I'm almost certain the connections are good. I've swapped from the FDD cable to crimp lugs and the nothings changed. I've tried 2 different power supplies and the one i'm using has next to no ripple and plenty of capacity (2A). I connected up in the car and it took a 3 send attempts (through OSE tool) but in the end I got a reply of "F2,9E,1,0,79,0,0,0,B0,0,0,40,1,7,7,1,A4,3,1D,0,0,0,0,3,FF,1, 62,15,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,85,0,40,0,0,0,0,0,0,40, 0,FF,50,0,2,94,9,6B,F,FA,D,71,20,0,93"
The software and cable reset the airbag light in the VT no problem this morning.
I agree that spamming the bus isn't a good idea! so far I have found these device id's from delcohacking, here, ls1gto and the like:
HEX Code meaning Comments
$05 Coolant temperature, A/D cnt
$06 Vehicle Speed
$07 MAP voltage 255=5.00V
$08 Engine speed, RPM = n x 25
$09 TPS voltage 255=5.00V
$0A Injector flow, 100=8.3 g/h
$0B MAT degrees C = (nx0.75)-40
$0C Malfunction flag word 1
$0D Malfunction flag word 2
$0E Malfunction flag word 3
$0F Block Learn Multiplier
$10 Oxygen sensor voltage
$11 Input status word B0=*park/neutral, B1=*trans. O/T, B7=A/C req.
$12 Battery Voltage times 10
$13 Integrator
$14 Output status word B0=Fan relay, B1=A/C clutch, B2=Torque Conv. Clutch, B4=closed loop status
$A8 BCM VT
$A9 ECC VT
$BD BCM VR
$F1 BCM VS, VT, VX, VY
$F2 SRS VS, VZ Cluster
$F4 PCM VR V6&V8 and VS V8
$F5 PCM for VS, VT
$F7 PCM VX, VY
$F9 ABS VS
$FA SRS VT
$FB srs vz
Yeah, I have to admit that simulating modules isn't very useful... but I would enjoy moving a slider on the pc and watching the speedo show 240Km/H!
I have a spare 3 window (Berlina) VT cluster that i'm happy to throw frames at and see what happens. Just let me know what to send. I dont think the radio sends anything to cluster in the VT's. I pulled out the stock radio years ago so I cant log it unfortunately.
GM Technical Document Discussion
GM ALDL Logging and Scanning
Forum rules
To gain access to the Invite Only forum you must be invited by a member of that forum. That member will PM the mods or admins (NOT you) saying that they nominate you for access. THEY will be responsible for your actions. If you don't post and just leech info, you will BOTH be removed. Dont send a PM to the moderators or admins asking for access, you really dont want to see the result. If you submit information, you may simply be invited
To gain access to the Invite Only forum you must be invited by a member of that forum. That member will PM the mods or admins (NOT you) saying that they nominate you for access. THEY will be responsible for your actions. If you don't post and just leech info, you will BOTH be removed. Dont send a PM to the moderators or admins asking for access, you really dont want to see the result. If you submit information, you may simply be invited
by TazzI » Fri May 31, 2013 10:12 pm
Not sure how your cable is set up, but the Delco cable I got from VL400 has two negatives, one of my negative pins was a bit iffy, and my bench setup stopped working but it worked in car.
All I did was wire the other negative to the cluster and all was sweet!. So the main negative is the black/yellow wire coming from the diagnostic plug, and the second negative was the solid black wire. Fairly certain the pins were next to each other although dont have my setup with me at the moment. Take some images of your current setup, should be able to point out the problem.
The OSE tool does sometimes take a few sends. Thats normal due to the cars comms and the software sometimes misses. Faster computers also help out. But yeah thats a typical reply for the "general" info. You can send the "general info" request to all modules. eg XX,57,01,checksum.. just change the XX to the module ID.
Dont think the first few ids are actual module ID's, they look more like frame bytes eg Byte 6 of the general status frame is vehicle speed. Im guessing those were taking from tuner pro or delco.
Simulating modules wont make the speedo needles move. Since they move due to a pulse input on both the revs and speedo gauges. So cant manipulate them like that. Unless you go pick up a pulse generator? Only thing simulating modules does is allows us to mess with what the cluster sees eg engine status, radio station ect.
