| Welcome, Guest |
You have to register before you can post on our site.
|
| Online Users |
There are currently 61 online users. » 0 Member(s) | 58 Guest(s) Baidu, Bing, Google
|
| Latest Threads |
Mysterious Kill Switch Di...
Forum: The Hacker News
Last Post: yazrozzarn
01-10-2026, 04:36 AM
» Replies: 1
» Views: 867
|
UAW drops unfair labor pr...
Forum: Other Automakers
Last Post: BillyMum
06-16-2025, 09:15 PM
» Replies: 2
» Views: 2,565
|
Uber's Ex-CISO Appeals Co...
Forum: Dark Reading.com
Last Post: BillyMum
06-15-2025, 05:26 AM
» Replies: 2
» Views: 3,811
|
2021 Hyundai Ioniq SEL
Forum: Kia USB Entry
Last Post: HackMaster
03-31-2025, 07:17 AM
» Replies: 0
» Views: 458
|
Vulnerability of Remote K...
Forum: Keyless entry
Last Post: HackMaster
03-31-2025, 07:14 AM
» Replies: 0
» Views: 355
|
The (In)Security of Autom...
Forum: Keyless entry
Last Post: HackMaster
03-31-2025, 07:12 AM
» Replies: 0
» Views: 337
|
Relay Attacks on Passive ...
Forum: Keyless entry
Last Post: HackMaster
03-31-2025, 07:07 AM
» Replies: 0
» Views: 328
|
Hacking Tesla from Wirele...
Forum: Tesla
Last Post: HackMaster
03-31-2025, 06:58 AM
» Replies: 0
» Views: 366
|
Hacking Tesla from Wirele...
Forum: Tesla
Last Post: HackMaster
03-31-2025, 06:22 AM
» Replies: 0
» Views: 352
|
Schematics and Datasheets
Forum: Schematics
Last Post: HackMaster
02-27-2025, 12:26 AM
» Replies: 0
» Views: 312
|
|
|
SCI Bus |
|
Posted by: HackMaster - 08-13-2023, 02:09 PM - Forum: Chrysler SCI
- No Replies
|
 |
SCI-bus
Following commands are extracted from an SBEC3 engine controller. Most of the basic commands are valid for SBEC2 engine controllers as well.
1. Low-speed mode commands (7812.5 baud)
Code: ROM:35000 ; =============== S U B R O U T I N E =======================================
ROM:35000
ROM:35000
ROM:35000 SCI_RXIDJT:
ROM:35000 jmp SCI_GETSFT ; SCI ID 10 STORED FAULT CODE LIST
ROM:35000 ; --------------------------------
ROM:35000 ; TX: 10
ROM:35000 ; RX: 10 XX YY ZZ (FD) FE CS
ROM:35000 ;
ROM:35000 ; XX YY ZZ: fault code list
ROM:35000 ; (FD: unknown)
ROM:35000 ; FE: end of list
ROM:35000 ; CS: checksum
ROM:35004 ; ---------------------------------------------------------------------------
ROM:35004 jmp SCI_GETPFT ; SCI ID 11 PENDING FAULT CODE LIST
ROM:35004 ; ---------------------------------
ROM:35004 ; TX: 11
ROM:35004 ; RX: 11 XX YY
ROM:35004 ;
ROM:35004 ; XX YY: two most recent fault codes
ROM:35004 ; pending to be confirmed
ROM:35008 ; ---------------------------------------------------------------------------
ROM:35008 jmp SCI_SETHSP ; SCI ID 12 ENTER HIGH-SPEED MODE
ROM:35008 ; -------------------------------
ROM:35008 ; TX: 12
ROM:35008 ; RX: 12
ROM:35008 ;
ROM:35008 ; 12 is echoed back at 7812.5 baud.
ROM:35008 ; Baudrate is then switched to 62500 baud.
ROM:3500C ; ---------------------------------------------------------------------------
ROM:3500C jmp SCI_SETACT ; SCI ID 13 ACTUATOR TEST
ROM:3500C ; -----------------------
ROM:3500C ; TX: 13 XX
ROM:3500C ; RX: 13 XX XX
ROM:3500C ; TX: 13
ROM:3500C ; RX: 13
ROM:3500C ;
ROM:3500C ; XX: actuator test mode
ROM:35010 ; ---------------------------------------------------------------------------
ROM:35010 jmp SCI_DIAGRQ ; SCI ID 14 DIAGNOSTIC DATA REQUEST
ROM:35010 ; ---------------------------------
ROM:35010 ; TX: 14 XX
ROM:35010 ; RX: 14 XX YY
ROM:35010 ;
ROM:35010 ; XX: parameter
ROM:35010 ; YY: value
ROM:35014 ; ---------------------------------------------------------------------------
ROM:35014 jmp nullsub_3 ; SCI ID 15 READ FLASH MEMORY
ROM:35014 ; ---------------------------
ROM:35014 ; TX: 15 XX YY
ROM:35014 ; RX: 15 XX YY ZZ
ROM:35014 ;
ROM:35014 ; XX YY: flash memory offset
ROM:35014 ; ZZ: flash memory value at given offset
ROM:35014 ;
ROM:35014 ; Note:
ROM:35014 ; SBEC2 only.
ROM:35018 ; ---------------------------------------------------------------------------
ROM:35018 jmp nullsub_3 ; SCI ID 16 READ FLASH MEMORY CONSTANT
ROM:35018 ; ------------------------------------
ROM:35018 ; TX: 16 XX
ROM:35018 ; RX: 16 XX JJ KK LL MM CS
ROM:35018 ;
ROM:35018 ; XX: configuration page (80/81/82)
ROM:35018 ; JJ KK LL MM: 4 bytes from selected page
ROM:35018 ; CS: checksum
ROM:35018 ;
ROM:35018 ; Note:
ROM:35018 ; SBEC2 only.
ROM:3501C ; ---------------------------------------------------------------------------
ROM:3501C jmp SCI_ERSFLT ; SCI ID 17 ERASE ENGINE FAULT CODES
ROM:3501C ; ----------------------------------
ROM:3501C ; TX: 17
ROM:3501C ; RX: 17 RR
ROM:3501C ;
ROM:3501C ; RR: result
ROM:3501C ;
ROM:3501C ; Result:
ROM:3501C ; 00 = stop engine
ROM:3501C ; E0 = erased
ROM:35020 ; ---------------------------------------------------------------------------
ROM:35020 jmp nullsub_3 ; SCI ID 18 CONTROL ASD RELAY
ROM:35020 ; ---------------------------
ROM:35020 ; TX: 18 XX
ROM:35020 ; RX: 18 XX RR
ROM:35020 ;
ROM:35020 ; XX: parameter
ROM:35020 ; RR: result
ROM:35024 ; ---------------------------------------------------------------------------
ROM:35024 jmp nullsub_3 ; SCI ID 19 SET ENGINE SPEED
ROM:35024 ; --------------------------
ROM:35024 ; TX: 19 XX
ROM:35024 ; RX: 19 XX
ROM:35024 ;
ROM:35024 ; XX = desired RPM divided by 7.85
ROM:35024 ;
ROM:35024 ; Example: 1500 RPM | 1500/7.85=191 | 191 = BF (HEX)
ROM:35024 ;
ROM:35024 ; Engine maintains set RPM for a few seconds,
ROM:35024 ; then it returns to normal idle speed.
ROM:35028 ; ---------------------------------------------------------------------------
ROM:35028 jmp SCI_SWTST ; SCI ID 1A SWITCH TEST
ROM:35028 ; ---------------------
ROM:35028 ; TX: 1A XX
ROM:35028 ; RX: 1A XX YY
ROM:35028 ;
ROM:35028 ; YY: switch value of XX
ROM:3502C ; ---------------------------------------------------------------------------
ROM:3502C jmp SCI_BMDWNL ; SCI ID 1B INIT BYTE MODE DOWNLOAD
ROM:3502C ; ---------------------------------
ROM:3502C ; TX: 1B
ROM:3502C ; RX: 1B
ROM:35030 ; ---------------------------------------------------------------------------
ROM:35030 jmp nullsub_3 ; SCI ID 1C EEPROM WRITE
ROM:35030 ; ----------------------
ROM:35030 ; TX: 1C XX YY
ROM:35030 ; RX: 1C XX YY RR
ROM:35030 ;
ROM:35030 ; XX: EEPROM offset
ROM:35030 ; YY: EEPROM byte to write
ROM:35030 ; RR: result
ROM:35030 ;
ROM:35030 ; Note:
ROM:35030 ; SBEC2 only.
