ABS Hacking

They go by many names: P01, P59, VPW, '0411, etc. Circa 1999 to 2006. All VPW OBD2 PCMs.

Re: ABS Hacking

Postby NSFW » Sat Feb 01, 2020 4:48 pm

Tazzi wrote: I think I have also extracted the kernel... although no way of verifying without simulating a module on bench.


Can you post it?

If you got it by recording the messages from a reflash session I'd love to see that too.
Please don't PM me with questions about tuning or flashing - start a thread instead. Thanks!


Re: ABS Hacking

Postby Tazzi » Sat Feb 01, 2020 9:45 pm

NSFW wrote:
Can you post it?

If you got it by recording the messages from a reflash session I'd love to see that too.


I had no module data to simulate on the bench so can't grab a full reflash session, but attached is kernel, or at least one of them that gets sent in a session.
Attachments: ABSKernel.bin (484 Bytes)


Re: ABS Hacking

Postby NSFW » Sun Feb 02, 2020 8:46 am

I wasn't able to figure out what CPU that's for... I tried a few things in IDA and just got garbage. However I just found this, which might be able to correctly guess:

https://github.com/airbus-seclab/cpu_rec

I want to try it but I'm on my phone now.

Anyone want to give it a shot?


Re: ABS Hacking

Postby kur4o » Mon Feb 03, 2020 4:17 am

It looks like the ebcm doesn't support mode 27, so it is permanently unlocked. It also requires removal of some bcm fuses upon programming.
There is no x4 mode and the data is dumped in $100 long chunks. Someone needs to figure out the opcodes relation to processor so disassembly can be made. The main data is loaded at $2000 ram area.
The programming event will be something like this.
Mode 28
Mode 34
Mode 36
...............
Mode 36 upload of calibration
................
mode 36 Reset message and exit

The flashing is more likely the 96-97 lt1 pcm than the ls1 stuff.


Re: ABS Hacking

Postby NSFW » Mon Feb 03, 2020 5:24 am

I tried the cpu_rec tool on the bin file that Tazzi posted, and it couldn't determine what sort of code it is. I suspect that cpu_rec just needs more data, 484 bytes isn't much.

I wonder if mode 35 could be used to read the existing firmware.


Re: ABS Hacking

Postby kur4o » Mon Feb 03, 2020 7:04 am

I wonder if mode 35 could be used to read the existing firmware.


The module id is $28. You can quiet the bus and poll the ebcm what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCM have built in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE


Re: ABS Hacking

Postby antus » Mon Feb 03, 2020 6:18 pm

I think the firmware might be fixed, and you're looking at calibration data. I'd be trying to read from 0x00000 and try and read the rom out of the device.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396


Re: ABS Hacking

Postby Tazzi » Tue Feb 04, 2020 11:30 am

Can check the up to date cals for a VIN/module here: https://tis2web.service.gm.com/tis2web

And Antus is right, appears that file is a calibration. Comment for the update is "New calibration to correct setting of false DTC C1288".


Re: ABS Hacking

Postby NSFW » Tue Feb 04, 2020 4:22 pm

kur4o wrote:
I wonder if mode 35 could be used to read the existing firmware.


The module id is $28. You can quiet the bus and poll the ebcm what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCM have built in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE


Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to reach every 256-byte chunk from 0-512kb and they all failed.

I've been trying a bunch of things, using PCM Hammer's core code and changing the device ID from 10 to 28...

The first thing I tried was to read a PID, but I just got a 7F response. This is annoying because I have a list of PIDs that the ABS is supposed to support. But apparently it doesn't support the "get one PID" messages that the PCM supports. This is the query for PID 0x0001:

[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11

I also tried removing the final 0x01 in the request message (not sure why the PCM needs it), but that made no difference.

So I tried to check for trouble codes and this actually worked, and indeed the ABS unit in my C5 has no codes. (If it said it had DTCs that would be a surprise.)

Good news: I'm supposed to receive a 2002 ABS unit tomorrow.
Bad news: I won't have much time for car hacking stuff for another week or so.
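The exchange NSFW logs above (a 6C 28 F0 request header, a 6C F0 28 7F ... reply) and the mode-polling idea kur4o describes a few posts up both come down to the same two chores: splitting a VPW frame into its 3-byte header and diagnostic body, and telling a positive reply from a 7F refusal. The following is an added example, not code from the thread or from PCM Hammer. It parses the RX line from the post, builds requests the way kur4o spells them out, and runs a mode probe against a constructed stand-in for the EBCM. The set of modes the stand-in accepts and the meaning attached to response code 0x11 are assumptions made for the example; the real module is the authority.

```python
# Added example: VPW diagnostic frame parsing and a supported-mode probe.
# Not the thread's or PCM Hammer's code; the simulated module is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

TESTER_ID = 0xF0   # scan-tool address seen in the thread's log lines
EBCM_ID = 0x28     # ABS module (EBCM) address quoted by kur4o
NEGATIVE = 0x7F    # negative-response marker
# Response code at the end of the logged 7F reply. Treating 0x11 as
# "service not supported" is an assumption for this example.
NRC_NOT_SUPPORTED = 0x11


@dataclass
class VpwFrame:
    priority: int
    target: int
    source: int
    mode: int            # requested mode (for 7F replies: the mode that was refused)
    payload: bytes       # bytes after the mode (for 7F replies: the echoed parameters)
    negative: bool = False
    nrc: Optional[int] = None   # last byte of a 7F reply


def parse_vpw(frame: bytes) -> VpwFrame:
    """Split a raw VPW frame into header (priority, target, source) and body."""
    if len(frame) < 4:
        raise ValueError("frame too short for a 3-byte header plus mode byte")
    prio, tgt, src = frame[0], frame[1], frame[2]
    body = frame[3:]
    if body[0] == NEGATIVE:
        # Layout: 7F <echoed mode> <echoed params...> <response code>
        if len(body) < 3:
            raise ValueError("malformed negative response")
        return VpwFrame(prio, tgt, src, body[1], bytes(body[2:-1]), True, body[-1])
    return VpwFrame(prio, tgt, src, body[0], bytes(body[1:]))


def parse_hex(text: str) -> VpwFrame:
    """Parse a frame written as space-separated hex, as in the log lines."""
    return parse_vpw(bytes.fromhex(text.replace(" ", "")))


def rx_frames_from_log(lines: Iterable[str]) -> List[VpwFrame]:
    """Pick the 'RX:' lines out of an ELM-style log and parse each frame."""
    frames = []
    for line in lines:
        if "RX:" in line:
            frames.append(parse_hex(line.split("RX:", 1)[1]))
    return frames


def build_request(target: int, mode: int, data: bytes = b"") -> bytes:
    """Request as kur4o writes it: 6C <target> F0 <mode> [data]."""
    return bytes([0x6C, target, TESTER_ID, mode]) + data


def probe_modes(send: Callable[[bytes], bytes], modes: Iterable[int]) -> Dict[int, Optional[bool]]:
    """Send a bare request per mode; True = positive reply, False = 7F, None = silence."""
    result: Dict[int, Optional[bool]] = {}
    for mode in modes:
        reply = send(build_request(EBCM_ID, mode))
        if not reply:
            result[mode] = None
            continue
        frame = parse_vpw(reply)
        # Positive replies carry the request mode plus 0x40 (e.g. 22 -> 62).
        result[mode] = (not frame.negative) and frame.mode == mode + 0x40
    return result


# Constructed stand-in for the EBCM. The accepted set is an assumption that
# mirrors the flash sequence kur4o lists (modes 28, 34, 36).
SIM_SUPPORTED = {0x28, 0x34, 0x36}


def simulated_ebcm(request: bytes) -> bytes:
    req = parse_vpw(request)
    if req.target != EBCM_ID:
        return b""   # not addressed to this module: no reply, as on a real bus
    hdr = bytes([0x6C, req.source, EBCM_ID])
    if req.mode in SIM_SUPPORTED:
        return hdr + bytes([req.mode + 0x40]) + req.payload
    return hdr + bytes([NEGATIVE, req.mode]) + req.payload + bytes([NRC_NOT_SUPPORTED])


# Log lines copied from the post above, for the demo.
SAMPLE_LOG = [
    "[10:16:08:401] TX: AT SH 6C 28 F0",
    "[10:16:08:423] TX: 22000101",
    "[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11",
]

if __name__ == "__main__":
    for f in rx_frames_from_log(SAMPLE_LOG):
        print(f)
    print(probe_modes(simulated_ebcm, [0x22, 0x28, 0x34, 0x35, 0x36]))
```

Run it with a real transport by replacing `simulated_ebcm` with a function that writes the request to the interface and returns the raw reply bytes (or empty bytes on timeout); `probe_modes` keeps the three outcomes apart, which matters because a silent module and a 7F refusal point at different problems.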


Re: ABS Hacking

Postby jlvaldez » Tue Feb 04, 2020 6:15 pm

NSFW wrote:
kur4o wrote:
I wonder if mode 35 could be used to read the existing firmware.


The module id is $28. You can quiet the bus and poll the ebcm what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCM have built in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE


Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to reach every 256-byte chunk from 0-512kb and they all failed.

I've been trying a bunch of things, using PCM Hammer's core code and changing the device ID from 10 to 28...

The first thing I tried was to read a PID, but I just got a 7F response. This is annoying because I have a list of PIDs that the ABS is supposed to support. But apparently it doesn't support the "get one PID" messages that the PCM supports. This is the query for PID 0x0001:

[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11

I also tried removing the final 0x01 in the request message (not sure why the PCM needs it), but that made no difference.

So I tried to check for trouble codes and this actually worked, and indeed the ABS unit in my C5 has no codes. (If it said it had DTCs that would be a surprise.)

Good news: I'm supposed to receive a 2002 ABS unit tomorrow.
Bad news: I won't have much time for car hacking stuff for another week or so.


To confirm, is there not a way to use a J2534 device to monitor bus traffic? I haven't sat down and played with the dll shim thing for J2534 to sniff the api calls, but I can use Tech2Win and try to sniff the PIDs from the ABS module.

Sadly I've been swamped with work and haven't had much free time to dig into anything.
I'm also quite far behind everyone else with my understanding of how these modules communicate. No idea what the different modes correspond to.


Just a thought, is it possible that the initial revision of the EBCM binary on TIS would contain the OS? If the later versions are simply a calibration update, would the first versions have the OS? Or must they all be flashed during assembly with the OS...
