I've been reverse-engineering ECUs since 2001. This blog is to share what I've learned about Honda and Mazda ECUs and to provide you with tips and advice if you would like to hack your own ECU.
Tuesday, December 20, 2011
Season's Greetings
Hi to everyone who's stumbled across this blog! As so often happens in life, you sometimes get busy doing other stuff and all of a sudden a few months have gone by. I was very surprised to see that there have been a lot more views than I expected since I last posted. I will resolve to continue posting in 2012! See you in the new year.
Tuesday, April 12, 2011
NB Miata - OBD Mode 8
Today I'm going to talk about Mode 8. It's been a while since I posted, partly because I have been busy with other things, and partly because I was hoping to have a more complete picture of what Mode 8 does. Unfortunately, it's still mostly a mystery to me. But at least I can tell you what I know.
In general Mode 8 is used to control some on-board system, sometimes to create conditions necessary to test a component or subsystem. In my ECU, here's the quick summary:
I hope to eventually unravel the complete story. In the meantime, if you are willing to try, you can see if you can get your car to accept a Mode 8 PID 1 command and see if you can tell how your car's behavior changes. I doubt very much that Mazda would build in a test that could potentially damage your car, but of course I can't guarantee it, so proceed at your own risk.
Next time, Mode 9? Sorry, but the NB Miata doesn't support Mode 9. In fact, the next higher supported mode is Mode 13.
In general Mode 8 is used to control some on-board system, sometimes to create conditions necessary to test a component or subsystem. In my ECU, here's the quick summary:
- In the NB Miata, it only applies to OBD-II vehicles. Any other flavor will simply respond to a Mode 8 request with an error reply.
- Only two PIDs are supported: 00 and 01.
- The request message must be 11 bytes long, so must be zero-padded. And the extra bytes cannot be anything other than zero.
- PID 0 is just a PIDs supported request. Since I'm telling you now that only 0 and 1 are supported, this is no longer of any use to you.
- If a PID 1 request is sent and bit 0 of 10055 is set at the time, then the ECU will set bit 0 of 108ED and respond with an affirmative OBD reply.
I hope to eventually unravel the complete story. In the meantime, if you are willing to try, you can see if you can get your car to accept a Mode 8 PID 1 command and see if you can tell how your car's behavior changes. I doubt very much that Mazda would build in a test that could potentially damage your car, but of course I can't guarantee it, so proceed at your own risk.
Next time, Mode 9? Sorry, but the NB Miata doesn't support Mode 9. In fact, the next higher supported mode is Mode 13.
Tuesday, February 22, 2011
NB Miata - OBD Mode 7, and Mode 3 update
Mode 7 is similar to Mode 3, in that it does not take any PIDs, and reports on DTCs. They are so similar, in fact, that they share the same subroutines to generate responses to requests. However, while Mode 3 responds by reporting active DTCs, Mode 7 reports pending DTCs - that is, problems that have been detected but have not yet risen to the level of severity of an active DTC.
Another key difference between the two is that they support a slightly different set of DTCs. When I first listed the DTCs in the Mode 3 post, I thought that Mode 3 could report all of them. However, upon closer inspection, it turns out that only a subset of them will ever show up in a Mode 3 response. Similarly, the Mode 7 DTCs are a subset of the Mode 3 DTCs.
Rather than re-list the DTCs that are associated with Mode 7, I'll just list the numbers. You can refer to the previous Mode 3 post for more info.
Mode 7 DTCs
P0011, P0012, P0031, P0032, P0037, P0038, P0101, P0106, P0111, P0116, P0121, P0125, P0126, P0128, P0131, P0132, P0133, P0134, P0138, P0140, P0171, P0172, P0300, P0301, P0302, P0303, P0304, P0401, P0402, P0420, P0421, P0442, P0451, P0443, P0452, P0453, P0455, P0461, P0462, P0463, P0464, P0480, P0500, P0506, P0507, P0550, P0703, P0704, P0706, P0715, P0725, P0741, P0742, P0751, P0752, P0756, P0757, P0850, P1450, P1496, P1497, P1498, P1499, P1512, P1518, P1569, P1570
Mode 3 DTCs
(the above list), plus: P0010, P0102, P0103, P0107, P0108, P0112, P0113, P0117, P0118, P0122, P0123, P0222, P0223, P0327, P0328, P0335, P0340, P0505, P0720, P0743, P0753, P0758, P1562, P1601
Finally, there are a few other modes that report DTCs, and have their own subset of DTCs. More on these later. Up next: Mode 8.
Another key difference between the two is that they support a slightly different set of DTCs. When I first listed the DTCs in the Mode 3 post, I thought that Mode 3 could report all of them. However, upon closer inspection, it turns out that only a subset of them will ever show up in a Mode 3 response. Similarly, the Mode 7 DTCs are a subset of the Mode 3 DTCs.
Rather than re-list the DTCs that are associated with Mode 7, I'll just list the numbers. You can refer to the previous Mode 3 post for more info.
