ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

While installing my new seats into my Vette, I figured I'd probe the pinout for the seat controller since I figure it has to have a serial port for the memory functions.

Turns out it does. Shame my scope can't decode VPW :( I think I'll grab a raspberry pi and stick it under this seat with the OBX and datalog with this. I can build a cape for the analog inputs for it. Then bam, cheap datalogger that you can ssh or VNC into :)

OBX has been shipped.

I think if I ask, the speed shop will let me use the track during the week for testing/datalogging as well. But I'd like to have some more before I ask for free track access ;)
Attachments
20200706_191030.jpg
20200706_190227.jpg
Last edited by jlvaldez on Wed Jul 08, 2020 6:53 pm, edited 1 time in total.

Re: ABS Hacking

Post by jlvaldez »

I know I keep posting crap, but I want to get some of my thoughts out while they're there (I'm forgetful).

I have a raspberry Pi 4 I think I can use to accomplish the datalogging. I'm not sure how I feel about trying to get an OS to handle fairly accurate datalogging, but I imagine that I realistically don't need more than 100 Hz of sampling to accomplish what I need, which should be doable.

Inputs:
1) Wheel sensors (4x 48 pulses/wheel rev)
2) Brake pressure sensor (Analog)
3) Steering wheel inputs (there's 2x of these) (2x Analog)
4) Yaw sensor (Analog)
5) Lateral accel sensor (Analog)
6) Delivered torque from ECU (it has a separate pin, not sure what this is about)
7) Requested torque from EBCM (for reviewing)
8) serial bus data

Yes. There's a lot going on. The wheel sensors concern me the most. They're variable reluctance sensors, but I found the MAX9927 analog front end which is just a differential amp + comparator to boost the low voltage AC to a square waveform, which I could feed straight to a RPi GPIO. However, my basic calculations show that the pulse will be anywhere from 0 Hz to ~2 kHz. The RPI would need to accurately sample 4 GPIOs to determine frequency. Quick looking through some of the libraries show that it might actually be interrupt + timer driven (awesome, if true). I'm not sure, though. I've always done this with embedded devices (MCUs + C code), so this will be different for me, but I figure there's libraries out there that I can utilize to help.

I attached the preliminary schematic of the 4 wheel sensors with output to the Pi. I'm working on a Raspberry Pi hat for these inputs. Looks like the RPi doesn't have an ADC, so I will need to add a SPI or I2C ADC onto the hat for sampling the other sensor inputs (0-5 V analog signals, which I imagine will have pretty low frequency content to them; how fast can you really saw away at a steering wheel or the brakes?).

Also added the analog section. It's just a bunch of unity gain op amps to buffer the voltage into the ADC. I need to add a voltage translator for the SPI from 5V to 3.3V, and I think I want to try to find a simultaneous sampling ADC. I2C might be an option if I run at 400 kHz or 1 MHz... I'm a little concerned about the Pi's ability to be consistent with requesting samples.

The more I think about this, the more I think I should have a MCU doing all the time sensitive things, and then just dump all the sampled info to the Pi via SPI or something.
Attachments
Analog_In.png
Wheel Capture.PNG
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

I like where you're going with that.

If you can get clean readings of those signals (or even just the wheel speed signals) then one option for solving ice mode might be to create a new EBCM PCB.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ABS Hacking

Post by antus »

That is cool. I can confirm you can do interrupt driven IO on the Pi, but some implementations poll. I have experimented with both monitoring some PIR sensors in my shed, and found they both work but a direct hookup to long wires carrying logic level signals is very noisy. That'd be best handled in hardware. In my case on every trigger I took 3 more samples and if all 4 were the same I called it a real trigger. That really loaded up the CPU though and the Pi's power consumption doubled compared to polling, because of all the false triggering. So hardware filtering is your friend.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: ABS Hacking

Post by jlvaldez »

antus wrote: That is cool. I can confirm you can do interrupt driven IO on the Pi, but some implementations poll. I have experimented with both monitoring some PIR sensors in my shed, and found they both work but a direct hookup to long wires carrying logic level signals is very noisy. That'd be best handled in hardware. In my case on every trigger I took 3 more samples and if all 4 were the same I called it a real trigger. That really loaded up the CPU though and the Pi's power consumption doubled compared to polling, because of all the false triggering. So hardware filtering is your friend.
Good to know. I've yet to use a Pi for anything outside of a H264 decoder (I use it as a "tv" to stream my HTPC's screen to the kitchen for my wife). I have not played with low level hardware stuff in a Linux OS yet, but I imagine it won't be too bad.
As a note to you, when feeding long wires, if you can feed it to a differential driver instead of a single ended signal, you'll greatly reduce your noise. RS-485 is more or less differential RS-232 and is used to operate ridiculously long cables.

I found a library called pigpio, which seems to have very heavily optimized functions for the Pi to reduce overhead significantly. I'll be looking into that as well. My thought for the wheel speed is that I'll set an interrupt for each edge change. Check a timer, measure the time between pulses, and then I can calculate the RPM. I'll likely feed the time value into a circular buffer and average it out to smooth the readings a bit. My calculations show that 2 kHz is the upper limit out of a wheel hub if the car is doing ~160 mph. I would like to think a 4x 1.5 GHz CPU can handle that...


Another update regarding the schematics. I've decided to completely redo my analog input stage. Mainly because 1) The signals share a low reference, I should use that instead of powered ground, 2) Ability to reject some common mode noise on the signal lines if they're run close to each other, 3) I need to implement a low pass filter for the ADC that will come afterwards.

I think I'm done with the schematics, as far as I can tell, unless I screwed up the torque requested and delivered signals. I attached the PDF of the HAT.

I only use the differential amplifier stage on the sensors. I'm still not sure what the waveforms on the torque requested and delivered signals are. I'm hoping to get my vette running here within the next few days, and I'll get a datalogger on it to see. I suspect it's either an analog voltage, or a PWM'd signal.

With that being said, I redesigned it into 3 easy to understand stages. A buffer stage since I don't know what the source impedance of the sensors is, so I buffer with high impedance unity gain op amps to prevent screwing with the sensors. The buffered signal is fed into a differential amplifier configuration with unity gain, which will do (Vsignal - Vlow_reference) as the output. This output is then fed into the last stage which is a second order low pass filter with a -3 dB point set around 2 kHz. Don't ask me why I chose 2 kHz. I figured it would attenuate most higher frequency noise. I need to actually look at the sensor output to get an idea of if this can be dropped. I also have a DNP'd resistor to skip the low pass filter if I want to feed the output from 2nd stage to the ADC directly.

The bad: 5 op amp ICs are needed to pull this off... each one having 4 op amps. That's 20 op amps to condition 8 inputs. I tried to combine stage 2 and 3, but couldn't get good CMRR with filtering. Then I think it makes sense to keep it separate so I can disable or adjust the filter if I need to without giving up the differential amplifier.

I also ran some simulations to make sure that it worked as I expect (at least with ideal components).
Common_mode_Rejection.png
Here you can see the red waveform is the input waveform with 600 mV of AC noise getting coupled onto the sensor wires. Green is the output, and you can see the differential amplifier is doing its job quite well to produce a beautiful noise-free output waveform. I tested DC and some switching waveforms. DC isn't exciting to look at. The input wiggles, the output is a flat line like it's supposed to be.
Low pass filter.png
Here's the frequency response of the entire 3 stage network. I used a 2nd order low pass to get a better cut off. This will likely require tweaking.
Attachments
PiHat.pdf
Analog_inputs.png
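
The edge-timing idea jlvaldez outlines above (timestamp each pulse, buffer the intervals, average them into an RPM), as an added sketch that is not part of the original post or anyone's logger code. The callback arguments follow pigpio's (gpio, level, tick) convention with a microsecond tick that wraps at 2**32; the glitch threshold, stall timeout, window size and pin number are assumptions, and the edge timestamps are constructed.

```python
from collections import deque

PULSES_PER_REV = 48         # from the post: 48 pulses per wheel revolution
TICK_WRAP = 1 << 32         # microsecond tick counter wraps at 2**32
MIN_PERIOD_US = 400         # assumption: edges closer than this are glitches (> 2.5 kHz)
STALL_TIMEOUT_US = 250_000  # assumption: no edge for 250 ms means the wheel has stopped


class WheelSpeed:
    def __init__(self, window=8):
        self.periods = deque(maxlen=window)  # circular buffer of pulse periods (us)
        self.last_tick = None
        self.rejected = 0

    def on_edge(self, gpio, level, tick):
        """Callback in the (gpio, level, tick) shape; only rising edges are timed."""
        if level != 1:
            return
        if self.last_tick is not None:
            dt = (tick - self.last_tick) % TICK_WRAP  # wrap-safe interval
            if dt < MIN_PERIOD_US:
                self.rejected += 1  # keep last_tick so the next real edge spans a full period
                return
            if dt > STALL_TIMEOUT_US:
                self.periods.clear()  # stale history after a stop
            else:
                self.periods.append(dt)
        self.last_tick = tick

    def rpm(self, now_tick):
        if self.last_tick is None or not self.periods:
            return 0.0
        if (now_tick - self.last_tick) % TICK_WRAP > STALL_TIMEOUT_US:
            return 0.0
        mean_period = sum(self.periods) / len(self.periods)
        return 60e6 / (mean_period * PULSES_PER_REV)


def simulate(period_us, n_edges, start_tick, glitch_after=None):
    """Constructed input: evenly spaced rising edges, optional glitch 30 us after one edge."""
    ws, tick = WheelSpeed(), start_tick
    for i in range(n_edges):
        ws.on_edge(17, 1, tick % TICK_WRAP)  # GPIO 17 is an arbitrary constructed pin number
        if i == glitch_after:
            ws.on_edge(17, 1, (tick + 30) % TICK_WRAP)
        tick += period_us
    return ws, (tick - period_us) % TICK_WRAP
```

A 500 us period (the 2 kHz upper limit mentioned in the post) works out to 2500 wheel RPM at 48 pulses per revolution; the software glitch filter only catches edges that land inside the minimum period, so it complements rather than replaces the hardware filtering antus recommends.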
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ABS Hacking

Post by Tazzi »

NSFW wrote: I've exchanged a couple messages with an ex-GM guy on Linked In, and I'm waiting to hear back from the last one I sent. He's worked on ABS calibration in the past, but I have no idea whether he'll be able to help with flashing. We'll see.
I feel like this is someone to become best mates with. :D
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Re: ABS Hacking

Post by jlvaldez »

Caught a few issues with my schematics during layout. Layout seems to be done. I was trying hard to put all components on 1 side (assembly done on 1 side to get good rate). 2 layer board, surface mount on 1 side. Had to put the level shifter on the bottom layer, I ran out of room. Was difficult with the size constraint.... If I got rid of the low pass filter, this would've fit easy....

Lil sniffer is done, I think. Will generate the gerbers and BOM tomorrow and get her quoted. Boards should be dirt cheap ($2 for 5 boards) since I meet the size restriction and layer requirement. I've actually been awake for ~40 hours so far, so I'm going to get some sleep and come back to this and look.

Whenever my OBX sniffer gets here, I can start the fun of programming to get everything working (assuming I didn't screw my schematics up).

Edit: So I found out that the requested and delivered torque measurements are simply PWM signals. Not sure what the switching frequency is, but I should be able to feed them directly into the GPIO (after shifting voltage down).

Sadly the op amps I'm using don't seem to be in stock, so I will have to switch to bigger ones, and I won't have room. So I'm going to give up my low pass filter for this variant of the board to try and save space. Sadly I need to switch to the single channel max reluctance AFEs too :(
Attachments
lil_sniffer.png
Last edited by jlvaldez on Mon Jul 13, 2020 3:12 pm, edited 1 time in total.

Re: ABS Hacking

Post by Tazzi »

Nice job!!
If doing it single sided, possibly take a look at having jcpcb assemble them as they do single sided assembly.

Re: ABS Hacking

Post by jlvaldez »

That's exactly why I was trying for single sided 2 layer. Those awesome $2 boards with cheap assembly.

I've used them for my other proto boards before. Always good quality. I found some other issues I need to correct before I send to fab.
Gampy
Posts: 2331
Joined: Sat Dec 15, 2018 7:38 am

Re: ABS Hacking

Post by Gampy »

Tazzi wrote:If doing it single sided, possibly take a look at having jcpcb assemble them as they do single sided assembly.
I assume that's jlcpcb.com ... Thank you much, didn't know about them.
Intelligence is in the details!

It is easier not to learn bad habits, than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!