Update: 2/22/11
I originally thought that Mode 3 could report any of the DTCs listed below. This is incorrect. The list below is actually the complete list of all DTCs the ECU can generate, but only some of the DTCs in the list are associated with Mode 3 (see my Mode 7 post for the list). The other DTCs are associated with other modes. More on these later.
OBD Mode 3 is used to return Diagnostic Trouble Codes (DTCs). It does not support any PIDs - a mode 3 request only consists of the mode (other than the 3 header bytes and final checksum byte). If any DTCs are active, the DTCs are returned as two-byte binary-coded-decimal numbers, in groups of three DTCs at a time.
I'm still trying to understand the details of how the code works that determines which DTCs are set and when, but for this post I'll just list the possible DTCs this ECU can report. I'll post more details on OBD Mode 3 at a later time.
All possible DTCs (see http://www.obd-codes.com/trouble_codes/ for details)
P0010 - "A" Camshaft Position Actuator Circuit (Bank 1)
P0011 - "A" Camshaft Position - Timing Over-Advanced or System Performance (Bank 1)
P0012 - "A" Camshaft Position - Timing Over-Retarded (Bank 1)
P0031 - HO2S Heater Control Circuit Low (Bank 1 Sensor 1)
P0032 - HO2S Heater Control Circuit High (Bank 1 Sensor 1)
P0037 - HO2S Heater Control Circuit Low (Bank 1 Sensor 2)
P0038 - HO2S Heater Control Circuit High (Bank 1 Sensor 2)
P0101 - Mass Air Flow Circuit Range/Performance Problem
P0102 - Mass Air Flow Circuit Low Input
P0103 - Mass Air Flow Circuit High Input
P0106 - Manifold Absolute Pressure/Barometric Pressure Circuit Range/Performance Problem
P0107 - Manifold Absolute Pressure/Barometric Pressure Circuit Low Input
P0108 - Manifold Absolute Pressure/Barometric Pressure Circuit High Input
P0111 - Intake Air Temperature Circuit Range/Performance Problem
P0112 - Intake Air Temperature Circuit Low Input
P0113 - Intake Air Temperature Circuit High Input
P0116 - Engine Coolant Temperature Circuit Range/Performance Problem
P0117 - Engine Coolant Temperature Circuit Low Input
P0118 - Engine Coolant Temperature Circuit High Input
P0121 - Throttle Position Sensor/Switch A Circuit Range/Performance Problem
P0122 - Throttle Position Sensor/Switch A Circuit Low Input
P0123 - Throttle Position Sensor/Switch A Circuit High Input
P0125 - Insufficient Coolant Temperature for Closed Loop Fuel Control
P0126 - Insufficient Coolant Temperature for Stable Operation
P0128 - Coolant Thermostat (Coolant Temperature Below Thermostat Regulating Temperature)
P0131 - 02 Sensor Circuit Low Voltage (Bank I Sensor I)
P0132 - 02 Sensor Circuit High Voltage (Bank I Sensor 1)
P0133 - 02 Sensor Circuit Slow Response (Bank 1 Sensor 1)
P0134 - 02 Sensor Circuit No Activity Detected (Bank I Sensor 1)
P0138 - 02 Sensor Circuit High Voltage (Bank I Sensor 2)
P0140 - 02 Sensor Circuit No Activity Detected (Bank 1 Sensor 2)
P0171 - System too Lean (Bank 1)
P0172 - System too Rich (Bank 1)
P0222 - Throttle/Petal Position Sensor/Switch B Circuit Low Input
P0223 - Throttle/Petal Position Sensor/Switch B Circuit High Input
P0300 - Random/Multiple Cylinder Misfire Detected
P0301 - Cylinder 1 Misfire Detected
P0302 - Cylinder 2 Misfire Detected
P0303 - Cylinder 3 Misfire Detected
P0304 - Cylinder 4 Misfire Detected
P0327 - Knock Sensor 1 Circuit Low Input (Bank I or Single Sensor)
P0328 - Knock Sensor 1 Circuit High Input (Bank I or Single Sensor)
P0335 - Crankshaft Position Sensor A Circuit Malfunction
P0340 - Camshaft Position Sensor Circuit Malfunction
P0401 - Exhaust Gas Recirculation Flow Insufficient Detected
