ABS Hacking
-
- Posts: 155
- Joined: Mon Feb 11, 2019 12:48 pm
- cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6 - Location: DFW, Texas
Re: ABS Hacking
I have TIS200 on my computer and a tech 2. Also have a J2534. I can pull the cal ID from my EBCM no issues. Not sure where it would live on my machine though, if it's already in TIS2000.
Upon some googling, I realize you apparently can't use a J2534 device to sniff the bus. However, I can use a "shim DLL" to intercept the J2534 calls from TIS2000 to my J2534 tool and dump that to a file for analysis... I'll play with this tonight and see if I can get anywhere.
I have the 2001+ module semi disassembled. Looks like I'll need to desoldee the two boards and then remove the epoxy to get anywhere, though.
Upon some googling, I realize you apparently can't use a J2534 device to sniff the bus. However, I can use a "shim DLL" to intercept the J2534 calls from TIS2000 to my J2534 tool and dump that to a file for analysis... I'll play with this tonight and see if I can get anywhere.
I have the 2001+ module semi disassembled. Looks like I'll need to desoldee the two boards and then remove the epoxy to get anywhere, though.
Re: ABS Hacking
I did some hack job and this is what I got.
The ebcm also could be a delphi variant of bosch 5.3 ebcm. If that is the case, no wonder it is complete POS.
The binary doesn`t look similar to motorola code. It is also a calibration update only. The main code might reside on the processor.
It looks like that only 01-02 ebcm can be updated via tis2000. 03-04 might be already upto date.The ebcm also could be a delphi variant of bosch 5.3 ebcm. If that is the case, no wonder it is complete POS.
The binary doesn`t look similar to motorola code. It is also a calibration update only. The main code might reside on the processor.
-
- Posts: 155
- Joined: Mon Feb 11, 2019 12:48 pm
- cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6 - Location: DFW, Texas
Re: ABS Hacking
In my Vette, tech 2 reports:
part number: 12204890
Base part number: 9390570
ROM part number: 12204888
Calibration part number: 12204887
System ID: B6B0
Config ID: 10A2A8
My TIS2000 isn't connecting to my J2534 and my tech2 is in my other vehicle
part number: 12204890
Base part number: 9390570
ROM part number: 12204888
Calibration part number: 12204887
System ID: B6B0
Config ID: 10A2A8
My TIS2000 isn't connecting to my J2534 and my tech2 is in my other vehicle
Re: ABS Hacking
12220685.bin is an update for Calibration part number: 12204887
I guess the base and rom are the missing link. Rom also suggest it is a Read only memory.
I guess the base and rom are the missing link. Rom also suggest it is a Read only memory.
Re: ABS Hacking
If you can shoot me a VIN, I can see if I cant grab some files from an online GM programming session?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
-
- Posts: 155
- Joined: Mon Feb 11, 2019 12:48 pm
- cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6 - Location: DFW, Texas
Re: ABS Hacking
1G1YY12S315113275Tazzi wrote:If you can shoot me a VIN, I can see if I cant grab some files from an online GM programming session?
From what I have read, there's a scalar that describes the maximum allowed deceleration rate before assuming you're on ice. This should live in the cal, section I'd think. Just to find the OS...
Last edited by jlvaldez on Fri Jan 31, 2020 5:31 pm, edited 1 time in total.
- antus
- Site Admin
- Posts: 8253
- Joined: Sat Feb 28, 2009 8:34 pm
- cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B - Contact:
Re: ABS Hacking
that bin above looks more like cal, and doesnt seem to be hc11 or 68k code. i think your right about the rom, I think we are looking at calibration data, but how make sense of it with no code and no off the shelf tools. our bcm code here seems to be in rom, with a built in eeprom for cal data. I think that was the design choice for most the smaller module in the car. maybe we will need to build a tool that can unlock the module and start sending read commands and see if we can locate and read the rom.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Re: ABS Hacking
So we have the following update using that VIN:
Attached is the file it uploads- Attachments
-
- 12220685.bin
- (1.97 KiB) Downloaded 219 times
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Re: ABS Hacking
I think I have also extracted the kernel... although no way of verifying without simulating a module on bench.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
-
- Posts: 155
- Joined: Mon Feb 11, 2019 12:48 pm
- cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6 - Location: DFW, Texas
Re: ABS Hacking
Nice, I'm two versions out of date.Tazzi wrote:So we have the following update using that VIN:Attached is the file it uploads
So now to figure out how to read out the on CPU EEPROM?
As mentioned, I have a later mode EBCM I can use (or ship to someone who knowledgeable).