TheReaper Posted April 24, 2019 Share Posted April 24, 2019 Hi All, Out of curiosity, would any of you have any information on the below messages within the FG PCM. I have the following messages completed (anything with xx has been completed) ID Data 097 xx xx 00 7E 00 00 xx xx 120 00 00 xx xx 00 00 00 00 12D xx xx xx 00 xx xx 00 01 200 01 82 02 51 xx xx C0 00 207 xx xx xx xx xx xx xx 00 230 00 FF 82 06 68 00 00 01 425 xx xx xx 0C 80 03 xx xx 427 xx xx xx xx xx 00 05 xx 44D 00 00 00 00 xx xx xx CA 4C0 00 00 00 00 00 00 00 00 623 xx xx xx xx 00 00 00 00 640 xx xx xx xx xx 00 xx 00 650 xx xx 00 00 00 00 00 00 6F6 xx xx xx xx xx xx xx xx Currently I have the following on the remaining messages: 0x200 Byte0&1 moves in the same way that 0x097 Byte 3 does however they are inverse (0x097 value increases where 0x200 value decreases) and its 16 bit rather than 8. The value moves with RPM, and has a jump in the opposite direction and freezes when the engine speed limiter is active. 0x200 Decimal values range from around 590@500rpm to 500@6000 however goes to 386 when the engine speed limiter is active. 0x097 Decimal values range from around 35@500rpm to 126@6000 and doesn’t change when the engine speed limiter is active. ( Both of these numbers are also affected by Injector Duty. 0x200 Byte2&3 decreases with RPM between 0rpm and 1100rpm starting with a decimal value of 593 and ending with 240. 0x200 Byte6 seems to have some bit information for engine states. (Mask 0x02 – Engine Cranking) 0x12D Byte7 seems to have some bit information for engine states. (Mask 0x04 – Engine Cranking) 0x097 Byte5 goes to 0 when the speed limiter is active. Thanks!! Quote Link to comment Share on other sites More sharing options...
TheReaper Posted April 25, 2019 Author Share Posted April 25, 2019 I now have a few more completed: ID Data 097 xx xx 00 7E 00 00 xx xx 120 xx xx xx xx 00 00 00 00 12D xx xx xx 00 xx xx 00 01 200 01 82 02 51 xx xx C0 00 207 xx xx xx xx xx xx xx xx 230 00 FF 82 06 68 00 00 01 425 xx xx xx xx xx 03 xx xx 427 xx xx xx xx xx 00 05 xx 44D 00 00 00 00 xx xx xx xx 4C0 00 00 00 00 00 00 00 00 623 xx xx xx xx 00 00 00 00 640 xx xx xx xx xx 00 xx 00 650 xx xx 00 00 00 00 00 00 6F6 xx xx xx xx xx xx xx xx The one that i am very interested in at the moment is the 7E value in 0x97. it seems to increase with RPM but not in a linear fashion, and i cant seem to work out what it is. It also has an effect on one of the torque output values. Quote Link to comment Share on other sites More sharing options...
