antus wrote: ↑Fri Jul 12, 2024 8:46 pm
There is no point sending the 36 80 more than once. Do you know if there are any watch dogs the CPU needs to stay alive? First of all you need a loop that just keeps the watchdogs happy and no more to prevent a reset. Then you can do something else and see if that happens with BDM.

I have a loop that feeds two watch dogs but I don’t think the code’s running
Colorado / H3 BCM hacking
-
- Posts: 469
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
- antus
- Site Admin
- Posts: 8988
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Re: Colorado / H3 BCM hacking
If you can just loop on the watchdogs it'll be the minimum code you can upload and observe working. If it stops responding until you pull the power it works. Then you have the first piece in place. Anything else is a crash and it'll start responding to normal traffic again. Once you have it uploading and not rebooting add the next piece. You can move the watchdog loop around and use it as an indicator if it's not working and then try and add a function that sends a known response. Then you can look for that and get your data transmit working. Then try and get the receive working next.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: Colorado / H3 BCM hacking
Great advice antus. I wrote a code to the operating system that if I press panic on my fob it jumps to ram
If key fob panic == true:
Then load ram 08 00 0b 60 into register r1,
Bx jump to r1.
Still not executing code when I load it to ram, I think the class 2 mode block timer value 0x28 expires then resets the bcm, before I can get a chance to press the key fob just after uploading my watch dog kernel to jump to via mode 36.
I’m going to try to load a 32 bit pointer to FF ff fff ff as a timer cause 28 is likely 2 milliseconds or so.
That or I’ll put my code into eeprom section then jump to it cause it doesn’t get wiped after block reset timer expires.
Maybe that daft timer is the entire problem? Wonder if the factory kernel is somehow accessing the stack or that register and resetting it? Cause during programming events it takes a good 3-4 min to program, surely longer than 0x28!
Re: Colorado / H3 BCM hacking
antus wrote: ↑Sat Jul 13, 2024 10:13 am
If you can just loop on the watchdogs it'll be the minimum code you can upload and observe working. If it stops responding until you pull the power it works. Then you have the first piece in place. Anything else is a crash and it'll start responding to normal traffic again. Once you have it uploading and not rebooting add the next piece. You can move the watchdog loop around and use it as an indicator if it's not working and then try and add a function that sends a known response. Then you can look for that and get your data transmit working. Then try and get the receive working next.

Try doing as Antus has said exactly.
This will confirm at least three things:
1) That your assembly code is working
2) That the watch dog is being satisfied
3) That there is no slave ECU or external item resetting the cpu.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Re: Colorado / H3 BCM hacking
Well it’s not losing coms ever so must not be executing my code, or the code is bad or both.
- antus
- Site Admin
Re: Colorado / H3 BCM hacking
Probably you are not satisfying the watchdogs and it reboots within milliseconds.
Re: Colorado / H3 BCM hacking
It’s losing coms now but not executing code. I put a simple code that moved aa to the vin. It resets after 15-20 seconds then coms come back. I think it’s jumping to the pointer at least
Re: Colorado / H3 BCM hacking
Has anyone tried changing the VIN in the BCM using VPW commands?
I get security access denied when I try to change the VIN. Does it not support the VIN change or does it require some other access level?
Send: ATSH 6C40F1
OK
Send: 3C 03
7C 03 31 35 36 34 31 36
Send: 2701
67 01 C6 E5
Send: 2702B061
67 02 34
Send: 3B 03 313131313131
7F 3B 03 31 31 31 31 33
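An added example, not part of the original posts: a small Python parser that classifies each reply in the session posted above. It assumes a positive reply is the request mode plus 0x40, that a reply starting with 7F names the rejected mode, and that its last byte is the reason code (0x33 is mapped to the poster's "security access denied"); the function names are hypothetical.

```python
# Constructed copy of the session from the post above, embedded so this runs offline.
SESSION = """\
Send: ATSH 6C40F1
OK
Send: 3C 03
7C 03 31 35 36 34 31 36
Send: 2701
67 01 C6 E5
Send: 2702B061
67 02 34
Send: 3B 03 313131313131
7F 3B 03 31 31 31 31 33
"""

# Assumption: 0x33 is the reason the poster reads as "security access denied".
REASONS = {0x33: "security access denied"}


def hexbytes(text):
    """Turn '3B 03 3131' style text into bytes, ignoring spaces."""
    return bytes.fromhex(text.replace(" ", ""))


def classify(request, reply):
    """Label one reply as positive, negative or unexpected for its request."""
    mode = request[0]
    if reply[0] == 0x7F and len(reply) >= 3 and reply[1] == mode:
        code = reply[-1]  # assumed position of the reason code
        return ("negative", mode, REASONS.get(code, f"reason 0x{code:02X}"))
    if reply[0] == mode + 0x40:
        return ("positive", mode, reply[1:].hex(" ").upper())
    return ("unexpected", mode, reply.hex(" ").upper())


def parse_session(text):
    """Pair each 'Send:' line with the reply that follows; skip AT commands."""
    results, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Send:"):
            cmd = line[5:].strip()
            pending = None if cmd.upper().startswith("AT") else hexbytes(cmd)
        elif pending is not None and line:
            results.append(classify(pending, hexbytes(line)))
            pending = None
    return results
```

On this transcript the 3C read and both 27 requests classify as positive, and only the 3B 03 write comes back as a 7F rejection.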
Re: Colorado / H3 BCM hacking
You can’t change the vin on the bcm via mode 7b/3b commands it’s not supported. You can as I have done write a custom kernel download to the bcm, then up run it to download a new vin to the bcm.
Or you can simply replace or reprogram the eeprom with a new vin
Re: Colorado / H3 BCM hacking
04colyZQ8 wrote: ↑Wed Jan 01, 2025 12:47 am
You can’t change the vin on the bcm via mode 7b/3b commands it’s not supported. You can as I have done write a custom kernel download to the bcm, then up run it to download a new vin to the bcm.
Or you can simply replace or reprogram the eeprom with a new vin

Some BCMs actually allow you to change VIN via the commands. I was able to borrow 13 different P/N BCMs from Canyon/H3 to play around with.
Two P/N allowed me to change the VIN via the command. P/N 15802494 which is for 2005-2006 Canyon and 15951589 which is for 2007-2008 Canyon. Not really sure why these were so special.
eeprom method requires desoldering as it can't be read in circuit which is something I was trying to avoid.