
ABS Hacking

Posted: Tue Jan 28, 2020 7:55 pm
by NSFW
This is not exactly LS1 hacking but it's another module that's present in some LS1 cars (and maybe trucks) so I figure the same people might want to follow along or get involved. As I write this now, there has been zero progress, but we gotta start somewhere. :)

Many people who take their 1997-2004 Corvettes to track days have reported that the Electronic Brake Control Module (EBCM) has virtually locked out the brakes at one time or another. Apparently the way to trigger it is to press the brake pedal abruptly with grippy tires. GM claims there's no such thing, but it's been described by so many people that I assume it's a bug that just never cropped up during their testing. I want to find it and fix it before it finds me, and jvaldez wants to fix it before it finds him a second time.

There are two versions of the EBCM that were used in Corvettes, with the changeover happening at or around the 2000 model year (I don't know exactly). So we might have to do this twice. Hopefully the second iteration will go faster than the first.

My car is a 2002 but a local shop gave me a defective EBCM from a 1998 to play with, and I'm happy to try to figure that one out. The tricky thing about that one is that I can't get it apart. As far as I can tell, the case was filled with epoxy and the circuit board was mashed into it component-side down, so none of the components are visible, and it's going to be impossible to pull the PCB out in one piece because it's anchored to the case by this epoxy.

Does anyone have ideas about how to open this thing up? Are there any products that might be able to dissolve or weaken the epoxy without destroying the electronics?

And, does anyone have a later-style EBCM that they can take apart and study? I'd rather not take apart my C5 so I'm going to order one off ebay but it will take a while to get here.

Plan of attack, more or less:
1) identify the components, especially the CPU
2) get the datasheet for the CPU
3) look for a way to read the firmware using BDM or JTAG or similar, to get a head start on reverse engineering
4) try to sniff a firmware upgrade session using a Tech2 or equivalent
5) use info from 3 and 4 to create EBCM Hammer. :)

I'm told that GM was fond of 68HC11 chips in that era, so maybe that's what we'll find?

Re: ABS Hacking

Posted: Tue Jan 28, 2020 8:10 pm
by delcowizzid
MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol

Re: ABS Hacking

Posted: Tue Jan 28, 2020 11:34 pm
by MudDuck514
delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike

Re: ABS Hacking

Posted: Tue Jan 28, 2020 11:56 pm
by j_ds_au
MudDuck514 wrote:
delcowizzid wrote:MEK I think it is will melt out most potting material around but it's bad shit don't inhale lol
Hi all,

Unless I am mistaken (and I often AM) this is what he is referring to:
https://en.wikipedia.org/wiki/Butanone

Mike
Never heard of that name, but that URL says it's the same thing.

MEK is strong stuff, so may do the trick, but might ruin parts of the module, if that's a concern.

If you have time on your hands (about a month), you might put it in a jar of acetone. I once dismantled a Bosch regulator that way without damaging anything (including component markings), fixed a couple of fractured solder joints which were causing faulty operation, and put it back together with some fresh epoxy, good as new.

Joe.

Re: ABS Hacking

Posted: Wed Jan 29, 2020 3:42 am
by turbo_v6
One suggestion is to be patient... I could not wait and destroyed a PCM that I was trying to remove from epoxy with not so delicate methods.

Re: ABS Hacking

Posted: Wed Jan 29, 2020 7:51 am
by antus
I expect it will be an HC11; that and ALDL were the platform of the day. I don't think you'll find BDM or JTAG. But I suspect that once you have the seed/key you'll be able to read memory regions and once you've mapped it out get a dump.

Re: ABS Hacking

Posted: Wed Jan 29, 2020 2:44 pm
by NSFW
bubba2533 wrote:One suggestion is to be patient... I could not wait and destroyed a PCM that I was trying to remove from epoxy with not so delicate methods.
I'm pretty sure I lost that battle a couple weeks ago. :) It was unusable when I got it so there wasn't much to lose. The PCB is still anchored to the case though.

But if I can get it apart, learn some part numbers, and follow some traces on the circuit board it could still be useful.

And if MEK / Acetone / whatever proves useful, or too destructive, that'd be useful one way or the other. Acetone is easy to find and not as toxic so I think I'll start with that.

Re: ABS Hacking

Posted: Fri Jan 31, 2020 3:24 am
by jlvaldez
I have a newer style EBCM in my garage. I'll try opening it and I guess I need to soak it in acetone to get the stuff off of it.

Ice mode bit me last weekend at a track and I flew off track at > 100 mph. I got lucky and there was no car or wall for me to hit where I went off.

I also have a GM tech 2 and can probably sniff the OBD traffic used by the tech 2 to get the procedure used to flash the module.

I've not yet had to do this but I assume the procedure is:
1) Disassemble the rev 2 EBCM I have in my garage to determine the CPU used.

2) use tech 2 to reflash my module and sniff traffic to try and reverse engineer the process?

3) once we get the binary, decompile it (the hard part)

Re: ABS Hacking

Posted: Fri Jan 31, 2020 6:33 am
by jlvaldez
NSFW, is there a way for you to use the j2534 device to sniff the bus while I flash with the Tech 2? I don't have an easy way to sniff otherwise other than building my own VPW to comm device. I can splice the tech 2 and the J2534 device onto the obdii port pretty easily, so if you have some sort of utility that can then use the J2534 to dump all bus traffic I'll flash the device with my tech 2. I have some of my own CAN utilities to sniff busses but I've done nothing for VPW.

If you've got something in place, I can get a tech 2 flash dump this weekend.

Re: ABS Hacking

Posted: Fri Jan 31, 2020 9:20 am
by antus
I think it's a fairly safe bet it'll be 68k, but I don't think you need to identify the processor at this stage. That should become apparent from looking at the code after you've logged the flash, by trying the likely candidates and seeing if it decompiles. The other gotcha will be if the flash happens in 1x or 4x speed. If you get the setup traffic at 1x then it goes quiet you might need to flash again and log at 4x if that's possible. Do you have the calibration ID of what's on the device? Tis2000 might have the file on disk to be matched up by name.