- Options
- Login
- Register
- Desktop Style
- SCI Bus
-
SCI Bus
HackMaster > 08-13-2023, 02:09 PM
SCI-bus
Following commands are extracted from an SBEC3 engine controller. Most of the basic commands are valid for SBEC2 engine controllers as well.
1. Low-speed mode commands (7812.5 baud)
Code:ROM:35000 ; =============== S U B R O U T I N E =======================================
ROM:35000
ROM:35000
ROM:35000 SCI_RXIDJT:
ROM:35000 jmp SCI_GETSFT ; SCI ID 10 STORED FAULT CODE LIST
ROM:35000 ; --------------------------------
ROM:35000 ; TX: 10
ROM:35000 ; RX: 10 XX YY ZZ (FD) FE CS
ROM:35000 ;
ROM:35000 ; XX YY ZZ: fault code list
ROM:35000 ; (FD: unknown)
ROM:35000 ; FE: end of list
ROM:35000 ; CS: checksum
ROM:35004 ; ---------------------------------------------------------------------------
ROM:35004 jmp SCI_GETPFT ; SCI ID 11 PENDING FAULT CODE LIST
ROM:35004 ; ---------------------------------
ROM:35004 ; TX: 11
ROM:35004 ; RX: 11 XX YY
ROM:35004 ;
ROM:35004 ; XX YY: two most recent fault codes
ROM:35004 ; pending to be confirmed
ROM:35008 ; ---------------------------------------------------------------------------
ROM:35008 jmp SCI_SETHSP ; SCI ID 12 ENTER HIGH-SPEED MODE
ROM:35008 ; -------------------------------
ROM:35008 ; TX: 12
ROM:35008 ; RX: 12
ROM:35008 ;
ROM:35008 ; 12 is echoed back at 7812.5 baud.
ROM:35008 ; Baudrate is then switched to 62500 baud.
ROM:3500C ; ---------------------------------------------------------------------------
ROM:3500C jmp SCI_SETACT ; SCI ID 13 ACTUATOR TEST
ROM:3500C ; -----------------------
ROM:3500C ; TX: 13 XX
ROM:3500C ; RX: 13 XX XX
ROM:3500C ; TX: 13
ROM:3500C ; RX: 13
ROM:3500C ;
ROM:3500C ; XX: actuator test mode
ROM:35010 ; ---------------------------------------------------------------------------
ROM:35010 jmp SCI_DIAGRQ ; SCI ID 14 DIAGNOSTIC DATA REQUEST
ROM:35010 ; ---------------------------------
ROM:35010 ; TX: 14 XX
ROM:35010 ; RX: 14 XX YY
ROM:35010 ;
ROM:35010 ; XX: parameter
ROM:35010 ; YY: value
ROM:35014 ; ---------------------------------------------------------------------------
ROM:35014 jmp nullsub_3 ; SCI ID 15 READ FLASH MEMORY
ROM:35014 ; ---------------------------
ROM:35014 ; TX: 15 XX YY
ROM:35014 ; RX: 15 XX YY ZZ
ROM:35014 ;
ROM:35014 ; XX YY: flash memory offset
ROM:35014 ; ZZ: flash memory value at given offset
ROM:35014 ;
ROM:35014 ; Note:
ROM:35014 ; SBEC2 only.
ROM:35018 ; ---------------------------------------------------------------------------
ROM:35018 jmp nullsub_3 ; SCI ID 16 READ FLASH MEMORY CONSTANT
ROM:35018 ; ------------------------------------
ROM:35018 ; TX: 16 XX
ROM:35018 ; RX: 16 XX JJ KK LL MM CS
ROM:35018 ;
ROM:35018 ; XX: configuration page (80/81/82)
ROM:35018 ; JJ KK LL MM: 4 bytes from selected page
ROM:35018 ; CS: checksum
ROM:35018 ;
ROM:35018 ; Note:
ROM:35018 ; SBEC2 only.
