ECU - OBDII DTCs and PIDs

by **jezzab** » Mon Apr 02, 2012 7:12 pm

Haven't had a chance to do anymore testing. It's a pita coz I have to unplug the car pc and fuel system for the turbo or the battery goes flat real quick

by **tmk** » Tue Apr 10, 2012 3:24 am

https://docs.google.com/spreadsheet/ccc?key=0Aud1vACFe1cUdGM2WklKWnJQN0JqVkQwWEN5cDIzMXc - MyGMLAN bible.. been cobbling this together for a while. Thought I'd share.

If you use this info and it breaks something - you have been warned. If you find something I don't have - let me know and I'll add it.

TMK

by **jezzab** » Wed Apr 11, 2012 7:30 pm

Anyone got some data for a navigation module talking to the headunit? Would like to see if I can get the NAV input to work.

by **ZerOne** » Wed Apr 11, 2012 9:37 pm

Thanks TMK for that Bible....
That thing is bloody awesome !!!!

I have been trying to sniff packets with my GTOSoft Bluetooth module, but I keep getting buffer full errors,
which is SEVERELY limiting what a can sniff.

With TMK's bible, I might try and sniff certain header info, and see if I can get any further....

This is what I have so far....
(I havent had a chance to really LOOK at the logs I have, when I have a chance, I will try and compare the readings
with TMK's bible, and see if there is anything new, or different....)

One for MartinM,
Plugging in the Head unit plug, with the ignition off, and the SW Can asleep.

Code: Select all: >at ma 000 RTR <RX ERROR 10 00 20 40 00 01 74 77 0F FF E0 80 RTR 08 0A 00 40 00 0F FF E0 40 RTR 0F FF E0 B0 RTR 0F FF E0 C0 RTR 0F FF E0 94 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 99 RTR 10 2E 80 80 00 01 0F FF E0 80 RTR 10 2E 20 94 01 00 10 00 40 60 00 10 01 20 80 00 10 0D 00 60 00 00 00 00 10 0F 20 80 00 0F FF E0 60 RTR 10 2E C0 BUFFER FULL

This does not enable the Radio (The security lockout exists when you try and turn the radio On, with the ignition still off)
However, if you turn the ignition On, then the SW Can appears to send the VIN on the BUS, which enables the Radio....

New Radio, Turn Ignition Switch On, which cleared VIN Mismatch on Radio

Code: Select all: >at ma 000 RTR <RX ERROR 0F FF E0 80 RTR 10 00 20 40 09 01 74 77 08 0A 00 40 00 0F FF E0 40 RTR 0F FF E0 99 RTR 10 01 20 80 01 00 12 00 58 00 0A AA EA 00 0C 00 99 00 00 00 00 00 00 00 00 13 00 58 73 73 73 00 00 00 08 00 80 B0 02 00 0C 01 60 C0 07 66 00 00 00 00 00 00 0C 0D 40 99 00 00 00 00 00 0F FF E0 58 RTR 00 13 00 58 73 73 73 00 00 00 0F FF E BUFFER FULL

This one was pressing the NAV button, with the Ign Off, Radio off, and SW Bus silent.

Code: Select all: >at ma 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 0F FF E0 95 RTR 0F FF E0 BB RTR 10 01 80 C0 00 00 00 10 00 20 40 00 01 74 77 0F FF E0 B0 RTR 0F FF E0 85 RTR 10 00 20 40 00 01 74 77 10 00 40 60 00 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 0F FF E0 95 RTR 0F FF E0 BB RTR 10 01 80 C0 00 00 00 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 0F FF E0 95 RTR 10 01 80 C0 00 00 00 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 10 00 20 40 00 01 74 77 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 10 00 40 60 00 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 00 20 40 00 01 74 77 10 01 80 C0 00 00 00 10 00 40 60 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 0F FF E0 40 RTR 0F FF E0 80 RTR 0F FF E0 58 RTR 0F FF E0 94 RTR 0F FF E0 C0 RTR 0F FF E0 99 RTR 0F FF E0 60 RTR 10 01 80 C0 00 00 00 0F FF E0 95 RTR 0F FF E0 BB RTR 0F FF E0 B0 RTR 0F FF E0 85 RTR 10 00 20 40 00 01 74 77 0F FF E0 80 RTR 0F FF E0 40 RTR 0F FF E0 85 RTR 0F FF E0 99 RTR 10 00 40 60 00 10 01 20 80 00 10 0D 00 60 00 00 00 00 10 0F 20 80 00 0F FF E0 60 RTR 10 2E 00 80 00 02 00 10 2E 20 94 24 00 10 2E 80 80 00 01 10 2E C0 85 04 00 10 30 60 94 01 C0 00 03 10 30 00 BUFFER FULL

Lots of repeating crap in the above one...
Note, this did not display the Nav screen, however it did WAKE UP the Nav Unit from its power slumber
(The Nav units front blue light turned on).....

