OIL PAN OR MALWARE?

 

 

It was a very busy weekend. After returning from an unexpected trip I helped a friend out whose car developed an oil leak that I quickly diagnosed as a stripped drain plug bolt. Oil-pan replacement would total about $800 in labor and parts, but Larry’s household budget couldn’t afford the cost of the repair.

I called Larry and offered to repair the existing pan for about $130, and Larry was elated with the news. I raised the car up on the hoist. Sometimes a simple thread chaser would restore the threads, but not on the Larry’s car. It would take a little more effort.

I listened to an Oldies radio station while working. The songs of the 1960s era set a pretty good tempo for me to work by—not too fast, not too slow.

I greased the ream that would cut through the damaged threads; the grease would help the ream’s progress and also capture the metal shavings.

After reaming through the damaged threads, I carefully plucked the stray shavings from the hole with needle-nose pliers. Next, I replaced the ream with a spring-loaded tap and added more grease. I twisted the tap a half-turn, and then backed it out one-quarter of a turn. This would break the chips and ensure a clean set of threads.

When the tap moved freely, I knew that the threads had been cut properly. I used a flapper wheel on a drill to remove loose paint and machining marks. After degreasing the surface of the oil pan, I sprayed flat black paint onto it.

I installed a magnetized replacement drain plug with a nylon sealing washer, lowered the vehicle, added oil and checked for leaks.

Larry would be happy. The total job would cost him considerably less than if I replaced the pan.

This was relaxing—much more than investigating yet another 2017 SUV that was brought in to a facility in Washington, D.C on Saturday. The vehicle experienced runaway acceleration an faulty brakes. Data bus decoding and a special malware “flushing” technique I found to be successful eliminated the threat. The question was asked how to take future preventative measures against the introduction of malware into a vehicle’s network.

It was suggested by one of their experts to filter the CAN data bus traffic with the introduction of a firewall that would detect such malware, but I suggested it would be impractical. When safety data is transmitted to an onboard ECU, even microseconds count. I’ve been working on using a program that builds a white-list of all binaries, processes, scripts and network behavior that the manufacturer of the ECU intended the computer to have. Anything that is not on the white-list is then blocked.

The last time I was called to investigate resulted in developing a program to detect “droppers,” which are malware components designed to install malware (or a back door) through a gateway module. The malware code is sometimes dumped into a single-stage dropper in such a fashion as to avoid detection; or the dropper might download the malware to the gateway once activated by the ignition wake-up signal. This is a two-stage dropper.

Quite some time ago when I began these investigations, I came up with “Firefly,” which, when introduced through the diagnostic connector, would leave “markers” that would leave a complete audit trail of the source and the path of the malware.

I like the simpler, relaxing repair. Give me an oil pan plug anytime.



Grease Monkey???

Recently I had to diagnose a Diagnostic Trouble code, B0183 05, referencing a sunload sensor fault. The service information stated that, “If no value is read at the time of fault, the HVAC Control Module uses 0 W/m² as intensity, 45° for elevation and -75° for azimuth.”

I reread it, repeatedly, realizing how much a “Grease Monkey” had to understand to effectively diagnose & repair a contemporary vehicle. The phrase “Grease Monkey” is not intended to be offensive. Rather, it draws upon the common perception that, due to the nature of the job, a mechanic, and especially an auto mechanic, will have grease marks or oil stains on his or her clothing. It also refers to a mechanic's ability to reach into small spaces and fix problems that might otherwise be impossible for an average individual to access.

Today’s service technician must understand thermodynamics—the movement of heat—to effectively diagnose a latent-heat exchange problem at a condenser. Imagine the customer’s surprise if you told him, “The diathermal walls of the forward heat exchanger are displaying the consequences of Zeroth’s Law which states that no heat will flow between two objects that are at the same temperature.”

Right.

“In other words, you have a clogged condenser.

Or how about the customer who thinks that you have this remarkable “tool” that tells you what to replace to restore his machine to proper performance? All you must do is plug it into the diagnostic connector, right?

So, you’re diagnosing a P1101, an intake airflow system performance concern. So, this is what you read in the manufacturer’s service information about the concern:

The intake flow rationality diagnostic provides the within-range rationality check for the mass air flow (MAF), manifold absolute pressure (MAP), and the throttle position sensors. This is an explicit model-based diagnostic containing 4 separate models for the intake system.

·         The throttle model describes the flow through the throttle body and is used to estimate the MAF through the throttle body as a function of barometric pressure (BARO), throttle position, intake air temperature (IAT), and estimated MAP. The information from this model is displayed on the scan tool as the MAF Performance Test parameter.