Mode 7 DTCs
P0011, P0012, P0031, P0032, P0037, P0038, P0101, P0106, P0111, P0116, P0121, P0125, P0126, P0128, P0131, P0132, P0133, P0134, P0138, P0140, P0171, P0172, P0300, P0301, P0302, P0303, P0304, P0401, P0402, P0420, P0421, P0442, P0451, P0443, P0452, P0453, P0455, P0461, P0462, P0463, P0464, P0480, P0500, P0506, P0507, P0550, P0703, P0704, P0706, P0715, P0725, P0741, P0742, P0751, P0752, P0756, P0757, P0850, P1450, P1496, P1497, P1498, P1499, P1512, P1518, P1569, P1570
Mode 3 DTCs
(the above list), plus: P0010, P0102, P0103, P0107, P0108, P0112, P0113, P0117, P0118, P0122, P0123, P0222, P0223, P0327, P0328, P0335, P0340, P0505, P0720, P0743, P0753, P0758, P1562, P1601
Finally, there are a few other modes that report DTCs, and have their own subset of DTCs. More on these later. Up next: Mode 8.
Sunday, February 20, 2011
NB Miata - OBD Mode 6, part 1
There is some interest in Mode 6 because the information it provides can sometimes give "early warning" of problems, and also because it tends to be poorly documented (unless you pay for access to the information). Here's what I've been able to piece together from looking at the code. Although I prefer not to post before I think I fully understand a mode, in this case I decided to just write up what I've found so far, because it may be a while before I figure it out completely. Until then, perhaps this partial explanation may prove useful to someone.
Mode 6 supports the following TIDs (the request should only be the mode and the TID, with no other data bytes, which means a total request length of 6 bytes when you include the header and checksum byte):
00 - TIDs supported 01-20 (they are: 01, 02, 03, 04, 05, 06, 11, and 20)
20 - TIDs supported 21-40 (they are: 21, 22, 31, 32, and 40)
40 - TIDs supported 41-60 (only 41)
01 - for component ID (CID) 11, the test value stored at 10F56 needs to be less than 422
02 - for CID 11, the test value stored at 10D46 needs to be less than 62
03 - for CID 11, the test value stored at 10D4A needs to be less than 50
04 - for CIDs 01 and 02, the test value stored at 10970 needs to be greater than zero
05 - for CID 01, the test value stored at 10972 needs to be greater than zero
06 - for CID 01, the test value stored at 10974 needs to be greater than zero
11 - for CID 11, the test value stored at 10F5A needs to be greater than 40
21 - for CID 00, the test value stored at 10F6A needs to be less than the limit value stored at 10F6E
22 - for CID 00, the test value stored at 10F6C needs to be less than the limit value stored at 10F70
31 - for CID 00, the test value stored at 10F72 needs to be less than the limit value stored at 10F74
32 - for CID 00, the test value stored at 10F76 needs to be greater than the limit value stored at 10978
41 - for CID 00, the test value stored at 10F5C needs to be less than the limit value stored at 10F5E and greater than the limit store at 10F60
I got a little help by comparing the format of the reply message that the code puts together to the ISO 15031-5 spec. However, I don't yet know what each test value represents. I also don't know what components CIDs 0, 1, 2 and 11 refer to. I don't even know what the limit values are in some cases (although you could determine this pretty easily by simply plugging a scantool into the car and sending the appropriate Mode 6 requests). If anyone has this information and would like to share, please post a comment. I should eventually be able to figure it out on my own from looking at the code, but I would definitely appreciate it if someone could save me the time by telling me what the above tests are all about.
Next time, Mode 7, which is very similar to Mode 3.
Mode 6 supports the following TIDs (the request should only be the mode and the TID, with no other data bytes, which means a total request length of 6 bytes when you include the header and checksum byte):
00 - TIDs supported 01-20 (they are: 01, 02, 03, 04, 05, 06, 11, and 20)
20 - TIDs supported 21-40 (they are: 21, 22, 31, 32, and 40)
40 - TIDs supported 41-60 (only 41)
01 - for component ID (CID) 11, the test value stored at 10F56 needs to be less than 422
02 - for CID 11, the test value stored at 10D46 needs to be less than 62
03 - for CID 11, the test value stored at 10D4A needs to be less than 50
04 - for CIDs 01 and 02, the test value stored at 10970 needs to be greater than zero
05 - for CID 01, the test value stored at 10972 needs to be greater than zero
06 - for CID 01, the test value stored at 10974 needs to be greater than zero
11 - for CID 11, the test value stored at 10F5A needs to be greater than 40
21 - for CID 00, the test value stored at 10F6A needs to be less than the limit value stored at 10F6E
22 - for CID 00, the test value stored at 10F6C needs to be less than the limit value stored at 10F70
31 - for CID 00, the test value stored at 10F72 needs to be less than the limit value stored at 10F74
32 - for CID 00, the test value stored at 10F76 needs to be greater than the limit value stored at 10978
41 - for CID 00, the test value stored at 10F5C needs to be less than the limit value stored at 10F5E and greater than the limit store at 10F60
I got a little help by comparing the format of the reply message that the code puts together to the ISO 15031-5 spec. However, I don't yet know what each test value represents. I also don't know what components CIDs 0, 1, 2 and 11 refer to. I don't even know what the limit values are in some cases (although you could determine this pretty easily by simply plugging a scantool into the car and sending the appropriate Mode 6 requests). If anyone has this information and would like to share, please post a comment. I should eventually be able to figure it out on my own from looking at the code, but I would definitely appreciate it if someone could save me the time by telling me what the above tests are all about.
Next time, Mode 7, which is very similar to Mode 3.
Thursday, February 17, 2011
NB Miata - OBD Mode 5
If you thought Mode 4 was simple, Mode 5 is, in some ways, even simpler. At least a Mode 4 request causes something to happen. Mode 5 requests only return information, and that information never changes!