ROM:35034 ; ---------------------------------------------------------------------------
ROM:35034 jmp nullsub_3 ; SCI ID 1D WRITE RAM 1
ROM:35034 ;
ROM:35034 ; Note:
ROM:35034 ; SBEC2 only.
ROM:35034 ; Write to 68HC11 RAM
ROM:35038 ; ---------------------------------------------------------------------------
ROM:35038 jmp nullsub_3 ; SCI ID 1E WRITE RAM 2
ROM:35038 ;
ROM:35038 ; Note:
ROM:35038 ; SBEC2 only.
ROM:35038 ; Write to external RAM
ROM:3503C ; ---------------------------------------------------------------------------
ROM:3503C jmp SCI_WRRMWK ; SCI ID 1F WRITE RAM WORKER
ROM:3503C ; --------------------------
ROM:3503C ; TX: 1F XX YY
ROM:3503C ; RX: 1F XX YY RR
ROM:3503C ;
ROM:3503C ; XX: RAM offset (00-FE)
ROM:3503C ; YY: RAM value to write
ROM:3503C ; RR: result
ROM:3503C ;
ROM:3503C ; Result:
ROM:3503C ; 00 = offset out of range
ROM:3503C ; F1 = no security clearance
ROM:3503C ; E5 = ok
ROM:3503C ;
ROM:3503C ; Note:
ROM:3503C ; Upload small runtime worker function.
ROM:3503C ; Code is stored between F8700 and F87FF.
ROM:3503C ; First byte must point to the last rts instruction.
ROM:3503C ; This area seems to be occupied by important
ROM:3503C ; math stuff so I don't see how this works.
ROM:35040 ; ---------------------------------------------------------------------------
ROM:35040 jmp SCI_RNRMWK ; SCI ID 20 RUN RAM WORKER
ROM:35040 ; ------------------------
ROM:35040 ; TX: 20 XX YY
ROM:35040 ; RX: 20 XX YY RR
ROM:35040 ;
ROM:35040 ; XX YY: relative offset to last rts instruction
ROM:35040 ; RR: result
ROM:35040 ;
ROM:35040 ; Result:
ROM:35040 ; 00 = return instruction is not rts
ROM:35040 ; 01 = return offset mismatch
ROM:35040 ; 02 = return offset out of range
ROM:35040 ; E4 = ok
ROM:35044 ; ---------------------------------------------------------------------------
ROM:35044 jmp SCI_IGNTIM ; SCI ID 21 IGNITION TIMING
ROM:35044 ; -------------------------
ROM:35044 ; TX: 21 XX
ROM:35044 ; RX: 21 XX RR
ROM:35044 ;
ROM:35044 ; XX: parameter
ROM:35044 ; RR: result
ROM:35044 ;
ROM:35044 ; Parameters:
ROM:35044 ; 00: unkill spark scatter
ROM:35044 ; 01: kill spark scatter (basic timing)
ROM:35044 ;
ROM:35044 ; Results:
ROM:35044 ; 00: basic timing abolished
ROM:35044 ; 01: basic timing initiated
ROM:35044 ; 02: rejected because open throttle
ROM:35044 ; 03: rejected because transmission in drive
ROM:35048 ; ---------------------------------------------------------------------------
ROM:35048 jmp SCI_RDENGP ; SCI ID 22 READ ENGINE PARAMETER
ROM:35048 ; -------------------------------
ROM:35048 ; TX: 22 XX
ROM:35048 ; RX: 22 XX YY ZZ
ROM:35048 ;
ROM:35048 ; XX: engine parameter
ROM:35048 ; YY ZZ: parameter value
ROM:35048 ;
ROM:35048 ; Engine parameters:
ROM:35048 ; 01 = engine speed
ROM:35048 ; 02 = injector pulse width 1
ROM:35048 ; 03 = target idle speed
ROM:35048 ; 04 = injector pulse widht 2 (not available here)
ROM:3504C ; ---------------------------------------------------------------------------
ROM:3504C jmp SCI_RSTMEM ; SCI ID 23 RESET MEMORY
ROM:3504C ; ----------------------
ROM:3504C ; TX: 23 XX
ROM:3504C ; RX: 23 XX RR
ROM:3504C ;
ROM:3504C ; XX: mode
ROM:3504C ; RR: result
ROM:3504C ;
ROM:3504C ; Result:
ROM:3504C ; 00 = stop engine
ROM:3504C ; 01 = mode not supported
ROM:3504C ; 02 = denied (module busy)
ROM:3504C ; 03 = denied (security level 1 or 2 needed)
ROM:3504C ; F0 = ok
ROM:35050 ; ---------------------------------------------------------------------------
ROM:35050 jmp nullsub_3 ; SCI ID 24 N/A
ROM:35054 ; ---------------------------------------------------------------------------
ROM:35054 jmp SCI_OVRSET ; SCI ID 25 OVERRIDE SETTING
ROM:35054 ; --------------------------
ROM:35054 ; TX: 25 XX YY
ROM:35054 ; RX: 25 XX YY RR
ROM:35054 ;
ROM:35054 ; XX: setting parameter
ROM:35054 ; YY: state
ROM:35054 ; RR: result
ROM:35054 ;
ROM:35054 ; State:
ROM:35054 ; 00 = reset
ROM:35054 ; 01 = enable
ROM:35054 ; 02 = disable
ROM:35054 ;
ROM:35054 ; Result:
ROM:35054 ; unknown
ROM:35058 ; ---------------------------------------------------------------------------
ROM:35058 jmp SCI_RDROM ; SCI ID 26 READ FLASH MEMORY
ROM:35058 ; ---------------------------
ROM:35058 ; TX: 26 XX YY ZZ
ROM:35058 ; RX: 26 XX YY ZZ MM
ROM:35058 ;
ROM:35058 ; XX YY ZZ: flash memory offset
ROM:35058 ; MM: flash memory value at given offset
ROM:35058 ;
ROM:35058 ; SCI ID 26 READ RAM
ROM:35058 ; ------------------
ROM:35058 ; TX: 26 0F XX YY
ROM:35058 ; RX: 26 0F XX YY NN
ROM:35058 ;
ROM:35058 ; XX YY: RAM offset (8000 - 97FF)
ROM:35058 ; NN: RAM value at given offset
ROM:35058 ;
ROM:35058 ; RAM reading will not work for earlier
ROM:35058 ; SBEC3 computers.
ROM:3505C ; ---------------------------------------------------------------------------
ROM:3505C jmp SCI_WREEPR ; SCI ID 27 WRITE EEPROM
ROM:3505C ; ----------------------
ROM:3505C ; TX: 27 XX YY ZZ
ROM:3505C ; RX: 27 XX YY ZZ RR
ROM:3505C ;
ROM:3505C ; XX YY: EEPROM offset
ROM:3505C ; ZZ: EEPROM value to write
ROM:3505C ; RR: result
ROM:3505C ;
ROM:3505C ; Typical EEPROM offset: 0000 - 01FF (512 bytes)
ROM:3505C ;
ROM:3505C ; Result:
ROM:3505C ; F0: offset out of range
ROM:3505C ; F1: no security clearance
ROM:3505C ; E2: ok
ROM:35060 ; ---------------------------------------------------------------------------
ROM:35060 jmp SCI_RDEEPR ; SCI ID 28 READ EEPROM
ROM:35060 ; ---------------------
ROM:35060 ; TX: 28 XX YY
ROM:35060 ; RX: 28 XX YY ZZ
ROM:35060 ;
ROM:35060 ; XX YY: EEPROM offset
ROM:35060 ; ZZ: EEPROM value at given offset
ROM:35060 ;
ROM:35060 ; Typical EEPROM offset: 0000 - 01FF (512 bytes)
ROM:35064 ; ---------------------------------------------------------------------------
ROM:35064 jmp SCI_WRRAM ; SCI ID 29 WRITE RAM
ROM:35064 ; -------------------
ROM:35064 ; TX: 29 XX YY ZZ
ROM:35064 ; RX: 29 XX YY ZZ RR
ROM:35064 ;
ROM:35064 ; XX YY: RAM offset (0000 - 0FFF)
ROM:35064 ; ZZ: RAM value to write
ROM:35064 ; RR: result
ROM:35064 ;
ROM:35064 ; Result:
ROM:35064 ; F0 = RAM offset out of range
ROM:35064 ; F1 = no security clearance
ROM:35064 ; E5 = ok
ROM:35068 ; ---------------------------------------------------------------------------
ROM:35068 jmp SCI_PCMINF ; SCI ID 2A GET PCM INFO
ROM:35068 ; ----------------------
ROM:35068 ; TX: 2A XX FE
ROM:35068 ; RX: 2A XX YY FE
ROM:35068 ;
ROM:35068 ; XX: information offset
ROM:35068 ; YY: data at given offset
ROM:35068 ;
ROM:35068 ; Note:
ROM:35068 ; Early SBEC3 units do not terminate
ROM:35068 ; this command so FE needs to be
ROM:35068 ; appended.