ROM:3501C ; ---------------------------------------------------------------------------
ROM:3501C jmp SCI_ERSFLT ; SCI ID 17 ERASE ENGINE FAULT CODES
ROM:3501C ; ----------------------------------
ROM:3501C ; TX: 17
ROM:3501C ; RX: 17 RR
ROM:3501C ;
ROM:3501C ; RR: result
ROM:3501C ;
ROM:3501C ; Result:
ROM:3501C ; 00 = stop engine
ROM:3501C ; E0 = erased
ROM:35020 ; ---------------------------------------------------------------------------
ROM:35020 jmp nullsub_3 ; SCI ID 18 CONTROL ASD RELAY
ROM:35020 ; ---------------------------
ROM:35020 ; TX: 18 XX
ROM:35020 ; RX: 18 XX RR
ROM:35020 ;
ROM:35020 ; XX: parameter
ROM:35020 ; RR: result
ROM:35024 ; ---------------------------------------------------------------------------
ROM:35024 jmp nullsub_3 ; SCI ID 19 SET ENGINE SPEED
ROM:35024 ; --------------------------
ROM:35024 ; TX: 19 XX
ROM:35024 ; RX: 19 XX
ROM:35024 ;
ROM:35024 ; XX = desired RPM divided by 7.85
ROM:35024 ;
ROM:35024 ; Example: 1500 RPM | 1500/7.85=191 | 191 = BF (HEX)
ROM:35024 ;
ROM:35024 ; Engine maintains set RPM for a few seconds,
ROM:35024 ; then it returns to normal idle speed.
ROM:35028 ; ---------------------------------------------------------------------------
ROM:35028 jmp SCI_SWTST ; SCI ID 1A SWITCH TEST
ROM:35028 ; ---------------------
ROM:35028 ; TX: 1A XX
ROM:35028 ; RX: 1A XX YY
ROM:35028 ;
ROM:35028 ; YY: switch value of XX
ROM:3502C ; ---------------------------------------------------------------------------
ROM:3502C jmp SCI_BMDWNL ; SCI ID 1B INIT BYTE MODE DOWNLOAD
ROM:3502C ; ---------------------------------
ROM:3502C ; TX: 1B
ROM:3502C ; RX: 1B
ROM:35030 ; ---------------------------------------------------------------------------
ROM:35030 jmp nullsub_3 ; SCI ID 1C EEPROM WRITE
ROM:35030 ; ----------------------
ROM:35030 ; TX: 1C XX YY
ROM:35030 ; RX: 1C XX YY RR
ROM:35030 ;
ROM:35030 ; XX: EEPROM offset
ROM:35030 ; YY: EEPROM byte to write
ROM:35030 ; RR: result
ROM:35030 ;
ROM:35030 ; Note:
ROM:35030 ; SBEC2 only.
ROM:35034 ; ---------------------------------------------------------------------------
ROM:35034 jmp nullsub_3 ; SCI ID 1D WRITE RAM 1
ROM:35034 ;
ROM:35034 ; Note:
ROM:35034 ; SBEC2 only.
ROM:35034 ; Write to 68HC11 RAM
ROM:35038 ; ---------------------------------------------------------------------------
ROM:35038 jmp nullsub_3 ; SCI ID 1E WRITE RAM 2
ROM:35038 ;
ROM:35038 ; Note:
ROM:35038 ; SBEC2 only.
ROM:35038 ; Write to external RAM
ROM:3503C ; ---------------------------------------------------------------------------
ROM:3503C jmp SCI_WRRMWK ; SCI ID 1F WRITE RAM WORKER
ROM:3503C ; --------------------------
ROM:3503C ; TX: 1F XX YY
ROM:3503C ; RX: 1F XX YY RR
ROM:3503C ;
ROM:3503C ; XX: RAM offset (00-FE)
ROM:3503C ; YY: RAM value to write
ROM:3503C ; RR: result
ROM:3503C ;
ROM:3503C ; Result:
ROM:3503C ; 00 = offset out of range
ROM:3503C ; F1 = no security clearance
ROM:3503C ; E5 = ok
ROM:3503C ;
ROM:3503C ; Note:
ROM:3503C ; Upload small runtime worker function.