P0402 - Exhaust Gas Recirculation Flow Excessive Detected
P0420 - Catalyst System Efficiency Below Threshold (Bank 1)
P0421 - Warm Up Catalyst Efficiency Below Threshold (Bank 1)
P0442 - Evaporative Emission Control System Leak Detected (small leak)
P0443 - Evaporative Emission Control System Purge Control Valve Circuit
P0451 - Evaporative Emission Control System Pressure Sensor Range/Performance
P0452 - Evaporative Emission Control System Pressure Sensor Low Input
P0453 - Evaporative Emission Control System Pressure Sensor High Input
P0455 - Evaporative Emission Control System Leak Detected (gross leak)
P0461 - Fuel Level Sensor Circuit Range/Performance
P0462 - Fuel Level Sensor Circuit Low Input
P0463 - Fuel Level Sensor Circuit High Input
P0464 - Fuel Level Sensor Circuit Intermittent
P0480 - Cooling Fan I Control Circuit Malfunction
P0500 - Vehicle Speed Sensor Malfunction
P0505 - Idle Control System Malfunction
P0506 - Idle Control System duty cycle Lower Than Expected
P0507 - Idle Control System duty cycle Higher Than Expected
P0550 - Power Steering Pressure Sensor Circuit Malfunction
P0605 - Internal Control Module Read Only Memory (ROM) Error
P0703 - Torque Converter/Brake Switch B Circuit Malfunction
P0704 - Clutch Switch Input Circuit Malfunction
P0705 - Transmission Range Sensor Circuit malfunction (PRNDL Input)
P0706 - Transmission Range Sensor Circuit Range/Performance
P0715 - Input/Turbine Speed Sensor Circuit Malfunction
P0720 - Output Speed Sensor Circuit Malfunction
P0725 - Engine Speed input Circuit Malfunction
P0741 - Torque Converter Clutch Circuit Performance or Stuck Off
P0742 - Torque Converter Clutch Circuit Stuck On
P0743 - Torque Converter Clutch Circuit Electrical
P0751 - Shift Solenoid A Performance or Stuck Off
P0752 - Shift Solenoid A Stuck On
P0753 - Shift Solenoid A Electrical
P0756 - Shift Solenoid B Performance or Stock Off
P0757 - Shift Solenoid B Stuck On
P0758 - Shift Solenoid B Electrical
P0850 - Neutral switch input circuit problem http://foxed.ca/rx7manual/2003mazdarx8/esicont/en/srvc/html/BHE010200800W01.html)
P1449 - Evaporative Check Solenoid Circuit (http://www.aboutautomobile.com/DTC/P1449)
P1450 - Unable to Bleed Up Fuel Tank Vacuum (this and the rest can be found at aboutautomobile.com)
P1487 - Exhaust Gas Recirculation Check Solenoid Circuit
P1496 - EGR Stepper Motor 1 Control Circuit Low/High
P1497 - EGR Stepper Motor 2 Control Circuit Low/High
P1498 - EGR Stepper Motor 3 Control Circuit Low/High
P1499 - EGR Stepper Motor 4 Control Circuit Low/High
P1512 - Intake Manifold Runner Control Circuit (IMRC) Bank 1 stuck closed
P1518 - IMRC stuck open
P1562 - PCM backup + terminal voltage low
P1569 - IMRC circuit malfunction
P1570 - IMRC circuit malfunction
P1601 - ECM/TCM Serial Communication Error
P1602 - Immobilizer/ECM Communication Error
P1603 - ID Number Unregistered
P1604 - Code word Unregistered
P1608 - PCM Internal Circuit
P1621 - Immobilizer Code Words Do Not Match
P1622 - Immobilizer ID Does Not Match
P1623 - Immobilizer Code Word/ID Number Write Failure
P1624 -Vehicle anti-theft system malfunction
P1631 - Alternator Regulator #2 Control Circuit
P1633 - Generator Control System - over charge
P1634 - Generator Control System - no charge
I'm interested in analyzing the code behind the immobilizer-related DTCs. I'll take a look and maybe post what I find next time.
I've been reverse-engineering ECUs since 2001. This blog is to share what I've learned about Honda and Mazda ECUs and to provide you with tips and advice if you would like to hack your own ECU.
