Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Colorado / H3 BCM hacking

Post by Gatecrasher »

This all started with me wanting to see if I could disable the TPMS in the BCM on my truck. Not so much because I didn't want to fix it, but because everyone says it's not possible. Export models of the Hummer H3 don't have it enabled, and they use the same BCM hardware, so obviously it's possible. 04-06 Colorados don't have TPMS at all, and all years (06-10) of North American H3s do have TPMS. Since I like a challenge, I decided to see what I could do.

There's two different versions of this BCM. 04-08, and 09-12. There's also some variants that don't have the keyless entry RF hardware in the upper right corner, but they use the same MCUs as far as I know. Another nice thing is all the 09-12 BCMs use the same operating system regardless of market or model.

This is the 04-08 version.
BCM GMT345-355 04-08.jpg
And this is the 09-12.
BCM GMT345-355 09-12.jpg
The chip on the first version is labeled F16E88PJA11. So far I haven't been able to pin down exactly what it is. Fortunately the 09+ module uses a TI TMS470PLF111. Documentation for that specific chip isn't complete, at least not publicly, but there's enough out there to get started. The data sheet with the pinout and internal flash details has been enough so far. I think the same chip, or one very similar, is used in some GMT800 BCMs, but I'm not totally certain of that.

This chip has an ARM7TDMI core and JTAG pins that are exposed on the board. After a lot of trial and error, I was able to get it talking to OpenOCD through a Bus Pirate. It wasn't perfect, but it was good enough to dump the flash out of it. I'll get the pinout and config files up once I get those cleaned up. It only has 128K of onboard flash, and only about 94k of that is filled. It disassembles nicely in IDA using the big endian ARM option, so it should be relatively easy to disassemble compared to most ECMs.

I think I've already found where the TPMS disable bit is, but I can't test it until I figure out how to correct the calibration checksums. I was really hoping it was something you could toggle on or off in the EEPROM via a mode $AE request or something, but so far it doesn't look that way. I'm not too deep into this yet, so it may still be possible.

While I was researching this, I did figure out how to do a TPMS disable on a GMT800 passenger door module using some $AE and $3B commands. But the same technique totally failed when applied to the Colorado BCM.

I might also look into a DRL disable, and maybe see about enabling the rear fog light button from the export H3 to control some off road lights. There are easier ways to get the same results, but they wouldn't be nearly as interesting or satisfying.
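An added example (not code from this thread, nor from OpenOCD, IDA or any tool mentioned here) for sanity-checking a TMS470 flash dump like the one described above: it scores the ARM7TDMI exception vector table at offset 0 under both byte orders to confirm the big-endian reading, measures how much of the 128K flash is actually filled, and diffs two captures so a flaky JTAG link shows up as mismatches. The sample image is constructed inside the block and is not real BCM firmware.

```python
import struct

FLASH_SIZE = 128 * 1024  # on-chip flash size quoted for the TMS470 BCM


def looks_like_arm_branch(word: int) -> bool:
    """ARM7TDMI vector slots are normally 'B target' (0xEAxxxxxx)
    or 'LDR PC, [PC, #imm]' (0xE59FFxxx)."""
    return (word >> 24) == 0xEA or (word >> 16) == 0xE59F


def guess_endianness(image: bytes) -> tuple[str, int, int]:
    """Decode the 8-entry vector table at offset 0 as big- and little-endian
    words and count which reading yields branch instructions.
    Returns (verdict, big_hits, little_hits)."""
    big = little = 0
    for off in range(0, 0x20, 4):
        chunk = image[off:off + 4]
        if len(chunk) < 4:
            break
        big += looks_like_arm_branch(struct.unpack(">I", chunk)[0])
        little += looks_like_arm_branch(struct.unpack("<I", chunk)[0])
    verdict = "big" if big > little else "little" if little > big else "unknown"
    return (verdict, big, little)


def used_extent(image: bytes, erased: int = 0xFF) -> int:
    """Offset one past the last byte that is not erased-flash fill (0xFF)."""
    end = len(image)
    while end > 0 and image[end - 1] == erased:
        end -= 1
    return end


def diff_dumps(a: bytes, b: bytes) -> list[int]:
    """Offsets where two captures of the same flash disagree, plus any
    length difference. A clean JTAG link should give an empty list."""
    mismatches = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return mismatches + list(range(min(len(a), len(b)), max(len(a), len(b))))


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump (hypothetical, not real firmware):
    8 big-endian 'B' vectors, filler up to ~94K, then 0xFF to 128K."""
    vectors = b"".join(struct.pack(">I", 0xEA000000 | n) for n in range(8))
    body = bytes((i & 0x7F) for i in range(94 * 1024 - len(vectors)))
    return vectors + body + b"\xFF" * (FLASH_SIZE - len(vectors) - len(body))


if __name__ == "__main__":
    img = build_sample_image()
    print(guess_endianness(img), used_extent(img), diff_dumps(img, img))
```

Run it against two real captures (`open(path, "rb").read()`) instead of the constructed image; scattered offsets from `diff_dumps` point at the adapter rather than the firmware.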
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

There is already a tool that will do any gm checksum.

You can get it here
https://github.com/joukoy/UniversalPatcher

You can make your own config file or use this one.
GM-SEG-Type1.xml
I noticed this is segment 3. It will be interesting to see the full dump.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

That's cool. I'll have to check that out.

Here's the full bin dump along with some supporting info.
Attachments
BCM 09 Colorado bin dump.zip
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

Finally decided to get back to this, and now I'm more frustrated than ever.

The BusPirate wasn't reliably controlling the CPU. I couldn't do halt or reset halt consistently. It looks like it may have been a lucky accident that I got it to halt and dump at all. My thought was maybe the BusPirate is too basic to control this thing, so I switched to a knockoff XDS100v3 I had laying around. Now it doesn't work at all. OpenOCD sees the tool, but the JTAG scan is always zero. As sketchy as the BusPirate was, it would at least reliably see the CPU at startup. I've triple checked the wiring and pinouts, and it all looks correct. When you can't even get the tools to start up, it kind of makes you wonder why you're even bothering.

I'm just frustrated and venting. If anyone has any suggestions, I'm open to pretty much anything at this point.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Gatecrasher wrote:Finally decided to get back to this, and now I'm more frustrated than ever.

The BusPirate wasn't reliably controlling the CPU. I couldn't do halt or reset halt consistently. It looks like it may have been a lucky accident that I got it to halt and dump at all. My thought was maybe the BusPirate is too basic to control this thing, so I switched to a knockoff XDS100v3 I had laying around. Now it doesn't work at all. OpenOCD sees the tool, but the JTAG scan is always zero. As sketchy as the BusPirate was, it would at least reliably see the CPU at startup. I've triple checked the wiring and pinouts, and it all looks correct. When you can't even get the tools to start up, it kind of makes you wonder why you're even bothering.

I'm just frustrated and venting. If anyone has any suggestions, I'm open to pretty much anything at this point.

This is very interesting! I'm trying to read and write via the OBD2 port; being able to JTAG would be great! I have logged the Tech 2 during programming and it's very strange! The OS is split up in typical 400 byte chunks for a while, then it goes strange and splits it up in a way that is hard to follow! Then some segments get sent as a full segment in 140 bytes. But some segments like the system one aren't fully sent? Also the accessory segments are never written? I don't understand how the code is going into the BCM?

However the tpms I can turn off, same as setting up different lighting options, and different types of traction control etc..

Currently working on the seat belt light.
On 04-05 Colorado canyons the driver seat belt goes to the bcm. And is grounded when not plugged in I think.

The 2006-12 H3, Canyon/Colorado goes to the SDM module, and the passenger presence system switch on the dash board sends a signal to the cluster to turn on the seat belt light.

I have a 2008 bcm in my 04 truck I made everything work 100% with code changes for tpms elimination. 04-06 style drls. I have the code for the seat belt figured out. But the 2007-2008 bcm is missing some components for the seat belt circuit. Looks like a few resistors and a fuse or diode. Currently working on adding them as the pads are there on the board.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I’d like to share resources with you Gatecrasher:)
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

I'd be happy to. But it sounds like you're way ahead of me at this point.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Gatecrasher wrote:I'd be happy to. But it sounds like you're way ahead of me at this point.
Well, I need a 09-12 BCM to start mapping things out on that series. It is to no avail if we can't read out the current tune!! I need a way to read the BCM out over the OBD2 port. Currently I need to use a GM VIN (cost 50.00, one-time use) with SPS to get the files to change, then flash in with DPS. And you have to know the seed and key to use that program. I can write a program in C to read it out, if I knew what to put for the processor and what type of watchdog it has. Being able to read/write via BDM would be helpful for when I mess up my custom kernel uploaded via the OBD2 port, as I'm sure to do! I can't find any info on the 04-08 processor, so I'm likely going to buy a 09-12 or fix one that I bricked. I have two 09-12 OS that I bricked experimenting. Those should be able to be fixed via BDM.

Could you help guide me to connect up to the 09-12 pcm via bdm?
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

ST92F124/ST92F150/ST92F250
That could be the chip possibly for the older bcm? What do you think? Qfp100
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: Colorado / H3 BCM hacking

Post by Gatecrasher »

I think the older chip is still a TI chip. Some of the sketchy Chinese suppliers list the manufacturer as TI. It's just something there was never public documentation for. Have you got an OS you can post? It'd be worth seeing if the code is similar to the gen 2.

The gen 2 BCM uses algo $12. Might be worth seeing if the gen 1 BCM uses the same algo. The JTAG pinout for the gen 2 unit is attached. I really need to get a proper JTAG adapter. The BusPirate is just too glitchy.
Attachments
BCM ver2 JTAG pins.jpg