C FE F0 3F
> [05:22:23.861] 6C 10 F0 27 01
> [05:22:23.877] 6C F0 10 67 01 46 53
> [05:22:23.877] 6C 10 F0 27 02 0A B9
> [05:22:23.939] 6C F0 10 67 02 34
> [05:22:23.939] 6C 40 F0 27 01
> [05:22:23.955] 6C F0 40 67 01 00 00
> [05:22:23.955] 6C 40 F0 27 02 8B 9F
> [05:22:24.017] 6C F0 40 67 02 35
> [05:22:24.017] 6C 40 F0 23 00 00 00 01
> [05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
> [05:22:24.080] 8C FE F0 3F
> [05:22:24.142] 6C 40 F0 23 00 00 04 01
> [05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
> [05:22:24.205] 8C FE F0 3F
> [05:22:24.267] 6C 40 F0 23 00 00 08 01
> [05:22:24.330] 6C F0 40 63 00 08 10 48 00 00
Processor.
I have the gm segments from sps already, including the utility file.
Just hacked them out of tis2000 using MySQL.
And they 100% match the segments in here!
Goes in this order
Seg 02
Seg 03
Seg 04
Seg 05
Seg 06
Boot loader
Os seg 01
Same order as the 09 and 11 bcm