Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 1:53 am
by 04colyZQ8
ironduke wrote:
04colyZQ8 wrote:I wonder if hex ... 09 * 1000 which is 589,824 in decimal, which is 9.83 minutes could tell us anything? I'd search for 09 in the segment that contains the hood pin Boolean and change 09 to 05 and see if it cuts the time down.
Would you still do that if I had timed the remote start runtime and ended up with 10 minutes and 1.6 seconds... so 10:01.6? You had asked and I had timed it again and posted. I don't know why we'd start looking at 9 minutes, or 9.83 minutes. It certainly ran for damn near exactly 10 minutes, and the 1.6 seconds was probably me fat fingering the stop button on my phone.. lol

The way I look at it, if it’s stored in seconds or milliseconds then it’s got to start with 09 in hex, or something like 09 xx xx, so just in case it’s not exactly 09 27 C0 I’m just saying start with the most obvious MSB, which is 09.

Otherwise it must be set as a Boolean in the OS or hard coded in the OS.

Are there any applications in the cars or trucks that this style of BCM was used in, even overseas, that have a different remote timer?

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 1:55 am
by 04colyZQ8
What’s the timeout on a Holden Ute or Commodore? They use the same family BCM.

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 5:00 am
by gmtech825
Not sure how it might help yet, but I found the PID section. Ironduke, yours starts at x000FAEE0.

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 5:18 am
by 04colyZQ8
gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke, yours starts at x000FAEE0.
PID for scan tools?

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 6:28 am
by gmtech825
04colyZQ8 wrote:
gmtech825 wrote:Not sure how it might help yet, but I found the PID section. Ironduke, yours starts at x000FAEE0.
PID for scan tools?
Correct.

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 10:23 am
by Tazzi
04colyZQ8 wrote:What’s the timeout on a Holden Ute or Commodore? They use the same family BCM.
Our Holden VE (2007-2012) never received factory remote start.
It can be done, but it required custom programming of the BCM, ECM and RFA module.

The BCM must have already had the timer set in it, since from memory I only had to program a few bytes to 01 to enable it.

Re: 07-2013 GM BCM

Posted: Tue Apr 26, 2022 11:09 pm
by gmtech825
Found the location for handling scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PIDs are referenced though.

Re: 07-2013 GM BCM

Posted: Wed Apr 27, 2022 3:22 pm
by Tazzi
gmtech825 wrote:Found the location for handling scan tool requests... then fell down a rabbit hole of looking at how all that is handled. Still haven't figured out how the specific PIDs are referenced though.
Well, understanding the PIDs should help realistically.

If you can point out where it's actually sending the reply to messages, we might be able to start actually trying to make a custom GM kernel to dump RAM areas which could be of interest.

Re: 07-2013 GM BCM

Posted: Thu Apr 28, 2022 12:02 am
by gmtech825
Here is the function I found for mode 22:

Code:

    case 0x22:
      MODE_22_FUNCTION();
      break;

Code:

void MODE_22_FUNCTION(void)

{
  int iVar1;
  uint uVar2;
  uint unaff_r9;
  ushort *unaff_r11;
  BADSPACEBASE *in_r15;
  undefined *puVar3;
  undefined4 *puVar4;
  
  puVar4 = (undefined4 *)&stack0xffffffec;
  puVar3 = &stack0xffffffec;
  if (DAT_0003edec == '\x03') {
    unaff_r9 = (uint)CONCAT11(POSS_MODE_SUB_OR_PID_value,POSS_PID_BYTE_2);
    unaff_r11 = (ushort *)PID_FUNCTION();
    iVar1 = FUN_DECIMAL_209();
    uVar2 = POSS_PID_LOOKUP_ROUTINE(unaff_r11,iVar1,unaff_r9);
    if (uVar2 == 0xffff) {
      if ((DAT_0003ee6d & 0x10) == 0) {
        CAN_TX(0x7f,0x22,0x31);
      }
    }
    else {
      iVar1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
      CAN_RESPONSE = 0x62;
      CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
      CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
      FUN_000d9c8e(iVar1 + 3U & 0xff);
    }
  }
  else {
    CAN_TX(0x7f,0x22,0x12);
    puVar4 = (undefined4 *)puVar3;
  }
  *puVar4 = &DAT_0003edec;
  puVar4[-1] = unaff_r9;
  puVar4[-2] = &CAN_RESPONSE;
  puVar4[-3] = unaff_r11;
  return;
}

Code:

undefined * PID_FUNCTION(void)

{
  return &PID_s;
}

Code:

undefined4 FUN_DECIMAL_209(void)

{
  return 0xd1;
}

Code:

uint POSS_PID_LOOKUP_ROUTINE(ushort *param_1,int param_2,uint param_3)

{
  uint uVar1;
  uint uVar2;
  uint uVar3;
  uint uVar4;
  
  uVar3 = param_2 - 1U & 0xffff;
  uVar2 = 0;
  if (((byte)(SBORROW4(param_3,(uint)*param_1) ^ (int)(param_3 - *param_1) < 0) != 1) &&
     (uVar1 = (uint)param_1[param_2 - 1U],
     (byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1)) {
    while ((byte)(SBORROW4(uVar2,uVar3) ^ (int)(uVar2 - uVar3) < 0 | uVar2 == uVar3) == 1) {
      uVar4 = (uVar2 + uVar3) / 2;
      uVar1 = (uint)param_1[uVar4];
      if ((byte)(SBORROW4(param_3,uVar1) ^ (int)(param_3 - uVar1) < 0 | param_3 == uVar1) == 1) {
        if ((int)(uint)param_1[uVar4] <= (int)param_3) {
          return uVar4;
        }
        uVar3 = uVar4 - 1 & 0xffff;
      }
      else {
        uVar2 = uVar4 + 1 & 0xffff;
      }
    }
  }
  return 0xffff;
}
PID_s is the start of the PID address x000faed4 for my file.

I labeled a couple of things, and I can see the negative and positive responses, but maybe you can make more sense of it.
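To make the decompiled logic above easier to follow, here is an added, readable C model of what MODE_22_FUNCTION and POSS_PID_LOOKUP_ROUTINE appear to do (this is example code written for this thread, not the BCM firmware or a Ghidra export). The PID table below is constructed for illustration; the real PID_s table has 0xd1 entries. The length check, the CONCAT11 of the two PID bytes, the binary search returning 0xffff on a miss, and the 7F 22 12 / 7F 22 31 negative responses versus the 0x62 positive response all mirror the decompilation; the meaning of DAT_0003edec as a message length and DAT_0003ee6d as a "suppress negative response" flag is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed, sorted 16-bit PID table standing in for PID_s (not the real table). */
static const uint16_t pid_table[] = {0x0010, 0x0100, 0x1234, 0x4000, 0xF190};
#define PID_COUNT ((int)(sizeof pid_table / sizeof pid_table[0]))

/* Model of POSS_PID_LOOKUP_ROUTINE: binary search over a sorted table.
 * Returns the table index on a hit, 0xffff on a miss. The SBORROW4/sign tests
 * in the decompilation are just signed "<" and "<=" comparisons. */
uint32_t pid_lookup(const uint16_t *tbl, int count, uint32_t pid)
{
    uint32_t lo = 0, hi = (uint32_t)(count - 1) & 0xffff;
    /* Range guard: also keeps (mid - 1) & 0xffff from wrapping hi to 0xffff
     * when pid is below tbl[0], which would otherwise read past the table. */
    if (pid < tbl[0] || pid > tbl[count - 1])
        return 0xffff;
    while ((int)lo <= (int)hi) {
        uint32_t mid = (lo + hi) / 2;
        if (pid <= tbl[mid]) {
            if (tbl[mid] <= pid)
                return mid;               /* exact match */
            hi = (mid - 1) & 0xffff;
        } else {
            lo = (mid + 1) & 0xffff;
        }
    }
    return 0xffff;
}

/* Model of MODE_22_FUNCTION's dispatch. Writes the reply header into out and
 * returns its length (0 when the suppress flag swallows the negative reply). */
size_t mode22_reply(uint8_t msg_len, uint8_t pid_hi, uint8_t pid_lo,
                    uint8_t flags, uint8_t *out)
{
    if (msg_len != 3) {                   /* DAT_0003edec != 3 */
        out[0] = 0x7f; out[1] = 0x22; out[2] = 0x12;
        return 3;
    }
    uint32_t pid = ((uint32_t)pid_hi << 8) | pid_lo;   /* CONCAT11 */
    uint32_t idx = pid_lookup(pid_table, PID_COUNT, pid);
    if (idx == 0xffff) {
        if (flags & 0x10)                 /* DAT_0003ee6d & 0x10: stay silent */
            return 0;
        out[0] = 0x7f; out[1] = 0x22; out[2] = 0x31;
        return 3;
    }
    out[0] = 0x62; out[1] = pid_hi; out[2] = pid_lo;   /* data bytes would follow */
    return 3;
}
```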

Re: 07-2013 GM BCM

Posted: Thu Apr 28, 2022 6:39 am
by 04colyZQ8
That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself, based on the assembly code given by disassembling in IDA? Or does the program you have spit this wonderful code out?

I really would like to see my code disassembled like this!