ROM:3503C ; Code is stored between F8700 and F87FF.
ROM:3503C ; First byte must point to the last rts instruction.
ROM:3503C ; This area seems to be occupied by important
ROM:3503C ; math stuff so I don't see how this works.
ROM:35040 ; ---------------------------------------------------------------------------
ROM:35040 jmp SCI_RNRMWK ; SCI ID 20 RUN RAM WORKER
ROM:35040 ; ------------------------
ROM:35040 ; TX: 20 XX YY
ROM:35040 ; RX: 20 XX YY RR
ROM:35040 ;
ROM:35040 ; XX YY: relative offset to last rts instruction
ROM:35040 ; RR: result
ROM:35040 ;
ROM:35040 ; Result:
ROM:35040 ; 00 = return instruction is not rts
ROM:35040 ; 01 = return offset mismatch
ROM:35040 ; 02 = return offset out of range
ROM:35040 ; E4 = ok
ROM:35044 ; ---------------------------------------------------------------------------
ROM:35044 jmp SCI_IGNTIM ; SCI ID 21 IGNITION TIMING
ROM:35044 ; -------------------------
ROM:35044 ; TX: 21 XX
ROM:35044 ; RX: 21 XX RR
ROM:35044 ;
ROM:35044 ; XX: parameter
ROM:35044 ; RR: result
ROM:35044 ;
ROM:35044 ; Parameters:
ROM:35044 ; 00: unkill spark scatter
ROM:35044 ; 01: kill spark scatter (basic timing)
ROM:35044 ;
ROM:35044 ; Results:
ROM:35044 ; 00: basic timing abolished
ROM:35044 ; 01: basic timing initiated
ROM:35044 ; 02: rejected because open throttle
ROM:35044 ; 03: rejected because transmission in drive
ROM:35048 ; ---------------------------------------------------------------------------
ROM:35048 jmp SCI_RDENGP ; SCI ID 22 READ ENGINE PARAMETER
ROM:35048 ; -------------------------------
ROM:35048 ; TX: 22 XX
ROM:35048 ; RX: 22 XX YY ZZ
ROM:35048 ;
ROM:35048 ; XX: engine parameter
ROM:35048 ; YY ZZ: parameter value
ROM:35048 ;
ROM:35048 ; Engine parameters:
ROM:35048 ; 01 = engine speed
ROM:35048 ; 02 = injector pulse width 1
ROM:35048 ; 03 = target idle speed
ROM:35048 ; 04 = injector pulse widht 2 (not available here)
ROM:3504C ; ---------------------------------------------------------------------------
ROM:3504C jmp SCI_RSTMEM ; SCI ID 23 RESET MEMORY
ROM:3504C ; ----------------------
ROM:3504C ; TX: 23 XX
ROM:3504C ; RX: 23 XX RR
ROM:3504C ;
ROM:3504C ; XX: mode
ROM:3504C ; RR: result
ROM:3504C ;
ROM:3504C ; Result:
ROM:3504C ; 00 = stop engine
ROM:3504C ; 01 = mode not supported
ROM:3504C ; 02 = denied (module busy)
ROM:3504C ; 03 = denied (security level 1 or 2 needed)
ROM:3504C ; F0 = ok
ROM:35050 ; ---------------------------------------------------------------------------
ROM:35050 jmp nullsub_3 ; SCI ID 24 N/A
ROM:35054 ; ---------------------------------------------------------------------------
ROM:35054 jmp SCI_OVRSET ; SCI ID 25 OVERRIDE SETTING
ROM:35054 ; --------------------------
ROM:35054 ; TX: 25 XX YY
ROM:35054 ; RX: 25 XX YY RR
ROM:35054 ;
