Jump to content

CAN Messages


TheReaper

Recommended Posts

Hi All,

Out of curiosity, would any of you have any information on the below messages within the FG PCM.

 

I have the following messages completed (anything with xx has been completed)

ID    Data                  

097   xx xx 00 7E 00 00 xx xx

120   00 00 xx xx 00 00 00 00

12D   xx xx xx 00 xx xx 00 01

200   01 82 02 51 xx xx C0 00

207   xx xx xx xx xx xx xx 00

230   00 FF 82 06 68 00 00 01

425   xx xx xx 0C 80 03 xx xx

427   xx xx xx xx xx 00 05 xx

44D   00 00 00 00 xx xx xx CA

4C0   00 00 00 00 00 00 00 00

623   xx xx xx xx 00 00 00 00

640   xx xx xx xx xx 00 xx 00

650   xx xx 00 00 00 00 00 00

6F6   xx xx xx xx xx xx xx xx

 

Currently I have the following on the remaining messages:

0x200 Byte0&1 moves in the same way that 0x097 Byte 3 does however they are inverse (0x097 value increases where 0x200 value decreases) and its 16 bit rather than 8.

The value moves with RPM, and has a jump in the opposite direction and freezes when the engine speed limiter is active.

0x200 Decimal values range from around 590@500rpm to 500@6000 however goes to 386 when the engine speed limiter is active.

0x097 Decimal values range from around 35@500rpm to 126@6000 and doesn’t change when the engine speed limiter is active. (

Both of these numbers are also affected by Injector Duty.

 

0x200 Byte2&3 decreases with RPM between 0rpm and 1100rpm starting with a decimal value of 593 and ending with 240.

 

0x200 Byte6 seems to have some bit information for engine states. (Mask 0x02 – Engine Cranking)

0x12D Byte7 seems to have some bit information for engine states. (Mask 0x04 – Engine Cranking)

 

0x097 Byte5 goes to 0 when the speed limiter is active.

 

Thanks!!

Link to comment
Share on other sites

I now have a few more completed:
ID    Data                   
097   xx xx 00 7E 00 00 xx xx
120   xx xx xx xx 00 00 00 00
12D   xx xx xx 00 xx xx 00 01
200   01 82 02 51 xx xx C0 00
207   xx xx xx xx xx xx xx xx
230   00 FF 82 06 68 00 00 01
425   xx xx xx xx xx 03 xx xx
427   xx xx xx xx xx 00 05 xx
44D   00 00 00 00 xx xx xx xx
4C0   00 00 00 00 00 00 00 00
623   xx xx xx xx 00 00 00 00
640   xx xx xx xx xx 00 xx 00
650   xx xx 00 00 00 00 00 00
6F6   xx xx xx xx xx xx xx xx

 

The one that i am very interested in at the moment is the 7E value in 0x97. it seems to increase with RPM but not in a linear fashion, and i cant seem to work out what it is.

It also has an effect on one of the torque output values.

 

Link to comment
Share on other sites

I'll have to do some logging on my FG, would you be willing to list the data (i.e. what the messages are for) for what you've found?

I've been messing with BA, BF & some FG Can-Bus stuff, its cool but sometimes a bit tedious.

Here's my list of what I have so far, I'll update it when I get some more. You've probably identified alot of it already though.

BA-FGX_CanBusID.xlsx

Link to comment
Share on other sites

On 4/24/2019 at 10:46 AM, TheReaper said:

Hi All,

Out of curiosity, would any of you have any information on the below messages within the FG PCM.

 Currently I have the following on the remaining messages:

0x200 Byte0&1 moves in the same way that 0x097 Byte 3 does however they are inverse (0x097 value increases where 0x200 value decreases) and its 16 bit rather than 8.

The value moves with RPM, and has a jump in the opposite direction and freezes when the engine speed limiter is active.

0x200 Decimal values range from around 590@500rpm to 500@6000 however goes to 386 when the engine speed limiter is active.

0x097 Decimal values range from around 35@500rpm to 126@6000 and doesn’t change when the engine speed limiter is active. (

Both of these numbers are also affected by Injector Duty.

 

0x200 Byte2&3 decreases with RPM between 0rpm and 1100rpm starting with a decimal value of 593 and ending with 240.

 

0x200 Byte6 seems to have some bit information for engine states. (Mask 0x02 – Engine Cranking)

0x12D Byte7 seems to have some bit information for engine states. (Mask 0x04 – Engine Cranking)

 

0x097 Byte5 goes to 0 when the speed limiter is active.