Mode 5 is meant to return information that is used for oxygen sensor monitoring. In the NB, only the following TIDs are supported:
Next up, Mode 6.
Mode 5 is meant to return information that is used for oxygen sensor monitoring. In the NB, only the following TIDs are supported:
- 00xx - this is the TIDs supported TID. It must be two bytes, but the second byte can be anything. The reply tells you that only TIDs 1 and 2 are supported
- 0101 - returns the rich-to-lean threshold voltage for O2 sensor 1
- 0102 - returns the rich-to-lean threshold voltage for O2 sensor 2
- 0201 - returns the lean-to-rich threshold voltage for O2 sensor 1
- 0202 - returns the lean-to-rich threshold voltage for O2 sensor 2
Next up, Mode 6.
Saturday, February 5, 2011
NB Miata - OBD Mode 4
This is a very simple mode. There are no PIDs. A mode 4 message tells the ECU to clear all DTCs.
Under the hood, the way it works is as follows. There are a slew of subroutines that periodically monitor the car's health and set DTCs as necessary. If you send a mode 4 message (with no PID - if you send a PID, it won't work), the ECU sets a bit (108E7, bit 2) to let these subroutines know that they should clear their associated DTCs. At the same time this bit is set, a countdown timer at 1094E is set to 30. When it counts down to zero, the "clear DTCs" bit is cleared, and the system returns to normal operation. I haven't yet worked out how long the ECU takes to countdown from 30 to 0.
Last time I said that I would post some details on the immobilizer system. I have been working on it, a lot, and have learned a lot, too, but I don't feel like I have enough of the big picture to share yet. So, maybe next time. Otherwise, the next post will be on OBD Mode 5.
Under the hood, the way it works is as follows. There are a slew of subroutines that periodically monitor the car's health and set DTCs as necessary. If you send a mode 4 message (with no PID - if you send a PID, it won't work), the ECU sets a bit (108E7, bit 2) to let these subroutines know that they should clear their associated DTCs. At the same time this bit is set, a countdown timer at 1094E is set to 30. When it counts down to zero, the "clear DTCs" bit is cleared, and the system returns to normal operation. I haven't yet worked out how long the ECU takes to countdown from 30 to 0.
Last time I said that I would post some details on the immobilizer system. I have been working on it, a lot, and have learned a lot, too, but I don't feel like I have enough of the big picture to share yet. So, maybe next time. Otherwise, the next post will be on OBD Mode 5.
Wednesday, January 19, 2011
NB Miata - OBD Mode 3 and DTCs
Update: 2/22/11
I originally thought that Mode 3 could report any of the DTCs listed below. This is incorrect. The list below is actually the complete list of all DTCs the ECU can generate, but only some of the DTCs in the list are associated with Mode 3 (see my Mode 7 post for the list). The other DTCs are associated with other modes. More on these later.
OBD Mode 3 is used to return Diagnostic Trouble Codes (DTCs). It does not support any PIDs - a mode 3 request only consists of the mode (other than the 3 header bytes and final checksum byte). If any DTCs are active, the DTCs are returned as two-byte binary-coded-decimal numbers, in groups of three DTCs at a time.
I'm still trying to understand the details of how the code works that determines which DTCs are set and when, but for this post I'll just list the possible DTCs this ECU can report. I'll post more details on OBD Mode 3 at a later time.
All possible DTCs (see http://www.obd-codes.com/trouble_codes/ for details)
P0010 - "A" Camshaft Position Actuator Circuit (Bank 1)
P0011 - "A" Camshaft Position - Timing Over-Advanced or System Performance (Bank 1)
P0012 - "A" Camshaft Position - Timing Over-Retarded (Bank 1)
P0031 - HO2S Heater Control Circuit Low (Bank 1 Sensor 1)
P0032 - HO2S Heater Control Circuit High (Bank 1 Sensor 1)
P0037 - HO2S Heater Control Circuit Low (Bank 1 Sensor 2)
P0038 - HO2S Heater Control Circuit High (Bank 1 Sensor 2)
P0101 - Mass Air Flow Circuit Range/Performance Problem
P0102 - Mass Air Flow Circuit Low Input
P0103 - Mass Air Flow Circuit High Input
P0106 - Manifold Absolute Pressure/Barometric Pressure Circuit Range/Performance Problem
P0107 - Manifold Absolute Pressure/Barometric Pressure Circuit Low Input
P0108 - Manifold Absolute Pressure/Barometric Pressure Circuit High Input
P0111 - Intake Air Temperature Circuit Range/Performance Problem
P0112 - Intake Air Temperature Circuit Low Input
P0113 - Intake Air Temperature Circuit High Input
P0116 - Engine Coolant Temperature Circuit Range/Performance Problem
P0117 - Engine Coolant Temperature Circuit Low Input
P0118 - Engine Coolant Temperature Circuit High Input
P0121 - Throttle Position Sensor/Switch A Circuit Range/Performance Problem
P0122 - Throttle Position Sensor/Switch A Circuit Low Input
P0123 - Throttle Position Sensor/Switch A Circuit High Input