ROM:35054 ; XX: setting parameter
ROM:35054 ; YY: state
ROM:35054 ; RR: result
ROM:35054 ;
ROM:35054 ; State:
ROM:35054 ; 00 = reset
ROM:35054 ; 01 = enable
ROM:35054 ; 02 = disable
ROM:35054 ;
ROM:35054 ; Result:
ROM:35054 ; unknown
ROM:35058 ; ---------------------------------------------------------------------------
ROM:35058 jmp SCI_RDROM ; SCI ID 26 READ FLASH MEMORY
ROM:35058 ; ---------------------------
ROM:35058 ; TX: 26 XX YY ZZ
ROM:35058 ; RX: 26 XX YY ZZ MM
ROM:35058 ;
ROM:35058 ; XX YY ZZ: flash memory offset
ROM:35058 ; MM: flash memory value at given offset
ROM:35058 ;
ROM:35058 ; SCI ID 26 READ RAM
ROM:35058 ; ------------------
ROM:35058 ; TX: 26 0F XX YY
ROM:35058 ; RX: 26 0F XX YY NN
ROM:35058 ;
ROM:35058 ; XX YY: RAM offset (8000 - 97FF)
ROM:35058 ; NN: RAM value at given offset
ROM:35058 ;
ROM:35058 ; RAM reading will not work for earlier
ROM:35058 ; SBEC3 computers.
ROM:3505C ; ---------------------------------------------------------------------------
ROM:3505C jmp SCI_WREEPR ; SCI ID 27 WRITE EEPROM
ROM:3505C ; ----------------------
ROM:3505C ; TX: 27 XX YY ZZ
ROM:3505C ; RX: 27 XX YY ZZ RR
ROM:3505C ;
ROM:3505C ; XX YY: EEPROM offset
ROM:3505C ; ZZ: EEPROM value to write
ROM:3505C ; RR: result
ROM:3505C ;
ROM:3505C ; Typical EEPROM offset: 0000 - 01FF (512 bytes)
ROM:3505C ;
ROM:3505C ; Result:
ROM:3505C ; F0: offset out of range
ROM:3505C ; F1: no security clearance
ROM:3505C ; E2: ok
ROM:35060 ; ---------------------------------------------------------------------------
ROM:35060 jmp SCI_RDEEPR ; SCI ID 28 READ EEPROM
ROM:35060 ; ---------------------
ROM:35060 ; TX: 28 XX YY
ROM:35060 ; RX: 28 XX YY ZZ
ROM:35060 ;
ROM:35060 ; XX YY: EEPROM offset
ROM:35060 ; ZZ: EEPROM value at given offset
ROM:35060 ;
ROM:35060 ; Typical EEPROM offset: 0000 - 01FF (512 bytes)
ROM:35064 ; ---------------------------------------------------------------------------
ROM:35064 jmp SCI_WRRAM ; SCI ID 29 WRITE RAM
ROM:35064 ; -------------------
ROM:35064 ; TX: 29 XX YY ZZ
ROM:35064 ; RX: 29 XX YY ZZ RR
ROM:35064 ;
ROM:35064 ; XX YY: RAM offset (0000 - 0FFF)
ROM:35064 ; ZZ: RAM value to write
ROM:35064 ; RR: result
ROM:35064 ;
ROM:35064 ; Result:
ROM:35064 ; F0 = RAM offset out of range
ROM:35064 ; F1 = no security clearance
ROM:35064 ; E5 = ok
ROM:35068 ; ---------------------------------------------------------------------------
ROM:35068 jmp SCI_PCMINF ; SCI ID 2A GET PCM INFO
ROM:35068 ; ----------------------
ROM:35068 ; TX: 2A XX FE
ROM:35068 ; RX: 2A XX YY FE
ROM:35068 ;
ROM:35068 ; XX: information offset
ROM:35068 ; YY: data at given offset
ROM:35068 ;
ROM:35068 ; Note:
ROM:35068 ; Early SBEC3 units do not terminate
ROM:35068 ; this command so FE needs to be
ROM:35068 ; appended.