ROM:3506C ; ---------------------------------------------------------------------------
ROM:3506C jmp nullsub_3 ; SCI ID 2B GET SECURITY SEED
ROM:3506C ; ---------------------------
ROM:3506C ; TX: 2B
ROM:3506C ; RX: 2B XX YY CS
ROM:3506C ;
ROM:3506C ; XX YY: security seed
ROM:3506C ; CS: checksum
ROM:35070 ; ---------------------------------------------------------------------------
ROM:35070 jmp nullsub_3 ; SCI ID 2C SEND SECURITY KEY
ROM:35070 ; ---------------------------
ROM:35070 ; TX: 2C XX YY CS
ROM:35070 ; RX: 2C XX YY CS RR
ROM:35070 ;
ROM:35070 ; XX YY: security key
ROM:35070 ; CS: checksum
ROM:35070 ; RR: result
ROM:35070 ;
ROM:35070 ; Result:
ROM:35070 ; 00 = unlocked
ROM:35070 ; 01 = incorrect key
ROM:35070 ; 02 = invalid checksum
ROM:35070 ; 03 = blocked further attempts,
ROM:35070 ; restart PCM
ROM:35070 ;
ROM:35070 ; Note:
ROM:35070 ; Keys generated from SCI ID 35 must be
ROM:35070 ; sent here as well.
ROM:35074 ; ---------------------------------------------------------------------------
ROM:35074 jmp nullsub_3 ; SCI ID 2D READ CONFIGURATION CONSTANT
ROM:35074 ; -------------------------------------
ROM:35074 ; TX: 2D XX YY
ROM:35074 ; RX: 2D XX YY MM NN
ROM:35074 ;
ROM:35074 ; XX YY: page and item
ROM:35074 ; MM NN: word at page
ROM:35078 ; ---------------------------------------------------------------------------
ROM:35078 jmp SCI_GETOTF ; SCI ID 2E ONE-TRIP FAULT CODE LIST
ROM:35078 ; ----------------------------------
ROM:35078 ; TX: 2E
ROM:35078 ; RX: 2E XX YY ZZ (FD) FE CS
ROM:35078 ;
ROM:35078 ; XX YY ZZ: fault code list
ROM:35078 ; (FD: unknown)
ROM:35078 ; FE: end of list
ROM:35078 ; CS: checksum
ROM:3507C ; ---------------------------------------------------------------------------
ROM:3507C jmp nullsub_3 ; SCI ID 2F N/A
ROM:35080 ; ---------------------------------------------------------------------------
ROM:35080 jmp nullsub_3 ; SCI ID 30 N/A
ROM:35084 ; ---------------------------------------------------------------------------
ROM:35084 jmp nullsub_3 ; SCI ID 31 N/A
ROM:35088 ; ---------------------------------------------------------------------------
ROM:35088 jmp nullsub_3 ; SCI ID 32 N/A
ROM:3508C ; ---------------------------------------------------------------------------
ROM:3508C jmp nullsub_3 ; SCI ID 33 N/A
ROM:35090 ; ---------------------------------------------------------------------------
ROM:35090 jmp nullsub_3 ; SCI ID 34 N/A
ROM:35094 ; ---------------------------------------------------------------------------
ROM:35094 jmp nullsub_3 ; SCI ID 35 GET SECURITY SEED
ROM:35094 ; ---------------------------
ROM:35094 ; TX: 35 XX
ROM:35094 ; RX: 35 XX AA BB CS
ROM:35094 ;
ROM:35094 ; XX: security level (01 or 02)
ROM:35094 ; AA BB: security seed
ROM:35094 ; CS: checksum
ROM:35094 ;
ROM:35094 ; Note:
ROM:35094 ; Level 1 security here is equivalent with
ROM:35094 ; SCI ID 2B (legacy).
ROM:35094 ; Level 1 access is needed for memory writing.
ROM:35094 ; Level 2 access is needed for SKIM reset only.
ROM:35094 ; Send key to SCI ID 2C, it will know which
ROM:35094 ; level the key unlocks.
ROM:35098 ; ---------------------------------------------------------------------------
ROM:35098 jmp nullsub_3 ; SCI ID 36 OBD2 GATEWAY
ROM:35098 ; ----------------------
ROM:35098 ; TX: 36 XX YY ZZ
ROM:35098 ; RX: 36 XX YY ZZ KK YY MM NN PP QQ RR SS CS
ROM:35098 ;
ROM:35098 ; XX: OBD2 MODE
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; ZZ: unknown
ROM:35098 ; KK: OBD2 MODE + $40
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; MM: result HB
ROM:35098 ; NN: result LB
ROM:35098 ; PP QQ RR SS: unknown
ROM:35098 ; CS: full checksum
ROM:35098 ;
ROM:35098 ; Example: Mode 1 PID 00 (PIDs supported [01-20])
ROM:35098 ;
ROM:35098 ; TX: 36 01 00 00
ROM:35098 ; RX: 36 01 00 00 41 00 BE 3E B8 10 00 BE FA
ROM:35098 ;
ROM:35098 ; PIDs supported [01-20] = BE 3E
ROM:35098 ;
ROM:35098 ; Example: Mode 4 (Clear DTCs)
ROM:35098 ;
ROM:35098 ; TX: 36 04 00 00
ROM:35098 ; RX: 36 04 00 00 44 00 00 00 00 00 00 BB 39
ROM:3509C
ROM:3509C [...]
ROM:3509C
ROM:35220 ; End of function SCI_RXIDJT
ROM:35220
ROM:35220 ; ---------------------------------------------------------------------------
2. High-speed mode commands (62500 baud)
Also known as parameter interrogation mode. The RAM offsets given here are not to be confused with the offsets given in low-speed mode (SCI ID 26 and SCI ID 29). In high-speed mode the RAM tables are subsets of the real RAM, comprising important areas.
Code: ---------------------------------------------------------------------------
SCI ID FX SELECT RAM-TABLE
TX: F0...FD
RX: F0...FD
RAM table identifier is echoed back when it's valid.
Each table holds a maximum of 240 bytes of readable offsets.
---------------------------------------------------------------------------
SCI FX AA READ RAM VALUE
TX: FX AA
RX: FX AA BB
FX: RAM table (F0...FD)
AA: RAM offset (00...EF)
BB: RAM value at given offset
Technically the RAM table needs to be selected only once,
however, for clarity the scanner requires it to be selected
for every request.
RAM offset is never echoed back, therefore the scanner copies
the actual offset from the request message itself.
Multiple offsets can be read by listing them one after each other:
TX: FX AA BB CC
RX: FX AA aa BB bb CC cc
Since RAM offsets are not echoed by the PCM the scanner groups
the response like this:
FX: RAM table (F0...FD)
AA: RAM offset
aa: RAM value at offset AA
BB: RAM offset
bb: RAM value at offset BB
CC: RAM offset
cc: RAM value at offset CC
Normally FF is an invalid RAM offset but the scanner uses it as a
shortcut to dump all possible RAM values from a given table:
TX: FX FF
RX: FX 00 aa 01 bb 02 cc ... EF dd
00: first RAM offset
aa: RAM value at first RAM offset
01: second RAM offset
bb: RAM value at second RAM offset
02: third RAM offset
bb: RAM value at third RAM offset
...
EF: last RAM offset
dd: RAM value at last RAM offset
---------------------------------------------------------------------------
SCI ID FE RETURN TO LOW-SPEED MODE
TX: FE
RX: FE
FE is echoed back at 62500 baud.
Then baudrate is switched to 7812.5 baud.
