This is left brain – right brain weekend. While the more image driven can submerge themselves in pictures of old car ads, the other faction can unleash their inner nerd with abandon. Yesterday, we covered how ABC had entered the grail of automotive disaster-fakery, previously populated by NBC and CBS. ABC’s smoking gun video had been torn to shreds.
Today, we turn our attention to the man who aided and abetted the tricksters: Associate professor David Gilbert of the renowned Southern Illinois University. His work has been inspected by Exponent, a research company hired by Toyota. Hired by Toyota? Well, that should discredit Exponent immediately. Not so fast.
Crash Sled thankfully has found a full copy of Exponent’s retort to Gilbert’s machinations. The report is hosted on the ABC website, so we can assume it passed ABC’s scrutiny, for what that may be worth. Let’s look at the report a little closer.
Warning: This discussion needs a basic understanding of electric circuitry. If that’s not your thing, then don’t waste your time reading further. We’ll leave you to Sunday’s pictures with the message that Gilbert is a charlatan extraordinaire, and that whoever put him on the stand to make a case against Toyota needs to have his or her head examined. However, should you own a 2010 Toyota Avalon, then you have slight cause for concern.
Quick review of the theory: You may remember the discussion that ensued after Ed Niedermeyer had first presented Gilbert’s work a little bit more than a week ago. Gilbert had introduced what he called “a short” to the throttle-by-wire circuitry of a Toyota, and the car took off. A big parsing of words ensued about what constitutes a short, and what does not. Never mind. Now we know what Gilbert had done.
Follow me please to the picture on top. Ignore the red and green parts for a moment; we will get to them in a minute. You see the basic circuitry of a Toyota Electronic Throttle Control System (ETCS). It consists of two separate Hall sensors (housed in the “Accelerator Position Sensor”). The Hall sensors talk to the Engine Control Module (ECM). The throttle position is sent twice to the ECM, via the VPA wire and via the VPA2 wire.
The voltages on VPA and VPA2 are offset; the theory behind this becomes clear when examining the “ETCS Theory” picture on the left. This picture has been lifted from educational material, thanks to ControlsGuy.
Now what did Gilbert do? According to the Exponent document, he did what anybody would do who knows a little bit about resistors, and who has the educational material made available by ControlsGuy. Actually, just from looking at the data, I had recommended exactly the same procedure 10 days ago.
Follow the red circuit. Gilbert connected the VPA output of the primary Hall sensor to the VPA2 output of the secondary Hall sensor. He did not “short” it (this would have caused an immediate fault); he connected it through a carefully selected 200 ohm resistor. Anything below 50 ohms and anything higher than 250 ohms would have triggered a fault. According to Exponent, “adding the resistance did not noticeably change the operation of the engine.” This does not come as a surprise to someone who knows his V = I * R. To get the engine going, Gilbert had to do something else.
Follow the green part of the circuit. Gilbert connected VPA2 to what Exponent calls “one of the 5-volt power supply wires from the accelerator pedal,” and the car took off without setting a fault. Why? Because the engine computer saw the voltages on VPA and VPA2 rise in unison. Balanced by the carefully chosen resistor, the voltages on both lines rose within the offset limits. The ECM had no reason to get alarmed, or set a fault code. It told the throttle to open wide. Gilbert carefully engineered the setup so that the ECM saw what it wanted to see. The ECM can read and compare voltages. It cannot read a wicked mind.
By the way, Gilbert and Exponent say that this circuit trickery only works if the VPA2 side is connected to +5V. Connecting VPA to +5V would trigger a fault. Students of the ETCS Theory diagram immediately see why: VPA would go to 5V, would rise above VPA2, the ECM would decide that things are solidly out of whack and would immediately surrender into limp mode.
For the Intended Gilbert Acceleration to occur in the wild, several things would have to happen in an exact sequence: First, the insulation for both VPA and VPA2 would have to break down. Then, a connection between VPA and VPA2 would have to be established. Into this connection, a resistance of no less than 50 ohms and no higher than 250 ohms would have to be connected. Once, and only once, this connection between VPA and VPA2 has been established through the proper resistor, VPA2 (and not VPA) would have to be connected to +5V. Then, the car would take off.
Says Exponent: “For such an event to happen in the real world requires a sequence of faults that is extraordinarily unlikely.” What is more, the unlikely sequence would have left “a fingerprint” as Exponent calls it, broken or scorched insulation, stains, if not the “short” itself. Nothing of that kind has been recorded.
One minor problem remains. That problem has not been raised by Gilbert (shame on you), nor by Exponent (well, they are paid by Toyota): Connecting VPA2 to +5V should be recognized as a short to power, and the system should go into limp mode. We don’t know whether the Avalon would go into limp mode with the 200 ohm resistor removed and VPA2 connected to +5V. Let’s assume it would. Nonetheless, a basic failsafe step is missing in the Avalon. And the Avalon is pretty much alone with this problem, as we shall soon see.
Exponent went on to test the same setup with six other cars: A 2007 Toyota Camry, a 2009 Mercedes E350, a 2003 BMW 325i, a 2008 Honda Accord, a 2006 Subaru Impreza Outback, and a 2005 Chrysler Crossfire. Interestingly, the Gilbert rigging produced the same results in all cars. Same results. But not quite the same rigging.
When the 2007 Toyota Camry was tested, again nothing happened when VPA was connected with VPA2 through a 200 ohm resistor. However, when VPA2 was connected to +5V, the ECM registered a fault, set an error code and put the Camry into limp mode. The older Camry computer recognized the short to power. Exponent had to do what I thought necessary 10 days ago.
Please proceed to the next drawing. Follow the green circuit. Exponent added a 100 ohm resistor (Resistor 2) into the line to +5V. Resistor 2 dropped the supply voltage to a level that would not look like a short. The engine started to rev. Again, that was expected. The 200 ohm Resistor 1 maintained the offset between VPA and VPA2. The 100 ohm Resistor 2 kept the signal voltage from looking unhealthy. Varying Resistor 2 between 200 ohms and 15 ohms changed engine speed: A low cost aftermarket cruise control (don’t try this at home).
Testing the other cars provided the same results. The Honda Accord needed a 300 ohm resistor between the two redundant pedal sensors. The Subaru wanted a 100 ohm resistor. The others were happy with the 200 ohms. All cars needed a resistor in the line to +5V, just like the Camry. None of them set an error code. Smoking gun? More like smoke and mirrors.
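The two ECM checks discussed above, the offset comparison between VPA and VPA2 and the short-to-power range check, can be sketched as follows. This is an added example, not Toyota's or Exponent's code; every threshold and voltage in it is a constructed assumption chosen only to reproduce the four cases the article describes.

```c
#include <stdio.h>

/* Assumed, illustrative thresholds; not Toyota calibration values. */
#define OFFSET_NOMINAL_V 0.8 /* expected VPA2 - VPA */
#define OFFSET_TOL_V     0.3 /* allowed deviation from that offset */
#define RAIL_HIGH_V      4.8 /* at or above this: short to power */
#define RAIL_LOW_V       0.2 /* at or below this: short to ground */

typedef enum { PEDAL_OK, FAULT_CORRELATION, FAULT_SHORT_TO_POWER,
               FAULT_SHORT_TO_GROUND } pedal_status;

/* Offset check only: the two signals must track each other. */
pedal_status check_correlation_only(double vpa, double vpa2) {
    double dev = (vpa2 - vpa) - OFFSET_NOMINAL_V;
    if (dev < 0) dev = -dev;
    return dev > OFFSET_TOL_V ? FAULT_CORRELATION : PEDAL_OK;
}

/* Range check first, then the offset check. */
pedal_status check_with_range(double vpa, double vpa2) {
    if (vpa >= RAIL_HIGH_V || vpa2 >= RAIL_HIGH_V) return FAULT_SHORT_TO_POWER;
    if (vpa <= RAIL_LOW_V || vpa2 <= RAIL_LOW_V) return FAULT_SHORT_TO_GROUND;
    return check_correlation_only(vpa, vpa2);
}

int main(void) {
    /* Constructed readings, one per case discussed in the article. */
    struct { const char *label; double vpa, vpa2; } s[] = {
        {"pedal at rest",                    0.8, 1.6},
        {"VPA tied to +5V",                  5.0, 1.6},
        {"both raised, VPA2 at the rail",    4.1, 4.95},
        {"both raised, VPA2 below the rail", 3.7, 4.5},
    };
    for (int i = 0; i < 4; i++)
        printf("%-34s offset-only=%d with-range=%d\n", s[i].label,
               check_correlation_only(s[i].vpa, s[i].vpa2),
               check_with_range(s[i].vpa, s[i].vpa2));
    return 0;
}
```

The third reading passes the offset check alone but is flagged once the range check is added, which is the difference the article draws between the Avalon and the Camry; the fourth passes both, matching what Exponent observed with Resistor 2 in place.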
If you remember the discussion 10 days ago, the “inverted” setting of the redundant sensors in non-Toyotas drew quite some attention. Exponent notes that “for the Subaru, the two accelerator pedal position sensors produce parallel and nearly identical output voltages. For the other vehicles, the line slopes for sensor 1 and sensor 2 are different and not parallel to each other.” Surprisingly, this did not harden their circuitry against Gilbert-like shenanigans.
Says Exponent: “Dr. Gilbert opined in his report that several vehicle manufacturers currently use this fault detection strategy and that a short between the two pedal sensor outputs would be detected by the ECM. However, tests with pedal position sensors from five other manufacturers using his strategy demonstrate that the electrical wiring to the pedal can also be manipulated to create an apparent ‘sudden’ onset of acceleration and engine revving.” (Exponent does not say what happens when you vary the resistance to +5V and hence the input voltage, like they did with the Camry.)
There is much more in the report, such as a study of connectors, a look into the likelihood of wiring insulation, ECM and pedal failures. There is even a quote from NASA’s Fault Tree Construction Ground Rules, which recommend ignoring shorts to ground and power: “Do not model wiring faults between components. Generally, wiring faults, such as shorts to ground and shorts to power, have very low probabilities compared to probabilities of major components failing.” What’s good enough for the space shuttle is not necessarily good enough for your car. In any case, study of this material is left as an exercise to the student.
Class and Professor dismissed.