Some ECU stock ROM software (rather recent model years, it seems), both diesel and petrol, supports switching to 10400 baud. Btw, 10400 is the speed of the ISO 14230 (alias KWP 2000) protocol, needed for the BIU and several other control units.
It’s relatively easy to do, starting in standard 4800 baud mode, which is the default mode after ignition ON:
Write exact byte 0x5A into SSM2 address 0x000198 in order to switch to 10400 baud (default content is 00 = standard 4800 mode):
W 80 10 F0 05 B8 00 01 98 5A 30
R 80 F0 10 02 F8 5A D4
OK, the positive response above is the last message received at 4800 baud. From this point on, all further SSM2 commands at 4800 baud will fail (no response) because the ECU now only understands 10400 baud.
Set the interface device to 10400 baud, all other settings as usual, and SSM2 is working again, at least the most important commands.
Note: In this mode you have to use tester device ID 0xF2 instead of 0xF0! Everything else, including reported data, is the same it seems.
W 80 10 F2 01 BF 42
R 80 F2 10 69 FF A2 10 14 ...
Read a single byte, for example the byte at SSM2 address 0x000198 that was set above:
W 80 10 F2 05 A8 00 00 01 98 C8
R 80 F2 10 02 E8 5A C6
→ 5A, as set before
Read some standard addresses for sampling:
W 80 10 F2 11 A8 00 00 00 08 00 00 0D 00 00 0E 00 00 0F 00 00 10 7D
R 80 F2 10 06 E8 67 62 00 00 00 39
→ coolant temp = 63°C, MAP = 98 kPa, engine speed = 0 rpm, vehicle speed = 0 km/h
Block read from address 0xFFB00, length 5. Btw, reflash counter bytes on 1 MiB ROMs live there, word + negated word at 0xFFB00.
W 80 10 F2 06 A0 00 0F FB 00 04 36
R 80 F2 10 06 E0 00 03 FF FC FF 65
→ reflash counter = 3
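The frames above can be rebuilt and checked with a few helpers. This is an added example, not code from the ROM or from any existing tool; the frame layout, the checksum rule (low 8 bits of the byte sum), the "count minus one" byte in A0 and the big-endian counter word are assumptions inferred from the captured frames on this page, and all function names are made up for illustration.

```python
HEADER, ECU_ID = 0x80, 0x10
TESTER_4800 = 0xF0   # tester ID in the default 4800 baud mode
TESTER_10400 = 0xF2  # tester ID required after switching to 10400 baud

def checksum(data: bytes) -> int:
    """Low 8 bits of the sum of all preceding bytes (inferred from the captures)."""
    return sum(data) & 0xFF

def build_frame(tester: int, payload: bytes) -> bytes:
    """Tester -> ECU frame: 80 10 <tester> <len> <payload...> <checksum>."""
    body = bytes([HEADER, ECU_ID, tester, len(payload)]) + payload
    return body + bytes([checksum(body)])

def parse_response(frame: bytes, tester: int) -> bytes:
    """Validate an ECU -> tester frame and return its payload."""
    if len(frame) < 6:
        raise ValueError("frame too short")
    if frame[0] != HEADER or frame[1] != tester or frame[2] != ECU_ID:
        raise ValueError("unexpected header or addressing")
    if frame[3] != len(frame) - 5:
        raise ValueError("length field does not match frame size")
    if checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch")
    return frame[4:-1]

def read_block(tester: int, address: int, count: int) -> bytes:
    """A0 block read; the count byte on the wire is count - 1."""
    payload = bytes([0xA0, 0x00]) + address.to_bytes(3, "big") + bytes([count - 1])
    return build_frame(tester, payload)

def reflash_counter(payload: bytes) -> int:
    """Decode an E0 payload: big-endian word followed by its negated copy."""
    if len(payload) < 5 or payload[0] != 0xE0:
        raise ValueError("not a block-read response of sufficient length")
    word = int.from_bytes(payload[1:3], "big")
    negated = int.from_bytes(payload[3:5], "big")
    if word ^ negated != 0xFFFF:
        raise ValueError("counter and negated copy disagree")
    return word

if __name__ == "__main__":
    print(read_block(TESTER_10400, 0x0FFB00, 5).hex(" "))
    resp = bytes.fromhex("80 F2 10 06 E0 00 03 FF FC FF 65")  # response quoted above
    print(reflash_counter(parse_response(resp, TESTER_10400)))
```

Rejecting frames with a bad checksum, a wrong tester ID or a counter that does not match its negated copy keeps a logger from recording line noise as data, which matters more once the baud rate goes up.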
The Write-Single-B8 command does not seem to work, blocked by ROM code! Looks like this mode isn’t meant for maintenance, just faster logging. Don’t know a way to set the baud rate back to 4800 yet, except ignition OFF + ON. Also, sending zero byte(s), like turning off continuous mode, did not do it for me.
W 80 10 F2 05 B8 00 01 98 00 D8
Continuous push mode (RomRaider “Fast Poll“) is working, too! Tested working for both read single A8 and read block A0 commands.
So 10400 baud + continuous mode should yield even higher sample rates – if someone (RomRaider ?) hacks this stuff into software… Not much fun without proper software support.
Did not do benchmarks yet. Theoretically 10400 vs. 4800 baud might yield a speed improvement of factor 2.167.
Still not fast enough and cannot use CAN?
As stock ROMs can be patched, the code that actually does the baudrate settings can be modified. We might test that in the future, e.g. 31250 bits/s or even higher might still work reliably. Thanks to this additional mode, we can try changing that one and leave standard mode intact so any diagnostic software keeps working. Don’t know of any software using SSM2 at 10400 baud. All knowledge about this is derived straight from ROM.