pcmhacking.net

If the bcm don`t error on vin change command and send affirmative response, it is likely some power down sequence that prevents writing the vin to eeprom.

Hey Guys many , many thanks to Gatecrasher! check this out took 5-6hrs to read out via elm327 but I got the entire flash out!! Sweet!

I did get lazy in the end and padded the last remaining zeros I figured that wasn't so crucial, I also figured 6 hrs was long enough lol

also read the ram I think, think this is the ram?

I did some auto detect and checksum config for the bcm file. Will be interesting to test on other dumps. Since OS is hardcoded in the xml.
I looked at the rom dump. The vin seems slightly changed. Did you write it that way or there is some other issue. A dump from the eeprom will be nice too.

I can do some custom script for dumping the bin to a log and than convert to bin, if you want to share some log from the elm dump commands.

Anyone else notice the 6c f1 40 35 etc commands for in the ram I posted? Looks like the data port vpw commands are listed there! Can anyone deconstruct them to tell were they go to?

made these reads from the 04 can't find the full files can't nail down the proper addresses very different then the 09

Makes no sense at all the OS says the segments should be at 4c00, but that’s not anywhere near were it actually is? I am missing a few bytes at the top and bottom of the flash, by the looks of it the flash maybe smaller on the 04?

Any ideas what processor this is?

Something does not line up in the file. The segments don`t line with OS range too. File structure seems similar with the later type bcm, but code is definitely different, 2004 seems 16 bit cpu or 8 bit cpu.

If you have a vin for that bcm I can try to score some sps files for it.

Maybe you can try mode 23 read of the bin.
#example You can read 4 bytes at a time.

This is very close to the full ram of the 04 bcm, notice a lot of vpw commands are in here, can anything interesting be done with that?

this was again read with mode 35.

what is the difference between mode 23, and 35?

the way it is setup to read I can pick address way off, and it will just return null space until it finds some code, ran all night to find the flash bin, but then I don't know exactly where it starts and stops? but I can't be much more than 16kb off either way, which is just white space, so no code exists there, or it is protected?

kur4o wrote:Something does not line up in the file. The segments don`t line with OS range too. File structure seems similar with the later type bcm, but code is definitely different, 2004 seems 16 bit cpu or 8 bit cpu.

If you have a vin for that bcm I can try to score some sps files for it.

Maybe you can try mode 23 read of the bin.
#example

Code: Select all

[05:22:23.220] 6C FE F1 28 00
[05:22:23.283] 6C F1 40 68 00
[05:22:23.283] 6C F1 10 68 00
[05:22:23.799] 8C FE F0 3F
[05:22:23.861] 6C 10 F0 27 01
[05:22:23.877] 6C F0 10 67 01 46 53
[05:22:23.877] 6C 10 F0 27 02 0A B9
[05:22:23.939] 6C F0 10 67 02 34
[05:22:23.939] 6C 40 F0 27 01
[05:22:23.955] 6C F0 40 67 01 00 00
[05:22:23.955] 6C 40 F0 27 02 8B 9F
[05:22:24.017] 6C F0 40 67 02 35
[05:22:24.017] 6C 40 F0 23 00 00 00 01
[05:22:24.080] 6C F0 40 63 00 00 00 6C 35 00
[05:22:24.080] 8C FE F0 3F
[05:22:24.142] 6C 40 F0 23 00 00 04 01
[05:22:24.205] 6C F0 40 63 00 04 7D 00 1F 80
[05:22:24.205] 8C FE F0 3F
[05:22:24.267] 6C 40 F0 23 00 00 08 01
[05:22:24.330] 6C F0 40 63 00 08 10 48 00 00

You can read 4 bytes at a time.

I think it’s 16 bit model F16 TI qfp 100
Processor.

I have the gm segments from sps all ready including the utility file.
Just hacked them out of tis2000 using MySQL.

And they 100% match the segments in here!

Goes in this order

Seg 02
Seg 03
Seg 04
Seg 05
She 06

Boot loader
Os seg 01

Same order as the 09 and 11 bcm