Yeah, I have to admit that simulating modules isn't very useful... but I would enjoy moving a slider on the pc and watching the speedo show 240Km/H!
I think the VT radio does sends off "generic" info like the vy/vz ones but the cluster doesnt display anything. (I think!). At minimum the radio will respond back to requests.
Grabbing some responses from the VT cluster would be good.
eg F2,57,01,00,B6
F2,57,01,01,B5
F2,57,01,02,B4
all the way to table 9. I dont think it responds to each requests from memory.
All I did was wire the other negative to the cluster and all was sweet!. So the main negative is the black/yellow wire coming from the diagnostic plug, and the second negative was the solid black wire. Fairly certain the pins were next to each other although dont have my setup with me at the moment. Take some images of your current setup, should be able to point out the problem.
The OSE tool does sometimes take a few sends. Thats normal due to the cars comms and the software sometimes misses. Faster computers also help out. But yeah thats a typical reply for the "general" info. You can send the "general info" request to all modules. eg XX,57,01,checksum.. just change the XX to the module ID.
Dont think the first few ids are actual module ID's, they look more like frame bytes eg Byte 6 of the general status frame is vehicle speed. Im guessing those were taking from tuner pro or delco.
Simulating modules wont make the speedo needles move. Since they move due to a pulse input on both the revs and speedo gauges. So cant manipulate them like that. Unless you go pick up a pulse generator? Only thing simulating modules does is allows us to mess with what the cluster sees eg engine status, radio station ect.
Yeah, I have to admit that simulating modules isn't very useful... but I would enjoy moving a slider on the pc and watching the speedo show 240Km/H!
I think the VT radio does sends off "generic" info like the vy/vz ones but the cluster doesnt display anything. (I think!). At minimum the radio will respond back to requests.
Grabbing some responses from the VT cluster would be good.
eg F2,57,01,00,B6
F2,57,01,01,B5
F2,57,01,02,B4
all the way to table 9. I dont think it responds to each requests from memory.
by shifte » Sat Jun 01, 2013 2:33 pm
I've connected the power supply GND to the ALDL ground and the Oscilloscope Gnd. I've connected the 12V supply to Pin 1 and through a swith to pin 20. I have connected the ALDL data line to the scope and pin 6. Attached are the pictures but it is a bit hard to tell which wire goes where. I get the same results using an UART FTDI cable as well as a home made RS232 to ALDL adapter using the most complicated circuit I could find on the net (using 4 additional transistors to better filter the signals). Could it be related to the steady state voltage level of 3.3V instead of 5V... what voltage do you get on your Delco cable?
I've got a port sniffer and the scope confirming the a signal is getting through (Although the scope isn't good enough to freeze the frame so I can decode it manually). I'll start sniffing all the packets sent from the AAPL software once i can get the cluster responding on the bench. I might try reverse engineering if I get desperate but knowing the frames, should be enough to make up some software that works a bit more consistently.
I have a function generator which I built in uni many years ago which should be suitable to simulate the pulses required although it shouldn't be too hard to rig something up through the serial com port.
What are the pin numbers for the VY clusters and the VT/VX clusters? I'll send through those commands and see if those clusters respond with anything (unlike this WL one!).
I've got a port sniffer and the scope confirming the a signal is getting through (Although the scope isn't good enough to freeze the frame so I can decode it manually). I'll start sniffing all the packets sent from the AAPL software once i can get the cluster responding on the bench. I might try reverse engineering if I get desperate but knowing the frames, should be enough to make up some software that works a bit more consistently.
I have a function generator which I built in uni many years ago which should be suitable to simulate the pulses required although it shouldn't be too hard to rig something up through the serial com port.
What are the pin numbers for the VY clusters and the VT/VX clusters? I'll send through those commands and see if those clusters respond with anything (unlike this WL one!).
You do not have the required permissions to view the files attached to this post.
- shifte
- Kicking Tyres
- Posts: 8
- Joined: Sun Aug 05, 2012 9:44 am
- Has thanked: 0 time
- Been thanked: 0 time
by shifte » Sun Jun 02, 2013 12:24 pm
I connected up the VT cluster and it worked first time! Starting to think that the WL cluster I bought off eBay was damaged when I got it!