P0125 - Insufficient Coolant Temperature for Closed Loop Fuel Control
P0126 - Insufficient Coolant Temperature for Stable Operation
P0128 - Coolant Thermostat (Coolant Temperature Below Thermostat Regulating Temperature)
P0131 - 02 Sensor Circuit Low Voltage (Bank I Sensor I)
P0132 - 02 Sensor Circuit High Voltage (Bank I Sensor 1)
P0133 - 02 Sensor Circuit Slow Response (Bank 1 Sensor 1)
P0134 - 02 Sensor Circuit No Activity Detected (Bank I Sensor 1)
P0138 - 02 Sensor Circuit High Voltage (Bank I Sensor 2)
P0140 - 02 Sensor Circuit No Activity Detected (Bank 1 Sensor 2)
P0171 - System too Lean (Bank 1)
P0172 - System too Rich (Bank 1)
P0222 - Throttle/Petal Position Sensor/Switch B Circuit Low Input
P0223 - Throttle/Petal Position Sensor/Switch B Circuit High Input
P0300 - Random/Multiple Cylinder Misfire Detected
P0301 - Cylinder 1 Misfire Detected
P0302 - Cylinder 2 Misfire Detected
P0303 - Cylinder 3 Misfire Detected
P0304 - Cylinder 4 Misfire Detected
P0327 - Knock Sensor 1 Circuit Low Input (Bank I or Single Sensor)
P0328 - Knock Sensor 1 Circuit High Input (Bank I or Single Sensor)
P0335 - Crankshaft Position Sensor A Circuit Malfunction
P0340 - Camshaft Position Sensor Circuit Malfunction
P0401 - Exhaust Gas Recirculation Flow Insufficient Detected
P0402 - Exhaust Gas Recirculation Flow Excessive Detected
P0420 - Catalyst System Efficiency Below Threshold (Bank 1)
P0421 - Warm Up Catalyst Efficiency Below Threshold (Bank 1)
P0442 - Evaporative Emission Control System Leak Detected (small leak)
P0443 - Evaporative Emission Control System Purge Control Valve Circuit
P0451 - Evaporative Emission Control System Pressure Sensor Range/Performance
P0452 - Evaporative Emission Control System Pressure Sensor Low Input
P0453 - Evaporative Emission Control System Pressure Sensor High Input
P0455 - Evaporative Emission Control System Leak Detected (gross leak)
P0461 - Fuel Level Sensor Circuit Range/Performance
P0462 - Fuel Level Sensor Circuit Low Input
P0463 - Fuel Level Sensor Circuit High Input
P0464 - Fuel Level Sensor Circuit Intermittent
P0480 - Cooling Fan I Control Circuit Malfunction
P0500 - Vehicle Speed Sensor Malfunction
P0505 - Idle Control System Malfunction
P0506 - Idle Control System duty cycle Lower Than Expected
P0507 - Idle Control System duty cycle Higher Than Expected
P0550 - Power Steering Pressure Sensor Circuit Malfunction
P0605 - Internal Control Module Read Only Memory (ROM) Error
P0703 - Torque Converter/Brake Switch B Circuit Malfunction
P0704 - Clutch Switch Input Circuit Malfunction
P0705 - Transmission Range Sensor Circuit malfunction (PRNDL Input)
P0706 - Transmission Range Sensor Circuit Range/Performance
P0715 - Input/Turbine Speed Sensor Circuit Malfunction
P0720 - Output Speed Sensor Circuit Malfunction
P0725 - Engine Speed input Circuit Malfunction
P0741 - Torque Converter Clutch Circuit Performance or Stuck Off
P0742 - Torque Converter Clutch Circuit Stuck On
P0743 - Torque Converter Clutch Circuit Electrical
P0751 - Shift Solenoid A Performance or Stuck Off
P0752 - Shift Solenoid A Stuck On
P0753 - Shift Solenoid A Electrical
P0756 - Shift Solenoid B Performance or Stock Off
P0757 - Shift Solenoid B Stuck On
P0758 - Shift Solenoid B Electrical
P0850 - Neutral switch input circuit problem http://foxed.ca/rx7manual/2003mazdarx8/esicont/en/srvc/html/BHE010200800W01.html)
P1449 - Evaporative Check Solenoid Circuit (http://www.aboutautomobile.com/DTC/P1449)
P1450 - Unable to Bleed Up Fuel Tank Vacuum (this and the rest can be found at aboutautomobile.com)
P1487 - Exhaust Gas Recirculation Check Solenoid Circuit
P1496 - EGR Stepper Motor 1 Control Circuit Low/High
P1497 - EGR Stepper Motor 2 Control Circuit Low/High
P1498 - EGR Stepper Motor 3 Control Circuit Low/High
P1499 - EGR Stepper Motor 4 Control Circuit Low/High
P1512 - Intake Manifold Runner Control Circuit (IMRC) Bank 1 stuck closed
P1518 - IMRC stuck open
P1562 - PCM backup + terminal voltage low
P1569 - IMRC circuit malfunction
P1570 - IMRC circuit malfunction
P1601 - ECM/TCM Serial Communication Error
P1602 - Immobilizer/ECM Communication Error
P1603 - ID Number Unregistered
P1604 - Code word Unregistered
P1608 - PCM Internal Circuit
P1621 - Immobilizer Code Words Do Not Match
P1622 - Immobilizer ID Does Not Match
P1623 - Immobilizer Code Word/ID Number Write Failure
P1624 -Vehicle anti-theft system malfunction
P1631 - Alternator Regulator #2 Control Circuit
P1633 - Generator Control System - over charge
P1634 - Generator Control System - no charge
I'm interested in analyzing the code behind the immobilizer-related DTCs. I'll take a look and maybe post what I find next time.
I originally thought that Mode 3 could report any of the DTCs listed below. This is incorrect. The list below is actually the complete list of all DTCs the ECU can generate, but only some of the DTCs in the list are associated with Mode 3 (see my Mode 7 post for the list). The other DTCs are associated with other modes. More on these later.
