ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc . Circa 1999 to 2006. All VPW OBD2 PCMs.
User avatar
Posts: 419
Joined: Fri Feb 02, 2018 3:13 pm

ABS Hacking

Postby NSFW » Tue Jan 28, 2020 7:55 pm

This is not exactly LS1 hacking but it's another module that's present in some LS1 cars (and maybe trucks) so I figure the same people might want to follow along or get involved. As I write this now, there has been zero progress, but we gotta start somewhere. :)

Many people who take their 1997-2004 Corvettes to track days have reported that the Electronic Brake Control Module (EBCM) has virtually locked out the brakes at one time or another. Apparently the way to trigger it is to press the brake pedal abruptly with grippy tires. GM claims there's no such thing, but it's been described by so many people that I assume it's a bug that just never cropped up during their testing. I want to find it and fix it before it finds me, and jvaldez wants to fix it before it finds him a second time.

There are two versions of the EBCM that were used in Corvettes, with the changover happening at or around the 2000 model year (I don't know exactly). So we might have to do this twice. Hopefully the second iteration will go faster than the first.

My car is a 2002 but a local shop gave me a defective EBCM from a 1998 to play with, and I'm happy to try to figure that one out. The tricky thing about that one is that I can't get it apart. As far as I can tell, the case was filled with epoxy and the circuit board was mashed into it component-side down, so none of the components are visible, and it's going to be impossible to pull the PCB out in one piece because it's anchored to the case by this epoxy.

Does anyone have ideas about how to open this thing up? Are there any products that might be able to dissolve or weak the epoxy without destroying the electronics?

And, does anyone have a later-style EBCM that they can take apart and study? I'd rather not take apart my C5 so I'm going to order one off ebay but it will take a while to get here.

Plan of attack, more or less:
1) identify the components, especially the CPU
2) get the datasheet for the CPU
3) look for a way to read the firmware using BDM or JTAG or similar, to get a head start on reverse engineering
4) try to sniff a firmware upgrade session using a Tech2 or equivalent
5) use info from 3 and 4 to create EBCM Hammer. :)

I'm told that GM was fond of 68HC11 chips in that era, so maybe that's what we'll find?
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

User avatar
Posts: 5303
Joined: Sat Feb 28, 2009 8:38 pm
Location: Wellington NZ

Re: ABS Hacking

Postby delcowizzid » Tue Jan 28, 2020 8:10 pm

MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
If Its Got Gas Or Ass Count Me In.if it cant be fixed with a hammer you have an electrical problem

Posts: 151
Joined: Wed Jul 05, 2017 8:30 am
Location: TX USA

Re: ABS Hacking

Postby MudDuck514 » Tue Jan 28, 2020 11:34 pm

delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol


Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike

User avatar
Posts: 330
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Re: ABS Hacking

Postby j_ds_au » Tue Jan 28, 2020 11:56 pm

MudDuck514 wrote:
delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol


Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike

Never heard of that name, but that URL says it's the same thing.

MEK is strong stuff, so may do the trick, but might ruin parts of the module, if that's a concern.

If you have time on your hands (about a month), you might put it in a jar of acetone. I once dismantled a Bosch regulator that way without damaging anything (including component markings), fixed a couple of fractured solder joints which were causing faulty operation, and put it back together with some fesh epoxy, good as new.

Joe.

Posts: 66
Joined: Wed Apr 11, 2018 8:50 am

Re: ABS Hacking

Postby bubba2533 » Wed Jan 29, 2020 3:42 am

One suggestion is to be patient...I could not wait and destroyed a PCM that I was trying to removed from epoxy with not so delicate methods.

Site Admin
User avatar
Posts: 6271
Joined: Sat Feb 28, 2009 8:34 pm

Re: ABS Hacking

Postby antus » Wed Jan 29, 2020 7:51 am

I expect it will be a hc11, that and aldl were the platform of the day. I dont think you'll find BDM or JTAG. But I suspect that once you have the seed/key you'll be able to read memory regions and once you've mapped it out get a dump.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

User avatar
Posts: 419
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Postby NSFW » Wed Jan 29, 2020 2:44 pm

bubba2533 wrote:One suggestion is to be patient...I could not wait and destroyed a PCM that I was trying to removed from epoxy with not so delicate methods.


I'm pretty sure I lost that battle a couple weeks ago. :) It was unusable when I got it so there wasn't much to lose. The PCB is still anchored to the case though.

But if I can get it apart, learn some part numbers, and follow some traces on the circuit board it could still be useful.

And if MEK / Acetone / whatever proves useful, or too destructive, that'd be useful one way or the other. Acetone is easy to find and not as toxic so I think I'll start with that.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!

Posts: 106
Joined: Mon Feb 11, 2019 12:48 pm
Location: DFW, Texas

Re: ABS Hacking

Postby jlvaldez » Fri Jan 31, 2020 3:24 am

I have a newer style EBCM in my garage. I'll try opening it and I guess I need to soak it in acetone to get the stuff off of it.

Ice mode bit me last weekend at a track and I flew off track at > 100 mph. I got lucky and there was no car or wall for me to hit where I went off.

I also have a GM tech 2 and can probably sniff the OBD traffic used by the tech 2 to get the procedure used to flash the module.

I've not yet had to do this but I assume the procedure is:
1) Disassemble the rev 2 EBCM I have in my garage to determine the CPU used.

2) use tech 2 to reflash my module and sniff traffic to try and reverse engineer the process?

3) once we get the binary, decompile it (the hard part)

Posts: 106
Joined: Mon Feb 11, 2019 12:48 pm
Location: DFW, Texas

Re: ABS Hacking

Postby jlvaldez » Fri Jan 31, 2020 6:33 am

NSFW, is there a way for you to use the j2534 device to sniff the bus while I flash with the Tech 2? I don't have an easy way to sniff otherwise other than building my own VPW to comm device. I can splice the tech 2 and the J2534 device onto the obdii port pretty easily, so if you have some sort of utility that can then use the J2534 to dump all bus traffic I'll flash the device with my tech 2. I have some of my own CAN utilities to sniff busses but I've done nothing for VPW.

If you've got something in place, I can get a tech 2 flash dump this weekend

Site Admin
User avatar
Posts: 6271
Joined: Sat Feb 28, 2009 8:34 pm

Re: ABS Hacking

Postby antus » Fri Jan 31, 2020 9:20 am

I think its a fairly safe bet it'll be 68k, but I dont think you need to identify the processor at this stage. That should become apparent from looking at the code after you've logged the flash by trying the likely candidates and see if it decompiles. The other gotcha will be if the flash happens in 1x of 4x speed. If you get the setup traffic at 1x then it goes quiet you might need to flash again and log at 4x if thats possible. Do you have the calibration ID of whats on the device? Tis2000 might have the file on disk to be matched up by name.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Next

Return to GM LS1 512Kbyte and 1Mbyte

Who is online

Users browsing this forum: Gareth and 3 guests