ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ABS Hacking

Post by antus »

@nsfw try changing the priority. It might need to be 6D or something else.
@jlvaldez I'm pretty sure j2534 could just read and log for data if someone with the time wanted to make and test something.
I'm not sure that it's ROM, but from what was posted ROM was mentioned, so I'm taking that at face value. We also don't know for sure it's even code in ROM. Something like an ABS/EBCM might be better made in an FPGA/ASIC for the amount of parallel processing it's doing from 4 wheel sensors and multiple brake actuators. It could be that and just hold some flash and a basic MCU to handle configuration and comms. Just thoughts. If anyone does know, jump in!

Edit: Just googling for brake +asic I found this document. It's the loosest connection you could possibly get but it does have multiple references to Delphi and other OEMs and does mention various sensor modules built around an ASIC. So I think it shows that an ASIC in these small modules is reasonably likely.

https://archive.org/stream/AdvancedMicr ... f_djvu.txt
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

The shim DLL thing might be the easiest way to capture messages, if it comes with an app to record data.

I don't know much about J2534 but I suspect that a J2534 device could be put into a monitoring mode, which could be used with a Y-adapter. However we'd need an app to put it into monitoring mode and actually log the data to a file (and again I'm only assuming that such a mode exists).

It might be easier to use Pete & Tazzi's ObdXPro device for monitoring once it becomes available.

In the source code for PCM Hammer there's also an app named "PCM Explorer" that I made for quick-and-hacky things like this, and I've been wanting to give it a Record button to investigate the messages that are on the bus while driving. I might be able to write code for that today but I don't think I'll be able to test it.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!

Re: ABS Hacking

Post by antus »

j2534 is on par with AVT, it's just the crappy elm protocol that won't let you do this. You'd just keep calling ReceiveMessage() in the open j2534 driver and output the data as text. It doesn't need a specific monitoring mode. That's why the streaming devices as I call them (avt, j2534, X-pro) are better than elm type (elm, scantool, obdlink) when you're trying to do more than just read pids.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ABS Hacking

Post by Tazzi »

Some J2534 devices allow monitoring, where others do not (it's a tool firmware thing).

So you should be able to set the filter to something like 6C10F0 but then the mask to 000000 which means any frame will pass through. Some J devices do not like the mask being 00's and either do not accept the command or stop communicating altogether.
I think the MDI freaks out for all 00's, but the VX nano will allow it?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
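
The filter and mask settings discussed in the posts above, modelled offline as an added example (not code from the thread, PCM Hammer or any J2534 driver). It assumes the pass rule `(frame & mask) == (pattern & mask)` on the 3-byte VPW header, and the frames, names and the priority-ignoring mask are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#define HDR_LEN 3  /* VPW header: priority/type, target, source */
struct frame { uint8_t data[8]; size_t len; };

/* Constructed sample traffic; payload bytes are arbitrary. */
static const struct frame SAMPLE[] = {
    {{0x6C, 0x10, 0xF0, 0x01, 0x02}, 5},  /* matches 6C10F0 exactly */
    {{0x6D, 0x10, 0xF0, 0x01, 0x02}, 5},  /* same addresses, priority 6D */
    {{0x6C, 0xF0, 0x10, 0x03, 0x04}, 5},  /* opposite direction */
    {{0x88, 0xFE, 0x28, 0x05}, 4},        /* unrelated traffic */
    {{0x6C, 0x10}, 2},                    /* truncated, no full header */
};
static const uint8_t PATTERN[HDR_LEN]    = {0x6C, 0x10, 0xF0};
static const uint8_t MASK_EXACT[HDR_LEN] = {0xFF, 0xFF, 0xFF};
static const uint8_t MASK_ANY[HDR_LEN]   = {0x00, 0x00, 0x00};
static const uint8_t MASK_ADDR[HDR_LEN]  = {0x00, 0xFF, 0xFF}; /* ignore priority */

/* Assumed pass rule: (frame & mask) == (pattern & mask) over the header. */
static int filter_passes(const struct frame *f, const uint8_t *mask)
{
    if (f->len < HDR_LEN) return 0;
    for (size_t i = 0; i < HDR_LEN; i++)
        if ((f->data[i] & mask[i]) != (PATTERN[i] & mask[i])) return 0;
    return 1;
}

/* Count frames the filter passes; write each as hex text when log != NULL. */
static int count_passing(const uint8_t *mask, FILE *log)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        if (!filter_passes(&SAMPLE[i], mask)) continue;
        n++;
        for (size_t b = 0; log && b < SAMPLE[i].len; b++)
            fprintf(log, "%02X%c", SAMPLE[i].data[b],
                    b + 1 == SAMPLE[i].len ? '\n' : ' ');
    }
    return n;
}

int main(void)
{
    printf("exact mask: %d\n", count_passing(MASK_EXACT, NULL));
    printf("priority ignored: %d\n", count_passing(MASK_ADDR, NULL));
    printf("zero mask: %d\n", count_passing(MASK_ANY, stdout));
    return 0;
}
```

With the zero mask every frame that carries a full header is logged, which is the monitoring behaviour described; the exact mask logs only frames whose header is 6C 10 F0.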

Re: ABS Hacking

Post by Tazzi »

As for logging the tech2, this actually doesn't use J2534, it uses its cousin DPU ISO 22900.

I've been working on trying to get the tech2 to communicate with the OBDX by making a super basic implementation. It's similar to J protocol, just different commands, structures and return values.
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

So I was at a track here in the DFW area this last weekend and was able to activate ice mode consistently once I figured out what it was. Supposedly one of the guys here has been trying to get a calibration from a friend at GM that changes these thresholds...

Re: ABS Hacking

Post by antus »

That would be ideal, here's hoping it surfaces.

Re: ABS Hacking

Post by NSFW »

A calibration that works with their Tech 2 programming stuff would simplify things a lot!

But if that's not possible then just ask for the source code and some reflash documentation and we'll take it from there. :)

Re: ABS Hacking

Post by NSFW »

jlvaldez wrote:I have TIS2000 on my computer and a tech 2. Also have a J2534. I can pull the cal ID from my EBCM no issues. Not sure where it would live on my machine though, if it's already in TIS2000.

Upon some googling, I realize you apparently can't use a J2534 device to sniff the bus. However, I can use a "shim DLL" to intercept the J2534 calls from TIS2000 to my J2534 tool and dump that to a file for analysis... I'll play with this tonight and see if I can get anywhere.

I have the 2001+ module semi disassembled. Looks like I'll need to desolder the two boards and then remove the epoxy to get anywhere, though.
How did you get yours apart?

I tried to get at the circuit build on my spare EBCM today and it still won't come apart. I attacked that MFer with a knife, a couple of screwdrivers, and even a blowtorch (just on one corner, to see if it would loosen the adhesive) all with no results.

I have the electronic half separated from the pump/valve half, I just can't get to the circuit board.

Re: ABS Hacking

Post by jlvaldez »

I haven't made it beyond pulling it out of the housing yet, either. Looks like it "just" needs to be desoldered. I had some stuff happen as all this COVID crap happened that required my effort elsewhere. So I had to shelve it. I'm trying frantically to get back on track now.

However, I was at a track here, talking to a guy that knows a few people in GM. I told him about how we're unable to get at the OS and need someone to reach out to. He is actually very interested in being able to remove or defeat ice mode. Turns out that he has 2 contacts he knows at GM. One was involved with the C4 electronics and knows all the people that worked on the C5 stuff.

So I had him reach out and start that dialog. I'll follow up with him soon, but want some confirmation. We need the OS binary. I'm surprised they're separate but that's the missing piece.

I was also told he may be able to get his hands on a C5R unit that could be given. However, I don't know if that would help, since I don't know if the C5R ABS unit is the same. If it truly just is a calibration tweak, then why can't we pull the calibration for a C5R and upload it to C5 (of course the means to upload is not yet determined)?

I haven't forgotten, it's just been crazy the last few months but things are mostly back to normal.