Colorado / H3 BCM hacking

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I can upload the 36 00 payload anywhere from 800000 to 8001b60, verified by BDM dump!

But as soon as I attach 36 80 it doesn't write to RAM?

If I try to send an empty 36 80 I get a 12 reject.
kur4o
Posts: 996
Joined: Sun Apr 10, 2016 9:20 pm

Re: Colorado / H3 BCM hacking

Post by kur4o »

It is very likely function is disabled, or needs some mode AE to enable it, or pin grounded. Only disassembly of boot block will reveal the hidden treasures of the bcm.
ironduke
Posts: 600
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Colorado / H3 BCM hacking

Post by ironduke »

04colyZQ8 wrote: Thu Jul 11, 2024 3:05 am I can upload the 36 00 payload anywhere from 800000 to 8001b60, verified by BDM dump!

But as soon as I attach 36 80 it doesn't write to RAM?

If I try to send an empty 36 80 I get a 12 reject.
Just chiming in here because I'm curious what command you're sending. You mentioned in another post about sending the 36 80 with a blank address. Not 100% sure with BCMs, but with ECMs I have to send the 36 80 with the address I want it to start executing at.
If you're sending to 00 80 00 00 then the execute command you're sending should be 36 80 00 80 00 00 00.
You might already be doing that, but your previous statement made me wonder whether you are or not?
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I am sending the address:
6c 40 f0 36 80 00 00 00 0b 82 checksum
Gives code 12 reject.
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

I do have the boot block disassembled but it's a cluster f!!
antus
Site Admin
Posts: 8374
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Colorado / H3 BCM hacking

Post by antus »

Put the 36 80 in the last (or only) block of data you are uploading. And you may find the RAM you are using is used by something else and not OK to use. For example, if the stack is there your kernel might get corrupted as something is pushed or popped on the stack before or as the OS hands off to your code, causing a crash and reboot. In the case of the P04 and P08 you have to move the stack to clear more contiguous RAM before you make a call, which will push the return address onto the stack. Looking at the SPS address and kernel size should give a starting point; disassemble it to see if it moves the stack and whether you need that logic in yours.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
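The frame layout ironduke spells out above and antus's rule that the 36 80 request goes in the last (or only) block can both be checked mechanically before anything is sent. The following is an added example written for this page, not code from the thread or from any poster: it parses raw class-2 frames written the way the posts write them ("6c 40 f0 36 80 ...") and validates a block sequence against the two rules stated in the thread. Assumed layout: a three-byte header [priority, target, source], the mode byte, the sub-function byte (00 = data block, 80 = data block plus execute, the only two antus lists), then the address/data bytes; the trailing checksum the interface appends is stripped and not verified, because the page does not say how it is computed. The negative-response layout (7F, rejected mode, NRC) is also an assumption, and the sample frames are constructed.

```python
# Added example, not code from the thread or from any poster.
# Assumed frame layout (from the bytes quoted in the posts):
#   [priority, target, source, mode, sub-function, address/data..., checksum]
# The checksum algorithm is not given on the page, so the last byte is dropped
# rather than verified. Negative responses are assumed to be 7F <mode> <NRC>.

from dataclasses import dataclass
from typing import List, Optional

MODE_UPLOAD = 0x36       # mode 36: upload a block to the module
NEG_RESPONSE = 0x7F      # assumed negative-response marker
SUB_DATA = 0x00          # data block only
SUB_EXECUTE = 0x80       # data block, then jump to the uploaded code
KNOWN_SUBS = {SUB_DATA, SUB_EXECUTE}   # antus: "Only 36 00 or 36 80"


@dataclass
class Frame:
    priority: int
    target: int
    source: int
    mode: int
    payload: List[int]   # bytes after the mode byte, checksum removed

    @property
    def subfunction(self) -> Optional[int]:
        return self.payload[0] if self.payload else None


def parse_frame(text: str, has_checksum: bool = True) -> Frame:
    """Parse 'xx xx ...' hex text; strips the trailing checksum byte if present."""
    raw = [int(tok, 16) for tok in text.split()]
    if has_checksum:
        raw = raw[:-1]
    if len(raw) < 4:
        raise ValueError("frame too short: need 3 header bytes and a mode byte")
    return Frame(raw[0], raw[1], raw[2], raw[3], raw[4:])


def describe(frame: Frame) -> str:
    """One-line summary of a request or (assumed-layout) negative response."""
    hdr = f"{frame.priority:02X}->{frame.target:02X} from {frame.source:02X}"
    if frame.mode == NEG_RESPONSE and len(frame.payload) >= 2:
        return f"{hdr}: reject of mode {frame.payload[0]:02X}, NRC {frame.payload[1]:02X}"
    if frame.mode == MODE_UPLOAD:
        sub = frame.subfunction
        sub_txt = f"{sub:02X}" if sub is not None else "??"
        kind = {SUB_DATA: "data", SUB_EXECUTE: "data+execute"}.get(sub, "unknown sub-function")
        rest = " ".join(f"{b:02X}" for b in frame.payload[1:])
        return f"{hdr}: mode 36 {sub_txt} ({kind}) bytes [{rest}]"
    return f"{hdr}: mode {frame.mode:02X}"


def check_upload_sequence(frames: List[Frame]) -> List[str]:
    """Return the problems found; an empty list means the sequence follows the thread's rules."""
    problems: List[str] = []
    if not frames:
        return ["no frames"]
    first = frames[0]
    for i, f in enumerate(frames):
        if (f.priority, f.target, f.source) != (first.priority, first.target, first.source):
            problems.append(f"frame {i}: header differs from frame 0")
        if f.mode != MODE_UPLOAD:
            problems.append(f"frame {i}: mode {f.mode:02X} is not 36")
            continue
        sub = f.subfunction
        sub_txt = f"{sub:02X}" if sub is not None else "??"
        if sub not in KNOWN_SUBS:
            problems.append(f"frame {i}: sub-function {sub_txt} is not 00 or 80")
        elif sub == SUB_EXECUTE and i != len(frames) - 1:
            problems.append(f"frame {i}: 36 80 must be in the last block, not block {i}")
        if len(f.payload) < 2:
            problems.append(f"frame {i}: no address/data bytes after the sub-function")
    if frames[-1].mode == MODE_UPLOAD and frames[-1].subfunction != SUB_EXECUTE:
        problems.append("last block is not 36 80, so nothing will be executed")
    return problems


# Constructed samples: the request quoted by 04colyZQ8 (checksum shown as a
# placeholder 00), a made-up data block before it, and a made-up 12 reject.
SAMPLE_DATA_BLOCK = "6c 40 f0 36 00 00 80 00 00 de ad be ef 00"
SAMPLE_EXECUTE = "6c 40 f0 36 80 00 00 00 0b 82 00"
SAMPLE_REJECT = "6c f0 40 7f 36 12 00"

if __name__ == "__main__":
    seq = [parse_frame(SAMPLE_DATA_BLOCK), parse_frame(SAMPLE_EXECUTE)]
    for fr in seq:
        print(describe(fr))
    print(describe(parse_frame(SAMPLE_REJECT)))
    print(check_upload_sequence(seq) or "sequence OK")
```

Running the module decodes the two constructed request frames, decodes the constructed reject, and reports an empty problem list for a data block followed by the 36 80 block; swap the two blocks and the checker reports both that 36 80 is not in the last block and that the last block will not execute anything.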
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Well, if I send the ae ….. command then it accepts much larger upload packets, but when I dump the RAM via BDM it's all messed up: everything's moved and the EEPROM portion that's usually there disappears! So it's moving something alright!

If I don't send the AE thing it only allows a max of 8 or so bytes of data to be sent, but when I dump the RAM it's exactly as it should be and the EEPROM is in place!
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

Are there any other commands that could be used other than 80? Any documentation for NRC responses and mode 36 with 80?
antus
Site Admin
Posts: 8374
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Colorado / H3 BCM hacking

Post by antus »

Only 36 00 or 36 80
Attachments
Screenshot 2024-07-11 114217.png (217.92 KiB)
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
04colyZQ8
Posts: 461
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Colorado / H3 BCM hacking

Post by 04colyZQ8 »

That's lovely, thanks. What does code 76 mean? I get that with 36 80.