1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DRB III Reverse Engineering Project

Discussion in 'General Viper Discussion' started by MoparMap, Oct 21, 2019.

  1. MoparMap

    MoparMap VCA National President

    Posts:
    1,548
    Joined:
    Jan 7, 2013
    Location:
    Kansas
    So the other day I picked up a Miller 6990 kit, which has the control arm bushing remover/installer, the caster fixtures (for gen 2 unfortunately), and the inclinometers and switchbox used by the DRB III to read caster. I don't have a DRB III, but I have some background in sensors as I helped to set up the test department where I work and deal with sensors and DAQ equipment on and off. I figured the sensors were probably typical 0-5V output or 4-20 mA like most lab style sensors you can find for data acquisition systems. My thought was I would plumb the signals into a simple microcontroller like an Arduino or even just a volt meter and figure out what angle corresponds to what output. Well, I was wrong. These sensors are a little more complicated than I was expecting, so I'm wondering if anyone out there has any background knowledge of the DRB III tool.

    I took the switchbox and sensors apart and pulled the numbers off of all the chips I could see inside and have been trying to trace the wiring to get an idea of what goes to what. As best I can tell and guess, the switchbox itself outputs an RS232 signal to the DRB III. That in and of itself would be easy enough to read with most microcontrollers. I think the DRB also supplies 12V to the switchbox over the cable, which is not exactly in the RS232 standard pinout, but makes some sense. I haven't tried hooking it up to anything to try to intercept data just yet, so I don't know if the sensor just constantly outputs data without being asked or if it will require a request for data before it sends. That is the big question I have right now I'm hoping someone might know.

    The sensors themselves are also quite a bit more complex that I was originally expecting. While I think at their very base level they are probably a simpler output, inside the aluminum box is a sensor on a PCB with a microcontroller (coincidentally the only chip I can't find a datasheet for). The PCB does have the wire hookups clearly marked as RX, TX, +, and - though, so guessing it is also outputting something like RS232 serial data. I would rather not remove the sensor from the board, even if that may be the easiest way to do what I want.

    So long story short, any electrical engineers out there that want to help out in trying to reverse engineer the setup? Or does anyone have a lot of in depth knowledge of how the DRB III communicates with the external sensors? If I can figure out how these sensors talk it would be easy enough to build a small box that would just be a live readout for them to let anyone use them to measure caster without needing the $3000 DRB III. The cheaper DRB III emulator isn't an option as it can't talk to the external sensors, it's just software. If all else fails I could always just get some generic inclinometers and find a way to attach them to the caster brackets, but this seemed like a novel enough side project and the parts are reasonably available.

    Some pictures inside the switchbox and the sensors themselves:

    Switchbox:
    IMAG2653.jpg

    Inside the sensor:
    IMAG2658.jpg

    Other side of the sensor board when removed from the case:
    IMAG2660.jpg
     
  2. MoparMap

    MoparMap VCA National President

    Posts:
    1,548
    Joined:
    Jan 7, 2013
    Location:
    Kansas
    I did find some interesting videos on YouTube the other day. They were the original Chrysler training videos when the DRB III was released and walked through what all it did and how to use it. They even had a very short section on these inclinometers, though it didn't say all that much other than "powered serial port". Did a little more digging into that and it looks like there is a standard pinout for RS-232 that supplies power (12V typically), so at least some precedent there. Also found a guy that was doing WireShark data dumps on the DRB III emulator that runs on a WiTech VCI Pod. The emulator still shows a menu option for the PEP module, so thinking I might have a chance and seeing what command is sent when turning on the inclinometer if I ever get a VCI Pod setup, which is certainly easier to come by than a real physical DRB III.
     