---------------------------------------------------------------------------
NOTABLE OFFSETS
Maximum of 8 fault codes are stored in F4:
F4 01 = DTC#1
F4 74 = DTC#2
F4 75 = DTC#3
F4 76 = DTC#4
F4 77 = DTC#5
F4 78 = DTC#6
F4 79 = DTC#7
F4 02 = DTC#8
|
|
|
PCI Bus |
|
Posted by: HackMaster - 08-13-2023, 02:03 PM - Forum: Chrysler PCI Bus ( SAE J1850 VPW )
- No Replies
|
 |
PCI-bus
Code: ROM:3100D ; PCI-BUS RX ID LOOKUP TABLE
ROM:3100D
ROM:3100D PCI_RXIDLT: dc.b 81h ; Group 1
ROM:3100E dc.b 2Dh, 4 ; PCI ID 2D | Length = 4 bytes | Instrument cluster lamp state
ROM:31010 dc.b 24h, 7 ; PCI ID 24 | Length = 7 bytes | PCI request
ROM:31012 dc.b 3Ah, 3 ; PCI ID 3A | Length = 3 bytes | Transmission selected gear
ROM:31014 dc.b 37h, 4 ; PCI ID 37 | Length = 4 bytes | Shift lever position (Autostick)
ROM:31016 dc.b 0Eh, 4 ; PCI ID 0E | Length = 4 bytes | Transmission status
ROM:31018
ROM:31018 dc.b 82h ; Group 2
ROM:31019 dc.b 0, 0
ROM:3101B dc.b 0, 0
ROM:3101D dc.b 6Ch, 7 ; PCI ID 6C | Length = 7 bytes | TCM fault code present
ROM:3101F dc.b 68h, 0 ; PCI ID 68 | Length = 0 bytes | OBD2 response
ROM:31021 dc.b 0, 0
ROM:31023
ROM:31023 dc.b 83h ; Group 3
ROM:31024 dc.b 0, 0
ROM:31026 dc.b 4Fh, 7 ; PCI ID 4F | Length = 7 bytes | SKIM seed/key validation
ROM:31028 dc.b 0, 0
ROM:3102A dc.b 42h, 4 ; PCI ID 42 | Length = 4 bytes | Last engine shutdown (minutes)
ROM:3102C dc.b 52h, 3 ; PCI ID 52 | Length = 3 bytes | A/C relay state request
ROM:3102E
ROM:3102E dc.b 84h ; Group 4
ROM:3102F dc.b 0A5h, 4 ; PCI ID A5 | Length = 4 bytes | Fuel level sensor voltage and level
ROM:31031 dc.b 0A3h, 4 ; PCI ID A3 | Length = 4 bytes | Ambient temperature sensor voltage (from BCM)
ROM:31033 dc.b 0B5h, 3 ; PCI ID B5 | Length = 3 bytes | VTSS status
ROM:31035 dc.b 0B1h, 3 ; PCI ID B1 | Length = 3 bytes | SKIM status
ROM:31037 dc.b 87h, 4 ; PCI ID 87 | Length = 4 bytes | Update beacon payload in PCM EEPROM
ROM:31039
ROM:31039 dc.b 85h ; Group 5
ROM:3103A dc.b 0, 0
ROM:3103C dc.b 0, 0
ROM:3103E dc.b 0, 0
ROM:31040 dc.b 0EAh, 3 ; PCI ID EA | Length = 3 bytes | Transmission temperature
ROM:31042 dc.b 0, 0
ROM:31044
ROM:31044 dc.b 86h ; Group 6
ROM:31045 dc.b 0, 0
ROM:31047 dc.b 0CCh, 4 ; PCI ID CC | Length = 4 bytes | Outside air temperature
ROM:31049 dc.b 0, 0
ROM:3104B dc.b 0, 0
ROM:3104D dc.b 0, 0
ROM:3104F
ROM:3104F ; Unknown lookup table
ROM:3104F
ROM:3104F dc.b 0A0h
ROM:31050 dc.b 10h
ROM:31051 dc.b 1
ROM:31052 dc.b 1
ROM:31053 dc.b 0
ROM:31054 dc.b 2Dh
ROM:31055 dc.b 0
ROM:31056 dc.b 0
ROM:31057 dc.b 0
ROM:31058 dc.b 0
ROM:31059 dc.b 0
ROM:3105A
ROM:3105A ; =============== S U B R O U T I N E =======================================
ROM:3105A
ROM:3105A ; PCI-BUS RX ID JUMP TABLE
ROM:3105A ; Attributes: thunk
ROM:3105A
ROM:3105A PCI_RXIDJT:
ROM:3105A jmp PCI_2D ; Instrument cluster lamp state | CCD_A4
ROM:3105E ; ---------------------------------------------------------------------------
ROM:3105E jmp PCI_24 ; PCI request
ROM:31062 ; ---------------------------------------------------------------------------
ROM:31062 jmp PCI_3A ; Transmission selected gear | CCD_DC 3032E
ROM:31066 ; ---------------------------------------------------------------------------
ROM:31066 jmp PCI_37 ; Shift lever position (Autostick) | CCD_02 30300 and CCD_52 303EC
ROM:3106A ; ---------------------------------------------------------------------------
ROM:3106A jmp PCI_0E ; Transmission status | CCD_A1 3025A
ROM:3106E ; ---------------------------------------------------------------------------
ROM:3106E jmp PCI_SKIP
ROM:31072 ; ---------------------------------------------------------------------------
ROM:31072 jmp PCI_SKIP
ROM:31076 ; ---------------------------------------------------------------------------
ROM:31076 jmp PCI_6C ; Transmission faults present | CCD_56 3040A
ROM:3107A ; ---------------------------------------------------------------------------
ROM:3107A jmp PCI_68 ; OBD2 response
ROM:3107E ; ---------------------------------------------------------------------------
ROM:3107E jmp PCI_SKIP
ROM:31082 ; ---------------------------------------------------------------------------
ROM:31082 jmp PCI_SKIP
ROM:31086 ; ---------------------------------------------------------------------------
ROM:31086 jmp PCI_4F_RX ; SKIM seed/key validation | CCD_C2 3047A
ROM:3108A ; ---------------------------------------------------------------------------
ROM:3108A jmp PCI_SKIP
ROM:3108E ; ---------------------------------------------------------------------------
ROM:3108E jmp PCI_42 ; Last engine shutdown (MM MM) | CCD_29 303B8 and CCD_A9 3035E
ROM:31092 ; ---------------------------------------------------------------------------
ROM:31092 jmp PCI_52 ; PCI A/C RELAY STATE | CCD_7E 30226
ROM:31096 ; ---------------------------------------------------------------------------
ROM:31096 jmp PCI_A5 ; Fuel level sensor voltage and level | CCD_95 30392
ROM:3109A ; ---------------------------------------------------------------------------
ROM:3109A jmp PCI_A3 ; Ambient temperature sensor voltage
ROM:3109E ; ---------------------------------------------------------------------------
ROM:3109E jmp PCI_B5 ; VTSS status | CCD_AA 301AA
ROM:310A2 ; ---------------------------------------------------------------------------
ROM:310A2 jmp PCI_B1 ; SKIM status | CCD_0B 3044C
ROM:310A6 ; ---------------------------------------------------------------------------
ROM:310A6 jmp PCI_87 ; Update beacon payload in EEPROM | CCD_91 301FE
ROM:310A6 ;
ROM:310A6 ; PCI: 87 XX YY CRC
ROM:310A6 ; XX: payload offset
ROM:310A6 ; YY: new payload byte
ROM:310AA ; ---------------------------------------------------------------------------
ROM:310AA jmp PCI_SKIP
ROM:310AE ; ---------------------------------------------------------------------------
ROM:310AE jmp PCI_SKIP
ROM:310B2 ; ---------------------------------------------------------------------------
ROM:310B2 jmp PCI_SKIP
