Colorado / H3 BCM hacking
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
I think the rf chip might send the remote and tire pressure rf frequency signals by class 2? To the processor? I don’t see any can or lin, references. And didn’t see locking in mpADC
-
Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: Colorado / H3 BCM hacking
mibADC is the "multi buffered analog to digital converter". So basically anything that shows a 0-5 or 0-12 voltage in the Tech2 data display would be here. Stuff like battery voltage, light sensor voltage, wiper delay, dimmer, etc. I've got quite a few of those figured out. Go to the symbol tree window and search for 2116. That'll take you to the general area of the PIDs that hold those values.
I don't think the RF stuff uses class 2. It'd be needlessly complicated. It might be something like SPI. The BCM uses that for the EEPROM. Dunno if it's connected to the RF stuff or not. I haven't traced back any of that hardware. The FCC docs have some high level diagrams showing how the RF stuff works, but nothing about the protocol.
https://fcc.report/FCC-ID/L2C0022R
Go to the files for block diagram and description.
I don't think the RF stuff uses class 2. It'd be needlessly complicated. It might be something like SPI. The BCM uses that for the EEPROM. Dunno if it's connected to the RF stuff or not. I haven't traced back any of that hardware. The FCC docs have some high level diagrams showing how the RF stuff works, but nothing about the protocol.
https://fcc.report/FCC-ID/L2C0022R
Go to the files for block diagram and description.
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
I see the key fob number of fobs, the learn new fob, and luck unlock pids in the tech 2.
How do I trace those back to the bcm? Do I need to sniff the vpw msgs being sent?
Not sure how to decide that, and trace within the bcm?
Is there an easier way to find tech 2, msg and pids? Maybe the pc ram while the program is running
Might show a few things?
Anyway I’d like to find the address of the eeprom to write to it, so I can dump registers to it. Or just write the eeprom from obd rather then a chip clip. I don’t see it’s address even though you mapped the tire Id codes, they are stored There along with the sdm and key fob data. Do you think the eeprom is never written two? And only changes are made to the copy in ram, then at key off the eeprom is hard wired to read the copy in ram, and dump it to the chip?
How do I trace those back to the bcm? Do I need to sniff the vpw msgs being sent?
Not sure how to decide that, and trace within the bcm?
Is there an easier way to find tech 2, msg and pids? Maybe the pc ram while the program is running
Might show a few things?
Anyway I’d like to find the address of the eeprom to write to it, so I can dump registers to it. Or just write the eeprom from obd rather then a chip clip. I don’t see it’s address even though you mapped the tire Id codes, they are stored There along with the sdm and key fob data. Do you think the eeprom is never written two? And only changes are made to the copy in ram, then at key off the eeprom is hard wired to read the copy in ram, and dump it to the chip?
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
This https://fcc.report/FCC-ID/L2C0022R
Was quite interesting!! The line slicer seems like the last step from anolog to digital conversion?
What does a line slicer look like? If I can trace it to the pin on the processor, then maybe it will tell us what module it goes to?
Was quite interesting!! The line slicer seems like the last step from anolog to digital conversion?
What does a line slicer look like? If I can trace it to the pin on the processor, then maybe it will tell us what module it goes to?
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
ok so all the mode 3B and 3C requests go to the ram, not the EEProm, so either the EEprom is the same as the ram, as far as read write, or it is definitely as I say, and the copy in ram is all that is worked with, and at key off it saves that portion to the EEProm.
for example, 3B / 3C request to read write tire sensor ID is at 0x8000171h, and open up the bin of the ram read I posted, and it is at address 171h .
found a loop in the bcm that starts at 0x800040h, and reads the vin located in the EEprom at 41h . that's neat!
for example, 3B / 3C request to read write tire sensor ID is at 0x8000171h, and open up the bin of the ram read I posted, and it is at address 171h .
found a loop in the bcm that starts at 0x800040h, and reads the vin located in the EEprom at 41h . that's neat!
-
Gatecrasher
- Posts: 273
- Joined: Sat Apr 25, 2020 6:09 am
Re: Colorado / H3 BCM hacking
EEPROM is copied into RAM and worked on there. At some point it gets copied back to EEPROM during a power down event. I haven't figured out where or under what circumstances that happens. So the RAM addresses from 0x80000000 to 0x80001B0 are just a live, working copy of what's stored on the EEPROM chip.
I made a pretty big discovery last night. Ghidra isn't correctly tracking the branches to and from ARM Thumb mode. That's part of why it's not disassembling all the code correctly. It doesn't answer all the questions, but it'll help a lot. I'm trying to go through and manually patch some of it up. I'll post another archive later this weekend.
I made a pretty big discovery last night. Ghidra isn't correctly tracking the branches to and from ARM Thumb mode. That's part of why it's not disassembling all the code correctly. It doesn't answer all the questions, but it'll help a lot. I'm trying to go through and manually patch some of it up. I'll post another archive later this weekend.
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
Cool!! Yes that makes sense about the eeprom. I’m tempted to disable the checks I see for vin write, looks like it checks to locations for ignition counter? Because I’ve never been able to change the vin for some reason. Using 3b even after cycling the ignition switch.Gatecrasher wrote:EEPROM is copied into RAM and worked on there. At some point it gets copied back to EEPROM during a power down event. I haven't figured out where or under what circumstances that happens. So the RAM addresses from 0x80000000 to 0x80001B0 are just a live, working copy of what's stored on the EEPROM chip.
I made a pretty big discovery last night. Ghidra isn't correctly tracking the branches to and from ARM Thumb mode. That's part of why it's not disassembling all the code correctly. It doesn't answer all the questions, but it'll help a lot. I'm trying to go through and manually patch some of it up. I'll post another archive later this weekend.
-
04colyZQ8
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: Colorado / H3 BCM hacking
Could this be of any use?
https://www.ti.com/tool/SPRC236#downloads
https://www.ti.com/tool/SPRC236#downloads