K-Line: Difference between revisions

From OpenGK
 
(5 intermediate revisions by the same user not shown)
Line 24: Line 24:


==== Baudrate ====
==== Baudrate ====
By default, SIMK43 uses 10400 baud. On some ECUs (so far testing revealed that <2005 ECUs might not support that), baudrate can be manipulated by additional undocumented parameter of the StartDiagnosticSession service:<blockquote>
0x01: 10400


0x02: 20000
By default, SIMK43 uses 10400 baud. On some ECUs (so far testing revealed that <2005 ECUs might not support that), baudrate can be manipulated by additional undocumented parameter of the StartDiagnosticSession service:
 
{| class="wikitable"
0x03: 40000
|+
 
!Baudrate identifier,
0x04: 60000
passed to StartDiagnosticSession
 
!Baudrate on K-line
0x05: 120000
(bits per second)
</blockquote>
|-
|0x01
|10400
|-
|0x02
|20000
|-
|0x03
|40000
|-
|0x04
|60000
|-
|0x05
|120000
|}
<blockquote>
</blockquote>


==== Challenge-response calculation ====
==== Challenge-response calculation ====
Line 60: Line 75:
|0x14
|0x14
|fuel pump control
|fuel pump control
|
|-
|-
|0x16
|0x16
|"Canister Close Valve-Clocked" (whatever that means)
|"Canister Close Valve-Clocked" (whatever that means)
|
|-
|-
|0x1A
|0x1A
Line 69: Line 86:
|0x1B
|0x1B
|cooling fan relay low
|cooling fan relay low
|
|-
|-
|0x1C
|0x1C
|main relay
|main relay
|
|-
|-
|0x20
|0x20
|canister purge valve
|canister purge valve
|
|-
|-
|0x23
|0x23
|idle speed actuator
|idle speed actuator
|
|-
|-
|0x24
|0x24
|cvvt valve
|cvvt valve
|
|-
|-
|0x31
|0x31
|ignition coil
|ignition coil #1, 4
|#1, 4
|
|-
|-
|0x32
|0x32
|ignition coil
|ignition coil #2, 5
|#2, 5 (v6 only)
|Coil #5 v6 only
|-
|-
|0x33
|0x33
|ignition coil
|ignition coil #3, 6
|#3, 6 (v6 only)
|Coil #6 v6 only
|-
|-
|0x39
|0x39
|injector
|injector cylinder 1
|cylinder 1 (i4 only)
|i4 only
|-
|-
|0x3A
|0x3A
|injector
|injector cylinder 2
|cylinder 2 (i4 only)
|i4 only
|-
|-
|0x3B
|0x3B
|injector
|injector cylinder 3
|cylinder 3 (i4 only)
|i4 only
|-
|-
|0x3C
|0x3C
|injector
|injector cylinder 4
|cylinder 4 (i4 only)
|i4 only
|-
|-
|0x300701
|0x300701
|injector
|injector cylinder 1
|cylinder 1 (v6 only)
|v6 only
|-
|-
|0x300702
|0x300702
|injector
|injector cylinder 2
|cylinder 2 (v6 only)
|v6 only
|-
|-
|0x300704
|0x300704
|injector
|injector cylinder 3
|cylinder 3 (v6 only)
|v6 only
|-
|-
|0x300708
|0x300708
|injector
|injector cylinder 4
|cylinder 4 (v6 only)
|v6 only
|-
|-
|0x300710
|0x300710
|injector
|injector cylinder 5
|cylinder 5 (v6 only)
|v6 only
|-
|-
|0x300720
|0x300720
|injector
|injector cylinder 6
|cylinder 6 (v6 only)
|v6 only
|-
|-
|0x41
|0x41
Line 143: Line 165:
|-
|-
|0x50
|0x50
|adaptive values (0x04 - clear function)
|adaptive values
|0x04 - clear function
|}
|}
<blockquote>0x13 - A/C compressor relay 
<blockquote></blockquote>
 
0x14 - fuel pump control
 
0x16 - "Canister Close Valve-Clocked" (whatever that means)
 
0x1A - cooling fan relay high
 
0x1B - cooling fan relay low
 
0x1C - main relay 
 
0x20 - canister purge valve
 
0x23 - idle speed actuator
 
0x24 - cvvt valve
 
0x31 - ignition coil - #1, 4
 
0x32 - ignition coil - #2, 5 (v6 only)
 
0x33 - ignition coil - #3, 6 (v6 only)
 
0x39 - injector - cylinder 1 (i4 only)
 
0x3A - injector - cylinder 2 (i4 only)
 