Wednesday, January 19, 2011
Sunday, January 9, 2011
NB Miata, OBD Mode 2
Today's post is pretty brief, as I'm planning to do one post per OBD Mode, and there's not a lot to say about Mode 2.
OBD Mode 2 is similar to Mode 1. However, whereas Mode 1 is used to obtain current diagnostic data, Mode 2 PIDs return freeze frame data. That is, they report the state of the engine when the last DTC occurred.
For the NB, the following Mode 2 PIDs are supported (a few less than Mode 1):
The subroutine that creates the reply message is at address 2885C.
Return value indicates that 02-07, 0C-0D are supported.
PID 02 - Freeze DTC
The subroutine that creates the reply message is at address 28870.
Returns the DTC which the freeze data is associated with. If there is no DTC, it returns 0.
If the byte at RAM location 10EF4 is non-zero, it means there is a DTC.
The Freeze DTC value is stored as a word at RAM location 10F28.
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 28886.
The freeze frame data for fuel system status is stored in a byte at RAM location 10F21.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 28894.
The byte at RAM location 10F18 is proportional to calculated freeze frame engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 288A4.
The byte at RAM location 10F20 is proportional to (freeze frame engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288B4.
The word at RAM location 10F1C is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288C4.
The word at RAM location 10F1E is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 288D4.
The word at RAM location 10F1A is proportional to RPM.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 288E4.
The byte at RAM location 10F1F is proportional to vehicle speed.
OBD Mode 2 is similar to Mode 1. However, whereas Mode 1 is used to obtain current diagnostic data, Mode 2 PIDs return freeze frame data. That is, they report the state of the engine when the last DTC occurred.
For the NB, the following Mode 2 PIDs are supported (a few less than Mode 1):
- 00 - PIDs supported (01-20)
- 02 - Freeze DTC
- 03 - Fuel system status
- 04 - Calculated engine load value
- 05 - Engine coolant temperature
- 06 - Short term fuel % trim - Bank 1
- 07 - Long term fuel % trim - Bank 1
- 0C - Engine RPM
- 0D - Vehicle speed
The subroutine that creates the reply message is at address 2885C.
Return value indicates that 02-07, 0C-0D are supported.
PID 02 - Freeze DTC
The subroutine that creates the reply message is at address 28870.
Returns the DTC which the freeze data is associated with. If there is no DTC, it returns 0.
If the byte at RAM location 10EF4 is non-zero, it means there is a DTC.
The Freeze DTC value is stored as a word at RAM location 10F28.
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 28886.
The freeze frame data for fuel system status is stored in a byte at RAM location 10F21.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 28894.
The byte at RAM location 10F18 is proportional to calculated freeze frame engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 288A4.
The byte at RAM location 10F20 is proportional to (freeze frame engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288B4.
The word at RAM location 10F1C is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288C4.
The word at RAM location 10F1E is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 288D4.
The word at RAM location 10F1A is proportional to RPM.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 288E4.
The byte at RAM location 10F1F is proportional to vehicle speed.
Saturday, January 8, 2011
NB Miata Specifics, OBD Mode 1
So far, I've given you some general guidelines for extracting your ECU's firmware image and some suggestions for how to begin analyzing it. I'll just mention a few other analysis tips, and then I want to switch gears to talk about the specifics of what I'm learning about the NB Miata ECU.
So, a few other analysis tips:
Mode 1 provides information about the current state of the engine. The '01 NB supports the following Mode 1 PIDs:
You can get all of the above info with any generic OBD scantool. But the following additional details can only be determined from looking at the code:
PID 00 - PIDs supported (01-20)
The subroutine that creates the reply message is at address 285A6.
Return value indicates that 01, 03-07, 0C-11, 13-15, 1C and 20 are supported. However, PIDs 15 and 20 will only be indicated as supported if the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe).
PID 01 - Monitor status since DTCs cleared
The subroutine that creates the reply message is at address 285D8.
The subroutine that counts active DTCs is at 2866A. Not all DTCs are counted: only the ones that match a specified set of categories. More on this later.
If the 5th bit of RAM location 104C1 is set, this means the check engine light (MIL) is on. Alternatively, if the 1st and 3rd bits of 10000 are 0 and the 4th bit of 104C2 is 1, that also means the MIL is on.
If the ECU is configured to conform to OBD-II as defined by CARB, the following tests are available:
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 286D2.