 

Thanks!!

0x200 byte 0-1 => is actual wheel torque / wheel to engine torque factor (powertrain losses I believe)

I imagine the actual wheel torque is calculated from the torque table of load vs rpm you can find in the editor. Try modifying this table and see what you can datalog. This table is obviously different for each engine calibration.

image.png.d88e4d02af79fcb8a577a54253d02701.png

0x200 byte 2 & 3 is the minimum torque before stall or something like that, this is only used at low rpm, Im not sure if this is even used

0x200 byte 6 sets some flags depending on the type of torque maths used that are all ORd together

0x80 == Engine Torque Type

0x0 = Axle Torque

0x40 = Inertial loss is factored in

0x20 = Cat protection has been enabled

byte 7 is some other flags to do with whether the engine is cranking

We never normally need to reverse engineer the can messages so this is not something we normally dig too deeply into. But the way we figure this stuff out is to open the ROM up, annotate all addresses with their known DMRs and table locations, from that you can see roughly what is being packed into where. This takes a very long time to created these annotated assembly files but once you have created them they are useful for figuring out things like this.

Link to comment
Share on other sites

97 is the similar to 200

bytes 0-1 = engine MBT torque but it is just offset and scaled into a 16 bit integer. You should be able to graph it over the value from msg200 and see it follows the same curve or at least values that match the torque table.

bytes 2-3 are the same but "engine friction torque" I think this is just using the calculated inertial loss (same as msg200)

207 is speed and rpm which is packed and scaled in various ways

427 contains coolant temp, oil pressure, ac pressure, battery volts, odo value, various MIL states, fuel usage etc

623 various hard coded bits regarding number of cylinders and other not so interesting stuff like if its a gas/petrol engine etc.

6F6 is the PATS security stuff for key codes etc, you won't be able to emulate this as it requires various security algorithms to calculate it.

Link to comment
Share on other sites

Yep, sure thing, i'm going to put it on git for others when i have it all in place and working.

I have done a little over the last 2 nights:

0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque
I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message.

0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state)
I'm not sure whats in Byte 4,5,6,7

0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking State
I'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some).

0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though.

Link to comment
Share on other sites

Accidentally hit post and didn't mean to on the one above..... please feel free to delete it :)







 

Yep, sure thing, i'm going to put it on git for others when i have it all in place and working.

I have done a little over the last 2 nights:

0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque
I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message.

0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state)
I'm not sure whats in Byte 4,5,6,7

0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking State
I'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some).

0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though. I'm also unsure on the minimum torque before stall value.

0x207 - Byte 0&1 - Engine Speed / Byte 2&3 - Engine Speed Rate of Change / Byte 4&5 - Vehicle Speed / Byte 6 - Throttle Position (MaxValue 200) / Byte 7 - TPS Rate of Change

0x230 - Not sure on this one.... Some odd stuff happening in here.

0x425 - Byte 0 - Cruise State Bits / Byte 1&2 - Cruise Set Speed / Byte 3&4 - Boost Pressure / Byte 5 - Mask 0x02 Engine State not cranking / Byte 6&7 - Fuel Flow information
Haven't mapped byte 0 fully and not sure of the other bits within byte 5 so far.

0x427 - Byte 0 - Coolant Temp / Byte 1&2 - A/C Pressure  / Byte 3 - Battery Voltage / Byte 4 - Odometer Counter / Byte 5&6 - Warning States / Byte 7 - Engine Speed counter.
I'm not sure of the logic behind the odometer counter and the engine speed counter on this one. it seems that they follow a similar logic in that they speed up as the corresponding speed increases.

0x44D - Byte 4&5 - Coolant Temp / Byte 6 - Oil Temperature / Byte 7 - Ambient Pressure
I'm not sure on what is in the first 4 bytes of this message.


Any chance you have any info on the ones i have commented on above :P

Link to comment
Share on other sites

 

Quote

0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque
I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message.

