This is quite a good step towards writing code to remote start.
Now since I know the start msg for class 2, I just need to write that to ram and send it out via cl2 msg handler.
Then use a relay pin for acc, and another for ignition.
Will setup to have to press lock, then truck to start.
Willing to check out other 315 hz remotes from simular year to see if it will talk to the bcm. If so I can probably use the actual start button.
All I see is the 06 hhr fob but any of the remotes with starter function are extended range, that may not work with the current receiver in the bcm!
If it does and it uses a different rolling code, then that will and not work. I found the rolling code function on our bcm. But cannot access the code in the separate radio module in the hhr to compare it to.
Gatecrasher wrote:At a glance, the SPS files don't have address information for the calibration segments. It's all handled in the kernel somehow. And there's no way to disassemble that without knowing what language the old chip uses.
Speaking of the old chip, I'm almost convinced it's some kind of 16 bit architecture. I got really lucky and stumbled on the pointers for the class 2 handlers. This is how it's represented on the 32 bit Arm7 TMS470:
It's really weird that they hit on odd-numbered addresses, and those addresses don't fall neatly into the range of the 'full' dump Coly posted, which makes me think there's some kind of memory mapping going on. This onion has a whole lot of layers. And some of them stink.
How did you get the disassembly? What setings for the older F16 one?
I bricked my 09 bcm!! And I cannot seem to erase or write to it via J-tag, Did the open port setup allow erase and write?
So I am trying to get a decant disassembly of the 04-08 bcm as I have several of those modules to play with. I tried PIC17, AVR8, and MSP430 they are close but don't seem quite right. It is most definitely 16 bit little endian. I really don't think it's biased off the TMS370, I think it is a TMS320 or there abouts. I cannot seem to find a TMS320 or TMS370 dissembler to try.
I don't remember getting an actual disassembly for the F16 chip. If I remember correctly, it was just dumb luck that I found that in the raw binary file.
I wonder how difficult it would be to retrofit the newer BCM to the older truck? The connectors are the same. I haven't looked to see if the pinout matches.
That’s to bad id fork out money for the open port setup if I knew it worked! I don’t want to loose momentum on this project, and I’m sure I’ll continue to brick it, hard to code arm7 right every single time! Honestly I made it further than I thought before it bricked! I was on my 40th try if custom arm code. I was one byte off, and perhaps the byte I wrote to instead controlled a loop counter or something? But it’s garbage now!
I can still read it via J tag but can’t erase or write to it.
As for the older bcm to bad we can’t find a tms320 or tms370 disassembler, because I think it’s language is the same as one of them.
I found dis2000 but it needs a elf file not bin! Is there a way to convert the 2004-2008 bin file to elf?
2006 only year without seat belt input warning and no tpms marker drls, mid year switch to head lamp drls
2007-2008 has tpms and no seat belt input switch head lamp drls, Battery module
2009-2012 head lamp drls, tpms, no seat belt switch input, and can based 4 Chanel abs messaging, battery module
Putting a 2009-2012 bcm into a 2004 to 2005 truck has many issues:
-drls messed up
-no seat belt input setting sdm code.
-tpms message faults in dic
-traction fault, abs and Brake light on
-battery light on, battery message in dic
So yeah it plugs in and no wiring Changes needed!
But you get a Christmas tree for cluster:)
I can switch the abs type, and possibly switch of battery fault,
And definitely disable Tpms, maybe fix drl issue?
But the seat belt switch not likely.
When I put in the 2007-2008 bcm into my 04 truck I was able to fix the drls, only
Because early 06 hummers had that light setup, and I fixed the seat belt switch, the
Circuit was there even at the correct pin, but missing resisters on the board which I added.
I then also fixed the code to enable it. Adding a battery module, and tpms sensors fixed the rest.