Pages: [1]
Author Topic: Bosch ABS Boot Mode  (Read 12126 times)
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« on: September 24, 2018, 01:44:37 PM »

Anyone got any information about it?

I need to go deeper into the ABS since my tires are almost twice the size of the originals so the mechanical grip is vastly different to factory so a new ABS calibration is required.

Q. What Microcontrollers are in use on the older Bosch ABS 5.3 vintage? Is it a C16x which I could do a Minimon over K-Line trick with?

-T
Logged
torcity
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 8


« Reply #1 on: May 04, 2019, 07:44:22 AM »

Did you ever figure this out? I can read 256 from the eeprom using Vag Can Pro, but can't write to it no matter what I do, and I do believe there should be more data than that on the complete EEPROM. Seems to be nothing about it online. Been screwing around with it for days, and have wrecked two modules in the process of discovery! (without much discovery lol)
Logged
jochen_145
Full Member
***

Karma: +9/-4
Offline Offline

Posts: 177


« Reply #2 on: May 05, 2019, 05:49:34 AM »

Very difficult infos, your are looking for..

Even for OEM, ABS/ESP are compleatly BLACK-BOX.

So very difficult to get ANY information about Bosch ABS.

Maybe try to re-engineer based of OEM update files, but with the information, your´ll, you do no have any info about application, addresses or A2L

Last time I saw Bosch flashing there stock ABS/EPS they are still using old Win3.11 based PC..
Logged
torcity
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 8


« Reply #3 on: May 06, 2019, 11:55:12 AM »

Ya, seems your right, proving to be nearly impossible. Almost 0 infomation out there until the b7 generation, where you are able to access the eeprom on the board. I haven't seen 3.1 in years  Grin. any chance you would have access to update files? I'm going to deal with my car, but now that I can't do it, I NEED to do it. I don't like not being able to figure something out. Very stubborn! I've got to look into powertrain communications to move forward, but think that will be a dead end as well, though it will provide some incite at least. I'd kill for a board schematic, but imagine that won't happen  Huh.
Logged
User2020
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 10


« Reply #4 on: July 25, 2021, 05:40:09 PM »

Any news on this?
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #5 on: January 11, 2022, 04:44:05 PM »

Well THIS MAY HELP..

1. Download this. Its Bosch ABS Motorsport software (old version). I've read that Bosch ABS and Motorsport use the same firmware just different eeprom configs (yet to confirm this).

http://www.bosch-motorsport.jp/media/msd/downloads/software/bremssysteme_1/RaceAbs_1409_Setupexe.zip

2. Extract the exe inside with 7zip (7zip.org), right click, extract all to folder.

3. Download ConfuserEx unpacker for .net executable
https://github.com/XenocodeRCE/ConfuserEx-Unpacker/releases/download/1.0/1.0.7z

4. Extract it with 7zip and copy its contents into the Bosch ABS folder, then open a shell command line window;

Type in;
Code:
"ConfuserEx Dynamic Unpacker.exe" -s RaceABS.exe

This will deobsfucate the .net application and unpack the executable protection!

You should see the following...

Yeah confuserex unpacker so what
[!] Anti Tamper Detected
[!] Anti Tamper Removed Successfully
[!] Cleaning Proxy Calls
[!] Amount Of Proxy Calls Fixed: 2220
[!] Decrytping Strings
[!] Amount Of Strings Decrypted: 1936


Inside the folder a new file should have been created.

RaceABS.exeCleaned.exe

NOW... you can use dnSpy to reverse it back to source-code with the obsfucation and removed entirely... So lets down it..

Get it from
https://github.com/dnSpy/dnSpy/releases/tag/v6.1.8

Windows 32-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win32.zip

*or* Windows 64-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win64.zip

Again extract it ....

Run it and then load in "RaceABS.exeCleaned.exe"

Look inside "RaceABS.LayerDevice"

In particular is SecurityEcuAccess()

This is part of the kwp2000 seed/key stuff which lets you inside the ecu.. Smiley

Have fun hacking Bosch ABS with all the information learned from this tool !
« Last Edit: January 11, 2022, 04:45:59 PM by 360trev » Logged
aef
Hero Member
*****

Karma: +69/-46
Offline Offline

Posts: 1601


« Reply #6 on: January 11, 2022, 11:56:58 PM »

be careful where you download dnspy from:
https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #7 on: January 12, 2022, 05:37:55 AM »


Good point , however not just dnspy but ANY executable or driver software..