For those looking for the pin configuration for VT's it is:
Pin 6 = Ground
Pin 12 = Serial Data
Pin 19 = Ignition (Switched to simulate ignition on)
Pin 20 = Battery / 12V+
Tazzi, the responses I got from the table queries are:
Table 0
F2, 67, 1, 0, 30, 60, 0, 7B, 0, 0, 0, 0, FF, 32, FF, 97, 1, 13, A, 32, 84,
Table 1
F2, 67, 1, 1, 0, 0, FF, 7C, 0, 0, 3, E8, 4, 4C, FF, FF, FF, 0, 0, 0, F2,
Table 2
F2, 67, 1, 2, 3, 16, 4, 0, 0, 0, 3F, 0, 0, 0, 0, 0, 92, 4, 77, 72, C9,
Table 3
F2, 67, 1, 3, E1, 1, C5, FF, 0, 64, C, E, 18, 8C, 3, E8, 5, 32, 29, 0, 90,
Table 4
F2, 67, 1, 4, FB, 42, FB, 30, FB, 6B, FB, 66, FB, 41, 0, 0, 0, 0, 0, 0, 37,
Table 5
F2, 67, 1, 5, FB, D2, FB, FD, FC, 10, FE, 69, FC, 28, 0, 0, 0, 0, 0, 0, 45,
Tables 6 and 7 do not get a response.
The car is a V6, Berlina Auto, Registered in 98 but potentially built in 97. The k's are 202,244 and the 200,000 service reminder is showing. There is a drivers and passenger airbag with seat belt pretensioners.
For those looking for the pin configuration for VT's it is:
Pin 6 = Ground
Pin 12 = Serial Data
Pin 19 = Ignition (Switched to simulate ignition on)
Pin 20 = Battery / 12V+
Tazzi, the responses I got from the table queries are:
Table 0
F2, 67, 1, 0, 30, 60, 0, 7B, 0, 0, 0, 0, FF, 32, FF, 97, 1, 13, A, 32, 84,
Table 1
F2, 67, 1, 1, 0, 0, FF, 7C, 0, 0, 3, E8, 4, 4C, FF, FF, FF, 0, 0, 0, F2,
Table 2
F2, 67, 1, 2, 3, 16, 4, 0, 0, 0, 3F, 0, 0, 0, 0, 0, 92, 4, 77, 72, C9,
Table 3
F2, 67, 1, 3, E1, 1, C5, FF, 0, 64, C, E, 18, 8C, 3, E8, 5, 32, 29, 0, 90,
Table 4
F2, 67, 1, 4, FB, 42, FB, 30, FB, 6B, FB, 66, FB, 41, 0, 0, 0, 0, 0, 0, 37,
Table 5
F2, 67, 1, 5, FB, D2, FB, FD, FC, 10, FE, 69, FC, 28, 0, 0, 0, 0, 0, 0, 45,
Tables 6 and 7 do not get a response.
The car is a V6, Berlina Auto, Registered in 98 but potentially built in 97. The k's are 202,244 and the 200,000 service reminder is showing. There is a drivers and passenger airbag with seat belt pretensioners.
- shifte
- Kicking Tyres
- Posts: 8
- Joined: Sun Aug 05, 2012 9:44 am
- Has thanked: 0 time
- Been thanked: 0 time
by TazzI » Sun Jun 02, 2013 3:17 pm
Im not actually 100% sure on the pinout of the vy/vz clusters. They both differ and neither match up to the pinouts diagrams on carmodder. The vt.vx cluster pinouts do match though if you check the vt/vx specifications section, but looks like you sussed out the pins anyways, Least that one is working!
Iv grabbed a couple harness from vy/vz's and use those instead of the pins, so I only know the wiring colour pinout for the vy/vz.
Yeah looks like a typical response for the vt cluster. Could already see the kms in the responses eg.
F2, 67, 1, 2, 3, 16, 4, 0, 0, 0, 3F, 0, 0, 0, 0, 0, 92, 4, 77, 72, C9,
0x031604 = 202244kms
And also the part number: 92, 4, 77, 72 = 92047772
Not sure why they did they part number like that.
