Difference between revisions of "Holden:ALDL (8192 Baud)"

From Holden
Jump to navigation Jump to search
 
m (Added radio status request message ID)
 
(18 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
== Frame Structure ==
 
== Frame Structure ==
  
An ALDL frame consists of a message ID, length, an optional number of data bytes (up to 64 bytes), and a 2's compliment checksum. The table below illustrates the structure of an ALDL frame.
+
An ALDL frame consists of a message ID, length, an optional number of data bytes, and a 2's compliment checksum. Whilst the maximum size of an ALDL frame isn't defined, the length byte allows for up to 170 data bytes (173 bytes total including the ID, length and checksum)<ref>[http://fbodytech.com/misc/ee-aldl-communications/ fbodytech - ALDL Communications]</ref>. Any multi-byte fields are always big-endian unless otherwise noted. The table below illustrates the structure of an ALDL frame.
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 12: Line 12:
 
| align="center" | 1 || Message ID || The value <code>0</code> is reserved and is not a valid ALDL message ID
 
| align="center" | 1 || Message ID || The value <code>0</code> is reserved and is not a valid ALDL message ID
 
|-
 
|-
| align="center" | 1 || Length || <code>0x55</code> + ''n'', where ''n'' is the number of data bytes (up to 64)
+
| align="center" | 1 || Length || <code>0x55</code> + ''n'', where ''n'' is the number of data bytes
 
|-
 
|-
 
| align="center" | ''n'' || Data ||
 
| align="center" | ''n'' || Data ||
Line 19: Line 19:
 
|}
 
|}
  
=== Module IDs ===
+
=== Message IDs ===
  
The table below lists IDs for various modules across several Commodore models.
+
All ALDL frames are identified by an ID byte. During normal bus operation, message IDs are used to identify a specific type of message (for example, a PCM heartbeat, or radio status message). Each module is typically assigned a ''diagnostic ID'', that can be used to address the module when issuing diagnostic requests. Most diagnostic frames use the same message ID for both the request, and response. The ID used depends on the module and model year. The table below lists some of the IDs commonly used across various modules on the Commodore models.<ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857 pcmhacking.net - GM Reverse Engineering (Page 1)]</ref><ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857&p=47451#p47451 pcmhacking.net - GM Reverse Engineering (Page 10)]</ref>
  
 
{|class="wikitable"
 
{|class="wikitable"
! ID !! Module
+
! ID !! Source !! Destination !! Description !! Model(s)
 
|-
 
|-
| align="center" | <code>BD</code> || BCM (VR/VS)
+
| align="center" | <code>08</code> || BCM || || Heartbeat Frame || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F0</code> || ALDL Tester
+
| align="center" | <code>11</code> || BCM || || BCM Status Frame || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F1</code> || BCM (VT/VX/VY)
+
| align="center" | <code>20</code> || BCM || Cluster || Instrument Cluster Status Request || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F2</code> || SRS (VR/VS)
+
| align="center" | <code>21</code> || Cluster || || Instrument Cluster Status Response || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F4</code> || PCM (VR/VS V8)
+
| align="center" | <code>40</code> || BCM || PCM || PCM Status Request || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F5</code> || PCM (VS V6/VT)
+
| align="center" | <code>41</code> || PCM || || PCM Status Response || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F7</code> || PCM (VX/VY)
+
| align="center" | <code>90</code> || BCM || ABS || ABS Status Request || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>F9</code> || ABS (VR/VS)
+
| align="center" | <code>91</code> || ABS || || ABS Status Response || VT/VX/VY/VZ
 
