unlocked E41( and t87a) swapping to another vehicle

Bosch Motronic etc ECUs and PCMs
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Gatecrasher »

My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
Oh ok that’s what those 100? Ish messages are mode 22! I thought it was some kind of timer countdown.

I think it’s actually
AE 7E 20 00 00 00
And I think AE 7E 80 xx xx xx xx Immo pin needs to be sent prior to this.
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by gmtech825 »

Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.

that would be my guess as well. try logging header $2c9...I'm looking at some code for the Immo that may be looking at that header. that or $3c9
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

gmtech825 wrote:
Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.

that would be my guess as well. try logging header $2c9...I'm looking at some code for the Immo that may be looking at that header. that or $3c9

The dll for the type 4 app breaks down very well in ghidra

But still hard to follow. Just want to cut out the checks for other modules on the bus. Just do the learn with bcm and pcm.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Gatecrasher »

PID 90D0 is the active 12 minute security timer value.

After that hits zero, it starts polling 90D4 and 155A. 90D4 is a set of flags for the security system status (learned, unlocked, etc) and 155A is the power mode, I think. Right after that it sends AE 7E 20 to reset the security system, and it starts polling PID 8045. Once 8045 changes from 2 to 0 and then back to 2, it resets the security PIN and starts wrapping up the immobilizer relearn.

Once that's done, it starts polling 90D4 for the EBCM on the HS bus, and then HVAC, IPC and SDM on the LS bus. It's making sure all those have their environment IDs learned. Looks like it also tries the keyless entry module and the column lock module (?), but those aren't present on this truck.

Then it polls 8045 on the BCM again. Guessing those are the door open/close flags.

I think all the magic in this process is inside the BCM. The type 4 app just kicks off the process. I'd just wire up a toggle switch for the door to the BCM bench harness and try sending the PIN unlock, and then toggle the ignition and door switch based on the timestamps in your log file.
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: unlocked E41( and t87a) swapping to another vehicle

Post by Gatecrasher »

Here's an annotated version of the immo relearn. A lot of it is just reading and verifying values.


Start
  16:11:24.1<[.H..] 00 00 02 41 22 90 A1				//Query BCM to see if immo allowed
  16:11:24.1>[.H..] 00 00 06 41 62 90 A1 00 00 01		//01 = allowed (If 00, immo relearn quits)
  16:11:24.1<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:11:24.1>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
Repeat
  16:11:27.2<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:11:27.4>[.H..] 00 00 06 41 62 80 45 00				//BCM power mode = 00 Off
Repeat
  16:11:36.1<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:11:36.2>[.H..] 00 00 06 41 62 80 45 00				//BCM power mode = 00 Off
  16:11:36.4<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:11:36.4>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
Tool rebuilds matrix
  16:11:42.6<[.H..] 00 00 07 E0 22 15 5A				//Query ECM PID 155A
  16:11:42.6>[.H..] 00 00 07 E8 62 15 5A C4
  16:11:42.6<[.H..] 00 00 02 41 22 90 D4				//Query BCM security status
  16:11:42.7>[.H..] 00 00 06 41 62 90 D4 02
  16:11:51.4<[.H..] 00 00 02 41 AE 7E 80 38 31 31 31	//Send BCM sec PIN unlock
  16:11:51.5>[.H..] 00 00 06 41 EE 7E
  16:11:51.5<[.H..] 00 00 02 41 22 90 D0				//Query sec unlock timer
  16:11:51.5>[.H..] 00 00 06 41 62 90 D0 00 09 27 AC	//Timer init to 0x927C0 (600,000 msec = 10 min)
Repeat
  16:21:52.1<[.H..] 00 00 02 41 22 90 D0
  16:21:52.1>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
  16:21:53.2<[.H..] 00 00 02 41 22 90 D0
  16:21:53.2>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
Repeat
  16:23:53.4<[.H..] 00 00 02 41 22 90 D0
  16:23:53.4>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
  16:23:59.6<[.H..] 00 00 02 41 22 90 D4				//Query BCM security status
  16:23:59.7>[.H..] 00 00 06 41 62 90 D4 03
  16:23:59.7<[.H..] 00 00 07 E0 22 15 5A				//Query ECM PID 155A
  16:23:59.7>[.H..] 00 00 07 E8 62 15 5A C4
  16:23:59.8<[.H..] 00 00 02 41 22 90 D4				//Query BCM security status again
  16:23:59.8>[.H..] 00 00 06 41 62 90 D4 03
  16:23:59.8<[.H..] 00 00 02 41 AE 7E 20 00 00 00 00	//Send BCM sec PIN reset
  16:23:59.9>[.H..] 00 00 06 41 7F AE 78				//BCM resp pending
  16:24:04.8>[.H..] 00 00 06 41 EE 7E					//BCM resp success
  16:24:04.8<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:24:04.8>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
Repeat
  16:24:08.8<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:24:08.8>[.H..] 00 00 06 41 62 80 45 00				//BCM power mode = 00 Off
Repeat
  16:25:04.3<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:25:04.4>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
  16:25:04.4<[.H..] 00 00 07 E0 22 15 5A				//Query ECM PID 155A
  16:25:04.4>[.H..] 00 00 07 E8 62 15 5A E6
  16:25:04.4<[.H..] 00 00 02 41 22 90 D4				//Query BCM security status
  16:25:04.5>[.H..] 00 00 06 41 62 90 D4 01
  16:25:04.5<[.H..] 00 00 02 41 AE 7E 40 38 31 31 31	//Send BCM sec PIN set new value
  16:25:04.6>[.H..] 00 00 06 41 7F AE 78				//BCM resp pending
  16:25:09.5>[.H..] 00 00 06 41 EE 7E					//BCM resp success
  16:25:09.5<[.H..] 00 00 02 41 1A A0					//Query BCM MEC
  16:25:09.5>[.H..] 00 00 06 41 5A A0 00				//BCM MEC = 00. Security locked/armed
  16:25:09.5<[.H..] 00 00 07 E0 22 15 5B				//Query ECM security status (equivalent to 90D4 on other modules)
  16:25:09.5>[.H..] 00 00 07 E8 62 15 5B 16
  16:25:09.5<[.H..] 00 00 07 E0 1A A0					//Query ECM MEC
  16:25:09.6>[.H..] 00 00 07 E8 5A A0 00				//ECM MEC = 00. Security locked/armed
  16:25:09.6<[.H..] 00 00 02 43 22 90 D4				//Query EBCM security status
  16:25:09.6>[.H..] 00 00 06 43 62 90 D4 02				//EBCM environment variable learned
  16:25:09.6<[.H..] 00 00 02 43 1A A0					//Query EBCM MEC
  16:25:09.6>[.H..] 00 00 06 43 5A A0 00				//EBCM MEC = 00. Security locked/armed
Tool switches to LS network
  16:25:13.8<[...L] 00 00 02 51 22 90 D4				//Query HVAC security status
  16:25:13.8>[...L] 00 00 06 51 7F 22 31				//HVAC PID 90D4 not supported (surprising)
  16:25:13.8<[...L] 00 00 02 51 1A A0					//Query HVAC MEC
  16:25:13.8>[...L] 00 00 06 51 5A A0 00				//HVAC MEC = 00. Security locked/armed
  16:25:13.8<[...L] 00 00 02 4C 22 90 D4				//Query IPC security status
  16:25:13.8>[...L] 00 00 06 4C 62 90 D4 02				//IPC environment variable learned
  16:25:13.8<[...L] 00 00 02 4C 1A A0					//Query IPC MEC
  16:25:13.9>[...L] 00 00 06 4C 5A A0 00				//IPC MEC = 00. Security locked/armed
  16:25:13.9<[...L] 00 00 02 47 22 90 D4 				//Query SDM security status
  16:25:13.9>[...L] 00 00 06 47 62 90 D4 06				//SDM security = 06??  Unknown
  16:25:13.9<[...L] 00 00 02 47 1A A0					//Query SDM MEC
  16:25:14.0>[...L] 00 00 06 47 5A A0 00				//SDM MEC = 00. Security locked/armed
Tool switches to HS network
  16:25:15.9<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:25:15.9>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
Repeat
  16:25:18.5<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:25:18.5>[.H..] 00 00 06 41 62 80 45 00				//BCM power mode = 00 Off
Repeat
  16:26:12.6<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:26:12.6>[.H..] 00 00 06 41 62 80 45 01				//BCM power mode = 01 Acc
  16:26:12.9<[.H..] 00 00 02 41 22 80 45				//Query BCM power mode
  16:26:12.9>[.H..] 00 00 06 41 62 80 45 02				//BCM power mode = 02 Run
Relearn complete
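
A decoder for the log format in the post above, added here as an example (it is not part of the thread or of the type 4 app): it pairs each request with its final response, treats `7F <service> 78` as "response pending" rather than a failure, and reads the `22 90 A1` reply that the annotations say gates the relearn. The module/CAN ID table and the sample lines are copied from that log; the function names are this example's own.

```python
import re
# Request CAN ID -> (module, response CAN ID), as annotated in the log above.
MODULES = {0x241: ("BCM", 0x641), 0x7E0: ("ECM", 0x7E8), 0x243: ("EBCM", 0x643),
           0x251: ("HVAC", 0x651), 0x24C: ("IPC", 0x64C), 0x247: ("SDM", 0x647)}
RESP_TO_REQ = {resp: req for req, (_, resp) in MODULES.items()}
LINE = re.compile(r"\s*(\d\d):(\d\d):(\d\d\.\d)([<>])\[([.HL]{4})\]\s+"
                  r"((?:[0-9A-Fa-f]{2}\s+){4,}[0-9A-Fa-f]{2})\s*(?://.*)?$")
# Sample input: lines copied from the log above; labels such as "Start" are skipped.
SAMPLE = """Start
  16:11:24.1<[.H..] 00 00 02 41 22 90 A1\t\t//Query BCM to see if immo allowed
  16:11:24.1>[.H..] 00 00 06 41 62 90 A1 00 00 01
  16:23:59.8<[.H..] 00 00 02 41 AE 7E 20 00 00 00 00
  16:23:59.9>[.H..] 00 00 06 41 7F AE 78
  16:24:04.8>[.H..] 00 00 06 41 EE 7E
  16:25:13.8<[...L] 00 00 02 51 22 90 D4
  16:25:13.8>[...L] 00 00 06 51 7F 22 31
"""

def parse(text):
    """Yield (seconds, is_request, bus, can_id, payload) for each frame line."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, direction, bus, hexs = m.groups()
        raw = bytes.fromhex("".join(hexs.split()))   # 4-byte CAN ID, then payload
        yield (int(h) * 3600 + int(mi) * 60 + float(s), direction == "<",
               "HS" if "H" in bus else "LS", int.from_bytes(raw[:4], "big"), raw[4:])

def transactions(text):
    """Pair each request with its final response from the same module."""
    open_reqs, done = {}, []
    for t, is_req, bus, can_id, data in parse(text):
        req_id = RESP_TO_REQ.get(can_id)
        if is_req:
            open_reqs[can_id] = (t, data)
        elif req_id in open_reqs:
            t0, req = open_reqs[req_id]
            neg = len(data) >= 3 and data[0] == 0x7F and data[1] == req[0]
            if neg and data[2] == 0x78:
                continue                     # response pending: the final answer follows
            if neg or data[0] == req[0] + 0x40:   # positive reply = service ID + 0x40
                del open_reqs[req_id]
                done.append({"module": MODULES[req_id][0], "bus": bus, "request": req.hex(" "),
                             "status": f"NRC {data[2]:02X}" if neg else "positive",
                             "body": "" if neg else data[1:].hex(" "), "wait_s": round(t - t0, 1)})
    return done

def relearn_allowed(text):
    """BCM reply to 22 90 A1: last byte 01 -> True, 00 -> False, not seen -> None."""
    return next((tx["body"].endswith("01") for tx in transactions(text)
                 if tx["module"] == "BCM" and tx["request"] == "22 90 a1"
                 and tx["status"] == "positive"), None)
```

On the sample, the PIN reset shows up as one transaction with a 5.0 s wait instead of a failure followed by an unrelated success, and the HVAC query is reported as `NRC 31`.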
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

Very cool!!
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

Interesting the file I posted was in my 2015 trax

I want to learn a 2018 Colorado environment if
When i tried the type 4 on the bench it instantly failed saying
Wrong calibration in bcm

I bet since Z1 security relearn is not available for this vin
That it’s not supported

I bet it fails this 00 00 06 41 62 90 A1 00 00 01 prob it returned 00

If that’s the case how does the Colorado 2018 platform Learn the secondary Immo code?
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

I’ve searched vins for everything that is using the same service number bcm none of them have the z1 security relearn option! Strange
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: unlocked E41( and t87a) swapping to another vehicle

Post by 04colyZQ8 »

yup failed prob because

00 00 06 41 62 90 A1 00 00 00 last byte is 00 not 01

see log
Attachments
ProgramLog_colorado_2018_bcm_immo_fail.Txt
(51.74 KiB) Downloaded 88 times