K-Line: Difference between revisions

From OpenGK
No edit summary
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Stub}}
{{Warning|'''Only on 1.6/2.0 without immo the K-line from ECU is connected directly to the K-line pin on [[Data link connector (OBD2)|OBD2]] or [[Multipurpose Check Connector]]!!''' See below for some details.}}
K-Line on SIMK43 runs at 10400 baud and uses the KWP2000 protocol for diagnostic communication.  
K-Line on SIMK43 runs at 10400 baud and uses the KWP2000 protocol for diagnostic communication.  


Line 9: Line 5:
=== ECU ===
=== ECU ===


==== '''- If you have 1.6 or 2.0 without immobilizer installed:''' ====
==== '''If you have 1.6 or 2.0 without immobilizer installed:''' ====
Good news! Your K-Line pins (OBD2/MCC) are connected directly to the K-line pin on the ECU (2.0 - 77)
Good news! Your K-Line pins (OBD2/MCC) are connected directly to the K-line pin on the ECU (2.0 - 77)


==== '''- If you have 1.6 or 2.0 with immobilizer installed:''' ====
==== '''If you have 1.6 or 2.0 with immobilizer installed:''' ====
Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). '''THERE IS NOTHING CONNECTED TO K-LINE PIN AT THE ECU!!''' (2.0 77). Instead, all K-line stuff is connected to the ECU's W-Line (2.0 - 47)
Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). '''THERE IS NOTHING CONNECTED TO K-LINE PIN AT THE ECU!!''' (2.0 77). Instead, all K-line stuff is connected to the ECU's W-Line (2.0 - 47)


==== '''- If you have 2.7 with or without immobilizer installed:''' ====
==== '''If you have 2.7 with or without immobilizer installed:''' ====
Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). Your K/Immo-Line pin at the ECU (C133-1, pin 3) is connected to BCM's "Immo W-line" (BCM-IM, pin 20). 2.7 ECUs don't have a separate K and W line - it's all integrated in one pin, you don't have nothing to worry about.
Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). Your K/Immo-Line pin at the ECU (C133-1, pin 3) is connected to BCM's "Immo W-line" (BCM-IM, pin 20). 2.7 ECUs don't have a separate K and W line - it's all integrated in one pin, you don't have nothing to worry about.
=== OBD2 (Data Link Connector) ===
==== Vehicles with immo: ====
K-Line pin (2) is connected to "DIAG" (BCM-IM 19) pin on the BCM which acts as a gateway. We don't know yet how to bypass that, so direct connection to ECU (or other modules) K-line is not possible through OBD-2 on vehicles with immobiliser. You could use the joint connector located under the gear shifter to bypass that<sup>[todo: include connector's name and pinout]</sup>.
==== Vehicles without immo: ====
K-Line pin (2) has direct connection to ECU and other modules


== KWP2000 ==
== KWP2000 ==
To start communication, you need to use Fast Init - so bring the K-line down for exactly 25ms, then up for 25ms followed by StartCommunication request. Python example of that using a FTDI cable [https://github.com/Dante383/gkbus/blob/a3ff894e8352ef2faab36e22553da7ddf5688cb8/gkbus/interface/kline/KLineSerial.py#L48 can be found in GKBus] code.
To start communication, you need to use Fast Init - so bring the K-line down for exactly 25ms, then up for 25ms followed by StartCommunication request. Python example of that using a FTDI cable [https://github.com/Dante383/gkbus/blob/a3ff894e8352ef2faab36e22553da7ddf5688cb8/gkbus/interface/kline/KLineSerial.py#L48 can be found in GKBus] code.