|-
 
|-
| align="center" | <code>FA</code> || SRS (VT)
+
| align="center" | <code>A0</code> || BCM || SRS || SRS Status Request || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>A1</code> || SRS || || SRS Status Response || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>A8</code> || BCM || ECC || Climate Control Status Request || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>A9</code> || ECC || || Climate Control Status Response || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>B8</code> || BCM || Radio || Radio Status Request || VY/VZ
 +
|-
 +
| align="center" | <code>B9</code> || Radio || || Radio Status Response || VY/VZ
 +
|-
 +
| align="center" | <code>BD</code> || Scan Tool || BCM || BCM Diagnostics || VR/VS
 +
|-
 +
| align="center" | <code>E4</code> || Scan Tool || Telematics || Telematics Module Diagnostics || VY/VZ
 +
|-
 +
| align="center" | <code>EA</code> || Scan Tool || ECC || Climate Control Diagnostics || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>EB</code> || Scan Tool || Radio || Radio Diagnostics || VY/VZ
 +
|-
 +
| align="center" | <code>F0</code> || || || Reserved for ALDL Tester/Scan Tool ||
 +
|-
 +
| align="center" | <code>F1</code> || Scan Tool || BCM || BCM Diagnostics || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>F2</code> || Scan Tool || Cluster || Instrument Cluster Diagnostics || VT/VX/VY/VZ
 +
|-
 +
| align="center" | <code>F2</code> || Scan Tool || SRS || SRS Diagnostics || VR/VS
 +
|-
 +
| align="center" | <code>F3</code> || Scan Tool || PIM || PIM Diagnostics || VY/VZ
 +
|-
 +
| align="center" | <code>F4</code> || Scan Tool || PCM || PCM Diagnostics || VR/VS V8
 +
|-
 +
| align="center" | <code>F5</code> || Scan Tool || PCM || PCM Diagnostics || VS V6/VT
 +
|-
 +
| align="center" | <code>F7</code> || Scan Tool || PCM || PCM Diagnostics || VX/VY
 +
|-
 +
| align="center" | <code>F9</code> || Scan Tool || ABS || ABS/TCS Diagnostics || VR/VS
 +
|-
 +
| align="center" | <code>FA</code> || Scan Tool || SRS || SRS Diagnostics || VT
 +
|-
 +
| align="center" | <code>FB</code> || Scan Tool || SRS || SRS Diagnostics || VX/VY
 
|}
 
|}
  
Line 50: Line 90:
  
 
== Modes ==
 
== Modes ==
 +
 +
ALDL diagnostic requests work on the principle of '''modes'''. To issue a diagnostic request, an ALDL frame is sent with an ID corresponding to a module's diagnostic ID (see [[#Module IDs|Module IDs]]), and the first data byte set to the mode number of the request. ALDL diagnostic requests will therefore always have a minimum of 1 data byte. A typical response to a diagnostic request will be an ALDL frame with the same ID as the original request, the first data byte set to the mode number of the request, and an optional number of extra data bytes forming the response. The table below lists the various ALDL modes.
  
 
{|class="wikitable"
 
{|class="wikitable"
Line 69: Line 111:
 
|-
 
|-
 
| align="center" | <code>10</code> || Clear DTCs
 
| align="center" | <code>10</code> || Clear DTCs
 +
|-
 +
| align="center" | <code>13</code> || Security Seed/Key
 
|}
 
|}
  
 
=== Mode 0 ===
 
=== Mode 0 ===
  
ALDL Mode 0, or '''Normal Mode''' reverts any previous ALDL commands (except commands with lasting effect such as a DTC clear), returning the addressed module to normal operation.
+
ALDL Mode 0, or '''Normal Mode''' reverts the effect of any previous ALDL requests (except requests with lasting effect such as a DTC clear), returning the addressed module to normal operation. The table below illustrates the full structure of a Mode 0 request.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | || ID of the module to return to normal mode
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>56</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>00</code> ||
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
  
 
=== Mode 1 ===
 
=== Mode 1 ===
  
Mode 1 is used to retrieve live data.
+
Each module maintains a set of tables containing live data as well as stored parameters. When a device issues a Mode 1 request to a module, it provides the number of the table being requested. The module responds by transmitting the requested table number, followed by the contents of the table (the PCM differs in that it does not transmit the table number, only the table data). The exact contents and structure of the table depend on both the table in question, and the module. Tables are numbered sequentially, however most modules have less than 10 tables. When an invalid table number is requested, the response differs depending on the module the request was issued to. When an invalid table is requested, the PCM will simply not respond. When an invalid table is requested from the BCM, it will send a Mode 13 response. When an invalid table is requested from the ABS/TCS module, the response will be an empty table (the requested table number, followed by 0 bytes of data). The table below illustrates the full structure of a Mode 1 request.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F1</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>57</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>01</code> ||
 +
|-
 +
| align="center" | 1 || Table || align="center" | ''n'' || Table number
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
  