One will include frictional losses, eg powertrain and engine (if you go through the editor you will see there is this table:

image.png.9b1d7441abdfe2e40de2def13cf145ca.png

I assume this is subtracted (or added) to the engine torque to produce this second figure. I can't decode the assembly exactly for you as that would take many hours, I can tell you that it references the following IDs though. These can be datalogged by out datalogger when it is released (very soon)

tq_mbt = Torque MBT = Maximum torque that could be produced by the engine
tq_loss = Torque Loss = Torque loss due to engine friction and alternator/power steering etc
tq_brake_s = Torque Actual = Actual torque produced
tq_net_dd = Driver Demand Torque
tq_mbt_dd = Driver Demand MBT Torque
tq_source = Torque Source (one of those 14 different sources)
tq_brk_s_str = Brake Torque (eg at the wheels) BEFORE a trans shift occurs

Bytes 0 and 1 are tq_mbt

Bytes 2 and 3 are tq_loss

Bytes 4 and 5 are some combination of tq_brk_s_str, tq_loss and tq_brake_s. There is a conditional based on whether a gear shift is occuring. I assume it holds last value during a shift or something like that.

Bytes 6 and 7 are tq_mbt_dd

These bytes are packed, scaled and offset as well, you'll need to figure this out yourself.

Quote

0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state)
I'm not sure whats in Byte 4,5,6,7

Nothing by the looks of it, they appear uninitialised.

Quote

0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking State
I'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some).

Byte 0 appears to be the derivative of the rpm

Byte 1 appears to be TPS %

Byte 2 is something to do with if you are decelerating down a hill

Byte 7 is various bit flags, engine cranking (0x04) , brakes enabled (0x03)

Quote

0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though. I'm also unsure on the minimum torque before stall value

I can't help you much more on this. It something to do with engine stalling torque (min stall torque).

0x230 is some combination of the the current gear selected, gear ratio, transmission torque loss and a bunch of other transmission flags. Good luck with this one.,

0x427 odo is a few odo readings. The KAM odo reading they take on the LSB of the value to save space (as they dont need to transmit the whole number). There is some constant used here 0.05129784 to convert the number of ticks or something. I also see 1.609344 here.

0x44D byte 1-3 contains any current MIL codes

Link to comment
Share on other sites

are you able to see in 0x200 what is also being added to the torque in bytes 0&1 and 4&5 ?
I understand that 2&3 is the minimum stal l torque, but i'm interested to see what the extra value is in the other torque numbers.
I have attached a visual representation of the 'adder' that is in these values. I can see the torque component, and i have stripped that out for the purpose of finding this adder :)

200h odd addition.jpg

Link to comment
Share on other sites

I can see a few constants in the routine for the 0x200 message. 512 (float) and 0xFFFE

It looks like some float to short (16 bit) conversion routine. I suspect they are clipping the value at 0xFFFE so that it stands out from 0xFFFF which would normally be considered a bad value. The 512 is probably an offset or multiplier.

Link to comment
Share on other sites

  • 2 weeks later...

I seem to have it working, albeit i think there are still some numbers that aren't quite right in the messaging.
I have been going through one by one to validate the results on the TCM side of things, however its taking me a lot longer than the first progress that i had made.

Link to comment
Share on other sites

  • 2 months later...

Hi All,

After shelving this project due to moving interstate, i finally now have the opportunity to pick up where i left off.

The last update was that i was trying to figure out messages 0x623, 0x640, 0x650 and what each of the hard coded bits are, as i think they were causing me some grief with getting everything to play nice.


I have the following notes so far:
0x623 - Offset 16 Length 8 = 0x22 Turbo / 0x12 N/A

0x623 - Offset 24 Length 8 = 0x82 Ford / 0x8A FPV

0x640 - Offset 0 Length 8 = 0x50 Manual / 0x44 Auto

0x640 - Offset 24 Length 8 = 0x77 Manual / 0x57 Auto / 6E FPV ?

0x640 - Offset 32 Length 8 = 0x40 Manual / 0x58 Auto / B8 FPV ?

0x650 - Offset 8 Length 8 = 0x42 Manual / 0x22 Auto

 

has anyone decoded these bits to see what flags are what?

Link to comment
Share on other sites

0x623 

byte0 engine capacity in litres x 10

byte1 engine code (some hard coded number for the engine type) (maybe auF2531?)

byte2 auF2552

byte3 NA/Turbo etc

byte4 TCM Calibration level auF1692

 

0x640

byte0 axle type eg FWD/RWD/AWD auF2193

byte1&2 = axle ratio as a float converted to a short (16bit) scaled between 0x333 to 0xFFAD

Byte3&4 = same as above but the VID axle ratio instead I believe scaled in the same range

Byte5 = Torque split (AWD vehicles) to front axle.  I believe this changes for AWD vehicles

Byte6 = some bit field for number of gears and car model

Byte7 = null

 

0x650

byte0 CAN ID

byte1 = byte0 of msg 623

rest of this looks the same as msg 623 just offset by one byte

Link to comment
Share on other sites

It seems the above has sorted out some of the funky stuff that was going on, however i'm left with one big unknown, and that is 0x230.