apoc Posted April 27, 2019 Share Posted April 27, 2019 I'll have to do some logging on my FG, would you be willing to list the data (i.e. what the messages are for) for what you've found? I've been messing with BA, BF & some FG Can-Bus stuff, its cool but sometimes a bit tedious. Here's my list of what I have so far, I'll update it when I get some more. You've probably identified alot of it already though. BA-FGX_CanBusID.xlsx Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted April 29, 2019 Share Posted April 29, 2019 On 4/24/2019 at 10:46 AM, TheReaper said: Hi All, Out of curiosity, would any of you have any information on the below messages within the FG PCM. Currently I have the following on the remaining messages: 0x200 Byte0&1 moves in the same way that 0x097 Byte 3 does however they are inverse (0x097 value increases where 0x200 value decreases) and its 16 bit rather than 8. The value moves with RPM, and has a jump in the opposite direction and freezes when the engine speed limiter is active. 0x200 Decimal values range from around 590@500rpm to 500@6000 however goes to 386 when the engine speed limiter is active. 0x097 Decimal values range from around 35@500rpm to 126@6000 and doesn’t change when the engine speed limiter is active. ( Both of these numbers are also affected by Injector Duty. 0x200 Byte2&3 decreases with RPM between 0rpm and 1100rpm starting with a decimal value of 593 and ending with 240. 0x200 Byte6 seems to have some bit information for engine states. (Mask 0x02 – Engine Cranking) 0x12D Byte7 seems to have some bit information for engine states. (Mask 0x04 – Engine Cranking) 0x097 Byte5 goes to 0 when the speed limiter is active. Thanks!! 0x200 byte 0-1 => is actual wheel torque / wheel to engine torque factor (powertrain losses I believe) I imagine the actual wheel torque is calculated from the torque table of load vs rpm you can find in the editor. Try modifying this table and see what you can datalog. This table is obviously different for each engine calibration. 0x200 byte 2 & 3 is the minimum torque before stall or something like that, this is only used at low rpm, Im not sure if this is even used 0x200 byte 6 sets some flags depending on the type of torque maths used that are all ORd together 0x80 == Engine Torque Type 0x0 = Axle Torque 0x40 = Inertial loss is factored in 0x20 = Cat protection has been enabled byte 7 is some other flags to do with whether the engine is cranking We never normally need to reverse engineer the can messages so this is not something we normally dig too deeply into. But the way we figure this stuff out is to open the ROM up, annotate all addresses with their known DMRs and table locations, from that you can see roughly what is being packed into where. This takes a very long time to created these annotated assembly files but once you have created them they are useful for figuring out things like this. Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted April 29, 2019 Share Posted April 29, 2019 97 is the similar to 200 bytes 0-1 = engine MBT torque but it is just offset and scaled into a 16 bit integer. You should be able to graph it over the value from msg200 and see it follows the same curve or at least values that match the torque table. bytes 2-3 are the same but "engine friction torque" I think this is just using the calculated inertial loss (same as msg200) 207 is speed and rpm which is packed and scaled in various ways 427 contains coolant temp, oil pressure, ac pressure, battery volts, odo value, various MIL states, fuel usage etc 623 various hard coded bits regarding number of cylinders and other not so interesting stuff like if its a gas/petrol engine etc. 6F6 is the PATS security stuff for key codes etc, you won't be able to emulate this as it requires various security algorithms to calculate it. Quote Link to comment Share on other sites More sharing options...
TheReaper Posted May 2, 2019 Author Share Posted May 2, 2019 Hi Roland, Thanks for that info - really appreciate it. I'll be spending some more time on this over the next week or two and will post updates as i have them! again, thanks for your help! 1 Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted May 3, 2019 Share Posted May 3, 2019 Let us know where you get stuck next and I'll see if we can help. Also any chance you will post up your emulator code so others can use it? Quote Link to comment Share on other sites More sharing options...
TheReaper Posted May 4, 2019 Author Share Posted May 4, 2019 Yep, sure thing, i'm going to put it on git for others when i have it all in place and working. I have done a little over the last 2 nights: 0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message. 0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state) I'm not sure whats in Byte 4,5,6,7 0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking State I'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some). 0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though. Quote Link to comment Share on other sites More sharing options...
