Haven't been in this discussion at all but I have been following along.. Don't have anything with this BCM but it is very interesting..

04colyZQ8 wrote:
Cool!! Yes that makes sense about the eeprom. I'm tempted to disable the checks I see for VIN write, looks like it checks two locations for ignition counter? Because I've never been able to change the VIN for some reason, using 3B even after cycling the ignition switch.

Gatecrasher wrote:
EEPROM is copied into RAM and worked on there. At some point it gets copied back to EEPROM during a power down event. I haven't figured out where or under what circumstances that happens. So the RAM addresses from 0x80000000 to 0x80001B0 are just a live, working copy of what's stored on the EEPROM chip.
I made a pretty big discovery last night. Ghidra isn't correctly tracking the branches to and from ARM Thumb mode. That's part of why it's not disassembling all the code correctly. It doesn't answer all the questions, but it'll help a lot. I'm trying to go through and manually patch some of it up. I'll post another archive later this weekend.
I apologize if the below has already been discussed within these pages, but:
As far as the VIN writing failing, are you getting the correct 7B 90 response? Or something else? An error code? Which code? If it is a 7B 90 response but it's not saving it, then I wonder if the key off operation/ckt isn't some sort of a problem. The new VIN is in RAM but needs to be written to the EEPROM at key off; at least with ECMs it happens at key off. No idea if BCMs need a message or something else to trigger the EEPROM write?
I am assuming you're unlocking the BCM first with 27 01, getting the seed and feeding the key into it with 27 02? If not, this does have to be done.
Also, if the unlocking and VIN write is failing, have you tried changing the enable counter from 00 to something else with a 3B A0 write?? This would be done after unlocking but before the VIN write attempt.
Unlock, read the enable counter and see if it is 00, then write the enable counter to something else. FF or FE is the highest you can go, but I believe even if you change it to a 1 you're good.. If the enable counter write comes back with a 7B A0 message, then try writing the VIN and see if that gives you a 7B 90 response..
One totally oddball thing I forgot to mention.. Some ECMs simply refuse to let me write the VIN... so I send a clear code command (04) and try again and it lets me write it.. Don't know why but it works.. Only been doing this with CAN bus ECMs so no idea if it would even apply or help?
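A constructed Python model of the exchange described in this post (an added example, not code from the thread or from any real BCM): the seed/key check, the negative response codes and the block behaviour are stand-ins, and the only point it shows is the one above, that a 7B 90 reply means the VIN landed in the RAM copy, which is lost unless the key-off commit to EEPROM actually happens.

```python
SECURITY, BLOCK_WRITE, NEG = 0x27, 0x3B, 0x7F
VIN_BLOCK, ENABLE_BLOCK = 0x90, 0xA0

class ModelBcm:
    """Toy module: writes land in a RAM copy; EEPROM only changes at key-off."""
    def __init__(self):
        self.eeprom = {VIN_BLOCK: b"0" * 17, ENABLE_BLOCK: 0x00}
        self.ram = dict(self.eeprom)   # live working copy, as described in the quote
        self.unlocked = False
        self.seed = 0x1234             # constructed seed value

    def request(self, msg):
        """Positive reply = SID + 0x40 (7B for 3B); negative = 7F <SID> <code>."""
        sid, sub = msg[0], msg[1]
        if sid == SECURITY and sub == 0x01:
            return bytes([sid + 0x40, 0x01]) + self.seed.to_bytes(2, "big")
        if sid == SECURITY and sub == 0x02:
            # Stand-in key check (bitwise inverse of the seed); NOT a real algorithm.
            self.unlocked = int.from_bytes(msg[2:4], "big") == (~self.seed & 0xFFFF)
            return bytes([sid + 0x40, 0x02]) if self.unlocked else bytes([NEG, sid, 0x35])
        if sid == BLOCK_WRITE:
            if not self.unlocked:
                return bytes([NEG, sid, 0x33])   # security access denied
            if sub == ENABLE_BLOCK:
                self.ram[sub] = msg[2]
            elif sub == VIN_BLOCK and self.ram[ENABLE_BLOCK] != 0x00:
                self.ram[sub] = bytes(msg[2:19])
            else:
                return bytes([NEG, sid, 0x22])   # conditions not correct / bad block
            return bytes([sid + 0x40, sub])
        return bytes([NEG, sid, 0x11])

    def key_off(self):
        self.eeprom = dict(self.ram)   # the power-down commit the quote describes

def unlock(bcm):
    seed = int.from_bytes(bcm.request(bytes([SECURITY, 0x01]))[2:4], "big")
    key = (~seed & 0xFFFF).to_bytes(2, "big")
    return bcm.request(bytes([SECURITY, 0x02]) + key) == bytes([0x67, 0x02])

def write_vin(bcm, vin, key_off=True):
    """Run the post's recipe; return (VIN write accepted, VIN now in EEPROM)."""
    if not unlock(bcm):
        return False, bcm.eeprom[VIN_BLOCK]
    if bcm.request(bytes([BLOCK_WRITE, ENABLE_BLOCK, 0x01])) != bytes([0x7B, ENABLE_BLOCK]):
        return False, bcm.eeprom[VIN_BLOCK]
    accepted = bcm.request(bytes([BLOCK_WRITE, VIN_BLOCK]) + vin.encode()) == bytes([0x7B, VIN_BLOCK])
    if key_off:
        bcm.key_off()
    return accepted, bcm.eeprom[VIN_BLOCK]
```

Running `write_vin` with `key_off=False` returns `accepted == True` while the EEPROM VIN is unchanged, which is exactly the "7B 90 but it didn't save" symptom the post asks about.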