ROM:310B6 ; ---------------------------------------------------------------------------
ROM:310B6 jmp PCI_EA ; Transmission temperature | CCD_7C 303CE
ROM:310BA ; ---------------------------------------------------------------------------
ROM:310BA jmp PCI_SKIP
ROM:310BE ; ---------------------------------------------------------------------------
ROM:310BE jmp PCI_SKIP
ROM:310C2 ; ---------------------------------------------------------------------------
ROM:310C2 jmp PCI_CC ; Outside air temperature
ROM:310C6 ; ---------------------------------------------------------------------------
ROM:310C6 jmp PCI_SKIP
ROM:310CA ; ---------------------------------------------------------------------------
ROM:310CA jmp PCI_SKIP
ROM:310CE ; ---------------------------------------------------------------------------
ROM:310CE jmp PCI_SKIP
ROM:310CE ; End of function PCI_RXIDJT
ROM:310CE
ROM:310CE ; ---------------------------------------------------------------------------
ROM:310D2
ROM:310D2 ; PCI-bus message transmission timing table
ROM:310D2
ROM:310D2 dc.w 0
ROM:310D4 dc.w 0
ROM:310D6 dc.w 0
ROM:310D8 dc.w 0
ROM:310DA dc.w 0
ROM:310DC dc.w 0FFh
ROM:310DE
ROM:310DE ; PCI-BUS TX STREAM LOOKUP TABLE
ROM:310DE ; Jump instruction comparison table
ROM:310DE ; Example: 18A2 -> subroutine at 318A2 -> PCI_10
ROM:310DE
ROM:310DE PCI_TXSTLT: dc.w 18A2h ; PCI_10
ROM:310E0 dc.w 19D0h ; PCI_35
ROM:310E2 dc.w 18D2h ; PCI_14
ROM:310E4 dc.w 189Ah ; PCI_CLEAR
ROM:310E6 dc.w 18A2h ; PCI_10
ROM:310E8 dc.w 1B98h ; PCI_B0
ROM:310EA dc.w 1922h ; PCI_5D
ROM:310EC dc.w 189Ah ; PCI_CLEAR
ROM:310EE dc.w 18A2h ; PCI_10
ROM:310F0 dc.w 19E4h ; PCI_C0
ROM:310F2 dc.w 18D2h ; PCI_14
ROM:310F4 dc.w 189Ah ; PCI_CLEAR
ROM:310F6 dc.w 18A2h ; PCI_10
ROM:310F8 dc.w 189Ah ; PCI_CLEAR
ROM:310FA dc.w 1998h ; PCI_1A
ROM:310FC dc.w 189Ah ; PCI_CLEAR
ROM:310FE dc.w 18A2h ; PCI_10
ROM:31100 dc.w 19D0h ; PCI_35
ROM:31102 dc.w 18D2h ; PCI_14
ROM:31104 dc.w 189Ah ; PCI_CLEAR
ROM:31106 dc.w 18A2h ; PCI_10
ROM:31108 dc.w 189Ah ; PCI_CLEAR
ROM:3110A dc.w 1922h ; PCI_5D
ROM:3110C dc.w 189Ah ; PCI_CLEAR
ROM:3110E dc.w 18A2h ; PCI_10
ROM:31110 dc.w 1A10h ; PCI_D0
ROM:31112 dc.w 18D2h ; PCI_14
ROM:31114 dc.w 189Ah ; PCI_CLEAR
ROM:31116 dc.w 18A2h ; PCI_10
ROM:31118 dc.w 189Ah ; PCI_CLEAR
ROM:3111A dc.w 1998h ; PCI_1A
ROM:3111C dc.w 189Ah ; PCI_CLEAR
ROM:3111E dc.w 18A2h ; PCI_10
ROM:31120 dc.w 19D0h ; PCI_35
ROM:31122 dc.w 18D2h ; PCI_14
ROM:31124 dc.w 189Ah ; PCI_CLEAR
ROM:31126 dc.w 18A2h ; PCI_10
ROM:31128 dc.w 1CFCh ; PCI_D1
ROM:3112A dc.w 1922h ; PCI_5D
ROM:3112C dc.w 189Ah ; PCI_CLEAR
ROM:3112E dc.w 18A2h ; PCI_10
ROM:31130 dc.w 1A20h ; PCI_D2
ROM:31132 dc.w 18D2h ; PCI_14
ROM:31134 dc.w 189Ah ; PCI_CLEAR
ROM:31136 dc.w 18A2h ; PCI_10
ROM:31138 dc.w 189Ah ; PCI_CLEAR
ROM:3113A dc.w 1998h ; PCI_1A
ROM:3113C dc.w 189Ah ; PCI_CLEAR
ROM:3113E dc.w 18A2h ; PCI_10
ROM:31140 dc.w 19D0h ; PCI_35
ROM:31142 dc.w 18D2h ; PCI_14
ROM:31144 dc.w 189Ah ; PCI_CLEAR
ROM:31146 dc.w 18A2h ; PCI_10
ROM:31148 dc.w 189Ah ; PCI_CLEAR
ROM:3114A dc.w 1922h ; PCI_5D
ROM:3114C dc.w 189Ah ; PCI_CLEAR
ROM:3114E dc.w 18A2h ; PCI_10
ROM:31150 dc.w 1982h ; PCI_DF
ROM:31152 dc.w 18D2h ; PCI_14
ROM:31154 dc.w 189Ah ; PCI_CLEAR
ROM:31156 dc.w 18A2h ; PCI_10
ROM:31158 dc.w 189Ah ; PCI_CLEAR
ROM:3115A dc.w 1998h ; PCI_1A
ROM:3115C dc.w 189Ah ; PCI_CLEAR
ROM:3115E dc.w 18A2h ; PCI_10
ROM:31160 dc.w 19D0h ; PCI_35
ROM:31162 dc.w 18D2h ; PCI_14
ROM:31164 dc.w 189Ah ; PCI_CLEAR
ROM:31166 dc.w 18A2h ; PCI_10
ROM:31168 dc.w 1DAEh ; PCI_16
ROM:3116A dc.w 1922h ; PCI_5D
ROM:3116C dc.w 189Ah ; PCI_CLEAR
ROM:3116E dc.w 18A2h ; PCI_10
ROM:31170 dc.w 19E4h ; PCI_C0
ROM:31172 dc.w 18D2h ; PCI_14
ROM:31174 dc.w 189Ah ; PCI_CLEAR
ROM:31176 dc.w 18A2h ; PCI_10
ROM:31178 dc.w 189Ah ; PCI_CLEAR
ROM:3117A dc.w 1998h ; PCI_1A
ROM:3117C dc.w 189Ah ; PCI_CLEAR
ROM:3117E dc.w 18A2h ; PCI_10
ROM:31180 dc.w 19D0h ; PCI_35
ROM:31182 dc.w 18D2h ; PCI_14
ROM:31184 dc.w 189Ah ; PCI_CLEAR
ROM:31186 dc.w 18A2h ; PCI_10
ROM:31188 dc.w 189Ah ; PCI_CLEAR
ROM:3118A dc.w 1922h ; PCI_5D
ROM:3118C dc.w 189Ah ; PCI_CLEAR
ROM:3118E dc.w 18A2h ; PCI_10
ROM:31190 dc.w 1A58h ; PCI_ED
ROM:31192 dc.w 18D2h ; PCI_14
ROM:31194 dc.w 189Ah ; PCI_CLEAR
ROM:31196 dc.w 18A2h ; PCI_10
ROM:31198 dc.w 189Ah ; PCI_CLEAR
ROM:3119A dc.w 1998h ; PCI_1A
ROM:3119C dc.w 189Ah ; PCI_CLEAR
ROM:3119E dc.w 18A2h ; PCI_10
ROM:311A0 dc.w 19D0h ; PCI_35
ROM:311A2 dc.w 18D2h ; PCI_14
ROM:311A4 dc.w 189Ah ; PCI_CLEAR
ROM:311A6 dc.w 18A2h ; PCI_10
ROM:311A8 dc.w 1B76h ; PCI_AF
ROM:311AA dc.w 1922h ; PCI_5D
ROM:311AC dc.w 189Ah ; PCI_CLEAR
ROM:311AE dc.w 18A2h ; PCI_10
ROM:311B0 dc.w 1A86h ; PCI_F0
ROM:311B2 dc.w 18D2h ; PCI_14
ROM:311B4 dc.w 189Ah ; PCI_CLEAR
ROM:311B6 dc.w 18A2h ; PCI_10
ROM:311B8 dc.w 189Ah ; PCI_CLEAR
ROM:311BA dc.w 1998h ; PCI_1A
ROM:311BC dc.w 189Ah ; PCI_CLEAR
ROM:311BE dc.w 18A2h ; PCI_10
ROM:311C0 dc.w 19D0h ; PCI_35
ROM:311C2 dc.w 18D2h ; PCI_14
ROM:311C4 dc.w 189Ah ; PCI_CLEAR
ROM:311C6 dc.w 18A2h ; PCI_10
ROM:311C8 dc.w 189Ah ; PCI_CLEAR
ROM:311CA dc.w 1922h ; PCI_5D
ROM:311CC dc.w 189Ah ; PCI_CLEAR
ROM:311CE dc.w 18A2h ; PCI_10
ROM:311D0 dc.w 1AF8h ; PCI_6E_6F
ROM:311D2 dc.w 18D2h ; PCI_14
ROM:311D4 dc.w 189Ah ; PCI_CLEAR
ROM:311D6 dc.w 18A2h ; PCI_10
ROM:311D8 dc.w 189Ah ; PCI_CLEAR
ROM:311DA dc.w 1998h ; PCI_1A
ROM:311DC dc.w 189Ah ; PCI_CLEAR
ROM:311DE
ROM:311DE ; =============== S U B R O U T I N E =======================================
ROM:311DE
ROM:311DE ; PCI-BUS TX ID JUMP TABLE
ROM:311DE ; Attributes: thunk
ROM:311DE
ROM:311DE PCI_TXIDJT:
ROM:311DE jmp PCI_CLEAR
ROM:311E2 ; ---------------------------------------------------------------------------
ROM:311E2 jmp PCI_10
ROM:311E6 ; ---------------------------------------------------------------------------
ROM:311E6 jmp PCI_14
ROM:311EA ; ---------------------------------------------------------------------------
ROM:311EA jmp PCI_5D ; Mileage increment (CCD_84)