ID of the ECU is 0xF1, and as a diagnostic device you should be using ID 0x11. So an example command and response would look like this:
ID of the ECU is 0x11, and as a diagnostic device you should be using ID 0xF1. So an example command and response would look like this:


Diagnostic device: <code>82 11 F1 27 01 AC</code> (security access request)
Diagnostic device: <code>82 11 F1 27 01 AC</code> (security access request)


ECU response: <code>83 F1 11 67 02 34 22</code>
ECU response: <code>83 F1 11 67 02 34 22</code>
==== Baudrate ====
By default, SIMK43 uses 10400 baud. On some ECUs (so far testing revealed that <2005 ECUs might not support that), baudrate can be manipulated by additional undocumented parameter of the StartDiagnosticSession service:<blockquote>
0x01: 10400
0x02: 20000
0x03: 40000
0x04: 60000
0x05: 120000
</blockquote>
==== Challenge-response calculation ====
SIMK43/41 uses a 2 byte seed and 2 byte key for security access. Until a write-up about the algorithm is prepared, you can take a look at it's Python implementation in GKFlasher: https://github.com/Dante383/GKFlasher/blob/15a715b18f2119d697a5ceed00f6383f690c4a23/ecu.py#L42
==== Input-Output local identifiers ====
<blockquote>
0x10 - check engine light
0x11 - EVAP canister close valve (on)
0x12 - fuel pump relay 
0x13 - A/C compressor relay
0x14 - fuel pump control
0x16 - "Canister Close Valve-Clocked" (whatever that means)
0x1A - cooling fan relay high
0x1B - cooling fan relay low
0x1C - main relay 
0x20 - canister purge valve
0x23 - idle speed actuator
0x24 - cvvt valve
0x31 - ignition coil - #1, 4
0x32 - ignition coil - #2, 5 (v6 only)
0x33 - ignition coil - #3, 6 (v6 only)
0x39 - injector - cylinder 1 (i4 only)
0x3A - injector - cylinder 2 (i4 only)
0x3B - injector - cylinder 3 (i4 only)
0x3C - injector - cylinder 4 (i4 only)
0x300701 - injector - cylinder 1 (v6 only)
0x300702 - injector - cylinder 2 (v6 only)
0x300704 - injector - cylinder 3 (v6 only)
0x300708 - injector - cylinder 4 (v6 only)
0x300710 - injector - cylinder 5 (v6 only)
0x300720 - injector - cylinder 6 (v6 only)
0x41 - Version Configuration - Automatic Transaxle (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
0x42 - Version Configuration - Traction Control System (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
0x50 - adaptive values (0x04 - clear function)
</blockquote>
==== Routines by local identifier ====
<blockquote>
0x00 - erase program section
0x01 - erase calibration section
0x02 - verify and mark blocks as ready to execute. Needs to be called after flashing
0x03 - unknown. requires security access, returned 0x33 0xE0 on a bench ecu
0x04 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error
0x05 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error
0x12 - query immobilizer info: 2 bytes number of keys learnt, 2 bytes immo status (01 = learnt), 2 bytes key status (00 - not learnt), 2 bytes smartra status if applicable
0x13 - needs to be called before immobilizer password teaching/changing 
0x14 - needs to be called before immobilizer teaching.
0x15 - needs to be called before ECU immobilizer reset 
0x16 - needs to be called before putting immobilizer in limp home mode 
0x17 - input new limp home password 
0x18 - activate limp home mode. takes user-provided (default: 2345) password as parameters 
0x19 - confirm limp home password change. takes 0x01 as a parameter 
0x1A - input 6 digit immobilizer password. Needs to be called before teaching, resetting or other actions modifying the immo system. Takes password and 6x 0xFF as parameters 
0x1B, 0x1C, 0x1D, 0x1E - teach keys 1,2,3,4. Takes 0x01 as a parameter 
0x20 - reset ECU immo. Takes 0x01 as a parameter 
0x25 - needs to be called before neutralizing smartra 
0x26 - confirm neutralizing smartra. takes 0x01 as a parameter 
</blockquote>

Latest revision as of 16:19, 3 November 2024

K-Line on SIMK43 runs at 10400 baud and uses the KWP2000 protocol for diagnostic communication.

Connection points

ECU

If you have 1.6 or 2.0 without immobilizer installed:

Good news! Your K-Line pins (OBD2/MCC) are connected directly to the K-line pin on the ECU (2.0 - 77)

If you have 1.6 or 2.0 with immobilizer installed:

Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). THERE IS NOTHING CONNECTED TO K-LINE PIN AT THE ECU!! (2.0 77). Instead, all K-line stuff is connected to the ECU's W-Line (2.0 - 47)

If you have 2.7 with or without immobilizer installed:

Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). Your K/Immo-Line pin at the ECU (C133-1, pin 3) is connected to BCM's "Immo W-line" (BCM-IM, pin 20). 2.7 ECUs don't have a separate K and W line - it's all integrated in one pin, you don't have nothing to worry about.