ROM:3506C ; ---------------------------------------------------------------------------
ROM:3506C jmp nullsub_3 ; SCI ID 2B GET SECURITY SEED
ROM:3506C ; ---------------------------
ROM:3506C ; TX: 2B
ROM:3506C ; RX: 2B XX YY CS
ROM:3506C ;
ROM:3506C ; XX YY: security seed
ROM:3506C ; CS: checksum
ROM:35070 ; ---------------------------------------------------------------------------
ROM:35070 jmp nullsub_3 ; SCI ID 2C SEND SECURITY KEY
ROM:35070 ; ---------------------------
ROM:35070 ; TX: 2C XX YY CS
ROM:35070 ; RX: 2C XX YY CS RR
ROM:35070 ;
ROM:35070 ; XX YY: security key
ROM:35070 ; CS: checksum
ROM:35070 ; RR: result
ROM:35070 ;
ROM:35070 ; Result:
ROM:35070 ; 00 = unlocked
ROM:35070 ; 01 = incorrect key
ROM:35070 ; 02 = invalid checksum
ROM:35070 ; 03 = blocked further attempts,
ROM:35070 ; restart PCM
ROM:35070 ;
ROM:35070 ; Note:
ROM:35070 ; Keys generated from SCI ID 35 must be
ROM:35070 ; sent here as well.
ROM:35074 ; ---------------------------------------------------------------------------
ROM:35074 jmp nullsub_3 ; SCI ID 2D READ CONFIGURATION CONSTANT
ROM:35074 ; -------------------------------------
ROM:35074 ; TX: 2D XX YY
ROM:35074 ; RX: 2D XX YY MM NN
ROM:35074 ;
ROM:35074 ; XX YY: page and item
ROM:35074 ; MM NN: word at page
ROM:35078 ; ---------------------------------------------------------------------------
ROM:35078 jmp SCI_GETOTF ; SCI ID 2E ONE-TRIP FAULT CODE LIST
ROM:35078 ; ----------------------------------
ROM:35078 ; TX: 2E
ROM:35078 ; RX: 2E XX YY ZZ (FD) FE CS
ROM:35078 ;
ROM:35078 ; XX YY ZZ: fault code list
ROM:35078 ; (FD: unknown)
ROM:35078 ; FE: end of list
ROM:35078 ; CS: checksum
ROM:3507C ; ---------------------------------------------------------------------------
ROM:3507C jmp nullsub_3 ; SCI ID 2F N/A
ROM:35080 ; ---------------------------------------------------------------------------
ROM:35080 jmp nullsub_3 ; SCI ID 30 N/A
ROM:35084 ; ---------------------------------------------------------------------------
ROM:35084 jmp nullsub_3 ; SCI ID 31 N/A
ROM:35088 ; ---------------------------------------------------------------------------
ROM:35088 jmp nullsub_3 ; SCI ID 32 N/A
ROM:3508C ; ---------------------------------------------------------------------------
ROM:3508C jmp nullsub_3 ; SCI ID 33 N/A
ROM:35090 ; ---------------------------------------------------------------------------
ROM:35090 jmp nullsub_3 ; SCI ID 34 N/A
ROM:35094 ; ---------------------------------------------------------------------------
ROM:35094 jmp nullsub_3 ; SCI ID 35 GET SECURITY SEED
ROM:35094 ; ---------------------------
ROM:35094 ; TX: 35 XX
ROM:35094 ; RX: 35 XX AA BB CS
ROM:35094 ;
ROM:35094 ; XX: security level (01 or 02)
ROM:35094 ; AA BB: security seed
ROM:35094 ; CS: checksum
ROM:35094 ;
ROM:35094 ; Note:
ROM:35094 ; Level 1 security here is equivalent with
ROM:35094 ; SCI ID 2B (legacy).
ROM:35094 ; Level 1 access is needed for memory writing.
ROM:35094 ; Level 2 access is needed for SKIM reset only.
ROM:35094 ; Send key to SCI ID 2C, it will know which
ROM:35094 ; level the key unlocks.