·         The first intake manifold model describes the intake manifold and is used to estimate MAP as a function of the MAF into the manifold from the throttle body and the MAF out of the manifold caused by engine pumping. The flow into the manifold from the throttle uses the MAF estimate calculated from the above throttle model. The information from this model is displayed on the scan tool as the MAP Performance Test 1 parameter.

·         The second intake manifold model is identical to the first intake manifold model except that the MAF sensor measurement is used instead of the throttle model estimate for the throttle air input. The information from this model is displayed on the scan tool as the MAP Performance Test 2 parameter.

·         The fourth model is created from the combination and additional calculations of the throttle model and the first intake manifold model. The information from this model is displayed on the scan tool as the Throttle Position Performance Test parameter.

The estimates of MAF and MAP obtained from this system of models and calculations are then compared to the actual measured values from the MAF, MAP, and the throttle position sensors and to each other to determine the appropriate DTC to fail.

As a technician, you are expected to know that the P1101 is caused from a failed throttle model test, a passed first intake manifold model, a failed second intake manifold model and a failed fourth model. Now, since you know that the engine controller detected that the actual measured airflow from the MAF, MAP, and throttle position sensors is not within range of the calculated airflow that is derived from the system of models for greater than 2 s, you must determine the root cause of the concern. You have a remarkable tool, all right—it’s called your brain. And it doesn’t plug into the diagnostic connector of the vehicle (at least not yet)!

Computer programming can be an everyday occurrence for the typical shop technician. These days, the programming is sequential, meaning that multiple control modules will be updated at the same time to prevent any conflicts that could result due to modules having incompatible versions of programming. Several computers will have a setup procedure to relearn the values of vehicle systems and components. Modules may require a configuration procedure that sets a security code configuring the control module to the specific vehicle, which helps prevent theft of the module.

The technician of today must be adept at electrical diagnosis which can only come with the understanding of Ohm’s Law, Kirchhoff’s Law, and such terms as “resistance,” “conductance,” “susceptance,” “admittance” and “inductive reactance,” just to name a few. An oscilloscope can be a valuable diagnostic tool as it provides a graphic view of the waveform.

Consider a starter motor as it allows moderate current flow as the engine crankshaft pushes a piston up in its chamber and then a higher current as we’re compressing the gases in the cylinder. The starter motor creates an Electromotive Force (EMF), increasing with speed, in the opposite direction to the voltage supplying it. This Back-EMF reduces the current flowing into the motor. The heavier the load on the motor, the slower it runs, so the smaller the back-EMF, the higher the current. EMF and Counter-EMF are more terms the technician is familiar with.

So, what is a Grease-Monkey? Climb into your time machine to visit the industrial revolution of Great Britain to see children greasing the massive rotating axles used to transfer power from one primary steam engine to all the units on the factory floor. The children, capable of climbing into small places, became covered with grease. Now you’ve seen a grease-monkey.

So, back to my first question:

 If 0 W/m² is intensity, and 45° for elevation and -75° for azimuth, is it morning, noon or night from your location (assume, of course, that azimuth is the sun’s location on a horizontal plane running from east to west?

I Think I CAN – Decoding the Bus

 

The 2014 Chrysler 200 Touring car originally arrived with a DTC U1503 (Implausible Message Data Length Received from TIPM). The shop checked the CAN B and CAN C circuits for open or shorted conditions, that the TIPM was configured correctly, powers and grounds at the PCM, TIPM and ABS modules, and battery voltage. The battery and TIPM were replaced. The ABS light would turn on intermittently.

An increasing number of computers and devices are being added to CAN buses and as more modules are added the available bus time becomes more occupied. When the traffic reaches around 40% of the bus time, errors can start to occur. At this point an oscilloscope may be required to debug the network.

What can cause errors? Voltage spikes and electrical interference from collapsing magnetic fields, inductors and power devices can all affect CAN communication. Data bits are fixed amounts of time. CAN data consists of a Start-Of-Frame (SOF) bit, an Identifier field consisting of 11 or 29 bits (indicating the nature of the data, such as engine PIDs, ABS data, etc.);

The Control field indicates the size of the Data field and contains what is called the Data Length Code (DLC). The Data field is the information transferred (such as engine rpm, water temp, oil temp, etc.). The Cyclical Redundancy Check (CRC) field is an error checking method to ensure the transferred data is not corrupted by any electro-magnetic disturbances. The Acknowledge field (ACK) is a very simple method of indicating to the transmitting computer that all the receiving computers have received the data uncorrupted. Then there is the End-Of-Frame bit.

