pcmhacking.net

gmtech825 wrote: oof...there's a whole lot of jumping around for sure.

It (kind of?) makes sense. Its similar to the API development I have been doing, where a pointer saves the address that pointsto the desired function/structure.

There was a blackhat demonstration of injecting malware into a renesas CPU a while ago which is whats used in modern GM BCMs, and I explicitly remember saying that everything was setup as above. All the CAN functions were saved as pointers that jumped to the required function.

Is the 10 minute timer where remote start is already running going to be in the same routine as checking if it's ok to start?? No idea if my thinking is correct but it'd check if it's ok to remote start, then start the truck and then have a set of checks to see if it continues or shuts down.

Might be way off base here, but there are some checks being done while it's already running on remote start, mainly the timer and the hood switch then maybe some possible(s) such as fuel level and check engine light. I know if the low fuel light is on or ses light is on it will not remote start. I do not know if either of those will shut it down if the fuel level drops or a code sets turning the light on.

To check if it's ok to remote start there'd be a different set of tests, I don't think the 10 minute timer would be looked at until it's started? The number of remote start events would be for sure, along with hood switch,low fuel level,SES light and other disable criteria



Just thinking out loud, I've tried following along with IDA but having trouble getting the right settings so it's matching yours..

I haven’t read this entire thread, but I added remote start to a 2015 trax, plus extended the remote start timmer to 20 min.

Couple of things it’s stored in the bcm and pcm. I got lucky and my pcm factory timmer in the pcm is 20 min. My bcm was 10 min, stored as seconds. Anyway now mine runs for 20 minutes:)

04colyZQ8 wrote:I haven’t read this entire thread, but I added remote start to a 2015 trax, plus extended the remote start timmer to 20 min.

Couple of things it’s stored in the bcm and pcm. I got lucky and my pcm factory timmer in the pcm is 20 min. My bcm was 10 min, stored as seconds. Anyway now mine runs for 20 minutes:)

so if it was stored as seconds then you had it stored in 2 bytes? 0x0258?? Whereabouts did you find the timer? was it a specfic segment? OS? system? Powertrain?

Man, I hope it is stored in 2 bytes as 0x258.. I only have 17 occurrences in the entire BCM bin, 8 in the OS segment and 9 in the charging segment.. Been playing around with IDA but time has been limited.. plenty of time to stare at an ipad but that's been about it..

Vats is also 10 minutes or 600 seconds so a couple might be for that as well?

ironduke wrote:

04colyZQ8 wrote:I haven’t read this entire thread, but I added remote start to a 2015 trax, plus extended the remote start timmer to 20 min.

Couple of things it’s stored in the bcm and pcm. I got lucky and my pcm factory timmer in the pcm is 20 min. My bcm was 10 min, stored as seconds. Anyway now mine runs for 20 minutes:)

so if it was stored as seconds then you had it stored in 2 bytes? 0x0258?? Whereabouts did you find the timer? was it a specfic segment? OS? system? Powertrain?

Man, I hope it is stored in 2 bytes as 0x258.. I only have 17 occurrences in the entire BCM bin, 8 in the OS segment and 9 in the charging segment.. Been playing around with IDA but time has been limited.. plenty of time to stare at an ipad but that's been about it..

Vats is also 10 minutes or 600 seconds so a couple might be for that as well?

It’s in the same segment the remote start is in. If I recall, which makes total sense. Keep in mind the bcm is little endian byte order too:)

So it’s backwards.

Wish I could figure out disassembly a bit better, can you help me dissemble my bcm?

04colyZQ8 wrote:

ironduke wrote:

04colyZQ8 wrote:I haven’t read this entire thread, but I added remote start to a 2015 trax, plus extended the remote start timmer to 20 min.

Couple of things it’s stored in the bcm and pcm. I got lucky and my pcm factory timmer in the pcm is 20 min. My bcm was 10 min, stored as seconds. Anyway now mine runs for 20 minutes:)

so if it was stored as seconds then you had it stored in 2 bytes? 0x0258?? Whereabouts did you find the timer? was it a specfic segment? OS? system? Powertrain?

Man, I hope it is stored in 2 bytes as 0x258.. I only have 17 occurrences in the entire BCM bin, 8 in the OS segment and 9 in the charging segment.. Been playing around with IDA but time has been limited.. plenty of time to stare at an ipad but that's been about it..

Vats is also 10 minutes or 600 seconds so a couple might be for that as well?

It’s in the same segment the remote start is in. If I recall, which makes total sense. Keep in mind the bcm is little endian byte order too:)

So it’s backwards.

Wish I could figure out disassembly a bit better, can you help me dissemble my bcm?

gmtech825 has made some headway, I'm still stumbling with IDA trying to figure out settings,

Was it indeed stores as 0x258 I was already viewing it as little endian I believe..

As far as segments there is no 0x258 or 0x5802 in the system segment where remote start is enabled/disabled in my bin, nothing in powertrain either..

It’s Milli seconds btw 0927C0 hex is 600000ms, segment 05

04colyZQ8 wrote:It’s Milli seconds btw 0927C0 hex is 600000ms, segment 05

Well if it's written in milii seconds then I'm not gonna get mine, lol.. I don't have 0927c0 or c02709 anywhere in the entire bin...

segment 5 for mine is wiper, that's not where remote start enable was for mine, mine was in 2, system..

Thanks for the input though, anything else comes to mine please post it up!!!

I haven't had much time to spend on this, but if we stretch it out to two bytes then maybe it's 0x1770 (6000). that value appears in the system and powertrain segment i think

I need to figure out the error with that function decompiling i posted earlier, it may be the cause my issues.

ironduke wrote:

04colyZQ8 wrote:It’s Milli seconds btw 0927C0 hex is 600000ms, segment 05

Well if it's written in milii seconds then I'm not gonna get mine, lol.. I don't have 0927c0 or c02709 anywhere in the entire bin...

segment 5 for mine is wiper, that's not where remote start enable was for mine, mine was in 2, system..

Thanks for the input though, anything else comes to mine please post it up!!!

have you timed it with an accurate timer? Is it for sure exactly 10 minutes?