0x3B - injector - cylinder 3 (i4 only)
 
0x3C - injector - cylinder 4 (i4 only)
 
0x300701 - injector - cylinder 1 (v6 only)
 
0x300702 - injector - cylinder 2 (v6 only)
 
0x300704 - injector - cylinder 3 (v6 only)
 
0x300708 - injector - cylinder 4 (v6 only)
 
0x300710 - injector - cylinder 5 (v6 only)
 
0x300720 - injector - cylinder 6 (v6 only)
 
0x41 - Version Configuration - Automatic Transaxle (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
 
0x42 - Version Configuration - Traction Control System (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
 
0x50 - adaptive values (0x04 - clear function)
</blockquote>


==== Routines by local identifier ====
==== Routines by local identifier ====
<blockquote>
{| class="wikitable"
0x00 - erase program section
|+
 
!Identifier (hex)
0x01 - erase calibration section
!Description
 
!Notes
0x02 - verify and mark blocks as ready to execute. Needs to be called after flashing
|-
 
|0x00
0x03 - unknown. requires security access, returned 0x33 0xE0 on a bench ecu
|erase program section
 
|
0x04 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error
|-
 
|0x01
0x05 - unknown, returns 0x22 - Conditions Not Correct Or Request Sequence Error
|erase calibration section
 
|
0x12 - query immobilizer info: 2 bytes number of keys learnt, 2 bytes immo status (01 = learnt), 2 bytes key status (00 - not learnt), 2 bytes smartra status if applicable  
|-
 
|0x02
0x13 - needs to be called before immobilizer password teaching/changing   
|verify and mark blocks as ready to execute
 
|Needs to be called after flashing
0x14 - needs to be called before immobilizer teaching.  
|
 
|-
0x15 - needs to be called before ECU immobilizer reset   
|0x03
 
|unknown
0x16 - needs to be called before putting immobilizer in limp home mode   
|requires security access, returned 0x33 0xE0 on a bench ecu
 
|-
0x17 - input new limp home password   
|0x04
 
|unknown
0x18 - activate limp home mode. takes user-provided (default: 2345) password as parameters
|returns 0x22 Conditions Not Correct Or Request Sequence Error
 
|
0x19 - confirm limp home password change. takes 0x01 as a parameter
|-
 
|0x05
0x1A - input 6 digit immobilizer password. Needs to be called before teaching, resetting or other actions modifying the immo system. Takes password and 6x 0xFF as parameters  
|unknown
 
|returns 0x22 Conditions Not Correct Or Request Sequence Error
0x1B, 0x1C, 0x1D, 0x1E - teach keys 1,2,3,4. Takes 0x01 as a parameter
|
 
|-
0x20 - reset ECU immo. Takes 0x01 as a parameter
|0x12
 
|query immobilizer info
0x25 - needs to be called before neutralizing smartra   
|1 byte number of keys learnt, 1 bytes immo status (0x01 = learnt), 1 byte key status (0x00 not learnt), 1 byte smartra status if applicable
 
|
0x26 - confirm neutralizing smartra. takes 0x01 as a parameter
|-
</blockquote>
|0x13
|needs to be called before immobilizer password teaching/changing   
|
|-
|0x14
|needs to be called before immobilizer teaching.  
|
|-
|0x15
|needs to be called before ECU immobilizer reset   
|
|-
|0x16
|needs to be called before putting immobilizer in limp home mode   
|
|-
|0x17
|input new limp home password   
|
|-
|0x18
|activate limp home mode
|takes user-provided (default: 2345) password as parameters
|-
|0x19
|confirm limp home password change  
|takes 0x01 as a parameter  
|-
|0x1A
|input 6 digit immobilizer password  
|Needs to be called before teaching, resetting or other actions modifying the immo system. Takes password and 6x 0xFF as parameters
|-
|0x1B, 0x1C, 0x1D, 0x1E
|teach keys 1,2,3,4
|Takes 0x01 as a parameter
|-
|0x20
|reset ECU immo.  
|Takes 0x01 as a parameter
|-
|0x25
|needs to be called before neutralizing smartra   
|
|-
|0x26
|confirm neutralizing smartra.
|takes 0x01 as a parameter
|}

Latest revision as of 14:09, 10 December 2024

K-Line on SIMK43 runs at 10400 baud and uses the KWP2000 protocol for diagnostic communication.