F2, 67, 1, 3, E1, 1, C5, FF, 0, 64, C, E, 18, 8C, 3, E8, 5, 32, 29, 0, 90,
Can also see the speedo cal in there (ppk) = 6284
And table 0 general has what is currently going on, such as which lights are on, engine status, gear status, voltage ect.
Those responses are the "generic" codes that can be obtained from the cluster. I think most main changes can be done there... I think? eg v6/v8,auto/manual, speedo, airbags ect.
But I find it better attacking the direct eeprom location for each parameter.
Try sending F2,57,11,00,chksum. That should send back a seed that you will need a key for.
Done a bit of work on the vt/vx clusters, be good to dig into them some more.
Iv grabbed a couple harness from vy/vz's and use those instead of the pins, so I only know the wiring colour pinout for the vy/vz.
Yeah looks like a typical response for the vt cluster. Could already see the kms in the responses eg.
F2, 67, 1, 2, 3, 16, 4, 0, 0, 0, 3F, 0, 0, 0, 0, 0, 92, 4, 77, 72, C9,
0x031604 = 202244kms
And also the part number: 92, 4, 77, 72 = 92047772
Not sure why they did they part number like that.
F2, 67, 1, 3, E1, 1, C5, FF, 0, 64, C, E, 18, 8C, 3, E8, 5, 32, 29, 0, 90,
Can also see the speedo cal in there (ppk) = 6284
And table 0 general has what is currently going on, such as which lights are on, engine status, gear status, voltage ect.
Those responses are the "generic" codes that can be obtained from the cluster. I think most main changes can be done there... I think? eg v6/v8,auto/manual, speedo, airbags ect.
But I find it better attacking the direct eeprom location for each parameter.
Try sending F2,57,11,00,chksum. That should send back a seed that you will need a key for.
Done a bit of work on the vt/vx clusters, be good to dig into them some more.
by sdh » Tue Jun 04, 2013 11:45 am
Hey Tazzi, I didn't get a reply from that Seed frame you mentioned but could that be because the cluster is on the bench and that info should come from the BCM?
I did another search for pin diagrams and found another one on JustCommodores. The correct UART pin is number 2 on the cluster! I'm a little surprised no one has mentioned the wrong pin number in the forum considering the many people who have bench setups.
I now see why everyone is saying the AAPL software is full of bugs! Has anyone worked out the user id to get high level access and possibly less bugs?
Image source: http://forums.justcommodores.com.au/vz-holden-commodore-2004-2006/97161-vz-cluster-wiring-plugs.html
from user andyman.
I did another search for pin diagrams and found another one on JustCommodores. The correct UART pin is number 2 on the cluster! I'm a little surprised no one has mentioned the wrong pin number in the forum considering the many people who have bench setups.
I now see why everyone is saying the AAPL software is full of bugs! Has anyone worked out the user id to get high level access and possibly less bugs?
Image source: http://forums.justcommodores.com.au/vz-holden-commodore-2004-2006/97161-vz-cluster-wiring-plugs.html
from user andyman.
You do not have the required permissions to view the files attached to this post.
- sdh
- Newbie Modder
- Posts: 3
- Joined: Wed Jun 27, 2012 12:55 pm
- Has thanked: 0 time
- Been thanked: 0 time
by gruntly69 » Wed Jun 05, 2013 7:44 am
That program looks AMAZING!
When's it going to be available for us all to purchase?????
Looks friggen COOL!
When's it going to be available for us all to purchase?????
Looks friggen COOL!
by shifte » Wed Jun 05, 2013 5:36 pm
I got a response from both the VT and the WL clusters with F2,57,11,00,A6.
I've sniffed all the frames sent to retrieve and program the Table info and will post it up once i've aligned some of the responses to useful information or at least identified what information is in the response so someone else can also have a crack and deciphering it. It's not all that straight forward doing the writing because the AAPL software sends the data to be changed and then another frame repeatedly until the response changes before saying the write was successful.
How do you read/write the cluster bin over ALDL? I gather it has something to do with mode 2 or 3 however I haven't been getting any responses from F2, 57, 02, Checksum or F2, 57, 02, 00, checksum....