Because of the amount of data flowing when I turn the Ign Switch to on, its nearly impossible to log anything
at the moment with the hardware that I have.
(I get about 5 lines before I get the BUFFER FULL crap)....

I havent had much time to work on the stupid C# logger thing yet. (There is a serious bug with the serial port stuff, which needs some urgent attention), so I am going to write a quick and dirty perl script, to just press enter, and at ma when I get a BUFFER FULL Error.
That way, (HOPEFULLY) we can start getting some logs from this bloody nav unit thing !!!!!

by **tmk** » Thu Apr 12, 2012 1:05 am

ZerOne - your gonna overflow the buffer every time if you ATMA with an ELM327 and no filter on the header. I needed to go to 115200 baud to not overflow.

BUT don't do that if you have a bluetooth cheapy ELM327 - The chip will change baud rates and the Bluetooth serial module will not.. So - kinda half bricked.. (Speaking from experience.)

Not sure what GTOsoft had for autobauding in that GTOsoft module.. I can ask him?

TMK

by **tmk** » Thu Apr 12, 2012 1:15 am

Oh.. And my guess is the 0x094 is Nav.. ECU addresses $090 - $097 are personal comms. Onstar lives at $097. I'd set the ELM to filter everything from that one. And maybe 0x080 which is the radio head unit. Never seen anything at 0x094 in my G8.

On the ELM:

Header Filter
AT CF 00 00 00 94

Mask Filter
AT CM 00 00 1F FF

I have just about all the onstar turn by turn hav packets figured out. This displays directions in the center of the DIC, uses icons for turns and pops up a bar graph as you get close to a waypoint.

I think a Linux -> arduino -> CAN gateway could easily offer the same functionality.

I will post them once I test that they can be parroted back to the car and do what they are supposed to do.

TMK

by **ZerOne** » Thu Apr 12, 2012 8:35 am

TMK - Thankyou HEAPS again for your help !!!!

I am a real newbie when it comes to this stuff, so any and all help is HUGELY appreciated.
Now that you have shown me how to mask stuff out, I am itching to start logging packets for the Sat Nav module.

I will try and give this a go tonight, and post up anything that I find.

I also have some other modules in the car that would be interesting to sniff.
The Park assist (Shows how close you are to objects on the screen, using the Ultra sonic sensors),
Roof mounted DVD, LCD Entertainment unit. (Hopefully thing works, I have never ever tried using it, total waste of money if you ask me lol !!!).

Will post up some logs tonight
Cheers

by **tmk** » Thu Apr 12, 2012 11:06 am

ZerOne..

I have wanted the Nav packets for SOOOO long! Looking forwards to anything you get. I'd love to get component input.. Or even just a second mono audio input..

Suspect we will see ECUs between 0x090-0x096 for the nav stuff and ArbIDs in the 0x170-0x17f range.. They seem to be mostly undocumented anywhere and car specific..

You could mask on those things first?

Talked with GTOsoft - he never got the bluetooth module baud rates figured out. His android app just restarts the captures after a buffer full.

I have updated the bible. I just ran successful parrots on the OnStar nav stuff. Seems like there is 20 or so icons, and the AuxNav arbid was money.

TMK

by **ZerOne** » Sat Apr 14, 2012 5:07 pm

Sorry for the very long delay.
(I was rebuilding PCs for Home, after lightning took out two of them)...

Anyway, here are some more logs,
Header Filter : AT CF 00 00 00 94
Mask Filter : AT CM 00 00 1F FF

Ignition Switch Off, Bus activated...
No Data...

Ignition Switch On, (Nav button not pressed, but Nav system powers up and prepares for use).

Code: Select all: >AT MA 000 RTR <RX ERROR 10 2E 20 94 01 00 10 2E 40 94 03 10 30 60 94 01 C0 00 03 10 33 40 94 00 0F FF E0 94 RTR 0F FF E0 94 RTR 10 2E 20 94 01 00 10 30 60 94 01 C0 00 03 10 33 40 94 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 2E 20 94 21 00 0F FF E0 94 RTR 10 2E 20 94 20 00 10 0A 60 94 0C 04 0E 20 24 76 10 2E 20 94 24 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR etc etc etc...

NAV Button pressed (Does nothing really, just more of the same as the above.
Each line is sent roughly every 3 or so seconds....

Code: Select all: >at ma 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR

Ignition Switched Off

Code: Select all: >at ma 0F FF E0 94 RTR 0F FF E0 94 RTR 10 0A 60 94 0C 04 0E 20 28 16 10 2E 20 94 24 00 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 60 94 01 F8 00 00 10 30 A0 94 00 0C 80 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR etc.. Until Bus goes to sleep

Ign On, Nav screen displayed, Pressing NAV button on Steering wheel (using E3 HSV steering wheel buttons).
This showed NAVIGATION on the Instrument Cluster in Large Font...