KWP2000

To start communication, you need to use Fast Init - so bring the K-line down for exactly 25ms, then up for 25ms followed by StartCommunication request. Python example of that using a FTDI cable can be found in GKBus code.

ID of the ECU is 0x11, and as a diagnostic device you should be using ID 0xF1. So an example command and response would look like this:

Diagnostic device: 82 11 F1 27 01 AC (security access request)

ECU response: 83 F1 11 67 02 34 22

Baudrate

By default, SIMK43 uses 10400 baud. On some ECUs (so far testing revealed that <2005 ECUs might not support that), baudrate can be manipulated by additional undocumented parameter of the StartDiagnosticSession service:

0x01: 10400

0x02: 20000

0x03: 40000

0x04: 60000

0x05: 120000

Challenge-response calculation

SIMK43/41 uses a 2 byte seed and 2 byte key for security access. Until a write-up about the algorithm is prepared, you can take a look at it's Python implementation in GKFlasher: https://github.com/Dante383/GKFlasher/blob/15a715b18f2119d697a5ceed00f6383f690c4a23/ecu.py#L42

Input-Output local identifiers

0x10 - check engine light

0x11 - EVAP canister close valve (on)

0x12 - fuel pump relay

0x13 - A/C compressor relay

0x14 - fuel pump control

0x16 - "Canister Close Valve-Clocked" (whatever that means)

0x1A - cooling fan relay high

0x1B - cooling fan relay low

0x1C - main relay

0x20 - canister purge valve

0x23 - idle speed actuator

0x24 - cvvt valve

0x31 - ignition coil - #1, 4

0x32 - ignition coil - #2, 5 (v6 only)

0x33 - ignition coil - #3, 6 (v6 only)

0x39 - injector - cylinder 1 (i4 only)

0x3A - injector - cylinder 2 (i4 only)

0x3B - injector - cylinder 3 (i4 only)

0x3C - injector - cylinder 4 (i4 only)

0x300701 - injector - cylinder 1 (v6 only)

0x300702 - injector - cylinder 2 (v6 only)

0x300704 - injector - cylinder 3 (v6 only)

0x300708 - injector - cylinder 4 (v6 only)

0x300710 - injector - cylinder 5 (v6 only)

0x300720 - injector - cylinder 6 (v6 only)

0x41 - Version Configuration - Automatic Transaxle (0x08) - This is the ECU reset function to install M/T or Non-TCS system.

0x42 - Version Configuration - Traction Control System (0x08) - This is the ECU reset function to install M/T or Non-TCS system.

0x50 - adaptive values (0x04 - clear function)

Routines by local identifier

0x00 - erase program section

0x01 - erase calibration section

0x02 - verify and mark blocks as ready to execute. Needs to be called after flashing

0x03 - unknown. requires security access, returned 0x33 0xE0 on a bench ecu

0x04 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error

0x05 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error

0x12 - query immobilizer info: 2 bytes number of keys learnt, 2 bytes immo status (01 = learnt), 2 bytes key status (00 - not learnt), 2 bytes smartra status if applicable

0x13 - needs to be called before immobilizer password teaching/changing

0x14 - needs to be called before immobilizer teaching.

0x15 - needs to be called before ECU immobilizer reset

0x16 - needs to be called before putting immobilizer in limp home mode

0x17 - input new limp home password

0x18 - activate limp home mode. takes user-provided (default: 2345) password as parameters

0x19 - confirm limp home password change. takes 0x01 as a parameter

0x1A - input 6 digit immobilizer password. Needs to be called before teaching, resetting or other actions modifying the immo system. Takes password and 6x 0xFF as parameters

0x1B, 0x1C, 0x1D, 0x1E - teach keys 1,2,3,4. Takes 0x01 as a parameter

0x20 - reset ECU immo. Takes 0x01 as a parameter

0x25 - needs to be called before neutralizing smartra

0x26 - confirm neutralizing smartra. takes 0x01 as a parameter