Difference between revisions of "Holden:ALDL (8192 Baud)"
Line 19: | Line 19: | ||
|} | |} | ||
− | === | + | === Message IDs === |
All ALDL frames are identified by an ID byte. During normal bus operation, message IDs are used to identify a specific type of message (for example, a PCM heartbeat, or radio status message). Each module is typically assigned a ''diagnostic ID'', that can be used to address the module when issuing diagnostic requests. Most diagnostic frames use the same message ID for both the request, and response and the ID used depends on the module and model year. The table below lists some of the IDs used for diagnostic requests across various modules on the Commodore models.<ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857 pcmhacking.net - GM Reverse Engineering (Page 1)]</ref><ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857&p=47451#p47451 pcmhacking.net - GM Reverse Engineering (Page 10)]</ref> | All ALDL frames are identified by an ID byte. During normal bus operation, message IDs are used to identify a specific type of message (for example, a PCM heartbeat, or radio status message). Each module is typically assigned a ''diagnostic ID'', that can be used to address the module when issuing diagnostic requests. Most diagnostic frames use the same message ID for both the request, and response and the ID used depends on the module and model year. The table below lists some of the IDs used for diagnostic requests across various modules on the Commodore models.<ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857 pcmhacking.net - GM Reverse Engineering (Page 1)]</ref><ref>[https://pcmhacking.net/forums/viewtopic.php?f=10&t=2857&p=47451#p47451 pcmhacking.net - GM Reverse Engineering (Page 10)]</ref> |
Revision as of 12:44, 28 April 2021
Overview
ALDL or Assembly Line Diagnostic Link is the diagnostic interface created by GM and used by Holden on the Commodore models from the VN to the VZ. The VE is the first Commodore to exclusively use CAN bus for diagnostics and inter-module communication. The VN through to VS Commodores used GM's original 160 baud interface (compatible with a GM Tech 1 or Tech 2 scan tool), whilst the VT through to VZ Commodores used the newer 8192 baud interface (compatible with a Tech 2 scan tool). This article will focus on the 8192 baud interface. For information on the 160 baud interface, see ALDL (160 Baud).
Frame Structure
An ALDL frame consists of a message ID, length, an optional number of data bytes, and a 2's compliment checksum. Whilst the maximum size of an ALDL frame isn't defined, the length byte allows for up to 170 data bytes (173 bytes total including the ID, length and checksum)[1]. Any multi-byte fields are always big-endian unless otherwise noted. The table below illustrates the structure of an ALDL frame.
Length (bytes) | Field | Notes |
---|---|---|
1 | Message ID | The value 0 is reserved and is not a valid ALDL message ID
|
1 | Length | 0x55 + n, where n is the number of data bytes
|
n | Data | |
1 | Checksum | 2's compliment checksum of all bytes in the frame (message ID, length, and data bytes) |
Message IDs
All ALDL frames are identified by an ID byte. During normal bus operation, message IDs are used to identify a specific type of message (for example, a PCM heartbeat, or radio status message). Each module is typically assigned a diagnostic ID, that can be used to address the module when issuing diagnostic requests. Most diagnostic frames use the same message ID for both the request, and response and the ID used depends on the module and model year. The table below lists some of the IDs used for diagnostic requests across various modules on the Commodore models.[2][3]
ID | Module |
---|---|
BD |
BCM (VR/VS) |
E4 |
Telematics Module (VY) |
EA |
ECC - Climate Control (VY) |
EB |
Radio (VY) |
F0 |
ALDL Tester/Scan Tool |
F1 |
BCM (VT/VX/VY) |
F2 |
Instrument Cluster (VT/VX/VY) |
F2 |
SRS (VR/VS) |
F3 |
PIM (VY) |
F4 |
PCM (VR/VS V8) |
F5 |
PCM (VS V6/VT) |
F7 |
PCM (VX/VY) |
F9 |
ABS/TCS (VR/VS) |
FA |
SRS (VT) |
FB |
SRS (VX/VY) |
Checksum Calculation
An ALDL checksum is calculated by adding every byte prior to the checksum field (ID byte, length byte, and data bytes), and calculating the 2's compliment of the last 8 bits in the sum. Verification works in a similar manner; all bytes of the frame are added (including the checksum byte). The last 8 bits of the sum will equal 0 if the sum is valid.