ROM:311EE ; ---------------------------------------------------------------------------
ROM:311EE jmp PCI_1A
ROM:311F2 ; ---------------------------------------------------------------------------
ROM:311F2 jmp PCI_35
ROM:311F6 ; ---------------------------------------------------------------------------
ROM:311F6 jmp PCI_C0 ; Battery voltage, oil pressure, engine coolant temperature, ambient temperature
ROM:311FA ; ---------------------------------------------------------------------------
ROM:311FA jmp PCI_D0
ROM:311FE ; ---------------------------------------------------------------------------
ROM:311FE jmp PCI_D2
ROM:31202 ; ---------------------------------------------------------------------------
ROM:31202 jmp PCI_DF
ROM:31206 ; ---------------------------------------------------------------------------
ROM:31206 jmp PCI_ED
ROM:3120A ; ---------------------------------------------------------------------------
ROM:3120A jmp PCI_F0
ROM:3120E ; ---------------------------------------------------------------------------
ROM:3120E jmp PCI_B0
ROM:31212 ; ---------------------------------------------------------------------------
ROM:31212 jmp PCI_6E_6F
ROM:31216 ; ---------------------------------------------------------------------------
ROM:31216 jmp PCI_16
ROM:3121A ; ---------------------------------------------------------------------------
ROM:3121A jmp PCI_D1
ROM:3121E ; ---------------------------------------------------------------------------
ROM:3121E jmp PCI_AF
ROM:31222 ; ---------------------------------------------------------------------------
ROM:31222 jmp PCI_3F ; SKIM seed: CCD ID A6 | PCI ID 3F
ROM:31226 ; ---------------------------------------------------------------------------
ROM:31226 jmp PCI_4F_TX ; SKIM payload from PCM EEPROM
ROM:3122A ; ---------------------------------------------------------------------------
ROM:3122A jmp PCI_6E
ROM:3122E ; ---------------------------------------------------------------------------
ROM:3122E jmp Skip6E
ROM:31232 ; ---------------------------------------------------------------------------
ROM:31232 jmp PCI_VAR ; Variable PCI-bus message
ROM:31236 ; ---------------------------------------------------------------------------
ROM:31236 jmp PCI_26 ; Diagnostic response to PCI ID 24
ROM:31236 ; End of function PCI_TXIDJT
|
|
|
CCD Bus |
|
Posted by: HackMaster - 08-13-2023, 02:02 PM - Forum: Chrysler Collision Detection (C2D™) Bus Interface
- No Replies
|
 |
Code: ROM:30000 ; CCD-BUS TX STREAM LOOKUP TABLE
ROM:30000 ; Jump instruction comparison table
ROM:30000 ; Example: 6A6 -> subroutine at 306A6 -> CCD_E4
ROM:30000
ROM:30000 CCD_TXSTLT: dc.w CCDTX_E4
ROM:30002 dc.w CCDTX_84
ROM:30004 dc.w CCDTX_BEACON
ROM:30006 dc.w CCDTX_B4
ROM:30008 dc.w CCDTX_E4
ROM:3000A dc.w CCDTX_D4
ROM:3000C dc.w CCDTX_6C
ROM:3000E dc.w CCDTX_CLEAR
ROM:30010 dc.w CCDTX_E4
ROM:30012 dc.w CCDTX_24
ROM:30014 dc.w CCDTX_A4
ROM:30016 dc.w CCDTX_B4
ROM:30018 dc.w CCDTX_E4
ROM:3001A dc.w CCDTX_42
ROM:3001C dc.w CCDTX_CLEAR
ROM:3001E dc.w CCDTX_CLEAR
ROM:30020 dc.w CCDTX_E4
ROM:30022 dc.w CCDTX_84
ROM:30024 dc.w CCDTX_BEACON
ROM:30026 dc.w CCDTX_B4
ROM:30028 dc.w CCDTX_E4
ROM:3002A dc.w CCDTX_54
ROM:3002C dc.w CCDTX_CLEAR
ROM:3002E dc.w CCDTX_CLEAR
ROM:30030 dc.w CCDTX_E4
ROM:30032 dc.w CCDTX_24
ROM:30034 dc.w CCDTX_A4
ROM:30036 dc.w CCDTX_B4
ROM:30038 dc.w CCDTX_E4
ROM:3003A dc.w CCDTX_42
ROM:3003C dc.w CCDTX_CLEAR
ROM:3003E dc.w CCDTX_CLEAR
ROM:30040 dc.w CCDTX_E4
ROM:30042 dc.w CCDTX_84
ROM:30044 dc.w CCDTX_BEACON
ROM:30046 dc.w CCDTX_B4
ROM:30048 dc.w CCDTX_E4
ROM:3004A dc.w CCDTX_8C
ROM:3004C dc.w CCDTX_CLEAR
ROM:3004E dc.w CCDTX_CLEAR
ROM:30050 dc.w CCDTX_E4
ROM:30052 dc.w CCDTX_24
ROM:30054 dc.w CCDTX_A4
ROM:30056 dc.w CCDTX_B4
ROM:30058 dc.w CCDTX_E4
ROM:3005A dc.w CCDTX_42
ROM:3005C dc.w CCDTX_A5
ROM:3005E dc.w CCDTX_CLEAR
ROM:30060 dc.w CCDTX_E4
ROM:30062 dc.w CCDTX_84
ROM:30064 dc.w CCDTX_BEACON
ROM:30066 dc.w CCDTX_B4
ROM:30068 dc.w CCDTX_E4
ROM:3006A dc.w CCDTX_CC
ROM:3006C dc.w CCDTX_CLEAR
ROM:3006E dc.w CCDTX_CLEAR
ROM:30070 dc.w CCDTX_E4
ROM:30072 dc.w CCDTX_24
ROM:30074 dc.w CCDTX_A4
ROM:30076 dc.w CCDTX_B4
ROM:30078 dc.w CCDTX_E4
ROM:3007A dc.w CCDTX_42
ROM:3007C dc.w CCDTX_CLEAR
ROM:3007E dc.w CCDTX_CLEAR
ROM:30080 dc.w CCDTX_E4
ROM:30082 dc.w CCDTX_84
ROM:30084 dc.w CCDTX_BEACON
ROM:30086 dc.w CCDTX_B4
ROM:30088 dc.w CCDTX_E4
ROM:3008A dc.w CCDTX_D4
ROM:3008C dc.w CCDTX_CLEAR
ROM:3008E dc.w CCDTX_CLEAR
ROM:30090 dc.w CCDTX_E4
ROM:30092 dc.w CCDTX_24
ROM:30094 dc.w CCDTX_A4
ROM:30096 dc.w CCDTX_B4
ROM:30098 dc.w CCDTX_E4
ROM:3009A dc.w CCDTX_42
ROM:3009C dc.w CCDTX_CLEAR
ROM:3009E dc.w CCDTX_CLEAR
ROM:300A0 dc.w CCDTX_E4
ROM:300A2 dc.w CCDTX_84
ROM:300A4 dc.w CCDTX_BEACON
ROM:300A6 dc.w CCDTX_B4
ROM:300A8 dc.w CCDTX_E4
ROM:300AA dc.w CCDTX_EC
ROM:300AC dc.w CCDTX_CLEAR
ROM:300AE dc.w CCDTX_CLEAR
ROM:300B0 dc.w CCDTX_E4
ROM:300B2 dc.w CCDTX_24
ROM:300B4 dc.w CCDTX_A4
ROM:300B6 dc.w CCDTX_B4
ROM:300B8 dc.w CCDTX_E4
ROM:300BA dc.w CCDTX_42
ROM:300BC dc.w CCDTX_75
ROM:300BE dc.w CCDTX_CLEAR
ROM:300C0 dc.w CCDTX_E4
ROM:300C2 dc.w CCDTX_84
ROM:300C4 dc.w CCDTX_BEACON
ROM:300C6 dc.w CCDTX_B4
ROM:300C8 dc.w CCDTX_E4
ROM:300CA dc.w CCDTX_8C
ROM:300CC dc.w CCDTX_CLEAR
ROM:300CE dc.w CCDTX_CLEAR
ROM:300D0 dc.w CCDTX_E4
ROM:300D2 dc.w CCDTX_24
ROM:300D4 dc.w CCDTX_A4
ROM:300D6 dc.w CCDTX_B4
ROM:300D8 dc.w CCDTX_E4
ROM:300DA dc.w CCDTX_42
ROM:300DC dc.w CCDTX_CLEAR
ROM:300DE dc.w CCDTX_CLEAR
ROM:300E0 dc.w CCDTX_E4
ROM:300E2 dc.w CCDTX_84
ROM:300E4 dc.w CCDTX_BEACON
ROM:300E6 dc.w CCDTX_B4
ROM:300E8 dc.w CCDTX_E4
ROM:300EA dc.w CCDTX_AC
ROM:300EC dc.w CCDTX_CLEAR
ROM:300EE dc.w CCDTX_CLEAR
ROM:300F0 dc.w CCDTX_E4
ROM:300F2 dc.w CCDTX_24
ROM:300F4 dc.w CCDTX_A4
ROM:300F6 dc.w CCDTX_B4
ROM:300F8 dc.w CCDTX_E4
ROM:300FA dc.w CCDTX_42
ROM:300FC dc.w CCDTX_6D
ROM:300FE dc.w CCDTX_CLEAR
ROM:30100
ROM:30100 ; =============== S U B R O U T I N E =======================================
ROM:30100