I can see that trans temp warning is in there, along with trans fault warning flags (In byte 7) but the others are a big unknown.
I'm currently just sending what i found on the ecu that i have on the bench here, but i'm concerned given that it may have an effect on the shifts.

does anyone have more info on the makeup of what seems to be the final message?

Link to comment
Share on other sites

No one is going to have any information on this. You'll have to learn to disassemble the code if you want to know more. That message is sent to the TCM and I suspect will be critical for shifts to work properly.

Mess with the torque tables in the PCM and see how they change, that should give you some idea how it is made up.

Link to comment
Share on other sites

This is interesting - Id been looking for more data on 0x640.   In the factory workshop manuals in the cluster/instrumentation section, data is listed as CanData "ManualTrans" - Removes PRNDL from cluster if Manual.  That would appear to be 0x640, Byte 3, bit 5 which might indicate this.

Also in the Factory Manual for the FG powertrain, there is a table on page 303-14-96/97 which shows what canbus data is sent from/to the PCM.   Whats particularly interesting is that the only Data it shows the TCM receiving from the PCM is Throttle Position.     I guess thats possible with the ZF - it has Speed and Tach already available.  Ive seen documentation errors before, and also in the ford factory stuff.  But thats an interesting observation.

I didnt see it further up the list, but 0x200 also has Crank Status Warning, which is used to disable a pile of alerts on the clusters while the engine is cranking.  that was an interesting one, because if you send 0x200 to a cluster it will stop many warning lamps from working correctly, and will silence the Alarm.     Speaking of the Alarm - Roland, this may be a way to silence any alerts that happen while your displaying the CustomOS Selection on the cluster

Im not as far into this as you guys, but I love the work.

Nigel

 

  • Like 1
Link to comment
Share on other sites

"because if you send 0x200 to a cluster it will stop many warning lamps from working correctly, and will silence the Alarm.     Speaking of the Alarm - Roland, this may be a way to silence any alerts that happen while your displaying the CustomOS Selection on the cluster"

Nice find! We were going to mask the alarms individually, but this might be even simpler!

Link to comment
Share on other sites

Roland.   It was a pain in my backside - I had RSS Enabled on the cluster I had, and if I sent 0x200, then it would stop.  However then other stuff wouldnt work - its one of those weird "ok, how come its fixed something, but broken all this other stuff".  

Page 413-01-51 (FG1, but Im not sure that this one would have changed for FG2).

Ive attached the Documentation in the Cluster Section of FG1.     0x210, 0x230, and 0x360 are disabled while cranking.  0x210 is your ABS/DSC Warnings, 0x230 is the PCM Telling Cluster about Gear Selected, and (on MS Can) 0x360 is the Reverse Park Sonar (PAM)

Wouldnt take much here to work out exactly which bit it is.      It could be Bits 0,1 of Byte 6 that actually signal the Crank

 

CrankStatusWarningPref.JPG

Link to comment
Share on other sites

This is where its a little interesting.  There are bits and pieces of the CANID in the PCM Sections for BA, BF, however they only list a very few.   There were odd ones - I came across this gem :

(BF Falcon) Message 427, Bit 6 = Travel Assistance Service (Unlock all doors).

Makes sense, but its not mentioned again in any later manual I  have.

The FG1 Manual only, for the Cluster Only, has the CanID's for all alerts etc, as well as a comprehensive list of RX and TX Source/Destinations.   Again - not in ba, bf, and not in FG2 either.   But it helps!.  

I am not able to confirm at the moment if 0x200 will silence the oil alarm etc.   However, I do have an FG Cluster on the bench, and an FG2 cluster, and I can try.    Im not sure I have enough info to correctly Simulate it yet.

 

Link to comment
Share on other sites

msg 0x200 details (FG Falcon only):

Bytes 1 & 2 :  (Actual Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0

Bytes 3 & 4:  (Minimum Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0

Bytes 5 & 6:  (Maximum Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0

Byte 7:   Flags:

          0x80 = Torque type is Engine Torque

          0x40 = torque calculation includes losses (inertia,...)