Modes
ALDL diagnostic requests work on the principle of modes. To issue a diagnostic request, an ALDL frame is sent with an ID corresponding to a module's diagnostic ID (see Module IDs), and the first data byte set to the mode number of the request. ALDL diagnostic requests will therefore always have a minimum of 1 data byte. A typical response to a diagnostic request will be an ALDL frame with the same ID as the original request, the first data byte set to the mode number of the request, and an optional number of extra data bytes forming the response. The table below lists the various ALDL modes.
Mode (decimal) | Description |
---|---|
00 |
Normal Mode |
01 |
Live Data |
02 |
Memory Block Read |
03 |
Memory Scatter Read |
04 |
Control Function |
08 |
Disable Bus Chatter |
09 |
Enable Bus Chatter |
10 |
Clear DTCs |
13 |
Security Seed/Key |
Mode 0
ALDL Mode 0, or Normal Mode reverts the effect of any previous ALDL requests (except requests with lasting effect such as a DTC clear), returning the addressed module to normal operation. The table below illustrates the full structure of a Mode 0 request.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | ID of the module to return to normal mode | |
1 | Length | 56 |
|
1 | Mode | 00 |
|
1 | Checksum | c |
Mode 1
Each module maintains a set of tables containing live data as well as stored parameters. When a device issues a Mode 1 request to a module, it provides the number of the table being requested. The module responds by transmitting the requested table number, followed by the contents of the table (the PCM differs in that it does not transmit the table number, only the table data). The exact contents and structure of the table depend on both the table in question, and the module. Tables are numbered sequentially, however most modules have less than 10 tables. When an invalid table number is requested, the response differs depending on the module the request was issued to. When an invalid table is requested, the PCM will simply not respond. When an invalid table is requested from the BCM, it will send a Mode 13 response. When an invalid table is requested from the ABS/TCS module, the response will be an empty table (the requested table number, followed by 0 bytes of data). The table below illustrates the full structure of a Mode 1 request.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F1 |
|
1 | Length | 57 |
|
1 | Mode | 01 |
|
1 | Table | n | Table number |
1 | Checksum | c |
Mode 2
Mode 2 requests are used to retrieve a block of 64 bytes from the PCM's memory[4]. Any 16-bit address within the processor's memory address space may be requestedTemplate:Cn. This means that ROM, RAM, calibration data and I/O registers may be retrieved with Mode 2 requests. Whilst Mode 2 requests memory in blocks of 64 bytes, the requested address does not need to be aligned on a 64 byte boundary. This may be useful for reducing the number of requests required for values in close proximity to one another. The below table illustrates the full structure of a Mode 2 request.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 58 |
|
1 | Mode | 02 |
|
2 | Address | n | 16-bit address in big endian format |
1 | Checksum | c |
Expected response:
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 96 |
|
1 | Mode | 02 |
|
64 | Data | Memory contents at the requested address | |
1 | Checksum | c |
Mode 3
Mode 3 requests are used for scatter-gather memory operations on the PCM. A Mode 3 request is made with a list of 16-bit memory addresses to be read. The PCM responds with the contents of the requested memory locations. Mode 3 scatter-gather requests are useful for retrieving specific values in memory quickly, without creating the large amount of activity on the bus as Mode 2 block reads. The table below illustrates the full structure of a Mode 3 request.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 55 + 1 + 2n |
|
1 | Mode | 03 |
|
2 | A1 | First address to be read | |
... | |||
2 | An | ||
1 | Checksum | c |
Mode 4
A Mode 4 request is used to control a module for testing purposes. Control can include anything from slewing or setting fixed output values, slewing or setting fixed input sensor values, altering the results of certain calculations and invoking certain module functions. Modules that respond to Mode 4 requests include the; PCM, BCM, instrument cluster and ABS/TCS modules. The structure of a Mode 4 request differs greatly depending on the module it is addressed to. The basic structure of a Mode 4 request is illustrated by the table below.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | ID of the module to be controlled | |
1 | Length | 55 + 1 + n |
|
1 | Mode | 04 |
|
n | Control Structure | Varies depending on module | |
1 | Checksum | c |
Mode 8
Periodically, the BCM sends polling requests amongst other data on the bus. These requests poll the PCM for sensor data and operational parameters used by the instrument cluster. A Mode 8 request is used to temporarily disable these messages from being sent. This essentially silences the BCM and quietens the bus, allowing for another device such as a computer or scan tool to transmit with a lower chance of a packet collision. Unless another Mode 8 request is sent within a predetermined amount of timeTemplate:When, the BCM will automatically resume normal bus operation. The BCM will respond with a frame containing a single data byte 08
with an ID of F1
(a frame identical to the request). The below table illustrates the full structure of a Mode 8 request.