  3. MoparMap

    MoparMap VCA National President

    Posts:
    1,548
    Joined:
    Jan 7, 2013
    Location:
    Kansas
    So the circuit in the switchbox appears to be simple enough from what I can guess. It appears to be a fairly straightforward multiplexer and level shifter. The SP233ACT chip at the top right converts an RS232 signal to 5V logic (the level shifter part), so the DRB III appears to deal in RS232 and the inclinometers themselves only deal in 5V. The small chip on the far left is a voltage regulator to take what I presume is 12V in from the DRB down to 5V to run all the chips in the switchbox and the sensors themselves. The top middle chip is a simple inverter, there are six channels in it, but only 2 are used. The last chip is a multiplexer, or more simply basically just a switch that flops which sensor you are talking to. So the Rx and Tx ports on the DB9 connector for the switchbox are your standard RS232 serial connections, and you've got 12V and ground coming in as well. The last wire is the signal that toggles which sensor you want output from. Here's a logic diagram I drew up based on the schematics:
    Inclinometer Switchbox Logic.jpg
    So at this point I'm pretty sure I understand how to wire up something to try to talk to the sensors, but the bigger question still looms for what signal I need to send the sensors and what their response will look like. T1 in and R1 out on the diagram go to the SP233ACT chip to convert from 5V to RS232 levels. Judging from the readout on a DRB III, I'm expecting a signed floating point number to come out of the sensors, so I have some idea what to expect there, but still in the dark for what I might need to send the sensors to request them to send that info back. At this point I may just hook things up and see if it constantly broadcasts.
     
  4. Mumbles05

    Mumbles05 Enthusiast

    Posts:
    2
    Joined:
    Mar 18, 2016
    I don’t have accesses to anything to capture the signal nor do I have the sensor but I do have several DRB 3’s. I will try to upload some pictures of the PCB inside the PEP module later (assuming I am allowed) so that you can see what it’s connecting to inside the DRB 3. The guts of the DRB 3 are a lot more complex than you might imagine so there isn’t going to be an easy way to replicate that side of the hardware. That sensor plugs into the DRB 3 PEP module which itself plugs into the bottom board of a stack of 3 large PCBs and a 4th small one on top. I buy sell and repair Chrysler scan tools through eBay mostly so I’m familiar with the tools inside and out but I’m definitely not an electrical engineer so won’t be able to add much to the conversation in that respect. I do actually sell the VCI pod (real) with laptop setup running witech 17.04.27 and the “enhanced DRB 3 emulator” which was their later version of the emulator software that added support for the crossfire and sprinter vans, but I’m not yet familiar with the forum rules regarding buying/selling so I’ll hold off on anything regarding that until I check the forum rules. I’ve got ~6 of them out in the field though, including a viper shop in SoCal, so I know they work as they should but they do not support the inclinometer or other PEP accessories.

    C24A89F0-FF69-4497-88FF-A03D20D4D468.jpeg
     
  5. MoparMap

    MoparMap VCA National President

    Posts:
    1,548
    Joined:
    Jan 7, 2013
    Location:
    Kansas
    Ah, very cool! I have a DRB III manual I've been reading through and watched some of the original training videos for the fun of it. That thing can do an awful lot of stuff, so I can understand that it's not simple by any means to reverse engineer the whole system. I think the individual PEP module stuff still seems like it would be relatively more straightforward though, assuming there isn't some wild code exchange between the DRB and PEP sensors. I found one guy online that was doing WireShark data dumps from the emulator as there was another group trying to do a more thorough reverse engineering and I don't think anything looked super complex, but then again I don't know what all was going on either.
     
  6. Mumbles05

    Mumbles05 Enthusiast

    Posts:
    2
    Joined:
    Mar 18, 2016
    I do know the DRB 3 OS is “pSOS+” the + sign is part of the name. The pep tools programming is on the supercard 2 PCMCIA card. The PCMCIA card contains all of the software needed for the vehicles and functions it covers. When doing something that requires the supercard 2, the DRB 3 does a warm reboot and boots off of the card, running the programming contained on it in place of the software installed on the DRB 3. So, any reverse engineering/decompiling effort on the software side would be best focused there. The PCMCIA card is of the Linear type. The DRB 3 only appears to be compatible with Linear or SRAM card types. If you were to get your hands on something like the “Elan Memory Card Explorer” software, you could dump the contents of the card.
     
  7. MoparMap

    MoparMap VCA National President

    Posts:
    1,548
    Joined:
    Jan 7, 2013
    Location:
    Kansas
    Interesting, I'll have to keep my eye out and see what comes up in the future. I'm still kinda surprised that the sensors were as complex as they were. I really figured they would just use "off the shelf" style lab sensors with typical voltage or amperage output. It seems a bit odd they would put a microcontroller in each sensor to convert data to a digital style output, but maybe they had their reasons for it. I guess you have to have a pretty good filtered power supply and sensitive circuitry to read that, but seems like it would be easier to built that into the DRB III instead of each sensor.
     

Share This Page