          0x20 = Catalyst protection active

          Bottom 2 bits are crank status. Still checking this but I  believe it is: 0 = no crank, 1 = crank pending, 2 = low voltage cranking

Byte 8: non 0 => key off timer in minutes (rounded up to next minute)

 

Link to comment
Share on other sites

Nice work Darryl.   I had the two lower bits of byte 7 as the two that disabled noise.  Interesting to see how much it mutes.

Can you confirm if its the same for FG2? - completely understand if timing doesnt allow.  Not sure if this needs to be moved to another Thread.    All of the Factory stuff says that Crank Pending is enough to mute the Alarms (and that reflects my experience on the cluster).  Which alarms needed to be silenced?

 

 

Link to comment
Share on other sites

On 8/16/2019 at 1:10 PM, Nigel said:

Nice work Darryl.   I had the two lower bits of byte 7 as the two that disabled noise.  Interesting to see how much it mutes.

Can you confirm if its the same for FG2? - completely understand if timing doesnt allow.  Not sure if this needs to be moved to another Thread.    All of the Factory stuff says that Crank Pending is enough to mute the Alarms (and that reflects my experience on the cluster).  Which alarms needed to be silenced?

 

 

Nigel, Can you check on the FG2 if the cranking flag in msg 12D silences the alarms?

Link to comment
Share on other sites

Last byte has two flags:

     0x01 = Brake Switch On

     0x04 = Cranking in Progress

Byte 1: rate of change of RPM vs time [maths equivalent d(RPM)/d(t)]

Byte 2: Throttle Percent

Byte 3:  Pedal Postition

Byte 4: Hill Descent Flags

Bytes 5 and 6: Engine RPM

Byte 7 is a flag to clear malfunction fault codes 

Byte 8 as above

 

Link to comment
Share on other sites

Darryl.  Is there any note there of the intended target for this data?

I know that for the general stuff, this is not where the FG2 Cluster gets its running data from - Hence my assumption that this was data for Trans/ABS.

I'll take a look as soon as I have a second.

Link to comment
Share on other sites

Darryl.

Ive taken a look.     That was interesting - as the same data exists for FG1 as well.    However - it does not mute the cluster

One to look at is 0x35c, in particular the 5th Byte.   When the 3rd and 4th bits are set (&0x0c), I do not get communications fault.  When they are not set, Communications Fault.    This may be completely related to invalid data, however it is also the same behaviour I saw with 0x200 on the FG Cluster.

P.S.   I would love the complete breakdown of 0x35c.  There is a very interesting behaviour/interaction between 5th Byte, 8th bit, and the Tach where the FG2 cluster changes its data source for RPM from 0x35c to 0x15f.  Actually I have a range of CAN ID's Id love, but this is one of them

 

 

Edited by Nigel
Link to comment
Share on other sites

  • 8 months later...

Hey Guys

 

Many years ago I did a whole lot of work like this on BA, BF Falcon and SX Territory - reverse engineer CAN Arbitration messages/ IDs.  I didn't do so much on the PCM side like you guys are doing, but I did a whole lot on the other modules - PAM, RCM, IC, ICC, HIM etc

I've just started some similar work recently on a 2007 WQ Fiesta XR4.

Is there any appetite for me sharing any of my data? Or is this mainly a thread with Focus in PCM broadcasts...?

I'm kinda on the hunt for a forum or message group with people doing similar reverse-engineer analysis on Ford messages. There's not much around. Some US based F150 guys, one on a Focus which, depending on the model, is likely to be very similar to the WQ Fiesta and BA Falcon, as both used ECU architectures that were derivatives of the original MkI Focus.

 

Luke

Link to comment
Share on other sites

I cannot for the life of me remember my source, but this is what I have for CAN ID 200 for Black Oak/Spanish Oak, whic hI saw you all chatting about above. This is copy and pasted out of an Excel spreadsheet. Byte 6 in particular looks terrible when I paste - it's a bitwise field. 