 
=== Mode 2 ===
 
=== Mode 2 ===
Line 86: Line 156:
 
! Length (bytes) !! Field !! Value !! Notes
 
! Length (bytes) !! Field !! Value !! Notes
 
|-
 
|-
| align="center" | 1 || ID || align="center" | <code>F1</code> ||
+
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 
|-
 
|-
 
| align="center" | 1 || Length || align="center" | <code>58</code> ||
 
| align="center" | 1 || Length || align="center" | <code>58</code> ||
Line 94: Line 164:
 
| align="center" | 2 || Address || align="center" | ''n'' || 16-bit address in big endian format
 
| align="center" | 2 || Address || align="center" | ''n'' || 16-bit address in big endian format
 
|-
 
|-
| align="center" | 1 || Checksum || align="center" | ||
+
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
Expected response:
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>96</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>02</code> ||
 +
|-
 +
| align="center" | 64 || Data || align="center" | || Memory contents at the requested address
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
=== Mode 3 ===
 +
 
 +
Mode 3 requests are used for [[w:Vectored I/O|scatter-gather]] memory operations on the PCM. A Mode 3 request is made with a list of 16-bit memory addresses to be read. The PCM responds with the contents of the requested memory locations. Mode 3 scatter-gather requests are useful for retrieving specific values in memory quickly, without creating the large amount of activity on the bus as Mode 2 block reads. The table below illustrates the full structure of a Mode 3 request.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>55</code> + 1 + 2''n'' ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>03</code> ||
 +
|-
 +
| align="center" | 2 || ''A''<sub>1</sub> || align="center" | || First address to be read
 +
|-
 +
| align="center" colspan="4" | ...
 +
|-
 +
| align="center" | 2 || ''A''<sub>n</sub> || align="center" | ||
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
=== Mode 4 ===
 +
 
 +
A Mode 4 request is used to control a module for testing purposes. Control can include anything from slewing or setting fixed output values, slewing or setting fixed input sensor values, altering the results of certain calculations and invoking certain module functions. Modules that respond to Mode 4 requests include the; PCM, BCM, [[Holden:Instrument Cluster|instrument cluster]] and ABS/TCS modules. The structure of a Mode 4 request differs greatly depending on the module it is addressed to. The basic structure of a Mode 4 request is illustrated by the table below.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | || ID of the module to be controlled
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>55</code> + 1 + ''n'' ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>04</code> ||
 +
|-
 +
| align="center" | ''n'' || Control Structure || align="center" | || Varies depending on module
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 
|}
 
|}
  
 
=== Mode 8 ===
 
=== Mode 8 ===
  
Periodically, the BCM sends polling requests amongst other data on the bus. These requests poll the ECM for sensor data and operational parameters used by the [[Holden:Instrument Cluster|instrument cluster]]. A Mode 8 request is used to temporarily disable these messages from being sent. This essentially silences the BCM and quietens the bus, allowing for another device such as a computer or scan tool to transmit with a lower chance of a [https://en.wikipedia.org/wiki/Collision_domain#:~:text=A%20network%20collision%20occurs%20when%20more%20than%20one%20device%20attempts%20to%20send%20a%20packet%20on%20a%20network%20segment%20at%20the%20same%20time packet collision]. Unless another Mode 8 request is sent within a predetermined amount of time{{When}}, the BCM will automatically resume normal bus operation. The below table illustrates the full structure of a Mode 8 request.
+
Periodically, the BCM sends polling requests amongst other data on the bus. These requests poll the PCM for sensor data and operational parameters used by the instrument cluster. A Mode 8 request is used to temporarily disable these messages from being sent. This essentially silences the BCM and quietens the bus, allowing for another device such as a computer or scan tool to transmit with a lower chance of a [https://en.wikipedia.org/wiki/Collision_domain#:~:text=A%20network%20collision%20occurs%20when%20more%20than%20one%20device%20attempts%20to%20send%20a%20packet%20on%20a%20network%20segment%20at%20the%20same%20time packet collision]. Unless another Mode 8 request is sent within a predetermined amount of time{{When}}, the BCM will automatically resume normal bus operation. The BCM will respond with a frame containing a single data byte <code>08</code> with an ID of <code>F1</code> (a frame identical to the request). The below table illustrates the full structure of a Mode 8 request.
  
