ABS Hacking

They go by many names, P01, P59, VPW, '0411 etc. Also covering E38 and newer here.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

Tazzi wrote: I think I have also extracted the kernel... although no way of verifying without simulating a module on bench.
Can you post it?

If you got it by recording the messages from a reflash session I'd love to see that too.
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ABS Hacking

Post by Tazzi »

NSFW wrote:
Can you post it?

If you got it by recording the messages from a reflash session I'd love to see that too.
I had no module data to simulate on the bench so can't grab a full reflash session, but attached is the kernel, or at least one of them that gets sent in a session.
Attachment: ABSKernel.bin (484 Bytes)
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

I wasn't able to figure out what CPU that's for... I tried a few things in IDA and just got garbage. However I just found this, which might be able to correctly guess:

https://github.com/airbus-seclab/cpu_rec

I want to try it but I'm on my phone now.

Anyone want to give it a shot?
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: ABS Hacking

Post by kur4o »

It looks like the ebcm doesn't support mode 27, so it is permanently unlocked. It also requires removal of some bcm fuses upon programming.
There is no x4 mode and the data is dumped in $100 long chunks. Someone needs to figure out the opcodes relation to processor so disassembly can be made. The main data is loaded at $2000 ram area.
The programming event will be something like this.
Mode 28
Mode 34
Mode 36
...............
Mode 36 upload of calibration
................
Mode 36 reset message and exit

The flashing is more likely the 96-97 lt1 pcm than the ls1 stuff.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

I tried the cpu_rec tool on the bin file that Tazzi posted, and it couldn't determine what sort of code it is. I suspect that cpu_rec just needs more data, 484 bytes isn't much.

I wonder if mode 35 could be used to read the existing firmware.
kur4o
Posts: 948
Joined: Sun Apr 10, 2016 9:20 pm

Re: ABS Hacking

Post by kur4o »

I wonder if mode 35 could be used to read the existing firmware.
The module id is $28. You can quiet the bus and poll the ebcm to see what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCMs have built-in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: ABS Hacking

Post by antus »

I think the firmware might be fixed, and you're looking at calibration data. I'd be trying to read from 0x00000 and try and read the rom out of the device.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: ABS Hacking

Post by Tazzi »

Can check the up-to-date cals for a VIN/module here: https://tis2web.service.gm.com/tis2web

And Antus is right, appears that file is a calibration. Comment for the update is "New calibration to correct setting of false DTC C1288".
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: ABS Hacking

Post by NSFW »

kur4o wrote:
I wonder if mode 35 could be used to read the existing firmware.
The module id is $28. You can quiet the bus and poll the ebcm to see what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCMs have built-in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE
Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to read every 256-byte chunk from 0-512kb and they all failed.

I've been trying a bunch of things, using PCM Hammer's core code and changing the device ID from 10 to 28...

The first thing I tried was to read a PID, but I just got a 7F response. This is annoying because I have a list of PIDs that the ABS is supposed to support. But apparently it doesn't support the "get one PID" messages that the PCM supports. This is the query for PID 0x0001:

[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11

I also tried removing the final 0x01 in the request message (not sure why the PCM needs it), but that made no difference.

So I tried to check for trouble codes and this actually worked, and indeed the ABS unit in my C5 has no codes. (If it said it had DTCs that would be a surprise.)

Good news: I'm supposed to receive a 2002 ABS unit tomorrow.
Bad news: I won't have much time for car hacking stuff for another week or so.
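The exchange above (header set with AT SH, request 22 00 01 01, reply 7F ... 11) and kur4o's earlier "poll for 7F" suggestion both come down to decoding the 3-byte VPW header and the negative-response layout. The following is an added example, not code from the thread or from PCM Hammer; the EBCM id $28 and tester id F0 are taken from the posts, the log lines are reconstructed from the quoted exchange, and the negative response code names are an assumed KWP2000/J2190-style mapping that the thread itself does not give.

```python
import re

# Constructed sample: the ELM327-style exchange quoted in the post above.
SAMPLE_LOG = """\
[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11
"""
EBCM = 0x28              # module id given in the thread
NEGATIVE_RESPONSE = 0x7F
# KWP2000/J2190-style negative response codes (assumed mapping; the thread
# does not decode the trailing 0x11 itself).
NRC_NAMES = {0x10: "general reject", 0x11: "service not supported",
             0x12: "sub-function not supported", 0x22: "conditions not correct",
             0x31: "request out of range", 0x33: "security access denied"}
LINE_RE = re.compile(r"\[[\d:]+\]\s+(TX|RX):\s+(.+)")

def decode_frame(data: bytes) -> dict:
    """Split a VPW frame into its 3-byte header and the diagnostic payload."""
    if len(data) < 4:
        raise ValueError("need priority, target, source and mode bytes")
    frame = {"priority": data[0], "target": data[1], "source": data[2], "mode": data[3]}
    if data[3] == NEGATIVE_RESPONSE and len(data) >= 6:
        # 7F <rejected mode> <echo of the request bytes> <negative response code>
        frame["rejected_mode"], frame["echo"], frame["nrc"] = data[4], data[5:-1], data[-1]
        frame["nrc_name"] = NRC_NAMES.get(data[-1], "unknown")
    else:
        frame["payload"] = data[4:]
    return frame

def parse_log(text: str) -> list:
    """Rebuild full frames from ELM-style lines; 'AT SH' sets the header for later TX."""
    header, frames = b"", []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, body = m.group(1), m.group(2).strip()
        if body.upper().startswith("AT SH"):
            header = bytes.fromhex(body[5:])   # header bytes prepended to each TX
            continue
        raw = bytes.fromhex(body)
        frames.append((direction, decode_frame(header + raw if direction == "TX" else raw)))
    return frames

def rejected_modes(frames: list, module: int = EBCM) -> dict:
    """Map each mode the module answered with 7F to its negative response code."""
    return {f["rejected_mode"]: f["nrc"] for d, f in frames
            if d == "RX" and f["source"] == module and f["mode"] == NEGATIVE_RESPONSE}
```

Feeding a longer capture of one-request-per-mode polling into rejected_modes gives the "which modes does the EBCM refuse" table kur4o describes, without guessing at the meaning of the trailing byte.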
jlvaldez
Posts: 155
Joined: Mon Feb 11, 2019 12:48 pm
cars: '01 - Corvette Z06
'20 - Sierra Denali
'03 - Volvo S80 T6
'16 - Accord V6
Location: DFW, Texas

Re: ABS Hacking

Post by jlvaldez »

NSFW wrote:
kur4o wrote:
I wonder if mode 35 could be used to read the existing firmware.
The module id is $28. You can quiet the bus and poll the ebcm to see what modes are supported. A 7f as a response will likely mean the mode is not supported. Some of the earlier PCMs have built-in mode 35 support, so it is worth trying.
The requests will look like
6C 28 F0 XX
XX=MODE
Unfortunately I'm just getting 7F responses to these messages. I wrote a loop that tried to read every 256-byte chunk from 0-512kb and they all failed.

I've been trying a bunch of things, using PCM Hammer's core code and changing the device ID from 10 to 28...

The first thing I tried was to read a PID, but I just got a 7F response. This is annoying because I have a list of PIDs that the ABS is supposed to support. But apparently it doesn't support the "get one PID" messages that the PCM supports. This is the query for PID 0x0001:

[10:16:08:401] TX: AT SH 6C 28 F0
[10:16:08:423] TX: 22000101
[10:16:08:593] RX: 6C F0 28 7F 22 00 01 01 11

I also tried removing the final 0x01 in the request message (not sure why the PCM needs it), but that made no difference.

So I tried to check for trouble codes and this actually worked, and indeed the ABS unit in my C5 has no codes. (If it said it had DTCs that would be a surprise.)

Good news: I'm supposed to receive a 2002 ABS unit tomorrow.
Bad news: I won't have much time for car hacking stuff for another week or so.
To confirm, is there not a way to use a J2534 device to monitor bus traffic? I haven't sat down and played with the dll shim thing for J2534 to sniff the api calls, but I can use Tech2Win and try to sniff the PIDs from the ABS module.

Sadly I've been swamped with work and haven't had much free time to dig into anything.
I'm also quite far behind everyone else with my understanding of how these modules communicate. No idea what the different modes correspond to.


Just a thought, is it possible that the initial revision of the EBCM binary on TIS would contain the OS? If the later versions are simply a calibration update, would the first versions have the OS. Or must they all be flashed during assembly with the OS...