Did you ever figure this out? I can read 256 from the eeprom using Vag Can Pro, but can't write to it no matter what I do, and I do believe there should be more data than that on the complete EEPROM. Seems to be nothing about it online. Been screwing around with it for days, and have wrecked two modules in the process of discovery! (without much discovery lol)

Ya, seems your right, proving to be nearly impossible. Almost 0 infomation out there until the b7 generation, where you are able to access the eeprom on the board. I haven't seen 3.1 in years  . any chance you would have access to update files? I'm going to deal with my car, but now that I can't do it, I NEED to do it. I don't like not being able to figure something out. Very stubborn! I've got to look into powertrain communications to move forward, but think that will be a dead end as well, though it will provide some incite at least. I'd kill for a board schematic, but imagine that won't happen  .

Well THIS MAY HELP..

1. Download this. Its Bosch ABS Motorsport software (old version). I've read that Bosch ABS and Motorsport use the same firmware just different eeprom configs (yet to confirm this).

http://www.bosch-motorsport.jp/media/msd/downloads/software/bremssysteme_1/RaceAbs_1409_Setupexe.zip

2. Extract the exe inside with 7zip (7zip.org), right click, extract all to folder.

3. Download ConfuserEx unpacker for .net executable
https://github.com/XenocodeRCE/ConfuserEx-Unpacker/releases/download/1.0/1.0.7z

4. Extract it with 7zip and copy its contents into the Bosch ABS folder, then open a shell command line window;

Type in;

This will deobsfucate the .net application and unpack the executable protection!

You should see the following...

Yeah confuserex unpacker so what
[!] Anti Tamper Detected
[!] Anti Tamper Removed Successfully
[!] Cleaning Proxy Calls
[!] Amount Of Proxy Calls Fixed: 2220
[!] Decrytping Strings
[!] Amount Of Strings Decrypted: 1936

Inside the folder a new file should have been created.

RaceABS.exeCleaned.exe

NOW... you can use dnSpy to reverse it back to source-code with the obsfucation and removed entirely... So lets down it..

Get it from
https://github.com/dnSpy/dnSpy/releases/tag/v6.1.8

Windows 32-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win32.zip

*or* Windows 64-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win64.zip

Again extract it ....

Run it and then load in "RaceABS.exeCleaned.exe"

Look inside "RaceABS.LayerDevice"

In particular is SecurityEcuAccess()

This is part of the kwp2000 seed/key stuff which lets you inside the ecu..

Have fun hacking Bosch ABS with all the information learned from this tool !

Good point , however not just dnspy but ANY executable or driver software..

In this case all the links provided (except the race abs itself which is direct from Bosch) are from github which you can also download the source-code from and build (if you so desire) it yourself.

More info for the TMS570... These pins are easily found in the appropriate datasheet of the specific IC...

Any progress on this? I have a couple F430c abs modules sitting here.

can someone provide the version "RaceAbs_1409_Setupexe.zip"?
link is down

It doesn't seem to work with the current one...thanks