If the 2nd bit of 10190 is 0, the fuel system is open loop due to engine load OR fuel cut due to deacceleration.
Otherwise if the 4th bit of 1028E is 0, the fuel system is open loop due to insufficient engine temperature.
Otherwise if the first bit of 1028E is 0, the fuel system is open loop due to system failure.
Otherwise if the 2nd bit of 0104E6 is 0, the fuel system is closed loop, using oxygen sensor feedback to determine fuel mix.
Otherwise the fuel system is closed loop, using at least one oxygen sensor but there is a fault in the feedback system.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 286E2.
The byte at RAM location 100D8 is proportional to calculated engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 286F2.
The byte at RAM location 100FF is proportional to (engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28702.
The word at RAM location 10296 is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28712.
The word at RAM location 102D8 is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 28722.
The word at RAM location 10078 is proportional to RPM. This variable is almost certainly used with fuel and timing lookup tables. I haven't located them yet, but I hope to soon.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 28732.
The byte at RAM location 10141 is proportional to vehicle speed.
The subroutine at 29F8E is used to calculate vehicle speed, and could probably be modified to account for different wheel/tire sizes.
PID 0E - Timing advance
The subroutine that creates the reply message is at address 28744.
The byte at RAM location 103BE is related to timing advance. This variable is likely calculated from lookup tables.
PID 0F - Intake air temperature
The subroutine that creates the reply message is at address 28764.
The byte at RAM location 1013B is proportional to intake air temperature.
PID 10 - MAF air flow rate
The subroutine that creates the reply message is at address 28774.
The word at RAM location 100CC is proportional to MAF air flow rate.
PID 11 - Throttle position
The subroutine that creates the reply message is at address 28780.
Throttle position % is stored in the byte at RAM location 10102.
PID 13 - Oxygen sensors present
The subroutine that creates the reply message is at address 2878C.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report Bank 1 Sensors 1 and 2 present.
Otherwise, only Bank 1 Sensor 1 is reported as present.
PID 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287A4.
The reply "A" byte is proportional to the byte at RAM location 10160.
The reply "B" byte is a function of the word at RAM location 10296 (same as in PID 06).
PID 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287C2.
The reply "A" byte is proportional to the byte at RAM location 10172.
The reply "B" byte is #FF.
PID 1C - OBD standards this vehicle conforms to
The subroutine that creates the reply message is at address 287DA.
If the 4th bit of 10000 is set, this vehicle conforms to OBD-II as defined by the CARB.
Otherwise, if the 2nd bit of 10000 is set, this vehicle conforms to EOBD (Europe).
Otherwise, this vehicle is not meant to comply with any OBD standard.
PID 20 - PIDs supported (21-40)
The subroutine that creates the reply message is at address 287F4.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report that PID 21 is supported. Otherwise, none.
PID 21 - Distance traveled with MIL on
The subroutine that creates the reply message is at address 28826.
The word at RAM location 104DE is the number of km traveled with the MIL on.
Whew - OK, that's all for Mode 1. Next time I'll describe Mode 2. The ECU supports standard modes 1-8 and a little over a dozen other non-standard modes, and I plan to describe all of them, in order.
So, a few other analysis tips:
- Try to find out which variables and functions are called most often. These are likely to be the most important.
- Note where a variable is referenced. The subroutines that share common variables are related.
- Take special note of where variables are modified. Often a variable that is referenced in a dozen or more places is only set in one place; therefore the code that sets this variable influences all of the other routines.
Mode 1 provides information about the current state of the engine. The '01 NB supports the following Mode 1 PIDs:
- 00 - PIDs supported (01-20)
- 01 - Monitor status since DTCs cleared
- 03 - Fuel system status
- 04 - Calculated engine load value
- 05 - Engine coolant temperature
- 06 - Short term fuel % trim - Bank 1
- 07 - Long term fuel % trim - Bank 1
- 0C - Engine RPM
- 0D - Vehicle speed
- 0E - Timing advance
- 0F - Intake air temperature
- 10 - MAF air flow rate
- 11 - Throttle position
- 13 - Oxygen sensors present
- 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
- 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
- 1C - OBD standards this vehicle conforms to
- 20 - PIDs supported (21-40)
- 21 - Distance traveled with MIL on
You can get all of the above info with any generic OBD scantool. But the following additional details can only be determined from looking at the code:
PID 00 - PIDs supported (01-20)
The subroutine that creates the reply message is at address 285A6.
