ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

ABS Hacking

Post by NSFW »

This is not exactly LS1 hacking but it's another module that's present in some LS1 cars (and maybe trucks) so I figure the same people might want to follow along or get involved. As I write this now, there has been zero progress, but we gotta start somewhere. :)

Many people who take their 1997-2004 Corvettes to track days have reported that the Electronic Brake Control Module (EBCM) has virtually locked out the brakes at one time or another. Apparently the way to trigger it is to press the brake pedal abruptly with grippy tires. GM claims there's no such thing, but it's been described by so many people that I assume it's a bug that just never cropped up during their testing. I want to find it and fix it before it finds me, and jvaldez wants to fix it before it finds him a second time.

There are two versions of the EBCM that were used in Corvettes, with the changeover happening at or around the 2000 model year (I don't know exactly). So we might have to do this twice. Hopefully the second iteration will go faster than the first.

My car is a 2002 but a local shop gave me a defective EBCM from a 1998 to play with, and I'm happy to try to figure that one out. The tricky thing about that one is that I can't get it apart. As far as I can tell, the case was filled with epoxy and the circuit board was mashed into it component-side down, so none of the components are visible, and it's going to be impossible to pull the PCB out in one piece because it's anchored to the case by this epoxy.

Does anyone have ideas about how to open this thing up? Are there any products that might be able to dissolve or weaken the epoxy without destroying the electronics?

And, does anyone have a later-style EBCM that they can take apart and study? I'd rather not take apart my C5 so I'm going to order one off ebay but it will take a while to get here.

Plan of attack, more or less:
1) identify the components, especially the CPU
2) get the datasheet for the CPU
3) look for a way to read the firmware using BDM or JTAG or similar, to get a head start on reverse engineering
4) try to sniff a firmware upgrade session using a Tech2 or equivalent
5) use info from 3 and 4 to create EBCM Hammer. :)

I'm told that GM was fond of 68HC11 chips in that era, so maybe that's what we'll find?
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
delcowizzid
Posts: 5493
Joined: Sat Feb 28, 2009 8:38 pm
Location: Wellington NZ

Re: ABS Hacking

Post by delcowizzid »

MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
If Its Got Gas Or Ass Count Me In.if it cant be fixed with a hammer you have an electrical problem
MudDuck514
Posts: 397
Joined: Wed Jul 05, 2017 8:30 am
cars: 2001 Pontiac Grand AM SE
LD9 2.4l I4, 4T40E
2005 Chevrolet Venture
LA1 3400 V6, 4T65E
Location: North TX, USA

Re: ABS Hacking

Post by MudDuck514 »

delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike
j_ds_au
Posts: 384
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Re: ABS Hacking

Post by j_ds_au »

MudDuck514 wrote:
delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike
Never heard of that name, but that URL says it's the same thing.

MEK is strong stuff, so may do the trick, but might ruin parts of the module, if that's a concern.

If you have time on your hands (about a month), you might put it in a jar of acetone. I once dismantled a Bosch regulator that way without damaging anything (including component markings), fixed a couple of fractured solder joints which were causing faulty operation, and put it back together with some fresh epoxy, good as new.

Joe.
bubba2533
Posts: 498
Joined: Wed Apr 11, 2018 8:50 am
cars: 03 Chevy S10 Turbo V6

Re: ABS Hacking

Post by bubba2533 »

One suggestion is to be patient... I could not wait and destroyed a PCM that I was trying to remove from epoxy with not so delicate methods.
LS1 Boost OS V3 Here. For feature suggestions post in here Development Thread. Support future development ->Patreon.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ABS Hacking

Post by antus »

I expect it will be a hc11, that and aldl were the platform of the day. I don't think you'll find BDM or JTAG. But I suspect that once you have the seed/key you'll be able to read memory regions and once you've mapped it out get a dump.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

bubba2533 wrote:One suggestion is to be patient... I could not wait and destroyed a PCM that I was trying to remove from epoxy with not so delicate methods.
I'm pretty sure I lost that battle a couple weeks ago. :) It was unusable when I got it so there wasn't much to lose. The PCB is still anchored to the case though.

But if I can get it apart, learn some part numbers, and follow some traces on the circuit board it could still be useful.

And if MEK / Acetone / whatever proves useful, or too destructive, that'd be useful one way or the other. Acetone is easy to find and not as toxic so I think I'll start with that.
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

I have a newer style EBCM in my garage. I'll try opening it and I guess I need to soak it in acetone to get the stuff off of it.

Ice mode bit me last weekend at a track and I flew off track at > 100 mph. I got lucky and there was no car or wall for me to hit where I went off.

I also have a GM tech 2 and can probably sniff the OBD traffic used by the tech 2 to get the procedure used to flash the module.

I've not yet had to do this but I assume the procedure is:
1) Disassemble the rev 2 EBCM I have in my garage to determine the CPU used.

2) use tech 2 to reflash my module and sniff traffic to try and reverse engineer the process?

3) once we get the binary, decompile it (the hard part)
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

NSFW, is there a way for you to use the j2534 device to sniff the bus while I flash with the Tech 2? I don't have an easy way to sniff otherwise other than building my own VPW to comm device. I can splice the tech 2 and the J2534 device onto the obdii port pretty easily, so if you have some sort of utility that can then use the J2534 to dump all bus traffic I'll flash the device with my tech 2. I have some of my own CAN utilities to sniff busses but I've done nothing for VPW.

If you've got something in place, I can get a tech 2 flash dump this weekend
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ABS Hacking

Post by antus »

I think it's a fairly safe bet it'll be 68k, but I don't think you need to identify the processor at this stage. That should become apparent from looking at the code after you've logged the flash by trying the likely candidates and see if it decompiles. The other gotcha will be if the flash happens in 1x or 4x speed. If you get the setup traffic at 1x then it goes quiet you might need to flash again and log at 4x if that's possible. Do you have the calibration ID of what's on the device? Tis2000 might have the file on disk to be matched up by name.