Connection points

ECU

If you have 1.6 or 2.0 without immobilizer installed:

Good news! Your K-Line pins (OBD2/MCC) are connected directly to the K-line pin on the ECU (2.0 - 77)

If you have 1.6 or 2.0 with immobilizer installed:

Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). THERE IS NOTHING CONNECTED TO K-LINE PIN AT THE ECU!! (2.0 77). Instead, all K-line stuff is connected to the ECU's W-Line (2.0 - 47)

If you have 2.7 with or without immobilizer installed:

Your K-Line pins (OBD2/MCC) are connected to BCM's "Diagnosis" pin (BCM-IM, pin 19). Your K/Immo-Line pin at the ECU (C133-1, pin 3) is connected to BCM's "Immo W-line" (BCM-IM, pin 20). 2.7 ECUs don't have a separate K and W line - it's all integrated in one pin, you don't have nothing to worry about.

KWP2000

To start communication, you need to use Fast Init - so bring the K-line down for exactly 25ms, then up for 25ms followed by StartCommunication request. Python example of that using a FTDI cable can be found in GKBus code.

ID of the ECU is 0x11, and as a diagnostic device you should be using ID 0xF1. So an example command and response would look like this:

Diagnostic device: 82 11 F1 27 01 AC (security access request)

ECU response: 83 F1 11 67 02 34 22

Baudrate

By default, SIMK43 uses 10400 baud. On some ECUs (so far testing revealed that <2005 ECUs might not support that), baudrate can be manipulated by additional undocumented parameter of the StartDiagnosticSession service:

Baudrate identifier,

passed to StartDiagnosticSession

Baudrate on K-line

(bits per second)

0x01 10400
0x02 20000
0x03 40000
0x04 60000
0x05 120000

Challenge-response calculation

SIMK43/41 uses a 2 byte seed and 2 byte key for security access. Until a write-up about the algorithm is prepared, you can take a look at it's Python implementation in GKFlasher: https://github.com/Dante383/GKFlasher/blob/15a715b18f2119d697a5ceed00f6383f690c4a23/ecu.py#L42

Input-Output local identifiers

Identifier (hex) Description Notes
0x10 check engine light
0x11 EVAP canister close valve (on)
0x12 fuel pump relay
0x14 fuel pump control
0x16 "Canister Close Valve-Clocked" (whatever that means)
0x1A cooling fan relay high
0x1B cooling fan relay low
0x1C main relay
0x20 canister purge valve
0x23 idle speed actuator
0x24 cvvt valve
0x31 ignition coil #1, 4
0x32 ignition coil #2, 5 Coil #5 v6 only
0x33 ignition coil #3, 6 Coil #6 v6 only
0x39 injector cylinder 1 i4 only
0x3A injector cylinder 2 i4 only
0x3B injector cylinder 3 i4 only
0x3C injector cylinder 4 i4 only
0x300701 injector cylinder 1 v6 only
0x300702 injector cylinder 2 v6 only
0x300704 injector cylinder 3 v6 only
0x300708 injector cylinder 4 v6 only
0x300710 injector cylinder 5 v6 only
0x300720 injector cylinder 6 v6 only
0x41 Version Configuration Automatic Transaxle (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
0x42 Version Configuration Traction Control System (0x08) - This is the ECU reset function to install M/T or Non-TCS system.
0x50 adaptive values 0x04 - clear function

Routines by local identifier

Identifier (hex) Description Notes
0x00 erase program section
0x01 erase calibration section
0x02 verify and mark blocks as ready to execute Needs to be called after flashing
0x03 unknown requires security access, returned 0x33 0xE0 on a bench ecu
0x04 unknown returns 0x22 Conditions Not Correct Or Request Sequence Error
0x05 unknown returns 0x22 Conditions Not Correct Or Request Sequence Error
0x12 query immobilizer info 1 byte number of keys learnt, 1 bytes immo status (0x01 = learnt), 1 byte key status (0x00 not learnt), 1 byte smartra status if applicable
0x13 needs to be called before immobilizer password teaching/changing
0x14 needs to be called before immobilizer teaching.
0x15 needs to be called before ECU immobilizer reset
0x16 needs to be called before putting immobilizer in limp home mode
0x17 input new limp home password
0x18 activate limp home mode takes user-provided (default: 2345) password as parameters
0x19 confirm limp home password change takes 0x01 as a parameter
0x1A input 6 digit immobilizer password Needs to be called before teaching, resetting or other actions modifying the immo system. Takes password and 6x 0xFF as parameters
0x1B, 0x1C, 0x1D, 0x1E teach keys 1,2,3,4 Takes 0x01 as a parameter
0x20 reset ECU immo. Takes 0x01 as a parameter
0x25 needs to be called before neutralizing smartra
0x26 confirm neutralizing smartra. takes 0x01 as a parameter