Code: Select all: >at ma 0F FF E0 94 RTR 00 FF E0 BB RTR <RX ERROR 000 RTR <RX ERROR 10 2E 20 94 01 00 10 2E 40 94 03 10 30 60 94 01 C0 00 03 10 33 40 94 00 0F FF E0 94 RTR 0F FF E0 94 RTR 10 2E 20 94 01 00 10 30 60 94 01 C0 00 03 10 33 40 94 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 2E 20 94 21 00 0F FF E0 94 RTR 10 2E 20 94 20 00 10 0A 60 94 0C 04 0E 20 2A 32 10 2E 20 94 24 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 A0 94 00 0C 82 81 7F D7 10 30 C0 94 C9 03 0A 0A 4E 61 76 69 10 30 C0 94 C8 02 67 61 74 69 6F 6E 10 30 C0 94 C8 03 0A 04 00 00 00 00 10 30 A0 94 00 0C 83 01 7F D7 0F FF E0 94 RTR 10 30 A0 94 00 0C 83 41 7F D7 10 30 C0 94 C9 03 0A 0A 4E 61 76 69 10 30 C0 94 C8 02 67 61 74 69 6F 6E 10 30 C0 94 C8 03 0A 04 00 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 A0 94 00 0C 83 81 7F D7 10 30 C0 94 C9 03 0A 0A 4E 61 76 69 10 30 C0 94 C8 02 67 61 74 69 6F 6E 10 30 C0 94 C8 03 0A 04 00 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 A0 94 00 0C 83 C1 7F D7 10 2E 20 94 24 00 10 30 C0 94 C9 03 00 4E 61 76 69 67 10 30 C0 94 C8 02 61 74 69 6F 6E 0A 10 30 C0 94 C8 03 0A 0A 04 00 00 00 0F FF E0 94 RTR 10 30 A0 94 00 0C 82 41 7F D7 10 30 C0 94 C9 03 00 4E 61 76 69 67 10 30 C0 94 C8 02 61 74 69 6F 6E 0A 10 30 C0 94 C8 03 0A 0A 04 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR

Ign On, NAV set, Cluster Showing Navigation information...
Setting a destination on the NAV system....

Code: Select all: 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 A0 94 00 0C 82 41 7F D7 10 30 C0 94 C9 03 00 4E 61 76 69 67 10 30 C0 94 C8 02 61 74 69 6F 6E 0A 10 30 C0 94 C8 03 0A 0A 04 00 00 00 10 2E 20 94 24 00 10 0A 60 94 0C 04 0E 20 2C 4A 10 2E 20 94 24 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 33 40 94 01 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 10 33 40 94 00 10 30 A0 94 00 0C 86 41 80 15 10 30 40 94 06 40 01 16 10 29 00 94 00 00 00 00 10 30 A0 94 00 0C 86 41 BF D5 10 30 C0 94 C9 01 01 0A 02 20 0A 04 10 30 40 94 06 40 01 16 10 2E 20 94 24 00 10 29 00 94 00 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 10 30 A0 94 00 0C 86 41 80 15 10 30 C0 94 C9 03 01 0A 02 4F 66 66 10 30 C0 94 C8 02 20 52 6F 61 64 0A 10 30 C0 94 C8 03 04 00 00 00 00 00 10 30 40 94 06 40 01 16 10 33 40 94 01 10 29 00 94 00 00 00 00 0F FF E0 94 RTR 0F FF E0 94 RTR 10 33 40 94 00 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR 0F FF E0 94 RTR

This displayed the RIGHT ARROW on the cluster, no distance bar displayed, OFF ROAD displayed in small font on the cluster...

Let me know what else to try

Cheers

by **tmk** » Sun Apr 15, 2012 8:46 am

Cool stuff!

Looks like ECU 0x094 is just there to display stuff on the DIC.. I'd open up the log mask - I suspect we will see more stuff.

0x090-0x097 is what I'd grab -> So set the mask to 0x0001ff8

As for the snippets you posted - I see this DIC text was sent : ?Navigation?????

0x094 also sent a GPS date and time packet: 0x4 0x053 0x094 | 6 | 10 0A 60 94 0C 04 0E 20 2C 4A

I see the icon here: 0x4 0x182 0x094 | 4 | 10 30 40 94 06 40 01 16 - Same as onstar! (See the GMLAN bible)
I see the aux nav display info here: 0x4 0x148 0x094 | 4 | 10 29 00 94 00 00 00 00 - Same as onstar and in the GMLAN bible.. That's the bar graph stuff.

This might be the screen control.. - Never seen these before. and 19a isn't documented that I have found..
0x4 0x19a 0x094 | 1 | 10 33 40 94 01
0x4 0x19a 0x094 | 1 | 10 33 40 94 00

There is some ArbIDs in the 0x17x range.. Figured we see those .. What they do is TBD!

Great start ZerOne!

Welcome Anonymous !

ECU - OBDII DTCs and PIDs

GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Re: GM Lan Single Wire CAN Bus Sniffing

Search

Main Menu

User Menu

Preset Styles

Login

View new posts

Who is online