TheReaper Posted May 4, 2019 Author Share Posted May 4, 2019 Accidentally hit post and didn't mean to on the one above..... please feel free to delete it Yep, sure thing, i'm going to put it on git for others when i have it all in place and working. I have done a little over the last 2 nights: 0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message. 0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state) I'm not sure whats in Byte 4,5,6,7 0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking State I'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some). 0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though. I'm also unsure on the minimum torque before stall value. 0x207 - Byte 0&1 - Engine Speed / Byte 2&3 - Engine Speed Rate of Change / Byte 4&5 - Vehicle Speed / Byte 6 - Throttle Position (MaxValue 200) / Byte 7 - TPS Rate of Change 0x230 - Not sure on this one.... Some odd stuff happening in here. 0x425 - Byte 0 - Cruise State Bits / Byte 1&2 - Cruise Set Speed / Byte 3&4 - Boost Pressure / Byte 5 - Mask 0x02 Engine State not cranking / Byte 6&7 - Fuel Flow information Haven't mapped byte 0 fully and not sure of the other bits within byte 5 so far. 0x427 - Byte 0 - Coolant Temp / Byte 1&2 - A/C Pressure / Byte 3 - Battery Voltage / Byte 4 - Odometer Counter / Byte 5&6 - Warning States / Byte 7 - Engine Speed counter. I'm not sure of the logic behind the odometer counter and the engine speed counter on this one. it seems that they follow a similar logic in that they speed up as the corresponding speed increases. 0x44D - Byte 4&5 - Coolant Temp / Byte 6 - Oil Temperature / Byte 7 - Ambient Pressure I'm not sure on what is in the first 4 bytes of this message. Any chance you have any info on the ones i have commented on above Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted May 4, 2019 Share Posted May 4, 2019 Quote 0x097 - Byte 0&1 - Engine torque / Byte 2&3 - Friction Losses / Byte 4&5 - Engine Torque (Goes to 0 When limiter active) / Byte 6&7 - Engine Torque I'm not sure what the differences are between the torque in bytes 1&2/4&5 and 6&7 are in this message. One will include frictional losses, eg powertrain and engine (if you go through the editor you will see there is this table: I assume this is subtracted (or added) to the engine torque to produce this second figure. I can't decode the assembly exactly for you as that would take many hours, I can tell you that it references the following IDs though. These can be datalogged by out datalogger when it is released (very soon) tq_mbt = Torque MBT = Maximum torque that could be produced by the engine tq_loss = Torque Loss = Torque loss due to engine friction and alternator/power steering etc tq_brake_s = Torque Actual = Actual torque produced tq_net_dd = Driver Demand Torque tq_mbt_dd = Driver Demand MBT Torque tq_source = Torque Source (one of those 14 different sources) tq_brk_s_str = Brake Torque (eg at the wheels) BEFORE a trans shift occurs Bytes 0 and 1 are tq_mbt Bytes 2 and 3 are tq_loss Bytes 4 and 5 are some combination of tq_brk_s_str, tq_loss and tq_brake_s. There is a conditional based on whether a gear shift is occuring. I assume it holds last value during a shift or something like that. Bytes 6 and 7 are tq_mbt_dd These bytes are packed, scaled and offset as well, you'll need to figure this out yourself. Quote 0x120 - Byte 0&1 - Engine Torque minus Reduction Request / Byte 2&3 - Engine Torque minus 0x097 Bye2&3 (Goes to 0 when in idle state) I'm not sure whats in Byte 4,5,6,7 Nothing by the looks of it, they appear uninitialised. Quote 0x12D - Byte 0 - Engine Speed rate of change? / Byte 1 - Throttle Pedal (MaxValue 200) / Byte 2 - Some Shift value maybe??? / Byte 4&5 - Engine Speed * 4 / Byte 7 - Mask 0x01 Brake State Mask 0x04 Cranking StateI'm not 100% sure of the value in Byte 2, not idea whats in Byte 3, and not sure of all of the bits inside Byte 7 of this message (only some). Byte 0 appears to be the derivative of the rpm Byte 1 appears to be TPS % Byte 2 is something to do with if you are decelerating down a hill Byte 7 is various bit flags, engine cranking (0x04) , brakes enabled (0x03) Quote 0x200 - Byte 0&1 - Engine Torque (With some other modifier in it) / Byte 2&3 (you mentioned minimum torque before stall, not sure) / Byte 4&5 - Engine Torque (With some other modifier in it.) I'm not sure what the additional modifier is in the torque value in this message. I have graphed it, but cant seem to figure it out, it moves with RPM though. I'm also unsure on the minimum torque before stall value I can't help you much more on this. It something to do with engine stalling torque (min stall torque). 0x230 is some combination of the the current gear selected, gear ratio, transmission torque loss and a bunch of other transmission flags. Good luck with this one., 0x427 odo is a few odo readings. The KAM odo reading they take on the LSB of the value to save space (as they dont need to transmit the whole number). There is some constant used here 0.05129784 to convert the number of ticks or something. I also see 1.609344 here. 0x44D byte 1-3 contains any current MIL codes Quote Link to comment Share on other sites More sharing options...