ROM:30100 ; CCD-BUS TX ID JUMP TABLE
ROM:30100 ; Attributes: thunk
ROM:30100
ROM:30100 CCD_TXIDJT:
ROM:30100 jmp CCD_E4 ; Engine speed and intake manifold absolute pressure
ROM:30104 ; ---------------------------------------------------------------------------
ROM:30104 jmp CCD_CLEAR ; No CCD-bus message
ROM:30108 ; ---------------------------------------------------------------------------
ROM:30108 jmp CCD_B4 ; Vehicle speed sensor signal
ROM:3010C ; ---------------------------------------------------------------------------
ROM:3010C jmp CCD_84 ; Injector pulse width and mileage increment
ROM:30110 ; ---------------------------------------------------------------------------
ROM:30110 jmp CCD_BEACON ; Feature list transmitted once at startup
ROM:30114 ; ---------------------------------------------------------------------------
ROM:30114 jmp CCD_24 ; Vehicle speed
ROM:30118 ; ---------------------------------------------------------------------------
ROM:30118 jmp CCD_A4 ; Instrument cluster lamp state | PCI_2D
ROM:3011C ; ---------------------------------------------------------------------------
ROM:3011C jmp CCD_42 ; Relative TPS voltage and set cruise speed
ROM:30120 ; ---------------------------------------------------------------------------
ROM:30120 jmp CCD_8C ; Engine coolant temperature and ambient temperature
ROM:30124 ; ---------------------------------------------------------------------------
ROM:30124 jmp CCD_D4 ; Battery voltage and charging voltage
ROM:30128 ; ---------------------------------------------------------------------------
ROM:30128 jmp CCD_AC ; Vehicle information
ROM:3012C ; ---------------------------------------------------------------------------
ROM:3012C jmp CCD_75 ; A/C high side pressure
ROM:30130 ; ---------------------------------------------------------------------------
ROM:30130 jmp CCD_CC ; Mileage and target engine idle speed
ROM:30134 ; ---------------------------------------------------------------------------
ROM:30134 jmp CCD_54 ; Barometric pressure and intake air temperature
ROM:30138 ; ---------------------------------------------------------------------------
ROM:30138 jmp CCD_EC ; Limp-in states, fuel type and SKIM status
ROM:3013C ; ---------------------------------------------------------------------------
ROM:3013C jmp CCD_6D ; Vehicle identification number (VIN) character
ROM:30140 ; ---------------------------------------------------------------------------
ROM:30140 jmp CCD_6C ; Cruise control status update
ROM:30144 ; ---------------------------------------------------------------------------
ROM:30144 jmp CCD_A5 ; PWM fan duty cycle
ROM:30144 ; End of function CCD_TXIDJT
ROM:30144
ROM:30144 ; ---------------------------------------------------------------------------
ROM:30148
ROM:30148 ; CCD-bus beacon message ID bytes
ROM:30148 ; Payload is loaded from EEPROM
ROM:30148
ROM:30148 dc.b 36h ; CCD ID 36
ROM:30149 dc.b 0B6h ; CCD ID B6
ROM:3014A dc.b 76h ; CCD ID 76
ROM:3014B dc.b 0F6h ; CCD ID F6
ROM:3014C dc.b 0Dh ; CCD ID 0D
ROM:3014D dc.b 8Dh ; CCD ID 8D
ROM:3014E dc.b 4Dh ; CCD ID 4D
ROM:3014F dc.b 0CDh ; CCD ID CD
ROM:30150 dc.b 11h ; CCD ID 11
ROM:30151 ---list repeats---
ROM:30151 dc.b 36h ; CCD ID 36
ROM:30152 dc.b 0B6h ; CCD ID B6
ROM:30153 dc.b 76h ; CCD ID 76
ROM:30154 dc.b 0F6h ; CCD ID F6
ROM:30155 dc.b 0Dh ; CCD ID 0D
ROM:30156 dc.b 8Dh ; CCD ID 8D
ROM:30157 dc.b 4Dh ; CCD ID 4D
ROM:30158 dc.b 0CDh ; CCD ID CD
ROM:30159 dc.b 11h ; CCD ID 11
ROM:3015A dc.b 0
ROM:3015B dc.b 0FFh
ROM:3015C
ROM:3015C ; CCD-BUS RX ID LOOKUP TABLE
ROM:3015C
ROM:3015C CCD_RXIDLT: dc.b 0AAh, 85h ; CCD ID AA | Length = 5 bytes | VTSS status message
ROM:3015E dc.b 16h, 85h ; CCD ID 16 | Length = 5 bytes | SKIM status message
ROM:30160 dc.b 7Eh, 83h ; CCD ID 7E | Length = 3 bytes | A/C relay state request
ROM:30162 dc.b 91h, 84h ; CCD ID 91 | Length = 4 bytes | Update EEPROM (beacon payload)
ROM:30164 dc.b 0A1h, 84h ; CCD ID A1 | Length = 4 bytes | Transmission status
ROM:30166 dc.b 2, 83h ; CCD ID 02 | Length = 3 bytes | Shift lever position
ROM:30168 dc.b 0DCh, 83h ; CCD ID DC | Length = 3 bytes | Transmission gear selected
ROM:3016A dc.b 0A9h, 83h ; CCD ID A9 | Length = 3 bytes | Last engine shutdown (minutes)
ROM:3016C dc.b 95h, 84h ; CCD ID 95 | Length = 4 bytes | Fuel level sensor voltage and fuel level
ROM:3016E dc.b 29h, 84h ; CCD ID 29 | Length = 4 bytes | Last engine shutdown (hours and minutes)
ROM:30170 dc.b 7Ch, 84h ; CCD ID 7C | Length = 4 bytes | Transmission temperature
ROM:30172 dc.b 52h, 84h ; CCD ID 52 | Length = 4 bytes | Transmission gear request (Autostick)
ROM:30174 dc.b 56h, 86h ; CCD ID 56 | Length = 6 bytes | TCM fault code present
ROM:30176 dc.b 0BEh, 83h ; CCD ID BE | Length = 3 bytes | Ignition switch position
ROM:30178 dc.b 0Bh, 83h ; CCD ID 0B | Length = 3 bytes | SKIM cluster message (failure, warning)
ROM:3017A dc.b 0C2h, 86h ; CCD ID C2 | Length = 6 bytes | SKIM seed/key validation
Code: CCD ID 02 SHIFT LEVER POSITION
------------------------------
RX: 02 XX CS
XX:
- 01 = PARK
- 02 = REVERSE
- 03 = NEUTRAL
- 05 = DRIVE
- 06 = AUTOSHIFT
CCD ID 0A SEND DIAGNOSTIC FAILURE DATA
--------------------------------------
RX: 0A XX YY CS
XX YY = UNKNOWN
CCD ID 0B SKIM STATUS
---------------------
RX: 0B XX CS
XX = UNKNOWN
CCD ID 0C BATTERY | OIL | COOLANT | IAT
---------------------------------------------------------------------------
RX: 0C XX YY ZZ WW CS
BATTERY VOLTAGE = (XX * 0.125) [V]
OIL PRESSURE = (YY * 0.5) [PSI] or (YY * 0.5 * 6.894757) [KPA]
COOLANT TEMPERATURE = (ZZ * 1.8 - 83.2) [°F] or (ZZ - 64) [°C]
INTAKE AIR TEMPERATURE = (WW * 1.8 - 83.2) [°F] or (WW - 64) [°C]
CCD ID 0D UNKNOWN FEATURE PRESENT
---------------------------------
RX: 0D FF FF 0B
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 10 HVAC MESSAGE
----------------------
RX: 10 XX YY CS
XX YY: UNKNOWN
CCD ID 11 UNKNOWN FEATURE PRESENT
