ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

I have TIS200 on my computer and a tech 2. Also have a J2534. I can pull the cal ID from my EBCM no issues. Not sure where it would live on my machine though, if it's already in TIS2000.

Upon some googling, I realize you apparently can't use a J2534 device to sniff the bus. However, I can use a "shim DLL" to intercept the J2534 calls from TIS2000 to my J2534 tool and dump that to a file for analysis... I'll play with this tonight and see if I can get anywhere.

I have the 2001+ module semi disassembled. Looks like I'll need to desoldee the two boards and then remove the epoxy to get anywhere, though.
Attachments
20200130_173858.jpg
20200130_173849.jpg
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: ABS Hacking

Post by kur4o »

I did some hack job and this is what I got.
flash_data_upload.txt
(2.18 KiB) Downloaded 220 times
12220685.bin
(1.97 KiB) Downloaded 227 times
It looks like that only 01-02 ebcm can be updated via tis2000. 03-04 might be already upto date.
The ebcm also could be a delphi variant of bosch 5.3 ebcm. If that is the case, no wonder it is complete POS.
The binary doesn`t look similar to motorola code. It is also a calibration update only. The main code might reside on the processor.
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

In my Vette, tech 2 reports:
part number: 12204890
Base part number: 9390570
ROM part number: 12204888
Calibration part number: 12204887
System ID: B6B0
Config ID: 10A2A8

My TIS2000 isn't connecting to my J2534 and my tech2 is in my other vehicle
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: ABS Hacking

Post by kur4o »

12220685.bin is an update for Calibration part number: 12204887
I guess the base and rom are the missing link. Rom also suggest it is a Read only memory.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ABS Hacking

Post by Tazzi »

If you can shoot me a VIN, I can see if I cant grab some files from an online GM programming session?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

Tazzi wrote:If you can shoot me a VIN, I can see if I cant grab some files from an online GM programming session?
1G1YY12S315113275

From what I have read, there's a scalar that describes the maximum allowed deceleration rate before assuming you're on ice. This should live in the cal, section I'd think. Just to find the OS...
Last edited by jlvaldez on Fri Jan 31, 2020 5:31 pm, edited 1 time in total.
User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: ABS Hacking

Post by antus »

that bin above looks more like cal, and doesnt seem to be hc11 or 68k code. i think your right about the rom, I think we are looking at calibration data, but how make sense of it with no code and no off the shelf tools. our bcm code here seems to be in rom, with a built in eeprom for cal data. I think that was the design choice for most the smaller module in the car. maybe we will need to build a tool that can unlock the module and start sending read commands and see if we can locate and read the rom.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ABS Hacking

Post by Tazzi »

So we have the following update using that VIN:
absupdateinfo.PNG
absupdateinfo.PNG (12.89 KiB) Viewed 4537 times
Attached is the file it uploads
Attachments
12220685.bin
(1.97 KiB) Downloaded 218 times
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: ABS Hacking

Post by Tazzi »

I think I have also extracted the kernel... although no way of verifying without simulating a module on bench.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

Tazzi wrote:So we have the following update using that VIN:
absupdateinfo.PNG
Attached is the file it uploads
Nice, I'm two versions out of date.

So now to figure out how to read out the on CPU EEPROM?

As mentioned, I have a later mode EBCM I can use (or ship to someone who knowledgeable).
Post Reply