        Byte 0 Byte 1 Byte 2  Byte 3 Byte 4 Byte 5 Byte 6 Byte 7
200
PCM
  TorqueDataEngineFlags   ActualEngTorque MinAvailibleTorque MaxAvailibleTorque                 KeyOffTimer
    ActualEngTorque
Units:Nm
Offset:-512;Mult:1;Div:1
MinAvailibleTorque
Units:Nm
Offset:-512;Mult:1;Div:1
MaxAvailibleTorque
Units:Nm
Offset:-512;Mult:1;Div:1
TorqueType_PCM
0=Axle;1=Engine
InertiaLosses
0=Axle;1=Engine
CatProtectionActive
0-Off;1=On
      CrankStatusPCM_HS
0=NoAction;1=CrankPending;
2=CrankInProgress;3=LowVoltageCrankAttempt
KeyOffTimer
Unit:Minutes
Offset:0;Mult:1;Div:1
Edited by Lukeyson
Link to comment
Share on other sites

You know, I wish I could recall where that data came from. It's making my efforts to do the same work on the XR4 all that much harder. A few messages map across but not all. Clearly I had access to something at the time given the detail - like the data ID's and the offset/mult/div. I am doing the discovery now using a J2534 tool - a few cheaper tools have popped up in the 10 years since - and the software I used back in the day, which is still useful. It's very good at showing the broadcast ID's and highlighting when data changes (including graphing, or doing a live offset/mult conversion on the fly). Or Blocking all other messages so I can focus on a smaller subset.

I might sanitise the BA/BF/SX/SY data i have and upload it somewhere The work I'm doing on the WQ I have up in a Google Sheet and am still updating it: 

 

WQ Fiesta XR4 CAN-IDs

 

Luke

  • Like 1
Link to comment
Share on other sites

  • 1 year later...
On 4/28/2020 at 2:34 PM, Lukeyson said:

Hey Guys

 

Many years ago I did a whole lot of work like this on BA, BF Falcon and SX Territory - reverse engineer CAN Arbitration messages/ IDs.  I didn't do so much on the PCM side like you guys are doing, but I did a whole lot on the other modules - PAM, RCM, IC, ICC, HIM etc

I've just started some similar work recently on a 2007 WQ Fiesta XR4.

Is there any appetite for me sharing any of my data? Or is this mainly a thread with Focus in PCM broadcasts...?

I'm kinda on the hunt for a forum or message group with people doing similar reverse-engineer analysis on Ford messages. There's not much around. Some US based F150 guys, one on a Focus which, depending on the model, is likely to be very similar to the WQ Fiesta and BA Falcon, as both used ECU architectures that were derivatives of the original MkI Focus.

 

Luke

I have been using a socketcan to map out the the CAN in my FG mk1 - sheet is here https://github.com/jakka351/FG-Falcon

Link to comment
Share on other sites

  • 3 months later...
  • 2 weeks later...
20 hours ago, jakka351 said:

ever post that emulator you were working on?

I'll pm you a link to the git repository.
 

9 minutes ago, Roland@pcmtec said:

We do know how it calculated, it is fairly complicated but it could be emulated if someone had enough time up their sleeve.

Is it the same as the OBD seed/key setup for security access? Can you share any information on it?


I have attached a link to my DBC file for what I have on the canbus stuff so far.
I haven't had an opportunity to try and work out any MKII stuff, but would love it if anyone could add anything to it.

https://www104.zippyshare.com/v/UmRDp2O4/file.html

@Roland@pcmtec is there any lists or anything you guys have that i could use to add to this ?

Edited by TheReaper
Link to comment
Share on other sites

8 hours ago, TheReaper said:

Is it the same as the OBD seed/key setup for security access? Can you share any information on it?

@Roland@pcmtec is there any lists or anything you guys have that i could use to add to this ?

It is similar in that it is a key challenge exchange, but that is about it. What is your goal? Depending on what it is I might be able to point you in the right direction time permitting.

There is a lot of extra stuff to stop replay attacks, it also performs some kind of checksum on the responses. The actual alg looks similar in that it is some kind of XOR type of encryption. It looks like a multi part exchange that has a few more steps than the security unlock. We have disassembled the PCM to a high level, but none of the other modules. So to fully emulate it you'd need to do the BCM as well. But I can get some ideas about what the PCM side is doing from the work we have done to date.

  • Like 1
Link to comment
Share on other sites

Effectively I'm trying to work out if its possible to remove the PCM and still have the ACM/ICC work without whinging about the security code by emulating the PATS information or some other method.

Does anyone have any information on the MKII canbus too by chance??

I know 097, 120, 12D,207, 425, 44D, and 650 are shared with previous models, but from what I understand 023,085,0A5,0FC,143,15F,274 and 35C have been added.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...