SSM2 via Serial at 10400 Baud

Standard SSM2 via serial protocol uses 4800 baud = bits/second on “K-Line”, OBD-II Connection pin# 7.

Some (rather recent model year it seems) ECU stock ROM software, both diesel and petrol, support switching to 10400 baud. Btw, 10400 is speed of ISO 14230 (alias KWP 2000) protocol, needed for BIU and several other control units.
It’s relatively easy to do, starting in standard 4800 baud mode, which is the default mode after ignition ON:

Write exact byte 0x5A into SSM2 address 0x000198 in order to switch to 10400 baud (default content is 00 = standard 4800 mode):
W 80 10 F0 05 B8 00 01 98 5A 30
R 80 F0 10 02 F8 5A D4

Ok, above positive response is the last message to receive using 4800 baud. At this point, all further SSM2 commands will fail (no response) because ECU can only understand 10400 baud.
Set interface device to 10400 baud, all other settings as usual, SSM2 is working again, most important commands at least.
Note: In this mode you have to use tester device ID 0xF2 instead of 0xF0! Everything else, including reported data, is the same it seems.

SSM2 Init:
W 80 10 F2 01 BF 42
R 80 F2 10 69 FF A2 10 14 ...

Read single byte, requesting that SSM2 0x000198 byte set above for example:
W 80 10 F2 05 A8 00 00 01 98 C8
R 80 F2 10 02 E8 5A C6
→ 5A, as set before

Read some standard addresses for sampling:
W 80 10 F2 11 A8 00 00 00 08 00 00 0D 00 00 0E 00 00 0F 00 00 10 7D
R 80 F2 10 06 E8 67 62 00 00 00 39
→ coolant temp = 63°C, MAP =98 kPa, engine speed = 0 rpm, vehicle speed = 0 km/h

Block read from address 0xFFB00, length 5. Btw, reflash counter bytes on 1 MiB ROMs live there, word + negated word at 0xFFB00.
W 80 10 F2 06 A0 00 0F FB 00 04 36
R 80 F2 10 06 E0 00 03 FF FC FF 65
→ reflash counter = 3

Write-Single-B8 command does not seem to work, blocked by ROM code! Looks like this mode isn’t gonna meant for maintenance, just faster logging. Don’t know a way to set baudrate back to 4800, except ignition OFF + ON, yet. Also, sending zero byte(s), like turning off continous mode, did not do it for me.
W 80 10 F2 05 B8 00 01 98 00 D8
(no response)

Continous push mode (RomRaider “Fast Poll“) is working, too! Tested working for both read single A8 and read block A0 commands.
So 10400 baud + continous mode should yield even higher sample rates – if someone (RomRaider ?) hacks this stuff into software… Not much fun without proper software support.
Did not do benchmarks yet. Theoretically 10400 vs. 4800 baud might yield factor 2.167 speed improvement.

Still not fast enough and cannot use CAN?
As stock ROMs can be patched, the code that actually does the baudrate settings can be modified. We might test that in the future, e.g. 31250 bits/s or even higher might still work reliably. Thanks to this additional mode, we can try changing that one and leave standard mode intact so any diagnostic software keeps working. Don’t know of any software using SSM2 at 10400 baud. All knowledge about this is derived straight from ROM.

Advertisements

One response to “SSM2 via Serial at 10400 Baud

  1. <>

    Tested allready with RomRaider “fast poll”
    Value seems to be good :-), twice as fast as normal mode with Rom ID JZ2F401A

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s