TheReaper Posted May 5, 2019 Author Share Posted May 5, 2019 are you able to see in 0x200 what is also being added to the torque in bytes 0&1 and 4&5 ? I understand that 2&3 is the minimum stal l torque, but i'm interested to see what the extra value is in the other torque numbers. I have attached a visual representation of the 'adder' that is in these values. I can see the torque component, and i have stripped that out for the purpose of finding this adder Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted May 6, 2019 Share Posted May 6, 2019 I can see a few constants in the routine for the 0x200 message. 512 (float) and 0xFFFE It looks like some float to short (16 bit) conversion routine. I suspect they are clipping the value at 0xFFFE so that it stands out from 0xFFFF which would normally be considered a bad value. The 512 is probably an offset or multiplier. Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted May 20, 2019 Share Posted May 20, 2019 How did you go in the end? Quote Link to comment Share on other sites More sharing options...
TheReaper Posted May 22, 2019 Author Share Posted May 22, 2019 I seem to have it working, albeit i think there are still some numbers that aren't quite right in the messaging. I have been going through one by one to validate the results on the TCM side of things, however its taking me a lot longer than the first progress that i had made. Quote Link to comment Share on other sites More sharing options...
TheReaper Posted August 7, 2019 Author Share Posted August 7, 2019 Hi All, After shelving this project due to moving interstate, i finally now have the opportunity to pick up where i left off. The last update was that i was trying to figure out messages 0x623, 0x640, 0x650 and what each of the hard coded bits are, as i think they were causing me some grief with getting everything to play nice. I have the following notes so far: 0x623 - Offset 16 Length 8 = 0x22 Turbo / 0x12 N/A 0x623 - Offset 24 Length 8 = 0x82 Ford / 0x8A FPV 0x640 - Offset 0 Length 8 = 0x50 Manual / 0x44 Auto 0x640 - Offset 24 Length 8 = 0x77 Manual / 0x57 Auto / 6E FPV ? 0x640 - Offset 32 Length 8 = 0x40 Manual / 0x58 Auto / B8 FPV ? 0x650 - Offset 8 Length 8 = 0x42 Manual / 0x22 Auto has anyone decoded these bits to see what flags are what? Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted August 8, 2019 Share Posted August 8, 2019 0x623 byte0 engine capacity in litres x 10 byte1 engine code (some hard coded number for the engine type) (maybe auF2531?) byte2 auF2552 byte3 NA/Turbo etc byte4 TCM Calibration level auF1692 0x640 byte0 axle type eg FWD/RWD/AWD auF2193 byte1&2 = axle ratio as a float converted to a short (16bit) scaled between 0x333 to 0xFFAD Byte3&4 = same as above but the VID axle ratio instead I believe scaled in the same range Byte5 = Torque split (AWD vehicles) to front axle. I believe this changes for AWD vehicles Byte6 = some bit field for number of gears and car model Byte7 = null 0x650 byte0 CAN ID byte1 = byte0 of msg 623 rest of this looks the same as msg 623 just offset by one byte Quote Link to comment Share on other sites More sharing options...