Return value indicates that 01, 03-07, 0C-11, 13-15, 1C and 20 are supported. However, PIDs 15 and 20 will only be indicated as supported if the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe).
PID 01 - Monitor status since DTCs cleared
The subroutine that creates the reply message is at address 285D8.
The subroutine that counts active DTCs is at 2866A. Not all DTCs are counted: only the ones that match a specified set of categories. More on this later.
If the 5th bit of RAM location 104C1 is set, this means the check engine light (MIL) is on. Alternatively, if the 1st and 3rd bits of 10000 are 0 and the 4th bit of 104C2 is 1, that also means the MIL is on.
If the ECU is configured to conform to OBD-II as defined by CARB, the following tests are available:
- Misfire
- Fuel System
- Components
- Catalyst
- Evaporative System
- Oxygen Sensor
- Oxygen Sensor Heater
- EGR System
- Misfire
- Fuel System
- Components
- Catalyst
- Oxygen Sensor
- Oxygen Sensor Heater
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 286D2.
If the 2nd bit of 10190 is 0, the fuel system is open loop due to engine load OR fuel cut due to deacceleration.
Otherwise if the 4th bit of 1028E is 0, the fuel system is open loop due to insufficient engine temperature.
Otherwise if the first bit of 1028E is 0, the fuel system is open loop due to system failure.
Otherwise if the 2nd bit of 0104E6 is 0, the fuel system is closed loop, using oxygen sensor feedback to determine fuel mix.
Otherwise the fuel system is closed loop, using at least one oxygen sensor but there is a fault in the feedback system.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 286E2.
The byte at RAM location 100D8 is proportional to calculated engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 286F2.
The byte at RAM location 100FF is proportional to (engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28702.
The word at RAM location 10296 is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28712.
The word at RAM location 102D8 is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 28722.
The word at RAM location 10078 is proportional to RPM. This variable is almost certainly used with fuel and timing lookup tables. I haven't located them yet, but I hope to soon.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 28732.
The byte at RAM location 10141 is proportional to vehicle speed.
The subroutine at 29F8E is used to calculate vehicle speed, and could probably be modified to account for different wheel/tire sizes.
PID 0E - Timing advance
The subroutine that creates the reply message is at address 28744.
The byte at RAM location 103BE is related to timing advance. This variable is likely calculated from lookup tables.
PID 0F - Intake air temperature
The subroutine that creates the reply message is at address 28764.
The byte at RAM location 1013B is proportional to intake air temperature.
PID 10 - MAF air flow rate
The subroutine that creates the reply message is at address 28774.
The word at RAM location 100CC is proportional to MAF air flow rate.
PID 11 - Throttle position
The subroutine that creates the reply message is at address 28780.
Throttle position % is stored in the byte at RAM location 10102.
PID 13 - Oxygen sensors present
The subroutine that creates the reply message is at address 2878C.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report Bank 1 Sensors 1 and 2 present.
Otherwise, only Bank 1 Sensor 1 is reported as present.
PID 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287A4.
The reply "A" byte is proportional to the byte at RAM location 10160.
The reply "B" byte is a function of the word at RAM location 10296 (same as in PID 06).
PID 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287C2.
The reply "A" byte is proportional to the byte at RAM location 10172.
The reply "B" byte is #FF.
PID 1C - OBD standards this vehicle conforms to
The subroutine that creates the reply message is at address 287DA.
If the 4th bit of 10000 is set, this vehicle conforms to OBD-II as defined by the CARB.
Otherwise, if the 2nd bit of 10000 is set, this vehicle conforms to EOBD (Europe).
Otherwise, this vehicle is not meant to comply with any OBD standard.
PID 20 - PIDs supported (21-40)
The subroutine that creates the reply message is at address 287F4.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report that PID 21 is supported. Otherwise, none.
PID 21 - Distance traveled with MIL on
The subroutine that creates the reply message is at address 28826.
The word at RAM location 104DE is the number of km traveled with the MIL on.
Whew - OK, that's all for Mode 1. Next time I'll describe Mode 2. The ECU supports standard modes 1-8 and a little over a dozen other non-standard modes, and I plan to describe all of them, in order.