ROM:35098 ; ---------------------------------------------------------------------------
ROM:35098 jmp nullsub_3 ; SCI ID 36 OBD2 GATEWAY
ROM:35098 ; ----------------------
ROM:35098 ; TX: 36 XX YY ZZ
ROM:35098 ; RX: 36 XX YY ZZ KK YY MM NN PP QQ RR SS CS
ROM:35098 ;
ROM:35098 ; XX: OBD2 MODE
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; ZZ: unknown
ROM:35098 ; KK: OBD2 MODE + $40
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; MM: result HB
ROM:35098 ; NN: result LB
ROM:35098 ; PP QQ RR SS: unknown
ROM:35098 ; CS: full checksum
ROM:35098 ;
ROM:35098 ; Example: Mode 1 PID 00 (PIDs supported [01-20])
ROM:35098 ;
ROM:35098 ; TX: 36 01 00 00
ROM:35098 ; RX: 36 01 00 00 41 00 BE 3E B8 10 00 BE FA
ROM:35098 ;
ROM:35098 ; PIDs supported [01-20] = BE 3E
ROM:35098 ;
ROM:35098 ; Example: Mode 4 (Clear DTCs)
ROM:35098 ;
ROM:35098 ; TX: 36 04 00 00
ROM:35098 ; RX: 36 04 00 00 44 00 00 00 00 00 00 BB 39
ROM:3509C
ROM:3509C [...]
ROM:3509C
ROM:35220 ; End of function SCI_RXIDJT
ROM:35220
ROM:35220 ; ---------------------------------------------------------------------------
2. High-speed mode commands (62500 baud)
Also known as parameter interrogation mode. The RAM offsets given here are not to be confused with the offsets given in low-speed mode (SCI ID 26 and SCI ID 29). In high-speed mode the RAM tables are subsets of the real RAM, comprising important areas.
Code:---------------------------------------------------------------------------
SCI ID FX SELECT RAM-TABLE
TX: F0...FD
RX: F0...FD
RAM table identifier is echoed back when it's valid.
Each table holds a maximum of 240 bytes of readable offsets.
---------------------------------------------------------------------------
SCI FX AA READ RAM VALUE
TX: FX AA
RX: FX AA BB
FX: RAM table (F0...FD)
AA: RAM offset (00...EF)
BB: RAM value at given offset
Technically the RAM table needs to be selected only once,
however, for clarity the scanner requires it to be selected
for every request.
RAM offset is never echoed back, therefore the scanner copies
the actual offset from the request message itself.
Multiple offsets can be read by listing them one after each other:
TX: FX AA BB CC
RX: FX AA aa BB bb CC cc
Since RAM offsets are not echoed by the PCM the scanner groups
the response like this:
FX: RAM table (F0...FD)
AA: RAM offset
aa: RAM value at offset AA
BB: RAM offset
bb: RAM value at offset BB
CC: RAM offset
cc: RAM value at offset CC
Normally FF is an invalid RAM offset but the scanner uses it as a
shortcut to dump all possible RAM values from a given table:
TX: FX FF
RX: FX 00 aa 01 bb 02 cc ... EF dd
00: first RAM offset
aa: RAM value at first RAM offset
01: second RAM offset
bb: RAM value at second RAM offset
02: third RAM offset
bb: RAM value at third RAM offset
...
EF: last RAM offset
dd: RAM value at last RAM offset
---------------------------------------------------------------------------
SCI ID FE RETURN TO LOW-SPEED MODE
TX: FE
RX: FE
FE is echoed back at 62500 baud.
Then baudrate is switched to 7812.5 baud.
---------------------------------------------------------------------------
NOTABLE OFFSETS
Maximum of 8 fault codes are stored in F4:
F4 01 = DTC#1
F4 74 = DTC#2
F4 75 = DTC#3
F4 76 = DTC#4
F4 77 = DTC#5
F4 78 = DTC#6
F4 79 = DTC#7
F4 02 = DTC#8