TheReaper Posted August 12, 2019 Author Share Posted August 12, 2019 It seems the above has sorted out some of the funky stuff that was going on, however i'm left with one big unknown, and that is 0x230. I can see that trans temp warning is in there, along with trans fault warning flags (In byte 7) but the others are a big unknown. I'm currently just sending what i found on the ecu that i have on the bench here, but i'm concerned given that it may have an effect on the shifts. does anyone have more info on the makeup of what seems to be the final message? Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted August 12, 2019 Share Posted August 12, 2019 No one is going to have any information on this. You'll have to learn to disassemble the code if you want to know more. That message is sent to the TCM and I suspect will be critical for shifts to work properly. Mess with the torque tables in the PCM and see how they change, that should give you some idea how it is made up. Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 14, 2019 Share Posted August 14, 2019 This is interesting - Id been looking for more data on 0x640. In the factory workshop manuals in the cluster/instrumentation section, data is listed as CanData : "ManualTrans" - Removes PRNDL from cluster if Manual. That would appear to be 0x640, Byte 3, bit 5 which might indicate this. Also in the Factory Manual for the FG powertrain, there is a table on page 303-14-96/97 which shows what canbus data is sent from/to the PCM. Whats particularly interesting is that the only Data it shows the TCM receiving from the PCM is Throttle Position. I guess thats possible with the ZF - it has Speed and Tach already available. Ive seen documentation errors before, and also in the ford factory stuff. But thats an interesting observation. I didnt see it further up the list, but 0x200 also has Crank Status Warning, which is used to disable a pile of alerts on the clusters while the engine is cranking. that was an interesting one, because if you send 0x200 to a cluster it will stop many warning lamps from working correctly, and will silence the Alarm. Speaking of the Alarm - Roland, this may be a way to silence any alerts that happen while your displaying the CustomOS Selection on the cluster Im not as far into this as you guys, but I love the work. Nigel 1 Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted August 15, 2019 Share Posted August 15, 2019 "because if you send 0x200 to a cluster it will stop many warning lamps from working correctly, and will silence the Alarm. Speaking of the Alarm - Roland, this may be a way to silence any alerts that happen while your displaying the CustomOS Selection on the cluster" Nice find! We were going to mask the alarms individually, but this might be even simpler! Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 15, 2019 Share Posted August 15, 2019 Roland. It was a pain in my backside - I had RSS Enabled on the cluster I had, and if I sent 0x200, then it would stop. However then other stuff wouldnt work - its one of those weird "ok, how come its fixed something, but broken all this other stuff". Page 413-01-51 (FG1, but Im not sure that this one would have changed for FG2). Ive attached the Documentation in the Cluster Section of FG1. 0x210, 0x230, and 0x360 are disabled while cranking. 0x210 is your ABS/DSC Warnings, 0x230 is the PCM Telling Cluster about Gear Selected, and (on MS Can) 0x360 is the Reverse Park Sonar (PAM) Wouldnt take much here to work out exactly which bit it is. It could be Bits 0,1 of Byte 6 that actually signal the Crank Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted August 15, 2019 Share Posted August 15, 2019 I never even bothered to check the manuals. The fact they show the CANID is very interesting. I assumed they wouldn't cover that level of detail at all! I bet that it is incomplete though. Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 15, 2019 Share Posted August 15, 2019 This is where its a little interesting. There are bits and pieces of the CANID in the PCM Sections for BA, BF, however they only list a very few. There were odd ones - I came across this gem : (BF Falcon) Message 427, Bit 6 = Travel Assistance Service (Unlock all doors). Makes sense, but its not mentioned again in any later manual I have. The FG1 Manual only, for the Cluster Only, has the CanID's for all alerts etc, as well as a comprehensive list of RX and TX Source/Destinations. Again - not in ba, bf, and not in FG2 either. But it helps!. I am not able to confirm at the moment if 0x200 will silence the oil alarm etc. However, I do have an FG Cluster on the bench, and an FG2 cluster, and I can try. Im not sure I have enough info to correctly Simulate it yet. Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted August 15, 2019 Share Posted August 15, 2019 Darryl should be able to dig it all up for msg200 as he is looking into that now to attempt to mask the alarms. Quote Link to comment Share on other sites More sharing options...