OBD Mode 3 is used to return Diagnostic Trouble Codes (DTCs). It does not support any PIDs - a mode 3 request only consists of the mode (other than the 3 header bytes and final checksum byte). If any DTCs are active, the DTCs are returned as two-byte binary-coded-decimal numbers, in groups of three DTCs at a time.
I'm still trying to understand the details of how the code works that determines which DTCs are set and when, but for this post I'll just list the possible DTCs this ECU can report. I'll post more details on OBD Mode 3 at a later time.
All possible DTCs (see http://www.obd-codes.com/trouble_codes/ for details)
P0010 - "A" Camshaft Position Actuator Circuit (Bank 1)
P0011 - "A" Camshaft Position - Timing Over-Advanced or System Performance (Bank 1)
P0012 - "A" Camshaft Position - Timing Over-Retarded (Bank 1)
P0031 - HO2S Heater Control Circuit Low (Bank 1 Sensor 1)
P0032 - HO2S Heater Control Circuit High (Bank 1 Sensor 1)
P0037 - HO2S Heater Control Circuit Low (Bank 1 Sensor 2)
P0038 - HO2S Heater Control Circuit High (Bank 1 Sensor 2)
P0101 - Mass Air Flow Circuit Range/Performance Problem
P0102 - Mass Air Flow Circuit Low Input
P0103 - Mass Air Flow Circuit High Input
P0106 - Manifold Absolute Pressure/Barometric Pressure Circuit Range/Performance Problem
P0107 - Manifold Absolute Pressure/Barometric Pressure Circuit Low Input
P0108 - Manifold Absolute Pressure/Barometric Pressure Circuit High Input
P0111 - Intake Air Temperature Circuit Range/Performance Problem
P0112 - Intake Air Temperature Circuit Low Input
P0113 - Intake Air Temperature Circuit High Input
P0116 - Engine Coolant Temperature Circuit Range/Performance Problem
P0117 - Engine Coolant Temperature Circuit Low Input
P0118 - Engine Coolant Temperature Circuit High Input
P0121 - Throttle Position Sensor/Switch A Circuit Range/Performance Problem
P0122 - Throttle Position Sensor/Switch A Circuit Low Input
P0123 - Throttle Position Sensor/Switch A Circuit High Input
P0125 - Insufficient Coolant Temperature for Closed Loop Fuel Control
P0126 - Insufficient Coolant Temperature for Stable Operation
P0128 - Coolant Thermostat (Coolant Temperature Below Thermostat Regulating Temperature)
P0131 - 02 Sensor Circuit Low Voltage (Bank I Sensor I)
P0132 - 02 Sensor Circuit High Voltage (Bank I Sensor 1)
P0133 - 02 Sensor Circuit Slow Response (Bank 1 Sensor 1)
P0134 - 02 Sensor Circuit No Activity Detected (Bank I Sensor 1)
P0138 - 02 Sensor Circuit High Voltage (Bank I Sensor 2)
P0140 - 02 Sensor Circuit No Activity Detected (Bank 1 Sensor 2)
P0171 - System too Lean (Bank 1)
P0172 - System too Rich (Bank 1)
P0222 - Throttle/Petal Position Sensor/Switch B Circuit Low Input
P0223 - Throttle/Petal Position Sensor/Switch B Circuit High Input
P0300 - Random/Multiple Cylinder Misfire Detected
P0301 - Cylinder 1 Misfire Detected
P0302 - Cylinder 2 Misfire Detected
P0303 - Cylinder 3 Misfire Detected
P0304 - Cylinder 4 Misfire Detected
P0327 - Knock Sensor 1 Circuit Low Input (Bank I or Single Sensor)
P0328 - Knock Sensor 1 Circuit High Input (Bank I or Single Sensor)
P0335 - Crankshaft Position Sensor A Circuit Malfunction
P0340 - Camshaft Position Sensor Circuit Malfunction
P0401 - Exhaust Gas Recirculation Flow Insufficient Detected
P0402 - Exhaust Gas Recirculation Flow Excessive Detected
P0420 - Catalyst System Efficiency Below Threshold (Bank 1)
P0421 - Warm Up Catalyst Efficiency Below Threshold (Bank 1)
P0442 - Evaporative Emission Control System Leak Detected (small leak)
P0443 - Evaporative Emission Control System Purge Control Valve Circuit
P0451 - Evaporative Emission Control System Pressure Sensor Range/Performance
P0452 - Evaporative Emission Control System Pressure Sensor Low Input
P0453 - Evaporative Emission Control System Pressure Sensor High Input
P0455 - Evaporative Emission Control System Leak Detected (gross leak)
P0461 - Fuel Level Sensor Circuit Range/Performance
P0462 - Fuel Level Sensor Circuit Low Input
P0463 - Fuel Level Sensor Circuit High Input
P0464 - Fuel Level Sensor Circuit Intermittent
P0480 - Cooling Fan I Control Circuit Malfunction
P0500 - Vehicle Speed Sensor Malfunction
P0505 - Idle Control System Malfunction
P0506 - Idle Control System duty cycle Lower Than Expected
P0507 - Idle Control System duty cycle Higher Than Expected
P0550 - Power Steering Pressure Sensor Circuit Malfunction
P0605 - Internal Control Module Read Only Memory (ROM) Error
P0703 - Torque Converter/Brake Switch B Circuit Malfunction
P0704 - Clutch Switch Input Circuit Malfunction
P0705 - Transmission Range Sensor Circuit malfunction (PRNDL Input)
P0706 - Transmission Range Sensor Circuit Range/Performance
P0715 - Input/Turbine Speed Sensor Circuit Malfunction
P0720 - Output Speed Sensor Circuit Malfunction
P0725 - Engine Speed input Circuit Malfunction
P0741 - Torque Converter Clutch Circuit Performance or Stuck Off
P0742 - Torque Converter Clutch Circuit Stuck On
P0743 - Torque Converter Clutch Circuit Electrical
P0751 - Shift Solenoid A Performance or Stuck Off