The particular areas of interest for reading data from the CAN Bus are the Identifier and Data fields. The PICO Scope is capable of serial decoding and I used it to decode the CAN data bus. The IDs and Data are shown in coded hex (Hexadecimal), which is standard in the digital communications industry. I noticed that the bus frame rate and bus load of this CAN Bus system was shown as approximately 28%. Max bus load of a Powertrain type system is usually around 40%. I noticed that at 64.87 seconds after the start of collection, a few Error frames began to occur and then disappeared.

We started moving connectors and when we moved the ABS module connector, multiple Error frames appeared on the PICO Scope. Upon closer inspection of the 47-way connector, Pin #12, which is CAN C (+), had green corrosion, barely discernible, until I inspected it with my 40x, illuminated loupe. These days a quality magnifier is a must!

I Want to be an Automatic!

The call came in from a shop in Cincinnati. “I’m dealing with a 1999 Camaro Z28 with a 5.7 VIN G and a manual transmission,” Jim F. said. I replaced the powertrain control module and that’s when my trouble began.”

“Why did you replace the PCM? What was the original customer concern?”

“It kept tripping a code for the coolant sensor. I traced the problem to a defective PCM so I put a remanufactured PCM in that I got from Brand X warehouse (no names please).”

“They don’t make new ones for this older vehicle,” I said, just to make sure.

“Correct. Anyway, I put the VIN code in, did the idle learn procedure, the crankshaft position variation learn procedure; the engine oil life reset and the functional check. Now the PCM keeps tripping all kinds of automatic transmission codes and it’s a stick shift.”

“Maybe you programmed it incorrectly or put the wrong VIN in?” I offered.

“Look—I’ve been a GM line tech for thirty years. I’ve been programming computers since day one. I didn’t make any mistakes, Bob.”

“Okay,” I said. “Is there any more to the story?”

“I figured I had a defective Brand X PCM so I got another Brand X computer, put it in, and programmed it. I had the same problem.”

“Okay,” I said, “Is there any more to this story?”

“Yeah,” Jim said, “I got tired of Brand X so I got a PCM from the Brand Y warehouse, put it in, programmed it, and I still have the same problem. What do you think?”

“Are you using a factory tool to program it?”

“Yep.”

“I think you should double check the VIN code against what you’re putting in to it,” I said.

“Is that all you got?” Jim asked.

“That’s all for now,” I said.

He ended the call. Later that afternoon I got a call from a sales rep who told me he was on his way to Jim’s shop with another reman PCM he picked up from the Brand X warehouse. “Help me out, Bob,” Dave said, what should I be looking for? Jim is really upset with our Brand X parts and with you for not helping him.”

“Dave, check the VIN code very carefully of the Camaro.”

That evening, Dave called me back. “You’re not going to believe what I found, Bob, on that Camaro.”

“Try me.”

“The first-time Jim programmed the PCM, he was one digit off on the VIN code. The PCM thought the car had an automatic transmission. Every time he put another PCM in it, he pulled out the wrong VIN code and put it back in to the other PCMs.”

“I’m glad it’d fixed,” I said.

Jim never called me back to thank me or apologize for hanging up. All I can say is, entry-level technicians make mistakes and seasoned technicians make mistakes. We’re human and it happens to all of us. The key is, learn from your mistakes.

Until the next time.

Two For One

The 2011 Impala came in to the shop for a rough idle and P0300 misfire code. The shop determined that the cause of the concern was throttle body coking. After cleaning the throttle body the engine had a high idle, around 1700 RPM, and wouldn’t drop, even after a battery disconnect.

Coking comes from certain emission control components that capture crankcase oil vapors and small amounts of exhaust fumes and re-directs them back thru the intake system of the internal combustion engine. Too much time in stop and go traffic or idling isn’t the best for an internal combustion engine. This type of driving/operation can significantly carbon/coke up their engine very quickly. Another bad habit is hard acceleration. This over fuels the engine and leads to more problems including more carbon/coking build-up.

“So, how do we bring the idle speed back down?” Raul asked.

“First, realize that then engine computer learns the airflow through the throttle body to calculate the correct idle speed and stores the calculations in its memory.”

“Yeah, but can’t it compensate for coking?”

“It does,” I explained, “But up to a point. Then when you cleaned the coking, you changed the throttle body airflow rate.”

“Right—but doesn’t the engine computer learn the new values on its own?”

“It may take several drive cycles to learn out the coking, Raul. But you can also use a scan tool to reset all the learned values back to zero.”

