Uplander/montana/relay locked bcm

[kur4o]

3c 08 is some part number, I doubt it is mileage.

There is built in parser to convert logs to bin, I just want to make sure bcm response correctly, and than we need to find the full address space, where is data to be read.
converting 3c dumps to bin is also useless, because they use different formatting, address and length per each 3c request.
On DTC tab query modules will also get you a list of all 3c.

[08:55:03.215] 6C 40 F0 35 00
this command seems uncomplete. it needs address and length to read. currently there is only 1 byte. Length is fixed to 0010 and address is 3 bytes long

6C 40 F0 35 [00 10=length][00 00 00=address]

[04colyZQ8]

Tried changing the length of 35… always gives neg response code 11.

So it seems time to j tag it.

But before i do that I want to try changing the vin does a nice person have an unlock, and write vin script for patcher master? I’d try changing the vin to all ffs I guess, not sure what they are new? I think dps displays it as a y with sideways semi’s colon over the y when it has a new vin? Idk what hex value that is?

[kur4o]

That will be easy but it may reject it unless mec is >0

[04colyZQ8]

Unlocked to change vin or it wouldn’t work. Vin is ff ff as new!! Changed sdm part number to ff ff.

Mec is A0, cannot change even if unlocked:(

Tried tech 2 with blank vin says no communication.. ok through pcm and tcm on bus. Try again says controller is locked.

Likely looking at mec.

Unfortunately it cannot easily be changed unless I guess I j tag it.

[04colyZQ8]

Made more progress logging with tech 2 and pcm bcm on board lets be get to the point of setup new bcm
YES

I see the only thing being sent from tool to bcm is as suspected MEC
6C 40 F0 3C A0
6C F0 40 7C A0 00


Now to spoof this how??

I hacked the pcmia bin changed A0 to 6F as that is the only thing I can see that the bcm sends back as a byte. After this hack my logs showed
6C 40 F0 3C 6F
6C F0 40 7C 6F 0E

That’s pretty low number and didn’t seem to work!

Also tried another hack changed the address t0 50.then spammed it with vpw explorer

6C 50 F0 3C A0
6C F0 50 7C A0 FF // spammed (mec 255) sent repeatedly

[04colyZQ8]

That still comes back saying controller locked

Any ideas?

[Gatecrasher]

Maybe focus on the part where the Tech2 returns the "controller locked" message? Find that jump in the code and patch it to do the opposite. In doing so you'll likely find the criteria it's using for the lock status in the first place.

[04colyZQ8]

Love to but can’t figure out a decant disassembly of true emulator since the card is separate I’m not sure how to setup them both up in ghidra

[Gatecrasher]

Gotcha. It seems I misunderstood.

[04colyZQ8]

Gotcha. It seems I misunderstood.

It’s all good great idea truly! Maybe I can view the ram of the emulator via hxd and try and get a sense of were the na0 card is supposed to go in relation to the exe of the emulator. Then if I disassemble it as a PE file it should work?