Colorado / H3 BCM hacking

[04colyZQ8]

Just a update on the 09-12 bcm in a older 04 truck!

After desiccating several vins with different options I got a base 2009 tune for my truck!
So after mixing a few segments I was left with…
-tpms light and messages
-traction fault msg
-battery light
-no seatbelt msg or light to sdm important!
-Drls non functional with dtcs for drl relay
Made my cluster go to 230,000 miles! Oops
I guess used bcm had way higher miles

[04colyZQ8]

First thing I did was write a function to update the miles,
Since I got tired of using the chip clip on the eeprom all ways
Slips off!

More later …

[04colyZQ8]

I attempted to write the millage to the eeprom portion of the ram, this however didn’t change anything! Next I changed the millage in the working portion of the ram, that changed it as viewed by the cluster but key off/on it reverts. Finally I tricked the bcm to read the mileage from my own location, then called the built in function to update it, then sent a class to message to add 5kms to it, key on key off finally stored new mileage. I have a theory that the actual eeprom is in another memory location and the emulated chip is the one at the top of the ram, for future work I need to find the true memory location of the eeprom

[04colyZQ8]

I then deleted tpms, wired in a battery module, relearned the security, setup sdm code, enabled the older style seat belt input to send the class 2 seat belt buckled message, and deleted traction control.

However the traction fault msg remained, this is because that message is turned off by newer can biased abs module. I sniffed a newer abs module message then created that message in the bcm, to feed in a constant loop. No more traction fault message!

Then I modified some old custom code I made for the 04-08 bcm lighting segment and enabled upper marker drls, removed head lamp drl relay dtc, changed to USA style lighting, added fog lamps.

So all that remains is that the seat belt light is steady when unbuckled instead of flashing, other then, that I just created a drop in 09-12 bcm that can replace the 04-08 bcm without wiring changes, apart from adding a battery module, which can probably be eliminated as well.

Now back to creating remote start.

[04colyZQ8]

Last test using a 5 wire hookup single relay, plus for clutch bypass another relay pot resister and 5 wire hookup.

Truck started with pressing lock and trunk, shuts off with pressing trunk again or releasing e brake.

However dash says error for Kms, fault, tpms flashing security light flashing with code for no modulation., these errors don’t go away unless you key off, back on and delete codes from theft module or or won’t start.

So got to see what I’m doing wrong here as I’m supposed to mimic the factory starting sequence. Getting close but still kinks to work out.

[In-Tech]

[04colyZQ8]

6C 40 F0 36 00 01 08 00 00 00

6C 40 F0 36 80 01 08 00 00 00 ...data...[block checksum]

If you are unsure how to calculate block checksum. Post the message you want to send and I will fix it for you.

Back on this again finally got used to both universal patcher scripts and now I can write python code to use avt 852. Want to send a simple code to Change kind bit in eeprom. Using 36 and 80 to execute it.

Question can my code jump from ram to flash to use built in functions?

What can I use to calculate the mode 36 checksum? Hxd?

[antus]

Question can my code jump from ram to flash to use built in functions?

Yes it can.

[04colyZQ8]

Ok great:)

[kur4o]

hxd will work great for block checksum. It is 16 bit, byte sum from 4th byte of message till end of data.

Most modules have special write sequence to eeprom, On power down it checks for changes and write to eeprom new data, comparing it from some virtual eeprom stored in RAM.