 
{|class="wikitable"
 
{|class="wikitable"
Line 115: Line 241:
 
=== Mode 9 ===
 
=== Mode 9 ===
  
Similar to [[#Mode 8|Mode 8]], a Mode 9 request will re-enable BCM chatter. A Mode 9 request can be sent to enable bus chatter earlier, rather than waiting for the original Mode 8 request to time out. This may be useful (and potentially good practice) if a device only requires bus silence for a short period of time, as bus silence for longer periods of time can lead to Check Engine warnings on the cluster{{Cn}}. The below table illustrates the full structure of a Mode 9 request.
+
Similar to [[#Mode 8|Mode 8]], a Mode 9 request will re-enable BCM chatter. A Mode 9 request can be sent to enable bus chatter earlier, rather than waiting for the original Mode 8 request to time out. This may be useful (and potentially good practice) if a device only requires bus silence for a short period of time, as bus silence for longer periods of time can lead to Check Engine warnings on the cluster{{Cn}}. Note that some scan tools issue a Mode 0 request instead of a Mode 9 request to re-enable BCM chatter{{Cn}}. When a Mode 9 request is sent, the BCM will respond with a frame containing a single data byte <code>09</code> with an ID of <code>F1</code> (a frame identical to the request). The below table illustrates the full structure of a Mode 9 request.
  
 
{|class="wikitable"
 
{|class="wikitable"
Line 142: Line 268:
 
| align="center" | 1 || Mode || align="center" | <code>0A</code> ||
 
| align="center" | 1 || Mode || align="center" | <code>0A</code> ||
 
|-
 
|-
| align="center" | 1 || Checksum || align="center" | ||
+
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
=== Mode 13 ===
 +
 
 +
Mode 13 is used for a challenge-response authentication system in order to unlock flash-based PCMs for programming. Once the PCM is in an ''unlocked'' state, certain restricted operations and Mode 1 tables will become available. The challenge-response calculation itself is fairly straightforward. On request, the PCM will provide a 16-bit value as the ''seed''. All bits of the seed are inverted with an XOR operation, which is sent back to the PCM as the ''key''.<ref>[http://fbodytech.com/misc/ee-aldl-communications/ fbodytech - ALDL Communications]</ref> The tables below illustrate the structure of the seed request, key response and PCM unlock response.
 +
 
 +
First, a request for ''Table 1'' is made in ''Mode 13''.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>57</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>0D</code> ||
 +
|-
 +
| align="center" | 1 || Table || align="center" | <code>01</code> ||
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | <code>A4</code> ||
 +
|}
 +
 
 +
The PCM will respond with a seed value as the challenge.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>59</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>0D</code> ||
 +
|-
 +
| align="center" | 1 || Table || align="center" | <code>01</code> ||
 +
|-
 +
| align="center" | 2 || Seed || align="center" | ''S'' || 16-bit Seed Value
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
The key ''K'' is calculated by inverting all bits of the seed ''S'' (for example, <code>A2B9</code> becomes <code>5D46</code>), and transmitted back as a write to ''Table 2'' in ''Mode 13''.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>59</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>0D</code> ||
 +
|-
 +
| align="center" | 1 || Table || align="center" | <code>02</code> ||
 +
|-
 +
| align="center" | 2 || Key || align="center" | ''K'' || 16-bit Key Value
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | ''c'' ||
 +
|}
 +
 
 +
If the key is correct, and the unlock operation is successful, the PCM will respond with ''Table 2'' containing a single value <code>AA</code>. The table below shows the full response that can be expected from the PCM after a successful unlock.
 +
 
