Tag Archives: Euro5

DPF Light Patch

This is meant for programmers or at least folks who understand coding in general. Here I am going to show how I implemented the DPF light patch, part of Diesel ECU Patch v1, on my former (Euro 4) car.
DPF Light Patch - Active Regeneration In Progress


Actual source code, updated to C++14:


// Copyright SubaruDieselCrew (2011-2017)   https://subdiesel.wordpress.com

#include <array>
#include <chrono>
//#include <bitset>
#include "sh.h"
#include "JZ2F401A.h"

using namespace std::chrono_literals;

/**
 * @brief DPF light flashing modes (stock)
 *
 */
enum class DPFLightMode {
    off = 0,
    /**
     * @brief soot-high warning aka vehicle speed request
     *
     */
    on_steady = 1,
    /**
     * @brief error
     *
     * (multiple causes: compulsory regeneration required, oil dilution critical, ash overfill, DPF limp-home mode;
     * see https://subdiesel.wordpress.com/2011/03/21/dpf-light/ )
     */
    flashing = 2,
};

/**
 * @brief time resolution (= CAN frame ID 0x600 interval)
 *
 */
const constexpr auto interval {50ms};
/**
 * @brief stock period for flashing mode is 800 ms,
 *        does not have to match stock here
 *
 */
const constexpr auto dpfLightPeriod {800ms};
/**
 * @brief defines DPF light output over time when active regeneration is on
 *
 */
const constexpr std::array<bool, dpfLightPeriod / interval> dpfLightCustomPattern
{
    1, 1, 0, 0,  1, 1, 0, 0,
    0, 0, 0, 0,  0, 0, 0, 0
};
// tested alternative: bitset; storage-efficient but much more lookup code
// const std::bitset<dpfLightPeriod / interval> bits {"1100110000000000"};

/**
 * @brief Implement custom flashing mode.
 *
 * Called every 50 ms (CAN-ID 0x600 interval)
 * from patched stock function "calcDpfLight".
 * Standard error flashing mode is already handled by the untouched
 * stock subroutine portion; in that case this function won't get called.
 */
void calc_DPFLight_continue()
{
    // needed as original functionality has been overwritten for hook instructions
    if (DPFLightMode(*DPFLightModeEnum_b) == DPFLightMode::on_steady)
    {
        *DPFLight_bool = true;
        return;
    }

    // at this point DPFLightMode == DPFLightMode::off
    if (!*DPF_Regeneration_bool_SSM)
    {
        *DPFLight_bool = false;
        return;
    }

    // at this point active DPF regeneration is ON, do custom flashing
    // reusing DPF light counter var is safe
    auto counter = *DPFLightCounter_b;
    if (++counter >= dpfLightCustomPattern.size())
        counter = 0;
    *DPFLightCounter_b = counter;
    *DPFLight_bool = dpfLightCustomPattern.at(counter);
}



// Copyright SubaruDieselCrew (2011-2017)   https://subdiesel.wordpress.com
/*
	For stock ROM:
	Model	2009/2010 Impreza Turbo Diesel 2.0 6MT EDM 110 kW / 150 PS
	ROMID	6644D87207
	CID		JZ2F401A
	CVN		F5AD7142 FB841734
	PAK		22611AP283
*/

#ifndef JZ2F401A_H
#define JZ2F401A_H

#include "diesel_rom.h"

// RAM vars
static auto const DPFLight_bool = reinterpret_cast<volatile bool*>(0xFFFF9C1E);
static auto const DPFLightModeEnum_b = reinterpret_cast<volatile int8_t*>(0xFFFF9C1F);
static auto const DPFLightCounter_b = reinterpret_cast<volatile uint8_t*>(0xFFFF9C53);
static auto const DPF_Regeneration_bool_SSM = reinterpret_cast<volatile bool*>(0xFFFFB222);
…


Disassembly made by objdump:


       c:	91 26       	mov.w	0x5c,r1	! 9c1f
       e:	61 10       	mov.b	@r1,r1
      10:	60 1c       	extu.b	r1,r0
      12:	88 01       	cmp/eq	#1,r0
      14:	89 14       	bt	0x40
      16:	91 22       	mov.w	0x5e,r1	! b222
      18:	61 10       	mov.b	@r1,r1
      1a:	62 1c       	extu.b	r1,r2
      1c:	22 28       	tst	r2,r2
      1e:	8d 0f       	bt.s	0x40
      20:	e2 0f       	mov	#15,r2
      22:	91 1d       	mov.w	0x60,r1	! 9c53
      24:	61 10       	mov.b	@r1,r1
      26:	71 01       	add	#1,r1
      28:	61 1c       	extu.b	r1,r1
      2a:	31 26       	cmp/hi	r2,r1
      2c:	8d 0c       	bt.s	0x48
      2e:	60 13       	mov	r1,r0
      30:	92 16       	mov.w	0x60,r2	! 9c53
      32:	22 10       	mov.b	r1,@r2
      34:	d1 0b       	mov.l	0x64,r1	! 945a8
      36:	02 1c       	mov.b	@(r0,r1),r2
      38:	91 13       	mov.w	0x62,r1	! 9c1e
      3a:	21 20       	mov.b	r2,@r1
      3c:	00 0b       	rts	
      3e:	00 09       	nop	
      40:	92 0f       	mov.w	0x62,r2	! 9c1e
      42:	22 10       	mov.b	r1,@r2
      44:	00 0b       	rts	
      46:	00 09       	nop	
      48:	92 0a       	mov.w	0x60,r2	! 9c53
      4a:	e1 00       	mov	#0,r1
      4c:	e0 00       	mov	#0,r0
      4e:	22 10       	mov.b	r1,@r2
      50:	d1 04       	mov.l	0x64,r1	! 945a8
      52:	02 1c       	mov.b	@(r0,r1),r2
      54:	91 05       	mov.w	0x62,r1	! 9c1e
      56:	21 20       	mov.b	r2,@r1
      58:	00 0b       	rts	
      5a:	00 09       	nop	
      5c:	9c 1f       	mov.w	0x9e,r12	! 600c
      5e:	b2 22       	bsr	0x4a6
      60:	9c 53       	mov.w	0x10a,r12	! e000
      62:	9c 1e       	mov.w	0xa2,r12	! e0ff
      64:	00 09       	nop	
      66:	45 a8       	.word 0x45a8

     5a8:	01 01       	.word 0x0101
     5aa:	00 00       	.word 0x0000
     5ac:	01 01       	.word 0x0101
     5ae:	00 00       	.word 0x0000
     5b0:	00 00       	.word 0x0000
     5b2:	00 00       	.word 0x0000
     5b4:	00 00       	.word 0x0000
     5b6:	00 00       	.word 0x0000

As you can tell there is not much code required. Much more work, orders of magnitude (!), is necessary to reverse-engineer the related stock ROM portions in the first place, defining functions, disassembling machine instructions, naming local and global variables etc.

Usually, ROM and RAM addresses depend on the actual ROM version used. The definitions above work for the outdated CID JZ2F401A (dated 2009-Sep). Apart from ROM-specific variable addresses, the same code will work for all known Euro 4/5/6 models.

The resultant binary data is meant to be inserted into a free, unused ROM region. On Renesas SH microprocessors (e.g. SH7058S) free ROM space is rather easy to find: just look for big chunks of contiguous FF bytes. This is because those chips erase bytes to value 0xFF. Others, e.g. the Infineon TriCore series, erase their internal flash ROM to zeroes instead.

To actually make use of the added logic, I had to modify (patch) a few bytes in the original calc_DPF_light subroutine, so that after doing some of its work it will call my own function, knowing its start address (0x9400C). Usually there is no free space in between stock functions, therefore we have to apply clever patching tricks to make room for a few new instructions and/or divert execution flow.

Finally, after carefully verifying the changes applied to the stock ROM, you have to correct checksums. Flashing software usually does this anyway, perhaps asking first. Checksum correction and verification is actually very easy to do for such Denso firmware.

Providing SDC-modified ROMs is possible; however, it will not be free due to the amount of labour involved. Contact us if you’re interested.

Updates

  • 2017-10: update code, syntax-highlighted disassembly, C++17
  • 2017-04: minor update, actual disassembly
  • 2016-11: updated source to C++14
  • 2016-10: updated source to C++11 with Doxygen documentation
  • 2016-01: added disassembly

Updated Extended OBD-II definitions

Added 7 PIDs (0x10A1, 0x10A3..0x10A7, 0x1137), some are petrol-only, some diesel-only, some mixed.
See Extended OBD-II definitions page.
Downloads (spreadsheet, CSV) as well as ParsePID project are up to date.
Note that some PIDs have not been tested on actual cars yet – feedback is appreciated!

Mode 23 – Read Memory

According to some of my notes, Euro 5 diesel models, or cars that support Extended/Enhanced OBD-II in general, might support mode/service 23 for dumping ROM or RAM blocks:

The format is similar to, or the same as, the ReadMemoryByAddress (23 hex) service specified in the UDS (Unified Diagnostic Services, ISO 14229) protocol:

"23 <Format> <Address[]> <Length[]>"

Several $23 formats can be supported, Euro 5 diesel:

  1. "23 14 A1 A2 A3 A4 L1"
  2. "23 24 A1 A2 A3 A4 L1 L2"

As you can guess, format byte e.g. 0x14 means:

  • 4 address bytes → uint32 big endian, encoded in low nibble of format byte
  • 1 length byte → uint8, encoded in high nibble of format

Restrictions

Stock firmware usually restricts the available address ranges, allowing only partial dumps. ROM calibration data and RAM regions might work. For someone who knows how to reflash and reverse-engineer the logic, such restrictions can be patched and therefore eliminated.

Errors

Depends on actual implementation, (early) Euro 5 diesel ROM logic:

  • 0 < length ≤ 0x400 (dec 1024) bytes otherwise NRC 31
  • other formats or request message lengths yield NRC 13

| NRC (hex) | Description |
|---|---|
| 13 | Incorrect message length or invalid format |
| 31 | Request out of range |

Example

Euro 5 diesel (1.5 MiB ROM, SH7059 chip) example – dump beginning at ROM calibration data:

Start address = 0xC0000
Length (per request) = 0x40 = 64 bytes

"23 14 00 0C 00 00 40"
Positive response: "63 <XX XX XX ... total 64 payload bytes ... XX XX>"

"23 14 00 0C 00 40 40"

"23 14 00 0C 00 80 40"

"23 14 00 0C 00 C0 40"

"23 14 00 0C 01 00 40"

Anyone able to confirm that these mode 23 commands and formats are working?

Personal experience on many different control units: Maximizing length per request yields max transfer speed, however application algorithm must be able to handle NRC codes and react properly.
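
The request format and the two NRC conditions above, as an added Python example (not code from this site or from any ECU): `build_request` encodes a request, `check_request` models the ROM-side checks as described, and `classify_response` sorts tester-side replies. The function names, the order of the two checks and the `7F 23 <NRC>` negative-response framing (standard UDS) are assumptions.

```python
# Added example; models the checks described above, not the ECU's own code.
NRC_FORMAT = 0x13            # incorrect message length or invalid format
NRC_RANGE = 0x31             # request out of range
FORMATS = (0x14, 0x24)       # the two Euro 5 diesel formats listed above
MAX_LEN = 0x400              # per-request length limit stated above


def build_request(fmt, address, length):
    """Encode "23 <Format> <Address[]> <Length[]>" (big endian fields)."""
    len_size, addr_size = fmt >> 4, fmt & 0x0F
    return (bytes([0x23, fmt]) + address.to_bytes(addr_size, "big")
            + length.to_bytes(len_size, "big"))


def check_request(msg):
    """Return (address, length) if accepted, else the NRC as an int.

    Assumption: format and message length are checked before the range.
    """
    if len(msg) < 2 or msg[0] != 0x23:
        raise ValueError("not a service 23 request")
    fmt = msg[1]
    len_size, addr_size = fmt >> 4, fmt & 0x0F
    if fmt not in FORMATS or len(msg) != 2 + addr_size + len_size:
        return NRC_FORMAT
    address = int.from_bytes(msg[2:2 + addr_size], "big")
    length = int.from_bytes(msg[2 + addr_size:], "big")
    if not 0 < length <= MAX_LEN:
        return NRC_RANGE
    return address, length


def classify_response(resp, expected_len):
    """Tester side: ("data", payload), ("nrc", code) or ("unexpected", resp)."""
    if resp[:1] == b"\x63" and len(resp) == 1 + expected_len:
        return "data", resp[1:]
    # Assumption: negative replies use UDS framing 7F <service> <NRC>.
    if len(resp) == 3 and resp[0] == 0x7F and resp[1] == 0x23:
        return "nrc", resp[2]
    return "unexpected", resp


if __name__ == "__main__":
    for offset in range(0, 0x140, 0x40):   # the five requests shown above
        req = build_request(0x14, 0xC0000 + offset, 0x40)
        print(req.hex().upper(), "->", check_request(req))
```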

Definitions Download for Extended OBD-II

Uploaded first draft of definitions file for diagnostics protocol Extended/Enhanced OBD-II. Should be easy to work with, can export to CSV etc. Everyone is welcome to use the data as long as it is mentioned where it came from.
Also added a few more PIDs in the meantime.
Go to page: Extended OBD-II

Protocols page Extended OBD-II

Added 3 more DPF related PIDs on page Extended OBD-II:

114A Pressure Difference between DPF Inlet and Outlet
1155 Estimated Distance to Oil Change
1156 Running Distance since last DPF Regeneration

Will add some more over time…
Apparently newer petrol models now also use this protocol (exclusively, apart from OBD-II; no SSM2 anymore?). Might add petrol-specific PIDs in the future.
Also, apps like Torque have been confirmed working with this.
Anyone able to provide any data, testing new or known PIDs, screenshots of software including SSM etc. or spot any issues, please get in touch!

Updated protocols page Extended OBD-II

Updated protocols page Extended OBD-II:

  • corrected “Exhaust Gas Temperature (EGT) at DPF Inlet”
  • added “DPF Regeneration Count”

Euro 5/6 model owners please test and report results, thanks!

Would also be interesting to know (logging) software capable of using this protocol. Tactrix Openport 2.0 standalone logging, Torque perhaps???

Injector Codes

Denso Injector DCRI107890 (Denso part# 095000-7890, Subaru part# 16613-AA020) for Euro 4 Subaru Diesel

Introduction

Quote from a DENSO document incl. picture below:

Replacing a Diesel Common Rail Injector:
When replacing a DENSO Diesel Common Rail Injector, marked with a compensation code, it is necessary to register the ID code, printed on the upper part of the injector, with a genuine OEM – or DENSO diagnostic tool, into the electronic control unit (ECU). The injector compensation (ID) code is used to compensate injector production tolerances.
Some vehicles also require Small Injection Quantity Learning.

Denso Injector ID graphic

Subaru’s term for injector compensation or ID code is “injector code”. Dealership diagnostic software (SSM-III, SSM4) has menu items like “Injector Code Display” and “Injector Code New Registration (SSM to ECM)”.

First off, the engine control unit has no way of measuring the actual injected fuel amount; such technology would be expensive for this kind of small fluid quantity. Due to high common rail pressure, even tiny production tolerances result in unwanted injection quantity variations. Obviously, each injector must be registered using its correct cylinder number so the ECU can apply individual adjustments when it is calculating injections. Basically, the ECU accomplishes the desired (target) injection quantity by adjusting the duration of the injector drive signal.

Since programmed injector codes as well as any other important data are saved into an extra EEPROM chip, there is no risk of data loss when the car battery is disconnected.

Consequences of Wrong or Missing Injector Codes

According to DENSO:

  • Knocking noise
  • Unstable idle
  • Wiggling during driving
  • MIL (Check Engine Lamp) on

Cylinder numbers – Quick Reference

As a quick reminder, looking at the front of the car into the engine bay, cylinder numbers are:

towards back
transmission
  3        4
  1        2
car front (radiator etc.)

Getting Injector Codes via QR Code

Although normally this should not be necessary, injector codes can be read from the actual injector parts even when mounted on the engine and inside the engine bay, therefore not easily accessible. Taking a picture using a mirror tool is relatively easy, no need to disassemble any parts:

Injector QR Cyl2 small

While the injector code label itself is hidden by the (white) electrical connector, its QR code is visible by default.
Make sure the QR code on the photo is as sharp as possible and has sufficient resolution. At the car I usually just try to get high quality pictures. Later on my computer I simply select the best pic, then scan QR info straight off the computer screen using a smartphone.

Using an image manipulation program (e.g. GIMP, Photoshop) in order to improve the QR code area can result in much better QR detection. In my case, this was not needed as the app can also detect inverted QR (light code on dark background).
Android app tested: “Barcode Scanner” from F-Droid repository. Check settings → Invert scan.

As an example, the following pic is the extracted and improved QR code portion from the above picture. I used these steps in GIMP: crop, perspective correction, grayscale, invert, brightness & contrast. You should be able to scan this:

Injector QR Cyl2 processed

Scanning the captured QR code results in a line of text containing 49 characters:

7890AA0200809118736B30000000000E9EBEBECF300000045

First 19 chars:

7890AA0200809118736
  • First four chars 7890 match Denso basic part number.
  • AA020 is also found in Subaru part# 16613-AA020
  • Possibly contains production date 2008-09-11 ?
  • Serial# ?

Injector Code Format

The remaining 30 chars are the exact injector code needed for the ECU. These chars must be in hexadecimal [0-9, A-F] form as they are transmitted as 15 bytes to and from the ECU:

B30000000000E9EBEBECF300000045

| Byte index [0..14] | Content |
|---|---|
| 0 | const, sort of generation ID, verified by ECU: Euro 4: B3, Euro 5: B2, Euro 6: B6 |
| 1..12 | 12 payload bytes containing correction data, type int8, for up to 12 pre-defined correction points. Each signed byte must be within range [-125, 125]. In other words, the following five bytes are not allowed: 7E, 7F, 80, 81, 82. |
| 13 | const 00 |
| 14 | simple XOR checksum |

Resultant properly formatted injector code (left to right, 4 chars per block):

B300    0000
0000    E9EB
EBEC    F300
0000    45

Notes

Invalid codes will be rejected! Euro 5+ will return NRC 0x31 (request out of range).
Injector code data is not compatible between common rail system generations due to differing correction points! Euro 4 uses fewer points (10) than E5+ (12). Therefore, for example, programming a Euro 5 injector code into Euro 4 ECU will not work and vice versa.
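
The byte layout above, as an added Python example (not code from SSM, Denso or this site): it splits the 49-character QR text and applies each check from the format table before a code is typed into a tool. The function names are hypothetical, and the checksum rule (byte 14 equals the XOR of bytes 0..13) is an assumption that holds for the sample code shown above.

```python
# Added example, not SSM/Denso tool code; field layout taken from the table above.
GENERATION = {0xB3: "Euro 4", 0xB2: "Euro 5", 0xB6: "Euro 6"}


def split_qr(text):
    """Split the 49-character QR text into (19-char prefix, 30-char code)."""
    text = text.strip().upper()
    if len(text) != 49:
        raise ValueError("expected 49 characters, got %d" % len(text))
    return text[:19], text[19:]


def xor_checksum(data):
    """XOR of all given bytes."""
    result = 0
    for b in data:
        result ^= b
    return result


def parse_injector_code(code_hex):
    """Validate a 15-byte injector code; return (generation, corrections)."""
    raw = bytes.fromhex(code_hex)        # ValueError on non-hex input
    if len(raw) != 15:
        raise ValueError("injector code must be 15 bytes")
    if raw[0] not in GENERATION:
        raise ValueError("unknown generation byte %02X" % raw[0])
    corrections = [b - 256 if b > 127 else b for b in raw[1:13]]  # int8
    if any(not -125 <= c <= 125 for c in corrections):
        raise ValueError("correction byte outside [-125, 125]")
    if raw[13] != 0x00:
        raise ValueError("byte 13 must be 00")
    # Assumption: byte 14 = XOR of bytes 0..13 (true for the sample code).
    if xor_checksum(raw[:14]) != raw[14]:
        raise ValueError("checksum mismatch")
    return GENERATION[raw[0]], corrections


def is_valid(code_hex):
    """True if the code passes every check above."""
    try:
        parse_injector_code(code_hex)
        return True
    except ValueError:
        return False
```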

Software

AFAIK, Denso’s own PC diagnostic software has the ability to read from a QR scanner device, Subaru OEM application SSM-III does not – need to type in codes manually.

Protocols needed for injector code display & registration:

  • Euro 4: SSM2 via Serial
  • Euro 5/6: Extended OBD-II

As far as we know, there is no free/open-source software for this yet.

EcuTek tool probably supports injector coding (up to Euro 5 ?).

Other Brands

Many other car brands are based on Denso diesel software. These often use similar 15 byte injector codes as well. However, injectors and pre-defined correction points usually differ!

Mazda CX-5 (SkyActiv-D 2.2)

Piezo injectors! 15 bytes; first byte: 3C; pressure levels and corrections points differ vs. Subaru.

Mazda terminology: fuel injector code programming, injector correction factors

Updates

  • 2017-05: additional notes and details
  • 2016-04-03: Euro 6