“My scan tool doesn’t have anything like that,” he said.

That’s why I brought mine to his shop. I consulted the service information because the relearn procedures can be different depending on the vehicle.

“To reset the learned values to zero, we turn the ignition ON, engine OFF,” I said, finding the Idle Learn Reset procedure in the Module Setup menu on the scan tool.

“Next, we start the engine and monitor the throttle idle airflow compensation data PID.” The engine was already idling normally now and the data PID was at zero, which was where it belonged. I checked for trouble codes; there were none, and Raul took the vehicle out on a short road test. He was all smiles when he returned.

“The Impala runs great now.”

That one was easy. But Raul wasn’t going to let me off that easily.

“Hey, as long as you’re here, Bob, I have another one for you.”

Here it comes. “What is it?”

“I’ve been fighting with a 2009 C4500 eating up heater cores all the time,” he said. “We did a coolant flush first and that didn’t fix it. I switched coolants and put a ground on the heater core but that didn’t help.”

I was writing this all down in my notepad, of course. The memory isn’t as good as it used to be. “Get rid of the heater core ground,” I said. Back when electrolysis first cropped up as a cooling system problem, some technicians tried to re-route stray voltages to battery ground. But it merely accelerated the problem. I asked what else had been done to the truck.

“We installed a water shutoff valve to shut off flow to the heater core when not in use, but we still have issues with the truck. How about if we install a copper and brass heater core?”

“That would be treating the symptom but not the disease,” I said.

“We checked for bulletins and other documents but found nothing.”

I wrote that down. “Did you check for voltage in the coolant?”

Raul nodded. “A tenth of a volt, maybe less,” he said. We touched the negative voltmeter probe to battery ground and pot the positive lead into the coolant. We didn’t touch any metal, either.”

“Did you check for both DC and AC voltages?” I asked.

Jim, one of the technicians, asked me why they had to check for AC voltage.

“Keep in mind that you could have a bad engine block heater or faulty alternator diode,” I explained. “Did you check all the grounds?”

“They’re all good,” Jim said.

“Let’s check them statically,” I said. “Turn off all accessories. Turn ignition on, but do not start the engine.” I had them check with the ground probe of the meter to battery ground, engine ground and vehicle ground, sequentially. They found one ground connection that needed cleaning. We continued our testing.

“Check the accessories without using the on/off switch on the vehicle instrument panel, use a jumper wire to ground,” I instructed. Next, we turned on all the accessories. We tested again with the ground probe of the meter to battery ground, engine ground and vehicle ground. We were coming up with about two-hundred milli-volts.

“The spec calls for .4 volts or less,” I said.

“Can static buildup cause problems?” Raul asked.

“Rubber-mounted driveline components, a squirrel cage spinning in a plastic HVAC case when the blower motor isn’t properly grounded, and even tires.”

“Tires?” Jim asked.

“Tires?” Raul asked.

“A while back, a certain tire company got complaints from drivers who kept getting zapped whenever they got out of their vehicles. The tires were producing a static buildup when the vehicle was driven under certain conditions.”

“Maybe that’s the problem here,” Raul offered.

“What’s this truck used for, Raul?” I asked.

“Deliveries—it’s a delivery truck.”

“Lots of stop-and-start driving?”

“Right,” he said.

“Did you check for coolant voltage while cranking the engine?”

Bingo.

In cases of electrolysis, a defective or missing ground on an electrical component causes the electricity to seek the path of least resistance whenever the component is energized. Sometimes the path of least resistance is a radiator or maybe a heater hose, or the radiator or heater core. As the current draw of the poorly grounded accessory increases, so does the destructiveness of electrolysis. A poorly grounded engine and starter motor can flow enough current through the cooling system to blast apart a heater or radiator in a matter of weeks or even days, depending on how often the vehicle is driven with stops and starts. 

It was a long weekend. Closing up shop.

Under Pressure

 

 

This has been a week for TPMS issues—that’s AutoGeek for Tire Pressure Monitoring System. Many failures were attributed to the fact that the sensor batteries are getting older with each passing year. Battery life is directly related to the number of radio frequency transmissions which are affected by the system/sensor design and driving habits. Generally speaking, short drive trips with starts and stops can have a greater impact than overall miles driven. Those sensors have been rated at a 7-to-10-year life span but again, there are many conditions affecting battery life.

“What we’ve been fighting is a 2010 Ford Focus with a B2872 and a B287A code. What do you think it could be?” They ask.

Like I memorize every single DTC out there, right? Doesn’t everybody? So, I ask, “What are the code definitions?”