---------------------------------
RX: 11 FF FF 0F
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 12 REQUEST EEPROM READ COMPASS MINI-TRIP
-----------------------------------------------
RX: 12 XX YY ZZ WW CS
XX YY ZZ WW = UNKNOWN
CCD ID 16 VEHICLE THEFT SECURITY STATE
--------------------------------------
RX: 16 XX CS
XX:
- 00 = DISARMED
- 01 = TIMING OUT
- 02 = ARMED
- 04 = HORN AND LIGHTS
- 08 = LIGHTS ONLY
- 10 = TIMED OUT
- 20 = SELF DIAGS
CCD ID 1B LAST OS TEMPERATURE
-----------------------------
RX: 1B XX YY CS
XX YY = UNKNOWN
CCD ID 1C FUEL LEVEL COUNTS
---------------------------
CCD ID 23 COUNTRY CODE
----------------------
CCD ID 24 VEHICLE SPEED
-----------------------
CCD ID 25 FUEL TANK LEVEL
-------------------------
CCD ID 29 LAST ENGINE SHUTDOWN
------------------------------
CCD ID 2A UNKNOWN FEATURE PRESENT
---------------------------------
RX: 2A FF FF 28
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 2C WIPER
---------------
CCD ID 34 BCM TO MIC MESSAGE
----------------------------
CCD ID 35 US/METRIC STATUS | SEAT-BELT
--------------------------------------
CCD ID 36 UNKNOWN FEATURE PRESENT
---------------------------------
RX: 36 FF FF 34
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 3A INSTRUMENT CLUSTER LAMP STATES
----------------------------------------
CCD ID 3B SEND COMPENSATION AND CHECKSUM DATA
---------------------------------------------
CCD ID 42 THROTTLE POSITION SENSOR | CRUISE SET SPEED
-----------------------------------------------------
CCD ID 44 FUEL USED
-------------------
CCD ID 46 REQUEST CALIBRATION DATA
----------------------------------
CCD ID 4B N/S AND E/W A/D
-------------------------
CCD ID 4D UNKNOWN FEATURE PRESENT
---------------------------------
RX: 4D FF FF 4B
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 50 MIC LAMP STATE (AIRBAG | SEATBELT)
--------------------------------------------
CCD ID 52 TRANSMISSION STATUS / SELECTED GEAR
---------------------------------------------
CCD ID 54 BAROMETRIC PRESSURE | TEMPERATURE
-------------------------------------------
CCD ID 56 REQUESTED MIL STATE - TRANSMISSION
--------------------------------------------
CCD ID 6B COMPASS COMP. AND CHECKSUM DATA RECEIVED
--------------------------------------------------
CCD ID 6D VEHICLE IDENTIFICATION NUMBER (VIN) CHARACTER
-------------------------------------------------------
CCD ID 75 A/C HIGH SIDE PRESSURE
--------------------------------
CCD ID 76 UNKNOWN FEATURE PRESENT
---------------------------------
RX: 76 FF FF 74
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 7B OUTSIDE AIR TEMPERATURE
---------------------------------
CCD ID 7E A/C CLUTCH RELAY STATE
--------------------------------
CCD ID 83 OUTSIDE AIR TEMPERATURE
---------------------------------
CCD ID 84 PCM TO BCM MESSAGE | INCREMENT MILEAGE
------------------------------------------------
CCD ID 89 FUEL EFFICIENCY
-------------------------
CCD ID 8C ENGINE COOLANT TEMPERATURE | INTAKE AIR TEMPERATURE
-------------------------------------------------------------
CCD ID 8D UNKNOWN FEATURE PRESENT
---------------------------------
RX: 8D FF FF 8B
NOTE: RECEIVED ONCE AT STARTUP
CCD ID 8E STATUS 21
-------------------
CCD ID 93 SEND CALIBRATION AND VARIANCE DATA
--------------------------------------------
CCD ID 94 MIC GAUGE/LAMP STATE
------------------------------
CCD ID 99 COMPASS CALIBRATION AND VARIANCE DATA RECEIVED
--------------------------------------------------------
CCD ID A4 MIC LAMP STATE
------------------------
CCD ID A9 LAST ENGINE SHUTDOWN
------------------------------
CCD ID AA VEHICLE THEFT SECURITY STATE
--------------------------------------
CCD ID AC VEHICLE INFORMATION
-----------------------------
CCD ID B1 WARNING
-----------------
CCD ID B2 REQUEST
-----------------
CCD ID B4 VEHICLE SPEED SENSOR
------------------------------
CCD ID B6 UNKNOWN FEATURE PRESENT
---------------------------------
RX: B6 FF FF B4
NOTE: RECEIVED ONCE AT STARTUP
CCD ID BA REQUEST COMPASS CALIBRATION OR VARIANCE
-------------------------------------------------
CCD ID BE IGNITION SWITCH POSITION
----------------------------------
CCD ID C2 SKIM SECRET KEY
-------------------------
CCD ID C4 VEHICLE SPEED SENSOR | DISTANCE PULSES PER 344 MS
--------------------------------------------------------
CCD ID CA WRITE EEPROM
----------------------
CCD ID CB SEND COMPASS AND LAST OUTSIDE AIR TEMPERATURE DATA
------------------------------------------------------------
CCD ID CC ACCUMULATED MILEAGE
-----------------------------
CCD ID CD UNKNOWN FEATURE PRESENT
---------------------------------
RX: CD FF FF CB
NOTE: RECEIVED ONCE AT STARTUP
CCD ID CE VEHICLE DISTANCE / ODOMETER
-------------------------------------
CCD ID D3 COMPASS DISPLAY
-------------------------
CCD ID D4 BATTERY VOLTAGE | CALCULATED CHARGING VOLTAGE
-------------------------------------------------------
CCD ID DA MIC SWITCH/LAMP STATE
-------------------------------
CCD ID DB COMPASS CALL DATA | A/C CLUTCH ON
-------------------------------------------
CCD ID DC TRANSMISSION STATUS / SELECTED GEAR
---------------------------------------------
CCD ID E4 ENGINE SPEED | INTAKE MANIFOLD ABSOLUTE PRESSURE
----------------------------------------------------------
CCD ID EC VEHICLE INFORMATION
-----------------------------
CCD ID EE TRIP DISTANCE / TRIPMETER
-----------------------------------
CCD ID F1 WARNING
-----------------
CCD ID F2 RESPONSE
------------------
CCD ID F3 SWITCH MESSAGE
------------------------
CCD ID F5 ENGINE LAMP CTRL
--------------------------
CCD ID F6 UNKNOWN FEATURE PRESENT
---------------------------------
RX: F6 FF FF F4
NOTE: RECEIVED ONCE AT STARTUP
CCD ID FD COMPASS COMP. AND TEMPERATURE DATA RECEIVED
-----------------------------------------------------
CCD ID FE INTERIOR LAMP DIMMING
-------------------------------
CCD ID FF CCD-BUS WAKE UP
-------------------------
|
|
|
|