Colorado / H3 BCM hacking
Re: Colorado / H3 BCM hacking
76 IS A POSITIVE RESPONSE TO MODE 36
-
- Posts: 469
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
Oh ok so then maybe it’s accepting the execute command? But doesn’t seem to do anything? Even tried this...
Ram
Ram location a
……
My kernel
Upload 0xff to location a.
I then dumped the RAM via BDM. I see my kernel, but location a is 00, not ff?
Re: Colorado / H3 BCM hacking
IT IS ACCEPTING IT. PROBABLY A KERNEL PROBLEM. POSSIBLY THE ADDRESS YOU ARE TRYING TO WRITE IS PROTECTED AND NEEDS SOME MISSING CODE TO UNLOCK THAT ADDRESS FOR WRITING. I'M DEFINITELY NOT THE GUY TO HELP WITH THIS THOUGH. MAYBE TRY A DIFFERENT TEST KERNEL TO VERIFY THAT IT RUNS, SUCH AS SPITTING A VALUE OUT TO THE BUS.
- antus
- Site Admin
- Posts: 8996
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: Colorado / H3 BCM hacking
Agree with the above. If you get the 76 it loaded and tried to run and crashed.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Colorado / H3 BCM hacking
Ok, the factory kernel is so complicated: it loads three pointers first, then the middle of the kernel, then the rest! Then it loads the OS to a different address that is reused each time the flash code is uploaded. Not sure what initiates execution.
Re: Colorado / H3 BCM hacking
Ok, when I use 36 80 and dump RAM I see a pointer being written to 1b60 for the address I stated. That’s interesting, but it doesn’t seem to jump to it though.
Re: Colorado / H3 BCM hacking
Are you sure the code you have written works?
Like, how do you know its able to send a VPW frame back?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
- antus
Re: Colorado / H3 BCM hacking
3 pointers sounds like it could be a dual core CPU with 2 kernels and a buffer address. This is something I have begun looking into as I'd like to one day add slave CPU write for the P10 and P12 in pcmhammer, but other than a hint about maybe recognising the pattern, I don't have any more at this stage.
Re: Colorado / H3 BCM hacking
The latest code I’m using just writes 0xff to available RAM below the kernel. I then dump RAM via BDM to see if it’s written it.
But maybe since I’m sending the 3680 in a constant loop via the script, it’s not getting a chance to process it.
- antus
Re: Colorado / H3 BCM hacking
There is no point sending the 36 80 more than once. Do you know if there are any watchdogs the CPU needs to stay alive? First of all you need a loop that just keeps the watchdogs happy and no more to prevent a reset. Then you can do something else and see if that happens with BDM.