“The B2872 is a tire pressure sensor fault in general if the GEM module loses a sensor signal and B287A sets when the GEM module doesn’t get a response from all four sensors.”

“Okay,” I said. “Did you do anything to diagnose it?”

“We performed the relearn procedure and the car seemed fine after we road tested it. It came back three weeks later.”

“Okay,” I said, writing that down. I always jot down the notes and then review them for later. “Anything else?”

“We did a cold reboot of the smart junction box,” was the response.

“How did you do that?”

“We pulled the battery cables off and shorted them together for about a minute to drain the SJB’s memory.”

I jotted that down in my notepad. “Anything else?”

“The car has a dealer-installed car alarm but that was two years ago and this problem is fairly recent.”

I wrote that down.

“How long do the batteries last in the sensors?”

“That depends on driving habits for the most part. Manufacturers claim 7-10 years but I’ve been hearing that they last at the lower end of the window in city driving.”

“We replaced all the sensors on the vehicle but the car came back for the same problem and the same two codes.”

“At least you know what isn’t causing the problem,” I said.

They didn’t appreciate my comment. No one ever does. I remember a customer asked a friend of mine, “If a shop doesn’t send their technicians to training classes, then where do those technicians get their training from?” The response was, “Your wallet.”

“Do you think the Smart Junction Box could be bad? I mean—it monitors the sensors’ signals, right?”

“Correct,” I said, “But didn’t you say that the problem is intermittent?”

“Yeah—we even tried training the sensors in a different order and it worked fine.”

I jotted that down. “It acts up for the customer, right? But it doesn’t act up in your shop?”

“That’s right.”

“Is the customer driving the vehicle with an insurance tracking device, or a cell phone charger, power inverter—anything like that?”

“I don’t know—the guy is in the waiting room, so I’ll ask him.”

That is a missed step in the diagnostic process. Always check for aftermarket devices in the vehicle and always ask the customer about using them, also. Rod came back to the phone.

“The guy said not really.”

“Rod, it isn’t a tough question—yes or no? I don’t know what not really means in this business.”

“He uses a cell phone charger. But he also said he charges the phone while driving and sometimes the tire pressure system acts up with the charger plugged in and sometimes it doesn’t.”

“Most cell phone chargers don’t produce high levels of RFI all the time, Rod. It depends on the state of charge of the cell phone battery. The phone must be almost completely discharged in some cases for lots of RFI to be produced."

I heard Rod explain what I just said to the customer but Mr. Customer wasn’t buying it.”

“Rod, ask the guy if the charger is the original charger that came with his phone.”

After a couple of minutes the guy said that he couldn’t find the original charger and bought a cheap one.

“Here’s the problem,” I started, “Cheap chargers don’t carry CE, MFI and RHOS approvals. The U.S. market TPMS transmits data on 315MHz, while the European TPMS transmits data on 434MHz. Electronic devices not intended for U.S. markets may not be shielded properly for different frequencies, thus interfering with U.S. market devices—understand?”

I heard Rod tell the guy as best as he could but I heard the customer arguing. Rod came back to the phone.

“Is there anything else we can check? He doesn’t believe the charger could be doing it.”

“Yeah, Rod—you can disconnect the dealer-installed alarm system and tell the guy to drive the Focus for a while to see what happens. Sometimes, the interference can be caused by a module or ground on the vehicle. Depending on how bad the issue is, a dirty ground, improperly built ground shield or module can disable the system. Modules that have microcontrollers using clock circuits to create the timing pulses for the microprocessor may radiate RFI. I can go on, but how much does the guy want to pay you to diagnose it, Rod?”

Rod chatted with the customer. The guy decided to leave his car for additional diagnostic time. Rod set him up with a rental car and he left.

“Thanks for your time,” Rod said to me, “I’ll let you know what we find.”

And here the story may have ended except that one week later, that argumentative customer brought the rental car back with a TPMS problem that developed AFTER he plugged in that cheap, Brand X cell phone charger into the rental and it triggered a fault.

And he didn’t want to pay Rod for his diagnostic time because the car didn’t really have a problem—it was the charger.

“I don’t need customers like that,” Rod said.

“Really? Did you charge the guy to retrain the system the first time he brought it in?”

“Well, yeah, but—“

“Did you charge him to do a cold reboot of the SJB?”

“Well, yeah, but—“

“Did you charge the guy for the four sensors you installed that the Focus didn’t need?”

“Okay, okay—I get your point.”

I guess Rod got his training from the customer’s wallet, eh?

Closing up shop for the night.