Length (bytes) | Field | Value |
---|---|---|
1 | ID | F1
|
1 | Length | 56
|
1 | Mode | 08
|
1 | Checksum | B1
|
Mode 9
Similar to Mode 8, a Mode 9 request will re-enable BCM chatter. A Mode 9 request can be sent to enable bus chatter earlier, rather than waiting for the original Mode 8 request to time out. This may be useful (and potentially good practice) if a device only requires bus silence for a short period of time, as bus silence for longer periods of time can lead to Check Engine warnings on the clusterTemplate:Cn. Note that some scan tools issue a Mode 0 request instead of a Mode 9 request to re-enable BCM chatterTemplate:Cn. When a Mode 9 request is sent, the BCM will respond with a frame containing a single data byte 09
with an ID of F1
(a frame identical to the request). The below table illustrates the full structure of a Mode 9 request.
Length (bytes) | Field | Value |
---|---|---|
1 | ID | F1
|
1 | Length | 56
|
1 | Mode | 09
|
1 | Checksum | B0
|
Mode 10
The majority of modules in the vehicle can have stored DTCs cleared with a Mode 10 request. These include, but are not limited to; the PCM, BCM, ABS/TCS, SRS modules as well as the instrument cluster. The below table illustrates the full structure of a Mode 10 request.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | ID of the module DTCs will be cleared from (see Module IDs). | |
1 | Length | 56 |
|
1 | Mode | 0A |
|
1 | Checksum | c |
Mode 13
Mode 13 is used for a challenge-response authentication system in order to unlock flash-based PCMs for programming. Once the PCM is in an unlocked state, certain restricted operations and Mode 1 tables will become available. The challenge-response calculation itself is fairly straightforward. On request, the PCM will provide a 16-bit value as the seed. All bits of the seed are inverted with an XOR operation, which is sent back to the PCM as the key.[5] The tables below illustrate the structure of the seed request, key response and PCM unlock response.
First, a request for Table 1 is made in Mode 13.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 57 |
|
1 | Mode | 0D |
|
1 | Table | 01 |
|
1 | Checksum | A4 |
The PCM will respond with a seed value as the challenge.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 59 |
|
1 | Mode | 0D |
|
1 | Table | 01 |
|
2 | Seed | S | 16-bit Seed Value |
1 | Checksum | c |
The key K is calculated by inverting all bits of the seed S (for example, A2B9
becomes 5D46
), and transmitted back as a write to Table 2 in Mode 13.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 59 |
|
1 | Mode | 0D |
|
1 | Table | 02 |
|
2 | Key | K | 16-bit Key Value |
1 | Checksum | c |
If the key is correct, and the unlock operation is successful, the PCM will respond with Table 2 containing a single value AA
. The table below shows the full response that can be expected from the PCM after a successful unlock.
Length (bytes) | Field | Value | Notes |
---|---|---|---|
1 | ID | F7 |
|
1 | Length | 58 |
|
1 | Mode | 0D |
|
1 | Table | 02 |
|
1 | Status | AA |
Equals AA on successful unlock
|
1 | Checksum | F8 |