Darryl@pcmtec Posted August 16, 2019 Share Posted August 16, 2019 msg 0x200 details (FG Falcon only): Bytes 1 & 2 : (Actual Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0 Bytes 3 & 4: (Minimum Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0 Bytes 5 & 6: (Maximum Wheel Torque in N-M / Wheel torque to Engine torque) + 512.0 Byte 7: Flags: 0x80 = Torque type is Engine Torque 0x40 = torque calculation includes losses (inertia,...) 0x20 = Catalyst protection active Bottom 2 bits are crank status. Still checking this but I believe it is: 0 = no crank, 1 = crank pending, 2 = low voltage cranking Byte 8: non 0 => key off timer in minutes (rounded up to next minute) Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 16, 2019 Share Posted August 16, 2019 Nice work Darryl. I had the two lower bits of byte 7 as the two that disabled noise. Interesting to see how much it mutes. Can you confirm if its the same for FG2? - completely understand if timing doesnt allow. Not sure if this needs to be moved to another Thread. All of the Factory stuff says that Crank Pending is enough to mute the Alarms (and that reflects my experience on the cluster). Which alarms needed to be silenced? Quote Link to comment Share on other sites More sharing options...
Darryl@pcmtec Posted August 16, 2019 Share Posted August 16, 2019 Some Alarms like low oil pressure, seat belt warning and the lovely locking of the doors if the customer has that set up MK2 FGs do not have message 200 Quote Link to comment Share on other sites More sharing options...
Darryl@pcmtec Posted August 21, 2019 Share Posted August 21, 2019 On 8/16/2019 at 1:10 PM, Nigel said: Nice work Darryl. I had the two lower bits of byte 7 as the two that disabled noise. Interesting to see how much it mutes. Can you confirm if its the same for FG2? - completely understand if timing doesnt allow. Not sure if this needs to be moved to another Thread. All of the Factory stuff says that Crank Pending is enough to mute the Alarms (and that reflects my experience on the cluster). Which alarms needed to be silenced? Nigel, Can you check on the FG2 if the cranking flag in msg 12D silences the alarms? Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 21, 2019 Share Posted August 21, 2019 Darryl. can you give me more information on 0x12d? - I have only got Tach and Throttle Pos here, and it appears for ABS not cluster? If you can tell me which is the cranking flag I'll give that a go Quote Link to comment Share on other sites More sharing options...
Darryl@pcmtec Posted August 21, 2019 Share Posted August 21, 2019 Last byte has two flags: 0x01 = Brake Switch On 0x04 = Cranking in Progress Byte 1: rate of change of RPM vs time [maths equivalent d(RPM)/d(t)] Byte 2: Throttle Percent Byte 3: Pedal Postition Byte 4: Hill Descent Flags Bytes 5 and 6: Engine RPM Byte 7 is a flag to clear malfunction fault codes Byte 8 as above Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 21, 2019 Share Posted August 21, 2019 Darryl. Is there any note there of the intended target for this data? I know that for the general stuff, this is not where the FG2 Cluster gets its running data from - Hence my assumption that this was data for Trans/ABS. I'll take a look as soon as I have a second. Quote Link to comment Share on other sites More sharing options...
Darryl@pcmtec Posted August 21, 2019 Share Posted August 21, 2019 Will have a look but all modules will see it as it is broadcast type message. Also seems to be the only spot where the mk2 sends the cranking flag and is in BF, FG Mk1 and mk2. Have not checked the BA yet. Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 21, 2019 Share Posted August 21, 2019 Let me know if its in BA - it matters (to me). Its also higher speed than the data the cluster uses (more frequent). Quote Link to comment Share on other sites More sharing options...
Nigel Posted August 22, 2019 Share Posted August 22, 2019 (edited) Darryl. Ive taken a look. That was interesting - as the same data exists for FG1 as well. However - it does not mute the cluster One to look at is 0x35c, in particular the 5th Byte. When the 3rd and 4th bits are set (&0x0c), I do not get communications fault. When they are not set, Communications Fault. This may be completely related to invalid data, however it is also the same behaviour I saw with 0x200 on the FG Cluster. P.S. I would love the complete breakdown of 0x35c. There is a very interesting behaviour/interaction between 5th Byte, 8th bit, and the Tach where the FG2 cluster changes its data source for RPM from 0x35c to 0x15f. Actually I have a range of CAN ID's Id love, but this is one of them Edited August 22, 2019 by Nigel Quote Link to comment Share on other sites More sharing options...
