Colorado / H3 BCM hacking
Posted: Thu Dec 10, 2020 1:52 pm
This all started with me wanting to see if I could disable the TPMS in the BCM on my truck. Not so much because I didn't want to fix it, but because everyone says it's not possible. Export models of the Hummer H3 don't have it enabled, and they use the same BCM hardware, so obviously it's possible. 04-06 Colorados don't have TPMS at all, and all years (06-10) of North American H3s do have TPMS. Since I like a challenge, I decided to see what I could do.
There are two different versions of this BCM: 04-08 and 09-12. There are also some variants that don't have the keyless entry RF hardware in the upper right corner, but they use the same MCUs as far as I know. Another nice thing is all the 09-12 BCMs use the same operating system regardless of market or model.
This is the 04-08 version.
And this is the 09-12.
The chip on the first version is labeled F16E88PJA11. So far I haven't been able to pin down exactly what it is. Fortunately the 09+ module uses a TI TMS470PLF111. Documentation for that specific chip isn't complete, at least not publicly, but there's enough out there to get started. The data sheet with the pinout and internal flash details has been enough so far. I think the same chip, or one very similar, is used in some GMT800 BCMs, but I'm not totally certain of that.
This chip has an ARM7TDMI core and JTAG pins that are exposed on the board. After a lot of trial and error, I was able to get it talking to OpenOCD through a Bus Pirate. It wasn't perfect, but it was good enough to dump the flash out of it. I'll get the pinout and config files up once I get those cleaned up. It only has 128K of onboard flash, and only about 94K of that is filled. It disassembles nicely in IDA using the big endian ARM option, so it should be relatively easy to disassemble compared to most ECMs.
I think I've already found where the TPMS disable bit is, but I can't test it until I figure out how to correct the calibration checksums. I was really hoping it was something you could toggle on or off in the EEPROM via a mode $AE request or something, but so far it doesn't look that way. I'm not too deep into this yet, so it may still be possible.
While I was researching this, I did figure out how to do a TPMS disable on a GMT800 passenger door module using some $AE and $3B commands. But the same technique totally failed when applied to the Colorado BCM.
I might also look into a DRL disable, and maybe see about enabling the rear fog light button from the export H3 to control some off road lights. There are easier ways to get the same results, but they wouldn't be nearly as interesting or satisfying.
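As an added example (not the poster's code or configs), here is a small Python sanity check to run on a raw flash dump before loading it into a disassembler: it reports how much of the part's flash is actually programmed versus left erased, and checks the "big endian" assumption by looking at the ARM7TDMI exception vector table at offset 0. The 128 KiB size is assumed from the post, and the sample image is constructed, not a real BCM dump.

```python
"""Sanity-check a raw on-chip flash dump from an ARM7TDMI-class MCU (e.g. TMS470)."""
import struct

FLASH_SIZE = 0x20000  # 128 KiB, assumed from the post; adjust for other parts
ERASED = 0xFF         # NOR flash reads as 0xFF where it was never programmed

def used_extent(image: bytes) -> int:
    """Offset one past the last non-erased byte (how much of the part is 'filled')."""
    for off in range(len(image) - 1, -1, -1):
        if image[off] != ERASED:
            return off + 1
    return 0

def erased_runs(image: bytes, min_len: int = 256) -> list:
    """(start, end) of every erased stretch at least min_len bytes long."""
    runs, start = [], None
    for off, b in enumerate(image):
        if b == ERASED:
            start = off if start is None else start
        elif start is not None:
            if off - start >= min_len:
                runs.append((start, off))
            start = None
    if start is not None and len(image) - start >= min_len:
        runs.append((start, len(image)))
    return runs

def vector_table_endianness(image: bytes) -> str:
    """ARM7TDMI fetches 8 exception vectors from 0x0; each is normally a B or
    LDR pc instruction with condition AL, so its top nibble is 0xE. Count which
    byte order puts that nibble first."""
    be = le = 0
    for i in range(8):
        w = image[4 * i:4 * i + 4]
        be += (w[0] & 0xF0) == 0xE0   # first byte is the high byte: big-endian
        le += (w[3] & 0xF0) == 0xE0   # last byte is the high byte: little-endian
    return "big" if be > le else "little" if le > be else "unknown"

def summary(image: bytes) -> dict:
    used = used_extent(image)
    return {"size": len(image), "used_bytes": used,
            "used_pct": round(100.0 * used / len(image), 1),
            "erased_runs": erased_runs(image),
            "endianness": vector_table_endianness(image)}

def build_sample_image() -> bytes:
    """Constructed sample: 8 big-endian branch vectors, NOP filler up to 94 KiB, erased after."""
    vectors = b"".join(struct.pack(">I", 0xEA000000 | (0x100 + i)) for i in range(8))
    body = b"\xE1\xA0\x00\x00" * ((94 * 1024 - len(vectors)) // 4)  # mov r0, r0 (BE)
    return (vectors + body).ljust(FLASH_SIZE, bytes([ERASED]))
```

Run it on the real dump with `summary(open("bcm_flash.bin", "rb").read())`; if the vector table reads as "little", the dump was byte-swapped on the way out and the disassembler setting needs to match.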