 +
{|class="wikitable"
 +
! Length (bytes) !! Field !! Value !! Notes
 +
|-
 +
| align="center" | 1 || ID || align="center" | <code>F7</code> ||
 +
|-
 +
| align="center" | 1 || Length || align="center" | <code>58</code> ||
 +
|-
 +
| align="center" | 1 || Mode || align="center" | <code>0D</code> ||
 +
|-
 +
| align="center" | 1 || Table || align="center" | <code>02</code> ||
 +
|-
 +
| align="center" | 1 || Status || align="center" | <code>AA</code> || Equals <code>AA</code> on successful unlock
 +
|-
 +
| align="center" | 1 || Checksum || align="center" | <code>F8</code> ||
 
|}
 
|}
  

Latest revision as of 08:50, 11 January 2023

Overview

ALDL or Assembly Line Diagnostic Link is the diagnostic interface created by GM and used by Holden on the Commodore models from the VN to the VZ. The VE is the first Commodore to exclusively use CAN bus for diagnostics and inter-module communication. The VN through to VS Commodores used GM's original 160 baud interface (compatible with a GM Tech 1 or Tech 2 scan tool), whilst the VT through to VZ Commodores used the newer 8192 baud interface (compatible with a Tech 2 scan tool). This article will focus on the 8192 baud interface. For information on the 160 baud interface, see ALDL (160 Baud).

Frame Structure

An ALDL frame consists of a message ID, length, an optional number of data bytes, and a 2's compliment checksum. Whilst the maximum size of an ALDL frame isn't defined, the length byte allows for up to 170 data bytes (173 bytes total including the ID, length and checksum)[1]. Any multi-byte fields are always big-endian unless otherwise noted. The table below illustrates the structure of an ALDL frame.

Length (bytes) Field Notes
1 Message ID The value 0 is reserved and is not a valid ALDL message ID
1 Length 0x55 + n, where n is the number of data bytes
n Data
1 Checksum 2's compliment checksum of all bytes in the frame (message ID, length, and data bytes)

Message IDs

All ALDL frames are identified by an ID byte. During normal bus operation, message IDs are used to identify a specific type of message (for example, a PCM heartbeat, or radio status message). Each module is typically assigned a diagnostic ID, that can be used to address the module when issuing diagnostic requests. Most diagnostic frames use the same message ID for both the request, and response. The ID used depends on the module and model year. The table below lists some of the IDs commonly used across various modules on the Commodore models.[2][3]

ID Source Destination Description Model(s)
08 BCM Heartbeat Frame VT/VX/VY/VZ
11 BCM BCM Status Frame VT/VX/VY/VZ
20 BCM Cluster Instrument Cluster Status Request VT/VX/VY/VZ
21 Cluster Instrument Cluster Status Response VT/VX/VY/VZ
40 BCM PCM PCM Status Request VT/VX/VY/VZ
41 PCM PCM Status Response VT/VX/VY/VZ
90 BCM ABS ABS Status Request VT/VX/VY/VZ
91 ABS ABS Status Response VT/VX/VY/VZ
A0 BCM SRS SRS Status Request VT/VX/VY/VZ
A1 SRS SRS Status Response VT/VX/VY/VZ
A8 BCM ECC Climate Control Status Request VT/VX/VY/VZ
A9 ECC Climate Control Status Response VT/VX/VY/VZ
B8 BCM Radio Radio Status Request VY/VZ
B9 Radio Radio Status Response VY/VZ
BD Scan Tool BCM BCM Diagnostics VR/VS
E4 Scan Tool Telematics Telematics Module Diagnostics VY/VZ
EA Scan Tool ECC Climate Control Diagnostics VT/VX/VY/VZ
EB Scan Tool Radio Radio Diagnostics VY/VZ
F0 Reserved for ALDL Tester/Scan Tool
F1 Scan Tool BCM BCM Diagnostics VT/VX/VY/VZ
F2 Scan Tool Cluster Instrument Cluster Diagnostics VT/VX/VY/VZ
F2 Scan Tool SRS SRS Diagnostics VR/VS
F3 Scan Tool PIM PIM Diagnostics VY/VZ
F4 Scan Tool PCM PCM Diagnostics VR/VS V8
F5 Scan Tool PCM PCM Diagnostics VS V6/VT
F7 Scan Tool PCM PCM Diagnostics VX/VY
F9 Scan Tool ABS ABS/TCS Diagnostics VR/VS
FA Scan Tool SRS SRS Diagnostics VT
FB Scan Tool SRS SRS Diagnostics VX/VY

