So, a few other analysis tips:
- Try to find out which variables and functions are called most often. These are likely to be the most important.
- Note where a variable is referenced. The subroutines that share common variables are related.
- Take special note of where variables are modified. Often a variable that is referenced in a dozen or more places is only set in one place; therefore the code that sets this variable influences all of the other routines.
Mode 1 provides information about the current state of the engine. The '01 NB supports the following Mode 1 PIDs:
- 00 - PIDs supported (01-20)
- 01 - Monitor status since DTCs cleared
- 03 - Fuel system status
- 04 - Calculated engine load value
- 05 - Engine coolant temperature
- 06 - Short term fuel % trim - Bank 1
- 07 - Long term fuel % trim - Bank 1
- 0C - Engine RPM
- 0D - Vehicle speed
- 0E - Timing advance
- 0F - Intake air temperature
- 10 - MAF air flow rate
- 11 - Throttle position
- 13 - Oxygen sensors present
- 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
- 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
- 1C - OBD standards this vehicle conforms to
- 20 - PIDs supported (21-40)
- 21 - Distance traveled with MIL on
You can get all of the above info with any generic OBD scantool. But the following additional details can only be determined from looking at the code:
PID 00 - PIDs supported (01-20)
The subroutine that creates the reply message is at address 285A6.
Return value indicates that 01, 03-07, 0C-11, 13-15, 1C and 20 are supported. However, PIDs 15 and 20 will only be indicated as supported if the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe).
PID 01 - Monitor status since DTCs cleared
The subroutine that creates the reply message is at address 285D8.
The subroutine that counts active DTCs is at 2866A. Not all DTCs are counted: only the ones that match a specified set of categories. More on this later.
If the 5th bit of RAM location 104C1 is set, this means the check engine light (MIL) is on. Alternatively, if the 1st and 3rd bits of 10000 are 0 and the 4th bit of 104C2 is 1, that also means the MIL is on.
If the ECU is configured to conform to OBD-II as defined by CARB, the following tests are available:
- Misfire
- Fuel System
- Components
- Catalyst
- Evaporative System
- Oxygen Sensor
- Oxygen Sensor Heater
- EGR System
- Misfire
- Fuel System
- Components
- Catalyst
- Oxygen Sensor
- Oxygen Sensor Heater
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 286D2.
If the 2nd bit of 10190 is 0, the fuel system is open loop due to engine load OR fuel cut due to deacceleration.
Otherwise if the 4th bit of 1028E is 0, the fuel system is open loop due to insufficient engine temperature.
Otherwise if the first bit of 1028E is 0, the fuel system is open loop due to system failure.
Otherwise if the 2nd bit of 0104E6 is 0, the fuel system is closed loop, using oxygen sensor feedback to determine fuel mix.
Otherwise the fuel system is closed loop, using at least one oxygen sensor but there is a fault in the feedback system.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 286E2.
The byte at RAM location 100D8 is proportional to calculated engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 286F2.
The byte at RAM location 100FF is proportional to (engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28702.
The word at RAM location 10296 is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28712.
The word at RAM location 102D8 is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 28722.
The word at RAM location 10078 is proportional to RPM. This variable is almost certainly used with fuel and timing lookup tables. I haven't located them yet, but I hope to soon.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 28732.
The byte at RAM location 10141 is proportional to vehicle speed.
The subroutine at 29F8E is used to calculate vehicle speed, and could probably be modified to account for different wheel/tire sizes.
PID 0E - Timing advance
The subroutine that creates the reply message is at address 28744.
The byte at RAM location 103BE is related to timing advance. This variable is likely calculated from lookup tables.
PID 0F - Intake air temperature
The subroutine that creates the reply message is at address 28764.
The byte at RAM location 1013B is proportional to intake air temperature.
PID 10 - MAF air flow rate
The subroutine that creates the reply message is at address 28774.
The word at RAM location 100CC is proportional to MAF air flow rate.
PID 11 - Throttle position
The subroutine that creates the reply message is at address 28780.
Throttle position % is stored in the byte at RAM location 10102.
PID 13 - Oxygen sensors present
The subroutine that creates the reply message is at address 2878C.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report Bank 1 Sensors 1 and 2 present.
Otherwise, only Bank 1 Sensor 1 is reported as present.
PID 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287A4.
The reply "A" byte is proportional to the byte at RAM location 10160.
The reply "B" byte is a function of the word at RAM location 10296 (same as in PID 06).
PID 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287C2.
The reply "A" byte is proportional to the byte at RAM location 10172.
The reply "B" byte is #FF.
PID 1C - OBD standards this vehicle conforms to
The subroutine that creates the reply message is at address 287DA.
If the 4th bit of 10000 is set, this vehicle conforms to OBD-II as defined by the CARB.
Otherwise, if the 2nd bit of 10000 is set, this vehicle conforms to EOBD (Europe).
Otherwise, this vehicle is not meant to comply with any OBD standard.
PID 20 - PIDs supported (21-40)
The subroutine that creates the reply message is at address 287F4.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report that PID 21 is supported. Otherwise, none.
PID 21 - Distance traveled with MIL on
The subroutine that creates the reply message is at address 28826.
The word at RAM location 104DE is the number of km traveled with the MIL on.
Whew - OK, that's all for Mode 1. Next time I'll describe Mode 2. The ECU supports standard modes 1-8 and a little over a dozen other non-standard modes, and I plan to describe all of them, in order.
Good day, very interesting article, is this PID codes generic for all the make of cars or is this specific to one manufacturer?
ReplyDeleteI am trying to find the OBDII routine in a disassembly and was wondering how to go about. I know the RPM variable but cannot recognise any OBDII routines, any tips or advise will be appreciated
Cheers
Mode 1 PIDs are generic. I think some are required to be supported by all manufacturers, while others are optional. And of course, manufacturers also add their own custom PIDs.
ReplyDeleteAs for locating the OBD II routines, start with the code that controls the communication to the OBD port. In a Miata, it's a serial port, so you start by looking for any code that makes use of the MCU's serial port. From there, since you know the PIDs for various sensors, you can begin to figure out which analog or digital input is associated with that sensor, and so on.
Thanks, J. From your experience, would sensors usually be in the RAM section? (Dealing with HC11 processor in extended mode)
ReplyDeleteYes, everything that changes is in RAM. Things that are static, like lookup tables, are in ROM.
Delete