Runaway and Wheel Speed Sensor Hall Effect Software Forensics

I have BMW Z4, and have been thinking about getting an 2nd gen Prius as a town run-about.
I had a leaky valve stem (Shrader valve). I basically thought that most of the Prius 'runaway' was driver error. It probably still is. However, I had the cruise on my BMW engage itself. I am now a believer that these bugs can happen and not register with the system or log. My car and the Prius Gen II basically work the same way in terms of drive-by-wire.
I believe auto manufacturers are looking only at readouts from dealer software and the cars' logs without comparing them to the actual system measurements (electrical) to see if a bug is present.
I have some software/math background. I am wondering if anyone wants to have a look at this walk-though/forensics of unexpected voltage spikes and how they can effect behavior of drive-by-wire cars. This forensics report regarding Hall effect voltage spikes and transparent software/hardware bugs will be presented to NHTSA in a few weeks.
I have another thread up, here: Video Post over on Bimmerforums regarding how this issue was discovered. In that video I do not address in a serious way the issue of a bug where a partially deflated tire can cause engagement of different systems. That is a cursory discussion of all issues relating to the car.

This thread is a forensic analysis of the bug which got me investigating the car. I could be wrong in this analysis, or at least slightly off in interpretation formulation.
-----

BMW Three Line Can-Bus Forensics For Wheel Speed Sensor Cars

Hypothesis: Voltage capacitance mis-measurement/overage due to failure of Fourier transform conformity and/or leak in Can Bus system, specifically Can H, KL-15 in PT Can and its variants. Voltage spikes are used by system hardware/software interface to wake and control units. Excess voltage in the system can cause unusual and dangerous behavior in the vehicle; the extra voltage works as a software 'spoof' creating false commands passed on to subsets of control units, and is transparent to the ECU.

Note: personally experienced in the e85 (Z4) as cruise auto-engage and believed possible culprit of e65 (7) rollaway.

Outcomes: Under rare circumstances various control modules relating to running of the vehicle can 'self-activate' due to capacitance discharge i.e. a 'voltage leak'. This includes but is not limited to cruise auto wake or self-engagement (unintended acceleration) or neutral select (rollaway).

Forensics:

Bus systems communication manual states: The PT CAN uses two terminal resistors to establish the correct inductive and capacitive impedance in the communication lines. Two 120 Ohm resistors are located in the wire harness (no longer in the control units as on previous systems).

Capacitance and Hall effect: Wheel speed is measured by wave to Fourier transform and compared against a baseline version of the same.

Fourier transform may not have been update, with only rotational differences reprogrammed between vehicles. Over large amounts of time, drop places in the Fourier transform may result in capacitance build up and discharging.

In particular on the e85 it was noticed that a slow valve leak - incorrectly installed, or knocked loose - Schrader valve, resulted in between 8-10lbs leak over 4-8 weeks depending on weather/barometer.

Fourier Transform: This slow leak was undetectable to the wheel speed sensors and the diagnostic system i.e. the Fourier transform was degenerating in its ability to correctly ascertain the state of vehicle without being evident. The delta of the decimal place drop is between these states over this amount of time in comparison to the self-generated wave of the hardware/ software(ECU) used for comparison:

Vx(Fourier transform)(iterate) = self-generated wave->(iterate)Vx ≠ ∆T/x = V!

e.g:

5V ->(V!) | driver input | -> | Fourier Transform comparo to ideal as 'AI' ( ideal drive input (B+ i.e. {KL-15 =5V ->(V!)/1V }) | - > | output (with V feedback in Can H/KL-15?)|


Where voltage in Can H (but not Can L?) *or B+ i.e. KL-15* creates extra 'spoof' voltage.

'Voltage spoof' is transparent to system software hardware.

(see attached page 20, e65 communication system):



Forensic Differential Analysis: Monitoring of event conformity and Fourier transfer over time to reveal gaps in algorithm and resets. Creation of condition events i.e. low pressure in tires with actual physical wire leads inserted into the system to examine against what the software is outputting. Creation of events such as voltage spike in KL-15 and Can H via inserted test leads to register 'spoofing' followed by again cross-referencing with the conform/iteration of the hardware/software interface for difference i.e. 'bugs'. In other words, shocking the system with voltage on the Can H and KL-15 should be able to turn on and off various boxes without registering in the ECU, depending on strength and software runtime.

This in turn should yield results in terms of actual software differences versus variable differences (I.e. vehicle dependent variable like tire rotation version hardware generated wave forms or various running states related to mixture/02 feedback, etc.).

Capacitance discharge events: In particular with the e85 and cruise, the event seems to be downhill off-camber (under-inflated wheel speed up)(2 events) causing Hall effect spike, which effects capacitance between wheel speed sensor, i.e. Hall effect spike, and cruise input. Same for deep potholes (2 events).

Very likely something similar is occurring with the e65 where cruise or other transmission wire faulting is causing 'dealer selected neutral' read as driver error.

Changing leaking valve solves the problem, regardless of resistor regulation as differential between Can-H and Can-L. Effect can also wake the cruise from sleep mode for normal operation (KL-15).

It is probable that on automatic cars this bug is often misconstrued or unnoticed due to the autocreep feature automatics exhibit, and 'brake riding' in traffic.

A resistor differential is very likely not causing the bug - it should not allow the release of excess capacitance into the system - this is the point of a resistor differential - the problem should lie before the differential network in the hardware. It will not be measurable by software - the software is functioning correctly, but was not written correctly (see above re: delta of decimal place drop/variable encoding).

Capacitance should also be able to absorb extra voltage in system and store it to a point (probably/apparently a point greater than the ability to execute the bug in the wrong direction).

However, examples of cars with cruise activated slowing themselves down, or putting themselves into park, do not exist - it is possible that some cruise disengagements are the result of CAN-L inputs, but it seems unlikely. Once voltage is introduced into the system, it does not just disappear.

This is a bug not measurable with regular plug-in 'dealer' engineering software, but coded into the system and the reason for hypothesis of Fourier transform lack of conformity i.e. ' decimal place' drop when conforming.

In plain english this means that the software is not written to each individual vehicle, but that various functions are placed onto the software which is written for a spectrum of vehicles - different engines get different voltages for sequence firing and how much/mixture rates, etc. tagged onto a basic software structure, or different wheels sizings.Cost saving and normal, and usually safer - bespoke software tending towards the buggy - except that in this case it has led to hardware malfunctioning as software because the basic safety checks are failing because they are too generic. It is exceptionally important that the safety check parameters for drive-by-wire cars be narrow and flexible, and these are not. They are wide and homogeneous.

Summation: A serious though rare bug which could result in catastrophic events. BMW has been unwilling/unknowledgeable regarding hardware versus software issues and has only investigated using factory service tools. Unsurprisingly, because the system believes it is functioning correctly, it has been unable to find or recognize the fault.

Original statements to BMW should have made it apparent that the software/hardware interface is probably the source of the issue.

The ECU appears to be fabricated by Siemens, but the Can Bus is of BMW design - the ECU appears not to be at fault, and it is after the resiteor differential network designed to prevent exactly this. Tt appears to be in the system bus communication between units.

The Hall effect measurement used on the cars is a robust system, which unfortunately has several drawbacks. This is one of them. Outside interference - Hall effect from simply running the car (pavement containing rebar and generating a magnetic field from the electricity in the car itself), and the necessity for canceling/shielding being another.

Due to the rarity and type of behavior of this bug it does not seem that the bug is due to any of the normal Hall problems.