In this case all the links provided (except the race abs itself which is direct from Bosch) are from github which you can also download the source-code from and build (if you so desire) it yourself.
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #8 on: January 13, 2022, 06:46:29 PM »

If playing with kwp2000 and seed/keys to get into the ABS isn't your idea of fun there are other options to retrieve a version of the ABS code.

These screenshots are from a 2015 MY Jaguar F-Type ABS ecu - the pictures not mine, what you can clearly see is that Bosch dropped their die substrate nonsense and went to using an off the shelf Texas Instruments (ARM Cortex based) microcontroller called the TMS570.
These are JTAG'able and can be read/written using a ARM Segger J-Link (or cheap sub $20 clone)... Haven't done it myself yet but its only my list to dump the firmware if I can get some time!!!

Datasheet is still available from Ti online too which helps identify the JTAG pins (this is an example there are many variants you'll have to dig a bit further);
https://www.ti.com/lit/ds/symlink/tms570ls0432.pdf

« Last Edit: January 13, 2022, 06:50:34 PM by 360trev » Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #9 on: January 14, 2022, 06:17:18 AM »

More info for the TMS570... These pins are easily found in the appropriate datasheet of the specific IC...


Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #10 on: January 14, 2022, 06:21:05 AM »

And then you need to trace where the pins breakout..

There are many ways to find these kind of pins, if you invest in a Infrared BGA de-soldering station and then its easier to identify the JTAG pins and find the trace points by hand by looking up exactly where they come out of the IC itself (from the datasheet), then you can do a continuity test on a multi-meter and find the output pin by going around the board.

Here is an example of the another Texas Instruments TMS570 being used in a Volvo airbag computer and the final pinout... (from X-Tool but anyone can do this)
Logged
SqueeMax
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #11 on: May 08, 2022, 08:38:50 AM »

Any progress on this? I have a couple F430c abs modules sitting here.
Logged
treadshuffle
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #12 on: April 22, 2023, 08:45:27 PM »

The specifics of the algo are in an external library called 'SecAcc.dll' which isn't included with the RaceABS installation nor with Modas (which I remember reading that it interfaces with the ABS module). Unfortunately I wasn't able to find this, perhaps its distribution is severely limited to only those who are authorized to have them.
« Last Edit: May 17, 2023, 08:01:57 AM by treadshuffle » Logged
sonflasch
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 68


« Reply #13 on: April 24, 2024, 03:58:59 AM »

Well THIS MAY HELP..

1. Download this. Its Bosch ABS Motorsport software (old version). I've read that Bosch ABS and Motorsport use the same firmware just different eeprom configs (yet to confirm this).

http://www.bosch-motorsport.jp/media/msd/downloads/software/bremssysteme_1/RaceAbs_1409_Setupexe.zip

2. Extract the exe inside with 7zip (7zip.org), right click, extract all to folder.

3. Download ConfuserEx unpacker for .net executable
https://github.com/XenocodeRCE/ConfuserEx-Unpacker/releases/download/1.0/1.0.7z

4. Extract it with 7zip and copy its contents into the Bosch ABS folder, then open a shell command line window;

Type in;
Code:
"ConfuserEx Dynamic Unpacker.exe" -s RaceABS.exe

This will deobsfucate the .net application and unpack the executable protection!

You should see the following...

Yeah confuserex unpacker so what
[!] Anti Tamper Detected
[!] Anti Tamper Removed Successfully
[!] Cleaning Proxy Calls
[!] Amount Of Proxy Calls Fixed: 2220
[!] Decrytping Strings
[!] Amount Of Strings Decrypted: 1936


Inside the folder a new file should have been created.

RaceABS.exeCleaned.exe

NOW... you can use dnSpy to reverse it back to source-code with the obsfucation and removed entirely... So lets down it..

Get it from
https://github.com/dnSpy/dnSpy/releases/tag/v6.1.8

Windows 32-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win32.zip

*or* Windows 64-bit version exe
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-net-win64.zip

Again extract it ....

Run it and then load in "RaceABS.exeCleaned.exe"

Look inside "RaceABS.LayerDevice"

In particular is SecurityEcuAccess()

This is part of the kwp2000 seed/key stuff which lets you inside the ecu.. Smiley

Have fun hacking Bosch ABS with all the information learned from this tool !


can someone provide the version "RaceAbs_1409_Setupexe.zip"?
link is down

It doesn't seem to work with the current one...thanks
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.027 seconds with 17 queries. (Pretty URLs adds 0s, 0q)