unlocked E41( and t87a) swapping to another vehicle
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: unlocked E41( and t87a) swapping to another vehicle
My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: unlocked E41( and t87a) swapping to another vehicle
Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
Oh ok, that’s what those 100-ish messages are, mode 22! I thought it was some kind of timer countdown.
I think it’s actually
AE 7E 20 00 00 00
And I think AE 7E 80 xx xx xx xx Immo pin needs to be sent prior to this.
Re: unlocked E41( and t87a) swapping to another vehicle
Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
that would be my guess as well. try logging header $2c9...I'm looking at some code for the Immo that may be looking at that header. that or $3c9
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: unlocked E41( and t87a) swapping to another vehicle
gmtech825 wrote:Gatecrasher wrote:My wild ass guess is that the AE 7E 20 security pin reset triggers some other mechanism inside the BCM, and that sends non-diagnostic CAN frames from the BCM to the ECM to tell it to do an immo relearn. From there they talk amongst themselves, and they communicate their progress back to the type 4 app via those mode 22 PIDs.
that would be my guess as well. try logging header $2c9...I'm looking at some code for the Immo that may be looking at that header. that or $3c9
The dll for the type 4 app breaks down very well in ghidra
But still hard to follow. Just want to cut out the checks for other modules on the bus. Just do the learn with bcm and pcm.
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: unlocked E41( and t87a) swapping to another vehicle
PID 90D0 is the active 12 minute security timer value.
After that hits zero, it starts polling 90D4 and 155A. 90D4 is a set of flags for the security system status (learned, unlocked, etc) and 155A is the power mode, I think. Right after that it sends AE 7E 20 to reset the security system, and it starts polling PID 8045. Once 8045 changes from 2 to 0 and then back to 2, it resets the security PIN and starts wrapping up the immobilizer relearn.
Once that's done, it starts polling 90D4 for the EBCM on the HS bus, and then HVAC, IPC and SDM on the LS bus. It's making sure all those have their environment IDs learned. Looks like it also tries the keyless entry module and the column lock module (?), but those aren't present on this truck.
Then it polls 8045 on the BCM again. Guessing those are the door open/close flags.
I think all the magic in this process is inside the BCM. The type 4 app just kicks off the process. I'd just wire up a toggle switch for the door to the BCM bench harness and try sending the PIN unlock, and then toggle the ignition and door switch based on the timestamps in your log file.
- Gatecrasher
- Posts: 278
- Joined: Sat Apr 25, 2020 6:09 am
Re: unlocked E41( and t87a) swapping to another vehicle
Here's an annotated version of the immo relearn. A lot of it is just reading and verifying values.
Start
16:11:24.1<[.H..] 00 00 02 41 22 90 A1 //Query BCM to see if immo allowed
16:11:24.1>[.H..] 00 00 06 41 62 90 A1 00 00 01 //01 = allowed (If 00, immo relearn quits)
16:11:24.1<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:11:24.1>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
Repeat
16:11:27.2<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:11:27.4>[.H..] 00 00 06 41 62 80 45 00 //BCM power mode = 00 Off
Repeat
16:11:36.1<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:11:36.2>[.H..] 00 00 06 41 62 80 45 00 //BCM power mode = 00 Off
16:11:36.4<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:11:36.4>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
Tool rebuilds matrix
16:11:42.6<[.H..] 00 00 07 E0 22 15 5A //Query ECM PID 155A
16:11:42.6>[.H..] 00 00 07 E8 62 15 5A C4
16:11:42.6<[.H..] 00 00 02 41 22 90 D4 //Query BCM security status
16:11:42.7>[.H..] 00 00 06 41 62 90 D4 02
16:11:51.4<[.H..] 00 00 02 41 AE 7E 80 38 31 31 31 //Send BCM sec PIN unlock
16:11:51.5>[.H..] 00 00 06 41 EE 7E
16:11:51.5<[.H..] 00 00 02 41 22 90 D0 //Query sec unlock timer
16:11:51.5>[.H..] 00 00 06 41 62 90 D0 00 09 27 AC //Timer init to 0x927C0 (600,000 msec = 10 min)
Repeat
16:21:52.1<[.H..] 00 00 02 41 22 90 D0
16:21:52.1>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
16:21:53.2<[.H..] 00 00 02 41 22 90 D0
16:21:53.2>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
Repeat
16:23:53.4<[.H..] 00 00 02 41 22 90 D0
16:23:53.4>[.H..] 00 00 06 41 62 90 D0 00 00 00 00
16:23:59.6<[.H..] 00 00 02 41 22 90 D4 //Query BCM security status
16:23:59.7>[.H..] 00 00 06 41 62 90 D4 03
16:23:59.7<[.H..] 00 00 07 E0 22 15 5A //Query ECM PID 155A
16:23:59.7>[.H..] 00 00 07 E8 62 15 5A C4
16:23:59.8<[.H..] 00 00 02 41 22 90 D4 //Query BCM security status again
16:23:59.8>[.H..] 00 00 06 41 62 90 D4 03
16:23:59.8<[.H..] 00 00 02 41 AE 7E 20 00 00 00 00 //Send BCM sec PIN reset
16:23:59.9>[.H..] 00 00 06 41 7F AE 78 //BCM resp pending
16:24:04.8>[.H..] 00 00 06 41 EE 7E //BCM resp success
16:24:04.8<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:24:04.8>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
Repeat
16:24:08.8<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:24:08.8>[.H..] 00 00 06 41 62 80 45 00 //BCM power mode = 00 Off
Repeat
16:25:04.3<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:25:04.4>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
16:25:04.4<[.H..] 00 00 07 E0 22 15 5A //Query ECM PID 155A
16:25:04.4>[.H..] 00 00 07 E8 62 15 5A E6
16:25:04.4<[.H..] 00 00 02 41 22 90 D4 //Query BCM security status
16:25:04.5>[.H..] 00 00 06 41 62 90 D4 01
16:25:04.5<[.H..] 00 00 02 41 AE 7E 40 38 31 31 31 //Send BCM sec PIN set new value
16:25:04.6>[.H..] 00 00 06 41 7F AE 78 //BCM resp pending
16:25:09.5>[.H..] 00 00 06 41 EE 7E //BCM resp success
16:25:09.5<[.H..] 00 00 02 41 1A A0 //Query BCM MEC
16:25:09.5>[.H..] 00 00 06 41 5A A0 00 //BCM MEC = 00. Security locked/armed
16:25:09.5<[.H..] 00 00 07 E0 22 15 5B //Query ECM security status (equivalent to 90D4 on other modules)
16:25:09.5>[.H..] 00 00 07 E8 62 15 5B 16
16:25:09.5<[.H..] 00 00 07 E0 1A A0 //Query ECM MEC
16:25:09.6>[.H..] 00 00 07 E8 5A A0 00 //ECM MEC = 00. Security locked/armed
16:25:09.6<[.H..] 00 00 02 43 22 90 D4 //Query EBCM security status
16:25:09.6>[.H..] 00 00 06 43 62 90 D4 02 //EBCM environment variable learned
16:25:09.6<[.H..] 00 00 02 43 1A A0 //Query EBCM MEC
16:25:09.6>[.H..] 00 00 06 43 5A A0 00 //EBCM MEC = 00. Security locked/armed
Tool switches to LS network
16:25:13.8<[...L] 00 00 02 51 22 90 D4 //Query HVAC security status
16:25:13.8>[...L] 00 00 06 51 7F 22 31 //HVAC PID 90D4 not supported (surprising)
16:25:13.8<[...L] 00 00 02 51 1A A0 //Query HVAC MEC
16:25:13.8>[...L] 00 00 06 51 5A A0 00 //HVAC MEC = 00. Security locked/armed
16:25:13.8<[...L] 00 00 02 4C 22 90 D4 //Query IPC security status
16:25:13.8>[...L] 00 00 06 4C 62 90 D4 02 //IPC environment variable learned
16:25:13.8<[...L] 00 00 02 4C 1A A0 //Query IPC MEC
16:25:13.9>[...L] 00 00 06 4C 5A A0 00 //IPC MEC = 00. Security locked/armed
16:25:13.9<[...L] 00 00 02 47 22 90 D4 //Query SDM security status
16:25:13.9>[...L] 00 00 06 47 62 90 D4 06 //SDM security = 06?? Unknown
16:25:13.9<[...L] 00 00 02 47 1A A0 //Query SDM MEC
16:25:14.0>[...L] 00 00 06 47 5A A0 00 //SDM MEC = 00. Security locked/armed
Tool switches to HS network
16:25:15.9<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:25:15.9>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
Repeat
16:25:18.5<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:25:18.5>[.H..] 00 00 06 41 62 80 45 00 //BCM power mode = 00 Off
Repeat
16:26:12.6<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:26:12.6>[.H..] 00 00 06 41 62 80 45 01 //BCM power mode = 01 Acc
16:26:12.9<[.H..] 00 00 02 41 22 80 45 //Query BCM power mode
16:26:12.9>[.H..] 00 00 06 41 62 80 45 02 //BCM power mode = 02 Run
Relearn complete
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: unlocked E41( and t87a) swapping to another vehicle
Interesting the file I posted was in my 2015 trax
I want to learn a 2018 Colorado environment if
When I tried the type 4 on the bench it instantly failed saying
Wrong calibration in bcm
I bet since Z1 security relearn is not available for this vin
That it’s not supported
I bet it fails this 00 00 06 41 62 90 A1 00 00 01 prob it returned 00
If that’s the case how does the Colorado 2018 platform Learn the secondary Immo code?
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: unlocked E41( and t87a) swapping to another vehicle
I’ve searched VINs for everything that is using the same service number BCM; none of them have the Z1 security relearn option! Strange
-
- Posts: 380
- Joined: Thu Jan 16, 2014 12:41 pm
- cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion
Re: unlocked E41( and t87a) swapping to another vehicle
yup failed prob because
00 00 06 41 62 90 A1 00 00 00 last byte is 00 not 01
see log
- Attachments
-
- ProgramLog_colorado_2018_bcm_immo_fail.Txt
- (51.74 KiB) Downloaded 105 times
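An added example, not part of the thread or any poster's code: a small Python reader for the annotated log format in Gatecrasher's post. It pulls out the 90A1 "immo allowed" answers (the check the last post blames for the 2018 Colorado failure), the 90D0 timer reads, and negative responses. It assumes the first four bytes of each line are the CAN ID and that 90D0 counts milliseconds, as the annotations suggest; the sample lines and the 16:30:00.0 timestamp are constructed.

```python
import re

# Constructed sample in the format of the annotated log above; the final
# 90 A1 line is the failing response quoted in the last post (timestamp made up).
SAMPLE = """\
Start
16:11:24.1<[.H..] 00 00 02 41 22 90 A1 //Query BCM to see if immo allowed
16:11:24.1>[.H..] 00 00 06 41 62 90 A1 00 00 01 //01 = allowed
16:11:51.5>[.H..] 00 00 06 41 62 90 D0 00 09 27 AC
16:23:59.9>[.H..] 00 00 06 41 7F AE 78 //BCM resp pending
16:24:04.8>[.H..] 00 00 06 41 EE 7E //BCM resp success
16:25:13.8>[...L] 00 00 06 51 7F 22 31 //HVAC PID 90D4 not supported
16:30:00.0>[.H..] 00 00 06 41 62 90 A1 00 00 00
"""

LINE = re.compile(r"(\d\d:\d\d:\d\d\.\d)([<>])\[([.A-Z]{4})\]\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
NRC = {0x78: "response pending", 0x31: "request out of range"}

def parse_line(line):
    """Return (time, direction, bus, can_id, payload) or None for non-frame lines."""
    m = LINE.match(line.split("//", 1)[0].strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(4))
    if len(raw) < 5:          # need 4 ID bytes plus at least a service byte
        return None
    # Assumption: the first four bytes are the CAN arbitration ID.
    return m.group(1), m.group(2), m.group(3), int.from_bytes(raw[:4], "big"), raw[4:]

def summarize(text):
    """Collect the immo-allowed answers, timer reads and negative responses."""
    out = {"immo_allowed": [], "timer_ms": [], "negative": []}
    for line in text.splitlines():
        frame = parse_line(line)
        if frame is None or frame[1] != ">":   # only module responses matter here
            continue
        ts, _, bus, can_id, p = frame
        if p[0] == 0x7F and len(p) >= 3:       # 7F <service> <response code>
            out["negative"].append((ts, hex(can_id), p[1], NRC.get(p[2], hex(p[2]))))
        elif p[0] == 0x62 and p[1:3] == b"\x90\xA1" and len(p) > 3:
            out["immo_allowed"].append((ts, p[-1] == 0x01))
        elif p[0] == 0x62 and p[1:3] == b"\x90\xD0" and len(p) == 7:
            out["timer_ms"].append((ts, int.from_bytes(p[3:], "big")))
    return out

if __name__ == "__main__":
    for key, rows in summarize(SAMPLE).items():
        print(key, rows)
```

Run over a saved program log, a `False` in `immo_allowed` marks the point where the tool would quit before any PIN or timer traffic appears.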