Lukeyson Posted April 28, 2020 Share Posted April 28, 2020 Hey Guys Many years ago I did a whole lot of work like this on BA, BF Falcon and SX Territory - reverse engineer CAN Arbitration messages/ IDs. I didn't do so much on the PCM side like you guys are doing, but I did a whole lot on the other modules - PAM, RCM, IC, ICC, HIM etc I've just started some similar work recently on a 2007 WQ Fiesta XR4. Is there any appetite for me sharing any of my data? Or is this mainly a thread with Focus in PCM broadcasts...? I'm kinda on the hunt for a forum or message group with people doing similar reverse-engineer analysis on Ford messages. There's not much around. Some US based F150 guys, one on a Focus which, depending on the model, is likely to be very similar to the WQ Fiesta and BA Falcon, as both used ECU architectures that were derivatives of the original MkI Focus. Luke Quote Link to comment Share on other sites More sharing options...
Lukeyson Posted April 28, 2020 Share Posted April 28, 2020 (edited) I cannot for the life of me remember my source, but this is what I have for CAN ID 200 for Black Oak/Spanish Oak, whic hI saw you all chatting about above. This is copy and pasted out of an Excel spreadsheet. Byte 6 in particular looks terrible when I paste - it's a bitwise field. Byte 0 Byte 1 Byte 2 Byte 3 Byte 4 Byte 5 Byte 6 Byte 7 200 PCM TorqueDataEngineFlags ActualEngTorque MinAvailibleTorque MaxAvailibleTorque KeyOffTimer ActualEngTorque Units:Nm Offset:-512;Mult:1;Div:1 MinAvailibleTorque Units:Nm Offset:-512;Mult:1;Div:1 MaxAvailibleTorque Units:Nm Offset:-512;Mult:1;Div:1 TorqueType_PCM 0=Axle;1=Engine InertiaLosses 0=Axle;1=Engine CatProtectionActive 0-Off;1=On CrankStatusPCM_HS 0=NoAction;1=CrankPending; 2=CrankInProgress;3=LowVoltageCrankAttempt KeyOffTimer Unit:Minutes Offset:0;Mult:1;Div:1 Edited April 28, 2020 by Lukeyson Quote Link to comment Share on other sites More sharing options...
Nigel Posted April 28, 2020 Share Posted April 28, 2020 (edited) Luke - how did you work out some of that data - it seemed quite advanced when you had it Nigel Edited April 28, 2020 by Nigel Quote Link to comment Share on other sites More sharing options...
Lukeyson Posted April 28, 2020 Share Posted April 28, 2020 You know, I wish I could recall where that data came from. It's making my efforts to do the same work on the XR4 all that much harder. A few messages map across but not all. Clearly I had access to something at the time given the detail - like the data ID's and the offset/mult/div. I am doing the discovery now using a J2534 tool - a few cheaper tools have popped up in the 10 years since - and the software I used back in the day, which is still useful. It's very good at showing the broadcast ID's and highlighting when data changes (including graphing, or doing a live offset/mult conversion on the fly). Or Blocking all other messages so I can focus on a smaller subset. I might sanitise the BA/BF/SX/SY data i have and upload it somewhere The work I'm doing on the WQ I have up in a Google Sheet and am still updating it: WQ Fiesta XR4 CAN-IDs Luke 1 Quote Link to comment Share on other sites More sharing options...
Lukeyson Posted April 28, 2020 Share Posted April 28, 2020 For shits and giggles: BA BF SX SY Falcon Territory CAN-IDs Lukeyson 3 1 Quote Link to comment Share on other sites More sharing options...
jakka351 Posted May 12, 2021 Share Posted May 12, 2021 On 4/28/2020 at 2:34 PM, Lukeyson said: Hey Guys Many years ago I did a whole lot of work like this on BA, BF Falcon and SX Territory - reverse engineer CAN Arbitration messages/ IDs. I didn't do so much on the PCM side like you guys are doing, but I did a whole lot on the other modules - PAM, RCM, IC, ICC, HIM etc I've just started some similar work recently on a 2007 WQ Fiesta XR4. Is there any appetite for me sharing any of my data? Or is this mainly a thread with Focus in PCM broadcasts...? I'm kinda on the hunt for a forum or message group with people doing similar reverse-engineer analysis on Ford messages. There's not much around. Some US based F150 guys, one on a Focus which, depending on the model, is likely to be very similar to the WQ Fiesta and BA Falcon, as both used ECU architectures that were derivatives of the original MkI Focus. Luke I have been using a socketcan to map out the the CAN in my FG mk1 - sheet is here https://github.com/jakka351/FG-Falcon Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted May 13, 2021 Share Posted May 13, 2021 If there are any pcm messages you are struggling with let us know. We can dig them out of the asm with reasonable confidence. Quote Link to comment Share on other sites More sharing options...