P0752 - Shift Solenoid A Stuck On
P0753 - Shift Solenoid A Electrical
P0756 - Shift Solenoid B Performance or Stock Off
P0757 - Shift Solenoid B Stuck On
P0758 - Shift Solenoid B Electrical
P0850 - Neutral switch input circuit problem http://foxed.ca/rx7manual/2003mazdarx8/esicont/en/srvc/html/BHE010200800W01.html)
P1449 - Evaporative Check Solenoid Circuit (http://www.aboutautomobile.com/DTC/P1449)
P1450 - Unable to Bleed Up Fuel Tank Vacuum (this and the rest can be found at aboutautomobile.com)
P1487 - Exhaust Gas Recirculation Check Solenoid Circuit
P1496 - EGR Stepper Motor 1 Control Circuit Low/High
P1497 - EGR Stepper Motor 2 Control Circuit Low/High
P1498 - EGR Stepper Motor 3 Control Circuit Low/High
P1499 - EGR Stepper Motor 4 Control Circuit Low/High
P1512 - Intake Manifold Runner Control Circuit (IMRC) Bank 1 stuck closed
P1518 - IMRC stuck open
P1562 - PCM backup + terminal voltage low
P1569 - IMRC circuit malfunction
P1570 - IMRC circuit malfunction
P1601 - ECM/TCM Serial Communication Error
P1602 - Immobilizer/ECM Communication Error
P1603 - ID Number Unregistered
P1604 - Code word Unregistered
P1608 - PCM Internal Circuit
P1621 - Immobilizer Code Words Do Not Match
P1622 - Immobilizer ID Does Not Match
P1623 - Immobilizer Code Word/ID Number Write Failure
P1624 -Vehicle anti-theft system malfunction
P1631 - Alternator Regulator #2 Control Circuit
P1633 - Generator Control System - over charge
P1634 - Generator Control System - no charge
I'm interested in analyzing the code behind the immobilizer-related DTCs. I'll take a look and maybe post what I find next time.
Sunday, January 9, 2011
NB Miata, OBD Mode 2
Today's post is pretty brief, as I'm planning to do one post per OBD Mode, and there's not a lot to say about Mode 2.
OBD Mode 2 is similar to Mode 1. However, whereas Mode 1 is used to obtain current diagnostic data, Mode 2 PIDs return freeze frame data. That is, they report the state of the engine when the last DTC occurred.
For the NB, the following Mode 2 PIDs are supported (a few less than Mode 1):
The subroutine that creates the reply message is at address 2885C.
Return value indicates that 02-07, 0C-0D are supported.
PID 02 - Freeze DTC
The subroutine that creates the reply message is at address 28870.
Returns the DTC which the freeze data is associated with. If there is no DTC, it returns 0.
If the byte at RAM location 10EF4 is non-zero, it means there is a DTC.
The Freeze DTC value is stored as a word at RAM location 10F28.
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 28886.
The freeze frame data for fuel system status is stored in a byte at RAM location 10F21.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 28894.
The byte at RAM location 10F18 is proportional to calculated freeze frame engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 288A4.
The byte at RAM location 10F20 is proportional to (freeze frame engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288B4.
The word at RAM location 10F1C is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288C4.
The word at RAM location 10F1E is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 288D4.
The word at RAM location 10F1A is proportional to RPM.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 288E4.
The byte at RAM location 10F1F is proportional to vehicle speed.
OBD Mode 2 is similar to Mode 1. However, whereas Mode 1 is used to obtain current diagnostic data, Mode 2 PIDs return freeze frame data. That is, they report the state of the engine when the last DTC occurred.
For the NB, the following Mode 2 PIDs are supported (a few less than Mode 1):
- 00 - PIDs supported (01-20)
- 02 - Freeze DTC
- 03 - Fuel system status
- 04 - Calculated engine load value
- 05 - Engine coolant temperature
- 06 - Short term fuel % trim - Bank 1
- 07 - Long term fuel % trim - Bank 1
- 0C - Engine RPM
- 0D - Vehicle speed
The subroutine that creates the reply message is at address 2885C.
Return value indicates that 02-07, 0C-0D are supported.
PID 02 - Freeze DTC
The subroutine that creates the reply message is at address 28870.
Returns the DTC which the freeze data is associated with. If there is no DTC, it returns 0.
If the byte at RAM location 10EF4 is non-zero, it means there is a DTC.
The Freeze DTC value is stored as a word at RAM location 10F28.
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 28886.
The freeze frame data for fuel system status is stored in a byte at RAM location 10F21.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 28894.
The byte at RAM location 10F18 is proportional to calculated freeze frame engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 288A4.
The byte at RAM location 10F20 is proportional to (freeze frame engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288B4.
The word at RAM location 10F1C is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 288C4.
The word at RAM location 10F1E is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 288D4.