I think I might have corrupted the dash as you have said by a failed write attempt. I get a "not programmed" message even after trying to restore all the original information back through the AAPL software.
If worst comes to worst I could desolder the EEPROM and write an bin back to it but over the ALDL line would be much simpler.
I've sniffed all the frames sent to retrieve and program the Table info and will post it up once i've aligned some of the responses to useful information or at least identified what information is in the response so someone else can also have a crack and deciphering it. It's not all that straight forward doing the writing because the AAPL software sends the data to be changed and then another frame repeatedly until the response changes before saying the write was successful.
How do you read/write the cluster bin over ALDL? I gather it has something to do with mode 2 or 3 however I haven't been getting any responses from F2, 57, 02, Checksum or F2, 57, 02, 00, checksum....
I think I might have corrupted the dash as you have said by a failed write attempt. I get a "not programmed" message even after trying to restore all the original information back through the AAPL software.
If worst comes to worst I could desolder the EEPROM and write an bin back to it but over the ALDL line would be much simpler.
- shifte
- Kicking Tyres
- Posts: 8
- Joined: Sun Aug 05, 2012 9:44 am
- Has thanked: 0 time
- Been thanked: 0 time
by TazzI » Wed Jun 05, 2013 5:59 pm
shifte wrote:I got a response from both the VT and the WL clusters with F2,57,11,00,A6.
I've sniffed all the frames sent to retrieve and program the Table info and will post it up once i've aligned some of the responses to useful information or at least identified what information is in the response so someone else can also have a crack and deciphering it. It's not all that straight forward doing the writing because the AAPL software sends the data to be changed and then another frame repeatedly until the response changes before saying the write was successful.
How do you read/write the cluster bin over ALDL? I gather it has something to do with mode 2 or 3 however I haven't been getting any responses from F2, 57, 02, Checksum or F2, 57, 02, 00, checksum....
I think I might have corrupted the dash as you have said by a failed write attempt. I get a "not programmed" message even after trying to restore all the original information back through the AAPL software.
If worst comes to worst I could desolder the EEPROM and write an bin back to it but over the ALDL line would be much simpler.
The VT cluster should give the same security key each time you send it whereas the WL cluster will give a different seed each time to be calculated. This seed is required to unlock the cluster to access eeprom locations.
Yeah, AA software isnt a great idea to mess with sending random things. Sounds like you have wiped the cluster clean. Cant write a whole eeprom bin over aldl without using software really, theres over a few hundred locations to write to so its not really simple. Also.. a bit of bad news, but I dont have a WL cluster .bin backup, so im unsure if any other cluster bins will work 100% correctly, as in match up for the clusters speedo,revs ect (compression ratios). Assuming its the same as a hsv/calais.
by shifte » Fri Jun 07, 2013 12:23 pm
I haven't wiped the cluster because it is still showing the odo, service intervals and several other stuff but must be missing something important... I have another WL cluster in the car so once I work out how to extract the bin over ALDL, I can write it back to this cluster anyway.
Im working out the security disable stuff now. I noticed the seed was different each time through the AAPL software. I'm trying to link the following bytes (stripped of device id, length, checksum) after sending the request code (F2,57,11,00,A6). Each line is a separate request to unlock the cluster.
Recieved 92, 97. Sent 26, F4
Recieved F8, C8. Sent F7, 8E
Recieved BC, 7C. Sent 41, CE
Recieved 55, D5. Sent E9, 31
I'll have a spreadsheet up in the next couple of days with the findings so far.
Im working out the security disable stuff now. I noticed the seed was different each time through the AAPL software. I'm trying to link the following bytes (stripped of device id, length, checksum) after sending the request code (F2,57,11,00,A6). Each line is a separate request to unlock the cluster.
Recieved 92, 97. Sent 26, F4
Recieved F8, C8. Sent F7, 8E
Recieved BC, 7C. Sent 41, CE
Recieved 55, D5. Sent E9, 31
I'll have a spreadsheet up in the next couple of days with the findings so far.
- shifte
- Kicking Tyres
- Posts: 8
- Joined: Sun Aug 05, 2012 9:44 am
- Has thanked: 0 time
- Been thanked: 0 time