Checksum Calculation

An ALDL checksum is calculated by adding every byte prior to the checksum field (ID byte, length byte, and data bytes), and calculating the 2's compliment of the last 8 bits in the sum. Verification works in a similar manner; all bytes of the frame are added (including the checksum byte). The last 8 bits of the sum will equal 0 if the sum is valid.

Modes

ALDL diagnostic requests work on the principle of modes. To issue a diagnostic request, an ALDL frame is sent with an ID corresponding to a module's diagnostic ID (see Module IDs), and the first data byte set to the mode number of the request. ALDL diagnostic requests will therefore always have a minimum of 1 data byte. A typical response to a diagnostic request will be an ALDL frame with the same ID as the original request, the first data byte set to the mode number of the request, and an optional number of extra data bytes forming the response. The table below lists the various ALDL modes.

Mode (decimal) Description
00 Normal Mode
01 Live Data
02 Memory Block Read
03 Memory Scatter Read
04 Control Function
08 Disable Bus Chatter
09 Enable Bus Chatter
10 Clear DTCs
13 Security Seed/Key

Mode 0

ALDL Mode 0, or Normal Mode reverts the effect of any previous ALDL requests (except requests with lasting effect such as a DTC clear), returning the addressed module to normal operation. The table below illustrates the full structure of a Mode 0 request.

Length (bytes) Field Value Notes
1 ID ID of the module to return to normal mode
1 Length 56
1 Mode 00
1 Checksum c

Mode 1

Each module maintains a set of tables containing live data as well as stored parameters. When a device issues a Mode 1 request to a module, it provides the number of the table being requested. The module responds by transmitting the requested table number, followed by the contents of the table (the PCM differs in that it does not transmit the table number, only the table data). The exact contents and structure of the table depend on both the table in question, and the module. Tables are numbered sequentially, however most modules have less than 10 tables. When an invalid table number is requested, the response differs depending on the module the request was issued to. When an invalid table is requested, the PCM will simply not respond. When an invalid table is requested from the BCM, it will send a Mode 13 response. When an invalid table is requested from the ABS/TCS module, the response will be an empty table (the requested table number, followed by 0 bytes of data). The table below illustrates the full structure of a Mode 1 request.

Length (bytes) Field Value Notes
1 ID F1
1 Length 57
1 Mode 01
1 Table n Table number
1 Checksum c

Mode 2

Mode 2 requests are used to retrieve a block of 64 bytes from the PCM's memory[4]. Any 16-bit address within the processor's memory address space may be requestedTemplate:Cn. This means that ROM, RAM, calibration data and I/O registers may be retrieved with Mode 2 requests. Whilst Mode 2 requests memory in blocks of 64 bytes, the requested address does not need to be aligned on a 64 byte boundary. This may be useful for reducing the number of requests required for values in close proximity to one another. The below table illustrates the full structure of a Mode 2 request.

Length (bytes) Field Value Notes
1 ID F7
1 Length 58
1 Mode 02
2 Address n 16-bit address in big endian format
1 Checksum c

Expected response:

Length (bytes) Field Value Notes
1 ID F7
1 Length 96
1 Mode 02
64 Data Memory contents at the requested address
1 Checksum c

Mode 3

Mode 3 requests are used for scatter-gather memory operations on the PCM. A Mode 3 request is made with a list of 16-bit memory addresses to be read. The PCM responds with the contents of the requested memory locations. Mode 3 scatter-gather requests are useful for retrieving specific values in memory quickly, without creating the large amount of activity on the bus as Mode 2 block reads. The table below illustrates the full structure of a Mode 3 request.

