Anyone with AT and a CAN sniffer?
Hi there,
I would like to use the unused parts of my instrument cluster, e.g. gear number by injecting packets on the CAN bus.
I have hardware to do so, however, I don't know anyone who has an XP9 with AT (it's rather seldom ordered with AT here in Germany).
I can't afford a gauge to fiddle around with (the one I'd like with VFD costs even used almost always at least 150€, about 200$; I guess the one with electromechanical tachometer would accept the same commands, but it would cost me still >50€ due to shipment costs), and even if I had one, I'm sure it would be a hard job to feed it manually with thousands of possible IDs before getting a reaction. :frown:
So I would like to ask if someone with an AT XP9 and a CAN sniffer (available at ebay from China for ~25€) would be so kind to try to find out where the gear information hides or at least make a log with the IDs used by the ECU :smile:
Hopefully someone can help me ;)
CTScott
10-08-2013, 08:45 PM
I developed my own CAN sniffer and have reverse engineered a significant portion of the Toyota communications (beyond the simple OBD compliant comm.)
I can definitely help you out with this.
CTScott
10-08-2013, 11:09 PM
OK - Here's what you can command the AT indicator to show. There is a 5 second timeout, so if you don't send another command within that time the indicator will go off.
blank 07C0:0530090000000000
L 07C0:0530090001000000
2 07C0:0530090002000000
3 07C0:0530090004000000
4 07C0:0530090008000000
D 07C0:0530090010000000
N 07C0:0530090020000000
R 07C0:0530090040000000
P 07C0:0530090080000000
5 07C0:0530090000020000
6 07C0:0530090000040000
7 07C0:0530090000080000
(CVT SPORT) 07C0:0530090000100000
(M) 07C0:0530090000200000
S 07C0:0530090000400000
B 07C0:0530090000800000
tk-421
10-09-2013, 12:40 AM
:bow:
CTScott, you definitely rock! :thumbup:
Sadly, I could not manage to get it working yet with my CAN sniffer, maybe it needs some initialization.
However, I'll program my PIC32 and check whether it does the job better than the crappy Chinese software (sad to have to say it so) :biggrin:
CTScott
10-09-2013, 07:42 AM
Just to verify, the 07C0 is what you have to set your transmitter address to.
I have a European digital cluster on hand. This morning I will try it with that to verify that it will respond to those same commands. I am fairly certain that it will, as it works as a direct replacement for the US cluster.
Yup, I set it that way.
I think the sniffer is innocent, I remember having injected packets where I got responses that made sense (the same as when I accessed some ECUs with Techstream).
CTScott
10-09-2013, 09:20 AM
I just tried the European digital cluster and it does not support these commands. It supports ones where I can make all of the digits (including the speedometer and odometer) indicate the numbers 0-9, but not commands to just tickle the gear indicator.
For the heck of it try the following:
07C0:05300A0000200000 (should put the gear indicator as 9 and the odo as all 9's)
07C0:05300A0000400000 (should put the gear indicator as 8 and the odo as all 8's)
07C0:05300A0000800000 (should put the gear indicator as 7 and the odo as all 7's)
Yeah, I've already wondered why there was no way to control the gear display in Techstream, just the entire display test was available there.
Mine does not accept these above commands either, perhaps it wants to be initialized.
Edit: Nope, the sniffer's software punk'd me :D
Sadly setting the CAN filters is a pain in the a$$ with that cheapo software, but I can't afford a better one. :frown:
Quite funny that they omit features for the European versions.
Seemingly it's not just the cruise control (not even an indicator light in the cluster) :cry:
However, thanks for your efforts :thumbsup:
EDIT: the gear commands are even rejected:
07c8 03 7f 30 12 00 00 00 00
CTScott
10-09-2013, 12:21 PM
Yeah, I've already wondered why there was no way to control the gear display in Techstream, just the entire display test was available there.
Mine does not accept these above commands either, perhaps it wants to be initialized.
Edit: Nope, the sniffer's software punk'd me :D
Sadly setting the CAN filters is a pain in the a$$ with that cheapo software, but I can't afford a better one. :frown:
Quite funny that they omit features for the European versions.
Seemingly it's not just the cruise control (not even an indicator light in the cluster) :cry:
However, thanks for your efforts :thumbsup:
EDIT: the gear commands are even rejected:
07c8 03 7f 30 12 00 00 00 00
Interesting. I might have to work on getting you one of my devices to experiment with. It would actually be very handy for me to have access to data from European Yaris for comparison.
That'd be great!
I have already worked on some basic parameters which are easy to poke:
http://www.fingers-wiki.de/yarisforschung_xp9
Hopefully it's understandable for you ;)
If not, don't hesitate to ask me :)
It is especially about which doors are opened and whether the door locks are operated and especially in what direction and how (fob, lock on door, knob inside the car).
We have an entirely different engine controller here in Europe (no cruise control), it might be just because I have the 1l engine (1KR-FE), on the other hand I can't imagine that the European Yaris with the VFD has a CC which would mean that it'd need a different cluster.
However, a friend of mine has a Yaris with the 1.33 dual-vvt-engine (from 2010 or 2011) where seemingly the same cluster as in the Canadian Yaris is used.
IIRC it's an MT, just to mention it ;)
CTScott
10-09-2013, 01:54 PM
That'd be great!
I have already worked on some basic parameters which are easy to poke:
http://www.fingers-wiki.de/yarisforschung_xp9
Hopefully it's understandable for you ;)
If not, don't hesitate to ask me :)
It is especially about which doors are opened and whether the door locks are operated and especially in what direction and how (fob, lock on door, knob inside the car).
We have an entirely different engine controller here in Europe (no cruise control), it might be just because I have the 1l engine (1KR-FE), on the other hand I can't imagine that the European Yaris with the VFD has a CC which would mean that it'd need a different cluster.
However, a friend of mine has a Yaris with the 1.33 dual-vvt-engine (from 2010 or 2011) where seemingly the same cluster as in the Canadian Yaris is used.
IIRC it's an MT, just to mention it ;)
Very good - Those all correspond with ours as well. I am glad to see that the primary messaging is likely pretty much all the same.
In that case, when I have a chance, I will sniff out the packets from the ECM to the cluster in regards to shifter position, as they will likely be the same as well (even though the diagnostic mode packets were not).
Last night I also found this:
https://github.com/fabiobaltieri/toyothack/blob/master/toyothack.c
I checked the 0x398 (fuel usage) and the values while driving seemed legitimate :)
However I still need to see how it's dimensioned
Edit:
New findings!
Techstream says A/D value of fuel sensor is 122dec, that is 7ahex.
I had a look at the log, and, surprise:
7c0 02 21 24 00 00 00 00 00 is the request
7c8 03 61 24 74 00 00 00 00 is the answer.
Task for those new to this course: find the location of the interesting byte :D
It looks like a pid-21-obd-command.
EDIT3: could also be 63 instead of 24.
further investigation to do.
EDIT2: Battery voltage is 144=14,4V =90hex
7c0 02 21 11 00 00 00 00 00 is the request
7c8 03 61 11 *90* 00 00 00 00 is the answer
More to come ;)
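Added example, not part of any post in this thread: a small Python decoder for the diagnostic frames quoted above (the 7c0/7c8 request and answer pairs and the rejected `7f 30 12` reply). It assumes the first data byte is an ISO-TP single-frame length and that the service IDs follow the KWP2000/UDS pattern (positive response = request + 0x40, `7F` = negative response), which the thread suggests but does not confirm; `DiagFrame`, `parse_line`, `read_values` and `rejections` are hypothetical names.

```python
from dataclasses import dataclass

# Constructed sample log: the frames quoted in the thread, one per line.
SAMPLE_LOG = """\
7c0 02 21 24 00 00 00 00 00
7c8 03 61 24 74 00 00 00 00
7c0 02 21 11 00 00 00 00 00
7c8 03 61 11 90 00 00 00 00
07c8 03 7f 30 12 00 00 00 00
"""

# Assumption: KWP2000/UDS-style negative response codes (a few common ones).
NRC_NAMES = {0x10: "generalReject", 0x11: "serviceNotSupported",
             0x12: "subFunctionNotSupported", 0x31: "requestOutOfRange"}

@dataclass
class DiagFrame:
    can_id: int
    kind: str       # "request", "positive" or "negative"
    service: int    # service ID of the request this frame belongs to
    payload: bytes  # bytes after the service ID (the NRC for a negative)

def parse_line(line: str) -> DiagFrame:
    """Parse '<id> b0 .. b7' (hex) as one single-frame diagnostic message."""
    fields = line.split()
    can_id = int(fields[0], 16)
    data = bytes(int(f, 16) for f in fields[1:])
    if len(data) != 8:
        raise ValueError(f"expected 8 data bytes, got {len(data)}")
    if data[0] >> 4 != 0:
        raise ValueError("not a single frame (multi-frame not handled here)")
    length = data[0] & 0x0F          # low nibble = number of payload bytes
    if not 1 <= length <= 7:
        raise ValueError(f"invalid single-frame length {length}")
    body = data[1:1 + length]        # drop padding after the declared length
    if body[0] == 0x7F:              # negative response: 7F, service, code
        if length < 3:
            raise ValueError("truncated negative response")
        return DiagFrame(can_id, "negative", body[1], body[2:])
    if body[0] & 0x40:               # positive response = request SID + 0x40
        return DiagFrame(can_id, "positive", body[0] - 0x40, body[1:])
    return DiagFrame(can_id, "request", body[0], body[1:])

def read_values(frames):
    """Match each positive response to the request before it and return
    {local identifier: data bytes}. Response ID = request ID + 8, as logged."""
    values, pending = {}, None
    for f in frames:
        if f.kind == "request":
            pending = f
        elif (f.kind == "positive" and pending and pending.payload
              and f.can_id == pending.can_id + 8
              and f.service == pending.service
              and f.payload[:len(pending.payload)] == pending.payload):
            values[pending.payload[0]] = f.payload[len(pending.payload):]
            pending = None
    return values

def rejections(frames):
    """List (service, reason) for every negative response in the log."""
    return [(f.service, NRC_NAMES.get(f.payload[0], f"0x{f.payload[0]:02x}"))
            for f in frames if f.kind == "negative"]
```

On the thread's frames this returns 0x90 (144) for identifier 0x11, the value the poster matched to 14,4V, and reports the 0x30 request as rejected with code 0x12.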
CTScott
10-10-2013, 01:10 AM
OK - The ECM message to the cluster for the AT indicator is CAN ID: 03B4. A MT ECM still sends messages on this ID, so you have to frequently (~ every second) send your message to override the blank.
P: 03B4:0000324C80000000
R: 03B4:0000324C40000000
N: 03B4:0000324C20000000
D: 03B4:0000314C00400000
Sadly this wasn't successful, neither with the always crashing sniffer nor with the PIC32 :(
Seems like the ECU initializes the cluster in a special way or there are collisions because of the same ID.
The only way out would be a filter using two transceivers, but this would mean a critical modification to my car, so I fear that I reached a dead end :(
However, this does not mean the end of CAN bus research to me ;)
I'm about to build a bus node that plays a sound whenever the doors are (un)locked via fob :D
Way cooler than blinking ;)
CTScott
10-10-2013, 04:45 PM
Sadly this wasn't successful, neither with the always crashing sniffer nor with the PIC32 :(
Seems like the ECU initializes the cluster in a special way or there are collisions because of the same ID.
The only way out would be a filter using two transceivers, but this would mean a critical modification to my car, so I fear that I reached a dead end :(
However, this does not mean the end of CAN bus research to me ;)
I'm about to build a bus node that plays a sound whenever the doors are (un)locked via fob :D
Way cooler than blinking ;)
Did you by any chance sniff for 03B4 packets on your car? If you can find someone over there with an AT, it would also be interesting to see if 03B4 is used on European Yaris as well.
If you can find me a cheap AT ECM from a junkyard over there (here I can often pick up ECMs for under $50 from Junkyards) I can do much more analysis on my test bench. I have a complete and fully functional Yaris CAN bus network wired up on my test bench.
Did you by any chance sniff for 03B4 packets on your car? If you can find someone over there with an AT, it would also be interesting to see if 03B4 is used on European Yaris as well.
Here we go:
000003b4 00 00 24 b4 00 00 00 00
If you can find me a cheap AT ECM from a junkyard over there (here I can often pick up ECMs for under $50 from Junkyards) I can do much more analysis on my test bench.
I'm afraid this is a hard job :(
Although the Yaris is quite common here (I see about 5 each day), it is quite hard to find used spare parts because it is still rather new.
Additionally, cars are more expensive here than in the US, and so are the parts.
I can only dream about a cluster for 50$... :frown:
Last but not least: AT is rare here, especially in such small cars it is ordered seldom.
Including anything from Mercedes A-Class over BMW whatever to VW Golf I had to do with up to now, just about 5% had AT.
I have had a look but did not find something acceptable, but maybe you're lucky:
(Fasten seat belts, I can't be held responsible for fallen out eyeballs :biggrin:)
http://www.ebay.de/sch/i.html?_sacat=0&_from=R40&_nkw=yaris+steuerger%C3%A4t&_pgn=2&_skc=200&rt=nc
If a seller doesn't want to ship to the US, I can of course do this for you.
I have a complete and fully functional Yaris CAN bus network wired up on my test bench.
Quite a nice thing :w00t:
You used crashie parts, am I right?
One short extra question:
Do you, by accident, know how the PWM-dimmed dome light is switched?
I did not manage to take the ECU apart or at least out.
I expect a n-channel type Mosfet to be in there, but without any knowledge about the part number, I am unsure how much current I can let it switch without risking damage.
Of course, I could add an external transistor, but I like to keep it as simple as possible.
My plan is to stick LED strips under the seat frames, just if you wondered.
@Management:
I hope the deviation from the thread title is tolerable ;)
CTScott
10-10-2013, 06:45 PM
Ah, I was just checking the electronic parts catalog for Europe, and it shows that there were no second generation automatic transmission Yaris built in France, so it may be that your cluster completely ignores those AT related commands.
That made me just think to try my European cluster on my test bench and it does not respond to the AT commands.
For the dome light, the Body ECU drives it and although I can't identify the 3 terminal driving device, I would say that by its size that it should be able to handle 1A.
tk-421
10-11-2013, 12:03 AM
@Management:
I hope the deviation from the thread title is tolerable ;)
Hey, it's your thread. :wink:
For the dome light, the Body ECU drives it and although I can't identify the 3 terminal driving device, I would say that by its size that it should be able to handle 1A.
Can you take a photo of its marking?
I am a bit into this switching stuff ;)
There seems to be a relay inside the Body ECU, the pins on the dome light connector it is connected to are not used, the resistance is 180 Ohms if I remember correctly and letting current flow through it results in a "click".
I could not figure out what it should switch :confused:
CTScott
10-11-2013, 01:36 PM
Can you take a photo of its marking?
I am a bit into this switching stuff ;)
There seems to be a relay inside the Body ECU, the pins on the dome light connector it is connected to are not used, the resistance is 180 Ohms if I remember correctly and letting current flow through it results in a "click".
I could not figure out what it should switch :confused:
When I have an opportunity I will pull one apart and snap a pic.
(I will begin to work off my questions I have gathered in the last months if you are comfortable with this)
I have discovered 3 female connectors I struggle to identify (maybe I can use them for own projects).
These are one behind the shifting stick and two between stereo and AC.
I checked the manual's EWDs, but I could not track them really down.
The connector behind the shifting stick has one row of wires with a 0,1" spacing (2,54mm).
The colours and what I have found out up to now:
White - GND
Grey - 12V if headlight is on
Cyan/ mint green
Yellow - 12V IGN
Magenta - 12V IGN
Blue
White with black stripes
the 8th slot is not used.
The first connector between stereo and AC has two rows and looks like a shielded audio cable is connected to it.
It seems to belong to the stereo, but what confuses me is the fact that there is exactly one cable that looks like this on the radio connector and what looks like its other end leads to the aux connector.
Maybe it's a Y-cable?
And what confuses me most:
The 3rd connector which has about 5 pins and 3 wires.
The wire in the middle has an impedance of about 5 to 10kOhms.
The voltages are:
ACC off: 0V
ACC on: 3..5V
IGN on: 12V
IGN->ACC: slowly dropping to 3...5V (maybe a capacitor discharging?)
The other two wires are connected to GND.
I have pulled fuses and found out that it gets current via the ACC-fuse when in ACC, when IGN is on, its the AM2 fuse.
Additionally: The US manual does not mention the seat heating wiring (fuses: SHTR 1 and SHTR 2 iirc)
Does someone have access to information about this?
Thanks in advance!
CTScott
10-12-2013, 09:14 PM
The first one behind the shift, sounds like the connector for the center console mounted door lock switch.
The radio one sounds like it is for the optional navigation system or iPod interface.
What are the colors on the third one?
The seat heaters are fed by the P S-HTR (passenger) and D S-HTR (drivers) 15A fuses.
The driver's one originates from pin 11 of 4Q and goes to the seat heater switch. The passenger one originates from pin 10 of 4Q and goes to the switch. The switch simply supplies the + feed to the heaters and then the other side of them is grounded.
Do you know where the wires for the seat heater switch lead to?
Or are these slots unpopulated by default (my car has no seat heater)?
After half an hour of hardcore gynaecology, I gave up :laugh:
While the front of the body ECU looks totally the same like that in the manuals, the backside seems to have an additional connector on the backside slightly below the top.
The other connectors seem to be hidden behind a latch, no chance to take that off :(
Here is the mysterious plug:
http://files.brauchmer.net/imghost/up/small_4830a6bda6f4b3bc68b958efeb617880.jpg (http://files.brauchmer.net/imghost/up/4830a6bda6f4b3bc68b958efeb617880.jpg)
And:
Does someone know where the unpopulated fuse holder is connected to?
(So I can calculate the current I can draw from there)
Hopefully something easy to reach :D
http://files.brauchmer.net/imghost/up/small_80880f75b2cc915d54d5fd5f09208422.jpg (http://files.brauchmer.net/imghost/up/80880f75b2cc915d54d5fd5f09208422.jpg)
There seems to be a relay inside the Body ECU, the pins on the dome light connector it is connected to are not used, the resistance is 180 Ohms if I remember correctly and letting current flow through it results in a "click".
I could not figure out what it should switch :confused:
Got that, it's the PWR relay.
by connecting that pin to Vbat, I can operate the window on the passenger side with the rocker switch - but only that side!
No, I can not think of any use for that up to now :laugh:
Last night I began to place some wires for an ambient lighting under the seats.
Between shifter and parking brake I noticed among the bunch of thin wires (seemingly belonging to the airbag and passenger identification) some (2 or 3 I think) thick wires, about 3mm in diameter.
Might they belong to a seat heating option or do they go to the doors for window lifts or door locks?
CTScott
10-14-2013, 09:44 AM
What color were the thick wires? The connector above with the pink, yellow and white does look to be the connector for the seat heater switch.
On the under dash fuse panel, the unpopulated fuse position is fed by a 60A feed from the fusible link on the positive battery terminal. I use that to feed my remote starter and heated seats on one Yaris and to feed my aftermarket keyless entry, power locks, and power windows on another. I come off of it with a piece of 12 AWG wire and then branch off with appropriate sized fuses for what I am feeding.
What color were the thick wires?
The only thing I can remember is that there was an emerald green one among them.
Heavy rain prevents me from going out now to take a photo (make an educated guess where my rain jacket lies...) :frown:
The connector above with the pink, yellow and white does look to be the connector for the seat heater switch.
Interesting theory.
But how does that correspond with the high impedance? :iono:
The ~10mA are scarcely enough to power an LED.
Or is that to power a switching logic (maybe even a thermostat?)?
However, I don't get it why there are two wires connected to ground.
I'll hook up an LED to it and have a look whether it might be an "enable" which is interrupted in some instances, e.g. during cranking.
I have seen which small diameters Toyota deems to be good for 15 Amps when I looked at the cigar lighter... that's even less than I would expect in some sort of china cheapo stuff - but more than these wires.
On the under dash fuse panel, the unpopulated fuse position is fed by a 60A feed from the fusible link on the positive battery terminal.
Thanks for this hint :thumbsup:
ATM, I have soldered a crimp tube over the pressed wire stuff for the AC (bunch of blue wires) together with 2*0.75mm² (about AWG 15).
I luckily happened to be given 100m of 16mm² stranded wire (almost AWG 5).
Sadly it's all black - good for grounding, confusing for the rest :cry:
Maybe I'll take some speaker wire ;)
I've had a look at the wires today and it seems that they belong to the wiring which leads to the rear right hand side door.
After a techdoc-raid (or -speedrun) and looking through the downloaded PDFs, I've found out what the grey one is used for:
It's D101, used for the navigation system (which isn't fitted in mine) and seemingly delivers a speed signal.
I'll check that tomorrow!
The shielded wire seems to go to a junction next to the left tweeter, where a mic wire coming from the roof can be hooked up.
The gear number display seems to belong to the multi-mode manual transmission which has its own connection to the cluster.
nookandcrannycar
11-11-2013, 08:46 PM
:bow:
Yep. There is some old saying...I can't remember how it goes...but the gist of the saying is that one person knows so much more than anyone else that he/she has probably forgotten more about the subject than the sum total of the pertinent knowledge of all others*
* - Normally, this would be accurate without quite being hyperbolic (which is what I was shooting for), but this might be an accidental insult to the rest of us, as CTScott has probably rarely forgotten anything!
Hi folks,
now I've found out that the connector near the shifter is intended for the seat heater.
Although it is not installed in mine, the wires are drawn up (or better: down) to the seats :D
The wires are rather thin, interesting that Toyota allows 15A to flow through there.