TheReaper Posted August 26, 2021 Author Share Posted August 26, 2021 Random one, raised from the dead, did anyone ever work out the 0x6F6 PATS exchange and how that message is calculated? Quote Link to comment Share on other sites More sharing options...
jakka351 Posted September 4, 2021 Share Posted September 4, 2021 ever post that emulator you were working on? Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted September 5, 2021 Share Posted September 5, 2021 On 8/26/2021 at 11:37 AM, TheReaper said: Random one, raised from the dead, did anyone ever work out the 0x6F6 PATS exchange and how that message is calculated? We do know how it calculated, it is fairly complicated but it could be emulated if someone had enough time up their sleeve. Quote Link to comment Share on other sites More sharing options...
TheReaper Posted September 5, 2021 Author Share Posted September 5, 2021 (edited) 20 hours ago, jakka351 said: ever post that emulator you were working on? I'll pm you a link to the git repository. 9 minutes ago, Roland@pcmtec said: We do know how it calculated, it is fairly complicated but it could be emulated if someone had enough time up their sleeve. Is it the same as the OBD seed/key setup for security access? Can you share any information on it? I have attached a link to my DBC file for what I have on the canbus stuff so far. I haven't had an opportunity to try and work out any MKII stuff, but would love it if anyone could add anything to it.https://www104.zippyshare.com/v/UmRDp2O4/file.html@Roland@pcmtec is there any lists or anything you guys have that i could use to add to this ? Edited September 5, 2021 by TheReaper Quote Link to comment Share on other sites More sharing options...
jakka351 Posted September 5, 2021 Share Posted September 5, 2021 Thank you, appreicate it. I'll link my .dbc file too, but it is still a WIP. https://github.com/jakka351/fgdbc/blob/main/falcon.dbc Quote Link to comment Share on other sites More sharing options...
jakka351 Posted September 5, 2021 Share Posted September 5, 2021 https://github.com/jakka351/FG-Falcon#canbus-decoded theres fsir amount of can info in those spread sheets might help you Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted September 5, 2021 Share Posted September 5, 2021 8 hours ago, TheReaper said: Is it the same as the OBD seed/key setup for security access? Can you share any information on it?@Roland@pcmtec is there any lists or anything you guys have that i could use to add to this ? It is similar in that it is a key challenge exchange, but that is about it. What is your goal? Depending on what it is I might be able to point you in the right direction time permitting. There is a lot of extra stuff to stop replay attacks, it also performs some kind of checksum on the responses. The actual alg looks similar in that it is some kind of XOR type of encryption. It looks like a multi part exchange that has a few more steps than the security unlock. We have disassembled the PCM to a high level, but none of the other modules. So to fully emulate it you'd need to do the BCM as well. But I can get some ideas about what the PCM side is doing from the work we have done to date. 1 Quote Link to comment Share on other sites More sharing options...
TheReaper Posted September 5, 2021 Author Share Posted September 5, 2021 Effectively I'm trying to work out if its possible to remove the PCM and still have the ACM/ICC work without whinging about the security code by emulating the PATS information or some other method. Does anyone have any information on the MKII canbus too by chance?? I know 097, 120, 12D,207, 425, 44D, and 650 are shared with previous models, but from what I understand 023,085,0A5,0FC,143,15F,274 and 35C have been added. Quote Link to comment Share on other sites More sharing options...
Roland@pcmtec Posted September 6, 2021 Share Posted September 6, 2021 Why do you want to remove the pcm? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.