The word at RAM location 10F1A is proportional to RPM.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 288E4.
The byte at RAM location 10F1F is proportional to vehicle speed.
Saturday, January 8, 2011
NB Miata Specifics, OBD Mode 1
So far, I've given you some general guidelines for extracting your ECU's firmware image and some suggestions for how to begin analyzing it. I'll just mention a few other analysis tips, and then I want to switch gears to talk about the specifics of what I'm learning about the NB Miata ECU.
So, a few other analysis tips:
Mode 1 provides information about the current state of the engine. The '01 NB supports the following Mode 1 PIDs:
You can get all of the above info with any generic OBD scantool. But the following additional details can only be determined from looking at the code:
PID 00 - PIDs supported (01-20)
The subroutine that creates the reply message is at address 285A6.
Return value indicates that 01, 03-07, 0C-11, 13-15, 1C and 20 are supported. However, PIDs 15 and 20 will only be indicated as supported if the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe).
PID 01 - Monitor status since DTCs cleared
The subroutine that creates the reply message is at address 285D8.
The subroutine that counts active DTCs is at 2866A. Not all DTCs are counted: only the ones that match a specified set of categories. More on this later.
If the 5th bit of RAM location 104C1 is set, this means the check engine light (MIL) is on. Alternatively, if the 1st and 3rd bits of 10000 are 0 and the 4th bit of 104C2 is 1, that also means the MIL is on.
If the ECU is configured to conform to OBD-II as defined by CARB, the following tests are available:
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 286D2.
If the 2nd bit of 10190 is 0, the fuel system is open loop due to engine load OR fuel cut due to deacceleration.
Otherwise if the 4th bit of 1028E is 0, the fuel system is open loop due to insufficient engine temperature.
Otherwise if the first bit of 1028E is 0, the fuel system is open loop due to system failure.
Otherwise if the 2nd bit of 0104E6 is 0, the fuel system is closed loop, using oxygen sensor feedback to determine fuel mix.
Otherwise the fuel system is closed loop, using at least one oxygen sensor but there is a fault in the feedback system.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 286E2.
The byte at RAM location 100D8 is proportional to calculated engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 286F2.
The byte at RAM location 100FF is proportional to (engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28702.
The word at RAM location 10296 is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28712.
The word at RAM location 102D8 is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 28722.
The word at RAM location 10078 is proportional to RPM. This variable is almost certainly used with fuel and timing lookup tables. I haven't located them yet, but I hope to soon.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 28732.
The byte at RAM location 10141 is proportional to vehicle speed.
The subroutine at 29F8E is used to calculate vehicle speed, and could probably be modified to account for different wheel/tire sizes.
PID 0E - Timing advance
The subroutine that creates the reply message is at address 28744.
The byte at RAM location 103BE is related to timing advance. This variable is likely calculated from lookup tables.
PID 0F - Intake air temperature
The subroutine that creates the reply message is at address 28764.
The byte at RAM location 1013B is proportional to intake air temperature.
PID 10 - MAF air flow rate
The subroutine that creates the reply message is at address 28774.
The word at RAM location 100CC is proportional to MAF air flow rate.
PID 11 - Throttle position
The subroutine that creates the reply message is at address 28780.
Throttle position % is stored in the byte at RAM location 10102.
PID 13 - Oxygen sensors present
The subroutine that creates the reply message is at address 2878C.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report Bank 1 Sensors 1 and 2 present.
Otherwise, only Bank 1 Sensor 1 is reported as present.
PID 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287A4.
The reply "A" byte is proportional to the byte at RAM location 10160.
The reply "B" byte is a function of the word at RAM location 10296 (same as in PID 06).
PID 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287C2.
The reply "A" byte is proportional to the byte at RAM location 10172.
The reply "B" byte is #FF.
PID 1C - OBD standards this vehicle conforms to
The subroutine that creates the reply message is at address 287DA.
If the 4th bit of 10000 is set, this vehicle conforms to OBD-II as defined by the CARB.
Otherwise, if the 2nd bit of 10000 is set, this vehicle conforms to EOBD (Europe).
Otherwise, this vehicle is not meant to comply with any OBD standard.
PID 20 - PIDs supported (21-40)
The subroutine that creates the reply message is at address 287F4.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report that PID 21 is supported. Otherwise, none.
PID 21 - Distance traveled with MIL on
The subroutine that creates the reply message is at address 28826.
The word at RAM location 104DE is the number of km traveled with the MIL on.
Whew - OK, that's all for Mode 1. Next time I'll describe Mode 2. The ECU supports standard modes 1-8 and a little over a dozen other non-standard modes, and I plan to describe all of them, in order.
So, a few other analysis tips:
- Try to find out which variables and functions are called most often. These are likely to be the most important.
- Note where a variable is referenced. The subroutines that share common variables are related.
- Take special note of where variables are modified. Often a variable that is referenced in a dozen or more places is only set in one place; therefore the code that sets this variable influences all of the other routines.
Mode 1 provides information about the current state of the engine. The '01 NB supports the following Mode 1 PIDs:
- 00 - PIDs supported (01-20)
- 01 - Monitor status since DTCs cleared
- 03 - Fuel system status
- 04 - Calculated engine load value
- 05 - Engine coolant temperature
- 06 - Short term fuel % trim - Bank 1
- 07 - Long term fuel % trim - Bank 1
- 0C - Engine RPM
- 0D - Vehicle speed
- 0E - Timing advance
- 0F - Intake air temperature
- 10 - MAF air flow rate
- 11 - Throttle position
- 13 - Oxygen sensors present
- 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
- 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
- 1C - OBD standards this vehicle conforms to
- 20 - PIDs supported (21-40)
- 21 - Distance traveled with MIL on
You can get all of the above info with any generic OBD scantool. But the following additional details can only be determined from looking at the code:
PID 00 - PIDs supported (01-20)
The subroutine that creates the reply message is at address 285A6.