Length (bytes) Field Value Notes
1 ID F7
1 Length 55 + 1 + 2n
1 Mode 03
2 A1 First address to be read
...
2 An
1 Checksum c

Mode 4

A Mode 4 request is used to control a module for testing purposes. Control can include anything from slewing or setting fixed output values, slewing or setting fixed input sensor values, altering the results of certain calculations and invoking certain module functions. Modules that respond to Mode 4 requests include the; PCM, BCM, instrument cluster and ABS/TCS modules. The structure of a Mode 4 request differs greatly depending on the module it is addressed to. The basic structure of a Mode 4 request is illustrated by the table below.

Length (bytes) Field Value Notes
1 ID ID of the module to be controlled
1 Length 55 + 1 + n
1 Mode 04
n Control Structure Varies depending on module
1 Checksum c

Mode 8

Periodically, the BCM sends polling requests amongst other data on the bus. These requests poll the PCM for sensor data and operational parameters used by the instrument cluster. A Mode 8 request is used to temporarily disable these messages from being sent. This essentially silences the BCM and quietens the bus, allowing for another device such as a computer or scan tool to transmit with a lower chance of a packet collision. Unless another Mode 8 request is sent within a predetermined amount of timeTemplate:When, the BCM will automatically resume normal bus operation. The BCM will respond with a frame containing a single data byte 08 with an ID of F1 (a frame identical to the request). The below table illustrates the full structure of a Mode 8 request.

Length (bytes) Field Value
1 ID F1
1 Length 56
1 Mode 08
1 Checksum B1

Mode 9

Similar to Mode 8, a Mode 9 request will re-enable BCM chatter. A Mode 9 request can be sent to enable bus chatter earlier, rather than waiting for the original Mode 8 request to time out. This may be useful (and potentially good practice) if a device only requires bus silence for a short period of time, as bus silence for longer periods of time can lead to Check Engine warnings on the clusterTemplate:Cn. Note that some scan tools issue a Mode 0 request instead of a Mode 9 request to re-enable BCM chatterTemplate:Cn. When a Mode 9 request is sent, the BCM will respond with a frame containing a single data byte 09 with an ID of F1 (a frame identical to the request). The below table illustrates the full structure of a Mode 9 request.

Length (bytes) Field Value
1 ID F1
1 Length 56
1 Mode 09
1 Checksum B0

Mode 10

The majority of modules in the vehicle can have stored DTCs cleared with a Mode 10 request. These include, but are not limited to; the PCM, BCM, ABS/TCS, SRS modules as well as the instrument cluster. The below table illustrates the full structure of a Mode 10 request.

Length (bytes) Field Value Notes
1 ID ID of the module DTCs will be cleared from (see Module IDs).
1 Length 56
1 Mode 0A
1 Checksum c

Mode 13

Mode 13 is used for a challenge-response authentication system in order to unlock flash-based PCMs for programming. Once the PCM is in an unlocked state, certain restricted operations and Mode 1 tables will become available. The challenge-response calculation itself is fairly straightforward. On request, the PCM will provide a 16-bit value as the seed. All bits of the seed are inverted with an XOR operation, which is sent back to the PCM as the key.[5] The tables below illustrate the structure of the seed request, key response and PCM unlock response.

First, a request for Table 1 is made in Mode 13.

Length (bytes) Field Value Notes
1 ID F7
1 Length 57
1 Mode 0D
1 Table 01
1 Checksum A4

The PCM will respond with a seed value as the challenge.

Length (bytes) Field Value Notes
1 ID F7
1 Length 59
1 Mode 0D
1 Table 01
2 Seed S 16-bit Seed Value
1 Checksum c

The key K is calculated by inverting all bits of the seed S (for example, A2B9 becomes 5D46), and transmitted back as a write to Table 2 in Mode 13.

Length (bytes) Field Value Notes
1 ID F7
1 Length 59
1 Mode 0D
1 Table 02
2 Key K 16-bit Key Value
1 Checksum c

If the key is correct, and the unlock operation is successful, the PCM will respond with Table 2 containing a single value AA. The table below shows the full response that can be expected from the PCM after a successful unlock.

Length (bytes) Field Value Notes
1 ID F7
1 Length 58
1 Mode 0D
1 Table 02
1 Status AA Equals AA on successful unlock
1 Checksum F8

References