Return value indicates that 01, 03-07, 0C-11, 13-15, 1C and 20 are supported. However, PIDs 15 and 20 will only be indicated as supported if the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe).
PID 01 - Monitor status since DTCs cleared
The subroutine that creates the reply message is at address 285D8.
The subroutine that counts active DTCs is at 2866A. Not all DTCs are counted: only the ones that match a specified set of categories. More on this later.
If the 5th bit of RAM location 104C1 is set, this means the check engine light (MIL) is on. Alternatively, if the 1st and 3rd bits of 10000 are 0 and the 4th bit of 104C2 is 1, that also means the MIL is on.
If the ECU is configured to conform to OBD-II as defined by CARB, the following tests are available:
- Misfire
- Fuel System
- Components
- Catalyst
- Evaporative System
- Oxygen Sensor
- Oxygen Sensor Heater
- EGR System
- Misfire
- Fuel System
- Components
- Catalyst
- Oxygen Sensor
- Oxygen Sensor Heater
PID 03 - Fuel system status
The subroutine that creates the reply message is at address 286D2.
If the 2nd bit of 10190 is 0, the fuel system is open loop due to engine load OR fuel cut due to deacceleration.
Otherwise if the 4th bit of 1028E is 0, the fuel system is open loop due to insufficient engine temperature.
Otherwise if the first bit of 1028E is 0, the fuel system is open loop due to system failure.
Otherwise if the 2nd bit of 0104E6 is 0, the fuel system is closed loop, using oxygen sensor feedback to determine fuel mix.
Otherwise the fuel system is closed loop, using at least one oxygen sensor but there is a fault in the feedback system.
PID 04 - Calculated engine load value
The subroutine that creates the reply message is at address 286E2.
The byte at RAM location 100D8 is proportional to calculated engine load value.
PID 05 - Engine coolant temperature
The subroutine that creates the reply message is at address 286F2.
The byte at RAM location 100FF is proportional to (engine coolant temperature + 40 degrees C).
PID 06 - Short term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28702.
The word at RAM location 10296 is related to short term fuel % trim.
PID 07 - Long term fuel % trim - Bank 1
The subroutine that creates the reply message is at address 28712.
The word at RAM location 102D8 is related to long term fuel % trim.
PID 0C - Engine RPM
The subroutine that creates the reply message is at address 28722.
The word at RAM location 10078 is proportional to RPM. This variable is almost certainly used with fuel and timing lookup tables. I haven't located them yet, but I hope to soon.
PID 0D - Vehicle speed
The subroutine that creates the reply message is at address 28732.
The byte at RAM location 10141 is proportional to vehicle speed.
The subroutine at 29F8E is used to calculate vehicle speed, and could probably be modified to account for different wheel/tire sizes.
PID 0E - Timing advance
The subroutine that creates the reply message is at address 28744.
The byte at RAM location 103BE is related to timing advance. This variable is likely calculated from lookup tables.
PID 0F - Intake air temperature
The subroutine that creates the reply message is at address 28764.
The byte at RAM location 1013B is proportional to intake air temperature.
PID 10 - MAF air flow rate
The subroutine that creates the reply message is at address 28774.
The word at RAM location 100CC is proportional to MAF air flow rate.
PID 11 - Throttle position
The subroutine that creates the reply message is at address 28780.
Throttle position % is stored in the byte at RAM location 10102.
PID 13 - Oxygen sensors present
The subroutine that creates the reply message is at address 2878C.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report Bank 1 Sensors 1 and 2 present.
Otherwise, only Bank 1 Sensor 1 is reported as present.
PID 14 - Bank 1, Sensor 1: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287A4.
The reply "A" byte is proportional to the byte at RAM location 10160.
The reply "B" byte is a function of the word at RAM location 10296 (same as in PID 06).
PID 15 - Bank 1, Sensor 2: O2S Voltage, Short term fuel trim
The subroutine that creates the reply message is at address 287C2.
The reply "A" byte is proportional to the byte at RAM location 10172.
The reply "B" byte is #FF.
PID 1C - OBD standards this vehicle conforms to
The subroutine that creates the reply message is at address 287DA.
If the 4th bit of 10000 is set, this vehicle conforms to OBD-II as defined by the CARB.
Otherwise, if the 2nd bit of 10000 is set, this vehicle conforms to EOBD (Europe).
Otherwise, this vehicle is not meant to comply with any OBD standard.
PID 20 - PIDs supported (21-40)
The subroutine that creates the reply message is at address 287F4.
If the ECU is configured to conform to OBD-II as defined by CARB or to EOBD (Europe), it will report that PID 21 is supported. Otherwise, none.
PID 21 - Distance traveled with MIL on
The subroutine that creates the reply message is at address 28826.
The word at RAM location 104DE is the number of km traveled with the MIL on.
Whew - OK, that's all for Mode 1. Next time I'll describe Mode 2. The ECU supports standard modes 1-8 and a little over a dozen other non-standard modes, and I plan to describe all of them, in order.
Subscribe to:
Posts (Atom)